Play interactive tour

Edit tour

Analysis Report BsYHxeX7Ok.dll

Overview

General Information

Sample Name:	BsYHxeX7Ok.dll
Analysis ID:	344139
MD5:	0125320a954399ad7b275b67b97a273f
SHA1:	37afd871f306977f49c56400183ef5a80d8748f1
SHA256:	d8a15d14d7bdc4d2e1d948e20cf2835b452f46b2c0860ccd8147ee8d8a43adec
Tags:	dllHeodo
Most interesting Screenshot:

Detection

Emotet

Score:	60
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected Emotet

Machine Learning detection for sample

Checks if the current process is being debugged

Contains functionality to get notified if a device is plugged in / out

Contains functionality to read the PEB

Contains functionality to shutdown / reboot the system

Contains functionality to simulate mouse events

Detected potential crypto function

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

One or more processes crash

PE file contains strange resources

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Startup

System is w10x64

loaddll32.exe (PID: 6404 cmdline: loaddll32.exe 'C:\Users\user\Desktop\BsYHxeX7Ok.dll' MD5: 2D39D4DFDE8F7151723794029AB8A034)

WerFault.exe (PID: 6528 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6404 -s 240 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

WerFault.exe (PID: 6680 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6404 -s 444 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

WerFault.exe (PID: 7016 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6404 -s 472 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000001.00000002.282474266.0000000000850000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000001.00000002.282217417.0000000000710000.00000040.00020000.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000001.00000002.282441133.0000000000820000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security

Unpacked PEs

Source	Rule	Description	Author
1.2.loaddll32.exe.710000.0.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
1.2.loaddll32.exe.850000.1.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
1.2.loaddll32.exe.850000.1.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
1.2.loaddll32.exe.710000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for submitted file

Show sources

Source: BsYHxeX7Ok.dll	Virustotal: Detection: 14%			Perma Link
Source: BsYHxeX7Ok.dll	ReversingLabs: Detection: 57%

Machine Learning detection for sample

Show sources

Source: BsYHxeX7Ok.dll

Joe Sandbox ML: detected

Compliance:

Uses 32bit PE files

Show sources

Source: BsYHxeX7Ok.dll

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, DLL, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI

Binary contains paths to debug symbols

Show sources

Source:	Binary string: wgdi32full.pdb source: WerFault.exe, 00000004.00000003.231654518.00000000055D1000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.243097538.0000000004E91000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.267923742.0000000004981000.00000004.00000001.sdmp
Source:	Binary string: wkernel32.pdb source: WerFault.exe, 00000004.00000003.231654518.00000000055D1000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.243097538.0000000004E91000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.267923742.0000000004981000.00000004.00000001.sdmp
Source:	Binary string: sechost.pdb source: WerFault.exe, 00000004.00000003.231666767.00000000055A2000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.243107080.0000000004FB2000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.267942144.0000000004B62000.00000004.00000040.sdmp
Source:	Binary string: ucrtbase.pdb source: WerFault.exe, 00000004.00000003.231654518.00000000055D1000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.243097538.0000000004E91000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.267923742.0000000004981000.00000004.00000001.sdmp
Source:	Binary string: comctl32v582.pdb7 source: WerFault.exe, 00000007.00000003.243131627.0000000004FB0000.00000004.00000040.sdmp
Source:	Binary string: msvcrt.pdb source: WerFault.exe, 00000004.00000003.231654518.00000000055D1000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.243097538.0000000004E91000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.267923742.0000000004981000.00000004.00000001.sdmp
Source:	Binary string: msctf.pdbJ source: WerFault.exe, 00000004.00000003.231672539.00000000055A8000.00000004.00000040.sdmp
Source:	Binary string: wrpcrt4.pdb source: WerFault.exe, 00000004.00000003.231708622.00000000055A5000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.243136061.0000000004FB5000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.267942144.0000000004B62000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdb source: WerFault.exe, 00000004.00000003.231654518.00000000055D1000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.243097538.0000000004E91000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.264415332.000000000287F000.00000004.00000001.sdmp
Source:	Binary string: wUxTheme.pdb/ source: WerFault.exe, 0000000B.00000003.267956961.0000000004B68000.00000004.00000040.sdmp
Source:	Binary string: wrpcrt4.pdbk source: WerFault.exe, 00000004.00000003.231708622.00000000055A5000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.243136061.0000000004FB5000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.267942144.0000000004B62000.00000004.00000040.sdmp
Source:	Binary string: wimm32.pdb; source: WerFault.exe, 0000000B.00000003.267956961.0000000004B68000.00000004.00000040.sdmp
Source:	Binary string: msctf.pdb source: WerFault.exe, 00000004.00000003.231672539.00000000055A8000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.243116297.0000000004FB8000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.267956961.0000000004B68000.00000004.00000040.sdmp
Source:	Binary string: ole32.pdb source: WerFault.exe, 00000004.00000003.231672539.00000000055A8000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.243116297.0000000004FB8000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.267956961.0000000004B68000.00000004.00000040.sdmp
Source:	Binary string: version.pdb source: WerFault.exe, 00000004.00000003.231672539.00000000055A8000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.243116297.0000000004FB8000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.267956961.0000000004B68000.00000004.00000040.sdmp
Source:	Binary string: wgdi32.pdb source: WerFault.exe, 00000004.00000003.231654518.00000000055D1000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.243097538.0000000004E91000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.267923742.0000000004981000.00000004.00000001.sdmp
Source:	Binary string: advapi32.pdb source: WerFault.exe, 00000004.00000003.231654518.00000000055D1000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.243097538.0000000004E91000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.267923742.0000000004981000.00000004.00000001.sdmp
Source:	Binary string: wsspicli.pdb source: WerFault.exe, 00000004.00000003.231695574.00000000055A0000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.243131627.0000000004FB0000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.267994019.0000000004B60000.00000004.00000040.sdmp
Source:	Binary string: msctf.pdby source: WerFault.exe, 0000000B.00000003.267956961.0000000004B68000.00000004.00000040.sdmp
Source:	Binary string: wimm32.pdbp source: WerFault.exe, 00000004.00000003.231672539.00000000055A8000.00000004.00000040.sdmp
Source:	Binary string: combase.pdb\ source: WerFault.exe, 00000004.00000003.231672539.00000000055A8000.00000004.00000040.sdmp
Source:	Binary string: version.pdb% source: WerFault.exe, 0000000B.00000003.267956961.0000000004B68000.00000004.00000040.sdmp
Source:	Binary string: msvcp_win.pdb source: WerFault.exe, 00000004.00000003.231654518.00000000055D1000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.243097538.0000000004E91000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.267923742.0000000004981000.00000004.00000001.sdmp
Source:	Binary string: cryptbase.pdb source: WerFault.exe, 00000004.00000003.231695574.00000000055A0000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.243131627.0000000004FB0000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.267994019.0000000004B60000.00000004.00000040.sdmp
Source:	Binary string: comctl32v582.pdb source: WerFault.exe, 00000004.00000003.231695574.00000000055A0000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.243131627.0000000004FB0000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.267994019.0000000004B60000.00000004.00000040.sdmp
Source:	Binary string: wimm32.pdb source: WerFault.exe, 00000004.00000003.231672539.00000000055A8000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.243116297.0000000004FB8000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.267956961.0000000004B68000.00000004.00000040.sdmp
Source:	Binary string: wkernelbase.pdb source: WerFault.exe, 00000004.00000003.231654518.00000000055D1000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.243097538.0000000004E91000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.267923742.0000000004981000.00000004.00000001.sdmp
Source:	Binary string: sechost.pdbk source: WerFault.exe, 00000004.00000003.231666767.00000000055A2000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.243107080.0000000004FB2000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.267942144.0000000004B62000.00000004.00000040.sdmp
Source:	Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000004.00000003.231695574.00000000055A0000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.243131627.0000000004FB0000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.267994019.0000000004B60000.00000004.00000040.sdmp
Source:	Binary string: combase.pdb source: WerFault.exe, 00000004.00000003.231672539.00000000055A8000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.243116297.0000000004FB8000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.267956961.0000000004B68000.00000004.00000040.sdmp
Source:	Binary string: wwin32u.pdb source: WerFault.exe, 00000004.00000003.231654518.00000000055D1000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.243097538.0000000004E91000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.267923742.0000000004981000.00000004.00000001.sdmp
Source:	Binary string: version.pdbv source: WerFault.exe, 00000004.00000003.231672539.00000000055A8000.00000004.00000040.sdmp
Source:	Binary string: combase.pdbk source: WerFault.exe, 0000000B.00000003.267956961.0000000004B68000.00000004.00000040.sdmp
Source:	Binary string: wUxTheme.pdbR source: WerFault.exe, 00000004.00000003.231672539.00000000055A8000.00000004.00000040.sdmp
Source:	Binary string: oleaut32.pdb source: WerFault.exe, 00000004.00000003.231695574.00000000055A0000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.243131627.0000000004FB0000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.267994019.0000000004B60000.00000004.00000040.sdmp
Source:	Binary string: wUxTheme.pdb source: WerFault.exe, 00000004.00000003.231672539.00000000055A8000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.243116297.0000000004FB8000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.267956961.0000000004B68000.00000004.00000040.sdmp
Source:	Binary string: comctl32v582.pdb, source: WerFault.exe, 0000000B.00000003.267994019.0000000004B60000.00000004.00000040.sdmp
Source:	Binary string: upwntdll.pdb source: WerFault.exe, 00000004.00000002.235969294.0000000004E4A000.00000004.00000001.sdmp
Source:	Binary string: apphelp.pdb source: WerFault.exe, 00000004.00000003.231654518.00000000055D1000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.243097538.0000000004E91000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.267923742.0000000004981000.00000004.00000001.sdmp
Source:	Binary string: wuser32.pdb source: WerFault.exe, 00000004.00000003.231654518.00000000055D1000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.243097538.0000000004E91000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.267923742.0000000004981000.00000004.00000001.sdmp
Source:	Binary string: ole32.pdb( source: WerFault.exe, 00000004.00000003.231672539.00000000055A8000.00000004.00000040.sdmp
Source:	Binary string: upwntdll.pdb"w0 source: WerFault.exe, 00000004.00000003.231587693.0000000004E4A000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb( source: WerFault.exe, 0000000B.00000003.264415332.000000000287F000.00000004.00000001.sdmp

Spreading:

Source: C:\Windows\System32\loaddll32.exe

Code function: 1_2_00738000 RegisterDeviceNotificationA,GetProcessDpiAwarenessInternal,

1_2_00738000

Networking:

Source: WerFault.exe, 00000007.00000003.252976080.00000000047C7000.00000004.00000001.sdmp	String found in binary or memory: http://crl.microsoftmT
Source: WerFault.exe, 00000007.00000003.252976080.00000000047C7000.00000004.00000001.sdmp	String found in binary or memory: http://crl.microsoftmT9

E-Banking Fraud:

Yara detected Emotet

Show sources

Source: Yara match	File source: 00000001.00000002.282474266.0000000000850000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.282217417.0000000000710000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.282441133.0000000000820000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 1.2.loaddll32.exe.710000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.loaddll32.exe.850000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.loaddll32.exe.850000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.loaddll32.exe.710000.0.unpack, type: UNPACKEDPE

System Summary:

Source: C:\Windows\System32\loaddll32.exe

Code function: 1_2_007385AC EnumDisplayMonitors,ExitWindowsEx,GetSystemMetrics,GetSystemMetrics,

1_2_007385AC

Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_0071DBB2	1_2_0071DBB2
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_0072D87D	1_2_0072D87D
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00711662	1_2_00711662
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00711664	1_2_00711664
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_0072505A	1_2_0072505A
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_0071BA46	1_2_0071BA46
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_0071F249	1_2_0071F249
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00728C4D	1_2_00728C4D
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_0072DA27	1_2_0072DA27
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00728A24	1_2_00728A24
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_0071422B	1_2_0071422B
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_0071A82A	1_2_0071A82A
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_0071B22A	1_2_0071B22A
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_0072A02C	1_2_0072A02C
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_0072A82C	1_2_0072A82C
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_0071E42E	1_2_0071E42E
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00712814	1_2_00712814
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_0072821E	1_2_0072821E
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00724602	1_2_00724602
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_0071E8F6	1_2_0071E8F6
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00711EF9	1_2_00711EF9
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00716AFC	1_2_00716AFC
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_007138E1	1_2_007138E1
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00722CE3	1_2_00722CE3
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00720CE0	1_2_00720CE0
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_0072E4E1	1_2_0072E4E1
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_0072A2E5	1_2_0072A2E5
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00714AD3	1_2_00714AD3
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_0072B0D5	1_2_0072B0D5
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_007168D8	1_2_007168D8
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_007184D8	1_2_007184D8
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_007142DE	1_2_007142DE
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_007148C7	1_2_007148C7
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_007212B3	1_2_007212B3
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_0072E0B6	1_2_0072E0B6
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_0071BEBD	1_2_0071BEBD
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00718EA1	1_2_00718EA1
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_007126A0	1_2_007126A0
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00712C93	1_2_00712C93
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00721494	1_2_00721494
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_0071AE9E	1_2_0071AE9E
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00720082	1_2_00720082
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_0072E689	1_2_0072E689
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00728489	1_2_00728489
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_0072197B	1_2_0072197B
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_0072BF69	1_2_0072BF69
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00717B6A	1_2_00717B6A
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_0071A16A	1_2_0071A16A
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00729D6D	1_2_00729D6D
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00720950	1_2_00720950
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00721F54	1_2_00721F54
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_0072CB58	1_2_0072CB58
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00713743	1_2_00713743
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_0071F54C	1_2_0071F54C
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_0072894D	1_2_0072894D
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_0071D535	1_2_0071D535
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00726334	1_2_00726334
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00724D39	1_2_00724D39
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00728721	1_2_00728721
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00729726	1_2_00729726
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_0072732F	1_2_0072732F
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_0072C92D	1_2_0072C92D
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00723F16	1_2_00723F16
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_0072CF07	1_2_0072CF07
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00717306	1_2_00717306
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00713F0A	1_2_00713F0A
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_007133F4	1_2_007133F4
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_0071A7FA	1_2_0071A7FA
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_007229E3	1_2_007229E3
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_0071F7EF	1_2_0071F7EF
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_007207D3	1_2_007207D3
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_007195DD	1_2_007195DD
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_0072D5DF	1_2_0072D5DF
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_0072C1C2	1_2_0072C1C2
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_007121C0	1_2_007121C0
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_0072E9A2	1_2_0072E9A2
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_0071EBA4	1_2_0071EBA4
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_0072B598	1_2_0072B598
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_0072539F	1_2_0072539F
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_0071799F	1_2_0071799F
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_0072DD80	1_2_0072DD80
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00727B8D	1_2_00727B8D
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_0074303C	1_2_0074303C
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00751E14	1_2_00751E14

Source: unknown

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6404 -s 240

Source: BsYHxeX7Ok.dll

Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST

Source: BsYHxeX7Ok.dll

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, DLL, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI

Source: classification engine

Classification label: mal60.troj.winDLL@4/12@0/0

Source: C:\Windows\SysWOW64\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6404

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER9730.tmp

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: BsYHxeX7Ok.dll	Virustotal: Detection: 14%
Source: BsYHxeX7Ok.dll	ReversingLabs: Detection: 57%

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\BsYHxeX7Ok.dll'
Source: unknown	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6404 -s 240
Source: unknown	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6404 -s 444
Source: unknown	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6404 -s 472

Source:	Binary string: wgdi32full.pdb source: WerFault.exe, 00000004.00000003.231654518.00000000055D1000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.243097538.0000000004E91000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.267923742.0000000004981000.00000004.00000001.sdmp
Source:	Binary string: wkernel32.pdb source: WerFault.exe, 00000004.00000003.231654518.00000000055D1000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.243097538.0000000004E91000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.267923742.0000000004981000.00000004.00000001.sdmp
Source:	Binary string: sechost.pdb source: WerFault.exe, 00000004.00000003.231666767.00000000055A2000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.243107080.0000000004FB2000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.267942144.0000000004B62000.00000004.00000040.sdmp
Source:	Binary string: ucrtbase.pdb source: WerFault.exe, 00000004.00000003.231654518.00000000055D1000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.243097538.0000000004E91000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.267923742.0000000004981000.00000004.00000001.sdmp
Source:	Binary string: comctl32v582.pdb7 source: WerFault.exe, 00000007.00000003.243131627.0000000004FB0000.00000004.00000040.sdmp
Source:	Binary string: msvcrt.pdb source: WerFault.exe, 00000004.00000003.231654518.00000000055D1000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.243097538.0000000004E91000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.267923742.0000000004981000.00000004.00000001.sdmp
Source:	Binary string: msctf.pdbJ source: WerFault.exe, 00000004.00000003.231672539.00000000055A8000.00000004.00000040.sdmp
Source:	Binary string: wrpcrt4.pdb source: WerFault.exe, 00000004.00000003.231708622.00000000055A5000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.243136061.0000000004FB5000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.267942144.0000000004B62000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdb source: WerFault.exe, 00000004.00000003.231654518.00000000055D1000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.243097538.0000000004E91000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.264415332.000000000287F000.00000004.00000001.sdmp
Source:	Binary string: wUxTheme.pdb/ source: WerFault.exe, 0000000B.00000003.267956961.0000000004B68000.00000004.00000040.sdmp
Source:	Binary string: wrpcrt4.pdbk source: WerFault.exe, 00000004.00000003.231708622.00000000055A5000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.243136061.0000000004FB5000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.267942144.0000000004B62000.00000004.00000040.sdmp
Source:	Binary string: wimm32.pdb; source: WerFault.exe, 0000000B.00000003.267956961.0000000004B68000.00000004.00000040.sdmp
Source:	Binary string: msctf.pdb source: WerFault.exe, 00000004.00000003.231672539.00000000055A8000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.243116297.0000000004FB8000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.267956961.0000000004B68000.00000004.00000040.sdmp
Source:	Binary string: ole32.pdb source: WerFault.exe, 00000004.00000003.231672539.00000000055A8000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.243116297.0000000004FB8000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.267956961.0000000004B68000.00000004.00000040.sdmp
Source:	Binary string: version.pdb source: WerFault.exe, 00000004.00000003.231672539.00000000055A8000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.243116297.0000000004FB8000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.267956961.0000000004B68000.00000004.00000040.sdmp
Source:	Binary string: wgdi32.pdb source: WerFault.exe, 00000004.00000003.231654518.00000000055D1000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.243097538.0000000004E91000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.267923742.0000000004981000.00000004.00000001.sdmp
Source:	Binary string: advapi32.pdb source: WerFault.exe, 00000004.00000003.231654518.00000000055D1000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.243097538.0000000004E91000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.267923742.0000000004981000.00000004.00000001.sdmp
Source:	Binary string: wsspicli.pdb source: WerFault.exe, 00000004.00000003.231695574.00000000055A0000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.243131627.0000000004FB0000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.267994019.0000000004B60000.00000004.00000040.sdmp
Source:	Binary string: msctf.pdby source: WerFault.exe, 0000000B.00000003.267956961.0000000004B68000.00000004.00000040.sdmp
Source:	Binary string: wimm32.pdbp source: WerFault.exe, 00000004.00000003.231672539.00000000055A8000.00000004.00000040.sdmp
Source:	Binary string: combase.pdb\ source: WerFault.exe, 00000004.00000003.231672539.00000000055A8000.00000004.00000040.sdmp
Source:	Binary string: version.pdb% source: WerFault.exe, 0000000B.00000003.267956961.0000000004B68000.00000004.00000040.sdmp
Source:	Binary string: msvcp_win.pdb source: WerFault.exe, 00000004.00000003.231654518.00000000055D1000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.243097538.0000000004E91000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.267923742.0000000004981000.00000004.00000001.sdmp
Source:	Binary string: cryptbase.pdb source: WerFault.exe, 00000004.00000003.231695574.00000000055A0000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.243131627.0000000004FB0000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.267994019.0000000004B60000.00000004.00000040.sdmp
Source:	Binary string: comctl32v582.pdb source: WerFault.exe, 00000004.00000003.231695574.00000000055A0000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.243131627.0000000004FB0000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.267994019.0000000004B60000.00000004.00000040.sdmp
Source:	Binary string: wimm32.pdb source: WerFault.exe, 00000004.00000003.231672539.00000000055A8000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.243116297.0000000004FB8000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.267956961.0000000004B68000.00000004.00000040.sdmp
Source:	Binary string: wkernelbase.pdb source: WerFault.exe, 00000004.00000003.231654518.00000000055D1000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.243097538.0000000004E91000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.267923742.0000000004981000.00000004.00000001.sdmp
Source:	Binary string: sechost.pdbk source: WerFault.exe, 00000004.00000003.231666767.00000000055A2000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.243107080.0000000004FB2000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.267942144.0000000004B62000.00000004.00000040.sdmp
Source:	Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000004.00000003.231695574.00000000055A0000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.243131627.0000000004FB0000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.267994019.0000000004B60000.00000004.00000040.sdmp
Source:	Binary string: combase.pdb source: WerFault.exe, 00000004.00000003.231672539.00000000055A8000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.243116297.0000000004FB8000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.267956961.0000000004B68000.00000004.00000040.sdmp
Source:	Binary string: wwin32u.pdb source: WerFault.exe, 00000004.00000003.231654518.00000000055D1000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.243097538.0000000004E91000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.267923742.0000000004981000.00000004.00000001.sdmp
Source:	Binary string: version.pdbv source: WerFault.exe, 00000004.00000003.231672539.00000000055A8000.00000004.00000040.sdmp
Source:	Binary string: combase.pdbk source: WerFault.exe, 0000000B.00000003.267956961.0000000004B68000.00000004.00000040.sdmp
Source:	Binary string: wUxTheme.pdbR source: WerFault.exe, 00000004.00000003.231672539.00000000055A8000.00000004.00000040.sdmp
Source:	Binary string: oleaut32.pdb source: WerFault.exe, 00000004.00000003.231695574.00000000055A0000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.243131627.0000000004FB0000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.267994019.0000000004B60000.00000004.00000040.sdmp
Source:	Binary string: wUxTheme.pdb source: WerFault.exe, 00000004.00000003.231672539.00000000055A8000.00000004.00000040.sdmp, WerFault.exe, 00000007.00000003.243116297.0000000004FB8000.00000004.00000040.sdmp, WerFault.exe, 0000000B.00000003.267956961.0000000004B68000.00000004.00000040.sdmp
Source:	Binary string: comctl32v582.pdb, source: WerFault.exe, 0000000B.00000003.267994019.0000000004B60000.00000004.00000040.sdmp
Source:	Binary string: upwntdll.pdb source: WerFault.exe, 00000004.00000002.235969294.0000000004E4A000.00000004.00000001.sdmp
Source:	Binary string: apphelp.pdb source: WerFault.exe, 00000004.00000003.231654518.00000000055D1000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.243097538.0000000004E91000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.267923742.0000000004981000.00000004.00000001.sdmp
Source:	Binary string: wuser32.pdb source: WerFault.exe, 00000004.00000003.231654518.00000000055D1000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.243097538.0000000004E91000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.267923742.0000000004981000.00000004.00000001.sdmp
Source:	Binary string: ole32.pdb( source: WerFault.exe, 00000004.00000003.231672539.00000000055A8000.00000004.00000040.sdmp
Source:	Binary string: upwntdll.pdb"w0 source: WerFault.exe, 00000004.00000003.231587693.0000000004E4A000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb( source: WerFault.exe, 0000000B.00000003.264415332.000000000287F000.00000004.00000001.sdmp

Data Obfuscation:

Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00762D98 push 00762E25h; ret	1_2_00762E1D
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_0077086C push 00770898h; ret	1_2_00770890
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00773848 push 00773874h; ret	1_2_0077386C
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00770834 push 00770860h; ret	1_2_00770858
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00764038 push 00764064h; ret	1_2_0076405C
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00770020 push 00770058h; ret	1_2_00770050
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_0073C8F0 push 0073C91Ch; ret	1_2_0073C914
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_0073B8EC push 0073B92Fh; ret	1_2_0073B927
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_007528C8 push 00752933h; ret	1_2_0075292B
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_0073A0B4 push 0073A0E0h; ret	1_2_0073A0D8
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_007738B8 push 007738E4h; ret	1_2_007738DC
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_0073C8A4 push 0073C8E6h; ret	1_2_0073C8DE
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00773880 push 007738ACh; ret	1_2_007738A4
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_0073B964 push 0073B990h; ret	1_2_0073B988
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00770934 push 00770960h; ret	1_2_00770958
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_0073E9E8 push 0073EA14h; ret	1_2_0073EA0C
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00758994 push ecx; mov dword ptr [esp], ecx	1_2_00758998
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_0073B99C push 0073B9D4h; ret	1_2_0073B9CC
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_0073B274 push 0073B2CDh; ret	1_2_0073B2C5
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00738A50 push 00738A7Ch; ret	1_2_00738A74
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_0073CA58 push 0073CA84h; ret	1_2_0073CA7C
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_0073BA30 push 0073BA5Ch; ret	1_2_0073BA54
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_0073AA38 push 0073AA87h; ret	1_2_0073AA7F
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_0076CA20 push 0076CA58h; ret	1_2_0076CA50
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_0076BAF0 push 0076BB32h; ret	1_2_0076BB2A
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_0073AAE0 push 0073AB0Ch; ret	1_2_0073AB04
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_0073AAA8 push 0073AAD4h; ret	1_2_0073AACC
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00738B7C push 00738BA8h; ret	1_2_00738BA0
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_0076BB64 push 0076BB90h; ret	1_2_0076BB88
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_0073BB60 push 0073BB8Ch; ret	1_2_0073BB84
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00739B64 push 00739BA2h; ret	1_2_00739B9A

Hooking and other Techniques for Hiding and Protection:

Source: C:\Windows\SysWOW64\WerFault.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Source: WerFault.exe, 00000004.00000002.235986143.0000000004EF0000.00000002.00000001.sdmp, WerFault.exe, 00000007.00000002.255418021.0000000005040000.00000002.00000001.sdmp, WerFault.exe, 0000000B.00000002.279996637.0000000004440000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: WerFault.exe, 00000007.00000003.253017420.000000000479F000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000002.279948140.0000000004340000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW
Source: WerFault.exe, 00000007.00000002.254441564.0000000004780000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW(
Source: WerFault.exe, 00000004.00000002.235986143.0000000004EF0000.00000002.00000001.sdmp, WerFault.exe, 00000007.00000002.255418021.0000000005040000.00000002.00000001.sdmp, WerFault.exe, 0000000B.00000002.279996637.0000000004440000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: WerFault.exe, 00000004.00000002.235986143.0000000004EF0000.00000002.00000001.sdmp, WerFault.exe, 00000007.00000002.255418021.0000000005040000.00000002.00000001.sdmp, WerFault.exe, 0000000B.00000002.279996637.0000000004440000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: WerFault.exe, 0000000B.00000003.278361427.0000000002854000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAWb
Source: WerFault.exe, 00000004.00000002.235986143.0000000004EF0000.00000002.00000001.sdmp, WerFault.exe, 00000007.00000002.255418021.0000000005040000.00000002.00000001.sdmp, WerFault.exe, 0000000B.00000002.279996637.0000000004440000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Anti Debugging:

Source: C:\Windows\System32\loaddll32.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Code function: 1_2_0071A823 mov eax, dword ptr fs:[00000030h]

1_2_0071A823

Source: C:\Windows\System32\loaddll32.exe

Memory protected: page write copy | page execute | page execute read | page execute and read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Source: C:\Windows\System32\loaddll32.exe

Code function: 1_2_007384D8 mouse_event,GetSystemMetrics,GetSystemMetrics,

1_2_007384D8

Stealing of Sensitive Information:

Yara detected Emotet

Show sources

Source: Yara match	File source: 00000001.00000002.282474266.0000000000850000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.282217417.0000000000710000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.282441133.0000000000820000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 1.2.loaddll32.exe.710000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.loaddll32.exe.850000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.loaddll32.exe.850000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.loaddll32.exe.710000.0.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Process Injection1	Virtualization/Sandbox Evasion1	OS Credential Dumping	Query Registry1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	System Shutdown/Reboot1
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Disable or Modify Tools1	LSASS Memory	Security Software Discovery11	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Process Injection1	Security Account Manager	Virtualization/Sandbox Evasion1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Obfuscated Files or Information1	NTDS	Peripheral Device Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	System Information Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Steganography	Cached Domain Credentials	Remote System Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
BsYHxeX7Ok.dll	14%	Virustotal		Browse
BsYHxeX7Ok.dll	57%	ReversingLabs	Win32.Trojan.EmotetCrypt
BsYHxeX7Ok.dll	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
1.2.loaddll32.exe.710000.0.unpack	100%	Avira	HEUR/AGEN.1110387		Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://crl.microsoftmT9	0%	Avira URL Cloud	safe
http://crl.microsoftmT	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://crl.microsoftmT9	WerFault.exe, 00000007.00000003.252976080.00000000047C7000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.microsoftmT	WerFault.exe, 00000007.00000003.252976080.00000000047C7000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	344139
Start date:	26.01.2021
Start time:	07:15:18
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 41s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	BsYHxeX7Ok.dll
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	33
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal60.troj.winDLL@4/12@0/0
EGA Information:	Failed
HDC Information:	Successful, ratio: 0.4% (good quality ratio 0.4%) Quality average: 93.9% Quality standard deviation: 3.4%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .dll
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WerFault.exe, wermgr.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 92.122.145.220, 13.64.90.137, 104.43.193.48, 92.122.144.200, 51.11.168.160, 95.101.22.224, 95.101.22.216, 51.103.5.186, 52.155.217.156, 20.54.26.129 Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, store-images.s-microsoft.com-c.edgekey.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, wns.notify.windows.com.akadns.net, arc.msn.com, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, e12564.dspb.akamaiedge.net, emea1.notify.windows.com.akadns.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, skypedataprdcolwus17.cloudapp.net, client.wns.windows.com, fs.microsoft.com, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, skypedataprdcolcus15.cloudapp.net, ris.api.iris.microsoft.com, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, par02p.wns.notify.trafficmanager.net

Simulations

Behavior and APIs

Time	Type	Description
07:16:20	API Interceptor	2x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_loaddll32.exe_7225963344ab2d4b76a392ee69fe603ad8f2abb_b4806494_1a50c15d\Report.wer Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	10134
Entropy (8bit):	3.7646610495056536
Encrypted:	false
SSDEEP:	96:RYnj4CW0yTVy9hTot7JnqpXIQcQac6pcEccw35+a+z+HbHgEVG4rmMKazWbSmvFp:qjXUsH0tGtjpDH/u7s+S274ItWu
MD5:	C422BA0A5A2F8E68DE85C4F2B27F9744
SHA1:	3BF55DF103B0A07C910E7212E996086058E92EE2
SHA-256:	76F9281E1BBF7371B963688062377A17A0FF6C0EA433DA31BAF23F7607B0FD15
SHA-512:	A2CF62D79BE241ED893FC1D22D92A5584BB816D248509E744D6B853D6BC3F610290BEB393E370DA1008D9B711A11E2192F932F6A64E8AD36C30FA1C5AD2678F6
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.5.6.1.4.7.7.7.4.7.2.5.7.1.1.0.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.5.6.1.4.7.7.7.7.9.7.5.7.1.1.2.....R.e.p.o.r.t.S.t.a.t.u.s.=.2.6.8.4.3.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.5.9.d.6.e.a.f.-.7.1.e.6.-.4.a.2.9.-.8.e.a.8.-.2.0.2.1.e.c.2.5.3.e.2.e.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.6.c.7.c.d.e.3.2.-.2.3.0.5.-.4.d.7.d.-.8.7.3.3.-.4.f.e.3.3.0.1.4.0.1.3.e.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.l.o.a.d.d.l.l.3.2...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.9.0.4.-.0.0.0.1.-.0.0.1.6.-.f.6.d.a.-.b.d.2.a.f.6.f.3.d.6.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.d.a.3.9.a.3.e.e.5.e.6.b.4.b.0.d.3.2.5.5.b.f.e.f.9.5.6.0.1.8.9.0.a.f.d.8.0.7.0.9.!.0.0.0.0.d.a.3.9.a.3.e.e.5.e.6.b.4.b.0.d.3.2.5.5.b.f.e.f.9.5.6.0.1.8.9.0.a.f.d.8.0.7.0.9.!.l.o.a.d.d.l.l.3.2...e.x.e.....T.a.r.g.e.t.A.p.

C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_loaddll32.exe_c5a25cdcc8f97dcd0e408681553972f33acea_b4806494_1b20ef63\Report.wer Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	10088
Entropy (8bit):	3.7615576725876148
Encrypted:	false
SSDEEP:	96:ox36Plcpj4CW0yEmqy9hT97efvpXIQcQPc6bcEycw37+a+z+HbHgEVG4rmMKazWG:E36SdXU/oHhfoXjpDH/u7sZS274ItWo
MD5:	7C12BFAB0F59B52846C04CA731DB267F
SHA1:	35D9E460CADC4404C6869BD59529D76B7D65F552
SHA-256:	1B1AAD60F962C1D569BFCE727AC594D027798D06BA38326D51FCFB41E7FCC265
SHA-512:	82B663750666DF8D20A7902E743E6304D570E6B48817CAD93D6E2A8750DC97081C2D1C21F59B2BAD1A5D546F56E60611207C4BAD7213C53875AB55179985120F
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.5.6.1.4.7.7.8.6.0.0.6.9.5.4.5.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.5.6.1.4.7.7.9.0.2.5.6.9.4.4.4.....R.e.p.o.r.t.S.t.a.t.u.s.=.2.6.8.4.3.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.9.1.d.f.a.c.c.-.1.3.c.a.-.4.d.e.1.-.b.4.1.7.-.5.e.b.2.d.c.5.f.0.1.5.e.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.d.6.2.6.9.f.0.-.5.5.2.e.-.4.3.7.3.-.a.7.1.f.-.7.5.e.6.d.e.a.3.0.0.6.2.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.l.o.a.d.d.l.l.3.2...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.9.0.4.-.0.0.0.1.-.0.0.1.6.-.f.6.d.a.-.b.d.2.a.f.6.f.3.d.6.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.d.a.3.9.a.3.e.e.5.e.6.b.4.b.0.d.3.2.5.5.b.f.e.f.9.5.6.0.1.8.9.0.a.f.d.8.0.7.0.9.!.0.0.0.0.d.a.3.9.a.3.e.e.5.e.6.b.4.b.0.d.3.2.5.5.b.f.e.f.9.5.6.0.1.8.9.0.a.f.d.8.0.7.0.9.!.l.o.a.d.d.l.l.3.2...e.x.e.....T.a.r.g.e.t.A.p.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_loaddll32.exe_a074f448eb416fc5ae408d6a8da6168cd6117a23_b4806494_19c8a097\Report.wer Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	9694
Entropy (8bit):	3.759141443436875
Encrypted:	false
SSDEEP:	96:ACj4CW0yxy9hT97WzSZpXIQcQac6pcEccw35+a+z+HbHgEVG4rmMKazWbSmvFVh/:XXU8H0tGtjpDy/u7s+S274ItbY
MD5:	C0C05C8B451A7A3E6C0931043ACAE82B
SHA1:	BBD9E48041A8C762CA2F04063102F83C6C58E2EC
SHA-256:	124FCECED0D204475F000701E1B296B48038426D5A1C0480FEEB189B8E19D338
SHA-512:	5573A6CB152E6CCBE99D757B9019DD96FB534B8268E279C366226410F10477BC29BDF75F62A1040B5A824A1DF8FC2A1DB78D55E1BF0B6D81E669DBCA3CAF0092
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.2.5.6.1.4.7.7.6.9.2.2.5.7.1.5.9.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.2.c.f.7.6.d.6.-.c.8.0.b.-.4.1.6.4.-.9.c.c.3.-.9.0.4.f.f.e.5.d.8.f.7.0.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.d.a.1.7.b.f.d.-.a.0.6.1.-.4.c.c.8.-.9.5.e.d.-.c.0.6.6.4.0.8.c.6.a.f.c.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.l.o.a.d.d.l.l.3.2...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.9.0.4.-.0.0.0.1.-.0.0.1.6.-.f.6.d.a.-.b.d.2.a.f.6.f.3.d.6.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.d.a.3.9.a.3.e.e.5.e.6.b.4.b.0.d.3.2.5.5.b.f.e.f.9.5.6.0.1.8.9.0.a.f.d.8.0.7.0.9.!.0.0.0.0.d.a.3.9.a.3.e.e.5.e.6.b.4.b.0.d.3.2.5.5.b.f.e.f.9.5.6.0.1.8.9.0.a.f.d.8.0.7.0.9.!.l.o.a.d.d.l.l.3.2...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.0././.1.1././.3.0.:.1.2.:.1.5.:.2.1.!.0.!.l.o.a.d.d.l.l.3.2...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.7.2.9.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9730.tmp.dmp Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Tue Jan 26 15:16:09 2021, 0x1205a4 type
Category:	dropped
Size (bytes):	41828
Entropy (8bit):	2.038826544545495
Encrypted:	false
SSDEEP:	192:w0RghZKselJ94Q2S1uBIWrE91VNybNDXnpon/J/j:tRWZ5elJGQ2ScSWwPybN8Fj
MD5:	13F7C11E69DA9921F0651BDEF07D381B
SHA1:	E0892C6958FECCD7EEAF5387B7B8A4B841454185
SHA-256:	7A7A6DB3E948ADCFAEA494D9CEB767647D5BF746395B61BEBAC7B129117D7552
SHA-512:	297C0760F2705149595CB09F3170DB9DA313C8CBCE833C7C2C2C89519DC48427385BE4D7D6EFC4B69B4D15AD41FE11A0C01AB9260AC4175770E2243C40DA62B3
Malicious:	false
Reputation:	low
Preview:	MDMP....... .......92.`...................U...........B..............GenuineIntelW...........T...........52.`.............................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9ABC.tmp.WERInternalMetadata.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	8348
Entropy (8bit):	3.6920162098436102
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNi4DY6Qu2v6YIvSU8aigmfiSWCpN489bsn41fQkm:RrlsNiD6Z2v6YgSU8aigmfiS9snifi
MD5:	B087A84A63DCF6F547DED7B76CEA8618
SHA1:	0FE760CDC04A8A14D83F93FEC8BE0CB32B1A4415
SHA-256:	8EC704446CE8495B41A93C89D8C6ECFC9B8A969B6C01F3A19773B86A1D45CD63
SHA-512:	923B0462F9B50227320B7885D51437D4265C1F3A1A51256DCDF6BE16704DAA01EB039D193DFA5DA95E1606BD43D6AECCD2360DB4C88CB818B522D8BAB53E78BE
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.4.0.4.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9DDA.tmp.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4658
Entropy (8bit):	4.429769617248258
Encrypted:	false
SSDEEP:	48:cvIwSD8zsxRJgtWI9r2yWSC8B548fm8M4JONgFa2+q8vYNQxKcQIcQwv+ld:uITfxESSN/1JjKLxKkwv+ld
MD5:	15F23103DA45B2E2067424F685EEAC3B
SHA1:	0A0ECF39D509F43B7A4DDA03CC795ED7FDD98F35
SHA-256:	E7395CD429268F456A2870CFAA16863EEE1BE912FCFB1C984E05C37814307726
SHA-512:	0A25EAA7333E6DB9589FB4BA33CD61043AB5ECC0C0821F0681419D5561AFED3CCC99B61E04083688758C89137E26FE1A82D45EBF2A7BA78B3458EF2CAC9D38AE
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="833786" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\ProgramData\Microsoft\Windows\WER\Temp\WERACAC.tmp.dmp Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Tue Jan 26 15:16:15 2021, 0x1205a4 type
Category:	dropped
Size (bytes):	41588
Entropy (8bit):	1.9841631652526566
Encrypted:	false
SSDEEP:	192:eTJghZKs+lJV4QLduBIWrNkSIyP0R57uClbfyS:IJWZ5+lJeQLESWR1IycmS
MD5:	765F4C728B13DB1896B73E947B12A075
SHA1:	3A442390A85D48F3C59F11EC23CD50616DF903EE
SHA-256:	90713247A4E4F0607D07381F754AE6FD3ABA76219BB96F45E4D8EEC59D43FF0F
SHA-512:	CC29B2948E90E7B937D9D3440C2D8C1E60365397E1AD1500116E4171F26485C11D364EE26B04B140A880073C7171910DA4C9C3F53F87A58C1B6EE64BB226F312
Malicious:	false
Reputation:	low
Preview:	MDMP....... .......?2.`...................U...........B..............GenuineIntelW...........T...........52.`.............................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERAF9B.tmp.WERInternalMetadata.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	8324
Entropy (8bit):	3.6961754756167085
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNi4Dc67k2v6YI6SUqaRyegmf4SWCpr789bRnYsfzbm:RrlsNi36Y2v6Y1SUqawegmf4SiRnLfu
MD5:	62A4C5380C0701B801FB197677E5ABAC
SHA1:	4D292495B0B5F91FE005AE50849CAFABA41DBBA3
SHA-256:	75913919B52F091A4CE08D29F16A405613FC5E3D46BB781B98C4444AD14D4A5D
SHA-512:	3969A874806BBEE55F225514FA20B83BD0A33D7B78CBDBC6B5FF79DF564D3D1937EB3203607CCCEFB696C8AA6F4AF4715ACDD7FB32701BBEA2008A0E535D9FF7
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.4.0.4.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB133.tmp.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4597
Entropy (8bit):	4.472832368306633
Encrypted:	false
SSDEEP:	48:cvIwSD8zsxRJgtWI9r2yWSC8BCa8fm8M4JO6ZFD+q8bDRxKcQIcQwv+kd:uITfxESSNkJ1XGRxKkwv+kd
MD5:	BC1B5B1EEC72DA00CD5949DC7F3BA676
SHA1:	E12EC1F3D79B613019F10A0045D0438CC00E1BCC
SHA-256:	1B18F4B5F4C9BFEBA22BADF0E6151A5E12F659825AD8D70BD4E646BB80C1E6F6
SHA-512:	CEE37113BD761A498F4F3E4EC6967A6254E339AE4FB5657EC08E286BD46DD4ECAAD9FE01C3B775B7C6AF0724369330DB21AD1EF0DB9FAC0828C24E80BD402871
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="833786" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD8BE.tmp.dmp Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Tue Jan 26 15:16:26 2021, 0x1205a4 type
Category:	dropped
Size (bytes):	38012
Entropy (8bit):	1.9487981955990552
Encrypted:	false
SSDEEP:	192:T9NhZKs+lJn4QjeuBIWrR79BK7EIjefEgd:JNhZ5+lJ4QjlSWV9BLEy
MD5:	0B9AD215C68D0C2D8D4ECF2D37D404FA
SHA1:	E59D52ABA900ABB633313B1C1069C44EA413D5CD
SHA-256:	A2359A269A277B7C0C9F22E3B87C282F06660E5CD25522CC1B0261CE1010DF7F
SHA-512:	381A837F6896D77F9666D088D5126163C908D6289AF713FD96472AF7DFFDDDFB5AC17C971D5840CB9AEE8928ED6A3418D0AA6D6BB1581F94F1343ABA2CF90BBD
Malicious:	false
Reputation:	low
Preview:	MDMP....... .......J2.`...................U...........B..............GenuineIntelW...........T...........52.`.............................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERDD04.tmp.WERInternalMetadata.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	8284
Entropy (8bit):	3.6935941200272753
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNi4DK6ON2v6YIBSUqWJGgmfVSNCpDI89bgnYsfT6jAm:RrlsNiZ6U2v6YOSUqRgmfVSognLfex
MD5:	D3EF14C680659FAFE7857906EA45F07E
SHA1:	8E38362D0022974C6F9D4DE01928B9860149F470
SHA-256:	1CC0D42DE82F5B2CD5BF2DAEE353CC4C7D04908884ABAFB8B78401015163A0FA
SHA-512:	18C25D8A622E514729EBCB9BCAB71D67B40557689605E49746F35A412D04FE4B75C9E16C613D3BBCF4A502C444C142360DADEC758B703F01EB53FAF1E89683A1
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.4.0.4.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WERDF96.tmp.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4557
Entropy (8bit):	4.4437911607407345
Encrypted:	false
SSDEEP:	48:cvIwSD8zsxKJgtWI9r2yWSC8Bk8fm8M4JORjFa5+q8p8nxKcQIcQwv+kd:uITf+ESSNnJ1bxKkwv+kd
MD5:	0299DEE8AB3686E56106BD95512135EE
SHA1:	99340B2A5043DCC5BC2953D621AA2A1193B649CF
SHA-256:	085A99D7E2E96BA20FDC7A439CD870BE4B5DBEBE288B8A411B9F9E2EDBC3D448
SHA-512:	913A7E69FF027B2E0FA6468B3AC9D02D316184596845B6B30B581F13B3E11F2D4BFD47D98E73795F3F13222B104D61C496788CA99B032B6E2AE44A06B48A75D4
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="833787" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

Static File Info

General
File type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.906327751615201
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 97.97% Win32 Executable Delphi generic (14689/80) 1.44% Win16/32 Executable Delphi generic (2074/23) 0.20% Generic Win/DOS Executable (2004/3) 0.20% DOS Executable Generic (2002/1) 0.20%
File name:	BsYHxeX7Ok.dll
File size:	628736
MD5:	0125320a954399ad7b275b67b97a273f
SHA1:	37afd871f306977f49c56400183ef5a80d8748f1
SHA256:	d8a15d14d7bdc4d2e1d948e20cf2835b452f46b2c0860ccd8147ee8d8a43adec
SHA512:	bc4b30147d97520ff627cf8e843ffe3619ae7423fe1da7f3e6b21a0452728c1ba944d5acb53c65ea07372db22f9fac5c850683a5e385335ad08f28c6d20e6951
SSDEEP:	12288:SYzchQVZnkmt/70MWugxPJZFpf0c1pHBbdJrs2xnd:d4KV5Hpt8bZHLXCA
File Content Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

File Icon


Icon Hash:	b99988fcd4f66e0f

Static PE Info

General
Entrypoint:	0x463ebc
Entrypoint Section:	CODE
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, DLL, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI
DLL Characteristics:
Time Stamp:	0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	7ed08afc6b0c9da85427ea1b02b1e145

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
add esp, FFFFFFC4h
mov eax, 00463C14h
call 00007FCAB4E9DD45h
mov dword ptr [0046666Ch], 00463928h
mov eax, 00000001h
call 00007FCAB4EFB23Dh
call 00007FCAB4E9B9FCh
lea eax, dword ptr [eax+00h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x67000	0x22ec	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x71000	0x2ba00	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x6a000	0x6ed4	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
CODE	0x1000	0x62ee8	0x63000	False	0.52030806108	data	6.5550941356	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
DATA	0x64000	0x14cc	0x1600	False	0.433948863636	data	4.11607326462	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
BSS	0x66000	0xcd1	0x0	False	0	empty	0.0	IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.idata	0x67000	0x22ec	0x2400	False	0.359809027778	data	4.92726416893	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.reloc	0x6a000	0x6ed4	0x7000	False	0.624232700893	data	6.67422538704	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.rsrc	0x71000	0x2ba00	0x2ba00	False	0.685765132521	data	6.85431640563	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
FF	0x71b2c	0x25c09	data	English	United States
RT_CURSOR	0x97738	0x134	data
RT_CURSOR	0x9786c	0x134	data
RT_CURSOR	0x979a0	0x134	data
RT_CURSOR	0x97ad4	0x134	data
RT_CURSOR	0x97c08	0x134	data
RT_CURSOR	0x97d3c	0x134	data
RT_CURSOR	0x97e70	0x134	data
RT_BITMAP	0x97fa4	0x1d0	data
RT_BITMAP	0x98174	0x1e4	data
RT_BITMAP	0x98358	0x1d0	data
RT_BITMAP	0x98528	0x1d0	data
RT_BITMAP	0x986f8	0x1d0	data
RT_BITMAP	0x988c8	0x1d0	data
RT_BITMAP	0x98a98	0x1d0	data
RT_BITMAP	0x98c68	0x1d0	data
RT_BITMAP	0x98e38	0x1d0	data
RT_BITMAP	0x99008	0x1d0	data
RT_BITMAP	0x991d8	0xe8	GLS_BINARY_LSB_FIRST
RT_ICON	0x992c0	0x2e8	dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 49, next used block 48059	Russian	Russia
RT_DIALOG	0x995a8	0x52	data
RT_STRING	0x995fc	0x404	data
RT_STRING	0x99a00	0x1cc	data
RT_STRING	0x99bcc	0x188	data
RT_STRING	0x99d54	0x1b0	data
RT_STRING	0x99f04	0x218	data
RT_STRING	0x9a11c	0xec	data
RT_STRING	0x9a208	0x224	data
RT_STRING	0x9a42c	0x33c	data
RT_STRING	0x9a768	0x3d4	data
RT_STRING	0x9ab3c	0x3a4	data
RT_STRING	0x9aee0	0x3e8	data
RT_STRING	0x9b2c8	0xf4	data
RT_STRING	0x9b3bc	0xc4	data
RT_STRING	0x9b480	0x2c0	data
RT_STRING	0x9b740	0x478	data
RT_STRING	0x9bbb8	0x3ac	data
RT_STRING	0x9bf64	0x2d4	data
RT_RCDATA	0x9c238	0x10	data
RT_RCDATA	0x9c248	0x358	data
RT_RCDATA	0x9c5a0	0x29c	Delphi compiled form 'TForm1'
RT_GROUP_CURSOR	0x9c83c	0x14	Lotus unknown worksheet or configuration, revision 0x1
RT_GROUP_CURSOR	0x9c850	0x14	Lotus unknown worksheet or configuration, revision 0x1
RT_GROUP_CURSOR	0x9c864	0x14	Lotus unknown worksheet or configuration, revision 0x1
RT_GROUP_CURSOR	0x9c878	0x14	Lotus unknown worksheet or configuration, revision 0x1
RT_GROUP_CURSOR	0x9c88c	0x14	Lotus unknown worksheet or configuration, revision 0x1
RT_GROUP_CURSOR	0x9c8a0	0x14	Lotus unknown worksheet or configuration, revision 0x1
RT_GROUP_CURSOR	0x9c8b4	0x14	Lotus unknown worksheet or configuration, revision 0x1
RT_GROUP_ICON	0x9c8c8	0x14	data	Russian	Russia

Imports

DLL	Import
kernel32.dll	DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, GetVersion, GetCurrentThreadId, InterlockedDecrement, InterlockedIncrement, VirtualQuery, WideCharToMultiByte, MultiByteToWideChar, lstrlenA, lstrcpynA, LoadLibraryExA, GetThreadLocale, GetStartupInfoA, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetCommandLineA, FreeLibrary, FindFirstFileA, FindClose, ExitProcess, WriteFile, UnhandledExceptionFilter, RtlUnwind, RaiseException, GetStdHandle
user32.dll	GetKeyboardType, LoadStringA, MessageBoxA, CharNextA
advapi32.dll	RegQueryValueExA, RegOpenKeyExA, RegCloseKey
oleaut32.dll	SysFreeString, SysReAllocStringLen, SysAllocStringLen
kernel32.dll	TlsSetValue, TlsGetValue, TlsFree, TlsAlloc, LocalFree, LocalAlloc
advapi32.dll	RegQueryValueExA, RegOpenKeyExA, RegCloseKey
kernel32.dll	lstrcpyA, WriteFile, WinExec, WaitForSingleObject, VirtualQuery, VirtualAlloc, Sleep, SizeofResource, SetThreadLocale, SetFilePointer, SetEvent, SetErrorMode, SetEndOfFile, ResetEvent, ReadFile, MultiByteToWideChar, MulDiv, LockResource, LoadResource, LoadLibraryA, LeaveCriticalSection, InitializeCriticalSection, GlobalUnlock, GlobalReAlloc, GlobalHandle, GlobalLock, GlobalFree, GlobalFindAtomA, GlobalDeleteAtom, GlobalAlloc, GlobalAddAtomA, GetVersionExA, GetVersion, GetTickCount, GetThreadLocale, GetSystemInfo, GetStringTypeExA, GetStdHandle, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLocalTime, GetLastError, GetFullPathNameA, GetDiskFreeSpaceA, GetDateFormatA, GetCurrentThreadId, GetCurrentProcessId, GetCPInfo, GetACP, FreeResource, InterlockedExchange, FreeLibrary, FormatMessageA, FindResourceA, ExitProcess, EnumCalendarInfoA, EnterCriticalSection, DeleteCriticalSection, CreateThread, CreateFileA, CreateEventA, CompareStringA, CloseHandle
version.dll	VerQueryValueA, GetFileVersionInfoSizeA, GetFileVersionInfoA
gdi32.dll	UnrealizeObject, StretchBlt, SetWindowOrgEx, SetViewportOrgEx, SetTextColor, SetStretchBltMode, SetROP2, SetPixel, SetDIBColorTable, SetBrushOrgEx, SetBkMode, SetBkColor, SelectPalette, SelectObject, SaveDC, RestoreDC, RectVisible, RealizePalette, PatBlt, MoveToEx, MaskBlt, LineTo, IntersectClipRect, GetWindowOrgEx, GetTextMetricsA, GetTextExtentPoint32A, GetSystemPaletteEntries, GetStockObject, GetPixel, GetPaletteEntries, GetObjectA, GetEnhMetaFileA, GetDeviceCaps, GetDIBits, GetDIBColorTable, GetDCOrgEx, GetCurrentPositionEx, GetClipBox, GetBrushOrgEx, GetBitmapBits, ExcludeClipRect, DeleteObject, DeleteDC, CreateSolidBrush, CreatePenIndirect, CreatePalette, CreateHalftonePalette, CreateFontIndirectA, CreateDIBitmap, CreateDIBSection, CreateCompatibleDC, CreateCompatibleBitmap, CreateBrushIndirect, CreateBitmap, BitBlt
user32.dll	CreateWindowExA, WindowFromPoint, WinHelpA, WaitMessage, UpdateWindow, UnregisterClassA, UnhookWindowsHookEx, TranslateMessage, TranslateMDISysAccel, TrackPopupMenu, SystemParametersInfoA, ShowWindow, ShowScrollBar, ShowOwnedPopups, ShowCursor, SetWindowsHookExA, SetWindowPos, SetWindowPlacement, SetWindowLongA, SetTimer, SetScrollRange, SetScrollPos, SetScrollInfo, SetRect, SetPropA, SetParent, SetMenuItemInfoA, SetMenu, SetForegroundWindow, SetFocus, SetCursor, SetClassLongA, SetCapture, SetActiveWindow, SendMessageA, ScrollWindow, ScreenToClient, RemovePropA, RemoveMenu, ReleaseDC, ReleaseCapture, RegisterWindowMessageA, RegisterClipboardFormatA, RegisterClassA, RedrawWindow, PtInRect, PostQuitMessage, PostMessageA, PeekMessageA, OffsetRect, OemToCharA, MessageBoxA, MapWindowPoints, MapVirtualKeyA, LoadStringA, LoadKeyboardLayoutA, LoadIconA, LoadCursorA, LoadBitmapA, KillTimer, IsZoomed, IsWindowVisible, IsWindowEnabled, IsWindow, IsRectEmpty, IsIconic, IsDialogMessageA, IsChild, InvalidateRect, IntersectRect, InsertMenuItemA, InsertMenuA, InflateRect, GetWindowThreadProcessId, GetWindowTextA, GetWindowRect, GetWindowPlacement, GetWindowLongA, GetWindowDC, GetTopWindow, GetSystemMetrics, GetSystemMenu, GetSysColorBrush, GetSysColor, GetSubMenu, GetScrollRange, GetScrollPos, GetScrollInfo, GetPropA, GetParent, GetWindow, GetMenuStringA, GetMenuState, GetMenuItemInfoA, GetMenuItemID, GetMenuItemCount, GetMenu, GetLastActivePopup, GetKeyboardState, GetKeyboardLayoutList, GetKeyboardLayout, GetKeyState, GetKeyNameTextA, GetIconInfo, GetForegroundWindow, GetFocus, GetDesktopWindow, GetDCEx, GetDC, GetCursorPos, GetCursor, GetClientRect, GetClassNameA, GetClassInfoA, GetCapture, GetActiveWindow, FrameRect, FindWindowA, FillRect, EqualRect, EnumWindows, EnumThreadWindows, EndPaint, EnableWindow, EnableScrollBar, EnableMenuItem, DrawTextA, DrawMenuBar, DrawIconEx, DrawIcon, DrawFrameControl, DrawEdge, DispatchMessageA, DestroyWindow, DestroyMenu, DestroyIcon, DestroyCursor, DeleteMenu, DefWindowProcA, DefMDIChildProcA, DefFrameProcA, CreatePopupMenu, CreateMenu, CreateIcon, ClientToScreen, CheckMenuItem, CharUpperW, CallWindowProcA, CallNextHookEx, BeginPaint, CharNextA, CharLowerA, CharUpperBuffA, CharUpperA, CharToOemA, AdjustWindowRectEx, ActivateKeyboardLayout
kernel32.dll	Sleep
oleaut32.dll	SafeArrayPtrOfIndex, SafeArrayPutElement, SafeArrayGetElement, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayCreate, VariantChangeType, VariantCopyInd, VariantCopy, VariantClear, VariantInit
ole32.dll	CoCreateInstance, CoUninitialize, CoInitialize
oleaut32.dll	CreateErrorInfo, GetErrorInfo, SetErrorInfo, SysFreeString
comctl32.dll	ImageList_SetIconSize, ImageList_GetIconSize, ImageList_Write, ImageList_Read, ImageList_GetDragImage, ImageList_DragShowNolock, ImageList_SetDragCursorImage, ImageList_DragMove, ImageList_DragLeave, ImageList_DragEnter, ImageList_EndDrag, ImageList_BeginDrag, ImageList_Remove, ImageList_DrawEx, ImageList_Draw, ImageList_GetBkColor, ImageList_SetBkColor, ImageList_ReplaceIcon, ImageList_Add, ImageList_GetImageCount, ImageList_Destroy, ImageList_Create
user32.dll	DdeCmpStringHandles, DdeFreeStringHandle, DdeQueryStringA, DdeCreateStringHandleA, DdeGetLastError, DdeFreeDataHandle, DdeUnaccessData, DdeAccessData, DdeCreateDataHandle, DdeClientTransaction, DdeNameService, DdePostAdvise, DdeSetUserHandle, DdeQueryConvInfo, DdeDisconnect, DdeConnect, DdeUninitialize, DdeInitializeA

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States
Russian	Russia

Network Behavior

Network Port Distribution

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 26, 2021 07:16:01.119040012 CET	61733	53	192.168.2.5	8.8.8.8
Jan 26, 2021 07:16:01.178134918 CET	53	61733	8.8.8.8	192.168.2.5
Jan 26, 2021 07:16:01.209001064 CET	65447	53	192.168.2.5	8.8.8.8
Jan 26, 2021 07:16:01.256872892 CET	53	65447	8.8.8.8	192.168.2.5
Jan 26, 2021 07:16:02.487807035 CET	52441	53	192.168.2.5	8.8.8.8
Jan 26, 2021 07:16:02.546792030 CET	53	52441	8.8.8.8	192.168.2.5
Jan 26, 2021 07:16:03.683407068 CET	62176	53	192.168.2.5	8.8.8.8
Jan 26, 2021 07:16:03.739995003 CET	53	62176	8.8.8.8	192.168.2.5
Jan 26, 2021 07:16:05.011957884 CET	59596	53	192.168.2.5	8.8.8.8
Jan 26, 2021 07:16:05.059942961 CET	53	59596	8.8.8.8	192.168.2.5
Jan 26, 2021 07:16:05.960835934 CET	65296	53	192.168.2.5	8.8.8.8
Jan 26, 2021 07:16:06.011603117 CET	53	65296	8.8.8.8	192.168.2.5
Jan 26, 2021 07:16:07.402606964 CET	63183	53	192.168.2.5	8.8.8.8
Jan 26, 2021 07:16:07.450618029 CET	53	63183	8.8.8.8	192.168.2.5
Jan 26, 2021 07:16:08.767453909 CET	60151	53	192.168.2.5	8.8.8.8
Jan 26, 2021 07:16:08.826179981 CET	53	60151	8.8.8.8	192.168.2.5
Jan 26, 2021 07:16:10.116492033 CET	56969	53	192.168.2.5	8.8.8.8
Jan 26, 2021 07:16:10.164515972 CET	53	56969	8.8.8.8	192.168.2.5
Jan 26, 2021 07:16:13.290750980 CET	55161	53	192.168.2.5	8.8.8.8
Jan 26, 2021 07:16:13.341430902 CET	53	55161	8.8.8.8	192.168.2.5
Jan 26, 2021 07:16:18.910341024 CET	54757	53	192.168.2.5	8.8.8.8
Jan 26, 2021 07:16:18.958494902 CET	53	54757	8.8.8.8	192.168.2.5
Jan 26, 2021 07:16:27.058024883 CET	49992	53	192.168.2.5	8.8.8.8
Jan 26, 2021 07:16:27.119025946 CET	53	49992	8.8.8.8	192.168.2.5
Jan 26, 2021 07:16:31.141572952 CET	60075	53	192.168.2.5	8.8.8.8
Jan 26, 2021 07:16:31.192306995 CET	53	60075	8.8.8.8	192.168.2.5
Jan 26, 2021 07:16:34.584722042 CET	55016	53	192.168.2.5	8.8.8.8
Jan 26, 2021 07:16:34.632829905 CET	53	55016	8.8.8.8	192.168.2.5
Jan 26, 2021 07:16:42.898499012 CET	64345	53	192.168.2.5	8.8.8.8
Jan 26, 2021 07:16:42.954871893 CET	53	64345	8.8.8.8	192.168.2.5
Jan 26, 2021 07:16:50.643254042 CET	57128	53	192.168.2.5	8.8.8.8
Jan 26, 2021 07:16:50.691179037 CET	53	57128	8.8.8.8	192.168.2.5
Jan 26, 2021 07:16:56.036890030 CET	54791	53	192.168.2.5	8.8.8.8
Jan 26, 2021 07:16:56.092883110 CET	53	54791	8.8.8.8	192.168.2.5
Jan 26, 2021 07:16:56.728971958 CET	50463	53	192.168.2.5	8.8.8.8
Jan 26, 2021 07:16:56.788089037 CET	53	50463	8.8.8.8	192.168.2.5
Jan 26, 2021 07:16:57.551562071 CET	50394	53	192.168.2.5	8.8.8.8
Jan 26, 2021 07:16:57.608000994 CET	53	50394	8.8.8.8	192.168.2.5
Jan 26, 2021 07:16:58.070348024 CET	58530	53	192.168.2.5	8.8.8.8
Jan 26, 2021 07:16:58.121098995 CET	53	58530	8.8.8.8	192.168.2.5
Jan 26, 2021 07:17:00.018488884 CET	53813	53	192.168.2.5	8.8.8.8
Jan 26, 2021 07:17:00.077462912 CET	53	53813	8.8.8.8	192.168.2.5
Jan 26, 2021 07:17:00.651200056 CET	63732	53	192.168.2.5	8.8.8.8
Jan 26, 2021 07:17:00.707487106 CET	53	63732	8.8.8.8	192.168.2.5
Jan 26, 2021 07:17:01.280186892 CET	57344	53	192.168.2.5	8.8.8.8
Jan 26, 2021 07:17:01.330993891 CET	53	57344	8.8.8.8	192.168.2.5
Jan 26, 2021 07:17:01.361679077 CET	54450	53	192.168.2.5	8.8.8.8
Jan 26, 2021 07:17:01.425633907 CET	53	54450	8.8.8.8	192.168.2.5
Jan 26, 2021 07:17:02.171823025 CET	59261	53	192.168.2.5	8.8.8.8
Jan 26, 2021 07:17:02.230834007 CET	53	59261	8.8.8.8	192.168.2.5
Jan 26, 2021 07:17:02.438508034 CET	57151	53	192.168.2.5	8.8.8.8
Jan 26, 2021 07:17:02.494695902 CET	53	57151	8.8.8.8	192.168.2.5
Jan 26, 2021 07:17:05.021364927 CET	59413	53	192.168.2.5	8.8.8.8
Jan 26, 2021 07:17:05.077379942 CET	53	59413	8.8.8.8	192.168.2.5
Jan 26, 2021 07:17:05.499620914 CET	60516	53	192.168.2.5	8.8.8.8
Jan 26, 2021 07:17:05.555548906 CET	53	60516	8.8.8.8	192.168.2.5

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: loaddll32.exe PID: 6404 Parent PID: 5700

General

Start time:	07:16:05
Start date:	26/01/2021
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe 'C:\Users\user\Desktop\BsYHxeX7Ok.dll'
Imagebase:	0x1050000
File size:	120832 bytes
MD5 hash:	2D39D4DFDE8F7151723794029AB8A034
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000001.00000002.282474266.0000000000850000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000001.00000002.282217417.0000000000710000.00000040.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000001.00000002.282441133.0000000000820000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	moderate

Analysis Process: WerFault.exe PID: 6528 Parent PID: 6404

General

Start time:	07:16:07
Start date:	26/01/2021
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 6404 -s 240
Imagebase:	0x240000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: WerFault.exe PID: 6680 Parent PID: 6404

General

Start time:	07:16:13
Start date:	26/01/2021
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 6404 -s 444
Imagebase:	0x240000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: WerFault.exe PID: 7016 Parent PID: 6404

General

Start time:	07:16:24
Start date:	26/01/2021
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 6404 -s 472
Imagebase:	0x240000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: loaddll32.exe PID: 6404 Parent PID: 5700 loaddll32.exeCOMMON

Executed Functions

Function 0071DBB2, Relevance: 10.4, Strings: 8, Instructions: 359COMMON

Download Yara Rule

Strings

G%, xrefs: 0071E0AB
=y, xrefs: 0071DE8D
|%, xrefs: 0071DCA0
QF, xrefs: 0071DF11
+, xrefs: 0071E065
d5, xrefs: 0071DDBD
00, xrefs: 0071DD05
6, xrefs: 0071DC98

Memory Dump Source

Source File: 00000001.00000002.282217417.0000000000710000.00000040.00020000.sdmp, Offset: 00710000, based on PE: true

Associated: 00000001.00000002.282272461.0000000000731000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: 00$6$=y$G%$QF$d5$|%$+
API String ID: 0-3837980227
Opcode ID: 15053df94231d9941aceaac3c68e9c5c410af8b7927ad54968c377df8c0b4488
Instruction ID: 012e01646443da632133ddc141b94bd59651289425b894131de4c060315b9f70
Opcode Fuzzy Hash: 15053df94231d9941aceaac3c68e9c5c410af8b7927ad54968c377df8c0b4488
Instruction Fuzzy Hash: CC0216715083819FE368CF25C88969BBBF2FBC5354F50891DF589862A0D7B98989CF43

Uniqueness

Uniqueness Score: -1.00%

Function 00748344, Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 125COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNELBASE(0`w,?,00000100), ref: 0074845B
CharLowerA.KERNELBASE(?), ref: 007484AE

Strings

Dw, xrefs: 00748369, 00748375
8`w, xrefs: 007484C9
MAINICON, xrefs: 0074841C
0`w, xrefs: 00748421, 00748428, 00748453, 0074845A

Memory Dump Source

Source File: 00000001.00000002.282288141.0000000000733000.00000020.00020000.sdmp, Offset: 00733000, based on PE: false

Similarity

API ID: CharFileLowerModuleName
String ID: 0`w$8`w$MAINICON$Dw
API String ID: 515556390-112885075
Opcode ID: 6e6eafef3129c7ada670a94e5b411b3fdd5a4415b88141e71aa940d074cb7d3c
Instruction ID: 5ea2b88dce5bd36cde6f56778b8afa559e551182ce0e2ea104b06f0d5676bf92
Opcode Fuzzy Hash: 6e6eafef3129c7ada670a94e5b411b3fdd5a4415b88141e71aa940d074cb7d3c
Instruction Fuzzy Hash: 3B513C70A04244DFDB51DF28C889BC97BE4AB15304F4885B4E848CF397DBBD9988CB65

Uniqueness

Uniqueness Score: -1.00%

Function 00773928, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 136filememoryCOMMON

Download Yara Rule

APIs

GetEnhMetaFileA.GDI32(trty55345), ref: 007739C2
VirtualAlloc.KERNELBASE(00000000,00776CB4,00001000,00000040), ref: 00773A8E

Strings

trty55345, xrefs: 007739BD
|lw, xrefs: 00773961

Memory Dump Source

Source File: 00000001.00000002.282288141.0000000000733000.00000020.00020000.sdmp, Offset: 00733000, based on PE: false

Similarity

API ID: AllocFileMetaVirtual
String ID: trty55345$|lw
API String ID: 2643768156-1247263927
Opcode ID: 0dc74b11cdaa578b360d69632f9b782e80e2e4ce994f2750d4b6644cdcf80eeb
Instruction ID: 33084f0f6604d5e69af4d51680152bdfe77ec4ae233b4ec12bbde17381c8c589
Opcode Fuzzy Hash: 0dc74b11cdaa578b360d69632f9b782e80e2e4ce994f2750d4b6644cdcf80eeb
Instruction Fuzzy Hash: CC617F70605A01DFE742DF28ED86A5537A1F705784B00C429E58D8B2A9EB7DB9C8DF2C

Uniqueness

Uniqueness Score: -1.00%

Function 00747260, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 99COMMON

Download Yara Rule

APIs

GetClientRect.USER32 ref: 0074729E

Strings

Dw, xrefs: 0074728E

Memory Dump Source

Source File: 00000001.00000002.282288141.0000000000733000.00000020.00020000.sdmp, Offset: 00733000, based on PE: false

Similarity

API ID: ClientRect
String ID: Dw
API String ID: 846599473-3192257026
Opcode ID: 44d38108a3e5007846c7aaf4a78bb16847e0ce1dab51ad60543d3df6c552145f
Instruction ID: 99dcbfebe4261fffadf9d355f11c3fd334c8d0ac2fb1cab66bad15057e46f36d
Opcode Fuzzy Hash: 44d38108a3e5007846c7aaf4a78bb16847e0ce1dab51ad60543d3df6c552145f
Instruction Fuzzy Hash: E83107B0604240DFD754EF2CD8CAB887BE0AB05314F8494B9F808DF366DB79A949CB54

Uniqueness

Uniqueness Score: -1.00%

Function 00771638, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 60COMMON

Download Yara Rule

APIs

DdeInitializeA.USER32(00000044,Function_0003E428,00000000,00000000), ref: 00771686

Strings

Link, xrefs: 00771666

Memory Dump Source

Source File: 00000001.00000002.282288141.0000000000733000.00000020.00020000.sdmp, Offset: 00733000, based on PE: false

Similarity

API ID: Initialize
String ID: Link
API String ID: 2538663250-2526951119
Opcode ID: edaf7f0e7ea5ec11e0786028bb753e581c5b6e56debfeb60df99b6f56df91af2
Instruction ID: 5ebbe134278e128d220b5073a75914a958bb4334d501e2544ef0d3804f2f7415
Opcode Fuzzy Hash: edaf7f0e7ea5ec11e0786028bb753e581c5b6e56debfeb60df99b6f56df91af2
Instruction Fuzzy Hash: 10119170600700EBCB20EB7C9D46A8E77F5EF45B50BD19834F404D7691EA3EAA418755

Uniqueness

Uniqueness Score: -1.00%

Function 00711B9D, Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 57stringCOMMON

Download Yara Rule

APIs

lstrcmpiW.KERNELBASE(0000BD7B,572A283C), ref: 00711C68

Strings

<(*W, xrefs: 00711C10

Memory Dump Source

Source File: 00000001.00000002.282217417.0000000000710000.00000040.00020000.sdmp, Offset: 00710000, based on PE: true

Associated: 00000001.00000002.282272461.0000000000731000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: lstrcmpi
String ID: <(*W
API String ID: 1586166983-931366690
Opcode ID: c5b6bf103fc0e39ce0b5d6a85e3de0b19e0c157fc654ba76a54f103cd29fec4b
Instruction ID: 5d551b44eaf42ef4afb1362af6fe8eeaee365aa91817b2d52e8a279d06992de4
Opcode Fuzzy Hash: c5b6bf103fc0e39ce0b5d6a85e3de0b19e0c157fc654ba76a54f103cd29fec4b
Instruction Fuzzy Hash: BA21F0B1D40208EFDB04DFE5C94A99EBBB1EB44314F10C08AE514AB2A1E7B99B519F90

Uniqueness

Uniqueness Score: -1.00%

Function 00771A14, Relevance: 3.1, APIs: 2, Instructions: 56serviceCOMMON

Download Yara Rule

APIs

Part of subcall function 00771AC8: DdeFreeStringHandle.USER32(?,?), ref: 00771AE8

DdeCreateStringHandleA.USER32(?,00000000), ref: 00771A82
DdeNameService.USER32(?,00000000,00000000,00000001), ref: 00771A95

Memory Dump Source

Source File: 00000001.00000002.282288141.0000000000733000.00000020.00020000.sdmp, Offset: 00733000, based on PE: false

Similarity

API ID: HandleString$CreateFreeNameService
String ID:
API String ID: 374373348-0
Opcode ID: d1161065052fb362d54387c1e5f2ef4210cc46f7f28f965ba3b939afeaad63ee
Instruction ID: 782ee6e02f47d1660dd8738295b5c69250a1fa79d4864ad6c8e0fdf043093537
Opcode Fuzzy Hash: d1161065052fb362d54387c1e5f2ef4210cc46f7f28f965ba3b939afeaad63ee
Instruction Fuzzy Hash: D2118271711254EFCB11EFACCC86A8A37ACAF09B40B8185A0FD049B286D678ED408794

Uniqueness

Uniqueness Score: -1.00%

Function 0074761C, Relevance: 1.5, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

LoadCursorA.USER32(00000000,00000000,?,?,?,?,007472A3), ref: 00747658

Memory Dump Source

Source File: 00000001.00000002.282288141.0000000000733000.00000020.00020000.sdmp, Offset: 00733000, based on PE: false

Similarity

API ID: CursorLoad
String ID:
API String ID: 3238433803-0
Opcode ID: a0d2b0a280e74609bc60a5afb4b497b2edd69fa14da614be5a9e1d4be8d52aa4
Instruction ID: 39261d4e342119c7577f725a63b28de1e2ad3b6b4a6d5cdc5bc223f5f0eef47e
Opcode Fuzzy Hash: a0d2b0a280e74609bc60a5afb4b497b2edd69fa14da614be5a9e1d4be8d52aa4
Instruction Fuzzy Hash: D9F02751708A009B8624153C5CD5E7E325ADB82730B620376FD3DC72D1C72D6C81C2A2

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00714AD3, Relevance: 56.1, Strings: 44, Instructions: 1101
COMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E00714AD3() {
				char _v68;
				intOrPtr _v72;
				char _v80;
				char _v88;
				signed int _v92;
				signed int _v96;
				intOrPtr _v100;
				intOrPtr _v104;
				intOrPtr _v108;
				void* _v112;
				signed int _v116;
				char _v124;
				char _v132;
				char _v140;
				char _v144;
				char _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				unsigned int _v168;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				signed int _v184;
				signed int _v188;
				signed int _v192;
				signed int _v196;
				signed int _v200;
				signed int _v204;
				signed int _v208;
				signed int _v212;
				signed int _v216;
				signed int _v220;
				signed int _v224;
				signed int _v228;
				signed int _v232;
				signed int _v236;
				signed int _v240;
				signed int _v244;
				unsigned int _v248;
				signed int _v252;
				signed int _v256;
				signed int _v260;
				signed int _v264;
				signed int _v268;
				signed int _v272;
				signed int _v276;
				signed int _v280;
				signed int _v284;
				signed int _v288;
				signed int _v292;
				signed int _v296;
				signed int _v300;
				signed int _v304;
				signed int _v308;
				signed int _v312;
				signed int _v316;
				signed int _v320;
				signed int _v324;
				signed int _v328;
				signed int _v332;
				signed int _v336;
				signed int _v340;
				unsigned int _v344;
				signed int _v348;
				signed int _v352;
				signed int _v356;
				signed int _v360;
				signed int _v364;
				signed int _v368;
				signed int _v372;
				signed int _v376;
				signed int _v380;
				signed int _v384;
				signed int _v388;
				signed int _v392;
				signed int _v396;
				signed int _v400;
				signed int _v404;
				signed int _v408;
				unsigned int _v412;
				signed int _v416;
				signed int _v420;
				signed int _v424;
				signed int _v428;
				signed int _v432;
				signed int _v436;
				signed int _v440;
				signed int _v444;
				signed int _v448;
				signed int _v452;
				signed int _v456;
				signed int _v460;
				unsigned int _v464;
				signed int _v468;
				signed int _v472;
				signed int _v476;
				signed int _v480;
				unsigned int _v484;
				signed int _v488;
				signed int _v492;
				signed int _v496;
				signed int _v500;
				signed int _v504;
				signed int _v508;
				signed int _v512;
				signed int _v516;
				signed int _v520;
				signed int _v524;
				unsigned int _v528;
				signed int _v532;
				signed int _v536;
				signed int _v540;
				signed int _v544;
				signed int _v548;
				signed int _v552;
				signed int _v556;
				signed int _v560;
				signed int _v564;
				signed int _v568;
				signed int _v572;
				signed int _v576;
				signed int _v580;
				signed int _v584;
				signed int _v588;
				signed int _v592;
				signed int _v596;
				signed int _v600;
				signed int _v604;
				signed int _v608;
				signed int _v612;
				signed int _v616;
				signed int _v620;
				signed int _v624;
				signed int _v628;
				signed int _t1180;
				signed int _t1187;
				signed int _t1195;
				signed int _t1200;
				signed int _t1259;
				intOrPtr _t1261;
				signed int _t1276;
				signed int _t1288;
				signed int _t1298;
				signed int _t1299;
				signed int _t1308;
				signed int _t1326;
				signed int _t1407;
				signed int _t1408;
				signed int _t1409;
				signed int _t1412;
				signed int _t1413;
				signed int _t1414;
				signed int _t1415;
				signed int _t1416;
				signed int _t1417;
				signed int _t1418;
				signed int _t1419;
				signed int _t1420;
				signed int _t1421;
				signed int _t1422;
				signed int _t1423;
				signed int _t1424;
				signed int _t1425;
				signed int _t1426;
				signed int _t1427;
				signed int _t1428;
				signed int _t1429;
				signed int _t1430;
				signed int _t1431;
				signed int _t1432;
				signed int _t1435;
				signed int _t1438;
				void* _t1440;
				void* _t1441;
				void* _t1447;
				void* _t1448;
				void* _t1449;

				_t1440 = (_t1438 & 0xfffffff8) - 0x270;
				_v292 = 0xf284;
				_v292 = _v292 + 0xffff5aaa;
				_t1302 = 0x16005848;
				_v292 = _v292 ^ 0x00003d27;
				_v612 = 0xcd90;
				_v612 = _v612 + 0xdfca;
				_v612 = _v612 >> 0xe;
				_v612 = _v612 | 0x90102aac;
				_v612 = _v612 ^ 0x901044a1;
				_v344 = 0x729c;
				_v344 = _v344 + 0x2380;
				_v344 = _v344 >> 0xe;
				_v344 = _v344 ^ 0x00007fcb;
				_v452 = 0xe9c6;
				_v452 = _v452 ^ 0x6183925d;
				_v452 = _v452 ^ 0x6183069b;
				_v220 = 0xf7ec;
				_v220 = _v220 + 0xffffa4eb;
				_v220 = _v220 ^ 0x000098b7;
				_v616 = 0xc1ab;
				_v616 = _v616 + 0x495b;
				_t1412 = 6;
				_v616 = _v616 / _t1412;
				_t1298 = 0x33;
				_v616 = _v616 / _t1298;
				_v616 = _v616 ^ 0x00003f24;
				_v172 = 0xc3e5;
				_v172 = _v172 | 0x8c3924a1;
				_v172 = _v172 ^ 0x8c3990dc;
				_v556 = 0xec7;
				_v556 = _v556 + 0xffffdd66;
				_v556 = _v556 | 0xeb06e3e9;
				_v556 = _v556 + 0xffff4ec5;
				_v556 = _v556 ^ 0xffff0d2a;
				_v404 = 0xebd2;
				_v404 = _v404 ^ 0x39abe120;
				_v404 = _v404 + 0xffff117d;
				_v404 = _v404 ^ 0x39aa0261;
				_v608 = 0x5138;
				_t1413 = 0x1b;
				_v608 = _v608 / _t1413;
				_v608 = _v608 | 0x15307ace;
				_v608 = _v608 << 0xe;
				_v608 = _v608 ^ 0x1ef3a051;
				_v348 = 0xfe76;
				_v348 = _v348 + 0xffff3b1c;
				_v348 = _v348 | 0xcb0de786;
				_v348 = _v348 ^ 0xcb0d8d59;
				_v456 = 0x2747;
				_t1414 = 0x7a;
				_v456 = _v456 / _t1414;
				_v456 = _v456 | 0x91302429;
				_v456 = _v456 ^ 0x91303345;
				_v460 = 0xcf3d;
				_t1415 = 0x45;
				_v460 = _v460 / _t1415;
				_v460 = _v460 + 0xeb19;
				_v460 = _v460 ^ 0x0000cda4;
				_v392 = 0x63af;
				_t1416 = 0x5b;
				_v392 = _v392 * 0x33;
				_v392 = _v392 + 0x892;
				_v392 = _v392 ^ 0x0013c32b;
				_v628 = 0x2d41;
				_v628 = _v628 * 0x3a;
				_v628 = _v628 ^ 0x0e465d81;
				_v628 = _v628 ^ 0x02b58f59;
				_v628 = _v628 ^ 0x0cf9d1f3;
				_v332 = 0x1fb8;
				_t1417 = 0x6f;
				_v332 = _v332 / _t1416;
				_v332 = _v332 / _t1417;
				_v332 = _v332 ^ 0x0000375d;
				_v372 = 0xc55d;
				_v372 = _v372 + 0xf0ae;
				_v372 = _v372 | 0xf3912f04;
				_v372 = _v372 ^ 0xf391ae1e;
				_v388 = 0xb177;
				_t1407 = 0x1e;
				_t1435 = 0x54;
				_v388 = _v388 * 0x3b;
				_v388 = _v388 ^ 0xc27fce9c;
				_v388 = _v388 ^ 0xc2577be9;
				_v624 = 0x5c86;
				_v624 = _v624 | 0xeb73bab0;
				_v624 = _v624 >> 0xd;
				_v624 = _v624 ^ 0x5553c051;
				_v624 = _v624 ^ 0x5554cdf2;
				_v508 = 0x7c12;
				_v508 = _v508 ^ 0x4b00f6f6;
				_v508 = _v508 >> 0xb;
				_v508 = _v508 << 3;
				_v508 = _v508 ^ 0x004b3011;
				_v236 = 0xadb3;
				_v236 = _v236 ^ 0x88d42a99;
				_v236 = _v236 ^ 0x88d4f4cf;
				_v156 = 0xd97f;
				_v156 = _v156 << 5;
				_v156 = _v156 ^ 0x001b098b;
				_v412 = 0x73ca;
				_v412 = _v412 >> 5;
				_v412 = _v412 + 0x32d0;
				_v412 = _v412 ^ _t1407;
				_v476 = 0x7179;
				_v476 = _v476 << 9;
				_v476 = _v476 ^ 0xfa6ca94f;
				_v476 = _v476 + 0x29d1;
				_v476 = _v476 ^ 0xfa8edfe4;
				_v168 = 0xea82;
				_v168 = _v168 >> 0xb;
				_v168 = _v168 ^ 0x00004263;
				_v592 = 0x3b0;
				_v592 = _v592 / _t1435;
				_v592 = _v592 >> 7;
				_v592 = _v592 | 0xeae8dba7;
				_v592 = _v592 ^ 0xeae8c36b;
				_v400 = 0xda5d;
				_v400 = _v400 | 0x54ef1ab9;
				_v400 = _v400 + 0x567d;
				_v400 = _v400 ^ 0x54f01593;
				_v328 = 0x7238;
				_v328 = _v328 | 0xde6da7df;
				_v328 = _v328 ^ 0xde6dfc76;
				_v336 = 0x76a2;
				_t1418 = 0x47;
				_t1299 = 0x79;
				_v336 = _v336 * 0x33;
				_v336 = _v336 ^ 0xb9271891;
				_v336 = _v336 ^ 0xb930902f;
				_v252 = 0xfc5c;
				_v252 = _v252 + 0xffff7b0a;
				_v252 = _v252 ^ 0x000016bf;
				_v600 = 0x59dc;
				_v600 = _v600 ^ 0xd5216188;
				_v600 = _v600 + 0x6faa;
				_v600 = _v600 ^ 0x291e786a;
				_v600 = _v600 ^ 0xfc3f8df9;
				_v304 = 0xd5a8;
				_v304 = _v304 >> 2;
				_v304 = _v304 ^ 0x00000b06;
				_v440 = 0x2e48;
				_v440 = _v440 | 0x7b5fcfcf;
				_v440 = _v440 ^ 0x7b5fcc0c;
				_v296 = 0x1656;
				_v296 = _v296 + 0x19e8;
				_v296 = _v296 ^ 0x00001740;
				_v432 = 0x94e4;
				_v432 = _v432 << 0xa;
				_v432 = _v432 | 0x14facc30;
				_v432 = _v432 ^ 0x16fbf4b9;
				_v288 = 0x5427;
				_v288 = _v288 / _t1418;
				_v288 = _v288 ^ 0x00006e86;
				_v408 = 0x8ade;
				_v408 = _v408 + 0xf781;
				_t1419 = 0x68;
				_v408 = _v408 * 0x65;
				_v408 = _v408 ^ 0x00983bbe;
				_v416 = 0xd77e;
				_v416 = _v416 >> 2;
				_v416 = _v416 ^ 0xa14f526e;
				_v416 = _v416 ^ 0xa14f663e;
				_v424 = 0xdc13;
				_v424 = _v424 + 0xffff3088;
				_v424 = _v424 / _t1299;
				_v424 = _v424 ^ 0x000049b1;
				_v548 = 0x2dc5;
				_v548 = _v548 << 1;
				_v548 = _v548 * 0x23;
				_v548 = _v548 / _t1419;
				_v548 = _v548 ^ 0x00004101;
				_v228 = 0x6679;
				_v228 = _v228 + 0x5c36;
				_v228 = _v228 ^ 0x00008779;
				_v180 = 0x5d8;
				_v180 = _v180 << 0xa;
				_v180 = _v180 ^ 0x00175e46;
				_v356 = 0x866;
				_v356 = _v356 + 0x84b7;
				_v356 = _v356 ^ 0x17867601;
				_v356 = _v356 ^ 0x17869b4b;
				_v212 = 0x219f;
				_v212 = _v212 + 0xffffe051;
				_v212 = _v212 ^ 0x00005b6a;
				_v300 = 0xd0f1;
				_v300 = _v300 << 0xa;
				_v300 = _v300 ^ 0x0343ba67;
				_v448 = 0x3730;
				_v448 = _v448 + 0xfffff2a4;
				_v448 = _v448 ^ 0x356978dd;
				_v448 = _v448 ^ 0x3569194c;
				_v176 = 0x2833;
				_v176 = _v176 + 0x33fd;
				_v176 = _v176 ^ 0x00003a89;
				_v380 = 0x5e6a;
				_v380 = _v380 >> 0xf;
				_t1420 = 0x5f;
				_v380 = _v380 / _t1420;
				_v380 = _v380 ^ 0x00002e7c;
				_v540 = 0x71d2;
				_v540 = _v540 | 0x41bfc7d2;
				_v540 = _v540 >> 3;
				_t1421 = 0x55;
				_v540 = _v540 * 0x14;
				_v540 = _v540 ^ 0xa45f84b6;
				_v620 = 0xa14d;
				_v620 = _v620 << 6;
				_v620 = _v620 >> 0xa;
				_v620 = _v620 + 0xffff1a76;
				_v620 = _v620 ^ 0xffff30e0;
				_v312 = 0x44f8;
				_v312 = _v312 * 0x66;
				_v312 = _v312 + 0xfffff488;
				_v312 = _v312 ^ 0x001b0ac9;
				_v248 = 0x99ec;
				_v248 = _v248 >> 0xb;
				_v248 = _v248 ^ 0x0000517f;
				_v484 = 0x5187;
				_v484 = _v484 << 7;
				_v484 = _v484 << 4;
				_v484 = _v484 >> 0xa;
				_v484 = _v484 ^ 0x0000c372;
				_v152 = 0xd5f0;
				_v152 = _v152 + 0xd416;
				_v152 = _v152 ^ 0x00019eb5;
				_v596 = 0x4698;
				_v596 = _v596 >> 9;
				_v596 = _v596 << 0xd;
				_v596 = _v596 * 0x1c;
				_v596 = _v596 ^ 0x007ab5ff;
				_v488 = 0x3d;
				_v488 = _v488 / _t1421;
				_v488 = _v488 ^ 0x90f6b60e;
				_v488 = _v488 + 0xfc83;
				_v488 = _v488 ^ 0x90f7ae77;
				_v496 = 0x4cc6;
				_v496 = _v496 | 0x7f66ffff;
				_v496 = _v496 + 0xac5a;
				_v496 = _v496 ^ 0x7f679bcd;
				_v504 = 0x36dc;
				_v504 = _v504 | 0xa935dbd5;
				_v504 = _v504 << 6;
				_t1422 = 0x4d;
				_v504 = _v504 / _t1422;
				_v504 = _v504 ^ 0x0101ea82;
				_v512 = 0xafcc;
				_v512 = _v512 >> 4;
				_v512 = _v512 + 0x1599;
				_v512 = _v512 << 1;
				_v512 = _v512 ^ 0x00001cfc;
				_v280 = 0x5f4f;
				_v280 = _v280 << 6;
				_v280 = _v280 ^ 0x0017f419;
				_v576 = 0x9d0c;
				_v576 = _v576 + 0xffffe95f;
				_v576 = _v576 ^ 0x4135f5fe;
				_v576 = _v576 + 0xffffc338;
				_v576 = _v576 ^ 0x41355062;
				_v584 = 0x119;
				_v584 = _v584 ^ 0x421a2dfe;
				_v584 = _v584 ^ 0x4c44e97b;
				_t485 =  &_v584; // 0x4c44e97b
				_t1423 = 0x5d;
				_v584 =  *_t485 * 0x1b;
				_v584 = _v584 ^ 0x83fed64b;
				_v436 = 0x6f14;
				_v436 = _v436 << 8;
				_v436 = _v436 + 0xffff9fc8;
				_v436 = _v436 ^ 0x006ee9f0;
				_v316 = 0x7c6b;
				_v316 = _v316 | 0x96cf289b;
				_v316 = _v316 >> 6;
				_v316 = _v316 ^ 0x025b24fa;
				_v468 = 0xb954;
				_v468 = _v468 / _t1423;
				_v468 = _v468 + 0xdc7c;
				_v468 = _v468 << 3;
				_v468 = _v468 ^ 0x0006ccdd;
				_v232 = 0x5848;
				_v232 = _v232 + 0xffff17ce;
				_v232 = _v232 ^ 0xffff11ef;
				_v240 = 0x4315;
				_t1424 = 0x22;
				_v240 = _v240 * 0x5a;
				_v240 = _v240 ^ 0x00179b48;
				_v560 = 0xec5f;
				_v560 = _v560 ^ 0x0798311e;
				_v560 = _v560 << 0xf;
				_v560 = _v560 << 1;
				_v560 = _v560 ^ 0xdd416a99;
				_v568 = 0x48c3;
				_v568 = _v568 | 0x1c7f515b;
				_v568 = _v568 / _t1424;
				_v568 = _v568 + 0xffff9a03;
				_v568 = _v568 ^ 0x00d6643a;
				_v208 = 0x1899;
				_v208 = _v208 + 0x8724;
				_v208 = _v208 ^ 0x00009731;
				_v216 = 0x3d2a;
				_v216 = _v216 + 0xffffdfbc;
				_v216 = _v216 ^ 0x00002f81;
				_v224 = 0xdaeb;
				_v224 = _v224 + 0xffffce17;
				_v224 = _v224 ^ 0x0000d579;
				_v544 = 0xb9be;
				_v544 = _v544 << 4;
				_v544 = _v544 >> 0x10;
				_v544 = _v544 ^ 0x90137b42;
				_v544 = _v544 ^ 0x9013513c;
				_v536 = 0x38b;
				_v536 = _v536 / _t1407;
				_v536 = _v536 >> 1;
				_v536 = _v536 << 0x10;
				_v536 = _v536 ^ 0x000f26d2;
				_v200 = 0x1a59;
				_v200 = _v200 * 0x74;
				_v200 = _v200 ^ 0x000be304;
				_v184 = 0x859e;
				_v184 = _v184 * 0x74;
				_v184 = _v184 ^ 0x003cfb90;
				_v360 = 0x6490;
				_t1425 = 3;
				_v360 = _v360 * 0x72;
				_v360 = _v360 * 0x2a;
				_v360 = _v360 ^ 0x0758d93d;
				_v192 = 0xf868;
				_v192 = _v192 + 0x2bda;
				_v192 = _v192 ^ 0x000152e4;
				_v528 = 0x676;
				_v528 = _v528 | 0x24bb53fd;
				_v528 = _v528 >> 0xe;
				_v528 = _v528 + 0x8306;
				_v528 = _v528 ^ 0x00017f37;
				_v580 = 0x31f4;
				_v580 = _v580 * 0x62;
				_v580 = _v580 + 0x9de5;
				_v580 = _v580 << 0xc;
				_v580 = _v580 ^ 0x3bd4dd01;
				_v164 = 0xa9a7;
				_v164 = _v164 ^ 0xde8baefc;
				_v164 = _v164 ^ 0xde8b4245;
				_v276 = 0xa5ad;
				_v276 = _v276 >> 0xb;
				_v276 = _v276 ^ 0x0000618b;
				_v524 = 0x1681;
				_v524 = _v524 >> 3;
				_v524 = _v524 / _t1425;
				_v524 = _v524 << 7;
				_v524 = _v524 ^ 0x00005671;
				_v492 = 0xe57e;
				_t1426 = 0xb;
				_v492 = _v492 / _t1426;
				_v492 = _v492 | 0x13317d14;
				_v492 = _v492 ^ 0x21db4678;
				_v492 = _v492 ^ 0x32ea4d5a;
				_v196 = 0x20a5;
				_v196 = _v196 ^ 0x7fec11bc;
				_v196 = _v196 ^ 0x7fec059e;
				_v268 = 0xa0f7;
				_v268 = _v268 + 0xffffbbf0;
				_v268 = _v268 ^ 0x00005585;
				_v284 = 0xc44e;
				_t1427 = 0x17;
				_v284 = _v284 / _t1427;
				_v284 = _v284 ^ 0x00000fe6;
				_v588 = 0x9772;
				_v588 = _v588 | 0x0513faeb;
				_v588 = _v588 << 0xc;
				_v588 = _v588 + 0xffffe845;
				_v588 = _v588 ^ 0x3fffb169;
				_v324 = 0x6fd3;
				_v324 = _v324 ^ 0xb7dcb5b3;
				_v324 = _v324 << 0xd;
				_v324 = _v324 ^ 0x9b4c380e;
				_v564 = 0xdada;
				_v564 = _v564 + 0xffffb040;
				_v564 = _v564 ^ 0xc897d1fc;
				_v564 = _v564 >> 0xc;
				_v564 = _v564 ^ 0x000cb45e;
				_v244 = 0x5a23;
				_v244 = _v244 ^ 0xdd4100c5;
				_v244 = _v244 ^ 0xdd41732b;
				_v188 = 0xe772;
				_v188 = _v188 * 0x17;
				_v188 = _v188 ^ 0x0014b7d9;
				_v532 = 0xb034;
				_v532 = _v532 >> 0xb;
				_v532 = _v532 + 0xffffd8d4;
				_v532 = _v532 + 0xffff18c7;
				_v532 = _v532 ^ 0xfffed948;
				_v444 = 0x6a74;
				_v444 = _v444 + 0xffffe81e;
				_v444 = _v444 >> 3;
				_v444 = _v444 ^ 0x00005cb5;
				_v604 = 0xd470;
				_v604 = _v604 + 0xffff4287;
				_t1428 = 0x36;
				_v604 = _v604 * 0x63;
				_v604 = _v604 + 0xa98f;
				_v604 = _v604 ^ 0x0009be15;
				_v500 = 0x6b4b;
				_v500 = _v500 + 0xffff69a2;
				_v500 = _v500 | 0xfafbe3f5;
				_v500 = _v500 ^ 0xffffc820;
				_v256 = 0x3b65;
				_v256 = _v256 + 0x8a1b;
				_v256 = _v256 ^ 0x00009fa9;
				_v264 = 0x8702;
				_v264 = _v264 + 0x22ce;
				_v264 = _v264 ^ 0x0000c9e2;
				_v272 = 0x6ce9;
				_v272 = _v272 + 0xffff741f;
				_v272 = _v272 ^ 0xffff874d;
				_v384 = 0xcfaa;
				_v384 = _v384 ^ 0x7c84390f;
				_v384 = _v384 << 5;
				_v384 = _v384 ^ 0x909ef8fa;
				_v364 = 0xd754;
				_v364 = _v364 + 0x8a6e;
				_v364 = _v364 + 0xffffa77d;
				_v364 = _v364 ^ 0x00012c0a;
				_v572 = 0x684;
				_v572 = _v572 + 0xffff249d;
				_v572 = _v572 + 0xffff11fc;
				_v572 = _v572 ^ 0x2ec24d92;
				_v572 = _v572 ^ 0xd13c5b3a;
				_v260 = 0x9d26;
				_v260 = _v260 + 0xffff77cf;
				_v260 = _v260 ^ 0x00001045;
				_v420 = 0x19b4;
				_v420 = _v420 << 0xe;
				_v420 = _v420 / _t1435;
				_v420 = _v420 ^ 0x001380cf;
				_v472 = 0xb5c1;
				_v472 = _v472 >> 0xe;
				_v472 = _v472 << 6;
				_v472 = _v472 * 0x45;
				_v472 = _v472 ^ 0x00002a12;
				_v480 = 0x152d;
				_v480 = _v480 << 9;
				_v480 = _v480 + 0xffffaf2b;
				_v480 = _v480 | 0xa623b0fd;
				_v480 = _v480 ^ 0xa62b899a;
				_v204 = 0x66fa;
				_v204 = _v204 << 8;
				_v204 = _v204 ^ 0x0066e5e6;
				_v340 = 0x4192;
				_v340 = _v340 / _t1299;
				_v340 = _v340 / _t1428;
				_v340 = _v340 ^ 0x00003034;
				_v464 = 0xd2ea;
				_v464 = _v464 >> 0xa;
				_t1408 = 0x21;
				_v464 = _v464 / _t1408;
				_v464 = _v464 >> 2;
				_v464 = _v464 ^ 0x00007050;
				_v320 = 0x49ac;
				_v320 = _v320 << 8;
				_v320 = _v320 ^ 0xfb939db0;
				_v320 = _v320 ^ 0xfbda5041;
				_v428 = 0x3fd1;
				_v428 = _v428 | 0x92cdb814;
				_v428 = _v428 << 6;
				_v428 = _v428 ^ 0xb36ff540;
				_v516 = 0xac08;
				_t1429 = 0x50;
				_v516 = _v516 / _t1429;
				_v516 = _v516 << 0xd;
				_v516 = _v516 << 6;
				_v516 = _v516 ^ 0x100461c8;
				_v308 = 0x4309;
				_v308 = _v308 << 0xd;
				_v308 = _v308 ^ 0x08613770;
				_v552 = 0x9a83;
				_v552 = _v552 >> 0xe;
				_v552 = _v552 / _t1408;
				_v552 = _v552 + 0xffffc968;
				_v552 = _v552 ^ 0xffffc969;
				_v396 = 0xd172;
				_v396 = _v396 ^ 0x239e13fe;
				_t1430 = 0x78;
				_v396 = _v396 * 0x38;
				_v396 = _v396 ^ 0xcaba8100;
				_v160 = 0x81d1;
				_v160 = _v160 << 0xf;
				_v160 = _v160 ^ 0x40e89f40;
				_v376 = 0x9bd1;
				_v376 = _v376 >> 0xb;
				_v376 = _v376 | 0x8dece6a5;
				_v376 = _v376 ^ 0x8de15d17;
				_v368 = 0xa942;
				_v368 = _v368 / _t1430;
				_v368 = _v368 >> 0xe;
				_v368 = _v368 ^ 0x000ef420;
				_v352 = 0xcab9;
				_v352 = _v352 >> 6;
				_v352 = _v352 << 0xc;
				_v352 = _v352 ^ 0x0032afa0;
				_v520 = 0x575a;
				_t1431 = 0x33;
				_t1432 = _v452;
				_v520 = _v520 / _t1431;
				_t1409 = _v452;
				_v520 = _v520 / _t1408;
				_v520 = _v520 * 0x27;
				_v520 = _v520 ^ 0x00001ebb;
				while(1) {
					L1:
					_t1180 = 0x26b3c509;
					do {
						while(1) {
							L2:
							_t1447 = _t1302 - 0x1dd159f4;
							if(_t1447 > 0) {
								break;
							}
							if(_t1447 == 0) {
								E00721F54();
								_t1302 = 0x32b5f2ec;
								while(1) {
									L1:
									_t1180 = 0x26b3c509;
									goto L2;
								}
							}
							_t1448 = _t1302 - 0x11b22f62;
							if(_t1448 > 0) {
								__eflags = _t1302 - 0x1a1d010e;
								if(__eflags > 0) {
									__eflags = _t1302 - 0x1accdd0a;
									if(_t1302 == 0x1accdd0a) {
										E007133F4(_v324, _v564, _v244, _v188, _v140);
										_t1440 = _t1440 + 0xc;
										L55:
										_t1302 = 0x27e5de8;
										while(1) {
											L1:
											_t1180 = 0x26b3c509;
											goto L2;
										}
									}
									__eflags = _t1302 - 0x1b93f384;
									if(_t1302 == 0x1b93f384) {
										E007168D8();
										_t1302 = 0x2a3d3775;
										while(1) {
											L1:
											_t1180 = 0x26b3c509;
											goto L2;
										}
									}
									__eflags = _t1302 - 0x1bd43c79;
									if(__eflags == 0) {
										_t1302 = 0x1e013a7c;
										continue;
									}
									__eflags = _t1302 - 0x1c27d8f2;
									if(_t1302 != 0x1c27d8f2) {
										goto L105;
									}
									E00712C93();
									E00728314();
									asm("sbb ecx, ecx");
									_t1302 = (_t1302 & 0xeb1b6708) + 0x32b5f2ec;
									while(1) {
										L1:
										_t1180 = 0x26b3c509;
										goto L2;
									}
								}
								if(__eflags == 0) {
									_t1302 = 0x10b5273f;
									_v96 = _v516;
									while(1) {
										L1:
										_t1180 = 0x26b3c509;
										goto L2;
									}
								}
								__eflags = _t1302 - 0x1314a566;
								if(_t1302 == 0x1314a566) {
									E007133F4(_v364, _v572, _v260, _v420, _v88);
									_t1440 = _t1440 + 0xc;
									L45:
									_t1302 = 0xd26623c;
									while(1) {
										L1:
										_t1180 = 0x26b3c509;
										goto L2;
									}
								}
								__eflags = _t1302 - 0x134e219d;
								if(_t1302 == 0x134e219d) {
									E007119B4();
									_t1302 = 0xd2fe09a;
									while(1) {
										L1:
										_t1180 = 0x26b3c509;
										goto L2;
									}
								}
								__eflags = _t1302 - 0x13daa562;
								if(_t1302 == 0x13daa562) {
									_t1276 = E007148C7( &_v140, _v580,  &_v124, _v164, _v276, _v524);
									_t1440 = _t1440 + 0x10;
									__eflags = _t1276;
									if(__eflags == 0) {
										L30:
										_t1302 = 0x1accdd0a;
										while(1) {
											L1:
											_t1180 = 0x26b3c509;
											goto L2;
										}
									}
									E00721494();
									__eflags = _v116;
									_t1302 = 0x134e219d;
									if(__eflags == 0) {
										while(1) {
											L1:
											_t1180 = 0x26b3c509;
											goto L2;
										}
									}
									__eflags = _v116 - 7;
									_t1180 = 0x26b3c509;
									_t1302 =  ==  ? 0x26b3c509 : 0x134e219d;
									continue;
								}
								__eflags = _t1302 - 0x16005848;
								if(__eflags != 0) {
									goto L105;
								}
								_t1302 = 0x2e39497;
								continue;
							}
							if(_t1448 == 0) {
								_t1180 = E0072E0B6();
								L109:
								return _t1180;
							}
							_t1449 = _t1302 - 0xb290583;
							if(_t1449 > 0) {
								__eflags = _t1302 - 0xd26623c;
								if(__eflags == 0) {
									_push(_t1302);
									__eflags = E00727B11(_t1409, __eflags);
									if(__eflags != 0) {
										L16:
										_t1302 = 0x2315912d;
										while(1) {
											L1:
											_t1180 = 0x26b3c509;
											goto L2;
										}
									}
									_t1302 = _t1432;
									L104:
									_t1180 = 0x26b3c509;
									goto L105;
								}
								__eflags = _t1302 - 0xd2fe09a;
								if(__eflags == 0) {
									__eflags = E00728489(_v284, _v588, __eflags,  &_v124);
									if(__eflags != 0) {
										_t1409 = _v428;
										_t1432 = 0x3a5ce9e8;
									}
									goto L30;
								}
								__eflags = _t1302 - 0x1086eb0d;
								if(_t1302 == 0x1086eb0d) {
									E0071B22A();
									_t1302 = 0x27ababe3;
									while(1) {
										L1:
										_t1180 = 0x26b3c509;
										goto L2;
									}
								}
								__eflags = _t1302 - 0x10b5273f;
								if(__eflags != 0) {
									goto L105;
								}
								_t1302 = 0x3a5ce9e8;
								_v92 = _v308;
								while(1) {
									L1:
									_t1180 = 0x26b3c509;
									goto L2;
								}
							}
							if(_t1449 == 0) {
								_t1326 = _v436;
								E0071EBA4(_t1326, _v316, _v468,  &_v132,  &_v112);
								_t1440 = _t1440 + 0xc;
								asm("sbb ecx, ecx");
								_t1302 = (_t1326 & 0x05f62068) + 0x3558f604;
								while(1) {
									L1:
									_t1180 = 0x26b3c509;
									goto L2;
								}
							}
							if(_t1302 == 0x247d67b) {
								_v100 = E0072E8F0();
								_t1302 = 0x1a1d010e;
								while(1) {
									L1:
									_t1180 = 0x26b3c509;
									goto L2;
								}
							}
							if(_t1302 == 0x27e5de8) {
								E007133F4(_v532, _v444, _v604, _v500, _v132);
								_t1440 = _t1440 + 0xc;
								_t1302 = 0x3558f604;
								while(1) {
									L1:
									_t1180 = 0x26b3c509;
									goto L2;
								}
							}
							if(_t1302 == 0x2e39497) {
								_t1180 = E0071E891(_t1302, __eflags);
								__eflags = _t1180;
								if(__eflags == 0) {
									goto L109;
								}
								_t1302 = 0x390e3d92;
								while(1) {
									L1:
									_t1180 = 0x26b3c509;
									goto L2;
								}
							}
							if(_t1302 == 0x51ff6ae) {
								_t1259 = E0072DA27(_v212,  &_v68, _v300, _v448, _v176);
								_t1440 = _t1440 + 0x10;
								__eflags = _t1259;
								if(__eflags == 0) {
									goto L16;
								}
								_v112 =  &_v68;
								_t1261 = E00719E6E(_v380, _v540, _v620, _v312,  &_v68);
								_t1440 = _t1440 + 0xc;
								_v108 = _t1261;
								_t1302 = 0x3b8693b0;
								while(1) {
									L1:
									_t1180 = 0x26b3c509;
									goto L2;
								}
							}
							if(_t1302 != 0x8d56928) {
								goto L105;
							}
							_v104 = E0072D5DF();
							_t1302 = 0x247d67b;
							while(1) {
								L1:
								_t1180 = 0x26b3c509;
								goto L2;
							}
						}
						__eflags = _t1302 - 0x2e6905fa;
						if(__eflags > 0) {
							__eflags = _t1302 - 0x3558f604;
							if(__eflags > 0) {
								__eflags = _t1302 - 0x390e3d92;
								if(_t1302 == 0x390e3d92) {
									E0072B977();
									_t1302 = 0x2710de7c;
									goto L104;
								}
								__eflags = _t1302 - 0x3a5ce9e8;
								if(_t1302 == 0x3a5ce9e8) {
									E00716AFC(_v488, _v496, _v504,  &_v88, _v512);
									_t1440 = _t1440 + 0xc;
									_t1302 = 0x32775a9c;
									while(1) {
										L1:
										_t1180 = 0x26b3c509;
										goto L2;
									}
								}
								__eflags = _t1302 - 0x3b4f166c;
								if(_t1302 == 0x3b4f166c) {
									_push(_v568);
									_push(_v560);
									_push( &_v140);
									_push(_v240);
									_push(_v232);
									_t1187 = E0071BEBD(_v552,  &_v132);
									_t1441 = _t1440 + 0x14;
									__eflags = _t1187;
									if(__eflags == 0) {
										E00723B5A();
										_t1432 = 0x3a5ce9e8;
										_t1195 = E007280F6(_v520, _v352, __eflags);
										_t1440 = _t1441 - 0x10 + 0x10;
										_t1409 = _t1195;
										goto L55;
									}
									_t1432 = 0x3a5ce9e8;
									_t1200 = E007280F6(_v368, _v376, __eflags);
									_t1440 = _t1441 - 0x10 + 0x10;
									_t1409 = _t1200;
									_t1302 = 0x13daa562;
									while(1) {
										L1:
										_t1180 = 0x26b3c509;
										goto L2;
									}
								}
								__eflags = _t1302 - 0x3b8693b0;
								if(__eflags != 0) {
									goto L105;
								}
								_v72 = E00723E55();
								_t1302 = 0x8d56928;
								while(1) {
									L1:
									_t1180 = 0x26b3c509;
									goto L2;
								}
							}
							if(__eflags == 0) {
								E007133F4(_v256, _v264, _v272, _v384, _v80);
								_t1440 = _t1440 + 0xc;
								_t1302 = 0x1314a566;
								while(1) {
									L1:
									_t1180 = 0x26b3c509;
									goto L2;
								}
							}
							__eflags = _t1302 - 0x319984b8;
							if(_t1302 == 0x319984b8) {
								E0072B598();
								asm("sbb ecx, ecx");
								_t1308 = _t1302 & 0xf61e3bde;
								L81:
								_t1302 = _t1308 + 0x1b93f384;
								while(1) {
									L1:
									_t1180 = 0x26b3c509;
									goto L2;
								}
							}
							__eflags = _t1302 - 0x32775a9c;
							if(_t1302 == 0x32775a9c) {
								E0072B459(_v280, _v576, _v584,  &_v80);
								_t1302 = 0xb290583;
								while(1) {
									L1:
									_t1180 = 0x26b3c509;
									goto L2;
								}
							}
							__eflags = _t1302 - 0x32b5f2ec;
							if(_t1302 == 0x32b5f2ec) {
								E00712571();
								_t1302 = 0x11b22f62;
								while(1) {
									L1:
									_t1180 = 0x26b3c509;
									goto L2;
								}
							}
							__eflags = _t1302 - 0x32da3ca5;
							if(__eflags != 0) {
								goto L105;
							}
							_push(_v440);
							_v148 = E00718CF3(_v600, _v304, __eflags, _t1302,  &_v144);
							E007142DE(_v296, _v432, __eflags,  &_v148);
							E0071717B(_v288, _v408, _v416, _v148, _v424);
							_t1440 = _t1440 + 0x1c;
							_t1302 = 0x1bd43c79;
							while(1) {
								L1:
								_t1180 = 0x26b3c509;
								goto L2;
							}
						}
						if(__eflags == 0) {
							__eflags = E00729726();
							if(__eflags == 0) {
								E00728314();
								asm("sbb ecx, ecx");
								_t1302 = (_t1302 & 0x1b21e83b) + 0x1086eb0d;
								while(1) {
									L1:
									_t1180 = 0x26b3c509;
									goto L2;
								}
							}
							E00728314();
							asm("sbb ecx, ecx");
							_t1308 = _t1302 & 0x16059134;
							__eflags = _t1308;
							goto L81;
						}
						__eflags = _t1302 - _t1180;
						if(__eflags > 0) {
							__eflags = _t1302 - 0x2710de7c;
							if(_t1302 == 0x2710de7c) {
								_t1180 = E00727B8D();
								__eflags = _t1180;
								if(_t1180 == 0) {
									goto L109;
								}
								E0071BDAB(_v616);
								_t1302 = 0x1f1ad5e4;
								while(1) {
									L1:
									_t1180 = 0x26b3c509;
									goto L2;
								}
							}
							__eflags = _t1302 - 0x27ababe3;
							if(_t1302 == 0x27ababe3) {
								E0072CF07();
								_t1302 = 0x1f098d9d;
								while(1) {
									L1:
									_t1180 = 0x26b3c509;
									goto L2;
								}
							}
							__eflags = _t1302 - 0x2a3d3775;
							if(__eflags == 0) {
								_t1302 = 0x32da3ca5;
								goto L2;
							}
							__eflags = _t1302 - 0x2ba8d348;
							if(_t1302 != 0x2ba8d348) {
								goto L105;
							}
							E0072E9A2();
							_t1302 = 0x1086eb0d;
							while(1) {
								L1:
								_t1180 = 0x26b3c509;
								goto L2;
							}
						}
						if(__eflags == 0) {
							_t1180 = E00724602();
							goto L109;
						}
						__eflags = _t1302 - 0x1e013a7c;
						if(__eflags == 0) {
							_t1432 = 0x51ff6ae;
							_t1288 = E007280F6(_v160, _v396, __eflags);
							_t1440 = _t1440 - 0x10 + 0x10;
							_t1409 = _t1288;
							goto L45;
						}
						__eflags = _t1302 - 0x1f098d9d;
						if(_t1302 == 0x1f098d9d) {
							_t1180 = E0071AE9E();
							__eflags = _t1180;
							if(__eflags == 0) {
								goto L109;
							}
							_t1302 = 0x1c27d8f2;
							while(1) {
								L1:
								_t1180 = 0x26b3c509;
								goto L2;
							}
						}
						__eflags = _t1302 - 0x1f1ad5e4;
						if(_t1302 == 0x1f1ad5e4) {
							E00717B6A();
							asm("sbb ecx, ecx");
							_t1302 = (_t1302 & 0xf942a5e9) + 0x2e6905fa;
							goto L1;
						}
						__eflags = _t1302 - 0x2315912d;
						if(_t1302 != 0x2315912d) {
							goto L105;
						}
						_t1180 = E0071A7FA(_t1302);
						goto L109;
						L105:
						__eflags = _t1302 - 0x317f229e;
					} while (__eflags != 0);
					goto L109;
				}
			}

0x00714ad9
0x00714ae3
0x00714af0
0x00714afb
0x00714b00
0x00714b0b
0x00714b13
0x00714b1b
0x00714b20
0x00714b28
0x00714b30
0x00714b3b
0x00714b46
0x00714b4e
0x00714b59
0x00714b64
0x00714b6f
0x00714b7a
0x00714b85
0x00714b90
0x00714b9b
0x00714ba3
0x00714bb1
0x00714bb6
0x00714bc0
0x00714bc5
0x00714bcb
0x00714bd3
0x00714bde
0x00714be9
0x00714bf4
0x00714bfc
0x00714c04
0x00714c0c
0x00714c14
0x00714c1c
0x00714c27
0x00714c32
0x00714c3d
0x00714c48
0x00714c54
0x00714c59
0x00714c5f
0x00714c67
0x00714c6c
0x00714c74
0x00714c7f
0x00714c8a
0x00714c95
0x00714ca0
0x00714cb2
0x00714cb7
0x00714cc0
0x00714ccb
0x00714cd6
0x00714ce8
0x00714ceb
0x00714cf2
0x00714cfd
0x00714d0a
0x00714d1f
0x00714d22
0x00714d29
0x00714d34
0x00714d3f
0x00714d4c
0x00714d50
0x00714d58
0x00714d60
0x00714d68
0x00714d7c
0x00714d7d
0x00714d91
0x00714d9a
0x00714da5
0x00714db0
0x00714dbb
0x00714dc6
0x00714dd1
0x00714de4
0x00714de7
0x00714de8
0x00714def
0x00714dfa
0x00714e05
0x00714e0d
0x00714e15
0x00714e1a
0x00714e22
0x00714e2a
0x00714e35
0x00714e40
0x00714e48
0x00714e50
0x00714e5b
0x00714e66
0x00714e71
0x00714e7c
0x00714e87
0x00714e8f
0x00714e9a
0x00714ea5
0x00714ead
0x00714eb8
0x00714ebf
0x00714eca
0x00714ed2
0x00714edd
0x00714ee8
0x00714ef3
0x00714efe
0x00714f06
0x00714f11
0x00714f1f
0x00714f23
0x00714f28
0x00714f30
0x00714f38
0x00714f43
0x00714f4e
0x00714f59
0x00714f64
0x00714f6f
0x00714f7a
0x00714f87
0x00714f9c
0x00714f9f
0x00714fa0
0x00714fa7
0x00714fb2
0x00714fbd
0x00714fc8
0x00714fd3
0x00714fde
0x00714fe6
0x00714fee
0x00714ff6
0x00714ffe
0x00715006
0x00715011
0x00715019
0x00715024
0x0071502f
0x0071503a
0x00715045
0x00715050
0x0071505b
0x00715066
0x00715071
0x00715079
0x00715084
0x0071508f
0x007150a5
0x007150ac
0x007150b7
0x007150c2
0x007150d7
0x007150d8
0x007150df
0x007150ea
0x007150f5
0x007150fd
0x00715108
0x00715113
0x0071511e
0x00715134
0x0071513b
0x00715146
0x0071514e
0x00715157
0x00715161
0x00715165
0x0071516d
0x00715178
0x00715183
0x0071518e
0x00715199
0x007151a1
0x007151ac
0x007151b7
0x007151c2
0x007151cd
0x007151d8
0x007151e3
0x007151ee
0x007151f9
0x00715204
0x0071520c
0x00715217
0x00715222
0x0071522f
0x0071523a
0x00715245
0x00715250
0x0071525b
0x00715266
0x00715271
0x00715282
0x00715287
0x00715290
0x0071529b
0x007152a3
0x007152ab
0x007152b5
0x007152b8
0x007152bc
0x007152c4
0x007152cc
0x007152d1
0x007152d6
0x007152de
0x007152e6
0x007152f9
0x00715300
0x0071530b
0x00715316
0x00715321
0x00715329
0x00715334
0x0071533f
0x00715347
0x0071534f
0x00715357
0x00715362
0x0071536d
0x00715378
0x00715383
0x0071538b
0x00715390
0x0071539a
0x0071539e
0x007153a6
0x007153bc
0x007153c3
0x007153ce
0x007153d9
0x007153e4
0x007153ef
0x007153fa
0x00715405
0x00715410
0x0071541b
0x00715426
0x00715435
0x00715438
0x0071543f
0x0071544a
0x00715455
0x0071545d
0x00715468
0x0071546f
0x0071547a
0x00715485
0x0071548d
0x00715498
0x007154a0
0x007154aa
0x007154b2
0x007154ba
0x007154c2
0x007154ca
0x007154d2
0x007154da
0x007154e1
0x007154e4
0x007154e8
0x007154f0
0x007154fb
0x00715503
0x0071550e
0x00715519
0x00715524
0x0071552f
0x00715537
0x00715542
0x00715558
0x0071555f
0x0071556a
0x00715572
0x0071557d
0x00715588
0x00715593
0x0071559e
0x007155b1
0x007155b2
0x007155b9
0x007155c4
0x007155cc
0x007155d4
0x007155d9
0x007155dd
0x007155e5
0x007155ed
0x007155fd
0x00715601
0x00715609
0x00715611
0x0071561c
0x00715627
0x00715632
0x0071563d
0x00715648
0x00715653
0x0071565e
0x00715669
0x00715674
0x0071567c
0x00715681
0x00715686
0x0071568e
0x00715696
0x007156a4
0x007156a8
0x007156ac
0x007156b1
0x007156b9
0x007156cc
0x007156d3
0x007156de
0x007156f1
0x007156f8
0x00715703
0x0071571a
0x0071571d
0x0071572c
0x00715733
0x0071573e
0x00715749
0x00715754
0x0071575f
0x00715767
0x0071576f
0x00715774
0x0071577c
0x00715784
0x00715791
0x00715795
0x0071579d
0x007157a2
0x007157aa
0x007157b5
0x007157c0
0x007157cb
0x007157d6
0x007157de
0x007157e9
0x007157f1
0x007157fe
0x00715802
0x00715807
0x0071580f
0x00715821
0x00715826
0x0071582f
0x0071583a
0x00715845
0x00715850
0x0071585b
0x00715866
0x00715871
0x0071587c
0x00715887
0x00715892
0x007158a4
0x007158a7
0x007158ae
0x007158b9
0x007158c1
0x007158c9
0x007158ce
0x007158d6
0x007158de
0x007158e9
0x007158f4
0x007158fc
0x00715907
0x0071590f
0x00715917
0x0071591f
0x00715924
0x0071592c
0x00715937
0x00715942
0x0071594d
0x00715960
0x00715967
0x00715972
0x0071597a
0x00715981
0x00715989
0x00715991
0x00715999
0x007159a4
0x007159af
0x007159b7
0x007159c2
0x007159ca
0x007159d9
0x007159dc
0x007159e0
0x007159e8
0x007159f0
0x007159fb
0x00715a06
0x00715a11
0x00715a1c
0x00715a27
0x00715a32
0x00715a3d
0x00715a48
0x00715a53
0x00715a5e
0x00715a69
0x00715a74
0x00715a7f
0x00715a8a
0x00715a95
0x00715a9d
0x00715aa8
0x00715ab3
0x00715abe
0x00715ac9
0x00715ad4
0x00715adc
0x00715ae4
0x00715aec
0x00715af4
0x00715afc
0x00715b07
0x00715b12
0x00715b1d
0x00715b28
0x00715b3b
0x00715b42
0x00715b4d
0x00715b58
0x00715b60
0x00715b70
0x00715b77
0x00715b82
0x00715b8d
0x00715b95
0x00715ba0
0x00715bab
0x00715bb6
0x00715bc1
0x00715bc9
0x00715bd4
0x00715bea
0x00715bfa
0x00715c01
0x00715c0c
0x00715c17
0x00715c28
0x00715c32
0x00715c3e
0x00715c46
0x00715c51
0x00715c5c
0x00715c64
0x00715c6f
0x00715c7a
0x00715c85
0x00715c90
0x00715c98
0x00715ca3
0x00715cb7
0x00715cbc
0x00715cc3
0x00715ccb
0x00715cd3
0x00715cde
0x00715ce9
0x00715cf1
0x00715cfc
0x00715d04
0x00715d11
0x00715d15
0x00715d1d
0x00715d25
0x00715d30
0x00715d45
0x00715d48
0x00715d4f
0x00715d5a
0x00715d65
0x00715d6d
0x00715d78
0x00715d83
0x00715d8b
0x00715d96
0x00715da1
0x00715db7
0x00715dbe
0x00715dc6
0x00715dd1
0x00715ddc
0x00715de4
0x00715dec
0x00715df7
0x00715e09
0x00715e0e
0x00715e15
0x00715e1f
0x00715e26
0x00715e2f
0x00715e33
0x00715e3b
0x00715e3b
0x00715e3b
0x00715e40
0x00715e40
0x00715e40
0x00715e40
0x00715e46
0x00000000
0x00000000
0x00715e4c
0x0071625e
0x00716263
0x00715e3b
0x00715e3b
0x00715e3b
0x00000000
0x00715e3b
0x00715e3b
0x00715e52
0x00715e58
0x00716095
0x0071609b
0x007161ad
0x007161b3
0x0071623e
0x00716243
0x00716246
0x00716246
0x00715e3b
0x00715e3b
0x00715e3b
0x00000000
0x00715e3b
0x00715e3b
0x007161b5
0x007161bb
0x0071620f
0x00716214
0x00715e3b
0x00715e3b
0x00715e3b
0x00000000
0x00715e3b
0x00715e3b
0x007161bd
0x007161c3
0x007161fe
0x00000000
0x007161fe
0x007161c5
0x007161cb
0x00000000
0x00000000
0x007161d8
0x007161e4
0x007161eb
0x007161f3
0x00715e3b
0x00715e3b
0x00715e3b
0x00000000
0x00715e3b
0x00715e3b
0x007160a1
0x0071619c
0x007161a1
0x00715e3b
0x00715e3b
0x00715e3b
0x00000000
0x00715e3b
0x00715e3b
0x007160a7
0x007160ad
0x00716183
0x00716188
0x0071618b
0x0071618b
0x00715e3b
0x00715e3b
0x00715e3b
0x00000000
0x00715e3b
0x00715e3b
0x007160b3
0x007160b9
0x00716154
0x00716159
0x00715e3b
0x00715e3b
0x00715e3b
0x00000000
0x00715e3b
0x00715e3b
0x007160bf
0x007160c5
0x00716102
0x00716107
0x0071610a
0x0071610c
0x00716065
0x00716065
0x00715e3b
0x00715e3b
0x00715e3b
0x00000000
0x00715e3b
0x00715e3b
0x00716119
0x0071611e
0x00716126
0x0071612b
0x00715e3b
0x00715e3b
0x00715e3b
0x00000000
0x00715e3b
0x00715e3b
0x00716131
0x00716139
0x0071613e
0x00000000
0x0071613e
0x007160c7
0x007160cd
0x00000000
0x00000000
0x007160d3
0x00000000
0x007160d3
0x00715e5e
0x007166f5
0x0071670f
0x00716716
0x00716716
0x00715e64
0x00715e6a
0x00715ff0
0x00715ff6
0x0071607d
0x00716086
0x00716088
0x00715f40
0x00715f40
0x00715e3b
0x00715e3b
0x00715e3b
0x00000000
0x00715e3b
0x00715e3b
0x0071608e
0x007166d4
0x007166d4
0x00000000
0x007166d4
0x00715ff8
0x00715ffe
0x00716058
0x0071605a
0x0071605c
0x00716063
0x00716063
0x00000000
0x0071605a
0x00716000
0x00716006
0x00716030
0x00716035
0x00715e3b
0x00715e3b
0x00715e3b
0x00000000
0x00715e3b
0x00715e3b
0x00716008
0x0071600e
0x00000000
0x00000000
0x0071601b
0x0071601d
0x00715e3b
0x00715e3b
0x00715e3b
0x00000000
0x00715e3b
0x00715e3b
0x00715e70
0x00715fd0
0x00715fd7
0x00715fdc
0x00715fe1
0x00715fe9
0x00715e3b
0x00715e3b
0x00715e3b
0x00000000
0x00715e3b
0x00715e3b
0x00715e7c
0x00715fa1
0x00715fa8
0x00715e3b
0x00715e3b
0x00715e3b
0x00000000
0x00715e3b
0x00715e3b
0x00715e88
0x00715f89
0x00715f8e
0x00715f91
0x00715e3b
0x00715e3b
0x00715e3b
0x00000000
0x00715e3b
0x00715e3b
0x00715e94
0x00715f55
0x00715f5a
0x00715f5c
0x00000000
0x00000000
0x00715f62
0x00715e3b
0x00715e3b
0x00715e3b
0x00000000
0x00715e3b
0x00715e3b
0x00715ea0
0x00715ef6
0x00715efb
0x00715efe
0x00715f00
0x00000000
0x00000000
0x00715f11
0x00715f27
0x00715f2c
0x00715f2f
0x00715f36
0x00715e3b
0x00715e3b
0x00715e3b
0x00000000
0x00715e3b
0x00715e3b
0x00715ea8
0x00000000
0x00000000
0x00715ec1
0x00715ec8
0x00715e3b
0x00715e3b
0x00715e3b
0x00000000
0x00715e3b
0x00715e3b
0x0071626d
0x00716273
0x00716437
0x00716439
0x00716581
0x00716587
0x007166ca
0x007166cf
0x00000000
0x007166cf
0x0071658d
0x0071658f
0x007166aa
0x007166af
0x007166b2
0x00715e3b
0x00715e3b
0x00715e3b
0x00000000
0x00715e3b
0x00715e3b
0x00716595
0x0071659b
0x007165c6
0x007165d1
0x007165dc
0x007165dd
0x007165e4
0x007165ef
0x007165f4
0x007165f7
0x007165f9
0x00716646
0x00716659
0x00716677
0x0071667c
0x0071667f
0x00000000
0x0071667f
0x00716609
0x00716627
0x0071662c
0x0071662f
0x00716631
0x00715e3b
0x00715e3b
0x00715e3b
0x00000000
0x00715e3b
0x00715e3b
0x0071659d
0x007165a3
0x00000000
0x00000000
0x007165b5
0x007165bc
0x00715e3b
0x00715e3b
0x00715e3b
0x00000000
0x00715e3b
0x00715e3b
0x0071643f
0x0071656f
0x00716574
0x00716577
0x00715e3b
0x00715e3b
0x00715e3b
0x00000000
0x00715e3b
0x00715e3b
0x00716445
0x0071644b
0x00716538
0x0071653f
0x00716541
0x0071640b
0x0071640b
0x00715e3b
0x00715e3b
0x00715e3b
0x00000000
0x00715e3b
0x00715e3b
0x00716451
0x00716457
0x00716520
0x00716527
0x00715e3b
0x00715e3b
0x00715e3b
0x00000000
0x00715e3b
0x00715e3b
0x0071645d
0x00716463
0x007164fa
0x007164ff
0x00715e3b
0x00715e3b
0x00715e3b
0x00000000
0x00715e3b
0x00715e3b
0x00716469
0x0071646f
0x00000000
0x00000000
0x00716475
0x007164a6
0x007164b5
0x007164dd
0x007164e2
0x007164e5
0x00715e3b
0x00715e3b
0x00715e3b
0x00000000
0x00715e3b
0x00715e3b
0x00716279
0x007163f1
0x007163f3
0x0071641d
0x00716424
0x0071642c
0x00715e3b
0x00715e3b
0x00715e3b
0x00000000
0x00715e3b
0x00715e3b
0x007163fc
0x00716403
0x00716405
0x00716405
0x00000000
0x00716405
0x0071627f
0x00716281
0x00716351
0x00716357
0x007163ba
0x007163bf
0x007163c1
0x00000000
0x00000000
0x007163d2
0x007163d7
0x00715e3b
0x00715e3b
0x00715e3b
0x00000000
0x00715e3b
0x00715e3b
0x00716359
0x0071635f
0x007163a4
0x007163a9
0x00715e3b
0x00715e3b
0x00715e3b
0x00000000
0x00715e3b
0x00715e3b
0x00716361
0x00716367
0x0071638f
0x00000000
0x0071638f
0x00716369
0x0071636f
0x00000000
0x00000000
0x00716380
0x00716385
0x00715e3b
0x00715e3b
0x00715e3b
0x00000000
0x00715e3b
0x00715e3b
0x00716287
0x0071670a
0x00000000
0x0071670a
0x0071628d
0x00716293
0x00716324
0x00716342
0x00716347
0x0071634a
0x00000000
0x0071634a
0x00716295
0x0071629b
0x007162fc
0x00716301
0x00716303
0x00000000
0x00000000
0x00716309
0x00715e3b
0x00715e3b
0x00715e3b
0x00000000
0x00715e3b
0x00715e3b
0x0071629d
0x007162a3
0x007162d4
0x007162db
0x007162e3
0x00000000
0x007162e3
0x007162a5
0x007162ab
0x00000000
0x00000000
0x007162bf
0x00000000
0x007166d9
0x007166d9
0x007166d9
0x00000000
0x007166e5

Strings

#Z, xrefs: 0071592C
H., xrefs: 00715024
f, xrefs: 00715BC9
f, xrefs: 007156C4
*=, xrefs: 00715632
G', xrefs: 00714CA0
HX, xrefs: 0071557D
{DL, xrefs: 007154DA
$?, xrefs: 00714BCB
u7=*, xrefs: 00716214
Pp, xrefs: 00715C46
O_, xrefs: 0071547A
'T, xrefs: 0071508F
=, xrefs: 007153A6
qV, xrefs: 00715807
bP5A, xrefs: 007154BA
\:, xrefs: 00715C39
j[, xrefs: 007151EE
A-, xrefs: 00714D3F
|., xrefs: 00715290
tj, xrefs: 00715999
yq, xrefs: 00714EBF
Kk, xrefs: 007159F0
'=, xrefs: 00714B00
r, xrefs: 0071594D
ZW, xrefs: 00715DF7
<b&, xrefs: 0071618B
C, xrefs: 00715CDE
u7=*, xrefs: 00716361
8r, xrefs: 00714F64
<b&, xrefs: 00715FF0
e;, xrefs: 00715A1C
k|, xrefs: 00715519
}V, xrefs: 00714F4E
07, xrefs: 00715217
40, xrefs: 00715C01
8Q, xrefs: 00714C48
j^, xrefs: 00715266
l, xrefs: 00715A5E
_, xrefs: 007155C4
cB, xrefs: 00714F06
3(, xrefs: 00715245
[I, xrefs: 00714BA3
ZM2, xrefs: 00715845

Memory Dump Source

Source File: 00000001.00000002.282217417.0000000000710000.00000040.00020000.sdmp, Offset: 00710000, based on PE: true

Associated: 00000001.00000002.282272461.0000000000731000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: C$#Z$$?$'=$'T$*=$07$3($40$8Q$8r$<b&$<b&$=$A-$G'$H.$HX$Kk$O_$Pp$ZM2$ZW$[I$_$bP5A$cB$e;$j[$j^$k|$qV$r$tj$u7=*$u7=*$yq${DL$|.$}V$l$\:$f$f
API String ID: 0-245086209
Opcode ID: 9fee5e40c5b386811e62a28aa39bd73519462d30de4c334bac801d5d2945ff92
Instruction ID: f36b94c93c2a25f7e8fdbab4566721aaedab957d388a801746427cd0c40ab939
Opcode Fuzzy Hash: 9fee5e40c5b386811e62a28aa39bd73519462d30de4c334bac801d5d2945ff92
Instruction Fuzzy Hash: D5D2F271509781CBE3B8CF29C58A6DFBBE1BBC5304F50891DE59A862A0D7B88549CF43

Uniqueness

Uniqueness Score: -1.00%

Function 00726334, Relevance: 30.7, Strings: 24, Instructions: 660
COMMONCrypto

Download Yara Rule

C-Code - Quality: 94%

			E00726334(intOrPtr __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, signed int _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr* _a32) {
				char _v4;
				intOrPtr _v8;
				char _v12;
				intOrPtr _v16;
				char _v20;
				char _v24;
				intOrPtr _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				signed int _v184;
				signed int _v188;
				signed int _v192;
				signed int _v196;
				signed int _v200;
				signed int _v204;
				signed int _v208;
				unsigned int _v212;
				signed int _v216;
				signed int _v220;
				signed int _v224;
				signed int _v228;
				signed int _v232;
				signed int _v236;
				signed int _v240;
				signed int _v244;
				signed int _v248;
				signed int _v252;
				signed int _v256;
				signed int _v260;
				signed int _v264;
				signed int _v268;
				signed int _v272;
				signed int _v276;
				signed int _v280;
				signed int _v284;
				signed int _v288;
				signed int _v292;
				signed int _v296;
				signed int _v300;
				signed int _v304;
				signed int _v308;
				intOrPtr _v312;
				char _v316;
				intOrPtr _t725;
				intOrPtr _t732;
				intOrPtr _t734;
				intOrPtr _t735;
				intOrPtr _t746;
				intOrPtr _t747;
				void* _t749;
				intOrPtr _t752;
				intOrPtr* _t755;
				char _t757;
				signed int _t767;
				void* _t779;
				void* _t819;
				intOrPtr _t834;
				signed int _t835;
				signed int _t836;
				signed int _t837;
				signed int _t838;
				signed int _t839;
				signed int _t840;
				signed int _t841;
				signed int _t842;
				signed int _t843;
				signed int _t844;
				signed int _t845;
				signed int _t846;
				signed int _t847;
				signed int _t848;
				signed int _t849;
				signed int _t850;
				intOrPtr _t851;
				signed int _t852;
				intOrPtr _t853;
				char _t859;
				void* _t861;
				void* _t863;
				void* _t865;

				_t755 = _a32;
				_push(_t755);
				_push(_a28);
				_push(_a24);
				_v16 = __ecx;
				_push(_a20);
				_push(_a16);
				_push(_a12 & 0x0000ffff);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E00727B8C(_a12 & 0x0000ffff);
				_v8 = 0x583ce9;
				_v4 = 0;
				_t861 =  &_v316 + 0x28;
				_v24 = 0;
				_t757 = 0;
				_v140 = 0xad16;
				_t859 = 0;
				_v140 = _v140 | 0x555fd697;
				_v140 = _v140 ^ 0x2f7787b8;
				_t852 = 0x25892389;
				_v140 = _v140 ^ 0x7a28782f;
				_v300 = 0x7eb5;
				_v300 = _v300 + 0xfffff63d;
				_v300 = _v300 + 0xffff0078;
				_v300 = _v300 | 0x4797881a;
				_v300 = _v300 ^ 0xfffffd69;
				_v196 = 0x78bf;
				_v20 = 0;
				_t835 = 0x18;
				_v196 = _v196 / _t835;
				_t836 = 0x71;
				_v196 = _v196 / _t836;
				_v196 = _v196 ^ 0x000000c3;
				_v232 = 0x1d52;
				_v232 = _v232 >> 2;
				_v232 = _v232 + 0xa5b0;
				_t837 = 0x42;
				_v316 = 0;
				_v232 = _v232 / _t837;
				_v232 = _v232 ^ 0x0000829f;
				_v272 = 0x1010;
				_v272 = _v272 + 0xa1d3;
				_v272 = _v272 * 0x4d;
				_v272 = _v272 >> 7;
				_v272 = _v272 ^ 0x00002b02;
				_v76 = 0xd02c;
				_v76 = _v76 << 0xb;
				_v76 = _v76 ^ 0x06c16000;
				_v112 = 0x3e7a;
				_v112 = _v112 << 0xf;
				_v112 = _v112 + 0x6fd2;
				_v112 = _v112 ^ 0x1f396fd2;
				_v248 = 0x6540;
				_v248 = _v248 | 0xabd80c30;
				_v248 = _v248 + 0x2f33;
				_v248 = _v248 ^ 0x5dee4f13;
				_v248 = _v248 ^ 0xf236d3b0;
				_v280 = 0x1dad;
				_v280 = _v280 + 0x750f;
				_v280 = _v280 + 0xffffd67c;
				_v280 = _v280 << 1;
				_v280 = _v280 ^ 0x0008d270;
				_v176 = 0x417e;
				_v176 = _v176 >> 0xe;
				_v176 = _v176 >> 5;
				_v176 = _v176 ^ 0x00000200;
				_v224 = 0xe381;
				_v224 = _v224 << 0xa;
				_v224 = _v224 >> 5;
				_v224 = _v224 | 0x19abac4a;
				_v224 = _v224 ^ 0x19bffd6a;
				_v44 = 0x8a1;
				_v44 = _v44 + 0xffff0079;
				_v44 = _v44 ^ 0x7fff091a;
				_v284 = 0x1ee0;
				_v284 = _v284 ^ 0x4b30d2e7;
				_t838 = 0x50;
				_v284 = _v284 * 0xf;
				_v284 = _v284 ^ 0x61762d3d;
				_v284 = _v284 ^ 0x06add954;
				_v32 = 0x6f09;
				_v32 = _v32 << 4;
				_v32 = _v32 ^ 0x0006f093;
				_v276 = 0x6d37;
				_v276 = _v276 | 0xbc9f258d;
				_v276 = _v276 / _t838;
				_v276 = _v276 << 0xb;
				_v276 = _v276 ^ 0xdcbe36a5;
				_v80 = 0x60dd;
				_v80 = _v80 + 0xd81c;
				_v80 = _v80 ^ 0x00015f59;
				_v260 = 0x684a;
				_v260 = _v260 >> 8;
				_v260 = _v260 ^ 0xb6528adf;
				_v260 = _v260 | 0x494b1842;
				_v260 = _v260 ^ 0xff5b9ae8;
				_v268 = 0xd38d;
				_v268 = _v268 * 0x3f;
				_v268 = _v268 ^ 0xb4057afc;
				_v268 = _v268 * 0x61;
				_v268 = _v268 ^ 0x46bd0f38;
				_v212 = 0x72c;
				_v212 = _v212 | 0xf1e32cea;
				_v212 = _v212 >> 4;
				_v212 = _v212 ^ 0x0f1e0789;
				_v72 = 0xb41c;
				_v72 = _v72 | 0x354d258a;
				_v72 = _v72 ^ 0x354d8014;
				_v124 = 0x3806;
				_v124 = _v124 * 0x25;
				_v124 = _v124 * 0xd;
				_v124 = _v124 ^ 0x00692bc5;
				_v132 = 0xfc29;
				_v132 = _v132 << 6;
				_v132 = _v132 >> 0xe;
				_v132 = _v132 ^ 0x000065a9;
				_v244 = 0xd58f;
				_v244 = _v244 + 0xffff2098;
				_v244 = _v244 + 0xffff7f58;
				_v244 = _v244 * 0x5d;
				_v244 = _v244 ^ 0xffcdc61c;
				_v252 = 0xe6a;
				_v252 = _v252 | 0x4f5f9b59;
				_v252 = _v252 ^ 0xd722ed3f;
				_v252 = _v252 ^ 0x478c9a98;
				_v252 = _v252 ^ 0xdff1ee91;
				_v56 = 0x4a89;
				_v56 = _v56 << 3;
				_v56 = _v56 ^ 0x00025781;
				_v64 = 0x976c;
				_v64 = _v64 << 4;
				_v64 = _v64 ^ 0x000949b8;
				_v88 = 0x34ae;
				_v88 = _v88 >> 8;
				_v88 = _v88 ^ 0x00003d4a;
				_v180 = 0xbf07;
				_t839 = 0x57;
				_v180 = _v180 * 0x5d;
				_v180 = _v180 | 0x9efaacd3;
				_v180 = _v180 ^ 0x9effad20;
				_v292 = 0xa8d8;
				_v292 = _v292 * 0x4b;
				_v292 = _v292 + 0xc172;
				_v292 = _v292 | 0x7fda690d;
				_v292 = _v292 ^ 0x7ffa31cb;
				_v96 = 0x5e54;
				_v96 = _v96 >> 6;
				_v96 = _v96 ^ 0x000034c1;
				_v188 = 0xf675;
				_v188 = _v188 ^ 0x7b1fe4ea;
				_v188 = _v188 / _t839;
				_v188 = _v188 ^ 0x016a786d;
				_v148 = 0x3e80;
				_v148 = _v148 | 0x1ab31455;
				_v148 = _v148 << 0x10;
				_v148 = _v148 ^ 0x3ed53818;
				_v156 = 0xa6a;
				_v156 = _v156 + 0xa0a9;
				_v156 = _v156 + 0xffff2736;
				_v156 = _v156 ^ 0xffffd082;
				_v164 = 0x310e;
				_v164 = _v164 << 0xe;
				_v164 = _v164 << 0xa;
				_v164 = _v164 ^ 0x0e000421;
				_v172 = 0x2936;
				_v172 = _v172 << 7;
				_v172 = _v172 + 0xf70e;
				_v172 = _v172 ^ 0x0015e7e6;
				_v256 = 0xa47e;
				_v256 = _v256 + 0x19c;
				_v256 = _v256 >> 0xe;
				_t840 = 0x4e;
				_v256 = _v256 / _t840;
				_v256 = _v256 ^ 0x00002858;
				_v128 = 0x994e;
				_v128 = _v128 >> 4;
				_v128 = _v128 << 0xe;
				_v128 = _v128 ^ 0x02654ef8;
				_v192 = 0xbea6;
				_v192 = _v192 ^ 0x5a1b9e43;
				_v192 = _v192 >> 6;
				_v192 = _v192 ^ 0x01683e99;
				_v296 = 0xdd28;
				_v296 = _v296 * 0x70;
				_v296 = _v296 + 0xafb5;
				_v296 = _v296 * 0x4a;
				_v296 = _v296 ^ 0x1c2ae579;
				_v152 = 0xdcbf;
				_v152 = _v152 * 0x5c;
				_v152 = _v152 >> 1;
				_v152 = _v152 ^ 0x0027ddb4;
				_v240 = 0xfade;
				_v240 = _v240 ^ 0x4d92b6c4;
				_v240 = _v240 ^ 0xcaafc244;
				_v240 = _v240 | 0x31e719ec;
				_v240 = _v240 ^ 0xb7ffb37a;
				_v264 = 0x28a;
				_v264 = _v264 ^ 0x4da1dd22;
				_t841 = 3;
				_v264 = _v264 / _t841;
				_t842 = 0x73;
				_v264 = _v264 * 6;
				_v264 = _v264 ^ 0x9b43e6ea;
				_v92 = 0x36b5;
				_v92 = _v92 | 0xba462576;
				_v92 = _v92 ^ 0xba467445;
				_v84 = 0xedf4;
				_v84 = _v84 / _t842;
				_v84 = _v84 ^ 0x00003c09;
				_v144 = 0x51e1;
				_v144 = _v144 << 0xe;
				_v144 = _v144 + 0xa393;
				_v144 = _v144 ^ 0x1478f45e;
				_v184 = 0x5a10;
				_v184 = _v184 >> 5;
				_v184 = _v184 | 0x1e1b91bd;
				_v184 = _v184 ^ 0x1e1ba669;
				_v288 = 0xf9e6;
				_t843 = 0x1e;
				_v288 = _v288 / _t843;
				_t844 = 3;
				_v288 = _v288 / _t844;
				_t845 = 0x45;
				_v288 = _v288 / _t845;
				_v288 = _v288 ^ 0x0000175b;
				_v216 = 0xd398;
				_v216 = _v216 + 0xffff1989;
				_v216 = _v216 + 0xffff1285;
				_v216 = _v216 ^ 0xfffef5bc;
				_v308 = 0x655b;
				_v308 = _v308 + 0xffff7e48;
				_v308 = _v308 >> 0xe;
				_v308 = _v308 ^ 0xee581d4a;
				_v308 = _v308 ^ 0xee5bfd9c;
				_v136 = 0x84ab;
				_v136 = _v136 << 0x10;
				_t846 = 0x6f;
				_v136 = _v136 * 9;
				_v136 = _v136 ^ 0xaa037e91;
				_v68 = 0x8def;
				_v68 = _v68 >> 2;
				_v68 = _v68 ^ 0x000006e9;
				_v168 = 0x9e4a;
				_v168 = _v168 | 0xf830c118;
				_v168 = _v168 + 0xffffcf48;
				_v168 = _v168 ^ 0xf830fde4;
				_v36 = 0xa749;
				_v36 = _v36 + 0xffffd318;
				_v36 = _v36 ^ 0x00003bcc;
				_v60 = 0x69ce;
				_v60 = _v60 / _t846;
				_v60 = _v60 ^ 0x00004e5d;
				_v48 = 0x1c1d;
				_v48 = _v48 >> 7;
				_v48 = _v48 ^ 0x00007964;
				_v120 = 0x7eee;
				_t847 = 0x25;
				_v120 = _v120 * 0x2e;
				_v120 = _v120 | 0x4861a6de;
				_v120 = _v120 ^ 0x4877a989;
				_v304 = 0x21a6;
				_v304 = _v304 + 0x17af;
				_v304 = _v304 | 0xf7f5c8f1;
				_v304 = _v304 >> 3;
				_v304 = _v304 ^ 0x1efee7b8;
				_v100 = 0xc496;
				_v100 = _v100 + 0xffff73f8;
				_v100 = _v100 ^ 0x00006b63;
				_v200 = 0x6b07;
				_v200 = _v200 + 0xfffffdc4;
				_v200 = _v200 + 0xd3cd;
				_v200 = _v200 ^ 0x000172eb;
				_v40 = 0x13d4;
				_v40 = _v40 << 0x10;
				_v40 = _v40 ^ 0x13d417ed;
				_v108 = 0x6ec0;
				_v108 = _v108 / _t847;
				_v108 = _v108 << 3;
				_v108 = _v108 ^ 0x00005412;
				_v204 = 0xb775;
				_t848 = 0x4d;
				_v204 = _v204 / _t848;
				_t849 = 0x6c;
				_v204 = _v204 * 0x6a;
				_v204 = _v204 ^ 0x00009990;
				_v116 = 0x9fef;
				_v116 = _v116 / _t849;
				_v116 = _v116 + 0xca88;
				_v116 = _v116 ^ 0x0000935e;
				_v160 = 0x4217;
				_v160 = _v160 << 0x10;
				_v160 = _v160 | 0x795e81bc;
				_v160 = _v160 ^ 0x7b5feec4;
				_v228 = 0x15f5;
				_t850 = 0x3f;
				_v228 = _v228 / _t850;
				_v228 = _v228 + 0x27c1;
				_v228 = _v228 ^ 0x58c8dd5f;
				_v228 = _v228 ^ 0x58c8945c;
				_v236 = 0x2df4;
				_v236 = _v236 >> 8;
				_v236 = _v236 * 0x1c;
				_v236 = _v236 | 0x1dc13999;
				_v236 = _v236 ^ 0x1dc147a6;
				_v52 = 0xd70d;
				_v52 = _v52 ^ 0x1df81154;
				_v52 = _v52 ^ 0x1df8a692;
				_v104 = 0x3df6;
				_v104 = _v104 + 0xffff4325;
				_v104 = _v104 ^ 0xfffff2fb;
				_v220 = 0x2318;
				_v220 = _v220 ^ 0x0f1d2b51;
				_v220 = _v220 >> 0xd;
				_v220 = _v220 + 0xa910;
				_v220 = _v220 ^ 0x00012b73;
				_t851 = _v16;
				_v208 = 0x9e39;
				_v208 = _v208 >> 0xa;
				_v208 = _v208 + 0xffffc634;
				_v208 = _v208 ^ 0xffff8828;
				while(1) {
					L1:
					_t819 = 0x247dbf53;
					while(1) {
						_t725 = _v312;
						while(1) {
							L3:
							_t865 = _t852 - _t819;
							if(_t865 > 0) {
								break;
							}
							if(_t865 == 0) {
								__eflags = _t755;
								if(__eflags == 0) {
									_t856 = _v20;
								} else {
									_push(_v288);
									_push(_v184);
									_push(_v144);
									_t747 = E0071B871(0x711644, _v84, __eflags);
									_t856 = _t747;
									_t861 = _t861 + 0xc;
									_v20 = _t747;
								}
								_t851 = E00721115(_v44 | _v224 | _v176 | _v280 | _v248 | _v112 | _v76 | _v272 | _v232, _a16, _v44 | _v224 | _v176 | _v280 | _v248 | _v112 | _v76 | _v272 | _v232, _t856, _v216, _v308, _v136, _v68, _v168, _v312, _v36);
								_t767 = _v60;
								E0071717B(_t767, _v48, _v120, _t856, _v304);
								_t861 = _t861 - 0xc + 0x3c;
								__eflags = _t851;
								if(_t851 == 0) {
									L39:
									_t852 = 0x15d84100;
								} else {
									_push(_t767);
									_v12 = 1;
									_t746 = E0071F0B5(_v100, _v200, _t851,  &_v12, _t767, _v40);
									_t861 = _t861 + 0x14;
									_v12 = _t746;
									_t852 = 0x2004267a;
								}
								goto L17;
							} else {
								if(_t852 == 0x10833e14) {
									_t725 = E0071A47F(_v256, _v128, _v192, _t757, _a8, _v32, _t757, _v296, _v152, _v240, _v28, _t757, _a12, _v264, _v92);
									_t757 = _v316;
									_t861 = _t861 + 0x38;
									__eflags = _t725;
									_v312 = _t725;
									_t819 = 0x247dbf53;
									_t852 =  !=  ? 0x247dbf53 : 0x16fd57e4;
									continue;
								} else {
									if(_t852 == 0x15b84d59) {
										__eflags = E00712814(_t851, _a28);
										_t852 = 0x27bc2f7f;
										_t749 = 1;
										_t859 =  !=  ? _t749 : _t859;
										goto L17;
									} else {
										if(_t852 == 0x15d84100) {
											E0071422B(_v52, _t725, _v104);
											_t852 = 0x16fd57e4;
											goto L17;
										} else {
											if(_t852 == 0x16fd57e4) {
												E0071422B(_v220, _v28, _v208);
											} else {
												if(_t852 != 0x2004267a) {
													L41:
													__eflags = _t852 - 0x1153912b;
													if(_t852 != 0x1153912b) {
														_t725 = _v312;
														continue;
													}
												} else {
													if(_t755 == 0) {
														_t752 = 0;
														__eflags = 0;
													} else {
														_t752 =  *((intOrPtr*)(_t755 + 4));
													}
													if(_t755 == 0) {
														_t834 = 0;
														__eflags = 0;
													} else {
														_t834 =  *_t755;
													}
													E0072BB45(_v108, _t834, _v204, _t757, _t851, _v16, _v116, _v160, _t752);
													_t861 = _t861 + 0x1c;
													asm("sbb esi, esi");
													_t852 = (_t852 & 0x07b198ee) + 0x27bc2f7f;
													L17:
													_t757 = _v316;
													goto L1;
												}
											}
										}
									}
								}
							}
							L44:
							return _t859;
						}
						__eflags = _t852 - 0x25892389;
						if(_t852 == 0x25892389) {
							_t852 = 0x28dd5313;
							goto L41;
						} else {
							__eflags = _t852 - 0x27bc2f7f;
							if(_t852 == 0x27bc2f7f) {
								E0071422B(_v228, _t851, _v236);
								goto L39;
							} else {
								__eflags = _t852 - 0x28dd5313;
								if(_t852 == 0x28dd5313) {
									_v24 = 0x200;
									_t853 = E0071A0AD(0x200, _t819);
									_t779 = 0x200;
									__eflags = _t853;
									if(_t853 != 0) {
										_t732 = E00716717(_t853,  &_v24, _v260, _v268);
										_t863 = _t861 + 0xc;
										__eflags = _t732;
										if(_t732 == 0) {
											_push(_t853);
											_push(_t779);
											_t734 = E0072CB58(_v72, _v124, _v132, _v140, _t779);
											_t863 = _t863 + 0x18;
											_v316 = _t734;
										}
										E007133F4(_v244, _v252, _v56, _v64, _t853);
										_t861 = _t863 + 0xc;
									}
									_t852 = 0x28e249b5;
									goto L17;
								} else {
									__eflags = _t852 - 0x28e249b5;
									if(_t852 == 0x28e249b5) {
										_push(_t757);
										_push(_t757);
										_t735 = E0071A3B5(_t757, _v88, _v180, _v284, _v292, _v96, _t757, _v188);
										__eflags = _t735;
										_v28 = _t735;
										_t852 =  !=  ? 0x10833e14 : 0x1153912b;
										E007133F4(_v148, _v156, _v164, _v172, _v316);
										_t757 = _v316;
										_t861 = _t861 + 0x2c;
										_t819 = 0x247dbf53;
										goto L41;
									} else {
										__eflags = _t852 - 0x2f6dc86d;
										if(__eflags != 0) {
											goto L41;
										} else {
											__eflags = E00720EAE(_t851, _v300, __eflags) - _v196;
											_t852 =  ==  ? 0x15b84d59 : 0x27bc2f7f;
											goto L17;
										}
									}
								}
							}
						}
						goto L44;
					}
				}
			}

0x00726342
0x0072634c
0x0072634d
0x00726357
0x0072635e
0x00726365
0x0072636c
0x00726373
0x00726374
0x0072637b
0x00726382
0x00726383
0x00726384
0x00726389
0x00726396
0x0072639d
0x007263a0
0x007263a7
0x007263a9
0x007263b4
0x007263b6
0x007263c3
0x007263ce
0x007263d3
0x007263de
0x007263e6
0x007263ee
0x007263f6
0x007263fe
0x00726406
0x00726411
0x00726421
0x00726426
0x00726436
0x0072643b
0x00726444
0x0072644f
0x00726457
0x0072645c
0x00726468
0x0072646b
0x0072646f
0x00726473
0x0072647b
0x00726483
0x00726490
0x00726494
0x00726499
0x007264a1
0x007264ac
0x007264b4
0x007264bf
0x007264ca
0x007264d2
0x007264dd
0x007264e8
0x007264f0
0x007264f8
0x00726500
0x00726508
0x00726510
0x00726518
0x00726522
0x0072652a
0x0072652e
0x00726536
0x00726541
0x00726549
0x00726551
0x0072655c
0x00726564
0x00726569
0x0072656e
0x00726576
0x0072657e
0x00726589
0x00726594
0x0072659f
0x007265a7
0x007265b6
0x007265b7
0x007265bb
0x007265c3
0x007265cb
0x007265d6
0x007265de
0x007265e9
0x007265f1
0x007265ff
0x00726603
0x00726608
0x00726610
0x0072661b
0x00726626
0x00726631
0x00726639
0x0072663e
0x00726646
0x0072664e
0x00726656
0x00726663
0x00726667
0x00726674
0x00726678
0x00726680
0x00726688
0x00726690
0x00726695
0x0072669d
0x007266a8
0x007266b3
0x007266be
0x007266d1
0x007266e0
0x007266e7
0x007266f2
0x007266fd
0x00726705
0x0072670d
0x00726718
0x00726720
0x00726728
0x00726735
0x00726739
0x00726741
0x00726749
0x00726751
0x00726759
0x00726761
0x00726769
0x00726774
0x0072677c
0x00726787
0x00726794
0x0072679c
0x007267a7
0x007267b2
0x007267ba
0x007267c5
0x007267da
0x007267dd
0x007267e4
0x007267ef
0x007267fa
0x00726807
0x0072680b
0x00726813
0x0072681b
0x00726823
0x0072682e
0x00726836
0x00726841
0x0072684c
0x00726862
0x00726869
0x00726874
0x0072687f
0x0072688a
0x00726892
0x0072689d
0x007268a8
0x007268b3
0x007268be
0x007268c9
0x007268d4
0x007268dc
0x007268e4
0x007268ef
0x007268fa
0x00726902
0x0072690d
0x00726918
0x00726920
0x00726928
0x00726931
0x00726934
0x00726938
0x00726940
0x0072694b
0x00726953
0x0072695b
0x00726966
0x00726971
0x0072697c
0x00726984
0x0072698f
0x0072699c
0x007269a0
0x007269ad
0x007269b1
0x007269b9
0x007269cc
0x007269d3
0x007269da
0x007269e5
0x007269ed
0x007269f5
0x007269fd
0x00726a05
0x00726a0d
0x00726a15
0x00726a25
0x00726a2a
0x00726a35
0x00726a38
0x00726a3c
0x00726a44
0x00726a4f
0x00726a5a
0x00726a65
0x00726a7b
0x00726a82
0x00726a8d
0x00726a98
0x00726aa0
0x00726aab
0x00726ab6
0x00726ac1
0x00726ac9
0x00726ad4
0x00726adf
0x00726aeb
0x00726af0
0x00726afa
0x00726aff
0x00726b09
0x00726b0e
0x00726b14
0x00726b1c
0x00726b24
0x00726b2c
0x00726b34
0x00726b3c
0x00726b44
0x00726b4c
0x00726b51
0x00726b59
0x00726b61
0x00726b6c
0x00726b7c
0x00726b7d
0x00726b84
0x00726b8f
0x00726b9a
0x00726ba2
0x00726bad
0x00726bb8
0x00726bc3
0x00726bce
0x00726bd9
0x00726be4
0x00726bef
0x00726bfa
0x00726c0e
0x00726c15
0x00726c20
0x00726c2d
0x00726c35
0x00726c40
0x00726c55
0x00726c58
0x00726c5f
0x00726c6a
0x00726c75
0x00726c7d
0x00726c85
0x00726c8d
0x00726c92
0x00726c9a
0x00726ca5
0x00726cb0
0x00726cbb
0x00726cc6
0x00726cd1
0x00726cdc
0x00726ce7
0x00726cf2
0x00726cfa
0x00726d05
0x00726d1b
0x00726d22
0x00726d2a
0x00726d35
0x00726d47
0x00726d4c
0x00726d5d
0x00726d60
0x00726d67
0x00726d72
0x00726d88
0x00726d8f
0x00726d9a
0x00726da5
0x00726db0
0x00726db8
0x00726dc3
0x00726dce
0x00726dda
0x00726ddd
0x00726de1
0x00726de9
0x00726df1
0x00726df9
0x00726e01
0x00726e0b
0x00726e0f
0x00726e17
0x00726e1f
0x00726e2a
0x00726e35
0x00726e40
0x00726e4b
0x00726e56
0x00726e61
0x00726e69
0x00726e71
0x00726e76
0x00726e7e
0x00726e86
0x00726e8d
0x00726e95
0x00726e9a
0x00726ea2
0x00726eaa
0x00726eaa
0x00726eaa
0x00726eaf
0x00726eaf
0x00726eb3
0x00726eb3
0x00726eb3
0x00726eb5
0x00000000
0x00000000
0x00726ebb
0x00727001
0x00727003
0x00727036
0x00727005
0x00727005
0x0072700e
0x00727015
0x00727023
0x00727028
0x0072702a
0x0072702d
0x0072702d
0x007270ad
0x007270be
0x007270c5
0x007270ca
0x007270cd
0x007270cf
0x0072729c
0x0072729c
0x007270d5
0x007270d5
0x007270ef
0x007270ff
0x00727104
0x00727107
0x0072710e
0x0072710e
0x00000000
0x00726ec1
0x00726ec7
0x00726fdd
0x00726fe2
0x00726fe6
0x00726fe9
0x00726feb
0x00726ff4
0x00726ff9
0x00000000
0x00726ecd
0x00726ed3
0x00726f80
0x00726f82
0x00726f89
0x00726f8a
0x00000000
0x00726ed9
0x00726edf
0x00726f65
0x00726f6b
0x00000000
0x00726ee1
0x00726ee7
0x007272c7
0x00726eed
0x00726ef3
0x007272ab
0x007272ab
0x007272b1
0x00726eaf
0x00000000
0x00726eaf
0x00726ef9
0x00726efb
0x00726f02
0x00726f02
0x00726efd
0x00726efd
0x00726efd
0x00726f06
0x00726f0c
0x00726f0c
0x00726f08
0x00726f08
0x00726f08
0x00726f34
0x00726f39
0x00726f3e
0x00726f46
0x00726f4c
0x00726f4c
0x00000000
0x00726f4c
0x00726ef3
0x00726ee7
0x00726edf
0x00726ed3
0x00726ec7
0x007272cf
0x007272d9
0x007272d9
0x00727118
0x0072711e
0x007272a6
0x00000000
0x00727124
0x00727124
0x0072712a
0x00727296
0x00000000
0x00727130
0x00727130
0x00727136
0x00727200
0x0072720c
0x0072720e
0x0072720f
0x00727211
0x00727225
0x0072722a
0x0072722d
0x0072722f
0x00727231
0x00727232
0x00727257
0x0072725c
0x0072725f
0x0072725f
0x0072727a
0x0072727f
0x0072727f
0x00727282
0x00000000
0x0072713c
0x0072713c
0x00727142
0x00727176
0x00727177
0x0072719d
0x007271a2
0x007271a4
0x007271b5
0x007271d9
0x007271de
0x007271e2
0x007271e5
0x00000000
0x00727144
0x00727144
0x0072714a
0x00000000
0x00727150
0x00727167
0x0072716e
0x00000000
0x0072716e
0x0072714a
0x00727142
0x00727136
0x0072712a
0x00000000
0x0072711e
0x00726eaf

Strings

y, xrefs: 00726589
3/, xrefs: 007264F8
Jh, xrefs: 00726631
=-va, xrefs: 007265BB
Q, xrefs: 00726A8D
[e, xrefs: 00726B3C
T^, xrefs: 00726823
){, xrefs: 00727009
/x(z, xrefs: 007263D3
~A, xrefs: 00726536
7m, xrefs: 007265E9
dy, xrefs: 00726C35
<, xrefs: 00726A82
X(, xrefs: 00726938
ck, xrefs: 00726CB0
z>, xrefs: 007264BF
o, xrefs: 007265CB
<X, xrefs: 00726389
]N, xrefs: 00726C15
x, xrefs: 007263EE
j, xrefs: 0072689D
6), xrefs: 007268EF
J=, xrefs: 007267BA
~, xrefs: 00726C40

Memory Dump Source

Source File: 00000001.00000002.282217417.0000000000710000.00000040.00020000.sdmp, Offset: 00710000, based on PE: true

Associated: 00000001.00000002.282272461.0000000000731000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: <$o$){$/x(z$3/$6)$7m$=-va$J=$Jh$T^$X($[e$]N$ck$dy$j$x$y$z>$~A$<X$Q$~
API String ID: 0-357131844
Opcode ID: 03080323d80d0ca12b785ca8ba349b19c4dcdb163c3b31e7f90bdd87f0c04a13
Instruction ID: f21f4201854c93a93cca27202c8c4b99bcf0942cd21ab40f4498af6286f8c95f
Opcode Fuzzy Hash: 03080323d80d0ca12b785ca8ba349b19c4dcdb163c3b31e7f90bdd87f0c04a13
Instruction Fuzzy Hash: 26720071508381DBE378CF65C94AB9BBBE1BBC4304F10891DE6DA862A0D7B58949CF53

Uniqueness

Uniqueness Score: -1.00%

Function 0071BEBD, Relevance: 29.5, Strings: 23, Instructions: 784
COMMONCrypto

Download Yara Rule

C-Code - Quality: 90%

			E0071BEBD(intOrPtr __ecx, intOrPtr* __edx) {
				void* __edi;
				void* _t780;
				intOrPtr _t836;
				void* _t842;
				void* _t865;
				void* _t866;
				intOrPtr _t871;
				short _t887;
				signed int _t888;
				signed int _t889;
				signed int _t890;
				signed int _t891;
				signed int _t892;
				signed int _t893;
				signed int _t894;
				signed int _t895;
				signed int _t896;
				signed int _t897;
				signed int _t898;
				signed int _t899;
				signed int _t900;
				signed int _t901;
				signed int _t902;
				signed int _t903;
				signed int _t904;
				signed int _t905;
				signed int _t906;
				intOrPtr _t907;
				void* _t911;
				signed int _t921;
				signed int _t923;
				signed int _t926;
				intOrPtr _t938;
				intOrPtr _t939;
				signed int _t945;
				signed int _t947;
				signed int _t1001;
				intOrPtr* _t1010;
				short* _t1012;
				short* _t1013;
				intOrPtr _t1014;
				signed int _t1020;
				signed int _t1021;
				intOrPtr _t1023;
				void* _t1024;
				void* _t1025;
				void* _t1026;
				void* _t1029;
				void* _t1030;
				void* _t1031;
				void* _t1033;
				void* _t1034;

				_push( *((intOrPtr*)(_t1024 + 0xca4)));
				_t1010 = __edx;
				_t1014 = __ecx;
				_push( *((intOrPtr*)(_t1024 + 0xca4)));
				 *((intOrPtr*)(_t1024 + 0x164)) = __edx;
				_push( *((intOrPtr*)(_t1024 + 0xca4)));
				 *((intOrPtr*)(_t1024 + 0x15c)) = __ecx;
				_push( *((intOrPtr*)(_t1024 + 0xca4)));
				_push( *((intOrPtr*)(_t1024 + 0xca4)));
				_push(__edx);
				_push(__ecx);
				E00727B8C(_t780);
				 *((intOrPtr*)(_t1024 + 0xd0)) = 0x4a25;
				_t1025 = _t1024 + 0x1c;
				 *(_t1025 + 0xb4) =  *(_t1025 + 0xb4) | 0xd188de58;
				 *(_t1025 + 0xb4) =  *(_t1025 + 0xb4) ^ 0x63b06175;
				_t1021 = 0;
				 *(_t1025 + 0xb4) =  *(_t1025 + 0xb4) ^ 0xb238a83d;
				_t911 = 0x1e9f048b;
				 *(_t1025 + 0xd4) = 0xe5d7;
				 *(_t1025 + 0xd4) =  *(_t1025 + 0xd4) | 0x5ea0c49f;
				 *(_t1025 + 0xd4) =  *(_t1025 + 0xd4) + 0xffffbd1c;
				 *(_t1025 + 0xd4) =  *(_t1025 + 0xd4) ^ 0x5ea0b989;
				 *(_t1025 + 0xbc) = 0x468c;
				 *(_t1025 + 0xbc) =  *(_t1025 + 0xbc) ^ 0x89148df0;
				 *(_t1025 + 0xbc) =  *(_t1025 + 0xbc) + 0x483d;
				 *(_t1025 + 0xbc) =  *(_t1025 + 0xbc) ^ 0x89153075;
				 *(_t1025 + 0xf4) = 0xd01c;
				 *(_t1025 + 0xf4) =  *(_t1025 + 0xf4) << 0xc;
				 *(_t1025 + 0xf4) =  *(_t1025 + 0xf4) | 0xddf13833;
				 *(_t1025 + 0xf4) =  *(_t1025 + 0xf4) ^ 0xddf19f30;
				 *(_t1025 + 0x118) = 0xbcb2;
				 *(_t1025 + 0x118) =  *(_t1025 + 0x118) + 0xffffde98;
				 *(_t1025 + 0x118) =  *(_t1025 + 0x118) ^ 0x0000bc99;
				 *(_t1025 + 0x144) = 0xac52;
				 *(_t1025 + 0x144) =  *(_t1025 + 0x144) << 0xa;
				 *(_t1025 + 0x144) =  *(_t1025 + 0x144) ^ 0x02b17baf;
				 *(_t1025 + 0x68) = 0xd4c2;
				_t888 = 0x33;
				 *((intOrPtr*)(_t1025 + 0x15c)) = 0;
				 *(_t1025 + 0x6c) =  *(_t1025 + 0x68) * 0x52;
				 *(_t1025 + 0x6c) =  *(_t1025 + 0x6c) / _t888;
				_t889 = 0x49;
				 *(_t1025 + 0x6c) =  *(_t1025 + 0x6c) * 0x6a;
				 *(_t1025 + 0x6c) =  *(_t1025 + 0x6c) ^ 0x008d9254;
				 *(_t1025 + 0x4c) = 0x8a43;
				 *(_t1025 + 0x4c) =  *(_t1025 + 0x4c) / _t889;
				_t890 = 9;
				 *(_t1025 + 0x48) =  *(_t1025 + 0x4c) * 0x3f;
				 *(_t1025 + 0x48) =  *(_t1025 + 0x48) << 4;
				 *(_t1025 + 0x48) =  *(_t1025 + 0x48) ^ 0x00072562;
				 *(_t1025 + 0x20) = 0x127f;
				 *(_t1025 + 0x20) =  *(_t1025 + 0x20) + 0x77ec;
				 *(_t1025 + 0x20) =  *(_t1025 + 0x20) >> 0xb;
				 *(_t1025 + 0x20) =  *(_t1025 + 0x20) + 0x5d50;
				 *(_t1025 + 0x20) =  *(_t1025 + 0x20) ^ 0x00004957;
				 *(_t1025 + 0x1c) = 0xc9ec;
				 *(_t1025 + 0x1c) =  *(_t1025 + 0x1c) + 0xffffbfba;
				 *(_t1025 + 0x1c) =  *(_t1025 + 0x1c) / _t890;
				 *(_t1025 + 0x1c) =  *(_t1025 + 0x1c) + 0xffff5980;
				 *(_t1025 + 0x1c) =  *(_t1025 + 0x1c) ^ 0xffff0e61;
				 *(_t1025 + 0xdc) = 0xe964;
				 *(_t1025 + 0xdc) =  *(_t1025 + 0xdc) + 0x2e7d;
				 *(_t1025 + 0xdc) =  *(_t1025 + 0xdc) << 8;
				 *(_t1025 + 0xdc) =  *(_t1025 + 0xdc) ^ 0x0117d97e;
				 *(_t1025 + 0x104) = 0x8fda;
				 *(_t1025 + 0x104) =  *(_t1025 + 0x104) + 0x2dd5;
				 *(_t1025 + 0x104) =  *(_t1025 + 0x104) ^ 0x00009139;
				 *(_t1025 + 0x100) = 0xcb1f;
				 *(_t1025 + 0x100) =  *(_t1025 + 0x100) + 0xffff73d7;
				 *(_t1025 + 0x100) =  *(_t1025 + 0x100) ^ 0x000013b6;
				 *(_t1025 + 0xe8) = 0xedfd;
				 *(_t1025 + 0xe8) =  *(_t1025 + 0xe8) + 0xd72e;
				 *(_t1025 + 0xe8) =  *(_t1025 + 0xe8) | 0xff7184bc;
				 *(_t1025 + 0xe8) =  *(_t1025 + 0xe8) ^ 0xff71d8fb;
				 *(_t1025 + 0x12c) = 0x60aa;
				 *(_t1025 + 0x12c) =  *(_t1025 + 0x12c) >> 0xe;
				 *(_t1025 + 0x12c) =  *(_t1025 + 0x12c) ^ 0x00006fbb;
				 *(_t1025 + 0x84) = 0x5685;
				 *(_t1025 + 0x84) =  *(_t1025 + 0x84) << 0xa;
				_t891 = 0x21;
				 *(_t1025 + 0x88) =  *(_t1025 + 0x84) / _t891;
				_t892 = 0x69;
				 *(_t1025 + 0x88) =  *(_t1025 + 0x88) * 0x43;
				 *(_t1025 + 0x88) =  *(_t1025 + 0x88) ^ 0x02bee05e;
				 *(_t1025 + 0x128) = 0x4ceb;
				 *(_t1025 + 0x128) =  *(_t1025 + 0x128) / _t892;
				 *(_t1025 + 0x128) =  *(_t1025 + 0x128) ^ 0x000035f3;
				 *(_t1025 + 0x138) = 0x2b4;
				 *(_t1025 + 0x138) =  *(_t1025 + 0x138) >> 9;
				 *(_t1025 + 0x138) =  *(_t1025 + 0x138) ^ 0x000010ff;
				 *(_t1025 + 0x140) = 0x4094;
				 *(_t1025 + 0x140) =  *(_t1025 + 0x140) << 1;
				 *(_t1025 + 0x140) =  *(_t1025 + 0x140) ^ 0x0000834c;
				 *(_t1025 + 0xc8) = 0xe8e8;
				_t893 = 0x3e;
				 *(_t1025 + 0xc4) =  *(_t1025 + 0xc8) * 0x43;
				 *(_t1025 + 0xc4) =  *(_t1025 + 0xc4) * 0x3f;
				 *(_t1025 + 0xc4) =  *(_t1025 + 0xc4) ^ 0x0f002b70;
				 *(_t1025 + 0xa0) = 0xcbdf;
				 *(_t1025 + 0xa0) =  *(_t1025 + 0xa0) << 0xb;
				 *(_t1025 + 0xa0) =  *(_t1025 + 0xa0) >> 9;
				 *(_t1025 + 0xa0) =  *(_t1025 + 0xa0) ^ 0x0003171b;
				 *(_t1025 + 0xfc) = 0x4023;
				 *(_t1025 + 0xfc) =  *(_t1025 + 0xfc) | 0x2d298047;
				 *(_t1025 + 0xfc) =  *(_t1025 + 0xfc) ^ 0x2d29b44c;
				 *(_t1025 + 0x108) = 0x7946;
				 *(_t1025 + 0x108) =  *(_t1025 + 0x108) >> 0xc;
				 *(_t1025 + 0x108) =  *(_t1025 + 0x108) ^ 0x0000214f;
				 *(_t1025 + 0x94) = 0xaba4;
				 *(_t1025 + 0x94) =  *(_t1025 + 0x94) + 0xb66c;
				 *(_t1025 + 0x94) =  *(_t1025 + 0x94) << 8;
				 *(_t1025 + 0x94) =  *(_t1025 + 0x94) ^ 0x016246ef;
				 *(_t1025 + 0x50) = 0x568b;
				 *(_t1025 + 0x50) =  *(_t1025 + 0x50) ^ 0xf473a73b;
				 *(_t1025 + 0x50) =  *(_t1025 + 0x50) ^ 0x81859331;
				 *(_t1025 + 0x50) =  *(_t1025 + 0x50) >> 2;
				 *(_t1025 + 0x50) =  *(_t1025 + 0x50) ^ 0x1d7da742;
				 *(_t1025 + 0x30) = 0xf82a;
				 *(_t1025 + 0x30) =  *(_t1025 + 0x30) / _t893;
				 *(_t1025 + 0x30) =  *(_t1025 + 0x30) >> 0xf;
				 *(_t1025 + 0x30) =  *(_t1025 + 0x30) << 3;
				 *(_t1025 + 0x30) =  *(_t1025 + 0x30) ^ 0x00000ec4;
				 *(_t1025 + 0x58) = 0x6845;
				 *(_t1025 + 0x58) =  *(_t1025 + 0x58) << 0xc;
				 *(_t1025 + 0x58) =  *(_t1025 + 0x58) | 0xc650e861;
				 *(_t1025 + 0x58) =  *(_t1025 + 0x58) ^ 0x863acf7f;
				 *(_t1025 + 0x58) =  *(_t1025 + 0x58) ^ 0x40ee6b6e;
				 *(_t1025 + 0x28) = 0x20ce;
				 *(_t1025 + 0x28) =  *(_t1025 + 0x28) ^ 0xabd33ef0;
				 *(_t1025 + 0x28) =  *(_t1025 + 0x28) ^ 0x8826b47f;
				 *(_t1025 + 0x28) =  *(_t1025 + 0x28) + 0xffffb37c;
				 *(_t1025 + 0x28) =  *(_t1025 + 0x28) ^ 0x23f544be;
				 *(_t1025 + 0x110) = 0x6223;
				_t894 = 0x49;
				 *(_t1025 + 0x114) =  *(_t1025 + 0x110) / _t894;
				 *(_t1025 + 0x114) =  *(_t1025 + 0x114) ^ 0x000003e5;
				 *(_t1025 + 0xf0) = 0xbd40;
				 *(_t1025 + 0xf0) =  *(_t1025 + 0xf0) + 0xffffe2ec;
				 *(_t1025 + 0xf0) =  *(_t1025 + 0xf0) + 0xffff901a;
				 *(_t1025 + 0xf0) =  *(_t1025 + 0xf0) ^ 0x00002576;
				 *(_t1025 + 0x7c) = 0xda84;
				 *(_t1025 + 0x7c) =  *(_t1025 + 0x7c) + 0x9218;
				_t895 = 0x76;
				 *(_t1025 + 0x7c) =  *(_t1025 + 0x7c) / _t895;
				_t896 = 0x60;
				 *(_t1025 + 0x78) =  *(_t1025 + 0x7c) * 0x50;
				 *(_t1025 + 0x78) =  *(_t1025 + 0x78) ^ 0x0000dd6e;
				 *(_t1025 + 0xcc) = 0x4279;
				 *(_t1025 + 0xcc) =  *(_t1025 + 0xcc) | 0x0f4a18d4;
				 *(_t1025 + 0xcc) =  *(_t1025 + 0xcc) * 0x4b;
				 *(_t1025 + 0xcc) =  *(_t1025 + 0xcc) ^ 0x7ac89413;
				 *(_t1025 + 0x9c) = 0x3455;
				 *(_t1025 + 0x9c) =  *(_t1025 + 0x9c) >> 2;
				 *(_t1025 + 0x9c) =  *(_t1025 + 0x9c) | 0x9bcd184a;
				 *(_t1025 + 0x9c) =  *(_t1025 + 0x9c) ^ 0x9bcd6a06;
				 *(_t1025 + 0x38) = 0x512;
				 *(_t1025 + 0x38) =  *(_t1025 + 0x38) + 0x8723;
				 *(_t1025 + 0x38) =  *(_t1025 + 0x38) | 0xc503c931;
				 *(_t1025 + 0x38) =  *(_t1025 + 0x38) >> 0x10;
				 *(_t1025 + 0x38) =  *(_t1025 + 0x38) ^ 0x00009453;
				 *(_t1025 + 0x70) = 0x3b71;
				 *(_t1025 + 0x70) =  *(_t1025 + 0x70) + 0xfd5;
				 *(_t1025 + 0x70) =  *(_t1025 + 0x70) + 0xffffa459;
				 *(_t1025 + 0x70) =  *(_t1025 + 0x70) + 0x6c86;
				 *(_t1025 + 0x70) =  *(_t1025 + 0x70) ^ 0x00005193;
				 *(_t1025 + 0x88) = 0xb179;
				 *(_t1025 + 0x88) =  *(_t1025 + 0x88) * 0x1b;
				 *(_t1025 + 0x88) =  *(_t1025 + 0x88) + 0xffffa22a;
				 *(_t1025 + 0x88) =  *(_t1025 + 0x88) ^ 0x00125beb;
				 *(_t1025 + 0x98) = 0xe5ea;
				 *(_t1025 + 0x98) =  *(_t1025 + 0x98) + 0xffff4053;
				 *(_t1025 + 0x98) =  *(_t1025 + 0x98) >> 5;
				 *(_t1025 + 0x98) =  *(_t1025 + 0x98) ^ 0x000076aa;
				 *(_t1025 + 0x90) = 0xd76e;
				 *(_t1025 + 0x90) =  *(_t1025 + 0x90) + 0xffff9866;
				 *(_t1025 + 0x90) =  *(_t1025 + 0x90) + 0x975;
				 *(_t1025 + 0x90) =  *(_t1025 + 0x90) ^ 0x00004dea;
				 *(_t1025 + 0x64) = 0x45b0;
				 *(_t1025 + 0x64) =  *(_t1025 + 0x64) + 0xffffea67;
				 *(_t1025 + 0x64) =  *(_t1025 + 0x64) / _t896;
				 *(_t1025 + 0x64) =  *(_t1025 + 0x64) << 6;
				 *(_t1025 + 0x64) =  *(_t1025 + 0x64) ^ 0x00000f8a;
				 *(_t1025 + 0xb8) = 0xe0cd;
				 *(_t1025 + 0xb8) =  *(_t1025 + 0xb8) << 2;
				 *(_t1025 + 0xb8) =  *(_t1025 + 0xb8) ^ 0xf5a149a5;
				 *(_t1025 + 0xb8) =  *(_t1025 + 0xb8) ^ 0xf5a2e047;
				 *(_t1025 + 0xb0) = 0x3c51;
				 *(_t1025 + 0xb0) =  *(_t1025 + 0xb0) ^ 0x9db995dd;
				 *(_t1025 + 0xb0) =  *(_t1025 + 0xb0) >> 0xa;
				 *(_t1025 + 0xb0) =  *(_t1025 + 0xb0) ^ 0x00275cef;
				 *(_t1025 + 0xa8) = 0x5397;
				 *(_t1025 + 0xa8) =  *(_t1025 + 0xa8) * 0x15;
				 *(_t1025 + 0xa8) =  *(_t1025 + 0xa8) | 0x7fd585c8;
				 *(_t1025 + 0xa8) =  *(_t1025 + 0xa8) ^ 0x7fd7cc7d;
				 *(_t1025 + 0x6c) = 0x1572;
				 *(_t1025 + 0x6c) =  *(_t1025 + 0x6c) << 0x10;
				 *(_t1025 + 0x6c) =  *(_t1025 + 0x6c) + 0xffffe143;
				 *(_t1025 + 0x6c) =  *(_t1025 + 0x6c) + 0xffff2b44;
				 *(_t1025 + 0x6c) =  *(_t1025 + 0x6c) ^ 0x157164c3;
				 *(_t1025 + 0xc0) = 0x7f55;
				 *(_t1025 + 0xc0) =  *(_t1025 + 0xc0) + 0xffff01e2;
				_t897 = 0x50;
				 *(_t1025 + 0xc4) =  *(_t1025 + 0xc0) / _t897;
				 *(_t1025 + 0xc4) =  *(_t1025 + 0xc4) ^ 0x033363f7;
				 *(_t1025 + 0x134) = 0x57a2;
				 *(_t1025 + 0x134) =  *(_t1025 + 0x134) << 0xc;
				 *(_t1025 + 0x134) =  *(_t1025 + 0x134) ^ 0x057a6a8e;
				 *(_t1025 + 0x14c) = 0x28e;
				_t898 = 0x1d;
				 *(_t1025 + 0x148) =  *(_t1025 + 0x14c) * 0x46;
				 *(_t1025 + 0x148) =  *(_t1025 + 0x148) ^ 0x0000f8ec;
				 *(_t1025 + 0x140) = 0xabee;
				 *(_t1025 + 0x140) =  *(_t1025 + 0x140) << 2;
				 *(_t1025 + 0x140) =  *(_t1025 + 0x140) ^ 0x0002d78d;
				 *(_t1025 + 0x74) = 0x1da9;
				 *(_t1025 + 0x74) =  *(_t1025 + 0x74) | 0xd0b1a5fe;
				 *(_t1025 + 0x74) =  *(_t1025 + 0x74) + 0x5356;
				 *(_t1025 + 0x74) =  *(_t1025 + 0x74) >> 8;
				 *(_t1025 + 0x74) =  *(_t1025 + 0x74) ^ 0x00d0bf87;
				 *(_t1025 + 0xd0) = 0x8095;
				 *(_t1025 + 0xd0) =  *(_t1025 + 0xd0) << 1;
				 *(_t1025 + 0xd0) =  *(_t1025 + 0xd0) + 0xf99e;
				 *(_t1025 + 0xd0) =  *(_t1025 + 0xd0) ^ 0x0001eacd;
				 *(_t1025 + 0xc8) = 0xbdd4;
				 *(_t1025 + 0xc8) =  *(_t1025 + 0xc8) << 0xc;
				 *(_t1025 + 0xc8) =  *(_t1025 + 0xc8) ^ 0x33c80f95;
				 *(_t1025 + 0xc8) =  *(_t1025 + 0xc8) ^ 0x38156a9b;
				 *(_t1025 + 0x138) = 0xf8ef;
				 *(_t1025 + 0x138) =  *(_t1025 + 0x138) | 0x00cc737f;
				 *(_t1025 + 0x138) =  *(_t1025 + 0x138) ^ 0x00ccb370;
				 *(_t1025 + 0x120) = 0x2efc;
				 *(_t1025 + 0x120) =  *(_t1025 + 0x120) / _t898;
				 *(_t1025 + 0x120) =  *(_t1025 + 0x120) ^ 0x0000046b;
				 *(_t1025 + 0x44) = 0x4c3c;
				 *(_t1025 + 0x44) =  *(_t1025 + 0x44) << 4;
				 *(_t1025 + 0x44) =  *(_t1025 + 0x44) + 0xffffcc8e;
				 *(_t1025 + 0x44) =  *(_t1025 + 0x44) >> 9;
				 *(_t1025 + 0x44) =  *(_t1025 + 0x44) ^ 0x00000830;
				 *(_t1025 + 0x14c) = 0xf19f;
				 *(_t1025 + 0x14c) =  *(_t1025 + 0x14c) | 0x2f8648fb;
				 *(_t1025 + 0x14c) =  *(_t1025 + 0x14c) ^ 0x2f86a11c;
				 *(_t1025 + 0xa4) = 0x8d7;
				 *(_t1025 + 0xa4) =  *(_t1025 + 0xa4) | 0x8ff95fff;
				 *(_t1025 + 0xa4) =  *(_t1025 + 0xa4) ^ 0x8ff91ca8;
				 *(_t1025 + 0x60) = 0xf12b;
				 *(_t1025 + 0x60) =  *(_t1025 + 0x60) << 6;
				 *(_t1025 + 0x60) =  *(_t1025 + 0x60) + 0x835c;
				 *(_t1025 + 0x60) =  *(_t1025 + 0x60) ^ 0x5095ce09;
				 *(_t1025 + 0x60) =  *(_t1025 + 0x60) ^ 0x50a93996;
				 *(_t1025 + 0x3c) = 0x29a4;
				 *(_t1025 + 0x3c) =  *(_t1025 + 0x3c) >> 2;
				 *(_t1025 + 0x3c) =  *(_t1025 + 0x3c) * 0x5e;
				 *(_t1025 + 0x3c) =  *(_t1025 + 0x3c) | 0x07173c39;
				 *(_t1025 + 0x3c) =  *(_t1025 + 0x3c) ^ 0x0717f4b1;
				 *(_t1025 + 0x34) = 0x57f0;
				 *(_t1025 + 0x34) =  *(_t1025 + 0x34) + 0x28ff;
				 *(_t1025 + 0x34) =  *(_t1025 + 0x34) ^ 0xa70a484e;
				 *(_t1025 + 0x34) =  *(_t1025 + 0x34) ^ 0xbe078092;
				 *(_t1025 + 0x34) =  *(_t1025 + 0x34) ^ 0x190d51e7;
				 *(_t1025 + 0x2c) = 0xbdf9;
				 *(_t1025 + 0x2c) =  *(_t1025 + 0x2c) + 0x51b0;
				 *(_t1025 + 0x2c) =  *(_t1025 + 0x2c) | 0xfb7fddff;
				 *(_t1025 + 0x2c) =  *(_t1025 + 0x2c) ^ 0xfb7f84d0;
				 *(_t1025 + 0x24) = 0x973f;
				_t899 = 0x78;
				 *(_t1025 + 0x28) =  *(_t1025 + 0x24) * 0x6b;
				 *(_t1025 + 0x28) =  *(_t1025 + 0x28) / _t899;
				 *(_t1025 + 0x28) =  *(_t1025 + 0x28) << 7;
				 *(_t1025 + 0x28) =  *(_t1025 + 0x28) ^ 0x004303f9;
				 *(_t1025 + 0x60) = 0x4f09;
				 *(_t1025 + 0x60) =  *(_t1025 + 0x60) + 0xb9d7;
				 *(_t1025 + 0x60) =  *(_t1025 + 0x60) << 8;
				 *(_t1025 + 0x60) =  *(_t1025 + 0x60) >> 5;
				 *(_t1025 + 0x60) =  *(_t1025 + 0x60) ^ 0x00084ed1;
				 *(_t1025 + 0x12c) = 0xc918;
				_t900 = 0x73;
				 *(_t1025 + 0x12c) =  *(_t1025 + 0x12c) / _t900;
				 *(_t1025 + 0x12c) =  *(_t1025 + 0x12c) ^ 0x00007ad0;
				 *(_t1025 + 0x58) = 0xf83a;
				 *(_t1025 + 0x58) =  *(_t1025 + 0x58) + 0xffff262e;
				_t901 = 0x25;
				 *(_t1025 + 0x58) =  *(_t1025 + 0x58) / _t901;
				 *(_t1025 + 0x58) =  *(_t1025 + 0x58) + 0x552c;
				 *(_t1025 + 0x58) =  *(_t1025 + 0x58) ^ 0x00001f59;
				 *(_t1025 + 0x50) = 0xeb9;
				_t902 = 0x3b;
				 *(_t1025 + 0x50) =  *(_t1025 + 0x50) / _t902;
				 *(_t1025 + 0x50) =  *(_t1025 + 0x50) ^ 0x0b4ccd67;
				_t903 = 0x11;
				 *(_t1025 + 0x50) =  *(_t1025 + 0x50) / _t903;
				 *(_t1025 + 0x50) =  *(_t1025 + 0x50) ^ 0x00aa4b83;
				 *(_t1025 + 0x84) = 0x8baf;
				_t904 = 0x66;
				 *(_t1025 + 0x80) =  *(_t1025 + 0x84) / _t904;
				 *(_t1025 + 0x80) =  *(_t1025 + 0x80) | 0xdadf0c91;
				 *(_t1025 + 0x80) =  *(_t1025 + 0x80) + 0x6ef2;
				 *(_t1025 + 0x80) =  *(_t1025 + 0x80) ^ 0xdadf5a9b;
				 *(_t1025 + 0xac) = 0x1a38;
				 *(_t1025 + 0xac) =  *(_t1025 + 0xac) * 0x4a;
				 *(_t1025 + 0xac) =  *(_t1025 + 0xac) ^ 0x57a4d343;
				 *(_t1025 + 0xac) =  *(_t1025 + 0xac) ^ 0x57a34a4c;
				 *(_t1025 + 0x40) = 0x3cb0;
				 *(_t1025 + 0x40) =  *(_t1025 + 0x40) + 0xffff772c;
				 *(_t1025 + 0x40) =  *(_t1025 + 0x40) ^ 0xb9bb440b;
				 *(_t1025 + 0x40) =  *(_t1025 + 0x40) >> 5;
				 *(_t1025 + 0x40) =  *(_t1025 + 0x40) ^ 0x02323c33;
				 *(_t1025 + 0xe4) = 0x4806;
				 *(_t1025 + 0xe4) =  *(_t1025 + 0xe4) + 0xffffb267;
				 *(_t1025 + 0xe4) =  *(_t1025 + 0xe4) >> 3;
				 *(_t1025 + 0xe4) =  *(_t1025 + 0xe4) ^ 0x1fffc4b6;
				 *(_t1025 + 0xe0) = 0x6e2c;
				 *(_t1025 + 0xe0) =  *(_t1025 + 0xe0) + 0xffffef6f;
				 *(_t1025 + 0xe0) =  *(_t1025 + 0xe0) + 0x46fe;
				 *(_t1025 + 0xe0) =  *(_t1025 + 0xe0) ^ 0x00008673;
				 *(_t1025 + 0xd8) = 0xc512;
				 *(_t1025 + 0xd8) =  *(_t1025 + 0xd8) >> 9;
				 *(_t1025 + 0xd8) =  *(_t1025 + 0xd8) | 0x69ad0f08;
				 *(_t1025 + 0xd8) =  *(_t1025 + 0xd8) ^ 0x69ad3cd9;
				 *(_t1025 + 0x11c) = 0x96d5;
				_t905 = 0x21;
				 *(_t1025 + 0x120) =  *(_t1025 + 0x11c) / _t905;
				 *(_t1025 + 0x120) =  *(_t1025 + 0x120) ^ 0x0000263b;
				 *(_t1025 + 0x80) = 0xeff1;
				 *(_t1025 + 0x80) =  *(_t1025 + 0x80) >> 0xc;
				_t906 = 0x31;
				 *(_t1025 + 0x7c) =  *(_t1025 + 0x80) * 0x38;
				 *(_t1025 + 0x7c) =  *(_t1025 + 0x7c) << 7;
				 *(_t1025 + 0x7c) =  *(_t1025 + 0x7c) ^ 0x000196e8;
				 *(_t1025 + 0x114) = 0x754c;
				 *(_t1025 + 0x114) =  *(_t1025 + 0x114) + 0xffffc7a8;
				 *(_t1025 + 0x114) =  *(_t1025 + 0x114) ^ 0x000056ec;
				 *(_t1025 + 0x10c) = 0xad90;
				 *(_t1025 + 0x10c) =  *(_t1025 + 0x10c) << 8;
				 *(_t1025 + 0x10c) =  *(_t1025 + 0x10c) ^ 0x00adae52;
				 *(_t1025 + 0xf8) = 0x8957;
				 *(_t1025 + 0xf8) =  *(_t1025 + 0xf8) + 0xffff8ecd;
				 *(_t1025 + 0xf8) =  *(_t1025 + 0xf8) | 0x8b6b1de0;
				 *(_t1025 + 0xf8) =  *(_t1025 + 0xf8) ^ 0x8b6b4e54;
				 *(_t1025 + 0xf0) = 0x992d;
				 *(_t1025 + 0xf0) =  *(_t1025 + 0xf0) ^ 0xd4cf4d9f;
				 *(_t1025 + 0xf0) =  *(_t1025 + 0xf0) * 0x11;
				 *(_t1025 + 0xf0) =  *(_t1025 + 0xf0) ^ 0x21cd059f;
				 *(_t1025 + 0x8c) = 0x34d0;
				 *(_t1025 + 0x8c) =  *(_t1025 + 0x8c) + 0xffff2724;
				 *(_t1025 + 0x8c) =  *(_t1025 + 0x8c) / _t906;
				 *(_t1025 + 0x8c) =  *(_t1025 + 0x8c) ^ 0x053974d0;
				_t836 =  *((intOrPtr*)(_t1025 + 0x170));
				_t907 =  *((intOrPtr*)(_t1025 + 0x16c));
				 *((intOrPtr*)(_t1025 + 0x14)) = _t836;
				 *((intOrPtr*)(_t1025 + 0x160)) = _t907;
				while(1) {
					L1:
					_t988 =  *(_t1025 + 0x18);
					while(1) {
						L2:
						_t1033 = _t911 - 0x205ea595;
						if(_t1033 > 0) {
							goto L26;
						}
						L3:
						if(_t1033 == 0) {
							E007133F4( *(_t1025 + 0x48),  *(_t1025 + 0x40),  *(_t1025 + 0x34),  *(_t1025 + 0x28),  *(_t1025 + 0x164));
							_t1025 = _t1025 + 0xc;
							_t911 = 0x2af16eef;
							goto L11;
						} else {
							_t1034 = _t911 - 0xf036da4;
							if(_t1034 > 0) {
								__eflags = _t911 - 0x13ff9a81;
								if(_t911 == 0x13ff9a81) {
									_push(_t907);
									_push( *(_t1025 + 0xf4));
									_push( *(_t1025 + 0x100));
									_t1001 =  *(_t1025 + 0x118);
									_t926 =  *(_t1025 + 0x120);
									goto L50;
								} else {
									__eflags = _t911 - 0x1e21bf02;
									if(_t911 == 0x1e21bf02) {
										_t1015 = E007121AF( *((intOrPtr*)(_t1010 + 4)));
										_t1029 = _t1025 - 0xc + 8;
										_t907 = E0071A0AD(_t858, 0xf036da4);
										 *((intOrPtr*)(_t1029 + 0x164)) = _t907;
										__eflags = _t907;
										if(__eflags != 0) {
											_t836 = E0072A02C( *_t1010,  *((intOrPtr*)(_t1029 + 0x34)), __eflags,  *((intOrPtr*)(_t1029 + 0x2c)),  *((intOrPtr*)(_t1010 + 4)), _t1015,  *((intOrPtr*)(_t1029 + 0xe0)), _t907);
											_t1025 = _t1029 + 0x14;
											 *((intOrPtr*)(_t1025 + 0x14)) = _t836;
											__eflags = _t836;
											if(__eflags == 0) {
												_push(_t907);
												_push( *((intOrPtr*)(_t1025 + 0x130)));
												_push( *(_t1025 + 0xf0));
												_t1001 =  *(_t1025 + 0x10c);
												_t926 =  *(_t1025 + 0x110);
												L50:
												E007133F4(_t926, _t1001);
											} else {
												_t911 = 0x21619046;
												L24:
												_t988 =  *(_t1025 + 0x18);
												goto L14;
											}
										}
									} else {
										__eflags = _t911 - 0x1e9f048b;
										if(_t911 != 0x1e9f048b) {
											goto L46;
										} else {
											 *(_t1025 + 0x154) = E00723B73();
											_t911 = 0x1e21bf02;
											goto L11;
										}
									}
								}
							} else {
								if(_t1034 == 0) {
									E007133F4( *(_t1025 + 0x8c),  *(_t1025 + 0xb8),  *(_t1025 + 0x48),  *(_t1025 + 0xe8),  *((intOrPtr*)(_t1025 + 0x17c)));
									_t1025 = _t1025 + 0xc;
									_t911 = 0x286d9745;
									goto L11;
								} else {
									if(_t911 == 0x641ce7b) {
										_push( *((intOrPtr*)(_t1025 + 0xc9c)));
										_push( *(_t1025 + 0x64));
										__eflags = E0071D535( *(_t1025 + 0xac), _t1025 + 0x168);
										_t911 = 0x205ea595;
										_t865 = 1;
										_t1021 =  !=  ? _t865 : _t1021;
										 *(_t1025 + 0x158) = _t1021;
										goto L11;
									} else {
										if(_t911 == 0x692f583) {
											_push( *(_t1025 + 0x50));
											_push( *(_t1025 + 0x98));
											_push( *(_t1025 + 0x110));
											_t866 = E0071B871(0x7113a8,  *(_t1025 + 0x108), __eflags);
											_t938 =  *0x731fdc; // 0x0
											_t1030 = _t1025 + 0xc;
											_t939 =  *0x731fdc; // 0x0
											E00721E0D(( *(_t938 + 0x1c))[2] & 0x000000ff, __eflags,  *( *(_t938 + 0x1c)) & 0x000000ff,  *((intOrPtr*)(_t1030 + 0x54)),  *((intOrPtr*)(_t1030 + 0x78)), _t1030 + 0x190, _t866,  *((intOrPtr*)(_t1030 + 0x3c)), 0x40,  *( *((intOrPtr*)(_t939 + 0x1c)) + 3) & 0x000000ff,  *((intOrPtr*)(_t1030 + 0x118)),  *((intOrPtr*)(_t1030 + 0xf0)),  *((intOrPtr*)(_t1030 + 0x78)));
											_t1031 = _t1030 + 0x2c;
											E0071717B( *((intOrPtr*)(_t1031 + 0xd8)),  *((intOrPtr*)(_t1031 + 0xa8)),  *((intOrPtr*)(_t1031 + 0x40)), _t866,  *((intOrPtr*)(_t1031 + 0x70)));
											_t871 =  *0x731fdc; // 0x0
											_t1025 = _t1031 + 0xc;
											_t1010 =  *((intOrPtr*)(_t1025 + 0x15c));
											_t911 = 0x3130de7f;
											_t988 =  *( *((intOrPtr*)(_t871 + 0x1c)) + 4) & 0x0000ffff;
											_t836 =  *((intOrPtr*)(_t1025 + 0x14));
											 *(_t1025 + 0x18) =  *( *((intOrPtr*)(_t871 + 0x1c)) + 4) & 0x0000ffff;
											L14:
											_t1014 =  *((intOrPtr*)(_t1025 + 0x150));
											continue;
										} else {
											if(_t911 == 0xbe73cef) {
												E0072A82C(_t1025 + 0x180, _t1025 + 0x214, _t1025 + 0x174);
												_pop(_t945);
												asm("sbb ecx, ecx");
												_t911 = (_t945 & 0x22a409a4) + 0xf036da4;
												goto L11;
											} else {
												if(_t911 != 0xc1f8499) {
													L46:
													__eflags = _t911 - 0x758c803;
													if(__eflags != 0) {
														while(1) {
															L1:
															_t988 =  *(_t1025 + 0x18);
															goto L2;
														}
													}
												} else {
													_t947 =  *(_t1025 + 0x144);
													E00718EA1(_t947, _t1025 + 0x184,  *(_t1025 + 0x148),  *(_t1025 + 0xcc),  *(_t1025 + 0xa4), _t1025 + 0x16c);
													_t1025 = _t1025 + 0x10;
													asm("sbb ecx, ecx");
													_t911 = (_t947 & 0xde255e3e) + 0x286d9745;
													L11:
													_t836 =  *((intOrPtr*)(_t1025 + 0x14));
													while(1) {
														L1:
														_t988 =  *(_t1025 + 0x18);
														L2:
														_t1033 = _t911 - 0x205ea595;
														if(_t1033 > 0) {
															goto L26;
														}
														goto L51;
													}
												}
											}
										}
									}
								}
							}
						}
						L51:
						return _t1021;
						L26:
						__eflags = _t911 - 0x21619046;
						if(_t911 == 0x21619046) {
							 *((intOrPtr*)(_t1025 + 0x18c)) = _t836;
							 *((intOrPtr*)(_t1025 + 0x184)) = _t1014;
							 *((intOrPtr*)(_t1025 + 0x190)) = _t907;
							__eflags = E0072505A(_t1025 + 0x184,  *(_t1025 + 0x128), _t1025 + 0x16c);
							if(__eflags == 0) {
								_t836 =  *((intOrPtr*)(_t1025 + 0x14));
								_t911 = 0x13ff9a81;
								goto L46;
							} else {
								_t911 = 0xc1f8499;
								goto L11;
							}
						} else {
							__eflags = _t911 - 0x21fbe7a4;
							if(__eflags == 0) {
								E00724D39(_t1025 + 0x210, _t1010, __eflags);
								_t911 = 0x2aa4374e;
								goto L11;
							} else {
								__eflags = _t911 - 0x286d9745;
								if(_t911 == 0x286d9745) {
									E007133F4( *((intOrPtr*)(_t1025 + 0xec)),  *(_t1025 + 0xe4),  *((intOrPtr*)(_t1025 + 0x124)),  *(_t1025 + 0x80),  *((intOrPtr*)(_t1025 + 0x16c)));
									_t1025 = _t1025 + 0xc;
									_t911 = 0x13ff9a81;
									goto L11;
								} else {
									__eflags = _t911 - 0x2aa4374e;
									if(__eflags == 0) {
										_push( *(_t1025 + 0xa8));
										_push( *(_t1025 + 0xb4));
										_push( *(_t1025 + 0xc0));
										_t842 = E0071B871(0x7113f8,  *(_t1025 + 0x70), __eflags);
										_t1026 = _t1025 + 0xc;
										E0072BD2C(_t1026 + 0x210, __eflags, _t842,  *((intOrPtr*)(_t1026 + 0xd8)), _t1026 + 0x1a4, _t1026 + 0x4a0,  *((intOrPtr*)(_t1026 + 0x13c)), _t1026 + 0x290, 0x400,  *((intOrPtr*)(_t1026 + 0x148)));
										E0071717B( *((intOrPtr*)(_t1026 + 0x16c)),  *((intOrPtr*)(_t1026 + 0xa0)),  *((intOrPtr*)(_t1026 + 0xf8)), _t842,  *((intOrPtr*)(_t1026 + 0xe8)));
										_t836 =  *((intOrPtr*)(_t1026 + 0x40));
										_t1025 = _t1026 + 0x2c;
										_t911 = 0xbe73cef;
										goto L24;
									} else {
										__eflags = _t911 - 0x2af16eef;
										if(_t911 == 0x2af16eef) {
											E007133F4( *(_t1025 + 0x68),  *(_t1025 + 0x134),  *((intOrPtr*)(_t1025 + 0x5c)),  *(_t1025 + 0x50),  *((intOrPtr*)(_t1025 + 0x174)));
											_t1025 = _t1025 + 0xc;
											_t911 = 0xf036da4;
											goto L11;
										} else {
											__eflags = _t911 - 0x3130de7f;
											if(_t911 == 0x3130de7f) {
												_t1012 = _t1025 + 0x290;
												_t921 = 6;
												_t1023 =  *(_t1025 + 0x154) % _t921 + 1;
												__eflags = _t1023;
												if(__eflags != 0) {
													__eflags = 1;
													do {
														_t1020 = ( *(_t1025 + 0x158) & 0x0000000f) + 4;
														E0071350A( *(_t1025 + 0x90), _t1025 + 0x158, 1, _t1012, _t1020,  *(_t1025 + 0x9c),  *(_t1025 + 0x90));
														_t1025 = _t1025 + 0x14;
														_t1013 = _t1012 + _t1020 * 2;
														_t887 = 0x2f;
														 *_t1013 = _t887;
														_t1012 = _t1013 + 2;
														_t1023 = _t1023 - 1;
														__eflags = _t1023;
													} while (__eflags != 0);
													_t907 =  *((intOrPtr*)(_t1025 + 0x160));
													_t1014 =  *((intOrPtr*)(_t1025 + 0x150));
												}
												_t1021 =  *(_t1025 + 0x158);
												 *_t1012 = 0;
												_t911 = 0x21fbe7a4;
												_t836 =  *((intOrPtr*)(_t1025 + 0x14));
												_t1010 =  *((intOrPtr*)(_t1025 + 0x15c));
												goto L1;
											} else {
												__eflags = _t911 - 0x31a77748;
												if(_t911 != 0x31a77748) {
													goto L46;
												} else {
													_t923 = _t1025 + 0x490;
													 *(_t1025 + 0x164) =  *(_t1025 + 0x164) & 0x00000000;
													 *(_t1025 + 0x168) =  *(_t1025 + 0x8c);
													E00726334(_t923,  *(_t1025 + 0x158),  *((intOrPtr*)(_t1025 + 0x13c)), _t1025 + 0x1a8, _t988, _t1025 + 0x29c,  *(_t1025 + 0x50),  *(_t1025 + 0x154), _t1025 + 0x168, _t1025 + 0x174);
													_t1025 = _t1025 + 0x20;
													asm("sbb ecx, ecx");
													_t911 = (_t923 & 0xdb505f8c) + 0x2af16eef;
													goto L11;
												}
											}
										}
									}
								}
							}
						}
						goto L51;
					}
				}
			}

0x0071bec7
0x0071bece
0x0071bed0
0x0071bed2
0x0071bed9
0x0071bee0
0x0071bee7
0x0071beee
0x0071bef5
0x0071befc
0x0071befd
0x0071befe
0x0071bf03
0x0071bf0e
0x0071bf11
0x0071bf1e
0x0071bf29
0x0071bf2b
0x0071bf36
0x0071bf3b
0x0071bf46
0x0071bf51
0x0071bf5c
0x0071bf67
0x0071bf72
0x0071bf7d
0x0071bf88
0x0071bf93
0x0071bf9e
0x0071bfa6
0x0071bfb1
0x0071bfbc
0x0071bfc7
0x0071bfd2
0x0071bfdd
0x0071bfe8
0x0071bff0
0x0071bffb
0x0071c00a
0x0071c00d
0x0071c014
0x0071c020
0x0071c029
0x0071c02c
0x0071c030
0x0071c038
0x0071c048
0x0071c051
0x0071c052
0x0071c056
0x0071c05b
0x0071c063
0x0071c06b
0x0071c073
0x0071c078
0x0071c080
0x0071c088
0x0071c090
0x0071c09e
0x0071c0a2
0x0071c0aa
0x0071c0b2
0x0071c0bd
0x0071c0ca
0x0071c0d2
0x0071c0dd
0x0071c0e8
0x0071c0f3
0x0071c0fe
0x0071c109
0x0071c114
0x0071c11f
0x0071c12a
0x0071c135
0x0071c140
0x0071c14b
0x0071c156
0x0071c15e
0x0071c169
0x0071c174
0x0071c185
0x0071c18a
0x0071c19b
0x0071c19e
0x0071c1a5
0x0071c1b0
0x0071c1c6
0x0071c1cd
0x0071c1d8
0x0071c1e3
0x0071c1eb
0x0071c1f6
0x0071c201
0x0071c208
0x0071c213
0x0071c226
0x0071c227
0x0071c236
0x0071c23d
0x0071c248
0x0071c253
0x0071c25b
0x0071c263
0x0071c26e
0x0071c279
0x0071c284
0x0071c28f
0x0071c29a
0x0071c2a2
0x0071c2ad
0x0071c2b8
0x0071c2c3
0x0071c2cb
0x0071c2d6
0x0071c2de
0x0071c2e6
0x0071c2ee
0x0071c2f3
0x0071c2fb
0x0071c309
0x0071c30d
0x0071c312
0x0071c317
0x0071c31f
0x0071c327
0x0071c32c
0x0071c334
0x0071c33c
0x0071c344
0x0071c34e
0x0071c356
0x0071c35e
0x0071c366
0x0071c36e
0x0071c382
0x0071c387
0x0071c390
0x0071c39b
0x0071c3a6
0x0071c3b1
0x0071c3bc
0x0071c3c7
0x0071c3cf
0x0071c3db
0x0071c3e0
0x0071c3eb
0x0071c3ec
0x0071c3f0
0x0071c3f8
0x0071c403
0x0071c416
0x0071c41d
0x0071c428
0x0071c433
0x0071c43b
0x0071c446
0x0071c451
0x0071c459
0x0071c461
0x0071c469
0x0071c46e
0x0071c476
0x0071c47e
0x0071c486
0x0071c48e
0x0071c496
0x0071c49e
0x0071c4b1
0x0071c4b8
0x0071c4c3
0x0071c4ce
0x0071c4d9
0x0071c4e4
0x0071c4ec
0x0071c4f7
0x0071c502
0x0071c50d
0x0071c518
0x0071c523
0x0071c52b
0x0071c539
0x0071c53d
0x0071c542
0x0071c54a
0x0071c555
0x0071c55d
0x0071c568
0x0071c573
0x0071c57e
0x0071c589
0x0071c591
0x0071c59c
0x0071c5af
0x0071c5b6
0x0071c5c3
0x0071c5ce
0x0071c5d6
0x0071c5db
0x0071c5e3
0x0071c5eb
0x0071c5f3
0x0071c5fe
0x0071c612
0x0071c617
0x0071c620
0x0071c62b
0x0071c636
0x0071c63e
0x0071c649
0x0071c65c
0x0071c65d
0x0071c664
0x0071c66f
0x0071c67a
0x0071c682
0x0071c68d
0x0071c695
0x0071c69d
0x0071c6a5
0x0071c6aa
0x0071c6b2
0x0071c6bd
0x0071c6c4
0x0071c6cf
0x0071c6da
0x0071c6e5
0x0071c6ed
0x0071c6f8
0x0071c703
0x0071c70e
0x0071c719
0x0071c724
0x0071c738
0x0071c73f
0x0071c74a
0x0071c752
0x0071c757
0x0071c75f
0x0071c764
0x0071c76c
0x0071c777
0x0071c782
0x0071c78d
0x0071c798
0x0071c7a3
0x0071c7ae
0x0071c7b6
0x0071c7bb
0x0071c7c3
0x0071c7cb
0x0071c7d3
0x0071c7db
0x0071c7e5
0x0071c7e9
0x0071c7f1
0x0071c7f9
0x0071c801
0x0071c809
0x0071c811
0x0071c819
0x0071c821
0x0071c829
0x0071c831
0x0071c839
0x0071c841
0x0071c852
0x0071c855
0x0071c861
0x0071c865
0x0071c86a
0x0071c872
0x0071c87a
0x0071c882
0x0071c887
0x0071c88c
0x0071c894
0x0071c8a6
0x0071c8ab
0x0071c8b4
0x0071c8bf
0x0071c8c7
0x0071c8d3
0x0071c8d8
0x0071c8de
0x0071c8e6
0x0071c8ee
0x0071c8fa
0x0071c8ff
0x0071c905
0x0071c911
0x0071c916
0x0071c91c
0x0071c924
0x0071c936
0x0071c939
0x0071c940
0x0071c94b
0x0071c956
0x0071c961
0x0071c974
0x0071c97b
0x0071c986
0x0071c991
0x0071c999
0x0071c9a1
0x0071c9a9
0x0071c9ae
0x0071c9b6
0x0071c9c1
0x0071c9cc
0x0071c9d4
0x0071c9df
0x0071c9ea
0x0071c9f5
0x0071ca00
0x0071ca0b
0x0071ca16
0x0071ca1e
0x0071ca29
0x0071ca34
0x0071ca4a
0x0071ca4f
0x0071ca58
0x0071ca63
0x0071ca6e
0x0071ca7e
0x0071ca7f
0x0071ca83
0x0071ca88
0x0071ca90
0x0071ca9b
0x0071caa6
0x0071cab1
0x0071cabc
0x0071cac4
0x0071cacf
0x0071cada
0x0071cae5
0x0071caf0
0x0071cafb
0x0071cb06
0x0071cb19
0x0071cb20
0x0071cb2b
0x0071cb36
0x0071cb4a
0x0071cb51
0x0071cb5c
0x0071cb63
0x0071cb6a
0x0071cb6e
0x0071cb75
0x0071cb75
0x0071cb75
0x0071cb79
0x0071cb79
0x0071cb79
0x0071cb7f
0x00000000
0x00000000
0x0071cb85
0x0071cb85
0x0071ce56
0x0071ce5b
0x0071ce5e
0x00000000
0x0071cb8b
0x0071cb90
0x0071cb92
0x0071cd76
0x0071cd7c
0x0071d153
0x0071d154
0x0071d15b
0x0071d162
0x0071d169
0x00000000
0x0071cd82
0x0071cd82
0x0071cd88
0x0071cde5
0x0071cdeb
0x0071cdf5
0x0071cdf7
0x0071cdff
0x0071ce01
0x0071ce1d
0x0071ce22
0x0071ce25
0x0071ce29
0x0071ce2b
0x0071d134
0x0071d135
0x0071d13c
0x0071d143
0x0071d14a
0x0071d170
0x0071d170
0x0071ce31
0x0071ce31
0x0071ce36
0x0071ce36
0x00000000
0x0071ce36
0x0071ce2b
0x0071cd8a
0x0071cd8a
0x0071cd90
0x00000000
0x0071cd96
0x0071cda9
0x0071cdb0
0x00000000
0x0071cdb0
0x0071cd90
0x0071cd88
0x0071cb98
0x0071cb98
0x0071cd64
0x0071cd69
0x0071cd6c
0x00000000
0x0071cb9e
0x0071cba4
0x0071cd0b
0x0071cd19
0x0071cd2b
0x0071cd2d
0x0071cd34
0x0071cd35
0x0071cd38
0x00000000
0x0071cbaa
0x0071cbb0
0x0071cc44
0x0071cc4d
0x0071cc54
0x0071cc62
0x0071cc67
0x0071cc6d
0x0071cc8e
0x0071ccb8
0x0071ccbd
0x0071ccd7
0x0071ccdc
0x0071cce1
0x0071cce4
0x0071cceb
0x0071ccf3
0x0071ccf7
0x0071ccfb
0x0071ccff
0x0071ccff
0x00000000
0x0071cbb6
0x0071cbbc
0x0071cc2c
0x0071cc33
0x0071cc34
0x0071cc3c
0x00000000
0x0071cbbe
0x0071cbc4
0x0071d127
0x0071d127
0x0071d12d
0x0071cb75
0x0071cb75
0x0071cb75
0x00000000
0x0071cb75
0x0071cb75
0x0071cbca
0x0071cbee
0x0071cbf5
0x0071cbfa
0x0071cbff
0x0071cc07
0x0071cc0d
0x0071cc0d
0x0071cb75
0x0071cb75
0x0071cb75
0x0071cb79
0x0071cb79
0x0071cb7f
0x00000000
0x00000000
0x00000000
0x0071cb7f
0x0071cb75
0x0071cbc4
0x0071cbbc
0x0071cbb0
0x0071cba4
0x0071cb98
0x0071cb92
0x0071d17a
0x0071d184
0x0071ce68
0x0071ce68
0x0071ce6e
0x0071d0d7
0x0071d0ec
0x0071d102
0x0071d110
0x0071d112
0x0071d11e
0x0071d122
0x00000000
0x0071d114
0x0071d114
0x00000000
0x0071d114
0x0071ce74
0x0071ce74
0x0071ce7a
0x0071d0c8
0x0071d0cd
0x00000000
0x0071ce80
0x0071ce80
0x0071ce86
0x0071d0af
0x0071d0b4
0x0071d0b7
0x00000000
0x0071ce8c
0x0071ce8c
0x0071ce92
0x0071cfeb
0x0071cff7
0x0071cffe
0x0071d009
0x0071d00e
0x0071d054
0x0071d076
0x0071d07b
0x0071d07f
0x0071d082
0x00000000
0x0071ce98
0x0071ce98
0x0071ce9e
0x0071cfd9
0x0071cfde
0x0071cfe1
0x00000000
0x0071cea4
0x0071cea4
0x0071ceaa
0x0071cf37
0x0071cf42
0x0071cf47
0x0071cf47
0x0071cf48
0x0071cf4c
0x0071cf4d
0x0071cf73
0x0071cf79
0x0071cf7e
0x0071cf81
0x0071cf86
0x0071cf87
0x0071cf8a
0x0071cf8d
0x0071cf8d
0x0071cf8d
0x0071cf90
0x0071cf97
0x0071cf97
0x0071cf9e
0x0071cfa7
0x0071cfaa
0x0071cfaf
0x0071cfb3
0x00000000
0x0071ceb0
0x0071ceb0
0x0071ceb6
0x00000000
0x0071cebc
0x0071cec3
0x0071ceca
0x0071ced2
0x0071cf13
0x0071cf18
0x0071cf1d
0x0071cf25
0x00000000
0x0071cf25
0x0071ceb6
0x0071ceaa
0x0071ce9e
0x0071ce92
0x0071ce86
0x0071ce7a
0x00000000
0x0071ce6e
0x0071cb79

Strings

v%, xrefs: 0071C3BC
p+, xrefs: 0071C23D
V, xrefs: 0071CAA6
O, xrefs: 0071C872
<L, xrefs: 0071C74A
%J, xrefs: 0071BF03
=H, xrefs: 0071BF7D
;&, xrefs: 0071CA58
#b, xrefs: 0071C36E
U4, xrefs: 0071C428
VS, xrefs: 0071C69D
L, xrefs: 0071C1B0
,U, xrefs: 0071C8DE
WI, xrefs: 0071C080
,n, xrefs: 0071C9DF
#@, xrefs: 0071C26E
O!, xrefs: 0071C2A2
q;, xrefs: 0071C476
yB, xrefs: 0071C3F8
}., xrefs: 0071C0BD
\', xrefs: 0071C591
M, xrefs: 0071C518
nk@, xrefs: 0071C33C

Memory Dump Source

Source File: 00000001.00000002.282217417.0000000000710000.00000040.00020000.sdmp, Offset: 00710000, based on PE: true

Associated: 00000001.00000002.282272461.0000000000731000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: O$#@$#b$%J$,U$,n$;&$<L$=H$O!$U4$VS$WI$nk@$p+$q;$v%$yB$}.$L$M$V$\'
API String ID: 0-3340991546
Opcode ID: 71d7d85f0d09bb04e08dc16bb947aecde57aaac12dec3a22585392ec66d379a9
Instruction ID: e6d923268d6405586ca8a8b644fb509a0493cce34f8adc785c31a8f1240e5011
Opcode Fuzzy Hash: 71d7d85f0d09bb04e08dc16bb947aecde57aaac12dec3a22585392ec66d379a9
Instruction Fuzzy Hash: 8392F371508381DBE3B9CF65C88AB9BBBE1BBC4304F10891DE1DA862A0D7B55959CF43

Uniqueness

Uniqueness Score: -1.00%

Function 0071F7EF, Relevance: 25.4, Strings: 20, Instructions: 412
COMMONCrypto

Download Yara Rule

C-Code - Quality: 88%

			E0071F7EF(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				intOrPtr _v4;
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v20;
				char _v24;
				signed int _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				intOrPtr _v108;
				signed int _v112;
				signed int _v116;
				unsigned int _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				intOrPtr _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				signed int _v184;
				signed int _v188;
				signed int _v192;
				signed int _v196;
				intOrPtr _t415;
				void* _t424;
				signed int _t427;
				intOrPtr _t430;
				intOrPtr _t434;
				intOrPtr _t435;
				void* _t474;
				signed int _t480;
				signed int _t481;
				signed int _t482;
				signed int _t483;
				signed int _t484;
				signed int _t485;
				signed int _t486;
				signed int _t487;
				signed int _t488;
				signed int _t489;
				signed int _t490;
				signed int _t491;
				intOrPtr* _t492;
				signed int _t495;
				intOrPtr _t500;
				signed int* _t502;
				void* _t505;

				_t435 = __ecx;
				_push(_a16);
				_v148 = __ecx;
				_push(_a12);
				_v32 = __edx;
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E00727B8C(__edx);
				_v16 = 0x3b9680;
				_t434 = 0;
				_v12 = 0x6ba317;
				_t502 =  &(( &_v196)[6]);
				_v8 = 0;
				_v4 = 0;
				_t495 = 0x2719ab8d;
				_v116 = 0xd377;
				_t500 = 0;
				_v116 = _v116 + 0x238d;
				_v116 = _v116 | 0xa2970609;
				_v116 = _v116 ^ 0xa297c99a;
				_v188 = 0x17;
				_t480 = 0x57;
				_v188 = _v188 * 0x6e;
				_v188 = _v188 + 0xffff0dd3;
				_v188 = _v188 << 8;
				_v188 = _v188 ^ 0xff1794f3;
				_v140 = 0x3e07;
				_v140 = _v140 * 0x4c;
				_v140 = _v140 + 0xffff97ee;
				_v140 = _v140 ^ 0x0012480d;
				_v104 = 0xd8e6;
				_v104 = _v104 << 0xc;
				_v104 = _v104 + 0xecef;
				_v104 = _v104 ^ 0x0d8f715b;
				_v96 = 0x573a;
				_v96 = _v96 + 0x5e68;
				_v96 = _v96 >> 0xe;
				_v96 = _v96 ^ 0x0000075e;
				_v128 = 0x566c;
				_v128 = _v128 >> 9;
				_v128 = _v128 + 0xffffddf0;
				_v128 = _v128 ^ 0xfffffe2b;
				_v44 = 0xee83;
				_v44 = _v44 | 0x7b89a95f;
				_v44 = _v44 ^ 0x7b89d350;
				_v112 = 0x19ad;
				_v112 = _v112 + 0xa3ec;
				_v112 = _v112 << 9;
				_v112 = _v112 ^ 0x017b186a;
				_v184 = 0x2e78;
				_v184 = _v184 | 0x9e5a38ae;
				_v184 = _v184 + 0xffff0bef;
				_v184 = _v184 << 1;
				_v184 = _v184 ^ 0x3cb2b70a;
				_v136 = 0xcc56;
				_v136 = _v136 ^ 0x8cba8dc2;
				_v136 = _v136 * 0xa;
				_v136 = _v136 ^ 0x7f46992b;
				_v76 = 0x21;
				_v76 = _v76 / _t480;
				_v76 = _v76 ^ 0x00005921;
				_v168 = 0xa72;
				_v168 = _v168 << 0xb;
				_v168 = _v168 ^ 0x98e8c4ea;
				_v168 = _v168 << 7;
				_v168 = _v168 ^ 0x5daa545d;
				_v124 = 0xaec3;
				_v124 = _v124 + 0xffff192a;
				_t481 = 0x5b;
				_v124 = _v124 / _t481;
				_v124 = _v124 ^ 0x02d064ad;
				_v192 = 0x6651;
				_t482 = 0x1d;
				_v192 = _v192 / _t482;
				_t483 = 0x1f;
				_v192 = _v192 * 0x25;
				_v192 = _v192 | 0x9bd6b283;
				_v192 = _v192 ^ 0x9bd6bccf;
				_v88 = 0xd9ca;
				_v88 = _v88 + 0xf892;
				_v88 = _v88 ^ 0x0001ae1d;
				_v120 = 0x6348;
				_v120 = _v120 >> 6;
				_v120 = _v120 ^ 0x00003c96;
				_v172 = 0xaef9;
				_v172 = _v172 * 0x31;
				_v172 = _v172 * 0x12;
				_v172 = _v172 ^ 0xedb2a137;
				_v172 = _v172 ^ 0xefe82b79;
				_v84 = 0xacfc;
				_v84 = _v84 + 0xffff1368;
				_v84 = _v84 ^ 0xffff9d08;
				_v48 = 0x6e4c;
				_v48 = _v48 / _t483;
				_v48 = _v48 ^ 0x0000060e;
				_v176 = 0xeee3;
				_v176 = _v176 ^ 0x903f1269;
				_v176 = _v176 + 0xffff48ed;
				_v176 = _v176 << 0xf;
				_v176 = _v176 ^ 0xa2bb9fa4;
				_v152 = 0x58ce;
				_v152 = _v152 + 0xffff963f;
				_v152 = _v152 + 0x75c9;
				_v152 = _v152 >> 6;
				_v152 = _v152 ^ 0x000066f7;
				_v56 = 0x6674;
				_v56 = _v56 << 0x10;
				_v56 = _v56 ^ 0x66740fb2;
				_v160 = 0xd031;
				_t484 = 0x28;
				_v160 = _v160 / _t484;
				_v160 = _v160 + 0xffff71b6;
				_v160 = _v160 ^ 0xd9e43e8e;
				_v160 = _v160 ^ 0x261b2d71;
				_v60 = 0x303a;
				_t485 = 0x7d;
				_v60 = _v60 / _t485;
				_v60 = _v60 ^ 0x0000510e;
				_v132 = 0x1d5d;
				_t486 = 0x56;
				_v132 = _v132 / _t486;
				_v132 = _v132 | 0x6e535a32;
				_v132 = _v132 ^ 0x6e5321ef;
				_v80 = 0x7967;
				_v80 = _v80 ^ 0x7560054b;
				_v80 = _v80 ^ 0x75603850;
				_v164 = 0x8cdd;
				_v164 = _v164 + 0xffff8ed4;
				_v164 = _v164 << 0xc;
				_v164 = _v164 ^ 0x828fa879;
				_v164 = _v164 ^ 0x8334cc1e;
				_v52 = 0xa51f;
				_t487 = 0x2e;
				_v52 = _v52 * 0x1c;
				_v52 = _v52 ^ 0x0012379c;
				_v40 = 0x18d2;
				_v40 = _v40 << 0xf;
				_v40 = _v40 ^ 0x0c697b49;
				_v144 = 0x15f3;
				_v144 = _v144 << 3;
				_v144 = _v144 ^ 0xc4cc54f8;
				_v144 = _v144 ^ 0xc4ccfaa5;
				_v196 = 0x22c6;
				_v196 = _v196 | 0x1ab9b1b6;
				_v196 = _v196 << 9;
				_v196 = _v196 / _t487;
				_v196 = _v196 ^ 0x02822d20;
				_v92 = 0x67c;
				_t488 = 0x64;
				_v92 = _v92 / _t488;
				_v92 = _v92 + 0xffff740a;
				_v92 = _v92 ^ 0xffff0769;
				_v64 = 0x1c6a;
				_t489 = 0x41;
				_v64 = _v64 / _t489;
				_v64 = _v64 ^ 0x000016c9;
				_v100 = 0x5f8f;
				_v100 = _v100 ^ 0x595f77d3;
				_v100 = _v100 | 0xb719b4dd;
				_v100 = _v100 ^ 0xff5ff567;
				_v72 = 0x2102;
				_v72 = _v72 >> 0xc;
				_v72 = _v72 ^ 0x00003ab9;
				_v68 = 0xef66;
				_t490 = 0x45;
				_v68 = _v68 / _t490;
				_v68 = _v68 ^ 0x00000379;
				_v156 = 0x2131;
				_v156 = _v156 | 0x611fe25d;
				_t491 = 0x3f;
				_v156 = _v156 / _t491;
				_v156 = _v156 + 0xffff0648;
				_v156 = _v156 ^ 0x0189b07f;
				_v180 = 0xf4b8;
				_v180 = _v180 | 0x619cc8cd;
				_v180 = _v180 * 6;
				_v180 = _v180 + 0xffff3081;
				_v180 = _v180 ^ 0x49ad1e6e;
				_t492 = _v28;
				while(1) {
					L1:
					while(1) {
						_t505 = _t495 - 0x2719ab8d;
						if(_t505 > 0) {
							goto L18;
						}
						L3:
						if(_t505 == 0) {
							_t495 = 0x3321e816;
							continue;
						} else {
							if(_t495 == _t474) {
								E00718114(_v48,  &_v20, _v176, _t435, _v68, _v152, _t500, _v56, _v36);
								_t495 =  !=  ? 0x2d69547a : 0x2669c161;
								_t415 = E0072EF5D(_v160, _v60, _v36, _v132);
								_t502 =  &(_t502[9]);
								L27:
								_t435 = _v148;
								_t474 = 0x252cad7;
								goto L28;
							} else {
								if(_t495 == 0x11388fe4) {
									return E007133F4(_v92, _v64, _v100, _v72, _t434);
								}
								if(_t495 == 0x122b2781) {
									_push(_t435);
									_t500 = E0071A0AD(0x2000, _t474);
									_t495 =  !=  ? 0x132b3d3f : 0x11388fe4;
									goto L14;
								} else {
									if(_t495 == 0x132b3d3f) {
										_t424 = E007261AD( &_v24, _v96, _v128, _t435, _v44, _t435, _v32, _v112, _t435, _v184,  &_v28, _v136, _t434, _t435, _v76, _t435, _v168, _v124, _v192);
										_t502 =  &(_t502[0x12]);
										if(_t424 == 0) {
											_t495 = 0x363e2349;
											L14:
											_t415 = _v108;
										} else {
											_t427 = E00723B73();
											_t495 = 0x2dd7ef02;
											_t415 = _v28 * 0x2c + _t434;
											_v108 = _t415;
											_t492 =  >=  ? _t434 : (_t427 & 0x0000001f) * 0x2c + _t434;
										}
										_t435 = _v148;
										goto L1;
									} else {
										if(_t495 != 0x2669c161) {
											L28:
											if(_t495 != 0x323b38fa) {
												_t415 = _v108;
												continue;
											}
										} else {
											_t492 = _t492 + 0x2c;
											asm("sbb esi, esi");
											_t495 = (_t495 & 0xf799cbb9) + 0x363e2349;
											while(1) {
												_t505 = _t495 - 0x2719ab8d;
												if(_t505 > 0) {
													goto L18;
												}
												goto L3;
											}
											goto L18;
										}
									}
								}
							}
						}
						L31:
						return _t415;
						L18:
						_t415 = 0x2d69547a;
						if(_t495 == 0x2d69547a) {
							_t415 = E00729BD1(_v156, _v80, _v164, _t435, _t500);
							_t502 =  &(_t502[3]);
							_t495 = 0x363e2349;
							goto L27;
						} else {
							if(_t495 == 0x2dd7ef02) {
								_t430 = E00724FA1( *_t492, _v172, _v180, _v32, _v84);
								_t435 = _v148;
								_t502 =  &(_t502[3]);
								_v36 = _t430;
								_t415 = _v108;
								_t474 = 0x252cad7;
								_t495 =  !=  ? 0x252cad7 : 0x2669c161;
								continue;
							} else {
								if(_t495 == 0x3321e816) {
									_push(_t435);
									_t415 = E0071A0AD(0x20000, _t474);
									_t434 = 0x2d69547a;
									if(0x2d69547a != 0) {
										_t495 = 0x122b2781;
										goto L14;
									}
								} else {
									if(_t495 != 0x363e2349) {
										goto L28;
									} else {
										E007133F4(_v52, _v40, _v144, _v196, _t500);
										_t502 =  &(_t502[3]);
										_t495 = 0x11388fe4;
										goto L14;
									}
								}
							}
						}
						goto L31;
					}
				}
			}

0x0071f7ef
0x0071f7f9
0x0071f802
0x0071f806
0x0071f80d
0x0071f814
0x0071f81b
0x0071f822
0x0071f823
0x0071f824
0x0071f829
0x0071f834
0x0071f836
0x0071f841
0x0071f844
0x0071f84d
0x0071f854
0x0071f859
0x0071f861
0x0071f863
0x0071f86b
0x0071f873
0x0071f87b
0x0071f88a
0x0071f88b
0x0071f88f
0x0071f897
0x0071f89c
0x0071f8a4
0x0071f8b1
0x0071f8b5
0x0071f8bd
0x0071f8c5
0x0071f8cd
0x0071f8d2
0x0071f8da
0x0071f8e2
0x0071f8ea
0x0071f8f2
0x0071f8f7
0x0071f8ff
0x0071f907
0x0071f90c
0x0071f914
0x0071f91c
0x0071f927
0x0071f932
0x0071f93d
0x0071f945
0x0071f94d
0x0071f952
0x0071f95a
0x0071f962
0x0071f96a
0x0071f972
0x0071f976
0x0071f97e
0x0071f986
0x0071f993
0x0071f997
0x0071f99f
0x0071f9b3
0x0071f9ba
0x0071f9c5
0x0071f9cd
0x0071f9d2
0x0071f9da
0x0071f9df
0x0071f9e7
0x0071f9ef
0x0071f9ff
0x0071fa04
0x0071fa0a
0x0071fa12
0x0071fa1e
0x0071fa23
0x0071fa2e
0x0071fa31
0x0071fa35
0x0071fa3d
0x0071fa45
0x0071fa50
0x0071fa5b
0x0071fa66
0x0071fa6e
0x0071fa7b
0x0071fa83
0x0071fa90
0x0071fa99
0x0071fa9d
0x0071faa5
0x0071faad
0x0071fab8
0x0071fac3
0x0071face
0x0071fae4
0x0071faeb
0x0071faf6
0x0071fafe
0x0071fb06
0x0071fb0e
0x0071fb13
0x0071fb1b
0x0071fb23
0x0071fb2b
0x0071fb33
0x0071fb38
0x0071fb40
0x0071fb4b
0x0071fb53
0x0071fb5e
0x0071fb6a
0x0071fb6f
0x0071fb75
0x0071fb7d
0x0071fb85
0x0071fb8d
0x0071fb9f
0x0071fba4
0x0071fbad
0x0071fbb8
0x0071fbc4
0x0071fbc7
0x0071fbcd
0x0071fbd5
0x0071fbdd
0x0071fbe8
0x0071fbf3
0x0071fbfe
0x0071fc06
0x0071fc0e
0x0071fc13
0x0071fc1b
0x0071fc23
0x0071fc38
0x0071fc3b
0x0071fc42
0x0071fc4d
0x0071fc58
0x0071fc60
0x0071fc6b
0x0071fc73
0x0071fc78
0x0071fc80
0x0071fc88
0x0071fc90
0x0071fc98
0x0071fca5
0x0071fca9
0x0071fcb1
0x0071fcbd
0x0071fcc2
0x0071fcc8
0x0071fcd0
0x0071fcd8
0x0071fcea
0x0071fcef
0x0071fcf8
0x0071fd03
0x0071fd0b
0x0071fd13
0x0071fd1b
0x0071fd23
0x0071fd2e
0x0071fd36
0x0071fd41
0x0071fd53
0x0071fd58
0x0071fd61
0x0071fd6c
0x0071fd74
0x0071fd80
0x0071fd83
0x0071fd87
0x0071fd8f
0x0071fd97
0x0071fd9f
0x0071fdac
0x0071fdb0
0x0071fdb8
0x0071fdc0
0x0071fdcb
0x0071fdcb
0x0071fdd0
0x0071fdd0
0x0071fdd6
0x00000000
0x00000000
0x0071fddc
0x0071fddc
0x0071ff56
0x00000000
0x0071fde2
0x0071fde4
0x0071ff1f
0x0071ff46
0x0071ff49
0x0071ff4e
0x0072003b
0x0072003b
0x0072003f
0x00000000
0x0071fdea
0x0071fdf0
0x00000000
0x00720074
0x0071fdfc
0x0071fed3
0x0071fede
0x0071feed
0x00000000
0x0071fe02
0x0071fe08
0x0071fe7e
0x0071fe83
0x0071fe88
0x0071fec0
0x0071fec5
0x0071fec5
0x0071fe8a
0x0071fe92
0x0071fe9a
0x0071feac
0x0071feb0
0x0071feb4
0x0071feb4
0x0071feb7
0x00000000
0x0071fe0a
0x0071fe10
0x00720044
0x0072004a
0x0072004c
0x00000000
0x0072004c
0x0071fe16
0x0071fe16
0x0071fe1b
0x0071fe23
0x0071fdd0
0x0071fdd0
0x0071fdd6
0x00000000
0x00000000
0x00000000
0x0071fdd6
0x00000000
0x0071fdd0
0x0071fe10
0x0071fe08
0x0071fdfc
0x0071fde4
0x00720081
0x00720081
0x0071ff60
0x0071ff60
0x0071ff67
0x0072002e
0x00720033
0x00720036
0x00000000
0x0071ff6d
0x0071ff73
0x0071fff2
0x0071fff7
0x0071fffb
0x00720000
0x00720007
0x00720010
0x00720015
0x00000000
0x0071ff75
0x0071ff7b
0x0071ffba
0x0071ffc0
0x0071ffc5
0x0071ffca
0x0071ffd0
0x00000000
0x0071ffd0
0x0071ff7d
0x0071ff83
0x00000000
0x0071ff89
0x0071ffa0
0x0071ffa5
0x0071ffa8
0x00000000
0x0071ffa8
0x0071ff83
0x0071ff7b
0x0071ff73
0x00000000
0x0071ff67
0x0071fdd0

Strings

lV, xrefs: 0071F8FF
Qf, xrefs: 0071FA12
f, xrefs: 0071FD41
P8`u, xrefs: 0071FBF3
:0, xrefs: 0071FB8D
Ln, xrefs: 0071FACE
I#>6, xrefs: 00720036
x., xrefs: 0071F95A
!Y, xrefs: 0071F9BA
zTi-, xrefs: 0071FF60
Hc, xrefs: 0071FA66
I#>6, xrefs: 0071FF7D
I#>6, xrefs: 0071FEC0
zTi-, xrefs: 0071FF3C
1!, xrefs: 0071FD6C
h^, xrefs: 0071F8EA
tf, xrefs: 0071FB40
y+, xrefs: 0071FA8B, 0071FA94
!Sn, xrefs: 0071FBD5
y+, xrefs: 0071FAA5

Memory Dump Source

Source File: 00000001.00000002.282217417.0000000000710000.00000040.00020000.sdmp, Offset: 00710000, based on PE: true

Associated: 00000001.00000002.282272461.0000000000731000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: !Y$1!$:0$Hc$I#>6$I#>6$I#>6$Ln$P8`u$Qf$f$h^$lV$tf$x.$y+$y+$zTi-$zTi-$!Sn
API String ID: 0-241465763
Opcode ID: efcd2f295585981908b3a7feb0db04efecde80df6b2f1b4b7c5ec256f0dfc581
Instruction ID: e5f7c4374166794caa4d32de856dc0a77d4b5a3fec6ff11f622797e13037344a
Opcode Fuzzy Hash: efcd2f295585981908b3a7feb0db04efecde80df6b2f1b4b7c5ec256f0dfc581
Instruction Fuzzy Hash: E51232725083819FD364CF29D889A8FFBE2BBC4354F10891DE6D9862A0D7B58949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 0072A82C, Relevance: 25.4, Strings: 20, Instructions: 390
COMMONCrypto

Download Yara Rule

C-Code - Quality: 97%

			E0072A82C(intOrPtr* __ecx, intOrPtr __edx, intOrPtr* _a4) {
				char _v64;
				char _v128;
				intOrPtr* _v132;
				intOrPtr _v136;
				char _v140;
				signed int _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				unsigned int _v184;
				signed int _v188;
				signed int _v192;
				signed int _v196;
				signed int _v200;
				signed int _v204;
				signed int _v208;
				signed int _v212;
				signed int _v216;
				signed int _v220;
				signed int _v224;
				signed int _v228;
				signed int _v232;
				signed int _v236;
				signed int _v240;
				signed int _v244;
				signed int _v248;
				signed int _v252;
				signed int _v256;
				signed int _v260;
				signed int _v264;
				signed int _v268;
				signed int _v272;
				signed int _v276;
				signed int _v280;
				signed int _v284;
				signed int _v288;
				signed int _v292;
				signed int _v296;
				unsigned int _v300;
				signed int _v304;
				signed int _v308;
				signed int _v312;
				signed int _t432;
				signed int _t436;
				intOrPtr* _t463;
				signed int _t506;
				signed int _t507;
				signed int _t508;
				signed int _t509;
				signed int _t510;
				signed int _t511;
				signed int _t512;
				signed int _t513;
				signed int _t514;
				intOrPtr _t515;
				void* _t516;
				void* _t519;
				void* _t522;
				intOrPtr* _t525;
				signed int* _t526;
				signed int* _t527;
				signed int* _t528;

				_t463 = __ecx;
				_t526 =  &_v312;
				_v300 = 0xbd2e;
				_v300 = _v300 ^ 0x64ca91f9;
				_v300 = _v300 + 0xffff8c4b;
				_v300 = _v300 >> 1;
				_v300 = _v300 ^ 0x3264cef1;
				_v184 = 0xdbc4;
				_v184 = _v184 >> 9;
				_v184 = _v184 ^ 0x00003117;
				_v268 = 0x9d1d;
				_v136 = __edx;
				_t516 = 0x2232b3b9;
				_v132 = __ecx;
				_t506 = 0x39;
				_v268 = _v268 / _t506;
				_v268 = _v268 >> 1;
				_v268 = _v268 << 6;
				_v268 = _v268 ^ 0x00004c83;
				_v308 = 0x5460;
				_v308 = _v308 >> 0x10;
				_v308 = _v308 + 0x7d77;
				_v308 = _v308 << 3;
				_v308 = _v308 ^ 0x0003a260;
				_v192 = 0x89bd;
				_v192 = _v192 + 0xffff13d7;
				_v192 = _v192 ^ 0xffffc185;
				_v232 = 0x81b3;
				_t507 = 0x3d;
				_v232 = _v232 / _t507;
				_t508 = 0x54;
				_v232 = _v232 * 0x1b;
				_v232 = _v232 ^ 0x00007be6;
				_v260 = 0x444c;
				_v260 = _v260 + 0xa661;
				_v260 = _v260 >> 9;
				_v260 = _v260 << 0xa;
				_v260 = _v260 ^ 0x0001e14b;
				_v292 = 0xe8e0;
				_v292 = _v292 >> 5;
				_v292 = _v292 / _t508;
				_t509 = 0x60;
				_v292 = _v292 / _t509;
				_v292 = _v292 ^ 0x00006d5b;
				_v204 = 0xeb94;
				_v204 = _v204 * 0x6c;
				_v204 = _v204 ^ 0x006376b1;
				_v212 = 0x3796;
				_v212 = _v212 + 0x35e;
				_v212 = _v212 << 0xd;
				_v212 = _v212 ^ 0x075eba48;
				_v244 = 0x1352;
				_v244 = _v244 << 5;
				_v244 = _v244 + 0xffff6073;
				_v244 = _v244 ^ 0x0001d834;
				_v144 = 0x59f8;
				_v144 = _v144 >> 5;
				_v144 = _v144 ^ 0x00002e13;
				_v312 = 0x8cf7;
				_v312 = _v312 ^ 0xbf441b39;
				_v312 = _v312 | 0x28cbe9eb;
				_v312 = _v312 >> 2;
				_v312 = _v312 ^ 0x2ff3e9a9;
				_v284 = 0xffa;
				_v284 = _v284 | 0xe9186ba1;
				_v284 = _v284 >> 0xd;
				_v284 = _v284 ^ 0xd21d4053;
				_v284 = _v284 ^ 0xd21a29d9;
				_v220 = 0x2b97;
				_v220 = _v220 + 0xae4a;
				_v220 = _v220 << 0xe;
				_v220 = _v220 ^ 0x3678486c;
				_v236 = 0xfd50;
				_t510 = 0x6c;
				_v236 = _v236 / _t510;
				_v236 = _v236 ^ 0x9f1c3997;
				_v236 = _v236 ^ 0x9f1c5b69;
				_v176 = 0xba6a;
				_v176 = _v176 << 0x10;
				_v176 = _v176 ^ 0xba6a61c0;
				_v296 = 0xf2ab;
				_v296 = _v296 >> 6;
				_v296 = _v296 + 0xfc70;
				_t511 = 0x51;
				_v296 = _v296 / _t511;
				_v296 = _v296 ^ 0x000068ba;
				_v304 = 0x2e74;
				_v304 = _v304 + 0xffff3a6f;
				_v304 = _v304 | 0x7157ede5;
				_v304 = _v304 >> 3;
				_v304 = _v304 ^ 0x1fffc312;
				_v148 = 0xea9a;
				_v148 = _v148 + 0xffff87b8;
				_v148 = _v148 ^ 0x000028e5;
				_v228 = 0xba9a;
				_v228 = _v228 + 0x4fe3;
				_t512 = 0x2c;
				_v228 = _v228 / _t512;
				_v228 = _v228 ^ 0x0000072d;
				_v156 = 0x98f7;
				_v156 = _v156 + 0xffff0467;
				_v156 = _v156 ^ 0xffffa503;
				_v196 = 0xdd3a;
				_v196 = _v196 | 0x1e2ca60c;
				_v196 = _v196 ^ 0x1e2cc1ee;
				_v200 = 0xf4ab;
				_v200 = _v200 + 0xa7c;
				_v200 = _v200 ^ 0x0000b10f;
				_v152 = 0xb61b;
				_v152 = _v152 + 0xffff2699;
				_v152 = _v152 ^ 0xffff8336;
				_v240 = 0xe627;
				_v240 = _v240 ^ 0x0bd8e9ed;
				_v240 = _v240 >> 4;
				_v240 = _v240 ^ 0x00bd9e8d;
				_v168 = 0xe666;
				_v168 = _v168 + 0x78a2;
				_v168 = _v168 ^ 0x00015447;
				_v248 = 0xdb6c;
				_v248 = _v248 + 0xf22e;
				_v248 = _v248 ^ 0x685e4dc9;
				_v248 = _v248 ^ 0x685fea9f;
				_v188 = 0x51ba;
				_v188 = _v188 * 3;
				_v188 = _v188 ^ 0x00008a0d;
				_v224 = 0x1d8e;
				_v224 = _v224 << 0xd;
				_v224 = _v224 | 0x84a5e482;
				_v224 = _v224 ^ 0x87b58dd8;
				_v252 = 0x40ac;
				_v252 = _v252 + 0xffff9f23;
				_v252 = _v252 << 0x10;
				_v252 = _v252 ^ 0xdfcf4bf5;
				_v288 = 0x3632;
				_v288 = _v288 << 7;
				_v288 = _v288 << 7;
				_v288 = _v288 ^ 0xb6b0a59c;
				_v288 = _v288 ^ 0xbb3c3b26;
				_v160 = 0xc42b;
				_t513 = 0x55;
				_v160 = _v160 / _t513;
				_v160 = _v160 ^ 0x00002872;
				_v276 = 0x7421;
				_v276 = _v276 + 0xffffcb98;
				_v276 = _v276 ^ 0xf0c79252;
				_v276 = _v276 ^ 0xc0d7c1d4;
				_v276 = _v276 ^ 0x3010741b;
				_v272 = 0xad29;
				_v272 = _v272 + 0xe018;
				_v272 = _v272 ^ 0x2068524c;
				_v272 = _v272 | 0x3a7994d3;
				_v272 = _v272 ^ 0x3a79cc32;
				_v280 = 0x95b2;
				_v280 = _v280 ^ 0x380918ff;
				_v280 = _v280 ^ 0xe70704ef;
				_v280 = _v280 | 0x7ae96ecd;
				_v280 = _v280 ^ 0xffefb4b6;
				_v180 = 0x4ded;
				_t514 = 0x6e;
				_t525 = _a4;
				_t460 = _v136;
				_v180 = _v180 * 0x55;
				_v180 = _v180 ^ 0x0019acfa;
				_v208 = 0xdae3;
				_v208 = _v208 << 4;
				_t515 = _v136;
				_v208 = _v208 / _t514;
				_v208 = _v208 ^ 0x0000287b;
				_v216 = 0x308a;
				_v216 = _v216 ^ 0x02b7a3de;
				_v216 = _v216 ^ 0xfa6741bc;
				_v216 = _v216 ^ 0xf8d0dbd3;
				_v256 = 0x42d;
				_v256 = _v256 ^ 0x167aeac8;
				_v256 = _v256 ^ 0xb7aced8a;
				_v256 = _v256 >> 0xb;
				_v256 = _v256 ^ 0x00141120;
				_v164 = 0x6ef4;
				_v164 = _v164 + 0x121;
				_v164 = _v164 ^ 0x00003438;
				_v264 = 0x58b1;
				_v264 = _v264 | 0x4462e83a;
				_v264 = _v264 + 0xd6e9;
				_v264 = _v264 ^ 0x0a3c556e;
				_v264 = _v264 ^ 0x4e5f821c;
				_v172 = 0x705d;
				_v172 = _v172 * 0x5f;
				_v172 = _v172 ^ 0x0029ca37;
				while(_t516 != 0x1200af6e) {
					if(_t516 == 0x122c380f) {
						_t502 = _v160;
						E0071E2FD(_t515, _v160,  *((intOrPtr*)(_t463 + 4)), _v276,  *_t463);
						_t463 = _v132;
						_t526 =  &(_t526[3]);
						_t516 = 0x35a4eec9;
						_t515 = _t515 +  *((intOrPtr*)(_t463 + 4));
						continue;
					}
					if(_t516 == 0x2232b3b9) {
						_v140 = E00723B73();
						_t516 = 0x386557c0;
						L10:
						_t463 = _v132;
						continue;
					}
					if(_t516 == 0x2d0f7694) {
						_push(_t463);
						_t515 = E0071A0AD(_a4, _t502);
						 *_t525 = _t515;
						__eflags = _t515;
						if(_t515 == 0) {
							L15:
							__eflags = 0;
							return 0;
						}
						_t516 = 0x1200af6e;
						_t460 = _a4 + _t515;
						__eflags = _a4 + _t515;
						goto L10;
					}
					if(_t516 == 0x35a4eec9) {
						_push(0x7113c8);
						E0071BDB3(_v136, __eflags, E00713F0A(_v272, _v280, __eflags), _v208, _t460 - _t515, _v216, _t515);
						E0071717B(_v256, _v164, _v264, _t453, _v172);
						return 1;
					}
					if(_t516 != 0x386557c0) {
						L14:
						__eflags = _t516 - 0x275acb38;
						if(__eflags != 0) {
							continue;
						}
						goto L15;
					}
					_t516 = 0x2d0f7694;
					_a4 =  *((intOrPtr*)(_t463 + 4)) + 0x1000;
				}
				_t432 = E0072BD78(_v192, _v232, _v260,  &_v140, _v292);
				_t527 =  &(_t526[3]);
				_t519 = (_t432 & 0x0000000f) + 4;
				_push( &_v64);
				E0072CDE2(_v204,  &_v140, _v192, _v212, _t519, _v244, _v144);
				 *((char*)(_t527 + _t519 + 0x124)) = 0;
				_t436 = E0072BD78(_v312, _v284, _v220,  &_v140, _v236);
				_t528 =  &(_t527[9]);
				_t522 = (_t436 & 0x0000000f) + 4;
				_push( &_v128);
				E0072CDE2(_v176,  &_v140, _v312, _v296, _t522, _v304, _v148);
				_push(0x711468);
				 *((char*)(_t528 + _t522 + 0xe4)) = 0;
				_t515 = _t515 + E0072E064( &_v64, __eflags, _t515, _v200, _v136,  &_v128, _v152, _v240, _v168, _v248, _t460 - _t515, E00713F0A(_v228, _v156, __eflags));
				__eflags = _t515;
				_t502 = _v224;
				E0071717B(_v188, _v224, _v252, _t439, _v288);
				_t463 = _v132;
				_t526 =  &(_t528[0x14]);
				_t516 = 0x122c380f;
				goto L14;
			}

0x0072a82c
0x0072a82c
0x0072a832
0x0072a83a
0x0072a842
0x0072a84a
0x0072a84e
0x0072a856
0x0072a861
0x0072a869
0x0072a874
0x0072a884
0x0072a88b
0x0072a894
0x0072a89b
0x0072a8a0
0x0072a8a6
0x0072a8aa
0x0072a8af
0x0072a8b7
0x0072a8bf
0x0072a8c4
0x0072a8cc
0x0072a8d1
0x0072a8d9
0x0072a8e4
0x0072a8ef
0x0072a8fa
0x0072a906
0x0072a90b
0x0072a916
0x0072a919
0x0072a91d
0x0072a925
0x0072a92d
0x0072a935
0x0072a93a
0x0072a93f
0x0072a947
0x0072a94f
0x0072a95c
0x0072a964
0x0072a967
0x0072a96b
0x0072a973
0x0072a980
0x0072a984
0x0072a98c
0x0072a994
0x0072a99c
0x0072a9a1
0x0072a9a9
0x0072a9b1
0x0072a9b6
0x0072a9be
0x0072a9c6
0x0072a9d1
0x0072a9d9
0x0072a9e4
0x0072a9ec
0x0072a9f4
0x0072a9fc
0x0072aa03
0x0072aa0b
0x0072aa13
0x0072aa1b
0x0072aa20
0x0072aa28
0x0072aa30
0x0072aa38
0x0072aa40
0x0072aa45
0x0072aa4d
0x0072aa5b
0x0072aa60
0x0072aa66
0x0072aa6e
0x0072aa76
0x0072aa81
0x0072aa89
0x0072aa94
0x0072aa9c
0x0072aaa1
0x0072aaad
0x0072aab2
0x0072aab8
0x0072aac0
0x0072aac8
0x0072aad0
0x0072aad8
0x0072aadd
0x0072aae5
0x0072aaf0
0x0072aafb
0x0072ab06
0x0072ab0e
0x0072ab1a
0x0072ab1d
0x0072ab21
0x0072ab29
0x0072ab34
0x0072ab3f
0x0072ab4a
0x0072ab55
0x0072ab60
0x0072ab6b
0x0072ab76
0x0072ab81
0x0072ab8c
0x0072ab97
0x0072aba2
0x0072abad
0x0072abb5
0x0072abbd
0x0072abc2
0x0072abca
0x0072abd5
0x0072abe0
0x0072abeb
0x0072abf3
0x0072abfb
0x0072ac03
0x0072ac0b
0x0072ac1e
0x0072ac25
0x0072ac30
0x0072ac38
0x0072ac3d
0x0072ac45
0x0072ac4d
0x0072ac57
0x0072ac5f
0x0072ac64
0x0072ac6c
0x0072ac74
0x0072ac79
0x0072ac7e
0x0072ac86
0x0072ac8e
0x0072aca2
0x0072aca7
0x0072acb0
0x0072acbb
0x0072acc3
0x0072accb
0x0072acd3
0x0072acdb
0x0072ace3
0x0072aceb
0x0072acf3
0x0072acfb
0x0072ad03
0x0072ad0b
0x0072ad13
0x0072ad1b
0x0072ad23
0x0072ad2b
0x0072ad33
0x0072ad46
0x0072ad47
0x0072ad4e
0x0072ad55
0x0072ad5c
0x0072ad67
0x0072ad6f
0x0072ad7a
0x0072ad81
0x0072ad85
0x0072ad8d
0x0072ad95
0x0072ad9d
0x0072ada5
0x0072adad
0x0072adb5
0x0072adbd
0x0072adc5
0x0072adca
0x0072add2
0x0072addd
0x0072ade8
0x0072adf3
0x0072adfb
0x0072ae03
0x0072ae0b
0x0072ae13
0x0072ae1b
0x0072ae2e
0x0072ae35
0x0072ae40
0x0072ae52
0x0072aeeb
0x0072aef7
0x0072aefc
0x0072af03
0x0072af06
0x0072af0b
0x00000000
0x0072af0b
0x0072ae5e
0x0072aed7
0x0072aede
0x0072aebb
0x0072aebb
0x00000000
0x0072aebb
0x0072ae66
0x0072ae9a
0x0072aea3
0x0072aea5
0x0072aea9
0x0072aeab
0x0072b06d
0x0072b06d
0x00000000
0x0072b06d
0x0072aeb4
0x0072aeb9
0x0072aeb9
0x00000000
0x0072aeb9
0x0072ae6e
0x0072b082
0x0072b0ac
0x0072b0c8
0x00000000
0x0072b0d2
0x0072ae7a
0x0072b061
0x0072b061
0x0072b067
0x00000000
0x00000000
0x00000000
0x0072b067
0x0072ae83
0x0072ae8d
0x0072ae8d
0x0072af2e
0x0072af33
0x0072af49
0x0072af4c
0x0072af68
0x0072af78
0x0072af90
0x0072af95
0x0072afab
0x0072afae
0x0072afc7
0x0072afd7
0x0072afdc
0x0072b037
0x0072b037
0x0072b042
0x0072b04d
0x0072b052
0x0072b059
0x0072b05c
0x00000000

Strings

|, xrefs: 0072AB76
[m, xrefs: 0072A96B
nU<, xrefs: 0072AE0B
lHx6, xrefs: 0072AA45
{(, xrefs: 0072AD85
LRh , xrefs: 0072ACF3
84, xrefs: 0072ADE8
(, xrefs: 0072AAFB
26, xrefs: 0072AC6C
M, xrefs: 0072AD33
f, xrefs: 0072ABCA
O, xrefs: 0072AB0E
LD, xrefs: 0072A925
]p, xrefs: 0072AE1B
{, xrefs: 0072A91D
Wq, xrefs: 0072AAD0
!t, xrefs: 0072ACBB
r(, xrefs: 0072ACB0
w}, xrefs: 0072A8C4
', xrefs: 0072ABAD

Memory Dump Source

Source File: 00000001.00000002.282217417.0000000000710000.00000040.00020000.sdmp, Offset: 00710000, based on PE: true

Associated: 00000001.00000002.282272461.0000000000731000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: !t$'$26$84$LD$LRh $[m$]p$f$lHx6$nU<$r($w}${($|$($M$O${$Wq
API String ID: 0-99976484
Opcode ID: 1736145bc3ce2f589310e1b10bee00bd5bdd3265603db4c449d9a923c140fea8
Instruction ID: f1c3e2decff1858c9321406a1cd34870e24073965c5f8b61ba7c6b9a40402f3d
Opcode Fuzzy Hash: 1736145bc3ce2f589310e1b10bee00bd5bdd3265603db4c449d9a923c140fea8
Instruction Fuzzy Hash: 71220371508380DFE364CF25C58AA8BBBE2BBC4758F108A1DE5D9862A0D7B58949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 0072539F, Relevance: 24.3, Strings: 19, Instructions: 584
COMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E0072539F(intOrPtr __ecx, signed int __edx) {
				char _v524;
				char _v1044;
				char _v1564;
				intOrPtr _v1568;
				intOrPtr _v1572;
				char _v1576;
				intOrPtr _v1580;
				char _v1584;
				intOrPtr _v1588;
				signed int _v1592;
				signed int _v1596;
				signed int _v1600;
				signed int _v1604;
				signed int _v1608;
				signed int _v1612;
				signed int _v1616;
				signed int _v1620;
				signed int _v1624;
				signed int _v1628;
				signed int _v1632;
				signed int _v1636;
				signed int _v1640;
				signed int _v1644;
				signed int _v1648;
				signed int _v1652;
				signed int _v1656;
				signed int _v1660;
				signed int _v1664;
				signed int _v1668;
				signed int _v1672;
				signed int _v1676;
				signed int _v1680;
				signed int _v1684;
				signed int _v1688;
				signed int _v1692;
				signed int _v1696;
				signed int _v1700;
				signed int _v1704;
				signed int _v1708;
				signed int _v1712;
				signed int _v1716;
				signed int _v1720;
				signed int _v1724;
				signed int _v1728;
				signed int _v1732;
				signed int _v1736;
				signed int _v1740;
				signed int _v1744;
				signed int _v1748;
				signed int _v1752;
				signed int _v1756;
				signed int _v1760;
				signed int _v1764;
				signed int _v1768;
				signed int _v1772;
				signed int _v1776;
				signed int _v1780;
				signed int _v1784;
				signed int _v1788;
				signed int _v1792;
				signed int _v1796;
				signed int _v1800;
				signed int _v1804;
				signed int _v1808;
				signed int _v1812;
				signed int _v1816;
				signed int _v1820;
				signed int _v1824;
				signed int _v1828;
				signed int _v1832;
				unsigned int _v1836;
				signed int _t640;
				signed int _t644;
				void* _t645;
				signed int _t674;
				signed int _t680;
				signed int _t682;
				signed int _t683;
				signed int _t684;
				signed int _t685;
				signed int _t686;
				signed int _t687;
				signed int _t688;
				signed int _t689;
				signed int _t690;
				signed int _t691;
				signed int _t692;
				signed int _t693;
				signed int _t694;
				signed int _t695;
				signed int _t696;
				signed int _t697;
				signed int _t698;
				signed int _t699;
				signed int _t700;
				void* _t701;
				signed int _t757;
				signed int _t758;
				signed int _t759;
				signed int _t760;
				signed int _t764;
				unsigned int* _t765;
				void* _t770;

				_t765 =  &_v1836;
				_v1640 = 0x9ed1;
				_v1640 = _v1640 << 4;
				_v1640 = _v1640 ^ 0x0009ed39;
				_v1828 = 0x4475;
				_v1592 = __edx;
				_t759 = 0x270f492f;
				_v1588 = __ecx;
				_t682 = 0xa;
				_v1828 = _v1828 / _t682;
				_v1828 = _v1828 | 0x664197f3;
				_v1828 = _v1828 + 0xffff9f12;
				_v1828 = _v1828 ^ 0x6641015a;
				_v1796 = 0x90c2;
				_v1796 = _v1796 >> 0xa;
				_v1796 = _v1796 | 0x8e9a31fe;
				_v1796 = _v1796 + 0xffff1c7e;
				_v1796 = _v1796 ^ 0x8e991a8d;
				_v1656 = 0x921a;
				_t683 = 0x21;
				_v1656 = _v1656 / _t683;
				_v1656 = _v1656 ^ 0x00002ae4;
				_v1704 = 0x70dd;
				_v1704 = _v1704 ^ 0xefb8cf03;
				_v1704 = _v1704 + 0xecc8;
				_v1704 = _v1704 ^ 0xefb9df7a;
				_v1648 = 0x63fc;
				_t684 = 9;
				_v1648 = _v1648 / _t684;
				_v1648 = _v1648 ^ 0x00000390;
				_v1688 = 0x5306;
				_v1688 = _v1688 + 0x4f;
				_t757 = 0x49;
				_v1688 = _v1688 / _t757;
				_v1688 = _v1688 ^ 0x000046db;
				_v1696 = 0xde59;
				_v1696 = _v1696 + 0x5e7b;
				_v1696 = _v1696 << 8;
				_v1696 = _v1696 ^ 0x013cb205;
				_v1768 = 0xb21e;
				_t685 = 0x28;
				_v1768 = _v1768 / _t685;
				_v1768 = _v1768 >> 2;
				_v1768 = _v1768 >> 6;
				_v1768 = _v1768 ^ 0x00007e99;
				_v1836 = 0x681b;
				_v1836 = _v1836 | 0x868276cf;
				_v1836 = _v1836 << 5;
				_v1836 = _v1836 >> 0xd;
				_v1836 = _v1836 ^ 0x00069237;
				_v1780 = 0x55b6;
				_v1780 = _v1780 | 0x3a86f450;
				_t686 = 0x37;
				_v1780 = _v1780 / _t686;
				_t687 = 0x5c;
				_v1780 = _v1780 / _t687;
				_v1780 = _v1780 ^ 0x00028002;
				_v1736 = 0xdebb;
				_v1736 = _v1736 << 0xa;
				_t688 = 0xc;
				_v1736 = _v1736 * 0x43;
				_v1736 = _v1736 ^ 0xe92bb4ad;
				_v1744 = 0x28cf;
				_v1744 = _v1744 | 0x522daf15;
				_v1744 = _v1744 / _t688;
				_v1744 = _v1744 ^ 0x06d914f4;
				_v1832 = 0x5722;
				_t689 = 0x60;
				_v1832 = _v1832 / _t689;
				_v1832 = _v1832 << 2;
				_v1832 = _v1832 + 0xffff27bd;
				_v1832 = _v1832 ^ 0xffff1d44;
				_v1752 = 0x1265;
				_t690 = 0x5f;
				_v1752 = _v1752 / _t690;
				_v1752 = _v1752 << 1;
				_v1752 = _v1752 ^ 0x00001c18;
				_v1792 = 0xd1ac;
				_v1792 = _v1792 | 0xf4f7bd6b;
				_t691 = 0x14;
				_v1792 = _v1792 / _t691;
				_v1792 = _v1792 ^ 0x0c3fe825;
				_v1800 = 0x8db3;
				_v1800 = _v1800 + 0xffff68c6;
				_v1800 = _v1800 + 0x1926;
				_v1800 = _v1800 + 0xf67b;
				_v1800 = _v1800 ^ 0x00012b40;
				_v1808 = 0xed7e;
				_t692 = 0x70;
				_v1808 = _v1808 / _t692;
				_v1808 = _v1808 << 1;
				_v1808 = _v1808 ^ 0x8cf05c2a;
				_v1808 = _v1808 ^ 0x8cf05f6a;
				_v1816 = 0xcf42;
				_v1816 = _v1816 | 0xec69bd89;
				_v1816 = _v1816 ^ 0xec81a445;
				_v1816 = _v1816 * 0x70;
				_v1816 = _v1816 ^ 0x65a86482;
				_v1604 = 0xef91;
				_v1604 = _v1604 >> 5;
				_v1604 = _v1604 ^ 0x00004430;
				_v1756 = 0xf464;
				_v1756 = _v1756 | 0x9e0683bc;
				_v1756 = _v1756 >> 9;
				_v1756 = _v1756 ^ 0x004f036f;
				_v1824 = 0x7495;
				_v1824 = _v1824 << 0xb;
				_v1824 = _v1824 * 0x41;
				_t693 = 0x2e;
				_v1824 = _v1824 * 0x64;
				_v1824 = _v1824 ^ 0x80b9cb3f;
				_v1664 = 0x566f;
				_v1664 = _v1664 + 0xffff6a64;
				_v1664 = _v1664 ^ 0xffffdf01;
				_v1672 = 0xe5e0;
				_v1672 = _v1672 + 0xffff19f8;
				_v1672 = _v1672 ^ 0xffffca67;
				_v1720 = 0xa118;
				_v1720 = _v1720 | 0xc1e2d537;
				_v1720 = _v1720 + 0xfffffe5a;
				_v1720 = _v1720 ^ 0xc1e29751;
				_v1748 = 0xa5d3;
				_v1748 = _v1748 + 0xffffc3f2;
				_v1748 = _v1748 + 0xeb01;
				_v1748 = _v1748 ^ 0x0001636e;
				_v1728 = 0xb3a4;
				_v1728 = _v1728 + 0xffff6085;
				_v1728 = _v1728 / _t693;
				_v1728 = _v1728 ^ 0x00003051;
				_v1764 = 0xe0c8;
				_t694 = 0x75;
				_v1764 = _v1764 / _t694;
				_v1764 = _v1764 + 0x780e;
				_t695 = 0x6b;
				_v1764 = _v1764 / _t695;
				_v1764 = _v1764 ^ 0x00003502;
				_v1608 = 0xc148;
				_t696 = 0xb;
				_v1608 = _v1608 / _t696;
				_v1608 = _v1608 ^ 0x000043bf;
				_v1600 = 0x4c2f;
				_v1600 = _v1600 >> 7;
				_v1600 = _v1600 ^ 0x00001f0b;
				_v1644 = 0xc9d8;
				_v1644 = _v1644 >> 0xb;
				_v1644 = _v1644 ^ 0x00002399;
				_v1612 = 0x99ab;
				_t697 = 7;
				_v1612 = _v1612 / _t697;
				_v1612 = _v1612 ^ 0x00001df9;
				_v1732 = 0x6def;
				_v1732 = _v1732 >> 7;
				_v1732 = _v1732 ^ 0x00004878;
				_v1616 = 0x2b7d;
				_v1616 = _v1616 ^ 0xf0a9b86c;
				_v1616 = _v1616 ^ 0xf0a9e0bd;
				_v1636 = 0x3ef5;
				_v1636 = _v1636 ^ 0x3d1afa43;
				_v1636 = _v1636 ^ 0x3d1aa6d2;
				_v1692 = 0x8d02;
				_v1692 = _v1692 + 0xde26;
				_t698 = 0x6d;
				_v1692 = _v1692 / _t698;
				_v1692 = _v1692 ^ 0x000075dc;
				_v1820 = 0xf0ca;
				_v1820 = _v1820 + 0xffffea39;
				_v1820 = _v1820 + 0xf2e4;
				_v1820 = _v1820 | 0xcde1ca17;
				_v1820 = _v1820 ^ 0xcde1c2f6;
				_v1772 = 0xcdf;
				_v1772 = _v1772 + 0xffffac41;
				_v1772 = _v1772 >> 1;
				_v1772 = _v1772 + 0x1d08;
				_v1772 = _v1772 ^ 0x7fff804a;
				_v1812 = 0x29e0;
				_v1812 = _v1812 + 0x4298;
				_v1812 = _v1812 ^ 0xcc69229e;
				_v1812 = _v1812 << 4;
				_v1812 = _v1812 ^ 0xc694cccf;
				_v1724 = 0x65cc;
				_v1724 = _v1724 ^ 0xea2d0893;
				_v1724 = _v1724 >> 8;
				_v1724 = _v1724 ^ 0x00ea5362;
				_v1788 = 0x5558;
				_v1788 = _v1788 | 0xfcdfdffd;
				_v1788 = _v1788 + 0xffff6daa;
				_v1788 = _v1788 ^ 0xfcdf7cee;
				_v1716 = 0xe9b8;
				_v1716 = _v1716 + 0xffff349c;
				_v1716 = _v1716 >> 8;
				_v1716 = _v1716 ^ 0x00003491;
				_v1700 = 0xa160;
				_v1700 = _v1700 >> 7;
				_v1700 = _v1700 | 0x7f727545;
				_v1700 = _v1700 ^ 0x7f720e1b;
				_v1804 = 0x1967;
				_v1804 = _v1804 + 0x7129;
				_v1804 = _v1804 << 7;
				_v1804 = _v1804 ^ 0xe14ed8e7;
				_v1804 = _v1804 ^ 0xe10ba7f5;
				_v1628 = 0x3ca3;
				_v1628 = _v1628 * 0x7e;
				_v1628 = _v1628 ^ 0x001dfd2f;
				_v1652 = 0xd82d;
				_v1652 = _v1652 + 0xffff947b;
				_v1652 = _v1652 ^ 0x00000d4e;
				_v1708 = 0xd600;
				_v1708 = _v1708 + 0xb427;
				_v1708 = _v1708 + 0xffff57a7;
				_v1708 = _v1708 ^ 0x0000d9d1;
				_v1676 = 0x42ee;
				_v1676 = _v1676 >> 7;
				_v1676 = _v1676 ^ 0x00003a8b;
				_v1660 = 0x9956;
				_v1660 = _v1660 >> 5;
				_v1660 = _v1660 ^ 0x00007e24;
				_v1740 = 0x8ca6;
				_v1740 = _v1740 << 3;
				_v1740 = _v1740 + 0xfffff96e;
				_v1740 = _v1740 ^ 0x0004389c;
				_v1596 = 0x9f9;
				_v1596 = _v1596 + 0x52b8;
				_v1596 = _v1596 ^ 0x00006fba;
				_v1668 = 0xf3f1;
				_v1668 = _v1668 >> 3;
				_v1668 = _v1668 ^ 0x00003c73;
				_v1684 = 0x7fe3;
				_v1684 = _v1684 >> 5;
				_v1684 = _v1684 | 0x5488c9ea;
				_v1684 = _v1684 ^ 0x54889371;
				_v1776 = 0x4bf4;
				_v1776 = _v1776 / _t757;
				_v1776 = _v1776 >> 0xd;
				_v1776 = _v1776 + 0xffff7fa4;
				_v1776 = _v1776 ^ 0xffff3292;
				_v1784 = 0x3382;
				_v1784 = _v1784 * 0xb;
				_t699 = 0x30;
				_v1784 = _v1784 / _t699;
				_v1784 = _v1784 + 0xffffabca;
				_v1784 = _v1784 ^ 0xffffcf0e;
				_v1712 = 0x870e;
				_v1712 = _v1712 + 0xffff5ffb;
				_v1712 = _v1712 | 0xdd5f6132;
				_v1712 = _v1712 ^ 0xffffafe6;
				_v1624 = 0x68da;
				_v1624 = _v1624 + 0xffffec61;
				_v1624 = _v1624 ^ 0x00000005;
				_v1760 = 0x29b3;
				_t640 = _v1760;
				_t700 = 0x46;
				_t752 = _t640 % _t700;
				_v1760 = _t640 / _t700;
				_v1760 = _v1760 + 0x8bb3;
				_v1760 = _v1760 >> 8;
				_v1760 = _v1760 ^ 0x00006bff;
				_v1632 = 0x9ea1;
				_v1632 = _v1632 | 0x9159fffd;
				_v1632 = _v1632 ^ 0x91598ff5;
				_v1680 = 0x593f;
				_v1680 = _v1680 + 0xffff5c1c;
				_v1680 = _v1680 >> 0xf;
				_v1680 = _v1680 ^ 0x00019d52;
				_v1620 = 0x376b;
				_v1620 = _v1620 << 7;
				_v1620 = _v1620 ^ 0x000bb580;
				_t644 = E00711D81();
				_t758 = _v1592;
				_t764 = _t644;
				_t680 = _v1592;
				while(1) {
					L1:
					_t645 = 0xbb652cf;
					do {
						while(1) {
							L2:
							_t770 = _t759 - 0x210d0174;
							if(_t770 > 0) {
								break;
							}
							if(_t770 == 0) {
								_v1572 = E007118FE();
								_v1568 = 2 + E0072D52C(_v1736, _v1744, _v1832, _t659, _v1752) * 2;
								_t700 = _t764;
								_t752 = _v1792;
								E007120D7(_t700, _v1792,  &_v1576, _v1620, _v1800, _v1808, _v1736, _v1736, _t764, _v1816, _v1604, _t764, _v1756, _v1824);
								_t765 =  &(_t765[0xf]);
								asm("sbb esi, esi");
								_t760 = _t759 & 0x05909a0f;
								__eflags = _t760;
								L16:
								_t759 = _t760 + 0x2d803f1a;
								while(1) {
									L1:
									_t645 = 0xbb652cf;
									goto L2;
								}
							}
							if(_t759 == 0xa9c154a) {
								_push(_v1628);
								_push(0);
								_push(_t700);
								_push(_v1804);
								_t700 = 0;
								_push(_v1700);
								_t752 = _v1716;
								_push( &_v1564);
								_push(1);
								E0072B0D5(0, _v1716, __eflags);
								_t765 =  &(_t765[7]);
								_t759 = 0x1cb2b1be;
								while(1) {
									L1:
									_t645 = 0xbb652cf;
									goto L2;
								}
							}
							if(_t759 == _t645) {
								_push(_v1732);
								_push(_v1612);
								_push(_v1644);
								E0072BD2C(_t680, __eflags, E0071B871(0x71111c, _v1600, __eflags), _v1636,  &_v524,  &_v1564, _v1692,  &_v1044, 0x104, _v1820);
								_t752 = _v1812;
								_t700 = _v1772;
								E0071717B(_t700, _v1812, _v1724, _t667, _v1788);
								_t765 =  &(_t765[0xe]);
								_t759 = 0xa9c154a;
								while(1) {
									L1:
									_t645 = 0xbb652cf;
									goto L2;
								}
							}
							if(_t759 == 0x1ae17071) {
								 *((intOrPtr*)(_t758 + 0x34)) = _v1588;
								_t674 =  *0x73140c; // 0x0
								 *(_t758 + 0x2c) = _t674;
								 *0x73140c = _t758;
								return _t674;
							}
							if(_t759 == 0x1cb2b1be) {
								_t752 = _v1708;
								_t700 = _v1652;
								E007133F4(_t700, _v1708, _v1676, _v1660, _t680);
								_t765 =  &(_t765[3]);
								_t759 = 0x1d6c6a37;
								while(1) {
									L1:
									_t645 = 0xbb652cf;
									goto L2;
								}
							}
							if(_t759 == 0x1d6c6a37) {
								_t752 = _v1596;
								_t700 = _v1740;
								E007133F4(_t700, _v1596, _v1668, _v1684, _v1584);
								_t765 =  &(_t765[3]);
								_t759 = 0x30e47afb;
								while(1) {
									L1:
									_t645 = 0xbb652cf;
									goto L2;
								}
							}
							if(_t759 != 0x2108acc9) {
								goto L28;
							}
							_t752 = _v1728;
							_t700 = _v1748;
							_t680 = E0071F249(_v1728, _v1764, _v1580, _v1608, _v1584);
							_t765 =  &(_t765[4]);
							_t645 = 0xbb652cf;
							_t759 =  !=  ? 0xbb652cf : 0x1d6c6a37;
						}
						__eflags = _t759 - 0x270f492f;
						if(_t759 == 0x270f492f) {
							_t701 = 0x3c;
							_t758 = E0071A0AD(_t701, _t752);
							_t700 = _t700;
							__eflags = _t758;
							if(_t758 == 0) {
								_t759 = 0x1abcf402;
								_t645 = 0xbb652cf;
								goto L28;
							}
							_t752 = _v1640;
							E0072BA7B(_v1640, _t700, _v1648, _v1688, _t700,  &_v524, _v1696, _v1768);
							_t765 =  &(_t765[7]);
							_t759 = 0x2e2ba405;
							while(1) {
								L1:
								_t645 = 0xbb652cf;
								goto L2;
							}
						}
						__eflags = _t759 - 0x2d803f1a;
						if(_t759 == 0x2d803f1a) {
							return E007133F4(_v1624, _v1760, _v1632, _v1680, _t758);
						}
						__eflags = _t759 - 0x2e2ba405;
						if(_t759 == 0x2e2ba405) {
							_t752 = _v1592;
							E007184D8(_v1588, _v1592, 0x7110bc,  &_v1044);
							asm("sbb esi, esi");
							_pop(_t700);
							_t760 = _t759 & 0xf38cc25a;
							goto L16;
						}
						__eflags = _t759 - 0x30e47afb;
						if(_t759 == 0x30e47afb) {
							_t752 = _v1784;
							E0071ADFC(_v1776, _v1784, _v1576, _v1712);
							_pop(_t700);
							_t759 = 0x1ae17071;
							while(1) {
								L1:
								_t645 = 0xbb652cf;
								goto L2;
							}
						}
						__eflags = _t759 - 0x3310d929;
						if(_t759 != 0x3310d929) {
							goto L28;
						}
						_t752 =  &_v1576;
						_t570 =  &_v1664; // 0xd4e
						_t700 =  *_t570;
						E0072BF69( &_v1576, _v1672, _v1720,  &_v1584);
						_t765 =  &(_t765[3]);
						asm("sbb esi, esi");
						_t759 = (_t759 & 0xf02431ce) + 0x30e47afb;
						goto L1;
						L28:
						__eflags = _t759 - 0x1abcf402;
					} while (__eflags != 0);
					return _t645;
				}
			}

0x0072539f
0x007253a5
0x007253b0
0x007253b8
0x007253c3
0x007253d3
0x007253da
0x007253e3
0x007253ea
0x007253ef
0x007253f5
0x007253fd
0x00725405
0x0072540d
0x00725415
0x0072541a
0x00725422
0x0072542a
0x00725432
0x00725444
0x00725449
0x00725452
0x0072545d
0x00725468
0x00725473
0x0072547e
0x00725489
0x0072549b
0x007254a0
0x007254a9
0x007254b4
0x007254bf
0x007254ce
0x007254d3
0x007254dc
0x007254e7
0x007254f2
0x007254fd
0x00725505
0x00725510
0x0072551c
0x00725521
0x00725527
0x0072552c
0x00725531
0x00725539
0x00725541
0x00725549
0x0072554e
0x00725553
0x0072555b
0x00725563
0x0072556f
0x00725572
0x0072557e
0x00725583
0x00725589
0x00725591
0x00725599
0x007255a3
0x007255a6
0x007255aa
0x007255b2
0x007255ba
0x007255ca
0x007255ce
0x007255d6
0x007255e2
0x007255e7
0x007255ed
0x007255f2
0x007255fa
0x00725602
0x0072560e
0x00725613
0x00725619
0x0072561d
0x00725625
0x0072562d
0x00725639
0x0072563e
0x00725644
0x0072564c
0x00725654
0x0072565c
0x00725664
0x0072566c
0x00725674
0x00725680
0x00725683
0x00725687
0x0072568b
0x00725693
0x0072569b
0x007256a3
0x007256ab
0x007256b8
0x007256bc
0x007256c4
0x007256cf
0x007256d7
0x007256e2
0x007256ea
0x007256f2
0x007256f7
0x007256ff
0x00725707
0x00725711
0x0072571e
0x00725721
0x00725725
0x0072572d
0x00725738
0x00725743
0x0072574e
0x00725759
0x00725764
0x0072576f
0x0072577a
0x00725785
0x00725790
0x0072579b
0x007257a3
0x007257ab
0x007257b3
0x007257bb
0x007257c6
0x007257dc
0x007257e3
0x007257ee
0x007257fa
0x007257ff
0x00725805
0x00725811
0x00725816
0x0072581c
0x00725824
0x00725836
0x0072583b
0x00725844
0x0072584f
0x0072585a
0x00725862
0x0072586d
0x00725878
0x00725880
0x0072588b
0x0072589d
0x007258a2
0x007258ab
0x007258b6
0x007258c6
0x007258cb
0x007258d3
0x007258de
0x007258e9
0x007258f4
0x007258ff
0x0072590a
0x00725915
0x00725920
0x00725932
0x00725935
0x0072593e
0x00725949
0x00725951
0x00725959
0x00725961
0x00725969
0x00725971
0x00725979
0x00725981
0x00725985
0x0072598d
0x00725995
0x0072599d
0x007259a5
0x007259ad
0x007259b2
0x007259ba
0x007259c5
0x007259d0
0x007259d8
0x007259e3
0x007259eb
0x007259f3
0x007259fb
0x00725a03
0x00725a0e
0x00725a19
0x00725a21
0x00725a2c
0x00725a37
0x00725a3f
0x00725a4a
0x00725a55
0x00725a5d
0x00725a65
0x00725a6a
0x00725a72
0x00725a7a
0x00725a8d
0x00725a94
0x00725a9f
0x00725aaa
0x00725ab5
0x00725ac0
0x00725acb
0x00725ad6
0x00725ae1
0x00725aec
0x00725af7
0x00725aff
0x00725b0a
0x00725b15
0x00725b1d
0x00725b28
0x00725b30
0x00725b35
0x00725b3d
0x00725b45
0x00725b50
0x00725b5b
0x00725b66
0x00725b71
0x00725b79
0x00725b84
0x00725b8f
0x00725b97
0x00725ba2
0x00725bad
0x00725bbb
0x00725bbf
0x00725bc4
0x00725bcc
0x00725bd4
0x00725be1
0x00725bed
0x00725bf2
0x00725bf8
0x00725c00
0x00725c08
0x00725c13
0x00725c1e
0x00725c29
0x00725c34
0x00725c3f
0x00725c4a
0x00725c52
0x00725c5a
0x00725c5e
0x00725c5f
0x00725c61
0x00725c65
0x00725c6d
0x00725c72
0x00725c7a
0x00725c85
0x00725c90
0x00725c9b
0x00725ca6
0x00725cb1
0x00725cb9
0x00725cc4
0x00725ccf
0x00725cd7
0x00725cea
0x00725cef
0x00725cf6
0x00725cf8
0x00725cff
0x00725cff
0x00725cff
0x00725d04
0x00725d04
0x00725d04
0x00725d04
0x00725d0a
0x00000000
0x00000000
0x00725d10
0x00725ed0
0x00725efa
0x00725f1f
0x00725f2c
0x00725f31
0x00725f36
0x00725f3b
0x00725f3d
0x00725f3d
0x00725f43
0x00725f43
0x00725cff
0x00725cff
0x00725cff
0x00000000
0x00725cff
0x00725cff
0x00725d1c
0x00725e85
0x00725e93
0x00725e95
0x00725e96
0x00725e9a
0x00725e9c
0x00725ea3
0x00725eaa
0x00725eab
0x00725ead
0x00725eb2
0x00725eb5
0x00725cff
0x00725cff
0x00725cff
0x00000000
0x00725cff
0x00725cff
0x00725d24
0x00725df9
0x00725e02
0x00725e09
0x00725e5a
0x00725e6b
0x00725e6f
0x00725e73
0x00725e78
0x00725e7b
0x00725cff
0x00725cff
0x00725cff
0x00000000
0x00725cff
0x00725cff
0x00725d30
0x00726094
0x00726097
0x0072609c
0x0072609f
0x00000000
0x0072609f
0x00725d3c
0x00725dd9
0x00725de0
0x00725de7
0x00725dec
0x00725def
0x00725cff
0x00725cff
0x00725cff
0x00000000
0x00725cff
0x00725cff
0x00725d48
0x00725dad
0x00725db4
0x00725db8
0x00725dbd
0x00725dc0
0x00725cff
0x00725cff
0x00725cff
0x00000000
0x00725cff
0x00725cff
0x00725d50
0x00000000
0x00000000
0x00725d6f
0x00725d76
0x00725d7f
0x00725d81
0x00725d8b
0x00725d90
0x00725d90
0x00725f4e
0x00725f54
0x0072602c
0x00726032
0x00726034
0x00726035
0x00726037
0x00726075
0x0072607a
0x00000000
0x0072607a
0x0072605b
0x00726063
0x00726068
0x0072606b
0x00725cff
0x00725cff
0x00725cff
0x00000000
0x00725cff
0x00725cff
0x00725f5a
0x00725f60
0x00000000
0x007260c6
0x00725f66
0x00725f6c
0x00725fea
0x00726005
0x0072600d
0x0072600f
0x00726010
0x00000000
0x00726010
0x00725f6e
0x00725f74
0x00725fca
0x00725fd9
0x00725fdf
0x00725fe0
0x00725cff
0x00725cff
0x00725cff
0x00000000
0x00725cff
0x00725cff
0x00725f76
0x00725f7c
0x00000000
0x00000000
0x00725f91
0x00725f9f
0x00725f9f
0x00725fa6
0x00725fab
0x00725fb0
0x00725fb8
0x00000000
0x0072607f
0x0072607f
0x0072607f
0x00000000
0x00725d04

Strings

XU, xrefs: 007259E3
B, xrefs: 00725AEC
k7, xrefs: 00725CC4
)q, xrefs: 00725A5D
uD, xrefs: 007253C3
O, xrefs: 007254BF
0D, xrefs: 007256D7
?Y, xrefs: 00725C9B
"W, xrefs: 007255D6
s<, xrefs: 00725B79
9$~, xrefs: 00726022
{^, xrefs: 007254F2
}+, xrefs: 007258D3
$~, xrefs: 00725B1D
), xrefs: 00725995
N9$~, xrefs: 00725F9F
/L, xrefs: 0072584F
xH, xrefs: 007258CB
bS, xrefs: 007259D8

Memory Dump Source

Source File: 00000001.00000002.282217417.0000000000710000.00000040.00020000.sdmp, Offset: 00710000, based on PE: true

Associated: 00000001.00000002.282272461.0000000000731000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: "W$$~$)q$/L$0D$9$~$?Y$N9$~$O$XU$bS$k7$s<$uD$xH${^$}+$)$B
API String ID: 0-754033634
Opcode ID: 705bbec890b657b35265de41c540761303ae16595554bf507bd9ae1b75ef8673
Instruction ID: d2ecd23b659dde25f424706621f09b20be13d90d63ca5767a88ac38c66e9efac
Opcode Fuzzy Hash: 705bbec890b657b35265de41c540761303ae16595554bf507bd9ae1b75ef8673
Instruction Fuzzy Hash: 3262F3715087819FE378CF25C84AB9BBBE1BBC4304F10891DE5D9962A0DBB99949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 00722CE3, Relevance: 21.8, Strings: 17, Instructions: 525
COMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E00722CE3(void* __edx, intOrPtr* _a4, intOrPtr _a8) {
				intOrPtr _v4;
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v20;
				char _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				signed int _v184;
				signed int _v188;
				signed int _v192;
				signed int _v196;
				signed int _v200;
				signed int _v204;
				signed int _v208;
				signed int _v212;
				signed int _v216;
				unsigned int _v220;
				signed int _v224;
				signed int _v228;
				signed int _v232;
				signed int _v236;
				void* __ecx;
				void* _t512;
				signed int _t569;
				intOrPtr _t570;
				intOrPtr _t571;
				signed int _t573;
				intOrPtr _t578;
				void* _t580;
				intOrPtr _t587;
				intOrPtr _t589;
				signed int _t590;
				intOrPtr _t591;
				signed int _t595;
				intOrPtr _t600;
				intOrPtr* _t602;
				signed int _t604;
				signed int _t605;
				signed int _t606;
				signed int _t607;
				signed int _t608;
				signed int _t609;
				signed int _t610;
				signed int _t611;
				signed int _t612;
				signed int _t613;
				signed int _t614;
				signed int _t615;
				signed int _t616;
				signed int _t617;
				signed int _t618;
				signed int _t619;
				signed int _t620;
				intOrPtr _t621;
				void* _t623;
				intOrPtr _t624;
				intOrPtr _t626;
				intOrPtr _t668;
				void* _t670;
				signed int* _t685;
				void* _t690;

				_t602 = _a4;
				_push(_a8);
				_push(_t602);
				_push(__edx);
				E00727B8C(_t512);
				_v16 = 0x5ee29f;
				_t668 = 0;
				_v12 = 0x3cbc62;
				_t685 =  &(( &_v236)[4]);
				_v8 = 0x45a058;
				_v4 = 0;
				_t670 = 0x362f6652;
				_v76 = 0xe2db;
				_t604 = 0x32;
				_v76 = _v76 * 0x7c;
				_v76 = _v76 ^ 0x006d841a;
				_v212 = 0x6eb3;
				_v212 = _v212 / _t604;
				_v212 = _v212 << 0xf;
				_v212 = _v212 + 0xffff4a42;
				_v212 = _v212 ^ 0x011aca46;
				_v72 = 0xa0d9;
				_v72 = _v72 + 0x9429;
				_v72 = _v72 ^ 0x0001b502;
				_v44 = 0x36a8;
				_v44 = _v44 + 0xffffd0ae;
				_v44 = _v44 ^ 0x00000757;
				_v96 = 0x32c6;
				_v96 = _v96 + 0xffffcd0a;
				_v96 = _v96 ^ 0xffffff90;
				_v112 = 0x9784;
				_v112 = _v112 + 0xffff4573;
				_v112 = _v112 + 0x74ab;
				_v112 = _v112 ^ 0xf00051a2;
				_v92 = 0xdb6d;
				_v92 = _v92 << 8;
				_v92 = _v92 ^ 0x00db1e42;
				_v232 = 0x7e9e;
				_t605 = 0x7e;
				_v232 = _v232 / _t605;
				_v232 = _v232 << 2;
				_v232 = _v232 + 0xffff3a93;
				_v232 = _v232 ^ 0xffff0163;
				_v168 = 0xf2c3;
				_v168 = _v168 | 0xd6db62be;
				_v168 = _v168 + 0xffff6f22;
				_t606 = 0x3d;
				_v168 = _v168 * 0x65;
				_v168 = _v168 ^ 0xc48de5b0;
				_v40 = 0x2075;
				_v40 = _v40 / _t606;
				_v40 = _v40 ^ 0x000006c0;
				_v176 = 0xf598;
				_t607 = 0x38;
				_v176 = _v176 / _t607;
				_v176 = _v176 + 0xffffb66b;
				_v176 = _v176 << 0xe;
				_v176 = _v176 ^ 0xeeb32d0c;
				_v100 = 0x5dd7;
				_v100 = _v100 ^ 0x12253627;
				_v100 = _v100 >> 4;
				_v100 = _v100 ^ 0x012243c1;
				_v196 = 0x45aa;
				_v196 = _v196 << 9;
				_v196 = _v196 << 0xc;
				_v196 = _v196 + 0xffff6c26;
				_v196 = _v196 ^ 0xb53f7e8b;
				_v28 = 0x6599;
				_v28 = _v28 << 0xd;
				_v28 = _v28 ^ 0x0cb330d8;
				_v152 = 0xe16d;
				_v152 = _v152 ^ 0xb9b23617;
				_t608 = 0x61;
				_v152 = _v152 / _t608;
				_v152 = _v152 ^ 0x01ea6276;
				_v128 = 0x762b;
				_v128 = _v128 + 0xa127;
				_v128 = _v128 + 0x7c7d;
				_v128 = _v128 ^ 0x0001917e;
				_v156 = 0x619c;
				_t609 = 0x46;
				_v156 = _v156 * 0x61;
				_v156 = _v156 + 0x6fe8;
				_v156 = _v156 ^ 0x00251fee;
				_v228 = 0x5afb;
				_v228 = _v228 + 0xffff4790;
				_v228 = _v228 ^ 0x9145963b;
				_v228 = _v228 / _t609;
				_v228 = _v228 ^ 0x0194c371;
				_v52 = 0x390e;
				_v52 = _v52 ^ 0x5b9c2b98;
				_v52 = _v52 ^ 0x5b9c4ce1;
				_v172 = 0x4548;
				_v172 = _v172 >> 0xb;
				_t610 = 0x17;
				_v172 = _v172 * 5;
				_v172 = _v172 ^ 0x0def0e77;
				_v172 = _v172 ^ 0x0def4e18;
				_v84 = 0xb33d;
				_v84 = _v84 ^ 0xe440f93d;
				_v84 = _v84 ^ 0xe4406dc7;
				_v116 = 0xf8a5;
				_v116 = _v116 + 0x9254;
				_v116 = _v116 * 0x13;
				_v116 = _v116 ^ 0x001d2a0c;
				_v124 = 0x4054;
				_v124 = _v124 | 0xded7cd5a;
				_v124 = _v124 * 0x75;
				_v124 = _v124 ^ 0xd8a0c3d2;
				_v200 = 0x4ac3;
				_v200 = _v200 + 0xffff8054;
				_v200 = _v200 + 0xffffeff3;
				_v200 = _v200 + 0xfad9;
				_v200 = _v200 ^ 0x00009635;
				_v132 = 0xefbf;
				_v132 = _v132 / _t610;
				_t611 = 0x1c;
				_v132 = _v132 / _t611;
				_v132 = _v132 ^ 0x00007b9a;
				_v216 = 0x9862;
				_v216 = _v216 + 0xcd8c;
				_t612 = 0x59;
				_v216 = _v216 * 0x6b;
				_v216 = _v216 >> 0xe;
				_v216 = _v216 ^ 0x00007580;
				_v224 = 0x7679;
				_v224 = _v224 | 0x1de9301d;
				_v224 = _v224 / _t612;
				_v224 = _v224 | 0x1a292d9a;
				_v224 = _v224 ^ 0x1a7f2191;
				_v164 = 0xaea;
				_v164 = _v164 >> 0xc;
				_t613 = 0x25;
				_v164 = _v164 / _t613;
				_v164 = _v164 ^ 0x00001e34;
				_v88 = 0x21c7;
				_v88 = _v88 >> 4;
				_v88 = _v88 ^ 0x00002372;
				_v160 = 0xf733;
				_v160 = _v160 >> 2;
				_v160 = _v160 | 0xe557628e;
				_v160 = _v160 ^ 0xe557290b;
				_v80 = 0x201;
				_v80 = _v80 << 0xf;
				_v80 = _v80 ^ 0x0100c247;
				_v140 = 0xd69e;
				_v140 = _v140 >> 0xb;
				_v140 = _v140 << 9;
				_v140 = _v140 ^ 0x0000101c;
				_v148 = 0x16c0;
				_v148 = _v148 + 0xffff6d7b;
				_v148 = _v148 + 0xffffaffc;
				_v148 = _v148 ^ 0xffff4fe4;
				_v184 = 0x8d1a;
				_v184 = _v184 + 0x4516;
				_v184 = _v184 + 0xa617;
				_v184 = _v184 ^ 0x7b88f180;
				_v184 = _v184 ^ 0x7b89ad1c;
				_v48 = 0xfae0;
				_t614 = 0x3c;
				_v48 = _v48 * 0x4c;
				_v48 = _v48 ^ 0x004a6468;
				_v108 = 0xa52f;
				_v108 = _v108 + 0xffffc18c;
				_v108 = _v108 << 9;
				_v108 = _v108 ^ 0x00cd3cf9;
				_v56 = 0x1aa4;
				_v56 = _v56 * 0x2f;
				_v56 = _v56 ^ 0x000483de;
				_v60 = 0xcbbf;
				_v60 = _v60 << 4;
				_v60 = _v60 ^ 0x000cd020;
				_v32 = 0xd987;
				_v32 = _v32 / _t614;
				_v32 = _v32 ^ 0x00002152;
				_v68 = 0x4c5a;
				_v68 = _v68 << 4;
				_v68 = _v68 ^ 0x0004a014;
				_v144 = 0xeb70;
				_v144 = _v144 + 0xffffaba9;
				_v144 = _v144 * 0x7e;
				_v144 = _v144 ^ 0x004a6848;
				_v236 = 0x2cd5;
				_v236 = _v236 + 0xa079;
				_v236 = _v236 ^ 0x1ff9cd14;
				_v236 = _v236 | 0x581cc9a3;
				_v236 = _v236 ^ 0x5ffdee5c;
				_v204 = 0x406;
				_v204 = _v204 >> 0xd;
				_t615 = 0x1d;
				_v204 = _v204 * 0x1e;
				_v204 = _v204 / _t615;
				_v204 = _v204 ^ 0x0000165c;
				_v104 = 0x6364;
				_v104 = _v104 >> 4;
				_v104 = _v104 + 0xffffdeba;
				_v104 = _v104 ^ 0xffffa095;
				_v36 = 0x9412;
				_v36 = _v36 ^ 0x8477f2e6;
				_v36 = _v36 ^ 0x84776b75;
				_v188 = 0xad73;
				_v188 = _v188 + 0xffffc193;
				_v188 = _v188 + 0x2da0;
				_v188 = _v188 << 1;
				_v188 = _v188 ^ 0x00010764;
				_v136 = 0xcf63;
				_v136 = _v136 << 9;
				_v136 = _v136 + 0x584d;
				_v136 = _v136 ^ 0x019f5af5;
				_v120 = 0xa224;
				_v120 = _v120 | 0x0ae654b5;
				_v120 = _v120 ^ 0xe905d59f;
				_v120 = _v120 ^ 0xe3e3047c;
				_v180 = 0x9c23;
				_t616 = 0x57;
				_v180 = _v180 / _t616;
				_v180 = _v180 + 0xfabc;
				_t617 = 0x51;
				_v180 = _v180 / _t617;
				_v180 = _v180 ^ 0x00007dc1;
				_v220 = 0x512c;
				_v220 = _v220 >> 9;
				_t618 = 0x4a;
				_v220 = _v220 / _t618;
				_v220 = _v220 >> 0xd;
				_v220 = _v220 ^ 0x00005be7;
				_v64 = 0x9a4f;
				_t619 = 0x3a;
				_v64 = _v64 / _t619;
				_v64 = _v64 ^ 0x000102a9;
				_v208 = 0x28ca;
				_v208 = _v208 | 0x21866eea;
				_v208 = _v208 + 0xffff189b;
				_v208 = _v208 + 0xffff7793;
				_v208 = _v208 ^ 0x2184ff0b;
				_v192 = 0xcc4e;
				_v192 = _v192 << 2;
				_t620 = 0x60;
				_v192 = _v192 * 0x2f;
				_v192 = _v192 / _t620;
				_v192 = _v192 ^ 0x00019019;
				goto L1;
				do {
					while(1) {
						L1:
						_t690 = _t670 - 0x2fc7a808;
						if(_t690 > 0) {
							break;
						}
						if(_t690 == 0) {
							_push(_t620);
							_push(_t620);
							_t624 =  *0x731fd4; // 0x0
							_t472 = _t624 + 0x24; // 0x24
							_t620 = _v236;
							_t580 = E0071A703(_t620, _v204, _v104, _v36,  *((intOrPtr*)(_t624 + 0x2c)), _t472, _v188, _v212);
							_t685 =  &(_t685[8]);
							if(_t580 != 0) {
								_t668 = 1;
							} else {
								_t670 = 0xc68fc75;
								continue;
							}
						} else {
							if(_t670 == 0x3cdca14) {
								E007133F4(_v168, _v40, _v176, _v100,  *0x731fd4);
							} else {
								if(_t670 == 0xc68fc75) {
									_t626 =  *0x731fd4; // 0x0
									_t620 =  *(_t626 + 0x10);
									E0072A5E6(_t620);
									_t685 = _t685 - 0xc + 0xc;
									_t670 = 0x309f0f8a;
									continue;
								} else {
									if(_t670 == 0xe4f59d7) {
										_t587 =  *0x731fd4; // 0x0
										_t589 =  *0x731fd4; // 0x0
										_t620 = _v60;
										_t590 = E00728B98(_t620, _v32, _v68, _v44,  *((intOrPtr*)(_t589 + 0x2c)), _v144, _t587 + 0x10, _v76);
										_t685 =  &(_t685[6]);
										asm("sbb esi, esi");
										_t670 = ( ~_t590 & 0xff28987e) + 0x309f0f8a;
										continue;
									} else {
										if(_t670 == 0x2135d019) {
											_push(_t620);
											_t591 =  *0x731fd4; // 0x0
											_t620 = _v196;
											_t595 = E0072814E(_t620, _v28, _t620, _t620, _v112 | _v96, _t591 + 0x2c, _v152, _v128, _v156);
											_t685 =  &(_t685[8]);
											asm("sbb esi, esi");
											_t670 = ( ~_t595 & 0x2f05871c) + 0x3cdca14;
											continue;
										} else {
											if(_t670 != 0x2b2956b4) {
												goto L23;
											} else {
												_t600 =  *0x731fd4; // 0x0
												_push(_t620);
												_push(_t620);
												E0072162A(_t620,  *((intOrPtr*)(_t600 + 0x2c)));
												_t685 =  &(_t685[4]);
												_t670 = 0x3cdca14;
												continue;
											}
										}
									}
								}
							}
						}
						L27:
						return _t668;
					}
					if(_t670 == 0x309f0f8a) {
						_t621 =  *0x731fd4; // 0x0
						_t620 =  *(_t621 + 0x20);
						E0072A5E6(_t620);
						_t685 = _t685 - 0xc + 0xc;
						_t670 = 0x2b2956b4;
						goto L23;
					} else {
						if(_t670 == 0x32d35130) {
							_t666 =  *_t602;
							_t620 = _v116;
							_t569 = E00718C0D(_t620,  *_t602, _v124, _t620, _v192 | _v64,  *((intOrPtr*)(_t602 + 4)),  &_v20, _v200,  &_v24, _v72, _v132, _v208, _v216);
							_t685 =  &(_t685[0xb]);
							asm("sbb esi, esi");
							_t670 = ( ~_t569 & 0x0a7f093f) + 0x2b2956b4;
							goto L1;
						} else {
							if(_t670 == 0x35a85ff3) {
								_t570 =  *0x731fd4; // 0x0
								_t571 =  *0x731fd4; // 0x0
								_t573 = E0071BDF0(_v224, _v164, _t571 + 0x20, _v20, _v88, _t620, _t620, _v160,  *((intOrPtr*)(_t570 + 0x2c)), _v24);
								_t666 = _v140;
								_t620 = _v80;
								asm("sbb esi, esi");
								_t670 = ( ~_t573 & 0xe3260323) + 0x2b2956b4;
								E0071B6C7(_t620, _v140, _v24, _v148);
								_t685 =  &(_t685[0xa]);
								goto L23;
							} else {
								if(_t670 != 0x362f6652) {
									goto L23;
								} else {
									_t623 = 0x34;
									_t578 = E0071A0AD(_t623, _t666);
									 *0x731fd4 = _t578;
									_t620 = _t620;
									if(_t578 != 0) {
										_t670 = 0x2135d019;
										goto L1;
									}
								}
							}
						}
					}
					goto L27;
					L23:
				} while (_t670 != 0x3b735277);
				goto L27;
			}

0x00722cea
0x00722cf4
0x00722cfb
0x00722cfc
0x00722cfe
0x00722d03
0x00722d0e
0x00722d10
0x00722d1b
0x00722d1e
0x00722d2b
0x00722d32
0x00722d37
0x00722d4c
0x00722d4f
0x00722d56
0x00722d61
0x00722d71
0x00722d75
0x00722d7a
0x00722d82
0x00722d8a
0x00722d95
0x00722da0
0x00722dab
0x00722db6
0x00722dc1
0x00722dcc
0x00722dd7
0x00722de2
0x00722dea
0x00722df5
0x00722e00
0x00722e0b
0x00722e16
0x00722e21
0x00722e29
0x00722e34
0x00722e40
0x00722e45
0x00722e4b
0x00722e50
0x00722e58
0x00722e60
0x00722e68
0x00722e70
0x00722e7d
0x00722e80
0x00722e84
0x00722e8c
0x00722ea2
0x00722ea9
0x00722eb4
0x00722ec0
0x00722ec3
0x00722ec7
0x00722ecf
0x00722ed4
0x00722edc
0x00722ee9
0x00722ef4
0x00722efc
0x00722f07
0x00722f0f
0x00722f14
0x00722f19
0x00722f21
0x00722f29
0x00722f34
0x00722f3c
0x00722f47
0x00722f4f
0x00722f5d
0x00722f62
0x00722f68
0x00722f70
0x00722f7b
0x00722f86
0x00722f91
0x00722f9c
0x00722fa9
0x00722fac
0x00722fb0
0x00722fb8
0x00722fc0
0x00722fc8
0x00722fd0
0x00722fe0
0x00722fe4
0x00722fec
0x00722ff7
0x00723002
0x0072300d
0x00723015
0x0072301f
0x00723022
0x00723026
0x0072302e
0x00723036
0x00723041
0x0072304c
0x00723057
0x00723062
0x00723075
0x0072307c
0x00723087
0x00723092
0x007230a5
0x007230ac
0x007230b7
0x007230bf
0x007230c7
0x007230cf
0x007230d7
0x007230df
0x007230ef
0x007230f7
0x007230fa
0x007230fe
0x00723106
0x00723110
0x0072311f
0x00723122
0x00723126
0x0072312b
0x00723133
0x0072313b
0x0072314b
0x0072314f
0x00723157
0x0072315f
0x00723167
0x00723170
0x00723175
0x0072317b
0x00723183
0x0072318e
0x00723196
0x007231a1
0x007231a9
0x007231ae
0x007231b6
0x007231be
0x007231c9
0x007231d1
0x007231dc
0x007231e4
0x007231e9
0x007231ee
0x007231f6
0x007231fe
0x00723206
0x0072320e
0x00723216
0x0072321e
0x00723226
0x0072322e
0x00723236
0x0072323e
0x00723251
0x00723252
0x00723259
0x00723264
0x0072326f
0x0072327a
0x00723282
0x0072328d
0x007232a0
0x007232a7
0x007232b2
0x007232bd
0x007232c5
0x007232d0
0x007232e4
0x007232eb
0x007232f6
0x00723301
0x00723309
0x00723314
0x0072331c
0x00723329
0x0072332d
0x00723335
0x0072333d
0x00723345
0x0072334f
0x00723357
0x0072335f
0x00723367
0x00723373
0x00723376
0x00723382
0x00723386
0x0072338e
0x00723399
0x007233a1
0x007233ac
0x007233b7
0x007233c2
0x007233cd
0x007233d8
0x007233e0
0x007233e8
0x007233f0
0x007233f4
0x007233fc
0x00723404
0x00723409
0x00723411
0x00723419
0x00723424
0x0072342f
0x0072343a
0x00723445
0x00723451
0x00723456
0x0072345c
0x00723468
0x0072346d
0x00723473
0x0072347b
0x00723483
0x0072348c
0x00723491
0x00723497
0x0072349c
0x007234a4
0x007234b6
0x007234bb
0x007234c4
0x007234cf
0x007234d7
0x007234df
0x007234e7
0x007234ef
0x007234f7
0x007234ff
0x00723509
0x0072350a
0x00723514
0x0072351d
0x0072351d
0x00723525
0x00723525
0x00723525
0x00723525
0x0072352b
0x00000000
0x00000000
0x00723531
0x0072367a
0x0072367b
0x00723684
0x0072368a
0x007236a3
0x007236a7
0x007236ac
0x007236b1
0x00723853
0x007236b7
0x007236b7
0x00000000
0x007236b7
0x00723537
0x0072353d
0x00723847
0x00723543
0x00723549
0x0072365f
0x00723665
0x00723668
0x0072366d
0x00723670
0x00000000
0x0072354f
0x00723555
0x007235f6
0x00723603
0x00723620
0x00723627
0x0072362c
0x00723633
0x0072363b
0x00000000
0x0072355b
0x00723561
0x0072359b
0x007235ab
0x007235cc
0x007235d0
0x007235d5
0x007235dc
0x007235e4
0x00000000
0x00723563
0x00723565
0x00000000
0x0072356b
0x00723581
0x00723586
0x00723587
0x0072358c
0x00723591
0x00723594
0x00000000
0x00723594
0x00723565
0x00723561
0x00723555
0x00723549
0x0072353d
0x00723854
0x00723860
0x00723860
0x007236c7
0x0072380a
0x00723810
0x00723813
0x00723818
0x0072381b
0x00000000
0x007236cd
0x007236d3
0x007237ca
0x007237cc
0x007237d3
0x007237d8
0x007237df
0x007237e7
0x00000000
0x007236d9
0x007236df
0x00723720
0x00723735
0x0072374d
0x00723759
0x00723769
0x00723772
0x0072377a
0x0072377c
0x00723781
0x00000000
0x007236e1
0x007236e7
0x00000000
0x007236ed
0x007236fb
0x007236fc
0x00723701
0x00723706
0x00723709
0x0072370f
0x00000000
0x0072370f
0x00723709
0x007236e7
0x007236df
0x007236d3
0x00000000
0x0072381d
0x0072381d
0x00000000

Strings

Rf/6, xrefs: 00722D32
dc, xrefs: 0072338E
ZL, xrefs: 007232F6
Rf/6, xrefs: 007236E1
wRs;, xrefs: 0072381D
[, xrefs: 0072349C
hdJ, xrefs: 00723259
R!, xrefs: 007232EB
HhJ, xrefs: 0072332D
}|, xrefs: 00722F86
T@, xrefs: 00723087
r#, xrefs: 00723196
o, xrefs: 00722FB0
HE, xrefs: 0072300D
MX, xrefs: 00723409
u , xrefs: 00722E8C
yv, xrefs: 00723133

Memory Dump Source

Source File: 00000001.00000002.282217417.0000000000710000.00000040.00020000.sdmp, Offset: 00710000, based on PE: true

Associated: 00000001.00000002.282272461.0000000000731000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: HE$HhJ$MX$R!$Rf/6$Rf/6$T@$ZL$dc$hdJ$r#$u $wRs;$yv$}|$[$o
API String ID: 0-3509968422
Opcode ID: 0d4ee92cf343068209eca1089ae4fd9828ad214e74f29bc9039cbfc515c53cf3
Instruction ID: deaf85f15474e5b0e0bb855bea91542f393733fe6cbd1cef2df7db8ab258123c
Opcode Fuzzy Hash: 0d4ee92cf343068209eca1089ae4fd9828ad214e74f29bc9039cbfc515c53cf3
Instruction Fuzzy Hash: A9421572509381DFE368CF25C989A9BFBE1BBC4304F10891DE5D9862A0D7B99949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 00721F54, Relevance: 20.5, Strings: 16, Instructions: 480COMMON

Download Yara Rule

Strings

;E, xrefs: 007221A4
U*, xrefs: 00722064
,XPD, xrefs: 007226E1
HQ, xrefs: 00721FE2
,8, xrefs: 00722560
eK, xrefs: 00722236
U4, xrefs: 007223F5
7[, xrefs: 00722289
5A, xrefs: 007223C5
0, xrefs: 00722367
u_, xrefs: 0072243F
g~d, xrefs: 00722024
?%, xrefs: 00722586
il-, xrefs: 007229C0
Am, xrefs: 0072241A
il-, xrefs: 007228AF

Memory Dump Source

Source File: 00000001.00000002.282217417.0000000000710000.00000040.00020000.sdmp, Offset: 00710000, based on PE: true

Associated: 00000001.00000002.282272461.0000000000731000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: ,8$,XPD$5A$7[$;E$?%$Am$HQ$U*$eK$g~d$il-$il-$u_$0$U4
API String ID: 0-1960404279
Opcode ID: 18ba72fcf73bb1a28df290c2f4f1235f37b2b17f3e7c00683302ee158f1b7054
Instruction ID: 191981b4d2180700398908cc12e000ee00124cf72caf753e4daa90b972780038
Opcode Fuzzy Hash: 18ba72fcf73bb1a28df290c2f4f1235f37b2b17f3e7c00683302ee158f1b7054
Instruction Fuzzy Hash: 1E42027150D3819FE364CF65C949A9BBBE1BBD4304F108A1DE2999A2A0D7B98949CF03

Uniqueness

Uniqueness Score: -1.00%

Function 00728C4D, Relevance: 20.4, Strings: 16, Instructions: 436COMMON

Download Yara Rule

Strings

~8, xrefs: 0072913C
&, xrefs: 00728CDC
WM[0, xrefs: 0072927C
~O, xrefs: 00729189
g, xrefs: 00729088
R4F, xrefs: 007292A5
, xrefs: 00728E03
Cq, xrefs: 007292AD
,, xrefs: 007292DA
x, xrefs: 00728C80
Na, xrefs: 00728CFD
FA, xrefs: 00728E30
?a, xrefs: 00729249
#1, xrefs: 0072901C
|}, xrefs: 00728EF7
7I, xrefs: 007291E6

Memory Dump Source

Source File: 00000001.00000002.282217417.0000000000710000.00000040.00020000.sdmp, Offset: 00710000, based on PE: true

Associated: 00000001.00000002.282272461.0000000000731000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: #1$&$7I$?a$Cq$FA$Na$R4F$WM[0$x$|}$~8$~O$ $,$g
API String ID: 0-1818104641
Opcode ID: 073bafe08638c8c28e7b59fe594aa3cebabe35a69718713a7850d46e36c8760d
Instruction ID: 5f3f4a055aa0244662529c1c2df353f9605347b6a7cf0fd6ee8330586c8b1499
Opcode Fuzzy Hash: 073bafe08638c8c28e7b59fe594aa3cebabe35a69718713a7850d46e36c8760d
Instruction Fuzzy Hash: 18321271508381DFE378CF21D84AA9BBBE2BBC5744F10891DE2C9862A0D7B58959CF53

Uniqueness

Uniqueness Score: -1.00%

Function 00718EA1, Relevance: 19.1, Strings: 15, Instructions: 362COMMON

Download Yara Rule

Strings

H,8, xrefs: 007194DB
^`, xrefs: 00718ED1
H,8, xrefs: 0071958E
l}, xrefs: 00718F47
jG, xrefs: 00718F5F
K%, xrefs: 007190E3
G , xrefs: 007192DD
>, xrefs: 0071929B
L, xrefs: 0071901D
l, xrefs: 00719395
Lr, xrefs: 00719206
{e, xrefs: 00718F9C
Y~\(, xrefs: 00719311
K`, xrefs: 00719133
Y~\(, xrefs: 00719400

Memory Dump Source

Source File: 00000001.00000002.282217417.0000000000710000.00000040.00020000.sdmp, Offset: 00710000, based on PE: true

Associated: 00000001.00000002.282272461.0000000000731000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: G $K%$K`$Lr$Y~\($Y~\($^`$jG$l$l}${e$>$H,8$H,8$L
API String ID: 0-982405454
Opcode ID: 40b5b414f0972a89ec4149162baea5dc7bc12f68a9c54990dd66feaebb593d42
Instruction ID: 4f1ebdf0133d55cf6275ddfb703d443df87428f103306c1e392c905391b73ea0
Opcode Fuzzy Hash: 40b5b414f0972a89ec4149162baea5dc7bc12f68a9c54990dd66feaebb593d42
Instruction Fuzzy Hash: 39024472408381DFD764CF29C549A9BBBF1BBC4704F108A1DF699862A0D7B99949CF42

Uniqueness

Uniqueness Score: -1.00%

Function 007195DD, Relevance: 16.6, Strings: 13, Instructions: 345COMMON

Download Yara Rule

Strings

0P, xrefs: 0071971E
@], xrefs: 0071975D
&, xrefs: 0071980C
/, xrefs: 007198AD
:X, xrefs: 00719A46
r, xrefs: 00719845
e|, xrefs: 007196DD
uP, xrefs: 00719903
tr, xrefs: 00719AB2
_], xrefs: 00719954
Q, xrefs: 007199ED
#((;, xrefs: 00719A65
f>, xrefs: 00719A3C

Memory Dump Source

Source File: 00000001.00000002.282217417.0000000000710000.00000040.00020000.sdmp, Offset: 00710000, based on PE: true

Associated: 00000001.00000002.282272461.0000000000731000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: /$#((;$&$0P$:X$@]$_]$e|$f>$r$tr$uP$Q
API String ID: 0-2055608467
Opcode ID: 3ddbf27cc2ecdec53af975f697200be60aa989005d8014a2824e6661306c1b62
Instruction ID: bd1f66346bd80ded75d12e2b48ab339b248b237db6b276863ddc847bfe053087
Opcode Fuzzy Hash: 3ddbf27cc2ecdec53af975f697200be60aa989005d8014a2824e6661306c1b62
Instruction Fuzzy Hash: F6020371508380DFE3648F25D44969FBBE1BBC4758F108A1DE2DA962A0D7B98989CF43

Uniqueness

Uniqueness Score: -1.00%

Function 0072C1C2, Relevance: 16.5, Strings: 13, Instructions: 297COMMON

Download Yara Rule

Strings

1y, xrefs: 0072C470
jIc3, xrefs: 0072C5C6
$u, xrefs: 0072C247
9w, xrefs: 0072C2F1
c, xrefs: 0072C4D8
jIc3, xrefs: 0072C719
z;, xrefs: 0072C2A0
+*, xrefs: 0072C3BF
jIc3, xrefs: 0072C672
A1, xrefs: 0072C4A6
X, xrefs: 0072C41C
)p, xrefs: 0072C50E
jIc3, xrefs: 0072C74D

Memory Dump Source

Source File: 00000001.00000002.282217417.0000000000710000.00000040.00020000.sdmp, Offset: 00710000, based on PE: true

Associated: 00000001.00000002.282272461.0000000000731000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: $u$)p$+*$1y$9w$A1$jIc3$jIc3$jIc3$jIc3$z;$X$c
API String ID: 0-3357977862
Opcode ID: 89f07276a36e955e7aa98077464d943e4e2d2c8f86c293562ca72a0f31a2c519
Instruction ID: 7bd85bf3f11386e4eaed2e8398f946b94980555db530377497fc062d1a841c19
Opcode Fuzzy Hash: 89f07276a36e955e7aa98077464d943e4e2d2c8f86c293562ca72a0f31a2c519
Instruction Fuzzy Hash: 43E151725093819FE368CF25D48940BFBE1FBD4748F108A1DF199962A0D7B9DA49CF82

Uniqueness

Uniqueness Score: -1.00%

Function 007184D8, Relevance: 15.3, Strings: 12, Instructions: 332COMMON

Download Yara Rule

Strings

II, xrefs: 0071872D
rx, xrefs: 0071867D
R, xrefs: 00718868
u}, xrefs: 00718898
sC-, xrefs: 0071890E
x, xrefs: 007188B8
[Z, xrefs: 007189DD
Li, xrefs: 007187CB
HK, xrefs: 007184DE
"y, xrefs: 00718813
Mp, xrefs: 0071896C
uF, xrefs: 007189D2

Memory Dump Source

Source File: 00000001.00000002.282217417.0000000000710000.00000040.00020000.sdmp, Offset: 00710000, based on PE: true

Associated: 00000001.00000002.282272461.0000000000731000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: R$"y$HK$II$Li$Mp$[Z$rx$sC-$uF$u}$x
API String ID: 0-1461101150
Opcode ID: 14243db0a6652a7347d74f12ae79b2c995fac47d736910144fd4e1ba056538df
Instruction ID: 91cddb5ed2600661bcfe8a962c707dff87d6bab96f6ffbe2bbabd1a5a4bc2d85
Opcode Fuzzy Hash: 14243db0a6652a7347d74f12ae79b2c995fac47d736910144fd4e1ba056538df
Instruction Fuzzy Hash: 170223715093809FE368CF25C54AA4BFBE1BBC5714F108A0DE1D9862A0DBB99949CF47

Uniqueness

Uniqueness Score: -1.00%

Function 00712C93, Relevance: 15.3, Strings: 12, Instructions: 315COMMON

Download Yara Rule

Strings

Q,, xrefs: 00713060
(~4, xrefs: 00712CB4
;R, xrefs: 00712D1F
s%, xrefs: 00713023
1>p#, xrefs: 00713327
]}, xrefs: 00712D37
1K, xrefs: 00712FB5
]L, xrefs: 00712DAA
TN, xrefs: 00712F5D
!X, xrefs: 00712E1C
92, xrefs: 00712E59
Ac, xrefs: 00712E24

Memory Dump Source

Source File: 00000001.00000002.282217417.0000000000710000.00000040.00020000.sdmp, Offset: 00710000, based on PE: true

Associated: 00000001.00000002.282272461.0000000000731000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: !X$(~4$1>p#$1K$92$;R$Ac$Q,$TN$]L$]}$s%
API String ID: 0-3070783794
Opcode ID: 633f6361a6a41bba6e8f6c8b49dee600f300d4919861fd816113b304cc34e967
Instruction ID: 7d766157d90c16807df3ac65493dfbdbb280d4ea1c3af159fb6d3d1f5b4752f3
Opcode Fuzzy Hash: 633f6361a6a41bba6e8f6c8b49dee600f300d4919861fd816113b304cc34e967
Instruction Fuzzy Hash: 44F10371508380DFE368CF65C549A9BBBF1FBC4718F10891DF29A862A0D7B99949CF42

Uniqueness

Uniqueness Score: -1.00%

Function 00720082, Relevance: 15.3, Strings: 12, Instructions: 309COMMON

Download Yara Rule

Strings

P, xrefs: 007202DB
h$j:, xrefs: 0072044E
Z;=, xrefs: 00720159
y, xrefs: 00720233
;g, xrefs: 00720264
PV, xrefs: 007201C4
c], xrefs: 0072042A
=j, xrefs: 007203A3
K4, xrefs: 00720108
@K, xrefs: 0072045E
Dy, xrefs: 00720376
hF, xrefs: 00720476

Memory Dump Source

Source File: 00000001.00000002.282217417.0000000000710000.00000040.00020000.sdmp, Offset: 00710000, based on PE: true

Associated: 00000001.00000002.282272461.0000000000731000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: Z;=$;g$=j$@K$Dy$K4$PV$P$c]$h$j:$hF$y
API String ID: 0-1527654613
Opcode ID: a50f685c1c168d7e40925f5166b89ad163144dea55600ca38d68a2fe782f5480
Instruction ID: 460c4df66db9072ee627a1a317a58108dbeba3d585ab01d5137e4007463491d7
Opcode Fuzzy Hash: a50f685c1c168d7e40925f5166b89ad163144dea55600ca38d68a2fe782f5480
Instruction Fuzzy Hash: B4E13FB15083809FE358CF26D58A90BFBF1FBC5708F108A1DF295962A0D7B9D9548F82

Uniqueness

Uniqueness Score: -1.00%

Function 00724602, Relevance: 15.3, Strings: 12, Instructions: 307COMMON

Download Yara Rule

Strings

Sz, xrefs: 007247A5
Nj, xrefs: 0072470D
lW, xrefs: 007248D7
ZF, xrefs: 00724A68
-2, xrefs: 00724ACA
g, xrefs: 007246CB
7, xrefs: 0072497B
b, xrefs: 00724A96
-2, xrefs: 0072461E
v[, xrefs: 007247DD
Ls, xrefs: 0072475C
bu, xrefs: 00724638

Memory Dump Source

Source File: 00000001.00000002.282217417.0000000000710000.00000040.00020000.sdmp, Offset: 00710000, based on PE: true

Associated: 00000001.00000002.282272461.0000000000731000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: -2$-2$7$Ls$Nj$Sz$ZF$bu$lW$v[$b$g
API String ID: 0-1557431968
Opcode ID: 6ae442ed9ccdec57d6a004318d5cd8cdea99a7b8a048f44a277d9defe0106ec6
Instruction ID: dffaff8f44ae326b89c6631305d8548702797a5f79edae7b35e92e67287fe5f4
Opcode Fuzzy Hash: 6ae442ed9ccdec57d6a004318d5cd8cdea99a7b8a048f44a277d9defe0106ec6
Instruction Fuzzy Hash: 8EF124715087809FD368CF25D589A4BBBF1BBC4748F108A1DF2DA862A0D7B98949CF47

Uniqueness

Uniqueness Score: -1.00%

Function 0072CF07, Relevance: 15.3, Strings: 12, Instructions: 259COMMON

Download Yara Rule

Strings

`Q, xrefs: 0072D0D8
#, xrefs: 0072D166
6Lc*, xrefs: 0072D2FB
p, xrefs: 0072CFE1
5K, xrefs: 0072D0F3
wy, xrefs: 0072D1E2
w., xrefs: 0072D023
1, xrefs: 0072D22D
d6, xrefs: 0072CF5C
$[, xrefs: 0072D2DD
34, xrefs: 0072D273
]d, xrefs: 0072D298

Memory Dump Source

Source File: 00000001.00000002.282217417.0000000000710000.00000040.00020000.sdmp, Offset: 00710000, based on PE: true

Associated: 00000001.00000002.282272461.0000000000731000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: $[$34$5K$6Lc*$]d$`Q$d6$p$w.$wy$#$1
API String ID: 0-530726773
Opcode ID: b88f4adbdd680e5d2c38a654164de6572362300423e180e53d54f67cdae25b6e
Instruction ID: 765b72c6801978e7d4ca5e5309308ef68568e0e48d3d7fd8318e63644c02da8f
Opcode Fuzzy Hash: b88f4adbdd680e5d2c38a654164de6572362300423e180e53d54f67cdae25b6e
Instruction Fuzzy Hash: 16D100B15093809FE368CF21C489A5BFBE1FBC4758F508A1DF596862A0D7B98949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 0071A82A, Relevance: 15.2, Strings: 12, Instructions: 248COMMON

Download Yara Rule

Strings

^, xrefs: 0071A856
+b, xrefs: 0071AAFB
kp, xrefs: 0071AA11
yI, xrefs: 0071A88D
<<, xrefs: 0071AA21
uo, xrefs: 0071AAB0
>C), xrefs: 0071ABC0
ZO&, xrefs: 0071A99D
>C), xrefs: 0071A84E
T3, xrefs: 0071AB68
+, xrefs: 0071A9BA
Pd&, xrefs: 0071ABB8

Memory Dump Source

Source File: 00000001.00000002.282217417.0000000000710000.00000040.00020000.sdmp, Offset: 00710000, based on PE: true

Associated: 00000001.00000002.282272461.0000000000731000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: +b$<<$Pd&$T3$ZO&$^$kp$uo$yI$+$>C)$>C)
API String ID: 0-4081541337
Opcode ID: b8e9ed50516590915f463b796a4a3b83ba4f83e0445f61fa85c92735586718b0
Instruction ID: 4b8899a0a5c64b03e71caed34ab9ae474502a4ac116cd66657cc5d9eb600dae3
Opcode Fuzzy Hash: b8e9ed50516590915f463b796a4a3b83ba4f83e0445f61fa85c92735586718b0
Instruction Fuzzy Hash: 0BC142B2409381AFE364CF25C48A45BFBF1BBC4758F504A1DF5A5962A0D3B98A49CF43

Uniqueness

Uniqueness Score: -1.00%

Function 00729726, Relevance: 14.0, Strings: 11, Instructions: 259COMMON

Download Yara Rule

Strings

3B, xrefs: 0072981B
^sG, xrefs: 007299D8
a, xrefs: 00729953
s=, xrefs: 007297AC
:, xrefs: 007298D1
]`+, xrefs: 00729A8B
4, xrefs: 00729871
ju, xrefs: 00729A5F
W?)8, xrefs: 007298E9
]`+, xrefs: 00729AF7
Kc<, xrefs: 007299A4

Memory Dump Source

Source File: 00000001.00000002.282217417.0000000000710000.00000040.00020000.sdmp, Offset: 00710000, based on PE: true

Associated: 00000001.00000002.282272461.0000000000731000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: 4$3B$Kc<$W?)8$^sG$a$s=$:$]`+$]`+$ju
API String ID: 0-1108746688
Opcode ID: 13f7924de4efc1a26915373cde2b421b2759c9b0f560f712709678b3f00ac7b4
Instruction ID: 4fc9c9c2c7cb6a17eb32e8ad7b571b2c10053a17b915e4e1463af30d643274f6
Opcode Fuzzy Hash: 13f7924de4efc1a26915373cde2b421b2759c9b0f560f712709678b3f00ac7b4
Instruction Fuzzy Hash: 19C132B25083809FE358CF25D48990BBBF2BBC5358F14891DF6C5962A0D3B99949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 00717B6A, Relevance: 14.0, Strings: 11, Instructions: 212COMMON

Download Yara Rule

Strings

`Y, xrefs: 00717DCA
N, xrefs: 00717D34
Im, xrefs: 00717B86
>', xrefs: 00717BC1
Qg&9, xrefs: 00717E32
Qg&9, xrefs: 00717EFA
\d, xrefs: 00717D72
Qg&9, xrefs: 00717EE0
cf, xrefs: 00717C58
[, xrefs: 00717CF9
|, xrefs: 00717DB5

Memory Dump Source

Source File: 00000001.00000002.282217417.0000000000710000.00000040.00020000.sdmp, Offset: 00710000, based on PE: true

Associated: 00000001.00000002.282272461.0000000000731000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: >'$Im$Qg&9$Qg&9$Qg&9$[$\d$`Y$cf$N$|
API String ID: 0-888967344
Opcode ID: 0c02003b01eaabb8f107f14660268d05514e738c42ed7ef9c888b35452110209
Instruction ID: bff8bada1b5166f62b8aaff5d252661031ac2ce06bca6b4a5b9ede8a5b9c260c
Opcode Fuzzy Hash: 0c02003b01eaabb8f107f14660268d05514e738c42ed7ef9c888b35452110209
Instruction Fuzzy Hash: 78A1117140C3819BD358CF29D48A45BFBF0BB84318F504A1DF595962A0D7B9DA8ACF43

Uniqueness

Uniqueness Score: -1.00%

Function 0071AE9E, Relevance: 13.9, Strings: 11, Instructions: 190COMMON

Download Yara Rule

Strings

lr, xrefs: 0071AEA4
XP, xrefs: 0071AF3B
O8, xrefs: 0071AFAD
qS, xrefs: 0071AF53
77;, xrefs: 0071B06E
ne, xrefs: 0071AF26
0, xrefs: 0071AEFD
?=, xrefs: 0071AEC7
s, xrefs: 0071B0DD
V, xrefs: 0071B0FD
`I, xrefs: 0071B01D

Memory Dump Source

Source File: 00000001.00000002.282217417.0000000000710000.00000040.00020000.sdmp, Offset: 00710000, based on PE: true

Associated: 00000001.00000002.282272461.0000000000731000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: s$0$77;$?=$O8$V$XP$`I$lr$ne$qS
API String ID: 0-3626900128
Opcode ID: b275accd0fee2c4d84c3b99562fd07ab54f1fafecaaf99d0e1349c6749a0133d
Instruction ID: 28e3a5667adab2a7bfbdbec993ee5a32a106606aecb00f252c4617196592f7a9
Opcode Fuzzy Hash: b275accd0fee2c4d84c3b99562fd07ab54f1fafecaaf99d0e1349c6749a0133d
Instruction Fuzzy Hash: 769141725093819BD358CF29D98945FBBE1FBC0B18F50491DF682862A0D7B9CA49CF92

Uniqueness

Uniqueness Score: -1.00%

Function 0072732F, Relevance: 12.9, Strings: 10, Instructions: 365COMMON

Download Yara Rule

Strings

lD, xrefs: 007274AF
~~, xrefs: 00727553
H#, xrefs: 0072769F
@, xrefs: 00727765
0, xrefs: 00727514
o|, xrefs: 00727791
Z\:, xrefs: 007274FA
5X, xrefs: 00727433
I$, xrefs: 007275F2
Zx, xrefs: 007277B1

Memory Dump Source

Source File: 00000001.00000002.282217417.0000000000710000.00000040.00020000.sdmp, Offset: 00710000, based on PE: true

Associated: 00000001.00000002.282272461.0000000000731000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: Z\:$0$5X$@$H#$I$$Zx$lD$o|$~~
API String ID: 0-3052698863
Opcode ID: de87ad0f56cb0696ac65094176b18654ca973b1e26a16360f9b352ef3a453732
Instruction ID: a08e05aeed2044d69cbb8e0119f7276bf3f43a470faa0ddab1d760f633c5a5aa
Opcode Fuzzy Hash: de87ad0f56cb0696ac65094176b18654ca973b1e26a16360f9b352ef3a453732
Instruction Fuzzy Hash: 4012437150D381DFE368CF24D58AA4BBBE1BBC4304F508A1DE5DA862A0D7B99949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 00723F16, Relevance: 12.8, Strings: 10, Instructions: 344COMMON

Download Yara Rule

Strings

+<, xrefs: 00723F85
[., xrefs: 007240C3
?!, xrefs: 007240F6
X , xrefs: 00723FDD
~ , xrefs: 00724347
[:, xrefs: 00724067
pL, xrefs: 0072404F
Ic, xrefs: 00723F43
KI, xrefs: 0072423E
;_, xrefs: 00724178

Memory Dump Source

Source File: 00000001.00000002.282217417.0000000000710000.00000040.00020000.sdmp, Offset: 00710000, based on PE: true

Associated: 00000001.00000002.282272461.0000000000731000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: +<$;_$?!$Ic$KI$X $[.$[:$pL$~
API String ID: 0-1893785045
Opcode ID: fea4c08cde577ebb64c2fbe4ac89167ff67900502abc2566873892f91dc70608
Instruction ID: bdf33900c6943be62eccedb8ac15c19ab27a4ae49b0bc6031a064aee6cac6511
Opcode Fuzzy Hash: fea4c08cde577ebb64c2fbe4ac89167ff67900502abc2566873892f91dc70608
Instruction Fuzzy Hash: DBF121711083819FE368CF25C58AA5BBBE1BBC4718F10891CF5DA862A0D7B99949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 00712814, Relevance: 12.7, Strings: 10, Instructions: 208COMMON

Download Yara Rule

Strings

Qj, xrefs: 007128F5
1pv:, xrefs: 00712AA6
R}, xrefs: 00712954
N8, xrefs: 007129FF
gH, xrefs: 007128CF
1pv:, xrefs: 00712B8D
i*, xrefs: 0071282D
ml, xrefs: 00712825
1, xrefs: 007128B3
X@, xrefs: 007128FD

Memory Dump Source

Source File: 00000001.00000002.282217417.0000000000710000.00000040.00020000.sdmp, Offset: 00710000, based on PE: true

Associated: 00000001.00000002.282272461.0000000000731000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: 1$1pv:$1pv:$N8$Qj$R}$X@$gH$i*$ml
API String ID: 0-2748510710
Opcode ID: 71160ac7658b3973f75ae2cc60728a7941a981c0bb2ad8ddb5d14b7525e3a8a6
Instruction ID: bf7924b5712eb0ced31a373e5b72f07824c28e568e25462df5f6090a6c8c4011
Opcode Fuzzy Hash: 71160ac7658b3973f75ae2cc60728a7941a981c0bb2ad8ddb5d14b7525e3a8a6
Instruction Fuzzy Hash: 39A13DB15093818FC368CF69C48945FFBE0BBC4B48F508A1DF59596260D7B8D94ACF86

Uniqueness

Uniqueness Score: -1.00%

Function 00717306, Relevance: 11.5, Strings: 9, Instructions: 277COMMON

Download Yara Rule

Strings

L, xrefs: 00717448
M, xrefs: 007173D0
x6, xrefs: 0071763A
84, xrefs: 00717538
![, xrefs: 00717496
K{, xrefs: 00717662
-', xrefs: 007175EF
^u:, xrefs: 007174CE
b, xrefs: 00717620

Memory Dump Source

Source File: 00000001.00000002.282217417.0000000000710000.00000040.00020000.sdmp, Offset: 00710000, based on PE: true

Associated: 00000001.00000002.282272461.0000000000731000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: ![$-'$K{$L$^u:$b$x6$84$M
API String ID: 0-2099710246
Opcode ID: 008a80f03873ded7cfbb1931598d7a04c5d4679916d579fce4a4a6c9e9ad7482
Instruction ID: ce8551744c452b431a180d296a19915556a43fac44b8234184753dae95e397c9
Opcode Fuzzy Hash: 008a80f03873ded7cfbb1931598d7a04c5d4679916d579fce4a4a6c9e9ad7482
Instruction Fuzzy Hash: FBD133725083418FE3A8DF29C48A54BBBF1BBC4748F108A1DF5D5962A0D7B99949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 0071EBA4, Relevance: 11.5, Strings: 9, Instructions: 275COMMON

Download Yara Rule

Strings

oA, xrefs: 0071EC98
=\, xrefs: 0071ED7C
Yf, xrefs: 0071EC10
E, xrefs: 0071ED26
Hk, xrefs: 0071ECF2
,M, xrefs: 0071EDF7
h `K, xrefs: 0071EDD2
j~, xrefs: 0071EE39
Z^, xrefs: 0071EE41

Memory Dump Source

Source File: 00000001.00000002.282217417.0000000000710000.00000040.00020000.sdmp, Offset: 00710000, based on PE: true

Associated: 00000001.00000002.282272461.0000000000731000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: ,M$=\$E$Hk$Yf$Z^$h `K$j~$oA
API String ID: 0-693924685
Opcode ID: 1bffc10bec51c740af9c62bc7d531a766bacedf1785e94121b55c9f4d6615e87
Instruction ID: 18fa5dc207e8622960ac65f2de1299e4938ea9eb0d1c38bb1519abeb52fc16ae
Opcode Fuzzy Hash: 1bffc10bec51c740af9c62bc7d531a766bacedf1785e94121b55c9f4d6615e87
Instruction Fuzzy Hash: FAC142711083419FD368CF25C48986BFBE1FBD4748F508A1DF596862A0D7BA9A89CF43

Uniqueness

Uniqueness Score: -1.00%

Function 0072197B, Relevance: 11.5, Strings: 9, Instructions: 243COMMON

Download Yara Rule

Strings

G?, xrefs: 00721B76
D, xrefs: 00721D45
>s, xrefs: 00721C6E
T,5, xrefs: 00721DE0
O, xrefs: 00721AB4
5, xrefs: 00721C8E
dR, xrefs: 007219BE
@, xrefs: 00721B32
f!, xrefs: 00721C3D

Memory Dump Source

Source File: 00000001.00000002.282217417.0000000000710000.00000040.00020000.sdmp, Offset: 00710000, based on PE: true

Associated: 00000001.00000002.282272461.0000000000731000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: >s$@$D$G?$T,5$dR$5$O$f!
API String ID: 0-2375948987
Opcode ID: 26121c04860f2c697203fcca5379f1602fb07eb6a860006dc57eca605e7f85b2
Instruction ID: 255588326a107dc3100ac750d835258f9955ceaf3bb814ba4f2e89fd45a4c99e
Opcode Fuzzy Hash: 26121c04860f2c697203fcca5379f1602fb07eb6a860006dc57eca605e7f85b2
Instruction Fuzzy Hash: 22B1247150C3809FE364CF25D98AA1FBBE1BBC8758F50891DF295962A0D3BA8945CF43

Uniqueness

Uniqueness Score: -1.00%

Function 007121C0, Relevance: 11.4, Strings: 9, Instructions: 195COMMON

Download Yara Rule

Strings

39, xrefs: 0071238D
0l, xrefs: 00712334
7, xrefs: 00712272
DB, xrefs: 007123C9
"S, xrefs: 0071232C
![, xrefs: 00712367
ih, xrefs: 0071242A
y!, xrefs: 00712454
J&, xrefs: 007121F0

Memory Dump Source

Source File: 00000001.00000002.282217417.0000000000710000.00000040.00020000.sdmp, Offset: 00710000, based on PE: true

Associated: 00000001.00000002.282272461.0000000000731000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: ![$"S$0l$39$7$DB$J&$ih$y!
API String ID: 0-1080273064
Opcode ID: 71a06335f837a521a27f55f91de5d45f8bd156bcc714f4bb2446ebf9afc01acb
Instruction ID: ae02face6a7691d6d7793e02edb5a73cba59a9eb5ab5ae84c9f4ed9d62b60a65
Opcode Fuzzy Hash: 71a06335f837a521a27f55f91de5d45f8bd156bcc714f4bb2446ebf9afc01acb
Instruction Fuzzy Hash: 2D9131711083809BD358CF29C88A85BFBF1BBC5758F508A1DF196962A0D3B98A59CF47

Uniqueness

Uniqueness Score: -1.00%

Function 0071D535, Relevance: 10.3, Strings: 8, Instructions: 312COMMON

Download Yara Rule

Strings

H>, xrefs: 0071D598
b^, xrefs: 0071D740
eT, xrefs: 0071D818
8=, xrefs: 0071D7E7
G~, xrefs: 0071D629
R, xrefs: 0071D6AF
qL, xrefs: 0071D631
\', xrefs: 0071D786

Memory Dump Source

Source File: 00000001.00000002.282217417.0000000000710000.00000040.00020000.sdmp, Offset: 00710000, based on PE: true

Associated: 00000001.00000002.282272461.0000000000731000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: 8=$G~$H>$\'$b^$eT$qL$R
API String ID: 0-903231968
Opcode ID: ccd29ecfe4662ea07949bca52668ff0e2a0f975941d68003cfeae706f0c78e43
Instruction ID: 3d92329a152d0143969eae38813e5f5d4a10308fa294afc5043684e5944400d5
Opcode Fuzzy Hash: ccd29ecfe4662ea07949bca52668ff0e2a0f975941d68003cfeae706f0c78e43
Instruction Fuzzy Hash: 7DE123715087409FD368CF29C98996BBBE1FBD4708F508A1DF596862A0D3B9C945CF43

Uniqueness

Uniqueness Score: -1.00%

Function 00716AFC, Relevance: 10.3, Strings: 8, Instructions: 305COMMON

Download Yara Rule

Strings

C, xrefs: 00716C81
zJ, xrefs: 00716C07
M, xrefs: 00716D73
~6, xrefs: 00716DF9
0, xrefs: 00716CD8
<, xrefs: 00716BCE
'0, xrefs: 00716D59
7j, xrefs: 00716E7B

Memory Dump Source

Source File: 00000001.00000002.282217417.0000000000710000.00000040.00020000.sdmp, Offset: 00710000, based on PE: true

Associated: 00000001.00000002.282272461.0000000000731000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: '0$0$7j$<$C$zJ$~6$M
API String ID: 0-3399841341
Opcode ID: 4da7c865c4061b1a131f1d113d6e34429b97972dba5ae2acca5a7aef2882f015
Instruction ID: 2cf2c2a7b89901a63358029f06518b4896823ddb7f189876be71904ab9a5f4f5
Opcode Fuzzy Hash: 4da7c865c4061b1a131f1d113d6e34429b97972dba5ae2acca5a7aef2882f015
Instruction Fuzzy Hash: 63E153711083818BD368CF29C589A5BFBF1BBC4758F60891DF1DA862A0D7B9D949CF42

Uniqueness

Uniqueness Score: -1.00%

Function 0071F249, Relevance: 10.2, Strings: 8, Instructions: 165COMMON

Download Yara Rule

Strings

Q!>, xrefs: 0071F461
X, xrefs: 0071F2D9
@, xrefs: 0071F38F
Q!>X, xrefs: 0071F458
'3, xrefs: 0071F3AF
d\, xrefs: 0071F2F6
x#, xrefs: 0071F318
ys, xrefs: 0071F3C4

Memory Dump Source

Source File: 00000001.00000002.282217417.0000000000710000.00000040.00020000.sdmp, Offset: 00710000, based on PE: true

Associated: 00000001.00000002.282272461.0000000000731000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: '3$@$Q!>$Q!>X$d\$x#$ys$X
API String ID: 0-3282412013
Opcode ID: f535d80aa6a69b6c4010f8fe8906834d63bc4782d879ed49cdf781dea3a2fa1e
Instruction ID: c132c701cf42ce1f8b053324b3496478014cd07722b85efa082d66eae7db5592
Opcode Fuzzy Hash: f535d80aa6a69b6c4010f8fe8906834d63bc4782d879ed49cdf781dea3a2fa1e
Instruction Fuzzy Hash: 0F812FB1508341AFD358CF25C98981BBBF1BBD8758F105A2DF585962A0D3B9CA498F83

Uniqueness

Uniqueness Score: -1.00%

Function 00711662, Relevance: 10.1, Strings: 8, Instructions: 112COMMON

Download Yara Rule

Strings

xD, xrefs: 007116BC
X0, xrefs: 00711755
<S, xrefs: 00711699
){, xrefs: 007117D6
2, xrefs: 007117B3
2R, xrefs: 007117F2
B+, xrefs: 007116DC
fw, xrefs: 00711794

Memory Dump Source

Source File: 00000001.00000002.282217417.0000000000710000.00000040.00020000.sdmp, Offset: 00710000, based on PE: true

Associated: 00000001.00000002.282272461.0000000000731000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: ){$2R$<S$B+$X0$fw$xD$2
API String ID: 0-3223740375
Opcode ID: 32eb09211fe1fc05b7f806f34c304d892ece1e02a739826004e091a8b2668cc2
Instruction ID: 670333204bf2792b3e8720fd015d962703fc82fae42bff918f2231b321ee5576
Opcode Fuzzy Hash: 32eb09211fe1fc05b7f806f34c304d892ece1e02a739826004e091a8b2668cc2
Instruction Fuzzy Hash: 6F51DFB1C0161AEBDF19CFE5D98A4DEBFB1FB08314F208149E115762A0C3B90A55DFA4

Uniqueness

Uniqueness Score: -1.00%

Function 00711664, Relevance: 10.1, Strings: 8, Instructions: 111COMMON

Download Yara Rule

Strings

xD, xrefs: 007116BC
X0, xrefs: 00711755
<S, xrefs: 00711699
){, xrefs: 007117D6
2, xrefs: 007117B3
2R, xrefs: 007117F2
B+, xrefs: 007116DC
fw, xrefs: 00711794

Memory Dump Source

Source File: 00000001.00000002.282217417.0000000000710000.00000040.00020000.sdmp, Offset: 00710000, based on PE: true

Associated: 00000001.00000002.282272461.0000000000731000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: ){$2R$<S$B+$X0$fw$xD$2
API String ID: 0-3223740375
Opcode ID: 9a64dee1358eee0ff17e50ef4d66aa90558940b9857709b65784d7679d4c0e7b
Instruction ID: 451977ddf131cc1b9750256bfb178d48e81ed8d96a4e8f4d2b740bd80b88420e
Opcode Fuzzy Hash: 9a64dee1358eee0ff17e50ef4d66aa90558940b9857709b65784d7679d4c0e7b
Instruction Fuzzy Hash: C851DFB1C0161AEBDF09CFE5D98A4DEBFB1FB08314F208149E115762A0C3B90A55DFA4

Uniqueness

Uniqueness Score: -1.00%

Function 0071BA46, Relevance: 8.9, Strings: 7, Instructions: 197COMMON

Download Yara Rule

Strings

j, xrefs: 0071BAD6
P#Sy, xrefs: 0071BC58
U, xrefs: 0071BCA9
S|, xrefs: 0071BC70
o]M, xrefs: 0071BC48
J5, xrefs: 0071BB1D
;, xrefs: 0071BADE

Memory Dump Source

Source File: 00000001.00000002.282217417.0000000000710000.00000040.00020000.sdmp, Offset: 00710000, based on PE: true

Associated: 00000001.00000002.282272461.0000000000731000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: U$;$J5$P#Sy$S|$o]M$j
API String ID: 0-1100184680
Opcode ID: 636a0e21c5a4ea879bfb2d8839fe7b0c22ca4155c6eee459cadcba9029d8c5f8
Instruction ID: 5e16d0e0ce34f141bb275876f19650d4c68e7d94f13798f979235ba5ede9a328
Opcode Fuzzy Hash: 636a0e21c5a4ea879bfb2d8839fe7b0c22ca4155c6eee459cadcba9029d8c5f8
Instruction Fuzzy Hash: 0D9100721083409FE358CF65C98991BFBE1FBC9748F108A1DF195962A0D7BADA488F43

Uniqueness

Uniqueness Score: -1.00%

Function 0072BF69, Relevance: 8.9, Strings: 7, Instructions: 137COMMON

Download Yara Rule

Strings

gw6, xrefs: 0072C1AC
gw6, xrefs: 0072C0F4
fy, xrefs: 0072C071
e(hC, xrefs: 0072BFA1
{<, xrefs: 0072BF8F
N9$~, xrefs: 0072BF89
G, xrefs: 0072BFDC

Memory Dump Source

Source File: 00000001.00000002.282217417.0000000000710000.00000040.00020000.sdmp, Offset: 00710000, based on PE: true

Associated: 00000001.00000002.282272461.0000000000731000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: N9$~$e(hC$fy$gw6$gw6${<$G
API String ID: 0-3456090699
Opcode ID: 58f62488f3dd0f3e0de2b5d3b2492f1e3d73fadc4139eb016a584664b31dba12
Instruction ID: 6980c501290657c0019a7571bc2b0d4f80c5b3e0fc3ab78fde56add2a5f3f8a6
Opcode Fuzzy Hash: 58f62488f3dd0f3e0de2b5d3b2492f1e3d73fadc4139eb016a584664b31dba12
Instruction Fuzzy Hash: 3E519A71109345DFD729CF20E58A62FBBE1FBD8708F504A1DF18A96291C7798A08CF42

Uniqueness

Uniqueness Score: -1.00%

Function 00721494, Relevance: 8.9, Strings: 7, Instructions: 119COMMON

Download Yara Rule

Strings

h^, xrefs: 0072F128
yN, xrefs: 0072F14D
y, xrefs: 0072F08E
ys, xrefs: 0072F06F
G{J, xrefs: 0072F025
>d, xrefs: 0072F0E5
YX, xrefs: 0072F120

Memory Dump Source

Source File: 00000001.00000002.282217417.0000000000710000.00000040.00020000.sdmp, Offset: 00710000, based on PE: true

Associated: 00000001.00000002.282272461.0000000000731000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: >d$G{J$YX$h^$ys$y$yN
API String ID: 0-1280234317
Opcode ID: 2037fab8d18c0274c0812116fe9400b0319e85e851b11866430375a43fc26108
Instruction ID: bc6afd98314c225fd4f7d4af502cc1469e18ba70a741d142d90fd460c3e08f7f
Opcode Fuzzy Hash: 2037fab8d18c0274c0812116fe9400b0319e85e851b11866430375a43fc26108
Instruction Fuzzy Hash: B0511371408300DFE355CF21D98940BBBF1FB98798F508A1DF09A56261C3B9EA88CF86

Uniqueness

Uniqueness Score: -1.00%

Function 00720CE0, Relevance: 8.9, Strings: 7, Instructions: 107COMMON

Download Yara Rule

Strings

cD, xrefs: 00720D99
y!X, xrefs: 00720CF0
hS, xrefs: 00720D42
d, xrefs: 00720CF8
l, xrefs: 00720D64
d, xrefs: 00720DCF
`m, xrefs: 00720D74

Memory Dump Source

Source File: 00000001.00000002.282217417.0000000000710000.00000040.00020000.sdmp, Offset: 00710000, based on PE: true

Associated: 00000001.00000002.282272461.0000000000731000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: l$`m$cD$hS$y!X$d$d
API String ID: 0-2731310073
Opcode ID: d79add5e6c4ae851d2d859ef871b30299807bb86dc21d4bf0f981f4be876768b
Instruction ID: 41c84e68dc2af39fd6d73bebc7ed0f9f346930fe8564ca8bb07c414a540e90a0
Opcode Fuzzy Hash: d79add5e6c4ae851d2d859ef871b30299807bb86dc21d4bf0f981f4be876768b
Instruction Fuzzy Hash: 6E419771508311DFD358DF24E48A42FBBE0FBC4758F108D2DF49692261C3B89A48CB96

Uniqueness

Uniqueness Score: -1.00%

Function 0071A7FA, Relevance: 8.8, Strings: 7, Instructions: 94COMMON

Download Yara Rule

Strings

h^, xrefs: 0072F128
yN, xrefs: 0072F14D
y, xrefs: 0072F08E
ys, xrefs: 0072F06F
G{J, xrefs: 0072F025
>d, xrefs: 0072F0E5
YX, xrefs: 0072F120

Memory Dump Source

Source File: 00000001.00000002.282217417.0000000000710000.00000040.00020000.sdmp, Offset: 00710000, based on PE: true

Associated: 00000001.00000002.282272461.0000000000731000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: >d$G{J$YX$h^$ys$y$yN
API String ID: 0-1280234317
Opcode ID: d847815306dae0ef632cfdd4b31b7b01bf04ae37f68aea09f8732a062628e924
Instruction ID: 791bc8120f21cb9d829700a8f9e8f11b3b864da9b96fe46e63150a6f12f296a4
Opcode Fuzzy Hash: d847815306dae0ef632cfdd4b31b7b01bf04ae37f68aea09f8732a062628e924
Instruction Fuzzy Hash: A84105714093409FE359CF25D58914BBBF0FB94B98F508A1DF09A562A0C3B99A89CF86

Uniqueness

Uniqueness Score: -1.00%

Function 007384D8, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 68COMMON

Download Yara Rule

APIs

mouse_event.USER32 ref: 00738530
GetSystemMetrics.USER32(00000000), ref: 00738545
GetSystemMetrics.USER32(00000001), ref: 00738550

Part of subcall function 00738000: GetProcessDpiAwarenessInternal.USER32 ref: 00738080

Strings

GetMonitorInfoW, xrefs: 007384F0
DISPLAY, xrefs: 00738571

Memory Dump Source

Source File: 00000001.00000002.282288141.0000000000733000.00000020.00020000.sdmp, Offset: 00733000, based on PE: false

Similarity

API ID: MetricsSystem$AwarenessInternalProcessmouse_event
String ID: DISPLAY$GetMonitorInfoW
API String ID: 3215245216-2774842281
Opcode ID: 973cecda456079aa133a3b25f2c43d6b232366af08b76b9b2caa94e89d8f4f97
Instruction ID: d2c096b3cbb99c4f044fce4aaf68c5ee05a345c7eb864533c3c1e468aa230bc8
Opcode Fuzzy Hash: 973cecda456079aa133a3b25f2c43d6b232366af08b76b9b2caa94e89d8f4f97
Instruction Fuzzy Hash: B8112671A017059FE7A0DF648C44BA7B7E8EB05350F04852AFD19C7282DB78B984CFA6

Uniqueness

Uniqueness Score: -1.00%

Function 007138E1, Relevance: 7.7, Strings: 6, Instructions: 247COMMON

Download Yara Rule

Strings

%Oa+, xrefs: 00713A9F
7$, xrefs: 00713BB0
m\}z, xrefs: 00713B42
XF, xrefs: 00713A11
C#, xrefs: 00713B15
pM, xrefs: 00713C0F

Memory Dump Source

Source File: 00000001.00000002.282217417.0000000000710000.00000040.00020000.sdmp, Offset: 00710000, based on PE: true

Associated: 00000001.00000002.282272461.0000000000731000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: %Oa+$7$$C#$XF$m\}z$pM
API String ID: 0-644714891
Opcode ID: 753dd283c74eed5ffaef3d20842a04b3bf0d9440b842eb0f2a224c86d1625a2d
Instruction ID: b84eb0fcf027bff4d114cc2772ae5b7411b04759390b1375a73be2fbbdc07663
Opcode Fuzzy Hash: 753dd283c74eed5ffaef3d20842a04b3bf0d9440b842eb0f2a224c86d1625a2d
Instruction Fuzzy Hash: 37C131725083419FE368CF29D88A91FFBE1BBC4758F10891DF195962A0D7B98A48CF43

Uniqueness

Uniqueness Score: -1.00%

Function 00727B8D, Relevance: 7.7, Strings: 6, Instructions: 239COMMON

Download Yara Rule

Strings

v2, xrefs: 00727CE0
>W, xrefs: 00727FBE
f,, xrefs: 00727DE5
n;, xrefs: 00727D0D
>Q, xrefs: 00727D25
^^, xrefs: 00727E1E

Memory Dump Source

Source File: 00000001.00000002.282217417.0000000000710000.00000040.00020000.sdmp, Offset: 00710000, based on PE: true

Associated: 00000001.00000002.282272461.0000000000731000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: >Q$>W$^^$f,$n;$v2
API String ID: 0-2235603452
Opcode ID: bc341fff72efb64b16a47f94dda72bf623d1028731fa9d5c2ddbdedd040d24e8
Instruction ID: 2610f7fc659134f18cafc49cb7936cb3e9fbf928cdfb683518de2caf7faaf464
Opcode Fuzzy Hash: bc341fff72efb64b16a47f94dda72bf623d1028731fa9d5c2ddbdedd040d24e8
Instruction Fuzzy Hash: 25B143B110D3418BD358CF25D68A81BBBE1FBC5B18F504A1DF1869A2A0D3B9CA49CB47

Uniqueness

Uniqueness Score: -1.00%

Function 0071E42E, Relevance: 7.6, Strings: 6, Instructions: 143COMMON

Download Yara Rule

Strings

+0, xrefs: 0071E58E
/,, xrefs: 0071E532
Pd&, xrefs: 0071E5AE
>C), xrefs: 0071E47D
DF, xrefs: 0071E522
>C), xrefs: 0071E5B6

Memory Dump Source

Source File: 00000001.00000002.282217417.0000000000710000.00000040.00020000.sdmp, Offset: 00710000, based on PE: true

Associated: 00000001.00000002.282272461.0000000000731000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: +0$/,$DF$Pd&$>C)$>C)
API String ID: 0-3775570201
Opcode ID: f7b686de69a2ba217ca7fefc2ba494ca4d2606fd97d3cc470df5592cd399870d
Instruction ID: 8bc39e75217af754561729d55b63cd3ee1d5b9e0a797717836b6df968dfbe9f2
Opcode Fuzzy Hash: f7b686de69a2ba217ca7fefc2ba494ca4d2606fd97d3cc470df5592cd399870d
Instruction Fuzzy Hash: 06518F718083419BD354CF28C48595BFBE1FBD8758F544A1EF889A72A0D778DA888B86

Uniqueness

Uniqueness Score: -1.00%

Function 007168D8, Relevance: 7.6, Strings: 6, Instructions: 120COMMON

Download Yara Rule

Strings

;U, xrefs: 007169EC
~, xrefs: 0071698D
W#, xrefs: 007169E7
<, xrefs: 0071699D
], xrefs: 00716975
a, xrefs: 00716A10

Memory Dump Source

Source File: 00000001.00000002.282217417.0000000000710000.00000040.00020000.sdmp, Offset: 00710000, based on PE: true

Associated: 00000001.00000002.282272461.0000000000731000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: ~$;U$<$]$a$W#
API String ID: 0-1192180114
Opcode ID: 752f2c7c7d192da0f89bdd0508a95238d31b5b90dbf924608e7e85e657cbaa14
Instruction ID: d6bbeece720f0eef8c3aa28e8da73d816554b5d1d4984796d524146c8db4beaf
Opcode Fuzzy Hash: 752f2c7c7d192da0f89bdd0508a95238d31b5b90dbf924608e7e85e657cbaa14
Instruction Fuzzy Hash: 9C5168715093819FD354CF28D58980BBBE0BB88758F508E1DF49A662A0D3B9DA49CF87

Uniqueness

Uniqueness Score: -1.00%

Function 007212B3, Relevance: 7.6, Strings: 6, Instructions: 107COMMON

Download Yara Rule

Strings

un, xrefs: 007213D1
t, xrefs: 0072131C
wE, xrefs: 007213B1
/R, xrefs: 007213D9
_Z, xrefs: 00721376
@, xrefs: 007212D2

Memory Dump Source

Source File: 00000001.00000002.282217417.0000000000710000.00000040.00020000.sdmp, Offset: 00710000, based on PE: true

Associated: 00000001.00000002.282272461.0000000000731000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: t$ @$/R$_Z$un$wE
API String ID: 0-3242100037
Opcode ID: 3b47c789d72f15953d938d22ddd8894b9e2db61e4a578097bd58bcfec11e0b67
Instruction ID: 0f9167b2b0708ffb3409fb018f040d983a7ae1588929ea5076aebb86f5cc5d8e
Opcode Fuzzy Hash: 3b47c789d72f15953d938d22ddd8894b9e2db61e4a578097bd58bcfec11e0b67
Instruction Fuzzy Hash: 724167710083419FD759DF20E98681FBBE5FB98758F904A1DF48AA6260D778CA09CF87

Uniqueness

Uniqueness Score: -1.00%

Function 007385AC, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 109COMMON

Download Yara Rule

APIs

EnumDisplayMonitors.USER32(?,?,?,?), ref: 007385E5
GetSystemMetrics.USER32(00000000), ref: 0073860A
GetSystemMetrics.USER32(00000001), ref: 00738615

Part of subcall function 00738000: GetProcessDpiAwarenessInternal.USER32 ref: 00738080

Strings

EnumDisplayMonitors, xrefs: 007385C4

Memory Dump Source

Source File: 00000001.00000002.282288141.0000000000733000.00000020.00020000.sdmp, Offset: 00733000, based on PE: false

Similarity

API ID: MetricsSystem$AwarenessDisplayEnumInternalMonitorsProcess
String ID: EnumDisplayMonitors
API String ID: 3238271974-2491903729
Opcode ID: 889ec39613ae85ebfc0c38cfac25b58baa1a8435c13dea73924be2611e1b7e67
Instruction ID: 05236d380363c486ad49f1c7956ce4d7dbd3924e3a431c84cb931441caf7c9d8
Opcode Fuzzy Hash: 889ec39613ae85ebfc0c38cfac25b58baa1a8435c13dea73924be2611e1b7e67
Instruction Fuzzy Hash: 023110B2A01209EFEB51DFA5CC459EF77BCAF45300F144526F915D3242EB38EA458BA2

Uniqueness

Uniqueness Score: -1.00%

Function 0071B22A, Relevance: 6.5, Strings: 5, Instructions: 229COMMON

Download Yara Rule

Strings

:K, xrefs: 0071B2F7
`, xrefs: 0071B368
vl, xrefs: 0071B43D
CR2, xrefs: 0071B68A
O], xrefs: 0071B31B

Memory Dump Source

Source File: 00000001.00000002.282217417.0000000000710000.00000040.00020000.sdmp, Offset: 00710000, based on PE: true

Associated: 00000001.00000002.282272461.0000000000731000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: :K$O]$vl$CR2$`
API String ID: 0-2518798236
Opcode ID: f70696eb6fbe76863c6db8e5aefbfec75e3dab46ae25f7520a917344f100b852
Instruction ID: 91991f8b40d63fe0fe6533d1921eb2478cb3f48ae85a242fd971ac1c694f3324
Opcode Fuzzy Hash: f70696eb6fbe76863c6db8e5aefbfec75e3dab46ae25f7520a917344f100b852
Instruction Fuzzy Hash: 87C120725083419FD364CF25D94A94FBBF1BBC4758F108A0DF2A6962A0C7B58A49CF83

Uniqueness

Uniqueness Score: -1.00%

Function 0072DA27, Relevance: 6.5, Strings: 5, Instructions: 210COMMON

Download Yara Rule

Strings

k, xrefs: 0072DB4B
qZ, xrefs: 0072DBB4
em, xrefs: 0072DB8D
s], xrefs: 0072DC1D
9j, xrefs: 0072DAC4

Memory Dump Source

Source File: 00000001.00000002.282217417.0000000000710000.00000040.00020000.sdmp, Offset: 00710000, based on PE: true

Associated: 00000001.00000002.282272461.0000000000731000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: k$9j$em$qZ$s]
API String ID: 0-39266908
Opcode ID: a04e65bb602c871855a1ee0058a47c314eadce8a5a99709ef6cf1ede692460cb
Instruction ID: ae4923a89ac8f8027a9dbaa499a92e7feb03e49cd1be2872ab5f9a28081b3092
Opcode Fuzzy Hash: a04e65bb602c871855a1ee0058a47c314eadce8a5a99709ef6cf1ede692460cb
Instruction Fuzzy Hash: E2916471509740AFE364CF25D98955FBBE2BBC5708F40891DF2958A2A0D3B9C949CF83

Uniqueness

Uniqueness Score: -1.00%

Function 0071F54C, Relevance: 6.4, Strings: 5, Instructions: 153COMMON

Download Yara Rule

Strings

<M, xrefs: 0071F65A
), xrefs: 0071F600
40', xrefs: 0071F57C
g[, xrefs: 0071F67F
2|!, xrefs: 0071F589

Memory Dump Source

Source File: 00000001.00000002.282217417.0000000000710000.00000040.00020000.sdmp, Offset: 00710000, based on PE: true

Associated: 00000001.00000002.282272461.0000000000731000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: )$2|!$40'$<M$g[
API String ID: 0-2269409361
Opcode ID: 97faa131daff5194895e370456d54cf966f3132aa0ad9cffd3763bff10c97cca
Instruction ID: 57e0f3af031fdc631bfad04bc63900d07d2380e46ce6e2d76062fcd4b20d6097
Opcode Fuzzy Hash: 97faa131daff5194895e370456d54cf966f3132aa0ad9cffd3763bff10c97cca
Instruction Fuzzy Hash: 6F61467110C3429FD758CF25D48986FBBE1BBC4318F544A1EF496962A0D7B88A49CF87

Uniqueness

Uniqueness Score: -1.00%

Function 0072CB58, Relevance: 6.4, Strings: 5, Instructions: 151COMMON

Download Yara Rule

Strings

iK, xrefs: 0072CCCA
70, xrefs: 0072CCF0
D, xrefs: 0072CC23
y+, xrefs: 0072CCDF
8s, xrefs: 0072CCA0

Memory Dump Source

Source File: 00000001.00000002.282217417.0000000000710000.00000040.00020000.sdmp, Offset: 00710000, based on PE: true

Associated: 00000001.00000002.282272461.0000000000731000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: 70$8s$D$iK$y+
API String ID: 0-3581635242
Opcode ID: e4da605cac189cb1e3f0c5929f7df62af95bd3137ac56ddfd44896faeb0f3670
Instruction ID: ea9849c53f6c4297af832c61f2872ac1420be2ec27416497d31050853a864968
Opcode Fuzzy Hash: e4da605cac189cb1e3f0c5929f7df62af95bd3137ac56ddfd44896faeb0f3670
Instruction Fuzzy Hash: D6616771208341ABD755CF21D88991FBFE1BBD4768F540A2DF086962A0D3798A48CB83

Uniqueness

Uniqueness Score: -1.00%

Function 0072B598, Relevance: 6.4, Strings: 5, Instructions: 147COMMON

Download Yara Rule

Strings

4d, xrefs: 0072B5E6
3>, xrefs: 0072B61E
Dg, xrefs: 0072B6AA
D$, xrefs: 0072B606
*&)3, xrefs: 0072B692

Memory Dump Source

Source File: 00000001.00000002.282217417.0000000000710000.00000040.00020000.sdmp, Offset: 00710000, based on PE: true

Associated: 00000001.00000002.282272461.0000000000731000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: *&)3$3>$4d$D$$Dg
API String ID: 0-1744236248
Opcode ID: 3853b8ef6381e0484490cd790ca1073661cacda29dd99c15f507afcf66c83a09
Instruction ID: 93190ed367a17dfa1dd95ff615212a92cc5bc596fbf9af971ab8a17e5ef9365b
Opcode Fuzzy Hash: 3853b8ef6381e0484490cd790ca1073661cacda29dd99c15f507afcf66c83a09
Instruction Fuzzy Hash: 3A5132711083829BD358CE25D48941FBBE2FFC4758F508A1EF4D6962A1D7B8CA498F83

Uniqueness

Uniqueness Score: -1.00%

Function 0071799F, Relevance: 6.4, Strings: 5, Instructions: 117COMMON

Download Yara Rule

Strings

O, xrefs: 00717A80
6D5, xrefs: 00717A0D
T, xrefs: 007179C3
8(, xrefs: 00717ACE
os, xrefs: 00717AA2

Memory Dump Source

Source File: 00000001.00000002.282217417.0000000000710000.00000040.00020000.sdmp, Offset: 00710000, based on PE: true

Associated: 00000001.00000002.282272461.0000000000731000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID: lstrcmpi
String ID: T$6D5$8($O$os
API String ID: 1586166983-1387091587
Opcode ID: 8b01875a937f305760172334c909633e2e6d306cb27973cadd94906d3f62b5c2
Instruction ID: ff4b276d8066b85f74470ac5585dacfad99a27bd06f45ec79976ea14f0f709a1
Opcode Fuzzy Hash: 8b01875a937f305760172334c909633e2e6d306cb27973cadd94906d3f62b5c2
Instruction Fuzzy Hash: 7951F672D0120EDBEF04CFA5C94A9EEBBB2FB44318F208159D1117A290D7B95B56CF94

Uniqueness

Uniqueness Score: -1.00%

Function 00711EF9, Relevance: 6.4, Strings: 5, Instructions: 108COMMON

Download Yara Rule

Strings

c_, xrefs: 00712064
@o, xrefs: 00711FC2
x, xrefs: 00711FE2
?Ja, xrefs: 00712056
5?, xrefs: 00711F53

Memory Dump Source

Source File: 00000001.00000002.282217417.0000000000710000.00000040.00020000.sdmp, Offset: 00710000, based on PE: true

Associated: 00000001.00000002.282272461.0000000000731000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: 5?$?Ja$@o$c_$x
API String ID: 0-4250105947
Opcode ID: 698a09d22f9bc59a0764a825212f956db9bc17e4f8a651ac393f2d01f4e09914
Instruction ID: 22c399c7f4f1044655dd0078060a00eb7c99a8f44bda2a800b3d6b9edb27c491
Opcode Fuzzy Hash: 698a09d22f9bc59a0764a825212f956db9bc17e4f8a651ac393f2d01f4e09914
Instruction Fuzzy Hash: 79511171D0121DEBDF49CFE4D98AAEEBBB1FB04318F208058E511762A0C7B94A58CF94

Uniqueness

Uniqueness Score: -1.00%

Function 0072E4E1, Relevance: 6.3, Strings: 5, Instructions: 97COMMON

Download Yara Rule

Strings

?, xrefs: 0072E4E7
?e, xrefs: 0072E53A
w , xrefs: 0072E568
_, xrefs: 0072E5E2
Gl, xrefs: 0072E5A0

Memory Dump Source

Source File: 00000001.00000002.282217417.0000000000710000.00000040.00020000.sdmp, Offset: 00710000, based on PE: true

Associated: 00000001.00000002.282272461.0000000000731000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: ?e$Gl$w $?$_
API String ID: 0-1446513408
Opcode ID: b1f33b02b3c19594a660f9c01347cd1a977885be0c323f8fab719329a1c47fb8
Instruction ID: 2430360224008ef087d9ed8b5ca9501065e7c9a8bcec55e21cf6e1140e3083c3
Opcode Fuzzy Hash: b1f33b02b3c19594a660f9c01347cd1a977885be0c323f8fab719329a1c47fb8
Instruction Fuzzy Hash: 2641EF72D0020DEBEF54CFE1D94A8EEBBB1BB08714F208159D512B62A0D3B91A49CF95

Uniqueness

Uniqueness Score: -1.00%

Function 00729D6D, Relevance: 6.3, Strings: 5, Instructions: 93COMMON

Download Yara Rule

Strings

o%, xrefs: 00729E69
]2, xrefs: 00729E89
]2, xrefs: 00729DA3
|, xrefs: 00729DD4
;C, xrefs: 00729E61

Memory Dump Source

Source File: 00000001.00000002.282217417.0000000000710000.00000040.00020000.sdmp, Offset: 00710000, based on PE: true

Associated: 00000001.00000002.282272461.0000000000731000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: ;C$o%$]2$]2$|
API String ID: 0-4053395349
Opcode ID: 06c3ae6766c3862e80847a3f5f850226f9bc4fcf48f9e7f7670e8bac13bbd3b4
Instruction ID: 0b495682ae7d4792ebc4619fe3029158a754f563b497946ed9c465cb84a721af
Opcode Fuzzy Hash: 06c3ae6766c3862e80847a3f5f850226f9bc4fcf48f9e7f7670e8bac13bbd3b4
Instruction Fuzzy Hash: 474156729083518BD308CE25D94A40BBBE1FBD8758F154A1DF999A7260C3798A19CF87

Uniqueness

Uniqueness Score: -1.00%

Function 0072E0B6, Relevance: 5.2, Strings: 4, Instructions: 211COMMON

Download Yara Rule

Strings

V9, xrefs: 0072E30A
5e, xrefs: 0072E13C
ox., xrefs: 0072E34F
'7, xrefs: 0072E222

Memory Dump Source

Source File: 00000001.00000002.282217417.0000000000710000.00000040.00020000.sdmp, Offset: 00710000, based on PE: true

Associated: 00000001.00000002.282272461.0000000000731000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: '7$5e$V9$ox.
API String ID: 0-3496647276
Opcode ID: 9aacc44f7160103a431ae218622dfefa682f47689b1d25089d065c98f29650c4
Instruction ID: 7b62c49de67f6e9770d5f88b27bf27259ea340969b3dcb3de56621245ee9ad5b
Opcode Fuzzy Hash: 9aacc44f7160103a431ae218622dfefa682f47689b1d25089d065c98f29650c4
Instruction Fuzzy Hash: AFA1F0711083819FE768CF65D58994FBBF1FB84758F408A1DF1A6962A0D3B9CA09CF42

Uniqueness

Uniqueness Score: -1.00%

Function 0072E9A2, Relevance: 5.2, Strings: 4, Instructions: 198COMMON

Download Yara Rule

Strings

,P, xrefs: 0072EB1A
L/, xrefs: 0072EA9A
ye@N, xrefs: 0072E9EC
a1, xrefs: 0072EB05

Memory Dump Source

Source File: 00000001.00000002.282217417.0000000000710000.00000040.00020000.sdmp, Offset: 00710000, based on PE: true

Associated: 00000001.00000002.282272461.0000000000731000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: ,P$L/$a1$ye@N
API String ID: 0-1743522807
Opcode ID: ba72548239c4b675a1eaed4f2f194bcef8304c43631dd0d5d8108911692ed899
Instruction ID: af5767e7a3e6e0b8e5c858579e5bd8289252b691230014c501bc7772299c870c
Opcode Fuzzy Hash: ba72548239c4b675a1eaed4f2f194bcef8304c43631dd0d5d8108911692ed899
Instruction Fuzzy Hash: 818165712083519BD358CF25D58981FBBE2FBC5758F44492DF68A962A0C7B9CA48CF43

Uniqueness

Uniqueness Score: -1.00%

Function 0072505A, Relevance: 5.2, Strings: 4, Instructions: 175COMMON

Download Yara Rule

Strings

M, xrefs: 00725087
c!K, xrefs: 0072516A
02, xrefs: 0072513C
hD, xrefs: 0072507C

Memory Dump Source

Source File: 00000001.00000002.282217417.0000000000710000.00000040.00020000.sdmp, Offset: 00710000, based on PE: true

Associated: 00000001.00000002.282272461.0000000000731000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: M$c!K$02$hD
API String ID: 0-3086900411
Opcode ID: c5e1dac38949899f44cdd6c68e2c6c59be49bcae53d5fb46c62309e07114ce41
Instruction ID: 05eba6af770d86a63fd143f9bf3bf93716674ee231a7a3f6337a84a57064c2f1
Opcode Fuzzy Hash: c5e1dac38949899f44cdd6c68e2c6c59be49bcae53d5fb46c62309e07114ce41
Instruction Fuzzy Hash: 73814DB1509341DFE368CF24D58982BBBE0BBC4758F504A1DF196962A0D7B9DA48CF83

Uniqueness

Uniqueness Score: -1.00%

Function 0072C92D, Relevance: 5.1, Strings: 4, Instructions: 133COMMON

Download Yara Rule

Strings

x3, xrefs: 0072C966
N9, xrefs: 0072CA8C
Q>, xrefs: 0072C988
Y, xrefs: 0072CA40

Memory Dump Source

Source File: 00000001.00000002.282217417.0000000000710000.00000040.00020000.sdmp, Offset: 00710000, based on PE: true

Associated: 00000001.00000002.282272461.0000000000731000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: N9$Q>$Y$x3
API String ID: 0-1902231974
Opcode ID: 8d3f0fed10d58b8ca1f72992de0987e26d3e9d9c3f3c0c5a1bb1977f5a5c67fa
Instruction ID: c24d2736900461d05314c000301f87b7d32fa41c3e171aa80c14ea55cecc39e2
Opcode Fuzzy Hash: 8d3f0fed10d58b8ca1f72992de0987e26d3e9d9c3f3c0c5a1bb1977f5a5c67fa
Instruction Fuzzy Hash: 755124715083409FD718CF29C88A81BBBF1FBC9758F044A1DF9999A260C3BAD945CF06

Uniqueness

Uniqueness Score: -1.00%

Function 0072E689, Relevance: 3.9, Strings: 3, Instructions: 137COMMON

Download Yara Rule

Strings

], xrefs: 0072E7F7
un, xrefs: 0072E6BC
z, xrefs: 0072E75E

Memory Dump Source

Source File: 00000001.00000002.282217417.0000000000710000.00000040.00020000.sdmp, Offset: 00710000, based on PE: true

Associated: 00000001.00000002.282272461.0000000000731000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: un$z$]
API String ID: 0-4241683264
Opcode ID: 885142b66529b9e9648675a164305462b694be2daed5d9c061d6829b76ede426
Instruction ID: d840668408a3b46fb7676b72cfd306aa9606cf81feadb1c3a29dfd66395ba6bc
Opcode Fuzzy Hash: 885142b66529b9e9648675a164305462b694be2daed5d9c061d6829b76ede426
Instruction Fuzzy Hash: 2B517571009341ABD358CF61E98981FBBE5FBC5358F105A1DF192962A0D7B9CA49CF83

Uniqueness

Uniqueness Score: -1.00%

Function 00724D39, Relevance: 3.9, Strings: 3, Instructions: 137COMMON

Download Yara Rule

Strings

Ue, xrefs: 00724DF8
(+, xrefs: 00724EE6
^(, xrefs: 00724E3E

Memory Dump Source

Source File: 00000001.00000002.282217417.0000000000710000.00000040.00020000.sdmp, Offset: 00710000, based on PE: true

Associated: 00000001.00000002.282272461.0000000000731000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: (+$Ue$^(
API String ID: 0-3438607706
Opcode ID: 340144c76a2c3c1ae3fb0f50570e5bff50d6312e98429875ede8289528a64e2d
Instruction ID: aa2e01ded9b8cb85f02be0b7b41000e7f9cf06c8aa0a644bd141204a859f9243
Opcode Fuzzy Hash: 340144c76a2c3c1ae3fb0f50570e5bff50d6312e98429875ede8289528a64e2d
Instruction Fuzzy Hash: 015114B1A083419FD348CF29D44950BBBE1FBD4758F408E1DF19A962A0D7B9DA09CF86

Uniqueness

Uniqueness Score: -1.00%

Function 0072D87D, Relevance: 3.8, Strings: 3, Instructions: 97COMMON

Download Yara Rule

Strings

#`lb, xrefs: 0072D9C5
^+, xrefs: 0072D8F6
(PZ, xrefs: 0072D8A4

Memory Dump Source

Source File: 00000001.00000002.282217417.0000000000710000.00000040.00020000.sdmp, Offset: 00710000, based on PE: true

Associated: 00000001.00000002.282272461.0000000000731000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: #`lb$(PZ$^+
API String ID: 0-1774321979
Opcode ID: 05284d1d4aea52bb7ade3189c8723a9012c1f65da6b36867904c5e0e46cbb29e
Instruction ID: 70f6a803bb36ebfbcb4232b3e1867f259ccbd8e57c84abaf9cd8935469e158f2
Opcode Fuzzy Hash: 05284d1d4aea52bb7ade3189c8723a9012c1f65da6b36867904c5e0e46cbb29e
Instruction Fuzzy Hash: A251DE71D0121AEBDB48CFE5D94A4EEFBB1BF04314F208599D421B62A0D7B94B05CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 00738000, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

GetProcessDpiAwarenessInternal.USER32 ref: 00738080

Strings

GetMonitorInfoA, xrefs: 00738049

Memory Dump Source

Source File: 00000001.00000002.282288141.0000000000733000.00000020.00020000.sdmp, Offset: 00733000, based on PE: false

Similarity

API ID: AwarenessInternalProcess
String ID: GetMonitorInfoA
API String ID: 2489441696-2497991506
Opcode ID: 6a7a7d68a42ee837dd32a518af3d520b36fad020f052fdd1fee258e84da27a13
Instruction ID: 61a2b884bad843c95d8e94871ae3b3a25bcf409fa3fb7b5309d3376123c6c8fd
Opcode Fuzzy Hash: 6a7a7d68a42ee837dd32a518af3d520b36fad020f052fdd1fee258e84da27a13
Instruction Fuzzy Hash: E01163B0501304EEF7A8DB74CC09BA93BD88746380F154868F408832A2DABC6DCCAB52

Uniqueness

Uniqueness Score: -1.00%

Function 00751E14, Relevance: 2.9, Strings: 2, Instructions: 405COMMON

Download Yara Rule

Strings

d.u, xrefs: 007520C1, 007521E9
kw, xrefs: 00752018, 0075202F, 0075203A, 00752107, 00752229

Memory Dump Source

Source File: 00000001.00000002.282288141.0000000000733000.00000020.00020000.sdmp, Offset: 00733000, based on PE: false

Similarity

API ID:
String ID: kw$d.u
API String ID: 0-821490350
Opcode ID: e8224622edbd97a7015bd8eccf6ce9811b409e0efe26af2868549fdddc4df7b4
Instruction ID: c95be4e14e311531c7ada75be86c561d1c900ce730e0da77714ed5fa2c6c66db
Opcode Fuzzy Hash: e8224622edbd97a7015bd8eccf6ce9811b409e0efe26af2868549fdddc4df7b4
Instruction Fuzzy Hash: EEE15834A00609DFCB10DF68C8859DEF7F5FB49302B6585A4E904A7762DBB8ED46CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00720950, Relevance: 2.7, Strings: 2, Instructions: 200COMMON

Download Yara Rule

Strings

H, xrefs: 00720991
oo, xrefs: 00720AC8

Memory Dump Source

Source File: 00000001.00000002.282217417.0000000000710000.00000040.00020000.sdmp, Offset: 00710000, based on PE: true

Associated: 00000001.00000002.282272461.0000000000731000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: H$oo
API String ID: 0-1614718691
Opcode ID: 35570222b46468966bd551cd3b27edd3af8765477437d4debfe0f9f0754122bf
Instruction ID: bb4d8dcd0fc690b1a6c5479f05b8f000438f4db19a18961cd308a20d4654a025
Opcode Fuzzy Hash: 35570222b46468966bd551cd3b27edd3af8765477437d4debfe0f9f0754122bf
Instruction Fuzzy Hash: 3D9124B2108341AFD368CF65D84A94FBFE1BBC4754F408A0DF69586260C3B98949CF93

Uniqueness

Uniqueness Score: -1.00%

Function 0071E8F6, Relevance: 2.6, Strings: 2, Instructions: 149COMMON

Download Yara Rule

Strings

e;, xrefs: 0071EA62
87, xrefs: 0071EA39

Memory Dump Source

Source File: 00000001.00000002.282217417.0000000000710000.00000040.00020000.sdmp, Offset: 00710000, based on PE: true

Associated: 00000001.00000002.282272461.0000000000731000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: 87$e;
API String ID: 0-2890554552
Opcode ID: f20320664dc57826dc9ba7750b836680312a2150651fd3c17f66ee3de94e0c1d
Instruction ID: 631c65c03d70dcc02357af98bbf69afd80499fe94cb4a8d489dd60413f1924f2
Opcode Fuzzy Hash: f20320664dc57826dc9ba7750b836680312a2150651fd3c17f66ee3de94e0c1d
Instruction Fuzzy Hash: 8B6198B15083829BE754CF25D88592FFBE1FBC4318F504A1DF8C6562A0D7B9DA488B87

Uniqueness

Uniqueness Score: -1.00%

Function 0072D5DF, Relevance: 2.6, Strings: 2, Instructions: 115COMMON

Download Yara Rule

Strings

d)$., xrefs: 0072D66A
J, xrefs: 0072D6A2

Memory Dump Source

Source File: 00000001.00000002.282217417.0000000000710000.00000040.00020000.sdmp, Offset: 00710000, based on PE: true

Associated: 00000001.00000002.282272461.0000000000731000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: J$d)$.
API String ID: 0-495709582
Opcode ID: 7ca551a060e5eb2bf7f8fe5bffec3d44243766162c9424cc1b725e71f4a1066b
Instruction ID: e75cbf8a651a6a6b6d6ae1e173b5776412f018c46ce29eeaf9d55014eaef5992
Opcode Fuzzy Hash: 7ca551a060e5eb2bf7f8fe5bffec3d44243766162c9424cc1b725e71f4a1066b
Instruction Fuzzy Hash: 2F41D37160C351CBD728CE15E58542FBBE5EBD4798F24091EF486A62A0D7B9CE48CB83

Uniqueness

Uniqueness Score: -1.00%

Function 007142DE, Relevance: 2.6, Strings: 2, Instructions: 106COMMON

Download Yara Rule

Strings

vX, xrefs: 0071432B
<, xrefs: 0071434B

Memory Dump Source

Source File: 00000001.00000002.282217417.0000000000710000.00000040.00020000.sdmp, Offset: 00710000, based on PE: true

Associated: 00000001.00000002.282272461.0000000000731000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: <$vX
API String ID: 0-1268996359
Opcode ID: 1b3333257c265e3ffe679d5e34de2784ce9561bc7df9a542160e10a5868a6af7
Instruction ID: a542d7a301613193cb7d3496cb808242b27f2b2c13365c0f4636ba5dedd4a43b
Opcode Fuzzy Hash: 1b3333257c265e3ffe679d5e34de2784ce9561bc7df9a542160e10a5868a6af7
Instruction Fuzzy Hash: AA4135B1C0120AEFEF44CFA5D9495EEBBB4FF04368F208059D411B62A1D7B98A46CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0071A16A, Relevance: 2.6, Strings: 2, Instructions: 103COMMON

Download Yara Rule

Strings

O8, xrefs: 0071A1DE
b, xrefs: 0071A1A6

Memory Dump Source

Source File: 00000001.00000002.282217417.0000000000710000.00000040.00020000.sdmp, Offset: 00710000, based on PE: true

Associated: 00000001.00000002.282272461.0000000000731000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: O8$b
API String ID: 0-375063481
Opcode ID: 4c2a46bce24161298ed771d0f1db2b5558028cc7e7116a51708685bc93327d38
Instruction ID: fd5a65837eee41f5a33f208ddf1955dbe3116b90449175ac80e3d16ad17a196e
Opcode Fuzzy Hash: 4c2a46bce24161298ed771d0f1db2b5558028cc7e7116a51708685bc93327d38
Instruction Fuzzy Hash: 3B4114711083029FD318DF29D18955BFBE0BB94758F104A1DF0D9962A0D778EA89CF93

Uniqueness

Uniqueness Score: -1.00%

Function 00728721, Relevance: 2.6, Strings: 2, Instructions: 99COMMON

Download Yara Rule

Strings

LWUS, xrefs: 0072878E
f, xrefs: 007287FF

Memory Dump Source

Source File: 00000001.00000002.282217417.0000000000710000.00000040.00020000.sdmp, Offset: 00710000, based on PE: true

Associated: 00000001.00000002.282272461.0000000000731000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: LWUS$f
API String ID: 0-4217296692
Opcode ID: ef9f322d9bd000ba71132533618b996c93a789f3135d71b46bb7abc531569492
Instruction ID: b0f13052a0af70fabbb2cd3f0b7908d89a82a3ecaefd9d8d7ba6d3b74e4ed232
Opcode Fuzzy Hash: ef9f322d9bd000ba71132533618b996c93a789f3135d71b46bb7abc531569492
Instruction Fuzzy Hash: 0A412471E0031AEBDF58CFA5D84A5EEBBB6FB44310F208259D410B62A0D7B95B55CF90

Uniqueness

Uniqueness Score: -1.00%

Function 007229E3, Relevance: 2.6, Strings: 2, Instructions: 93COMMON

Download Yara Rule

Strings

:)A<, xrefs: 00722A90
_)W, xrefs: 007229F1

Memory Dump Source

Source File: 00000001.00000002.282217417.0000000000710000.00000040.00020000.sdmp, Offset: 00710000, based on PE: true

Associated: 00000001.00000002.282272461.0000000000731000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: :)A<$_)W
API String ID: 0-1915120261
Opcode ID: 7546286ec2eba56676f673f278e70adb749299ad851b1c735cce35ec08986939
Instruction ID: 1c1058049d6c0b3b03d3357e6352c9aa80bfe0ef9aebfc661fcc14736760da00
Opcode Fuzzy Hash: 7546286ec2eba56676f673f278e70adb749299ad851b1c735cce35ec08986939
Instruction Fuzzy Hash: 7C410F71D00219EBDF04DFA5D94A8EEFFB1FB48318F208159D521BA2A0C7B94A45CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 0074303C, Relevance: 1.5, Strings: 1, Instructions: 284COMMON

Download Yara Rule

Strings

d.u, xrefs: 007431FF, 00743316

Memory Dump Source

Source File: 00000001.00000002.282288141.0000000000733000.00000020.00020000.sdmp, Offset: 00733000, based on PE: false

Similarity

API ID:
String ID: d.u
API String ID: 0-2616669809
Opcode ID: e854a681b0aa4703b4375009899a9a1c2474ae24c45be6d42c50b66c152c8f7d
Instruction ID: 5302fc8fc630751d5f7cc73d3037783d0b9cc604e174b4b91d5edbc51d0dba8c
Opcode Fuzzy Hash: e854a681b0aa4703b4375009899a9a1c2474ae24c45be6d42c50b66c152c8f7d
Instruction Fuzzy Hash: 65B16274B00148EFDB15DF68C99AAADB3F5EB09310F6544A5E818A7261DB39AF44CB10

Uniqueness

Uniqueness Score: -1.00%

Function 0072B0D5, Relevance: 1.4, Strings: 1, Instructions: 176COMMON

Download Yara Rule

Strings

4V|q, xrefs: 0072B12A

Memory Dump Source

Source File: 00000001.00000002.282217417.0000000000710000.00000040.00020000.sdmp, Offset: 00710000, based on PE: true

Associated: 00000001.00000002.282272461.0000000000731000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: 4V|q
API String ID: 0-2461308344
Opcode ID: 95f32673c102f6614b90733422b27ca3e0fc97e60e2c9efea81dcb63516b578c
Instruction ID: 2c2030fe6f2a97e7638bec641de79a2291ce55992e9404d4dd061d657151af92
Opcode Fuzzy Hash: 95f32673c102f6614b90733422b27ca3e0fc97e60e2c9efea81dcb63516b578c
Instruction Fuzzy Hash: 8381F271501288EFEF59CF60D94A5CE3BA1FF44358F508218FE1A961A0D7BAD998CF80

Uniqueness

Uniqueness Score: -1.00%

Function 00713743, Relevance: 1.4, Strings: 1, Instructions: 103COMMON

Download Yara Rule

Strings

,gB5, xrefs: 00713771

Memory Dump Source

Source File: 00000001.00000002.282217417.0000000000710000.00000040.00020000.sdmp, Offset: 00710000, based on PE: true

Associated: 00000001.00000002.282272461.0000000000731000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: ,gB5
API String ID: 0-314899355
Opcode ID: 68a686b219e4400f96dd3d0f881fbb5fb260a2290e08df0bd638af8037ec20a9
Instruction ID: f82d00c849c6a0aa99bcda4fb29a5582f939a3c558f3400d5eb896e72f302a6b
Opcode Fuzzy Hash: 68a686b219e4400f96dd3d0f881fbb5fb260a2290e08df0bd638af8037ec20a9
Instruction Fuzzy Hash: 7C415871D0070ADBDF19CFA8C84A5EEBBB1EF15314F208199D512B62A0C7B91B86CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00713F0A, Relevance: 1.3, Strings: 1, Instructions: 89COMMON

Download Yara Rule

Strings

}, xrefs: 00713F1C

Memory Dump Source

Source File: 00000001.00000002.282217417.0000000000710000.00000040.00020000.sdmp, Offset: 00710000, based on PE: true

Associated: 00000001.00000002.282272461.0000000000731000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: }
API String ID: 0-3670237491
Opcode ID: 5254b0bf0b904ba689c6c0ae5d2de66ac2549e1d576a0ae5edab4532bae23a23
Instruction ID: 00647db83eac8c8098b9a365f59af6cea1a9b252c622cb67c38fcb22addb99f4
Opcode Fuzzy Hash: 5254b0bf0b904ba689c6c0ae5d2de66ac2549e1d576a0ae5edab4532bae23a23
Instruction Fuzzy Hash: 8B31C032A083018BC314CF2CC48555BFBE0EF98754F150A2DE489A7392D774EA49CBD2

Uniqueness

Uniqueness Score: -1.00%

Function 0072894D, Relevance: 1.3, Strings: 1, Instructions: 62COMMON

Download Yara Rule

Strings

$lq2, xrefs: 007289AC

Memory Dump Source

Source File: 00000001.00000002.282217417.0000000000710000.00000040.00020000.sdmp, Offset: 00710000, based on PE: true

Associated: 00000001.00000002.282272461.0000000000731000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: $lq2
API String ID: 0-2972371974
Opcode ID: 937e18654ce9cfee17fb576de1af0eaf00890edb1919500877a490a108165734
Instruction ID: a1211b9b43ec41c9d28db94c58c556a9d3cc353a36c36541330684c3f334fd2f
Opcode Fuzzy Hash: 937e18654ce9cfee17fb576de1af0eaf00890edb1919500877a490a108165734
Instruction Fuzzy Hash: 5E21D671905208FFDB18DFA5C54689EBBB6EF85710F20C499E815AB260D778AA50DF40

Uniqueness

Uniqueness Score: -1.00%

Function 0072DD80, Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.282217417.0000000000710000.00000040.00020000.sdmp, Offset: 00710000, based on PE: true

Associated: 00000001.00000002.282272461.0000000000731000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7e2b183595885b600878884a4008e472c3c51de15e127b8d0bf5cdf82f9a96e
Instruction ID: 9cfd0c23871f5b122ca8ea54765d0cd52588baef80214abddb5d86f967ec908d
Opcode Fuzzy Hash: c7e2b183595885b600878884a4008e472c3c51de15e127b8d0bf5cdf82f9a96e
Instruction Fuzzy Hash: EA6100B1C0021EEBDF54CFA0D98A8DEBBB1FF44314F10815AE515B62A0D7B95A49CF94

Uniqueness

Uniqueness Score: -1.00%

Function 00728489, Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.282217417.0000000000710000.00000040.00020000.sdmp, Offset: 00710000, based on PE: true

Associated: 00000001.00000002.282272461.0000000000731000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0796a24d570bf65319b0d2d9e6296b4b4ef0cc5c553f3067dd5e605f41e1bd1d
Instruction ID: e242481b320f67dbf97a71112958eac32c56af2a590c06959d5807a3c9d338a0
Opcode Fuzzy Hash: 0796a24d570bf65319b0d2d9e6296b4b4ef0cc5c553f3067dd5e605f41e1bd1d
Instruction Fuzzy Hash: 50515431D0121EDBDF14DFA4E94A8EEBBB2EF04304F208109D501B61A1EBB95A09CF92

Uniqueness

Uniqueness Score: -1.00%

Function 007148C7, Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.282217417.0000000000710000.00000040.00020000.sdmp, Offset: 00710000, based on PE: true

Associated: 00000001.00000002.282272461.0000000000731000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a67e62cccba0795b3f698259be2eeecdd67942647a4c0cc2f68250543a850406
Instruction ID: 3c1f6aebe89ec6756ee6a816b770664b9b4dad5f8dabbf41837fbfce93f442d2
Opcode Fuzzy Hash: a67e62cccba0795b3f698259be2eeecdd67942647a4c0cc2f68250543a850406
Instruction Fuzzy Hash: E7517B715083419BD714CF25C88995FBBE1FFD8348F108A1DF4CA662A1D7798A898F87

Uniqueness

Uniqueness Score: -1.00%

Function 00728A24, Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.282217417.0000000000710000.00000040.00020000.sdmp, Offset: 00710000, based on PE: true

Associated: 00000001.00000002.282272461.0000000000731000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab5d3344d0a2e917cacd8248694e89e02b1c84ccc32102f68cf3e68d931eae67
Instruction ID: 700d97c25c103a4344986b13d3ea6a02c08d06714f9a98d121764973abc92f66
Opcode Fuzzy Hash: ab5d3344d0a2e917cacd8248694e89e02b1c84ccc32102f68cf3e68d931eae67
Instruction Fuzzy Hash: 054120B1C0021AABDF09DFE4C98A4EEFBB5FB44304F208149E515B6260C3B95A15CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0072A2E5, Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.282217417.0000000000710000.00000040.00020000.sdmp, Offset: 00710000, based on PE: true

Associated: 00000001.00000002.282272461.0000000000731000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 832e10844e16e16048eb53dcc9218467a0507bd3233a24ca1574e9739c1e9e5c
Instruction ID: 7a6ba401c34b33c8f44e3291509b436b5127e5017621b5281495dff6c4b115ed
Opcode Fuzzy Hash: 832e10844e16e16048eb53dcc9218467a0507bd3233a24ca1574e9739c1e9e5c
Instruction Fuzzy Hash: 4A41E071D0121EEBDB58CFA5C98A4EEBFB1EB44314F208199D511B62A0C7B81B85CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 007126A0, Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.282217417.0000000000710000.00000040.00020000.sdmp, Offset: 00710000, based on PE: true

Associated: 00000001.00000002.282272461.0000000000731000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0a2a2bea74d570145c3c06be963f1e1d42539b00e1b26c16524673e156b2778
Instruction ID: 1b23982d6b7df559cc0478d668894c737db7edba56adc699693c6adb97ec4731
Opcode Fuzzy Hash: e0a2a2bea74d570145c3c06be963f1e1d42539b00e1b26c16524673e156b2778
Instruction Fuzzy Hash: 653189729083018FD304CF25D48941BFBE0FBD4758F044A2DF498A62A0D3B4CA598B87

Uniqueness

Uniqueness Score: -1.00%

Function 007207D3, Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.282217417.0000000000710000.00000040.00020000.sdmp, Offset: 00710000, based on PE: true

Associated: 00000001.00000002.282272461.0000000000731000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ab277858e9f73df25cc0c75edbdff45429ab9e24ea314ab3d4a584f8627f7fd
Instruction ID: 5077abc8f15868ea93317725c601867bb582bb656cb977c85536dd1f9d9943bc
Opcode Fuzzy Hash: 0ab277858e9f73df25cc0c75edbdff45429ab9e24ea314ab3d4a584f8627f7fd
Instruction Fuzzy Hash: 2B41DF71C0121DEBDF09DFA4D94A9EEBBB0BB04304F208189D012B6261D3B95B95DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0072821E, Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.282217417.0000000000710000.00000040.00020000.sdmp, Offset: 00710000, based on PE: true

Associated: 00000001.00000002.282272461.0000000000731000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eea4465e1f055327c782df879b11535222294411be65fe2a437fa610a87b8207
Instruction ID: 1bdeca9a9dff3daaad2a11ca4a1ec0c2bceac8b19982caeddf40030a8ae57c59
Opcode Fuzzy Hash: eea4465e1f055327c782df879b11535222294411be65fe2a437fa610a87b8207
Instruction Fuzzy Hash: 9F310976E01208FFEB04CFA5DC4A9DEBFB2EB49354F10C189F51466290D7B69A219B80

Uniqueness

Uniqueness Score: -1.00%

Function 0072A02C, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.282217417.0000000000710000.00000040.00020000.sdmp, Offset: 00710000, based on PE: true

Associated: 00000001.00000002.282272461.0000000000731000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce7b0b64186a3cdfd76440f1da54e30841a36925943d5aa199563e2cc1b1a93d
Instruction ID: e5ea885aec74305215f3fb173f1c483b72dcf65bb3c1f2fcfb7fb0869d856274
Opcode Fuzzy Hash: ce7b0b64186a3cdfd76440f1da54e30841a36925943d5aa199563e2cc1b1a93d
Instruction Fuzzy Hash: 14314471E0021DEBDF04DFA4D94A8AEBFB1FB44314F608099E915A7260C7764B64DF91

Uniqueness

Uniqueness Score: -1.00%

Function 007133F4, Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.282217417.0000000000710000.00000040.00020000.sdmp, Offset: 00710000, based on PE: true

Associated: 00000001.00000002.282272461.0000000000731000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0af1b6885b0b32aa53b04c30637edc936b233755d7c1623c00e9d73c5891a307
Instruction ID: 679fde0d9b847955558723230df8377d87e2afaea189e1eef0732f19f1234d5b
Opcode Fuzzy Hash: 0af1b6885b0b32aa53b04c30637edc936b233755d7c1623c00e9d73c5891a307
Instruction Fuzzy Hash: 4431C0B1C0030AEBDF45DFE4C98A5AEBBB0FB14318F208598D421662A0D7B94795CF81

Uniqueness

Uniqueness Score: -1.00%

Function 0071422B, Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.282217417.0000000000710000.00000040.00020000.sdmp, Offset: 00710000, based on PE: true

Associated: 00000001.00000002.282272461.0000000000731000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40d83b43d3c4978e428880e6d6cc98d4ab46759700d65f7608bcb38c223fecae
Instruction ID: 91cb4d6f762ea48bd65bed3adfc990792559507a241ff76990ef24dddaa305b1
Opcode Fuzzy Hash: 40d83b43d3c4978e428880e6d6cc98d4ab46759700d65f7608bcb38c223fecae
Instruction Fuzzy Hash: A31158B5D0120CEBEB09DFA4D94A9DEBBB4FF10308F108198E400A7240D7B48B48CF81

Uniqueness

Uniqueness Score: -1.00%

Function 0071A823, Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.282217417.0000000000710000.00000040.00020000.sdmp, Offset: 00710000, based on PE: true

Associated: 00000001.00000002.282272461.0000000000731000.00000040.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
Instruction ID: 25aae2582423029eb19f4489c776d3d70638aac6ce1da4afce0c8a8e650509f3
Opcode Fuzzy Hash: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 0074DD34, Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 187COMMON

Download Yara Rule

APIs

GetProcessDpiAwarenessInternal.USER32 ref: 0074DD71
GetProcessDpiAwarenessInternal.USER32 ref: 0074DEC4

Strings

?, xrefs: 0074DDEB
,, xrefs: 0074DDE4

Memory Dump Source

Source File: 00000001.00000002.282288141.0000000000733000.00000020.00020000.sdmp, Offset: 00733000, based on PE: false

Similarity

API ID: AwarenessInternalProcess
String ID: ,$?
API String ID: 2489441696-2308483597
Opcode ID: 381a08383d524fd2f3187ad56e7577a4ff067736a2bd976a5c9325ae6bf35105
Instruction ID: 953eff5c0a10156757e64bb57f652438fae0b1197be5186f2c5b58e731c00711
Opcode Fuzzy Hash: 381a08383d524fd2f3187ad56e7577a4ff067736a2bd976a5c9325ae6bf35105
Instruction Fuzzy Hash: 7C61C230A00254DBDB21EF78DC856AABBF6BF09350F048565E894E7396E738DC85CB64

Uniqueness

Uniqueness Score: -1.00%

Function 00738330, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 68COMMON

Download Yara Rule

APIs

GetMonitorInfoA.USER32(?,?), ref: 00738361
GetSystemMetrics.USER32(00000000), ref: 0073839D
GetSystemMetrics.USER32(00000001), ref: 007383A8

Part of subcall function 00738000: GetProcessDpiAwarenessInternal.USER32 ref: 00738080

Strings

DISPLAY, xrefs: 007383C9
GetMonitorInfo, xrefs: 00738348

Memory Dump Source

Source File: 00000001.00000002.282288141.0000000000733000.00000020.00020000.sdmp, Offset: 00733000, based on PE: false

Similarity

API ID: MetricsSystem$AwarenessInfoInternalMonitorProcess
String ID: DISPLAY$GetMonitorInfo
API String ID: 1000648782-1633989206
Opcode ID: 2327ee4ad3faca5d7499f0dca0d65b6b054de401ed613e0095b0fd39d34ef0bb
Instruction ID: 9c6fd373077f78cf2fb4a9e7d0d09e45b9c28421b2775fb152e3d10c7ba1642f
Opcode Fuzzy Hash: 2327ee4ad3faca5d7499f0dca0d65b6b054de401ed613e0095b0fd39d34ef0bb
Instruction Fuzzy Hash: 8E1106726017059FE7609F249C44BABB7E8EB05B50F004529FD4AD7342DBB8B848CB96

Uniqueness

Uniqueness Score: -1.00%

Function 00738404, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 68COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(00000000), ref: 00738471
GetSystemMetrics.USER32(00000001), ref: 0073847C

Part of subcall function 00738000: GetProcessDpiAwarenessInternal.USER32 ref: 00738080

Strings

DISPLAY, xrefs: 0073849D
GetMonitorInfoA, xrefs: 0073841C

Memory Dump Source

Source File: 00000001.00000002.282288141.0000000000733000.00000020.00020000.sdmp, Offset: 00733000, based on PE: false

Similarity

API ID: MetricsSystem$AwarenessInternalProcess
String ID: DISPLAY$GetMonitorInfoA
API String ID: 3286765135-1370492664
Opcode ID: 9983f103271668ff6d327d2ae8f73119ba7c23e78c6b4a3416f5e6e32ff76804
Instruction ID: d15457f73c8092b2916816fa9af71373b443b673ba26b541b517d1157344cd0a
Opcode Fuzzy Hash: 9983f103271668ff6d327d2ae8f73119ba7c23e78c6b4a3416f5e6e32ff76804
Instruction Fuzzy Hash: BD1129716017069FE760DF64DC44BA7B7E8EB05360F00852DFD598B642DB7CB8848BA6

Uniqueness

Uniqueness Score: -1.00%

Function 00756DF8, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

EnumPropsA.USER32 ref: 00756E40
EnumPropsExA.USER32 ref: 00756E60
EnumPropsW.USER32 ref: 00756E80

Strings

$?u, xrefs: 00756E09

Memory Dump Source

Source File: 00000001.00000002.282288141.0000000000733000.00000020.00020000.sdmp, Offset: 00733000, based on PE: false

Similarity

API ID: EnumProps
String ID: $?u
API String ID: 3788141014-3098843297
Opcode ID: 6d295ebc4eab864257085963f70739205d79e5da7a9a4c35d7bdb5085fe6cad5
Instruction ID: 455b0bc4866bf3d15c690f533f300e2bbf6334ea656b1382f37942b99a269904
Opcode Fuzzy Hash: 6d295ebc4eab864257085963f70739205d79e5da7a9a4c35d7bdb5085fe6cad5
Instruction Fuzzy Hash: 0C0121A174024097D7486A3CDC9B79B66D99B98702F50943FB907EB3D6CEBECC0E4200

Uniqueness

Uniqueness Score: -1.00%

Function 00744A08, Relevance: 6.2, APIs: 4, Instructions: 192COMMON

Download Yara Rule

APIs

SetWindowBand.USER32(00000000,00744C78), ref: 00744B0C
SetWindowBand.USER32(00000000,00744C78), ref: 00744B32
SetWindowBand.USER32(00000000,00744C78), ref: 00744B87

Part of subcall function 00740A40: SetWindowCompositionTransition.USER32(00000000,?,00000000,00000000,00000000,00744BDC,00000000,00744C78), ref: 00740A50

SetWindowBand.USER32(00000000,00744C78), ref: 00744BD7

Memory Dump Source

Source File: 00000001.00000002.282288141.0000000000733000.00000020.00020000.sdmp, Offset: 00733000, based on PE: false

Similarity

API ID: Window$Band$CompositionTransition
String ID:
API String ID: 3393954239-0
Opcode ID: ce843b5ba6339640440b7849ad252bf97247acf9fbd71120c7f3970f1a523f7a
Instruction ID: 12a86f0415d0ce1d0ab0ddd7aaa46ac60314c6f5ed00b5eaef451e247e771a7d
Opcode Fuzzy Hash: ce843b5ba6339640440b7849ad252bf97247acf9fbd71120c7f3970f1a523f7a
Instruction Fuzzy Hash: AB716A74701A44EFCB14EF68D585BA9B7E6FB48340B258095E818DB322D738ED41EB98

Uniqueness

Uniqueness Score: -1.00%

Function 00772B38, Relevance: 6.1, APIs: 4, Instructions: 61COMMON

Download Yara Rule

APIs

DdeCreateStringHandleA.USER32(00000015,00000000), ref: 00772B7C
DdeClientTransaction.USER32(00000000,000000FF,00000000,?,?,00001034,000003E8,?), ref: 00772BA9
DdeGetLastError.USER32(00000015), ref: 00772BBB
DdeFreeStringHandle.USER32(00000015,?), ref: 00772BCD

Memory Dump Source

Source File: 00000001.00000002.282288141.0000000000733000.00000020.00020000.sdmp, Offset: 00733000, based on PE: false

Similarity

API ID: HandleString$ClientCreateErrorFreeLastTransaction
String ID:
API String ID: 2421758087-0
Opcode ID: 6f3ab94e19a0a8caca59b3b40b1469a715b3d1bb1a144e9ce8f49412b0cece71
Instruction ID: 06ee640996f0d9b75edce030ed681be382fab14d1c3560f132be9bf4b43701df
Opcode Fuzzy Hash: 6f3ab94e19a0a8caca59b3b40b1469a715b3d1bb1a144e9ce8f49412b0cece71
Instruction Fuzzy Hash: 20210875204240DFDB40DF68C8C5E5977E8AB49350F14C195F958CF2A7E679E881CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0074A6C4, Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 282windowCOMMON

Download Yara Rule

APIs

GetMenuInfo.USER32 ref: 0074A9BD

Strings

\Du, xrefs: 0074A86D
$?u, xrefs: 0074A7CD

Memory Dump Source

Source File: 00000001.00000002.282288141.0000000000733000.00000020.00020000.sdmp, Offset: 00733000, based on PE: false

Similarity

API ID: InfoMenu
String ID: $?u$\Du
API String ID: 2982508413-2618095673
Opcode ID: f6fec9d21a73b9911601ad2767bc7b5be37535d83a96aac816e097cf4825fafe
Instruction ID: 670eb322971fb45eab4d5bae00c907a5b60e7f27933e25ee9909ebee2c5687d6
Opcode Fuzzy Hash: f6fec9d21a73b9911601ad2767bc7b5be37535d83a96aac816e097cf4825fafe
Instruction Fuzzy Hash: 52C1D175A00658DFCB10DFA8C884A9EB7F5BF09300F1580A5E905EB366DB74AD4ACF51

Uniqueness

Uniqueness Score: -1.00%

Function 00771428, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 169COMMON

Download Yara Rule

APIs

DdeQueryConvInfo.USER32(?,?,00000060), ref: 007714BF

Strings

`, xrefs: 00771498
0w, xrefs: 00771607

Memory Dump Source

Source File: 00000001.00000002.282288141.0000000000733000.00000020.00020000.sdmp, Offset: 00733000, based on PE: false

Similarity

API ID: ConvInfoQuery
String ID: 0w$`
API String ID: 701148680-3847901652
Opcode ID: 9a92e76222eebb7168e2eac68a0ce00c512b330deebf1ef07513c5effba423ac
Instruction ID: 41ca8ca816a696ccdf16a4ceeacbab9721d59783fc8aa2bb11e8539ae367eb50
Opcode Fuzzy Hash: 9a92e76222eebb7168e2eac68a0ce00c512b330deebf1ef07513c5effba423ac
Instruction Fuzzy Hash: 13516076A002198BCF14DE6CD9898AE73A9AB483D4F55C060F90EE7745CA38DD128BA1

Uniqueness

Uniqueness Score: -1.00%

Function 0074D770, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

GetProcessDpiAwarenessInternal.USER32 ref: 0074D795

Part of subcall function 0074D710: GetProcessDpiAwarenessInternal.USER32 ref: 0074D75E

GetProcessDpiAwarenessInternal.USER32 ref: 0074D7A5

Strings

>t, xrefs: 0074D80E, 0074D7F4

Memory Dump Source

Source File: 00000001.00000002.282288141.0000000000733000.00000020.00020000.sdmp, Offset: 00733000, based on PE: false

Similarity

API ID: AwarenessInternalProcess
String ID: >t
API String ID: 2489441696-2653846633
Opcode ID: 5bec7acebb53539bd84f4dfbce166b32e7b3159a5730d47f814f0a7efda671bb
Instruction ID: 4e408899b9df40d2bdf3abe159a89574dace8859a476df0bd222eae51a21a397
Opcode Fuzzy Hash: 5bec7acebb53539bd84f4dfbce166b32e7b3159a5730d47f814f0a7efda671bb
Instruction Fuzzy Hash: BA316D35E0818D9FCB22DBA884816FEBBB66F45310F254595D8E4B7342D7385E06CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 00738298, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(00000000), ref: 007382E6
GetSystemMetrics.USER32(00000001), ref: 007382F8

Part of subcall function 00738000: GetProcessDpiAwarenessInternal.USER32 ref: 00738080

Strings

MonitorFromPoint, xrefs: 007382AA

Memory Dump Source

Source File: 00000001.00000002.282288141.0000000000733000.00000020.00020000.sdmp, Offset: 00733000, based on PE: false

Similarity

API ID: MetricsSystem$AwarenessInternalProcess
String ID: MonitorFromPoint
API String ID: 3286765135-1072306578
Opcode ID: 8fb601f7f9643dc20c6693466cb2ac40eeabefbff18bf5386da453f567c4c1e8
Instruction ID: f4a3bca53cf706fa5ad18dd1459d0186b14f6ab3b7cd9bdbc4e3974f3eeef515
Opcode Fuzzy Hash: 8fb601f7f9643dc20c6693466cb2ac40eeabefbff18bf5386da453f567c4c1e8
Instruction Fuzzy Hash: 4201D672201709EFEB405F50DC48B9E7B55FB50B90F048025FA298B313CB78AC848BA7

Uniqueness

Uniqueness Score: -1.00%

Function 00738170, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(00000000), ref: 007381C1
GetSystemMetrics.USER32(00000001), ref: 007381CD

Part of subcall function 00738000: GetProcessDpiAwarenessInternal.USER32 ref: 00738080

Strings

MonitorFromRect, xrefs: 00738185

Memory Dump Source

Source File: 00000001.00000002.282288141.0000000000733000.00000020.00020000.sdmp, Offset: 00733000, based on PE: false

Similarity

API ID: MetricsSystem$AwarenessInternalProcess
String ID: MonitorFromRect
API String ID: 3286765135-4033241945
Opcode ID: 4c02d171d8feeb44af69ee0499e5a2de3ca458e89c36b559d3ff1618450884f2
Instruction ID: 9c50ae4b14f452a8cd5d6ccb7cf0a33b231c5c96d30821d01801789da5e77bc7
Opcode Fuzzy Hash: 4c02d171d8feeb44af69ee0499e5a2de3ca458e89c36b559d3ff1618450884f2
Instruction Fuzzy Hash: 8B014B32200319DBE7509B14DD85BA7B799E750391F18846AFD08CA207CA7D9C8A8BA6

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system. Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer.Shutting down or rebooting systems may disrupt access to computer resources for legitimate users.
Tactics:	Impact
Data Sources:	Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report BsYHxeX7Ok.dll

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Signature Overview

AV Detection:

Compliance:

Spreading:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Stealing of Sensitive Information:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Network Port Distribution

UDP Packets

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: loaddll32.exe PID: 6404 Parent PID: 5700

General

Function 00714AD3, Relevance: 56.1, Strings: 44, Instructions: 1101
COMMONCrypto

Function 00726334, Relevance: 30.7, Strings: 24, Instructions: 660
COMMONCrypto

Function 0071BEBD, Relevance: 29.5, Strings: 23, Instructions: 784
COMMONCrypto

Function 0071F7EF, Relevance: 25.4, Strings: 20, Instructions: 412
COMMONCrypto

Function 0072A82C, Relevance: 25.4, Strings: 20, Instructions: 390
COMMONCrypto

Function 0072539F, Relevance: 24.3, Strings: 19, Instructions: 584
COMMONCrypto

Function 00722CE3, Relevance: 21.8, Strings: 17, Instructions: 525
COMMONCrypto